Pentesting Android Apps
Abdelhamid Limami, IT Security Consultant @ ITDefence
Overview
What is Android?
Android Architecture
Android Applications Security
Environment Setup
Exploiting Apps Vulnerabilities
OWASP Top 10 Mobile
Demo(s)
Tips for Developers
Q&A
Past years… Mobile phones:
Phone calls
Sending text messages (SMS) or MMS
Alarm clock
Calculator & calendar
Listening to the radio
Playing the Snake game
And now… Smartphones!
Sending email
Watching TV & movies
Surfing the internet
Booking flights & hotels
Online banking transactions
Social networks (Facebook, Twitter, Instagram, etc.)
3G, 4G, 5G mobile networks, WiFi & NFC support
What is Android?
Android is a Linux-based platform developed by Google and the Open Handset Alliance.
Applications are written in Java (with XML resources; HTML content is rendered through WebView).
The Android software stack runs these applications as DEX bytecode on the Dalvik virtual machine (DVM); since Android 5.0 Dalvik has been replaced by the Android Runtime (ART), but apps still ship as DEX.
Most applications follow a client/server model similar to web apps: a client on the device talking to a back-end over HTTP(S).
Android Architecture
Android Applications Security
Attack Surfaces
Client Software on Android Device
Communications Channel
Server Side Infrastructure
Client Software
Packages are installed from the Play Store, a company website, or third-party apps/websites
With root on the device, the tester can access all of the application's files on the local filesystem
The package can be tampered with, decompiled and reverse engineered
Client Software: What exactly should I look for?
Files on the local filesystem
Application authentication & authorization
Error handling & session management
Logic flaws
Decompiling and analyzing the package
Communications Channel
Channel between the client and the server (HTTP(S), 3G…)
Test with an HTTP proxy (Burp, ZAP) to intercept and manipulate data
If the application does not use HTTP, use a transparent TCP/UDP proxy such as Mallory
Communications Channel
What exactly Should I look For ?
Sniffing sensitive information in transit
Replay attack vulnerabilities (can a captured request be resent and still be accepted?)
Secure transfer of sensitive information (TLS in use, certificate properly validated)
Server-Side Infrastructure
Vulnerabilities in the web servers behind a mobile application: OWASP Top 10 Web (SQLi, RCE, CSRF…)
Perform host and service scans on the target system to identify running services:
Information gathering (whois, host, dns…)
Running services and versions (port scanning)
Infrastructure vulnerability scanning
Environment Setup
Environment Setup: Root Your Device!
Install Xposed + JustTrustMe (SSL killer) / Android-SSL-TrustKiller: Xposed modules that hook the app's certificate checks so it accepts the proxy's certificate, even when it pins
Configure your proxy (Burp, ZAP…) and install its CA certificate on the device; since Android 7 apps ignore user-installed CAs unless their network security config opts in, so a hooking module or a repackaged app is often needed anyway
Requirements: a computer, Java, Eclipse (with the ADT plugin) or Android Studio, the Android SDK
Exploiting Apps Vulnerabilities
App Analysis
Insecure Storage
Capturing Requests
Reversing the Application Package
Logical Flaws / Malicious activities
Reading Stored Data
Android applications store their data under /data/data/[PACKAGE_NAME]
SharedPreferences: XML files in /data/data/[PACKAGE_NAME]/shared_prefs/, created with Context.MODE_PRIVATE, Context.MODE_WORLD_READABLE or Context.MODE_WORLD_WRITEABLE (the two WORLD_* modes were deprecated in API 17 and throw a SecurityException from API 24, but older apps and older targets still use them)
Files may be stored on the filesystem at /data/data/[PACKAGE_NAME]/files/filename
Storage in SQLite databases under /data/data/[PACKAGE_NAME]/databases/
Local data storage flaws: sensitive data kept in cleartext, or files readable by other apps
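Two checks a tester runs against the files described above, as an added example that is not part of the original slides: classify the permission bits of each file in the package's data directory (what MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE produce) and look inside a SharedPreferences XML file for credentials stored in cleartext. The `ls -l` listing, the XML and the package name com.example.app are constructed sample input.

```python
"""Triage an Android app's local storage for insecure-storage findings.

Added example (not from the original slides). Inputs are what a tester pulls
over adb: `ls -l` on the app's shared_prefs directory and one preferences XML.
Both inputs below are constructed; com.example.app is a hypothetical package.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: `adb shell ls -l /data/data/com.example.app/shared_prefs`
LS_OUTPUT = """\
-rw-rw-rw- 1 u0_a123 u0_a123  412 2016-03-01 10:12 com.example.app_preferences.xml
-rw------- 1 u0_a123 u0_a123  198 2016-03-01 10:12 settings.xml
-rw-r--r-- 1 u0_a123 u0_a123   88 2016-03-01 10:13 session.xml
"""

# Constructed sample SharedPreferences file (what a world-readable mode exposes).
PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">Sup3rSecret!</string>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.e30.abc</string>
    <boolean name="remember_me" value="true" />
    <string name="theme">dark</string>
</map>
"""

# Preference names that usually hold credentials or session material.
SENSITIVE_KEY = re.compile(r"pass|pwd|secret|token|session|key|auth|pin", re.I)

def parse_ls(output):
    """Return (mode, filename) tuples from `ls -l` output."""
    entries = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 7:
            entries.append((parts[0], parts[-1]))
    return entries

def world_accessible(mode):
    """Classify the 'other' permission bits of a mode string such as -rw-rw-rw-."""
    other = mode[7:10]
    flags = []
    if "r" in other:
        flags.append("world-readable")
    if "w" in other:
        flags.append("world-writable")
    return flags

def find_sensitive_prefs(xml_text):
    """Return {name: value} for preferences whose name looks like a credential."""
    hits = {}
    for el in ET.fromstring(xml_text):
        name = el.get("name", "")
        if SENSITIVE_KEY.search(name):
            # <string> keeps its value as text; <boolean>/<int> use a value attribute.
            hits[name] = el.text if el.text is not None else el.get("value")
    return hits

def report(ls_output, prefs_xml):
    """Combine both checks into a list of finding strings."""
    findings = []
    for mode, name in parse_ls(ls_output):
        for flag in world_accessible(mode):
            findings.append(f"{name}: {flag} ({mode})")
    for key, value in find_sensitive_prefs(prefs_xml).items():
        findings.append(f"cleartext credential in prefs: {key}={value}")
    return findings

if __name__ == "__main__":
    for finding in report(LS_OUTPUT, PREFS_XML):
        print(finding)
```

On a real device the same listing is taken with `adb shell ls -l` after rooting, and the XML with `adb pull`; the permission check is what makes a cleartext credential a cross-app exposure rather than only a root-level one.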
Capturing Requests Capture HTTP requests & responses
Parameter Manipulation and Data Tampering.
Set up a proxy in between the server & the client to intercept.
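The two attacks the channel and request-capture slides describe, parameter tampering in an intercepting proxy and replay of a captured request, together with a server-side check that defeats both, as an added example that is not from the original slides. The signing scheme (HMAC-SHA256 over method, path, body, timestamp and nonce) is a common pattern, not any particular app's protocol; the shared secret, the /api/transfer path and the request bodies are constructed for the demo.

```python
"""Parameter tampering and replay against a request, and one server-side check
that rejects both.

Added example (not from the original slides). The HMAC request-signing scheme is
a generic pattern; SHARED_SECRET, /api/transfer and the bodies are constructed.
"""
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"demo-shared-secret"   # constructed; per-user/session in practice
MAX_SKEW = 300                          # seconds a request timestamp may drift

def canonical(method, path, body, ts, nonce):
    """Everything the server must be able to trust goes under the MAC."""
    return "\n".join([method.upper(), path, body, str(ts), nonce]).encode()

def sign_request(method, path, body, ts, nonce, secret=SHARED_SECRET):
    """Client side: attach an HMAC-SHA256 over the canonical request."""
    mac = hmac.new(secret, canonical(method, path, body, ts, nonce), hashlib.sha256)
    return {"method": method, "path": path, "body": body,
            "ts": ts, "nonce": nonce, "sig": mac.hexdigest()}

class Verifier:
    """Server side: signature, timestamp window, then nonce reuse."""
    def __init__(self, secret=SHARED_SECRET, now=time.time):
        self.secret, self.now, self.seen = secret, now, set()

    def verify(self, req):
        expected = hmac.new(self.secret,
                            canonical(req["method"], req["path"], req["body"],
                                      req["ts"], req["nonce"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["sig"]):
            return "reject: bad signature (tampered or unsigned)"
        if abs(self.now() - req["ts"]) > MAX_SKEW:
            return "reject: stale timestamp"
        if req["nonce"] in self.seen:
            return "reject: replayed nonce"
        self.seen.add(req["nonce"])
        return "accept"

def demo():
    """Run the original, a proxy-tampered copy, a replay and a stale request."""
    clock = [1_700_000_000]             # constructed fixed clock for reproducibility
    server = Verifier(now=lambda: clock[0])
    body = json.dumps({"to": "acct-42", "amount": 10})
    req = sign_request("POST", "/api/transfer", body, clock[0], "n-0001")
    results = {"original": server.verify(req)}
    # Tampering as done in Burp/ZAP: edit the amount, keep the old signature.
    tampered = dict(req, body=json.dumps({"to": "acct-42", "amount": 10000}))
    results["tampered"] = server.verify(tampered)
    # Replay: resend the exact original request.
    results["replay"] = server.verify(req)
    # Stale: a correctly signed request with an hour-old timestamp.
    old = sign_request("POST", "/api/transfer", body, clock[0] - 3600, "n-0002")
    results["stale"] = server.verify(old)
    return results

if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:9s} -> {result}")
```

Without the signature the proxy edit of `amount` is accepted unchanged; with it, the same edit fails the MAC and resending the original is caught by the nonce cache. The check only helps if the secret stays off the device: a secret hard-coded in the APK is recovered by the reverse-engineering step on the next slides, after which the attacker simply re-signs the tampered request.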
Reverse Engineering
Reverse engineer the application logic and source code
Identify flaws in the code base to exploit them
Look for sensitive data such as passwords, encryption algorithms and keys, and database credentials
Tools: Dex2Jar, JD-GUI
Pipeline: .apk (unzip) → classes.dex → .class (dex2jar) → .java (JD-GUI)
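Before the dex2jar / JD-GUI step, a tester usually pulls the string pool straight out of classes.dex, because hard-coded URLs, keys and passwords live there as plain strings. The following added example (not from the original slides) does that: it treats the APK as the ZIP archive it is, parses the DEX header and string pool, and greps the strings for the kinds of secrets the slide lists. To run offline it first constructs a minimal DEX and APK in memory; every string in it is constructed, and com.example.app / api.example.com are hypothetical names.

```python
"""Static triage of an APK before decompiling it with dex2jar and JD-GUI.

Added example, not from the original slides. Builds a constructed, minimal
DEX (format 035) and APK in memory, then parses them the way a triage tool
would. All strings are constructed; com.example.app is hypothetical.
"""
import hashlib, io, re, struct, zipfile, zlib

DEX_MAGIC = b"dex\n035\x00"

def uleb128(n):
    """Encode an unsigned int as ULEB128 (DEX string lengths use it)."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def read_uleb128(buf, off):
    result, shift = 0, 0
    while True:
        b, off = buf[off], off + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7

def build_dex(strings):
    """Constructed DEX holding only a string pool (no classes)."""
    header_size = 0x70
    ids_off = header_size
    data_off = ids_off + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:
        offsets.append(data_off + len(data))
        # string_data_item: uleb128 utf16 length, MUTF-8 bytes, NUL (ASCII: MUTF-8 == UTF-8)
        data += uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    body = b"".join(struct.pack("<I", o) for o in offsets) + bytes(data)
    fields = [header_size + len(body), header_size, 0x12345678,  # file_size, header_size, endian_tag
              0, 0, 0,                                           # link_size, link_off, map_off
              len(strings), ids_off,                             # string_ids_size, string_ids_off
              0, 0, 0, 0, 0, 0, 0, 0, 0, 0,                      # type/proto/field/method/class_defs
              len(data), data_off]                               # data_size, data_off
    rest = struct.pack("<20I", *fields) + body
    signature = hashlib.sha1(rest).digest()                      # SHA-1 of everything after it
    checksum = zlib.adler32(signature + rest) & 0xFFFFFFFF       # adler32 of everything after it
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + rest

def build_apk(strings):
    """An APK is a ZIP: manifest, classes.dex, META-INF/ signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed placeholder/>")
        z.writestr("classes.dex", build_dex(strings))
        z.writestr("META-INF/CERT.RSA", b"constructed placeholder")
    return buf.getvalue()

def parse_dex_strings(dex):
    """Return the DEX string pool after checking the magic and adler32 checksum."""
    if dex[:8] != DEX_MAGIC:
        raise ValueError("not a dex 035 file")
    (checksum,) = struct.unpack_from("<I", dex, 8)
    if zlib.adler32(dex[12:]) & 0xFFFFFFFF != checksum:
        raise ValueError("dex checksum mismatch")
    string_ids_size, string_ids_off = struct.unpack_from("<II", dex, 56)
    strings = []
    for i in range(string_ids_size):
        (off,) = struct.unpack_from("<I", dex, string_ids_off + 4 * i)
        _utf16_len, off = read_uleb128(dex, off)
        end = dex.index(b"\x00", off)
        strings.append(dex[off:end].decode("utf-8"))
    return strings

SECRET_PATTERNS = {
    "password": re.compile(r"pass(word)?\s*[:=]", re.I),
    "api_key": re.compile(r"(api|secret)[_-]?key", re.I),
    "aws_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "url": re.compile(r"https?://"),
}

def triage_apk(apk_bytes):
    """List the archive, pull the DEX string pool, flag suspicious strings."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        strings = parse_dex_strings(z.read("classes.dex"))
    hits = [(label, s) for s in strings
            for label, pat in SECRET_PATTERNS.items() if pat.search(s)]
    return names, strings, hits

# Constructed string pool imitating what a real classes.dex exposes.
CONSTRUCTED_STRINGS = ["Lcom/example/app/LoginActivity;", "onCreate",
                       "https://api.example.com/v1/login", "db_password=Sup3rSecret!",
                       "API_KEY", "AKIAIOSFODNN7EXAMPLE", "AES/CBC/PKCS5Padding"]

if __name__ == "__main__":
    names, strings, hits = triage_apk(build_apk(CONSTRUCTED_STRINGS))
    print("archive:", names)
    for label, s in hits:
        print(f"  [{label}] {s}")
```

On a real APK, `build_apk` is replaced by reading the file from disk; the string pool gives the first list of endpoints and candidate secrets to chase in JD-GUI, and the checksum check catches a classes.dex that was patched without being repacked correctly.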
Logical Flaws: Insecure Login
Malicious Activities: Identity Decloaking
OWASP Top 10 Mobile
Showtime !
Developer Tips
Secure Your App!
Do not store sensitive data locally (login credentials, passwords, DB credentials…)
Do not rely on weak or non-existent "encryption" in your code (Base64 is encoding, not encryption; MD5 is a broken hash)
Do not send sensitive data (tokens, session IDs, logins) in plaintext requests; use TLS
Encrypt the data you must store
If using a web server, protect it against application-layer attacks
Sanitize inputs and use prepared statements (protection against injection into local SQLite as well as server-side SQL injection)
Obfuscate your release build (e.g. with ProGuard); it raises the cost of reverse engineering but does not hide secrets
Thank You
Q&A ?