Android Application Analyzer
- Sanjay Gondaliya
Agenda
- Android Application Penetration Testing
- Static Analysis
- Dynamic Analysis
- Common tools used
- Demo - Android Application Analyzer
#Whoami
- 8+ Years of experience in Information Technology
- Sr. Security Consultant @NotSoSecure
- Website: sanjaygondaliya.com
Android Application Penetration Testing
- Static Analysis
  - Android Manifest Analysis
    - Exported Component
    - Debuggable, Backup Flag
  - Shared Preferences
  - SQLite Database
  - Sensitive information in logcat
  - Application Source Analysis
    - Source code obfuscation
    - Root Detection Check
    - SSL Pinning Implementation
  - Application Memory Dump
- Dynamic Analysis
  - API Testing (OWASP Web Top 10)
Common Tools Used
- Application manifest and code analysis (MobSF)
- Apktool (To reverse the APK file)
- Sandbox content analysis (shared preference file, SQLite DB)
  - sqlite3, cat, grep commands in “adb shell”
- Sensitive information in logcat (adb logcat)
- Source code obfuscation (dex2jar -> jd-gui)
- Frida universal ssl unpinning (To bypass ssl pinning)
- Fridump (Memory dump analysis)
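The sandbox content check and the logcat check from the tool list above, done in Python instead of sqlite3/cat/grep in "adb shell" and a manual read of adb logcat. This is an added example, not code from the Android Application Analyzer project: it assumes the app's /data/data/<package> directory has already been pulled to a local folder, and the shared_prefs XML, the SQLite database and the logcat lines it scans are all constructed here. The key-name and JWT patterns are starting points, not a complete list.

```python
"""Sensitive-information scan over a pulled app sandbox (shared_prefs XML
and SQLite databases) and over logcat lines. Added example, not project
code; the sandbox copy and the logcat lines are constructed here."""
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Key and column names that usually hold credential material.
SENSITIVE_KEY = re.compile(r"pass(word)?|pwd|secret|token|api[_-]?key|auth|session|pin", re.I)
# Value shape worth flagging regardless of its key name: a JWT.
SENSITIVE_VALUE = re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")

def scan_shared_prefs(xml_path):
    """(file, key, value) for suspicious entries in a shared_prefs XML."""
    hits = []
    for entry in ET.parse(xml_path).getroot():
        name = entry.get("name", "")
        value = entry.get("value") if entry.get("value") is not None else (entry.text or "")
        if SENSITIVE_KEY.search(name) or SENSITIVE_VALUE.search(value):
            hits.append((os.path.basename(xml_path), name, value))
    return hits

def scan_sqlite(db_path):
    """(file, table.column, value) for suspicious columns or values in
    every table of a SQLite database (what sqlite3 in adb shell shows)."""
    hits = []
    con = sqlite3.connect(db_path)
    try:
        tables = con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall()
        for (table,) in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for row in con.execute(f'SELECT * FROM "{table}"'):
                for col, val in zip(cols, row):
                    text = "" if val is None else str(val)
                    if SENSITIVE_KEY.search(col) or SENSITIVE_VALUE.search(text):
                        hits.append((os.path.basename(db_path), f"{table}.{col}", text))
    finally:
        con.close()
    return hits

def scan_sandbox(app_dir):
    """Walk a local copy of /data/data/<package> (e.g. from adb pull)."""
    hits = []
    for dirpath, _, files in os.walk(app_dir):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if os.path.basename(dirpath) == "shared_prefs" and fn.endswith(".xml"):
                hits.extend(scan_shared_prefs(path))
            elif fn.endswith(".db"):
                hits.extend(scan_sqlite(path))
    return hits

# "threadtime" logcat format: date time pid tid level tag: message
LOGCAT_LINE = re.compile(r"^\S+\s+\S+\s+\d+\s+\d+\s+[VDIWEF]\s+(?P<tag>[^:]+):\s*(?P<msg>.*)$")

def scan_logcat(lines):
    """(tag, message) for lines that leak a credential-looking key=value
    pair or a token shape."""
    hits = []
    for line in lines:
        m = LOGCAT_LINE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        leaks_pair = SENSITIVE_KEY.search(msg) and re.search(r"[:=]\s*\S+", msg)
        if leaks_pair or SENSITIVE_VALUE.search(msg):
            hits.append((m.group("tag").strip(), msg))
    return hits

SAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.sig"  # constructed token
SAMPLE_LOGCAT = [  # constructed logcat lines
    "05-01 10:00:01.123  1234  1234 D LoginActivity: attempting login for user=alice",
    "05-01 10:00:01.456  1234  1234 D LoginActivity: password=hunter2",
    f"05-01 10:00:02.001  1234  1250 I OkHttp: Authorization: Bearer {SAMPLE_JWT}",
    "05-01 10:00:02.500  1234  1234 I LoginActivity: login ok",
]

def build_sample_sandbox():
    """Write a constructed sandbox copy to a temp dir and return its path."""
    base = tempfile.mkdtemp(prefix="sandbox_")
    os.makedirs(os.path.join(base, "shared_prefs"))
    os.makedirs(os.path.join(base, "databases"))
    with open(os.path.join(base, "shared_prefs", "user.xml"), "w") as f:
        f.write("<map>\n"
                '  <string name="username">alice</string>\n'
                f'  <string name="auth_token">{SAMPLE_JWT}</string>\n'
                '  <boolean name="dark_mode" value="true" />\n'
                "</map>\n")
    con = sqlite3.connect(os.path.join(base, "databases", "app.db"))
    con.execute("CREATE TABLE accounts (id INTEGER, email TEXT, password TEXT)")
    con.execute("INSERT INTO accounts VALUES (1, 'alice@example.com', 'hunter2')")
    con.execute("CREATE TABLE settings (k TEXT, v TEXT)")
    con.execute("INSERT INTO settings VALUES ('theme', 'dark')")
    con.commit()
    con.close()
    return base

if __name__ == "__main__":
    for hit in scan_sandbox(build_sample_sandbox()) + scan_logcat(SAMPLE_LOGCAT):
        print(hit)
```

On the constructed input the sandbox scan reports the auth_token preference and the accounts.password column, and the logcat scan reports the password line and the Authorization header while leaving the two harmless lines alone. Run it against a real pulled directory by calling scan_sandbox on that path and feed scan_logcat the lines captured from adb logcat.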
Static Analysis
- To check for:
  • Source-code obfuscation
  • Debuggable Flag
  • Backup Flag
  • Exported Activity, Services, Broadcast, Provider
  • Source Code Analysis: Hardcoded Sensitive Information, Deep link URL Schemes
- Install APK
- To check for sensitive information (Insecure Local Storage)
  • /data/data/AppFolder
  • /sdcard/data/AppFolder
  • Shared Preference Analysis
  • SQLite Database Analysis
- To check for sensitive information in Logcat
- Exploitation Framework: exploit exported components
  • Activity
  • Services
  • Broadcast
  • Provider
- To bypass checks and carry on penetration testing
- To hook the code, to bypass SSL pinning and other client-side validation
- To bypass client-side checks, to trace certain functions:
  • Decompile using APK
  • Modify the source using a text editor
  • Compile APK from modified source
  • Sign APK using Sign.Jar
  • Uninstall old APK
  • Install new APK
- Source-code obfuscated
- To dump app memory
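The manifest part of the static-analysis workflow above (debuggable flag, backup flag, exported activities/services/receivers/providers, deep-link URL schemes), as an added Python example. It is not code from the Android Application Analyzer project or from MobSF; the AndroidManifest.xml it parses is constructed for the example, and the exported-by-default rule it applies is the platform one for manifests without an explicit android:exported.

```python
"""Static manifest checks: debuggable flag, backup flag, exported
components and deep-link URL schemes. Added example; the manifest is
constructed, not taken from a real app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest for the checks below.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="demoapp" android:host="open"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
    <provider android:name=".DataProvider"
              android:authorities="com.example.demo.provider"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component):
    """An explicit android:exported wins. Without it, a component that
    declares an intent-filter was exported by default before Android 12
    (Android 12+ rejects such a manifest), and one without an
    intent-filter is not exported (the modern default for providers too)."""
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def analyze_manifest(xml_text):
    """Return (check, detail) findings for a manifest given as text."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return findings
    if (attr(app, "debuggable") or "").lower() == "true":
        findings.append(("debuggable", "android:debuggable=true"))
    backup = attr(app, "allowBackup")
    if backup is None or backup.lower() != "false":
        # allowBackup defaults to true when absent, so report that too.
        findings.append(("backup", f"android:allowBackup={backup or 'unset'}"))
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            name = attr(comp, "name")
            if is_exported(comp):
                findings.append((f"exported_{tag}", name))
            # A VIEW intent-filter with a data scheme is a deep-link entry.
            for flt in comp.findall("intent-filter"):
                actions = {attr(a, "name") for a in flt.findall("action")}
                if "android.intent.action.VIEW" not in actions:
                    continue
                for data in flt.findall("data"):
                    if attr(data, "scheme"):
                        url = f"{attr(data, 'scheme')}://{attr(data, 'host') or ''}"
                        findings.append(("deeplink", f"{name}: {url}"))
    return findings


if __name__ == "__main__":
    for check, detail in analyze_manifest(SAMPLE_MANIFEST):
        print(f"[{check}] {detail}")
```

Every exported component is listed, including the launcher activity, because each one is an entry point that the exploitation-framework step in the workflow will exercise; the deep-link entry is reported separately so the URL scheme can be reviewed for parameter handling. To run it on a real app, decode the APK first (apktool, as in the tool list) and pass the decoded AndroidManifest.xml text to analyze_manifest.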
Android Application Analyzer
- GUI for Android Application static analysis
- To Save Time
- To cover all the test cases during penetration testing
Android Application Analyzer
Prerequisites
- Python3
- Frida client installed on host machine
- MobSF available on http://localhost:8000
- For Universal Frida SSL Unpinning, replace the Burp certificate in the “tools” directory
- For Fridump, Application needs to be running on the device
Android Application Analyzer - Setup
- Clone Repo from Git
- git clone https://github.com/NotSoSecure/android_application_analyzer.git
- Install pre-requisite
- Linux/Unix
- ./setup.sh
- Windows
- ./setup.bat
Demo
- Sandbox content analysis (shared pref file, sqlite db)
- Source code obfuscation (dex2jar -> jd-gui)
- Apktool (To reverse the apk file)
- Fridump (Memory dump analysis)
- Frida universal ssl unpinning (To bypass ssl pinning)
- Sensitive information in logcat (adb logcat)
- Application manifest and code analysis (MobSF)
- Smali debug / APK code injection (requires uninstalling the app -> building the app with apktool -> installing it again)
- Application sandbox snapshot for future reference
Thank you :)
