Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Similar to Penetrating Android Aapplications
Similar to Penetrating Android Aapplications (20)
Recently uploaded
Recently uploaded (20)
Penetrating Android Aapplications
- 1. PENETRATING ANDROID APPLICATIONS ROSHAN THOMAS | @ROSHANPTY | SECVIBE.COM ANURAG DWIVEDY |@ANURAGDWIVEDYNortheastern University OWASP BASC 2016
- 2. SOME STATISTICS… • 25% OF MOBILE APPS INCLUDE AT LEAST ONE HIGH RISK SECURITY FLAW. • 35% OF MOBILE COMMUNICATIONS ARE UNENCRYPTED. • MOBILE MALWARE INCIDENTS HAVE DOUBLED 25% 35% 2X Source: NowSecure Mobile Security Report 2016 Intel Security Mobile Threat Report 2016
- 3. WHAT WE HOPE TO COVER TODAY • ANDROID APPLICATION VULNERABILITIES & CATEGORIES • HOW TO PERFORM PENETRATION TESTING ON AN ANDROID APPLICATION? • INTERCEPTING ANDROID TRAFFIC • REVERSE ENGINEERING ANDROID APPLICATIONS
- 4. OWASP MOBILE TOP 10 • M1: WEAK SERVER SIDE CONTROLS • M2: INSECURE DATA STORAGE • M3: INSUFFICIENT TRANSPORT LAYER PROTECTION • M4: UNINTENDED DATA LEAKAGE • M5: POOR AUTHORIZATION AND AUTHENTICATION • M6: BROKEN CRYPTOGRAPHY • M7: CLIENT SIDE INJECTION • M8: SECURITY DECISIONS VIA UNTRUSTED INPUTS • M9: IMPROPER SESSION HANDLING • M10: LACK OF BINARY PROTECTIONS • M1 - IMPROPER PLATFORM USAGE • M2 - INSECURE DATA STORAGE • M3 - INSECURE COMMUNICATION • M4 - INSECURE AUTHENTICATION • M5 - INSUFFICIENT CRYPTOGRAPHY • M6 - INSECURE AUTHORIZATION • M7 - CLIENT CODE QUALITY • M8 - CODE TAMPERING • M9 - REVERSE ENGINEERING • M10 - EXTRANEOUS FUNCTIONALITY 2014 2016
- 5. THE KEY STEPS • INTERCEPT THE TRAFFIC FROM APPLICATION TO IT’S SERVER • TEST SERVER SIDE ACCESS CONTROLS • PRIVILEGE ESCALATION BY MANIPULATING PARAMETERS • AUTHENTICATION FLAWS • DECOMPILE THE ANDROID APPLICATION • IDENTIFY FLAWS IN THE NATIVE CODE • BYPASS SECURITY CONTROLS LIKE SSL PINNING • CHECK ANDROID LOCAL STORAGE FOR SENSITIVE INFORMATION LEAKAGE • IN APPLICATION DIRECTORIES • LOCAL DATABASES • LOGS
- 6. INTERCEPTING THE NORMAL WEB TRAFFIC • BROWSER ALERTS OF INVALID CERTIFICATE • ADD A CERTIFICATE EXCEPTION • THE APPLICATION USES HSTS • ADD THE PROXY CERTIFICATE TO THE CERTIFICATE STORE OF THE BROWSER
- 7. CHALLENGES IN INTERCEPTING ANDROID TRAFFIC • NATIVE APPS RELY ON CERTIFICATES IN THE DEVICE’S TRUSTED CREDENTIALS • SOME NATIVE APPS USE THEIR OWN SET OF TRUSTED CREDENTIALS [SSL PINNING]
- 8. TOOLS AND PREREQUISITES • A ROOTED ANDROID DEVICE/EMULATOR AND ADB TOOLS • AVD, GENYMOTION… • ADB TOOLS • A WEB PROXY TOOL • CHARLES PROXY, BURPSUITE • TWEAKS FOR MANIPULATING THE TRUSTED CREDENTIALS • CYDIA SUBSTRATE/XPOSED • JUSTTRUSTME • DECOMPILING TOOLS • APK TOOL • DEX2JAR • JD GUI
- 9. DEMO – INTERCEPTING ANDROID TRAFFIC • HTTPS://WWW.YOUTUBE.COM/WATCH?V=YS9I-SDHLEI&FEATURE=YOUTU.BE
- 10. SETTING UP THE PROXY • START BURPSUITE • IN PROXY > OPTIONS, ADD A NEW PROXY LISTENER ON YOUR IP ON A DESIRED PORT
- 11. PREPARING YOUR ANDROID ENVIRONMENT • ROOTED ANDROID DEVICE / EMULATOR
- 12. INTERCEPTING NON-SSL ANDROID TRAFFIC • MODIFY THE WIRELESS NETWORK SETTINGS • ADD THE PROXY HOST NAME AND PORT IN ADVANCED SETTINGS
- 13. INTERCEPTING NON-SSL ANDROID TRAFFIC • ACCESS A NON-HTTPS SITE FROM THE BROWSER OR START AN APPLICATION WHICH DOESN’T USE SSL • THE REQUEST TO THE SERVER AND RESPONSE CAN BE CAPTURED USING BURP WHICH WE SET UP EARLIER
- 14. INTERCEPTING SSL TRAFFIC • ADD THE PROXY CERTIFICATE TO THE TRUSTED STORE
- 15. INTERCEPTING APPLICATIONS WHICH USES SSL PINNING • INSTALL XPOSED FRAMEWORK • INSTALL THE JUSTTRUSTME MODULE • ACTIVATE THE MODULE
- 17. LIFE OF AN APK FILE • APK? • DEX? Source: AnandTech|Andrei Frumusanu
- 18. VULNERABILITIES • INSECURE LOGGING • HARDCODED SENSITIVE DATA • INSECURE INFORMATION STORAGE • ALL INPUTS ARE EVIL
- 19. DEMO – DECOMPILING AND VULNERABILITIES https://www.youtube.com/watch?v=6F3fA1kA5BY&feature=youtu.be
- 20. QUESTIONS?