Elenkov_AnIntroductionToAndroidApplicationSecurityTesting
Android Application
Security Testing
Nikolay Elenkov
Android Security Symposium, March 2017
Vienna
Agenda
• Static analysis
• Traffic analysis
• Obtaining app data
• Dynamic analysis/hooking
• Common vulnerabilities
LINE apps
Static analysis overview
https://github.com/OWASP/OMTG-Hacking-Playground
Repack APK
Decoded APK directory:
./AndroidManifest.xml
./assets/server.p12
./lib/armeabi/libnative.so
./res/anim/abc_fade_in.xml
./res/values/strings.xml
./smali/…/MyActivity.smali
./smali/…/MyApplication.smali

$ apktool b
I: Using Apktool 2.2.0
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether resources has changed...
I: Building resources...
I: Copying libs... (/lib)
I: Building apk file...
I: Copying unknown files/dir...
$ zipalign -v 4 app.apk app-a.apk
$ jarsigner -keystore test.ks app-a.apk sign …
jar signed.
https://github.com/OWASP/OMTG-Hacking-Playground
Examine AndroidManifest.xml
<manifest package="com.example.app">
  <uses-permission android:name="WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="INTERNET"/>
  <application android:allowBackup="true"
               android:name=".MyApplication">
    <activity android:name=".MyActivity">
      <intent-filter>
        <action android:name="MAIN"/>
        <category android:name="LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:exported="false"
             android:name="org.acra.sender.SenderService"
             android:process=":acra"/>
  </application>
</manifest>
• Package name: com.example.app
• Permissions
  • can write to external storage
  • can access Internet
• Backup is enabled
• Main activity: MyActivity
• Other activities (not shown)
• Has one service
  • Uses ACRA for error reporting
  • Multi-process app
Smali vs Java
https://source.android.com/devices/tech/dalvik/dalvik-bytecode.html
Native code
Reverse tethering (Mac)
System Preferences > Sharing > Internet Sharing: On
Defeating certificate pinning
<network-security-config>
  <domain-config>
    <domain>example.com</domain>
    <pin-set expiration="2018-01-01">
      <pin digest="SHA-256">...</pin>
    </pin-set>
  </domain-config>
</network-security-config>
• Custom trusted CAs
• CAs for debugging
• Disallow cleartext traffic
• Certificate pinning
  • Only trust certain issuers for a given domain
  • Can set expiration time
Network Security Config Implementation
• RootTrustManager
Disabling Network Security Config
• Repack APK and target API < 23
  • will use certs in User trust store
  • (same as pre-Nougat)
• Hook RootTrustManager, etc.
Java.perform(function() {
  var rootTm = Java.use("android.security.net.config.RootTrustManager");
  rootTm.checkServerTrusted.overload("[Ljava.security.cert.X509Certificate;",
      "java.lang.String", "java.net.Socket").implementation =
    function(certs, authType, socket) {
      // log the presented certificate and return without validating it
      send("cert subject: [" + certs[0].getSubjectDN().getName() + "]");
    };
});
Protocol Analysis
Obtaining data via backup
• Backup is on by default (unless disabled in manifest), no root required
$ adb backup org.nick.kanjirecognizer
Now unlock your device and confirm the backup operation...
$ java -jar abe-all.jar unpack backup.ab backup.tar password
21893120 bytes written to backup.tar.
OR (for unencrypted devices)
$ dd if=backup.ab bs=24 skip=1 | openssl zlib -d > backup.tar
$ tar xvf backup.tar
apps/org.nick.kanjirecognizer/_manifest
apps/org.nick.kanjirecognizer/r/app_webview
…
apps/org.nick.kanjirecognizer/r/app_webview/databases
apps/org.nick.kanjirecognizer/r/app_webview/databases/Databases.db-journal
apps/org.nick.kanjirecognizer/r/app_webview/databases/Databases.db
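The `dd ... | openssl zlib -d` one-liner works because an Android backup starts with a 24-byte text header (magic, version, compression flag, encryption algorithm) followed by a zlib stream of a tar archive. The script below parses that header, refuses encrypted backups (which need the password-derived AES path that abe implements), and lists the tar members. It is an added example, not code from the slides or from android-backup-extractor; the backup bytes are constructed in memory, and in real use the input is the backup.ab written by `adb backup`.

```python
"""Parse an Android backup (.ab) header and unpack an unencrypted backup to tar.

Added example, not from the slides. make_sample_backup() constructs a tiny
backup for the demo; feed ab_to_tar()/list_backup() the real backup.ab otherwise.
"""
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP\n"


def parse_ab_header(data):
    """Return (version, compressed, encryption, payload_offset).

    The header is four newline-terminated lines: magic, format version,
    compression flag ("1"/"0") and encryption algorithm ("none" or "AES-256").
    For an unencrypted compressed backup the header is exactly 24 bytes,
    which is where the bs=24 skip=1 in the dd command comes from.
    """
    if not data.startswith(MAGIC):
        raise ValueError("not an Android backup file")
    offset = 0
    fields = []
    for _ in range(4):
        end = data.index(b"\n", offset)
        fields.append(data[offset:end].decode("ascii"))
        offset = end + 1
    _, version, compressed, encryption = fields
    return int(version), compressed == "1", encryption, offset


def is_encrypted(data):
    return parse_ab_header(data)[2] != "none"


def ab_to_tar(data):
    """Return the raw tar bytes of an unencrypted backup."""
    version, compressed, encryption, offset = parse_ab_header(data)
    if encryption != "none":
        # Password-protected backups need PBKDF2 + AES (see abe); the plain
        # zlib trick only applies when the header says "none".
        raise ValueError("backup is encrypted with %s" % encryption)
    payload = data[offset:]
    return zlib.decompress(payload) if compressed else payload


def list_backup(data):
    """Member names inside the backup, e.g. apps/<pkg>/_manifest."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(data)), mode="r:") as tar:
        return tar.getnames()


def make_sample_backup(package="org.nick.kanjirecognizer"):
    """Constructed .ab for the demo: a tiny tar laid out like a real backup."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in [
            ("apps/%s/_manifest" % package, b"1\n"),
            ("apps/%s/sp/prefs.xml" % package,
             b'<map><string name="token">demo</string></map>\n'),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return MAGIC + b"1\n1\nnone\n" + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    sample = make_sample_backup()
    print(parse_ab_header(sample))
    for name in list_backup(sample):
        print(name)
```

Always read the header before reaching for the dd trick: if the fourth line is `AES-256` the stream after byte 24 is not zlib data but the key-derivation parameters, and decompression will simply fail.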
Copying data directly
• Requires rooted device for sandboxed files
• Sandboxed app data is in /data/data/<package name>/
• Shared app data is in /sdcard/Android/data/<package name>/files
$ adb shell
$ su
# cd /data/data
# tar cvf /sdcard/kr-data.tar org.nick.kanjirecognizer/
# tar cvf /sdcard/kr-sdata.tar /sdcard/Android/data/org.nick.kanjirecognizer/files/
(on desktop)
$ adb pull /sdcard/kr-data.tar
$ adb pull /sdcard/kr-sdata.tar
Cloud storage
• Firebase Storage
• Dropbox, etc.
• Custom server-side storage
Obtaining cloud data
• Databases – databases/
  • SQLite, SQLCipher (encrypted)
  • may be accessible via content providers
• Shared preferences – shared_prefs/
  • XML
• Files – files/
  • app-specific format
  • noSQL -- realm DB, etc.
• WebView files – app_webview/, cache/
  • cache
  • cookies
Dynamic analysis -- debugging
https://github.com/Fuzion24/JustTrustMe
Hooking -- Frida
Java.perform(function() {
  var secretKey = Java.use("javax.crypto.spec.SecretKeySpec");
  // hook body not shown on the slide
});
• Mobile games are not really Android apps…
  • Unity3D -- .NET (Mono)
    • or IL2CPP compile to native code
  • Cocos2d-x – C++
• Tools
  • ILSpy
  • .NET Reflector
  • Hopper
  • IDA Pro
• Threat model – cheating
  • attacker == user
  • local – memory cheats
  • network – replay, packet modification
  • game bots
  • item purchase bypass
• Mitigations
  • binary packing/obfuscation
  • monitoring, abuse/bot detection
  • protocol obfuscation/encryption
Common vulnerabilities
• Unsecured Android components
• Insecure storage
• Information leakage
• Insecure communication
• Weak crypto
• Broken authentication/session management
• Insecure WebViews
• Lack of OS bug mitigations
• Lack of code protection
  • (obfuscation/root detection/tamper detection, etc.)
Unsecured Android components
• Exported components
  • services/content providers/activities
  • has <intent-filter> == exported
  • content providers exported by default for API level < 17
• Unsecured custom permissions
  • permission level != signature -- insecure
  • dangerous permissions require user interaction if targeting Android 6.0+
• How to check
  • examine AndroidManifest.xml
  • Watch out for <permission protectionLevel="normal|dangerous">
  • try to access suspicious components from other app/ADB shell
    • am start -a / am broadcast -a / am startservice / service call <service> <code> [params]
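The manifest review described on the "Examine AndroidManifest.xml" slide and the export/permission rules on this one can be mechanised. The script below applies the platform defaults (explicit android:exported wins; otherwise an <intent-filter> means exported; a <provider> is exported by default when targetSdkVersion < 17) and flags components guarded only by a custom permission whose protectionLevel is normal or dangerous. This is an added example, not code from the slides or from any listed tool; the manifest it parses is constructed for the demo, and real input is the AndroidManifest.xml that apktool decodes.

```python
"""Static manifest triage: permissions, backup flag, exported components and
weak custom permissions from a decoded AndroidManifest.xml.

Added example, not from the slides. SAMPLE_MANIFEST is constructed (not a real app).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <uses-sdk android:targetSdkVersion="16"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <permission android:name="com.example.app.ADMIN" android:protectionLevel="normal"/>
  <permission android:name="com.example.app.SYNC" android:protectionLevel="signature"/>
  <application android:allowBackup="true" android:name=".MyApplication">
    <activity android:name=".MyActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:permission="com.example.app.ADMIN">
      <intent-filter><action android:name="com.example.app.OPEN_ADMIN"/></intent-filter>
    </activity>
    <provider android:name=".DataProvider" android:authorities="com.example.app.data"/>
    <service android:name="org.acra.sender.SenderService"
             android:exported="false" android:process=":acra"/>
  </application>
</manifest>
"""


def attr(elem, name, default=None):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def is_exported(elem, target_sdk):
    """Platform defaults: explicit android:exported wins; otherwise a component
    with an <intent-filter> is exported, and a <provider> is exported by
    default when targetSdkVersion < 17."""
    explicit = attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return target_sdk < 17
    return elem.find("intent-filter") is not None


def analyze_manifest(xml_text):
    root = ET.fromstring(xml_text)
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(attr(uses_sdk, "targetSdkVersion", "1")) if uses_sdk is not None else 1

    # A custom permission below signature level protects nothing: any app can
    # request it, and for "normal" the user is not even asked.
    weak_perms = {attr(p, "name") for p in root.findall("permission")
                  if attr(p, "protectionLevel", "normal") in ("normal", "dangerous")}

    app = root.find("application")
    exported = []
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        if not is_exported(comp, target_sdk):
            continue
        perm = attr(comp, "permission")
        if perm is None:
            guard = "unprotected"
        elif perm in weak_perms:
            guard = "weak permission " + perm
        else:
            guard = "permission " + perm
        exported.append((comp.tag, attr(comp, "name"), guard))

    return {
        "package": root.get("package"),
        "target_sdk": target_sdk,
        "permissions": [attr(p, "name") for p in root.findall("uses-permission")],
        "allow_backup": attr(app, "allowBackup", "true").lower() == "true",
        "weak_custom_permissions": sorted(weak_perms),
        "exported": exported,
    }


if __name__ == "__main__":
    for key, value in analyze_manifest(SAMPLE_MANIFEST).items():
        print(key, value)
```

The launcher activity will always appear in the exported list; the interesting entries are the other exported components, and above all an exported provider on an old targetSdkVersion or a component whose only guard is a normal-level custom permission, which are exactly the ones to poke at from the ADB shell with the am/service commands above.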
Insecure storage
• Sensitive data stored without encryption
  • credentials, cryptographic keys, keystores, auth tokens
  • in DBs/shared prefs/files/account manager
• External storage (SD card)
  • Accessible to all applications with READ_EXTERNAL_STORAGE permission
• Internal storage
  • normally protected by OS sandbox
  • may leak via backup/data export (local or cloud), compromised OS or WORLD_READABLE files
• How to check
  • check for world readable files on internal storage
  • obtain all app data
  • search for/match potentially sensitive data
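Once the app data has been obtained (backup unpacked, or the tar pulled from /data/data), the last two checks are mechanical: walk the tree, report files whose mode lets other UIDs read or write them, and grep the contents for things that look like credentials. The script below does both over a constructed directory laid out like /data/data/<package>/. It is an added example, not code from the slides; the pattern list is a starting set, not an exhaustive one.

```python
"""Scan extracted app data for world-accessible files and secret-looking content.

Added example, not from the slides. make_sample_tree() builds a constructed
/data/data/<pkg>-style tree in a temp dir; in real use point scan_app_data() at
the unpacked apps/<pkg>/ directory or the pulled /data/data/<pkg>/ copy.
"""
import os
import re
import stat
import tempfile

SENSITIVE_PATTERNS = {
    "pem private key": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "password/token key": re.compile(
        rb"(?i)\b(password|passwd|auth_?token|access_?token|api_?key|secret)\b"),
    "jwt": re.compile(rb"eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"),
    "long base64 blob": re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}"),
}


def world_accessible(path):
    """Mode bits that leak across the app sandbox: other-read / other-write."""
    mode = os.stat(path).st_mode
    flags = []
    if mode & stat.S_IROTH:
        flags.append("o+r")
    if mode & stat.S_IWOTH:
        flags.append("o+w")
    return flags


def scan_app_data(root, max_bytes=1 << 20):
    """Return a sorted list of (relative path, finding) tuples."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            for flag in world_accessible(path):
                findings.append((rel, "world accessible: " + flag))
            with open(path, "rb") as f:
                blob = f.read(max_bytes)  # cap so a large DB does not stall the scan
            for label, pattern in SENSITIVE_PATTERNS.items():
                if pattern.search(blob):
                    findings.append((rel, "matches " + label))
    return sorted(findings)


def make_sample_tree():
    """Constructed app data: a token in shared prefs, a world-readable key file,
    and an innocuous SQLite header."""
    root = tempfile.mkdtemp(prefix="appdata-")
    files = {
        "shared_prefs/session.xml": b'<map><string name="auth_token">abc</string></map>',
        "files/client.pem": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
        "databases/app.db": b"SQLite format 3\x00" + b"\x00" * 64,
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    os.chmod(os.path.join(root, "files", "client.pem"), 0o644)        # world-readable
    os.chmod(os.path.join(root, "shared_prefs", "session.xml"), 0o600)
    os.chmod(os.path.join(root, "databases", "app.db"), 0o600)
    return root


if __name__ == "__main__":
    for rel, finding in scan_app_data(make_sample_tree()):
        print(rel, "->", finding)
```

Mode bits only mean something on a copy made with `tar` on the device (as on the "Copying data directly" slide); a backup produced by `adb backup` does not preserve them, so run the permission check against the on-device copy and the content check against either.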
Information leakage
• use nogotofail
Weak cryptography – usual suspects
• No obfuscation
  • dex files
  • native libs
• No tamper detection
  • hash of classes.dex, hash of signing certificate
• How to check
  • decompile, change smali code, repackage and run
  • run on developer, rooted, custom ROM device
No OS integrity check
• Rooting, etc. effectively break the OS security model
• Common mitigation -- ‘root’ detection
  • checks for multiple indicators
  • check for SuperSU package, su binary, other SUID binaries
  • not 100% reliable, usually insufficient
• Google SafetyNet -- checks if running on certified device
• Other indicators that OS security may be weakened
  • signed with test-keys
  • code injection in dalvik-cache/
  • rogue device admin apps
  • unknown CA certificates in User trust store
  • SELinux, dm-verity disabled
  • core system properties modified
  • OS-wide proxy or VPN installed
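Several of the indicators above (test-keys, modified core properties, dm-verity state) are visible in `adb shell getprop` output, which is how a tester verifies what a device actually is before trusting results from it. The script below parses getprop's `[key]: [value]` lines and compares a handful of real system properties against their production-build values, reporting a missing property as unknown rather than clean, since a modified build can simply omit it. This is an added example, not code from the slides or from SafetyNet/rootbeer; the sample output is constructed, and which of these properties exist varies by vendor and Android version.

```python
"""Flag OS-integrity indicators from `adb shell getprop` output.

Added example, not from the slides. SAMPLE_GETPROP is constructed to look like
a rooted userdebug build; in real use pass the output of `adb shell getprop`.
"""
import re

GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")

SAMPLE_GETPROP = """\
[ro.build.tags]: [test-keys]
[ro.build.type]: [userdebug]
[ro.secure]: [0]
[ro.debuggable]: [1]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.veritymode]: [disabled]
[ro.boot.flash.locked]: [0]
[ro.product.model]: [Demo Device]
"""

# property -> (value expected on a production build, finding when it differs)
EXPECTATIONS = {
    "ro.build.tags": ("release-keys", "build signed with test-keys"),
    "ro.build.type": ("user", "non-user (eng/userdebug) build"),
    "ro.secure": ("1", "adbd may run as root (ro.secure=0)"),
    "ro.debuggable": ("0", "debuggable build"),
    "ro.boot.verifiedbootstate": ("green", "verified boot state not green"),
    "ro.boot.veritymode": ("enforcing", "dm-verity not enforcing"),
    "ro.boot.flash.locked": ("1", "bootloader unlocked"),
}


def parse_getprop(text):
    """Turn getprop's `[key]: [value]` lines into a dict."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def integrity_findings(props):
    """Return {property: (finding, observed value or None)} for every
    expectation that is not met; a missing property is reported as unknown."""
    findings = {}
    for key, (expected, description) in EXPECTATIONS.items():
        observed = props.get(key)
        if observed is None:
            findings[key] = ("unknown (property missing)", None)
        elif observed != expected:
            findings[key] = (description, observed)
    return findings


if __name__ == "__main__":
    for key, (finding, value) in integrity_findings(parse_getprop(SAMPLE_GETPROP)).items():
        print("%-28s %s [%s]" % (key, finding, value))
```

Treat the result the way the slide treats root detection: a set of hints, not proof. A custom ROM can set every one of these to the production value, which is why an attestation service such as SafetyNet exists and why property checks alone are "usually insufficient".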
Tools and more
• https://github.com/frida/frida
• https://ibotpeaches.github.io/Apktool
• https://github.com/crmulliner/adbi
• https://github.com/skylot/jadx
• https://github.com/CalebFenton/simplify
• https://github.com/JesusFreke/smali/wiki/smalidea
• https://github.com/rednaga/APKiD
• https://github.com/google/enjarify
• https://github.com/google/nogotofail
• https://portswigger.net/burp/proxy.html
• https://github.com/scottyab/rootbeer
• https://mitmproxy.org/
• https://developer.android.com/training/safetynet/index.html
• https://github.com/rovo89/Xposed
• https://github.com/poliva/random-scripts/tree/master/android
• https://github.com/Fuzion24/JustTrustMe
• https://github.com/MobSF
• https://github.com/nelenkov/android-backup-extractor
• https://github.com/ucsb-seclab/agrigento
• https://github.com/AndroBugs
Resources
• OWASP Mobile
• https://github.com/OWASP/owasp-masvs
• https://github.com/OWASP/owasp-mstg/
• https://www.nowsecure.com/resources/secure-mobile-development/
• https://github.com/doridori/Android-Security-Reference
• http://www.droidsec.org/wiki/
• https://www.jssec.org/dl/android_securecoding_en.pdf
• https://www.enisa.europa.eu/publications/smartphone-secure-development-guidelines-2016
Questions?
• Twitter: @kapitanpetko
• Blog: https://nelenkov.blogspot.com