SlideShare a Scribd company logo

DEF CON 27 - workshop - POLOTO - hacking the android apk

Felipe Prado, profile picture
Felipe Prado

This document provides an agenda for a training session on hacking Android APK files at DEF CON 27 on August 8, 2019. The schedule includes introductions, static and dynamic analysis of APKs, forensic analysis, example teardowns, and a capture the flag exercise. The training team consists of three members - Ben Hughes, Liana Parakesyan, and Mattia Campagnano - and their bios are provided. An overview of the OWASP Mobile Top 10 security risks and the OWASP Mobile Security Testing Guide is also given to provide mobile security context. The document concludes by outlining approaches for setting up an Android testing environment including Android Studio, emulators, rooted devices, and common analysis tools.

Technology
Related topics:
Information Security
1 of 63
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
Hacking the Android APK DEF CON 27 August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc.1 Hacking the Android APK DC27 08/08/2019, Thursday, 1430-1830 in Flamingo, Red Rock V 1
• 1430 Intro and VM • 1500 Static and Dynamic Analysis • 1630 Forensic Analysis • 1700 Example APK Teardowns • 1730 CTF! 2 Schedule & Agenda August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Hacking the Android APK DC27 08/08/2019, Thursday, 1430-1830 in Flamingo, Red Rock V 2
3 Training Team • Ben Hughes Senior Cyber Security Engineer & Director of Commercial Services • Liana Parakesyan Cyber Security Engineer & Penetration Tester • Mattia Campagnano Cyber Security Engineer & Penetration Tester August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Trainer intros/bios Ben (@CyberPraesidium) brings over 12 years of diverse experience in cyber security, IT, and law. He leads Polito's commercial services including vulnerability assessments, penetration testing, incident response, forensics, and threat hunting. Prior to joining Polito, Ben worked on APT hunt teams at federal and commercial clients. He holds CISSP, GCFA, GWAPT, and Splunk Power User certifications. Liana has a wide range of experience in cybersecurity. She has created tailored cybersecurity frameworks for companies and federal agencies. She has a background in building cybersecurity labs for clients, consulting on Defense-in-Depth strategies based on threat modeling, and performing penetration testing. She holds a Master’s degree in Cybersecurity and has earned the Security+, CEH, and CISSP certifications. Mattia brings a wide range of experience in IT and cybersecurity, including as Desktop Support with the Italian agency for foreign trade and as a SOC analyst with a major US cybersecurity company. He has worked with SIEMs and conducted penetration testing. He has two Associate’s of Applied Science degrees from Stark State College (Cyber Security & Forensics and Network Security, Linux Database Admin). He also 3
has an MBA from Università di Napoli Federico II (Italy) and Security+ certification. 3
4 Introduction to Android and Mobile Security Fundamentals August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 4
M1 - Improper Platform Usage M2 - Insecure Data Storage M3 - Insecure Communication M4 - Insecure Authentication M5 - Insufficient Cryptography M6 - Insecure Authorization M7 - Client Code Quality M8 - Code Tampering M9 - Reverse Engineering M10 - Extraneous Functionality 5 OWASP Mobile Top 10 August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. OWASP Mobile Top 10 (2016) Categories: M1 - Improper Platform Usage M2 - Insecure Data Storage M3 - Insecure Communication M4 - Insecure Authentication M5 - Insufficient Cryptography M6 - Insecure Authorization M7 - Client Code Quality M8 - Code Tampering M9 - Reverse Engineering M10 - Extraneous Functionality Walk through examples for each category. References: https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10 https://www.owasp.org/index.php/OWASP_Mobile_Security_Project https://github.com/OWASP/owasp-mstg 5
• “The MSTG is a comprehensive manual for mobile app security testing and reverse engineering. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS).” August 10, 2018Copyright © 2018 Ben Hughes and Polito, Inc.6 OWASP Mobile Security Testing Guide (MSTG) Reference: https://github.com/OWASP/owasp-mstg 6
● For hackers, pen testers, and security researchers there are pros and cons with each platform ● Some generalizations: ○ For better or worse, the Android platform is not the iOS walled garden offered by Apple ○ Unlocking and rooting Android devices is easier and provides more options than jailbreaking iOS devices ○ Reversing APKs is easier than IPAs; e.g. often can reverse complete cleartext Java classes for APKs, but typically not going to see much actual source code for IPAs unless provided separately by devs ○ Tampering with / modifying APKs is easier than IPAs. ○ There are more open source / free and commercial tools for the Android platform ■ Tooling for iOS often breaks after major iOS updates; many iOS open source / free tools stopped working reliably or at all several iOS versions ago 7 Android vs. iOS Pen Testing August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 7
● Those general differences aside: ○ If the same app is available as an APK and IPA, start with analyzing the APK ○ The network/web/API traffic is often identical or virtually identical ○ The main SQLite databases and other on-device artifacts are often identical or virtually identical ○ Cross-compiling mobile apps for Android and iOS platforms is becoming increasingly popular 8 Android vs. iOS Pen Testing August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 8
9 Android Ecosystem To publish an app, a developer creates a Google Play developer account, fills out some forms in the Play Console about the app and store listing, and uploads the APK to be released. August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 9
10 Where to Obtain APKs ● Google Play Store ● APK repos ● GitHub ● Android Devices and Emulators ● Developers (test or pre-release versions) August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 10
11 Android APK Hacking Use Cases August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 11
12 Why Analyze APKs? ● Mobile appsec and mobile penetration testing ○ Specific APKs and Android platform itself ○ For pivoting elsewhere ● Bug bounties ● Mobile malware/adware/APT research ● Mobile forensics ● Curiosity – what are all the apps on your phone doing with your data? August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 12
August 10, 2018Copyright © 2018 Ben Hughes and Polito, Inc.13 Setting Up Your Android Test Environment For testing an Android app, you can utilize a physical device or an emulator, such as the one provided by Android Studio. Pros and cons of each approach 13
• You can create a dedicated VMware or VirtualBox VM to be used as your Android Test Environment. • Your Test Environment can be hosted on Linux or Windows. • For example, you can download then customize a pre- built virtual machine from the following websites: • Kali Linux: https://www.kali.org/downloads/ • Windows: https://developer.microsoft.com/en-us/microsoft- edge/tools/vms/ 14 Setting Up Your Android Test Environment - VM August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 14
Android Studio and adb tools Android Studio is available for Windows, macOS and Linux and allows you to build and analyze an Android app in APK format and to run it in a device emulator. It can be downloaded from: https://developer.android.com/studio/ Android Debug Bridge (adb) is a versatile command-line tool providing a command shell on the Android device. It is included in the Android SDK Platform-Tools package, available within the SDK Manager, or as a standalone package: https://developer.android.com/studio/releases/platform- tools.html. 15 Setting Up Your Android Test Environment August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 15
Android Studio Emulator: Android Studio includes an emulator for all supported API levels / Android versions, allowing you to install any Android app by simply dragging and dropping it to the virtual device. Emulators have their pros and cons, compared with a physical Android device. 16 Setting Up Your Android Test Environment August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 16
Physical rooted device: You’ll need an Android device with readily available (and relatively trustworthy) root exploits and unlocked/unlockable bootloaders. Some examples of suitable devices include: ● Google Nexus - older models ● Samsung Galaxy S3 (rooted Verizon version) ● Some Motorola models 17 Setting Up Your Android Test Environment August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 17
• Apktool • dex2jar • JD-GUI • Jadx • Drozer August 10, 2018Copyright © 2018 Ben Hughes and Polito, Inc.18 Additional Tools – Popular Free Tools References: https://ibotpeaches.github.io/Apktool/ https://github.com/pxb1988/dex2jar https://github.com/java-decompiler/jd-gui https://github.com/skylot/jadx https://labs.mwrinfosecurity.com/tools/drozer/ 18
19 Static Analysis Reversing the APK August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 19
● Static analysis is conducted to review the APK contents including the source code of the mobile application ● This type of analysis can potentially identify the following common issues: ○ M1 - Improper Platform Usage ○ M2 - Insecure Data Storage ○ M3 - Insecure Communication ○ M5 - Insufficient Cryptography ○ M7 - Client Code Quality ○ M8 - Code Tampering ○ M9 - Reverse Engineering ○ M10 - Extraneous Functionality 20 Static Analysis August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 20
● Install the app that you want to analyze on your rooted device or emulator ● Install APK Extractor from the Google Play Store on the same device https://play.google.com/store/apps/details?i d=com.invincible.apkextractor&hl=en ○ Use the APK Extractor app to extract the APK of the target app ● ADB (Android Debug Bridge) Tool ○ Connect rooted device to laptop and use ADB shell to extract the .apk file to your computer ○ adb devices -l ○ adb pull /data/app/<filename.apk> /root/APK 21 Obtaining the APK August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 21
22 APK Structure and File Contents Android Studio jadx August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 22
● Example 1: Android Studio – For example, decoding and analyzing AndroidManifest.xml ○ Open .apk file in Android Studio to view the AndroidManifest.xml and analyze ● Example 2: apktool and JD-GUI ○ Decode the .apk with apktool https://ibotpeaches.github.io/Apktool ○ Convert the classes.dex into a .jar file using dex2jar https://sourceforge.net/p/dex2jar/wiki/UserGuide ○ Download JD-GUI http://java-decompiler.github.io and open the new .jar file to view the classes and code ● Example 3: jadx ○ https://github.com/skylot/jadx ○ Combines dex2jar and JD-GUI functionality into 1 CLI and GUI app, as it decodes/deobfuscates and then displays the APK contents including its manifest.xml and DEX files (Java classes) 23 Decoding and Reserving an APK August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 23
• Contains official package name, app ID, app components, permissions, etc. • Sometimes contains hard-coded secrets or other sensitive data • Multiple tools and methods to decode the manifest file and view cleartext contents sudo java -jar axmlprinter-0.1.7.jar AndroidManifest.xml > AndroidManifest_decoded.txt August 10, 2018Copyright © 2018 Ben Hughes and Polito, Inc.24 AndroidManifest.xml References: https://developer.android.com/guide/topics/manifest/manifest-intro https://github.com/rednaga/axmlprinter 24
● Look for API levels, versions, app components and intents, etc. ● Permissions - any excessive or unnecessary permissions? ● Look for hard-coded API keys, passwords, certificates, URLs, databases, and other potentially sensitive data ○ "crypt" ○ "https?://" ○ "password" ○ "key" ○ "cert" ○ "ssl" ○ "modulus" ○ "User-Agent" ○ "database" ○ "sqlite" ○ apikey 25 Looking for Interesting Strings August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Reference: https://www.holidayhackchallenge.com/2016/winners/grigorescu/ 25
• jadx is recommended • Start with searching for low-hanging fruit (interesting strings) • Review interesting Java classes • Review dependencies and 3rd party integrations • Review for code vulnerabilities • Automated code scanners • Manual review – triage interesting/important classes • Sometimes the code has been obfuscated… August 10, 2018Copyright © 2018 Ben Hughes and Polito, Inc.26 Decoding and Disassembling DEX Source code reversing triage techniques and tips Disclaimer: I am not a developer ☺ References: https://posts.specterops.io/dont-you-forget-about-re-e2c92d67c641 26
27 Dynamic Analysis August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 27
● Dynamic analysis is conducted to review the application while it is running ● This type of analysis can potentially identify the following issues: ○ M1 - Improper Platform Usage ○ M2 - Insecure Data Storage ○ M3 - Insecure Communication ○ M4 - Insecure Authentication ○ M5 - Insufficient Cryptography ○ M6 - Insecure Authorization ○ M8 - Code Tampering 28 Dynamic Analysis August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 28
● Review the mobile application ○ Go through all the pages, buttons, features ○ Learn what the app does ○ Test unauthenticated and authenticated; create users and review the app as a logged in user (if possible) ● Execute application while device is connected to a controlled network to observe traffic ○ Proxy Options ■ Burp Suite https://portswigger.net/burp ■ Frida/Brida https://github.com/federicodotta/Brida ■ Drozer https://labs.mwrinfosecurity.com/tools/drozer ● Run Android Studio and/or adb logcat to debug and view logs while the application is running 29 Conducting Dynamic Analysis August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 29
• Many mobile apps can be proxied as easily as a typical web app; the traffic is often very similar too • Mobile-specific user-agents are common • Some apps are proxy aware (bypasses exist) • Certificate pinning may be an obstacle, especially on newer versions of Android (bypasses exist) August 10, 2018Copyright © 2018 Ben Hughes and Polito, Inc.30 Proxying Traffic with Burp Suite References: https://support.portswigger.net/customer/portal/articles/1841102-installing-burp-s- ca-certificate-in-an-android-device https://support.portswigger.net/customer/portal/articles/1841101-Mobile%20Set- up_Android%20Device.html https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/ 30
● Brida - Burp Suite to Frida ○ Brida extension in Burp to proxy mobile app traffic for analysis ○ This extension works as a bridge between Burp Suite and Frida ○ Allows to view and tamper with the traffic exchanged between the applications and their back-end services/servers 31 Brida August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Reference: https://github.com/federicodotta/Brida 31
● Drozer - security testing framework for Android. ○ Drozer allows to test for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS ○ Install Drozer on the analysis host, start emulator, and install agent on rooted device: adb install drozer.apk ○ Start Drozer, observe and interact with the traffic 32 Drozer August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Reference: https://labs.mwrinfosecurity.com/tools/drozer/ 32
● To debug app and view logs run adb logcat ● This will show actions the device/emulator is taking to run the application 33 Logs and Debug August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 33
34 Forensics Analysis August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Relation to static and dynamic analysis 34
Android filesystem and directory structure (brief overview) Android uses the Linux file system structure, which has a single root. (Image credit: http://www.stevesandroi dguide.com/android- files/) 35 Forensic Analysis August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Rooted vs. unrooted access Physical vs. logical image Reference: http://www.stevesandroidguide.com/android-files/ 35
Rooted vs. non-rooted devices: On a non-rooted device, system partitions and directories are protected and cannot be directly accessed, even though some file managers will display them. To get around these restrictions, you need to root the device. Rooting an Android device: ● Once root exploit achieved, install SuperSU ● Install RootChecker (optional) - to verify it is rooted properly (also good for checking root status occasionally as OS updates or other changes to device can break root) 36 Rooting Android Device August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Rooted vs. unrooted access Physical vs. logical image References: https://www.pcmag.com/article2/0,2817,2459892,00.asp 36
Physical disks and partitions appear under the root as a directories, but do not have a drive letter as in Windows. Android does not always come with a default file manager, and so you will need to install a file manager app. The sdcard partition is the main storage area for user data and files and it also contains app settings and data. It gets created whether or not a physical SD card is present. (partial listing of sdcard partition- Image credits: http://www.stevesandroidguide.com/android-files/ ) 37 Android File System Structure August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Reference: http://www.stevesandroidguide.com/android-files/ 37
Android filesystem structure The ext-sdcard partition will only be visible if your device supports external storage, usually using a microSD slot. External sd cards use either the FAT, FAT32 or exFAT file system formats. Most devices support FAT and FAT32, but support for exFAT is limited. 38 Android FileSystem Structure August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 38
● Physical acquisition (or forensic image) is a bit-by-bit copy of the entire contents of the flash memory of a mobile device. This allows for the collection of all live data and also data that has been deleted or is protected/hidden. However, physical acquisition is not always possible, requiring root access to the device. ● Logical acquisition: Performed through forensic tools using the application API’s to communicate with the mobile device’s operating system and request the data from the system. This method allows for the acquisition of most of the user-accessible live data on the device, as it would be done for a live targeted collection of computer, and allows recovering live data, but not deleted or protected files. 39 Physical vs. Logical Acquisition August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Reference: http://blog.specialcounsel.com/ediscovery/three-types-of-mobile-device-extractions- and-what-each-contains/ 39
● Filesystem acquisition: Unlike logical acquisitions, the forensic tool(s) can directly access the files on the mobile device’s internal memory, which allows to extract all files present in the internal memory, including database files, system files and logs. Filesystem extractions allow examining file structure, web browsing history and app usage history of a mobile device and grant full access to the database files on a mobile device, and to existing and deleted files for apps such as iMessage, SMS, MMS, Calendar and others. (Reference: http://blog.specialcounsel.com/ediscovery/three-types-of- mobile-device-extractions-and-what-each-contains/) 40 Filesystem Acquisition August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Reference: http://blog.specialcounsel.com/ediscovery/three-types-of-mobile-device-extractions- and-what-each-contains/ 40
Recovering SQLite databases from a mobile app is a priority, because they could contain sensitive data. One of the best tools for the job is DB Browser for SQLite (aka sqlitebrowser, available at https://sqlitebrowser.org/) 41 Obtaining and Reviewing SQLite Databases August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Reference: https://sqlitebrowser.org/ 41
DB Browser for SQLite (DB4S) is a high quality, visual, open source tool to create, design, and edit database files compatible with SQLite. DB4S uses a familiar spreadsheet-like interface, and complicated SQL commands do not have to be learned. It is a tool to be used by both developers and end users, and must remain as simple to use as possible in order to achieve these goals. Alternatively, use Android Studio, adb, or commercial mobile forensics tools such as Magnet Axiom to grab and analyze app SQLite databases and related forensic artifacts: 42 Obtaining and Reviewing SQLite Databases August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Reference: https://sqlitebrowser.org/ 42
43 Intermediate and Advanced Topics August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 43
• Apps that leverage certificate pinning and newer versions of Android sometimes prevent proxying the mobile traffic • There are bypasses… 44 Bypassing Certificate Pinning August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Reference: https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/ 44
• APKs are signed • However, you can modify and re-sign an APK • This is required for one approach to bypassing certificate pinning and related proxy issues • Can be beneficial for other use cases too 45 Modifying and Re-signing APKs August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 45
• Sometimes the Java classes have been obfuscated • Some tools like jadx have limited deobfuscation capabilities • Sometimes the deobfuscation attempts fail or even make things worse (i.e. the code can become more obfuscated) 46 Deobfuscating Source Code August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. References: https://www.evilsocket.net/2016/04/18/how-i-defeated-an-obfuscated-and-anti- tamper-apk-with-some-python-and-a-home-made-smali-emulator/ https://posts.specterops.io/dont-you-forget-about-re-e2c92d67c641 46
● Mobile app traffic ● Web and app servers ● APIs ● App infrastructure ● Potential pivots during a pen test (e.g. hard-coded credentials and keys FTW) 47 Looking for Network and Server- side Issues August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 47
48 APK Teardown Example 1 August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 48
49 APK Teardown Example 2 August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 49
50 Questions? Q&A Session August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 50
51 Hacking the Android APK CTF Instructions and Objectives August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 51
● Super secure banking app ● You are a pen tester (or hacker?) tasked with finding security weaknesses ● Any mobile app fails can likely lead to fun and profit 52 CTF Scenario August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 52
● Flags have been planted in the custom APK ● Static, dynamic, and/or forensic analysis will be required to solve the challenges and find the flags ● Challenge difficulty ranges from very easy to very hard ● Prizes for the winner(s) 53 CTF Instructions August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Will provide short link to CTFd instance during workshop Add login instructions (individual and team self-register) Do live demo walkthrough 53
•https://www.politoinc.com/defcon-ctf •Click Register to create your own account • Provide Team Name, Email and Password • Can compete individually or join a team 54 CTFd Server August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Redirect will be operational during workshop 54
• Challenges are worth 100-400 points each • 100 Easy • 200 Moderate • 300 Hard • 400+ Really hard • No point deductions for wrong answers, but limited number of wrong submissions allowed • -50 points for every viewed hint 55 CTF Scoring Rules August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Scoring system subject to change 55
• Top Team • Max 3 members • Top Individual 56 CTF Prizes August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Prizes likely to be rooted Android test devices 56
• Do collaborate and team up. • Do use the hints if you get stuck and need help. (but remember hefty point penalty per hint) • Don’t intentionally interfere with the WiFi, CTFd server, app server, or other competitors. ☺ 57 CTF – Do’s and Don’ts August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 57
58 CTF – Ready... Set... Hack! August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 58
• Dates and Locations TBD 59 Future Workshops August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 59
www.politoinc.com/feedback • We would greatly appreciate your honest feedback • Submit your e-mail address to receive a copy of this presentation 60 How Did We Do? August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 60
● https://github.com/OWASP/owasp-mstg ● https://ibotpeaches.github.io/Apktool ● https://sourceforge.net/p/dex2jar/wiki/UserGuide ● https://github.com/java-decompiler/jd-gui/releases ● https://github.com/skylot/jadx ● https://github.com/federicodotta/Brida ● https://labs.mwrinfosecurity.com/tools/drozer ● https://resources.infosecinstitute.com/android-penetration-tools-walkthrough-series-drozer ● https://portswigger.net/burp ● https://conference.hitb.org/hitbsecconf2018ams/materials/D1T1%20- %20Federico%20Dotta%20and%20Piergiovanni%20Cipolloni%20- %20Brida%20When%20Burp%20Suite%20Meets%20Frida.pdf ● https://techblog.mediaservice.net/2018/04/brida-a-step-by-step-user-guide ● https://support.portswigger.net/customer/portal/articles/1841101-configuring-an-android-device-to-work-with-burp 61 References August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. References: ● https://github.com/OWASP/owasp-mstg ● https://ibotpeaches.github.io/Apktool ● https://sourceforge.net/p/dex2jar/wiki/UserGuide ● https://github.com/java-decompiler/jd-gui/releases ● https://github.com/skylot/jadx ● https://github.com/federicodotta/Brida ● https://labs.mwrinfosecurity.com/tools/drozer ● https://resources.infosecinstitute.com/android-penetration-tools- walkthrough-series-drozer ● https://portswigger.net/burp ● https://conference.hitb.org/hitbsecconf2018ams/materials/D1T1%20- %20Federico%20Dotta%20and%20Piergiovanni%20Cipolloni%20- %20Brida%20When%20Burp%20Suite%20Meets%20Frida.pdf ● https://techblog.mediaservice.net/2018/04/brida-a-step-by-step-user-guide ● https://support.portswigger.net/customer/portal/articles/1841101- configuring-an-android-device-to-work-with-burp 61
E-mail info@politoinc.com Website www.politoinc.com Blog www.politoinc.com/blog Twitter info@politoinc.com GitHub www.github.com/politoinc 62 Thank You! Lead Trainer Ben Hughes ben@politoinc.com @CyberPraesidium August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 62

More Related Content

PDF
Ce hv8 module 16 hacking mobile platforms
Mehrdad Jingoism
 
PPTX
LinuxCon Europe 2014: License Compliance and Open Source Software Logistics f...
Black Duck by Synopsys
 
PPTX
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Romansh Yadav
 
PDF
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
Felipe Prado
 
PPTX
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
TestDevLab
 
PPTX
Android pentesting
Mykhailo Antonishyn
 
PDF
Android pentesting
Mykhailo Antonishyn
 
PPTX
Rapid Android Application Security Testing
Nutan Kumar Panda
 
Ce hv8 module 16 hacking mobile platforms
Mehrdad Jingoism
 
LinuxCon Europe 2014: License Compliance and Open Source Software Logistics f...
Black Duck by Synopsys
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Romansh Yadav
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
Felipe Prado
 
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
TestDevLab
 
Android pentesting
Mykhailo Antonishyn
 
Android pentesting
Mykhailo Antonishyn
 
Rapid Android Application Security Testing
Nutan Kumar Panda
 

Similar to DEF CON 27 - workshop - POLOTO - hacking the android apk (20)

PPTX
Mobile Application Penetration Testing - Android
UtpalSwain2
 
PDF
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
OWASP Delhi
 
PDF
Getting started with hacking android &amp; i os apps tools, techniques and re...
n|u - The Open Security Community
 
PDF
Getting started with Android pentesting
Minali Arora
 
PPTX
Mobile application security
Shubhneet Goel
 
PPTX
Mobile Application Security
Ishan Girdhar
 
PDF
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
Abhinav Mishra
 
PPTX
[Wroclaw #1] Android Security Workshop
OWASP
 
PPTX
Getting started with android
Vandana Verma
 
PDF
What is Android app Pentesting in 2022- DetoxTechnologies.pdf
Cyber security professional services- Detox techno
 
PDF
Embedded Android Workshop with Oreo
Opersys inc.
 
PDF
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
Stephan Chenette
 
PPTX
Android Apps Testing in 2019
Ivan Katunou
 
DOCX
Mobile testingartifacts
Pragya Rastogi
 
PDF
Mobile Test Automation
Andreas Jakl
 
PPT
1668170.ppt
230405
 
PPTX
Powerpoint 2
precious6896
 
PDF
Attacking and Defending Mobile Applications
Jerod Brennen
 
PPT
Android 1
Jagan Nath University
 
PDF
Towards the methods of analysis malicious applications for Android
Sergey Staroletov
 
Mobile Application Penetration Testing - Android
UtpalSwain2
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
OWASP Delhi
 
Getting started with hacking android &amp; i os apps tools, techniques and re...
n|u - The Open Security Community
 
Getting started with Android pentesting
Minali Arora
 
Mobile application security
Shubhneet Goel
 
Mobile Application Security
Ishan Girdhar
 
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
Abhinav Mishra
 
[Wroclaw #1] Android Security Workshop
OWASP
 
Getting started with android
Vandana Verma
 
What is Android app Pentesting in 2022- DetoxTechnologies.pdf
Cyber security professional services- Detox techno
 
Embedded Android Workshop with Oreo
Opersys inc.
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
Stephan Chenette
 
Android Apps Testing in 2019
Ivan Katunou
 
Mobile testingartifacts
Pragya Rastogi
 
Mobile Test Automation
Andreas Jakl
 
1668170.ppt
230405
 
Powerpoint 2
precious6896
 
Attacking and Defending Mobile Applications
Jerod Brennen
 
Android 1
Jagan Nath University
 
Towards the methods of analysis malicious applications for Android
Sergey Staroletov
 

More from Felipe Prado (20)

PDF
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
Felipe Prado
 
PDF
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
Felipe Prado
 
PDF
DEF CON 24 - Tamas Szakaly - help i got ants
Felipe Prado
 
PDF
DEF CON 24 - Ladar Levison - compelled decryption
Felipe Prado
 
PDF
DEF CON 24 - Clarence Chio - machine duping 101
Felipe Prado
 
PDF
DEF CON 24 - Chris Rock - how to overthrow a government
Felipe Prado
 
PDF
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
Felipe Prado
 
PDF
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
Felipe Prado
 
PDF
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
Felipe Prado
 
PDF
DEF CON 24 - Gorenc Sands - hacker machine interface
Felipe Prado
 
PDF
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
Felipe Prado
 
PDF
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
Felipe Prado
 
PDF
DEF CON 24 - Rich Mogull - pragmatic cloud security
Felipe Prado
 
PDF
DEF CON 24 - Grant Bugher - Bypassing captive portals
Felipe Prado
 
PDF
DEF CON 24 - Patrick Wardle - 99 problems little snitch
Felipe Prado
 
PDF
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
Felipe Prado
 
PDF
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
Felipe Prado
 
PDF
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
Felipe Prado
 
PDF
DEF CON 24 - Antonio Joseph - fuzzing android devices
Felipe Prado
 
PDF
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
Felipe Prado
 
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
Felipe Prado
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
Felipe Prado
 
DEF CON 24 - Tamas Szakaly - help i got ants
Felipe Prado
 
DEF CON 24 - Ladar Levison - compelled decryption
Felipe Prado
 
DEF CON 24 - Clarence Chio - machine duping 101
Felipe Prado
 
DEF CON 24 - Chris Rock - how to overthrow a government
Felipe Prado
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
Felipe Prado
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
Felipe Prado
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
Felipe Prado
 
DEF CON 24 - Gorenc Sands - hacker machine interface
Felipe Prado
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
Felipe Prado
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
Felipe Prado
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
Felipe Prado
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
Felipe Prado
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
Felipe Prado
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
Felipe Prado
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
Felipe Prado
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
Felipe Prado
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
Felipe Prado
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
Felipe Prado
 

Recently uploaded (20)

PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PPT
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
PDF
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
PPTX
Modernising the Digital Integration Hub
Daniel Toomey
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PPT
What is a Computer? Input Devices /output devices
GulJan8
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PPTX
The various Industrial Revolutions .pptx
bandileshozi3
 
PDF
project resource management chapter-09.pdf
ssuser00e6e21
 
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
PPTX
O2C Customer Invoices to Receipt V15A.pptx
ssuserbfa915
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
 
PPTX
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
Modernising the Digital Integration Hub
Daniel Toomey
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
What is a Computer? Input Devices /output devices
GulJan8
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
The various Industrial Revolutions .pptx
bandileshozi3
 
project resource management chapter-09.pdf
ssuser00e6e21
 
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
O2C Customer Invoices to Receipt V15A.pptx
ssuserbfa915
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Hybrid model detection and classification of lung cancer
IAESIJAI
 
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 

DEF CON 27 - workshop - POLOTO - hacking the android apk

  • 1. Hacking the Android APK DEF CON 27 August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc.1 Hacking the Android APK DC27 08/08/2019, Thursday, 1430-1830 in Flamingo, Red Rock V 1
  • 2. • 1430 Intro and VM • 1500 Static and Dynamic Analysis • 1630 Forensic Analysis • 1700 Example APK Teardowns • 1730 CTF! 2 Schedule & Agenda August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Hacking the Android APK DC27 08/08/2019, Thursday, 1430-1830 in Flamingo, Red Rock V 2
  • 3. 3 Training Team • Ben Hughes Senior Cyber Security Engineer & Director of Commercial Services • Liana Parakesyan Cyber Security Engineer & Penetration Tester • Mattia Campagnano Cyber Security Engineer & Penetration Tester August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Trainer intros/bios Ben (@CyberPraesidium) brings over 12 years of diverse experience in cyber security, IT, and law. He leads Polito's commercial services including vulnerability assessments, penetration testing, incident response, forensics, and threat hunting. Prior to joining Polito, Ben worked on APT hunt teams at federal and commercial clients. He holds CISSP, GCFA, GWAPT, and Splunk Power User certifications. Liana has a wide range of experience in cybersecurity. She has created tailored cybersecurity frameworks for companies and federal agencies. She has a background in building cybersecurity labs for clients, consulting on Defense-in-Depth strategies based on threat modeling, and performing penetration testing. She holds a Master’s degree in Cybersecurity and has earned the Security+, CEH, and CISSP certifications. Mattia brings a wide range of experience in IT and cybersecurity, including as Desktop Support with the Italian agency for foreign trade and as a SOC analyst with a major US cybersecurity company. He has worked with SIEMs and conducted penetration testing. He has two Associate’s of Applied Science degrees from Stark State College (Cyber Security & Forensics and Network Security, Linux Database Admin). He also 3
  • 4. has an MBA from Università di Napoli Federico II (Italy) and Security+ certification. 3
  • 5. 4 Introduction to Android and Mobile Security Fundamentals August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 4
  • 6. M1 - Improper Platform Usage M2 - Insecure Data Storage M3 - Insecure Communication M4 - Insecure Authentication M5 - Insufficient Cryptography M6 - Insecure Authorization M7 - Client Code Quality M8 - Code Tampering M9 - Reverse Engineering M10 - Extraneous Functionality 5 OWASP Mobile Top 10 August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. OWASP Mobile Top 10 (2016) Categories: M1 - Improper Platform Usage M2 - Insecure Data Storage M3 - Insecure Communication M4 - Insecure Authentication M5 - Insufficient Cryptography M6 - Insecure Authorization M7 - Client Code Quality M8 - Code Tampering M9 - Reverse Engineering M10 - Extraneous Functionality Walk through examples for each category. References: https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10 https://www.owasp.org/index.php/OWASP_Mobile_Security_Project https://github.com/OWASP/owasp-mstg 5
  • 7. • “The MSTG is a comprehensive manual for mobile app security testing and reverse engineering. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS).” August 10, 2018Copyright © 2018 Ben Hughes and Polito, Inc.6 OWASP Mobile Security Testing Guide (MSTG) Reference: https://github.com/OWASP/owasp-mstg 6
  • 8. ● For hackers, pen testers, and security researchers there are pros and cons with each platform ● Some generalizations: ○ For better or worse, the Android platform is not the iOS walled garden offered by Apple ○ Unlocking and rooting Android devices is easier and provides more options than jailbreaking iOS devices ○ Reversing APKs is easier than IPAs; e.g. often can reverse complete cleartext Java classes for APKs, but typically not going to see much actual source code for IPAs unless provided separately by devs ○ Tampering with / modifying APKs is easier than IPAs. ○ There are more open source / free and commercial tools for the Android platform ■ Tooling for iOS often breaks after major iOS updates; many iOS open source / free tools stopped working reliably or at all several iOS versions ago 7 Android vs. iOS Pen Testing August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 7
  • 9. ● Those general differences aside: ○ If the same app is available as an APK and IPA, start with analyzing the APK ○ The network/web/API traffic is often identical or virtually identical ○ The main SQLite databases and other on-device artifacts are often identical or virtually identical ○ Cross-compiling mobile apps for Android and iOS platforms is becoming increasingly popular 8 Android vs. iOS Pen Testing August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 8
  • 10. 9 Android Ecosystem To publish an app, a developer creates a Google Play developer account, fills out some forms in the Play Console about the app and store listing, and uploads the APK to be released. August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 9
  • 11. 10 Where to Obtain APKs ● Google Play Store ● APK repos ● GitHub ● Android Devices and Emulators ● Developers (test or pre-release versions) August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 10
  • 12. 11 Android APK Hacking Use Cases August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 11
  • 13. 12 Why Analyze APKs? ● Mobile appsec and mobile penetration testing ○ Specific APKs and Android platform itself ○ For pivoting elsewhere ● Bug bounties ● Mobile malware/adware/APT research ● Mobile forensics ● Curiosity – what are all the apps on your phone doing with your data? August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 12
  • 14. August 10, 2018Copyright © 2018 Ben Hughes and Polito, Inc.13 Setting Up Your Android Test Environment For testing an Android app, you can utilize a physical device or an emulator, such as the one provided by Android Studio. Pros and cons of each approach 13
  • 15. • You can create a dedicated VMware or VirtualBox VM to be used as your Android Test Environment. • Your Test Environment can be hosted on Linux or Windows. • For example, you can download then customize a pre- built virtual machine from the following websites: • Kali Linux: https://www.kali.org/downloads/ • Windows: https://developer.microsoft.com/en-us/microsoft- edge/tools/vms/ 14 Setting Up Your Android Test Environment - VM August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 14
  • 16. Android Studio and adb tools Android Studio is available for Windows, macOS and Linux and allows you to build and analyze an Android app in APK format and to run it in a device emulator. It can be downloaded from: https://developer.android.com/studio/ Android Debug Bridge (adb) is a versatile command-line tool providing a command shell on the Android device. It is included in the Android SDK Platform-Tools package, available within the SDK Manager, or as a standalone package: https://developer.android.com/studio/releases/platform- tools.html. 15 Setting Up Your Android Test Environment August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 15
  • 17. Android Studio Emulator: Android Studio includes an emulator for all supported API levels / Android versions, allowing you to install any Android app by simply dragging and dropping it to the virtual device. Emulators have their pros and cons, compared with a physical Android device. 16 Setting Up Your Android Test Environment August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 16
  • 18. Physical rooted device: You’ll need an Android device with readily available (and relatively trustworthy) root exploits and unlocked/unlockable bootloaders. Some examples of suitable devices include: ● Google Nexus - older models ● Samsung Galaxy S3 (rooted Verizon version) ● Some Motorola models 17 Setting Up Your Android Test Environment August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 17
  • 19. • Apktool • dex2jar • JD-GUI • Jadx • Drozer August 10, 2018Copyright © 2018 Ben Hughes and Polito, Inc.18 Additional Tools – Popular Free Tools References: https://ibotpeaches.github.io/Apktool/ https://github.com/pxb1988/dex2jar https://github.com/java-decompiler/jd-gui https://github.com/skylot/jadx https://labs.mwrinfosecurity.com/tools/drozer/ 18
  • 20. 19 Static Analysis Reversing the APK August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 19
  • 21. ● Static analysis is conducted to review the APK contents including the source code of the mobile application ● This type of analysis can potentially identify the following common issues: ○ M1 - Improper Platform Usage ○ M2 - Insecure Data Storage ○ M3 - Insecure Communication ○ M5 - Insufficient Cryptography ○ M7 - Client Code Quality ○ M8 - Code Tampering ○ M9 - Reverse Engineering ○ M10 - Extraneous Functionality 20 Static Analysis August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 20
  • 22. ● Install the app that you want to analyze on your rooted device or emulator ● Install APK Extractor from the Google Play Store on the same device https://play.google.com/store/apps/details?i d=com.invincible.apkextractor&hl=en ○ Use the APK Extractor app to extract the APK of the target app ● ADB (Android Debug Bridge) Tool ○ Connect rooted device to laptop and use ADB shell to extract the .apk file to your computer ○ adb devices -l ○ adb pull /data/app/<filename.apk> /root/APK 21 Obtaining the APK August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 21
  • 23. 22 APK Structure and File Contents Android Studio jadx August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 22
  • 24. ● Example 1: Android Studio – For example, decoding and analyzing AndroidManifest.xml ○ Open .apk file in Android Studio to view the AndroidManifest.xml and analyze ● Example 2: apktool and JD-GUI ○ Decode the .apk with apktool https://ibotpeaches.github.io/Apktool ○ Convert the classes.dex into a .jar file using dex2jar https://sourceforge.net/p/dex2jar/wiki/UserGuide ○ Download JD-GUI http://java-decompiler.github.io and open the new .jar file to view the classes and code ● Example 3: jadx ○ https://github.com/skylot/jadx ○ Combines dex2jar and JD-GUI functionality into 1 CLI and GUI app, as it decodes/deobfuscates and then displays the APK contents including its manifest.xml and DEX files (Java classes) 23 Decoding and Reserving an APK August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 23
  • 25. • Contains official package name, app ID, app components, permissions, etc. • Sometimes contains hard-coded secrets or other sensitive data • Multiple tools and methods to decode the manifest file and view cleartext contents sudo java -jar axmlprinter-0.1.7.jar AndroidManifest.xml > AndroidManifest_decoded.txt August 10, 2018Copyright © 2018 Ben Hughes and Polito, Inc.24 AndroidManifest.xml References: https://developer.android.com/guide/topics/manifest/manifest-intro https://github.com/rednaga/axmlprinter 24
  • 26. ● Look for API levels, versions, app components and intents, etc. ● Permissions - any excessive or unnecessary permissions? ● Look for hard-coded API keys, passwords, certificates, URLs, databases, and other potentially sensitive data ○ "crypt" ○ "https?://" ○ "password" ○ "key" ○ "cert" ○ "ssl" ○ "modulus" ○ "User-Agent" ○ "database" ○ "sqlite" ○ apikey 25 Looking for Interesting Strings August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Reference: https://www.holidayhackchallenge.com/2016/winners/grigorescu/ 25
  • 27. • jadx is recommended • Start with searching for low-hanging fruit (interesting strings) • Review interesting Java classes • Review dependencies and 3rd party integrations • Review for code vulnerabilities • Automated code scanners • Manual review – triage interesting/important classes • Sometimes the code has been obfuscated… August 10, 2018Copyright © 2018 Ben Hughes and Polito, Inc.26 Decoding and Disassembling DEX Source code reversing triage techniques and tips Disclaimer: I am not a developer ☺ References: https://posts.specterops.io/dont-you-forget-about-re-e2c92d67c641 26
  • 28. 27 Dynamic Analysis August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 27
  • 29. ● Dynamic analysis is conducted to review the application while it is running ● This type of analysis can potentially identify the following issues: ○ M1 - Improper Platform Usage ○ M2 - Insecure Data Storage ○ M3 - Insecure Communication ○ M4 - Insecure Authentication ○ M5 - Insufficient Cryptography ○ M6 - Insecure Authorization ○ M8 - Code Tampering 28 Dynamic Analysis August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 28
  • 30. ● Review the mobile application ○ Go through all the pages, buttons, features ○ Learn what the app does ○ Test unauthenticated and authenticated; create users and review the app as a logged in user (if possible) ● Execute application while device is connected to a controlled network to observe traffic ○ Proxy Options ■ Burp Suite https://portswigger.net/burp ■ Frida/Brida https://github.com/federicodotta/Brida ■ Drozer https://labs.mwrinfosecurity.com/tools/drozer ● Run Android Studio and/or adb logcat to debug and view logs while the application is running 29 Conducting Dynamic Analysis August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 29
  • 31. • Many mobile apps can be proxied as easily as a typical web app; the traffic is often very similar too • Mobile-specific user-agents are common • Some apps are proxy aware (bypasses exist) • Certificate pinning may be an obstacle, especially on newer versions of Android (bypasses exist) August 10, 2018Copyright © 2018 Ben Hughes and Polito, Inc.30 Proxying Traffic with Burp Suite References: https://support.portswigger.net/customer/portal/articles/1841102-installing-burp-s- ca-certificate-in-an-android-device https://support.portswigger.net/customer/portal/articles/1841101-Mobile%20Set- up_Android%20Device.html https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/ 30
  • 32. ● Brida - Burp Suite to Frida ○ Brida extension in Burp to proxy mobile app traffic for analysis ○ This extension works as a bridge between Burp Suite and Frida ○ Allows to view and tamper with the traffic exchanged between the applications and their back-end services/servers 31 Brida August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Reference: https://github.com/federicodotta/Brida 31
  • 33. ● Drozer - security testing framework for Android. ○ Drozer allows to test for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS ○ Install Drozer on the analysis host, start emulator, and install agent on rooted device: adb install drozer.apk ○ Start Drozer, observe and interact with the traffic 32 Drozer August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Reference: https://labs.mwrinfosecurity.com/tools/drozer/ 32
  • 34. ● To debug app and view logs run adb logcat ● This will show actions the device/emulator is taking to run the application 33 Logs and Debug August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 33
  • 35. 34 Forensics Analysis August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Relation to static and dynamic analysis 34
  • 36. Android filesystem and directory structure (brief overview) Android uses the Linux file system structure, which has a single root. (Image credit: http://www.stevesandroi dguide.com/android- files/) 35 Forensic Analysis August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Rooted vs. unrooted access Physical vs. logical image Reference: http://www.stevesandroidguide.com/android-files/ 35
  • 37. Rooted vs. non-rooted devices: On a non-rooted device, system partitions and directories are protected and cannot be directly accessed, even though some file managers will display them. To get around these restrictions, you need to root the device. Rooting an Android device: ● Once root exploit achieved, install SuperSU ● Install RootChecker (optional) - to verify it is rooted properly (also good for checking root status occasionally as OS updates or other changes to device can break root) 36 Rooting Android Device August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Rooted vs. unrooted access Physical vs. logical image References: https://www.pcmag.com/article2/0,2817,2459892,00.asp 36
  • 38. Physical disks and partitions appear under the root as a directories, but do not have a drive letter as in Windows. Android does not always come with a default file manager, and so you will need to install a file manager app. The sdcard partition is the main storage area for user data and files and it also contains app settings and data. It gets created whether or not a physical SD card is present. (partial listing of sdcard partition- Image credits: http://www.stevesandroidguide.com/android-files/ ) 37 Android File System Structure August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Reference: http://www.stevesandroidguide.com/android-files/ 37
  • 39. Android filesystem structure The ext-sdcard partition will only be visible if your device supports external storage, usually using a microSD slot. External sd cards use either the FAT, FAT32 or exFAT file system formats. Most devices support FAT and FAT32, but support for exFAT is limited. 38 Android FileSystem Structure August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 38
  • 40. ● Physical acquisition (or forensic image) is a bit-by-bit copy of the entire contents of the flash memory of a mobile device. This allows for the collection of all live data and also data that has been deleted or is protected/hidden. However, physical acquisition is not always possible, requiring root access to the device. ● Logical acquisition: Performed through forensic tools using the application API’s to communicate with the mobile device’s operating system and request the data from the system. This method allows for the acquisition of most of the user-accessible live data on the device, as it would be done for a live targeted collection of computer, and allows recovering live data, but not deleted or protected files. 39 Physical vs. Logical Acquisition August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Reference: http://blog.specialcounsel.com/ediscovery/three-types-of-mobile-device-extractions- and-what-each-contains/ 39
  • 41. ● Filesystem acquisition: Unlike logical acquisitions, the forensic tool(s) can directly access the files on the mobile device’s internal memory, which allows to extract all files present in the internal memory, including database files, system files and logs. Filesystem extractions allow examining file structure, web browsing history and app usage history of a mobile device and grant full access to the database files on a mobile device, and to existing and deleted files for apps such as iMessage, SMS, MMS, Calendar and others. (Reference: http://blog.specialcounsel.com/ediscovery/three-types-of- mobile-device-extractions-and-what-each-contains/) 40 Filesystem Acquisition August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Reference: http://blog.specialcounsel.com/ediscovery/three-types-of-mobile-device-extractions- and-what-each-contains/ 40
  • 42. Recovering SQLite databases from a mobile app is a priority, because they could contain sensitive data. One of the best tools for the job is DB Browser for SQLite (aka sqlitebrowser, available at https://sqlitebrowser.org/) 41 Obtaining and Reviewing SQLite Databases August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Reference: https://sqlitebrowser.org/ 41
  • 43. DB Browser for SQLite (DB4S) is a high quality, visual, open source tool to create, design, and edit database files compatible with SQLite. DB4S uses a familiar spreadsheet-like interface, and complicated SQL commands do not have to be learned. It is a tool to be used by both developers and end users, and must remain as simple to use as possible in order to achieve these goals. Alternatively, use Android Studio, adb, or commercial mobile forensics tools such as Magnet Axiom to grab and analyze app SQLite databases and related forensic artifacts: 42 Obtaining and Reviewing SQLite Databases August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Reference: https://sqlitebrowser.org/ 42
  • 44. 43 Intermediate and Advanced Topics August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 43
  • 45. • Apps that leverage certificate pinning and newer versions of Android sometimes prevent proxying the mobile traffic • There are bypasses… 44 Bypassing Certificate Pinning August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Reference: https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/ 44
  • 46. • APKs are signed • However, you can modify and re-sign an APK • This is required for one approach to bypassing certificate pinning and related proxy issues • Can be beneficial for other use cases too 45 Modifying and Re-signing APKs August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 45
  • 47. • Sometimes the Java classes have been obfuscated • Some tools like jadx have limited deobfuscation capabilities • Sometimes the deobfuscation attempts fail or even make things worse (i.e. the code can become more obfuscated) 46 Deobfuscating Source Code August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. References: https://www.evilsocket.net/2016/04/18/how-i-defeated-an-obfuscated-and-anti- tamper-apk-with-some-python-and-a-home-made-smali-emulator/ https://posts.specterops.io/dont-you-forget-about-re-e2c92d67c641 46
  • 48. ● Mobile app traffic ● Web and app servers ● APIs ● App infrastructure ● Potential pivots during a pen test (e.g. hard-coded credentials and keys FTW) 47 Looking for Network and Server- side Issues August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 47
  • 49. 48 APK Teardown Example 1 August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 48
  • 50. 49 APK Teardown Example 2 August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 49
  • 51. 50 Questions? Q&A Session August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 50
  • 52. 51 Hacking the Android APK CTF Instructions and Objectives August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 51
  • 53. ● Super secure banking app ● You are a pen tester (or hacker?) tasked with finding security weaknesses ● Any mobile app fails can likely lead to fun and profit 52 CTF Scenario August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 52
  • 54. ● Flags have been planted in the custom APK ● Static, dynamic, and/or forensic analysis will be required to solve the challenges and find the flags ● Challenge difficulty ranges from very easy to very hard ● Prizes for the winner(s) 53 CTF Instructions August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Will provide short link to CTFd instance during workshop Add login instructions (individual and team self-register) Do live demo walkthrough 53
  • 55. •https://www.politoinc.com/defcon-ctf •Click Register to create your own account • Provide Team Name, Email and Password • Can compete individually or join a team 54 CTFd Server August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Redirect will be operational during workshop 54
  • 56. • Challenges are worth 100-400 points each • 100 Easy • 200 Moderate • 300 Hard • 400+ Really hard • No point deductions for wrong answers, but limited number of wrong submissions allowed • -50 points for every viewed hint 55 CTF Scoring Rules August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Scoring system subject to change 55
  • 57. • Top Team • Max 3 members • Top Individual 56 CTF Prizes August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. Prizes likely to be rooted Android test devices 56
  • 58. • Do collaborate and team up. • Do use the hints if you get stuck and need help. (but remember hefty point penalty per hint) • Don’t intentionally interfere with the WiFi, CTFd server, app server, or other competitors. ☺ 57 CTF – Do’s and Don’ts August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 57
  • 59. 58 CTF – Ready... Set... Hack! August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 58
  • 60. • Dates and Locations TBD 59 Future Workshops August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 59
  • 61. www.politoinc.com/feedback • We would greatly appreciate your honest feedback • Submit your e-mail address to receive a copy of this presentation 60 How Did We Do? August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. 60
  • 62. ● https://github.com/OWASP/owasp-mstg ● https://ibotpeaches.github.io/Apktool ● https://sourceforge.net/p/dex2jar/wiki/UserGuide ● https://github.com/java-decompiler/jd-gui/releases ● https://github.com/skylot/jadx ● https://github.com/federicodotta/Brida ● https://labs.mwrinfosecurity.com/tools/drozer ● https://resources.infosecinstitute.com/android-penetration-tools-walkthrough-series-drozer ● https://portswigger.net/burp ● https://conference.hitb.org/hitbsecconf2018ams/materials/D1T1%20- %20Federico%20Dotta%20and%20Piergiovanni%20Cipolloni%20- %20Brida%20When%20Burp%20Suite%20Meets%20Frida.pdf ● https://techblog.mediaservice.net/2018/04/brida-a-step-by-step-user-guide ● https://support.portswigger.net/customer/portal/articles/1841101-configuring-an-android-device-to-work-with-burp 61 References August 8, 2019Copyright © 2019 Ben Hughes and Polito, Inc. References: ● https://github.com/OWASP/owasp-mstg ● https://ibotpeaches.github.io/Apktool ● https://sourceforge.net/p/dex2jar/wiki/UserGuide ● https://github.com/java-decompiler/jd-gui/releases ● https://github.com/skylot/jadx ● https://github.com/federicodotta/Brida ● https://labs.mwrinfosecurity.com/tools/drozer ● https://resources.infosecinstitute.com/android-penetration-tools- walkthrough-series-drozer ● https://portswigger.net/burp ● https://conference.hitb.org/hitbsecconf2018ams/materials/D1T1%20- %20Federico%20Dotta%20and%20Piergiovanni%20Cipolloni%20- %20Brida%20When%20Burp%20Suite%20Meets%20Frida.pdf ● https://techblog.mediaservice.net/2018/04/brida-a-step-by-step-user-guide ● https://support.portswigger.net/customer/portal/articles/1841101- configuring-an-android-device-to-work-with-burp 61