[Webinar] SpiraTest - Setting New Standards in Quality Assurance
Securing Android Applications
1. PRESENTED BY
Manish Chasta | CISSP, CHFI, ITIL
Principal Consultant, Indusface
Securing Android
Applications
01 www.indusface.com | Copyright 2012
2. Agenda
Introduction to Android and Mobile Applications
Working with Android SDK and Emulator
Setting up GoatDroid Application
Memory Analysis
Intercepting Layer 7 traffic
Reverse Engineering Android Applications
SQLite Database Analysis
Demo: ExploitMe application
02 www.indusface.com | Copyright 2012
3. What NUMBERS say!!!
Gartner Says:
8.2 Billion mobile applications have been
downloaded in 2010
17.7 Billion by 2011
185 Billion application will have been downloaded
by 2014
03 www.indusface.com | Copyright 2012
5. Introduction to Android
Most widely used mobile OS
Developed by Google
OS + Middleware + Applications
Android Open Source Project (AOSP) is
responsible for maintenance and further
development
05 www.indusface.com | Copyright 2012
7. Android Architecture: Linux Kernel
Linux kernel with system services:
Security
Memory and process management
Network stack
Provide driver to access hardware:
Camera
Display and audio
Wifi
…
07 www.indusface.com | Copyright 2012
8. Android Architecture: Android RunTime
Core Libraries:
Written in Java
Provides the functionality of Java programming language
Interpreted by Dalvik VM
Dalvik VM:
Java based VM, a lightweight substitute to JVM
Unlike JVM, DVM is a register based Virtual Machine
DVM is optimized to run on limited main memory and less CPU
usage
Java code (.class files) converted into .dex format to be able to
run on Android platform
08 www.indusface.com | Copyright 2012
10. Mobile Apps vs Web Applications
Thick and Thin Client
Security Measures
User Awareness
010 www.indusface.com | Copyright 2012
11. Setting-up Environment
Handset / Android Device
Android SDK and Eclipse
Emulator
Wireless Connectivity
And of course… Application file
011 www.indusface.com | Copyright 2012
12. Setting-up Lab
What we need:
Android SDK
Eclips
GoatDroid (Android App from OWASP)
MySQL
.Net Framwork
Proxy tool (Burp)
Agnitio
Android Device (Optional)
SQLitebrowser
012 www.indusface.com | Copyright 2012
13. Working with
Android SDK
013 www.indusface.com | Copyright 2012
14. Android SDK
Development Environment for Android
Application Development
Components:
SDK Manager
AVD Manager
Emulator
014 www.indusface.com | Copyright 2012
15. Android SDK
Can be downloaded from :
developer.android.com/sdk/
Requires JDK to be installed
Install Eclipse
Install ADT Plugin for Eclipse
015 www.indusface.com | Copyright 2012
17. Android SDK: Configuring Eclipse
Go to Help->Install new Software
Click Add
Give Name as ADT Plugin
Provide the below address in Location: http://dl-
ssl.google.com/android/eclipse/
Press OK
Check next to ‘Developer Tool’ and press next
Click next and accept the ‘Terms and Conditions’
Click Finish
017 www.indusface.com | Copyright 2012
18. Android SDK: Configuring Eclipse
Now go to Window -> Preferences
Click on Android in left panel
Browse the Android SDK directory
Press OK
018 www.indusface.com | Copyright 2012
24. ADB: Android Debug Bridge
Android Debug Bridge (adb) is a versatile command
line tool that lets you communicate with an emulator
instance or connected Android-powered device.
You can find the adb tool in <sdk>/platform-tools/
024 www.indusface.com | Copyright 2012
25. ADB: Important Commands
Install an application to emulator or device:
025 www.indusface.com | Copyright 2012
26. ADB: Important Commands
Push data to emulator / device
adb push <local> <remote>
Pull data to emulator / device
adb pull <remote> <local>
Remote - > Emulator and Local -> Machine
026 www.indusface.com | Copyright 2012
27. ADB: Important Commands
Getting Shell of Emulator or Device
adb shell
Reading Logs
adb logcat
027 www.indusface.com | Copyright 2012
28. ADB: Important Commands
Reading SQLite3 database
adb shell
Go to the path
SQLite3 database_name.db
.dump to see content of the db file and .schema to print the
schema of the database on the screen
Reading Logs
adb logcat
028 www.indusface.com | Copyright 2012
34. Rooting Android Phone
Step 4: Reboot the phone in
download mode
Step 5: Connect to the PC
034 www.indusface.com | Copyright 2012
35. Rooting Android Phone
Step 6: Select required file i.e: PDA, Phone, CSC files
Step 7: Click on Auto Reboot and F. Reset Time and hit Start button
035 www.indusface.com | Copyright 2012
36. Rooting Android Phone
If your phone is Rooted... You will see PASS!! In Odin3
036 www.indusface.com | Copyright 2012
38. Setting Proxy
Both Android Phone and laptop (machine to be used
in auditing) needs to be in same wireless LAN.
Provide Laptops IP address and port where proxy is
listening in proxy tool (transproxy) installed in
machine.
038 www.indusface.com | Copyright 2012
39. Intercepting Traffic (Burp)
Burp is a HTTP proxy tool
Able to intercept layer 7 traffic and allows
users to manipulate the HTTP Requests and
Response
039 www.indusface.com | Copyright 2012
43. Lab: GoatDroid
A vulnerable Android
application from the
OW ASP
043 www.indusface.com | Copyright 2012
44. GoatDroid : Setting up
Install MySQL
Install fourgoats database.
Create a user with name as "goatboy", password as
"goatdroid" and Limit Connectivity to Hosts Matching
"localhost". Also "goatboy" needs to have insert,
delete, update, select on fourgoats database.
044 www.indusface.com | Copyright 2012
45. GoatDroid : Setting up
Run goatdroid-beta-v0.1.2.jar file
Set the path for Android SDK Root directory
and Virtual Devices:
Click Configure -> edit and click on Android tab
Set path for Android SDK, typically it should be
C:Program FilesAndroidandroid-sdk
Set path for Virtual Devices, typically it should be
C:Documents and SettingsManishandroidavd
045 www.indusface.com | Copyright 2012
46. GoatDroid : Setting up
Start web services
Start emulator through GoatDroid jar file
Push / Install the application to Device
Run FourGoat application from emulator
Click on Menu and then click on Destination Info
Provide following information in required fields:
Server: 10.0.2.2 and Port 8888
046 www.indusface.com | Copyright 2012
47. GoatDroid : Setting up
Demo / Hands On
047 www.indusface.com | Copyright 2012
48. GoatDroid : Setting up proxy
Assuming FourGoat is already installed
Run goatdroid-beta-v0.1.2.jar file and start web services
Start any HTTP Proxy (Burp) tool on port 7000
Configure Burp to forward the incoming traffic to port 8888
Start emulator from command line by giving following
command:
emulator –avd test2 –http-proxy 127.0.0.1:7000
048 www.indusface.com | Copyright 2012
49. GoatDroid : Setting up proxy
Open the FourGoat application in emulator
Click on Mene to set Destination Info
Set Destination Info as below:
Server: 10.0.2.2 and port as 7000
Now see if you are able to intercept the trrafic
in Burp
049 www.indusface.com | Copyright 2012
50. GoatDroid : Setting up Proxy
Demo / Hands On
050 www.indusface.com | Copyright 2012
54. GoatDroid: Auditing from Android Device
Install the app in Android device
Set the destination info as below:
Server: IP address (WLAN) of your laptop
and port as 8888 (incase no proxy is
listening)
Memory Analysis through Terminal Emulator
and DD command
054 www.indusface.com | Copyright 2012
57. Reverse Engineering Android Application
Vulnerabilities can be found through Reverse
Engineering :
Vulnerabilities in Source Code
Re-compile the application
Commented Code
Hard coded information
057 www.indusface.com | Copyright 2012
58. Reverse Engineering Android Application
Dex to jar (dex2jar)
C:dex2jar-versiondex2jar.bat someApk.apk
Open code files in any Java decompile
058 www.indusface.com | Copyright 2012
60. Agnitio
Mobile Application Coder Review tool
Install: Next-Next process
Can analyze Codebase as well as .apk file
060 www.indusface.com | Copyright 2012
63. Analyzing SQLite Database
SQLite Database:
SQLite is a widely used, lightweight database
Used by most mobile OS i.e. iPhone, Android, Symbian, webOS
SQLite is a free to use and open source database
Zero-configuration - no setup or administration needed.
A complete database is stored in a single cross-platform disk file.
063 www.indusface.com | Copyright 2012
64. Analyzing SQLite Database
Pull the .db files out of the emulator / Device
as explained eirler
Tools
SQLite browser
Epilog
064 www.indusface.com | Copyright 2012