Reversing Android Apps

Hacking and cracking Android apps is easy

Tobias Ospelt
Agenda

•  Issues (in the past)
•  Android security / code concept
•  Techniques for pentesters / reverse engineers
•  My experiences and the general quality of apps
My approach

•  Bought HTC Desire/Bravo with Android 2.0 (now 2.2.0) in 2010
•  Finding security related issues
Issues (in the past?)

Losing phones

Circumventing lock screen

•  Poor lock screen implementation
   –  Home button mashing, not all brands, <= 2.2
   –  Back button during call, not all brands, <= 2.0
   –  Plug into car dock, unknown
   –  Gmail address & password „null“, unknown
•  Lock screen not activated
•  USB debug on (adb shell)
•  Associated Google account
•  OpenRecovery, Milestone <= 2.1
•  Acquire physical memory (forensic tools)
Android or Google?

•  Android is Open Source
   –  Google is the strong force behind it
•  Google Market is not (it's Google's)
•  You can create your own market

Google Market – a feel free environment
Malware

•  Malware in the Google Market
   –  DroidDream aka Rootcager
•  Other malware (often in Chinese markets)
   –  Bgserv, Pjabbs, Geinimi, FakePlayer, GingerMaster, Zeus, SpyEye
Bring malware to the mobile

•  Convince users (aka put on market)
•  XSS on Google Market website
•  App without permissions installs apps with permissions
   –  Angry Birds extra level malware, fixed
   –  Browser vulnerability (cookie stealing), < 2.3.5
   –  New technique going to be released in November
      •  Oberheide/Lanie, Source Barcelona
Android Browser

•  Puts nice little bookmark pics on your SD card
Other issues

•  Facebook app v. 1.6 is able to read/write/edit SMS/MMS
•  Plain authentication tokens, fixed
•  SMS receiver incorrect, fixed
•  Htclogger, HTC only
•  App reversing
•  Many more
Nuclear chain of command... (xkcd.com)

... is similar to the Android chain of security
My situation

•  Bought HTC Desire in 2010
•  Still on Android 2.2.0, which means:
   –  Screen lock circumvention (button mashing)
   –  Vulnerable to DroidDream malware
   –  Browser vulnerability
      •  Cookie stealing / XSS
      •  Can be used to install apps
Android security / code concept

Android code

•  Write app in Java and HTML/JavaScript (Android SDK)
   –  The obvious approach
   –  Most apps from the Google Market
   –  Easy to decompile/disassemble/reassemble
•  Write app in ARM native code (Android NDK)
   –  Together with Java code
   –  ARM assembler reverse engineering and JNI
•  Use a framework/generator
   –  appmakr.com
   –  PhoneGap
   –  Others?
Techniques for pentesters / reverse engineers

1. Getting hundreds of Android apps (apk files)
Obvious download approach

•  Open market app on mobile
•  Click app and install
•  SCP apk file from phone
→  Too slow, not enough space on mobile, etc.
How to download all Android apps

•  Connect mobile to laptop Wi-Fi with airbase-ng / dnsmasq
•  Use iptables to redirect to local Burp
   –  thx Android for not having a proxy option
•  BurpExtender to save responses with apk files
•  Send mobile an HTTP 404 Not Found
Install all apps?

•  One HTTPS request to market.android.com
•  Change the app name
   –  com.google.android.youtube
•  Modified w3af spider / regex plugin
   –  Search for terms A ... ZZ on market.android.com
   –  No restrictions (e.g. captcha) as in Google search
•  Wrote script that sends HTTPS requests with app name
Download environment

Metadata

•  About 300’000 apps in market
•  Crawled about 10’000 app names
•  Successfully downloaded and decompiled about 3’500 apps (about 15 GB)
   –  Took about 3 days to download all these apps
2. Decompile/disassemble

The apktool disassembled structure

•  Apk unzipped (left) → apktool disassembled (right)

  +assets                         +assets
  +res                            +res
    +drawable                       +drawable
       -icon.png                       -icon.png
    +layout                         +layout
       -main.xml                       -main.xml
    +values                         +values
       -strings.xml                    -strings.xml
  +META-INF
  -AndroidManifest.xml            -AndroidManifest.xml
  -classes.dex                    +smali
                                    +com
                                      +...
                                  -apktool.yml
Two approaches

•  Disassembling to smali
   –  Similar to Jasmin syntax (Java assembler code)
   –  Apktool
      •  Correct smali code
      •  Didn’t use dexdump/dedexer
•  Decompiling to Java
   –  Dex2Jar + Java Decompiler
      •  Sometimes incorrect Java code
Disassembling how-to

•  Apktool

me$ java -jar apktool.jar d app.apk output-folder

Disassembled example
Reassembling how-to

•  Apktool

me$ echo "change something"
change something
me$ java -jar apktool.jar b output-folder/ fake.apk
[…]
me$ keytool -genkey -alias someone -validity 100000 -keystore someone.keystore
[…]
me$ jarsigner -keystore someone.keystore fake.apk someone
me$ adb install fake.apk
3. Other techniques for pentesters

Heap dump

me$ su
me# ps | grep kee
  949 10082      183m S   com.android.keepass
  960 0          1964 S   grep kee
me# kill -10 949
me# grep password /data/misc/heap-dump-tm1312268434-pid949.hprof
thisisasecretpassword

•  In Android > 2.3
   –  Button in DDMS tool or call android.os.Debug.dumpHprofData(fileName)
Invoking Activities

•  Activities are basically user interfaces
   –  „one screen“

me$ dumpsys package > packages.txt
me$ am start -n com.android.keepass/com.keepassdroid.PasswordActivity

•  Fortunately this example doesn't work
Tons of other tools

•  Androguard
•  Apkinspector
   –  GUI combining apktool, dex2jar, a Java decompiler, byte code, etc.
•  DED
•  androidAuditTools
•  Smartphonesdumbapps
•  Taintdroid (privacy issues)
•  Android Forensic Toolkit
•  viaExtract
•  More
Experiences when decompiling/disassembling 3’500 apps

Finding security related issues

Metadata

•  About 3’500 apps
   –  2’300 unique email addresses
   –  1’000 «fuck»
   –  Several twitter / facebook / flickr / geocaching API keys
Low hanging fruits

Hashing and encryption – a short best practices refresh

•  Secure algorithms/implementations
•  Random, long salts/keys
•  Hashing
   –  Separate salt for every hash
   –  Several hashing rounds
      •  E.g. hash(hash( ... hash(pwd+salt)+salt ... ))
•  Encryption
   –  Keep the key secret
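The slide's construction carried out in working code, as an added example that is not from the talk: it implements the hash(hash( ... hash(pwd+salt)+salt ... )) loop with SHA-256 and a fresh random salt for every hash, verifies a stored record in constant time, and shows the standardised form of the same idea (PBKDF2) through javax.crypto. Class and method names are my own; the password string is the one from the heap dump slide.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SaltedHashRefresh {
    static final int SALT_LEN = 16;      // random, long salt
    static final int ROUNDS = 20_000;    // several hashing rounds
    static final SecureRandom RNG = new SecureRandom();

    // hash(hash( ... hash(pwd+salt)+salt ... )) from the slide, with SHA-256.
    // Round 1 hashes pwd||salt, every further round hashes previous||salt.
    static byte[] iteratedHash(byte[] pwd, byte[] salt, int rounds) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] state = pwd;
        for (int i = 0; i < rounds; i++) {
            md.update(state);
            md.update(salt);
            state = md.digest();          // digest() also resets md for the next round
        }
        return state;
    }

    // Stored record: rounds$base64(salt)$base64(hash). A separate salt per hash
    // means two users with the same password get two different records.
    static String hashPassword(String pwd) throws Exception {
        byte[] salt = new byte[SALT_LEN];
        RNG.nextBytes(salt);
        byte[] h = iteratedHash(pwd.getBytes(StandardCharsets.UTF_8), salt, ROUNDS);
        Base64.Encoder b64 = Base64.getEncoder();
        return ROUNDS + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(h);
    }

    static boolean verifyPassword(String pwd, String record) throws Exception {
        String[] parts = record.split("\\$");
        if (parts.length != 3) return false;
        int rounds = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = iteratedHash(pwd.getBytes(StandardCharsets.UTF_8), salt, rounds);
        return MessageDigest.isEqual(expected, actual);   // constant-time comparison
    }

    // The standardised version of the same idea: PBKDF2 (RFC 2898), available on
    // Android as "PBKDF2WithHmacSHA1". Prefer this over a home-grown loop.
    static byte[] pbkdf2(char[] pwd, byte[] salt, int rounds) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pwd, salt, rounds, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
                .generateSecret(spec).getEncoded();
    }

    public static void main(String[] args) throws Exception {
        String alice = hashPassword("thisisasecretpassword");
        String bob   = hashPassword("thisisasecretpassword");   // same password, different salt
        System.out.println("alice: " + alice);
        System.out.println("bob:   " + bob);
        System.out.println("records differ:       " + !alice.equals(bob));
        System.out.println("correct pwd verifies: " + verifyPassword("thisisasecretpassword", alice));
        System.out.println("wrong pwd rejected:   " + !verifyPassword("thisisasecretpassword1", alice));

        byte[] salt = new byte[SALT_LEN];
        RNG.nextBytes(salt);
        byte[] dk = pbkdf2("thisisasecretpassword".toCharArray(), salt, ROUNDS);
        System.out.println("pbkdf2: " + Base64.getEncoder().encodeToString(dk));
    }
}
```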
  
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy

Key: MSB always 0

Used for sending passwords in HTTPS

Used to signalise the server that in-game goods were purchased
Obfuscated code

Who calls this „ah“ constructor?

Obfuscated code

•  4 greps later...
•  c.f includes the key
   –  c.f calls a.bs(key)
      •  a.bs calls a.ah(key)
         –  a.ah uses the key and locale variables for encryption
•  We know all the input data for the encryption routine
•  It's symmetric crypto
•  We can decrypt „it“ (whatever it might be)
TestXXXXX.java

•  Yeah, let’s copy/paste a test email!

TestXXXXX2.java

•  And credentials for the test server...

Some apps I looked at more closely (it’s getting worse)
App 1 - banking app

•  Who really wants banking on the mobile?
•  A lot of banking apps! Yay!
•  App 1
   –  No obfuscation + can easily be recompiled
   –  App simply shows the website
   –  Hides the URL and SSL cert/lock from the user
   –  Can only be used with mTAN
App 2

•  Server had self-signed SSL certificate
•  SSL MITM dump:

/usernam e=B1436A 13E85D20 F2428D6E 232C2B93
FE....pa ssword=2 C30F3866 016E6C59 52655C06
400BCC6. imei=405 23204606 E450... ...

Wow, it’s encrypted... Don’t we need a key for that?
App 2

•  AES key

public byte[] cryptKey42 = {-31, -21, 4, 24, -21,
54, -63, -40, -38, 61, -47, -115, -95, -36, -142,
64, 53, 120, -85, -96, -69, 85, 81, 16, -36, 80,
-102, 95, -20, 110, 36, -11};
App 3 – root detection

private boolean deviceRoot(){
    try{
      Runtime.getRuntime().exec("su");
      return true;
    }
    catch (IOException localIOException){
      return false;
    }
}
App 3 – Circumventing root detection

•  Not necessary
App 4 – Another root detection

public static boolean isDeviceRooted(){
    File f = new File("/system/sbin/su");
    return f.exists();
}
App 4 - Removing root detection

me$ java -jar apktool.jar d app.apk source
[…]
me$ sed -i "" 's#/system/sbin/su#/system/sbin/CEW1PFSLK#g' source/smali/net/example/checks.smali
me$ java -jar apktool.jar b source/ fake.apk
[…]
me$ keytool -genkey -alias someone -validity 100000 -keystore someone.keystore
[…]
me$ jarsigner -keystore someone.keystore fake.apk someone
me$ adb install fake.apk
App 4 – Was that a good method to remove the root detection?

•  Altering the app
   –  No updates
•  We only want to fail that simple check

App 4 - Prevent root detection (root stays root!)

me$ adb shell
$ su
# cd /system/bin/; mount -o remount,rw -o rootfs rootfs /;
mount -o remount,rw -o yaffs2 /dev/block/mtdblock3 /system
# echo $PATH
/sbin:/system/sbin:/system/bin:/system/xbin
# mv /system/sbin/su /system/xbin/
A special secret key

•  445 apps use the same AES key
   –  byte[] a = { 10, 55, -112, -47, -6, 7, 11, 75, -7, -121, 121, 69, 80, -61, 15, 5 }
Google Ads

•  Encrypt last known location
   –  All location providers (GPS, Wifi, ...)
•  Send via the „uule“ JSON parameter
•  Notified Google on the 23rd of June
   –  No response yet
•  To be honest I haven't seen the „uule“ parameter in my network yet

Google Ads

•  Why didn't they use asymmetric crypto?
Countermeasures

•  Use asymmetric crypto instead of symmetric when transferring data to a server
•  Store hashes/session tokens instead of passwords
•  Good obfuscation is Security Through Obscurity
•  Pentest your apps
•  Know the limitations
   –  root stays root
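The first countermeasure in working code, as an added example that is not from the talk or from any of the apps: the shared AES key compiled into the APK (the App 2 pattern, and the key 445 apps have in common) beside a version where the app embeds only the server's public key and encrypts the credentials with RSA-OAEP, so nothing inside the APK can decrypt them. The class name, the key bytes and the request body are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.spec.X509EncodedKeySpec;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class TransportCryptoDemo {
    // Anti-pattern: a symmetric key compiled into the APK (constructed bytes,
    // not the key from the slides). Every copy of the app, and therefore every
    // reverser with apktool or dex2jar, holds the same key as the server.
    static final byte[] SHARED_AES_KEY = {
        0x41, 0x70, 0x70, 0x4b, 0x65, 0x79, 0x49, 0x6e,
        0x41, 0x70, 0x6b, 0x21, 0x21, 0x21, 0x21, 0x21 };

    static byte[] aesEncrypt(byte[] key, byte[] iv, byte[] plain) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return c.doFinal(plain);
    }

    static byte[] aesDecrypt(byte[] key, byte[] iv, byte[] ct) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return c.doFinal(ct);
    }

    // Countermeasure: the APK carries only the server's public key (the X.509
    // SubjectPublicKeyInfo bytes you would ship as a resource). Encrypting
    // with it needs no secret on the device.
    static byte[] rsaEncrypt(byte[] encodedPublicKey, byte[] plain) throws Exception {
        PublicKey pub = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(encodedPublicKey));
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.ENCRYPT_MODE, pub);
        return c.doFinal(plain);   // RSA-2048 with OAEP/SHA-256 fits at most 190 bytes
    }

    // Only the server holds the private key, so only the server can decrypt.
    static byte[] rsaDecrypt(PrivateKey priv, byte[] ct) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.DECRYPT_MODE, priv);
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        // Constructed request body in the style of the MITM dump on the App 2 slide.
        byte[] login = "username=testuser&password=thisisasecretpassword&imei=000000000000000"
                .getBytes(StandardCharsets.UTF_8);

        // 1. Shared symmetric key: the app encrypts, but anyone who unzipped the APK decrypts.
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        byte[] ct = aesEncrypt(SHARED_AES_KEY, iv, login);
        String recovered = new String(aesDecrypt(SHARED_AES_KEY, iv, ct), StandardCharsets.UTF_8);
        System.out.println("AES with key from APK, decrypted by APK holder: " + recovered);

        // 2. Asymmetric: key pair generated and kept on the server side.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair serverKeys = kpg.generateKeyPair();
        byte[] embeddedPublicKey = serverKeys.getPublic().getEncoded();   // all the APK ships

        byte[] ct2 = rsaEncrypt(embeddedPublicKey, login);
        String serverSide = new String(rsaDecrypt(serverKeys.getPrivate(), ct2), StandardCharsets.UTF_8);
        System.out.println("RSA-OAEP, decrypted with server private key: " + serverSide);
        // Know the limitations: a public key gives confidentiality, not authenticity.
        // Anyone with the APK can still produce valid ciphertexts, so the server must
        // authenticate the user and verify claims such as "goods were purchased" itself.
        // For payloads over ~190 bytes wrap a fresh AES key with RSA and encrypt the
        // body with that key (hybrid encryption).
    }
}
```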
  
References

•  http://designora.com/graphics/android-logo/
•  http://blog.duosecurity.com/2011/05/when-angry-birds-attack-android-edition/
•  http://jon.oberheide.org/blog/2011/03/07/how-i-almost-won-pwn2own-via-xss/
•  http://www.h-online.com/open/news/item/Android-apps-send-unencrypted-authentication-token-1243968.html
•  https://www.infosecisland.com/blogview/13459-Google-Sued-for-Surreptitious-Android-Location-Tracking.html
•  http://www.h-online.com/open/news/item/Android-malware-activates-itself-through-incoming-calls-1253807.html
•  http://www.slideshare.net/bsideslondon/bsideslondon-spo#text-version
•  https://www.hashdays.ch/assets/files/slides/burns_android_security_the%20fun%20details.pdf
•  https://theassurer.com/p/756.html
•  http://thomascannon.net/blog/2011/02/android-lock-screen-bypass/
•  http://www.symantec.com/content/en/us/about/media/pdfs/symc_mobile_device_security_june2011.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Jun_worldwide_mobilesecuritywp
•  http://www.xkcd.com/898
•  http://www.madaxeman.com/general/2009/11/lost-phone.html
•  http://thomascannon.net/projects/android-reversing/
•  http://www.infsec.cs.uni-saarland.de/projects/android-vuln/
•  http://www.heise.de/mobil/meldung/Android-verschickt-SMS-an-falsche-Empfaenger-2-Update-1162685.html
•  http://blog.duosecurity.com/2011/09/android-vulnerabilities-and-source-barcelona/
Thx!

•  Twitter: floyd_ch
•  http://floyd.ch
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy

More Related Content

PDF
Password (in)security
PDF
Password Security
PPTX
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
PDF
Cryptography in PHP: use cases
PDF
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
PPTX
Passwords presentation
ODP
PLMCE - Security and why you need to review yours
PDF
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Password (in)security
Password Security
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Cryptography in PHP: use cases
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Passwords presentation
PLMCE - Security and why you need to review yours
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.

What's hot (19)

PPTX
How to discover 1352 Wordpress plugin 0days in one hour (not really)
ODP
Password Security
ODP
Cracking Into Embedded Devices - HACK.LU 2K8
PDF
Two scoops of Django - Security Best Practices
PDF
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
PDF
Mario heiderich. got your nose! how to steal your precious data without using...
PDF
Practical Phishing Automation with PhishLulz - KiwiCon X
PPTX
A Forgotten HTTP Invisibility Cloak
PDF
Cryptography in PHP: Some Use Cases
ODP
Security its-more-than-just-your-database-you-should-worry-about
PDF
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
PDF
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
PDF
Infosecurity.be 2019: What are relevant open source security tools you should...
PDF
IoThings you don't even need to hack
PDF
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
PDF
Applications secure by default
PDF
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
PPTX
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
PPTX
Malicious Intent: Adventures in JavaScript Obfuscation and Deobfuscation
How to discover 1352 Wordpress plugin 0days in one hour (not really)
Password Security
Cracking Into Embedded Devices - HACK.LU 2K8
Two scoops of Django - Security Best Practices
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
Mario heiderich. got your nose! how to steal your precious data without using...
Practical Phishing Automation with PhishLulz - KiwiCon X
A Forgotten HTTP Invisibility Cloak
Cryptography in PHP: Some Use Cases
Security its-more-than-just-your-database-you-should-worry-about
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
Infosecurity.be 2019: What are relevant open source security tools you should...
IoThings you don't even need to hack
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
Applications secure by default
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
Malicious Intent: Adventures in JavaScript Obfuscation and Deobfuscation

Viewers also liked (6)

PPT
Reverse Engineering Android Application
PDF
How to reverse engineer Android applications—using a popular word game as an ...
PDF
Understanding the Dalvik bytecode with the Dedexer tool
PDF
Android Forensics: Exploring Android Internals and Android Apps
PDF
Attacking and Defending Mobile Applications
PDF
Learning by hacking - android application hacking tutorial
Reverse Engineering Android Application
How to reverse engineer Android applications—using a popular word game as an ...
Understanding the Dalvik bytecode with the Dedexer tool
Android Forensics: Exploring Android Internals and Android Apps
Attacking and Defending Mobile Applications
Learning by hacking - android application hacking tutorial

Similar to hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy (20)

PDF
Hacking your Droid (Aditya Gupta)
PPT
Outsmarting SmartPhones
PDF
михаил дударев
PPT
Securely Deploying Android Device - ISSA (Ireland)
PDF
Hacking your Android (slides)
PPTX
Rhodes mobile Framework
PDF
Securing Android
PPT
Steelcon 2015 Reverse-Engineering Obfuscated Android Applications
KEY
HTML5 is the Future of Mobile, PhoneGap Takes You There Today
PPTX
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
PDF
Cracking the mobile application code
PDF
Droidcon Spain 2105 - One app to rule them all: Methodologies, Tools & Tricks...
PPTX
PDF
Android_Malware_IOAsis_2014_Analysis.pdf
PPTX
I haz you and pwn your maal
PDF
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
PDF
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
PDF
OWASP SF - Reviewing Modern JavaScript Applications
PPTX
Dissecting Android APK
Hacking your Droid (Aditya Gupta)
Outsmarting SmartPhones
михаил дударев
Securely Deploying Android Device - ISSA (Ireland)
Hacking your Android (slides)
Rhodes mobile Framework
Securing Android
Steelcon 2015 Reverse-Engineering Obfuscated Android Applications
HTML5 is the Future of Mobile, PhoneGap Takes You There Today
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Cracking the mobile application code
Droidcon Spain 2105 - One app to rule them all: Methodologies, Tools & Tricks...
Android_Malware_IOAsis_2014_Analysis.pdf
I haz you and pwn your maal
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
OWASP SF - Reviewing Modern JavaScript Applications
Dissecting Android APK

More from Area41 (11)

PDF
Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...
PDF
Juriaan Bremer und Marion Marschalek: Curing A 15 Year Old Disease
PDF
Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vuln...
PDF
Rob "Mubix" Fuller: Attacker Ghost Stories
PPTX
Halvar Flake: Why Johnny can’t tell if he is compromised
PDF
hashdays 2011: Mikko Hypponen - Keynote
PDF
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
PDF
hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal har...
PDF
hashdays 2011: Christian Bockermann - Protecting Databases with Trees
PDF
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
PDF
hashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Reality
Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...
Juriaan Bremer und Marion Marschalek: Curing A 15 Year Old Disease
Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vuln...
Rob "Mubix" Fuller: Attacker Ghost Stories
Halvar Flake: Why Johnny can’t tell if he is compromised
hashdays 2011: Mikko Hypponen - Keynote
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal har...
hashdays 2011: Christian Bockermann - Protecting Databases with Trees
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
hashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Reality

Recently uploaded (20)

DOCX
The AUB Centre for AI in Media Proposal.docx
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PDF
Chapter 3 Spatial Domain Image Processing.pdf
PDF
Network Security Unit 5.pdf for BCA BBA.
PDF
Encapsulation theory and applications.pdf
PDF
NewMind AI Monthly Chronicles - July 2025
PDF
Modernizing your data center with Dell and AMD
PDF
KodekX | Application Modernization Development
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PDF
Encapsulation_ Review paper, used for researhc scholars
PPTX
Understanding_Digital_Forensics_Presentation.pptx
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
PPTX
Cloud computing and distributed systems.
PDF
NewMind AI Weekly Chronicles - August'25 Week I
The AUB Centre for AI in Media Proposal.docx
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
Diabetes mellitus diagnosis method based random forest with bat algorithm
The Rise and Fall of 3GPP – Time for a Sabbatical?
Dropbox Q2 2025 Financial Results & Investor Presentation
Chapter 3 Spatial Domain Image Processing.pdf
Network Security Unit 5.pdf for BCA BBA.
Encapsulation theory and applications.pdf
NewMind AI Monthly Chronicles - July 2025
Modernizing your data center with Dell and AMD
KodekX | Application Modernization Development
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
Reach Out and Touch Someone: Haptics and Empathic Computing
Encapsulation_ Review paper, used for researhc scholars
Understanding_Digital_Forensics_Presentation.pptx
CIFDAQ's Market Insight: SEC Turns Pro Crypto
Cloud computing and distributed systems.
NewMind AI Weekly Chronicles - August'25 Week I

hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy

  • 1. Reversing  Android  Apps   Hacking  and  cracking  Android  apps  is  easy   Tobias  Ospelt  
  • 2. Agenda   •  Issues  (in  the  past)   •  Android  security  /  code  concept   •  Techniques  for  pentesters  /  reverse  engineers   •  My  experiences  and  the  general  quality  of   apps  
  • 3. My  approach   •  Bought  HTC  Desire/Bravo  with  Android  2.0   (now  2.2.0)  in  2010   •  Finding  security  related  issues  
  • 4. Issues  (in  the  past?)  
  • 7. CircumvenNng  lock  screen   •  Poor  lock  screen  implementaNon   –  Home  buPon  mashing,  not  all  brands<=  2.2   –  Back  buPon  during  call,  not  all  brands  <=  2.0   –  Plug  into  car  dock,  unknown   –  Gmail  address  &  password  „null“,  unknown   •  Lock  screen  not  acNvated   •  USB  debug  on  (adb  shell)   •  Associated  Google  account   •  OpenRecovery,  Milestone  <=  2.1   •  Acquire  physical  memory  (forensic  tools)  
  • 8. Android  or  Google?   •  Android  is  Open  Source   –  Google  is  the  strong  force  behind  it   •  Google  Market  is  not  (it‘s  Google‘s)   •  You  can  create  your  own  market  
  • 9. Google  Market  –  a  feel  free   environment  
  • 10. Malware   •  Malware  in  the  Google  Market   –  DroidDream  aka  Rootcager   •  Other  malware  (o]en  in  Chinese  markets)   –  Bgserv,  Pjabbs,  Geinimi,  FakePlayer,   GingerMaster,  Zeus,  SpyEye  
  • 11. Bring  malware  to  the  mobile   •  Convince  users  (aka  put  on  market)   •  XSS  on  Google  Market  website   •  App  without  permissions  installs  apps  with   permissions   –  Angry  Birds  extra  level  malware,  fixed   –  Browser  vulnerability  (cookie  stealing),  <  2.3.5   –  New  technique  going  to  be  released  in  November   •  Oberheide/Lanie,  Source  Barcelona  
  • 12. Android  Browser   •  Puts  nice  liPle  bookmark  pics  on  your  SD  card  
  • 13. Other  issues   •  Facebook-­‐App  V.  1.6  is  able  to  read/write/edit   SMS/MMS   •  Plain  authenNcaNon  tokens,  fixed   •  SMS  receiver  incorrect,  fixed   •  Htclogger,  HTC  only   •  App  reversing   •  Many  more  
  • 14. Nuclear  chain  of  command...   xkcd.com  
  • 15. ...  is  similar  to  the  Android  chain  of   security  
  • 16. My  situaNon   •  Bought  HTC  Desire  in  2010   •  SNll  on  Android  2.2.0,  means:   –  Screen  lock  circumvenNon  (buPon  mashing)   –  Vulnerable  to  DroidDream  malware   –  Browser  vulnerability     •  Cookie  stealing  /  XSS   •  Can  be  used  to  install  apps  
  • 17. Android  security  /  code  concept  
  • 18. Android  code   •  Write  app  in  Java  and  HTML/Javascript  (Android  SDK)   –  The  obvious  approach   –  Most  apps  from  the  Google  Market   –  Easy  to  decompile/disassemble/reassemble   •  Write  app  in  ARM  naNve  code  (Android  NDK)   –  Together  with  Java  code   –  ARM  Assembler  Reverse  Engineering  and  JNI   •  Use  a  framework/generator   –  appmakr.com   –  PhoneGap   –  Others?  
  • 19. Techniques  for  pentesters  /   reverse  engineers  
  • 20. 1.  Gemng  hundrets  of  Android   Apps  (apk  files)  
  • 21. Obvious  download  approach   •  Open  market  app  on  mobile   •  Click  app  and  install   •  SCP  apk  file  from  phone   à  Too  slow,  not  enough  space  on  mobile,  etc    
  • 22. How  to  download  all  Android  apps   •  Connect  mobile  to  laptop  Wi-­‐Fi  with  airbase-­‐ ng  /  dnsmasq   •  Use  iptables  to  redirect  to  local  Burp   –  thx  Android  for  not  having  a  proxy  opNon   •  BurpExtender  to  save  responses  with  apk  files   •  Send  mobile  a  HTTP  404  not  found  
  • 23. Install  all  apps?   •  One  HTTPS  request  to  market.android.com   •  Change  the  app  name   –  com.google.android.youtube   •  Modified  w3af  spider  /  regex  plugin   –  Search  for  terms  A  ...  ZZ  on  market.android.com   –  No  restricNons  (e.g.  captcha)  as  in  Google  search   •  Wrote  script  that  sends  HTTPS  requests  with   app  name  
  • 25. Metadata   •  About  300’000  apps  in  market   •  Crawled  about  10’000  app  names   •  Successfully  downloaded  and  decompiled   about  3’500  apps  (about  15  GB)   –  Took  about  3  days  to  download  all  these  apps  
  • 27. The  apktool  disassembled  structure   •  Apk  unzipped   à          apktool  disassembled   +assets +assets +res +res +drawable +drawable -icon.png -icon.png +layout +layout -main.xml -main.xml +values +values -strings.xml -strings.xml +META-INF -AndroidManifest.xml -AndroidManifest.xml -classes.dex +smali +com +... -apktool.yml
  • 28. Two  approaches   •  Disassembling  to  smali   –  Similar  to  Jasmin  syntax  (Java  assembler  code)   –  Apktool   •  Correct  smali  code   •  Didn’t  use  dexdump/dedexer   •  Decompiling  to  Java   –  Dex2Jar  +  Java-­‐Decompiler   •  SomeNmes  incorrect  Java  code  
  • 29. Disassembling  how-­‐to   •  Apktool   me$ java -jar apktool.jar d app.apk output-folder
  • 31. Reassembling  how-­‐to   •  Apktool   me$ echo "change something" change something me$ java -jar apktool.jar b output-folder/ fake.apk […] me$ keytool -genkey -alias someone -validity 100000 - keystore someone.keystore […] me$ jarsigner -keystore someone.keystore fake.apk someone me$ adb install fake-app.apk
  • 32. 3.  Other  techniques  for   pentesters  
  • 33. Heap  dump   me$ su me# ps | grep kee 949 10082 183m S com.android.keepass 960 0 1964 S grep kee me# kill -10 949 me# grep password /data/misc/heap-dump-tm1312268434- pid949.hprof thisisasecretpassword •  In  Android  >  2.3   –  BuPon  in  DDMS  tool  or  call   android.os.Debug.dumpHprofData(fileName)  
  • 34. Invoking  AcNviNes   •  AcNviNes  are  basically  user  interfaces   –  „one  screen“   me$ dumpsys package > packages.txt me$ am start -n com.android.keepass/ com.keepassdroid.PasswordActivity •  Fortunately  this  example  doesn‘t  work  
  • 35. Tons  of  other  tools   •  Androguard   •  Apkinspector   –  GUI  combining  apktool,  dex2jar,  a  Java  decompiler,  byte   code,  etc.   •  DED   •  androidAuditTools   •  Smartphonesdumbapps   •  Taintdroid  (Privacy  issues)   •  Android  Forensic  Toolkit   •  viaExtract   •  More  
  • 36. Experiences  when  decompiling/ disassembling  3‘500  apps   Finding  security  related  issues  
  • 37. Metadata   •  About  3’500  apps   –  2’300  unique  email  addresses   –  1’000  «fuck»   –  Several  twiPer  /  facebook  /  flickr  /  geocaching  API   keys  
  • 39. Hashing  and  encrypNon  –  a  short  best   pracNces  refresh   •  Secure  algorithms/implementaNons   •  Random,  long  salts/keys   •  Hashing   –  Separate  salt  for  every  hash   –  Several  hashing  rounds   •  E.g.  hash(hash(  ...  hash(pwd+salt)+salt  ...  ))   •  EncrypNon   –  Keep  the  key  secret  
41. Key: MSB always 0
  Used for sending passwords in HTTPS
42. Used to signalise the server that in-game goods were purchased
45. Obfuscated code
  Who calls this "ah" constructor?
46. Obfuscated code
  • 4 greps later...
  • c.f includes the key
    – c.f calls a.bs(key)
  • a.bs calls a.ah(key)
    – a.ah uses the key and locale variables for encryption
  • We know all the input data for the encryption routine
  • It's symmetric crypto
  • We can decrypt "it" (whatever it might be)
47. TestXXXXX.java
  • Yeah, let's copy/paste a test email!
48. TestXXXXX2.java
  • And credentials for the test server...
49. Some apps I looked at more closely
  (it's getting worse)
50. App 1 – banking app
  • Who really wants banking on the mobile?
  • A lot of banking apps! Yay!
  • App 1
    – No obfuscation + can easily be recompiled
    – App simply shows the website
    – Hides the URL and SSL cert/lock from the user
    – Can only be used with mTAN
51. App 2
  • Server had self-signed SSL certificate
  • SSL MITM dump:
    /username=B1436A13E85D20F2428D6E232C2B93FE....password=2C30F3866016E6C5952655C06400BCC6.imei=40523204606E450...
    ...
  Wow, it's encrypted... Don't we need a key for that?
52. App 2
  • AES key
    public byte[] cryptKey42 = {-31, -21, 4, 24, -21, 54, -63, -40, -38, 61, -47, -115,
        -95, -36, -142, 64, 53, 120, -85, -96, -69, 85, 81, 16, -36, 80, -102, 95, -20,
        110, 36, -11};
53. App 3 – root detection
    private boolean deviceRoot() {
        try {
            Runtime.getRuntime().exec("su");
            return true;
        } catch (IOException localIOException) {
            return false;
        }
    }
54. App 3 – Circumventing root detection
  • Not necessary
55. App 4 – Another root detection
    public static boolean isDeviceRooted() {
        File f = new File("/system/sbin/su");
        return f.exists();
    }
56. App 4 – Removing root detection
    me$ java -jar apktool.jar d app.apk source
    […]
    me$ sed -i "" 's|/system/sbin/su|/system/sbin/CEW1PFSLK|g' source/smali/net/example/checks.smali
    me$ java -jar apktool.jar b source/ fake.apk
    […]
    me$ keytool -genkey -alias someone -validity 100000 -keystore someone.keystore
    […]
    me$ jarsigner -keystore someone.keystore fake.apk someone
    me$ adb install fake.apk
57. App 4 – Was that a good method to remove the root detection?
  • Altering the app
    – No updates
  • We only want to fail that simple check
58. App 4 – Prevent root detection
  root stays root!
    me$ adb shell
    $ su
    # cd /system/bin/; mount -o remount,rw -t rootfs rootfs /; mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
    # echo $PATH
    /sbin:/system/sbin:/system/bin:/system/xbin
    # mv /system/sbin/su /system/xbin/
59. A special secret key
  • 445 apps use the same AES key
    – byte[] a = { 10, 55, -112, -47, -6, 7, 11, 75, -7, -121, 121, 69, 80, -61, 15, 5 };
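How a finding like "445 apps share one AES key" is produced across a corpus of decompiled apps, and how the weak key shape from slide 41 (MSB of every byte 0) is flagged at the same time, as an added Python example that is mine and not the speaker's tooling. The corpus is constructed inline: app1 and app2 carry the key quoted on slide 59; app3 and its ASCII-derived key are made up.

```python
import re

# Constructed corpus of decompiled Java snippets from three hypothetical apps: app1 and app2
# carry the key quoted on slide 59; app3's ASCII-derived key is made up for the MSB-0 case.
SOURCES = {
    "app1/net/example/a.java":
        "static byte[] a = { 10, 55, -112, -47, -6, 7, 11, 75, -7, -121, 121, 69, 80, -61, 15, 5 };",
    "app2/com/other/Crypto.java":
        "public byte[] cryptKey = {10,55,-112,-47,-6,7,11,75,-7,-121,121,69,80,-61,15,5};",
    "app3/com/third/Sec.java":
        "private byte[] key = {48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 97, 98, 99, 100, 101, 102};",
}
ARRAY_RE = re.compile(r"byte\[\]\s+(\w+)\s*=\s*\{([^}]*)\}")

def java_bytes(literal):
    """Decompilers print Java bytes signed (-128..127); return the unsigned bytes the
    cipher actually sees, or None if the list is not a valid Java byte array."""
    vals = [int(v) for v in literal.split(",") if v.strip()]
    if not vals or any(not -128 <= v <= 127 for v in vals):
        return None
    return bytes(v & 0xFF for v in vals)

def find_key_candidates(source):
    """Every byte[] literal of an AES key length (16, 24 or 32 bytes), as (name, key)."""
    out = []
    for name, body in ARRAY_RE.findall(source):
        key = java_bytes(body)
        if key is not None and len(key) in (16, 24, 32):
            out.append((name, key))
    return out

def audit(sources):
    """Group candidates by value across apps; report keys shared by more than one app
    and keys whose every byte has its MSB clear (at most 7 bits of entropy per byte)."""
    apps_by_key = {}
    for path, src in sources.items():
        app = path.split("/")[0]  # first path component names the app
        for _name, key in find_key_candidates(src):
            apps_by_key.setdefault(key, set()).add(app)
    shared = {k.hex(): sorted(a) for k, a in apps_by_key.items() if len(a) > 1}
    msb_zero = sorted(k.hex() for k in apps_by_key if all(b < 0x80 for b in k))
    return shared, msb_zero

if __name__ == "__main__":
    shared, msb_zero = audit(SOURCES)
    for k, apps in shared.items():
        print(f"key {k} shared by {len(apps)} apps: {', '.join(apps)}")
    for k in msb_zero:
        print(f"key {k}: MSB of every byte is 0")
```

Run against the decompiled output of slides 28 and 29 (one directory per app), the same audit shows whether an app you ship embeds a key that an advertising or crypto library has also put into hundreds of other apps.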
60. Google Ads
  • Encrypt last known location
    – All location providers (GPS, Wifi, ...)
  • Send via the "uule" JSON parameter
  • Notified Google on the 23rd of June
    – No response yet
  • To be honest I haven't seen the "uule" parameter in my network yet
61. Google Ads
  • Why didn't they use asymmetric crypto?
62. Countermeasures
  • Use asymmetric crypto instead of symmetric when transferring data to a server
  • Store hashes/session tokens instead of passwords
  • Good obfuscation is Security Through Obscurity
  • Pentest your apps
  • Know the limitations
    – root stays root
63. References
  • http://designora.com/graphics/android-logo/
  • http://blog.duosecurity.com/2011/05/when-angry-birds-attack-android-edition/
  • http://jon.oberheide.org/blog/2011/03/07/how-i-almost-won-pwn2own-via-xss/
  • http://www.h-online.com/open/news/item/Android-apps-send-unencrypted-authentication-token-1243968.html
  • https://www.infosecisland.com/blogview/13459-Google-Sued-for-Surreptitious-Android-Location-Tracking.html
  • http://www.h-online.com/open/news/item/Android-malware-activates-itself-through-incoming-calls-1253807.html
  • http://www.slideshare.net/bsideslondon/bsideslondon-spo#text-version
  • https://www.hashdays.ch/assets/files/slides/burns_android_security_the%20fun%20details.pdf
  • https://theassurer.com/p/756.html
  • http://thomascannon.net/blog/2011/02/android-lock-screen-bypass/
  • http://www.symantec.com/content/en/us/about/media/pdfs/symc_mobile_device_security_june2011.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Jun_worldwide_mobilesecuritywp
  • http://www.xkcd.com/898
  • http://www.madaxeman.com/general/2009/11/lost-phone.html
  • http://thomascannon.net/projects/android-reversing/
  • http://www.infsec.cs.uni-saarland.de/projects/android-vuln/
  • http://www.heise.de/mobil/meldung/Android-verschickt-SMS-an-falsche-Empfaenger-2-Update-1162685.html
  • http://blog.duosecurity.com/2011/09/android-vulnerabilities-and-source-barcelona/
64. Thx!
  • Twitter: floyd_ch
  • http://floyd.ch