This talk is going to give an overview of the Android operating system and its apps ecosystem from the security point of view of a penetration tester.
So let's dive into topics like Pentest Environment Setup, Tools of the Trade, App Analysis and some security hints for Android developers.
Services – Component that runs operations in the background without a user interface
Broadcast Receivers – Component that allows receiving notifications from the system or from other applications.
Content Provider – Component that manages access to structured data, typically SQLite
Pentesting Android Applications
Pentester at Integrity S.A.
Web applications, Mobile applications and
BSc in Management Information Technology and
- Environment Setup
- Tools Of The Trade
- App Analysis
- Developers Heads Up
- Physical Equipment
- Android SDK Emulator
- Android x86
Mouse inside VM: Disable Mouse Integration (Host+i)
Portrait Resolution: Edit /mnt/grub/menu.lst and insert UVESA_MODE=320X480 DPI=160
Black screen (locked screen): ACPI Shutdown (Host+h)
Android Shell: Ctrl+F1 / Ctrl+F7
- Root your device *
- Allow Unknown Sources (Settings->Security)
- Install proxy app (ProxyDroid, AutoProxy, etc.)
- Connect to favorite proxy server (Burp
*Physical approach only
Software Development Kit containing API libraries
and developer tools to build, test and debug
For our context, the more important ones are
adb, aapt, ddms and the emulator.
Dalvik Debug Monitor Server (DDMS)
Debugging tool that provides port-forwarding,
screen capture, heap dump, logcat, file manager
and many other features.
Android Manager. File manager and applications
manager, access to logs and shell, take
*Requires aapt that comes with Android SDK.
Tool for converting .dex Android format to .class
Java Decompiler with GUI to display java source
code of class files.
Extract plain-text AndroidManifest.xml from
Tool to analyse app behaviour during runtime
and help to identify potential security issues.
Introspy-Android + Introspy-Analyser
Tool to Generate HTML reports based on the
database generated by Introspy-Android.
Tool to bypass SSL certificate pinning for most
*Custom pinning implementations may need custom hooking
Install Cydia Substrate + AndroidSSLTrustKiller
Turn off SSLTrustKiller:
Proxy Server CA Certificate
Hint (Validate Pinning)
#1 Browse to proxy server address and
#2 Open file via
#3 Save Certificate
Integrated platform for security testing of web
applications. For our context the main interest is
in the Proxy functionality to intercept and
inspect requests between the app and the
Android Environment Sandboxing
(diagram: Process UID (10000) | Process UID (10001))
Android Application Package File (.apk)
Contains Dalvik class files, assets, resources and
Stored at /data/app
Presents information about the app to the
Describes app components
XML format file with key-value pairs.
Single file relational database used to store
application data and settings.
OWASP Top 10 Mobile Risks
M1: Weak Server Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
...
FourGoats is a location-based social network built for sharing everything about your life with
everyone. Using FourGoats, you can check in at various places, earn loyalty rewards, and see
what your friends are doing as well as where they are doing it.
FourGoats also provides an API to other applications to allow their users to share even more
of their activities than ever before!
The Lost Art of Keeping a Secret
Developers Heads Up
• Insecure Data Storage
- Shared Preferences without MODE_WORLD_READABLE.
- Sensitive information should not be stored. If it must be, encrypt it with a key
derived from the user's Password/PIN and not with hardcoded encryption keys.
Still vulnerable to offline brute-force. Enforce a strong password policy.
• Insufficient Transport Layer Protection
- Apply SSL/TLS transport in channels that the app transmits sensitive
information to the backend.
- Implement Certificate Pinning if very sensitive information is transmitted.
• Client Side Injection
- Only export components (Activities, Services, Broadcast Receivers, Content
Providers) that make sense and that cannot bypass access controls and leak
• Lack of Binary Protection
- Obfuscate your code, at minimum with ProGuard. Don't make your attacker
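As an added illustration of the Insecure Data Storage points above (example code written for this summary, not from the talk or from FourGoats): the world-readable, hardcoded-key pattern beside a hardened form that derives the key from the user's PIN. `TokenStore`, the `creds` preference name and the `ctx` Context parameter are assumed names; AES/GCM assumes Android 4.4 (API 19) or later.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.util.Base64;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
public class TokenStore {  // hypothetical class; ctx is the app's Context
    // BAD: world-readable prefs and a hardcoded key. Any app on the device can read the
    // XML file, and the key is recoverable from the decompiled APK (dex2jar + JD-GUI).
    static void storeInsecure(Context ctx, String token) throws Exception {
        SharedPreferences p = ctx.getSharedPreferences("creds", Context.MODE_WORLD_READABLE);
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec("0123456789abcdef".getBytes("UTF-8"), "AES"));
        p.edit().putString("token", Base64.encodeToString(c.doFinal(token.getBytes("UTF-8")), Base64.NO_WRAP)).apply();
    }
    // BETTER: private prefs; key derived from the user's PIN with PBKDF2 and a random salt;
    // AES-GCM with a fresh IV so tampering is detected. The PIN itself is never stored. The file
    // can still be brute-forced offline, hence the iteration count and a strong password policy.
    static void storeEncrypted(Context ctx, char[] pin, String token) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[16], iv = new byte[12];
        rng.nextBytes(salt); rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(pin, salt), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(token.getBytes("UTF-8"));
        ctx.getSharedPreferences("creds", Context.MODE_PRIVATE).edit()
           .putString("salt", Base64.encodeToString(salt, Base64.NO_WRAP))
           .putString("iv", Base64.encodeToString(iv, Base64.NO_WRAP))
           .putString("token", Base64.encodeToString(ct, Base64.NO_WRAP))
           .apply();
    }
    // Wrong PIN or a modified file fails the GCM tag check (AEADBadTagException).
    static String loadEncrypted(Context ctx, char[] pin) throws Exception {
        SharedPreferences p = ctx.getSharedPreferences("creds", Context.MODE_PRIVATE);
        byte[] salt = Base64.decode(p.getString("salt", ""), Base64.NO_WRAP);
        byte[] iv = Base64.decode(p.getString("iv", ""), Base64.NO_WRAP);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(pin, salt), new GCMParameterSpec(128, iv));
        return new String(c.doFinal(Base64.decode(p.getString("token", ""), Base64.NO_WRAP)), "UTF-8");
    }
    static SecretKeySpec deriveKey(char[] pin, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pin, salt, 100000, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }
}
```

Reading the prefs XML under /data/data/<package>/shared_prefs on a rooted device (as set up earlier in the talk) shows the difference: the first variant yields a world-readable file whose ciphertext decrypts with a key pulled from the APK, the second only a salt, IV and ciphertext that are useless without the PIN.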