Hacking Android
()
About this ebook
Explore every nook and cranny of the Android OS to modify your device and guard it against security threats
About This Book- Understand and counteract against offensive security threats to your applications
- Maximize your device's power and potential to suit your needs and curiosity
- See exactly how your smartphone's OS is put together (and where the seams are)
This book is for anyone who wants to learn about Android security. Software developers, QA professionals, and beginner- to intermediate-level security professionals will find this book helpful. Basic knowledge of Android programming would be a plus.
What You Will Learn- Acquaint yourself with the fundamental building blocks of Android Apps in the right way
- Pentest Android apps and perform various attacks in the real world using real case studies
- Take a look at how your personal data can be stolen by malicious attackers
- Understand the offensive maneuvers that hackers use
- Discover how to defend against threats
- Get to know the basic concepts of Android rooting
- See how developers make mistakes that allow attackers to steal data from phones
- Grasp ways to secure your Android apps and devices
- Find out how remote attacks are possible on Android devices
With the mass explosion of Android mobile phones in the world, mobile devices have become an integral part of our everyday lives. Security of Android devices is a broad subject that should be part of our everyday lives to defend against ever-growing smartphone attacks. Everyone, starting with end users all the way up to developers and security professionals should care about android security.
Hacking Android is a step-by-step guide that will get you started with Android security. You'll begin your journey at the absolute basics, and then will slowly gear up to the concepts of Android rooting, application security assessments, malware, infecting APK files, and fuzzing. On this journey you'll get to grips with various tools and techniques that can be used in your everyday pentests. You'll gain the skills necessary to perform Android application vulnerability assessment and penetration testing and will create an Android pentesting lab.
Style and approachThis comprehensive guide takes a step-by-step approach and is explained in a conversational and easy-to-follow style. Each topic is explained sequentially in the process of performing a successful penetration test. We also include detailed explanations as well as screenshots of the basic and advanced concepts.
Related to Hacking Android
Related ebooks
Hacking Android Rating: 5 out of 5 stars5/5Learning Android Forensics Rating: 4 out of 5 stars4/5Mobile Application Penetration Testing Rating: 0 out of 5 stars0 ratingsLearning Node.js for Mobile Application Development Rating: 0 out of 5 stars0 ratingsMastering Zabbix - Second Edition Rating: 0 out of 5 stars0 ratingsLearning Node.js for .NET Developers Rating: 0 out of 5 stars0 ratingsGlassFish Security Rating: 0 out of 5 stars0 ratingsMalware Analysis Techniques: Tricks for the triage of adversarial software Rating: 0 out of 5 stars0 ratingsLearning Pentesting for Android Devices Rating: 5 out of 5 stars5/5The Ultimate Kali Linux Book: Perform advanced penetration testing using Nmap, Metasploit, Aircrack-ng, and Empire Rating: 0 out of 5 stars0 ratingsJavaScript Programming: 3 In 1 Security Design, Expressions And Web Development Rating: 0 out of 5 stars0 ratingsHands-On Microservices with Django: Build cloud-native and reactive applications with Python using Django 5 Rating: 0 out of 5 stars0 ratingsPractical Mobile Forensics Rating: 4 out of 5 stars4/5JavaScript at Scale Rating: 0 out of 5 stars0 ratingsPhoneGap By Example Rating: 5 out of 5 stars5/5Building Modern SaaS Applications with C# and .NET: Build, deploy, and maintain professional SaaS applications Rating: 0 out of 5 stars0 ratingsLearning Embedded Android N Programming Rating: 0 out of 5 stars0 ratingsMastering Kali Linux for Advanced Penetration Testing Rating: 4 out of 5 stars4/5Android Software Internals Quick Reference: A Field Manual and Security Reference Guide to Java-based Android Components Rating: 0 out of 5 stars0 ratingsAsynchronous Android Programming - Second Edition Rating: 0 out of 5 stars0 ratingsThe Ultimate Kali Linux Book: Harness Nmap, Metaspolit, Aircrack-ng, and Empire for cutting-edge pentesting Rating: 0 out of 5 stars0 ratingsThe Antivirus Hacker's Handbook Rating: 0 out of 5 stars0 ratingsSwing Extreme Testing Rating: 4 out of 5 stars4/5Mastering System Center Configuration Manager Rating: 0 out of 5 stars0 ratingsGrails 1.1 Web Application Development Rating: 0 out of 5 stars0 ratingsModular Programming with JavaScript Rating: 0 out of 5 stars0 ratingsLearning AirWatch Rating: 5 out of 5 stars5/5
Programming For You
Excel : The Ultimate Comprehensive Step-By-Step Guide to the Basics of Excel Programming: 1 Rating: 5 out of 5 stars5/5Coding All-in-One For Dummies Rating: 4 out of 5 stars4/5Python Programming : How to Code Python Fast In Just 24 Hours With 7 Simple Steps Rating: 4 out of 5 stars4/5Mastering Windows PowerShell Scripting Rating: 4 out of 5 stars4/5HTML in 30 Pages Rating: 5 out of 5 stars5/5Grokking Algorithms: An illustrated guide for programmers and other curious people Rating: 4 out of 5 stars4/5Python QuickStart Guide: The Simplified Beginner's Guide to Python Programming Using Hands-On Projects and Real-World Applications Rating: 0 out of 5 stars0 ratingsPython: Learn Python in 24 Hours Rating: 4 out of 5 stars4/5Linux: Learn in 24 Hours Rating: 5 out of 5 stars5/5HTML & CSS: Learn the Fundaments in 7 Days Rating: 4 out of 5 stars4/5Learn to Code. Get a Job. The Ultimate Guide to Learning and Getting Hired as a Developer. Rating: 5 out of 5 stars5/5Python for Beginners: Learn the Fundamentals of Computer Programming Rating: 0 out of 5 stars0 ratingsSpies, Lies, and Algorithms: The History and Future of American Intelligence Rating: 4 out of 5 stars4/5SQL QuickStart Guide: The Simplified Beginner's Guide to Managing, Analyzing, and Manipulating Data With SQL Rating: 4 out of 5 stars4/5Python Data Structures and Algorithms Rating: 5 out of 5 stars5/5C Programming For Beginners: The Simple Guide to Learning C Programming Language Fast! Rating: 5 out of 5 stars5/5Java for Beginners: A Crash Course to Learn Java Programming in 1 Week Rating: 5 out of 5 stars5/5Visual Studio Code: End-to-End Editing and Debugging Tools for Web Developers Rating: 0 out of 5 stars0 ratingsPYTHON: Practical Python Programming For Beginners & Experts With Hands-on Project Rating: 5 out of 5 stars5/5Assembly Programming:Simple, Short, And Straightforward Way Of Learning Assembly Language Rating: 5 out of 5 stars5/5SQL All-in-One For Dummies Rating: 3 out of 5 stars3/5Linux Command Line and Shell Scripting Bible Rating: 3 out of 5 stars3/5
Reviews for Hacking Android
0 ratings0 reviews
Book preview
Hacking Android - Srinivasa Rao Kotipalli
Table of Contents
Hacking Android
Credits
About the Authors
About the Reviewer
www.PacktPub.com
eBooks, discount offers, and more
Why subscribe?
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. Setting Up the Lab
Installing the required tools
Java
Android Studio
Setting up an AVD
Real device
Apktool
Dex2jar/JD-GUI
Burp Suite
Configuring the AVD
Drozer
Prerequisites
QARK (No support for windows)
Getting ready
Advanced REST Client for Chrome
Droid Explorer
Cydia Substrate and Introspy
SQLite browser
Frida
Setting up Frida server
Setting up frida-client
Testing the setup
Vulnerable apps
Kali Linux
ADB Primer
Checking for connected devices
Getting a shell
Listing the packages
Pushing files to the device
Pulling files from the device
Installing apps using adb
Troubleshooting adb connections
Summary
2. Android Rooting
What is rooting?
Why would we root a device?
Advantages of rooting
Unlimited control over the device
Installing additional apps
More features and customization
Disadvantages of rooting
It compromises the security of your device
Bricking your device
Voids warranty
Locked and unlocked boot loaders
Determining boot loader unlock status on Sony devices
Unlocking boot loader on Sony through a vendor specified method
Rooting unlocked boot loaders on a Samsung device
Stock recovery and Custom recovery
Prerequisites
Rooting Process and Custom ROM installation
Installing recovery softwares
Using Odin
Using Heimdall
Rooting a Samsung Note 2
Flashing the Custom ROM to the phone
Summary
3. Fundamental Building Blocks of Android Apps
Basics of Android apps
Android app structure
How to get an APK file?
Storage location of APK files
/data/app/
/system/app/
/data/app-private/
Example of extracting preinstalled apps
Example of extracting user installed apps
Android app components
Activities
Services
Broadcast receivers
Content providers
Android app build process
Building DEX files from the command line
What happens when an app is run?
ART – the new Android Runtime
Understanding app sandboxing
UID per app
App sandboxing
Is there a way to break out of this sandbox?
Summary
4. Overview of Attacking Android Apps
Introduction to Android apps
Web Based apps
Native apps
Hybrid apps
Understanding the app's attack surface
Mobile application architecture
Threats at the client side
Threats at the backend
Guidelines for testing and securing mobile apps
OWASP Top 10 Mobile Risks (2014)
M1: Weak Server-Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
M4: Unintended Data Leakage
M5: Poor Authorization and Authentication
M6: Broken Cryptography
M7: Client-Side Injection
M8: Security Decisions via Untrusted Inputs
M9: Improper Session Handling
M10: Lack of Binary Protections
Automated tools
Drozer
Performing Android security assessments with Drozer
Installing testapp.apk
Listing out all the modules
Retrieving package information
Identifying the attack surface
Identifying and exploiting Android app vulnerabilities using Drozer
Attacks on exported activities
What is the problem here?
QARK (Quick Android Review Kit)
Running QARK in interactive mode
Reporting
Running QARK in seamless mode:
Summary
5. Data Storage and Its Security
What is data storage?
Android local data storage techniques
Shared preferences
SQLite databases
Internal storage
External storage
Shared preferences
Real world application demo
SQLite databases
Internal storage
External storage
User dictionary cache
Insecure data storage – NoSQL database
NoSQL demo application functionality
Backup techniques
Backup the app data using adb backup command
Convert .ab format to tar format using Android backup extractor
Extracting the TAR file using the pax or star utility
Analyzing the extracted content for security issues
Being safe
Summary
6. Server-Side Attacks
Different types of mobile apps and their threat model
Mobile applications server-side attack surface
Mobile application architecture
Strategies for testing mobile backend
Setting up Burp Suite Proxy for testing
Proxy setting via APN
Proxy setting via Wi-Fi
Bypass certificate warnings and HSTS
HSTS – HTTP Strict Transport Security
Bypassing certificate pinning
Bypass SSL pinning using AndroidSSLTrustKiller
Setting up a demo application
Installing OWASP GoatDroid
Threats at the backend
Relating OWASP top 10 mobile risks and web attacks
Authentication/authorization issues
Authentication vulnerabilities
Authorization vulnerabilities
Session management
Insufficient Transport Layer Security
Input validation related issues
Improper error handling
Insecure data storage
Attacks on the database
Summary
7. Client-Side Attacks – Static Analysis Techniques
Attacking application components
Attacks on activities
What does exported behavior mean to an activity?
Intent filters
Attacks on services
Extending the Binder class:
Using a Messenger
Using AIDL
Attacking AIDL services
Attacks on broadcast receivers
Attacks on content providers
Querying content providers:
Exploiting SQL Injection in content providers using adb
Querying the content provider
Writing a where condition:
Testing for Injection:
Finding the column numbers for further extraction
Running database functions
Finding out SQLite version:
Finding out table names
Static analysis using QARK:
Summary
8. Client-Side Attacks – Dynamic Analysis Techniques
Automated Android app assessments using Drozer
Listing out all the modules
Retrieving package information
Finding out the package name of your target application
Getting information about a package
Dumping the AndroidManifes.xml file
Finding out the attack surface:
Attacks on activities
Attacks on services
Broadcast receivers
Content provider leakage and SQL Injection using Drozer
Attacking SQL Injection using Drozer
Path traversal attacks in content providers
Reading /etc/hosts
Reading kernel version
Exploiting debuggable apps
Introduction to Cydia Substrate
Runtime monitoring and analysis using Introspy
Hooking using Xposed framework
Dynamic instrumentation using Frida
What is Frida?
Prerequisites
Steps to perform dynamic hooking with Frida
Logging based vulnerabilities
WebView attacks
Accessing sensitive local resources through file scheme
Other WebView issues
Summary
9. Android Malware
What do Android malwares do?
Writing Android malwares
Writing a simple reverse shell Trojan using socket programming
Registering permissions
Writing a simple SMS stealer
The user interface
Code for MainActivity.java
Code for reading SMS
Code for the uploadData() method
Complete code for MainActivity.java
Registering permissions
Code on the server
A note on infecting legitimate apps
Malware analysis
Static analysis
Disassembling Android apps using Apktool
Exploring the AndroidManifest.xml file
Exploring smali files
Decompiling Android apps using dex2jar and JD-GUI
Dynamic analysis
Analyzing HTTP/HTTPS traffic using Burp
Analysing network traffic using tcpdump and Wireshark
Tools for automated analysis
How to be safe from Android malwares?
Summary
10. Attacks on Android Devices
MitM attacks
Dangers with apps that provide network level access
Using existing exploits
Malware
Bypassing screen locks
Bypassing pattern lock using adb
Removing the gesture.key file
Cracking SHA1 hashes from the gesture.key file
Bypassing password/PIN using adb
Bypassing screen locks using CVE-2013-6271
Pulling data from the sdcard
Summary
Index
Hacking Android
Hacking Android
Copyright © 2016 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: July 2016
Production reference: 1250716
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78588-314-9
www.packtpub.com
Credits
Authors
Srinivasa Rao Kotipalli
Mohammed A. Imran
Reviewer
Guangwei Feng
Commissioning Editor
Edward Gordon
Acquisition Editor
Divya Poojari
Content Development Editor
Trusha Shriyan
Technical Editor
Nirant Carvalho
Copy Editors
Safis Editing
Madhusudan Uchil
Project Coordinator
Kinjal Bari
Proofreader
Safis Editing
Indexer
Hemangini Bari
Graphics
Kirk D'Penha
Production Coordinator
Arvindkumar Gupta
Cover Work
Arvindkumar Gupta
About the Authors
Srinivasa Rao Kotipalli (@srini0x00) is a security researcher from India. He has extensive hands-on experience in performing web application, infrastructure, and mobile security assessments. He worked as a security consultant at Tata Consultancy Services India for two and a half years and later joined a start-up in Malaysia. He has delivered training sessions on web, infrastructure, and mobile penetration testing for organizations across the world, in countries such as India, Malaysia, Brunei, and Vietnam. Through responsible disclosure programs, he has reported vulnerabilities in many top-notch organizations. He holds a bachelor's degree in information technology and is OSCP certified. He blogs at www.androidpentesting.com and www.infosecinstitute.com.
First and foremost I would like to thank my family members for their support and encouragement while writing this book. This would never have happened without their support.
Many thanks to my special friends Sai Satish, Sarath Chandra, Abhijeth, Rahul Venati, Appanna K, Prathapareddy for always being with me right from the beginning of my career.
Special thanks to Dr. G.P.S. Varma, principal of S.R.K.R Engineering College, Mr. Sagi Maniraju, Mr. G. Narasimha Raju, Mr. B.V.D.S Sekhar, Mr. S RamGopalReddy, Mr. Kishore Raju and all the staff members of S.R.K.R, Information Technology Department for their wonderful support and guidance during my graduation.
Huge thanks to Mr. Prasad Badiganti for being my mentor and tuning me into a true professional with his valuable suggestions.
Last but not the least, thanks to the Packt Publishing team especially Divya, Trusha & Nirant for helping us in every way possible to get this book to this stage.
Mohammed A. Imran (@secfigo) is an experienced application security engineer and the founder of null Singapore and null Hyderabad. With more than 6 years of experience in product security and consulting, he spends most of his time on penetration testing, vulnerability assessments, and source code reviews of web and mobile applications. He has helped telecom, banking, and software development houses create and maintain secure SDLC programs. He has also created and delivered training on application security and secure coding practices to students, enterprises, and government organizations. He holds a master's degree in computer science and is actively involved in the information security community and organizes meetups regularly.
First and foremost, I want to thank my parents for all their love and support during all these years. I want to thank my beautiful wife for bringing joy in my life and for being patient with all my side projects. I also want to thank my siblings Irfan, Fauzan, Sam and Sana for being the best siblings ever.
About the Reviewer
Guangwei Feng is a mobile developer at Douban (https://www.douban.com/) in Beijing. He holds a master's in information technology from University of Sydney and a BE from Nankai University (Tianjin). He is a part of the Douban app (social), Douban Dongxi app (online shopping), and TWS for Douban FM (wearable) projects. Out of these, the Douban app has been downloaded over 10 million times and has become one of the most popular apps in China.
www.PacktPub.com
eBooks, discount offers, and more
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
eBooks, discount offers, and morehttps://www2.packtpub.com/books/subscription/packtlib
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.
Why subscribe?
Fully searchable across every book published by Packt
Copy and paste, print, and bookmark content
On demand and accessible via a web browser
Preface
Mobile security is one of the hottest topics today. Android being the leading mobile operating system in the market, it has a huge user base, and lots of personal as well as business data is being stored on Android mobile devices. Mobile devices are now sources of entertainment, business, personal life, and new risks. Attacks targeting mobile devices and apps are on the rise. Android, being the platform with the largest consumer base, is the obvious primary target for attackers. This book will provide insights into various attack techniques in order to help developers and penetration testers as well as end users understand Android security fundamentals.
What this book covers
Chapter 1, Setting Up the Lab, is an essential part of this book. This chapter will guide you to setting up a lab with all the tools that are required to follow the rest of the chapters in the book. This chapter is an essential part of the book for those who are new to Android security. It will help you build an arsenal of tools required for Android security at one place.
Chapter 2, Android Rooting, provides an introduction to the techniques typically used to root Android devices. This chapter discusses the basics of rooting and its pros and cons. Then, we shall move into topics such as the Android partition layout, boot loaders, and boot loader unlocking techniques. This chapter acts a guide for those who want to root their devices and want know the ins and outs of rooting concepts.
Chapter 3, Fundamental Building Blocks of Android Apps provides an overview of Android app internals. It is essential to understand how apps are being built under the hood, what they look like when installed on a device, how they are run, and so on. This is exactly what this chapter covers.
Chapter 4, Overview of Attacking Android Apps, provides an overview of the attack surface of Android. It discusses possible attacks on Android apps, devices, and other components in the application architecture. Essentially, this chapter lets you build a simple threat model for a traditional application that communicates with databases over the network. It is essential to understand what the possible threats that an application may come across are in order to understand what to test during a penetration test. This chapter is a high-level overview and contains fewer technical details.
Chapter 5, Data Storage and Its Security, provides an introduction to the techniques typically used to assess the data storage security of Android applications. Data storage is one of the most important elements of Android app development. This chapter begins with discussing different techniques used by developers to store data locally and how they can affect security. Then, we shall look into the security implications of the data storage choices made by developers.
Chapter 6, Server-Side Attacks, provides an overview of the attack surface of Android apps from the server side. This chapter will discuss the attacks possible on Android app backends. This chapter is a high-level overview and contains fewer technical details, as most server-side vulnerabilities are related to web attacks, which have been covered extensively in the OWASP testing and developer guides.
Chapter 7, Client-Side Attacks – Static Analysis Techniques, covers various client-side attacks from a static application security testing (SAST) viewpoint. Static analysis is a common technique of identifying vulnerabilities in Android apps caused due to the ease availability of reversing tools for Android. This chapter also discusses some automated tools available for static analysis of Android applications.
Chapter 8, Client Side Attacks – Dynamic Analysis Techniques, covers some common tools and techniques to assess and exploit client-side vulnerabilities in Android applications using dynamic application security testing (DAST). This chapter will also discuss tools such as Xposed and Frida that are used to manipulate application flow during runtime.
Chapter 9, Android Malware, provides an introduction to the fundamental techniques typically used in creating and analyzing Android malware. The chapter begins with introducing the characteristics of traditional Android malware. This chapter also discusses how to develop a simple piece of malware that gives an attacker a reverse shell on the infected phone. Finally, the chapter discusses Android malware analysis techniques.
Chapter 10, Attacks on Android Devices This chapter is an attempt to help users secure themselves from attackers while performing everyday operations, such as connecting their smartphones to free Wi-Fi access points at coffee shops and airports. This chapter also discusses why it is dangerous to root Android devices and install unknown applications.
What you need for this book
In order to get hands-on experience while reading this book, you need the following software. Download links and installation steps are shown later in the book.
Android Studio
An Android emulator
Burpsuite
Apktool
Dex2jar
JD-GUI
Drozer
GoatDroid App
QARK
Cydia Substrate
Introspy
Xposed Framework
Frida
Who this book is for
This book is for anyone who wants to learn about Android security. Software developers, QA professionals, and beginner- to intermediate-level security professionals will find this book helpful. Basic knowledge of Android programming would be a plus.
Conventions
In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.
Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: Let us first delete the test.txt file from the current directory.
A block of code is set as follows:
@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error)
{
handler.proceed();
}
When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
if(!URL.startsWith(file:
)) {
Any command-line input or output is written as follows:
$ adb forward tcp:27042 tcp:27042 $ adb forward tcp:27043 tcp:27043
New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: Finally, give your AVD a name and click Finish.
Note
Warnings or important notes appear in a box like this.
Tip
Tips and tricks appear like this.
Reader feedback
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.
To send us general feedback, simply e-mail <[email protected]>, and mention the book's title in the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.
Customer support
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Downloading the example code
You can download the example code files for this book from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to