Android security workshop

A presentation at Ground Zero Summit in November 2013 in New Delhi, Delhi, India by Anant Shrivastava

Agenda ● Introduction to Android ● Application Architecture ● Pentesting Android ● Pentesting with Android

Trainer Profile Name: Anant Shrivastava Profession: Information Security Consultant. Certifications: RHCE, CEH, SANS-GWAPT Speaker / Trainer: Nullcon, ClubHack, c0c0n Membership: Null and Garage4Hackers Website: http://anantshri.info My Work : http://anantshri.info/work/ Whitepapers: http://anantshri.info/articles/ Android: https://play.google.com/store/apps/developer?id=Anantshri Email : anant@anantshri.info

Agenda ● Introduction to Android – Operating System Overview – File system Overview – Security Model ● Application Architecture ● Pentesting Android ● Pentesting with Android

USP : Android ● 56% Smartphone marketshare – Gartner May12 ● Sources Available free of cost ● Minimal license cost for developers (25USD). ● Easy to setup development environment. ● Based on Linux ● App-stores filled with large number of apps. ● By 2014, mobile internet to take over desktop internet usage (Source: Microsoft Tag, 2012)

History : Android • Android Inc. founded in 2003 in Palo Alto, California by Andy Rubin, Rich Miner, Nick Sears and Chris White. • Acquired in August 2005 by Google Inc. Key employees retained. • Design continued on a Linux powered mobile device. Marketed by Google to carriers as a flexible and easily upgradable OS. • On November 5, 2007, a consortium of mobile operators, software companies commercialization companies, semiconductor companies and handset manufacturers formed the Open Handset Consortium, with the stated aim of developing open standards for mobile devices. • On the same day, they released their first product …….…. Android.

System Architecture • A software stack for mobile devices. • Linux-based kernel (merged back to mainstream in 3.4 ) • Middleware, libraries and APIs in C. • Java-based application framework. • Custom Dalvik virtual machine with a JIT Java compiler. • Applications coded primarily in Java.

File System ● Block Devices (available as /dev/block/mtdblock*) Important Partitions ● /system : OS partition (generally RO) ● /data : User-Data (Application Storage) ● /sdcard : SD CARD storage location ● Partition Types ● /system,/data : Yaffs2 Or ext3/ext4 ● /sdcard : vfat (till 2.3.3) ● newer nexus devices don’t have separate /sdcard rather a folder which is mounted as MTP when connected to desktop Note : a detailed description of all files and folders is available here http://anantshri.info/andro/file_system.html

Security model System level Unix permission based restriction. SE Linux (4.3 onwards : Permissive mode in 4.3, enforced in 4.4) App sandboxing each application a unique id Permission Model Permission need to be taken first time (AppOps introduced as hidden feature in market and can be leveraged to fine tune the permission model) SEAndroid SE Linux port to Android

Demo ● File system navigation using ADB ● Permission model view using ● – ls -l (Long listing) – ls -lZ (SELinux Context) Permission view for Applications – /data/data/ – /data/app/

Agenda ● Introduction to Android ● Application Architecture – Application Components – Application Structure – The SDK and Android Tools – Developing a basic application ● Pentesting Android ● Pentesting with Android

Dalvik Virtual Machine ● Designed and written by Dan Bornstein ● Virtual machine for running android apps ● ● ● ● Android apps written in Java, compiled and converted to Dalvik bytecode format (dex – Dalvik Executable) Dalvik bytecode different from Java bytecode Dalvik was created to for computers with memory and performance constraints Dalvik is a registerbased VM as apposed to stack based VM for Java and uses a different instruction set

Dex ● ● ● ● Dex file format details: http://www.dalvikvm.com/ Dex format is optimized for minimal memory footprint Dex contains multiple classes per file as opposed to one class per .java file Uses shared typespecific constant pools to conserve memory by decreasing redundancy

Source: http://davidehringer.com/software/android/The_Dalvik_Virtual_Machine.pdf Dex v/s Class

Zygote ● It is the VM process that starts at boot time ● Initializes core library classes and shares them across different forked VM instances. ● Listens on UDS /dev/socket/zygote for VMs (app) to fork and launch. ● Also sets appropriate UID/GID and groups based on the arguments and the requester ● Code – dalvik/* – dalvik/vm/* – frameworks/base/core/java/com/android/internal/os/Zygote*.java

Application Structure ● ● ● ● ● ● ● Majorly written in java. /AndroidManifest.xml  Project Details ➢ Permissions, Intents, Recievers ➢ Author, Application Name ➢ Max and min SDK supported /Res/Layout  GUI Layout for all Activities /src  Contains the whole Java source code /res/drawable  Icons and images /res/menu  Right click Menu entries /res/values  Static values to be used in Application

App components ● Activity ● Intent ● Service ● AndroidManifest.xml

Activities ● UI component for one focused task ● Usually a single screen in your application ● ● Stack based approach where visible activity/screen is topmost activity on stack. Activity association is defined in the AndroidManifest.xml

Activities Main Activity Java Code Android Manifest Definition

Intent ● Intents ==Operations / Actions ● Defined in Manifest (AndroidManifest.xml) ● application → activity → intentfilter

Intents Sample Main Activity plus Launcher Entry Registering yourself as browser

Service ● Background Jobs (No UI) ● Long running process. No effect on response. ● Declare Service application → service ● extends IntentService (onetime) or Service (Multiple) ● protected void onHandleIntent(Intent intent)

Android Manifest.xml ● XML structure defining properties including – Activities – Intents – Userpermissions

Android Manifest.xml ● <usespermission /> list of required permissions from OS. ● <permission /> list of permission calling party must have. ● <usessdk /> min max and target sdk versions. ● <usesconfiguration /> hard and software configuration ● <usesfeature /> specific features (filters) ● <application> ● <activity> activities provided by the application ● <intentfilter> various intents raised by application ● <service> background activity. ● <receiver> catch holder for system / broadcast intents.

Android SDK, NDK and tools ● SDK – Software Development Toolkit.

Android SDK, NDK and tools ● ● NDK – native development kit – Allows development of components in C / C++. – allows reuse existing code libraries. – possibly increased performance. Typical usage – Selfcontained, – CPUintensive operations, – Signal processing, – Physics simulation – Games

Tools provided by SDK / NDK ● GCC compiler for ARM ● Tools/android → sdk/avd manager ● Tools/ddms → debugging tool ● Tools/emulator → emulator executable ● Platformtools/adb → debug bridge ● Platformtools/fastboot → flashing utility

ADB : Android Debug Bridge ADB has ability to perform operations on android device remotely. Adb client -> adb server -> adb daemon (Development machine) -> (device) Some common usage push : Push data inside Device pull : Pull data from Device, file / folder install : Install software in device. (apk) logcat : realtime debug messages With Recent version’s adb connects only to verified devices. (verification taken on first connect)

Alternate Android VirtualMachines • Geanymotion (recommanded) – Virtualbox based x86 version of Android – OpenGL rendering supported (speed++) – Registration Required • Jar of Beans (community project) • BlueStack (non compatible with Android SDK)

Hello World App ● ● Exercise A simple application which prints hello world using a label with eclipse

Agenda ● Introduction to Android ● Application Architecture ● Pentesting Android Android Tamer & Environment Setup – Black Box PT – Reverse Engineering – Rooting basics – Understanding Pentesting Frameworks Pentesting with Android – ●

What is Android Tamer • VM / Live ISO / Installable environment. • Specific focus on Android Security. • First Launched in Dec 2011 @ Clubhack 2011. • Second Release with large set of enhancement • Provides the most extensive Collection of tools for android security.

More • Based on Debian 7. • Environment customized to keep all tools in path. • Browser loaded with Pentesting toolkit + Bookmarks • All non essential software’s removed. But could be added once installed on local machine. • Next updates will be through repositories only.

Tools List • ROM Modding • – Rom kitchen – Flashing utility • – – – – – – – Rooting – Zergrush (GB) – adb restore (ICS / JB) – APK based rooting options • Development – Eclipse + ADT – SDK + NDK • Pentesting – OWASP ZAP proxy – BURP proxy – Firefox + pentest plugins RE and malware Analysis • Drozer (aka Mercury) Androguard Dex2Jar JD-GUI APKtool Baksmali / smali Bulb Pentesting Framework Wireless Capture – Wireshark – Tcpdump • Forensics – AF logical OSE – Sleuthkit

Rooting kits • ZergRush – Valid for GingerBread • Superoneclick – Zergrush – psneuter • Gingerbreak • Z4root • superandRoot

ROM Modding • ROM Kitchen – Allows to modify existing ROMs add or remove content or modify settings (ro.secure=?) • Flashing Utilities – Flashtool :SONY Xperia Series – Heimdall : SAMSUNG Galaxy Series – SBP_flash : MOTOROLA phones • Single Click ADB SHELL and LOGCAT access

Reversing toolset • JD-GUI • JED • DEX2JAR • Smali / Baksmali • APKtool

Malware Analysis • DroidBox • Mercury • Androguard

Agenda ● Introduction to Android ● Application Architecture ● Pentesting Android ● Pentesting with Android – Setting up the environment – Various tool usage – Writing custom tool in android

Agenda • Understanding Mobile Security Issues • Setup Pen testing environment

Agenda Data / Activity Sniffing Unauthorized access to telephony layer (dialing, sms etc) Unauthorized network access Unsafe Data at transit / rest (XML / SQlite) Hardcoded values Password / key / salt Untrusted inputs / intents Data leakage Side channel Information Disclosure Logic / Time Bomb UI impersonation Rooting Application Security update cycles OS level security updates SQLi Click / Tap jacking Playing with Javascript

Data / Activity Sniffing • Data and activities could be monitored on real time – – – – – – – – – Messaging (SMS and Email) Audio (calls and open microphone recording) Video (still and full-motion) Location Contact list Call history Browsing history Input Data files • Example :Secret SMS Replicator

Access to telephony layer • Malware now a days are targeting SMS / Calls. • Premium SMS / Call -> high charge • USSD based purchases • Location specifics • Example – FakePlayer : Premium SMS sending app

Unsafe data at transit • Data Transmitted using insecure Channels. – HTTP – FTP – Unsigned XML • Protection : Use HTTPS • Ever Heard of sslstrip ?

Hardcoded values • Reverse Engineer the source Code and check for hardcoded values – Db connection strings – Api keys for third party apps.

Side channel leakage • Data leakage occurring through residual data like cache or temp files or keylogers. • Root Cause – Bad coding practice from developer. – Inherent OS specific features. • Identification Techniques – Before launching application take a snapshot of system. Launch application perform all operations and then again take a snapshot. Find the change in system look for residual file and data specially in temporary folders. • Action / Remediation: – Avoid web data caching by setting proper headers.

Information disclosure This risk is based on the fact that many developers hardcode the API or password, also lots of applications are now shifting business logic to client side. • Root Cause – Most of the web applications could be easily reverse engineered. – Hardcoded API Keys, passwords and other sensitive information. – Embedding business logic in client code. • Identification Techniques – Decompile application and check if some hardcoded values are visible and if business logic could be altered. (especially in case of financial applications) • Action / Remediation: – Values should not be hardcoded. – Business logic should be kept separate at server side only.

Logic / Time Bomb • Code to be activated – Specific dates – connecting to a network – Dialing a number – Receiving an sms – You can think of some more …….

UI Impersonation • Application Posing as a known legitimate Apps or websites. • Prevention : Google app store has started rejecting and banning applications performing such tactics. (other app stores ??? And side loading)

Rooting • Devices are by default running in a restricted user environment (refer permissions section) • Root user holds ultimate authority over system. • All released android versions are vulnerable. • Exploits used to gain root access are – OS based (Os level binary flaws) – Devices specific files

Application Updates • Application Updates are send over the air. • If update happening over Wifi sniffing is easy. • Google play store may apply security. But not all stores are having all securities in place. • Play store is only available with Google authorized phone manufacturers

OS level updates • Android updates are largely carrier and manufacturer dependent. • Google updates AOSP others (manufacturers and carriers) download and distribute. • Only independent devices as of now – Google nexus series

SQLi • Large amount of application have backend running on a web server + db server backend. • So tradition SQLi still works the deal is to find the backend.

Click / Tap jacking • Clickjacking for mobile is Tap jacking. • Simmilar techniques like clickjacking. • Transparent frame placed on top of legitimate looking button’s. • Could be used to earn ad revenue on clicks.

Javascript • Javascript is the new playground. • Iframes and various javascript calls are hard to detect on mobile browser. • With HTML5 in picture now the vectors availability has increased multifolds.

Setup • Static Analysis Tools – Reversing the apk • Dex2jar + Jd-gui / jad • Smali • Network traffic interception – OWASP ZAP – Burp suite • Backend and frontend scanning – Emulator as isolated environment. – Server side scanning (nikto, w3af, nmap)

Reversing the APK • APK == JAR == TAR • .dex ~~~ .classes merged • Simplest process – Unzip – Dex2jar convert .dex to jar file – Jd-gui / jad to decompile jar. – Apktools : extract resources and correct binary xml

Network traffic interception • Using emulator or device define proxy. • Emulator –http-proxy http :// 127.0.0.1:8080 –avd <name> • Settings -> networks -> access point -> proxy host -> port • For emulator localhost / base machine’s ip = 10.0.2.2

Network interception cont… • Issues in listed approach 1) SSL traffic most of the time will not be intercepted and app will crash with connection failure due to invalid certification. 1) Solution is to import the certificate of the proxy server. 2) Export proxy cert from application 3) Adb push .cer /sdcard/ 4) Settings -> security -> install from sdcard 1) Will have to set a pin for device.

Network traffic interception cont.. • Application traffic not proxified For emulator’s this is applicable till 2.3.3 emulator. Tested above settings on 4.0 and 4.1 series and all apps are by default proxified.

IPTables Based App level intercept ● ● ● Android runs each app with individal userid IPTables can be used to set rules for each user. Combine these two and you can do all the traffic interception you want.

device level tests • Data by app stored in – /data/data/<app_package_name> • /sdcard content. • Look for xml or db’s for unencrypted data • File system could be scanned for changes before and after install / usage / removal of application

Backend Scanning • During Network interception you can easily identify the backend server ip’s / url’s • nmap,w3af,nikto scan on backend could be made to assess it. • Server side flaws need not be web flaws only, any service running of server could be our potential target.

Excercise • App Protector. – Protects your phone specific functions from unauthorized access – Or does it. – Refer : /data/data/com.ruimaninfo.approtect/ • Defender – A simple application where you can play and earn powers at offline level and then compete with opponent online.

Pentesting Frameworks ● Mercury / Drozer ● AFE (Android Framework for Exploitation) ● Smartphone Pentest Framework

Available Toolset ● DroidSheep ● Dsploit ● Interceptor ● Network Discovery ● Shark ● Network Tools ● zAnti

Pentesting through Android ● Setup Environment – SL4A – Py4a – Pl4a – setup standalone shell for them ● Porting Existing tools ● write basic scripts for python to perform basic operations ● – username password bruteforce attack – task automation using python – username enumeration wordpress script creating packages from scripts

Sample Scripts and Demo ● ● Python Based Wordpress Username Enumeration Python based bruteforcing tool

Recap We Learned – What is Android – Internal Working – Application development – Vulnerabilities – How to Pentest an android application – Penetration Testing Using Android

Anant Shrivastava
@anantshri

1 / 83

Android needs no introduction, it’s one of the fastest growing Smartphone / Tablet OS. Future plans to just include telecommunication equipment but also entertainment equipment like TV, Music Players and other house hold items. When the World is moving towards Android subsequently there is a rise in threat’s and potential risk’s in the same. This Workshop is geared towards Security professionals who want to remain on the edge of the fast paced technology and possess in-depth understanding of Android. This workshop will not only focus on Application Pen Testing but will also be looking at the overall OS as a platform and potential pitfalls around it. Besides just dissecting Android to analyse it we will also be looking at leveraging android platform and its mobility to perform conventional penetration testing tasks. The workshop will be conducted with live applications / targets (test authorized) as well as self-developed Demo in order to quickly understand the targets. Course Content • Android Architecturey o Operating System Overview o File system Overview o Security Model

• Developer Overview o Application Components o Application Structure o The SDK and Android Tools o Developing a basic application

• Intro to Pen Testing o Introduction to Android Tamer o Setting up the environment o Black Box PT o Reverse Engineering o Rooting basics o Understanding Pentesting Frameworks o Mercury o Smartphone Pentest Framework o Android Framework for Exploitation.

• Using android for Pentest o Setting up the environment o Various tool usage o Writing custom tool in android

Duration: 1Day (8 hours)

Participants Requirements • Laptop with virtualbox or VMWARE Player • Android device

Would be great if you have Android SDK configured otherwise Live OS will be provided with everything configured in it. Attendees need to bring an android device otherwise last one section they will have to just see and can’t practice it with instructors.

Minimum system config should be 2 GB RAM with 1.7Ghz processor.

Remaining all software will be provided

Who should attend? Anyone Interested to Learn and Deep dive in Android. Mobile Security Enthusiast, Web Application Penetration Tester, Android Enthusiast, IT professionals, developers, testing, quality professionals and anyone who wants to get their hands dirty in Android.

Buzz and feedback

Here’s what was said about this presentation on social media.

Am in the Android Security workshop w/ AnanthSree art #g0s13
— Sas3 (@sastrytumuluri) November 9, 2013

Android security workshop

Link for this presentation:

HTML code for embedding:

Share on social media:

Buzz and feedback