Android hacking and protective measures - ISACA...


Android application hacking demonstration

11 September 2017

Ivan Mercalina

Senior Information Security Officer BearingPoint

Android hacking and protective measures

2

Android App Hacking Demo. Disclaimer

• Today we will do a real-life, low-tech demo.

• This demo does not concern the hacking of an Android mobile device.

• This demo shows possible vulnerabilities in Android apps.

3

Android App Hacking Demo. Disclaimer

My area of expertise focuses on:

• Common security mistakes

  ➤ Find credentials if not saved correctly

  ➤ Bypass authentication

  ➤ Bypass encryption

• Recompiling apps

• Analyzing data traffic

• Attacks on the back-end server

What I am not

• An Android expert/developer

Agenda

1. Android in a nutshell

2. Hacking demo

3. Protective measures

5

Mobile security as trending news

6

Android in a nutshell

• Designed by Google

• Installed via an APK file

• Good security structure if applied well

Operating System   4Q16 Units   4Q16 Market Share (%)   4Q15 Units   4Q15 Market Share (%)
Android             352,669.9    81.7                    325,394.4    80.7
iOS                  77,038.9    17.9                     71,525.9    17.7
Windows               1,092.2     0.3                      4,395.0     1.1
BlackBerry              207.9     0.0                        906.9     0.2
Other OS                530.4     0.1                        887.3     0.2
Total               431,539.3   100.0                    403,109.4   100.0

Worldwide smartphone sales in the fourth quarter of 2016 (thousands of units). Source: Gartner

7

0. Hacking Demo | Common security mistakes

APK Analysis

Browse App

Data Analysis

Backend Analysis

8

Open Web Application Security Project (OWASP)

“Worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations are able to make informed decisions.”

9

0. Hacking Demo | Common security mistakes

Hardcoded credentials in APK

• Remote server credentials

Insecure communication (OWASP M3/M5)

• Credentials unencrypted

• No certificate pinning

Insecure login (OWASP M4)

• UserID enumeration

Insecure storage (OWASP M2)

• Credentials saved as MD5 in local database

• Insufficient local file permissions (OWASP M6)

• Remote server credentials stored locally

APK Analysis

Browse App

Data Analysis

Backend Analysis

10


1. Hacking Demo | Get APK for analysis

11

1. Hacking Demo | Analyze APK file

• Decompile APK

• Analyze JAR file

• Analyze AndroidManifest.xml file

• Text search decompiled folder

Hardcoded credentials in APK

• (str1.equals("customerservice")) && (str2.equals("Acc0uNTM@n@g3mEnT")))

APK Analysis
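The text search over the decompiled folder is easy to turn into a repeatable pre-release check. The following is an added Python example (not code from the deck or from the FourGoats project) that walks a decompiled source tree and reports password-looking string literals compared with .equals() and any use of MD5 for credentials; the Java sample it scans is constructed to resemble decompiler output.

```python
import os
import re
import tempfile

# Patterns mirroring the two findings on this slide: a literal compared with
# .equals(), and credentials hashed with MD5.
CRED_COMPARE = re.compile(r'(\w+)\.equals\("([^"]+)"\)')
MD5_USE = re.compile(r'MessageDigest\.getInstance\("MD5"\)')
# Heuristic for password-looking literals: mixed case, a digit, a symbol, 8+ chars.
LOOKS_SECRET = re.compile(r'^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w]).{8,}$')

def scan_file(path):
    """Return (line_no, kind, detail) findings for one decompiled source file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            for var, literal in CRED_COMPARE.findall(line):
                if LOOKS_SECRET.match(literal):
                    findings.append((no, "hardcoded-credential", f'{var} == "{literal}"'))
            if MD5_USE.search(line):
                findings.append((no, "weak-hash", "MessageDigest MD5"))
    return findings

def scan_tree(root):
    """Walk the decompiled tree; map relative path -> findings for .java/.smali files."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".java", ".smali")):
                full = os.path.join(dirpath, name)
                hits = scan_file(full)
                if hits:
                    report[os.path.relpath(full, root)] = hits
    return report

# Constructed sample in the shape of decompiler output (not the FourGoats source).
SAMPLE_JAVA = """class Login {
  boolean check(String str1, String str2) {
    return (str1.equals("customerservice")) && (str2.equals("Acc0uNTM@n@g3mEnT"));
  }
  byte[] hash(byte[] pw) throws Exception {
    return java.security.MessageDigest.getInstance("MD5").digest(pw);
  }
}
"""

def demo():
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "Login.java"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_JAVA)
        return scan_tree(root)
```

Point scan_tree() at the output folder of your decompiler; the "customerservice" literal is not reported because the heuristic only flags password-shaped strings.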

12

2. Hacking Demo | Transport data analysis

1. Install the APK in an Android emulator

2. Start the app and monitor the network activity with a sniffer (e.g. Wireshark)

• To which servers does the app connect?

• Which protocols are used in this connection?

• Is transport encryption used in this connection?

Data Analysis

13

3. Hacking Demo | Transport data analysis

• If the protocol is not HTTP => Use a TCP interception tool (e.g. EchoMirage)

• If the protocol is HTTP => Use a local proxy

• If the protocol is HTTP and SSL => Use a local HTTP proxy

Insecure communication (OWASP M3)

• SSL but still cleartext

14

3. Hacking Demo | Browse the app

FourGoats, a location-based social network

• Get a feeling of the functionality

• Browse local files

• Download interesting files

• Evaluate client-server traffic

Browse App

15

3. Hacking Demo | Browse the app

Hardcoded credentials in APK

• (str1.equals("customerservice")) && (str2.equals("Acc0uNTM@n@g3mEnT")))

Insecure storage (OWASP M2)

• /data/data/org.owasp.goatdroid.fourgoats/shared_prefs/credentials.xml

• /data/data/org.owasp.goatdroid.fourgoats/databases/userinfo.db

Insecure login (OWASP M4)

• {"key":"isAdmin","value":"false"}

Browse App

16

4. Hacking Demo | Found vulnerabilities

Hardcoded credentials in APK

• (str1.equals("customerservice")) && (str2.equals("Acc0uNTM@n@g3mEnT")))

Insecure storage (OWASP M2)

• /data/data/org.owasp.goatdroid.fourgoats/shared_prefs/credentials.xml

• /data/data/org.owasp.goatdroid.fourgoats/databases/checkins.db

• /data/data/org.owasp.goatdroid.fourgoats/databases/userinfo.db

Insecure login (OWASP M4)

• {"key":"isAdmin","value":"false"}

• Dolphin SharedPreferences

• Manually calling Intent: am start -n org.owasp.goatdroid.fourgoats/.activities.Home

Insecure communication (OWASP M3)

• SSL but still cleartext

17

Hacking Demo | Protect your app

Secure Coding Best Practices for Android

Local storage of sensitive data always encrypted

HTTPS with certificate pinning

Least privilege principle

Server side authentication

18

Hacking Demo | Protect yourself

Check permissions

<uses-permission android:name="android.permission.SEND_SMS" />

<uses-permission android:name="android.permission.CALL_PHONE" />

<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />

<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />

<uses-permission android:name="android.permission.INTERNET" />
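To make the permission check above repeatable, here is an added Python example (not from the deck) that parses an AndroidManifest.xml, flags permissions that guard sensitive resources, and lists the activities any other app can launch, which is the property the am start invocation on the earlier slide depended on. The manifest and the package name com.example.demo are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# The permissions shown on the slide plus a few from the same runtime-permission group.
SENSITIVE = {
    "android.permission.SEND_SMS", "android.permission.CALL_PHONE",
    "android.permission.ACCESS_COARSE_LOCATION", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.READ_SMS",
}

def attr(el, name):
    return el.get(f"{{{ANDROID_NS}}}{name}")

def review_manifest(xml_text):
    """Return {'permissions': [...], 'sensitive': [...], 'exported': [...]}."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package")
    perms = [attr(p, "name") for p in root.iter("uses-permission")]
    exported = []
    for act in root.iter("activity"):
        name = attr(act, "name")
        flag = attr(act, "exported")
        has_filter = act.find("intent-filter") is not None
        # Reachable from outside when exported="true", or when it declares an
        # intent-filter and does not set exported="false" (the pre-API 31 default).
        if flag == "true" or (flag is None and has_filter):
            exported.append(pkg + name if name.startswith(".") else name)
    return {"permissions": perms,
            "sensitive": [p for p in perms if p in SENSITIVE],
            "exported": exported}

# Constructed sample manifest (placeholder package name, not the FourGoats manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <activity android:name=".activities.Main">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".activities.Home" android:exported="true"/>
    <activity android:name=".activities.Settings" android:exported="false"/>
  </application>
</manifest>"""
```

Feed it the manifest extracted during APK analysis; an activity that shows up under "exported" without needing to be launchable by other apps should get android:exported="false".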

19

Resources

Mobile Top 10 2016-Top 10

• https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10

OWASP Mobile Security Project Archive

• https://www.owasp.org/index.php/Mobile_Security_Project_Archive#tab=M-Security_Testing

Kaya Flamboyan 7

Willemstad, Curaçao

Phone +5999 734 3200

www.bearingpointcaribbean.com

Email [email protected]

Skype ReceptionBearingPointCaribbean


This presentation and any attached documents may contain confidential or proprietary information and are intended solely for the addressee. If you are not the intended recipient, please inform the sender immediately and delete this e-mail and all attached documents from your computer system. Any unauthorized disclosure, distribution or copying hereof is prohibited.

Questions?

Ivan Mercalina

[email protected]