Rapid Android Application Security Testing
Agenda
• Introduction to Android Testing
– Static Analysis
– Dynamic Analysis
– Local Storage Inspection
• Challenge.txt
Android Security Testing
• Install the app on a physical device and test it against the network.
• Or install the application in the emulator and test it there.
What’s inside?
• Android is a Linux kernel based OS.
• The Dalvik VM (Dalvik Virtual Machine) executes the dex file (Dalvik Executable).
• An APK (Android Application Package) bundles everything the app ships with, i.e. the manifest file, signatures, dex file and other resources, in a zip archive.
So what happens?
• Java source code is compiled to Java byte code using the Java compiler.
• Byte code is converted into Dalvik code using the dex compiler.
• The Dalvik Executable (dex file) is loaded into the Dalvik VM and executes within it.
…Continued.
[Diagram: Java Source Code → Java Compiler → Java Byte Code → Dex Compiler → Dalvik Code → Dalvik Executable (Dex File) → Dalvik VM]
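To make the "what's inside" slides concrete, here is an added example (not code from the original slides or the m0bLiz3r repository) that opens an APK as the zip archive it is, classifies its entries into manifest, dex files, signature files and assets, and checks the 8-byte magic at the start of each dex file (`dex\n` + version digits + NUL). The tiny APK is constructed in memory so the script runs offline; a real APK is passed in the same way after reading its bytes from disk.

```python
"""Inventory an APK's contents and sanity-check its dex headers.

Added example, not from the original slides. The APK below is a constructed
stand-in (stub bytes, not a real app); a real .apk is just open(path, "rb").read().
"""
import io
import zipfile

# Every dex file starts with "dex\n", three version digits and a NUL byte.
DEX_MAGIC_PREFIX = b"dex\n"
DEX_HEADER_LEN = 0x70  # real dex header size, used only to pad the stub


def build_sample_apk() -> bytes:
    """Construct a minimal APK-shaped zip for demonstration (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML stub
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * (DEX_HEADER_LEN - 8))
        zf.writestr("classes2.dex", b"dex\n037\0" + b"\0" * (DEX_HEADER_LEN - 8))
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82")  # DER prefix stub
        zf.writestr("assets/config.properties", "api.base=https://api.example.invalid\n")
    return buf.getvalue()


def inventory_apk(apk_bytes: bytes) -> dict:
    """Classify APK entries and record each dex file's format version (or INVALID)."""
    report = {"manifest": False, "dex": {}, "signature_files": [], "assets": [], "other": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name == "AndroidManifest.xml":
                report["manifest"] = True
            elif name.endswith(".dex"):
                header = zf.read(name)[:8]
                # magic is 'dex\n' + version digits + NUL; anything else is not a dex file
                if header.startswith(DEX_MAGIC_PREFIX) and header[7:8] == b"\0":
                    report["dex"][name] = header[4:7].decode("ascii")
                else:
                    report["dex"][name] = "INVALID"
            elif name.startswith("META-INF/") and name.rsplit(".", 1)[-1] in ("RSA", "DSA", "EC", "SF", "MF"):
                report["signature_files"].append(name)
            elif name.startswith("assets/"):
                report["assets"].append(name)
            else:
                report["other"].append(name)
    return report


if __name__ == "__main__":
    for key, value in inventory_apk(build_sample_apk()).items():
        print(f"{key:16} {value}")
```

The point for the tester is that nothing in the archive is hidden: the manifest, every classes*.dex and the signing certificate are plain zip entries, which is why the static-analysis steps on the next slides (unzip, disassemble, decompile) need no special access to the app.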
Pentest: how to do it?
• Break the testing into three parts:
– Static Testing
– Dynamic Testing
– Local Storage
• Try to uncover issues in every phase.
Static Analysis
• Get the .apk file.
• Reverse engineer it.
• Decompile / disassemble it.
• Disassemble it using
– Dedexer (gives assembly-like output), or
– Baksmali (based on Dedexer; gives code that is easier to understand).
• Decompile it using
– Dex2jar (turns Dalvik code into Java byte code, a jar file).
– Use jd-gui to view the Java source code.
What to look for?
• Look for API information, database connection strings, internal / external IP disclosures and ports, etc.
• If you are lucky, you might get a password too. Believe me, developers are crazy.
• If you can go for social engineering, a lot of emails can be found.
• Tip: a pair of /* and */ holds a lot of information.
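Once the sources are out of jd-gui, the "what to look for" list is a grep job. The following is an added example (not code from the slides or the demo repository) that scans a decompiled Java file for exactly the items above: /* … */ comment blocks, IPv4 addresses with ports, JDBC connection strings, API URLs, e-mail addresses and credential-looking string constants. The Java snippet is a constructed sample; `scan_tree` is an assumed helper for walking a whole exported source tree.

```python
"""Grep decompiled Java sources for the items the slide lists.

Added example, not code from the original slides. SAMPLE_JAVA is a constructed
stand-in for a class exported from jd-gui.
"""
import os
import re

PATTERNS = {
    # a /* ... */ pair, possibly spanning lines (the slide's tip)
    "comments": re.compile(r"/\*.*?\*/", re.DOTALL),
    # IPv4 address with optional port: internal/external hosts and ports
    "ips": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b"),
    # JDBC-style database connection strings
    "jdbc": re.compile(r"""jdbc:[^\s"']+"""),
    # API endpoints
    "urls": re.compile(r"""https?://[^\s"']+"""),
    # e-mail addresses
    "emails": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    # NAME = "value" where NAME smells like a credential
    "credentials": re.compile(
        r"""(\w*(?:password|passwd|pwd|api[_-]?key|secret|token)\w*)\s*=\s*"([^"]*)\"""", re.I
    ),
}

SAMPLE_JAVA = """\
package com.example.demo;

/* TODO: remove before release
   staging db: jdbc:mysql://10.0.2.15:3306/appdb user=app
   ops contact: ops-team@example.invalid */
public class Config {
    static final String API_BASE = "https://api.example.invalid/v2";
    static final String API_KEY = "sk_live_CONSTRUCTED_SAMPLE_KEY";
    static final String DB_PASSWORD = "Summer2014!";
    static final String INTERNAL_HOST = "192.168.1.40:8080";
}
"""


def line_of(text: str, offset: int) -> int:
    """1-based line number of a character offset."""
    return text.count("\n", 0, offset) + 1


def scan_source(text: str) -> dict:
    """Return {category: [(line, hit), ...]} for every pattern match in one file."""
    findings = {name: [] for name in PATTERNS}
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if name == "credentials":
                hit = (m.group(1), m.group(2))       # (identifier, literal value)
            elif name == "comments":
                hit = " ".join(m.group(0).split())  # collapse whitespace for the report
            else:
                hit = m.group(0)
            findings[name].append((line_of(text, m.start()), hit))
    return findings


def scan_tree(root: str) -> dict:
    """Scan every .java file under an exported source tree; {path: findings}."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith(".java"):
                path = os.path.join(dirpath, f)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if any(hits.values()):
                    report[path] = hits
    return report


if __name__ == "__main__":
    for category, hits in scan_source(SAMPLE_JAVA).items():
        for line, hit in hits:
            print(f"{category:11} line {line}: {hit}")
```

Each hit carries its line number so the finding can be quoted back to the developers; the fix on their side is to move such values out of the shipped APK, since, as the previous slides show, anything in classes.dex is readable by anyone who has the app.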
m0bLiz3r Demo
https://github.com/nkpanda/Android-Testing
Dynamic Analysis
• Load the emulator.
• Set up an interception proxy.
• Figure out SSL issues.
• And follow the generic logic test cases you follow in web applications.
Proxy Setup
Continued…
Local Storage Inspection
• Check for sensitive data getting stored on the client side.
• XML files and database files are the most commonly found culprits.
• Inspect memory for sensitive information > memdump.
• Inspect generated logs for sensitive information > logcat.
• Uninstall and check if things remain in the application folder.
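The XML, database and logcat checks above can be scripted once the app's data folder has been pulled. The following added example (not code from the slides or the demo repository) flags plaintext secrets in a shared_prefs XML file, in the columns and values of a SQLite database, and in logcat lines. All three inputs are constructed inline so the script runs offline; the name and value heuristics are assumptions of this example, not a standard.

```python
"""Inspect pulled app storage and logcat output for sensitive data.

Added example, not code from the original slides. The prefs XML, the SQLite
database and the logcat lines are constructed samples.
"""
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Key/column names that usually mark a sensitive value (heuristic)
SENSITIVE_NAME = re.compile(r"pass(word)?|pwd|secret|token|session|auth|card", re.I)
# Value shapes worth flagging whatever the name says
JWT = re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]+")
CARD = re.compile(r"^(?:\d[ -]?){13,19}$")

SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">Summer2014!</string>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c29tZXNpZw</string>
    <boolean name="remember_me" value="true" />
    <int name="launch_count" value="7" />
</map>
"""
SAMPLE_LOGCAT = [  # constructed lines in logcat's threadtime format
    "05-21 10:32:11.123  1234  1234 I LoginActivity: POST /login user=alice password=Summer2014!",
    "05-21 10:32:11.456  1234  1234 D OkHttp: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c29tZXNpZw",
    "05-21 10:32:12.001  1234  1234 I MainActivity: launch_count=7",
]
LOGCAT_LINE = re.compile(r"^\S+ \S+\s+\d+\s+\d+ [VDIWEF] ([^:]+): (.*)$")


def classify(name: str, value: str):
    """Reason a (name, value) pair is sensitive, or None."""
    if SENSITIVE_NAME.search(name):
        return "sensitive name"
    if JWT.search(value):
        return "value looks like a JWT"
    if CARD.match(value):
        return "value looks like a card number"
    return None


def scan_shared_prefs(xml_text: str) -> list:
    """Flag entries of a shared_prefs XML file; returns [(name, reason)]."""
    findings = []
    for el in ET.fromstring(xml_text.encode()):
        name = el.get("name", "")
        value = el.text if el.text is not None else el.get("value", "")
        reason = classify(name, value)
        if reason:
            findings.append((name, reason))
    return findings


def build_sample_db() -> str:
    """Constructed app database with a plaintext password column and a card number."""
    path = str(Path(tempfile.mkdtemp()) / "app.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    con.execute("CREATE TABLE payment (id INTEGER PRIMARY KEY, label TEXT, number TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice@example.invalid', 'Summer2014!')")
    con.execute("INSERT INTO payment VALUES (1, 'visa', '4111 1111 1111 1111')")
    con.commit()
    con.close()
    return path


def scan_sqlite(path: str) -> list:
    """Flag columns by name, then sample values; returns [(table, column, reason)]."""
    findings = []
    con = sqlite3.connect(path)
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for col in [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]:
            reason = classify(col, "")
            if reason is None:  # name is innocent, so look at what is stored in it
                for (v,) in con.execute(f'SELECT "{col}" FROM "{table}" LIMIT 200'):
                    reason = classify("", str(v))
                    if reason:
                        break
            if reason:
                findings.append((table, col, reason))
    con.close()
    return findings


def scan_logcat(lines: list) -> list:
    """Flag log lines that leak credentials or tokens; returns [(tag, reason)]."""
    findings = []
    for line in lines:
        m = LOGCAT_LINE.match(line)
        if not m:
            continue
        tag, msg = m.groups()
        if re.search(r"(?:password|pwd|secret|token)\s*[=:]", msg, re.I):
            findings.append((tag, "credential in log message"))
        elif JWT.search(msg):
            findings.append((tag, "token in log message"))
    return findings
```

The SQLite scanner checks column names first and only reads values when the name gives nothing away, which catches the common case of a secret stored under a harmless column name (here a card number in `payment.number`). On a real target the same functions run over files pulled from the app's data folder and over `adb logcat` output.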
Where to look?
How does it look?
Tools of the Trade
• Android SDK
• ADB
• BurpSuite
• Apktool
• Smali/baksmali
• Dex2jar
• Genymotion
• AppUse / Android Tamer
Challenges
• AppUse is quite slow:
– Save time in loading your emulator.
– Save time in installing the app.
• ADB always runs behind the device. If you are idle, adb stops working, or you have to restart your emulator.
– Keep your ADB attached to the device constantly.
• Commands for every push, apk installation, etc.
– Get a drag-and-drop feature.
• The organization might ask you to get the application from the Play Store.
– Get the Play Store.
• Genymotion
– gives you all of the above sweet cake.
– Supports webcam, mic, GPS, etc. as well (haven’t tested them, however).
– Not stable (one bad out of six is never bad).
Time up: what next?
• OWASP Mobile Top 10
• Drozer (for Inter Process Communication)
• Explore new tools all the time.
• Keep sharing.
Questions?
