2. SOME STATISTICS…
• 25% OF MOBILE APPS INCLUDE AT LEAST ONE HIGH RISK SECURITY FLAW.
• 35% OF MOBILE COMMUNICATIONS ARE UNENCRYPTED.
• MOBILE MALWARE INCIDENTS HAVE DOUBLED.
Source:
NowSecure Mobile Security Report 2016
Intel Security Mobile Threat Report 2016
3. WHAT WE HOPE TO COVER TODAY
• ANDROID APPLICATION VULNERABILITIES & CATEGORIES
• HOW TO PERFORM PENETRATION TESTING ON AN ANDROID APPLICATION?
• INTERCEPTING ANDROID TRAFFIC
• REVERSE ENGINEERING ANDROID APPLICATIONS
4. OWASP MOBILE TOP 10
2014
• M1: WEAK SERVER SIDE CONTROLS
• M2: INSECURE DATA STORAGE
• M3: INSUFFICIENT TRANSPORT LAYER PROTECTION
• M4: UNINTENDED DATA LEAKAGE
• M5: POOR AUTHORIZATION AND AUTHENTICATION
• M6: BROKEN CRYPTOGRAPHY
• M7: CLIENT SIDE INJECTION
• M8: SECURITY DECISIONS VIA UNTRUSTED INPUTS
• M9: IMPROPER SESSION HANDLING
• M10: LACK OF BINARY PROTECTIONS
2016
• M1 - IMPROPER PLATFORM USAGE
• M2 - INSECURE DATA STORAGE
• M3 - INSECURE COMMUNICATION
• M4 - INSECURE AUTHENTICATION
• M5 - INSUFFICIENT CRYPTOGRAPHY
• M6 - INSECURE AUTHORIZATION
• M7 - CLIENT CODE QUALITY
• M8 - CODE TAMPERING
• M9 - REVERSE ENGINEERING
• M10 - EXTRANEOUS FUNCTIONALITY
5. THE KEY STEPS
• INTERCEPT THE TRAFFIC FROM THE APPLICATION TO ITS SERVER
• TEST SERVER SIDE ACCESS CONTROLS
  • PRIVILEGE ESCALATION BY MANIPULATING PARAMETERS
  • AUTHENTICATION FLAWS
• DECOMPILE THE ANDROID APPLICATION
  • IDENTIFY FLAWS IN THE NATIVE CODE
  • BYPASS SECURITY CONTROLS LIKE SSL PINNING
• CHECK ANDROID LOCAL STORAGE FOR SENSITIVE INFORMATION LEAKAGE
  • IN APPLICATION DIRECTORIES
  • LOCAL DATABASES
  • LOGS
6. INTERCEPTING THE NORMAL WEB TRAFFIC
• BROWSER ALERTS OF INVALID CERTIFICATE
  • ADD A CERTIFICATE EXCEPTION
• THE APPLICATION USES HSTS
  • ADD THE PROXY CERTIFICATE TO THE CERTIFICATE STORE OF THE BROWSER
7. CHALLENGES IN INTERCEPTING ANDROID TRAFFIC
• NATIVE APPS RELY ON CERTIFICATES IN THE DEVICE’S TRUSTED CREDENTIALS
• SOME NATIVE APPS USE THEIR OWN SET OF TRUSTED CREDENTIALS [SSL PINNING]
8. TOOLS AND PREREQUISITES
• A ROOTED ANDROID DEVICE/EMULATOR AND ADB TOOLS
  • AVD, GENYMOTION…
  • ADB TOOLS
• A WEB PROXY TOOL
  • CHARLES PROXY, BURPSUITE
• TWEAKS FOR MANIPULATING THE TRUSTED CREDENTIALS
  • CYDIA SUBSTRATE/XPOSED
  • JUSTTRUSTME
• DECOMPILING TOOLS
  • APK TOOL
  • DEX2JAR
  • JD GUI
12. INTERCEPTING NON-SSL ANDROID TRAFFIC
• MODIFY THE WIRELESS NETWORK SETTINGS
• ADD THE PROXY HOST NAME AND PORT IN ADVANCED SETTINGS
13. INTERCEPTING NON-SSL ANDROID TRAFFIC
• ACCESS A NON-HTTPS SITE FROM THE BROWSER OR START AN APPLICATION WHICH DOESN’T USE SSL
• THE REQUEST TO THE SERVER AND THE RESPONSE CAN BE CAPTURED USING BURP, WHICH WE SET UP EARLIER
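Slides 12 and 13 end at the point where the request and response show up in Burp; the next step in a test is to triage what was captured for the M3 (insecure communication) finding that the slides lead up to. The script below is an added example, not part of the original deck or of any tool it names: it takes request records in the shape an intercepting proxy presents them (raw request text plus the scheme the listener received it on), parses them, and reports every cleartext request that carries a credential-like form field or a Cookie/Authorization header. The host, paths, field names and the SENSITIVE_KEYS list are all constructed for the example.

```python
"""Triage of proxy-captured Android traffic for sensitive data sent in the clear.

Added example (not from the original slides). The captures below are constructed
to look like what Burp shows for a non-SSL app; nothing here is real app traffic.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs

# Field names that usually carry credentials or session material (assumed list).
SENSITIVE_KEYS = {"password", "passwd", "pin", "token", "session", "otp", "card"}


@dataclass
class Finding:
    host: str
    path: str
    reason: str


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def triage(captures):
    """Return a Finding for each cleartext (http) request exposing sensitive data.

    captures: iterable of (raw_request_text, scheme) pairs as recorded by the proxy.
    HTTPS captures are skipped: on the wire they are not readable without the
    certificate-store changes covered on the following slides.
    """
    findings = []
    for raw, scheme in captures:
        if scheme != "http":
            continue
        _method, target, headers, body = parse_request(raw)
        host = headers.get("host", "?")
        path, _, query = target.partition("?")

        # Collect parameters from the query string and, for form posts, the body.
        fields = dict(parse_qs(query))
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            fields.update(parse_qs(body))

        for name in fields:
            if name.lower() in SENSITIVE_KEYS:
                findings.append(Finding(host, path, f"cleartext field '{name}'"))
        if "cookie" in headers or "authorization" in headers:
            findings.append(Finding(host, path, "cleartext credential header"))
    return findings


# Constructed sample captures: a login POST and a session-bearing GET over plain
# HTTP, plus the same GET over HTTPS, which the triage must leave alone.
CAPTURES = [
    (
        "POST /api/login HTTP/1.1\r\n"
        "Host: api.example.test\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "\r\n"
        "username=alice&password=hunter2",
        "http",
    ),
    (
        "GET /api/profile HTTP/1.1\r\n"
        "Host: api.example.test\r\n"
        "Cookie: session=abc123\r\n"
        "\r\n",
        "http",
    ),
    (
        "GET /api/profile HTTP/1.1\r\n"
        "Host: api.example.test\r\n"
        "Cookie: session=abc123\r\n"
        "\r\n",
        "https",
    ),
]

if __name__ == "__main__":
    for f in triage(CAPTURES):
        print(f"{f.host}{f.path}: {f.reason}")
```

Each finding maps directly onto an M3 / insecure communication entry in the report: the first shows a password crossing the network readable by anyone on the same Wi-Fi, the second a bearer session cookie that can be replayed. The third capture produces nothing, which is the point of the later slides on getting the proxy certificate trusted by the device.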