![Page 1: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/1.jpg)
Testing Android Security
José Manuel Ortega @jmortegac
AMSTERDAM 11-12 MAY 2016
![Page 2: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/2.jpg)
https://speakerdeck.com/jmortega
http://jmortega.github.io
![Page 3: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/3.jpg)
AGENDA
▪ Development Cycle
▪ Static and Dynamic Analysis
▪ Components Security
▪ Hybrid Automatic tools
▪ Best Practices & OWASP
![Page 4: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/4.jpg)
DEVELOPMENT CYCLE
![Page 5: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/5.jpg)
WHITE BOX /BLACK BOX
![Page 6: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/6.jpg)
TESTING ANDROID SECURITY
![Page 7: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/7.jpg)
FORENSICS
![Page 8: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/8.jpg)
FORENSICS
![Page 9: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/9.jpg)
STATIC ANALYSIS
![Page 10: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/10.jpg)
CODE REVIEW / SOURCE CODE ANALYSIS
![Page 11: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/11.jpg)
ANDROID LINT
![Page 12: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/12.jpg)
ANDROID STUDIO INSPECT CODE
![Page 13: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/13.jpg)
ANDROID SONAR PLUGIN
![Page 14: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/14.jpg)
ANDROID SONAR PLUGIN >RULES
![Page 15: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/15.jpg)
SONAR SECURITY
![Page 17: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/17.jpg)
QARK
▪ Quick Android Review Kit
▪ https://github.com/linkedin/qark
▪ Static code analysis tool
▪ Look for potential vulnerabilities
![Page 18: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/18.jpg)
QARK
▪ Identifies permissions and exported components(activities,services..) on Manifest
▪ Looks for WORLD_READABLE and WORLD_WRITABLE files
▪ Looks for X.509 certificates validation issues
![Page 19: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/19.jpg)
QARK
![Page 20: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/20.jpg)
QARK REPORT
![Page 21: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/21.jpg)
REVERSE ENGINEERING
▪ Disassemble Dalvik bytecode to smali (smali is assembler listing, not Java source; decompilation to Java goes through dex2jar and a Java decompiler)
▪ classes.dex in the APK
▪ APKTOOL
▪ DEX2JAR
▪ Java Decompiler
![Page 22: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/22.jpg)
APK STRUCTURE
![Page 23: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/23.jpg)
DISASSEMBLY AND DECOMPILATION
![Page 24: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/24.jpg)
JADX-GUI
![Page 25: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/25.jpg)
APKTOOL
![Page 26: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/26.jpg)
DYNAMIC ANALYSIS TOOLS
![Page 27: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/27.jpg)
WIRESHARK
![Page 28: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/28.jpg)
BURP SUITE
▪ Intercepting network traffic
▪ HTTP proxy tool
▪ Intercepts application-layer (HTTP/HTTPS) traffic and lets the tester view and modify each request and response
▪ The device's Wi-Fi proxy must point at Burp and, for HTTPS, Burp's CA certificate must be installed on the device; an app that pins its server certificate will refuse the proxied connection
![Page 29: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/29.jpg)
DROZER
▪ https://labs.mwrinfosecurity.com/tools/drozer/
▪ Find vulnerabilities automatically
▪ Automate security testing
▪ Interacts with your apps through Android IPC from its own agent app, so the target does not need android:debuggable
![Page 30: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/30.jpg)
INSIDE DROZER
![Page 31: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/31.jpg)
DROZER
![Page 32: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/32.jpg)
DROZER PACKAGE INFO
▪ run app.package.info -a <package> (label, UID, data directory, APK path, requested and defined permissions)
![Page 33: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/33.jpg)
DROZER COMMANDS
![Page 34: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/34.jpg)
DROZER CONTENT PROVIDERS
![Page 35: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/35.jpg)
FINDING SQL INJECTION IN CONTENT PROVIDERS
![Page 36: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/36.jpg)
EXPLOITING SQL INJECTION VULNERABILITY
![Page 37: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/37.jpg)
ANDROID MANIFEST
android:debuggable="true" (a release APK shipped with this lets anyone with adb access attach a debugger and run commands as the app via run-as)
android:exported="true" (the component is reachable from any other app unless it also sets android:permission; a component with an <intent-filter> is exported by default)
![Page 38: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/38.jpg)
ANDROID MANIFEST EXPORTED ATTRIBUTE
![Page 39: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/39.jpg)
COMPONENTS SECURITY
▪ AndroidManifest.xml
▪ Activities
▪ Content Providers
▪ Services
▪ Shared Preferences
▪ Webview
![Page 40: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/40.jpg)
LOG INFORMATION
```java
// Compile-time switch: BuildConfig.DEBUG is false in release builds, so nothing reaches logcat
public static final boolean SHOW_LOG = BuildConfig.DEBUG;

public static void d(final String tag, final String msg) {
    if (SHOW_LOG) {
        Log.d(tag, msg);
    }
}
```
![Page 41: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/41.jpg)
THIRD PARTY LIBRARIES
![Page 42: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/42.jpg)
VULNERABILITIES IN CORDOVA 3.5
![Page 43: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/43.jpg)
SECURITY IN CONTENT PROVIDERS
▪ Components provide a standardized interface for sharing data between applications
▪ URI addressing scheme
▪ Can perform queries equivalent to SELECT, UPDATE, INSERT, DELETE
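The injection the "Finding SQL injection in content providers" and "Security in content providers" slides describe, as an added example (not code from the slides): a provider with a hypothetical `notes` table and a private `secrets` table in the hypothetical package `com.example.notes`. `findByTitleVulnerable` splices the caller's value into the SQL text; `findByTitle` binds it as a parameter; the exported `query()` uses `SQLiteQueryBuilder` with a projection map and strict mode so that the SQL fragments a caller (or drozer) is allowed to pass cannot reach other tables.

```java
package com.example.notes; // hypothetical package for this example

import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;
import java.util.Map;

/** Exposes a notes table; contains the injectable query beside the fixed one. */
public class NotesProvider extends ContentProvider {
    public static final Uri CONTENT_URI = Uri.parse("content://com.example.notes.provider/notes");
    private static final String TABLE = "notes";

    // The only column names a caller may use in the projection.
    private static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        PROJECTION_MAP.put("_id", "_id");
        PROJECTION_MAP.put("title", "title");
        PROJECTION_MAP.put("body", "body");
    }

    private SQLiteOpenHelper helper;

    @Override
    public boolean onCreate() {
        helper = new SQLiteOpenHelper(getContext(), "notes.db", null, 1) {
            @Override public void onCreate(SQLiteDatabase db) {
                db.execSQL("CREATE TABLE notes (_id INTEGER PRIMARY KEY, title TEXT, body TEXT)");
                db.execSQL("CREATE TABLE secrets (_id INTEGER PRIMARY KEY, token TEXT)"); // must stay private
            }
            @Override public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion) { }
        };
        return true;
    }

    /**
     * VULNERABLE: the caller's value is spliced into the SQL text. A title of
     *   ' UNION SELECT _id, token, NULL FROM secrets --
     * turns the statement into a read of the secrets table through the notes URI.
     */
    public Cursor findByTitleVulnerable(String title) {
        String sql = "SELECT _id, title, body FROM notes WHERE title = '" + title + "'";
        return helper.getReadableDatabase().rawQuery(sql, null);
    }

    /** FIXED: the value is bound as a parameter and can only ever be compared as data. */
    public Cursor findByTitle(String title) {
        return helper.getReadableDatabase().query(TABLE, new String[] { "_id", "title", "body" },
                "title = ?", new String[] { title }, null, null, null);
    }

    /**
     * The exported entry point. A caller still hands us SQL fragments here, so the builder
     * confines them: column names outside the projection map are rejected, and strict mode
     * compiles the selection wrapped in parentheses first, which makes the usual
     * "') UNION ... --" payloads fail before the real query runs. selectionArgs are always bound.
     * The manifest must still set android:exported="false" or an android:permission on the provider.
     */
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        qb.setProjectionMap(PROJECTION_MAP);
        qb.setStrict(true);
        return qb.query(helper.getReadableDatabase(), projection, selection, selectionArgs,
                null, null, sortOrder);
    }

    @Override
    public String getType(Uri uri) {
        return "vnd.android.cursor.dir/vnd.com.example.notes.note";
    }

    @Override
    public Uri insert(Uri uri, ContentValues values) {
        long id = helper.getWritableDatabase().insertOrThrow(TABLE, null, values); // values are bound
        return Uri.withAppendedPath(CONTENT_URI, Long.toString(id));
    }

    @Override
    public int delete(Uri uri, String selection, String[] selectionArgs) {
        return helper.getWritableDatabase().delete(TABLE, selection, selectionArgs);
    }

    @Override
    public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
        return helper.getWritableDatabase().update(TABLE, values, selection, selectionArgs);
    }
}
```

To reproduce the finding from the slides, point drozer's app.provider.query module at the provider URI with a `--selection` argument containing the UNION payload: against `findByTitleVulnerable`-style code it returns rows from `secrets`; against the strict `query()` above it raises an exception and no data comes back. Strict mode is defence in depth: the primary fixes are bound parameters and not exporting the provider to untrusted apps.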
![Page 44: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/44.jpg)
SQLCIPHER
▪ SQLCipher is an SQLite extension that provides transparent AES encryption of database files
▪ 256-bit AES (CBC) encryption of the whole SQLite database; the key is derived from a passphrase with PBKDF2, so the passphrase must not be hardcoded in the APK
▪ http://sqlcipher.net/sqlcipher-for-android
![Page 45: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/45.jpg)
SECURED PREFERENCES
▪ https://github.com/scottyab/secure-preferences
▪ Encrypt your app's shared preferences
▪ Android SharedPreferences wrapper that encrypts keys and values (the plain XML under /data/data/<package>/shared_prefs/ is otherwise readable on a rooted device or from a backup)
![Page 46: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/46.jpg)
SECURED PREFERENCES
![Page 47: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/47.jpg)
DATA STORAGE
![Page 48: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/48.jpg)
PROTECTING DATA FILES
![Page 49: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/49.jpg)
SECURE COMMUNICATIONS
▪ Ensure that all sensitive data is encrypted
▪ Certificate pinning to prevent MITM attacks
![Page 50: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/50.jpg)
CERTIFICATES
SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER (Apache HttpClient: disables hostname verification, so a valid certificate for any name is accepted)
TrustManager whose checkServerTrusted() never throws (an empty body), so any certificate chain is accepted
![Page 51: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/51.jpg)
CERTIFICATE PINNING
![Page 52: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/52.jpg)
X.509 CERTIFICATES
![Page 53: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/53.jpg)
HTTPS Connection
![Page 54: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/54.jpg)
HTTPS Connection
![Page 55: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/55.jpg)
ENCRYPT NETWORK REQUESTS
▪ Best practice is to always encrypt network communications
▪ HTTPS (TLS) protects against MitM attacks and prevents casual sniffing of traffic
▪ HttpsURLConnection checks the server certificate chain and hostname by default; a custom TrustManager or HostnameVerifier can silently disable that check
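The insecure TrustManager from the "Certificates" slide beside the pinning the "Certificate pinning" and "Encrypt network requests" slides recommend, as an added example (not code from the slides or from any library). The class name `PinnedTls`, its method names and the `pins` set are mine; pins are base64 SHA-256 hashes of a certificate's SubjectPublicKeyInfo, which the caller supplies.

```java
import android.util.Base64;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class PinnedTls {

    /** INSECURE, the pattern QARK looks for: nothing is ever rejected, so an interception
     *  proxy with any self-signed certificate is accepted as the real server. */
    public static TrustManager[] trustEverything() {
        return new TrustManager[] { new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
    }

    /** SHA-256 of the certificate's SubjectPublicKeyInfo, base64: the usual form of a public-key pin. */
    public static String spkiSha256(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
            return Base64.encodeToString(digest, Base64.NO_WRAP);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    /** The platform's own trust manager, backed by the device CA store. */
    public static X509TrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** SECURE: normal chain validation first, then the chain must contain one of our pinned keys. */
    public static X509TrustManager pinning(final X509TrustManager platform, final Set<String> pins) {
        return new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                platform.checkClientTrusted(chain, authType);
            }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                platform.checkServerTrusted(chain, authType); // signature, validity period, trusted root
                for (X509Certificate c : chain) {              // pin may be on the leaf or an intermediate
                    if (pins.contains(spkiSha256(c))) return;
                }
                throw new CertificateException("no certificate in the chain matches a pinned public key");
            }
            @Override public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
        };
    }

    /** Opens an HTTPS connection that only succeeds against a server presenting a pinned key. */
    public static HttpsURLConnection openPinned(URL url, Set<String> pins) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { pinning(platformTrustManager(), pins) }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier stays in place; never swap in an allow-all verifier.
        return conn;
    }
}
```

A pin value is computed from the server certificate with OpenSSL (one of the tools on the "Check certificates tools" slide): `openssl x509 -in server.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`. Always ship at least one backup pin for a key you control but have not deployed, otherwise a routine certificate renewal locks every installed client out. On Android 7.0 and later the same pins can be declared in the Network Security Configuration XML instead of in code.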
![Page 56: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/56.jpg)
VALIDATE SERVER CERTIFICATE
▪ https://www.ssllabs.com/ssltest
![Page 57: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/57.jpg)
CHECK CERTIFICATES TOOLS
▪ OpenSSL
▪ Keytool
▪ Jarsigner
![Page 58: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/58.jpg)
Runtime Permissions
▪ Before Android 6.0 (API 23) all permissions were granted at install time
▪ On Android 6.0+ dangerous permissions require user confirmation
▪ Prompt for dangerous permissions at runtime, when the feature that needs them is used
▪ Granted/revoked by permission group
▪ Managed per app, per user
▪ /data/system/users/0/runtime-permissions.xml (grant state for user 0; readable only as root)
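The runtime flow summarised above, as an added example (not code from the slides): a hypothetical activity that needs READ_CONTACTS for one feature, checks the current grant, shows a rationale after a previous refusal, requests the permission, and handles the result, including the empty result array returned when the dialog is dismissed. It uses the support-v4 compatibility helpers current in 2016 (`androidx.core.app.ActivityCompat` / `androidx.core.content.ContextCompat` in AndroidX projects).

```java
import android.Manifest;
import android.app.Activity;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.os.Bundle;
import android.provider.ContactsContract;
import android.support.v4.app.ActivityCompat;
import android.support.v4.content.ContextCompat;
import android.widget.Toast;

/** Hypothetical activity: asks for READ_CONTACTS only when the contact count is wanted. */
public class ContactsCountActivity extends Activity {
    private static final String PERMISSION = Manifest.permission.READ_CONTACTS; // dangerous, group CONTACTS
    private static final int REQ_CONTACTS = 42; // arbitrary request code echoed back in the callback

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Below API 23 this reports the install-time grant; from API 23 it reflects the user's
        // current choice, so check every time the feature is used rather than once at startup.
        if (ContextCompat.checkSelfPermission(this, PERMISSION) == PackageManager.PERMISSION_GRANTED) {
            showCount();
        } else {
            if (ActivityCompat.shouldShowRequestPermissionRationale(this, PERMISSION)) {
                // The user refused once before: say what the permission is for before asking again.
                Toast.makeText(this, "Contacts access is used only to count your contacts",
                        Toast.LENGTH_LONG).show();
            }
            ActivityCompat.requestPermissions(this, new String[] { PERMISSION }, REQ_CONTACTS);
        }
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, String[] permissions, int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQ_CONTACTS) return;
        // grantResults is empty when the dialog is cancelled: treat that as a denial.
        if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            showCount();
        } else {
            // Degrade gracefully instead of crashing or nagging in a loop.
            Toast.makeText(this, "Contact count unavailable without permission", Toast.LENGTH_SHORT).show();
        }
    }

    private void showCount() {
        int n = countContacts();
        Toast.makeText(this, n < 0 ? "Contacts not accessible" : n + " contacts", Toast.LENGTH_SHORT).show();
    }

    /** The privileged call. SecurityException is what the platform throws when the grant is
     *  missing, so it is caught here rather than allowed to crash the app. */
    private int countContacts() {
        Cursor c = null;
        try {
            c = getContentResolver().query(ContactsContract.Contacts.CONTENT_URI,
                    new String[] { ContactsContract.Contacts._ID }, null, null, null);
            return c == null ? 0 : c.getCount();
        } catch (SecurityException e) {
            return -1;
        } finally {
            if (c != null) c.close();
        }
    }
}
```

Least privilege applies to the manifest as well: request the one permission the feature needs, not the whole group, and do not declare permissions for features the app no longer has.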
![Page 59: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/59.jpg)
Group permissions on Android M
![Page 60: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/60.jpg)
Permissions FLOW on Android M
![Page 61: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/61.jpg)
Permissions on Android M
![Page 62: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/62.jpg)
Permissions on Android M
![Page 63: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/63.jpg)
OBFUSCATION
▪ The obfuscator can use several techniques to protect a Java/Android application:
▪ change names of classes, methods, fields
▪ modify the control flow
▪ code optimization
▪ dynamic code loading
▪ change instructions with metamorphic technique
![Page 64: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/64.jpg)
PROGUARD
▪ Shrinker: detects and removes unused classes, fields, methods, and attributes
▪ Optimizer: optimizes bytecode and removes unused instructions
▪ Obfuscator: renames classes, fields, and methods using short meaningless names (string constants and control flow are left as they are, so a hardcoded secret is still visible after decompilation)
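A release ProGuard configuration that ties this slide to the "Log information" slide, as an added example (not the deck's own file): a hypothetical `proguard-rules.pro` that keeps stack traces mappable, protects the components the framework instantiates by name, and strips debug logging from the release APK.

```proguard
# proguard-rules.pro (example). Pair it in build.gradle with:
#   minifyEnabled true
#   proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
# The plain 'proguard-android.txt' contains -dontoptimize, which silently disables
# -assumenosideeffects below, so the Log calls would survive in the release build.

# Keep line numbers so crash reports can be resolved with mapping.txt, but hide the real
# source file name. Archive mapping.txt for every release you ship.
-keepattributes SourceFile,LineNumberTable
-renamesourcefileattribute SourceFile

# Components are instantiated by the framework through their manifest names: never rename them.
-keep public class * extends android.app.Activity
-keep public class * extends android.app.Service
-keep public class * extends android.content.BroadcastReceiver
-keep public class * extends android.content.ContentProvider

# Remove verbose/debug logging entirely, so nothing is left for logcat or a decompiler to show.
# Log.w and Log.e are kept for production diagnostics.
-assumenosideeffects class android.util.Log {
    public static int v(...);
    public static int d(...);
}
```

After building, open the release APK in jadx-gui: the `Log.d` calls are gone and classes are named `a`, `b`, `c`, while any string literal you left in the code is still readable, which is why the slide separates obfuscation from encryption.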
![Page 65: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/65.jpg)
OBFUSCATION WITH PROGUARD
![Page 67: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/67.jpg)
HYBRID AUTOMATIC ONLINE TOOLS
▪ SandDroid
▪ ApkScan
▪ Visual Threat
▪ TraceDroid
▪ CopperDroid
▪ APK Analyzer
▪ ForeSafe
▪ AndroTotal
▪ NowSecure Lab
![Page 68: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/68.jpg)
VULNERABILITY ANALYSIS
![Page 69: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/69.jpg)
HYBRID AUTOMATIC ONLINE TOOLS
▪ http://sanddroid.xjtu.edu.cn/#home
![Page 70: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/70.jpg)
SANDROID
![Page 71: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/71.jpg)
SANDROID
![Page 74: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/74.jpg)
NOWSECURE LAB
![Page 75: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/75.jpg)
NOWSECURE LAB
![Page 76: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/76.jpg)
BEST PRACTICES
▪ Don't hardcode sensitive information
▪ Don't store sensitive information unless the app really needs it
▪ Don't store data at easily readable locations like the memory card (external storage)
▪ Encrypt the stored data
▪ Use TLS (HTTPS)
![Page 77: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/77.jpg)
BEST PRACTICES
▪ Protect the webserver against application layer attacks
▪ Prefer encryption over encoding or obfuscation
▪ Sanitize inputs and use prepared statements (protection against SQL injection)
![Page 78: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/78.jpg)
BEST PRACTICES
![Page 79: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/79.jpg)
Android Secure Coding Checklist
▪ Use least privilege in request permissions
▪ Don't unnecessarily export components
▪ Handle intents carefully
▪ Justify any custom permissions
▪ Mutually authenticate services
▪ Use APIs to construct ContentProvider URIs
▪ Use HTTPS
▪ Follow best practices from OWASP project http://owasp.org/index.php/OWASP_Mobile_Security_Project
![Page 80: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/80.jpg)
OWASP MOBILE TOP 10 RISKS
![Page 81: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/81.jpg)
OWASP MOBILE TOP 10 RISKS
![Page 82: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/82.jpg)
Open Android Security Assessment Methodology
![Page 83: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/83.jpg)
PENTESTING TOOLS / SANTOKU LINUX
![Page 84: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/84.jpg)
PENTESTING TOOLS / NOWSECURE
▪ https://www.nowsecure.com/resources/freetools/
![Page 85: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/85.jpg)
REFERENCES
▪ http://proguard.sourceforge.net
▪ http://code.google.com/p/dex2jar
▪ http://code.google.com/p/android-apktool
▪ https://labs.mwrinfosecurity.com/tools/drozer
▪ http://sqlcipher.net/sqlcipher-for-android
▪ https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
▪ https://developer.android.com/training/articles/security-tips.html
![Page 86: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/86.jpg)
BOOKS
![Page 87: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/87.jpg)
BOOKS
![Page 88: Testing Android Security Codemotion Amsterdam edition](https://reader034.vdocuments.us/reader034/viewer/2022042619/587059901a28aba2118b626f/html5/thumbnails/88.jpg)
Thanks!
@jmortegac
AMSTERDAM 9-12 MAY 2016