This document summarizes Daniel Bradberry's presentation on using the Mercury security assessment framework to test Android application security. It introduces Bradberry as the head of security tools development at MWR. The presentation covers Android security concepts like sandboxes and inter-process communication (IPC), common Android vulnerabilities, and how Mercury allows dynamic analysis of Android apps to identify vulnerabilities without debugging. It concludes with a demonstration of Mercury finding vulnerabilities in a sample Android password manager app.

1. Security Testing
Android
with Mercury
Daniel Bradberry
9th April 2013

2. Who is this guy?
Daniel Bradberry
Head of Security Tools Development at MWR
We build tools for security assessment and
assurance.

3. Agenda
• Introduction
• Android (In)Security
• Mercury
• Performing an Assessment
• Summary

4. Android Security
• Code runs in a Dalvik VM
• Apps are constrained by a “Sandbox”:
– one Unix user per app
– granular permissions.
• Apps interact through Inter-Process
Communication (IPC)

5. Android Insecurity
• ‘Normal’ Coding Issues
• Use of Native Code
• Use of the SD Card
• Misuse of IPC
• Apps shipped with Debugging enabled

6. Android IPC
• Apps export features to
share: com.ex.app1
– activities
– broadcast receivers
– content providers
Binder
– services
• The ‘Binder’ routes
com.ex.app2
messages between
apps.

7. Android IPC
<activity android:name=“.MainActivity”
android:exported=“true”>
<intent-filter>
<action
name="android.search.action.MAIN" />
<category
name="android.intent.category
.LAUNCHER" />
</intent-filter>
</activity>

8. Tools to Help
• adb
• aapt
• Custom Scripts
• Decompilers

9. Mercury
Security Assessment
Framework for Android
• Dynamic Analysis
• Rapid Iteration
• Does not require
debugging
• Can be used over the
Internet

10. mwr.to/mercury

11. How it Works
• Agent
– single permission Mobile
Android app Agent
Device
– runs on your device or
emulator.
• Console
– command-line interface
to interact with the Console PC
Agent
– runs on your PC.

12. Performing an Assessment
Investigate
Identify the Find
Potential Exploit
Attack Surface Vulnerabilities
Attack Vectors

13. Let’s Do It!
• Sieve is a Password Manager
• It’s installed in an Android 4.1.2 emulator,
along with the Mercury Agent.

14. Demo Time

15. Summary
• We seem to have largely forgotten security
when developing Android apps.
• These vulnerabilities expose our users and
businesses to risk.
• We can use Mercury to discover all sorts of
Android vulnerabilities.

16. mwr.to/mercury
Questions?
@droidhg