Android pen test basics By Vishnu P Presented at OWASP Kerala Meet September 2014
Android Penetration Testing
Topics covered
• Android Security Model
• Android software stack
• Content provider
Android Software stack
Android Security Model
Android security model
• Linux-based platform.
• App programming – done in Java
• App isolation.
• OS software stack consists of Java apps running on a Dalvik Virtual Machine.
• Each app has its own DVM
Android security model (contd)
• Data storage location: /data/data/<package-name>
• AndroidManifest.xml – very important
– Contains information about the package and its components, like activities, services, content providers, etc
– Responsible for protecting the application by defining permissions
Content Provider
Content providers
• Used to manage access to a structured set of data.
• Provide a mechanism for defining data security.
• Standard interface that connects data in one process with code running in another process (inter-process communication)
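The two slides above make one point together: the manifest is where a content provider's exposure to other apps is declared, so a review starts by reading it. The script below is an added example, not part of the deck, that audits a decoded AndroidManifest.xml (apktool output, plain XML) for providers that other apps can reach without holding any permission. The sample manifest is constructed here; the `<provider>` element names, authorities and permission are invented for the example, and the line-per-element assumption matches how apktool writes decoded manifests.

```shell
#!/bin/sh
# Added example (not from the deck): audit a decoded AndroidManifest.xml for
# content providers reachable from other apps without any permission.
# Assumes the manifest has been decoded to plain XML (e.g. by apktool) and that
# each <provider .../> element sits on one line, as apktool writes it.

# Write a constructed sample manifest to a temporary file; print its path.
make_sample_manifest() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
    <application android:label="Notes">
        <provider android:name=".NotesProvider" android:authorities="com.example.notes.notes" android:exported="true"/>
        <provider android:name=".SettingsProvider" android:authorities="com.example.notes.settings" android:exported="true" android:permission="com.example.notes.READ_SETTINGS"/>
        <provider android:name=".CacheProvider" android:authorities="com.example.notes.cache" android:exported="false"/>
        <provider android:name=".LegacyProvider" android:authorities="com.example.notes.legacy"/>
    </application>
</manifest>
EOF
    echo "$f"
}

# Print the android:name of each provider that is not explicitly
# android:exported="false" and declares no permission attribute.
# A missing android:exported attribute is treated as exported, because that is
# the default for providers in apps targeting API levels below 17.
unprotected_providers() {
    grep '<provider ' "$1" \
      | grep -v 'android:exported="false"' \
      | grep -v 'android:permission=' \
      | grep -v 'android:readPermission=' \
      | grep -v 'android:writePermission=' \
      | sed -n 's/.*android:name="\([^"]*\)".*/\1/p'
}
```

On a real target, run `unprotected_providers <apktool-output-dir>/AndroidManifest.xml`; every name printed is a provider whose data any installed app can query, and the fix is an `android:permission` (or read/write permission) on the element or `android:exported="false"`.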
Android debug bridge (ADB)
• Command-line tool that lets you communicate with an Android device/emulator.
~demo
Structure of an apk file
App security testing – how?
• Reverse engineering the apk file.
• Examining permissions, services, activities, etc
• Test sensitive data storage.
Reverse engineering the apk
Steps to reverse apk
1. Rename <file>.apk to <file>.zip
2. Extract contents of zip
3. Convert application code (Dalvik bytecode) to Java bytecode using dex2jar
4. Convert Java bytecode into Java source code using JD-GUI
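The four steps as a script, added here as an example and not taken from the deck. It assumes `unzip` and the dex2jar wrapper `d2j-dex2jar.sh` are on PATH, uses apktool if it is installed (it decodes the binary AndroidManifest.xml into readable XML, which unzip alone does not), and leaves the JD-GUI step manual because JD-GUI is a graphical tool. The output directory name and the magic-byte check are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the deck): the four reverse-engineering steps as a
# script. Assumes unzip and the dex2jar wrapper d2j-dex2jar.sh are on PATH;
# apktool is used if present; JD-GUI is graphical, so step 4 is left manual.

# True if the file begins with the ZIP local-file-header magic 50 4b 03 04
# ("PK\3\4"). An APK is a ZIP archive, so renaming it to .zip is cosmetic.
is_zip() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "504b0304" ]
}

# Unpack an APK into $2 (default: <name>_rev) and convert its Dalvik code to a jar.
reverse_apk() {
    apk=$1
    out=${2:-"${apk%.apk}_rev"}
    if ! is_zip "$apk"; then
        echo "not a ZIP/APK file: $apk" >&2
        return 1
    fi
    mkdir -p "$out"
    # Steps 1-2: extract the archive (classes.dex, resources, binary manifest).
    unzip -q -o "$apk" -d "$out/unzipped"
    # apktool additionally decodes AndroidManifest.xml to readable XML.
    if command -v apktool >/dev/null 2>&1; then
        apktool d -f -o "$out/apktool" "$apk"
    fi
    # Step 3: Dalvik bytecode -> Java bytecode. d2j-dex2jar accepts the APK
    # itself and converts the classes*.dex files inside it.
    d2j-dex2jar.sh -o "$out/classes-dex2jar.jar" "$apk"
    # Step 4: open the jar in JD-GUI to read the decompiled Java source.
    echo "Open $out/classes-dex2jar.jar in JD-GUI"
}
```

Usage: `reverse_apk target.apk` produces `target_rev/unzipped`, optionally `target_rev/apktool`, and `target_rev/classes-dex2jar.jar`; the magic-byte check stops the script early on a file that is not actually an APK.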
Testing
• Pre-requisites
– PC with Android SDK installed
– Genymotion Android emulator
– Tools like apktool, dex2jar, etc
~demo
Common insecure practices
• Hardcoding sensitive information
• Encrypting passwords
• Lack of binary protection
• Insecure data storage. (~demo)
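Two of the practices above, hardcoded secrets and world-accessible storage, can be checked for in the decompiled Java source from the reverse-engineering steps. The script below is an added example, not from the deck: a grep-based scan over a source tree, run here on a constructed sample whose class names, key strings and password are invented. The final function lists an app's private data directory over ADB on a rooted emulator such as Genymotion; it needs a device and is not exercised by the sample.

```shell
#!/bin/sh
# Added example (not from the deck): grep-based scan of decompiled Java
# sources for hardcoded credentials and world-readable/writable storage.
# The sample source tree is constructed here; all values in it are invented.

make_sample_sources() {
    d=$(mktemp -d)
    cat > "$d/Config.java" <<'EOF'
public class Config {
    static final String API_KEY = "EXAMPLE_KEY_NOT_REAL";
    static final String DB_PASSWORD = "hunter2";
    static final String LABEL = "Notes";
}
EOF
    cat > "$d/Store.java" <<'EOF'
public class Store {
    void save(Context ctx) {
        SharedPreferences p = ctx.getSharedPreferences("prefs", Context.MODE_WORLD_READABLE);
        FileOutputStream f = ctx.openFileOutput("dump.txt", Context.MODE_WORLD_WRITEABLE);
    }
}
EOF
    echo "$d"
}

# Lines that assign a string literal to a variable whose name suggests a
# secret (password, key, token, ...). Case-insensitive; prints file:line:text.
hardcoded_secrets() {
    find "$1" -name '*.java' -exec grep -niE \
        '(password|passwd|secret|api_?key|token)[a-z_]*[[:space:]]*=[[:space:]]*"' {} +
}

# Lines that open preferences or files with world-readable/writable modes,
# which lets any other app on the device read or modify the stored data.
world_accessible_storage() {
    find "$1" -name '*.java' -exec grep -nE 'MODE_WORLD_(READABLE|WRITEABLE)' {} +
}

# Dynamic check of the same storage issue: list the app's private data
# directory on a rooted device/emulator (needs adb on PATH and a device).
list_app_data() {
    adb shell "ls -la /data/data/$1"
}
```

Both grep functions are heuristics: they find the obvious cases and miss secrets assembled at runtime or split across lines, so treat a clean result as a starting point rather than a verdict. In `list_app_data` output, any file whose mode shows read or write bits for "other" is readable or writable by every app on the device.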
Application integrity challenges
• Hackers/malware gaining physical access to application binaries.
• “My application contains no programming flaws”. But application binaries are still open to reverse-engineering and hacking tools.
• Most commonly found attack scenario:
– Attempt to insert malware and rebuild the original app (e.g. WhatsApp, Flappy Bird, etc) to create a malicious apk.
– Spread the malicious apk through email, social networks/forums.
– Victim installs the apk and is compromised.
Examples
• Bypassing Android lock-screen
• Insecure data storage
Secure Coding Practices
• Code obfuscation
• Symbol stripping
• Symbol renaming
• String encryption
• Anti-debug
And much more
References
• Google Developers
• Mobile App Integrity Protection by Arxan
• Learning PenTest for Android – Aditya Gupta
Principle of least privilege