Rapid Android Application
Security Testing
Agenda
• Introduction to Android Testing
– Static Analysis
– Dynamic Analysis
– Local Storage Inspection
• Challenge.txt
Android Security Testing
• You can install the app on a physical device and test it against the network.
• You can install the application in an emulator and test it there.
What’s inside?
• Android is a Linux kernel based OS.
• The Dalvik VM (Dalvik Virtual Machine) executes the dex file (Dalvik Executable).
• An APK (Android Application Package) is a zip archive containing all the resources: the manifest file, signatures, the dex file, and other resources.
So what happens?
• Java source code is compiled to Java byte code using the Java compiler.
• Byte code is converted into Dalvik code using the dex compiler.
• The Dalvik Executable (dex file) goes to the Dalvik VM and executes within it.
…Continued.
[Diagram: Java Source Code → Java Compiler → Java Byte Code → Dex Compiler → Dalvik Code, i.e. Dalvik Executable (Dex File) → Dalvik VM]
Pentest: how to do it?
• Break the testing into
three parts:
– Static Testing
– Dynamic Testing
– Local Storage
• Try to uncover issues in
every phase.
Static Analysis
• Get the .apk file.
• Reverse engineer it.
• Decompile / disassemble it.
• Disassemble it using
– Dedexer (gives assembly-like output), or
– Baksmali (based on Dedexer; gives code that is easier to understand).
• Decompile it using
– Dex2jar (turns Dalvik code into Java byte code, i.e. a jar file).
– Use jd-gui to view the Java source code.
What to look for?
• Look for API information, database connection strings, internal / external IP disclosures and ports, etc.
• If you are lucky, you might get a password too. Believe me, developers are crazy.
• If you go for social engineering, a lot of emails can be found.
• Tip: A pair of /* and */ holds a lot of information.
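One way to turn this slide into a repeatable check, as an added example that is not part of the deck or its demo repository: once dex2jar and jd-gui have produced .java files, scan them for the categories the slide lists (API endpoints, connection strings, IPs and ports, e-mail addresses, password-like assignments, and /* ... */ comment blocks). The sample source at the bottom is constructed for the demonstration and the regexes are assumptions tuned for plain jd-gui output, not for obfuscated code.

```python
"""Scan decompiled Java sources for the indicators the static-analysis slide lists."""
import re
from pathlib import Path

# One regex per category from the slide (assumed patterns, not from the deck).
PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "ip_port": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b"),
    "conn_string": re.compile(r"jdbc:[^\s\"']+", re.IGNORECASE),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    # Keep the whole name = "value" pair so the report carries context.
    "password": re.compile(
        r"(?i)\b(pass(?:word|wd)?|secret|api[_-]?key|token)\b\s*=\s*\"([^\"]{4,})\""),
}
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
COMMENT_HINT = re.compile(r"(?i)todo|fixme|pass|key|prod|test|server")


def scan_source(text: str) -> dict:
    """Return {category: sorted unique hits} for the text of one source file."""
    findings = {}
    for name, pattern in PATTERNS.items():
        hits = {m.group(0) for m in pattern.finditer(text)}
        if hits:
            findings[name] = sorted(hits)
    # Block comments are only reported when they mention something worth a look.
    comments = [c.strip() for c in BLOCK_COMMENT.findall(text) if COMMENT_HINT.search(c)]
    if comments:
        findings["comment"] = comments
    return findings


def scan_tree(root: Path) -> dict:
    """Scan every .java file below root (e.g. the jd-gui export directory)."""
    report = {}
    for path in root.rglob("*.java"):
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


# Constructed sample of what a decompiled config class can look like (not a real app).
SAMPLE_SOURCE = '''
package com.example.app;
/* TODO remove before prod: test server at 10.0.2.2:8080, owner support@example.com */
public class Config {
    static final String API = "https://api.example.com/v1/login";
    static final String DB = "jdbc:mysql://10.1.2.3:3306/appdb";
    static final String password = "Summer2014!";
}
'''

if __name__ == "__main__":
    for category, hits in scan_source(SAMPLE_SOURCE).items():
        print(f"{category}: {hits}")
```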
m0bLiz3r Demo
https://github.com/nkpanda/Android-Testing
Dynamic Analysis
• Load the emulator.
• Set up an interception proxy.
• Figure out SSL issues (certificate validation and pinning).
• Then follow the same generic logic test cases you use for web applications.
Proxy Setup
Continued…
Local Storage Inspection
• Check for sensitive data being stored on the client side.
• XML files and database files are the most commonly found culprits.
• Inspect memory for sensitive information > memdump
• Inspect generated logs for sensitive information > logcat.
• Uninstall and check whether anything remains in the application folder.
Where to look?
How does it look?
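The local storage checks above as a small audit script, added here as an example and not part of the deck: it assumes the app's private directory has already been pulled from a rooted device or emulator (adb pull /data/data/<package>/), then flags shared_prefs entries and SQLite columns whose names look sensitive, and lists whatever is left in the folder after uninstall. The sample data directory is constructed in a temp folder for the demonstration; the SENSITIVE_KEY pattern is an assumption.

```python
"""Audit a pulled Android app data directory: shared_prefs XML, SQLite DBs, leftovers."""
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Key/column names that deserve a manual look (assumed list, extend as needed).
SENSITIVE_KEY = re.compile(r"(?i)pass|pwd|secret|token|key|pin|session|card")


def audit_shared_prefs(prefs_dir: Path) -> list:
    """Return (file, key, value) for preference entries whose key looks sensitive."""
    hits = []
    for xml_file in sorted(prefs_dir.glob("*.xml")):
        for node in ET.parse(xml_file).getroot():
            key = node.get("name", "")
            value = node.get("value", node.text or "")  # <boolean value=..> vs <string>text
            if SENSITIVE_KEY.search(key):
                hits.append((xml_file.name, key, value))
    return hits


def audit_databases(db_dir: Path) -> list:
    """Return (db, table, column) for columns whose name looks sensitive."""
    hits = []
    for db_file in sorted(db_dir.glob("*.db")):
        con = sqlite3.connect(db_file)
        try:
            tables = [r[0] for r in con.execute(
                "SELECT name FROM sqlite_master WHERE type='table'")]
            for table in tables:
                for col in con.execute(f'PRAGMA table_info("{table}")'):
                    if SENSITIVE_KEY.search(col[1]):  # col[1] is the column name
                        hits.append((db_file.name, table, col[1]))
        finally:
            con.close()
    return hits


def leftovers_after_uninstall(app_dir: Path) -> list:
    """Files still under the app folder after `adb uninstall`; should be empty."""
    if not app_dir.exists():
        return []
    return sorted(str(p.relative_to(app_dir)) for p in app_dir.rglob("*") if p.is_file())


def build_sample(root: Path) -> Path:
    """Construct a fake pulled data directory (not from any real app)."""
    app = root / "com.example.app"
    (app / "shared_prefs").mkdir(parents=True)
    (app / "databases").mkdir()
    (app / "shared_prefs" / "user.xml").write_text(
        '<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
        '<string name="username">alice</string>\n'
        '<string name="auth_token">tok_constructed_abc123</string>\n'
        '<boolean name="remember_me" value="true" />\n</map>\n')
    con = sqlite3.connect(app / "databases" / "app.db")
    con.execute("CREATE TABLE users(id INTEGER, name TEXT, password TEXT)")
    con.execute("CREATE TABLE notes(id INTEGER, body TEXT)")
    con.commit()
    con.close()
    return app


def run_sample() -> dict:
    """Build the sample directory and run all three checks on it."""
    with tempfile.TemporaryDirectory() as tmp:
        app = build_sample(Path(tmp))
        return {"prefs": audit_shared_prefs(app / "shared_prefs"),
                "dbs": audit_databases(app / "databases"),
                "files": leftovers_after_uninstall(app)}


if __name__ == "__main__":
    print(run_sample())
```

On a real pull, point the three functions at the pulled directory before and after `adb uninstall` to confirm the folder is gone.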
Tools of the Trade
• Android SDK
• ADB
• BurpSuite
• APKtools
• Smali/baksmali
• Dex2jar
• Genymotion
• AppUse / Android Tamer.
Challenges
• AppUse is quite slow:
– Save time in loading your emulator.
– Save time in installing the app.
• ADB always lags behind the device. If you are idle, adb stops working and you have to restart your emulator.
– Keep your ADB attached to the device constantly.
• Commands are needed for every push, apk installation, etc.
– Get a drag and drop feature.
• The organization might ask you to get the application from the Play Store.
– Get the Play Store.
• Genymotion
– gives you all of the above sweet cake.
– Supports webcam, mic, GPS, etc. as well --------- haven't tested them, however.
– Not stable. --------- One bad out of six is never bad.
Time's up: what next?
• OWASP Mobile Top 10
• Drozer (for inter-process communication)
• Explore new tools all the time.
• Keep sharing.
Questions?