Posted 13-Feb-2017

Pentesting Android Apps

Abdelhamid Limami, IT Security Consultant @ ITDefence

Overview

What is Android?
Android Architecture
Android Applications Security
Environment Setup
Exploiting App Vulnerabilities
OWASP Top 10 Mobile
Demo(s)
Tips for Developers
Q&A

Past years… Mobile phones:

Phone calls
Sending text messages (SMS) or MMS
Alarm clock
Calculator & calendar
Listening to the radio
Playing the Snake game

And now… Smartphones!

Sending email
Watching TV & movies
Surfing the internet
Booking flights & hotels
Online banking transactions
Social networks (Facebook, Twitter, Instagram, etc.)
3G, 4G, 5G mobile networks, Wi-Fi & NFC support

What is Android? Android is a Linux-based platform developed by Google and the Open Handset Alliance.

Applications are written in Java (with XML for layouts and resources; HTML is supported through WebView).

The Android software stack runs Java applications compiled to Dalvik bytecode (DEX) on the Dalvik virtual machine (DVM). Since Android 5.0 the ART runtime has replaced Dalvik, but it executes the same DEX format, so the reversing tools covered later still apply.

Applications are in many ways similar to web apps: a client talking to a remote server, with many of the same classes of bugs.

Android Architecture

Android Applications Security

Attack Surfaces

Client Software on Android Device

Communications Channel

Server-Side Infrastructure

Client Software

Packages are installed from the Play Store, a company website, or third-party app stores/websites.

All of the application's files on the device can be accessed (root required).

The package can be tampered with, decompiled and reverse engineered.

Client Software: What exactly should I look for?

Files on the local file system
Application authentication & authorization
Error handling & session management
Logic flaws
Decompiling and analyzing the package

Communications Channel: the channel between the client and the server (HTTP(S) over Wi-Fi, 3G…).

Test with an HTTP proxy (Burp, ZAP) to intercept and manipulate data. The device proxy setting only carries HTTP(S) traffic, and the app must trust the proxy's CA certificate (or have its certificate pinning bypassed) before HTTPS can be inspected.

If the application does not use HTTP, use a transparent TCP/UDP proxy such as Mallory.

Communications Channel

What exactly should I look for?

Sensitive information that can be sniffed in transit

Replay attack vulnerabilities (does the same captured request succeed a second time?)

Whether sensitive information is transferred securely (TLS, with the certificate actually validated)

Server-Side Infrastructure: vulnerabilities in the web servers behind a mobile application, i.e. the OWASP Top 10 Web (SQLi, RCE, CSRF…).

Perform host and service scans on the target system to identify running services:
Information gathering (whois, host, DNS…)
Running services and versions (port scanning)
Infrastructure vulnerability scanning

Environment Setup

Root your device!

Install Xposed + JustTrustMe (SSL killer) / Android-SSL-TrustKiller to bypass certificate pinning, and install your proxy's CA certificate on the device. Note that apps targeting Android 7.0+ do not trust user-added CAs unless they opt in through their network security configuration, which is one more reason the pinning-bypass modules are needed.

Configure your proxy (Burp, ZAP…).

Requirements: a computer, Java, Eclipse (with the ADT plugin) or Android Studio, and the Android SDK.

Exploiting App Vulnerabilities

App analysis: insecure storage
Capturing requests
Reversing the application package
Logical flaws / malicious activities

Reading Stored Data

Android applications store their data under /data/data/[PACKAGE_NAME] (root required, or run-as for debuggable builds).

SharedPreferences are XML files under /data/data/[PACKAGE_NAME]/shared_prefs/, created with one of:
Context.MODE_PRIVATE
Context.MODE_WORLD_READABLE
Context.MODE_WORLD_WRITEABLE
MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE were deprecated in API 17 and throw a SecurityException from Android 7.0 (API 24), but older apps and old target SDK levels still expose data to every other app this way.

Files may be stored on the filesystem at /data/data/[PACKAGE_NAME]/files/filename.

Storage in SQLite databases under /data/data/[PACKAGE_NAME]/databases/.

Local data storage flaws: credentials, tokens and other sensitive data kept in plaintext, or in files other apps can read.
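As an added example (not from the original slides), the following Python script audits a pulled /data/data/[PACKAGE_NAME] tree the way a tester would after copying it off a rooted device: it flags files readable or writable by "other" (what MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE produce), sensitive keys in shared_prefs XML, and sensitive-looking columns in SQLite databases. The package name com.example.bank, the file names and every value are constructed for this example.

```python
import os
import sqlite3
import stat
import tempfile
import xml.etree.ElementTree as ET

# Key/column name fragments that usually mark sensitive data.
SENSITIVE = ("pass", "pwd", "token", "secret", "key", "pin", "card", "session")


def make_sample_app_dir():
    """Build a constructed stand-in for a pulled /data/data/com.example.bank/ tree.
    Package name, file names and values are invented for this example."""
    root = tempfile.mkdtemp(prefix="com.example.bank_")
    prefs = os.path.join(root, "shared_prefs")
    dbs = os.path.join(root, "databases")
    files = os.path.join(root, "files")
    for d in (prefs, dbs, files):
        os.makedirs(d)
    # SharedPreferences are plain XML; this app saved the password and a token in clear.
    with open(os.path.join(prefs, "com.example.bank_preferences.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n'
                "<map>\n"
                '    <string name="username">alice</string>\n'
                '    <string name="password">hunter2</string>\n'
                '    <string name="auth_token">tok_0123456789abcdef</string>\n'
                '    <boolean name="remember_me" value="true" />\n'
                "</map>\n")
    # SQLite database with card data in clear-text columns.
    conn = sqlite3.connect(os.path.join(dbs, "bank.db"))
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, holder TEXT, card_number TEXT, pin TEXT)")
    conn.execute("INSERT INTO accounts VALUES (1, 'alice', '4111111111111111', '1234')")
    conn.commit()
    conn.close()
    # One file written with MODE_WORLD_READABLE semantics (0666) next to a private one (0600).
    with open(os.path.join(files, "session.txt"), "w") as f:
        f.write("sid=9f8e7d6c\n")
    with open(os.path.join(files, "config.json"), "w") as f:
        f.write('{"api": "https://api.example.com"}\n')
    for path in (os.path.join(prefs, "com.example.bank_preferences.xml"),
                 os.path.join(dbs, "bank.db"),
                 os.path.join(files, "config.json")):
        os.chmod(path, 0o600)
    os.chmod(os.path.join(files, "session.txt"), 0o666)
    return root


def _looks_sensitive(name):
    return any(s in name.lower() for s in SENSITIVE)


def audit_app_data(root):
    """Return (kind, location, detail) findings for a pulled app data directory."""
    findings = []
    # 1. Permissions: anything readable/writable by "other" is reachable by every app on the device.
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            if mode & (stat.S_IROTH | stat.S_IWOTH):
                findings.append(("world-accessible", os.path.relpath(path, root), oct(stat.S_IMODE(mode))))
    # 2. SharedPreferences: sensitive keys stored as plaintext XML.
    prefs_dir = os.path.join(root, "shared_prefs")
    if os.path.isdir(prefs_dir):
        for name in sorted(os.listdir(prefs_dir)):
            for elem in ET.parse(os.path.join(prefs_dir, name)).getroot():
                key = elem.get("name", "")
                if _looks_sensitive(key):
                    value = elem.text if elem.text is not None else elem.get("value", "")
                    findings.append(("shared_prefs", f"{name}:{key}", value))
    # 3. SQLite: tables with sensitive-looking columns, plus one sample row as evidence.
    db_dir = os.path.join(root, "databases")
    if os.path.isdir(db_dir):
        for name in sorted(os.listdir(db_dir)):
            if name.endswith(("-journal", "-wal", "-shm")):
                continue
            conn = sqlite3.connect(os.path.join(db_dir, name))
            try:
                tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
                for table in tables:
                    cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
                    hot = [c for c in cols if _looks_sensitive(c)]
                    if hot:
                        row = conn.execute(f'SELECT {", ".join(hot)} FROM "{table}" LIMIT 1').fetchone()
                        findings.append(("sqlite", f"{name}:{table}", dict(zip(hot, row or ()))))
            finally:
                conn.close()
    return findings


if __name__ == "__main__":
    for kind, where, detail in audit_app_data(make_sample_app_dir()):
        print(f"[{kind}] {where}: {detail}")
```

Point it at a real pulled directory instead of make_sample_app_dir() once the data is on the host; the permission check is only meaningful if the copy preserved the device's mode bits, so compare against ls -l output from the device when in doubt.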

Capturing Requests

Capture HTTP requests & responses.

Parameter manipulation and data tampering: change IDs, amounts and flags in intercepted requests and check whether the server re-validates them instead of trusting the client.

Set up a proxy between the client and the server to intercept (point the device's Wi-Fi proxy at it, or use adb reverse so the device reaches a proxy on the host).
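Added example, not part of the original presentation: a small Python reimplementation of the edit you would make in the proxy's repeater, rewriting form parameters of a captured request and fixing Content-Length so the server reads the whole tampered body. The captured request, the host api.example.com and the field names are constructed for this example; replaying the unmodified bytes a second time is the replay check from the Communications Channel section.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed capture of a transfer request as an intercepting proxy would show it
# (hostname, path, cookie and field names are invented for this example).
SAMPLE_REQUEST = (
    b"POST /api/v1/transfer HTTP/1.1\r\n"
    b"Host: api.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Cookie: session=abc123\r\n"
    b"Content-Length: 40\r\n"
    b"\r\n"
    b"from=1001&to=2002&amount=10&currency=EUR"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into request line, header list and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def serialize_request(req):
    """Reassemble the request bytes, preserving header order."""
    head = f"{req['method']} {req['target']} {req['version']}\r\n"
    head += "".join(f"{name}: {value}\r\n" for name, value in req["headers"])
    return head.encode("iso-8859-1") + b"\r\n" + req["body"]


def set_header(headers, name, value):
    """Replace a header case-insensitively, or append it if absent."""
    for i, (n, _) in enumerate(headers):
        if n.lower() == name.lower():
            headers[i] = (n, value)
            return
    headers.append((name, value))


def form_params(raw):
    """Decode the form body, i.e. what the server will actually see."""
    body = parse_request(raw)["body"].decode("iso-8859-1")
    return dict(parse_qsl(body, keep_blank_values=True))


def tamper_form_params(raw, overrides):
    """Rewrite form fields of a captured request and fix Content-Length.
    Send the result from the proxy's repeater to learn whether the server
    trusts client-supplied account numbers and amounts."""
    req = parse_request(raw)
    merged = form_params(raw)
    merged.update(overrides)
    req["body"] = urlencode(merged).encode("iso-8859-1")
    # A stale Content-Length makes the server read too few or too many bytes.
    set_header(req["headers"], "Content-Length", str(len(req["body"])))
    return serialize_request(req)


if __name__ == "__main__":
    print(tamper_form_params(SAMPLE_REQUEST, {"to": "9999", "amount": "9999"}).decode("iso-8859-1"))
```

The session cookie is left untouched on purpose: the test is whether a valid session for account 1001 can move money to an arbitrary destination, which is an authorization bug on the server, not a transport one.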

Reverse Engineering

Reverse engineer the application logic and source code.
Identify flaws in the code base in order to exploit them.
Look for sensitive data such as passwords, encryption algorithms and keys, and database credentials.

Tools: Dex2Jar, JD-GUI

Chain: .apk (a zip archive) -> classes.dex -> .class (Dex2Jar) -> .java (JD-GUI). The decompiled Java is an approximation; where JD-GUI fails on a method, read the bytecode directly.
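Added example (not the presenter's code): a Python parser for the classes.dex header and string table, followed by a pattern scan for URLs, credentials, cipher transformations and key-like Base64 blobs, which is the "look for sensitive data" step done without dex2jar. To run offline it builds a minimal, structurally valid DEX from a constructed string table; real DEX files also carry type, method and class tables, which this builder leaves empty. The class name, URL and key values are invented.

```python
import hashlib
import re
import struct
import zlib

DEX_MAGIC = b"dex\n035\0"
HEADER_SIZE = 0x70

# Constructed string table standing in for a banking app's classes.dex contents.
SAMPLE_STRINGS = [
    "Lcom/example/bank/LoginActivity;",
    "onCreate",
    "https://api.example.com/v1/login",
    "db_password",
    "SuperSecret123",
    "AES/CBC/PKCS5Padding",
    "MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY=",
]

# First matching label wins; order from most to least specific.
SECRET_PATTERNS = [
    ("url", re.compile(r"https?://")),
    ("credential", re.compile(r"(?i)passw(or)?d|secret|api[_-]?key|token")),
    ("crypto", re.compile(r"^(AES|DES|RSA)/")),
    ("key-like base64", re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")),
]


def _uleb128(value):
    """Encode an unsigned integer as ULEB128 (DEX string lengths use it)."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)


def _read_uleb128(buf, off):
    """Decode a ULEB128 value at buf[off]; return (value, offset after it)."""
    result = shift = 0
    while True:
        byte = buf[off]
        off += 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return result, off


def build_sample_dex(strings):
    """Assemble header + string_ids + string_data for a DEX holding only strings."""
    string_ids_off = HEADER_SIZE
    data_off = string_ids_off + 4 * len(strings)
    string_ids, data = bytearray(), bytearray()
    for s in strings:
        string_ids += struct.pack("<I", data_off + len(data))
        # string_data_item: uleb128 utf16 length, MUTF-8 bytes, NUL (ASCII here, so MUTF-8 == UTF-8)
        data += _uleb128(len(s)) + s.encode("utf-8") + b"\0"
    file_size = data_off + len(data)
    # Fields after the signature: file_size, header_size, endian_tag, link_size, link_off,
    # map_off, then (size, off) for string/type/proto/field/method/class_defs/data.
    tail = struct.pack("<IIIIII" + "II" * 7,
                       file_size, HEADER_SIZE, 0x12345678, 0, 0, 0,
                       len(strings), string_ids_off,
                       0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                       len(data), data_off)
    body = tail + bytes(string_ids) + bytes(data)
    signature = hashlib.sha1(body).digest()             # SHA-1 of everything after byte 32
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF  # adler32 of everything after byte 12
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + body


def is_intact(dex):
    """True if the header checksum and signature match the body. Repackaging tools
    regenerate both, so a mismatch means a sloppy manual patch or a truncated pull."""
    if dex[:8] != DEX_MAGIC:
        return False
    (checksum,) = struct.unpack_from("<I", dex, 8)
    return (zlib.adler32(dex[12:]) & 0xFFFFFFFF == checksum
            and hashlib.sha1(dex[32:]).digest() == dex[12:32])


def parse_dex_strings(dex):
    """Walk string_ids (offset 56 in the header) and return every string in the DEX."""
    if dex[:8] != DEX_MAGIC:
        raise ValueError("not a DEX 035 file")
    string_ids_size, string_ids_off = struct.unpack_from("<II", dex, 56)
    strings = []
    for i in range(string_ids_size):
        (data_off,) = struct.unpack_from("<I", dex, string_ids_off + 4 * i)
        _utf16_len, off = _read_uleb128(dex, data_off)
        end = dex.index(b"\0", off)
        strings.append(dex[off:end].decode("utf-8", errors="replace"))
    return strings


def find_interesting_strings(strings):
    """Label strings worth a closer look in the decompiled code."""
    hits = []
    for s in strings:
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(s):
                hits.append((label, s))
                break
    return hits


if __name__ == "__main__":
    dex = build_sample_dex(SAMPLE_STRINGS)
    for label, s in find_interesting_strings(parse_dex_strings(dex)):
        print(f"{label:16} {s}")
```

On a real target, extract classes.dex from the APK with any zip tool and pass its bytes to parse_dex_strings; the hits tell you which classes to open first in JD-GUI.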

Logical Flaws: Insecure Login

Malicious Activities: Identity Decloaking

OWASP Top 10 Mobile

Showtime!

Developer Tips

Secure Your App!

Do not store sensitive data locally (login credentials, passwords, database credentials…).
Do not rely on weak "encryption" in your code (Base64 is an encoding, not encryption; MD5 is a fast, broken hash).
Do not send sensitive data in plaintext requests (tokens, sessions, logins): use TLS.
Encrypt data that must be stored on the device, and keep the key out of the code.
If using a web server, protect it against application-layer attacks.
Sanitize inputs and use prepared statements (protection against client-side injection into the app's own SQLite, as well as server-side SQL injection).
Obfuscate the release build, or at least run it through an obfuscator; this raises the cost of reverse engineering but does not prevent it.
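Added example, not from the slides: Python standing in for the Java app code, to show why three of the tips matter. Base64/MD5 "protection" is undone with a short wordlist; a salted PBKDF2-HMAC record (the server-side replacement for storing or hashing a password weakly) is verified in constant time; and a rawQuery-style string concatenation into the app's own SQLite is contrasted with a bound parameter. The notes table, user names and password are constructed.

```python
import base64
import hashlib
import hmac
import os
import sqlite3


# --- "Encryption" that is not: Base64 and unsalted MD5 --------------------------

def weak_protect(secret):
    """What the slide warns against: Base64 is reversible and an unsalted MD5
    of a password is looked up or brute-forced in seconds."""
    return base64.b64encode(secret.encode()).decode(), hashlib.md5(secret.encode()).hexdigest()


def crack_weak(encoded, md5_hex, wordlist):
    """Recover the 'protected' secret: decode the Base64, dictionary-attack the MD5."""
    decoded = base64.b64decode(encoded).decode()
    cracked = next((w for w in wordlist if hashlib.md5(w.encode()).hexdigest() == md5_hex), None)
    return decoded, cracked


# --- Password verification material done properly (server side) ----------------

def hash_password(password, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; the record carries its own parameters."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))  # constant-time compare


# --- Client-side injection into the app's own SQLite database --------------------

def make_notes_db():
    """Constructed in-memory stand-in for an app database with per-user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)",
                     [("alice", "groceries"), ("bob", "bob's private note")])
    return conn


def notes_for_concat(conn, owner):
    """Vulnerable: owner is pasted into the SQL, like rawQuery("... WHERE owner='" + owner + "'")."""
    return [r[0] for r in conn.execute(f"SELECT body FROM notes WHERE owner='{owner}'")]


def notes_for_prepared(conn, owner):
    """Fixed: the value travels as a bound parameter and can never alter the query."""
    return [r[0] for r in conn.execute("SELECT body FROM notes WHERE owner=?", (owner,))]


if __name__ == "__main__":
    enc, digest = weak_protect("hunter2")
    print("weak:", crack_weak(enc, digest, ["123456", "password", "hunter2"]))
    record = hash_password("hunter2")
    print("pbkdf2 ok:", verify_password("hunter2", record), verify_password("hunter3", record))
    conn = make_notes_db()
    payload = "x' OR '1'='1"
    print("concat:", notes_for_concat(conn, payload))
    print("prepared:", notes_for_prepared(conn, payload))
```

On the device the right answer to "how do I store the password securely" is usually not to store it at all: keep a revocable token instead, and let the server hold the PBKDF2 record.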

Thank You

Q&A?
