Qark DefCon 23

3. WHAT IS QARK? QUICK ANDROID REVIEW KIT AN AUDITING AND ATTACK FRAMEWORK A PROGRESSION OF OTHER TOOLS/IDEAS A PINCH OF INNOVATION LOTS OF (HORRIBLY WRITTEN) PYTHON

4. QARK’s mission RAISE THE BAR SHARE KNOWLEDGE COMMUNITY INVOLVMENT MOTIVATE OTHERS

5. ANDROID ISSUES FRAGMENTATION USERS DON’T UPDATE IMPROPER TLS, IF ANY NUMEROUS TAINTED SOURCES CLIENT SIDE FAIL – NO ONE WILL KNOW

6. MOTIVATION WE’RE LAZY OUR BOSS IS CRAZY WE HAVE LOTS OF APPS TO PROTECT DEVELOPERS ARE EVEN LAZIER THAN US WE HATE REPEATING BUGS LOTS OF SMALL DEV SHOPS (AKA NO SECURITY)

7. UNDER THE HOOD PARSING: PLYJ, BEAUTIFULSOUP, MINIDOM REVERSING: PROCYON, JD-CORE, CFR, DEX2JAR, APKTOOL CODE: PYTHON TOOLS & BUILDING: ANDROID SDK

8. APK STRUCTURE APK RESOURCES .ARSC /RES ANDROID MANIFEST. XML CLASSES .DEX /META-INF /LIB /ASSETS

9. REVERSING APKs GET MANIFEST •  APKTOOL D FOO.APK UNZIP APK •  APK TO ZIP; UNZIP DALVIK BYTECODE •  DEX2JAR CLASSES.DEX JAVA BYTECODE •  JD-GUI RAW JAVA FILES

10. ACQUISITION SIMPLIFIES APK RETRIEVAL FROM DEVICES DECOMPRESSES APK CONVERTS ANDROIDMANIFEST.XML TO TEXT PARSES ANDROIDMANIFEST.XML FINDS PERMISSIONS ISSUES FINDS EXPORTED COMPONENTS, SUPPORTED VERSIONS, ETC.

11. COMMUNICATION SOURCES WEBVIEWS INTENTS NETWORK REQUESTS DEEPLINK URLSAIDL MESSAGES

12. ACTIVITY ONCREATE() ONSTART() ONRESUME() ONPAUSE() ONSTOP() ONDESTROY() ONRESTART() SERVICE ONCREATE() ONBIND() ONSTARTCOMMAND() ONUNBIND() ONDESTROY() PROVIDER ONCREATE() RECEIVER ONRECEIVE() COMPONENTS

13. PARSE STRUCTURE MAPS MANIFEST TO CLASSES PARSES JAVA CLASSES LOCATES “ENTRY POINT” METHODS

14. SOURCE TO SINK FINDS SOURCES OF TAINTED INPUT TRACKS POTENTIALLY TAINTED INPUT RECORDS ANY “SINKS” ENCOUNTERED STORES INFORMATION GATHERED ALONG WITH MANIFEST DETAILS FOR LATER USE SECURITY MAGIC

15. QARK CHECKS EXAMINES WEBVIEW CONFIGURATIONS AND PROVIDES TEMPLATED HTML FILES FOR VALIDATION OF VULNERABILITIES LOOKS FOR COMMON X.509 CERTIFICATE VALIDATION ISSUES LOOKS FOR VULNERABILITIES ORIGINATING FROM WITHIN THE APP, INSPECTING BROADCAST, STICKY AND PENDING INTENTS LOOKS FOR EMBEDDED PRIVATE KEYS AND INCORRECTLY IMPLEMENTED CRYPTO ISSUES LOOKS FOR WORLDREADABLE AND WORLDWRITEABLE FILES

16. DEMO TIME !!

17. UNIQUE FEATURES USES MULTIPLE DECOMPILERS TO PROVIDE BETTER RESULTS BUILDS AN APK FOR MANUAL TESTING CONTAINS SWISS-ARMY KNIFE STYLE SET OF FUNCTIONALITIES CREATES ADB COMMANDS TO EXPLOIT DISCOVERED VULNERABILITIES CREATES CUSTOM EXPLOIT APK FOR POINT- AND-CLICK PWNAGE

18. QARK Is NOT (YET) A FORENSICS TOOL A DYNAMIC ANALYSIS TOOL PERFECT FINISHED

19. FUTURE PLANS DYNAMIC ANALYSIS FUNCTIONALITY SMALI INSPECTION NON-ANDROID SPECIFIC JAVA VULNS ODEX SUPPORT IMPROVE EXTENSIBILITY ASK FOR YOUR HELP

20. ACKNOWLEDGEMENTS MWR LABS: DROZER RAFAY BLALOCH, ET AL, FOR THE WEBVIEW EXPLOITS NVISIUM: TAPJACKING CODE THE AUTHORS AND MAINTAINERS OF ALL THE OPENSOURCE PROJECTS USED IN QARK JASON HADDIX, SAM BOWNE, ET AL, FOR SUPPLYING SOME VULNERABLE APKS

21. CONTACT INFO WWW.SECBRO.COM •  WWW.LINKEDIN.COM/IN/TONYTRUMMER @SECBRO1 TONY TRUMMER •  WWW.LINKEDIN.COM/IN/TDALVI @TUSHARDALVI TUSHAR DALVI

22. WHERE TO GET QARK? LINKEDIN’S GIT REPO HTTPS://GITHUB.COM/LINKEDIN/QARK

Qark DefCon 23

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (6)

Similaire à Qark DefCon 23

Similaire à Qark DefCon 23 (20)

Dernier

Dernier (20)

Qark DefCon 23