This document summarizes Daniel Bradberry's presentation on using the Mercury security assessment framework to test Android application security. It introduces Bradberry as the head of security tools development at MWR. The presentation covers Android security concepts like sandboxes and inter-process communication (IPC), common Android vulnerabilities, and how Mercury allows dynamic analysis of Android apps to identify vulnerabilities without debugging. It concludes with a demonstration of Mercury finding vulnerabilities in a sample Android password manager app.
4. Android Security
• Code runs in a Dalvik VM
• Apps are constrained by a “Sandbox”:
– one Unix user per app
– granular permissions.
• Apps interact through Inter-Process Communication (IPC)
5. Android Insecurity
• ‘Normal’ Coding Issues
• Use of Native Code
• Use of the SD Card
• Misuse of IPC
• Apps shipped with Debugging enabled
6. Android IPC
• Apps export features to share:
– activities
– broadcast receivers
– content providers
– services
• The ‘Binder’ routes messages between apps.
(Diagram: com.ex.app1 and com.ex.app2 connected through the Binder)
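To make the exported-component attack surface concrete, here is an added example (not from the presentation and not Mercury code) that audits a decoded AndroidManifest.xml for exported components and the debuggable flag. The sample manifest and its component names are constructed, and the script assumes a text-form manifest rather than the binary XML stored inside an APK.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest in decoded (text) XML form; all names are made up.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.ex.app1">
  <uses-sdk android:targetSdkVersion="16"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.ex.app1.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
    <provider android:name=".DataProvider" android:authorities="com.ex.app1.data"/>
  </application>
</manifest>
"""

def is_exported(elem, target_sdk):
    """Apply the platform's defaults when android:exported is not set."""
    explicit = elem.get(A + "exported")
    if explicit is not None:
        return explicit == "true"
    if elem.tag == "provider":
        return target_sdk <= 16  # providers were exported by default up to API 16
    return elem.find("intent-filter") is not None  # pre-Android 12 default

def audit_manifest(xml_text):
    """Return the debuggable flag and every exported component with its permission."""
    root = ET.fromstring(xml_text.strip())
    sdk = root.find("uses-sdk")
    target_sdk = int(sdk.get(A + "targetSdkVersion", "1")) if sdk is not None else 1
    app = root.find("application")
    exported = []
    for elem in app:
        if elem.tag in COMPONENTS and is_exported(elem, target_sdk):
            # Component permission overrides the application-wide one; provider
            # readPermission/writePermission are not evaluated here.
            perm = elem.get(A + "permission") or app.get(A + "permission")
            exported.append((elem.tag, elem.get(A + "name"), perm))
    return {"debuggable": app.get(A + "debuggable") == "true", "exported": exported}

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print("debuggable:", report["debuggable"])
    for tag, name, perm in report["exported"]:
        print(f"{tag:9} {name:18} permission={perm or 'NONE (reachable by any app)'}")
```

Exported components with no permission are the ones to review first, and any that must stay exported should be guarded by a signature-level permission where the caller set is known.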
11. How it Works
• Agent
– single permission Android app
– runs on your device or emulator.
• Console
– command-line interface to interact with the Agent
– runs on your PC.
(Diagram: Agent on the Mobile Device, Console on the PC)
12. Performing an Assessment
• Identify the Attack Surface
• Investigate Potential Attack Vectors
• Find Vulnerabilities
• Exploit
13. Let’s Do It!
• Sieve is a Password Manager
• It’s installed in an Android 4.1.2 emulator, along with the Mercury Agent.
15. Summary
• We seem to have largely forgotten security when developing Android apps.
• These vulnerabilities expose our users and businesses to risk.
• We can use Mercury to discover all sorts of Android vulnerabilities.