android hacking and protective measures - isaca...
Android application hacking demonstration
11 September 2017
Ivan Mercalina
Senior Information Security Officer BearingPoint
Android hacking and protective measures
Android App Hacking Demo. Disclaimer
• Today we will do a real-life, low-tech demo.
• This demo does not concern the hacking of an Android mobile device.
• This demo shows possible vulnerabilities in Android apps.
Android App Hacking Demo. Disclaimer
My area of expertise focuses on:
• Common security mistakes
  ➤ Find credentials if not saved correctly
  ➤ Bypass authentication
  ➤ Bypass encryption
• Recompiling apps
• Analyzing data traffic
• Attacks on the back-end server
What I am not:
• An Android expert/developer
Android in a nutshell
• Designed by Google
• Installed via an APK file
• Good security structure if applied well

Worldwide smartphone sales in the fourth quarter of 2016 (thousands of units). Source: Gartner

Operating System | 4Q16 Units | 4Q16 Market Share (%) | 4Q15 Units | 4Q15 Market Share (%)
Android          | 352,669.9  | 81.7                  | 325,394.4  | 80.7
iOS              | 77,038.9   | 17.9                  | 71,525.9   | 17.7
Windows          | 1,092.2    | 0.3                   | 4,395.0    | 1.1
BlackBerry       | 207.9      | 0.0                   | 906.9      | 0.2
Other OS         | 530.4      | 0.1                   | 887.3      | 0.2
Total            | 431,539.3  | 100.0                 | 403,109.4  | 100.0
Open Web Application Security Project (OWASP)
“Worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations are able to make informed decisions.”
0. Hacking Demo | Common security mistakes
Hardcoded credentials in APK
• Remote server credentials
Insecure communication (OWASP M3/M5)
• Credentials unencrypted
• No certificate pinning
Insecure login (OWASP M4)
• User ID enumeration
Insecure storage (OWASP M2)
• Credentials saved as MD5 in local database
• Insufficient local file permissions (OWASP M6)
• Remote server credentials stored locally
Demo phases: APK Analysis, Browse App, Data Analysis, Backend Analysis
1. Hacking Demo | Analysis of the APK file
• Decompile the APK
• Analyze the JAR file
• Analyze the AndroidManifest.xml file
• Text search of the decompiled folder
Hardcoded credentials in APK:
  (str1.equals("customerservice")) && (str2.equals("Acc0uNTM@n@g3mEnT")))
Phase: APK Analysis
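The "text search of the decompiled folder" step above is easy to automate for your own builds, so the hardcoded check that the slide shows never reaches a release. The following Python script is an added example, not the presenter's code or part of GoatDroid: it walks a tree of decompiled .java/.smali files and reports string literals compared with equals() in a credential-like context. The heuristics (credential words, the "password-like literal" rule, the username && password pair rule) are assumptions for this example; the sample files it scans are constructed, with the slide's own decompiled condition as one of the inputs.

```python
"""Added example (not the presenter's code): scan decompiled Android sources
for hardcoded credential checks, the 'text search decompiled folder' step."""
import os
import re
import tempfile

# Heuristics are assumptions for this example; tune them per code base.
CRED_WORDS = re.compile(r"pass|pwd|secret|token|apikey|user|login|cred", re.IGNORECASE)
# Java/JADX output:  var.equals("literal")   or   "literal".equals(var)
EQUALS_LITERAL = re.compile(r'(\w+)\.equals\("([^"]+)"\)|"([^"]+)"\.equals\((\w+)\)')
# smali output:  const-string v0, "literal"
SMALI_STRING = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s*"([^"]+)"')


def looks_like_secret(literal):
    """True when a literal mixes >= 3 character classes over >= 8 chars (password-like)."""
    classes = [re.search(p, literal) is not None for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")]
    return len(literal) >= 8 and sum(classes) >= 3


def scan_text(text):
    """Return [(line_no, literal, reason), ...] for one decompiled file's contents."""
    findings = []
    lines = text.splitlines()
    for no, line in enumerate(lines, start=1):
        window = "\n".join(lines[max(0, no - 3):no + 2])  # a few lines of context
        matches = list(EQUALS_LITERAL.finditer(line))
        pair = len(matches) >= 2 and "&&" in line  # username && password style check
        for m in matches:
            var, literal = (m.group(1) or m.group(4)), (m.group(2) or m.group(3))
            if pair:
                findings.append((no, literal, "two literal compares joined by &&"))
            elif looks_like_secret(literal):
                findings.append((no, literal, "password-like literal"))
            elif CRED_WORDS.search(var) or CRED_WORDS.search(window):
                findings.append((no, literal, f"credential identifier nearby ({var})"))
        for m in SMALI_STRING.finditer(line):
            if looks_like_secret(m.group(1)) or CRED_WORDS.search(window):
                findings.append((no, m.group(1), "const-string in credential context"))
    return findings


def scan_dir(root):
    """Walk a decompiled tree and return {relative_path: findings} for files with hits."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith((".java", ".smali")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report


def demo():
    """Constructed sample tree: the slide's decompiled condition, a harmless compare, and smali."""
    java = """public class Login {
    void check(String str1, String str2) {
        if ((str1.equals("customerservice")) && (str2.equals("Acc0uNTM@n@g3mEnT"))) {
            grantAdmin();
        }
    }
}

class Theme {
    String pick(String name) {
        if (name.equals("dark")) return "#000000";
        return "#ffffff";
    }
}
"""
    smali = """.method private static connect()V
    const-string v0, "dbPassword"
    const-string v1, "Sup3r$ecret!"
    return-void
.end method
"""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "smali"))
        with open(os.path.join(root, "Login.java"), "w") as fh:
            fh.write(java)
        with open(os.path.join(root, "smali", "Db.smali"), "w") as fh:
            fh.write(smali)
        return scan_dir(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for line_no, literal, reason in hits:
            print(f"{path}:{line_no}: {literal!r} ({reason})")
```

Run it against the output of jadx or apktool (`scan_dir("/path/to/decompiled")`); the harmless `name.equals("dark")` compare in the sample shows why the context rules matter, since flagging every literal compare would drown the real hits.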
2. Hacking Demo | Transport data analysis
1. Install the APK in an Android emulator
2. Start the app and monitor the network activity with a sniffer (e.g. Wireshark)
• To which servers does the app connect?
• Which protocols are used in this connection?
• Is transport encryption used in this connection?
Phase: Data Analysis
3. Hacking Demo | Transport data analysis
• If the protocol is not HTTP => use a TCP interception tool (e.g. EchoMirage)
• If the protocol is HTTP => use a local HTTP proxy
• If the protocol is HTTP over SSL => use a local HTTP proxy
Insecure communication (OWASP M3)
• SSL but still cleartext
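The three questions from the sniffer step (which servers, which protocol, is it encrypted) and the tool decision above can be answered per stream from the first bytes the client sends. The Python below is an added example, not the presenter's code: it classifies a stream as TLS (record type 0x16 followed by a ClientHello), plain HTTP or something else, maps that to the slide's decision rule, and flags the "SSL but still cleartext" case where a credential field travels over an unencrypted stream. The sample streams, hostnames and credential-field list are constructed for the example.

```python
"""Added example (not the presenter's code): triage captured client streams the
way the slide's decision rule does and flag cleartext credential traffic."""
import re

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")
# Form/query fields whose presence in an unencrypted stream is a finding (assumption: extend per app).
SENSITIVE_FIELD = re.compile(rb"(?:^|[?&\n])(password|passwd|pwd|token|secret)=", re.IGNORECASE)


def classify_stream(first_bytes):
    """Return 'tls', 'http' or 'other' for the first bytes a client sends on a TCP stream."""
    # TLS record: type 0x16 (handshake), version 0x03 0x00..0x04, 2-byte length,
    # then a handshake message of type 0x01 (ClientHello).
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03
            and first_bytes[2] <= 0x04 and first_bytes[5] == 0x01):
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "other"


def recommended_tool(kind):
    """The slide's rule: non-HTTP -> TCP interceptor, HTTP and HTTPS -> local HTTP proxy."""
    return {
        "http": "local HTTP proxy",
        "tls": "local HTTP proxy (the proxy CA must be trusted by the emulator; certificate pinning blocks this)",
        "other": "TCP interception tool",
    }[kind]


def audit_capture(streams):
    """streams: iterable of (host, port, first_bytes). Returns one finding dict per stream."""
    findings = []
    for host, port, data in streams:
        kind = classify_stream(data)
        issues = []
        if kind != "tls":
            issues.append("no transport encryption")
            if SENSITIVE_FIELD.search(data):
                issues.append("credential field sent in cleartext")
        findings.append({"host": host, "port": port, "kind": kind,
                         "tool": recommended_tool(kind), "issues": issues})
    return findings


# Constructed sample streams (first bytes only); hostnames are placeholders.
CLIENT_HELLO = bytes.fromhex("160301002c010000280303") + b"\x00" * 34  # truncated ClientHello
SAMPLE_STREAMS = [
    ("api.example.test", 443, CLIENT_HELLO),
    ("api.example.test", 80,
     b"POST /login HTTP/1.1\r\nHost: api.example.test\r\n\r\n"
     b"username=goat&password=s3cret"),
    ("chat.example.test", 9000, b"\x01\x00\x05LOGIN goat\n"),
]

if __name__ == "__main__":
    for f in audit_capture(SAMPLE_STREAMS):
        print(f"{f['host']}:{f['port']} {f['kind']:5} -> {f['tool']}; issues: {f['issues']}")
```

In practice the `first_bytes` come from Wireshark's "Follow TCP Stream" export or from a small pcap reader; the point of keeping the classifier separate from the audit is that the same check can run over every stream of a capture and produce the list of servers, protocols and cleartext findings the slide asks for.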
3. Hacking Demo | Browse the app
FourGoats, a location-based social network
• Get a feeling for the functionality
• Browse local files
• Download interesting files
• Evaluate client-server traffic
Phase: Browse App
3. Hacking Demo | Browse the app
Hardcoded credentials in APK:
  (str1.equals("customerservice")) && (str2.equals("Acc0uNTM@n@g3mEnT")))
Insecure storage (OWASP M2)
• /data/data/org.owasp.goatdroid.fourgoats/shared_prefs/credentials.xml
• /data/data/org.owasp.goatdroid.fourgoats/databases/userinfo.db
Insecure login (OWASP M4)
• {"key":"isAdmin","value":"false"}
Phase: Browse App
4. Hacking Demo | Found vulnerabilities
Hardcoded credentials in APK:
  (str1.equals("customerservice")) && (str2.equals("Acc0uNTM@n@g3mEnT")))
Insecure storage (OWASP M2)
• /data/data/org.owasp.goatdroid.fourgoats/shared_prefs/credentials.xml
• /data/data/org.owasp.goatdroid.fourgoats/databases/checkins.db
• /data/data/org.owasp.goatdroid.fourgoats/databases/userinfo.db
Insecure login (OWASP M4)
• {"key":"isAdmin","value":"false"}
• Dolphin SharedPreferences
• Manually calling an Intent: am start -n org.owasp.goatdroid.fourgoats/.activities.Home
Insecure communication (OWASP M3)
• SSL but still cleartext
Hacking Demo | Protect your app
Secure coding best practices for Android:
• Local storage of sensitive data always encrypted
• HTTPS with certificate pinning
• Least privilege principle
• Server-side authentication
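One concrete piece of the advice above is how the demo app's userinfo.db should have stored credentials instead of unsalted MD5 (the OWASP M2 finding). The Python below is an added example, not the presenter's code or GoatDroid's: it keeps a user table in an in-memory SQLite database as a stand-in for the app's local database, hashes each password with PBKDF2-HMAC-SHA256 and a per-user random salt, compares in constant time, and runs the KDF even for unknown usernames so a timing difference does not give away which user IDs exist (the M4 "user ID enumeration" point). The iteration count, table layout and sample users are assumptions for this example; on a real device the record would additionally sit behind Android Keystore-backed encryption, which this example does not cover.

```python
"""Added example (not the presenter's code): store and verify local credentials
with a salted, slow hash instead of the unsalted MD5 found in userinfo.db."""
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumption: tune to the device budget)
DUMMY_SALT = b"\x00" * 16  # used so an unknown user costs the same time as a wrong password


def weak_md5(password):
    """What the demo app did: unsalted MD5, identical for every user with the same password."""
    return hashlib.md5(password.encode()).hexdigest()


def open_db():
    """In-memory stand-in for the app's local user table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, hash BLOB, iterations INTEGER)")
    return conn


def store_user(conn, username, password):
    """Hash with a fresh per-user salt; return the stored digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    conn.execute("INSERT OR REPLACE INTO users VALUES (?, ?, ?, ?)",
                 (username, salt, digest, ITERATIONS))
    return digest


def verify_user(conn, username, password):
    """Constant-time compare; unknown users still pay for one KDF run so timing stays flat."""
    row = conn.execute("SELECT salt, hash, iterations FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        hashlib.pbkdf2_hmac("sha256", password.encode(), DUMMY_SALT, ITERATIONS)
        return False
    salt, stored, iterations = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored)


def same_password_visible(conn, user_a, user_b):
    """True if the stored records alone reveal that two users share a password.
    Unsalted MD5 always reveals this; salted PBKDF2 does not."""
    rows = conn.execute("SELECT hash FROM users WHERE username IN (?, ?)",
                        (user_a, user_b)).fetchall()
    return len(rows) == 2 and rows[0][0] == rows[1][0]


if __name__ == "__main__":
    db = open_db()
    store_user(db, "alice", "goat-pass-1")
    store_user(db, "bob", "goat-pass-1")  # same password as alice (constructed)
    print("md5 equal:", weak_md5("goat-pass-1") == weak_md5("goat-pass-1"))
    print("salted equal:", same_password_visible(db, "alice", "bob"))
    print("login ok:", verify_user(db, "alice", "goat-pass-1"))
    print("wrong pw:", verify_user(db, "alice", "goat-pass-2"))
```

The `iterations` column is stored per row on purpose: when the work factor is raised later, old rows still verify and can be re-hashed on the user's next successful login.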
Hacking Demo | Protect yourself
Check permissions:
<uses-permission android:name="android.permission.SEND_SMS" />
<uses-permission android:name="android.permission.CALL_PHONE" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.INTERNET" />
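Reading the manifest for the permissions listed above, and for components that any other app can start (the `am start -n ... /.activities.Home` finding from the previous slides), is a check worth scripting. The following Python is an added example, not the presenter's code: it parses an AndroidManifest.xml with the standard library, separates the runtime ("dangerous") permissions from normal ones, and lists activities, services and receivers that are exported without a protecting permission. The dangerous-permission list is a partial one to be extended from the Android documentation, the pre-Android-12 "exported if it has an intent-filter" default is an assumption about the target SDK, and the manifest it parses is constructed from the slide's five permissions plus three made-up activities.

```python
"""Added example (not the presenter's code): review an AndroidManifest.xml for
dangerous permissions and for components any other app can launch."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name):
    """ElementTree spells a namespaced attribute as {uri}name."""
    return f"{{{ANDROID_NS}}}{name}"


# Partial list of runtime ('dangerous') permissions; extend from the Android docs as needed.
DANGEROUS = {
    "android.permission.SEND_SMS", "android.permission.READ_SMS",
    "android.permission.CALL_PHONE", "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_COARSE_LOCATION", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
}


def is_launcher(component):
    """True for the launcher activity, which has to be exported to show up in the launcher."""
    for cat in component.iter("category"):
        if cat.get(attr("name")) == "android.intent.category.LAUNCHER":
            return True
    return False


def review_manifest(xml_text):
    """Return the package name, permissions split by protection level, and exposed components."""
    root = ET.fromstring(xml_text)
    perms = [e.get(attr("name")) for e in root.iter("uses-permission")]
    report = {
        "package": root.get("package"),
        "dangerous": [p for p in perms if p in DANGEROUS],
        "normal": [p for p in perms if p not in DANGEROUS],
        "exposed": [],
    }
    for tag in ("activity", "service", "receiver"):
        for comp in root.iter(tag):
            exported = comp.get(attr("exported"))
            has_filter = comp.find("intent-filter") is not None
            # Pre-Android-12 default: a component with an intent-filter is exported unless
            # android:exported="false" is set (assumption: targetSdk below 31).
            is_exported = exported == "true" or (exported is None and has_filter)
            if is_exported and not is_launcher(comp) and comp.get(attr("permission")) is None:
                report["exposed"].append((tag, comp.get(attr("name"))))
    return report


# Constructed manifest: the five permissions from the slide plus three example activities.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.owasp.goatdroid.fourgoats">
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.CALL_PHONE" />
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.INTERNET" />
    <application>
        <activity android:name=".activities.Main">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <!-- Exported without a permission: startable with am start -n <package>/.activities.Home -->
        <activity android:name=".activities.Home" android:exported="true" />
        <activity android:name=".activities.Settings" android:exported="false" />
    </application>
</manifest>
"""

if __name__ == "__main__":
    r = review_manifest(SAMPLE_MANIFEST)
    print("package:", r["package"])
    print("dangerous:", r["dangerous"])
    print("normal:", r["normal"])
    print("exposed components:", r["exposed"])
```

Feed it the manifest that apktool decodes from an APK (the binary manifest inside the APK is not plain XML). An exposed activity like the `.activities.Home` entry is the manifest-level root cause of the "manually calling an Intent" finding: the fix is `android:exported="false"`, or a permission on the component, rather than a client-side login flag.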
Resources
OWASP Mobile Top 10 2016
• https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
OWASP Mobile Security Project Archive
• https://www.owasp.org/index.php/Mobile_Security_Project_Archive#tab=M-Security_Testing
Kaya Flamboyan 7
Willemstad, Curaçao
Phone +5999 734 3200
www.bearingpointcaribbean.com
Email [email protected]
Skype ReceptionBearingPointCaribbean
Questions?
Ivan Mercalina