The document covers topics related to Android penetration testing including the Android security model, software stack, content providers, and secure coding practices. The Android security model uses app isolation and each app runs in its own Dalvik Virtual Machine. Content providers manage access to structured app data and enable inter-process communication. Reverse engineering the APK file by extracting and decompiling it is demonstrated as part of the app security testing process. Common insecure practices like hardcoding sensitive data and lack of encryption are also discussed.
6. Android security model
• Linux-based platform.
• App programming – done in Java
• App isolation.
• OS software stack consists of Java apps running on a Dalvik Virtual Machine.
• Each app has its own DVM
7. Android security model (contd)
• Data storage location: /data/data/<package-name>
• AndroidManifest.xml – very important
– Contains information about the package and its components (activities, services, content providers, etc.)
– Responsible for protecting the application by defining permissions
9. Content providers
• Used to manage access to a structured set of data.
• Provide a mechanism for defining data security.
• Standard interface that connects data in one process with code running in another process (inter-process communication).
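As an added example (not part of the original slides), the script below parses a decoded AndroidManifest.xml of the kind apktool produces, lists the declared components, and flags content providers that are exported without any permission attribute, i.e. reachable from every other app on the device. The manifest text and all package, authority and component names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Android attributes live in this namespace in a decoded manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest; not from any real application.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <permission android:name="com.example.notes.READ_NOTES"
        android:protectionLevel="signature" />
    <application android:label="Notes">
        <activity android:name=".MainActivity" android:exported="true" />
        <service android:name=".SyncService" />
        <provider android:name=".NotesProvider"
            android:authorities="com.example.notes.provider"
            android:exported="true" />
        <provider android:name=".SettingsProvider"
            android:authorities="com.example.notes.settings"
            android:exported="true"
            android:readPermission="com.example.notes.READ_NOTES"
            android:writePermission="com.example.notes.READ_NOTES" />
        <provider android:name=".CacheProvider"
            android:authorities="com.example.notes.cache"
            android:exported="false" />
        <provider android:name=".LegacyProvider"
            android:authorities="com.example.notes.legacy" />
    </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:<name> attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def list_components(manifest_xml):
    """Return {component_kind: [android:name, ...]} for the four component kinds."""
    app = ET.fromstring(manifest_xml).find("application")
    return {kind: [attr(e, "name") for e in app.findall(kind)]
            for kind in ("activity", "service", "receiver", "provider")}


def unprotected_exported_providers(manifest_xml, legacy_default_exported=False):
    """Names of providers other apps can reach with no permission gate.

    A provider with no android:exported attribute defaults to exported on
    apps whose targetSdkVersion is below 17; pass legacy_default_exported=True
    to audit such an app.
    """
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    for p in app.findall("provider"):
        exported = attr(p, "exported")
        is_exported = legacy_default_exported if exported is None else exported == "true"
        if not is_exported:
            continue
        guarded = any(attr(p, a) for a in ("permission", "readPermission", "writePermission"))
        if not guarded:
            findings.append(attr(p, "name"))
    return findings


if __name__ == "__main__":
    for kind, names in list_components(SAMPLE_MANIFEST).items():
        print(kind, names)
    print("unprotected exported providers:",
          unprotected_exported_providers(SAMPLE_MANIFEST, legacy_default_exported=True))
```

Run it against the manifest apktool decodes from the APK under test. A provider flagged here still needs a manual look at its query/insert code, since a permission attribute on the manifest is only one of the ways access can be restricted (a path-permission or a runtime check inside the provider are others).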
11. Android debug bridge (ADB)
• Command-line tool that lets you communicate with an Android device/emulator.
~demo
15. Steps to reverse apk
1. Rename <file>.apk to <file>.zip
2. Extract the contents of the zip
3. Convert the application code (Dalvik bytecode) to Java bytecode using dex2jar
4. Convert the Java bytecode into Java source code using JD-GUI
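The first three steps above, as an added Python example rather than anything from the original slides. An APK is a zip archive, so it can be opened directly without renaming it; the script extracts it safely, lists the classes*.dex files inside, checks the dex magic bytes, and hands each dex to dex2jar's `d2j-dex2jar.sh` if that tool is on the PATH (the tool name and its `-o` output flag are taken from the dex2jar distribution; treat them as an assumption for your install). Step 4 is a GUI step in JD-GUI and is not automated here. The sample APK is constructed in a temporary directory with placeholder entries so the script runs offline.

```python
import os
import shutil
import subprocess
import tempfile
import zipfile

# Every dex file starts with "dex\n" followed by a version string such as "035\0".
DEX_MAGIC = b"dex\n"


def make_sample_apk(path):
    """Construct a minimal fake APK (zip with the usual top-level entries).
    It contains only a placeholder dex header, no real application code."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("AndroidManifest.xml", b"<binary manifest placeholder>")
        z.writestr("classes.dex", DEX_MAGIC + b"035\0" + b"\0" * 100)
        z.writestr("classes2.dex", DEX_MAGIC + b"035\0" + b"\0" * 100)
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")


def unpack_apk(apk_path, out_dir):
    """Steps 1-2: open the APK as a zip and extract it into out_dir.
    Refuses entries that would escape out_dir (zip-slip) and returns the
    sorted list of top-level dex files."""
    os.makedirs(out_dir, exist_ok=True)
    base = os.path.realpath(out_dir)
    with zipfile.ZipFile(apk_path) as z:
        for name in z.namelist():
            dest = os.path.realpath(os.path.join(out_dir, name))
            if not dest.startswith(base + os.sep):
                raise ValueError("unsafe archive entry: %s" % name)
        z.extractall(out_dir)
        return sorted(n for n in z.namelist() if n.endswith(".dex") and "/" not in n)


def is_dex(path):
    """True if the file carries the dex magic bytes."""
    with open(path, "rb") as f:
        return f.read(4) == DEX_MAGIC


def dex_to_jar(dex_path, jar_path):
    """Step 3: convert a dex file with dex2jar when it is installed.
    Returns True if the conversion ran, False if the tool is absent."""
    tool = shutil.which("d2j-dex2jar.sh") or shutil.which("d2j-dex2jar")
    if tool is None:
        return False
    subprocess.run([tool, "-o", jar_path, dex_path], check=True)
    return True


def run_demo():
    """Build the sample APK, unpack it and report what was found."""
    with tempfile.TemporaryDirectory() as tmp:
        apk = os.path.join(tmp, "sample.apk")
        make_sample_apk(apk)
        out = os.path.join(tmp, "sample_extracted")
        dex_files = unpack_apk(apk, out)
        return {
            "dex_files": dex_files,
            "manifest_present": os.path.exists(os.path.join(out, "AndroidManifest.xml")),
            "all_dex_valid": all(is_dex(os.path.join(out, d)) for d in dex_files),
        }


if __name__ == "__main__":
    print(run_demo())
```

Note that the extracted AndroidManifest.xml is in Android's binary XML format; use apktool (listed under the testing prerequisites) to decode it into readable XML.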
17. Testing
• Pre-requisites
– PC with Android SDK installed
– Genymotion Android emulator
– Tools like apktool, dex2jar, etc
19. Common insecure practices
• Hardcoding sensitive information
• Encrypting passwords
• Lack of binary protection
• Insecure data storage (~demo)
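As an added example (not from the original slides), here is a small static scanner a reviewer can run over the decompiled sources and decoded resources of an app to spot two of the practices listed above: hardcoded sensitive information (password and key literals, AWS access key IDs, embedded private keys, secret-looking string resources) and insecure data storage (world-readable or world-writeable file modes, external storage). The Java and strings.xml samples are constructed for illustration; the patterns are a starting point, not a complete secret-detection ruleset.

```python
import re

# Ordered so findings on one line come out in a stable sequence.
PATTERNS = [
    ("password_literal", re.compile(r'(?i)(password|passwd|pwd)\s*[=:]\s*["\'][^"\']{3,}["\']')),
    ("api_key_literal", re.compile(r'(?i)(api[_-]?key|secret|token)\s*[=:]\s*["\'][^"\']{8,}["\']')),
    ("aws_access_key", re.compile(r'\bAKIA[0-9A-Z]{16}\b')),
    ("private_key_block", re.compile(r'-----BEGIN (RSA |EC )?PRIVATE KEY-----')),
    ("xml_secret_resource", re.compile(r'(?i)<string\s+name="[^"]*(password|secret|key|token)[^"]*">')),
    # File modes that expose app-private files to every other app on the device.
    ("world_accessible_file", re.compile(r'MODE_WORLD_(READABLE|WRITEABLE)')),
    ("external_storage", re.compile(r'getExternalStorageDirectory\(\)')),
]

# Constructed sample input: a decompiled class and a decoded strings.xml.
SAMPLE_JAVA = """public class Config {
    static final String API_KEY = "0123456789abcdef0123";
    static final String DB_PASSWORD = "hunter2";
    void save(Context ctx) throws Exception {
        FileOutputStream f = ctx.openFileOutput("creds.txt", Context.MODE_WORLD_READABLE);
    }
}
"""
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Notes</string>
    <string name="backend_token">eyJhbGciOiJIUzI1NiJ9.placeholder</string>
    <string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>
</resources>
"""
SAMPLE_FILES = {"Config.java": SAMPLE_JAVA, "res/values/strings.xml": SAMPLE_STRINGS_XML}


def scan_text(text, source_name):
    """Return (source, line_number, label) for every pattern hit, line by line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pat in PATTERNS:
            if pat.search(line):
                findings.append((source_name, lineno, label))
    return findings


def scan_sources(files):
    """Scan a {path: text} mapping, e.g. built by walking an apktool/JD-GUI output tree."""
    findings = []
    for name in sorted(files):
        findings.extend(scan_text(files[name], name))
    return findings


def summarize(findings):
    """Count findings per label, handy for a quick triage view."""
    counts = {}
    for _, _, label in findings:
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for src, line, label in scan_sources(SAMPLE_FILES):
        print("%s:%d  %s" % (src, line, label))
    print(summarize(scan_sources(SAMPLE_FILES)))
```

The scanner only tells you where to look: a hit on a name such as `aws_key` may be a harmless resource label, while a real secret stored under an innocent name will not be caught by any of these patterns. The fix for a confirmed finding is to move the value out of the binary (server-side, or fetched after authentication) and to store local data in app-private storage with the default file mode.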
20. Application integrity challenges
• Hackers/malware gaining physical access to application binaries.
• “My application contains no programming flaws”. But application binaries are still open to reverse-engineering and hacking tools.
• Most commonly found attack scenario:
– Attempt to insert malware and rebuild the original app (e.g. WhatsApp, Flappy Bird, etc.) to create a malicious APK.
– Spread the malicious APK through email, social networks/forums.
– Victim installs the APK and is compromised.