
Penetrating Android Applications


A tutorial on how to perform Penetration Testing on Android Applications. The slides were presented in OWASP BASC 2016.



  1. Penetrating Android Applications
     Roshan Thomas | @roshanpty | secvibe.com
     Anurag Dwivedy | @anuragdwivedy
     Northeastern University, OWASP BASC 2016
  2. Some statistics…
     • 25% of mobile apps include at least one high-risk security flaw.
     • 35% of mobile communications are unencrypted.
     • Mobile malware incidents have doubled (2x).
     Sources: NowSecure Mobile Security Report 2016; Intel Security Mobile Threat Report 2016
  3. What we hope to cover today
     • Android application vulnerabilities and their categories
     • How to perform penetration testing on an Android application
     • Intercepting Android traffic
     • Reverse engineering Android applications
  4. OWASP Mobile Top 10
     2014:
     • M1: Weak server side controls
     • M2: Insecure data storage
     • M3: Insufficient transport layer protection
     • M4: Unintended data leakage
     • M5: Poor authorization and authentication
     • M6: Broken cryptography
     • M7: Client side injection
     • M8: Security decisions via untrusted inputs
     • M9: Improper session handling
     • M10: Lack of binary protections
     2016:
     • M1: Improper platform usage
     • M2: Insecure data storage
     • M3: Insecure communication
     • M4: Insecure authentication
     • M5: Insufficient cryptography
     • M6: Insecure authorization
     • M7: Client code quality
     • M8: Code tampering
     • M9: Reverse engineering
     • M10: Extraneous functionality
  5. The key steps
     • Intercept the traffic from the application to its server
       • Test server-side access controls
       • Privilege escalation by manipulating parameters
       • Authentication flaws
     • Decompile the Android application
       • Identify flaws in the native code
       • Bypass security controls like SSL pinning
     • Check Android local storage for sensitive information leakage
       • In application directories
       • Local databases
       • Logs
  6. Intercepting the normal web traffic
     • The browser alerts on an invalid certificate
       • Add a certificate exception
     • The application uses HSTS
       • Add the proxy certificate to the certificate store of the browser
  7. Challenges in intercepting Android traffic
     • Native apps rely on certificates in the device's trusted credentials
     • Some native apps use their own set of trusted credentials (SSL pinning)
  8. Tools and prerequisites
     • A rooted Android device/emulator and ADB tools
       • AVD, Genymotion…
       • ADB tools
     • A web proxy tool
       • Charles Proxy, Burp Suite
     • Tweaks for manipulating the trusted credentials
       • Cydia Substrate / Xposed
       • JustTrustMe
     • Decompiling tools
       • apktool
       • dex2jar
       • JD-GUI
  9. Demo – intercepting Android traffic
     • HTTPS://WWW.YOUTUBE.COM/WATCH?V=YS9I-SDHLEI&FEATURE=YOUTU.BE
  10. Setting up the proxy
     • Start Burp Suite
     • In Proxy > Options, add a new proxy listener on your IP on a desired port
  11. Preparing your Android environment
     • Rooted Android device / emulator
  12. Intercepting non-SSL Android traffic
     • Modify the wireless network settings
     • Add the proxy host name and port in the advanced settings
  13. Intercepting non-SSL Android traffic
     • Access a non-HTTPS site from the browser, or start an application which doesn't use SSL
     • The request to the server and the response can be captured using the Burp listener set up earlier
  14. Intercepting SSL traffic
     • Add the proxy certificate to the trusted store
  15. Intercepting applications which use SSL pinning
     • Install the Xposed framework
     • Install the JustTrustMe module
     • Activate the module
  16. Decompiling Android applications
  17. Life of an APK file
     • APK?
     • DEX?
     Source: AnandTech | Andrei Frumusanu
  18. Vulnerabilities
     • Insecure logging
     • Hardcoded sensitive data
     • Insecure information storage
     • All inputs are evil
  19. Demo – decompiling and vulnerabilities
     https://www.youtube.com/watch?v=6F3fA1kA5BY&feature=youtu.be
  20. Questions?
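Once an APK has been run through apktool, dex2jar and JD-GUI (slides 8 and 16), the four vulnerability classes on slide 18 are what a reviewer greps the recovered Java for. The script below is an added example, not code from the presenters or from any tool the slides name: it scans a constructed fragment of decompiled source with one line-level heuristic per category (sensitive values passed to Log.*, string literals assigned to secret-like names, world-readable or external storage, and client-side SQL or JavaScript-bridge sinks). The sample class, its identifiers and the regexes are all assumptions made for the example; the checks are a triage aid to point a manual review at the right lines, not a complete static analyser.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of what JD-GUI shows after apktool/dex2jar, written for
# this example; it is not taken from any real application.
SAMPLE_DECOMPILED_SOURCE = """\
package com.example.demo;

public class LoginActivity extends Activity {
    private static final String API_KEY = "AKIA-EXAMPLE-HARDCODED-KEY"; // hardcoded secret
    private static final String TAG = "LoginActivity";

    void onLogin(String user, String password) {
        Log.d(TAG, "login user=" + user + " password=" + password); // insecure logging
        SharedPreferences p = getSharedPreferences("creds", MODE_WORLD_READABLE); // insecure storage
        p.edit().putString("password", password).commit();
        String extra = getIntent().getStringExtra("query");
        db.rawQuery("SELECT * FROM notes WHERE title = '" + extra + "'", null); // client-side SQLi
        webView.addJavascriptInterface(new Bridge(), "Android");
        Log.i(TAG, "screen shown"); // benign
    }
}
"""

# Identifiers that usually name sensitive data; the lookbehind stops "pin"
# from matching inside longer words such as "mapping".
SENSITIVE = r"(?<![A-Za-z])(pass(word|wd)?|secret|token|api_?key|private_?key|pin\b|credential)"

# One heuristic per slide-18 category, applied line by line.
CHECKS = [
    ("insecure-logging",
     re.compile(r"\bLog\.[vdiwe]\s*\(.*" + SENSITIVE, re.IGNORECASE)),
    ("hardcoded-secret",
     re.compile(r"\w*(secret|api_?key|private_?key|password|token)\w*\s*=\s*\"[^\"]{8,}\"",
                re.IGNORECASE)),
    ("insecure-storage",
     re.compile(r"\bMODE_WORLD_(READABLE|WRITEABLE)\b|\bgetExternalStorage(Public)?Directory\s*\(")),
    ("client-side-injection",
     re.compile(r"\b(rawQuery|execSQL)\s*\(.*\+|\baddJavascriptInterface\s*\(")),
]


@dataclass
class Finding:
    line: int
    category: str
    snippet: str


def strip_line_comment(line: str) -> str:
    """Drop a trailing // comment but keep the '://' inside URLs."""
    return re.sub(r"(?<!:)//.*$", "", line)


def scan_source(source: str) -> List[Finding]:
    """Return one Finding per (line, category) whose heuristic fires."""
    findings: List[Finding] = []
    for number, raw in enumerate(source.splitlines(), start=1):
        code = strip_line_comment(raw)
        for category, pattern in CHECKS:
            if pattern.search(code):
                findings.append(Finding(number, category, code.strip()))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category for the report header."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_source(SAMPLE_DECOMPILED_SOURCE)
    for f in results:
        print(f"line {f.line:>3}  {f.category:<22} {f.snippet}")
    print(summarize(results))
```

Run it over the `sources/` tree that dex2jar and JD-GUI produce (one `scan_source(open(path).read())` per file) and read the flagged lines in context: a hit on `Log.d` with a password variable is a finding, a hit on `MODE_WORLD_READABLE` needs the surrounding code to confirm what is stored, and `rawQuery` with string concatenation is only exploitable when the concatenated value comes from an intent extra, a deep link or another untrusted source.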
