SlideShare a Scribd company logo

Android System Architecture And  Pen-testing of Android applications

Download as PPTX, PDF
Y
yavuzwb

This document discusses Android system architecture and penetration testing of Android applications. It describes Android as a software platform based on the Linux kernel that uses Java and other languages. The architecture includes applications, an application framework, libraries like SQLite and Webkit, the Android runtime with Dalvik VM, and the Linux kernel. It then covers penetration testing techniques like using ADB to access the filesystem and view logs, analyzing application data storage and permissions, decompiling APK files, and best practices around data protection on devices.

EducationTechnology
1 of 29
Downloaded 148 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Android System Architecture And Pen-testing of Android applications Yavuz Han
What is Android ? • A software platform and operating system for mobile devices • Based on the Linux kernel(Kernel 2.6) • Developed by Google and later Open Handset Aliance(OHA) • Also writing managed code in the Java Language • C/C++ also but not supported
Android Architecture
Applications • First layer in system architecture • These include the applications shipped with android like the email client, SMS client, maps, browsers and also the applications developed and distributed through the Android market.
Application Framework • Second layer in system architecture • These include the programs that manage the basic functions of the phone like resource allocation, voice call management, etc
Libraries • The layer above to the Linux kernel is the Android’s native libraries. • These libraries are written in C/C++ languages. • These libraries also run as processes within the underlying Linux kernel. • The libraries are nothing but a set of instructions that tell the device how to handle different kinds of data (e.g. The media libraries support playing or recording various audio/video formats)
Some of the key libraries are listed below: • SQLite:This is a lightweight yet powerful relational database engine available for all applications to store data. • Webkit:This is a browser engine providing tools for browsing web pages. • Surface Manager: This is responsible for the graphics on the device screens • OpenGL: Used to render 2D or 3D graphics to the screen
Android Runtime • This is located on the same layer as the libraries layer. • It consists of the core JAVA libraries and the Dalvik virtual machine. • The core Java libraries are used for developing Android based applications. • Dalvik VMs help in achieving the following: - better memory management -an application cannot interfere with other applications without permissions - threading support
• The diagram below is a pictorial representation of the Android environment. • It can be observed that each Android application runs under a separate virtual instance and each application has a unique user-id assigned to it.
Linux Kernel • This is last layer in system architecture • Device drivers, power management, process management and networking services depend on the layer • Android using Linux kernel 2.6 and android developed over time have been harmonized. • Android is not exactly Linux.
Penetration testing of Android apps • The applications in Android can be mainly classified into two categories: -Android browser-based applications -Android-based applications (Android application package files – .apk extension files)
Android Filesystem Access We want to analyze files within the device,so how do we do this ? ADB (windows,linux,mac)
Android FileSystem Access • Android Debug Bridge (adb) command -Access a shell -Pull/push files -Many more
Example of ADB
Quick look at some apps • We’re going to use Android’s default mail client (Note – this is for a rooted device) •Navigate to the shared_prefs directory of the application
Quick look at some apps • •cat (read) the file
Data Storage SQLite -Single file relational database -Supportet by Android & iPhone APIs to store Application settings/data
• Using the ADB shell, we can browse to the database folder and access the data as shown below:
Logging • Applications may leak data through gratuitous logging • In older versions of Android, the browser would log URLs visited -This also logged session Ids for websites that put it in the GET request
Viewing Android Logs • We can use ‘adb logcat’ command
Android Client Analysis • Android Application Layout -Apps are packaged in an APK file (zip archive) -What is in it ? -Dalvik class files(.dex) -Assets and Resources -Android Manifest.xml -APKs stored at /data/app on a device Can extract this
Android Application Layout
Android Application Layout
Android Manifest.xml • Enumerates permissions • We are most interested in permissions and metadata
Analyzing an APK • The files inside an APK are not directly useful -Need to unpack the XML,disassemble the dex class files We are using some tool for reverse engineering Android apk files
Decompilation • This way eassier than other ways • You may be familiar with jad or jdgui -Use dex2jar to get a (JVM) jar from an apk *Perform “source review” on decompiled app Does not work for all apks
Decompilation
Protection • • • • We must treat the mobile device as hostile Don’t store sensitive data unencrypted! Doing encryption well is HARD Best practice: don’t store any sensitive data on device
QUESTİONS THANK YOU

More Related Content

PDF
Android Workshop_1
Purvik Rana
 
PPTX
Tech presentation (part 1)
Abhijit Roy
 
PPTX
Android the new Mobile Technoogy
poojapainter
 
PPT
Android project architecture
Sourabh Sahu
 
PDF
OpenProdoc Overview
jhierrot
 
DOCX
Android architecture
fahim shahzad
 
PPTX
How to design a distributed system
Jinglun Li
 
PPTX
Assembly
Richa Handa
 
Android Workshop_1
Purvik Rana
 
Tech presentation (part 1)
Abhijit Roy
 
Android the new Mobile Technoogy
poojapainter
 
Android project architecture
Sourabh Sahu
 
OpenProdoc Overview
jhierrot
 
Android architecture
fahim shahzad
 
How to design a distributed system
Jinglun Li
 
Assembly
Richa Handa
 

What's hot (7)

PPTX
Dot net assembly
Dr.Neeraj Kumar Pandey
 
PPTX
Asp folders and web configurations
baabtra.com - No. 1 supplier of quality freshers
 
PDF
Android Architecture
Pietro Alberto Rossi
 
PPTX
Linq
Ariful Haque tutul
 
PPT
Apex ace update
Ayesha Fayyaz
 
PDF
SQLDay2013_DennyCherry_GettingSQLServiceBrokerUp&Running
Polish SQL Server User Group
 
PPTX
Android Handheld Systems
Vyakhya Shrivastava
 
Dot net assembly
Dr.Neeraj Kumar Pandey
 
Asp folders and web configurations
baabtra.com - No. 1 supplier of quality freshers
 
Android Architecture
Pietro Alberto Rossi
 
Linq
Ariful Haque tutul
 
Apex ace update
Ayesha Fayyaz
 
SQLDay2013_DennyCherry_GettingSQLServiceBrokerUp&Running
Polish SQL Server User Group
 
Android Handheld Systems
Vyakhya Shrivastava
 
Ad

Viewers also liked (20)

PPTX
Penetrating Android Aapplications
Roshan Thomas
 
PPTX
Pentesting Android Applications
Cláudio André
 
PDF
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Ajin Abraham
 
PDF
SSL Pinning and Bypasses: Android and iOS
Anant Shrivastava
 
PPTX
Lviv MDDay 2014. Ігор Коробка “забезпечення базової безпеки в андроїд аплікац...
Lviv Startup Club
 
PDF
CocoaConf Austin 2014 | Demystifying Security Best Practices
Mutual Mobile
 
PDF
Pentesting iOS Apps
Herman Duarte
 
PDF
Andriod Pentesting and Malware Analysis
n|u - The Open Security Community
 
PDF
HIJACKING ATTACKS ON ANDROID DEVICES
Positive Hack Days
 
PDF
Certificate Pinning in Mobile Applications
Luca Bongiorni
 
PPTX
How to Test Security and Vulnerability of Your Android and iOS Apps
Bitbar
 
PDF
Security testing in mobile applications
Jose Manuel Ortega Candel
 
PDF
[2014/10/06] HITCON Freetalk - App Security on Android
DEVCORE
 
PPTX
Rapid Android Application Security Testing
Nutan Kumar Panda
 
PPTX
Android pen test basics
OWASPKerala
 
PPT
Mobile app testing services
Richard_S
 
PDF
Mobile application security – effective methodology, efficient testing! hem...
owaspindia
 
PDF
Security Testing Mobile Applications
Denim Group
 
PPTX
[Wroclaw #1] Android Security Workshop
OWASP
 
PDF
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Idexcel Technologies
 
Penetrating Android Aapplications
Roshan Thomas
 
Pentesting Android Applications
Cláudio André
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Ajin Abraham
 
SSL Pinning and Bypasses: Android and iOS
Anant Shrivastava
 
Lviv MDDay 2014. Ігор Коробка “забезпечення базової безпеки в андроїд аплікац...
Lviv Startup Club
 
CocoaConf Austin 2014 | Demystifying Security Best Practices
Mutual Mobile
 
Pentesting iOS Apps
Herman Duarte
 
Andriod Pentesting and Malware Analysis
n|u - The Open Security Community
 
HIJACKING ATTACKS ON ANDROID DEVICES
Positive Hack Days
 
Certificate Pinning in Mobile Applications
Luca Bongiorni
 
How to Test Security and Vulnerability of Your Android and iOS Apps
Bitbar
 
Security testing in mobile applications
Jose Manuel Ortega Candel
 
[2014/10/06] HITCON Freetalk - App Security on Android
DEVCORE
 
Rapid Android Application Security Testing
Nutan Kumar Panda
 
Android pen test basics
OWASPKerala
 
Mobile app testing services
Richard_S
 
Mobile application security – effective methodology, efficient testing! hem...
owaspindia
 
Security Testing Mobile Applications
Denim Group
 
[Wroclaw #1] Android Security Workshop
OWASP
 
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Idexcel Technologies
 
Ad

Similar to Android System Architecture And  Pen-testing of Android applications (20)

PPT
My androidpresentation
niteshnarayanlal
 
PDF
Wifi Direct Based Chat And File Transfer Android Application
Nitin Bhasin
 
PPTX
Android village @nullcon 2012
hakersinfo
 
PPTX
Android architecture
poojapainter
 
PPT
UPDATED Application fundamentals lec 1 &2.ppt
alizairam3
 
PPTX
Hacker Halted 2014 - Reverse Engineering the Android OS
EC-Council
 
PDF
Android and its feature
Shubham Kumar
 
PDF
Ch1 hello, android
Jehad2012
 
PPT
Android zensar
Dr. Ramkumar Lakshminarayanan
 
PPTX
Introduction to android
zeelpatel0504
 
PDF
Introduction to android
krishnastudent88
 
PPTX
Androidoverview 100405150711-phpapp01
Santosh Sh
 
PPTX
Cross compiling android applications
sai krishna
 
DOCX
Android architecture
Hari Krishna
 
PDF
01 02 - introduction - adroid stack
Siva Kumar reddy Vasipally
 
PPTX
Android 1-intro n architecture
Dilip Singh
 
PDF
Android
Lina Shamiah
 
PPTX
Getting started with android
amitgb
 
PPTX
Presentation for Android OS
Mukul Cool
 
PDF
Android report.
Shivananda Rai
 
My androidpresentation
niteshnarayanlal
 
Wifi Direct Based Chat And File Transfer Android Application
Nitin Bhasin
 
Android village @nullcon 2012
hakersinfo
 
Android architecture
poojapainter
 
UPDATED Application fundamentals lec 1 &2.ppt
alizairam3
 
Hacker Halted 2014 - Reverse Engineering the Android OS
EC-Council
 
Android and its feature
Shubham Kumar
 
Ch1 hello, android
Jehad2012
 
Android zensar
Dr. Ramkumar Lakshminarayanan
 
Introduction to android
zeelpatel0504
 
Introduction to android
krishnastudent88
 
Androidoverview 100405150711-phpapp01
Santosh Sh
 
Cross compiling android applications
sai krishna
 
Android architecture
Hari Krishna
 
01 02 - introduction - adroid stack
Siva Kumar reddy Vasipally
 
Android 1-intro n architecture
Dilip Singh
 
Android
Lina Shamiah
 
Getting started with android
amitgb
 
Presentation for Android OS
Mukul Cool
 
Android report.
Shivananda Rai
 

Recently uploaded (20)

PDF
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
PDF
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
PDF
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
PDF
Sports Quiz easy sports quiz sports quiz
nikunj2757
 
PDF
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Nguyen Thanh Tu Collection
 
PPTX
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
PDF
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
PDF
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
PPTX
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
PPTX
Renaissance Architecture: A Journey from Faith to Humanism
DrMonicaSharma
 
PPTX
Lesson notes of climatology university.
sgladness67
 
PDF
O7-L3 Supply Chain Operations - ICLT Program
labyankof
 
PPTX
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
kawisojames10
 
PDF
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
PPTX
PPH.pptx obstetrics and gynecology in nursing
SrideviDevaraj5
 
PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
PPTX
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
PPTX
master seminar digital applications in india
ananyaray35
 
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
Sports Quiz easy sports quiz sports quiz
nikunj2757
 
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Nguyen Thanh Tu Collection
 
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
Renaissance Architecture: A Journey from Faith to Humanism
DrMonicaSharma
 
Lesson notes of climatology university.
sgladness67
 
O7-L3 Supply Chain Operations - ICLT Program
labyankof
 
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
kawisojames10
 
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
PPH.pptx obstetrics and gynecology in nursing
SrideviDevaraj5
 
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
master seminar digital applications in india
ananyaray35
 

Android System Architecture And  Pen-testing of Android applications

  • 1. Android System Architecture And Pen-testing of Android applications Yavuz Han
  • 2. What is Android ? • A software platform and operating system for mobile devices • Based on the Linux kernel(Kernel 2.6) • Developed by Google and later Open Handset Aliance(OHA) • Also writing managed code in the Java Language • C/C++ also but not supported
  • 4. Applications • First layer in system architecture • These include the applications shipped with android like the email client, SMS client, maps, browsers and also the applications developed and distributed through the Android market.
  • 5. Application Framework • Second layer in system architecture • These include the programs that manage the basic functions of the phone like resource allocation, voice call management, etc
  • 6. Libraries • The layer above to the Linux kernel is the Android’s native libraries. • These libraries are written in C/C++ languages. • These libraries also run as processes within the underlying Linux kernel. • The libraries are nothing but a set of instructions that tell the device how to handle different kinds of data (e.g. The media libraries support playing or recording various audio/video formats)
  • 7. Some of the key libraries are listed below: • SQLite:This is a lightweight yet powerful relational database engine available for all applications to store data. • Webkit:This is a browser engine providing tools for browsing web pages. • Surface Manager: This is responsible for the graphics on the device screens • OpenGL: Used to render 2D or 3D graphics to the screen
  • 8. Android Runtime • This is located on the same layer as the libraries layer. • It consists of the core JAVA libraries and the Dalvik virtual machine. • The core Java libraries are used for developing Android based applications. • Dalvik VMs help in achieving the following: - better memory management -an application cannot interfere with other applications without permissions - threading support
  • 9. • The diagram below is a pictorial representation of the Android environment. • It can be observed that each Android application runs under a separate virtual instance and each application has a unique user-id assigned to it.
  • 10. Linux Kernel • This is last layer in system architecture • Device drivers, power management, process management and networking services depend on the layer • Android using Linux kernel 2.6 and android developed over time have been harmonized. • Android is not exactly Linux.
  • 11. Penetration testing of Android apps • The applications in Android can be mainly classified into two categories: -Android browser-based applications -Android-based applications (Android application package files – .apk extension files)
  • 12. Android Filesystem Access We want to analyze files within the device,so how do we do this ? ADB (windows,linux,mac)
  • 13. Android FileSystem Access • Android Debug Bridge (adb) command -Access a shell -Pull/push files -Many more
  • 15. Quick look at some apps • We’re going to use Android’s default mail client (Note – this is for a rooted device) •Navigate to the shared_prefs directory of the application
  • 16. Quick look at some apps • •cat (read) the file
  • 17. Data Storage SQLite -Single file relational database -Supportet by Android & iPhone APIs to store Application settings/data
  • 18. • Using the ADB shell, we can browse to the database folder and access the data as shown below:
  • 19. Logging • Applications may leak data through gratuitous logging • In older versions of Android, the browser would log URLs visited -This also logged session Ids for websites that put it in the GET request
  • 20. Viewing Android Logs • We can use ‘adb logcat’ command
  • 21. Android Client Analysis • Android Application Layout -Apps are packaged in an APK file (zip archive) -What is in it ? -Dalvik class files(.dex) -Assets and Resources -Android Manifest.xml -APKs stored at /data/app on a device Can extract this
  • 24. Android Manifest.xml • Enumerates permissions • We are most interested in permissions and metadata
  • 25. Analyzing an APK • The files inside an APK are not directly useful -Need to unpack the XML,disassemble the dex class files We are using some tool for reverse engineering Android apk files
  • 26. Decompilation • This way eassier than other ways • You may be familiar with jad or jdgui -Use dex2jar to get a (JVM) jar from an apk *Perform “source review” on decompiled app Does not work for all apks
  • 28. Protection • • • • We must treat the mobile device as hostile Don’t store sensitive data unencrypted! Doing encryption well is HARD Best practice: don’t store any sensitive data on device