Android ApplicationSecurityfrom Consumer and

Developer Perspectives

http://www.meetup.com/Colombo-White-Hat-Security

https://www.facebook.com/colombowhitehat

https://twitter.com/ColomboWhiteHat

Ayoma Wijethunga WSO2, Platform Security Team

[ayomawdb]

Ayoma Wijethunga

api android arduino automation building developing

discusses diy electronics engineering iot jaggery java kali linux modular osgi prusa reprap

security software ublox web wireshark wso2o WSO2, Platform Security Team.o Get in touch

o Email : ayoma@wso2.como LinkedIn : https://lk.linkedin.com/in/ayoma o Blog : http://ayomaonline.com o Twitter / Facebook / Github / Hangout : ayomawdb

Agenda

● Statistics

● Developer Perspective

○ OWASP Mobile Top 10

○ Additional Security Best Practices

● Consumer Perspective

○ Android Malware (Demo and code walkthrough)

■ AndroRAT - Android Remote Administration Tool

■ Android Chat - Custom made RAT demo

○ Prevention and Detection Options

Statistics

Source; McAfee Labs -

2016 Threats Predictions

Mobile and Non-mobile Application Weaknesses

Source: HPE Security

Research Cyber Risk

Report 2016

Mobile Applications Threats

Source: HPE Security

Research Cyber Risk

Report 2016

OWASP Mobile Top 10

OWASP Mobile Top 10

M1: Weak Server Side Controls (Relates to OWASP Top 10)

A1 Injection

A2 Broken Authentication and Session Management

A3 Cross-Site Scripting (XSS)

A4 Insecure Direct Object References

A5 Security Misconfiguration

A6 Sensitive Data Exposure

A7 Missing Function Level Access Control

A8 Cross-Site Request Forgery (CSRF)

A9 Using Components with Known Vulnerabilities

A10 Unvalidated Redirects and Forwards

Con

side

ring

RE

ST

AP

I bas

ed S

erve

r Sid

e

OWASP Mobile Top 10 (Cntd.)

M2: Insecure Data Storage

Storage Options:

● Shared Preferences● Internal Storage● External Storage● SQLite Databases● Network Connection

Encrypt sensitive data before storing

Encryption keys should not be hardcoded (KeyStore, ‘FireAndForget’ key)

Shared preferences should not be MODE_WORLD_READABLE/WRITABLE (deprecated in API level 17)

Transport Layer Protection

OWASP Mobile Top 10 (Cntd.)M3: Insufficient Transport Layer Protection

General transport layer protection practices

● SSL/TLS (TLS 1.2 prefered) with strong cipher suite & appropriate key lengths

● Certificates issued by trusted CA provider● SSL chain verification / Hostname verification● Always alert user if any validation goes wrong

When possible, do application level encryption before sending data over transport layer (avoid future transport layer vulnerabilities)

M4: Unintended Data Leakage

● Keyboard Caching / Suggestions ○ For non-password informtion : android:inputType="textNoSuggestions"○ For passwords : andorid:inputType="password"

● Analytics Data● Logs (!)

OWASP Mobile Top 10 (Cntd.)

M5: Poor Authorization and Authentication

● Never persistent credentials locally● Avoid spoofable values during authentication (MAC/IMEI)● Ensure authorization controls cannot be bypassed● Token based authentication with backend APIs (OAuth 2)

○ Google “Dulanja API Security”

● Discourage use of 4 digit or all digit pass-codes

M6: Broken Cryptography

M7: Client Side Injection

SQL Injection (SQL Lite), XSS, File Inclusion

OWASP Mobile Top 10 (Cntd.)

M8: Security Decisions Via Untrusted Inputs

Intents

PackageManager.getLaunchIntentForPackage(-)

Intent intent = new Intent(Intent.ACTION_MAIN);intent.setComponent(ComponentName.unflattenFromString("com.example.app/com.ex ample.app.ExampleAction"));intent.addCategory(Intent.CATEGORY_LAUNCHER);intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);intent.putExtra(“SESSION_DATA”, sessionData);startActivity(intent);

Binder Framework

http://blog.checkpoint.com/wp-content/uploads/2015/02/Man-In-The-Binder-He-Who-Controls-IPC-Controls-The-Droid-wp.pdf

BroadcastReceiver

OWASP Mobile Top 10 (Cntd.)

M9: Improper Session Handling : Timeouts, cookie or token rotation

M10: Lack of Binary Protections

● Bytecode Conversion (apktool; dex2jar)● Runtime Analysis (ADB)● Reverse Engineering (IDA Pro)

○ https://www.hex-rays.com/products/ida/support/tutorials/debugging_dalvik.pdf ● Disassembly (baksmali)

Let’s keep these for another sessions...(Maybe: Android Application Security - from Pentester Perspective)

Image credit: http://www.gograph.com/vector-clip-art/complex.html

Android Malware

Image credit: http://www.ibtimes.co.uk/new-android-threat-prowl-krysanec-malware-masquerades-legitimate-apps

-unleashes-remote-access-1462013

AndroRAT (Remote Administration Tool)

Demo and code walkthrough

Image credit: http://combiboilersleeds.com/

Android Chat - Custom Made RAT

Demo and code walkthrough

Image credit: http://combiboilersleeds.com/

Prevention and Detection Options

Image Credit: http://maxpixel.freegreatpicture.com/Detective-Finger-Mystery-Fingerprints-Find-Clues-1520

85

Application permissionsAlways double check application permissions!

Facebook:

●●●●●●●●●●●●●

○○○

Viber:

●●●●●●●●●●●●●

○○○○

Application permissions

Pokémon GO:

● In-app purchases● Identity● Location● Photos/Media/Files● Camera● Other

○ receive data from Internet

MX Player:

● Photos/Media/Files● Wi-Fi connection information● Other

○ receive data from Internet

VLC Player:

● Photos/Media/Files

New Permission Model

Android 6.0 (API level 23)+

● Users grant permissions at run-time

● User can control what permissions to allow (and what to revoke)

● Developers see warnings if code will break due to not handling permission revocations properly.

● Dangerous permission must be approved manually.

https://developer.android.com/guide/topics/permissions/requesting.html

Dangerous permissions

●●

●

●●●

●●

●

●●

●●●●●●●

●

●●●●●

https://www.owasp.org/images/c/ca/ASDC12-An_InDepth_Introduction_to_the_Android_Permissions_Modeland_How_to_Secure_MultiComponent_Applicati

ons.pdf

https://developer.android.com/guide/topics/permissions/requesting.html

Modify Application Permissions

App Opps (Not available with 4.4.2. Use “App Ops [Root]” or similar from Sore)

Network Traffic Analysis

Shark for Root Packet Capture

Firewalls

Additional Security Best PracticesApart from what was discussed in OWASP Mobile Top 10

● Request least number of permissions possible (avoid dangerous permissions)

● Update dependent libraries and frameworks

● Properly define Content Provider’s exposed attribute and permissions

● Avoid storing and transmitting personal / sensitive data as much as possible

● Using WebView can introduce web application vulnerabilities (XSS, Cache Poisoning, ..) to mobile apps. Use with caution!

● Be cautious with dynamic class loading and usage of reflection (do not allow external parties to tamper dynamic values)

● https://developer.android.com/training/articles/security-tips.html

Point to Ponder Is there any option but to sacrifice privacy?

https://github.com/will3942/uber-hackhttp://motherboard.vice.com/read/ubers-god-view-was-once-available-to-drivers

Uber God View

Image credit: https://www.pinterest.com/pin/453245149972280324/

BE WITHIN LEGAL LIMITS

Only test with your own devices, or test with proper authorization.

Thank you!