Penetrating Android Applications
Roshan Thomas | @roshanpty | secvibe.com
Anurag Dwivedy | @anuragdwivedy | Northeastern University
OWASP BASC 2016

Some statistics…
• 25% of mobile apps include at least one high risk security flaw.
• 35% of mobile communications are unencrypted.
• Mobile malware incidents have doubled.
Source: NowSecure Mobile Security Report 2016; Intel Security Mobile Threat Report 2016

What we hope to cover today
• Android application vulnerabilities & categories
• How to perform penetration testing on an Android application?
• Intercepting Android traffic
• Reverse engineering Android applications

OWASP Mobile Top 10
2014:
• M1: Weak server side controls
• M2: Insecure data storage
• M3: Insufficient transport layer protection
• M4: Unintended data leakage
• M5: Poor authorization and authentication
• M6: Broken cryptography
• M7: Client side injection
• M8: Security decisions via untrusted inputs
• M9: Improper session handling
• M10: Lack of binary protections
2016:
• M1: Improper platform usage
• M2: Insecure data storage
• M3: Insecure communication
• M4: Insecure authentication
• M5: Insufficient cryptography
• M6: Insecure authorization
• M7: Client code quality
• M8: Code tampering
• M9: Reverse engineering
• M10: Extraneous functionality
The key steps
• Intercept the traffic from the application to its server
• Test server side access controls
  • Privilege escalation by manipulating parameters
  • Authentication flaws
• Decompile the Android application
  • Identify flaws in the native code
  • Bypass security controls like SSL pinning
• Check Android local storage for sensitive information leakage
  • In application directories
  • Local databases
  • Logs
Intercepting the normal web traffic
• Browser alerts of an invalid certificate
  • Add a certificate exception
• The application uses HSTS
  • Add the proxy certificate to the certificate store of the browser

Challenges in intercepting Android traffic
• Native apps rely on certificates in the device's trusted credentials
• Some native apps use their own set of trusted credentials [SSL pinning]

Tools and prerequisites
• A rooted Android device/emulator and ADB tools
  • AVD, Genymotion…
  • ADB tools
• A web proxy tool
  • Charles Proxy, Burp Suite
• Tweaks for manipulating the trusted credentials
  • Cydia Substrate/Xposed
  • JustTrustMe
• Decompiling tools
  • apktool
  • dex2jar
  • JD-GUI

Demo – intercepting Android traffic
• https://www.youtube.com/watch?v=YS9I-SDHLEI&feature=youtu.be

Setting up the proxy
• Start Burp Suite
• In Proxy > Options, add a new proxy listener on your IP on a desired port

Preparing your Android environment
• Rooted Android device / emulator

Intercepting non-SSL Android traffic
• Modify the wireless network settings
• Add the proxy host name and port in Advanced settings
• Access a non-HTTPS site from the browser or start an application which doesn't use SSL
• The request to the server and the response can be captured using Burp, which we set up earlier

Intercepting SSL traffic
• Add the proxy certificate to the trusted store
Intercepting applications which use SSL pinning
• Install the Xposed framework
• Install the JustTrustMe module
• Activate the module
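
The device-side counterpart to the three slides above, as an added example that is not part of the deck: since Android 7.0 (API 24) an app declares which CAs it trusts in a network security config, and apps targeting API 24 or later stop trusting user-installed CAs unless that file says otherwise. A release build that trusts the user store or declares no pins is exactly what makes the "add the proxy certificate to the trusted store" step succeed. The script below audits such a file for those weak settings; both configs are constructed for this example (the pin values are placeholders, not real SPKI hashes). It only sees the platform-level declaration: pinning done in app code (for instance OkHttp's CertificatePinner), which runtime modules such as JustTrustMe target, is outside what this file shows.

```python
"""Audit an Android network_security_config.xml for trust settings that weaken
TLS interception resistance. Added example, not code from the deck; both
sample configs are constructed here and follow the documented Android schema
(<base-config>, <domain-config>, <debug-overrides>, <trust-anchors>, <pin-set>).
"""
import xml.etree.ElementTree as ET

# Constructed: the weak shape. User-installed CAs (where a proxy certificate
# would be added) are trusted by the release build, cleartext is allowed and
# nothing is pinned.
WEAK_CONFIG = """\
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""

# Constructed: release build trusts only system CAs, pins the API host with a
# backup pin, and confines user-CA trust to <debug-overrides>, which the
# platform honours only when the app is debuggable.
HARDENED_CONFIG = """\
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""


def audit_network_security_config(xml_text):
    """Return a list of finding strings; an empty list means nothing flagged."""
    root = ET.fromstring(xml_text)
    findings = []

    base = root.find("base-config")
    if base is not None:
        if base.get("cleartextTrafficPermitted", "false").lower() == "true":
            findings.append("base-config permits cleartext (non-TLS) traffic")
        if any(c.get("src") == "user" for c in base.iter("certificates")):
            findings.append("base-config trusts user-installed CAs in release builds")

    for dom_cfg in root.findall("domain-config"):
        domains = [d.text.strip() for d in dom_cfg.findall("domain") if d.text]
        if any(c.get("src") == "user" for c in dom_cfg.iter("certificates")):
            findings.append(f"domain-config for {domains} trusts user-installed CAs")
        pin_set = dom_cfg.find("pin-set")
        if pin_set is not None and len(pin_set.findall("pin")) < 2:
            findings.append(f"pin-set for {domains} has no backup pin")

    if root.find("domain-config/pin-set") is None:
        findings.append("no pin-set declared: any trusted CA can issue an acceptable certificate")
    # <debug-overrides> is deliberately not flagged: trusting user CAs there is
    # the supported way to let testers intercept a debug build.
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_network_security_config(cfg) or ["no findings"])
```

Run it against the `res/xml/` file apktool extracts from an APK (the manifest's `android:networkSecurityConfig` attribute names it). A clean result here still says nothing about pinning implemented in Java code, which is the case the JustTrustMe step on this slide is aimed at.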
Decompiling Android applications

Life of an APK file
• APK?
• DEX?
Source: AnandTech | Andrei Frumusanu
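
To make "APK?" and "DEX?" concrete, here is an added example (not from the deck) that shows what the decompiling tools on the previous slides operate on: an APK is a ZIP archive, and the Dalvik bytecode apktool and dex2jar read lives in its `classes.dex`, whose 0x70-byte header starts with the magic `dex\n035\0` and carries an Adler-32 checksum and a SHA-1 signature over the rest of the file. The APK built below is constructed in memory for this example (a placeholder manifest plus a header-only DEX with no classes); the parser verifies the header the way a tool would before trusting the file.

```python
"""APK and DEX at the byte level. Added example, not code from the deck: the APK
and the header-only classes.dex are constructed here so the parser has a real,
verifiable header to work on. Layout follows the published DEX format.
"""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_FMT = "<8sI20s20I"                       # magic, checksum, signature, 20 uint32
DEX_HEADER_SIZE = struct.calcsize(DEX_HEADER_FMT)   # 0x70 == 112 bytes
DEX_FIELD_NAMES = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def build_min_dex():
    """Constructed header-only DEX: no strings, types or classes, but a valid
    checksum and signature, so the parser below has something real to verify."""
    fields = [DEX_HEADER_SIZE, DEX_HEADER_SIZE, 0x12345678] + [0] * 17
    body = struct.pack("<20I", *fields)
    signature = hashlib.sha1(body).digest()                 # SHA-1 of everything after the signature field
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF  # Adler-32 of everything after the checksum field
    return struct.pack("<8sI20s", b"dex\n035\0", checksum, signature) + body


def build_min_apk():
    """Constructed APK: a ZIP with the two entries every APK has. Real APKs also
    carry resources.arsc, res/, lib/ and, for v1 signing, a META-INF/ directory;
    v2+ signatures sit in the APK signing block outside the ZIP entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder binary XML>")
        zf.writestr("classes.dex", build_min_dex())
    return buf.getvalue()


def parse_dex_header(dex):
    """Parse and verify the DEX header; raise ValueError if it is not a DEX file."""
    if len(dex) < DEX_HEADER_SIZE:
        raise ValueError("file shorter than a DEX header")
    magic, checksum, signature, *fields = struct.unpack_from(DEX_HEADER_FMT, dex)
    if magic[:4] != b"dex\n" or magic[7:] != b"\0":
        raise ValueError("not a DEX file")
    header = dict(zip(DEX_FIELD_NAMES, fields))
    header["version"] = magic[4:7].decode("ascii")
    header["checksum_ok"] = (zlib.adler32(dex[12:]) & 0xFFFFFFFF) == checksum
    header["signature_ok"] = hashlib.sha1(dex[32:]).digest() == signature
    header["little_endian"] = header["endian_tag"] == 0x12345678
    return header


def inspect_apk(apk_bytes):
    """List the archive and parse every classes*.dex inside it."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        dex_headers = {n: parse_dex_header(zf.read(n))
                       for n in names if n.startswith("classes") and n.endswith(".dex")}
    return {"entries": names,
            "v1_signed": any(n.startswith("META-INF/") for n in names),
            "dex": dex_headers}


if __name__ == "__main__":
    report = inspect_apk(build_min_apk())
    print("entries:", report["entries"], "v1 signed:", report["v1_signed"])
    for name, h in report["dex"].items():
        print(name, "version", h["version"], "checksum_ok", h["checksum_ok"],
              "signature_ok", h["signature_ok"], "class_defs", h["class_defs_size"])
```

Point `inspect_apk` at the bytes of a real APK and the `class_defs_size` and `method_ids_size` counts tell you how much code dex2jar will hand to JD-GUI; a false `checksum_ok` on a file that runs anyway is worth noting, since a repackaged DEX with a stale checksum is one sign of the code tampering the 2016 Top 10 lists as M8.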
Vulnerabilities
• Insecure logging
• Hardcoded sensitive data
• Insecure information storage
• All inputs are evil
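
The first three items on this slide, and the "application directories / logs" check from the key steps slide, can be turned into a repeatable scan. The following is an added example, not code from the deck: it runs regular-expression checks over decompiled Java (what dex2jar and JD-GUI produce), over a `shared_prefs` XML pulled from `/data/data/<package>/` on a rooted device, and over logcat output. The Java source, preferences file and log lines are all constructed for this example; the patterns are a starting point a tester extends per app, not an exhaustive rule set.

```python
"""Static checks for insecure logging, hardcoded secrets and insecure storage.
Added example, not code from the deck. Assumptions: the Java text is decompiler
output, the XML is an app's shared_prefs file, the log text is logcat output.
All three samples are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Names and words that usually mark a sensitive value.
SENSITIVE = re.compile(r"passw(or)?d|secret|token|api[_-]?key|private[_-]?key|credit|pin\b", re.I)
# android.util.Log call whose arguments mention something sensitive.
LOG_CALL = re.compile(r"\bLog\.(v|d|i|w|e|wtf)\s*\((.*)\)\s*;")
# A string literal of 8+ characters assigned to a sensitive-looking name.
HARDCODED = re.compile(r'(?:String\s+)?(\w+)\s*=\s*"([^"\n]{8,})"')
# Files created readable/writable by every app on the device.
WORLD_MODE = re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)")
# SharedPreferences writes of a sensitive key or variable (stored as plaintext XML).
PREFS_PUT = re.compile(r'putString\s*\(\s*"([^"]+)"\s*,\s*(\w+)')


def scan_source(java_text):
    """Return (category, line_number, line) tuples for the decompiled source."""
    findings = []
    for lineno, line in enumerate(java_text.splitlines(), 1):
        m = LOG_CALL.search(line)
        if m and SENSITIVE.search(m.group(2)):
            findings.append(("insecure-logging", lineno, line.strip()))
        m = HARDCODED.search(line)
        if m and SENSITIVE.search(m.group(1)):
            findings.append(("hardcoded-secret", lineno, line.strip()))
        if WORLD_MODE.search(line):
            findings.append(("insecure-storage", lineno, line.strip()))
        m = PREFS_PUT.search(line)
        if m and (SENSITIVE.search(m.group(1)) or SENSITIVE.search(m.group(2))):
            findings.append(("insecure-storage", lineno, line.strip()))
    return findings


def scan_shared_prefs(xml_text):
    """Return (category, key, value) for plaintext sensitive entries in shared_prefs."""
    findings = []
    for el in ET.fromstring(xml_text):           # children of <map>
        name = el.get("name", "")
        value = el.get("value", el.text or "")   # <string> uses text, other types a value attribute
        if SENSITIVE.search(name) and value:
            findings.append(("plaintext-prefs", name, value))
    return findings


def scan_logcat(log_text):
    """Return (line_number, line) for logcat messages that carry sensitive words."""
    return [(n, line.strip()) for n, line in enumerate(log_text.splitlines(), 1)
            if SENSITIVE.search(line.split(": ", 1)[-1])]


# Constructed decompiler output; the key is a placeholder, not a real credential.
SAMPLE_JAVA = '''\
public class LoginActivity {
    private static final String TAG = "Auth";
    private static final String API_KEY = "AKIA_EXAMPLE_NOT_A_REAL_KEY_0001";
    private static final String API_BASE = "https://api.example.com/v1";

    void login(String user, String password) {
        Log.d(TAG, "Login screen shown for " + user);
        Log.d(TAG, "password=" + password);
        SharedPreferences.Editor editor = prefs.edit();
        editor.putString("password", password);
        editor.apply();
        FileOutputStream out = openFileOutput("session.txt", Context.MODE_WORLD_READABLE);
    }
}
'''

# Constructed shared_prefs file as `adb pull` would return it.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <string name="auth_token">eyJhbGciOiJub25lIn0.e30.</string>
    <boolean name="remember_me" value="true" />
</map>
"""

# Constructed logcat lines.
SAMPLE_LOGCAT = """\
03-12 10:15:01.123  4321  4321 D Auth    : Login screen shown for alice
03-12 10:15:03.456  4321  4321 D Auth    : password=hunter2
03-12 10:15:03.789  4321  4321 I OkHttp  : --> POST https://api.example.com/v1/login
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_JAVA) + scan_shared_prefs(SAMPLE_PREFS):
        print(f)
    for f in scan_logcat(SAMPLE_LOGCAT):
        print(("logcat",) + f)
```

The constructed source trips all three categories: the hardcoded `API_KEY`, the `Log.d` of the password, the plaintext `putString` of it, and the world-readable file. `API_BASE` and the "Login screen shown" log line are there to show that a URL or an ordinary debug message is not flagged; tune `SENSITIVE` to the app's own naming before trusting a clean result.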
Demo – decompiling and vulnerabilities
https://www.youtube.com/watch?v=6F3fA1kA5BY&feature=youtu.be

Questions?
