Android security workshop

A presentation at Ground Zero Summit in November 2013 in New Delhi, Delhi, India by Anant Shrivastava

Slide 1

Slide 1

Deep Dive Android

Slide 2

Slide 2

Agenda ● Introduction to Android ● Application Architecture ● Pentesting Android ● Pentesting with Android

Slide 3

Slide 3

Trainer Profile Name: Anant Shrivastava Profession: Information Security Consultant. Certifications: RHCE, CEH, SANS-GWAPT Speaker / Trainer: Nullcon, ClubHack, c0c0n Membership: Null and Garage4Hackers Website: http://anantshri.info My Work : http://anantshri.info/work/ Whitepapers: http://anantshri.info/articles/ Android: https://play.google.com/store/apps/developer?id=Anantshri Email : anant@anantshri.info

Slide 4

Slide 4

Agenda ● Introduction to Android – Operating System Overview – File system Overview – Security Model ● Application Architecture ● Pentesting Android ● Pentesting with Android

Slide 5

Slide 5

USP : Android ● 56% Smartphone marketshare – Gartner May12 ● Sources Available free of cost ● Minimal license cost for developers (25USD). ● Easy to setup development environment. ● Based on Linux ● App-stores filled with large number of apps. ● By 2014, mobile internet to take over desktop internet usage (Source: Microsoft Tag, 2012)

Slide 6

Slide 6

History : Android • Android Inc. founded in 2003 in Palo Alto, California by Andy Rubin, Rich Miner, Nick Sears and Chris White. • Acquired in August 2005 by Google Inc. Key employees retained. • Design continued on a Linux powered mobile device. Marketed by Google to carriers as a flexible and easily upgradable OS. • On November 5, 2007, a consortium of mobile operators, software companies commercialization companies, semiconductor companies and handset manufacturers formed the Open Handset Consortium, with the stated aim of developing open standards for mobile devices. • On the same day, they released their first product …….…. Android.

Slide 7

Slide 7

Operating System Overview

Slide 8

Slide 8

System Architecture • A software stack for mobile devices. • Linux-based kernel (merged back to mainstream in 3.4 ) • Middleware, libraries and APIs in C. • Java-based application framework. • Custom Dalvik virtual machine with a JIT Java compiler. • Applications coded primarily in Java.

Slide 9

Slide 9

File System Overview

Slide 10

Slide 10

File System ● Block Devices (available as /dev/block/mtdblock*) Important Partitions ● /system : OS partition (generally RO) ● /data : User-Data (Application Storage) ● /sdcard : SD CARD storage location ● Partition Types ● /system,/data : Yaffs2 Or ext3/ext4 ● /sdcard : vfat (till 2.3.3) ● newer nexus devices don’t have separate /sdcard rather a folder which is mounted as MTP when connected to desktop Note : a detailed description of all files and folders is available here http://anantshri.info/andro/file_system.html

Slide 11

Slide 11

Security Model Overview

Slide 12

Slide 12

Security model System level Unix permission based restriction. SE Linux (4.3 onwards : Permissive mode in 4.3, enforced in 4.4) App sandboxing each application a unique id Permission Model Permission need to be taken first time (AppOps introduced as hidden feature in market and can be leveraged to fine tune the permission model) SEAndroid SE Linux port to Android

Slide 13

Slide 13

Demo ● File system navigation using ADB ● Permission model view using ● – ls -l (Long listing) – ls -lZ (SELinux Context) Permission view for Applications – /data/data/ – /data/app/

Slide 14

Slide 14

Agenda ● Introduction to Android ● Application Architecture – Application Components – Application Structure – The SDK and Android Tools – Developing a basic application ● Pentesting Android ● Pentesting with Android

Slide 15

Slide 15

Dalvik Virtual Machine ● Designed and written by Dan Bornstein ● Virtual machine for running android apps ● ● ● ● Android apps written in Java, compiled and converted to Dalvik bytecode format (dex – Dalvik Executable) Dalvik bytecode different from Java bytecode Dalvik was created to for computers with memory and performance constraints Dalvik is a register­based VM as apposed to stack based VM for Java and uses a different instruction set

Slide 16

Slide 16

Dex ● ● ● ● Dex file format details: http://www.dalvikvm.com/ Dex format is optimized for minimal memory footprint Dex contains multiple classes per file as opposed to one class per .java file Uses shared type­specific constant pools to conserve memory by decreasing redundancy

Slide 17

Slide 17

Source: http://davidehringer.com/software/android/The_Dalvik_Virtual_Machine.pdf Dex v/s Class

Slide 18

Slide 18

Zygote ● It is the VM process that starts at boot time ● Initializes core library classes and shares them across different forked VM instances. ● Listens on UDS /dev/socket/zygote for VMs (app) to fork and launch. ● Also sets appropriate UID/GID and groups based on the arguments and the requester ● Code – dalvik/* – dalvik/vm/* – frameworks/base/core/java/com/android/internal/os/Zygote*.java

Slide 19

Slide 19

Application Structure ● ● ● ● ● ● ● Majorly written in java. /AndroidManifest.xml  Project Details ➢ Permissions, Intents, Recievers ➢ Author, Application Name ➢ Max and min SDK supported /Res/Layout  GUI Layout for all Activities /src  Contains the whole Java source code /res/drawable  Icons and images /res/menu  Right click Menu entries /res/values  Static values to be used in Application

Slide 20

Slide 20

App components ● Activity ● Intent ● Service ● AndroidManifest.xml

Slide 21

Slide 21

Activities ● UI component for one focused task ● Usually a single screen in your application ● ● Stack based approach where visible activity/screen is topmost activity on stack. Activity association is defined in the AndroidManifest.xml

Slide 22

Slide 22

Activities Main Activity Java Code Android Manifest Definition

Slide 23

Slide 23

Intent ● Intents ==Operations / Actions ● Defined in Manifest (AndroidManifest.xml) ● application → activity → intent­filter

Slide 24

Slide 24

Intents Sample Main Activity plus Launcher Entry Registering yourself as browser

Slide 25

Slide 25

Service ● Background Jobs (No UI) ● Long running process. No effect on response. ● Declare Service application → service ● extends IntentService (one­time) or Service (Multiple) ● protected void onHandleIntent(Intent intent)

Slide 26

Slide 26

Android Manifest.xml ● XML structure defining properties including – Activities – Intents – User­permissions

Slide 27

Slide 27

Android Manifest.xml ● <uses­permission /> ­ list of required permissions from OS. ● <permission /> ­ list of permission calling party must have. ● <uses­sdk /> ­ min max and target sdk versions. ● <uses­configuration /> ­ hard and software configuration ● <uses­feature /> ­ specific features (filters) ● <application> ● <activity> ­ activities provided by the application ● <intent­filter> ­ various intents raised by application ● <service> ­ background activity. ● <receiver> ­ catch holder for system / broadcast intents.

Slide 28

Slide 28

Android SDK, NDK and Tools

Slide 29

Slide 29

Android SDK, NDK and tools ● SDK – Software Development Toolkit.

Slide 30

Slide 30

Android SDK, NDK and tools ● ● NDK – native development kit – Allows development of components in C / C++. – allows reuse existing code libraries. – possibly increased performance. Typical usage – Self­contained, – CPU­intensive operations, – Signal processing, – Physics simulation – Games

Slide 31

Slide 31

Tools provided by SDK / NDK ● GCC compiler for ARM ● Tools/android → sdk/avd manager ● Tools/ddms → debugging tool ● Tools/emulator → emulator executable ● Platform­tools/adb → debug bridge ● Platform­tools/fastboot → flashing utility

Slide 32

Slide 32

ADB : Android Debug Bridge ADB has ability to perform operations on android device remotely. Adb client -> adb server -> adb daemon (Development machine) -> (device) Some common usage push : Push data inside Device pull : Pull data from Device, file / folder install : Install software in device. (apk) logcat : realtime debug messages With Recent version’s adb connects only to verified devices. (verification taken on first connect)

Slide 33

Slide 33

Alternate Android VirtualMachines • Geanymotion (recommanded) – Virtualbox based x86 version of Android – OpenGL rendering supported (speed++) – Registration Required • Jar of Beans (community project) • BlueStack (non compatible with Android SDK)

Slide 34

Slide 34

Hello World App ● ● Exercise A simple application which prints hello world using a label with eclipse

Slide 35

Slide 35

Agenda ● Introduction to Android ● Application Architecture ● Pentesting Android Android Tamer & Environment Setup – Black Box PT – Reverse Engineering – Rooting basics – Understanding Pentesting Frameworks Pentesting with Android – ●

Slide 36

Slide 36

Android Tamer

Slide 37

Slide 37

What is Android Tamer • VM / Live ISO / Installable environment. • Specific focus on Android Security. • First Launched in Dec 2011 @ Clubhack 2011. • Second Release with large set of enhancement • Provides the most extensive Collection of tools for android security.

Slide 38

Slide 38

More • Based on Debian 7. • Environment customized to keep all tools in path. • Browser loaded with Pentesting toolkit + Bookmarks • All non essential software’s removed. But could be added once installed on local machine. • Next updates will be through repositories only.

Slide 39

Slide 39

Tools List • ROM Modding • – Rom kitchen – Flashing utility • – – – – – – – Rooting – Zergrush (GB) – adb restore (ICS / JB) – APK based rooting options • Development – Eclipse + ADT – SDK + NDK • Pentesting – OWASP ZAP proxy – BURP proxy – Firefox + pentest plugins RE and malware Analysis • Drozer (aka Mercury) Androguard Dex2Jar JD-GUI APKtool Baksmali / smali Bulb Pentesting Framework Wireless Capture – Wireshark – Tcpdump • Forensics – AF logical OSE – Sleuthkit

Slide 40

Slide 40

Rooting kits • ZergRush – Valid for GingerBread • Superoneclick – Zergrush – psneuter • Gingerbreak • Z4root • superandRoot

Slide 41

Slide 41

ROM Modding • ROM Kitchen – Allows to modify existing ROMs add or remove content or modify settings (ro.secure=?) • Flashing Utilities – Flashtool :SONY Xperia Series – Heimdall : SAMSUNG Galaxy Series – SBP_flash : MOTOROLA phones • Single Click ADB SHELL and LOGCAT access

Slide 42

Slide 42

Reversing toolset • JD-GUI • JED • DEX2JAR • Smali / Baksmali • APKtool

Slide 43

Slide 43

Malware Analysis • DroidBox • Mercury • Androguard

Slide 44

Slide 44

Agenda ● Introduction to Android ● Application Architecture ● Pentesting Android ● Pentesting with Android – Setting up the environment – Various tool usage – Writing custom tool in android

Slide 45

Slide 45

Pen Testing

Slide 46

Slide 46

Agenda • Understanding Mobile Security Issues • Setup Pen testing environment

Slide 47

Slide 47

Mobile Security Issues

Slide 48

Slide 48

Agenda Data / Activity Sniffing Unauthorized access to telephony layer (dialing, sms etc) Unauthorized network access Unsafe Data at transit / rest (XML / SQlite) Hardcoded values Password / key / salt Untrusted inputs / intents Data leakage Side channel Information Disclosure Logic / Time Bomb UI impersonation Rooting Application Security update cycles OS level security updates SQLi Click / Tap jacking Playing with Javascript

Slide 49

Slide 49

Data / Activity Sniffing • Data and activities could be monitored on real time – – – – – – – – – Messaging (SMS and Email) Audio (calls and open microphone recording) Video (still and full-motion) Location Contact list Call history Browsing history Input Data files • Example :Secret SMS Replicator

Slide 50

Slide 50

Access to telephony layer • Malware now a days are targeting SMS / Calls. • Premium SMS / Call -> high charge • USSD based purchases • Location specifics • Example – FakePlayer : Premium SMS sending app

Slide 51

Slide 51

Unsafe data at transit • Data Transmitted using insecure Channels. – HTTP – FTP – Unsigned XML • Protection : Use HTTPS • Ever Heard of sslstrip ?

Slide 52

Slide 52

Hardcoded values • Reverse Engineer the source Code and check for hardcoded values – Db connection strings – Api keys for third party apps.

Slide 53

Slide 53

Side channel leakage • Data leakage occurring through residual data like cache or temp files or keylogers. • Root Cause – Bad coding practice from developer. – Inherent OS specific features. • Identification Techniques – Before launching application take a snapshot of system. Launch application perform all operations and then again take a snapshot. Find the change in system look for residual file and data specially in temporary folders. • Action / Remediation: – Avoid web data caching by setting proper headers.

Slide 54

Slide 54

Information disclosure This risk is based on the fact that many developers hardcode the API or password, also lots of applications are now shifting business logic to client side. • Root Cause – Most of the web applications could be easily reverse engineered. – Hardcoded API Keys, passwords and other sensitive information. – Embedding business logic in client code. • Identification Techniques – Decompile application and check if some hardcoded values are visible and if business logic could be altered. (especially in case of financial applications) • Action / Remediation: – Values should not be hardcoded. – Business logic should be kept separate at server side only.

Slide 55

Slide 55

Logic / Time Bomb • Code to be activated – Specific dates – connecting to a network – Dialing a number – Receiving an sms – You can think of some more …….

Slide 56

Slide 56

UI Impersonation • Application Posing as a known legitimate Apps or websites. • Prevention : Google app store has started rejecting and banning applications performing such tactics. (other app stores ??? And side loading)

Slide 57

Slide 57

Rooting • Devices are by default running in a restricted user environment (refer permissions section) • Root user holds ultimate authority over system. • All released android versions are vulnerable. • Exploits used to gain root access are – OS based (Os level binary flaws) – Devices specific files

Slide 58

Slide 58

Application Updates • Application Updates are send over the air. • If update happening over Wifi sniffing is easy. • Google play store may apply security. But not all stores are having all securities in place. • Play store is only available with Google authorized phone manufacturers

Slide 59

Slide 59

OS level updates • Android updates are largely carrier and manufacturer dependent. • Google updates AOSP others (manufacturers and carriers) download and distribute. • Only independent devices as of now – Google nexus series

Slide 60

Slide 60

Current OS distribution

Slide 61

Slide 61

SQLi • Large amount of application have backend running on a web server + db server backend. • So tradition SQLi still works the deal is to find the backend.

Slide 62

Slide 62

Click / Tap jacking • Clickjacking for mobile is Tap jacking. • Simmilar techniques like clickjacking. • Transparent frame placed on top of legitimate looking button’s. • Could be used to earn ad revenue on clicks.

Slide 63

Slide 63

Javascript • Javascript is the new playground. • Iframes and various javascript calls are hard to detect on mobile browser. • With HTML5 in picture now the vectors availability has increased multifolds.

Slide 64

Slide 64

Setup Pentesting Environment

Slide 65

Slide 65

Setup • Static Analysis Tools – Reversing the apk • Dex2jar + Jd-gui / jad • Smali • Network traffic interception – OWASP ZAP – Burp suite • Backend and frontend scanning – Emulator as isolated environment. – Server side scanning (nikto, w3af, nmap)

Slide 66

Slide 66

Reversing the APK • APK == JAR == TAR • .dex ~~~ .classes merged • Simplest process – Unzip – Dex2jar convert .dex to jar file – Jd-gui / jad to decompile jar. – Apktools : extract resources and correct binary xml

Slide 67

Slide 67

Network traffic interception • Using emulator or device define proxy. • Emulator –http-proxy http :// 127.0.0.1:8080 –avd <name> • Settings -> networks -> access point -> proxy host -> port • For emulator localhost / base machine’s ip = 10.0.2.2

Slide 68

Slide 68

Network interception cont… • Issues in listed approach 1) SSL traffic most of the time will not be intercepted and app will crash with connection failure due to invalid certification. 1) Solution is to import the certificate of the proxy server. 2) Export proxy cert from application 3) Adb push .cer /sdcard/ 4) Settings -> security -> install from sdcard 1) Will have to set a pin for device.

Slide 69

Slide 69

Network traffic interception cont.. • Application traffic not proxified For emulator’s this is applicable till 2.3.3 emulator. Tested above settings on 4.0 and 4.1 series and all apps are by default proxified.

Slide 70

Slide 70

IPTables Based App level intercept ● ● ● Android runs each app with individal userid IPTables can be used to set rules for each user. Combine these two and you can do all the traffic interception you want.

Slide 71

Slide 71

SandroProxy

Slide 72

Slide 72

Tests at a Glance

Slide 73

Slide 73

device level tests • Data by app stored in – /data/data/<app_package_name> • /sdcard content. • Look for xml or db’s for unencrypted data • File system could be scanned for changes before and after install / usage / removal of application

Slide 74

Slide 74

Backend Scanning • During Network interception you can easily identify the backend server ip’s / url’s • nmap,w3af,nikto scan on backend could be made to assess it. • Server side flaws need not be web flaws only, any service running of server could be our potential target.

Slide 75

Slide 75

Excercise • App Protector. – Protects your phone specific functions from unauthorized access – Or does it. – Refer : /data/data/com.ruimaninfo.approtect/ • Defender – A simple application where you can play and earn powers at offline level and then compete with opponent online.

Slide 76

Slide 76

Pentesting Frameworks ● Mercury / Drozer ● AFE (Android Framework for Exploitation) ● Smartphone Pentest Framework

Slide 77

Slide 77

Pentesting Through Android

Slide 78

Slide 78

Available Toolset ● DroidSheep ● Dsploit ● Interceptor ● Network Discovery ● Shark ● Network Tools ● zAnti

Slide 79

Slide 79

Pentesting through Android ● Setup Environment – SL4A – Py4a – Pl4a – setup standalone shell for them ● Porting Existing tools ● write basic scripts for python to perform basic operations ● – username password bruteforce attack – task automation using python – username enumeration wordpress script creating packages from scripts

Slide 80

Slide 80

Sample Scripts and Demo ● ● Python Based Wordpress Username Enumeration Python based bruteforcing tool

Slide 81

Slide 81

Recap We Learned – What is Android – Internal Working – Application development – Vulnerabilities – How to Pentest an android application – Penetration Testing Using Android

Slide 82

Slide 82

Any Questions

Slide 83

Slide 83

Thank You