rapid android application security testing

Post on 18-Jul-2015

Category:

Mobile

Rapid Android Application Security Testing

Agenda

• Introduction to Android Testing

– Static Analysis

– Dynamic Analysis

– Local Storage Inspection

• Challenge.txt

Android Security Testing

• Can install apps on the device and go hack the network.

• Can install the application in the emulator and test it.

What’s inside?

• Android is a Linux kernel based OS.

• Dalvik VM (Dalvik Virtual Machine) executes the dex file (Dalvik Executable).

• APK (Android Application Package) is a zip archive containing all the resources, i.e. the manifest file, signatures, dex file, and other resources.

So what happens?

• Java source code is compiled to Java byte code using the Java compiler.

• Byte code is converted into Dalvik code using the dex compiler.

• The Dalvik Executable (dex file) goes to the Dalvik VM and executes within it.

…Continued.

Diagram: Java Source Code → Java Compiler → Java Byte Code → Dex Compiler → Dalvik Code (Dalvik Executable, Dex File) → Dalvik VM

Pentest. How to do?

• Break the testing into three parts:

– Static Testing

– Dynamic Testing

– Local Storage

• Try to uncover issues in every phase.

Static Analysis

• Get the .apk file.

• Reverse Engineer it.

• Decompile / Dis-assemble it.

• Dis-assemble it using

– Dedexer (gives assembly-like output), or

– Baksmali (based on dedexer; gives code that is easier to understand).

• Decompile it using

– Dex2jar (Dalvik code turns into Java byte code, a jar file).

– Use jd-gui to view the Java source code.

What to look for?

• Look for API information, database connection strings, internal / external IP disclosures and ports, etc.

• If you are lucky, you might get a password too. Believe me, developers are crazy.

• If you can go for social engineering stuff, a lot of emails can be found.

• Tip: A pair of /* and */ holds a lot of information.
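As an added example (not part of the original deck or of the linked repository), a small Python scanner that applies the "What to look for?" checklist to a jd-gui / dex2jar or apktool output tree: credential-like assignments, JDBC connection strings, IP addresses with ports, e-mail addresses, and the /* … */ comment blocks the tip singles out. The sample class and every value in it are constructed for illustration.

```python
import re
from pathlib import Path
from typing import Dict, List

# One regex per checklist item from the slide. Keys, secrets, passwords and
# tokens assigned as string literals; JDBC connection strings; dotted-quad IPs
# with an optional port; e-mail addresses. Block comments are handled separately.
PATTERNS = {
    "credential": re.compile(r'(?i)(api[_-]?key|secret|passw(or)?d|token)\s*[=:]\s*"([^"]+)"'),
    "db_conn": re.compile(r'jdbc:[a-z0-9]+://[^\s"]+'),
    "ip_port": re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b'),
    "email": re.compile(r'[\w.+-]+@[\w-]+\.[\w.-]+'),
}
BLOCK_COMMENT = re.compile(r'/\*.*?\*/', re.DOTALL)  # a pair of /* and */


def scan_source(text: str) -> Dict[str, List[str]]:
    """Return the matches per category, deduplicated, in order of appearance."""
    hits: Dict[str, List[str]] = {name: [] for name in PATTERNS}
    hits["comment"] = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(text):
            if m.group(0) not in hits[name]:
                hits[name].append(m.group(0))
    for m in BLOCK_COMMENT.finditer(text):
        hits["comment"].append(" ".join(m.group(0).split()))  # collapse whitespace
    return hits


def scan_tree(root: Path) -> Dict[str, Dict[str, List[str]]]:
    """Walk a decompiled tree (jd-gui export, apktool smali/res) and scan each file."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in {".java", ".smali", ".xml"}:
            hits = scan_source(path.read_text(errors="replace"))
            if any(hits.values()):
                report[str(path.relative_to(root))] = hits
    return report


# Constructed sample of what a decompiled class can look like (not from any real app).
SAMPLE_JAVA = '''/* TODO remove before release: staging creds are admin / Winter2015 */
public class ApiClient {
  static final String API_KEY = "EXAMPLEKEY1234";
  static final String DB = "jdbc:mysql://10.0.0.12:3306/appdb";
  static final String HOST = "192.168.1.20:8443";
  static final String SUPPORT = "support@example.com";
}
'''

if __name__ == "__main__":
    for category, found in scan_source(SAMPLE_JAVA).items():
        for item in found:
            print(f"[{category}] {item}")
```

Point `scan_tree` at the directory jd-gui or apktool wrote and review the per-file report; every hit is a candidate for removal from the shipped build, not proof of a weakness.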

m0bLiz3r Demo

https://github.com/nkpanda/Android-Testing

Dynamic Analysis

• Load emulator.

• Set up an Interception Proxy

• Figure out SSL issues.

• And follow the generic logic test cases you follow in web applications.

Proxy Setup

Continued…

Local Storage Inspection

• Check for sensitive data getting stored on client side.

• XML files, database files are most commonly found culprits.

• Inspect memory for sensitive information > memdump.

• Inspect generated logs for sensitive information > logcat.

• Uninstall and check if things remain in application folder.

Where to look?

How does it look?

Tools Of Trade

• Android SDK

• ADB

• BurpSuite

• APKtools

• Smali/baksmali

• Dex2jar

• Genymotion

• Appuse/Android Tamer.

Challenges

• AppUse is quite slow:

– Save time in loading your emulator.

– Save time in installing the app.

• ADB always runs behind the device. If you are idle, adb doesn't work, or you have to restart your emulator.

– Keep your ADB attached to the device constantly.

• Commands for every push, apk installation, etc.

– Get a drag-and-drop feature.

• The organization might ask you to get the application from the Play Store.

– Get the Play Store.

• Genymotion

– gives you all the above sweet cake.

– Supports webcam, mic, GPS, etc. as well (haven't tested them however).

– Not stable (one bad out of six is never a bad).

Time up: What next?

• OWASP Mobile Top 10

• Drozer (for Inter Process Communication)

• Explore new tools all the time.

• Keep sharing.

Questions?