Android Security & Penetration Testing

ANDROID SECURITY
& PENETRATION TESTING
Subho Halder
@sunnyrockzzs #AFE
Monday, 23 September 13

./AboutMe.sh
Information Security Researcher
Trainer at BlackHat, OWASP AppSec, ToorCon, SysCan.
Lead Developer of AFE (Android Framework for Exploitation)
Python Lovers
Co-founder of XYSEC (http://xysec.com)
Have found bug in some famous websites including Google, Apple, Microsoft,
Skype, Adobe and many more

Some Companies I have found Vulnerabilities in .....
And many more...

./Agenda
Quick Introduction to Android Internals
Android Security Model
Android Coding Best Practices
Android Malware, Technique, Effectiveness using AFE (Android Framework for
Exploitation)
Small Social Experiment !

Android Internals.exe
Based on Linux kernel version 3.x (version 2.6 prior to Android 4.0 ICS)
Application runs through Dalvik VM (Dalvik Virtual Machine)
Dalvik VM runs executable files like dex (Dalvik executable) or apk files
apk files are zipped content of Resources, Signatures, classes.dex and
AndroidManifest.xml file

Android Security Model.txt
Application are sandboxed (Runs with different UID and GID)
Zygote spawns a new process for each Application
Each Application runs with a separate instance of Dalvik VM
Special Permissions are provided to access Hardware API’s
Permissions are mentioned in AndroidManifest.xml file.

Android Application.apk
Just an Archive !
Written mainly in Java and XML
Multiple Entry-points, such as Activity, Services,
Intents, Content Providers, etc.

AndroidManifest.xml

CAN THESE PERMISSION BE BYPASSED?

Uploading a sensitive file from SD-Card to
Remote Server without any Permission!
Read Files from
SD-Card
Uploads File to
Remote Server
Upload a file through
Browser
Permission not
Required for
READING files from
SD Card
Opening Browser
through INTENT
doesn’t requires
Permission
Intent(Intent.ACTION_VIEW, Uri.parse("http://google.com/"));
Save theValue in the
GET parameter to a
file in Server

QUICK-DEMO ( SHOULD I ) ?

Android Coding Best Practices
Follow -> http://developer.android.com/guide/practices/index.html
Top 10 Mobile Risks (Outdated) -> https://www.owasp.org/index.php/
Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
Attend more GDG Talks and other Security Conferences
Shoot me a tweet @sunnyrockzzs

AndroidManifest.xml OMG !
Activities, Services, Receivers should not be exported or else you
can bypass those activities !

AndroidManifest.xml OMG ! (Contd.)
android:exported= “True” in <provider> will turn into a nightmare !
BTW by default it is “True” if either android:minSdkVersion or
android:targetSdkVersion to “16” or lower. For applications that set either of
these attributes to “17” or higher, the default is “false”.

AndroidManifest.xml OMG ! (Contd.)AndroidManifest.xml OMG ! (Contd.)
AndroidManifest.xml OMG ! (Contd.)AndroidManifest.xml OMG ! (Contd.)
AndroidManifest.xml OMG ! (Contd.)Monday, 23 September 13

ANDROID MALWARE

Android Malware (Common Features)
Send SMS to premium Number
Subscribe to premium Services
Dial Premium number
Steal messages, contact list, logs
Steal SD-Card files
Auto-respond to attackers’s text messages !

Creating a Malware.vbs
Use CONTENT PROVIDERS
Make use of CURSORS & SQLITE databases
Write JAVA codes like crazy
Set up Server component
Get frustrated, start from bullet-point one.

If you don’t have past relationship with JAVA

Android Framework for Exploitation

Let’s Create a Malware !

What about GOOGLE?
Presenting GOOGLE Bouncer !

“I am not Afraid” - Eminem

Faking Legitimate Application?
Malware services generally injected in legitimate applications
How to do it?
legitimate apk Smali/Java
Add malicious
services/classes
RecompileFinal malware

USE AFE TO AUTOMATE !!

Android Framework for Exploitation.py
To make your life easier !
Find security vulnerabilities in your device+apps
Protect your device against malwares
Create automated malwares/botnets + send the data to a python listener
Inject malicious services in another applications
Use Android Exploits Crypt existing malwares to make them FUD

AFE Perspective.c
Offensive Defensive
Malware Creation
BotNet Automation
Crypting
Injecting
Content Query
App Assesment
Fuzzing
Kernel Assesment

AFE Internals.py
Python
Based
Plugin Based
Architecure
Modules Libraries

Let’s Make it FUD
Matches the signature with its
database
Checks the activity, service and
other class names
checks the names of the variables
Checks the control ﬂow graph

Let’s Make it FUD
database
other class names
Rebuild + Zipalign

Let’s Make it FUD
database
other class names
Modiﬁes the classnames and all its
references within ﬁles
Example: Converts com.example.org to com.omg.lol

Let’s Make it FUD
database
other class names
Split variables into two, and
append at runtime
Example:
String a = “hello”
Will now become
String aa = “hel”
String ab = “lo”
String a = aa + ab

Let’s Make it FUD
database
other class names
Add dummy loops to change
CFG
Example:
goto end;
start: //everything in this label will execute, only when it is called
........
end: //everything in this label will execute, only when it is called
goto start;

Statistics? ? ? ? ? ? ?.xls
Earlier Detection: 30/46

Statistics? ? ? ? ? ? ?.xls
Detection after Crypting: 4/46

OOPS CRYPTING MODULE IS NOT
PUBLIC :)

./Conclusion -h
Be safe
Don’t download apps from 3rd party markets
Turn USB debugging OFF
Anti-virus vendors -> Switch to dynamic analysis Focus on BYOD security
We also conduct trainings on Advanced Mobile Hands-on Security/Exploitation
for both Android and iOS

HEY WAIT!! WHERE IS THE
SOCIAL EXPERIMENT ?

./QUESTIONS
subho.halder@gmail.com
security@xysec.com
http://xysec.com
@sunnyrockzzs

STILL CURIOUS ??
MEET ME NOW !!!

Android Security & Penetration Testing

More Related Content

What's hot

Viewers also liked

Similar to Android Security & Penetration Testing

More from Subho Halder

Recently uploaded

Android Security & Penetration Testing