Mobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing
Three angles to perform a successful security test:
1. Client-side checks
2. Dynamic / runtime / local storage / DB / SD card checks
3. Static code analysis (a.k.a. reverse engineering)
By: Abhilash @ IBM
Static Code Analysis
Why is static code analysis required?
In layman's terms: code analysis of the APK file.
M1, M4, M5
M1 – Improper Platform Usage: Android intents, permissions
M4 – Insecure Authorization: identifying session keys, session management logic
M5 – Insufficient Cryptography: covering cryptographic keys, hash usage (MD5, SHA) and encryption logic
M7, M8, M9, M10
M7 – Client Code Quality: buffer overflows, format string vulnerabilities, and various other code-level mistakes
M8 – Code Tampering: covers binary patching, local resource modification, method hooking and dynamic memory modification
M9 – Reverse Engineering: analysis of libraries, algorithms, and other assets
M10 – Extraneous Functionality: hidden backdoor functionality, commented-out code (accidentally left by the developer)
7 of the 10 M's (the OWASP Mobile Top 10 categories) are covered by static code analysis,
which is more than 50%.
Fetching the APK
For enterprise / intranet applications: from the product team
Via online:
https://apkpure.com/
http://apps.evozi.com/apk-downloader/?id=com.vng.g6.a.zombie
https://play.google.com/store/apps/details?id=com.vng.g6.a.zombie&hl=en
Conversion of APK to Source Code
Manual: via dex2jar / Apktool
http://stackoverflow.com/questions/12732882/reverse-engineering-from-an-apk-file-to-a-project
Via online: http://www.javadecompilers.com/apk
APK files are nothing but zip files. The zip contains the resources and the compiled Java code, but simply unzipping does not give you readable classes.dex and resources.arsc contents; those need dex2jar / Apktool.
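The "an APK is just a zip" point above, as an added Python example that is not part of the presentation: it builds a constructed, placeholder APK in memory and inventories what a plain unzip exposes (dex files, resources.arsc, the binary manifest, native ABIs, v1 signature files), checking the dex header magic as a sanity check. Entry names and payloads are constructed, not taken from any real app.

```python
import io
import re
import zipfile

# Constructed stand-in for a real APK: a zip with the entries a typical build
# produces. The payloads are placeholders (correct headers only), not real code.
DEX_MAGIC = b"dex\n035\0"                 # Dalvik executable header, version 035
_ENTRIES = {
    "AndroidManifest.xml": b"\x03\x00\x08\x00",   # binary XML, not readable as text
    "classes.dex": DEX_MAGIC + b"\0" * 16,
    "classes2.dex": DEX_MAGIC + b"\0" * 16,       # multidex build
    "resources.arsc": b"\x02\x00\x0c\x00",        # compiled resource table
    "res/layout/main.xml": b"\x03\x00\x08\x00",
    "lib/arm64-v8a/libnative.so": b"\x7fELF",
    "lib/armeabi-v7a/libnative.so": b"\x7fELF",
    "assets/config.json": b'{"debug": false}',
    "META-INF/CERT.RSA": b"placeholder",
    "META-INF/MANIFEST.MF": b"placeholder",
}

def build_sample_apk() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in _ENTRIES.items():
            zf.writestr(name, data)
    return buf.getvalue()

def inventory(apk_bytes: bytes) -> dict:
    """Classify what a plain unzip hands you, before dex2jar / apktool are applied."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        dex = sorted(n for n in names if re.fullmatch(r"classes\d*\.dex", n))
        bad_dex = [n for n in dex if not zf.read(n).startswith(b"dex\n")]
        manifest = zf.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
    abis = sorted({n.split("/")[1] for n in names if n.startswith("lib/") and n.count("/") >= 2})
    return {
        "dex_files": dex,                        # Dalvik bytecode: feed these to dex2jar
        "dex_bad_magic": bad_dex,                # tampered or truncated dex files
        "has_resources_arsc": "resources.arsc" in names,
        "manifest_is_binary": bool(manifest) and not manifest.lstrip().startswith(b"<"),
        "native_abis": abis,                     # native libs need a separate (ELF) review
        "v1_signed": any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC")) for n in names),
        "assets": sorted(n for n in names if n.startswith("assets/")),
    }

if __name__ == "__main__":
    for key, value in inventory(build_sample_apk()).items():
        print(f"{key}: {value}")
```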
Android App Structure
Methods to Perform Code Analysis
1. Manual
2. Automated
Manual Code Analysis
Installing and Configuring Text Editors
Android Studio (or) Sublime Text
Why Sublime Text?
"Goto Anything" functionality
Search by keystrokes
Quick file switching
Demo
What needs to be looked at:
Samples - hardcoded passwords
Samples - Encryption
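The things to look for on these sample slides (hardcoded passwords, encryption), as an added Python example that is not part of the presentation: a small scanner over a constructed decompiled-Java snippet that flags hardcoded credentials and key material, MD5/SHA-1 digests, ECB/DES cipher transformations, java.util.Random, and commented-out code carrying a string literal (M5 and M10 above). The class, names and secret values are constructed, and the patterns are a starting point for a manual review, not a replacement for MobSF/QARK.

```python
import re
# Constructed snippet standing in for one decompiled source file (the kind of
# text dex2jar + a Java decompiler, or apktool, hands you); not from a real app.
SAMPLE_JAVA = '''
public class LoginHelper {
    private static final String DB_PASSWORD = "Sup3rSecret!";
    private static final byte[] KEY = "0123456789abcdef".getBytes();
    String token = prefs.getString("session", null);
    MessageDigest md = MessageDigest.getInstance("MD5");
    Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
    Cipher d = Cipher.getInstance("DES");
    Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
    // String oldPass = "changeme"; TODO remove before release
    SecureRandom r = new SecureRandom();
    Random weak = new Random(42);
}
'''

# Patterns a manual reviewer would grep for (deliberately simple; MobSF/QARK do more).
SECRET_NAME = re.compile(r'(?i)\b\w*(pass(word|wd)?|secret|api_?key|token)\w*\s*=\s*"[^"]{4,}"')
KEY_LITERAL = re.compile(r'(?i)\b\w*(key|iv|salt)\w*\s*=\s*"[^"]+"\.getBytes\(')
DIGEST = re.compile(r'MessageDigest\.getInstance\("([^"]+)"\)')
CIPHER = re.compile(r'Cipher\.getInstance\("([^"]+)"\)')
WEAK_RANDOM = re.compile(r'\bnew\s+Random\(')
COMMENTED_LITERAL = re.compile(r'^\s*//.*"[^"]+"')   # leftover code with a string in it

def scan(source: str) -> list:
    """Return (line_no, category, evidence) for every suspicious line."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        if COMMENTED_LITERAL.search(line):
            findings.append((no, "M10 commented-out code", line.strip()))
            continue  # report a dead line once, not also as a live credential
        if SECRET_NAME.search(line):
            findings.append((no, "hardcoded credential", line.strip()))
        if KEY_LITERAL.search(line):
            findings.append((no, "M5 hardcoded key material", line.strip()))
        m = DIGEST.search(line)
        if m and m.group(1).upper().replace("-", "") in ("MD5", "SHA1", "SHA"):
            findings.append((no, "M5 weak hash", m.group(1)))
        m = CIPHER.search(line)
        if m:
            t = m.group(1).upper()            # e.g. AES/ECB/PKCS5Padding
            if "/ECB/" in t or t.startswith(("DES", "RC4")):
                findings.append((no, "M5 weak cipher/mode", m.group(1)))
        if WEAK_RANDOM.search(line):
            findings.append((no, "M5 weak randomness", line.strip()))
    return findings
```

Running `scan(SAMPLE_JAVA)` reports lines 3, 4, 6, 7, 8, 10 and 12 and stays silent on the AES/GCM transformation, the value read from preferences and the SecureRandom instance.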
![Page 17: Mobile Application Security Testing (Static Code Analysis) of Android App](https://reader035.vdocument.in/reader035/viewer/2022062523/58ecfca61a28ab41168b45b1/html5/thumbnails/17.jpg)
![Page 18: Mobile Application Security Testing (Static Code Analysis) of Android App](https://reader035.vdocument.in/reader035/viewer/2022062523/58ecfca61a28ab41168b45b1/html5/thumbnails/18.jpg)
![Page 19: Mobile Application Security Testing (Static Code Analysis) of Android App](https://reader035.vdocument.in/reader035/viewer/2022062523/58ecfca61a28ab41168b45b1/html5/thumbnails/19.jpg)
![Page 20: Mobile Application Security Testing (Static Code Analysis) of Android App](https://reader035.vdocument.in/reader035/viewer/2022062523/58ecfca61a28ab41168b45b1/html5/thumbnails/20.jpg)
Automated Code Analysis
MobSF (Mobile Security Framework)*
QARK (Quick Android Review Kit)*
ApkTool*
… and many more, both commercial and open source tools are available
*These are open source tools
Installing and Configuring MobSF
Demo
Installing and Configuring QARK
Demo
Installing and Configuring ApkTool
Demo
Android Intents
An intent is a messaging object which can be used to request an action from another app component.
App components can be: Activities; Services; Broadcast Receivers; Content Providers
2 types of intents: Explicit; Implicit
Some of the uses of intents are:
Start a service
Launch an activity
Display a web page
Display a list of contacts
Broadcast a message
and many more…
Doubt!!! Why are intents used, and why not APIs?
API: API calls are synchronous; API calls are compile-time binding
Intent: intent-based calls are asynchronous; intent-based calls are run-time binding
BUT… intents can similarly be used as APIs (explicit intents)
Implicit Intents
Implicit intents are often used to activate components in other applications.
Doesn't specify the component.
Common Flaws
It is dangerous to send/broadcast sensitive information across implicit intents, since any unprivileged app that registers for the same implicit intent receives the same data and can intercept it.
Malicious injection at the broadcast level, activity level and service launch.
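The injection side of these flaws, as an added Python example that is not from the presentation: a check over a constructed AndroidManifest.xml (the plain-XML form apktool produces) that lists components reachable by intents from other apps and not guarded by android:permission, applying the platform rule that a component declaring an intent-filter is exported by default even without android:exported. The package, component names and actions are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "http://schemas.android.com/apk/res/android"
LAUNCHER = "android.intent.action.MAIN"
# Constructed manifest in the plain-XML form apktool decodes it to; not from a real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".AdminPanel" android:exported="true"/>
    <receiver android:name=".SessionReceiver">
      <intent-filter><action android:name="com.example.demo.SESSION_UPDATE"/></intent-filter>
    </receiver>
    <receiver android:name=".GuardedReceiver" android:permission="com.example.demo.INTERNAL">
      <intent-filter><action android:name="com.example.demo.PING"/></intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="false"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"/>
  </application>
</manifest>
"""

def attr(el, name):
    """Read an attribute from the android: namespace."""
    return el.get(f"{{{ANDROID}}}{name}")

def is_exported(el) -> bool:
    """An explicit android:exported wins; otherwise a component that declares an
    <intent-filter> is reachable by implicit intents from any app (easy to miss)."""
    explicit = attr(el, "exported")
    if explicit is not None:
        return explicit == "true"
    return el.find("intent-filter") is not None

def exposed_components(manifest_xml: str) -> list:
    """Exported components with no android:permission: where intents can be injected."""
    root = ET.fromstring(manifest_xml)
    out = []
    for el in root.iter():
        if el.tag not in ("activity", "receiver", "service", "provider"):
            continue
        if el.tag == "activity" and any(attr(a, "name") == LAUNCHER for a in el.iter("action")):
            continue  # the launcher entry point is exported by design
        if is_exported(el) and attr(el, "permission") is None:
            out.append((el.tag, attr(el, "name")))
    return out
```

Providers are treated like the other component types here; their real default depends on targetSdkVersion, so confirm those by hand.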
Explicit Intents
An explicit intent is most commonly used when launching an activity (from another one) within the same application.
Specifies the component
Example
Next Time
Playing around with intents
Deep-dive into intent filters
Malicious intents: intent spoofing and intent traffic analysis
Prevention techniques
Self-signing of an Android app for reverse engineering
Thank you…