2. Principal Consultant @ Indusface, India
Over 6 years of experience in Information and
Application Security
CISSP, CHFI, ITIL
3. What comes to any Indian’s mind when
they think of Russia?
5. Introduction to Android and Mobile Applications
Working with Android SDK and Emulator
Setting up GoatDroid Application
Memory Analysis
Intercepting Layer 7 traffic
Reverse Engineering Android Applications
SQLite Database Analysis
Demo: ExploitMe application
6. Gartner Says:
8.2 Billion mobile applications have been
downloaded in 2010
17.7 Billion by 2011
185 Billion applications will have been downloaded
by 2014
8. Most widely used mobile OS
Developed by Google
OS + Middleware + Applications
Android Open Source Project (AOSP) is
responsible for maintenance and further
development
10. Linux kernel with system services:
Security
Memory and process management
Network stack
Provides drivers to access hardware:
Camera
Display and audio
Wifi
…
11. Core Libraries:
Written in Java
Provide the functionality of the Java programming language
Executed by the Dalvik VM
Dalvik VM:
Java-based VM, a lightweight substitute for the JVM
Unlike the JVM, the DVM is a register-based virtual machine
The DVM is optimized to run with limited main memory and low
CPU usage
Compiled Java code (.class files) is converted into the .dex (Dalvik
Executable) format by the SDK's dx tool to be able to run on the Android platform
13. Thick and Thin Client
Security Measures
User Awareness
14. Handset / Android Device
Android SDK and Eclipse
Emulator
Wireless Connectivity
And of course… Application file
15. What we need:
Android SDK
Eclipse
GoatDroid (Android App from OWASP)
MySQL
.NET Framework
Proxy tool (Burp)
Agnitio
Android Device (Optional)
SQLitebrowser
17. Development Environment for Android
Application Development
Components:
SDK Manager
AVD Manager
Emulator
18. Can be downloaded from :
developer.android.com/sdk/
Requires JDK to be installed
Install Eclipse
Install ADT Plugin for Eclipse
20. Go to Help->Install new Software
Click Add
Give Name as ADT Plugin
Provide the following address in Location: http://dl-ssl.google.com/android/eclipse/
Press OK
Check the box next to 'Developer Tools' and press Next
Click Next and accept the 'Terms and Conditions'
Click Finish
21. Now go to Window -> Preferences
Click on Android in left panel
Browse the Android SDK directory
Press OK
27. Android Debug Bridge (adb) is a versatile command
line tool that lets you communicate with an
emulator instance or connected Android-powered
device.
You can find the adb tool in <sdk>/platform-tools/
28. Install an application to emulator or device:
adb install <path-to-apk>
29. Push data to emulator / device
adb push <local> <remote>
Pull data from emulator / device
adb pull <remote> <local>
Remote -> path on the emulator / device, Local -> path on the machine
30. Getting Shell of Emulator or Device
adb shell
Reading Logs
adb logcat
31. Reading a SQLite3 database
adb shell
cd to the directory holding the database (typically /data/data/<package>/databases/)
sqlite3 database_name.db
.dump prints the content of the db file and .schema prints the
schema of the database on the screen
41. Both the Android phone and the laptop (the machine used
for auditing) need to be on the same wireless LAN.
Configure the proxy tool (transproxy) with the laptop's IP
address and the port on which the proxy is listening.
42. Burp is an HTTP proxy tool
It intercepts layer 7 traffic and lets the
user manipulate HTTP requests and
responses
47. Install MySQL
Install the fourgoats database.
Create a user named "goatboy" with password
"goatdroid" and limit connectivity to hosts
matching "localhost". "goatboy" also needs
insert, delete, update and select on the fourgoats
database.
48. Run the goatdroid-beta-v0.1.2.jar file
Set the path for the Android SDK root directory
and Virtual Devices:
Click Configure -> Edit and click on the Android tab
Set the path for the Android SDK, typically
▪ C:\Program Files\Android\android-sdk
Set the path for Virtual Devices, typically
▪ C:\Documents and Settings\Manish\.android\avd
49. Start web services
Start the emulator through the GoatDroid jar file
Push / Install the application to the device
Run the FourGoats application in the emulator
Click on Menu and then click on Destination Info
Provide the following information in the required fields:
Server: 10.0.2.2 and Port 8888
51. Assuming FourGoats is already installed
Run the goatdroid-beta-v0.1.2.jar file and start web services
Start an HTTP proxy tool (Burp) on port 7000
Configure Burp to forward the incoming traffic to port
8888
Start the emulator from the command line with the following
command:
emulator -avd test2 -http-proxy 127.0.0.1:7000
52. Open the FourGoats application in the emulator
Click on Menu to set Destination Info
Set Destination Info as below:
Server: 10.0.2.2 and port 7000
(10.0.2.2 is the emulator's alias for the host machine's loopback
interface, so this points the app at Burp running on the laptop)
Now check whether you are able to intercept the traffic
in Burp
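To make the interception step concrete, here is an added example (not part of the original slides or of GoatDroid) of what Burp is doing on port 7000: a minimal forwarding HTTP proxy that records every request it sees (method, path, headers, body) and relays it to the web service on port 8888. It handles both request forms the emulator can produce: a plain path when the app is pointed at 10.0.2.2:7000 directly, and an absolute URL (`GET http://10.0.2.2:7000/...`) when the emulator is started with `-http-proxy`. The upstream "service" here is a constructed stub that echoes the body back, so the example runs offline; the `/login` request and its field names are assumptions, not the FourGoats protocol.

```python
"""Added example: a Burp-style forwarding proxy, with a stub upstream so it runs offline."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

captured = []  # every intercepted request as (method, raw_path, headers, body)


class ForwardingProxy(BaseHTTPRequestHandler):
    """Plays Burp's role on port 7000: record the request, forward it upstream."""
    upstream = ("127.0.0.1", 8888)  # GoatDroid web service port from the slides

    def _intercept(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        captured.append((self.command, self.path, dict(self.headers.items()), body))
        # The emulator's -http-proxy sends absolute URLs (GET http://10.0.2.2:7000/x);
        # forward only the path so the upstream service sees a normal request.
        path = self.path
        if path.startswith(("http://", "https://")):
            parts = urlsplit(path)
            path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        headers = {k: v for k, v in self.headers.items() if k.lower() != "host"}
        conn = http.client.HTTPConnection(*self.upstream)
        conn.request(self.command, path, body=body, headers=headers)
        resp = conn.getresponse()
        data = resp.read()
        conn.close()
        self.send_response(resp.status)
        for k, v in resp.getheaders():  # relay upstream headers, own framing headers
            if k.lower() not in ("content-length", "transfer-encoding", "connection",
                                 "server", "date"):
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_PUT = do_DELETE = _intercept

    def log_message(self, *args):  # `captured` is the log; keep stderr quiet
        pass


class UpstreamStub(BaseHTTPRequestHandler):
    """Constructed stand-in for the GoatDroid web service: echoes the body back."""
    def _echo(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        out = b"received " + body
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

    do_GET = do_POST = _echo

    def log_message(self, *args):
        pass


def serve(handler, port):
    """Start `handler` on 127.0.0.1:port (0 = any free port) in a daemon thread."""
    server = HTTPServer(("127.0.0.1", port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def send(addr, method, path, body=None, headers=None):
    """One request on a fresh connection; returns (status, body)."""
    conn = http.client.HTTPConnection(*addr)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    result = (resp.status, resp.read())
    conn.close()
    return result


def demo(proxy_port=0, upstream_port=0):
    """Run stub + proxy, push two requests through, return replies and what was seen.
    Pass 7000 and 8888 to mirror the slide setup exactly."""
    del captured[:]
    upstream = serve(UpstreamStub, upstream_port)
    ForwardingProxy.upstream = upstream.server_address
    proxy = serve(ForwardingProxy, proxy_port)
    try:
        # Constructed login request of the kind an app posts to its service:
        # the credentials are visible in clear to whoever sits on port 7000.
        first = send(proxy.server_address, "POST", "/login",
                     body=b"username=goatboy&password=goatdroid",
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        # Absolute-URL form, as sent when the emulator runs with -http-proxy.
        second = send(proxy.server_address, "GET", "http://10.0.2.2:7000/checkin?venue=1")
        return first, second, list(captured)
    finally:
        for s in (proxy, upstream):
            s.shutdown()
            s.server_close()
```

Run `demo(7000, 8888)` with the GoatDroid web service stopped to see the proxy stand in for Burp on the same ports; `demo()` alone picks free ports and exercises the whole chain locally.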
57. • Install the app on the Android device
• Set the destination info as below:
• Server: IP address (WLAN) of your laptop
and port 8888 (in case no proxy is
listening)
• Memory analysis through Terminal Emulator
and the dd command
60. Vulnerabilities can be found through reverse
engineering:
Vulnerabilities in source code
Re-compiling the application
Commented-out code
Hard-coded information
61. Dex to jar (dex2jar)
C:\dex2jar-version\dex2jar.bat someApk.apk
Open the resulting jar in any Java decompiler
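Before feeding a classes.dex to dex2jar it is worth checking that the file is what it claims to be, since a bad magic, a wrong endian tag or a checksum/signature mismatch usually means a truncated extraction or a deliberately mangled file rather than a dex2jar bug. The following is an added example (not part of the slides or of dex2jar) that parses the public 112-byte DEX header and recomputes the two integrity fields: the adler32 checksum over everything after the checksum field and the SHA-1 signature over everything after the signature field. It builds a minimal, constructed DEX (header plus a one-entry map list, no classes) so it runs offline; on a real APK, unzip it and pass the bytes of classes.dex.

```python
"""Added example: parse and validate a DEX header (classes.dex) before reverse engineering."""
import hashlib
import struct
import zlib

# magic(8) + checksum(4) + signature(20) + 20 little-endian uint32 fields = 112 bytes
HEADER_FMT = "<8sI20s" + "I" * 20
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 0x70
FIELDS = (
    "magic", "checksum", "signature", "file_size", "header_size", "endian_tag",
    "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)
ENDIAN_CONSTANT = 0x12345678          # 0x78563412 would mean a byte-swapped file


def parse_header(dex: bytes) -> dict:
    """Return the header fields by name; raise ValueError if this is not a DEX."""
    if len(dex) < HEADER_SIZE:
        raise ValueError("file shorter than a DEX header")
    hdr = dict(zip(FIELDS, struct.unpack_from(HEADER_FMT, dex, 0)))
    magic = hdr["magic"]
    if magic[:4] != b"dex\n" or magic[7:] != b"\0":
        raise ValueError("not a DEX file: bad magic %r" % magic)
    hdr["version"] = magic[4:7].decode("ascii")  # e.g. "035"
    return hdr


def verify(dex: bytes) -> dict:
    """Recompute the integrity fields and sanity-check sizes; True means the check passed."""
    hdr = parse_header(dex)
    return {
        "header_size": hdr["header_size"] == HEADER_SIZE,
        "endian": hdr["endian_tag"] == ENDIAN_CONSTANT,
        "file_size": hdr["file_size"] == len(dex),
        "map_in_file": hdr["map_off"] < len(dex),
        # adler32 covers every byte after the checksum field (offset 12 onwards)
        "checksum": (zlib.adler32(dex[12:]) & 0xFFFFFFFF) == hdr["checksum"],
        # SHA-1 covers every byte after the signature field (offset 32 onwards)
        "signature": hashlib.sha1(dex[32:]).digest() == hdr["signature"],
    }


def build_minimal_dex() -> bytes:
    """Constructed sample: a header plus a map_list with a single TYPE_HEADER_ITEM entry."""
    map_off = HEADER_SIZE
    # map_list = uint size, then map_item {ushort type, ushort unused, uint size, uint offset}
    map_list = struct.pack("<I", 1) + struct.pack("<HHII", 0x0000, 0, 1, 0)
    file_size = HEADER_SIZE + len(map_list)
    body = struct.pack(
        "<" + "I" * 20,
        file_size, HEADER_SIZE, ENDIAN_CONSTANT,
        0, 0,                      # link_size, link_off
        map_off,
        *([0] * 12),               # empty string/type/proto/field/method/class tables
        len(map_list), map_off,    # data_size, data_off
    ) + map_list
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return b"dex\n035\0" + struct.pack("<I", checksum) + signature + body


if __name__ == "__main__":
    sample = build_minimal_dex()
    print(parse_header(sample)["version"], verify(sample))
```

A file where only `checksum` and `signature` fail but `file_size` holds is the tell-tale of post-build patching (someone edited bytes and did not re-sign the dex), which is exactly what the re-compile step on the previous slide produces if done by hand.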
66. SQLite Database:
SQLite is a widely used, lightweight database
Used by most mobile OSes, e.g. iPhone, Android, Symbian,
webOS
SQLite is free to use and open source
Zero-configuration - no setup or administration needed.
A complete database is stored in a single cross-platform
disk file.
67. Pull the .db files out of the emulator / device
as explained earlier
Tools
SQLite browser
Epilog