Android Penetration Testing-Goat Droid-Null Bangalore
Avinash Sinha-Null Humla Session-Notes Page 1
Hi Everyone,
I attended the Android Penetration testing session organized by Null Bangalore. It was an AWESOME
session by Ashish and everyone enjoyed it. This is the first time the Humla session was organized at
Flipkart and it was a beautiful venue. As I was sure that I may forget it later, I documented the entire
session so that it will help me to revise it later as well. I have tried to make it as comprehensive as
possible which gives you precise step by step instructions. It also covers most of the errors and solutions
we all faced during the session. This will help all of us to revise whatever we were taught in the Humla
Session. It covers everything except the challenges. I am sure once you go through this document it will
help you and others as well who were not able to attend.
Cheers !!!
Install the AppUse VM
Open Android SDK Manager
root@dev-virtual-machine:~/Desktop/AppUse# android
Go to Tools > Manage AVDs and click New.
The emulator is rooted.
If you use your own device, it needs to be rooted for this.
root@dev-virtual-machine:~/Desktop/AppUse/.Android/android-sdk-linux_86/tools# emulator -avd Null
Before that, let's view which tools are available within AppUse.
For those comfortable with the file explorer, go to Desktop > AppUse folder.
Press Ctrl+H to view hidden files.
To open and configure Burp, right-click it and choose to open it with Java.
Configure as seen below
Remember to tick the selected line for the configuration to be active.
-scale sets the size of the emulator window.
-cpu-delay 0 tells us that the delay is set to zero, i.e. there should not be any delay.
root@dev-virtual-machine:~/Desktop/AppUse/.Android/android-sdk-linux_86/tools# emulator -avd Null -scale 0.7 -cpu-delay 0 -http-proxy http://127.0.0.1:8080
A few of you may face errors such as the emulator not opening or hanging. In that case you need to kill the process
and repeat the above command. This usually happens if you have low RAM or the scale value is set to a
large number.
Error 1: If the emulator hangs, use the commands below
ps aux | grep emulator
kill -9 <pid>
(do this if any AVD is open)
Error 2: If there is a "no DNS found" error
Configure your VM network setting to Bridged mode
To capture HTTPS traffic, do the following:
Open Mozilla, Edit tab > Preferences
Select PortSwigger CA and press Export. Save it on your Desktop.
Rename the certificate to PortSwiggerCA.crt
(adb: Android Debug Bridge. Ref: http://developer.android.com/tools/help/adb.html)
To check the attached devices, use the command below:
root@dev-virtual-machine:~/Desktop/AppUse/Pentest# adb devices
List of devices attached
emulator-5554 device
Let's push the certificate to the sdcard.
After pushing the certificate to the sdcard, go to the device: Menu > Settings > Security.
Choose the "Install from SD card" option.
Give any PIN here; I used 1111.
The PortSwigger certificate is installed.
We are storing the certificate in an external location: it is stored on the SD card and installed from there.
Android Debug Bridge (adb) is a versatile command line tool that lets you communicate with an emulator
instance or connected Android-powered device.
Copy all APKs provided during the null session and place them in the AppUse VM in any folder of your choice.
GoatDroid vulnerable apps
1. FourGoats
2. Herd Financial
Install the APK of FourGoats
root@dev-virtual-machine:~/Desktop/APK/OWASP-GoatDroid-0.9/OWASP-GoatDroid-0.9/goatdroid_apps/FourGoats/android_app# adb install "OWASP GoatDroid- FourGoats Android App.apk"
FourGoats is installed and a new icon can be seen in your emulator.
After you reach the APK file location, press TAB and Enter.
Now follow the same process to install the other APK file as well. After installation we
see a success message. We can also confirm it by looking at the device emulator.
root@dev-virtual-machine:~/Desktop/APK/OWASP-GoatDroid-0.9/OWASP-GoatDroid-0.9/goatdroid_apps/HerdFinancial/android_app# adb install "OWASP GoatDroid- Herd Financial Android App.apk"
Open the item selected below by right-clicking it and running it with Java. You will be able to see the DB info (server side).
Then start the web service for Herd Financial.
Go to the emulator and press the Herd Financial app.
We have the server set up.
Click on Menu, then click on Destination Info.
Give the default port 9888.
Click Save.
After you have logged into the application, the testing is just the same as normal web application
security testing.
Press Check Balance.
Alter the account id to /9876543210
To start the testing you are required to know another user's account number:
Tools>utilities>Database browser
Fund transfer testing (test 2):
Alter the account numbers.
GoatDroid testing: FourGoats
Do the same IP settings by pressing Menu > Destination Info.
Let's see the files created by the app. Go to the terminal and use the command below:
adb shell
Every APK will create some files inside /data/data:
root@android:/ # cd /data/data
root@android:/data/data # ls
We can observe that after APK installation the directories below were created:
- org.owasp.goatdroid.fourgoats
- org.owasp.goatdroid.herdfinancial
(The location /data/data is used for all applications; their data is stored inside this folder.)
root@android:/data/data # cd org.owasp.goatdroid.fourgoats
root@android:/data/data/org.owasp.goatdroid.fourgoats #
We can view the file permissions on each file as well.
Refer to the link below if you do not understand the file permissions format.
(http://www.linux.com/learn/tutorials/309527-understanding-linux-file-permissions )
Let's see what FourGoats stores in its files.
The file gives read permission to all users. Open the credentials.xml file with the terminal command:
cat credentials.xml
A hardcoded username and password can be seen.
root@android:/data/data/org.owasp.goatdroid.fourgoats/shared_prefs # exit
Now we decompile the APK file for code review.
A memory error due to Java may occur. If not, you will end up with the code file.
Refer to the link below for tool downloads, if any are required:
http://droiddudes.com/howto-extract-apk-into-readable-java-source-code-and-xml-files/
In this session the below jar was directly provided to me as I ran out of memory, to save time :P
The highlighted line in the pic below contains '1' as the mode set.
Ref link for understanding the vulnerability:
http://developer.android.com/reference/android/content/Context.html#getSharedPreferences%28java.lang.String,%20int%29
- 0: Private mode
- 1: World readable
- 2: World writable
- 4: Multiple process (defines permission for application to use)
Second flaw: hardcoded password
root@dev-virtual-machine:~/Desktop/APK/OWASP-GoatDroid-0.9/OWASP-GoatDroid-0.9/goatdroid_apps/FourGoats/android_app# adb shell
root@android:/ # cd data/data
root@android:/data/data #
We will use sqlite to read the contents of the files stored by FourGoats and Herd Financial in the
data/data folder.
root@android:/data/data/org.owasp.goatdroid.fourgoats/databases # sqlite3 userinfo.db
Error? Why? Because you need to end your SQL statement with a semicolon.
sqlite> .tables
(.tables lists the tables inside)
android_metadata info
sqlite> select * from info;
1|881b71832d7fc841f498f54bf698e0344a557ec42e562981b88f81136175d688dc66b9d4d9fddcec652c852a977d789799d7f0745d9f95fe8a625d9942b29c09|goatdroid|true|true|false
Now let's go for another app, which is supposed to be a financial application (Herd Financial).
Error: the file contents are encrypted.
No need to worry. We have a decrypting method.
Let's decompile the app first and see if we have any clues.
this.db = localUserInfoOpenHelper.getWritableDatabase("hammer");
"hammer" is the key.
From the above pic we can see that the key is stored in the code, which is a bad practice.
Now we install an app which will help us decipher the encrypted db, as we have the key from the code.
SQL Cipher Decrypt is installed. Move the db to the sdcard, as the sdcard is world readable.
root@android:/ # cp data/data/org.owasp.goatdroid.herdfinancial/databases/userinfo.db /mnt/sdcard
(cp <from location> <to location>)
Open SQL Cipher Decrypt. Fill in the details as above and press OK.
On the device, enter the parameters:
1 is the location of the moved file
2 is the name of the location it is to be copied to
3 is the key.
Let's press decrypt and open the result using sqlite.
root@android:/mnt/sdcard # sqlite3 decryptbank.db
Got the details.
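The two storage flaws reviewed above (shared preferences opened with mode 1, and the SQLCipher key passed as a string literal) can be caught by a source check before release. The scanner below is an added example, not part of the original session notes or of GoatDroid; the class name ExampleStore and the sample source are constructed, and only the getWritableDatabase("hammer") line is taken from the notes.

```python
import re

# Mode bits of Context.getSharedPreferences(name, mode); 0 is MODE_PRIVATE.
MODE_FLAGS = {1: "MODE_WORLD_READABLE", 2: "MODE_WORLD_WRITEABLE", 4: "MODE_MULTI_PROCESS"}
WORLD_ACCESS = {"MODE_WORLD_READABLE", "MODE_WORLD_WRITEABLE"}

# getSharedPreferences(<name>, <mode>) where mode is an int literal or a constant.
PREFS_CALL = re.compile(
    r'getSharedPreferences\(\s*(?:"(?:[^"\\]|\\.)*"|[\w.]+)\s*,\s*([\w.]+)\s*\)')
# SQLCipher open calls whose key argument is a string literal.
DB_KEY_CALL = re.compile(
    r'get(?:Writable|Readable)Database\(\s*"((?:[^"\\]|\\.)*)"\s*\)')


def decode_mode(mode):
    """Names of the flags set in an integer mode; an empty list means MODE_PRIVATE."""
    return [name for bit, name in sorted(MODE_FLAGS.items()) if mode & bit]


def mode_flags(token):
    """Resolve a mode written as an int literal (decompiler output) or MODE_* constant."""
    if token.isdigit():
        return decode_mode(int(token))
    name = token.rsplit(".", 1)[-1]
    return [name] if name in MODE_FLAGS.values() else []


def scan_source(path, text):
    """Return (path, line, rule, detail) tuples for both flaws in Java source text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in PREFS_CALL.finditer(line):
            exposed = [f for f in mode_flags(match.group(1)) if f in WORLD_ACCESS]
            if exposed:
                findings.append((path, lineno, "world-accessible-prefs", "|".join(exposed)))
        for match in DB_KEY_CALL.finditer(line):
            # Report only the length so the scan output does not repeat the key.
            detail = "literal key of %d chars" % len(match.group(1))
            findings.append((path, lineno, "hardcoded-db-key", detail))
    return findings


# Constructed sample: line 3 is the call quoted in the notes, the rest is hypothetical.
SAMPLE_JAVA = """\
public class ExampleStore {
    void open() {
        this.db = localUserInfoOpenHelper.getWritableDatabase("hammer");
    }
    void save(Context c) {
        SharedPreferences a = c.getSharedPreferences("credentials", 1);
        SharedPreferences b = c.getSharedPreferences("settings", 0);
        SharedPreferences d = c.getSharedPreferences("cache", Context.MODE_PRIVATE);
    }
}
"""

if __name__ == "__main__":
    for finding in scan_source("ExampleStore.java", SAMPLE_JAVA):
        print("%s:%d %s (%s)" % finding)
```

The fixes the findings point to are mode 0 (MODE_PRIVATE) for preferences and a database key that is not embedded in the APK.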
Each application has a manifest file. The tool to extract it is apktool:
apktool d
root@dev-virtual-machine:~/Desktop/APK/OWASP-GoatDroid-0.9/OWASP-GoatDroid-0.9/goatdroid_apps/FourGoats/android_app# apktool d ~/Desktop/APK/OWASP-GoatDroid-0.9/OWASP-GoatDroid-0.9/goatdroid_apps/FourGoats/android_app/"OWASP GoatDroid- FourGoats Android App.apk"
Three things to check in the manifest file:
Export, Permission and Debugging
Ref link: http://developer.android.com/guide/topics/security/permissions.html#manifest
Permission will tell us which provisions the app is assigned to use.
Ref link: https://developer.android.com/guide/topics/manifest/manifest-intro.html#perms
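The three manifest checks (export, permission, debugging) can be run automatically over the AndroidManifest.xml that apktool writes out. This is an added example, not part of the original notes; the sample manifest is constructed, its component names are hypothetical, and it is not the real FourGoats manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def attr(elem, name):
    """Read an android:<name> attribute."""
    return elem.get(ANDROID_NS + name)


def is_launcher(comp):
    """The MAIN/LAUNCHER activity has to be exported, so it is not reported."""
    for flt in comp.findall("intent-filter"):
        actions = {attr(a, "name") for a in flt.findall("action")}
        categories = {attr(c, "name") for c in flt.findall("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in categories):
            return True
    return False


def audit_manifest(xml_data):
    """Report debuggable flag, requested permissions and unprotected exported components.

    Pass the file content as bytes when it starts with an XML encoding declaration.
    """
    root = ET.fromstring(xml_data)
    names = [attr(p, "name") for p in root.findall("uses-permission")]
    report = {
        "package": root.get("package"),
        "permissions": sorted(n for n in names if n),
        "debuggable": False,
        "exported": [],
    }
    app = root.find("application")
    if app is None:
        return report
    report["debuggable"] = attr(app, "debuggable") == "true"
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        flag = attr(comp, "exported")
        if flag == "true":
            how = "explicit"
        elif flag is None and comp.tag != "provider" and comp.find("intent-filter") is not None:
            # Before Android 12 an intent-filter exports the component by default.
            # Assumption: providers are only treated as exported when marked explicitly.
            how = "intent-filter"
        else:
            continue
        guarded = attr(comp, "permission") or attr(app, "permission")
        if guarded or is_launcher(comp):
            continue
        report["exported"].append((comp.tag, attr(comp, "name"), how))
    return report


# Constructed manifest for illustration; component names are hypothetical.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.owasp.goatdroid.fourgoats">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:debuggable="true">
    <activity android:name=".ExampleMain">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ExampleInternal"/>
    <service android:name=".ExampleService" android:exported="true"/>
    <receiver android:name=".ExampleReceiver">
      <intent-filter><action android:name="org.example.ACTION_DEMO"/></intent-filter>
    </receiver>
    <service android:name=".ExampleGuarded" android:exported="true"
             android:permission="org.example.permission.DEMO"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(key, "=", value)
```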
Other sample applications:
- Genymotion
- Android Tamer
Hope you all enjoyed reading this article


Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 

KĂŒrzlich hochgeladen (20)

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

My Null Android Penetration Session

  • 1. Android Penetration Testing-Goat Droid-Null Bangalore Avinash Sinha-Null Humla Session-Notes Page 1 Hi Everyone, I attended the Android Penetration testing session organized by Null Bangalore. It was an AWESOME session by Ashish and everyone enjoyed it. This is the first time the Humla session was organized at Flipkart and it was a beautiful venue. As I was sure that I might forget it later, I documented the entire session so that it will help me to revise it later as well. I have tried to make it as comprehensive as possible, with precise step-by-step instructions. It also covers most of the errors and solutions we all faced during the session. This will help all of us to revise whatever we were taught in the Humla Session. It covers everything except the challenges. I am sure once you go through this document it will help you and others as well who were not able to attend. Cheers !!!
  • 2. Install the AppUse VM. Open the Android SDK Manager:
      root@dev-virtual-machine:~/Desktop/AppUse# android
      Go to Tools -> Manage AVDs -> New.
  • 4. The emulator is rooted. Your own device needs to be rooted for this.
      root@dev-virtual-machine:~/Desktop/AppUse/.Android/android-sdk-linux_86/tools# emulator -avd Null
      Before that, let's view which tools are available within AppUse.
  • 5. For those comfortable with the file explorer: go to Desktop -> AppUse folder, then press Ctrl+H to view hidden files.
  • 6. To open and configure Burp: right-click and use Java to open it. Configure as seen below.
  • 7. Remember to tick the selected line for the configuration to be active. -scale is the size. -cpu-delay 0 tells us that the delay is set to zero, i.e. there should not be any delay.
      root@dev-virtual-machine:~/Desktop/AppUse/.Android/android-sdk-linux_86/tools# emulator -avd Null -scale 0.7 -cpu-delay 0 -http-proxy http://127.0.0.1:8080
      A few may face errors such as the emulator not opening or hanging. In that case, kill the process and repeat the above command. This usually happens if you have low RAM or the scale value is set to a large number.
      Error 1: If it hangs, use the commands below (if any AVD is open):
      ps aux | grep emulator
      kill -9 <pid>
      Error 2: If there is a "no DNS found" error, configure your VM network setting to Bridged mode.
  • 9. To capture HTTPS traffic, do the following: open Mozilla, Edit tab -> Preferences.
  • 11. Select PortSwigger CA and press Export. Save it on your Desktop.
  • 12. Rename the certificate to PortSwiggerCA.crt. adb (Android Debug Bridge), ref: http://developer.android.com/tools/help/adb.html To check the attached devices, use the command below:
      root@dev-virtual-machine:~/Desktop/AppUse/Pentest# adb devices
      List of devices attached
      emulator-5554 device
      Let's push the certificate to the sdcard.
  • 13. After pushing the certificate to the sdcard, on the device go to Menu -> Settings -> Security.
  • 14. Choose the "Install from SD card" option.
  • 16. Give any PIN here; I used 1111. PortSwigger is installed. We are storing the certificate in an external location: the certificate is to be stored on the SD card. Android Debug Bridge (adb) is a versatile command line tool that lets you communicate with an emulator instance or connected Android-powered device. Install the certificate from the SD card. Copy all the APKs provided during the null session and place them in the AppUse VM in any folder of your choice.
  • 17. GoatDroid vulnerable apps: 1. FourGoats 2. Herd Financial
  • 18. Install the FourGoats APK:
      root@dev-virtual-machine:~/Desktop/APK/OWASP-GoatDroid-0.9/OWASP-GoatDroid-0.9/goatdroid_apps/FourGoats/android_app# adb install "OWASP GoatDroid- FourGoats Android App.apk"
      FourGoats is installed and a new icon can be seen in your emulator. After you reach the APK file location, press TAB and Enter.
  • 19. Now follow the same process to install the other APK file as well. After installation we see a success message. We can also confirm it by looking at the device emulator.
      root@dev-virtual-machine:~/Desktop/APK/OWASP-GoatDroid-0.9/OWASP-GoatDroid-0.9/goatdroid_apps/HerdFinancial/android_app# adb install "OWASP GoatDroid- Herd Financial Android App.apk"
  • 20. Open the item selected below, using right-click and run with Java. You will be able to see the DB info (server side). Then start the web service for Herd Financial.
  • 21. Go to the emulator and press the Herd Financial app. We have the server set up. Click on Menu, then click on Destination Info.
  • 22. Give the default port 9888. Click Save.
  • 23. After you have logged into the application, the testing is the same as normal web application security testing. Press Check Balance. Alter the account ID to /9876543210
  • 24. To start the testing you need to know another user's account number: Tools > Utilities > Database Browser. To transfer fund testing 2
  • 25. Alter the account numbers. GoatDroid testing: FourGoats
  • 26. Do the same IP settings by pressing Menu -> Destination Info. Let's see the files created by the app. Go to the terminal and use the command below:
      adb shell
      Every APK will create some files inside
  • 27. root@android:/ # cd /data/data
      root@android:/data/data # ls
      We can observe that after APK installation the following directories were created:
        - org.owasp.goatdroid.fourgoats
        - org.owasp.goatdroid.herdfinancial
      (The location data/data is used for all applications; their data is stored inside this folder.)
      root@android:/data/data # cd org.owasp.goatdroid.fourgoats
      root@android:/data/data/org.owasp.goatdroid.fourgoats #
      We can view the file permissions on each file as well. Refer to the link below if you do not understand the file permissions format. (http://www.linux.com/learn/tutorials/309527-understanding-linux-file-permissions)
  • 28. Let's see what is stored in files by FourGoats. Read permission is given to all users. Open the credentials.xml file with the terminal command:
      cat credentials.xml
      A hardcoded username and password can be seen.
  • 29. root@android:/data/data/org.owasp.goatdroid.fourgoats/shared_prefs # exit
  • 30. Now we decompile the APK file for code review. A memory error due to Java may occur. If not, you will end up with the code file. Refer to the links below, which are helpful for tool downloads if any are required.
  • 31. http://droiddudes.com/howto-extract-apk-into-readable-java-source-code-and-xml-files/ In this session the jar below was directly provided to me, as I ran out of memory, to save time :P
  • 32. The highlighted line in the picture below contains '1' as the mode set. Reference link for understanding the vulnerability: http://developer.android.com/reference/android/content/Context.html#getSharedPreferences%28java.lang.String,%20int%29
  • 33. Mode values:
        - 0 Private mode
        - 1 World readable
        - 2 World writable
        - 4 Multiple process: defines permission for application to use
      Second flaw: hardcoded password
      root@dev-virtual-machine:~/Desktop/APK/OWASP-GoatDroid-0.9/OWASP-GoatDroid-0.9/goatdroid_apps/FourGoats/android_app# adb shell
      root@android:/ # cd data/data
      root@android:/data/data #
      We will use sqlite to read the contents of the files stored by FourGoats and Herd Financial in the data/data folder.
  • 34. root@android:/data/data/org.owasp.goatdroid.fourgoats/databases # sqlite3 userinfo.db
      Error. Why? Because you need to end your SQL statement with a semicolon.
      sqlite> .tables
  • 35. (List the tables inside with .tables)
      android_metadata info
      sqlite> select * from info;
      1|881b71832d7fc841f498f54bf698e0344a557ec42e562981b88f81136175d688dc66b9d4d9fddcec652c852a977d789799d7f0745d9f95fe8a625d9942b29c09|goatdroid|true|true|false
      Now let's move on to another app, which is supposed to be a financial application (Herd Financial). Error: the file contents are encrypted. No need to worry, we have a decrypting method. Let's decompile the app first and see if we have any clues.
  • 36. this.db = localUserInfoOpenHelper.getWritableDatabase("hammer");
      "hammer" is the key. From the picture above we can see that the key is stored in the code, which is a bad practice. Now we install an app which will help us decipher the encrypted DB, as we have the key from the code.
  • 37. SQL Cipher Decrypt is installed. Move the DB to the sdcard, as the SD card is world readable:
      root@android:/ # cp data/data/org.owasp.goatdroid.herdfinancial/databases/userinfo.db /mnt/sdcard
      (cp <from location> <to location>)
  • 38. Open SQL Cipher Decrypt. Fill in the details as above and press OK. On the device, the parameters are: 1 is the location of the moved file, 2 is the name of the location to copy the output to, 3 is the key. Press Decrypt and open the result using sqlite.
  • 39. root@android:/mnt/sdcard # sqlite3 decryptbank.db
      Got the details :)
  • 40. Each application has a manifest file. Tool name: apktool (apktool d).
      root@dev-virtual-machine:~/Desktop/APK/OWASP-GoatDroid-0.9/OWASP-GoatDroid-0.9/goatdroid_apps/FourGoats/android_app# apktool d ~/Desktop/APK/OWASP-GoatDroid-0.9/OWASP-GoatDroid-0.9/goatdroid_apps/FourGoats/android_app/"OWASP GoatDroid- FourGoats Android App.apk"
      Three things to check in the manifest file: export, permission and debugging. Ref link: http://developer.android.com/guide/topics/security/permissions.html#manifest
      Permission will tell us which provisions the app is assigned to use. Ref link: https://developer.android.com/guide/topics/manifest/manifest-intro.html#perms
      Other sample applications:
        - Genymotion
        - Android Tamer
      Hope you all enjoyed reading this article :)
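
The three manifest checks named in slide 40 (export, permission, debugging), written out as an added example that is not part of the original session notes. It parses an AndroidManifest.xml as decoded by apktool; the sample manifest and the package name com.example.demo are constructed.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded manifest carry the android: namespace.
A = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not taken from FourGoats or Herd Financial).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:debuggable="true" android:label="Demo">
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <activity android:name=".Settings" android:exported="false"/>
    <service android:name=".Sync" android:exported="true"/>
    <receiver android:name=".SmsIn" android:exported="true"
              android:permission="com.example.demo.PRIV"/>
  </application>
</manifest>
"""


def is_exported(tag, comp):
    """Explicit android:exported wins. Without it, an intent-filter implies
    exported for activities, services and receivers (apps targeting
    Android 12 or later must set the attribute explicitly). Providers
    without the attribute are not flagged here, because their default
    depends on the target SDK."""
    value = comp.get(A + "exported")
    if value is not None:
        return value.lower() == "true"
    return tag != "provider" and comp.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return requested permissions, the debuggable flag and exported components."""
    root = ET.fromstring(xml_text)
    report = {
        "permissions": [p.get(A + "name") for p in root.iter("uses-permission")],
        "debuggable": False,
        "exported": [],  # (tag, name, guarding permission or None)
    }
    app = root.find("application")
    if app is None:
        return report
    report["debuggable"] = app.get(A + "debuggable", "false").lower() == "true"
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            if is_exported(tag, comp):
                report["exported"].append(
                    (tag, comp.get(A + "name"), comp.get(A + "permission")))
    return report


def unprotected(report):
    """Exported components that other apps can reach without holding a permission."""
    return [name for _tag, name, perm in report["exported"] if perm is None]


if __name__ == "__main__":
    result = audit_manifest(SAMPLE_MANIFEST)
    print("debuggable:", result["debuggable"])
    print("requested permissions:", result["permissions"])
    print("exported without permission:", unprotected(result))
```
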
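
A static check for the two code flaws found during the code review in slides 32 to 36: a shared-preferences mode with the world-readable or world-writable bit set, and a string literal passed as the database key. This is an added example, not code from the session; apart from the getWritableDatabase("hammer") line quoted in the notes, the sample source lines are constructed.

```python
import re

# Mode bits as listed in slide 33 (0 private, 1 world readable,
# 2 world writable, 4 multi process), under their Context constant names.
MODE_BITS = {"MODE_PRIVATE": 0, "MODE_WORLD_READABLE": 1,
             "MODE_WORLD_WRITEABLE": 2, "MODE_MULTI_PROCESS": 4}

PREFS_CALL = re.compile(r'getSharedPreferences\(\s*"([^"]*)"\s*,\s*([^)]+?)\s*\)')
DB_KEY_CALL = re.compile(r'get(?:Writable|Readable)Database\(\s*"([^"]*)"\s*\)')

# Constructed decompiled-source sample; only the "hammer" line is from the notes.
SAMPLE_SOURCE = '''\
SharedPreferences localPrefs = getSharedPreferences("credentials", 1);
SharedPreferences safePrefs = getSharedPreferences("settings", 0);
SharedPreferences named = getSharedPreferences("cache", Context.MODE_WORLD_WRITEABLE);
this.db = localUserInfoOpenHelper.getWritableDatabase("hammer");
this.db = helper.getWritableDatabase(keyFromKeystore);
'''


def mode_value(expr):
    """Resolve a mode argument (integer literal or OR-ed constants) to its
    bit value; return None when it is not a compile-time constant."""
    total = 0
    for part in expr.split("|"):
        part = part.strip()
        if part.isdigit():
            total |= int(part)
            continue
        name = part.rsplit(".", 1)[-1]
        if name not in MODE_BITS:
            return None
        total |= MODE_BITS[name]
    return total


def scan_source(text):
    """Return (line number, rule, detail) for each finding in the source text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PREFS_CALL.finditer(line):
            bits = mode_value(m.group(2))
            if bits is None:
                continue
            if bits & 1:
                findings.append((lineno, "world-readable-prefs", m.group(1)))
            if bits & 2:
                findings.append((lineno, "world-writable-prefs", m.group(1)))
        for m in DB_KEY_CALL.finditer(line):
            # Report the literal's length only, so the key is not copied into reports.
            findings.append((lineno, "hardcoded-db-key",
                             "%d-char literal" % len(m.group(1))))
    return findings


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(finding)
```
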