SlideShare uma empresa Scribd logo

Android Security & Penetration Testing

Subho Halder
Subho Halder

These slides were presented at GDG MeetUp in Bangalore which was held on 21st September 2013. Uploading the slides to help the people who wanted the slide Deck

Tecnologia
1 de 40
Baixar para ler offline
ANDROID SECURITY & PENETRATION TESTING Subho Halder @sunnyrockzzs #AFE Monday, 23 September 13
./AboutMe.sh Information Security Researcher Trainer at BlackHat, OWASP AppSec, ToorCon, SysCan. Lead Developer of AFE (Android Framework for Exploitation) Python Lovers Co-founder of XYSEC (http://xysec.com) Have found bug in some famous websites including Google, Apple, Microsoft, Skype, Adobe and many more Monday, 23 September 13
Some Companies I have found Vulnerabilities in ..... And many more... Monday, 23 September 13
./Agenda Quick Introduction to Android Internals Android Security Model Android Coding Best Practices Android Malware, Technique, Effectiveness using AFE (Android Framework for Exploitation) Small Social Experiment ! Monday, 23 September 13
Android Internals.exe Based on Linux kernel version 3.x (version 2.6 prior to Android 4.0 ICS) Application runs through Dalvik VM (Dalvik Virtual Machine) Dalvik VM runs executable files like dex (Dalvik executable) or apk files apk files are zipped content of Resources, Signatures, classes.dex and AndroidManifest.xml file Monday, 23 September 13
Android Security Model.txt Application are sandboxed (Runs with different UID and GID) Zygote spawns a new process for each Application Each Application runs with a separate instance of Dalvik VM Special Permissions are provided to access Hardware API’s Permissions are mentioned in AndroidManifest.xml file. Monday, 23 September 13
Android Application.apk Just an Archive ! Written mainly in Java and XML Multiple Entry-points, such as Activity, Services, Intents, Content Providers, etc. Monday, 23 September 13
AndroidManifest.xml Monday, 23 September 13
CAN THESE PERMISSION BE BYPASSED? Monday, 23 September 13
Uploading a sensitive file from SD-Card to Remote Server without any Permission! Read Files from SD-Card Uploads File to Remote Server Upload a file through Browser Permission not Required for READING files from SD Card Opening Browser through INTENT doesn’t requires Permission Intent(Intent.ACTION_VIEW, Uri.parse("http://google.com/")); Save theValue in the GET parameter to a file in Server Monday, 23 September 13
QUICK-DEMO ( SHOULD I ) ? Monday, 23 September 13
Android Coding Best Practices Follow -> http://developer.android.com/guide/practices/index.html Top 10 Mobile Risks (Outdated) -> https://www.owasp.org/index.php/ Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Attend more GDG Talks and other Security Conferences Shoot me a tweet @sunnyrockzzs Monday, 23 September 13
AndroidManifest.xml OMG ! Activities, Services, Receivers should not be exported or else you can bypass those activities ! Monday, 23 September 13
AndroidManifest.xml OMG ! (Contd.) android:exported= “True” in <provider> will turn into a nightmare ! BTW by default it is “True” if either android:minSdkVersion or android:targetSdkVersion to “16” or lower. For applications that set either of these attributes to “17” or higher, the default is “false”. Monday, 23 September 13
AndroidManifest.xml OMG ! (Contd.)AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.)AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.)Monday, 23 September 13
ANDROID MALWARE Monday, 23 September 13
Android Malware (Common Features) Send SMS to premium Number Subscribe to premium Services Dial Premium number Steal messages, contact list, logs Steal SD-Card files Auto-respond to attackers’s text messages ! Monday, 23 September 13
Creating a Malware.vbs Use CONTENT PROVIDERS Make use of CURSORS & SQLITE databases Write JAVA codes like crazy Set up Server component Get frustrated, start from bullet-point one. Monday, 23 September 13
If you don’t have past relationship with JAVA Monday, 23 September 13
Android Framework for Exploitation Monday, 23 September 13
Let’s Create a Malware ! Monday, 23 September 13
What about GOOGLE? Presenting GOOGLE Bouncer ! Monday, 23 September 13
“I am not Afraid” - Eminem Monday, 23 September 13
Faking Legitimate Application? Malware services generally injected in legitimate applications How to do it? legitimate apk Smali/Java Add malicious services/classes RecompileFinal malware Monday, 23 September 13
USE AFE TO AUTOMATE !! Monday, 23 September 13
Android Framework for Exploitation.py To make your life easier ! Find security vulnerabilities in your device+apps Protect your device against malwares Create automated malwares/botnets + send the data to a python listener Inject malicious services in another applications Use Android Exploits Crypt existing malwares to make them FUD Monday, 23 September 13
AFE Perspective.c Offensive Defensive Malware Creation BotNet Automation Crypting Injecting Content Query App Assesment Fuzzing Kernel Assesment Monday, 23 September 13
AFE Internals.py Python Based Plugin Based Architecure Modules Libraries Monday, 23 September 13
Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Monday, 23 September 13
Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Rebuild + Zipalign Monday, 23 September 13
Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Modifies the classnames and all its references within files Example: Converts com.example.org to com.omg.lol Monday, 23 September 13
Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Split variables into two, and append at runtime Example: String a = “hello” Will now become String aa = “hel” String ab = “lo” String a = aa + ab Monday, 23 September 13
Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Add dummy loops to change CFG Example: goto end; start: //everything in this label will execute, only when it is called ........ end: //everything in this label will execute, only when it is called goto start; Monday, 23 September 13
Statistics? ? ? ? ? ? ?.xls Earlier Detection: 30/46 Monday, 23 September 13
Statistics? ? ? ? ? ? ?.xls Detection after Crypting: 4/46 Monday, 23 September 13
OOPS CRYPTING MODULE IS NOT PUBLIC :) Monday, 23 September 13
./Conclusion -h Be safe Don’t download apps from 3rd party markets Turn USB debugging OFF Anti-virus vendors -> Switch to dynamic analysis Focus on BYOD security We also conduct trainings on Advanced Mobile Hands-on Security/Exploitation for both Android and iOS Monday, 23 September 13
HEY WAIT!! WHERE IS THE SOCIAL EXPERIMENT ? Monday, 23 September 13
./QUESTIONS subho.halder@gmail.com security@xysec.com http://xysec.com @sunnyrockzzs Monday, 23 September 13
STILL CURIOUS ?? MEET ME NOW !!! Monday, 23 September 13

Recomendados

Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android AppsAbdelhamid Limami
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetupkunwaratul hax0r
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 

Recomendados

Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android AppsAbdelhamid Limami
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetupkunwaratul hax0r
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Mobile security
Mobile securityMobile security
Mobile securitypriyanka pandey
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Application Security
Application SecurityApplication Security
Application SecurityReggie Niccolo Santos
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
iOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptxiOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptxdeepikakumari643428
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Android Hacking + Pentesting
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting Sina Manavi
 
Mobile App Security Testing -2
Mobile App Security Testing -2Mobile App Security Testing -2
Mobile App Security Testing -2Krisshhna Daasaarii
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsKaty Anton
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Securitycclark_isec
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10NowSecure
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basicsOWASPKerala
 
My Null Android Penetration Session
My Null Android Penetration Session My Null Android Penetration Session
My Null Android Penetration Session Avinash Sinha
 

Mais conteúdo relacionado

Mais procurados

Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
iOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptxiOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptxdeepikakumari643428
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Android Hacking + Pentesting
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting Sina Manavi
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsKaty Anton
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Securitycclark_isec
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10NowSecure
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 

Mais procurados (20)

Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
Mobile security
Mobile securityMobile security
Mobile security
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Application Security
Application SecurityApplication Security
Application Security
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
iOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptxiOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptx
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
Android Hacking + Pentesting
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting
 
Mobile App Security Testing -2
Mobile App Security Testing -2Mobile App Security Testing -2
Mobile App Security Testing -2
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive Controls
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 

Destaque

Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basicsOWASPKerala
 
My Null Android Penetration Session
My Null Android Penetration Session My Null Android Penetration Session
My Null Android Penetration Session Avinash Sinha
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security WorkshopOWASP
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android SecurityMarakana Inc.
 
Presentation on Android operating system
Presentation on Android operating systemPresentation on Android operating system
Presentation on Android operating systemSalma Begum
 
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Sina Manavi
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft
 
Information Security and Privacy
Information Security and PrivacyInformation Security and Privacy
Information Security and PrivacyAnika Tasnim Hafiz
 
Art of Thinking [Re-write]
Art of Thinking [Re-write]Art of Thinking [Re-write]
Art of Thinking [Re-write]Ammar WK
 
Axoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing ServicesAxoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing ServicesBulent Buyukkahraman
 
Firebase analytics for_android _ i_os
Firebase analytics for_android _ i_osFirebase analytics for_android _ i_os
Firebase analytics for_android _ i_osbaroqueworksdev
 
Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва it-people
 
Data Storage In Android
Data Storage In Android Data Storage In Android
Data Storage In Android Aakash Ugale
 

Destaque (20)

Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basics
 
My Null Android Penetration Session
My Null Android Penetration Session My Null Android Penetration Session
My Null Android Penetration Session
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
 
Android security
Android securityAndroid security
Android security
 
Android ppt
Android ppt Android ppt
Android ppt
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
 
Android ppt
Android pptAndroid ppt
Android ppt
 
Presentation on Android operating system
Presentation on Android operating systemPresentation on Android operating system
Presentation on Android operating system
 
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security Threats
 
Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applications
 
Information Security and Privacy
Information Security and PrivacyInformation Security and Privacy
Information Security and Privacy
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
 
Art of Thinking [Re-write]
Art of Thinking [Re-write]Art of Thinking [Re-write]
Art of Thinking [Re-write]
 
Axoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing ServicesAxoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing Services
 
Firebase analytics for_android _ i_os
Firebase analytics for_android _ i_osFirebase analytics for_android _ i_os
Firebase analytics for_android _ i_os
 
Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва
 
Data Storage In Android
Data Storage In Android Data Storage In Android
Data Storage In Android
 

Semelhante a Android Security & Penetration Testing

Engineering culture
Engineering cultureEngineering culture
Engineering culturePamela Fox
 
How to find_vulnerability_in_software
How to find_vulnerability_in_softwareHow to find_vulnerability_in_software
How to find_vulnerability_in_softwaresanghwan ahn
 
Matt training-html-halfday
Matt training-html-halfdayMatt training-html-halfday
Matt training-html-halfdayMatthew Dobson
 
(130720) #fitalk trends in d forensics
(130720) #fitalk trends in d forensics(130720) #fitalk trends in d forensics
(130720) #fitalk trends in d forensicsINSIGHT FORENSIC
 
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHackAn inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHackSoya Aoyama
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 AndroidTony Thomas
 
Tools/Processes for serious android app development
Tools/Processes for serious android app developmentTools/Processes for serious android app development
Tools/Processes for serious android app developmentGaurav Lochan
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensicssecurityxploded
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingRomansh Yadav
 
Continuous Delivery at Netflix
Continuous Delivery at NetflixContinuous Delivery at Netflix
Continuous Delivery at NetflixRob Spieldenner
 
[Ultracode Munich #4] Short introduction to the new Android build system incl...
[Ultracode Munich #4] Short introduction to the new Android build system incl...[Ultracode Munich #4] Short introduction to the new Android build system incl...
[Ultracode Munich #4] Short introduction to the new Android build system incl...BeMyApp
 
Windows 10 URI persistence technique
Windows 10 URI persistence techniqueWindows 10 URI persistence technique
Windows 10 URI persistence techniqueGiulio Comi
 
Mobile application security
Mobile application securityMobile application security
Mobile application securityShubhneet Goel
 
Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareAchim D. Brucker
 
Docker app armor_usecase
Docker app armor_usecaseDocker app armor_usecase
Docker app armor_usecaseKazuki Omo
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Chetan Khatri
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentationSandeep Joshi
 
Native apps in html5 with chrome packaged apps
Native apps in html5 with chrome packaged appsNative apps in html5 with chrome packaged apps
Native apps in html5 with chrome packaged appsTom Wilson
 

Semelhante a Android Security & Penetration Testing (20)

Engineering culture
Engineering cultureEngineering culture
Engineering culture
 
How to find_vulnerability_in_software
How to find_vulnerability_in_softwareHow to find_vulnerability_in_software
How to find_vulnerability_in_software
 
Matt training-html-halfday
Matt training-html-halfdayMatt training-html-halfday
Matt training-html-halfday
 
(130720) #fitalk trends in d forensics
(130720) #fitalk trends in d forensics(130720) #fitalk trends in d forensics
(130720) #fitalk trends in d forensics
 
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHackAn inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
 
Tools/Processes for serious android app development
Tools/Processes for serious android app developmentTools/Processes for serious android app development
Tools/Processes for serious android app development
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
 
Continuous Delivery at Netflix
Continuous Delivery at NetflixContinuous Delivery at Netflix
Continuous Delivery at Netflix
 
Android TCJUG
Android TCJUGAndroid TCJUG
Android TCJUG
 
[Ultracode Munich #4] Short introduction to the new Android build system incl...
[Ultracode Munich #4] Short introduction to the new Android build system incl...[Ultracode Munich #4] Short introduction to the new Android build system incl...
[Ultracode Munich #4] Short introduction to the new Android build system incl...
 
Windows 10 URI persistence technique
Windows 10 URI persistence techniqueWindows 10 URI persistence technique
Windows 10 URI persistence technique
 
Mobile application security
Mobile application securityMobile application security
Mobile application security
 
Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A Nightmare
 
Docker app armor_usecase
Docker app armor_usecaseDocker app armor_usecase
Docker app armor_usecase
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
 
A false digital alibi on mac os x
A false digital alibi on mac os xA false digital alibi on mac os x
A false digital alibi on mac os x
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentation
 
Native apps in html5 with chrome packaged apps
Native apps in html5 with chrome packaged appsNative apps in html5 with chrome packaged apps
Native apps in html5 with chrome packaged apps
 

Mais de Subho Halder

Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecuritySubho Halder
 
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016Subho Halder
 
Securing Mobile Apps - Appfest Version
Securing Mobile Apps - Appfest VersionSecuring Mobile Apps - Appfest Version
Securing Mobile Apps - Appfest VersionSubho Halder
 
Security, Privacy & Convenience – key drivers for mobile adoption from a cons...
Security, Privacy & Convenience – key drivers for mobile adoption from a cons...Security, Privacy & Convenience – key drivers for mobile adoption from a cons...
Security, Privacy & Convenience – key drivers for mobile adoption from a cons...Subho Halder
 
Android App (Vulner)ability - Teaser
Android App (Vulner)ability - TeaserAndroid App (Vulner)ability - Teaser
Android App (Vulner)ability - TeaserSubho Halder
 
iOS (Vulner)ability
iOS (Vulner)abilityiOS (Vulner)ability
iOS (Vulner)abilitySubho Halder
 

Mais de Subho Halder (6)

Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application Security
 
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
 
Securing Mobile Apps - Appfest Version
Securing Mobile Apps - Appfest VersionSecuring Mobile Apps - Appfest Version
Securing Mobile Apps - Appfest Version
 
Security, Privacy & Convenience – key drivers for mobile adoption from a cons...
Security, Privacy & Convenience – key drivers for mobile adoption from a cons...Security, Privacy & Convenience – key drivers for mobile adoption from a cons...
Security, Privacy & Convenience – key drivers for mobile adoption from a cons...
 
Android App (Vulner)ability - Teaser
Android App (Vulner)ability - TeaserAndroid App (Vulner)ability - Teaser
Android App (Vulner)ability - Teaser
 
iOS (Vulner)ability
iOS (Vulner)abilityiOS (Vulner)ability
iOS (Vulner)ability
 

Último

Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 

Último (20)

Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 

Android Security & Penetration Testing

  • 1. ANDROID SECURITY & PENETRATION TESTING Subho Halder @sunnyrockzzs #AFE Monday, 23 September 13
  • 2. ./AboutMe.sh Information Security Researcher Trainer at BlackHat, OWASP AppSec, ToorCon, SysCan. Lead Developer of AFE (Android Framework for Exploitation) Python Lovers Co-founder of XYSEC (http://xysec.com) Have found bug in some famous websites including Google, Apple, Microsoft, Skype, Adobe and many more Monday, 23 September 13
  • 3. Some Companies I have found Vulnerabilities in ..... And many more... Monday, 23 September 13
  • 4. ./Agenda Quick Introduction to Android Internals Android Security Model Android Coding Best Practices Android Malware, Technique, Effectiveness using AFE (Android Framework for Exploitation) Small Social Experiment ! Monday, 23 September 13
  • 5. Android Internals.exe Based on Linux kernel version 3.x (version 2.6 prior to Android 4.0 ICS) Application runs through Dalvik VM (Dalvik Virtual Machine) Dalvik VM runs executable files like dex (Dalvik executable) or apk files apk files are zipped content of Resources, Signatures, classes.dex and AndroidManifest.xml file Monday, 23 September 13
  • 6. Android Security Model.txt Application are sandboxed (Runs with different UID and GID) Zygote spawns a new process for each Application Each Application runs with a separate instance of Dalvik VM Special Permissions are provided to access Hardware API’s Permissions are mentioned in AndroidManifest.xml file. Monday, 23 September 13
  • 7. Android Application.apk Just an Archive ! Written mainly in Java and XML Multiple Entry-points, such as Activity, Services, Intents, Content Providers, etc. Monday, 23 September 13
  • 9. CAN THESE PERMISSION BE BYPASSED? Monday, 23 September 13
  • 10. Uploading a sensitive file from SD-Card to Remote Server without any Permission! Read Files from SD-Card Uploads File to Remote Server Upload a file through Browser Permission not Required for READING files from SD Card Opening Browser through INTENT doesn’t requires Permission Intent(Intent.ACTION_VIEW, Uri.parse("http://google.com/")); Save theValue in the GET parameter to a file in Server Monday, 23 September 13
  • 11. QUICK-DEMO ( SHOULD I ) ? Monday, 23 September 13
  • 12. Android Coding Best Practices Follow -> http://developer.android.com/guide/practices/index.html Top 10 Mobile Risks (Outdated) -> https://www.owasp.org/index.php/ Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Attend more GDG Talks and other Security Conferences Shoot me a tweet @sunnyrockzzs Monday, 23 September 13
  • 13. AndroidManifest.xml OMG ! Activities, Services, Receivers should not be exported or else you can bypass those activities ! Monday, 23 September 13
  • 14. AndroidManifest.xml OMG ! (Contd.) android:exported= “True” in <provider> will turn into a nightmare ! BTW by default it is “True” if either android:minSdkVersion or android:targetSdkVersion to “16” or lower. For applications that set either of these attributes to “17” or higher, the default is “false”. Monday, 23 September 13
  • 15. AndroidManifest.xml OMG ! (Contd.)AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.)AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.)Monday, 23 September 13
  • 17. Android Malware (Common Features) Send SMS to premium Number Subscribe to premium Services Dial Premium number Steal messages, contact list, logs Steal SD-Card files Auto-respond to attackers’s text messages ! Monday, 23 September 13
  • 18. Creating a Malware.vbs Use CONTENT PROVIDERS Make use of CURSORS & SQLITE databases Write JAVA codes like crazy Set up Server component Get frustrated, start from bullet-point one. Monday, 23 September 13
  • 19. If you don’t have past relationship with JAVA Monday, 23 September 13
  • 20. Android Framework for Exploitation Monday, 23 September 13
  • 21. Let’s Create a Malware ! Monday, 23 September 13
  • 22. What about GOOGLE? Presenting GOOGLE Bouncer ! Monday, 23 September 13
  • 23. “I am not Afraid” - Eminem Monday, 23 September 13
  • 24. Faking Legitimate Application? Malware services generally injected in legitimate applications How to do it? legitimate apk Smali/Java Add malicious services/classes RecompileFinal malware Monday, 23 September 13
  • 25. USE AFE TO AUTOMATE !! Monday, 23 September 13
  • 26. Android Framework for Exploitation.py To make your life easier ! Find security vulnerabilities in your device+apps Protect your device against malwares Create automated malwares/botnets + send the data to a python listener Inject malicious services in another applications Use Android Exploits Crypt existing malwares to make them FUD Monday, 23 September 13
  • 27. AFE Perspective.c Offensive Defensive Malware Creation BotNet Automation Crypting Injecting Content Query App Assesment Fuzzing Kernel Assesment Monday, 23 September 13
  • 29. Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Monday, 23 September 13
  • 30. Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Rebuild + Zipalign Monday, 23 September 13
  • 31. Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Modifies the classnames and all its references within files Example: Converts com.example.org to com.omg.lol Monday, 23 September 13
  • 32. Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Split variables into two, and append at runtime Example: String a = “hello” Will now become String aa = “hel” String ab = “lo” String a = aa + ab Monday, 23 September 13
  • 33. Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Add dummy loops to change CFG Example: goto end; start: //everything in this label will execute, only when it is called ........ end: //everything in this label will execute, only when it is called goto start; Monday, 23 September 13
  • 34. Statistics? ? ? ? ? ? ?.xls Earlier Detection: 30/46 Monday, 23 September 13
  • 35. Statistics? ? ? ? ? ? ?.xls Detection after Crypting: 4/46 Monday, 23 September 13
  • 36. OOPS CRYPTING MODULE IS NOT PUBLIC :) Monday, 23 September 13
  • 37. ./Conclusion -h Be safe Don’t download apps from 3rd party markets Turn USB debugging OFF Anti-virus vendors -> Switch to dynamic analysis Focus on BYOD security We also conduct trainings on Advanced Mobile Hands-on Security/Exploitation for both Android and iOS Monday, 23 September 13
  • 38. HEY WAIT!! WHERE IS THE SOCIAL EXPERIMENT ? Monday, 23 September 13
  • 40. STILL CURIOUS ?? MEET ME NOW !!! Monday, 23 September 13