SlideShare a Scribd company logo

Android security and penetration testing | DIVA | Yogesh Ojha

Y
Yogesh Ojha

This document provides an overview of Android security and penetration testing. It discusses the Android runtime environment and application fundamentals. It then examines the contents of an Android APK file, including the AndroidManifest.xml and code files. The document outlines the Android sandbox security model and various tools for decompiling and analyzing APKs. It introduces the DIVA vulnerable Android app and demonstrates several common security issues like insecure data storage, input validation problems, and ways to capture network traffic.

Technology
Related topics:
Penetration-Testing Information Security
1 of 39
Downloaded 21 times
1
2
3
4
Most read
5
6
7
8
9
10
11
Most read
12
Most read
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
Android Security & Penetration Testing Beginners guide to Penetration Testing Mobile Application (Android) Using DIVA
Android Architecture Android Runtime (ART): 1. Alternative to Dalvik Virtual Machine 2. Released with 4.4 as an experimental, 5.0 it completely replaced Dalvik Virtual Machine. 3. Major change in ART is because of Ahead-of-time(AOT) Compilation and Garbage Collection. 4. In Ahead-of-time(AOT) Compilation ,android apps will be compiled when user installs them on their device whereas in the Dalvik used Just-in-time(JIT) compilation in which bytecode are compiled when user runs the app.
Android Application Fundamentals 1. Written in JAVA or Kotlin (Native) 2. Hybrid could be written using frameworks like ionic (HTML) or Xamarin When you get an apk, it's more than a resource!
What’s inside the apk? AndroidManifest.xml : Contains all the top level components like Activities, Services, Broadcast Receivers etc. Contains permissions as well. All the dangerous permissions has to be in Manifest file! Keep your eye on: 1. Debug Mode : Defines whether the application can be debugged or not! If the application can be debugged then it can provide plenty of information to an attacker. Android applications not in the production state can have it set to true otherwise it must be false. 2. BackUp Flag: Defines whether application data can be backed up and restored by a user who has enabled usb debugging. Applications that handle and store sensitive information such as card details, passwords etc. should have this setting set to false to prevent such risks. 3. External Storage Applications that have the permission to copy data to external storage should be reviewed to ensure that no sensitive information is stored. 4. Permissions!!! Keep an eye on permissions to check if application is asking for dangerous permissions that do NOT require!
Android security and penetration testing | DIVA | Yogesh Ojha
What’s more inside the apk? ● Java Files Activity Activity represents a single screen with a user interface. Services Component that runs on background. Broadcast Receiver Component that responds to system-wide broadcast announcements. “Hey, is the device booted?” ● Resource Directory Values has Strings.xml file
Android Sandbox Each Android app lives in its own security sandbox! The Android operating system is a multi-user Linux system in which each app is a different user. The Android system assigns each app a unique Linux UID known only to system and not the app! The system sets permissions for all the files in an app so that only the UID assigned to that app can access them. Each process has its own virtual machine (VM), so an app’s code runs in isolation from other apps. By default, every app runs in its own Linux process. Android starts the process when any of the app’s components need to be executed, then shuts down the process when it’s no longer needed or when the system must recover memory for other apps. The Android system implements the principle of least privilege, that is each app by default has access only to the components that it requires to do its work and no more. This creates a very secure environment in which an app cannot access parts of the system for which it is not having permission. As every Android app runs in its own sandbox environment and cannot affect other apps by default but two apps can have same Linux User ID and can also share the same Dalvik VM if they are signed with the same Certificates.
What’s in the Arsenal? Know your tools! Android Debug Bridge: $adb logcat
What’s in the Arsenal? Apktool
What’s in the Arsenal? How do I decompile the apk?
What’s in the Arsenal? Dex2Jar : convert an APK file in to a jar file containing reconstructed source code Jd-gui: To open that jar file in JD-GUI and view that reconstructed source code. GeanyMotion as well!
DIVA Damn insecure and vulnerable App
1. Insecure Logging adb logcat
1. Insecure Logging Vulnerable Code
2. HardCoding Issues
2. HardCoding Issues
2. Insecure Data Storage Where is the android data being stored?
2. Insecure Data Storage Vulnerable Code
3. Insecure Data Storage Shared Preference
4. Insecure Data Storage - II Vulnerable Code
4. Insecure Data Storage - II
4. Insecure Data Storage - II How do I pull the database?
4. Insecure Data Storage - II How do I pull the database? $ sqlite3 ids2 SQLite version 3.8.5 2014-08-15 22:37:57 Enter “. help” for usage hints. sqlite> .tables android_metadata myuser sqlite> select * from myuser; SECRET|SECRET sqlite>
5. Insecure Data Storage - III Vulnerable Code
5. Insecure Data Storage - III
6. Insecure Data Storage - IV Vulnerable Code
6. Insecure Data Storage - IV Any Guess where this file could be stored?
6. Insecure Data Storage - IV Any Guess where this file could be stored?
7. Input Validation Issues - I What could be done here?
7. Input Validation Issues - I What could be done here? Let’s try ‘ ? 😉
7. Input Validation Issues - I What could be done here? Let’s try ‘ ? 😉 You Know it 😉 Possible SQL Injection
7. Input Validation Issues - I How about 1′ or ‘1’ != ‘2 ?
7. Input Validation Issues - I Vulnerable Code
8. Input Validation Issues - II More Dangerous!!!
8. Input Validation Issues - II How about file:///sdcard/.uinfo.txt Can we take this to next level? To read shared prefs? 😉
How about file:///sdcard/.uinfo.txt Can we take this to next level? To read shared prefs? 😉 file:///data/data/jakhar.aseem.diva/shared_prefs/ jakhar.aseem.diva_preferences.xml Problem? Remember that permission External Storage? 8. Input Validation Issues - II
How to capture packets in Burp?
Summary Insecure Data Storage Shared Preferences, Database, Cache Pretty much everything inside /data/data Binary Protections Remember you decompile an apk? Application Code can be obfuscated with the help of Proguard. For security conscious application’s application, Dexguard can be used. Dexguard is a commercial version of Proguard. Besides encrypting classes, strings, native libraries, it also adds tamper detection to let your application react accordingly if a hacker has tried to modify it or is accessing it illegitimately.
Will be continued... Any Questions?

More Related Content

PPTX
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
PDF
Android Hacking
antitree
 
PPTX
Android Hacking + Pentesting
Sina Manavi
 
PDF
OWASP Top 10 for Mobile
Appvigil - Mobile App Security Scanner
 
PDF
Mobile Application Security
cclark_isec
 
PPTX
Mobile Application Security
Ishan Girdhar
 
PDF
Mobile Security
MarketingArrowECS_CZ
 
PPTX
Android pentesting
Mykhailo Antonishyn
 
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
Android Hacking
antitree
 
Android Hacking + Pentesting
Sina Manavi
 
OWASP Top 10 for Mobile
Appvigil - Mobile App Security Scanner
 
Mobile Application Security
cclark_isec
 
Mobile Application Security
Ishan Girdhar
 
Mobile Security
MarketingArrowECS_CZ
 
Android pentesting
Mykhailo Antonishyn
 

What's hot (20)

PPTX
Android– forensics and security testing
Santhosh Kumar
 
PDF
Ransomware: History, Analysis, & Mitigation - PDF
Andy Thompson
 
PDF
Android Operating System (Androrid OS)
Siddharth Belbase
 
PDF
OWASP API Security Top 10 - API World
42Crunch
 
PDF
Security testing in mobile applications
Jose Manuel Ortega Candel
 
PDF
Penetration testing
Ammar WK
 
PPTX
Vulnerabilities in modern web applications
Niyas Nazar
 
PPTX
Mobile device security
Lisa Herrera
 
PPTX
Security testing fundamentals
Cygnet Infotech
 
PDF
Web application security & Testing
Deepu S Nath
 
PPTX
Owasp mobile top 10
Pawel Rzepa
 
PDF
Android Security
Lars Jacobs
 
PPT
Understanding Android Security
Asanka Dilruk
 
PPT
Port scanning
Hemanth Pasumarthi
 
PPTX
Cyber crime
Jayant Raj
 
PPTX
Android Security
Arqum Ahmad
 
PPTX
Hacking and securing ios applications
Satish b
 
PPTX
iOS Operating System
Jawaher Abdulwahab Fadhil
 
PPTX
Owasp top 10 vulnerabilities
OWASP Delhi
 
PDF
iOS Application Penetration Testing
n|u - The Open Security Community
 
Android– forensics and security testing
Santhosh Kumar
 
Ransomware: History, Analysis, & Mitigation - PDF
Andy Thompson
 
Android Operating System (Androrid OS)
Siddharth Belbase
 
OWASP API Security Top 10 - API World
42Crunch
 
Security testing in mobile applications
Jose Manuel Ortega Candel
 
Penetration testing
Ammar WK
 
Vulnerabilities in modern web applications
Niyas Nazar
 
Mobile device security
Lisa Herrera
 
Security testing fundamentals
Cygnet Infotech
 
Web application security & Testing
Deepu S Nath
 
Owasp mobile top 10
Pawel Rzepa
 
Android Security
Lars Jacobs
 
Understanding Android Security
Asanka Dilruk
 
Port scanning
Hemanth Pasumarthi
 
Cyber crime
Jayant Raj
 
Android Security
Arqum Ahmad
 
Hacking and securing ios applications
Satish b
 
iOS Operating System
Jawaher Abdulwahab Fadhil
 
Owasp top 10 vulnerabilities
OWASP Delhi
 
iOS Application Penetration Testing
n|u - The Open Security Community
 
Ad

Similar to Android security and penetration testing | DIVA | Yogesh Ojha (20)

PDF
Android_Malware_IOAsis_2014_Analysis.pdf
jjb117343
 
PDF
Building Custom Android Malware BruCON 2013
Stephan Chenette
 
PDF
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
nullowaspmumbai
 
PPT
Outsmarting smartphones
SensePost
 
PPTX
Mobile application security
Shubhneet Goel
 
PPTX
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016
Rizal Aditya
 
PDF
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Romansh Yadav
 
PPTX
Android vs ios System Architecture in OS perspective
Raj Pratim Bhattacharya
 
PPTX
Getting started with android
Vandana Verma
 
PPTX
Introduction to Android Development Part 1
Kainda Kiniel Daka
 
PPTX
Android Overview
Raju Kadam
 
PDF
Getting started with Android pentesting
Minali Arora
 
PPTX
Android Penetration testing - Day 2
Mohammed Adam
 
PPTX
Androidoverview 100405150711-phpapp01
Santosh Sh
 
PDF
Hacking and Securing iOS Apps : Part 1
Subhransu Behera
 
DOC
Google android white paper
Sravan Reddy
 
PPTX
Manish Chasta - Securing Android Applications
Positive Hack Days
 
PDF
Introduction to everything around Android
Bipin Jethwani
 
PDF
Android Patching & Client-Side CyberSecurity
Ariel Tubul
 
PDF
Mobile Forensics on a Shoestring Budget
Brent Muir
 
Android_Malware_IOAsis_2014_Analysis.pdf
jjb117343
 
Building Custom Android Malware BruCON 2013
Stephan Chenette
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
nullowaspmumbai
 
Outsmarting smartphones
SensePost
 
Mobile application security
Shubhneet Goel
 
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016
Rizal Aditya
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Romansh Yadav
 
Android vs ios System Architecture in OS perspective
Raj Pratim Bhattacharya
 
Getting started with android
Vandana Verma
 
Introduction to Android Development Part 1
Kainda Kiniel Daka
 
Android Overview
Raju Kadam
 
Getting started with Android pentesting
Minali Arora
 
Android Penetration testing - Day 2
Mohammed Adam
 
Androidoverview 100405150711-phpapp01
Santosh Sh
 
Hacking and Securing iOS Apps : Part 1
Subhransu Behera
 
Google android white paper
Sravan Reddy
 
Manish Chasta - Securing Android Applications
Positive Hack Days
 
Introduction to everything around Android
Bipin Jethwani
 
Android Patching & Client-Side CyberSecurity
Ariel Tubul
 
Mobile Forensics on a Shoestring Budget
Brent Muir
 
Ad

Recently uploaded (20)

PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Teaching material agriculture food technology
LiaRayya
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Approach and Philosophy of On baking technology
30anthuong17
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 

Android security and penetration testing | DIVA | Yogesh Ojha

  • 1. Android Security & Penetration Testing Beginners guide to Penetration Testing Mobile Application (Android) Using DIVA
  • 2. Android Architecture Android Runtime (ART): 1. Alternative to Dalvik Virtual Machine 2. Released with 4.4 as an experimental, 5.0 it completely replaced Dalvik Virtual Machine. 3. Major change in ART is because of Ahead-of-time(AOT) Compilation and Garbage Collection. 4. In Ahead-of-time(AOT) Compilation ,android apps will be compiled when user installs them on their device whereas in the Dalvik used Just-in-time(JIT) compilation in which bytecode are compiled when user runs the app.
  • 3. Android Application Fundamentals 1. Written in JAVA or Kotlin (Native) 2. Hybrid could be written using frameworks like ionic (HTML) or Xamarin When you get an apk, it's more than a resource!
  • 4. What’s inside the apk? AndroidManifest.xml : Contains all the top level components like Activities, Services, Broadcast Receivers etc. Contains permissions as well. All the dangerous permissions has to be in Manifest file! Keep your eye on: 1. Debug Mode : Defines whether the application can be debugged or not! If the application can be debugged then it can provide plenty of information to an attacker. Android applications not in the production state can have it set to true otherwise it must be false. 2. BackUp Flag: Defines whether application data can be backed up and restored by a user who has enabled usb debugging. Applications that handle and store sensitive information such as card details, passwords etc. should have this setting set to false to prevent such risks. 3. External Storage Applications that have the permission to copy data to external storage should be reviewed to ensure that no sensitive information is stored. 4. Permissions!!! Keep an eye on permissions to check if application is asking for dangerous permissions that do NOT require!
  • 6. What’s more inside the apk? ● Java Files Activity Activity represents a single screen with a user interface. Services Component that runs on background. Broadcast Receiver Component that responds to system-wide broadcast announcements. “Hey, is the device booted?” ● Resource Directory Values has Strings.xml file
  • 7. Android Sandbox Each Android app lives in its own security sandbox! The Android operating system is a multi-user Linux system in which each app is a different user. The Android system assigns each app a unique Linux UID known only to system and not the app! The system sets permissions for all the files in an app so that only the UID assigned to that app can access them. Each process has its own virtual machine (VM), so an app’s code runs in isolation from other apps. By default, every app runs in its own Linux process. Android starts the process when any of the app’s components need to be executed, then shuts down the process when it’s no longer needed or when the system must recover memory for other apps. The Android system implements the principle of least privilege, that is each app by default has access only to the components that it requires to do its work and no more. This creates a very secure environment in which an app cannot access parts of the system for which it is not having permission. As every Android app runs in its own sandbox environment and cannot affect other apps by default but two apps can have same Linux User ID and can also share the same Dalvik VM if they are signed with the same Certificates.
  • 8. What’s in the Arsenal? Know your tools! Android Debug Bridge: $adb logcat
  • 9. What’s in the Arsenal? Apktool
  • 10. What’s in the Arsenal? How do I decompile the apk?
  • 11. What’s in the Arsenal? Dex2Jar : convert an APK file in to a jar file containing reconstructed source code Jd-gui: To open that jar file in JD-GUI and view that reconstructed source code. GeanyMotion as well!
  • 12. DIVA Damn insecure and vulnerable App
  • 17. 2. Insecure Data Storage Where is the android data being stored?
  • 18. 2. Insecure Data Storage Vulnerable Code
  • 19. 3. Insecure Data Storage Shared Preference
  • 20. 4. Insecure Data Storage - II Vulnerable Code
  • 21. 4. Insecure Data Storage - II
  • 22. 4. Insecure Data Storage - II How do I pull the database?
  • 23. 4. Insecure Data Storage - II How do I pull the database? $ sqlite3 ids2 SQLite version 3.8.5 2014-08-15 22:37:57 Enter “. help” for usage hints. sqlite> .tables android_metadata myuser sqlite> select * from myuser; SECRET|SECRET sqlite>
  • 24. 5. Insecure Data Storage - III Vulnerable Code
  • 25. 5. Insecure Data Storage - III
  • 26. 6. Insecure Data Storage - IV Vulnerable Code
  • 27. 6. Insecure Data Storage - IV Any Guess where this file could be stored?
  • 28. 6. Insecure Data Storage - IV Any Guess where this file could be stored?
  • 29. 7. Input Validation Issues - I What could be done here?
  • 30. 7. Input Validation Issues - I What could be done here? Let’s try ‘ ? 😉
  • 31. 7. Input Validation Issues - I What could be done here? Let’s try ‘ ? 😉 You Know it 😉 Possible SQL Injection
  • 32. 7. Input Validation Issues - I How about 1′ or ‘1’ != ‘2 ?
  • 33. 7. Input Validation Issues - I Vulnerable Code
  • 34. 8. Input Validation Issues - II More Dangerous!!!
  • 35. 8. Input Validation Issues - II How about file:///sdcard/.uinfo.txt Can we take this to next level? To read shared prefs? 😉
  • 36. How about file:///sdcard/.uinfo.txt Can we take this to next level? To read shared prefs? 😉 file:///data/data/jakhar.aseem.diva/shared_prefs/ jakhar.aseem.diva_preferences.xml Problem? Remember that permission External Storage? 8. Input Validation Issues - II
  • 37. How to capture packets in Burp?
  • 38. Summary Insecure Data Storage Shared Preferences, Database, Cache Pretty much everything inside /data/data Binary Protections Remember you decompile an apk? Application Code can be obfuscated with the help of Proguard. For security conscious application’s application, Dexguard can be used. Dexguard is a commercial version of Proguard. Besides encrypting classes, strings, native libraries, it also adds tamper detection to let your application react accordingly if a hacker has tried to modify it or is accessing it illegitimately.