Humla workshop on Android Security Testing - null Singapore
Download as PPTX, PDF3 likes967 views
The document outlines an Android penetration testing workshop conducted by MWR InfoSecurity, detailing key aspects of Android application architecture and security assessments. It explains the roles of different Android components like activities, services, and content providers, as well as the use of tools like Drozer for vulnerability assessment. Additionally, it covers methodologies for both static and dynamic analysis of Android apps.
Humla workshop on Android Security Testing - null Singapore
- 1. mwrinfosecurity.com | MWR InfoSecurity 1 mwrinfosecurity.com | MWR InfoSecurity Android Penetration Testing Workshop 31st March 2016 Hamla (Null – SG)
- 2. mwrinfosecurity.com | MWR InfoSecurity 2 About Me • I am working with MWR Infosecurity as a security consultant, offering professional penetration tests to help clients improve their level of IT security. • Double Masters (Research) in Information Security • OSCP/CRT/OSCE Certified
- 3. mwrinfosecurity.com | MWR InfoSecurity 3 Disclaimer No Android Architecture No Android Permission Model No Java Programming No Zero-Day Vulnerability
- 4. mwrinfosecurity.com | MWR InfoSecurity 4 Outline Android Basics Android Attack Surface Demo Reverse Engineering (.apk) Static Analysis Demo Dynamic Analysis Demo
- 5. mwrinfosecurity.com | MWR InfoSecurity 5 Environment Setup • VMPlayer • Ubuntu 14.04 • Genymotion (Android 4.1.1) • Tools – apktool, jd-gui, dex2jar, android studio • Vulnerable APKs
- 6. mwrinfosecurity.com | MWR InfoSecurity 6 Android Basic • The communication between applications is performed in a well-defined manner that is strictly facilitated by a kernel module named binder, which is an Inter-Process Communication (IPC) system. • Android applications can make use of four standard components that can be invoked via calls to binder – Activities, Services, Broadcast Receivers, Content Providers.
- 7. mwrinfosecurity.com | MWR InfoSecurity 7 Android Basic • Activities represent visual screens of an application with which users interact. For example, when you launch an application, you see its main activity. • Services are components that do not provide a graphical interface. They provide the facility to perform tasks that are long running in the background and run even when user has opened another application.
- 8. mwrinfosecurity.com | MWR InfoSecurity 8 Android Basic • Broadcast receivers are non-graphical components that allow an application to register for certain systems or application events. • Content providers are the data storehouses of an application, that provide a standard way to retrieve, modify, and delete data.
- 9. mwrinfosecurity.com | MWR InfoSecurity 9 Android Basic • Each Android package contains a file named AndroidManifest. xml in the root of the archive. This file defines the package configuration, application components, and security attributes. • An intent is a defined object used for messaging which is created and communicated to an intended application component.
- 10. mwrinfosecurity.com | MWR InfoSecurity 10 Attacking Android Application • Exploiting Activities • Exploiting Insecure Content Providers • Attacking Insecure Services • Abusing Broadcast Receivers
- 11. mwrinfosecurity.com | MWR InfoSecurity 11 Drozer • Drozer is an Android assessment tool. • Drozer has two distinct use cases – • Finding vulnerabilities in applications or devices • Providing exploits and useful payloads for known vulnerabilities. • For more information – https://labs.mwrinfosecurity.com/tools/drozer/
- 12. mwrinfosecurity.com | MWR InfoSecurity 12 How Drozer works • Drozer is a distributed system that makes use of some key components - • Agent— A lightweight Android application that runs on the device or emulator being used for testing. • Console—A command-line interface running on your computer that allows you to interact with the device through the agent • Server—Provides a central point where consoles and agents can route sessions between them.
- 13. mwrinfosecurity.com | MWR InfoSecurity 13 Demo
- 14. mwrinfosecurity.com | MWR InfoSecurity 14 Root Detection • Default Files and Configurations Check if release-keys tag is present on non-rooted device - /system/build.prop • Installed Files & Packages eu.chainfire.supersu, com.koushikdutta.superuser,/system/bin/su, /syste m/xbin/su • Directory Permissions Check write permission on the directories – /system, /system/bin, /syste m/sbin • Commands Execute commands - `id`, `busybox`
- 15. mwrinfosecurity.com | MWR InfoSecurity 15 Static Analysis .apk .dex .jar unzip dex2jar jd-gui .apk .smali apktool .java
- 16. mwrinfosecurity.com | MWR InfoSecurity 16 Demo
- 17. mwrinfosecurity.com | MWR InfoSecurity 17 Dynamic Analysis Debug android application using Android Studio. .apk .dex .jar unzip dex2jar jd-gui .java source package Android Studio apktool
- 18. mwrinfosecurity.com | MWR InfoSecurity 18 Demo
- 19. mwrinfosecurity.com | MWR InfoSecurity 19 Recommended Books
Editor's Notes
- #8: Services—Services are components that do not provide a graphical interface. They provide the facility to perform tasks that are long running in the background and continue to work even when the user has opened another application or has closed all activities of the application that contains the service. Two different modes of operation exist for services. They can be started or bound to. A service that is started is typically one that does not require the ability to communicate back to the application that started it. A bound service provides an interface to communicate back results to the calling application. A started service continues to function even if the calling application has been terminated. A bound service only stays alive for the time that an application is bound to it. Broadcast receivers—Broadcast receivers are non-graphical components that allow an application to register for certain system or application events. For instance, an application that requires a notification when receiving an SMS would register for this event using a broadcast receiver. This allows a piece of code from an application to be executed only when a certain event takes place. This avoids a situation where any polling needs to take place and provides a powerful event-driven model for applications. In contrast to other application components, a broadcast receiver can be created at runtime. Content providers—These are the data storehouses of an application that provide a standard way to retrieve, modify, and delete data. The terminology used to define and interact with a content provider is similar to SQL: query, insert, update, and delete. This component is responsible for delivering an application’s data to another in a structured and secure manner.
- #11: In API version 17, which equates to Android 4.2 Jelly Bean, content providers are no longer exported by default. However, if the targetSdkVersion of an application is set to 16 or lower, the content provider will still be exported by default.