Mobile Application Security Testing (Static Code Analysis) of Android App


Transcript of Mobile Application Security Testing (Static Code Analysis) of Android App

Page 1: Mobile Application Security Testing (Static Code Analysis) of Android App

Mobile Application Security Testing

3 angles to perform a successful security testing:
1. Client Side Checks
2. Dynamic / Runtime / Local Storage / DB / SD Checks
3. Static Code Analysis (a.k.a. Reverse Engg.)

By: Abhilash @ IBM

Page 2: Mobile Application Security Testing (Static Code Analysis) of Android App

Static Code Analysis

Why is Static Code Analysis required?

In layman's terms: code analysis of the APK file.

Page 3: Mobile Application Security Testing (Static Code Analysis) of Android App

M1, M4, M5

M1 - Improper Platform Usage: Android Intents, permissions
M4 - Insecure Authorization: identifying session keys, session mgmt. logic
M5 - Insufficient Cryptography: covering cryptographic keys and hashes (MD5, SHA) and encryption logic

Page 4: Mobile Application Security Testing (Static Code Analysis) of Android App

M7, M8, M9, M10

M7 - Client Code Quality: buffer overflows, format string vulnerabilities, and various other code-level mistakes
M8 - Code Tampering: covers binary patching, local resource modification, method hooking and dynamic memory modification
M9 - Reverse Engineering: analysis of libraries, algorithms, and other assets
M10 - Extraneous Functionality: hidden backdoor functionality, commented-out code (accidentally left by the developer)

Page 5: Mobile Application Security Testing (Static Code Analysis) of Android App

7 of the 10 M's are covered in Static Code Analysis, which is >50%.

Page 6: Mobile Application Security Testing (Static Code Analysis) of Android App

Fetching APK

For enterprise / intranet applications: from the Product Team

Via online:
https://apkpure.com/
http://apps.evozi.com/apk-downloader/?id=com.vng.g6.a.zombie
https://play.google.com/store/apps/details?id=com.vng.g6.a.zombie&hl=en

Page 7: Mobile Application Security Testing (Static Code Analysis) of Android App

Conversion of APK to Source Code

Manual, via dex2jar / Apktool: http://stackoverflow.com/questions/12732882/reverse-engineering-from-an-apk-file-to-a-project

Via online: http://www.javadecompilers.com/apk

APK files are nothing but zip files. The zip contains the resources and the assembled (compiled) Java code, but a plain unzip leaves classes.dex and resources.arsc in their binary form, so the code and resources are not readable without dex2jar / Apktool.
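To show what the "APK is just a zip" point means in practice, here is an added example (not from the deck) that opens an APK with Python's zipfile, checks that the standard entries are present and reports whether classes.dex and AndroidManifest.xml are still in their binary forms. The APK it inspects is constructed in memory with fake headers, not a real app.

```python
import io
import zipfile

# Entries every APK carries on top of the plain zip container.
REQUIRED = ("AndroidManifest.xml", "classes.dex", "resources.arsc")
DEX_MAGIC = b"dex\n"          # followed by a 3-digit version and NUL, e.g. "035\0"
AXML_MAGIC = b"\x03\x00\x08\x00"  # binary XML header (0x00080003 little-endian)


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a zip with the expected entries and
    fake binary headers. It is not a compiled app and will not install."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", AXML_MAGIC + b"\x00" * 12)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 104)
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00")  # RES_TABLE_TYPE chunk
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def inspect_apk(data: bytes) -> dict:
    """Open the APK as a zip and report entries, missing required files,
    the DEX version string (None if classes.dex is not DEX bytecode) and
    whether the manifest is still binary AXML (what a plain unzip leaves)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result = {
            "entries": names,
            "missing": [n for n in REQUIRED if n not in names],
            "dex_version": None,
            "manifest_is_binary": False,
        }
        if "classes.dex" in names:
            head = z.read("classes.dex")[:8]
            # Real DEX: "dex\n" + 3-digit version + NUL; anything else is not bytecode.
            if head.startswith(DEX_MAGIC) and head[7:8] == b"\x00":
                result["dex_version"] = head[4:7].decode("ascii")
        if "AndroidManifest.xml" in names:
            result["manifest_is_binary"] = z.read("AndroidManifest.xml")[:4] == AXML_MAGIC
    return result


if __name__ == "__main__":
    print(inspect_apk(build_sample_apk()))
```

Point the same function at a real APK (`inspect_apk(open("app.apk", "rb").read())`) and it will report the real DEX version and a binary manifest, which is exactly why Apktool or dex2jar is the next step.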

Page 8: Mobile Application Security Testing (Static Code Analysis) of Android App

ANDROID APP STRUCTURE

Page 9: Mobile Application Security Testing (Static Code Analysis) of Android App

Methods to perform Code Analysis

Manual; Automated

Page 10: Mobile Application Security Testing (Static Code Analysis) of Android App

Manual Code Analysis

Page 11: Mobile Application Security Testing (Static Code Analysis) of Android App

Installing and Configuring Text Editors

Android Studio (or) Sublime Text

Why Sublime Text? Goto Anything functionality; search by keystrokes; quick file switching

Demo

Page 12: Mobile Application Security Testing (Static Code Analysis) of Android App
Page 13: Mobile Application Security Testing (Static Code Analysis) of Android App

What needs to be looked at:

Page 14: Mobile Application Security Testing (Static Code Analysis) of Android App

Samples - hardcoded passwords

Page 15: Mobile Application Security Testing (Static Code Analysis) of Android App
Page 16: Mobile Application Security Testing (Static Code Analysis) of Android App

Samples - Encryption
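The "hardcoded passwords" and "Encryption" sample slides are screenshots of what a reviewer searches for by hand. As an added example (not part of the deck), this small grep-style checker runs the same searches over decompiled Java: hardcoded credentials and keys, weak or ECB-mode ciphers, weak hashes and cleartext URLs. The Java snippet is constructed for the demo, not from a real app.

```python
import re

# Constructed sample resembling decompiled Java from an APK (not a real app).
SAMPLE_JAVA = """\
package com.example.app;
public class Config {
    static final String DB_PASSWORD = "s3cr3tPass!";
    static final String API_KEY = "AKIAEXAMPLE0000000";
    byte[] key = "1234567890123456".getBytes();
    Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
    Cipher d = Cipher.getInstance("DES/CBC/PKCS5Padding");
    MessageDigest md = MessageDigest.getInstance("MD5");
    String url = "http://intranet.example/login";
}
"""

# (finding id, regex). Rules follow the slides' checklist: hardcoded
# credentials and keys, misconfigured or weak crypto, cleartext transport.
RULES = [
    ("hardcoded-password", re.compile(r'(?i)(password|passwd|pwd)\s*=\s*"[^"]+"')),
    ("hardcoded-api-key", re.compile(r'(?i)(api[_-]?key|secret)\s*=\s*"[^"]+"')),
    ("hardcoded-crypto-key", re.compile(r'"[^"]{16,}"\.getBytes\(')),
    ("ecb-mode", re.compile(r'Cipher\.getInstance\("[^"]*/ECB/')),
    ("weak-cipher", re.compile(r'Cipher\.getInstance\("(DES|RC4|RC2)[/"]')),
    ("weak-hash", re.compile(r'MessageDigest\.getInstance\("(MD5|SHA-?1)"')),
    ("cleartext-http", re.compile(r'"http://[^"]+"')),
]


def scan_source(text: str) -> list:
    """Return (line number, finding id, stripped line) for every rule hit,
    in file order, so the reviewer can jump straight to the offending line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for finding_id, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, finding_id, line.strip()))
    return findings


def finding_ids(text: str) -> list:
    """Finding identifiers only, deduplicated, in order of first hit."""
    return list(dict.fromkeys(f[1] for f in scan_source(text)))


if __name__ == "__main__":
    for lineno, fid, line in scan_source(SAMPLE_JAVA):
        print(f"{lineno:3}: {fid:22} {line}")
```

Run it over the output directory of dex2jar + a Java decompiler (one call per `.java` file) to get a first-pass hit list before the manual review in Sublime Text.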

Page 17: Mobile Application Security Testing (Static Code Analysis) of Android App
Page 18: Mobile Application Security Testing (Static Code Analysis) of Android App
Page 19: Mobile Application Security Testing (Static Code Analysis) of Android App
Page 20: Mobile Application Security Testing (Static Code Analysis) of Android App

Automated Code Analysis

Page 21: Mobile Application Security Testing (Static Code Analysis) of Android App

MobSF (Mobile Security Framework)*
QARK (Quick Android Review Kit)*
ApkTool*
and many more, both commercial and open source tools are available...

*These are open source tools

Page 22: Mobile Application Security Testing (Static Code Analysis) of Android App

Installing and Configuring MobSF

Demo

Page 23: Mobile Application Security Testing (Static Code Analysis) of Android App
Page 24: Mobile Application Security Testing (Static Code Analysis) of Android App
Page 25: Mobile Application Security Testing (Static Code Analysis) of Android App

Installing and Configuring QARK

Demo

Page 26: Mobile Application Security Testing (Static Code Analysis) of Android App
Page 27: Mobile Application Security Testing (Static Code Analysis) of Android App
Page 28: Mobile Application Security Testing (Static Code Analysis) of Android App

Installing and Configuring ApkTool

Demo

Page 29: Mobile Application Security Testing (Static Code Analysis) of Android App
Page 30: Mobile Application Security Testing (Static Code Analysis) of Android App
Page 31: Mobile Application Security Testing (Static Code Analysis) of Android App

Android Intents

An intent is a messaging object which can be used to request an action from another app component.

App components can be: Activities; Services; Broadcast Receivers; Content Providers

2 types of intents: Explicit; Implicit

Page 32: Mobile Application Security Testing (Static Code Analysis) of Android App

Some of the uses of intents are:

Start a service; launch an activity; display a web page; display a list of contacts; broadcast a message; and many more...

Page 33: Mobile Application Security Testing (Static Code Analysis) of Android App

Doubt!!! Why are intents used, why not APIs?

API vs. Intent:
API calls are synchronous; intent-based calls are asynchronous.
API calls are compile-time binding; intent-based calls are run-time binding.

BUT... intents can similarly be used as APIs: Explicit intents

Page 34: Mobile Application Security Testing (Static Code Analysis) of Android App

Implicit Intents

Implicit intents are often used to activate components in other applications.

Doesn't specify the component...

Page 35: Mobile Application Security Testing (Static Code Analysis) of Android App

Common Flaws

It is dangerous to send/broadcast sensitive information / data across implicit intents, since an unprivileged app that receives the implicit intent can use the same data, i.e. intercept your data.

Malicious injection at: Broadcast level; Activity level; Service launch
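The flaws above boil down to components that any app on the device can reach: exported activities, receivers and services with no permission, which are the injection points, and implicit intents that carry sensitive data. As an added example (not from the deck), this check runs over an apktool-decoded AndroidManifest.xml and lists components other apps can reach without holding a permission, skipping the launcher activity. The manifest is constructed for the demo.

```python
import xml.etree.ElementTree as ET

ANDROID = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed manifest in decoded (apktool) form; not from a real app.
SAMPLE_MANIFEST = f"""\
<manifest xmlns:android="{ANDROID}" package="com.example.app">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="{LAUNCHER}"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.SYNC"/></intent-filter>
    </receiver>
    <service android:name=".PayService" android:exported="true"
             android:permission="com.example.permission.PAY"/>
    <provider android:name=".DataProvider" android:exported="false"/>
  </application>
</manifest>
"""


def exposed_components(manifest_xml: str) -> list:
    """Return (tag, name, reason) for components reachable by other apps with
    no permission: exported="true" explicitly, or exported unset while an
    intent-filter is present (implicitly exported on older targetSdk)."""
    root = ET.fromstring(manifest_xml)
    attr = lambda el, a: el.get(f"{{{ANDROID}}}{a}")  # android:-namespaced attribute
    findings = []
    for tag in COMPONENTS:
        for comp in root.iter(tag):
            if attr(comp, "permission"):
                continue  # callers must hold a permission; not an open entry point
            has_filter = comp.find("intent-filter") is not None
            is_launcher = any(attr(c, "name") == LAUNCHER for c in comp.iter("category"))
            if attr(comp, "exported") == "true":
                findings.append((tag, attr(comp, "name"), "exported=true without permission"))
            elif attr(comp, "exported") is None and has_filter and not is_launcher:
                findings.append((tag, attr(comp, "name"), "implicitly exported via intent-filter"))
    return findings


if __name__ == "__main__":
    for tag, name, reason in exposed_components(SAMPLE_MANIFEST):
        print(f"{tag:9} {name:20} {reason}")
```

Each hit is a place where the review should confirm the component validates the caller and the intent extras, or set android:exported="false" / add an android:permission if it is not meant to be public.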

Page 36: Mobile Application Security Testing (Static Code Analysis) of Android App

Explicit Intents

An explicit intent is most commonly used when launching an activity (from another one) within the same application.

Specifies the component

Page 37: Mobile Application Security Testing (Static Code Analysis) of Android App

Example

Page 38: Mobile Application Security Testing (Static Code Analysis) of Android App

Next Time

Playing around with intents; deep-dive into intent filters; malicious intents; intent spoofing and intent traffic analysis; prevention techniques

Self-signing of an Android app for reverse engg.

Page 39: Mobile Application Security Testing (Static Code Analysis) of Android App

Thank you.