testing android security - jose manuel ortega candel - codemotion amsterdam 2016
TRANSCRIPT
Testing Android Security
José Manuel Ortega @jmortegac
AMSTERDAM 11-12 MAY 2016
https://speakerdeck.com/jmortega
http://jmortega.github.io
AGENDA
▪ Development Cycle
▪ Static and Dynamic Analysis
▪ Components Security
▪ Hybrid Automatic Tools
▪ Best Practices & OWASP
DEVELOPMENT CYCLE
WHITE BOX / BLACK BOX
TESTING ANDROID SECURITY
FORENSICS
STATIC ANALYSIS
CODE REVIEW / SOURCE CODE ANALYSIS
ANDROID LINT
ANDROID STUDIO INSPECT CODE
ANDROID SONAR PLUGIN
ANDROID SONAR PLUGIN > RULES
SONAR SECURITY
QARK
▪ Quick Android Review Kit
▪ https://github.com/linkedin/qark
▪ Static code analysis tool
▪ Looks for potential vulnerabilities
QARK
▪ Identifies permissions and exported components (activities, services, ...) in the Manifest
▪ Looks for WORLD_READABLE and WORLD_WRITABLE files
▪ Looks for X.509 certificate validation issues
QARK
QARK REPORT
REVERSE ENGINEERING
▪ Decompile dalvik to smali
▪ classes.dex in APK
▪ APKTOOL
▪ DEX2JAR
▪ Java Decompiler
APK STRUCTURE
DISASSEMBLY AND DECOMPILATION
JADX-GUI
APKTOOL
DYNAMIC ANALYSIS TOOLS
WIRESHARK
BURP SUITE
▪ Intercepting network traffic
▪ HTTP proxy tool
▪ Able to intercept application-layer traffic and allows users to manipulate the HTTP request and response
DROZER
▪ https://labs.mwrinfosecurity.com/tools/drozer/
▪ Find vulnerabilities automatically
▪ Automate security testing
▪ Interact with your apps with debugging disabled
INSIDE DROZER
DROZER
DROZER PACKAGE INFO
▪ app.package.info
DROZER COMMANDS
DROZER CONTENT PROVIDERS
FINDING SQL INJECTION IN CONTENT PROVIDERS
EXPLOITING SQL INJECTION VULNERABILITY
ANDROID MANIFEST
android:debuggable="true"
android:exported="true"
ANDROID MANIFEST EXPORTED ATTRIBUTE
COMPONENTS SECURITY
▪ AndroidManifest.xml
▪ Activities
▪ Content Providers
▪ Services
▪ Shared Preferences
▪ WebView
LOG INFORMATION
import android.util.Log;
// Gate debug logging on the build type so release builds do not leak data to logcat
public static final boolean SHOW_LOG = BuildConfig.DEBUG;
public static void d(final String tag, final String msg) {
    if (SHOW_LOG) Log.d(tag, msg);
}
THIRD PARTY LIBRARIES
VULNERABILITIES IN CORDOVA 3.5
SECURITY IN CONTENT PROVIDERS
▪ Components that provide a standardized interface for sharing data between applications
▪ URI addressing scheme
▪ Can perform queries equivalent to SELECT, UPDATE, INSERT, DELETE
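The SQL injection slides above (finding and exploiting injection in content providers) and this one come down to one provider pattern: the selection string a calling app passes through ContentResolver.query() ends up inside the provider's SQL. The following is an added example, not code from the original deck, for a hypothetical provider backing a "notes" table. It places the pattern a tool like drozer surfaces next to a hardened query() path that binds values through selectionArgs and restricts the projection with a whitelist. Table and column names are assumptions.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import java.util.HashMap;
import java.util.Map;

// Added example (not from the deck): query helpers for a hypothetical "notes" provider.
public final class NotesQueries {
    private static final String TABLE = "notes";

    // Columns a caller may legitimately ask for: the projection map doubles as a whitelist.
    private static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        PROJECTION_MAP.put("_id", "_id");
        PROJECTION_MAP.put("title", "title");
        PROJECTION_MAP.put("body", "body");
    }

    // VULNERABLE: the caller-supplied selection is pasted straight into the statement,
    // so any other app that can reach the provider controls the WHERE clause.
    static Cursor queryUnsafe(SQLiteDatabase db, String selection) {
        String sql = "SELECT _id, title, body FROM " + TABLE + " WHERE " + selection;
        return db.rawQuery(sql, null);
    }

    // HARDENED: values travel as bound parameters ("title = ?" + selectionArgs),
    // the projection is limited to known columns, and strict mode makes the
    // query builder reject selection clauses that reference anything outside the map.
    static Cursor querySafe(SQLiteDatabase db, String[] projection,
                            String selection, String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        qb.setProjectionMap(PROJECTION_MAP);
        qb.setStrict(true); // API 14+
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    // Typical call from the provider's query() override: the search term is a
    // parameter, never part of the SQL text.
    static Cursor findByTitle(SQLiteDatabase db, String title) {
        return querySafe(db, new String[] {"_id", "title"},
                         "title = ?", new String[] {title}, "title ASC");
    }
}
```

The same rule applies to insert, update and delete: pass user data via the ContentValues/selectionArgs parameters of the SQLiteDatabase methods and keep it out of concatenated strings. Also remember the Manifest side shown earlier: a provider that does not need to be reached by other apps should not be exported at all.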
SQLCIPHER
▪ SQLCipher is a SQL extension that provides transparent AES encryption of database files
▪ 256-bit AES encryption of the SQLite database
▪ http://sqlcipher.net/sqlcipher-for-android
SECURED PREFERENCES
▪ https://github.com/scottyab/secure-preferences
▪ Encrypt your app's shared preferences
▪ Android SharedPreferences wrapper that provides encryption for keys and values
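The two libraries on the SQLCipher and Secured Preferences slides are used the same way: keep the normal Android API shape, but make the bytes that land on disk unreadable without a key. The block below is an added example, not code from the deck or from either project, showing both side by side. It assumes the SQLCipher for Android and scottyab/secure-preferences dependencies are on the classpath; the table name and preference keys are made up, and the passphrase is taken as a parameter because the deck's own best-practice slide says not to hardcode secrets.

```java
import android.content.Context;
import android.content.SharedPreferences;
import com.securepreferences.SecurePreferences;
import net.sqlcipher.database.SQLiteDatabase;
import java.io.File;

// Added example (not from the deck): encrypted data at rest with SQLCipher and SecurePreferences.
public final class ProtectedStorage {

    // SQLCipher: drop-in replacement for android.database.sqlite.SQLiteDatabase whose
    // file is AES-256 encrypted. The passphrase must come from the user or a key
    // derived at runtime, never a constant in the APK (it would survive decompilation).
    static SQLiteDatabase openEncryptedDb(Context ctx, File dbFile, String passphrase) {
        SQLiteDatabase.loadLibs(ctx); // load the native SQLCipher libraries once per process
        SQLiteDatabase db = SQLiteDatabase.openOrCreateDatabase(dbFile, passphrase, null);
        db.execSQL("CREATE TABLE IF NOT EXISTS tokens (name TEXT PRIMARY KEY, value TEXT)");
        return db;
    }

    // Values are bound as parameters, the same rule as for content providers.
    static void saveToken(SQLiteDatabase db, String name, String value) {
        db.execSQL("INSERT OR REPLACE INTO tokens (name, value) VALUES (?, ?)",
                   new Object[] {name, value});
    }

    // SecurePreferences implements SharedPreferences, so call sites do not change;
    // keys and values are encrypted before they reach shared_prefs/*.xml.
    static SharedPreferences openSecurePrefs(Context ctx) {
        return new SecurePreferences(ctx);
    }

    static void rememberApiKey(SharedPreferences prefs, String apiKey) {
        prefs.edit().putString("api_key", apiKey).apply();
    }

    static String readApiKey(SharedPreferences prefs) {
        return prefs.getString("api_key", null);
    }
}
```

Both wrappers protect against the "pull the files off a rooted device or backup" scenario from the forensics part of the talk; they do nothing for data that is still in memory or that the app later writes to logcat or external storage.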
SECURED PREFERENCES
DATA STORAGE
PROTECTING DATA FILES
SECURE COMMUNICATIONS
▪ Ensure that all sensitive data is encrypted
▪ Certificate pinning to avoid MITM attacks
CERTIFICATES
SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER
TrustManager whose checkServerTrusted() always accepts the chain
CERTIFICATE PINNING
X.509 CERTIFICATES
HTTPS Connection
ENCRYPT NETWORK REQUESTS
▪ Best practice is to always encrypt network communications
▪ HTTPS and SSL can protect against MitM attacks and prevent casual traffic sniffing
▪ Server certificate validity is checked by default
VALIDATE SERVER CERTIFICATE
▪ https://www.ssllabs.com/ssltest
CHECK CERTIFICATES TOOLS
▪ OpenSSL
▪ Keytool
▪ Jarsigner
RUNTIME PERMISSIONS
▪ Before Android M: all permissions granted at install time
▪ Dangerous permissions require user confirmation
▪ Prompt for dangerous permissions at runtime
▪ Granted/revoked by permission group
▪ Managed per app, per user
▪ /data/system/users/0/runtime-permissions.xml
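The flow on the next slides, as an added example that is not part of the original deck: an Activity that checks a dangerous permission, prompts for it on Android M and above, and handles both outcomes. Because a permission can be revoked by the user at any time from Settings, the check runs every time the feature is used rather than once at first launch. The CAMERA permission and the startCamera/showCameraUnavailable methods are placeholders; the <uses-permission> entry in AndroidManifest.xml is still required.

```java
import android.Manifest;
import android.app.Activity;
import android.content.pm.PackageManager;
import android.os.Build;
import android.os.Bundle;
import android.widget.Toast;

// Added example (not from the deck): runtime permission request on Android M (API 23).
public class CameraActivity extends Activity {
    private static final int REQ_CAMERA = 42; // request code, any app-chosen int

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        if (hasCameraPermission()) {
            startCamera();
        } else {
            // Triggers the system dialog; the answer arrives in onRequestPermissionsResult.
            requestPermissions(new String[] {Manifest.permission.CAMERA}, REQ_CAMERA);
        }
    }

    // Least privilege in practice: ask only when the feature is actually used,
    // and re-check each time because the user may have revoked it since.
    boolean hasCameraPermission() {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
            return true; // pre-M: granted at install time
        }
        return checkSelfPermission(Manifest.permission.CAMERA)
                == PackageManager.PERMISSION_GRANTED;
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, String[] permissions,
                                           int[] grantResults) {
        if (requestCode != REQ_CAMERA) {
            return;
        }
        // grantResults is empty when the request was cancelled; treat that as denied.
        if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            startCamera();
        } else {
            showCameraUnavailable(); // degrade gracefully instead of crashing on a SecurityException
        }
    }

    private void startCamera() {
        // Placeholder for the real camera code.
    }

    private void showCameraUnavailable() {
        Toast.makeText(this, "Camera permission not granted", Toast.LENGTH_SHORT).show();
    }
}
```

Note that apps compiled with targetSdkVersion below 23 still get the old install-time model on an M device, but the user can revoke their permissions from Settings anyway, so the defensive check above is worth having in either case.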
Group permissions on Android M
Permissions FLOW on Android M
Permissions on Android M
OBFUSCATION
▪ The obfuscator can use several techniques to protect a Java/Android application:
▪ change names of classes, methods, fields
▪ modify the control flow
▪ code optimization
▪ dynamic code loading
▪ change instructions with metamorphic techniques
PROGUARD
▪ File shrinker: detects and removes unused classes, fields, methods, and attributes
▪ Optimizer: optimizes bytecode and removes unused instructions
▪ Obfuscator: renames classes, fields, and methods using short meaningless names
OBFUSCATION WITH PROGUARD
HYBRID AUTOMATIC ONLINE TOOLS
▪ SandDroid
▪ ApkScan
▪ Visual Threat
▪ TraceDroid
▪ CopperDroid
▪ APK Analyzer
▪ ForeSafe
▪ AndroTotal
▪ NowSecure Lab
VULNERABILITY ANALYSIS
HYBRID AUTOMATIC ONLINE TOOLS
▪ http://sanddroid.xjtu.edu.cn/#home
SANDROID
NOWSECURE LAB
BEST PRACTICES
▪ Don't hardcode sensitive information
▪ Don't store sensitive information
▪ Don't store data in an easily readable location like the memory card
▪ Encrypt the stored data
▪ Implement SSL
BEST PRACTICES
▪ Protect the webserver against application layer attacks
▪ Prefer encryption over encoding or obfuscation
▪ Sanitize inputs, use prepared statements (protection against SQL injection)
BEST PRACTICES
Android Secure Coding Checklist
▪ Use least privilege when requesting permissions
▪ Don't unnecessarily export components
▪ Handle intents carefully
▪ Justify any custom permissions
▪ Mutually authenticate services
▪ Use APIs to construct ContentProvider URIs
▪ Use HTTPS
▪ Follow best practices from the OWASP project: http://owasp.org/index.php/OWASP_Mobile_Security_Project
OWASP MOBILE TOP 10 RISKS
Open Android Security Assessment Methodology
PENTESTING TOOLS / SANTOKU LINUX
PENTESTING TOOLS / NOWSECURE
▪ https://www.nowsecure.com/resources/freetools/
REFERENCES
▪ http://proguard.sourceforge.net
▪ http://code.google.com/p/dex2jar
▪ http://code.google.com/p/android-apktool
▪ https://labs.mwrinfosecurity.com/tools/drozer
▪ http://sqlcipher.net/sqlcipher-for-android
▪ https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
▪ https://developer.android.com/training/articles/security-tips.html
BOOKS
Thanks!
@jmortegac
AMSTERDAM 9-12 MAY 2016