Testing Android Security (Codemotion Amsterdam edition)
Testing Android Security
José Manuel Ortega
@jmortegac
AMSTERDAM 11-12 MAY 2016
https://speakerdeck.com/jmortega
http://jmortega.github.io
AGENDA
▪ Development Cycle
▪ Static and Dynamic Analysis
▪ Components Security
▪ Hybrid Automatic tools
▪ Best Practices & OWASP
DEVELOPMENT CYCLE
WHITE BOX / BLACK BOX
TESTING ANDROID SECURITY
FORENSICS
STATIC ANALYSIS
CODE REVIEW / SOURCE CODE ANALYSIS
ANDROID LINT
ANDROID STUDIO INSPECT CODE
ANDROID SONAR PLUGIN
ANDROID SONAR PLUGIN >RULES
SONAR SECURITY
ANDROWARN
QARK
▪ Quick Android Review Kit
▪ https://github.com/linkedin/qark
▪ Static code analysis tool
▪ Look for potential vulnerabilities
QARK
▪ Identifies permissions and exported components (activities, services, receivers, providers) in the manifest
▪ Looks for files created with MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE
▪ Looks for broken X.509 certificate validation (permissive TrustManager / HostnameVerifier)
QARK REPORT
REVERSE ENGINEERING
▪ classes.dex inside the APK holds the compiled Dalvik bytecode
▪ APKTOOL: disassembles classes.dex to smali and decodes the resources and AndroidManifest.xml
▪ DEX2JAR: converts classes.dex into a jar of Java .class files
▪ Java decompiler: turns the classes back into readable Java source (JADX-GUI works directly on the APK)
APK STRUCTURE
DISASSEMBLY AND DECOMPILATION
JADX-GUI
APKTOOL
DYNAMIC ANALYSIS TOOLS
WIRESHARK
BURP SUITE
▪ HTTP proxy tool for intercepting network traffic
▪ Intercepts application-layer (HTTP/HTTPS) traffic and lets the tester inspect and
manipulate each request and response
DROZER
▪ https://labs.mwrinfosecurity.com/tools/drozer/
▪ Finds vulnerabilities automatically
▪ Automates security testing
▪ Interacts with your apps through Android IPC, so the target does not need
android:debuggable: the drozer agent runs as an ordinary app on the device
INSIDE DROZER
DROZER PACKAGE INFO
▪ app.package.info: permissions, data directory, shared user ID and exported components of a package
DROZER COMMANDS
▪ app.package.attacksurface: counts the exported activities, services, receivers and providers
DROZER CONTENT PROVIDERS
▪ app.provider.info and scanner.provider.finduris: enumerate the content URIs an attacker can reach
FINDING SQL INJECTION IN CONTENT PROVIDERS
▪ scanner.provider.injection: probes the projection and selection parameters of every reachable URI
EXPLOITING SQL INJECTION VULNERABILITY
▪ app.provider.query: with a crafted projection or selection the attacker reads tables the provider never meant to expose
ANDROID MANIFEST
android:debuggable="true"
android:exported="true"
ANDROID MANIFEST EXPORTED ATTRIBUTE
…
…
…
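The manifest checks above (exported components, android:debuggable, requested permissions) are exactly what QARK and drozer's app.package.info report. The following is an added example, not code from the talk or from QARK, that performs the same triage on a decoded AndroidManifest.xml. The manifest is a constructed sample; the export defaults it applies are the platform rules of the time (a component with an intent-filter is exported unless android:exported="false"; a provider is exported by default when targetSdkVersion < 17).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (not from any real app) exercising each export rule.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vulnapp">
    <uses-sdk android:targetSdkVersion="16"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:debuggable="true" android:allowBackup="true">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".AdminActivity" android:exported="true"/>
        <activity android:name=".HiddenActivity" android:exported="false"/>
        <service android:name=".SyncService"/>
        <provider android:name=".NotesProvider"
            android:authorities="com.example.vulnapp.notes"/>
        <provider android:name=".SafeProvider"
            android:authorities="com.example.vulnapp.safe"
            android:exported="false"/>
        <receiver android:name=".BootReceiver" android:exported="true"
            android:permission="com.example.vulnapp.CUSTOM"/>
    </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace (ElementTree keys them as {ns}name)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem, target_sdk):
    """Reproduce the platform default when android:exported is not written explicitly."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return target_sdk < 17          # providers were exported by default before API 17
    return elem.find("intent-filter") is not None   # pre-API-31 rule for the other components


def analyze_manifest(xml_text):
    """Return the facts a reviewer wants first: debug flag, permissions, reachable components."""
    root = ET.fromstring(xml_text)
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(_attr(uses_sdk, "targetSdkVersion") or 1) if uses_sdk is not None else 1
    app = root.find("application")
    findings = {
        "package": root.get("package"),
        "target_sdk": target_sdk,
        "debuggable": (_attr(app, "debuggable") or "false").lower() == "true",
        "allow_backup": (_attr(app, "allowBackup") or "true").lower() == "true",
        "permissions": [_attr(p, "name") for p in root.findall("uses-permission")],
        "exported": [],
    }
    for elem in app:
        if elem.tag in COMPONENT_TAGS and is_exported(elem, target_sdk):
            findings["exported"].append({
                "type": elem.tag,
                "name": _attr(elem, "name"),
                # None means any app on the device can reach the component
                "protected_by": _attr(elem, "permission"),
            })
    return findings


def unprotected_exported(findings):
    """Exported components that no permission guards: the attack surface drozer would probe."""
    return [c["name"] for c in findings["exported"] if c["protected_by"] is None]


if __name__ == "__main__":
    result = analyze_manifest(SAMPLE_MANIFEST)
    print("debuggable:", result["debuggable"], " targetSdk:", result["target_sdk"])
    for comp in result["exported"]:
        print("exported %-10s %-20s permission=%s" % (comp["type"], comp["name"], comp["protected_by"]))
    print("unprotected:", unprotected_exported(result))
```

Run it against the output of `apktool d` (the decoded manifest is plain XML there; the binary manifest inside the APK needs decoding first). The implicit-export rule is the one that bites in practice: .MainActivity and .NotesProvider never say android:exported="true", yet both are reachable from any other app.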
COMPONENTS SECURITY
▪ AndroidManifest.xml
▪ Activities
▪ Content Providers
▪ Services
▪ Shared Preferences
▪ Webview
LOG INFORMATION
Gate debug logging on BuildConfig.DEBUG so release builds do not leak data to logcat:

    public static final boolean SHOW_LOG = BuildConfig.DEBUG;

    public static void d(final String tag, final String msg) {
        if (SHOW_LOG) {
            Log.d(tag, msg);
        }
    }
THIRD PARTY LIBRARIES
VULNERABILITIES IN CORDOVA 3.5
SECURITY IN CONTENT PROVIDERS
▪ Content providers give a standardized interface for sharing data between applications
▪ Data is addressed by content:// URIs
▪ Callers can run queries equivalent to SELECT, UPDATE, INSERT and DELETE, so
caller-supplied projection and selection strings reach the SQL layer
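The SQL injection drozer finds and exploits in content providers (the "finding" and "exploiting" slides above) comes from the provider pasting the caller's projection and selection strings into the query. The following is an added example, not code from the talk or from drozer, that reproduces the bug with Python's sqlite3 module: vulnerable_query() mirrors a ContentProvider.query() built with SQLiteQueryBuilder and no projection map, hardened_query() mirrors an allow-listed projection plus "column = ?" selections bound through selectionArgs. The database contents are constructed for the example; the projection payload is the classic one drozer sends with --projection.

```python
import sqlite3


def build_db():
    """Constructed sample database standing in for the app's private SQLite file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE notes (_id INTEGER PRIMARY KEY, title TEXT, body TEXT, owner TEXT);
        CREATE TABLE credentials (_id INTEGER PRIMARY KEY, user TEXT, password TEXT);
        INSERT INTO notes VALUES (1, 'groceries', 'milk, eggs', 'alice');
        INSERT INTO notes VALUES (2, 'todo', 'call bank', 'bob');
        INSERT INTO credentials VALUES (1, 'alice', 'hunter2');
    """)
    return conn


def vulnerable_query(conn, projection, selection, selection_args):
    """The provider as written: caller-controlled projection and selection go straight into SQL."""
    cols = ", ".join(projection) if projection else "*"
    sql = "SELECT %s FROM notes" % cols
    if selection:
        sql += " WHERE " + selection
    return conn.execute(sql, tuple(selection_args or ())).fetchall()


ALLOWED_COLUMNS = {"_id", "title", "body"}   # owner and every other table stay hidden


def hardened_query(conn, projection, selection, selection_args):
    """Projection limited to an allow-list (the effect of setProjectionMap/setStrict);
    selection limited to 'column = ?' clauses whose values arrive as bound parameters."""
    cols = list(projection) if projection else sorted(ALLOWED_COLUMNS)
    bad = [c for c in cols if c not in ALLOWED_COLUMNS]
    if bad:
        raise ValueError("unknown column(s) in projection: %s" % bad)
    sql = "SELECT %s FROM notes" % ", ".join(cols)
    params = ()
    if selection:
        clauses = [c.strip() for c in selection.split(" AND ")]
        for clause in clauses:
            parts = clause.split("=")
            if len(parts) != 2 or parts[0].strip() not in ALLOWED_COLUMNS or parts[1].strip() != "?":
                raise ValueError("selection must consist of 'column = ?' clauses: %r" % clause)
        if len(clauses) != len(selection_args or ()):
            raise ValueError("selectionArgs count does not match the number of placeholders")
        sql += " WHERE " + " AND ".join(clauses)
        params = tuple(selection_args)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Step 1 of the attack: the projection payload turns the query into
    # "SELECT * FROM sqlite_master-- FROM notes", listing every table and its schema.
    print(vulnerable_query(db, ["* FROM sqlite_master--"], None, None))
    # Step 2: the same trick against a table name learned in step 1.
    print(vulnerable_query(db, ["* FROM credentials--"], None, None))
    # Selection injection: an attacker-controlled WHERE clause defeats any row filter.
    print(vulnerable_query(db, ["title"], "owner = 'alice' OR 1=1", None))
    # The hardened provider rejects both payloads and still serves legitimate queries.
    print(hardened_query(db, ["title"], "title = ?", ["groceries"]))
```

The first two calls are the drozer workflow in miniature: dump sqlite_master to learn table names, then dump the interesting table. Note that binding selectionArgs alone does not fix the projection path; the allow-list is what closes it.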
SQLCIPHER
▪ SQLCipher is an open-source extension to SQLite that provides transparent
encryption of database files
▪ Encrypts the whole SQLite database with 256-bit AES
▪ http://sqlcipher.net/sqlcipher-for-android
SECURED PREFERENCES
▪ https://github.com/scottyab/secure-preferences
▪ Encrypts your app's shared preferences
▪ Android SharedPreferences wrapper that encrypts both keys and values
DATA STORAGE
PROTECTING DATA FILES
SECURE COMMUNICATIONS
▪ Ensure that all sensitive data is encrypted in transit
▪ Certificate pinning to mitigate MITM attacks
CERTIFICATES
Insecure patterns that disable TLS validation (a frequent code-review finding):
▪ SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER (turns off hostname verification)
▪ A custom TrustManager whose checkServerTrusted() accepts every chain, i.e. never throws
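Both anti-patterns are easy to hunt for in decompiled source once the APK has been run through dex2jar or JADX. The following is an added example, not code from the talk or from QARK, that scans Java source for them: a checkServerTrusted() body that never throws and never delegates, a HostnameVerifier.verify() that just returns true, and the ALLOW_ALL_HOSTNAME_VERIFIER constant. The Java excerpt is constructed for the example and is not taken from any real app.

```python
import re

# Constructed excerpt of decompiled Java source (not from any real app).
SAMPLE_SOURCE = """
package com.example.vulnapp.net;

public class UnsafeTrust implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType) {
        // accept everything
    }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}

class Net {
    void setup(HttpsURLConnection c) {
        c.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
        c.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) { return true; }
        });
    }
}

class GoodTrust implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (!pinMatches(chain[0])) throw new CertificateException("pin mismatch");
        defaultTm.checkServerTrusted(chain, authType);
    }
}
"""


def _method_body(src, start):
    """Return the text between the brace at src[start] and its matching close brace."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
    raise ValueError("unbalanced braces")


def _line_of(src, pos):
    return src.count("\n", 0, pos) + 1


def _strip_comments(code):
    code = re.sub(r"/\*.*?\*/", "", code, flags=re.S)   # block comments
    return re.sub(r"//[^\n]*", "", code)               # line comments


def find_tls_weaknesses(src):
    """Return sorted (line, description) pairs for TLS validation that has been disabled."""
    findings = []
    # 1. Trust managers whose checkServerTrusted never rejects a chain: no throw, no delegation.
    for m in re.finditer(r"void\s+checkServerTrusted\s*\([^)]*\)[^{]*\{", src):
        body = _strip_comments(_method_body(src, m.end() - 1))
        if "throw" not in body and "checkServerTrusted" not in body:
            findings.append((_line_of(src, m.start()), "checkServerTrusted accepts any chain"))
    # 2. Hostname verifiers whose whole body is 'return true;'.
    for m in re.finditer(r"boolean\s+verify\s*\([^)]*\)[^{]*\{", src):
        body = _strip_comments(_method_body(src, m.end() - 1))
        if re.fullmatch(r"\s*return\s+true\s*;\s*", body):
            findings.append((_line_of(src, m.start()), "HostnameVerifier.verify always returns true"))
    # 3. The permissive constant from the Apache HttpClient API.
    for m in re.finditer(r"ALLOW_ALL_HOSTNAME_VERIFIER", src):
        findings.append((_line_of(src, m.start()), "ALLOW_ALL_HOSTNAME_VERIFIER disables hostname check"))
    return sorted(findings)


if __name__ == "__main__":
    for line, what in find_tls_weaknesses(SAMPLE_SOURCE):
        print("line %3d: %s" % (line, what))
```

GoodTrust is deliberately left unflagged: it throws on a pin mismatch and then defers to the platform trust manager, which is the shape a pinning implementation should have. Heuristics like these are a starting point for review, not a verdict; a body that swallows the result of a real check would still pass rule 1.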
CERTIFICATE PINNING
X.509 CERTIFICATES
HTTPS Connection
ENCRYPT NETWORK REQUESTS
▪ Best practice is to always encrypt network communications
▪ HTTPS (TLS) protects against MitM attacks and prevents casual sniffing of traffic
▪ The platform's default TrustManager validates the server certificate chain; keep it
instead of replacing it with a permissive one
VALIDATE SERVER CERTIFICATE
▪ https://www.ssllabs.com/ssltest
CHECK CERTIFICATES TOOLS
▪ OpenSSL
▪ Keytool
▪ Jarsigner
RUNTIME PERMISSIONS
▪ Before Android 6.0 (API 23): all permissions granted at install time
▪ From Android 6.0: dangerous permissions require user confirmation and are
prompted for at runtime
▪ Granted/revoked by permission group
▪ Managed per app, per user
▪ /data/system/users/0/runtime-permissions.xml
Group permissions on Android M
Permissions FLOW on Android M
Permissions on Android M
OBFUSCATION
▪ An obfuscator can use several techniques to protect a Java/Android application:
▪ rename classes, methods and fields
▪ modify the control flow
▪ optimize the code
▪ load code dynamically
▪ rewrite instructions (metamorphic transformation)
PROGUARD
▪ File shrinker: detects and removes unused
classes, fields, methods,and attributes
▪ Optimizer: optimizes bytecode and removes
unused instructions
▪ Obfuscator: renames classes, fields, and
methods using short meaningless names
OBFUSCATION WITH PROGUARD
HYBRID AUTOMATIC ONLINE TOOLS
▪ SandDroid
▪ ApkScan
▪ Visual Threat
▪ TraceDroid
▪ CopperDroid
▪ APK Analyzer
▪ ForeSafe
▪ AndroTotal
▪ NowSecure Lab
VULNERABILITY ANALYSIS
▪ http://sanddroid.xjtu.edu.cn/#home
SANDDROID
TRACEDROID
NOWSECURE LAB
BEST PRACTICES
▪ Don't hardcode sensitive information (keys, credentials) in the app
▪ Don't store sensitive information unless you have to
▪ Don't store data in easily readable locations such as external storage (memory card)
▪ Encrypt the data you do store
▪ Use TLS (HTTPS) for all network communication
BEST PRACTICES
▪ Protect the webserver against application layer
attacks
▪ Prefer encryption over encoding or obfuscation
▪ Sanitize inputs, use prepared statements
(protection against sql injection)
BEST PRACTICES
Android Secure Coding Checklist
▪ Request only the permissions you need (least privilege)
▪ Don't export components unnecessarily
▪ Handle incoming intents carefully (validate their data)
▪ Justify any custom permissions
▪ Mutually authenticate services
▪ Use the platform APIs to construct ContentProvider URIs
▪ Use HTTPS
▪ Follow the best practices from the OWASP Mobile Security Project: http://owasp.org/index.php/OWASP_Mobile_Security_Project
OWASP MOBILE TOP 10 RISKS
Open Android Security Assessment Methodology
PENTESTING TOOLS / SANTOKU LINUX
PENTESTING TOOLS / NOWSECURE
▪ https://www.nowsecure.com/resources/freetools/
REFERENCES
▪ ProGuard: http://proguard.sourceforge.net
▪ dex2jar: http://code.google.com/p/dex2jar
▪ apktool: http://code.google.com/p/android-apktool
▪ drozer: https://labs.mwrinfosecurity.com/tools/drozer
▪ SQLCipher for Android: http://sqlcipher.net/sqlcipher-for-android
▪ OWASP Mobile Security Project: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
▪ Android security tips: https://developer.android.com/training/articles/security-tips.html
BOOKS
Thanks!
@jmortegac
AMSTERDAM 9-12 MAY 2016