Hacking Android ApplicationsAnd how to make your Applications more Secure

1

DisclaimerEverything shown is to be used for educational purposes only. All Information exposed in this Presentation has the goal to teach you the techniques used by hackers in order to avoid their attacks. Please make sure before analyzing Applications that you have the Approval of the Owner/Author of the Applications you are analyzing. Hacking is a crime and I am not Responsible for the way you use it!

2

3

Angelo Rüggeberg

GDG Munich Organizer

Mobile Application Developer

+AngeloRüggeberg

4

Overview

- Overview of the Android Framework- Manifest Security- Reverse Engineering of .APK- SQL/Shared Preferences Injections- Play Store Payment Hacking

Android Framework

5

Android Framework

- Kind of UNIX sandboxing- IPC for Inter-App Communication

- Endpoints- Configuration and Security in

AndroidManifest.xml

6

7source https://code.google.com/p/androidteam/wiki/AndroidSystemArch

Android Framework

- Each Application has its own Username and Memory Space

- One App cannot access Resources of another App*- *almost

- Android Permission Enforcement

8

9

Android Framework

10

Application 1

shared_prefsfiles

cachedatabase

Application 1

shared_prefsfiles

cachedatabase

Application 2

shared_prefsfiles

cachedatabase

Android Manifest

11

source https://source.android.com/devices/tech/security/overview/app-security.html

12source http://qz.com/131436/contrary-to-what-youve-heard-android-is-almost-impenetrable-to-malware/

13source http://qz.com/131436/contrary-to-what-youve-heard-android-is-almost-impenetrable-to-malware/

For a detailed Presentation about Android Security checkout http://goo.gl/7xZ4cd

14

Conclusion about Android Security

- Android is Secure- Users are not

- Androids Security is to Protect the System- not your Data or Application

- Security can easily be Bypassed by Users- Unknown Sources- Rooting- etc….

15

Manifest Security

- All Activities, Services, Broadcasts can be exported- Default < API 17 is exported=true

- Intents to other Applications do not Require Permissions

- Manifest can always be read- Without Root

16

Secure your Manifest

- Make Sure only Desired Things are Exported

- Logic to Verify Intents and State- e.G. Logged In State

17

Reverse Engineering APK

18

Reverse Engineering APKs

- APKs are just containers like .jar or .zip- Tons of Decompile Tools

- apktool- dex2jar- etc...

19

20

Demo

Reverse Engineering APKs

- Use Proguard- Obfuscation

- Do not handle Sensitive Stuff inside your Application Code- keep your Clients dumb

21

SQL InjectionAnd shared Preferences

22

23

Demo

SQL/Shared Prefs Injection

- Do not handle Sensitive Stuff inside your Application Code- keep your Clients dumb

- Do not Persist Sensitive Data

24

Billing Servicesbetter known as InApp Purchases

25

26

Demo

Billing Services

- Do not let your Client Verify Purchases- Only Pull Ballance- Complete Checkout/Grant Process Should

be handled by your API-

27

28

Questions?

29

Thank you!