Post on 14-Jul-2018

224 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Android Application Assessment - SANS Application...Assessing Mobile Apps (1) ... Android Application Assessment ... Sidebar – Android Package downloads • Where can you get the

Android Application Assessment- © 2013 Christopher Crowley

1

Android Application Assessment

Inspecting Android Applications for Known Issues


2

Assessing Mobile Apps (1)

• Risk from mobile applications
– Low – app poses little or no threat to device and data on device
– Moderate – app poses some threat to device protective measures and data stored on device
– High – app is likely to circumvent device protective measures and/or exfiltrate private data
● All address book data to a server
● Intent with poor filtering


3

Assessing Mobile Apps (2)

• Checklist of actions to perform for mobile app assessment
• Checklists are effective in this context
• Helps to build in-house knowledge for ongoing assessment; once the org starts to assess apps, you are responsible to do so for evermore…


4

Threats

• Primary threat to Android devices is mobile malware
– SMS premium rate messages cost people money
– Private data theft
• Pen test objective is to model the threats associated with running the apps
• Non-malware threats use the same methods as malware


5

Two Types of Assessments

• Behavioral
– Use a sandbox environment
– Watch file access, network traffic, SMS messages, calls
– Easier when dealing with obfuscated code
– App may not misbehave while you’re watching
• Static Code Analysis
– More challenging
– More thorough (if done properly)
– Can detect latent behaviors, long-running timers and triggered events


6

Checklist

• Checklists are lame
• But checklists have proven to be extremely effective at preventing mistakes in routine (and important) tasks
– Pre-flight checklist
– Medical checklist


7

Android Static Analysis - 1

• Android Static Analysis
– Applications for Android come in the form of Android Packages (APK)
– APKs contain a Dalvik Executable (DEX), a Manifest, and other files
– DEX is bytecode compiled from Java code
● We can use two different approaches to extract Java code from DEX files
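An APK is a ZIP archive, so the standard library is enough to look inside one before any decompiler is involved. The following Python is an added example, not code from the slide deck: it lists what the package carries (manifest, DEX files, native libraries, and any code hidden under assets/ or res/ that the main classes.dex would not show) and validates each DEX header's magic, adler32 checksum and SHA-1 signature, which is a cheap way to catch a truncated or tampered file before trusting what dex2jar or apktool make of it. The sample APK it builds is constructed; its AndroidManifest.xml entry is a placeholder rather than real binary XML, and the DEX inside is header-only.

```python
"""Inspect the structure of an APK and validate its DEX header(s).

Added example (not from the slide deck). Sample data is constructed.
"""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70          # fixed size of the DEX header
ENDIAN_CONSTANT = 0x12345678    # expected endian_tag for a little-endian file

# Names of the 20 uint32 fields that follow the 20-byte SHA-1 signature.
_HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off",
    "map_off", "string_ids_size", "string_ids_off", "type_ids_size",
    "type_ids_off", "proto_ids_size", "proto_ids_off", "field_ids_size",
    "field_ids_off", "method_ids_size", "method_ids_off", "class_defs_size",
    "class_defs_off", "data_size", "data_off",
)


def parse_dex_header(data: bytes) -> dict:
    """Parse a DEX header and verify its integrity fields.

    The adler32 checksum covers everything after the checksum field (offset 12);
    the SHA-1 signature covers everything after the signature (offset 32).
    """
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("too short to be a DEX file")
    magic = data[:8]
    if not (magic.startswith(b"dex\n") and magic[7:8] == b"\x00"):
        raise ValueError("bad DEX magic: %r" % magic)
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    hdr = dict(zip(_HEADER_FIELDS, struct.unpack_from("<20I", data, 32)))
    hdr["version"] = magic[4:7].decode("ascii")
    hdr["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    hdr["signature_ok"] = hashlib.sha1(data[32:]).digest() == signature
    hdr["endian_ok"] = hdr["endian_tag"] == ENDIAN_CONSTANT
    hdr["size_ok"] = (hdr["file_size"] == len(data)
                      and hdr["header_size"] == DEX_HEADER_SIZE)
    return hdr


def inspect_apk(apk_bytes: bytes) -> dict:
    """List what an APK carries and parse every top-level classes*.dex header."""
    report = {"has_manifest": False, "dex": {}, "native_libs": [],
              "embedded_code": [], "entries": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            report["entries"].append(name)
            if name == "AndroidManifest.xml":
                report["has_manifest"] = True
            elif name.endswith(".dex") and "/" not in name:
                report["dex"][name] = parse_dex_header(zf.read(name))
            elif name.startswith("lib/") and name.endswith(".so"):
                report["native_libs"].append(name)
            elif name.split("/")[0] in ("assets", "res") and \
                    name.endswith((".dex", ".jar", ".apk")):
                # Code shipped outside classes.dex has to be reviewed on its own.
                report["embedded_code"].append(name)
    return report


def build_sample_dex(class_defs_size: int = 3) -> bytes:
    """Constructed sample: a header-only DEX with a valid checksum and signature."""
    values = [DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT] + [0] * 17
    values[_HEADER_FIELDS.index("class_defs_size")] = class_defs_size
    tail = struct.pack("<20I", *values)
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF
    return b"dex\n035\x00" + struct.pack("<I", checksum) + signature + tail


def build_sample_apk() -> bytes:
    """Constructed sample APK: manifest placeholder, one DEX, a native lib, a hidden jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML placeholder
        zf.writestr("classes.dex", build_sample_dex())
        zf.writestr("lib/armeabi/libnative.so", b"\x7fELF")
        zf.writestr("assets/payload.jar", b"PK")
    return buf.getvalue()


if __name__ == "__main__":
    rep = inspect_apk(build_sample_apk())
    for name, hdr in rep["dex"].items():
        print(name, "v" + hdr["version"], "classes:", hdr["class_defs_size"],
              "checksum_ok:", hdr["checksum_ok"], "signature_ok:", hdr["signature_ok"])
    print("native libs:", rep["native_libs"])
    print("embedded code to review:", rep["embedded_code"])
```

Anything in `embedded_code` or `native_libs` is a reminder that the Java you get from the DEX is not the whole application; a DEX whose checksum or signature fails is worth treating as damaged or deliberately altered rather than fed straight into a decompiler.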


8

Android Static Analysis - 2

• Android Static Analysis
– This is a challenging thing to do!
– There are some tools that are available to help with automation
– Look at a few of these, then dig into a manual method


9

Automated Analysis - 1

• Stowaway
– Online assessment, requires upload of the apk file to the server at http://www.android-permissions.org/
– Gives a listing of the permissions requested, and if the permissions are actually used


10

Automated Analysis - 2

• Androwarn
– Static assessment
– Produces HTML report of potentially sensitive actions based on the function calls present in the code
– Available from: https://github.com/maaaaz/androwarn


11

Manual Analysis

• Back to manual
– Manual code inspection provides the most thorough assessment
– Requires the most skill
– Objective is to help you develop a methodology for quickly scouring code for known suspicious functions
– We’ll use Eclipse and FindBugs™ to accomplish this
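The Stowaway, Androwarn and manual-analysis slides describe one repeatable loop: find the known sensitive calls in the recovered code (what Androwarn reports), relate them to the permissions the app asked for (what Stowaway reports), and keep the method simple enough to run by hand on every app. The Python below is an added example and is not Androwarn's, Stowaway's, FindBugs' or the deck's own code. Its rule table is a hand-picked subset of well-known API-to-permission pairs, not the full Android permission map; it assumes the manifest has already been decoded to plain XML (as apktool writes it); and the manifest and decompiled lines it scans are constructed samples.

```python
"""Scour decompiled Android code for known sensitive API calls and cross-check
the permissions they imply against what AndroidManifest.xml declares.

Added example (not from the slide deck). Rule table and samples are constructed.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Rule table (constructed subset, not the full Android permission map):
# category, permission the call needs (None if none), regex matching both the
# dex2jar Java spelling and the apktool smali spelling of the call.
RULES = (
    ("send SMS", "android.permission.SEND_SMS",
     re.compile(r"SmsManager.{0,40}?send(Text|Multipart|Data)Message")),
    ("read contacts", "android.permission.READ_CONTACTS",
     re.compile(r"ContactsContract")),
    ("device identifier", "android.permission.READ_PHONE_STATE",
     re.compile(r"getDeviceId\s*\(")),
    ("location", "android.permission.ACCESS_FINE_LOCATION",
     re.compile(r"getLastKnownLocation\s*\(")),
    ("network egress", "android.permission.INTERNET",
     re.compile(r"HttpURLConnection|HttpClient|java[./]net[./]Socket")),
    ("dynamic code loading", None, re.compile(r"DexClassLoader")),
    ("command execution", None, re.compile(r"Runtime.{0,30}?exec\s*\(")),
)


def declared_permissions(manifest_xml: str) -> set:
    """<uses-permission android:name=...> entries from an apktool-decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def scan_source(lines) -> list:
    """Every rule hit as (line_no, category, permission, stripped line)."""
    hits = []
    for no, line in enumerate(lines, 1):
        for category, perm, rx in RULES:
            if rx.search(line):
                hits.append((no, category, perm, line.strip()))
    return hits


def cross_check(hits, declared) -> dict:
    """Permissions implied by the code versus permissions declared in the manifest."""
    needed = {perm for _, _, perm, _ in hits if perm}
    return {
        # Code uses it and the manifest grants it: expected, but still review the use.
        "used_and_declared": sorted(needed & declared),
        # Code uses it but nothing grants it: the call would be refused at runtime; look closer.
        "used_not_declared": sorted(needed - declared),
        # Granted but no matching call found: over-privileged, or the use is outside the scanned code.
        "declared_not_used": sorted(declared - needed),
        # Sensitive but permission-free behaviour that only manual review can judge.
        "permission_free_findings": sorted({c for _, c, p, _ in hits if p is None}),
    }


def analyse(manifest_xml: str, source_lines) -> dict:
    hits = scan_source(source_lines)
    report = cross_check(hits, declared_permissions(manifest_xml))
    report["hits"] = hits
    return report


# Constructed sample input: a decoded manifest and a few decompiled lines.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""
SAMPLE_SOURCE = [
    # dex2jar-style Java
    "Cursor c = getContentResolver().query(ContactsContract.Contacts.CONTENT_URI, null, null, null, null);",
    "HttpURLConnection conn = (HttpURLConnection) new URL(server).openConnection();",
    "SmsManager.getDefault().sendTextMessage(number, null, body, null, null);",
    # apktool-style smali
    "invoke-virtual {v0, v1}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;",
    "new-instance v2, Ldalvik/system/DexClassLoader;",
]

if __name__ == "__main__":
    rep = analyse(SAMPLE_MANIFEST, SAMPLE_SOURCE)
    for no, cat, perm, text in rep["hits"]:
        print(f"line {no}: {cat} ({perm or 'no permission'}): {text[:60]}")
    for key in ("used_not_declared", "declared_not_used", "permission_free_findings"):
        print(key, rep[key])
```

On the sample the contacts read and the network egress line up with declared permissions (address book data heading to a server is the exact pattern the risk slide calls out), the SMS send has no matching permission, the location permission has no matching call, and the Runtime.exec and DexClassLoader findings need a human to read the surrounding code. Extending `RULES` is how the checklist grows as the team learns which calls matter in its own apps.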


12

Eclipse

• Eclipse is a development environment
• Provides opportunity for code review
– But this is manual
– Need to know Java fairly well to know what to look for
– We can help resolve this with FindBugs™


13

FindBugs™

• FindBugs™ is a suite of checks for known programming flaws

• It is intended to help programmers to avoid known, common errors

• We are going to adapt it to our purpose of looking for code that is suspicious and warrants review


14

Install Eclipse

• http://www.eclipse.org/downloads
• Download Eclipse Classic
• Install default
● Next, next, finish ;-)


15

Install FindBugs™ - 1

• Eclipse: Help->“Install New Software…”


16

Install FindBugs™ - 2

• Click Add…
• Enter “FindBugs update site” (no quotes) for the name
• Enter “http://findbugs.cs.umd.edu/eclipse” (no quotes) as the Location
• Click “OK”


17

Install FindBugs™ - 3

• Click “Select All”
• Click “Next”


18

Install FindBugs™ - 4

• Accept the warning


19

Dalvik to Java - 1

• Now we need to have Java code to import into Eclipse
• We will use the APK files to inspect the code
• There are two main ways to do this
– Dex2jar
– Smali / apktool


20

Dalvik to Java - 2

• Use dex2jar.bat to get readable, but non-executable Java code
• Use smali and apktool to get executable, but difficult to read Java code
• You will probably end up doing both, as each is useful in its own way


21

APK disassembly – smali

• Smali and apktool method
• Results in code that can be modified and recompiled


22

APK disassembly – Dex2jar

• Dex2jar method
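The two routes on the preceding slides come down to a few command lines, and running both on every APK is easier when something records what was done to which file. The Python wrapper below is an added example, not from the deck: it assumes the current tool names d2j-dex2jar (the .sh/.bat wrappers that replaced the dex2jar.bat the slides mention) and apktool are on PATH, and every path and package name in it is a placeholder. It hashes the APK first so the output can be tied to exactly the file analysed, runs the dex2jar route (readable jar to open in Eclipse) and the apktool route (decoded manifest plus smali that can be edited and rebuilt), and reports where each landed.

```python
"""Drive the dex2jar and apktool routes for one APK and record the result.

Added example (not from the slide deck). Assumes d2j-dex2jar and apktool are
on PATH; all paths are placeholders.
"""
import hashlib
import os
import shutil
import subprocess
from pathlib import Path


def sha256_file(path) -> str:
    """Hash the APK so the report can be tied to exactly what was analysed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_plan(apk_path, out_dir) -> dict:
    """Command lines for both routes; nothing is executed here."""
    apk = Path(apk_path)
    out = Path(out_dir)
    jar = out / f"{apk.stem}-dex2jar.jar"       # readable, non-executable Java
    smali_dir = out / f"{apk.stem}-apktool"     # decoded manifest, resources, smali
    rebuilt = out / f"{apk.stem}-rebuilt.apk"
    return {
        "apk": str(apk),
        "jar": str(jar),
        "smali_dir": str(smali_dir),
        "dex2jar": ["d2j-dex2jar", str(apk), "-o", str(jar)],
        "apktool": ["apktool", "d", str(apk), "-o", str(smali_dir), "-f"],
        # Only needed once smali has been edited; apktool's output is unsigned.
        "rebuild": ["apktool", "b", str(smali_dir), "-o", str(rebuilt)],
    }


def missing_tools() -> list:
    """Which of the required executables are not on PATH."""
    return [t for t in ("d2j-dex2jar", "apktool") if shutil.which(t) is None]


def run_plan(plan, rebuild=False) -> dict:
    """Execute the extraction commands and report what exists afterwards."""
    os.makedirs(Path(plan["jar"]).parent, exist_ok=True)
    results = {"sha256": sha256_file(plan["apk"]), "steps": {}}
    steps = ["dex2jar", "apktool"] + (["rebuild"] if rebuild else [])
    for step in steps:
        proc = subprocess.run(plan[step], capture_output=True, text=True)
        results["steps"][step] = {"rc": proc.returncode, "stderr": proc.stderr[-500:]}
    results["jar_ok"] = os.path.isfile(plan["jar"])
    results["smali_ok"] = os.path.isfile(os.path.join(plan["smali_dir"], "AndroidManifest.xml"))
    return results


if __name__ == "__main__":
    import sys
    plan = build_plan(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "out")
    absent = missing_tools()
    if absent:
        sys.exit("missing tools on PATH: " + ", ".join(absent))
    print(run_plan(plan))
```

Usage is `python extract.py sample.apk out/`; the jar goes into Eclipse for reading, the apktool directory is what you edit and rebuild if the smali route is needed, and the recorded SHA-256 is what goes into the assessment notes.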


23

Sidebar – Android Package downloads

• Where can you get the code to assess?
– Download .apk file from internet
– Move application to removable sdcard, then remove sdcard and copy
– Copy .apk file from rooted android device
• Malware
– http://contagiominidump.blogspot.com is a repository of known android malware
● Good material to practice with, but be careful with malware!


24

Import code to Eclipse

• 1) Create new project


25

Import code to Eclipse

• 1) Import external archive


26

Conclusion

• App Assessment is a valuable task to protect individuals and organizations
– Behavioral
– Automated code analysis
– Static code analysis
• Android has substantial threats from malware


27

Contact Info

• [email protected] – LinkedIn e-mail
• +ChrisCrowley – G+
• @CCrowMontance – #Twitter