Android Security
By Ravi Rai

Google Android
• Linux + Java + Google's magic = Android
• Open distribution model: Android Market, Amazon Appstore, Verizon V CAST
• Application capabilities are granted by permission
• User setting to enable/disable installation from untrusted sources
• Rooting
Key Terms
• DVM: every application runs inside a virtual environment called the Dalvik Virtual Machine
• The DVM executes files in the .dex format
• You can use the adb utility that ships with the SDK itself

Basic Commands
# adb devices   (lists all connected devices)
# adb shell     (shell interaction with the device)
# ps            (lists all processes, run inside the adb shell)
File System
• Binaries (commands): /system/bin, /system/xbin
• Application data: /data/app
• Apps that need to be bought (paid apps): /data/app-private
• / : root of the file system
Android Package (.apk)
• Default extension of an Android application
• It is an archive file that contains all the necessary files and folders
• Files and folders can be extracted with 7-Zip or WinRAR
APK File Structure
APK
• classes.dex
• AndroidManifest.xml
• resources.arsc
• res/
• assets/
• lib/
• META-INF/
Screen Lock / Pattern Lock Cracking
Location of the pattern lock and screen lock files: /data/system
# cd /data/system
# ls
gesture.key  password.key
# rm gesture.key
(Note: the phone must be rooted)
Auditing Android Applications

Content Provider Leakage
• Content provider: applications use content providers to store and expose data within the application
• Unless a restriction is in place, any application can access a content provider (subject to whatever permission the provider declares) through its defined interface
• Every content provider has a unique resource identifier (URI) that identifies what a query targets
Content Provider Leakage (cont.)
• All content providers must be registered in AndroidManifest.xml
• Use apktool to decode the AndroidManifest.xml file
Testing for Content Provider Leakage
Step 1: # apktool d appname.apk
        (decodes the APK and writes out all files of the Android application)
Step 2: # grep -R 'content://' AndroidManifest.xml
        (search the decoded manifest for content provider keywords)
Step 3: # adb install vulnerable-app.apk
        # adb shell content query --uri <content URI>
        (install the application in an emulator in order to query the provider and confirm the vulnerability)
drozer for automated testing of content provider leakage
# drozer console connect
dz> run app.provider.finduri <package>   (searches the Android manifest for content providers)
Countermeasure
Configure the provider in AndroidManifest.xml with:
android:exported="false"
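As an added example (not from these slides) of checking the android:exported countermeasure across a whole decoded manifest rather than one provider at a time, the Python below audits a constructed apktool-style AndroidManifest.xml for providers that other apps can reach, applying the platform's pre-API-17 default of exported=true when the attribute is absent; the package, authority and permission names are made up.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample (made-up package and authorities), shaped like the
# decoded AndroidManifest.xml that `apktool d` writes out.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-sdk android:minSdkVersion="9" android:targetSdkVersion="16"/>
  <application>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.demo.notes"/>
    <provider android:name=".SecretsProvider"
              android:authorities="com.example.demo.secrets"
              android:exported="true"
              android:readPermission="com.example.demo.READ_SECRETS"/>
    <provider android:name=".CacheProvider"
              android:authorities="com.example.demo.cache"
              android:exported="false"/>
  </application>
</manifest>"""

def _attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def audit_providers(manifest_xml):
    """Return (authority, reason) for every provider other apps can reach.
    Reachable: android:exported="true", or the attribute is absent and
    targetSdkVersion < 17 (the platform default before API 17). Guarded
    providers are still listed so the permission's protectionLevel gets reviewed."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    # targetSdkVersion falls back to minSdkVersion, then to 1, as the platform does
    target = int(_attr(sdk, "targetSdkVersion") or _attr(sdk, "minSdkVersion") or 1) if sdk is not None else 1
    findings = []
    for prov in root.iter("provider"):
        exported = _attr(prov, "exported")
        if exported is None:  # no explicit value: the platform default applies
            reachable = target < 17
            why = "exported by default (targetSdkVersion %d < 17)" % target
        else:
            reachable = exported.lower() == "true"
            why = 'android:exported="true"'
        if reachable:
            guarded = any(_attr(prov, a) for a in ("permission", "readPermission", "writePermission"))
            why += "; permission-protected" if guarded else "; no permission"
            findings.append((_attr(prov, "authorities"), why))
    return findings
```

Run it against the manifest apktool decoded in Step 1; providers reported with "no permission" are the ones to confirm with `adb shell content query` or drozer.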
Insecure File Storage
• Missing or incorrect file permissions lead to this issue
• Many applications store very sensitive information in application files
• Game scores and credit points are generally stored in local storage
• Loosely configured permissions can allow other applications to read the data
Steps
# adb shell
# cd /data/data
# ls -l   (shows all file permissions)
# ls -l /data/data/com.ravi.example/files/userinfo.xml
# grep 'password' /data/data/com.ravi.example/files/userinfo.xml
Countermeasure
Set proper file permissions, and properly hash and salt stored values
Path Traversal Vulnerability
A directory traversal (or path traversal) consists in exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs.
Tools
Tool: drozer
dz> run app.provider.finduri <package>
dz> run app.provider.read content://<authority>/<path>
Check the Android file system for possible traversal into the base system
Client Side Injection
• Apps using browser libraries
• Pure web apps
• Hybrid web/native apps
• Some familiar faces
  • XSS and HTML injection
  • SQL injection
• New and exciting twists
  • Abusing the phone dialer and SMS
  • Abusing in-app payments
Impact
• Device compromise
• Toll fraud
• Privilege escalation
M4: Client Side Injection
Garden-variety XSS... with access to:

Testing Injection
dz> run app.provider.query <URI> --projection "* from sqlite_master where type='table'; --"
Thank you
Questions?