Humla workshop on Android Security Testing by Sai Sathya narayan Venkatraman, MWR Infosecurity
This workshop gives you hands-on experience in identifying and exploiting the latest categories of vulnerabilities against modern Android applications, based on real-world examples. You’ll use the latest testing tools to assess, unravel and exploit applications, and learn about vulnerability classes unique to Android.
You will learn:
- To analyze applications from an attacker’s perspective
- Basic understanding of the latest attack vectors against Android applications
- To perform black box security assessments against real-world applications using the latest and widely used tools
More info here: http://www.meetup.com/Null-Singapore-The-Open-Security-Community/events/229931768/
2. mwrinfosecurity.com | MWR InfoSecurity 2
About Me
• I am working with MWR Infosecurity as a security
consultant, offering professional penetration tests to
help clients improve their level of IT security.
• Double Masters (Research) in Information Security
• OSCP/CRT/OSCE Certified
Disclaimer
No Android Architecture
No Android Permission Model
No Java Programming
No Zero-Day Vulnerability
Android Basic
• The communication between applications is performed
in a well-defined manner that is strictly facilitated by a
kernel module named binder, which is an Inter-Process
Communication (IPC) system.
• Android applications can make use of four standard
components that can be invoked via calls to binder –
Activities, Services, Broadcast Receivers, Content
Providers.
Android Basic
• Activities represent visual screens of an application
with which users interact. For example, when you
launch an application, you see its main activity.
• Services are components that do not provide a
graphical interface. They provide the facility to
perform tasks that are long running in the background
and run even when the user has opened another
application.
Android Basic
• Broadcast receivers are non-graphical components that
allow an application to register for certain
system or application events.
• Content providers are the data storehouses of an
application, that provide a standard way to retrieve,
modify, and delete data.
Android Basic
• Each Android package contains a file named
AndroidManifest.xml in the root of the archive. This file
defines the package configuration, application
components, and security attributes.
• An intent is a defined object used for messaging which is
created and communicated to an intended application
component.
Drozer
• Drozer is an Android assessment tool.
• Drozer has two distinct use cases –
• Finding vulnerabilities in applications or devices
• Providing exploits and useful payloads for known
vulnerabilities.
• For more information –
https://labs.mwrinfosecurity.com/tools/drozer/
How Drozer works
• Drozer is a distributed system that makes use of some key
components -
• Agent—A lightweight Android application that runs on the device
or emulator being used for testing.
• Console—A command-line interface running on your computer that
allows you to interact with the device through the agent
• Server—Provides a central point where consoles and agents can
route sessions between them.
Services—Services are components that do not provide a graphical interface. They provide the facility to perform tasks that are long running in the background and continue to work even when the user has opened another application or has closed all activities of the application that contains the service. Two different modes of operation exist for services. They can be started or bound to. A service that is started is typically one that does not require the ability to communicate back to the application that started it. A bound service provides an interface to communicate back results to the calling application. A started service continues to function even if the calling application has been terminated. A bound service only stays alive for the time that an application is bound to it.
Broadcast receivers—Broadcast receivers are non-graphical components that allow an application to register for certain system or application events. For instance, an application that requires a notification when receiving an SMS would register for this event using a broadcast receiver. This allows a piece of code from an application to be executed only when a certain event takes place. This avoids a situation where any polling needs to take place and provides a powerful event-driven model for applications. In contrast to other application components, a broadcast receiver can be created at runtime.
Content providers—These are the data storehouses of an application that provide a standard way to retrieve, modify, and delete data. The terminology used to define and interact with a content provider is similar to SQL: query, insert, update, and delete. This component is responsible for delivering an application’s data to another in a structured and secure manner.
In API version 17, which equates to Android 4.2 Jelly Bean, content providers are no longer exported by default. However, if the targetSdkVersion of an application is set to 16 or lower, the content provider will still be exported by default.