Testing Android SecurityJosé Manuel Ortega @jmortegac

AMSTERDAM 11-12 MAY 2016

https://speakerdeck.com/jmortegahttp://jmortega.github.io

AGENDA

▪ Development Cycle▪ Static and Dynamic Analysis▪ Components Security▪ Hybrid Automatic tools▪ Best Practices & OWASP

DEVELOPMENT CYCLE

WHITE BOX /BLACK BOX

✓✓✓

✓✓✓

TESTING ANDROID SECURITY

FORENSICS

FORENSICS

▪▪

▪▪

▪▪

STATIC ANALYSIS

✓✓✓✓✓✓✓

CODE REVIEW / SOURCE CODE ANALYSIS

ANDROID LINT

ANDROID STUDIO INSPECT CODE

ANDROID SONAR PLUGIN

ANDROID SONAR PLUGIN >RULES

SONAR SECURITY

ANDROWARN

QARK

▪ Quick Android Review Kit

▪ https://github.com/linkedin/qark

▪ Static code analysis tool

▪ Look for potential vulnerabilities

QARK

▪ Identifies permissions and exported components(activities,services..) on Manifest

▪ Looks for WORLD_READABLE and WORLD_WRITABLE files

▪ Looks for X.509 certificates validation issues

QARK

QARK REPORT

REVERSE ENGINEERING

▪ Decompile dalvik to smali▪ classes.dex in APK▪ APKTOOL▪ DEX2JAR▪ Java Decompiler

APK STRUCTURE

DISASSEMBLY AND DECOMPILATION

JADX-GUI

APKTOOL

DYNAMIC ANALYSIS TOOLS

WIRESHARK

BURP SUITE

▪ Intercepting network traffic▪ HTTP proxy tool▪ Able to intercept layer traffic and allows users to

manipulate the HTTP request and response

DROZER

▪ https://labs.mwrinfosecurity.com/tools/drozer/▪ Find vulnerabilities automatically▪ Automate security testing▪ Interact with your Apps with debugging

disabled

INSIDE DROZER

DROZER

DROZER PACKAGE INFO

▪ app.package.info

DROZER COMMANDS

DROZER CONTENT PROVIDERS

FINDING SQL INJECTION IN CONTENT PROVIDERS

EXPLOITING SQL INJECTION VULNERABILITY

ANDROID MANIFEST

android:debuggable=true

android:exported=true

ANDROID MANIFEST EXPORTED ATTRIBUTE

…

…

…

COMPONENTS SECURITY

▪ AndroidManifest.xml▪ Activities▪ Content Providers▪ Services▪ Shared Preferences▪ Webview

LOG INFORMATION

public static final boolean SHOW_LOG = BuildConfig.DEBUG;

public static void d(final String tag, final String msg) {if (SHOW_LOG)

Log.d(tag, msg);}

THRID PARTY LIBRARIES

VULNERABILITIES IN CORDOVA 3.5

SECURITY IN CONTENT PROVIDERS

▪ Components provide a standardized interface for sharing data between applications

▪ URI addressing scheme▪ Can perform queries equivalent to SELECT,

UPDATE,INSERT, DELETE

SQLCIPHER

▪ SQLCipher is a SQL extension that provides transparent AES encryption of database files

▪ 256-bit AES Encrypt SQLite database▪ http://sqlcipher.net/sqlcipher-for-android

SECURED PREFERENCES

▪ https://github.com/scottyab/secure-preferences▪ Encrypt your app’s shared preferences

▪ Android Share Preferences wrapper that provides encryption for keys and values

SECURED PREFERENCES

DATA STORAGE

PROTECTING DATA FILES

SECURE COMMUNICATIONS

▪ Ensure that all sensitive data is encrypted

▪ Certificate pinning for avoid MITM attacks

CERTIFICATES

SSLSocketFactory.ALLOW_ALLHOSTNAME_VERIFIER

TrustManager where checkServerTrusted() always returns true

CERTIFICATE PINNING

X.509 CERTIFICATES

HTTPS Connection

HTTPS Connection

ENCRYPT NETWORK REQUESTS

▪ Best practice is to always encrypt network communications

▪ HTTPS and SSL can protect against MitM attacks and prevent casual sniffing traffic.

▪ Server certificate validity is checked by default

VALIDATE SERVER CERTIFICATE

▪ https://www.ssllabs.com/ssltest

CHECK CERTIFICATES TOOLS

▪ OpenSSL

▪ Keytool

▪ Jarsigner

Runtime Permissions

▪ All permissions granted at install time▪ Dangerous permissions require user

confirmation▪ Prompt for dangerous permissions at

runtime▪ Granted/revoked by permission group▪ Managed per app, per user

▪ /data/system/users/0/runtime-permissions.xml

Group permissions on Android M

Permissions FLOW on Android M

Permissions on Android M

Permissions on Android M

OBFUSCATION

▪ The obfuscator can use several techniques to protect a Java/Android application:

▪ change names of classes, methods, fields▪ modify the control flow▪ code optimization▪ dynamic code loading▪ change instructions with metamorphic technique

PROGUARD

▪ File shrinker: detects and removes unused classes, fields, methods,and attributes

▪ Optimizer: optimizes bytecode and removes unused instructions

▪ Obfuscator: renames classes, fields, and methods using short meaningless names

OBFUSCATION WITH PROGUARD

OBFUSCATION WITH PROGUARD

HYBRID AUTOMATIC ONLINE TOOLS

▪ SandDroid▪ ApkScan▪ Visual Threat▪ TraceDroid▪ CopperDroid▪ APK Analyzer▪ ForeSafe▪ AndroTotal▪ NowSecure Lab

VULNERABILTIY ANALYSIS

HYBRID AUTOMATIC ONLINE TOOLS

▪ http://sanddroid.xjtu.edu.cn/#home

SANDROID

SANDROID

TRACEDROID

NOWSECURE LAB

NOWSECURE LAB

NOWSECURE LAB

BEST PRACTICES

▪ Don’t hardcode sensitive information▪ Don’t store sensitive information ▪ Don’t store at easily readable location like

memory card▪ Encrypt the stored data▪ Implement SSL

BEST PRACTICES

▪ Protect the webserver against application layer attacks

▪ Prefer encryption over encoding or obfuscation▪ Sanitize inputs, use prepared statements

(protection against sql injection)

BEST PRACTICES

Android Secure Coding Checklist

▪ Use least privilege in request permissions▪ Don’t unnecessarily export components▪ Handle intents carefully▪ Justify any custom permissions▪ Mutually authenticate services▪ Use APIs to construct ContentProvider URIs▪ Use HTTPS▪ Follow best practices from OWASP project http://owasp.

org/index.php/OWASP_Mobile_Security_Project

OWASP MOBILE TOP 10 RISKS

OWASP MOBILE TOP 10 RISKS

Open Android Security Assesment Methodology

PENTESTING TOOLS / SANTOKU LINUX

ooo

PENTESTING TOOLS / NOWSECURE

▪ https://www.nowsecure.com/resources/freetools/

REFERENCES

▪ http://proguard.sourceforge.net▪ http://code.google.com/p/dex2jar▪ http://code.google.com/p/android-apktool▪ https://labs.mwrinfosecurity.com/tools/drozer▪ http://sqlcipher.net/sqlcipher-for-android▪ https://www.owasp.org/index.

php/OWASP_Mobile_Security_Project▪ https://developer.android.

com/training/articles/security-tips.html

BOOKS

BOOKS

Thanks!

@jmortegac

AMSTERDAM 9-12 MAY 2016