This topic covers key concepts in Android application security testing, employing a variety of tools and techniques to speed up the testing process.
This was presented at Null Bangalore Chapter (Saturday April 26 2014, 11:00 AM)
2. Agenda
• Introduction to Android Testing
– Static Analysis
– Dynamic Analysis
– Local Storage Inspection
• Challenge.txt
3. Android Security Testing
• Install the app on a device and test it against the network.
• Install the application in the emulator and test it there.
4. What’s inside?
• Android is a Linux kernel based OS.
• The Dalvik VM (Dalvik Virtual Machine) executes the dex file (Dalvik Executable).
• An APK (Android Application Package) is a zip archive containing all the resources: the manifest file, signatures, the dex file, and other resources.
5. So what happens?
• Java source code is compiled to Java byte code using the Java compiler.
• Byte code is converted into Dalvik code using the dex compiler.
• The Dalvik Executable (dex file) goes to the Dalvik VM and executes within it.
7. Pentest. How to do it?
• Break the testing into three parts:
– Static Testing
– Dynamic Testing
– Local Storage
• Try to uncover issues in every phase.
8. Static Analysis
• Get the .apk file.
• Reverse engineer it.
• Decompile / disassemble it.
• Disassemble it using
– Dedexer (gives assembly-like output), or
– Baksmali (based on dedexer; gives code that is easier to understand).
• Decompile it using
– Dex2jar (turns Dalvik code into Java byte code, i.e. a jar file).
– Use jd-gui to view the Java source code.
9. What to look for?
• Look for API information, database connection strings, internal / external IP disclosures and ports, etc.
• If you are lucky, you might get a password too. Believe me, developers are crazy.
• If you can go for social engineering, a lot of email addresses can be found.
• Tip: a pair of /* and */ holds a lot of information.
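As an added example (not part of the original deck), the following hypothetical helper scans decompiled Java of the kind jd-gui produces for the artefacts listed on slides 8 and 9: block comments, URLs, connection strings, IP:port pairs, email addresses and hard-coded credentials. The sample source it runs on is constructed for this example; the `SAMPLE_SOURCE`, `PATTERNS`, `scan_source` and `report` names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample standing in for one decompiled class (not from any real app).
SAMPLE_SOURCE = '''package com.example.bank;

public class ApiClient {
    /* TODO remove before release: staging creds
       user=admin password=Winter2014 */
    private static final String BASE_URL = "https://api.example.com/v1/";
    private static final String DB_CONN = "jdbc:mysql://10.0.2.2:3306/bankdb";
    private static final String API_KEY = "AKIA-EXAMPLE-KEY";
    // support contact: devteam@example.com
}
'''

# One regex per artefact category from the "What to look for?" slide.
PATTERNS = {
    "block_comment": re.compile(r"/\*.*?\*/", re.DOTALL),       # the /* ... */ tip
    "url": re.compile(r"https?://[^\s\"']+"),                   # API endpoints
    "connection_string": re.compile(r"jdbc:[^\s\"']+"),         # database connections
    "ip_port": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),           # social-engineering leads
    "credential": re.compile(
        r"(?i)\b(pass(?:word|wd)?|secret|api[_-]?key|token)\b\s*=\s*\"?([^\"\s;]+)"),
}


def scan_source(text):
    """Return {category: [finding, ...]} for every pattern that matched in text."""
    findings = defaultdict(list)
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if name == "credential":                 # report as name=value
                value = f"{match.group(1)}={match.group(2)}"
            elif name == "block_comment":            # collapse multi-line comments
                value = " ".join(value.split())
            findings[name].append(value)
    return dict(findings)


def report(findings):
    """Flat list of 'category: value' lines, most sensitive categories first."""
    order = ["credential", "block_comment", "connection_string", "ip_port", "url", "email"]
    return [f"{cat}: {v}" for cat in order for v in findings.get(cat, [])]


if __name__ == "__main__":
    for line in report(scan_source(SAMPLE_SOURCE)):
        print(line)
```

Point it at a directory of jd-gui output by reading each .java file into `scan_source` and merging the results.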
11. Dynamic Analysis
• Load the emulator.
• Set up an interception proxy.
• Figure out SSL issues.
• Then follow the generic logic test cases you follow in web applications.
14. Local Storage Inspection
• Check for sensitive data getting stored on the client side.
• XML files and database files are the most commonly found culprits.
• Inspect memory for sensitive information > memdump.
• Inspect generated logs for sensitive information > logcat.
• Uninstall and check if anything remains in the application folder.
18. Challenges
• AppUse is quite slow:
– Save time in loading your emulator.
– Save time in installing the app.
• ADB always has to stay attached to the device. If you are idle, adb stops working and you have to restart your emulator.
– Keep your ADB attached to the device constantly.
• Commands for every push, apk installation, etc.
– Get a drag and drop feature.
• The organization might ask you to get the application from the Play Store.
– Get the Play Store.
• Genymotion
– gives you all of the above.
– Supports webcam, mic, GPS, etc. as well --------- haven’t tested them, however.
– Not stable. --------- One bad point out of six is never bad.
19. Time’s up: what next?
• OWASP Mobile Top 10
• Drozer (for Inter Process Communication)
• Explore new tools all the time.
• Keep sharing.