android security & penetration testing
DESCRIPTION
These slides were presented at GDG MeetUp in Bangalore which was held on 21st September 2013. Uploading the slides to help the people who wanted the slide DeckTRANSCRIPT
ANDROID SECURITY& PENETRATION TESTING
Subho Halder@sunnyrockzzs #AFE
Monday, 23 September 13
./AboutMe.shInformation Security Researcher
Trainer at BlackHat, OWASP AppSec, ToorCon, SysCan.
Lead Developer of AFE (Android Framework for Exploitation)
Python Lovers
Co-founder of XYSEC (http://xysec.com)
Have found bug in some famous websites including Google, Apple, Microsoft, Skype, Adobe and many more
Monday, 23 September 13
Some Companies I have found Vulnerabilities in .....
And many more...
Monday, 23 September 13
./Agenda
Quick Introduction to Android Internals
Android Security Model
Android Coding Best Practices
Android Malware, Technique, Effectiveness using AFE (Android Framework for Exploitation)
Small Social Experiment !
Monday, 23 September 13
Android Internals.exe
Based on Linux kernel version 3.x (version 2.6 prior to Android 4.0 ICS)
Application runs through Dalvik VM (Dalvik Virtual Machine)
Dalvik VM runs executable files like dex (Dalvik executable) or apk files
apk files are zipped content of Resources, Signatures, classes.dex and AndroidManifest.xml file
Monday, 23 September 13
Android Security Model.txt
Application are sandboxed (Runs with different UID and GID)
Zygote spawns a new process for each Application
Each Application runs with a separate instance of Dalvik VM
Special Permissions are provided to access Hardware API’s
Permissions are mentioned in AndroidManifest.xml file.
Monday, 23 September 13
Android Application.apk
Just an Archive !
Written mainly in Java and XML
Multiple Entry-points, such as Activity, Services,Intents, Content Providers, etc.
Monday, 23 September 13
AndroidManifest.xml
Monday, 23 September 13
CAN THESE PERMISSION BE BYPASSED?
Monday, 23 September 13
Uploading a sensitive file from SD-Card to Remote Server without any Permission!
Read Files from SD-Card
Uploads File to Remote Server
Upload a file through Browser
Permission not Required for
READING files from SD Card
Opening Browser through INTENT doesn’t requires
Permission
Intent(Intent.ACTION_VIEW, Uri.parse("http://google.com/"));
Save the Value in the GET parameter to a
file in Server
Monday, 23 September 13
QUICK-DEMO ( SHOULD I ) ?
Monday, 23 September 13
Android Coding Best Practices
Follow -> http://developer.android.com/guide/practices/index.html
Top 10 Mobile Risks (Outdated) -> https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
Attend more GDG Talks and other Security Conferences
Shoot me a tweet @sunnyrockzzs
Monday, 23 September 13
AndroidManifest.xml OMG !Activities, Services, Receivers should not be exported or else you can bypass those activities !
Monday, 23 September 13
AndroidManifest.xml OMG ! (Contd.)
android:exported= “True” in <provider> will turn into a nightmare !BTW by default it is “True” if either android:minSdkVersion or android:targetSdkVersion to “16” or lower. For applications that set either of these attributes to “17” or higher, the default is “false”.
Monday, 23 September 13
AndroidManifest.xml OMG ! (Contd.)AndroidManifest.xml OMG ! (Contd.)AndroidManifest.xml OMG ! (Contd.)
AndroidManifest.xml OMG ! (Contd.)AndroidManifest.xml OMG ! (Contd.)AndroidManifest.xml OMG ! (Contd.)AndroidManifest.xml OMG ! (Contd.)
AndroidManifest.xml OMG ! (Contd.)Monday, 23 September 13
ANDROID MALWARE
Monday, 23 September 13
Android Malware (Common Features)
Send SMS to premium Number
Subscribe to premium Services
Dial Premium number
Steal messages, contact list, logs
Steal SD-Card files
Auto-respond to attackers’s text messages !
Monday, 23 September 13
Creating a Malware.vbs
Use CONTENT PROVIDERS
Make use of CURSORS & SQLITE databases
Write JAVA codes like crazy
Set up Server component
Get frustrated, start from bullet-point one.
Monday, 23 September 13
If you don’t have past relationship with JAVA
Monday, 23 September 13
Android Framework for Exploitation
Monday, 23 September 13
Let’s Create a Malware !
Monday, 23 September 13
What about GOOGLE?
Presenting GOOGLE Bouncer !
Monday, 23 September 13
“I am not Afraid” - Eminem
Monday, 23 September 13
Faking Legitimate Application?
Malware services generally injected in legitimate applications
How to do it?
legitimate apk Smali/Java Add malicious services/classes
RecompileFinal malware
Monday, 23 September 13
USE AFE TO AUTOMATE !!
Monday, 23 September 13
Android Framework for Exploitation.py
To make your life easier !
Find security vulnerabilities in your device+apps
Protect your device against malwares
Create automated malwares/botnets + send the data to a python listener
Inject malicious services in another applications
Use Android Exploits Crypt existing malwares to make them FUD
Monday, 23 September 13
AFE Perspective.c
Offensive Defensive
Malware Creation
BotNet Automation
Crypting
Injecting
Content Query
App Assesment
Fuzzing
Kernel Assesment
Monday, 23 September 13
AFE Internals.py
PythonBased
Plugin Based Architecure
Modules Libraries
Monday, 23 September 13
Let’s Make it FUDMatches the signature with its
database
Checks the activity, service and other class names
checks the names of the variables
Checks the control flow graph
Monday, 23 September 13
Let’s Make it FUDMatches the signature with its
database
Checks the activity, service and other class names
checks the names of the variables
Checks the control flow graph
Rebuild + Zipalign
Monday, 23 September 13
Let’s Make it FUDMatches the signature with its
database
Checks the activity, service and other class names
checks the names of the variables
Checks the control flow graph
Modifies the classnames and all its references within files
Example: Converts com.example.org to com.omg.lol
Monday, 23 September 13
Let’s Make it FUDMatches the signature with its
database
Checks the activity, service and other class names
checks the names of the variables
Checks the control flow graph
Split variables into two, and append at runtime
Example:
String a = “hello”
Will now become
String aa = “hel”
String ab = “lo”
String a = aa + ab
Monday, 23 September 13
Let’s Make it FUDMatches the signature with its
database
Checks the activity, service and other class names
checks the names of the variables
Checks the control flow graph Add dummy loops to change CFG
Example:goto end;start: //everything in this label will execute, only when it is called........end: //everything in this label will execute, only when it is calledgoto start;
Monday, 23 September 13
Statistics? ? ? ? ? ? ?.xls
Earlier Detection: 30/46
Monday, 23 September 13
Statistics? ? ? ? ? ? ?.xls
Detection after Crypting: 4/46
Monday, 23 September 13
OOPS CRYPTING MODULE IS NOT PUBLIC :)
Monday, 23 September 13
./Conclusion -h
Be safe
Don’t download apps from 3rd party markets
Turn USB debugging OFF
Anti-virus vendors -> Switch to dynamic analysis Focus on BYOD security
We also conduct trainings on Advanced Mobile Hands-on Security/Exploitation for both Android and iOS
Monday, 23 September 13
HEY WAIT!! WHERE IS THE SOCIAL EXPERIMENT ?
Monday, 23 September 13
STILL CURIOUS ??MEET ME NOW !!!
Monday, 23 September 13