Introduction to the Android OS. the Android Developers Kit, Android Emulators, Rooting Android devices, de-compiling Android Apps. Dex2jar, Java JD_GUI and so on. During the presentation I will pull an App apart and show how to bypass a login screen. What better way to express the Zombie Apocalypse then with mobile devices. They are ubiquitous. they are carried everywhere, they go everywhere. Having a decent understanding of the Operating System and it’s vulnerabilities can go a long way towards keeping your device protected.

2. Reverse Engineering
the
Android OS

3. About Me
Ex Military “31 Mic” Microwave Communications - 34th Signal Battalion
Lab Developer for Jones and Bartlett Publishing
CEI – CEH V8
Martial Art Nutcase
Co-creator of Cyber Kung Fu

4. Reverse Engineering
• Understand how applications work
• Analyze them
• Find vulnerabilities
• Uncover hard coded information

5. Why do I want to Hack Mobile Devices

6. • Natural Curiosity
• MacGyver Fan
• CEH V8 mobile sucked
• Humongous Installed Base
• Self Defense

7. Lots of important information
• Contacts
• Messages
• Photos
• Email
• GPS co-ordinates
• Personal notes
• Stored accounts
• Web traffic
• Application configs and credentials

8. Double Edged Sword
• User moves between work and personal environments
• Carries Corporate Data
• Device can be compromised in less secure areas
• Compromised device is then connected to work
environment

9. Theft and Loss
• Weak protective mechanisms
• Compounded by users turning off security features
• Rooted devices

10. More Problems
• Increasing everyday use
• Users not educated
• Mix of personal and business use
• Always connected to internet

11. Physical Security
• Phone is easily accessed
• SD Card
• Charging/io port access – Rubber Ducky
• Shoulder Surfing
• Smudge attack

12. Web Issues
• Small screen hides full URL
• XSS
• CSRF
• Phishing

13. Rogue Applications
• Malware
• Virus
• Trojans
• Spyware

14. History
• Cabir – 2004
• Skulls – 2004
• pbstealer
• Commwarrior
• Cardtrap
• All Symbion basesd but eventually spread to CE
and Java (J2ME

15. Android and IOs
• Ikee – 2009/2010 - worm
• AndroidOS.FakePlayer – premuium SMS
• Geinimi Trojan
• SMS Replicator
• DroidDream
• GinerMaster
• DroidKungFu

16. Older Devices
• Out of date software
• Vulnerable to older fixed exploits
• Patching – no incentive for older hardware
• Carrier indifference

17. Architecture

18. Kernel
First layer to interact with Hardware

19. C/C++ Libraries
• Exposed to developer via Java API
• Kind of a transaction layer between kernel and
application framework
• Provides common services for apps

20. Core Libraries
• SSL
• SLite
• Surface Manager
• WebKit
• Font, media, display libraries

21. Runtime
• DVM – Dalvik Virtual Machine
• Efficient and Secure mobile environment

22. Secure
• Each app runs in its own instance
• Unique ID and VM
• Separate memory and files

23. Application Framework
• Compiled java code running in DVM
• Provides services to multiple apps
• Layer that 3rd party developers interact with
• Abstract access to key resources

24. Application Layer
• Contacts
• Phone
• Calendar
• Browser
• Maps
• Pictures

25. Privilege Separation & Sandboxing
• Based on Linux security model
• Each user is assigned a unique ID (UID)
• Each user can be assigned to Groups
• Each Group has an unique ID (GID)

26. Resource Permissions
• Owner
• Group
• Rest of world (everyone)

27. Sandboxing
• Two or more applications can communicate
• Provided they grant permissions
• Implemented in the kernel
• Extended to all software above 1st layer

28. App Separation
• Kernel assigns unique UID
• Runs as that user in separate process
• Different than multiuser OS

29. File Separation
• New apps get new UIDs
• Extended across memory cards
• All associated DB and files use the new UID

30. File Permissions

31. Separate File Permission Groups
• Note – only the associated UID and root UID have full privileges on
these resources unless the developer exposes files to other apps.

32. SD Cards
• Everyone (Whole World) has access Storage
• Currently vfat fs
• Doesn’t support granular permissions
• Note – good place for privilege escalation

33. Data Storage on the Device
• Databases
• SharedPreferences

34. SharedPreferences
• Allows app to store and retrieve persistent key values
• Persist across device sessions
• Accesss using the SharedPreferences Object
• Stored as XML
• /data/data/”app”/shared_prefs
• Example

35. SQLite3
• Full Support
• Accessed via the UID of the related app
• /data/data/”app”/databases

36. Application Signing
• Ensures Integrity and Authenticity
• APK must be signed
• Inhibits tampering
• Aids confidentiality by insuring where it came from
• Apps signed with same key can share UID, Process, Memory,
Data Storage and Sandbox

37. Signing Quirks
• Apps can be disassembled and changed
• Can be resigned with same certificate if you have key
• Multiple apps can use same certificate
• App can be manipulated to accept same certificate
• Debugging certificate

38. App access to resources
• Developer limits access to required resources
• Helps to inhibit rogue apps from taking over
• Text, GPS, MMS, camera, microphone, contacts

39. API Permissions
• AndroidManifest.xml
• Used by trusted applications
• Tracks what the user is allowed to do
• Each app must have an AndroidManifest.xml

40. Permission Model
• System displays permissions
• Helps user to decide to trust app or not.
Normal – Dangerous – Signature – Signature or System

41. Components
• Activity
• Content Providers
• Broadcast Receivers
• Services

42. Activity
• Provides a screen and allows a user to interact with it.
• A window where the user interface is defined

43. Content Providers
• Allow efficient data sharing between processes & applications
• Allow applications to access the stored data of other
applications
• Use relational databases similar to tables
• Each row is an Instance each column is a Type
• Pic

44. Examples of Content Providers
• Calendar provider
• Contacts provider

45. Broadcast Receiver
• Listens for asynchronous request from intents
• Apps can register for events and get notified when it happens

46. Services
• Background processes
• Run even when app is not visible
• Provide computations
• Example is GPS

47. SecurityException
• Without proper permissions a component call will raise a
Security Exception

48. Intents
• Mechanisms for asynchronous IPC (Inter Process Communication)
• Allow app to send or broadcast messages to specific components
• Control task and transport data
• Components like Activities, Broadcast Receivers & Services are
activated via Intents
• Contain a large amount of information
• Parsed by OS & used by the receiver to take action
• Contain category and instruction for activity launch
Action – Data – Type – Category (note)

49. Google Bouncer
• Automatically scans Android Market looking for malicious Apps
• Checks new applications
• Apps already in Store
• Developer accounts
• No restrictions on upload process
• Can be bypassed

50. Rooting
• Gain Root permissions
• Allow access and editing of Carrier and Manufacturer apps
• Install Custom Software (ROMs)
• Install different Android Version
• Wi Fi tethering
• Overclocking
• Removing Fluff-ware

51. Some Rooting Techniques
• Depends on the device
• OneClickRoot
• SuperOneClick
• z4Root
• GingerBreak
• UnlockRoot

52. The SDK
• Windows and Linux
• SDk & Eclipse
• Virtual Devices (emulators)
• Allows interaction with virtual and real devices
– Browse files
– Create, install, extract apps
– Get shells
– SSH & VNC

53. SDK continued
• Eclipse
• ADT – Android Developer Tools
– Signing
– Debugging
– Important for developer & tester
– Use Android SDK Tools
• IDE – integrated Development Environment

54. Package Explorer

55. Package Explorer
Middle pane
• Source code
• Activity’s UI

56. Right Pane (Outline)
• Methods
• Functions
• Arguments
• Variables
• Properties

57. Perspectives
• Java – DDMS – Debug (Dalvik Debug Monitor Server)

58. AVD Manager
• Allows emulation of devices
• Custom hardware
• Custom software
• Runs from SDK executables

59. Android Virtual Device

60. Device definition
• Create
• Clone – Edit – Delete
• New custom devices

61. What we can do with a Virtual Device
• Send and receive text between devices
• make calls
• interact with the touch screen if you have one on your host
• browse file
• threads

62. Commands Available
• the VM can be run from the command line
• Command - adb devices
• adb connect <device name>
• note the number reference the port used

63. USB devices are different

64. Shell interaction is via the –s option

65. Shell commands
• allows browsing
• read and write files & folders
• change permissions
• get network statistics

66. basic linux commands
• ls
• ps
• netstat
• top

67. More Commands
• list all the packages
• pm list packages –f

68. sqlite3
• access databases *.db
• query statements
• show a browsed database from
/data/Datacom.android.providers.telephony/databases

69. Browse SMS Folder

70. Database containing SMSs

71. Sqlite3 mnsms.db

72. sqlite .tables

73. select * sms

74. Adb pull - Adb push
• adb pull <device_path> <local_path>
• adb push <device_path> <local_path>

75. Pull Example
Browser Files

76. Push Example
Changed “enable_javascript” to true

77. Device Settings Changed

78. Sqlite.exe in sdk/tools

79. Sqlite store credentials
Because the Web Browser had the “Remember Password” option
enabled we can view it in the “webview.db” file

80. DDMS View
Dalvik Debug Monitor Server
Browse all Devices and Contents by using the “File Explorer” Tab

81. More Powerfull Shell

82. SSH Client

83. SSH Server

84. Putty as Client

85. putty shell via ssh over wifi

86. Droid VNC

87. Analysis Types

88. APK = ZIP

89. Decompiling & Disassembling

90. Elements in apk

91. Source
AndroidManifest.xml

92. Dex files
dexdump –d path_to_file.dex

94. apktool
apktool d name.apk path_to_file

95. Smali / bacsmali
• Developed by Jesus Freke
• Assembler/ disassembler for dex files

96. smali Folder

97. classes.dex vs .smali

98. Apktool
AndroidManifest.xml

99. Folders & Uses
src – source
• Packages
• MainActivity.java
assets
• Fonts, audio, images, text files
• Non-android xml files

100. Folders & Uses
bin – same as Linux
libs - same as Linux
res - resources
• drawables – images for layouts
• layout –user interface *
• values – string.xml – styles.xml – dimens.xml - colors

101. layout/Folder
Activity_Main.xml
<TextView
android:layout_width=“wrap_content”
android:layout_height=“wrap_content”
android:text=“@string/”hello world”

102. valuesFolder
Strings.xml
<resourses>
<string name=“Hello world”> Hello world </string>

103. dex2jar

104. Decompiles dex into java

105. JD-GUI

106. XDAAutoTool

107. XDAAutoTool Options

108. Bypassing Security Controls

109. Code example

110. for - if - else

111. password
after 5 iterations

112. Quick Way

113. Tom Updegrove
tu@internetworkservice.com