SlideShare une entreprise Scribd logo

Android Security & Penetration Testing

Subho Halder
Subho Halder

These slides were presented at GDG MeetUp in Bangalore which was held on 21st September 2013. Uploading the slides to help the people who wanted the slide Deck

Technologie
1  sur  40
Télécharger pour lire hors ligne
ANDROID SECURITY & PENETRATION TESTING Subho Halder @sunnyrockzzs #AFE Monday, 23 September 13
./AboutMe.sh Information Security Researcher Trainer at BlackHat, OWASP AppSec, ToorCon, SysCan. Lead Developer of AFE (Android Framework for Exploitation) Python Lovers Co-founder of XYSEC (http://xysec.com) Have found bug in some famous websites including Google, Apple, Microsoft, Skype, Adobe and many more Monday, 23 September 13
Some Companies I have found Vulnerabilities in ..... And many more... Monday, 23 September 13
./Agenda Quick Introduction to Android Internals Android Security Model Android Coding Best Practices Android Malware, Technique, Effectiveness using AFE (Android Framework for Exploitation) Small Social Experiment ! Monday, 23 September 13
Android Internals.exe Based on Linux kernel version 3.x (version 2.6 prior to Android 4.0 ICS) Application runs through Dalvik VM (Dalvik Virtual Machine) Dalvik VM runs executable files like dex (Dalvik executable) or apk files apk files are zipped content of Resources, Signatures, classes.dex and AndroidManifest.xml file Monday, 23 September 13
Android Security Model.txt Application are sandboxed (Runs with different UID and GID) Zygote spawns a new process for each Application Each Application runs with a separate instance of Dalvik VM Special Permissions are provided to access Hardware API’s Permissions are mentioned in AndroidManifest.xml file. Monday, 23 September 13
Android Application.apk Just an Archive ! Written mainly in Java and XML Multiple Entry-points, such as Activity, Services, Intents, Content Providers, etc. Monday, 23 September 13
AndroidManifest.xml Monday, 23 September 13
CAN THESE PERMISSION BE BYPASSED? Monday, 23 September 13
Uploading a sensitive file from SD-Card to Remote Server without any Permission! Read Files from SD-Card Uploads File to Remote Server Upload a file through Browser Permission not Required for READING files from SD Card Opening Browser through INTENT doesn’t requires Permission Intent(Intent.ACTION_VIEW, Uri.parse("http://google.com/")); Save theValue in the GET parameter to a file in Server Monday, 23 September 13
QUICK-DEMO ( SHOULD I ) ? Monday, 23 September 13
Android Coding Best Practices Follow -> http://developer.android.com/guide/practices/index.html Top 10 Mobile Risks (Outdated) -> https://www.owasp.org/index.php/ Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Attend more GDG Talks and other Security Conferences Shoot me a tweet @sunnyrockzzs Monday, 23 September 13
AndroidManifest.xml OMG ! Activities, Services, Receivers should not be exported or else you can bypass those activities ! Monday, 23 September 13
AndroidManifest.xml OMG ! (Contd.) android:exported= “True” in <provider> will turn into a nightmare ! BTW by default it is “True” if either android:minSdkVersion or android:targetSdkVersion to “16” or lower. For applications that set either of these attributes to “17” or higher, the default is “false”. Monday, 23 September 13
AndroidManifest.xml OMG ! (Contd.)AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.)AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.)Monday, 23 September 13
ANDROID MALWARE Monday, 23 September 13
Android Malware (Common Features) Send SMS to premium Number Subscribe to premium Services Dial Premium number Steal messages, contact list, logs Steal SD-Card files Auto-respond to attackers’s text messages ! Monday, 23 September 13
Creating a Malware.vbs Use CONTENT PROVIDERS Make use of CURSORS & SQLITE databases Write JAVA codes like crazy Set up Server component Get frustrated, start from bullet-point one. Monday, 23 September 13
If you don’t have past relationship with JAVA Monday, 23 September 13
Android Framework for Exploitation Monday, 23 September 13
Let’s Create a Malware ! Monday, 23 September 13
What about GOOGLE? Presenting GOOGLE Bouncer ! Monday, 23 September 13
“I am not Afraid” - Eminem Monday, 23 September 13
Faking Legitimate Application? Malware services generally injected in legitimate applications How to do it? legitimate apk Smali/Java Add malicious services/classes RecompileFinal malware Monday, 23 September 13
USE AFE TO AUTOMATE !! Monday, 23 September 13
Android Framework for Exploitation.py To make your life easier ! Find security vulnerabilities in your device+apps Protect your device against malwares Create automated malwares/botnets + send the data to a python listener Inject malicious services in another applications Use Android Exploits Crypt existing malwares to make them FUD Monday, 23 September 13
AFE Perspective.c Offensive Defensive Malware Creation BotNet Automation Crypting Injecting Content Query App Assesment Fuzzing Kernel Assesment Monday, 23 September 13
AFE Internals.py Python Based Plugin Based Architecure Modules Libraries Monday, 23 September 13
Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Monday, 23 September 13
Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Rebuild + Zipalign Monday, 23 September 13
Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Modifies the classnames and all its references within files Example: Converts com.example.org to com.omg.lol Monday, 23 September 13
Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Split variables into two, and append at runtime Example: String a = “hello” Will now become String aa = “hel” String ab = “lo” String a = aa + ab Monday, 23 September 13
Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Add dummy loops to change CFG Example: goto end; start: //everything in this label will execute, only when it is called ........ end: //everything in this label will execute, only when it is called goto start; Monday, 23 September 13
Statistics? ? ? ? ? ? ?.xls Earlier Detection: 30/46 Monday, 23 September 13
Statistics? ? ? ? ? ? ?.xls Detection after Crypting: 4/46 Monday, 23 September 13
OOPS CRYPTING MODULE IS NOT PUBLIC :) Monday, 23 September 13
./Conclusion -h Be safe Don’t download apps from 3rd party markets Turn USB debugging OFF Anti-virus vendors -> Switch to dynamic analysis Focus on BYOD security We also conduct trainings on Advanced Mobile Hands-on Security/Exploitation for both Android and iOS Monday, 23 September 13
HEY WAIT!! WHERE IS THE SOCIAL EXPERIMENT ? Monday, 23 September 13
./QUESTIONS subho.halder@gmail.com security@xysec.com http://xysec.com @sunnyrockzzs Monday, 23 September 13
STILL CURIOUS ?? MEET ME NOW !!! Monday, 23 September 13

Recommandé

Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android AppsAbdelhamid Limami
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Ajin Abraham
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetupkunwaratul hax0r
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 
Mobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android AppMobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android AppAbhilash Venkata
 

Recommandé

Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android AppsAbdelhamid Limami
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Ajin Abraham
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetupkunwaratul hax0r
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 
Mobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android AppMobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android AppAbhilash Venkata
 
Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testingRoshan Kumar Gami
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentestingn|u - The Open Security Community
 
Introduction to Metasploit
Introduction to MetasploitIntroduction to Metasploit
Introduction to MetasploitGTU
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and GuidelinesWSO2
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10NowSecure
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitRaghav Bisht
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.VodqaBLR
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)Adam Nurudini
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Metasploit framework in Network Security
Metasploit framework in Network SecurityMetasploit framework in Network Security
Metasploit framework in Network SecurityAshok Reddy Medikonda
 
How to test infrastructure code: automated testing for Terraform, Kubernetes,...
How to test infrastructure code: automated testing for Terraform, Kubernetes,...How to test infrastructure code: automated testing for Terraform, Kubernetes,...
How to test infrastructure code: automated testing for Terraform, Kubernetes,...Yevgeniy Brikman
 
Metasploit For Beginners
Metasploit For BeginnersMetasploit For Beginners
Metasploit For BeginnersRamnath Shenoy
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basicsOWASPKerala
 
My Null Android Penetration Session
My Null Android Penetration Session My Null Android Penetration Session
My Null Android Penetration Session Avinash Sinha
 

Contenu connexe

Tendances

Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testingRoshan Kumar Gami
 
Introduction to Metasploit
Introduction to MetasploitIntroduction to Metasploit
Introduction to MetasploitGTU
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and GuidelinesWSO2
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10NowSecure
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitRaghav Bisht
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.VodqaBLR
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)Adam Nurudini
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Metasploit framework in Network Security
Metasploit framework in Network SecurityMetasploit framework in Network Security
Metasploit framework in Network SecurityAshok Reddy Medikonda
 
How to test infrastructure code: automated testing for Terraform, Kubernetes,...
How to test infrastructure code: automated testing for Terraform, Kubernetes,...How to test infrastructure code: automated testing for Terraform, Kubernetes,...
How to test infrastructure code: automated testing for Terraform, Kubernetes,...Yevgeniy Brikman
 
Metasploit For Beginners
Metasploit For BeginnersMetasploit For Beginners
Metasploit For BeginnersRamnath Shenoy
 

Tendances (20)

Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testing
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 
Introduction to Metasploit
Introduction to MetasploitIntroduction to Metasploit
Introduction to Metasploit
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and Guidelines
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & Metasploit
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
 
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Metasploit framework in Network Security
Metasploit framework in Network SecurityMetasploit framework in Network Security
Metasploit framework in Network Security
 
How to test infrastructure code: automated testing for Terraform, Kubernetes,...
How to test infrastructure code: automated testing for Terraform, Kubernetes,...How to test infrastructure code: automated testing for Terraform, Kubernetes,...
How to test infrastructure code: automated testing for Terraform, Kubernetes,...
 
Metasploit For Beginners
Metasploit For BeginnersMetasploit For Beginners
Metasploit For Beginners
 

En vedette

Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basicsOWASPKerala
 
My Null Android Penetration Session
My Null Android Penetration Session My Null Android Penetration Session
My Null Android Penetration Session Avinash Sinha
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security WorkshopOWASP
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android SecurityMarakana Inc.
 
Presentation on Android operating system
Presentation on Android operating systemPresentation on Android operating system
Presentation on Android operating systemSalma Begum
 
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Sina Manavi
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft
 
Information Security and Privacy
Information Security and PrivacyInformation Security and Privacy
Information Security and PrivacyAnika Tasnim Hafiz
 
Art of Thinking [Re-write]
Art of Thinking [Re-write]Art of Thinking [Re-write]
Art of Thinking [Re-write]Ammar WK
 
Axoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing ServicesAxoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing ServicesBulent Buyukkahraman
 
Firebase analytics for_android _ i_os
Firebase analytics for_android _ i_osFirebase analytics for_android _ i_os
Firebase analytics for_android _ i_osbaroqueworksdev
 
Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва it-people
 
Data Storage In Android
Data Storage In Android Data Storage In Android
Data Storage In Android Aakash Ugale
 

En vedette (20)

Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basics
 
My Null Android Penetration Session
My Null Android Penetration Session My Null Android Penetration Session
My Null Android Penetration Session
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
 
Android security
Android securityAndroid security
Android security
 
Android ppt
Android ppt Android ppt
Android ppt
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
 
Android ppt
Android pptAndroid ppt
Android ppt
 
Presentation on Android operating system
Presentation on Android operating systemPresentation on Android operating system
Presentation on Android operating system
 
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security Threats
 
Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applications
 
Information Security and Privacy
Information Security and PrivacyInformation Security and Privacy
Information Security and Privacy
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
 
Art of Thinking [Re-write]
Art of Thinking [Re-write]Art of Thinking [Re-write]
Art of Thinking [Re-write]
 
Axoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing ServicesAxoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing Services
 
Firebase analytics for_android _ i_os
Firebase analytics for_android _ i_osFirebase analytics for_android _ i_os
Firebase analytics for_android _ i_os
 
Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва
 
Data Storage In Android
Data Storage In Android Data Storage In Android
Data Storage In Android
 

Similaire à Android Security & Penetration Testing

Engineering culture
Engineering cultureEngineering culture
Engineering culturePamela Fox
 
How to find_vulnerability_in_software
How to find_vulnerability_in_softwareHow to find_vulnerability_in_software
How to find_vulnerability_in_softwaresanghwan ahn
 
Matt training-html-halfday
Matt training-html-halfdayMatt training-html-halfday
Matt training-html-halfdayMatthew Dobson
 
(130720) #fitalk trends in d forensics
(130720) #fitalk trends in d forensics(130720) #fitalk trends in d forensics
(130720) #fitalk trends in d forensicsINSIGHT FORENSIC
 
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHackAn inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHackSoya Aoyama
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 AndroidTony Thomas
 
Tools/Processes for serious android app development
Tools/Processes for serious android app developmentTools/Processes for serious android app development
Tools/Processes for serious android app developmentGaurav Lochan
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensicssecurityxploded
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingRomansh Yadav
 
Continuous Delivery at Netflix
Continuous Delivery at NetflixContinuous Delivery at Netflix
Continuous Delivery at NetflixRob Spieldenner
 
[Ultracode Munich #4] Short introduction to the new Android build system incl...
[Ultracode Munich #4] Short introduction to the new Android build system incl...[Ultracode Munich #4] Short introduction to the new Android build system incl...
[Ultracode Munich #4] Short introduction to the new Android build system incl...BeMyApp
 
Windows 10 URI persistence technique
Windows 10 URI persistence techniqueWindows 10 URI persistence technique
Windows 10 URI persistence techniqueGiulio Comi
 
Mobile application security
Mobile application securityMobile application security
Mobile application securityShubhneet Goel
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareAchim D. Brucker
 
Docker app armor_usecase
Docker app armor_usecaseDocker app armor_usecase
Docker app armor_usecaseKazuki Omo
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Chetan Khatri
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentationSandeep Joshi
 

Similaire à Android Security & Penetration Testing (20)

Engineering culture
Engineering cultureEngineering culture
Engineering culture
 
How to find_vulnerability_in_software
How to find_vulnerability_in_softwareHow to find_vulnerability_in_software
How to find_vulnerability_in_software
 
Matt training-html-halfday
Matt training-html-halfdayMatt training-html-halfday
Matt training-html-halfday
 
(130720) #fitalk trends in d forensics
(130720) #fitalk trends in d forensics(130720) #fitalk trends in d forensics
(130720) #fitalk trends in d forensics
 
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHackAn inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
 
Tools/Processes for serious android app development
Tools/Processes for serious android app developmentTools/Processes for serious android app development
Tools/Processes for serious android app development
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
 
Continuous Delivery at Netflix
Continuous Delivery at NetflixContinuous Delivery at Netflix
Continuous Delivery at Netflix
 
Android TCJUG
Android TCJUGAndroid TCJUG
Android TCJUG
 
[Ultracode Munich #4] Short introduction to the new Android build system incl...
[Ultracode Munich #4] Short introduction to the new Android build system incl...[Ultracode Munich #4] Short introduction to the new Android build system incl...
[Ultracode Munich #4] Short introduction to the new Android build system incl...
 
Windows 10 URI persistence technique
Windows 10 URI persistence techniqueWindows 10 URI persistence technique
Windows 10 URI persistence technique
 
Mobile application security
Mobile application securityMobile application security
Mobile application security
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A Nightmare
 
Docker app armor_usecase
Docker app armor_usecaseDocker app armor_usecase
Docker app armor_usecase
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
 
A false digital alibi on mac os x
A false digital alibi on mac os xA false digital alibi on mac os x
A false digital alibi on mac os x
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentation
 

Plus de Subho Halder

Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecuritySubho Halder
 
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016Subho Halder
 
Securing Mobile Apps - Appfest Version
Securing Mobile Apps - Appfest VersionSecuring Mobile Apps - Appfest Version
Securing Mobile Apps - Appfest VersionSubho Halder
 
Security, Privacy & Convenience – key drivers for mobile adoption from a cons...
Security, Privacy & Convenience – key drivers for mobile adoption from a cons...Security, Privacy & Convenience – key drivers for mobile adoption from a cons...
Security, Privacy & Convenience – key drivers for mobile adoption from a cons...Subho Halder
 
Android App (Vulner)ability - Teaser
Android App (Vulner)ability - TeaserAndroid App (Vulner)ability - Teaser
Android App (Vulner)ability - TeaserSubho Halder
 
iOS (Vulner)ability
iOS (Vulner)abilityiOS (Vulner)ability
iOS (Vulner)abilitySubho Halder
 

Plus de Subho Halder (6)

Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application Security
 
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
 
Securing Mobile Apps - Appfest Version
Securing Mobile Apps - Appfest VersionSecuring Mobile Apps - Appfest Version
Securing Mobile Apps - Appfest Version
 
Security, Privacy & Convenience – key drivers for mobile adoption from a cons...
Security, Privacy & Convenience – key drivers for mobile adoption from a cons...Security, Privacy & Convenience – key drivers for mobile adoption from a cons...
Security, Privacy & Convenience – key drivers for mobile adoption from a cons...
 
Android App (Vulner)ability - Teaser
Android App (Vulner)ability - TeaserAndroid App (Vulner)ability - Teaser
Android App (Vulner)ability - Teaser
 
iOS (Vulner)ability
iOS (Vulner)abilityiOS (Vulner)ability
iOS (Vulner)ability
 

Dernier

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 

Dernier (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 

Android Security & Penetration Testing

  • 1. ANDROID SECURITY & PENETRATION TESTING Subho Halder @sunnyrockzzs #AFE Monday, 23 September 13
  • 2. ./AboutMe.sh Information Security Researcher Trainer at BlackHat, OWASP AppSec, ToorCon, SysCan. Lead Developer of AFE (Android Framework for Exploitation) Python Lovers Co-founder of XYSEC (http://xysec.com) Have found bug in some famous websites including Google, Apple, Microsoft, Skype, Adobe and many more Monday, 23 September 13
  • 3. Some Companies I have found Vulnerabilities in ..... And many more... Monday, 23 September 13
  • 4. ./Agenda Quick Introduction to Android Internals Android Security Model Android Coding Best Practices Android Malware, Technique, Effectiveness using AFE (Android Framework for Exploitation) Small Social Experiment ! Monday, 23 September 13
  • 5. Android Internals.exe Based on Linux kernel version 3.x (version 2.6 prior to Android 4.0 ICS) Application runs through Dalvik VM (Dalvik Virtual Machine) Dalvik VM runs executable files like dex (Dalvik executable) or apk files apk files are zipped content of Resources, Signatures, classes.dex and AndroidManifest.xml file Monday, 23 September 13
  • 6. Android Security Model.txt Application are sandboxed (Runs with different UID and GID) Zygote spawns a new process for each Application Each Application runs with a separate instance of Dalvik VM Special Permissions are provided to access Hardware API’s Permissions are mentioned in AndroidManifest.xml file. Monday, 23 September 13
  • 7. Android Application.apk Just an Archive ! Written mainly in Java and XML Multiple Entry-points, such as Activity, Services, Intents, Content Providers, etc. Monday, 23 September 13
  • 9. CAN THESE PERMISSION BE BYPASSED? Monday, 23 September 13
  • 10. Uploading a sensitive file from SD-Card to Remote Server without any Permission! Read Files from SD-Card Uploads File to Remote Server Upload a file through Browser Permission not Required for READING files from SD Card Opening Browser through INTENT doesn’t requires Permission Intent(Intent.ACTION_VIEW, Uri.parse("http://google.com/")); Save theValue in the GET parameter to a file in Server Monday, 23 September 13
  • 11. QUICK-DEMO ( SHOULD I ) ? Monday, 23 September 13
  • 12. Android Coding Best Practices Follow -> http://developer.android.com/guide/practices/index.html Top 10 Mobile Risks (Outdated) -> https://www.owasp.org/index.php/ Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Attend more GDG Talks and other Security Conferences Shoot me a tweet @sunnyrockzzs Monday, 23 September 13
  • 13. AndroidManifest.xml OMG ! Activities, Services, Receivers should not be exported or else you can bypass those activities ! Monday, 23 September 13
  • 14. AndroidManifest.xml OMG ! (Contd.) android:exported= “True” in <provider> will turn into a nightmare ! BTW by default it is “True” if either android:minSdkVersion or android:targetSdkVersion to “16” or lower. For applications that set either of these attributes to “17” or higher, the default is “false”. Monday, 23 September 13
  • 15. AndroidManifest.xml OMG ! (Contd.)AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.)AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.)Monday, 23 September 13
  • 17. Android Malware (Common Features) Send SMS to premium Number Subscribe to premium Services Dial Premium number Steal messages, contact list, logs Steal SD-Card files Auto-respond to attackers’s text messages ! Monday, 23 September 13
  • 18. Creating a Malware.vbs Use CONTENT PROVIDERS Make use of CURSORS & SQLITE databases Write JAVA codes like crazy Set up Server component Get frustrated, start from bullet-point one. Monday, 23 September 13
  • 19. If you don’t have past relationship with JAVA Monday, 23 September 13
  • 20. Android Framework for Exploitation Monday, 23 September 13
  • 21. Let’s Create a Malware ! Monday, 23 September 13
  • 22. What about GOOGLE? Presenting GOOGLE Bouncer ! Monday, 23 September 13
  • 23. “I am not Afraid” - Eminem Monday, 23 September 13
  • 24. Faking Legitimate Application? Malware services generally injected in legitimate applications How to do it? legitimate apk Smali/Java Add malicious services/classes RecompileFinal malware Monday, 23 September 13
  • 25. USE AFE TO AUTOMATE !! Monday, 23 September 13
  • 26. Android Framework for Exploitation.py To make your life easier ! Find security vulnerabilities in your device+apps Protect your device against malwares Create automated malwares/botnets + send the data to a python listener Inject malicious services in another applications Use Android Exploits Crypt existing malwares to make them FUD Monday, 23 September 13
  • 27. AFE Perspective.c Offensive Defensive Malware Creation BotNet Automation Crypting Injecting Content Query App Assesment Fuzzing Kernel Assesment Monday, 23 September 13
  • 29. Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Monday, 23 September 13
  • 30. Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Rebuild + Zipalign Monday, 23 September 13
  • 31. Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Modifies the classnames and all its references within files Example: Converts com.example.org to com.omg.lol Monday, 23 September 13
  • 32. Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Split variables into two, and append at runtime Example: String a = “hello” Will now become String aa = “hel” String ab = “lo” String a = aa + ab Monday, 23 September 13
  • 33. Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Add dummy loops to change CFG Example: goto end; start: //everything in this label will execute, only when it is called ........ end: //everything in this label will execute, only when it is called goto start; Monday, 23 September 13
  • 34. Statistics? ? ? ? ? ? ?.xls Earlier Detection: 30/46 Monday, 23 September 13
  • 35. Statistics? ? ? ? ? ? ?.xls Detection after Crypting: 4/46 Monday, 23 September 13
  • 36. OOPS CRYPTING MODULE IS NOT PUBLIC :) Monday, 23 September 13
  • 37. ./Conclusion -h Be safe Don’t download apps from 3rd party markets Turn USB debugging OFF Anti-virus vendors -> Switch to dynamic analysis Focus on BYOD security We also conduct trainings on Advanced Mobile Hands-on Security/Exploitation for both Android and iOS Monday, 23 September 13
  • 38. HEY WAIT!! WHERE IS THE SOCIAL EXPERIMENT ? Monday, 23 September 13
  • 40. STILL CURIOUS ?? MEET ME NOW !!! Monday, 23 September 13