Breaking Android Apps (Freakend 2016)

Transcript

1. eaking A roid A ps BY PABLO GUARDIOLA

2. TWITTER @Guardiola31337 BLOG pguardiola.com

3. SECURITY???

4. None

5. Android SECURITY Analysis ENVIRONMENT Android SDK

6. Android SECURITY Analysis ENVIRONMENT Android SDK SDK Manager (android)

7. Android SECURITY Analysis ENVIRONMENT Android SDK SDK Manager (android) AVD

   Manager (android avd)

8. Android SECURITY Analysis ENVIRONMENT Android SDK Android Emulator SDK Manager

   (android) AVD Manager (android avd)

9. Android SECURITY Analysis ENVIRONMENT Android SDK Android Emulator SDK Manager

   (android) AVD Manager (android avd) HAXM

10. Android SECURITY Analysis ENVIRONMENT Android SDK Android Emulator SDK Manager

    (android) AVD Manager (android avd) Tools: adb, monitor, aapt… HAXM

11. Android SECURITY Analysis ENVIRONMENT Android SDK Android Emulator Analysis apps:

    SuperSU, RootChecker, ProxyDroid SDK Manager (android) AVD Manager (android avd) Tools: adb, monitor, aapt… HAXM

12. Android SECURITY Analysis ENVIRONMENT Android SDK Android Emulator Analysis apps:

    SuperSU, RootChecker, ProxyDroid SDK Manager (android) AVD Manager (android avd) Tools: adb, monitor, aapt… HAXM Python

13. $ emulator -avd Android511 -scale 0.9 -no-boot-anim -partition-size 384 -qemu

    -redir tcp:22222::22 Android EMULATOR

14. $ adb -d (device) $ adb -e (emulator) $ adb

    -s <device_id> $ adb devices $ adb pull <remote-file> <local-file> $ adb logcat $ adb install file.apk $ adb shell [command] $ adb push <local-file> <remote-file> $ adb uninstall com.package.name $ adb forward tcp:<local_port> tcp:<device_port> Android Debug Bridge

15. > geo fix <LAT> <LON> > redir list > redir

    add tcp:22222:22 $ nc localhost 5554 > network status > sms send <PHONE_NUMBER> <MSG> > network delay [gprs | edge | …] > power ac [on | off] > power display > network speed <up> <down> > gsm call <PHONE_NUMBER> Android Emulator CONSOLE

16. $ adb -s emulator-5554 push su /system/bin/su $ adb -s

    emulator-5554 install supersu_v2.46.apk $ adb -s emulator-5554 shell mount -o remount,rw /system $ adb -s emulator-5554 start-server $ adb -s emulator-5554 shell chmod 0755 /system/xbin/su $ adb -s emulator-5554 shell mount -o remount,ro /system $ adb -s emulator-5554 shell su --install $ adb -s emulator-5554 shell chmod 0755 /system/bin/su $ adb -s emulator-5554 push su /system/xbin/su $ adb -s emulator-5554 shell “su --daemon&” $ adb -s emulator-5554 shell setenforce 0 ROOT Android Emulator

17. Security Analysis METHODOLOGIES BEHAVIORAL

18. Security Analysis METHODOLOGIES BEHAVIORAL STATIC

19. Security Analysis METHODOLOGIES BEHAVIORAL STATIC DYNAMIC

20. BEHAVIORAL Analysis NETWORK

21. NETWORK Analysis CAPTURE and INTERCEPT network TRAFFIC End-points Data transmitted

    Protocols and ports Encoding Encryption DETERMINE

22. EVALUATING traffic and certificate validation Does app VALIDATE ANY “TRUSTED”

    certificate? Does app ACCEPT ANY certificate as VALID? Does app CONTINUE after a certificate WARNING or ERROR? Does app LEVERAGE certificate PINNING? WHERE is the LOCAL certificate copy?

23. Android EMULATOR $ emulator -avd Android511 -scale 0.9 -http-proxy 127.0.0.1:8081

    -no-boot-anim -partition-size 384 -qemu -redir tcp:22222::22

24. Run BURP proxy $ java -jar burpsuite_free_v1.6.28.jar Proxy > Options

    > Proxy Listeners > Add > Binding > Port 8081 All interfaces

25. Let’s hack!!!

26. None
27. None

28. Network PROTECTIONS HTTPS - TLS: Digital certificate + CA Self-signed

    server certificate Missing intermediate CA Unknown CA Verifying server certificate: HttpsURLConnection Not relay on end-user trust decisions Use a custom X509TrustManager Not relay on root or intermediate authority chains Certificate Pinning

29. Network PROTECTIONS ENCRYPTING network connections Change to “false” NetworkSecurityPolicy Is

    clear-text network traffic allowed? Android Marshmallow StrictMode detectCleartextNetwork DETECT and LOG Unencrypted traffic android:usesCleartextTraffic https://koz.io/android-m-and-the-war-on-cleartext-traffic/

30. BEHAVIORAL Analysis NETWORK FILESYSTEM

31. FYLESYSTEM Analysis INSPECT App SANDBOX /data/data/com.organization.app DISABLE backup SENSITIVE DATA

    <manifest>
 <application
 android:allowBackup="false">
 </application>
 </manifest>

32. Get a BACKUP $ java -jar abe.jar unpack backup.ab backup.tar

    $ adb shell pm list packages | grep “<NAME>” $ adb backup -apk -obb com.organization.app $ tar xvf backup.tar
33. None

34. Storing PROTECTIONS INTERNAL storage Encrypt data with a key not

    available from the app EXTERNAL storage Perform input validation CONTENT PROVIDERS Keep them private android:exported="false" Android keystore supported 4.3+

35. BEHAVIORAL Analysis NETWORK FILESYSTEM LOGGING

36. LOGGING Analysis $ adb logcat -s <TAG> (Filters by <TAG>)

    $ adb shell > logcat $ adb logcat $ adb logcat -c (Clear log) $ adb logcat -d (Show log and stop) $ adb logcat -d | findstr /I /R “http https user pass…” $ adb logcat -d -b main > main.txt (Main log)

37. Logging PROTECTIONS LOGS should NOT contain SENSITIVE info BEFORE 4.1

    (API 16) 3rd party apps could ACCESS system LOGS Be careful with Log.d() statements

38. STATIC Analysis Retrieving APKs

39. RETRIEVING APKs /data/app/*.apk /system/[priv-]app/*.apk DOWNLOADING http://apps.evozi.com/apk-downloader/ https://apkpure.com/ ROOTED device

40. Retrieving APKs aapt (build-tools) STATIC Analysis

41. aNDROID aSSET pACKAGING tOOL $ aapt dump permissions app.apk (App

    permissions) $ aapt list -a app.apk (List app contents) $ aapt dump xmltree app.apk AndroidManifest.xml (non-xml) $ aapt dump strings app.apk (App strings) $ aapt dump resources app.apk (App resources) $ aapt package … INSPECT APK contents CHANGE APK contents

42. Retrieving APKs aapt (build-tools) Manifest.xml analysis STATIC Analysis

43. Manifest.xml Analysis API levels Android permissions App components declaration AXMLPrinter2

    $ java -jar AXMLPrinter2.jar AndroidManifest.xml > AndroidManifest.xml.txt
44. None

45. STATIC Analysis Retrieving APKs aapt (build-tools) Manifest.xml analysis Decompiling apps

46. DECOMPILING Apps Understand FUNCTIONALITY Understand app COMPONENTS Inspect source CODE

    Perform SENSITIVE searches

47. DECOMPILING Apps dex2jar enjarify jd-gui jadx $ sh d2j-dex2jar.sh base.apk

    $ sh enjarify.sh base.apk -o base.jar $ java -jar jd-gui-1.4.0.jar $ bin/jadx-gui lib/jadx-core-*.jar
48. None

49. Retrieving APKs aapt (build-tools) Manifest.xml analysis Decompiling apps Protections STATIC

    Analysis

50. Static PROTECTIONS Minimize PERMISSIONS required Minimize app components EXPOSURE Validate

    Signing CERTIFICATE …

51. DYNAMIC Analysis Manipulating components

52. Manipulating COMPONENTS Evaluate AndroidManifest Inspect source code Custom code to

    invoke components drozer

53. drozer $ drozer console connect Run Embedded Server from drozer

    Agent $ adb forward tcp:31415 tcp:31415 $ adb install agent.apk (drozer Agent) dz> run app.package.debuggable (List debuggable apps) dz> run app.activity.start --component com.organization.name com.organization.name.Activity dz> run app.package.info -a com.organization.name (App info) dz> list (List available modules) dz> run app.package.list (List all apps installed) dz> run app.package.attacksurface com.organization.name (App attack surface)
54. None

55. DYNAMIC Analysis Manipulating components Debugging apps

56. DEBUGGING Apps CONTROL execution Debuggable apps Play Store ≈5% Tools:

    AS or Device Monitor dz> run app.package.debuggable -f com.organization.name android:debuggable=“true”

57. DYNAMIC Analysis Manipulating components Debugging apps Manipulating apps

58. Disassembling APPS Disassembly + Re-assembly = Valid app Disable emulator

    or root detection Force HTTP instead of HTTPS Change app functionality

59. $ apktool b <target-app> (dist) <Modify the app assembly code>

    $ apktool d <target-app>.apk Disassembling APPS apktool $ jarsigner -verify -verbose -certs target.apk $ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 - keystore keys/keyName.keystore target.apk keyNameAlias $ keytool -genkey -v -keystore keys/keyName.keystore -alias keyNameAlias -keyalg RSA -keysize 2048 -validity 7300 Sign, verify and align APK $ zipalign -v 4 target.apk target-aligned.apk
60. None

61. DYNAMIC Analysis Manipulating components Debugging apps Manipulating apps MitM

62. Man in the Middle Manipulate HTTP(S) traffic: Requests/Responses Burp ProxyDroid

63. DYNAMIC Analysis Manipulating components Debugging apps Manipulating apps MitM Protections

64. Dynamic PROTECTIONS WebView: Be careful with setJavaScriptEnabled()

65. Dynamic PROTECTIONS WebView: Be careful with setJavaScriptEnabled() Check Emulation

66. Check EMULATION public boolean checkEmulation() { TelephonyManager mng = (TelephonyManager)

    getApplicationContext() .getSystemService(Context.TELEPHONY_SERVICE); if (mng.getSimOperatorName().equals("Android") || mng.getNetworkOperatorName().equals("Android")) { return true; } return false; }

67. Dynamic PROTECTIONS WebView: Be careful with setJavaScriptEnabled() Check Emulation Check

    Debugging

68. Check DEBUGGING public boolean checkDebugging() { if (Debug.isDebuggerConnected()) { return

    true; } return false; }

69. CONCLUSIONS We should BE HACKERS from time to time

70. CONCLUSIONS We should BE HACKERS from time to time It’s

    EASY

71. CONCLUSIONS It’s EASY SECURITY means QUALITY QUALITY means SUCCESS We

    should BE HACKERS from time to time

72. Thank you! @Guardiola31337 pguardiola.com [email protected]

73. REFERENCES http://developer.android.com/ https://portswigger.net/burp/ https://koz.io/android-m-and-the-war-on-cleartext-traffic/ https://code.google.com/archive/p/android4me/downloads https://github.com/pxb1988/dex2jar https://github.com/google/enjarify https://github.com/java-decompiler/jd-gui https://github.com/skylot/jadx https://labs.mwrinfosecurity.com/tools/drozer/

    http://ibotpeaches.github.io/Apktool/