Reverse Engineering the Android OS
About Me
• Ex Military “31 Mic” Microwave Communications - 34th Signal Battalion
• Lab Developer for Jones and Bartlett Publishing
• CEI – CEH V8
• Martial Art Nutcase
• Co-creator of Cyber Kung Fu
Reverse Engineering
• Understand how applications work
• Analyze them
• Find vulnerabilities
• Uncover hard coded information
Why do I want to Hack Mobile Devices
• Natural Curiosity
• MacGyver Fan
• CEH V8 mobile sucked
• Humongous Installed Base
• Self Defense
Lots of important information
• Contacts
• Messages
• Photos
• Email
• GPS co-ordinates
• Personal notes
• Stored accounts
• Web traffic
• Application configs and credentials
Double Edged Sword
• User moves between work and personal environments
• Carries Corporate Data
• Device can be compromised in less secure areas
• Compromised device is then connected to work environment
Theft and Loss
• Weak protective mechanisms
• Compounded by users turning off security features
• Rooted devices
More Problems
• Increasing everyday use
• Users not educated
• Mix of personal and business use
• Always connected to internet
Physical Security
• Phone is easily accessed
• SD Card
• Charging/I/O port access – Rubber Ducky (keystroke-injecting USB device)
• Shoulder Surfing
• Smudge attack
Web Issues
• Small screen hides full URL
• XSS
• CSRF
• Phishing
Rogue Applications
• Malware
• Virus
• Trojans
• Spyware
History
• Cabir – 2004
• Skulls – 2004
• PBStealer
• CommWarrior
• CardTrap
• All Symbian-based, but mobile malware eventually spread to Windows CE and Java (J2ME)
Android and iOS
• Ikee – 2009/2010 – iPhone worm targeting jailbroken devices with the default SSH password
• AndroidOS.FakePlayer – premium-rate SMS
• Geinimi Trojan
• SMS Replicator
• DroidDream
• GingerMaster
• DroidKungFu
Older Devices
• Out of date software
• Vulnerable to old exploits that were fixed only in newer releases
• Patching – no incentive for older hardware
• Carrier indifference
Architecture
Kernel
• First layer to interact with the hardware
C/C++ Libraries
• Exposed to developers via the Java API
• A translation layer between the kernel and the application framework
• Provide common services for apps
Core Libraries
• SSL
• SQLite
• Surface Manager
• WebKit
• Font, media, display libraries
Runtime
• DVM – Dalvik Virtual Machine
• Efficient and Secure mobile environment
Secure
• Each app runs in its own instance
• Unique ID and VM
• Separate memory and files
Application Framework
• Compiled Java code running in the DVM
• Provides services to multiple apps
• Layer that 3rd party developers interact with
• Abstract access to key resources
Application Layer
• Contacts
• Phone
• Calendar
• Browser
• Maps
• Pictures
Privilege Separation & Sandboxing
• Based on Linux security model
• Each user is assigned a unique ID (UID)
• Each user can be assigned to Groups
• Each Group has an unique ID (GID)
Resource Permissions
• Owner
• Group
• Rest of world (everyone)
Sandboxing
• Two or more applications can communicate
• Provided they grant permissions
• Implemented in the kernel
• Extends to all software above the kernel layer
App Separation
• Kernel assigns unique UID
• Runs as that user in separate process
• Different from a traditional multi-user OS: one UID per app rather than per human user
File Separation
• New apps get new UIDs
• Does not extend to the vfat SD card (see SD Cards below)
• All associated databases and files are owned by that UID
File Permissions
Separate File Permission Groups
• Note – only the app's own UID and the root UID have full privileges on these resources unless the developer exposes files to other apps (e.g. creates them world-readable).
SD Cards
• Everyone (the whole world) has access to the storage
• Currently a vfat filesystem
• Doesn't support granular (per-UID) permissions
• Note – good place to look for privilege escalation (world-writable files consumed by a more privileged app)
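To make the file-permission slides concrete, here is an added example (not from the original deck) that parses the toolbox-style `ls -l` output you get from `adb shell` and reports entries whose "rest of world" bits are set. That is the quick check for cross-app data exposure and for the world-writable files that the SD Card note warns about. The listing and the package name com.example.app are constructed.

```python
"""Spot files other apps can read or write from an adb 'ls -l' listing.

Added example (not from the deck): parses toolbox-style 'ls -l' output and
reports entries whose 'rest of world' bits are set. Listing is constructed.
"""
import re

# Constructed listing of /data/data/com.example.app (hypothetical package).
SAMPLE_LISTING = """\
drwxr-x--x app_42   app_42            2013-04-15 10:22 .
drwxrwx--x system   system            2013-04-15 10:22 databases
-rw-rw---- app_42   app_42     16384 2013-04-15 10:22 databases/accounts.db
-rw-rw-rw- app_42   app_42      1212 2013-04-15 10:23 shared_prefs/login.xml
-rwxrwxrwx app_42   app_42     40960 2013-04-15 10:23 lib/libhelper.so
-rw-r--r-- app_42   app_42       128 2013-04-15 10:24 cache/session.txt
"""

# mode, owner, group, optional size (directories have none), date, time, name
LINE = re.compile(
    r"^([-dlcbps][rwxstST-]{9})\s+(\S+)\s+(\S+)\s+(?:\d+\s+)?\S+\s+\S+\s+(.+)$"
)

def parse_listing(text):
    """Return (mode, owner, group, name) for each entry in the listing."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            out.append(m.groups())
    return out

def world_bits(mode):
    """Return the set of r/w/x granted to everyone (last three mode chars)."""
    return {c for c in mode[7:10] if c in "rwx"}

def exposed_entries(text):
    """Files outside the owner UID's control: world-writable beats world-readable."""
    findings = []
    for mode, owner, group, name in parse_listing(text):
        # Directories are skipped; note the 'x' on the app dir is what lets
        # another UID traverse into it and reach these files at all.
        if name in (".", "..") or mode.startswith("d"):
            continue
        bits = world_bits(mode)
        if "w" in bits:
            findings.append((name, "world-writable"))
        elif "r" in bits:
            findings.append((name, "world-readable"))
    return findings

if __name__ == "__main__":
    for name, why in exposed_entries(SAMPLE_LISTING):
        print(f"[!] {why}: {name}")
```

Run it against a listing captured with `adb shell ls -l /data/data/<package>` (saved to a file) instead of the constructed sample; a world-writable `.so` or shared_prefs file owned by an app that runs with more privilege than you is exactly the kind of foothold the slide refers to.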
Data Storage on the Device
• Databases
• SharedPreferences
SharedPreferences
• Allows an app to store and retrieve persistent key/value pairs
• Persist across device sessions
• Accessed using the SharedPreferences object
• Stored as XML
• /data/data/<package>/shared_prefs/<name>.xml
• Example
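As an added example (not from the original deck), the script below parses the XML format that SharedPreferences writes and flags keys that look like credentials, which is the first thing to do after pulling a shared_prefs file off a device. The sample XML is constructed and does not come from any real app.

```python
"""Scan a pulled shared_prefs XML file for plaintext secrets.

Added example (not from the deck): parses the <map> XML that Android's
SharedPreferences writes and flags credential-looking keys.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of /data/data/<package>/shared_prefs/<name>.xml (no real app).
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <boolean name="remember_me" value="true" />
    <int name="login_attempts" value="3" />
    <string name="api_token">tok_0123456789abcdef</string>
</map>
"""

# Key names that usually mean a credential is sitting in plaintext.
SENSITIVE = re.compile(r"pass|pwd|secret|token|key|cred|auth", re.I)

def parse_shared_prefs(xml_text):
    """Return {name: (type, value)} for every entry in a shared_prefs XML."""
    root = ET.fromstring(xml_text)
    prefs = {}
    for child in root:
        name = child.get("name")
        # <string> keeps its value as element text; other types use a value attribute
        value = child.text if child.tag == "string" else child.get("value")
        prefs[name] = (child.tag, value)
    return prefs

def find_secrets(prefs):
    """Return the key names whose name suggests a stored credential."""
    return sorted(k for k in prefs if SENSITIVE.search(k))

if __name__ == "__main__":
    prefs = parse_shared_prefs(SAMPLE_PREFS)
    for k in find_secrets(prefs):
        print(f"[!] {k} = {prefs[k][1]!r} ({prefs[k][0]})")
```

Point it at a file pulled with `adb pull /data/data/<package>/shared_prefs/<name>.xml`; anything it flags is readable by anyone with the app's UID, root, or (if the file was created world-readable) every other app.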
SQLite3
• Full Support
• Accessed under the UID of the owning app
• /data/data/<package>/databases
Application Signing
• Ensures integrity and authenticity
• APK must be signed
• Inhibits tampering
• Ties the APK to a developer key, so you know where it came from (not confidentiality)
• Apps signed with the same key can share UID, process, memory, data storage and sandbox
Signing Quirks
• Apps can be disassembled and changed
• Can be re-signed with the same certificate only if you have the key; otherwise you re-sign with your own
• Multiple apps can use the same certificate
• In-app signature checks can be patched to accept the new certificate
• Debug certificate (the SDK's debug.keystore) is well known
App access to resources
• Developer limits access to required resources
• Helps to inhibit rogue apps from taking over
• Text, GPS, MMS, camera, microphone, contacts
API Permissions
• AndroidManifest.xml
• Read and enforced by the system at install time
• Declares what the app is allowed to do
• Each app must have an AndroidManifest.xml
Permission Model
• System displays the requested permissions at install time
• Helps the user decide whether to trust the app
• Protection levels: Normal – Dangerous – Signature – Signature or System
Components
• Activity
• Content Providers
• Broadcast Receivers
• Services
Activity
• Provides a screen and allows a user to interact with it.
• A window where the user interface is defined
Content Providers
• Allow efficient data sharing between processes & applications
• Allow applications to access the stored data of other applications
• Expose data in a relational, table-like form
• Each row is an instance, each column a typed field
Examples of Content Providers
• Calendar provider
• Contacts provider
Broadcast Receiver
• Listens for broadcast Intents (asynchronous events)
• Apps can register for events and get notified when it happens
Services
• Background processes
• Run even when app is not visible
• Provide computations
• Example is GPS
SecurityException
• Without the proper permission, a call into a component raises a SecurityException
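The permission model, the four component types and the SecurityException rule above all come together in the manifest. As an added example (not from the deck), the script below takes the plain-text AndroidManifest.xml that apktool decodes, lists the permissions the app requests, and flags components that other apps can reach by Intent without holding any permission: those are the entry points where a SecurityException will *not* stop you. The manifest and the package name com.example.bank are constructed.

```python
"""Audit a decoded AndroidManifest.xml for permissions and open components.

Added example (not from the deck). Assumes the plain XML apktool produces.
Exported rule mirrors the platform: explicit android:exported wins, otherwise
an intent-filter makes the component exported (the pre-API 31 default).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def a(name):
    """Qualified attribute name in the android: namespace."""
    return f"{{{ANDROID_NS}}}{name}"

# Constructed decoded manifest for a hypothetical app (not a real package).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:debuggable="true">
        <activity android:name=".LoginActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".TransferActivity" android:exported="true"/>
        <activity android:name=".AdminActivity" android:exported="true"
                  android:permission="com.example.bank.ADMIN"/>
        <service android:name=".SyncService"/>
        <receiver android:name=".SmsReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <provider android:name=".AccountProvider"
                  android:authorities="com.example.bank.accounts"
                  android:exported="true"/>
    </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

def requested_permissions(root):
    return [p.get(a("name")) for p in root.iter("uses-permission")]

def is_exported(elem):
    exported = elem.get(a("exported"))
    if exported is not None:
        return exported == "true"
    return elem.find("intent-filter") is not None

def open_components(root):
    """Components reachable from other apps with no android:permission guarding them."""
    found = []
    for elem in root.find("application"):
        if (elem.tag in COMPONENT_TAGS and is_exported(elem)
                and elem.get(a("permission")) is None):
            found.append((elem.tag, elem.get(a("name"))))
    return found

def is_debuggable(root):
    return root.find("application").get(a("debuggable")) == "true"

def audit(xml_text):
    root = ET.fromstring(xml_text)
    return {
        "permissions": requested_permissions(root),
        "open_components": open_components(root),
        "debuggable": is_debuggable(root),
    }

if __name__ == "__main__":
    result = audit(SAMPLE_MANIFEST)
    print("permissions:", result["permissions"])
    print("debuggable:", result["debuggable"])
    for tag, name in result["open_components"]:
        print(f"[!] open {tag}: {name}")
```

The launcher Activity is expected to be open; an exported TransferActivity or an exported ContentProvider with no permission is what you start poking at with `am start` / `content query` from an adb shell, and `android:debuggable="true"` means DDMS can attach a debugger to the running process.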
Intents
• Mechanism for asynchronous IPC (Inter-Process Communication)
• Allow an app to send or broadcast messages to specific components
• Control tasks and transport data
• Components like Activities, Broadcast Receivers & Services are activated via Intents
• Can carry a large amount of information
• Parsed by the OS & used by the receiver to take action
• Contain the category and instruction needed to launch an Activity
• Intent fields: Action – Data – Type – Category
Google Bouncer
• Automatically scans Android Market (now Google Play) looking for malicious apps
• Checks new applications
• Apps already in the store
• Developer accounts
• No restrictions on the upload process itself
• Can be bypassed
Rooting
• Gain Root permissions
• Allow access and editing of Carrier and Manufacturer apps
• Install Custom Software (ROMs)
• Install different Android Version
• Wi Fi tethering
• Overclocking
• Removing Fluff-ware
Some Rooting Techniques
• Depends on the device
• OneClickRoot
• SuperOneClick
• z4Root
• GingerBreak
• UnlockRoot
The SDK
• Windows and Linux
• SDk & Eclipse
• Virtual Devices (emulators)
• Allows interaction with virtual and real devices
– Browse files
– Create, install, extract apps
– Get shells
– SSH & VNC
SDK continued
• Eclipse
• ADT – Android Developer Tools
– Signing
– Debugging
– Important for developer & tester
– Use Android SDK Tools
• IDE – integrated Development Environment
Package Explorer
Middle pane
• Source code
• Activity’s UI
Right Pane (Outline)
• Methods
• Functions
• Arguments
• Variables
• Properties
Perspectives
• Java – DDMS (Dalvik Debug Monitor Server) – Debug
AVD Manager
• Allows emulation of devices
• Custom hardware
• Custom software
• Runs from SDK executables
Android Virtual Device
Device definition
• Create
• Clone – Edit – Delete
• New custom devices
What we can do with a Virtual Device
• Send and receive texts between devices
• Make calls
• Interact with the touch screen if you have one on your host
• Browse files
• Inspect threads (via DDMS)
Commands Available
• The emulator can be driven from the command line with adb
• adb devices – lists attached emulators and devices
• adb connect <host>:<port> – attach to a device over the network
• Note – the number in an emulator name (e.g. emulator-5554) is the console port it uses
• USB devices are identified by serial number instead
• Shell interaction with a specific device is via the -s option, e.g. adb -s emulator-5554 shell
Shell commands
• allows browsing
• read and write files & folders
• change permissions
• get network statistics
Basic Linux commands
• ls
• ps
• netstat
• top
More Commands
• List all the packages
• pm list packages -f
sqlite3
• Access databases (*.db)
• Run query statements
• Example – browse the telephony provider's databases in /data/data/com.android.providers.telephony/databases
Browse SMS Folder
Database containing SMSs
sqlite3 mmssms.db
sqlite> .tables
sqlite> select * from sms;
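As an added example (not from the deck), the script below builds an in-memory stand-in for the telephony provider's SMS database with the real column names of the sms table (address, date, type, body), then runs the same queries a tester types into the sqlite3 shell, plus the one an attacker with file access would run first: pull every message carrying a verification code. The rows are constructed.

```python
"""Query an SMS database the way sqlite3 on the device would.

Added example (not from the deck). Subset of the real sms table schema;
type 1 = received (inbox), 2 = sent. Sample rows are constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE sms (
    _id INTEGER PRIMARY KEY,
    address TEXT,
    date INTEGER,
    type INTEGER,
    body TEXT
);
"""

# Constructed sample rows (not from any real device).
SAMPLE_ROWS = [
    ("+15551230001", 1366000000000, 1, "Your verification code is 482913"),
    ("+15551230002", 1366000100000, 2, "meet at 6?"),
    ("+15551230001", 1366000200000, 1, "Reset password link: http://example.invalid/r/abc"),
]

def open_sample_db():
    """Stand-in for 'sqlite3 mmssms.db': an in-memory database with the same table."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany(
        "INSERT INTO sms(address, date, type, body) VALUES (?, ?, ?, ?)", SAMPLE_ROWS
    )
    con.commit()
    return con

def list_tables(con):
    """Equivalent of the .tables shell command."""
    rows = con.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r[0] for r in rows]

def inbox_messages(con):
    """'select * from sms' narrowed to received messages, oldest first."""
    return con.execute(
        "SELECT address, body FROM sms WHERE type = 1 ORDER BY date"
    ).fetchall()

def find_codes(con):
    """Bodies containing a 6-digit code: one-time passwords delivered over SMS."""
    return con.execute(
        "SELECT body FROM sms WHERE body GLOB '*[0-9][0-9][0-9][0-9][0-9][0-9]*'"
    ).fetchall()

if __name__ == "__main__":
    con = open_sample_db()
    print(".tables ->", list_tables(con))
    for address, body in inbox_messages(con):
        print(f"{address}: {body}")
    print("codes:", find_codes(con))
```

Against a real file, replace `":memory:"` with the path of an `mmssms.db` pulled from the device; the queries are unchanged, which is the point: once the sandbox is bypassed (root, backup, world-readable file), the data needs no further decoding.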
adb pull – adb push
• adb pull <device_path> <local_path>
• adb push <local_path> <device_path>
Pull Example – Browser Files
Push Example
Changed “enable_javascript” to true
Device Settings Changed
sqlite3.exe in sdk/tools
SQLite stores credentials
Because the web browser had the “Remember Password” option enabled, the saved credentials can be read from the “webview.db” file
DDMS View – Dalvik Debug Monitor Server
Browse all Devices and Contents by using the “File Explorer” Tab
More Powerful Shell
SSH Client
SSH Server
Putty as Client
putty shell via ssh over wifi
Droid VNC
Analysis Types
APK = ZIP
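Because an APK is a ZIP, the integrity check described under Application Signing can be worked through with nothing but the standard library. As an added example (not from the deck), the script below builds a tiny stand-in APK in memory, writes META-INF/MANIFEST.MF the way jarsigner does (one SHA1-Digest per entry), verifies it, then rewrites classes.dex without updating the manifest, which is what a naive repack does and why a modified app must be re-signed. Only the digest layer is checked; the CERT.SF/CERT.RSA signature over the manifest is not, so use apksigner for a real verification. All file contents are constructed.

```python
"""Treat an APK as a ZIP and check the v1 (JAR) manifest digests.

Added example (not from the deck). Covers the per-entry digest layer only;
the PKCS#7 signature in CERT.RSA is out of scope here.
"""
import base64
import hashlib
import io
import zipfile

def b64_sha1(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def build_manifest(entries):
    """MANIFEST.MF text with a SHA1-Digest section for each name -> bytes."""
    lines = ["Manifest-Version: 1.0", "Created-By: example", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {b64_sha1(data)}", ""]
    return "\r\n".join(lines) + "\r\n"

def build_apk(entries):
    """Zip the entries plus a manifest; returns the APK bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", build_manifest(entries))
    return buf.getvalue()

def parse_manifest(text):
    """Map entry name -> recorded SHA1-Digest from MANIFEST.MF."""
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[len("SHA1-Digest: "):]
    return digests

def verify_apk(apk_bytes):
    """Return the entries whose content no longer matches the manifest."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        recorded = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        for info in z.infolist():
            if info.filename.startswith("META-INF/"):
                continue
            if recorded.get(info.filename) != b64_sha1(z.read(info)):
                bad.append(info.filename)
    return bad

def tamper(apk_bytes, name, new_data):
    """Replace one entry and leave META-INF untouched (a naive repack)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            dst.writestr(info.filename, new_data if info.filename == name else src.read(info))
    return out.getvalue()

# Constructed stand-in contents; a real classes.dex is a full DEX file.
SAMPLE_ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "res/layout/activity_main.xml": b"<LinearLayout/>",
}

if __name__ == "__main__":
    apk = build_apk(SAMPLE_ENTRIES)
    print("clean:", verify_apk(apk))
    print("patched:", verify_apk(tamper(apk, "classes.dex", b"dex\n035\x00" + b"A" * 32)))
```

The same `zipfile` calls work on a real APK: list the entries, read AndroidManifest.xml (binary XML until apktool decodes it) and classes.dex, and compare the manifest digests. If you patch smali and rebuild with apktool, the installer rejects the result until META-INF is regenerated by signing it with your own key.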
Decompiling & Disassembling
Elements in apk
Source – AndroidManifest.xml
Dex files – dexdump -d path_to_file.dex
apktool – apktool d name.apk path_to_output_dir
smali / baksmali
• Developed by JesusFreke
• Assembler/ disassembler for dex files
smali Folder
classes.dex vs .smali
Apktool – AndroidManifest.xml
Folders & Uses
src – source
• Packages
• MainActivity.java
assets
• Fonts, audio, images, text files
• Non-Android XML files
Folders & Uses (continued)
bin – same as Linux
libs – same as Linux
res – resources
• drawables – images for layouts
• layout – user interface *
• values – strings.xml – styles.xml – dimens.xml – colors.xml
layout/ Folder
activity_main.xml
<TextView
    android:layout_width="wrap_content"
    android:layout_height="wrap_content"
    android:text="@string/hello_world" />
values/ Folder
strings.xml
<resources>
    <string name="hello_world">Hello world</string>
</resources>
dex2jar
Converts dex into a jar of Java class files, which a Java decompiler can then turn into source
JD-GUI
XDAAutoTool
XDAAutoTool Options
Bypassing Security Controls
Code example
• for – if – else
• password check after 5 iterations
Quick Way
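As an added example (the original slides showed a screenshot, so this is not their code), the smali method below is a constructed stand-in for the kind of check the slide describes: an equals() against a hard-coded password inside an attempt counter that locks out after 5 tries. Two patches are applied in text, exactly as you would edit the apktool output before rebuilding and re-signing: flipping the branch so a wrong password succeeds, and the "quick way" of making the method return true. A tiny interpreter for just the opcodes used lets you confirm what each patch does before touching the device. The class and field names (com.example.app.LoginActivity, attempts) are hypothetical.

```python
"""Patch a smali password check and confirm the effect before rebuilding.

Added example, not from the deck. The smali is a constructed stand-in; the
interpreter models only the handful of Dalvik opcodes it uses.
"""
import re

ORIGINAL = """\
.method private checkPassword(Ljava/lang/String;)Z
    .locals 3
    iget v0, p0, Lcom/example/app/LoginActivity;->attempts:I
    const/4 v1, 0x5
    if-ge v0, v1, :cond_locked
    const-string v2, "s3cret"
    invoke-virtual {v2, p1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v2
    if-eqz v2, :cond_locked
    const/4 v0, 0x1
    return v0
    :cond_locked
    const/4 v0, 0x0
    return v0
.end method
"""

def hardcoded_strings(smali):
    """Uncover hard-coded information: every const-string literal in the method."""
    return re.findall(r'const-string \w+, "([^"]*)"', smali)

def flip_branch(smali):
    """Invert the equality test so a *wrong* password takes the success path."""
    return smali.replace("if-eqz v2, :cond_locked", "if-nez v2, :cond_locked")

def quick_way(smali):
    """Replace the whole body with 'return true' (the slide's quick way)."""
    header = smali.split("\n", 1)[0]
    return f"{header}\n    .locals 1\n    const/4 v0, 0x1\n    return v0\n.end method\n"

def run(smali, password, attempts):
    """Interpret the opcode subset used above; returns the method's boolean result."""
    lines = [l.strip() for l in smali.splitlines()]
    labels = {l[1:]: i for i, l in enumerate(lines) if l.startswith(":")}
    regs, last_result, pc = {"p1": password}, None, 0
    while pc < len(lines):
        op, _, rest = lines[pc].partition(" ")
        args = [x.strip() for x in rest.split(",")]
        pc += 1
        if op == "iget":                 # the only field read is attempts:I
            regs[args[0]] = attempts
        elif op == "const/4":
            regs[args[0]] = int(args[1], 16)
        elif op == "const-string":
            regs[args[0]] = args[1].strip('"')
        elif op == "invoke-virtual":     # only String.equals is modelled
            a, b = re.match(r"\{(\w+), (\w+)\}", rest).groups()
            last_result = int(regs[a] == regs[b])
        elif op == "move-result":
            regs[args[0]] = last_result
        elif op in ("if-eqz", "if-nez"):
            if (regs[args[0]] == 0) == (op == "if-eqz"):
                pc = labels[args[1][1:]]
        elif op == "if-ge":
            if regs[args[0]] >= regs[args[1]]:
                pc = labels[args[2][1:]]
        elif op == "return":
            return bool(regs[args[0]])
        # directives (.method/.locals/.end) and labels fall through
    raise ValueError("method fell off the end")

if __name__ == "__main__":
    print("hard-coded:", hardcoded_strings(ORIGINAL))
    print("original, wrong pw:", run(ORIGINAL, "wrong", 0))
    print("flipped, wrong pw:", run(flip_branch(ORIGINAL), "wrong", 0))
    print("quick way, anything:", run(quick_way(ORIGINAL), "anything", 99))
```

Note that flipping the branch still leaves the lockout in place and now rejects the *real* password, which is why the "quick way" (short-circuit the method) is what you reach for when you just need past the screen; either way the patched smali goes back through `apktool b` and must be re-signed before it will install.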