1. Mansih Chasta | CISSP, CHFI, ITIL

2.  Principal Consultant @ Indusface, India
 Over 6 years experience in Information and
Application Security
 CISSP, CHFI, ITIL

3. What comes to any Indian’s mind when
they think of Russia?

5.  Introduction to Android and Mobile Applications
 Working with Android SDK and Emulator
 Setting up GoatDroid Application
 Memory Analysis
 Intercepting Layer 7 traffic
 Reverse Engineering Android Applications
 SQLite Database Analysis
 Demo: ExploitMe application

6.  Gartner Says:
 8.2 Billion mobile applications have been
downloaded in 2010
 17.7 Billion by 2011
 185 Billion application will have been downloaded
by 2014

8.  Most widely used mobile OS
 Developed by Google
 OS + Middleware + Applications
 Android Open Source Project (AOSP) is
responsible for maintenance and further
development

10.  Linux kernel with system services:
 Security
 Memory and process management
 Network stack
 Provide driver to access hardware:
 Camera
 Display and audio
 Wifi
 …

11.  Core Libraries:
 Written in Java
 Provides the functionality of Java programming language
 Interpreted by Dalvik VM
 Dalvik VM:
 Java based VM, a lightweight substitute to JVM
 Unlike JVM, DVM is a register based Virtual Machine
 DVM is optimized to run on limited main memory and less
CPU usage
 Java code (.class files) converted into .dex format to be
able to run on Android platform

13.  Thick and Thin Client
 Security Measures
 User Awareness

14.  Handset / Android Device
 Android SDK and Eclipse
 Emulator
 Wireless Connectivity
 And of course… Application file

15.  What we need:
 Android SDK
 Eclips
 GoatDroid (Android App from OWASP)
 MySQL
 .Net Framwork
 Proxy tool (Burp)
 Agnitio
 Android Device (Optional)
 SQLitebrowser

17.  Development Environment for Android
Application Development
 Components:
 SDK Manager
 AVD Manager
 Emulator

18.  Can be downloaded from :
developer.android.com/sdk/
 Requires JDK to be installed
 Install Eclipse
 Install ADT Plugin for Eclipse

19.  Simple Next-next process

20.  Go to Help->Install new Software
 Click Add
 Give Name as ADT Plugin
 Provide the below address in Location: http://dl-
ssl.google.com/android/eclipse/
 Press OK
 Check next to ‘Developer Tool’ and press next
 Click next and accept the ‘Terms and Conditions’
 Click Finish

21.  Now go to Window -> Preferences
 Click on Android in left panel
 Browse the Android SDK directory
 Press OK

24.  Click on Start

27.  Android Debug Bridge (adb) is a versatile command
line tool that lets you communicate with an
emulator instance or connected Android-powered
device.
 You can find the adb tool in <sdk>/platform-tools/

28.  Install an application to emulator or device:

29.  Push data to emulator / device
 adb push <local> <remote>
 Pull data to emulator / device
 adb pull <remote> <local>
 Remote - > Emulator and Local -> Machine

30.  Getting Shell of Emulator or Device
 adb shell
 Reading Logs
 adb logcat

31.  Reading SQLite3 database
 adb shell
 Go to the path
 SQLite3 database_name.db
 .dump to see content of the db file and .schema to print the
schema of the database on the screen
 Reading Logs
 adb logcat

33.  What is Android Rooting?

34. Step 1: Download CF Rooted Kernel
files and Odin3 Software

35.  Step 2: Keep handset on debugging mode

36.  Step 3: Run Odin3

37.  Step 4: Reboot the phone in download mode
 Step 5: Connect to the PC

38.  Step 6: Select required file i.e: PDA, Phone, CSC files
 Step 7: Click on Auto Reboot and F. Reset Time and hit Start button

39.  If your phone is Rooted... You will see PASS!! In Odin3

40.  Terminal Emulator
 Proxy tool (transproxy)

41.  Both Android Phone and laptop (machine to be used
in auditing) needs to be in same wireless LAN.
 Provide Laptops IP address and port where proxy is
listening in proxy tool (transproxy) installed in
machine.

42.  Burp is a HTTP proxy tool
 Able to intercept layer 7 traffic and allows
users to manipulate the HTTP Requests and
Response

43.  DD Command:
 dd if=filename.xyz of=/sdcard/SDA.dd
 Application path on Android Device:
 /data/data/com.application_name

47.  Install MySQL
 Install fourgoats database.
 Create a user with name as "goatboy", password as
"goatdroid" and Limit Connectivity to Hosts
Matching "localhost". Also "goatboy" needs to
have insert, delete, update, select on fourgoats
database.

48.  Run goatdroid-beta-v0.1.2.jar file
 Set the path for Android SDK Root directory
and Virtual Devices:
 Click Configure -> edit and click on Android tab
 Set path for Android SDK, typically it should be
▪ C:Program FilesAndroidandroid-sdk
 Set path for Virtual Devices, typically it should be
▪ C:Documents and SettingsManishandroidavd

49.  Start web services
 Start emulator through GoatDroid jar file
 Push / Install the application to Device
 Run FourGoat application from emulator
 Click on Menu and then click on Destination Info
 Provide following information in required fields:
 Server: 10.0.2.2 and Port 8888

50. Demo / Hands On

51.  Assuming FourGoat is already installed
 Run goatdroid-beta-v0.1.2.jar file and start web services
 Start any HTTP Proxy (Burp) tool on port 7000
 Configure Burp to forward the incoming traffic to port
8888
 Start emulator from command line by giving following
command:
 emulator –avd test2 –http-proxy 127.0.0.1:7000

52.  Open the FourGoat application in emulator
 Click on Mene to set Destination Info
 Set Destination Info as below:
 Server: 10.0.2.2 and port as 7000
 Now see if you are able to intercept the trrafic
in Burp 

53. Demo / Hands On

54. Demo / Hands On

55. Demo / Hands On

56. Demo / Hands On

57. • Install the app in Android device
• Set the destination info as below:
• Server: IP address (WLAN) of your laptop
and port as 8888 (incase no proxy is
listening)
• Memory Analysis through Terminal Emulator
and DD command

58. Next Topic

60.  Vulnerabilities can be found through Reverse
Engineering :
 Vulnerabilities in Source Code
 Re-compile the application
 Commented Code
 Hard coded information

61.  Dex to jar (dex2jar)
 C:dex2jar-versiondex2jar.bat someApk.apk
 Open code files in any Java decompile

62. Demo / Hands On

63.  Mobile Application Coder Review tool
 Install: Next-Next process
 Can analyze Codebase as well as .apk file

64. Demo / Hands On

66.  SQLite Database:
 SQLite is a widely used, lightweight database
 Used by most mobile OS i.e. iPhone, Android, Symbian,
webOS
 SQLite is a free to use and open source database
 Zero-configuration - no setup or administration needed.
 A complete database is stored in a single cross-platform
disk file.

67.  Pull the .db files out of the emulator / Device
as explained eirler
 Tools
 SQLite browser
 Epilog

68. Demo / Hands On

70. Demo / Hands On

71. Спасибо
Manish Chasta
Email: manish.chasta@owasp.org
Twitter: twitter.com/manish_chasta
LinkedIn: http://www.linkedin.com/pub/dir/Manish/Chasta