Securing Android Applications

PRESENTED BY
Manish Chasta | CISSP, CHFI, ITIL
Principal Consultant, Indusface

Securing Android
Applications

01 www.indusface.com | Copyright 2012

Agenda

Introduction to Android and Mobile Applications

Working with Android SDK and Emulator

Setting up GoatDroid Application

Memory Analysis

Intercepting Layer 7 traffic

Reverse Engineering Android Applications

SQLite Database Analysis

Demo: ExploitMe application


What NUMBERS say!!!

 Gartner Says:
 8.2 Billion mobile applications have been
downloaded in 2010
 17.7 Billion by 2011
 185 Billion application will have been downloaded
by 2014


Market Share


Introduction to Android

 Most widely used mobile OS
 Developed by Google
 OS + Middleware + Applications
 Android Open Source Project (AOSP) is
responsible for maintenance and further
development


Android Architecture


Android Architecture: Linux Kernel

 Linux kernel with system services:
 Security
 Memory and process management
 Network stack
 Provide driver to access hardware:
 Camera
 Display and audio
 Wifi
 …


Android Architecture: Android RunTime

 Core Libraries:
 Written in Java
 Provides the functionality of Java programming language
 Interpreted by Dalvik VM

 Dalvik VM:
 Java based VM, a lightweight substitute to JVM
 Unlike JVM, DVM is a register based Virtual Machine
 DVM is optimized to run on limited main memory and less CPU
usage
 Java code (.class files) converted into .dex format to be able to
run on Android platform


Android Applications


Mobile Apps vs Web Applications

 Thick and Thin Client
 Security Measures
 User Awareness


Setting-up Environment

 Handset / Android Device

 Android SDK and Eclipse

 Emulator

 Wireless Connectivity

 And of course… Application file


Setting-up Lab

 What we need:
 Android SDK
 Eclips
 GoatDroid (Android App from OWASP)
 MySQL
 .Net Framwork
 Proxy tool (Burp)
 Agnitio
 Android Device (Optional)
 SQLitebrowser


Working with
Android SDK


Android SDK

 Development Environment for Android
Application Development
 Components:
 SDK Manager
 AVD Manager
 Emulator


Android SDK

 Can be downloaded from :
developer.android.com/sdk/

 Requires JDK to be installed

 Install Eclipse

 Install ADT Plugin for Eclipse


Android SDK : Installing SDK

 Simple Next-next process


Android SDK: Configuring Eclipse

 Go to Help->Install new Software
 Click Add
 Give Name as ADT Plugin
 Provide the below address in Location: http://dl-
ssl.google.com/android/eclipse/
 Press OK
 Check next to ‘Developer Tool’ and press next
 Click next and accept the ‘Terms and Conditions’
 Click Finish


Android SDK: Configuring Eclipse

 Now go to Window -> Preferences
 Click on Android in left panel
 Browse the Android SDK directory
 Press OK


SDK Manager


AVD Manager


Emulator: Running

Click on Start


Emulator: Running from Command Line


Emulator: Running with proxy


ADB: Android Debug Bridge

 Android Debug Bridge (adb) is a versatile command
line tool that lets you communicate with an emulator
instance or connected Android-powered device.

 You can find the adb tool in <sdk>/platform-tools/


ADB: Important Commands

Install an application to emulator or device:



 Push data to emulator / device
 adb push <local> <remote>

 Pull data to emulator / device

 adb pull <remote> <local>

 Remote - > Emulator and Local -> Machine



 Getting Shell of Emulator or Device

 adb shell

 Reading Logs

 adb logcat



 Reading SQLite3 database

 adb shell

 Go to the path

 SQLite3 database_name.db

 .dump to see content of the db file and .schema to print the
schema of the database on the screen

 Reading Logs

 adb logcat


Auditing
Application from
Android Phone


Need of Rooting

What is Android
Rooting?


Rooting Android Phone

Step 1: Download CF Rooted Kernel
files and Odin3 Software



Step 2: Keep handset on
debugging mode



Step 3: Run Odin3



Step 4: Reboot the phone in
download mode

Step 5: Connect to the PC



Step 6: Select required file i.e: PDA, Phone, CSC files
Step 7: Click on Auto Reboot and F. Reset Time and hit Start button



If your phone is Rooted... You will see PASS!! In Odin3


Important Tools

 Terminal Emulator

 Proxy tool (transproxy)


Setting Proxy

 Both Android Phone and laptop (machine to be used
in auditing) needs to be in same wireless LAN.

 Provide Laptops IP address and port where proxy is
listening in proxy tool (transproxy) installed in
machine.


Intercepting Traffic (Burp)

 Burp is a HTTP proxy tool

 Able to intercept layer 7 traffic and allows
users to manipulate the HTTP Requests and
Response


Memory Analysis with Terminal Emulator

 DD Command:

 dd if=filename.xyz of=/sdcard/SDA.dd

 Application path on Android Device:

 /data/data/com.application_name


Lab: GoatDroid
A vulnerable Android
application from the
OW ASP


GoatDroid : Setting up

 Install MySQL

 Install fourgoats database.

 Create a user with name as "goatboy", password as
"goatdroid" and Limit Connectivity to Hosts Matching
"localhost". Also "goatboy" needs to have insert,
delete, update, select on fourgoats database.



 Run goatdroid-beta-v0.1.2.jar file
 Set the path for Android SDK Root directory
and Virtual Devices:
 Click Configure -> edit and click on Android tab
 Set path for Android SDK, typically it should be
 C:Program FilesAndroidandroid-sdk
 Set path for Virtual Devices, typically it should be
 C:Documents and SettingsManishandroidavd



 Start web services
 Start emulator through GoatDroid jar file
 Push / Install the application to Device
 Run FourGoat application from emulator
 Click on Menu and then click on Destination Info
 Provide following information in required fields:
 Server: 10.0.2.2 and Port 8888



Demo / Hands On


GoatDroid : Setting up proxy

 Assuming FourGoat is already installed
 Run goatdroid-beta-v0.1.2.jar file and start web services
 Start any HTTP Proxy (Burp) tool on port 7000
 Configure Burp to forward the incoming traffic to port 8888
 Start emulator from command line by giving following
command:
 emulator –avd test2 –http-proxy 127.0.0.1:7000


GoatDroid : Setting up proxy

 Open the FourGoat application in emulator
 Click on Mene to set Destination Info
 Set Destination Info as below:
 Server: 10.0.2.2 and port as 7000

 Now see if you are able to intercept the trrafic
in Burp 


GoatDroid : Setting up Proxy

Demo / Hands On


GoatDroid: Intercepting Traffic

Demo / Hands On


GoatDroid: Parameter
Manipulation Attack

Demo / Hands On


GoatDroid: Handset Memory Analysis

Demo / Hands On


GoatDroid: Auditing from Android Device

 Install the app in Android device
 Set the destination info as below:
 Server: IP address (WLAN) of your laptop
and port as 8888 (incase no proxy is
listening)
 Memory Analysis through Terminal Emulator
and DD command


GoatDroid: Reverse Engineering

Next Topic


Reverse Engineering
Android Applications


Reverse Engineering Android Application

 Vulnerabilities can be found through Reverse
Engineering :
 Vulnerabilities in Source Code

 Re-compile the application

 Commented Code

 Hard coded information



 Dex to jar (dex2jar)
 C:dex2jar-versiondex2jar.bat someApk.apk

 Open code files in any Java decompile



Demo / Hands On


Agnitio

 Mobile Application Coder Review tool

 Install: Next-Next process

 Can analyze Codebase as well as .apk file


Agnitio

Demo / Hands On


Analyzing SQLite
Database


Analyzing SQLite Database

 SQLite Database:

 SQLite is a widely used, lightweight database

 Used by most mobile OS i.e. iPhone, Android, Symbian, webOS

 SQLite is a free to use and open source database

 Zero-configuration - no setup or administration needed.

 A complete database is stored in a single cross-platform disk file.



 Pull the .db files out of the emulator / Device
as explained eirler
 Tools
 SQLite browser
 Epilog



Demo / Hands On


ExploitMe
One more Vulnerable
application from
Security Compass


ExploitMe

Demo / Hands On


Manish Chasta
Email: manish.chasta@indusface.com


Thank You

Sales : sales@indusface.com
Marketing : marketing@indusface.com
Technical : support@indusface.com

VADODARA, INDIA BANGALORE, INDIA MUMBAI, INDIA
A/2-3, 3rd Floor, Status Plaza 408, 2nd Floor 1357 / 1359, Regus Serviced
Opp Relish Resort Regency Enclave Offices, Level 13, Platinum
Atladara Old Padra Road 4, Magrath Road Techno Park 17 & 18, Sector 30,
Vadodara – 390020 Bangalore – 560025 Vashi, Navi Mumbai – 400705
Gujarat, India Karnataka, India Maharashtra, India.

T: +91 265 3933000 T: +91 80 65608570 T : +91 22 61214961
F: +91 265 2355820 +91 80 65608571
F : +91 80 41129296

OTTAWA, CANADA HOUSTON, USA
137 Goodman Drive 1001 Fannin Street, Ste 1250
Kanata, Ottawa K2W 1C7 Houston, Texas 77002
Ontario, Canada USA

T : +1 613 721 9363 T : +1 832 295 1462


Securing Android Applications

More Related Content

What's hot (20)

Viewers also liked (6)

Similar to Securing Android Applications (20)

Recently uploaded (20)

Securing Android Applications