PRESENTED BY
Manish Chasta | CISSP, CHFI, ITIL
Principal Consultant, Indusface

Securing Android Applications

www.indusface.com | Copyright 2012
Agenda

    Introduction to Android and Mobile Applications
    Working with Android SDK and Emulator
    Setting up GoatDroid Application
    Memory Analysis
    Intercepting Layer 7 traffic
    Reverse Engineering Android Applications
    SQLite Database Analysis
    Demo: ExploitMe application
What NUMBERS say!!!

    Gartner says:
        8.2 billion mobile applications were downloaded in 2010
        17.7 billion by 2011
        185 billion applications will have been downloaded by 2014
Market Share
Introduction to Android

    Most widely used mobile OS
    Developed by Google
    OS + Middleware + Applications
    The Android Open Source Project (AOSP) is responsible for maintenance and further development
Android Architecture
Android Architecture: Linux Kernel

    Linux kernel with system services:
        Security
        Memory and process management
        Network stack
    Provides drivers to access hardware:
        Camera
        Display and audio
        Wifi
        ...
Android Architecture: Android RunTime

    Core Libraries:
        Written in Java
        Provide most of the functionality of the Java programming language
        Run on the Dalvik VM

    Dalvik VM:
        Java-based VM, a lightweight substitute for the JVM
        Unlike the (stack-based) JVM, the DVM is a register-based virtual machine
        Optimized to run with limited main memory and low CPU usage
        Java bytecode (.class files) is converted into .dex format to run on the Android platform
Android Applications
Mobile Apps vs Web Applications

    Thick and Thin Client
    Security Measures
    User Awareness
Setting-up Environment

    Handset / Android Device
    Android SDK and Eclipse
    Emulator
    Wireless Connectivity
    And of course... the application file
Setting-up Lab

    What we need:
        Android SDK
        Eclipse
        GoatDroid (Android app from OWASP)
        MySQL
        .NET Framework
        Proxy tool (Burp)
        Agnitio
        Android Device (optional)
        SQLite browser
Working with Android SDK
Android SDK

    Development environment for Android application development
    Components:
        SDK Manager
        AVD Manager
        Emulator
Android SDK

    Can be downloaded from: developer.android.com/sdk/
    Requires the JDK to be installed
    Install Eclipse
    Install the ADT Plugin for Eclipse
Android SDK : Installing SDK

    A simple next-next installer
Android SDK: Configuring Eclipse

    Go to Help -> Install New Software
    Click Add
    Give the name as ADT Plugin
    Provide the following address in Location: http://dl-ssl.google.com/android/eclipse/
    Press OK
    Tick 'Developer Tools' and press Next
    Click Next and accept the 'Terms and Conditions'
    Click Finish
Android SDK: Configuring Eclipse

    Now go to Window -> Preferences
    Click on Android in the left panel
    Browse to the Android SDK directory
    Press OK
SDK Manager

AVD Manager

Emulator: Running

    Click on Start

Emulator: Running from Command Line

Emulator: Running with proxy
ADB: Android Debug Bridge

    Android Debug Bridge (adb) is a versatile command line tool that lets you communicate with an emulator instance or a connected Android-powered device.

    You can find the adb tool in <sdk>/platform-tools/
ADB: Important Commands

    Install an application to emulator or device:

        adb install <path-to-apk>
ADB: Important Commands

    Push data to emulator / device
        adb push <local> <remote>

    Pull data from emulator / device
        adb pull <remote> <local>

    Remote -> emulator / device, Local -> your machine
ADB: Important Commands

    Getting a shell on the emulator or device
        adb shell

    Reading logs
        adb logcat
ADB: Important Commands

    Reading an SQLite3 database

        adb shell
        cd to the database's directory (typically /data/data/<package>/databases/)
        sqlite3 database_name.db

        .dump prints the content of the db file and .schema prints the schema of the database on the screen
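Reading logs is where credentials most often turn up, because developers ship release builds with Log.d() calls still in them. The script below is an added example written for this page, not part of the deck or of GoatDroid: it parses `adb logcat -v threadtime` output and flags credentials, session material and card numbers per log tag. The sample lines, the FourGoats tag, the PIDs and every value in them are constructed for the example.

```python
"""Scan `adb logcat` output for secrets an app leaks through android.util.Log.

Added example, not from the original deck. SAMPLE_LOGCAT is constructed to look
like `adb logcat -v threadtime` output; the tag, PIDs and values are made up, so
the script runs without a device. Pipe real output in via stdin instead.
"""
import re
import sys

SAMPLE_LOGCAT = """\
03-14 10:22:01.123  1432  1432 D FourGoats: login request user=goatboy password=goatdroid
03-14 10:22:01.201  1432  1440 I FourGoats: POST http://10.0.2.2:8888/fourgoats/api/login
03-14 10:22:01.455  1432  1440 D FourGoats: response sessionToken=3f9a1c2e7b4d4a1f9b2e
03-14 10:22:01.460   812   812 I ActivityManager: Displayed com.example.fourgoats/.Home
03-14 10:22:02.000  1432  1432 V FourGoats: card=4111111111111111 exp=12/25
"""

# `adb logcat -v threadtime` layout: date time pid tid level tag: message
LOGCAT_LINE = re.compile(
    r"^(?P<date>\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>[^:]+):\s*(?P<msg>.*)$"
)

# What an auditor greps for: credentials, session material, card numbers.
SENSITIVE = {
    "credential": re.compile(r"\b(?:password|passwd|pwd|pin)\s*[=:]\s*\S+", re.I),
    "session": re.compile(r"\b(?:session\w*|token|auth\w*|cookie)\s*[=:]\s*\S+", re.I),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),   # 13-19 digits, optional separators
}


def parse_logcat(text):
    """Return [(line_no, fields)] for well-formed threadtime lines; others are skipped."""
    records = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LOGCAT_LINE.match(line)
        if m:
            records.append((line_no, m.groupdict()))
    return records


def find_leaks(text, tag=None):
    """Return (line_no, tag, category, matched_text) for each sensitive hit.

    `tag` narrows the scan to one app's log tag, the same way you would filter
    on the device with `adb logcat FourGoats:V *:S` (tag assumed for the example).
    """
    hits = []
    for line_no, rec in parse_logcat(text):
        if tag and rec["tag"] != tag:
            continue
        for category, pattern in SENSITIVE.items():
            for m in pattern.finditer(rec["msg"]):
                hits.append((line_no, rec["tag"], category, m.group(0)))
    return hits


if __name__ == "__main__":
    # On a real device: adb logcat -d -v threadtime | python logcat_leaks.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOGCAT
    for line_no, tag, category, what in find_leaks(text):
        print(f"line {line_no:4d} [{tag}] {category}: {what}")
```

Everything logged this way is readable by any app holding READ_LOGS on the Android versions of this deck's era, and by anyone with a USB cable, so each hit is a finding in its own right, not just a pointer to one.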
Auditing Application from Android Phone
Need of Rooting

    What is Android Rooting?

    Rooting gives you a root shell on the handset. Without it, adb shell and Terminal Emulator run as an unprivileged user and cannot read another application's private directory under /data/data, which the memory and database analysis that follows depends on.
Rooting Android Phone

    The steps below use Odin3 and a CF-Root kernel and therefore apply to Samsung handsets; other devices need a different procedure.

    Step 1: Download the CF-Root kernel files and the Odin3 software
    Step 2: Enable USB debugging on the handset
    Step 3: Run Odin3
    Step 4: Reboot the phone into download mode
    Step 5: Connect the phone to the PC
    Step 6: Select the required files, i.e. the PDA, Phone and CSC files
    Step 7: Tick Auto Reboot and F. Reset Time, then hit the Start button

    If your phone is rooted, you will see PASS!! in Odin3
Important Tools

    Terminal Emulator
    Proxy tool (transproxy)
Setting Proxy

    Both the Android phone and the laptop (the machine used for auditing) need to be on the same wireless LAN.

    In the proxy tool (transproxy) installed on the handset, enter the laptop's IP address and the port on which the proxy is listening.
Intercepting Traffic (Burp)

    Burp is an HTTP proxy tool

    It intercepts layer 7 (HTTP) traffic and lets the user manipulate the HTTP requests and responses
Memory Analysis with Terminal Emulator

    dd command (run as root in Terminal Emulator):

        dd if=filename.xyz of=/sdcard/SDA.dd

    This copies the raw file to the SD card, from where it can be pulled with adb pull and examined on the laptop.

    Application path on Android device:

        /data/data/com.application_name
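What you do with /sdcard/SDA.dd once it is on the laptop is carve it. The script below is an added example written for this page, not from the deck: it locates SQLite file headers by their magic string, reads the page size and page count out of the header, slices each database out, and lists printable strings the way the strings utility does. The image (JUNK, DB1, DB2) is constructed in memory rather than read from a device, and the table and credential strings in it are made up.

```python
"""Carve SQLite databases and readable strings out of a raw dd image.

Added example, not from the original deck. It builds a small constructed image
in memory (JUNK/DB1/DB2 are made up) instead of reading a /sdcard/SDA.dd pulled
from a device, so it runs offline.
"""
import re
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file


def make_sqlite_header(page_size, pages):
    """Minimal 100-byte SQLite file header (constructed; only the fields we parse)."""
    hdr = bytearray(100)
    hdr[0:16] = SQLITE_MAGIC
    hdr[16:18] = struct.pack(">H", page_size)  # page size, big-endian
    hdr[18] = hdr[19] = 1                      # write / read format version
    hdr[28:32] = struct.pack(">I", pages)      # database size in pages
    return bytes(hdr)


# Constructed image: filler, a users database, filler, a session database, filler.
JUNK = b"\x37\x13\x00\xff" * 64
DB1 = (make_sqlite_header(4096, 3) + b"\x00" * 200
       + b"CREATE TABLE users(username TEXT, password TEXT)\x00"
       + b"\x00" * 100 + b"goatboy\x00goatdroid\x00")
DB2 = (make_sqlite_header(1024, 1) + b"\x00" * 50
       + b"CREATE TABLE session(token TEXT)\x00")
IMAGE = JUNK + DB1 + JUNK + DB2 + JUNK


def carve_sqlite(image):
    """Return (offset, page_size, pages) for every SQLite header found in the image."""
    found = []
    pos = image.find(SQLITE_MAGIC)
    while pos != -1:
        page_size = struct.unpack(">H", image[pos + 16:pos + 18])[0]
        if page_size == 1:        # the header encodes a 65536-byte page as 1
            page_size = 65536
        pages = struct.unpack(">I", image[pos + 28:pos + 32])[0]
        found.append((pos, page_size, pages))
        pos = image.find(SQLITE_MAGIC, pos + 1)
    return found


def extract(image, offset, page_size, pages):
    """Slice one carved database out (truncated if the image ends first)."""
    return image[offset:offset + page_size * pages]


def strings(image, min_len=4):
    """Same idea as the `strings` utility: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group(0).decode("ascii") for m in re.finditer(pattern, image)]


if __name__ == "__main__":
    # On a real pull: IMAGE = open("SDA.dd", "rb").read()
    for off, psz, n in carve_sqlite(IMAGE):
        print(f"SQLite db at offset {off}: page size {psz}, {n} pages")
    for s in strings(IMAGE):
        print(s)
```

Writing each carved slice to its own file and opening it with sqlitebrowser is the next step; the strings pass is the quick check for credentials that never made it into a table at all.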
Lab: GoatDroid

    A vulnerable Android application from OWASP
GoatDroid : Setting up

    Install MySQL
    Install the fourgoats database
    Create a user with the name "goatboy", password "goatdroid", and limit connectivity to hosts matching "localhost". "goatboy" also needs insert, delete, update and select on the fourgoats database.
GoatDroid : Setting up

    Run the goatdroid-beta-v0.1.2.jar file
    Set the path for the Android SDK root directory and Virtual Devices:
        Click Configure -> Edit and click on the Android tab
        Set the path for the Android SDK, typically C:\Program Files\Android\android-sdk
        Set the path for Virtual Devices, typically C:\Documents and Settings\Manish\.android\avd
GoatDroid : Setting up

    Start the web services
    Start the emulator through the GoatDroid jar file
    Push / install the application to the device
    Run the FourGoats application in the emulator
    Click on Menu and then click on Destination Info
    Provide the following information in the required fields:
        Server: 10.0.2.2 and Port 8888
        (10.0.2.2 is the emulator's alias for the host machine's loopback address, i.e. the laptop running the GoatDroid web services)
GoatDroid : Setting up

    Demo / Hands On
GoatDroid : Setting up proxy

    Assuming FourGoats is already installed
    Run the goatdroid-beta-v0.1.2.jar file and start the web services
    Start an HTTP proxy tool (Burp) listening on port 7000
    Configure Burp to forward the incoming traffic to port 8888
    Start the emulator from the command line with:

        emulator -avd test2 -http-proxy 127.0.0.1:7000
GoatDroid : Setting up proxy

    Open the FourGoats application in the emulator
    Click on Menu to set Destination Info
    Set Destination Info as below:
        Server: 10.0.2.2 and port 7000

    Now check that you are able to intercept the traffic in Burp
GoatDroid : Setting up Proxy

    Demo / Hands On

GoatDroid: Intercepting Traffic

    Demo / Hands On

GoatDroid: Parameter Manipulation Attack

    Demo / Hands On

GoatDroid: Handset Memory Analysis

    Demo / Hands On
GoatDroid: Auditing from Android Device

    Install the app on the Android device
    Set the destination info as below:
        Server: the IP address (WLAN) of your laptop, and port 8888 (in case no proxy is listening; otherwise the proxy port)
    Memory analysis through Terminal Emulator and the dd command
GoatDroid: Reverse Engineering

    Next Topic

Reverse Engineering Android Applications
Reverse Engineering Android Application

    Vulnerabilities can be found through reverse engineering:
        Vulnerabilities in source code
        Re-compiling the application after modifying it
        Commented code
        Hard-coded information
Reverse Engineering Android Application

    Dex to jar (dex2jar):

        C:\dex2jar-version\dex2jar.bat someApk.apk

    Open the resulting .jar in any Java decompiler
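Once dex2jar and a Java decompiler have given you source, the "commented code" and "hard-coded information" items from the previous slide can be checked mechanically. The script below is an added example, not part of the deck, of dex2jar or of Agnitio: it scans a constructed Java class (SAMPLE_JAVA, with package name, key and password values all made up) for string literals assigned to secret-looking names, cleartext HTTP URLs, commented-out code, and credentials left inside block comments.

```python
"""Hunt hard-coded secrets and leftover comments in decompiled Android source.

Added example, not from the original deck. SAMPLE_JAVA is a constructed snippet
standing in for a class recovered via dex2jar plus a Java decompiler; every
name and value in it is made up for the example.
"""
import re

SAMPLE_JAVA = '''\
package com.example.fourgoats;

public class ApiClient {
    private static final String API_KEY = "demo-api-key-0123456789";
    private static final String BASE_URL = "http://10.0.2.2:8888/fourgoats/api/";
    private static String adminPassword = "goatdroid";
    // TODO remove before release:
    // debugLogin("admin", "goatdroid");
    /* old endpoint: http://dev.example.internal/api/ user=root pass=toor */
    public String userAgent = "FourGoats/1.0";

    public boolean isAdmin(String user) {
        return user.equals("admin");   // hardcoded role check
    }
}
'''

# A string literal assigned to a variable whose name smells like a secret.
SECRET_ASSIGN = re.compile(
    r'\b(?:String\s+)?(?P<name>\w*(?:key|secret|pass(?:word|wd)?|token|pin)\w*)'
    r'\s*=\s*"(?P<value>[^"]+)"', re.I)
URL = re.compile(r'["\s](?P<url>https?://[^\s"]+)')
STRING_LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"')
LINE_COMMENT = re.compile(r'(?:^|\s)//\s*(?P<body>.*)$')   # not the // inside http://
BLOCK_COMMENT = re.compile(r'/\*(?P<body>.*?)\*/', re.S)
CODE_LIKE = re.compile(r'[\w.]+\s*\(.*\)\s*;')            # something(...); in a comment
CREDS_IN_TEXT = re.compile(r'\b(?:user|pass|password|pwd)\s*=\s*\S+', re.I)


def blank_strings(line):
    """Replace string literal contents with spaces, keeping offsets identical."""
    return STRING_LITERAL.sub(lambda m: '"' + ' ' * (len(m.group(0)) - 2) + '"', line)


def scan_java(src):
    """Return (line_no, kind, detail) findings, sorted by line number."""
    findings = []
    for line_no, line in enumerate(src.splitlines(), 1):
        for m in SECRET_ASSIGN.finditer(line):
            findings.append((line_no, "hardcoded-secret", f'{m["name"]}="{m["value"]}"'))
        for m in URL.finditer(line):
            kind = "cleartext-http-url" if m["url"].startswith("http://") else "url"
            findings.append((line_no, kind, m["url"]))
        # Find // outside string literals, then report the body from the real line.
        m = LINE_COMMENT.search(blank_strings(line))
        if m:
            body = line[m.start("body"):].strip()
            if CODE_LIKE.search(body):
                findings.append((line_no, "commented-out-code", body))
    for m in BLOCK_COMMENT.finditer(src):
        line_no = src.count("\n", 0, m.start()) + 1
        for c in CREDS_IN_TEXT.finditer(m["body"]):
            findings.append((line_no, "credential-in-comment", c.group(0)))
    findings.sort(key=lambda f: f[0])
    return findings


if __name__ == "__main__":
    # For a real target: loop over *.java files under the decompiler's output dir.
    for line_no, kind, detail in scan_java(SAMPLE_JAVA):
        print(f"{line_no:3d} {kind:22s} {detail}")
```

The regexes are deliberately loose; on a real decompiled tree the point is to produce a short list to read by hand, not a verdict.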
Reverse Engineering Android Application

    Demo / Hands On
Agnitio

    Mobile application code review tool
    Install: next-next process
    Can analyze a codebase as well as an .apk file

    Demo / Hands On
Analyzing SQLite Database
Analyzing SQLite Database

    SQLite Database:
        SQLite is a widely used, lightweight database
        Used by most mobile OSs, e.g. iPhone, Android, Symbian, webOS
        SQLite is free to use and open source
        Zero-configuration: no setup or administration needed
        A complete database is stored in a single cross-platform disk file
Analyzing SQLite Database

    Pull the .db files out of the emulator / device as explained earlier (adb pull)
    Tools:
        SQLite browser
        Epilog
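The same .schema / .dump inspection as an added example in Python rather than the sqlite3 shell; it is not from the deck. It writes a constructed database (tables, names and values made up, standing in for a .db pulled from /data/data/<package>/databases/) to a temp file, lists its schema and rows, and then flags sensitive-looking columns whose values are stored in the clear, which is the finding you are usually looking for in this step.

```python
"""Audit a pulled SQLite database the way you would with sqlite3's .schema/.dump.

Added example, not from the original deck. Instead of a .db file pulled with
`adb pull`, it writes a constructed database (tables, names and values are
made up) to a temp file so that it runs without a device.
"""
import os
import re
import sqlite3
import tempfile


def make_sample_db_path():
    """Build the constructed database and return its path (stands in for a pulled .db)."""
    path = os.path.join(tempfile.mkdtemp(), "fourgoats.db")
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE sessions(user_id INTEGER, token TEXT, created TEXT);
        CREATE TABLE prefs(name TEXT, value TEXT);
        INSERT INTO users(username, password) VALUES ('goatboy', 'goatdroid');
        INSERT INTO users(username, password) VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO sessions VALUES (1, '3f9a1c2e7b4d4a1f9b2e', '2012-03-14');
        INSERT INTO prefs VALUES ('server', '10.0.2.2:8888');
    """)
    con.close()
    return path


def schema(path):
    """Equivalent of `.schema`: the CREATE statements stored in sqlite_master."""
    con = sqlite3.connect(path)
    rows = con.execute(
        "SELECT sql FROM sqlite_master WHERE sql IS NOT NULL ORDER BY rowid").fetchall()
    con.close()
    return [r[0] for r in rows]


def table_names(con):
    return [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY rowid")]


def dump(path):
    """Equivalent of `.dump` for the data: {table: [row, ...]}."""
    con = sqlite3.connect(path)
    out = {t: con.execute(f'SELECT * FROM "{t}"').fetchall() for t in table_names(con)}
    con.close()
    return out


SENSITIVE_COL = re.compile(r"pass|pwd|secret|token|pin", re.I)
HEX_DIGEST = re.compile(r"^[0-9a-f]{32,}$", re.I)   # looks like an unsalted hash


def audit(path):
    """Return (table, column, status, value) for every sensitive-looking column value."""
    findings = []
    con = sqlite3.connect(path)
    for t in table_names(con):
        cols = [r[1] for r in con.execute(f'PRAGMA table_info("{t}")')]
        for c in cols:
            if not SENSITIVE_COL.search(c):
                continue
            for (v,) in con.execute(f'SELECT "{c}" FROM "{t}" WHERE "{c}" IS NOT NULL'):
                status = "hashed?" if HEX_DIGEST.match(str(v)) else "cleartext"
                findings.append((t, c, status, str(v)))
    con.close()
    return findings


if __name__ == "__main__":
    db = make_sample_db_path()      # on a real job: the path you pulled the .db to
    print("\n".join(schema(db)))
    for table, rows in dump(db).items():
        print(table, rows)
    for finding in audit(db):
        print("FINDING", finding)
```

The 32-hex-character value is reported as hashed? rather than cleartext; it is the unsalted MD5 of the word "password", so a hit like that still belongs in the report as crackable rather than as a pass.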
Analyzing SQLite Database

    Demo / Hands On
ExploitMe

    One more vulnerable application, from Security Compass

    Demo / Hands On
Manish Chasta
    Email: manish.chasta@indusface.com
Thank You

    Sales : sales@indusface.com
    Marketing : marketing@indusface.com
    Technical : support@indusface.com

    VADODARA, INDIA: A/2-3, 3rd Floor, Status Plaza, Opp Relish Resort, Atladara Old Padra Road, Vadodara – 390020, Gujarat, India. T: +91 265 3933000, F: +91 265 2355820
    BANGALORE, INDIA: 408, 2nd Floor, Regency Enclave, 4, Magrath Road, Bangalore – 560025, Karnataka, India. T: +91 80 65608570, +91 80 65608571, F: +91 80 41129296
    MUMBAI, INDIA: 1357 / 1359, Regus Serviced Offices, Level 13, Platinum Techno Park 17 & 18, Sector 30, Vashi, Navi Mumbai – 400705, Maharashtra, India. T: +91 22 61214961
    OTTAWA, CANADA: 137 Goodman Drive, Kanata, Ottawa K2W 1C7, Ontario, Canada. T: +1 613 721 9363
    HOUSTON, USA: 1001 Fannin Street, Ste 1250, Houston, Texas 77002, USA. T: +1 832 295 1462

Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 

Securing Android Applications

  • 1. Securing Android Applications
    Presented by Manish Chasta | CISSP, CHFI, ITIL
    Principal Consultant, Indusface
    01 www.indusface.com | Copyright 2012
  • 2. Agenda
    - Introduction to Android and Mobile Applications
    - Working with Android SDK and Emulator
    - Setting up GoatDroid Application
    - Memory Analysis
    - Intercepting Layer 7 traffic
    - Reverse Engineering Android Applications
    - SQLite Database Analysis
    - Demo: ExploitMe application
  • 3. What NUMBERS say!!!
    - Gartner says:
      - 8.2 billion mobile applications have been downloaded in 2010
      - 17.7 billion by 2011
      - 185 billion applications will have been downloaded by 2014
  • 4. Market Share
  • 5. Introduction to Android
    - Most widely used mobile OS
    - Developed by Google
    - OS + Middleware + Applications
    - Android Open Source Project (AOSP) is responsible for maintenance and further development
  • 6. Android Architecture
  • 7. Android Architecture: Linux Kernel
    - Linux kernel with system services:
      - Security
      - Memory and process management
      - Network stack
    - Provides drivers to access hardware:
      - Camera
      - Display and audio
      - Wi-Fi
      - …
  • 8. Android Architecture: Android Runtime
    - Core Libraries:
      - Written in Java
      - Provide the functionality of the Java programming language
      - Interpreted by the Dalvik VM
    - Dalvik VM:
      - Java-based VM, a lightweight substitute for the JVM
      - Unlike the JVM, the DVM is a register-based virtual machine
      - DVM is optimized to run with limited main memory and low CPU usage
      - Java code (.class files) is converted into .dex format to be able to run on the Android platform
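The .dex container this slide mentions carries a small header that a reviewer can verify before trusting a pulled classes.dex or the output of a converter. The parser below is an added example (not from the slides or any project they mention): it reads the magic, version, Adler-32 checksum, SHA-1 signature and size fields defined by the public DEX format and recomputes the two integrity values. The file it builds is constructed for the example, not a real application's classes.dex.

```python
"""Parse and integrity-check the header of a Dalvik .dex file.

Added example, not code from the original slides. Field offsets follow the
public DEX format: magic (8 bytes), adler32 checksum (4), SHA-1 signature
(20), file_size, header_size and endian_tag (4 each).
"""
import hashlib
import struct
import zlib

DEX_MAGIC_PREFIX = b"dex\n"
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678


def parse_dex_header(data: bytes) -> dict:
    """Return the leading header fields, or raise ValueError if this is not DEX."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than a DEX header")
    magic = data[0:8]
    if magic[:4] != DEX_MAGIC_PREFIX or magic[7:8] != b"\x00":
        raise ValueError("bad DEX magic")
    version = magic[4:7].decode("ascii")           # e.g. "035"
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    if header_size != HEADER_SIZE:
        raise ValueError(f"unexpected header_size {header_size:#x}")
    if endian_tag != ENDIAN_CONSTANT:
        raise ValueError(f"unexpected endian_tag {endian_tag:#x}")
    return {
        "version": version,
        "checksum": checksum,
        "signature": signature.hex(),
        "file_size": file_size,
        "header_size": header_size,
    }


def is_dex(data: bytes) -> bool:
    try:
        parse_dex_header(data)
        return True
    except ValueError:
        return False


def verify_dex_integrity(data: bytes) -> dict:
    """Recompute the checksum and signature stored in the header.

    The checksum covers everything after the checksum field (offset 12 to
    end); the signature covers everything after the signature field
    (offset 32 to end). A mismatch means the file was modified after it was
    produced, e.g. by repackaging.
    """
    hdr = parse_dex_header(data)
    adler = zlib.adler32(data[12:]) & 0xFFFFFFFF
    sha1 = hashlib.sha1(data[32:]).hexdigest()
    return {
        "checksum_ok": adler == hdr["checksum"],
        "signature_ok": sha1 == hdr["signature"],
        "size_ok": hdr["file_size"] == len(data),
    }


def build_sample_dex(version: bytes = b"035", payload: bytes = b"") -> bytes:
    """Construct a minimal, internally consistent .dex blob (sample data only)."""
    body = bytearray(HEADER_SIZE) + bytearray(payload)
    struct.pack_into("<III", body, 32, len(body), HEADER_SIZE, ENDIAN_CONSTANT)
    # Signature first (covers 32..end), then checksum (covers 12..end, so it
    # includes the signature); the magic is covered by neither.
    body[12:32] = hashlib.sha1(bytes(body[32:])).digest()
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    body[0:8] = b"dex\n" + version + b"\x00"
    return bytes(body)


if __name__ == "__main__":
    sample = build_sample_dex(payload=b"constructed payload")
    print(parse_dex_header(sample))
    print(verify_dex_integrity(sample))
```

Only the header is parsed here; the string, type and method tables that follow it are what a converter such as dex2jar consumes, and the integrity fields are the cheap check that the file in hand is the one the build produced.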
  • 9. Android Applications
  • 10. Mobile Apps vs Web Applications
    - Thick and thin client
    - Security measures
    - User awareness
  • 11. Setting up Environment
    - Handset / Android device
    - Android SDK and Eclipse
    - Emulator
    - Wireless connectivity
    - And of course… the application file
  • 12. Setting up Lab
    - What we need:
      - Android SDK
      - Eclipse
      - GoatDroid (Android app from OWASP)
      - MySQL
      - .NET Framework
      - Proxy tool (Burp)
      - Agnitio
      - Android device (optional)
      - SQLite browser
  • 13. Working with Android SDK
  • 14. Android SDK
    - Development environment for Android application development
    - Components:
      - SDK Manager
      - AVD Manager
      - Emulator
  • 15. Android SDK
    - Can be downloaded from: developer.android.com/sdk/
    - Requires the JDK to be installed
    - Install Eclipse
    - Install the ADT Plugin for Eclipse
  • 16. Android SDK: Installing SDK
    - Simple next-next process
  • 17. Android SDK: Configuring Eclipse
    - Go to Help -> Install New Software
    - Click Add
    - Give the Name as ADT Plugin
    - Provide the address below in Location: http://dl-ssl.google.com/android/eclipse/
    - Press OK
    - Check next to 'Developer Tools' and press Next
    - Click Next and accept the 'Terms and Conditions'
    - Click Finish
  • 18. Android SDK: Configuring Eclipse
    - Now go to Window -> Preferences
    - Click on Android in the left panel
    - Browse to the Android SDK directory
    - Press OK
  • 21. Emulator: Running
    - Click on Start
  • 22. Emulator: Running from Command Line
  • 23. Emulator: Running with proxy
  • 24. ADB: Android Debug Bridge
    - Android Debug Bridge (adb) is a versatile command line tool that lets you communicate with an emulator instance or a connected Android-powered device.
    - You can find the adb tool in <sdk>/platform-tools/
  • 25. ADB: Important Commands
    - Install an application to the emulator or device:
  • 26. ADB: Important Commands
    - Push data to the emulator / device: adb push <local> <remote>
    - Pull data from the emulator / device: adb pull <remote> <local>
    - Remote -> emulator, Local -> machine
  • 27. ADB: Important Commands
    - Getting a shell on the emulator or device: adb shell
    - Reading logs: adb logcat
  • 28. ADB: Important Commands
    - Reading a SQLite3 database:
      - adb shell
      - Go to the path
      - sqlite3 database_name.db
      - .dump to see the content of the db file and .schema to print the schema of the database on the screen
    - Reading logs: adb logcat
  • 29. Auditing Application from Android Phone
  • 30. Need of Rooting
    - What is Android rooting?
  • 31. Rooting Android Phone
    - Step 1: Download the CF rooted kernel files and the Odin3 software
  • 32. Rooting Android Phone
    - Step 2: Keep the handset in debugging mode
  • 33. Rooting Android Phone
    - Step 3: Run Odin3
  • 34. Rooting Android Phone
    - Step 4: Reboot the phone in download mode
    - Step 5: Connect it to the PC
  • 35. Rooting Android Phone
    - Step 6: Select the required files, i.e. PDA, Phone, CSC files
    - Step 7: Click on Auto Reboot and F. Reset Time and hit the Start button
  • 36. Rooting Android Phone
    - If your phone is rooted, you will see PASS!! in Odin3
  • 37. Important Tools
    - Terminal Emulator
    - Proxy tool (transproxy)
  • 38. Setting Proxy
    - Both the Android phone and the laptop (the machine used for auditing) need to be on the same wireless LAN.
    - Provide the laptop's IP address and the port where the proxy is listening in the proxy tool (transproxy) installed on the machine.
  • 39. Intercepting Traffic (Burp)
    - Burp is an HTTP proxy tool
    - Able to intercept layer 7 traffic and allows users to manipulate HTTP requests and responses
  • 40. Memory Analysis with Terminal Emulator
    - dd command: dd if=filename.xyz of=/sdcard/SDA.dd
    - Application path on the Android device: /data/data/com.application_name
  • 41. Memory Analysis with Terminal Emulator
  • 42. Memory Analysis with Terminal Emulator
  • 43. Lab: GoatDroid
    - A vulnerable Android application from OWASP
  • 44. GoatDroid: Setting up
    - Install MySQL
    - Install the fourgoats database.
    - Create a user with the name "goatboy", password "goatdroid" and Limit Connectivity to Hosts Matching "localhost". "goatboy" also needs insert, delete, update and select on the fourgoats database.
  • 45. GoatDroid: Setting up
    - Run the goatdroid-beta-v0.1.2.jar file
    - Set the path for the Android SDK root directory and Virtual Devices:
      - Click Configure -> Edit and click on the Android tab
      - Set the path for the Android SDK; typically it is C:\Program Files\Android\android-sdk
      - Set the path for Virtual Devices; typically it is C:\Documents and Settings\Manish\android\avd
  • 46. GoatDroid: Setting up
    - Start web services
    - Start the emulator through the GoatDroid jar file
    - Push / install the application to the device
    - Run the FourGoats application from the emulator
    - Click on Menu and then click on Destination Info
    - Provide the following information in the required fields: Server: 10.0.2.2 and Port 8888
  • 47. GoatDroid: Setting up
    - Demo / Hands On
  • 48. GoatDroid: Setting up proxy
    - Assuming FourGoats is already installed
    - Run the goatdroid-beta-v0.1.2.jar file and start web services
    - Start any HTTP proxy tool (Burp) on port 7000
    - Configure Burp to forward the incoming traffic to port 8888
    - Start the emulator from the command line with the following command: emulator -avd test2 -http-proxy 127.0.0.1:7000
  • 49. GoatDroid: Setting up proxy
    - Open the FourGoats application in the emulator
    - Click on Menu to set Destination Info
    - Set Destination Info as below: Server: 10.0.2.2 and port 7000
    - Now see if you are able to intercept the traffic in Burp
  • 50. GoatDroid: Setting up Proxy
    - Demo / Hands On
  • 51. GoatDroid: Intercepting Traffic
    - Demo / Hands On
  • 52. GoatDroid: Parameter Manipulation Attack
    - Demo / Hands On
  • 53. GoatDroid: Handset Memory Analysis
    - Demo / Hands On
  • 54. GoatDroid: Auditing from Android Device
    - Install the app on the Android device
    - Set the destination info as below: Server: IP address (WLAN) of your laptop and port 8888 (in case no proxy is listening)
    - Memory analysis through Terminal Emulator and the dd command
  • 55. GoatDroid: Reverse Engineering
    - Next topic
  • 56. Reverse Engineering Android Applications
  • 57. Reverse Engineering Android Application
    - Vulnerabilities that can be found through reverse engineering:
      - Vulnerabilities in source code
      - Re-compiling the application
      - Commented code
      - Hard-coded information
  • 58. Reverse Engineering Android Application
    - Dex to jar (dex2jar): C:\dex2jar-version\dex2jar.bat someApk.apk
    - Open the code files in any Java decompiler
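Three of the artefacts the slides collect are reviewed for the same thing: adb logcat output (slides 27 and 28), the dd image of the application's data directory (slide 40) and the decompiled source after dex2jar (slides 57 and 58) are all checked for hard-coded or leaked secrets. The scanner below is an added example, not code from the slides, GoatDroid or Agnitio; the rules are my own heuristics, and the logcat lines, Java source and image bytes are constructed for the example (the goatboy / goatdroid strings are the lab values from the slides reused as sample data).

```python
"""Scan audit artefacts from an Android app review for leaked secrets.

Added example, not from the original slides. One rule set runs over text
(logcat, decompiled source) and over printable runs extracted from a raw
dd image, so the same finding format covers all three sources.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, int, str, str]   # (source, line_no, rule, excerpt)

# Review heuristics: credential-looking assignments, PEM private keys and
# URLs that embed user:password. Deliberately broad; triage the output.
RULES = [
    ("credential_assignment",
     re.compile(r'(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*"?[^"\s]{4,}')),
    ("private_key_block",
     re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("credentials_in_url",
     re.compile(r"(?i)[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@")),
]


def scan_text(source: str, text: str) -> List[Finding]:
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append((source, no, rule, line.strip()[:80]))
                break   # one finding per line is enough for triage
    return findings


def extract_strings(data: bytes, min_len: int = 6) -> str:
    """strings(1)-style extraction of printable ASCII runs from a raw image."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return "\n".join(r.decode("ascii") for r in runs)


def scan_image(source: str, data: bytes) -> List[Finding]:
    return scan_text(source, extract_strings(data))


# --- constructed sample inputs (not captured from a real device) ---------
SAMPLE_LOGCAT = """\
D/FourGoats( 1234): login attempt for user goatboy
V/HttpClient( 1234): POST /api/login?username=goatboy&password=goatdroid
I/ActivityManager(  321): Displayed org.owasp.goatdroid/.LoginActivity
W/DbHelper( 1234): connecting to jdbc:mysql://goatboy:goatdroid@10.0.2.2/fourgoats
"""

SAMPLE_SOURCE = """\
public class Config {
    // TODO: remove before release
    private static final String DB_PASSWORD = "goatdroid";
    private static final String API_KEY = "AIzaSyCONSTRUCTED-example-value";
    private static final String ENDPOINT = "http://10.0.2.2:8888/";
}
"""

SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"SQLite format 3\x00"          # header of an app-private .db file
    + b"\x01\x02\x03" * 8             # non-printable filler
    + b"user=goatboy\x00"
    + b"password=goatdroid\x00"
    + b"\xff" * 8
    + b"-----BEGIN RSA PRIVATE KEY-----\x00"
    + b"\x00" * 16
)


def audit_samples() -> List[Finding]:
    findings: List[Finding] = []
    findings += scan_text("logcat", SAMPLE_LOGCAT)
    findings += scan_text("Config.java", SAMPLE_SOURCE)
    findings += scan_image("data.dd", SAMPLE_IMAGE)
    return findings


if __name__ == "__main__":
    for source, no, rule, excerpt in audit_samples():
        print(f"{source}:{no}: {rule}: {excerpt}")
```

In practice the text inputs come from `adb logcat` and the decompiler's output directory, and the image from the dd file pulled back with `adb pull`; the regular expressions are the part to extend as the review finds new patterns.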
  • 59. Reverse Engineering Android Application
    - Demo / Hands On
  • 60. Agnitio
    - Mobile application code review tool
    - Install: next-next process
    - Can analyze a codebase as well as an .apk file
  • 61. Agnitio
    - Demo / Hands On
  • 62. Analyzing SQLite Database
  • 63. Analyzing SQLite Database
    - SQLite database:
      - SQLite is a widely used, lightweight database
      - Used by most mobile OSes, i.e. iPhone, Android, Symbian, webOS
      - SQLite is a free to use and open source database
      - Zero-configuration: no setup or administration needed.
      - A complete database is stored in a single cross-platform disk file.
  • 64. Analyzing SQLite Database
    - Pull the .db files out of the emulator / device as explained earlier
    - Tools:
      - SQLite browser
      - Epilog
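Once a .db file has been pulled with adb pull, the .schema and .dump checks from slide 28 can be automated so that a column holding credentials in clear stands out. The script below is an added example (not from the slides or the GoatDroid project): it lists tables and columns through sqlite3's PRAGMA table_info, selects the sensitive-looking columns and flags values that are neither hex digests nor a known hash format. The database it inspects is constructed in a temporary file; the table and column names are my assumptions, not GoatDroid's schema.

```python
"""Audit an Android app's SQLite database for secrets stored in clear.

Added example, not from the original slides. Equivalent to running .schema
and .dump in the sqlite3 shell, plus an automatic flag on cleartext values
in credential-looking columns.
"""
import os
import re
import sqlite3
import tempfile
from typing import Dict, List

SENSITIVE_COLUMN = re.compile(r"(?i)pass(word)?|pwd|secret|token|ssn|card_?(number|no)")
HEX_DIGEST = re.compile(r"(?i)^[0-9a-f]{32,}$")   # md5 / sha1 / sha256 hex output


def dump_schema(path: str) -> Dict[str, List[str]]:
    """Map table name -> column names, like sqlite3's .schema."""
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        return {t: [c[1] for c in con.execute(f'PRAGMA table_info("{t}")')] for t in tables}
    finally:
        con.close()


def looks_protected(value) -> bool:
    """Heuristic: digests and bcrypt/argon2/PBKDF2-style strings are not readable.

    Note that an unsalted md5 still counts as 'not plaintext' here; whether the
    hashing is strong enough is a separate review question.
    """
    if not isinstance(value, str):
        return True          # NULL, blob or number: nothing to read directly
    return bool(HEX_DIGEST.match(value)) or value.startswith(("$2", "$argon2", "pbkdf2", "scrypt"))


def find_cleartext_secrets(path: str) -> List[dict]:
    """Return rows whose sensitive-looking columns hold readable values."""
    findings = []
    con = sqlite3.connect(path)
    try:
        for table, columns in dump_schema(path).items():
            targets = [c for c in columns if SENSITIVE_COLUMN.search(c)]
            if not targets:
                continue
            col_list = ", ".join(f'"{c}"' for c in targets)
            for rowid, *values in con.execute(f'SELECT rowid, {col_list} FROM "{table}"'):
                for col, val in zip(targets, values):
                    if not looks_protected(val):
                        findings.append({"table": table, "rowid": rowid, "column": col, "value": val})
    finally:
        con.close()
    return findings


def build_sample_db(path: str) -> None:
    """Create a constructed app database resembling a login store (sample data)."""
    con = sqlite3.connect(path)
    with con:
        con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
        con.execute("CREATE TABLE session (id INTEGER PRIMARY KEY, auth_token TEXT, created INTEGER)")
        con.execute("CREATE TABLE prefs (key TEXT, value TEXT)")
        con.executemany("INSERT INTO users (username, password) VALUES (?, ?)", [
            ("goatboy", "goatdroid"),                        # plaintext: flagged
            ("alice", "5f4dcc3b5aa765d61d8327deb882cf99"),   # md5 hex: not flagged
        ])
        con.execute("INSERT INTO session (auth_token, created) VALUES (?, ?)",
                    ("constructed-session-token-123", 1334000000))
        con.execute("INSERT INTO prefs VALUES (?, ?)", ("theme", "dark"))
    con.close()


def audit_sample() -> dict:
    """Build the sample database in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "fourgoats.db")   # file name is illustrative only
        build_sample_db(path)
        return {"schema": dump_schema(path), "findings": find_cleartext_secrets(path)}


if __name__ == "__main__":
    result = audit_sample()
    print(result["schema"])
    for f in result["findings"]:
        print(f"{f['table']}.{f['column']} (rowid {f['rowid']}): {f['value']!r}")
```

Point `dump_schema` and `find_cleartext_secrets` at a file pulled from /data/data/<package>/databases/ to run the same check on a real application; a finding means the app relies on the device's file permissions alone to protect that value.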
  • 65. Analyzing SQLite Database
    - Demo / Hands On
  • 66. ExploitMe
    - One more vulnerable application, from Security Compass
  • 67. ExploitMe
    - Demo / Hands On
  • 68. Manish Chasta
    - Email: manish.chasta@indusface.com
  • 69. Thank You
    - Sales: sales@indusface.com
    - Marketing: marketing@indusface.com
    - Technical: support@indusface.com
    - Vadodara, India: A/2-3, 3rd Floor, Status Plaza, Opp Relish Resort, Atladara Old Padra Road, Vadodara – 390020, Gujarat, India. T: +91 265 3933000, F: +91 265 2355820
    - Bangalore, India: 408, 2nd Floor, Regency Enclave, 4, Magrath Road, Bangalore – 560025, Karnataka, India. T: +91 80 65608570, +91 80 65608571, F: +91 80 41129296
    - Mumbai, India: 1357 / 1359, Regus Serviced Offices, Level 13, Platinum Techno Park 17 & 18, Sector 30, Vashi, Navi Mumbai – 400705, Maharashtra, India. T: +91 22 61214961
    - Ottawa, Canada: 137 Goodman Drive, Kanata, Ottawa K2W 1C7, Ontario, Canada. T: +1 613 721 9363
    - Houston, USA: 1001 Fannin Street, Ste 1250, Houston, Texas 77002, USA. T: +1 832 295 1462