The document discusses various techniques for analyzing and exploiting Android applications, including using Drozer to bypass activity validation, replicating data exposure issues across apps, reversing APKs to analyze and patch detection of root access, exploiting vulnerabilities in app webviews through injected JavaScript, and demonstrating API attacks. The presentation encourages participation in the security community to share knowledge and ideas.
Android mobile app security offensive security workshop
2. WHO AM I
Next Generation problem Solver
Researcher & Reader in free time
Speaker at
Facilitator at Weekend Testing
Bug bounty Hunter (ex-Crowd Tester)
Reported Security Vulnerabilities for 50+ unique customers all over the world
including Apple, Yahoo, Outlook, Adobe, etc.
Love to develop nasty code & Hack it :)
Works as Security Researcher at
Certified Ethical Hacker AKA. Bug Wrangler
Null & OWASP Community
Accenture Digital Mobility
3. DISCLAIMER
This Presentation is intended for educational purposes only and I cannot be held liable for
any kind of damages done whatsoever to your machine, or other damages.
Please - Don't try this attack on anyone else's system without having context knowledge or
permission; this may harm someone directly or indirectly.
Feel free to use this presentation for practice or education purposes.
It's in no way related to my employer - it's my own research and ideas.
^ I hope - You gotcha ^
12. The Mobile market is fragmented, stakeholders want their
better cheaper faster mobile app - Correct?
What if it has vulnerable code? WOW :D
- Yet to update the stats -
58. 11. SIGN APK WITH JAR SIGNER
12. CHECK - ROOT DETECTION
* Updated apk has patched code *
60. ~ SUMMARY ~
Demo on Missing Root Detection - Done
Demo on Reversing the APK - Done
Demo on rebuilding the APK - Done
Demo on weak Binary - Done
Fix: Use DexGuard, not ProGuard
Update the logical validation - Done
Identify attack surface at Smali code - Done
Demo on patching the Smali code - Done
Demo on APK signing - Done
Finally, the root detection bypass - Done
61. ANDROID WEB-VIEW
Android allows apps to create a bridge in order to render
HTML and JavaScript code and to let that code interact with the
application's Java code, using the open source WebKit web
browser engine
70 % of applications use WebViews
63. THERE ARE TWEAKS WITH USAGE
DISABLE SUPPORT FOR JAVASCRIPT
DISABLE SUPPORT FOR PLUGINS
DISABLE FILE SYSTEM ACCESS
64. WELL - HTTP VS HTTPS
WebView webView = new WebView(this);
webView.getSettings().setJavaScriptEnabled(false);
65. IDENTIFY THE APP WITH THE WEBKIT
- Reverse the binary -
Find the WebView code with addJavascriptInterface enabled
- Remember it's smali code -
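Added example (not part of the original slides): a small Python audit script that looks in decompiled smali for the WebView settings named on slides 63 and 65. The names scan_smali and SAMPLE are hypothetical, the smali fragment is constructed, and the register tracking is a straight-line heuristic that ignores branches and move instructions.

```python
import re

# Boolean WebSettings setters tied to the tweaks on slide 63.
RISKY_SETTERS = ("setJavaScriptEnabled", "setAllowFileAccess")
CONST = re.compile(r'^\s*const(?:/4|/16)?\s+(\w+),\s*(-?0x[0-9a-fA-F]+)')
CONST_STR = re.compile(r'^\s*const-string\s+(\w+),\s*"(.*)"')
INVOKE = re.compile(r'^\s*invoke-virtual\s*\{([^}]*)\},\s*'
                    r'Landroid/webkit/(WebSettings|WebView);->(\w+)\(')

# Constructed smali fragment, as apktool-style output would look.
SAMPLE = """\
.method protected onCreate(Landroid/os/Bundle;)V
    const/4 v1, 0x1
    invoke-virtual {v0}, Landroid/webkit/WebView;->getSettings()Landroid/webkit/WebSettings;
    move-result-object v2
    invoke-virtual {v2, v1}, Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V
    const-string v3, "Android"
    invoke-virtual {v0, v4, v3}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
    const/4 v1, 0x0
    invoke-virtual {v2, v1}, Landroid/webkit/WebSettings;->setAllowFileAccess(Z)V
.end method
"""

def scan_smali(text):
    """Return (line_no, finding) tuples for risky WebView calls in smali text."""
    findings, regs = [], {}
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(".method"):
            regs = {}                       # registers are scoped to one method
        elif m := CONST.match(line):
            regs[m.group(1)] = int(m.group(2), 16)
        elif m := CONST_STR.match(line):
            regs[m.group(1)] = m.group(2)
        elif m := INVOKE.match(line):
            args = [a.strip() for a in m.group(1).split(",")]
            cls, name = m.group(2), m.group(3)
            if cls == "WebSettings" and name in RISKY_SETTERS:
                value = regs.get(args[-1])  # None: argument is not a tracked constant
                if value != 0:              # report true and unknown, skip explicit false
                    state = "true" if value == 1 else "unknown"
                    findings.append((no, f"{name}({state})"))
            elif cls == "WebView" and name == "addJavascriptInterface":
                bridge = regs.get(args[-1], "?")  # name JavaScript sees the object under
                findings.append((no, f"addJavascriptInterface as {bridge!r}"))
    return findings

if __name__ == "__main__":
    for line_no, finding in scan_smali(SAMPLE):
        print(f"line {line_no}: {finding}")
```

Each reported line is a place to review in the clean Java code: whether JavaScript needs to be on for that activity, and what the exposed bridge object lets page content call.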
66. IDENTIFY AND UNDERSTAND THE ACTIVITY WITH JAVASCRIPT ENABLED IN CLEAN JAVA CODE
72. YES - I'M DONE!
Feel free to write me at bug.wrangler at outlook.com
Or
Tweet me at Abhinav_Sejpal
73. We need you!
Attend Null Meet-ups & give presentations.
Share your ideas & learnings.
Talk to our community champions.
Your feedback helps us to build a good community.
Looking forward to your ongoing support.
http://null.co.in/
Say 'Hello' @null0x00
74. ! THANK YOU !
@anantshri @oldmanlab @adi1391 @prateekg147
@5h1vang @exploitprotocol
#Nullblr Leads & Champions
Big thank you to @null0x00, Satish, Apoorva & you All
75. LICENSE AND COPYRIGHTS
copyrights 2015-2016
https://slides.com/abhinavsejpal/bangalore-android-null-humla/ Abhinav Sejpal
-----
( CC BY-NC-ND 3.0)
Attribution-NonCommercial-NoDerivs 3.0 Unported
Dedicated to my lovely daddy