Reverse Engineeringthe

Android OS

About MeEx Military “31 Mic” Microwave Communications - 34th Signal Battalion

Lab Developer for Jones and Bartlett Publishing

CEI – CEH V8

Martial Art Nutcase

Co-creator of Cyber Kung Fu

Reverse Engineering

• Understand how applications work

• Analyze them

• Find vulnerabilities

• Uncover hard coded information

Why do I want to Hack Mobile Devices

• Natural Curiosity

• MacGyver Fan

• CEH V8 mobile sucked

• Humongous Installed Base

• Self Defense

Lots of important information

• Contacts• Messages• Photos• Email• GPS co-ordinates• Personal notes• Stored accounts• Web traffic• Application configs and credentials

Double Edged Sword

• User moves between work and personal environments

• Carries Corporate Data

• Device can be compromised in less secure areas

• Compromised device is then connected to work environment

Theft and Loss

• Weak protective mechanisms

• Compounded by users turning off security features

• Rooted devices

More Problems

• Increasing everyday use

• Users not educated

• Mix of personal and business use

• Always connected to internet

Physical Security

• Phone is easily accessed

• SD Card

• Charging/io port access – Rubber Ducky

• Shoulder Surfing

• Smudge attack

Web Issues

• Small screen hides full URL

• XSS

• CSRF

• Phishing

Rogue Applications

• Malware

• Virus

• Trojans

• Spyware

History

• Cabir – 2004

• Skulls – 2004

• pbstealer

• Commwarrior

• Cardtrap

• All Symbion basesd but eventually spread to CE and Java (J2ME

Android and IOs

• Ikee – 2009/2010 - worm

• AndroidOS.FakePlayer – premuium SMS

• Geinimi Trojan

• SMS Replicator

• DroidDream

• GinerMaster

• DroidKungFu

Older Devices

• Out of date software

• Vulnerable to older fixed exploits

• Patching – no incentive for older hardware

• Carrier indifference

Architecture

KernelFirst layer to interact with Hardware

C/C++ Libraries

• Exposed to developer via Java API

• Kind of a transaction layer between kernel and application framework

• Provides common services for apps

Core Libraries

• SSL

• SLite

• Surface Manager

• WebKit

• Font, media, display libraries

Runtime

• DVM – Dalvik Virtual Machine

• Efficient and Secure mobile environment

Secure

• Each app runs in its own instance

• Unique ID and VM

• Separate memory and files

Application Framework

• Compiled java code running in DVM

• Provides services to multiple apps

• Layer that 3rd party developers interact with

• Abstract access to key resources

Application Layer• Contacts

• Phone

• Calendar

• Browser

• Maps

• Pictures

Privilege Separation & Sandboxing

• Based on Linux security model

• Each user is assigned a unique ID (UID)

• Each user can be assigned to Groups

• Each Group has an unique ID (GID)

Resource Permissions

• Owner

• Group

• Rest of world (everyone)

Sandboxing

• Two or more applications can communicate

• Provided they grant permissions

• Implemented in the kernel

• Extended to all software above 1st layer

App Separation

• Kernel assigns unique UID

• Runs as that user in separate process

• Different than multiuser OS

File Separation

• New apps get new UIDs

• Extended across memory cards

• All associated DB and files use the new UID

File Permissions

Separate File Permission Groups

• Note – only the associated UID and root UID have full privileges on these resources unless the developer exposes files to other apps.

SD Cards

• Everyone (Whole World) has access Storage

• Currently vfat fs

• Doesn’t support granular permissions

• Note – good place for privilege escalation

Data Storage on the Device

• Databases

• SharedPreferences

SharedPreferences

• Allows app to store and retrieve persistent key values

• Persist across device sessions

• Accesss using the SharedPreferences Object

• Stored as XML

• /data/data/”app”/shared_prefs

• Example

SQLite3

• Full Support

• Accessed via the UID of the related app

• /data/data/”app”/databases

Application Signing

• Ensures Integrity and Authenticity

• APK must be signed

• Inhibits tampering

• Aids confidentiality by insuring where it came from

• Apps signed with same key can share UID, Process, Memory, Data Storage and Sandbox

Signing Quirks

• Apps can be disassembled and changed

• Can be resigned with same certificate if you have key

• Multiple apps can use same certificate

• App can be manipulated to accept same certificate

• Debugging certificate

App access to resources

• Developer limits access to required resources

• Helps to inhibit rogue apps from taking over

• Text, GPS, MMS, camera, microphone, contacts

API Permissions

• AndroidManifest.xml

• Used by trusted applications

• Tracks what the user is allowed to do

• Each app must have an AndroidManifest.xml

Permission Model

• System displays permissions

• Helps user to decide to trust app or not.

Normal – Dangerous – Signature – Signature or System

Components

• Activity

• Content Providers

• Broadcast Receivers

• Services

Activity

• Provides a screen and allows a user to interact with it.

• A window where the user interface is defined

Content Providers

• Allow efficient data sharing between processes & applications

• Allow applications to access the stored data of other applications

• Use relational databases similar to tables

• Each row is an Instance each column is a Type

• Pic

Examples of Content Providers

• Calendar provider

• Contacts provider

Broadcast Receiver

• Listens for asynchronous request from intents

• Apps can register for events and get notified when it happens

Services

• Background processes

• Run even when app is not visible

• Provide computations

• Example is GPS

SecurityException

• Without proper permissions a component call will raise a Security Exception

Intents

• Mechanisms for asynchronous IPC (Inter Process Communication)

• Allow app to send or broadcast messages to specific components

• Control task and transport data

• Components like Activities, Broadcast Receivers & Services are activated via Intents

• Contain a large amount of information

• Parsed by OS & used by the receiver to take action

• Contain category and instruction for activity launch

Action – Data – Type – Category (note)

Google Bouncer

• Automatically scans Android Market looking for malicious Apps

• Checks new applications

• Apps already in Store

• Developer accounts

• No restrictions on upload process

• Can be bypassed

Rooting

• Gain Root permissions

• Allow access and editing of Carrier and Manufacturer apps

• Install Custom Software (ROMs)

• Install different Android Version

• Wi Fi tethering

• Overclocking

• Removing Fluff-ware

Some Rooting Techniques

• Depends on the device

• OneClickRoot

• SuperOneClick

• z4Root

• GingerBreak

• UnlockRoot

The SDK

• Windows and Linux

• SDk & Eclipse

• Virtual Devices (emulators)

• Allows interaction with virtual and real devices

– Browse files

– Create, install, extract apps

– Get shells

– SSH & VNC

SDK continued

• Eclipse

• ADT – Android Developer Tools

– Signing

– Debugging

– Important for developer & tester

– Use Android SDK Tools

• IDE – integrated Development Environment

Package Explorer

Package ExplorerMiddle pane

• Source code

• Activity’s UI

Right Pane (Outline)

• Methods

• Functions

• Arguments

• Variables

• Properties

Perspectives

• Java – DDMS – Debug (Dalvik Debug Monitor Server)

AVD Manager

• Allows emulation of devices

• Custom hardware

• Custom software

• Runs from SDK executables

Android Virtual Device

Device definition

• Create

• Clone – Edit – Delete

• New custom devices

What we can do with a Virtual Device

• Send and receive text between devices

• make calls

• interact with the touch screen if you have one on your host

• browse file

• threads

Commands Available

• the VM can be run from the command line

• Command - adb devices

• adb connect <device name>

• note the number reference the port used

USB devices are different

Shell interaction is via the –s option

Shell commands

• allows browsing

• read and write files & folders

• change permissions

• get network statistics

basic linux commands

• ls

• ps

• netstat

• top

More Commands• list all the packages

• pm list packages –f

sqlite3• access databases *.db

• query statements

• show a browsed database from /data/Datacom.android.providers.telephony/databases

Browse SMS Folder

Database containing SMSs

Sqlite3 mnsms.db

sqlite .tables

select * sms

Adb pull - Adb push

• adb pull <device_path> <local_path>

• adb push <device_path> <local_path>

Pull ExampleBrowser Files

Push Example

Changed “enable_javascript” to true

Device Settings Changed

Sqlite.exe in sdk/tools

Sqlite store credentials

Because the Web Browser had the “Remember Password” option enabled we can view it in the “webview.db” file

DDMS ViewDalvik Debug Monitor Server

Browse all Devices and Contents by using the “File Explorer” Tab

More Powerfull Shell

SSH Client

SSH Server

Putty as Client

putty shell via ssh over wifi

Droid VNC

Analysis Types

APK = ZIP

Decompiling & Disassembling

Elements in apk

SourceAndroidManifest.xml

Dex filesdexdump –d path_to_file.dex

apktoolapktool d name.apk path_to_file

Smali / bacsmali

• Developed by Jesus Freke

• Assembler/ disassembler for dex files

smali Folder

classes.dex vs .smali

ApktoolAndroidManifest.xml

Folders & Uses

src – source• Packages• MainActivity.java

assets• Fonts, audio, images, text files• Non-android xml files

Folders & Uses

bin – same as Linuxlibs - same as Linuxres - resources• drawables – images for layouts• layout –user interface *• values – string.xml – styles.xml – dimens.xml - colors

layout/Folder

Activity_Main.xml<TextView

android:layout_width=“wrap_content”android:layout_height=“wrap_content”android:text=“@string/”hello world”

values\Folder

Strings.xml<resourses><string name=“Hello world”> Hello world </string>

dex2jar

Decompiles dex into java

JD-GUI

XDAAutoTool

XDAAutoTool Options

Bypassing Security Controls

Code example

for - if - else

passwordafter 5 iterations

Quick Way

Tom Updegrovetu@internetworkservice.com