Hacking android apps by srini0x00

•

17 likes•3,444 views

srini0x00

Presented at NULL Hyderabad

Technology

SRINIVAS
Application Security Engineer
Tata Consultancy Services
I run www.androidpentesting.com
Hello!

Agenda…
 Android Basics
 Android Security Model
 Hello World in Android
 Reverse Engineering
 Setting up Burp Proxy
 Traffic Analysis with tcpdump & Wireshark
 Insecure Data Storage
Attacking Authentication
 Exploiting Application Components
 Side Channel Data Leakage
 Client Side Injection
 Directory Traversal Attacks
 Infecting Legitimate Apps
 Securing Android Apps

Disclaimer!
> This doesn’t show any automated tools to find and exploit vulnerabilities in Android
Applications.
Example: Appscan for web apps
> But we take help from some semi automated tools.
Example: Burp suite for web apps.
> We can have another Humla with automated tools. 

Android is an operating system based on the Linux kernel, and
designed primarily for touch screen mobile devices such as
smart phones and tablet computers.

Android Security Model
> Security at the OS level through the Linux kernel
> Application sand boxing.
> Secure inter-process communication.
> Application signing.
> Application-defined and user-granted permissions
> Google Bouncer

Android App Components
Activity
Service
Intents
Broadcast Receivers
Content Providers

Let’s say “Hello World”
Building your First App

Reverse Engineering
java
Byte code
Dalvik Code
Dalvik
VM
.java
.class
.dex
javac
dx
Engineering

Reverse Engineering
Reverse
Engineering
java
Dalvik Code
.java
.dex

Reverse Engineering
APKTOOL DEX2JAR
JD-GUI
.smali .java

Pentesting Android Apps
Profiling Your Application
Finding out a vulnerability
Exploiting
Securing
Methodology
We Follow
it in this
workshop

MITM Using Burp suite
1. Run Burp Suite on the machine
2. Set the system’s IP in your device as proxy
3. Start tampering the requests
Mobile based Web Apps

MITM Using Burp suite
Almost similar to regular web application pentesting.
So lets get into native applications.

Native Application Traffic Analysis
1. Get Cross Compiled tcpdump dump binary for your Android Device
2. Push it on to the device
3. Change it’s permissions to 777
4. Start tcpdump and save the packets in a .pcap file
5. Analyze the packets using Wireshark

Insecure Data Storage
1. Shared Preferences
2. SQLite Databases
3. Internal Storage
4. External Storage

Attacking Application Components
1. Activities
2. Services
3. Content Providers
4. Broadcast Receivers
5. Intents

Unintended Data Leakage
> Formerly known as Side Channel Data Leakage
> Occurs when Information processed by the code places
sensitive information some where on the device which can
be accessible to other apps.

Unintended Data Leakage
Leaking Content Providers
Copy/Paste Buffer
Information Disclosure in Logs
URL Caching
and many more….

Challenge
It’s Ur Turn
1 Problem
2 Solutions
Ur time starts now

Infecting Legitimate Apps
That’s your challenge solution 2

Contact Me
https://www.facebook.com/androidpentesting
@srini0x00
srini0x00@gmail.com

What's hot

Android Security & Penetration TestingSubho Halder

Andriod Pentesting and Malware Analysisn|u - The Open Security Community

Android pen test basicsOWASPKerala

Android Security Developmenthackstuff

[Wroclaw #1] Android Security WorkshopOWASP

Android system securityChong-Kuan Chen

Pentesting Android AppsAbdelhamid Limami

Android Application Penetration Testing - Mohammed AdamMohammed Adam

2015.04.24 Updated > Android Security Development - Part 1: App Development Cheng-Yi Yu

My Null Android Penetration Session Avinash Sinha

Android SecurityArqum Ahmad

Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...Consulthinkspa

Mobile HackingNovizul Evendi

Android securityMobile Rtpl

Android SecurityLars Jacobs

Sperasoft talks: Android Security ThreatsSperasoft

Hacker Halted 2014 - Reverse Engineering the Android OSEC-Council

Is My App Secure ?Herman Duarte

Deep Dive Into Android SecurityMarakana Inc.

The art of android hackingAbhinav Mishra

What's hot (20)

Android Security & Penetration Testing

Andriod Pentesting and Malware Analysis

Android pen test basics

Android Security Development

[Wroclaw #1] Android Security Workshop

Android system security

Pentesting Android Apps

Android Application Penetration Testing - Mohammed Adam

2015.04.24 Updated > Android Security Development - Part 1: App Development

My Null Android Penetration Session

Android Security

Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...

Mobile Hacking

Android security

Android Security

Sperasoft talks: Android Security Threats

Hacker Halted 2014 - Reverse Engineering the Android OS

Is My App Secure ?

Deep Dive Into Android Security

The art of android hacking

Similar to Hacking android apps by srini0x00

Mobile application securityShubhneet Goel

Mobile Application SecurityIshan Girdhar

Smart Bombs: Mobile Vulnerability and ExploitationTom Eston

Mobile security and drozer tool demoGowthamraj Palani

Introduction To Information Securitybelsis

Android studio featurexvier3453

Reading Group Presentation: Why Eve and Mallory Love AndroidMichael Rushanan

Web Application SecurityAbdul Wahid

Internet census 2012Giuliano Tavaroli

From Reversing to ExploitationSatria Ady Pradana

From Reversing to Exploitation: Android Application Security in EssenceSatria Ady Pradana

Stephanie Vanroelen - Mobile Anti-Virus apps exposedNoNameCon

Untitled 1Sergey Kochergan

Hacking By NirmalNIRMAL RAJ

Manish Chasta - Securing Android ApplicationsPositive Hack Days

Final_Presentation_FlowDroidKruti Sharma

Android malware presentationSandeep Joshi

Android Security and Peneteration TestingSurabaya Blackhat

Security testing of mobile applicationsGTestClub

The Top 10/20 Internet Security Vulnerabilities – A Primeramiable_indian

Similar to Hacking android apps by srini0x00 (20)

Mobile application security

Mobile Application Security

Smart Bombs: Mobile Vulnerability and Exploitation

Mobile security and drozer tool demo

Introduction To Information Security

Android studio feature

Reading Group Presentation: Why Eve and Mallory Love Android

Web Application Security

Internet census 2012

From Reversing to Exploitation

From Reversing to Exploitation: Android Application Security in Essence

Stephanie Vanroelen - Mobile Anti-Virus apps exposed

Untitled 1

Hacking By Nirmal

Manish Chasta - Securing Android Applications

Final_Presentation_FlowDroid

Android malware presentation

Android Security and Peneteration Testing

Security testing of mobile applications

The Top 10/20 Internet Security Vulnerabilities – A Primer

Recently uploaded

Advanced Computer Architecture – An IntroductionDilum Bandara

DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell

"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays

Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely

unit 4 immunoblotting technique complete.pptxBkGupta21

Take control of your SAP testing with UiPath Test SuiteDianaGray10

How to write a Business Continuity PlanDatabarracks

TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3

Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos

Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan

SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero

TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc

Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3

What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett

Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed

The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech

Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB

Recently uploaded (20)

Advanced Computer Architecture – An Introduction

DSPy a system for AI to Write Prompts and Do Fine Tuning

"Debugging python applications inside k8s environment", Andrii Soldatenko

Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf

unit 4 immunoblotting technique complete.pptx

Take control of your SAP testing with UiPath Test Suite

How to write a Business Continuity Plan

TeamStation AI System Report LATAM IT Salaries 2024

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx

Unleash Your Potential - Namagunga Girls Coding Club

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)

Generative AI for Technical Writer or Information Developers

SIP trunking in Janus @ Kamailio World 2024

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy

Nell’iperspazio con Rocket: il Framework Web di Rust!

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx

What's New in Teams Calling, Meetings and Devices March 2024

Scanning the Internet for External Cloud Exposures via SSL Certs

The Ultimate Guide to Choosing WordPress Pros and Cons

Developer Data Modeling Mistakes: From Postgres to NoSQL

Hacking android apps by srini0x00

1. Hacking and Securing Apps srini0x00

2. SRINIVAS Application Security Engineer Tata Consultancy Services I run www.androidpentesting.com Hello!

3. Agenda…  Android Basics  Android Security Model  Hello World in Android  Reverse Engineering  Setting up Burp Proxy  Traffic Analysis with tcpdump & Wireshark  Insecure Data Storage Attacking Authentication  Exploiting Application Components  Side Channel Data Leakage  Client Side Injection  Directory Traversal Attacks  Infecting Legitimate Apps  Securing Android Apps

4. Disclaimer! > This doesn’t show any automated tools to find and exploit vulnerabilities in Android Applications. Example: Appscan for web apps > But we take help from some semi automated tools. Example: Burp suite for web apps. > We can have another Humla with automated tools. 

5. Lets Begin…

6. What is Android

7. Android is an operating system based on the Linux kernel, and designed primarily for touch screen mobile devices such as smart phones and tablet computers.

8. Android Basics

9. Lets dig in..

10. Android Architecture

11. Android Security Model > Security at the OS level through the Linux kernel > Application sand boxing. > Secure inter-process communication. > Application signing. > Application-defined and user-granted permissions > Google Bouncer

12. Lets See..

13. Android App Components Activity Service Intents Broadcast Receivers Content Providers

14. Let’s say “Hello World” Building your First App

15. Reverse Engineering java Byte code Dalvik Code Dalvik VM .java .class .dex javac dx Engineering

16. Reverse Engineering Reverse Engineering java Dalvik Code .java .dex

17. Reverse Engineering APKTOOL DEX2JAR JD-GUI .smali .java

18. Lets do it..

19. Pentesting Android Apps Profiling Your Application Finding out a vulnerability Exploiting Securing Methodology We Follow it in this workshop

20. MITM Using Burp suite 1. Run Burp Suite on the machine 2. Set the system’s IP in your device as proxy 3. Start tampering the requests Mobile based Web Apps

21. MITM Using Burp suite Almost similar to regular web application pentesting. So lets get into native applications.

22. Native Application Traffic Analysis 1. Get Cross Compiled tcpdump dump binary for your Android Device 2. Push it on to the device 3. Change it’s permissions to 777 4. Start tcpdump and save the packets in a .pcap file 5. Analyze the packets using Wireshark

23. Demo..

24. Insecure Data Storage 1. Shared Preferences 2. SQLite Databases 3. Internal Storage 4. External Storage

25. Demo.. 1

26. Demo.. 2

27. Attacking Application Components 1. Activities 2. Services 3. Content Providers 4. Broadcast Receivers 5. Intents

28. Demo.. 1

29. Demo.. 2

30. Demo.. 3

31. Awww! SQL Injection in Android Demo..

32. Unintended Data Leakage > Formerly known as Side Channel Data Leakage > Occurs when Information processed by the code places sensitive information some where on the device which can be accessible to other apps.

33. Unintended Data Leakage Leaking Content Providers Copy/Paste Buffer Information Disclosure in Logs URL Caching and many more….

34. Content Provider Leakage DEMO 1

35. Copy/Paste Buffer DEMO 2

36. Information Disclosure in Logs DEMO 3

37. Lets look at a Real App DEMO

38. Challenge It’s Ur Turn 1 Problem 2 Solutions Ur time starts now

39. Did I Miss Anything

40. Infecting Legitimate Apps That’s your challenge solution 2

41. Contact Me https://www.facebook.com/androidpentesting @srini0x00 srini0x00@gmail.com

42. Thanks!