Hacking Android

Table of Contents

Hacking Android

Credits

About the Authors

About the Reviewer

www.PacktPub.com

eBooks, discount offers, and more

Why subscribe?

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Downloading the example code

Errata

Piracy

Questions

1. Setting Up the Lab

Installing the required tools

Java

Android Studio

Setting up an AVD

Real device

Apktool

Dex2jar/JD-GUI

Burp Suite

Configuring the AVD

Drozer

Prerequisites

QARK (No support for windows)

Getting ready

Advanced REST Client for Chrome

Droid Explorer

Cydia Substrate and Introspy

SQLite browser

Frida

Setting up Frida server

Setting up frida-client

Testing the setup

Vulnerable apps

Kali Linux

ADB Primer

Checking for connected devices

Getting a shell

Listing the packages

Pushing files to the device

Pulling files from the device

Installing apps using adb

Troubleshooting adb connections

Summary

2. Android Rooting

What is rooting?

Why would we root a device?

Advantages of rooting

Unlimited control over the device

Installing additional apps

More features and customization

Disadvantages of rooting

It compromises the security of your device

Bricking your device

Voids warranty

Locked and unlocked boot loaders

Determining boot loader unlock status on Sony devices

Unlocking boot loader on Sony through a vendor specified method

Rooting unlocked boot loaders on a Samsung device

Stock recovery and Custom recovery

Prerequisites

Rooting Process and Custom ROM installation

Installing recovery softwares

Using Odin

Using Heimdall

Rooting a Samsung Note 2

Flashing the Custom ROM to the phone

Summary

3. Fundamental Building Blocks of Android Apps

Basics of Android apps

Android app structure

How to get an APK file?

Storage location of APK files

/data/app/

/system/app/

/data/app-private/

Example of extracting preinstalled apps

Example of extracting user installed apps

Android app components

Activities

Services

Broadcast receivers

Content providers

Android app build process

Building DEX files from the command line

What happens when an app is run?

ART – the new Android Runtime

Understanding app sandboxing

UID per app

App sandboxing

Is there a way to break out of this sandbox?

Summary

4. Overview of Attacking Android Apps

Introduction to Android apps

Web Based apps

Native apps

Hybrid apps

Understanding the app's attack surface

Mobile application architecture

Threats at the client side

Threats at the backend

Guidelines for testing and securing mobile apps

OWASP Top 10 Mobile Risks (2014)

M1: Weak Server-Side Controls

M2: Insecure Data Storage

M3: Insufficient Transport Layer Protection

M4: Unintended Data Leakage

M5: Poor Authorization and Authentication

M6: Broken Cryptography

M7: Client-Side Injection

M8: Security Decisions via Untrusted Inputs

M9: Improper Session Handling

M10: Lack of Binary Protections

Automated tools

Drozer

Performing Android security assessments with Drozer

Installing testapp.apk

Listing out all the modules

Retrieving package information

Identifying the attack surface

Identifying and exploiting Android app vulnerabilities using Drozer

Attacks on exported activities

What is the problem here?

QARK (Quick Android Review Kit)

Running QARK in interactive mode

Reporting

Running QARK in seamless mode:

Summary

5. Data Storage and Its Security

What is data storage?

Android local data storage techniques

Shared preferences

SQLite databases

Internal storage

External storage

Shared preferences

Real world application demo

SQLite databases

Internal storage

External storage

User dictionary cache

Insecure data storage – NoSQL database

NoSQL demo application functionality

Backup techniques

Backup the app data using adb backup command

Convert .ab format to tar format using Android backup extractor

Extracting the TAR file using the pax or star utility

Analyzing the extracted content for security issues

Being safe

Summary

6. Server-Side Attacks

Different types of mobile apps and their threat model

Mobile applications server-side attack surface

Mobile application architecture

Strategies for testing mobile backend

Setting up Burp Suite Proxy for testing

Proxy setting via APN

Proxy setting via Wi-Fi

Bypass certificate warnings and HSTS

HSTS – HTTP Strict Transport Security

Bypassing certificate pinning

Bypass SSL pinning using AndroidSSLTrustKiller

Setting up a demo application

Installing OWASP GoatDroid

Threats at the backend

Relating OWASP top 10 mobile risks and web attacks

Authentication/authorization issues

Authentication vulnerabilities

Authorization vulnerabilities

Session management

Insufficient Transport Layer Security

Input validation related issues

Improper error handling

Insecure data storage

Attacks on the database

Summary

7. Client-Side Attacks – Static Analysis Techniques

Attacking application components

Attacks on activities

What does exported behavior mean to an activity?

Intent filters

Attacks on services

Extending the Binder class:

Using a Messenger

Using AIDL

Attacking AIDL services

Attacks on broadcast receivers

Attacks on content providers

Querying content providers:

Exploiting SQL Injection in content providers using adb

Querying the content provider

Writing a where condition:

Testing for Injection:

Finding the column numbers for further extraction

Running database functions

Finding out SQLite version:

Finding out table names

Static analysis using QARK:

Summary

8. Client-Side Attacks – Dynamic Analysis Techniques

Automated Android app assessments using Drozer

Listing out all the modules

Retrieving package information

Finding out the package name of your target application

Getting information about a package

Dumping the AndroidManifes.xml file

Finding out the attack surface:

Attacks on activities

Attacks on services

Broadcast receivers

Content provider leakage and SQL Injection using Drozer

Attacking SQL Injection using Drozer

Path traversal attacks in content providers

Reading /etc/hosts

Reading kernel version

Exploiting debuggable apps

Introduction to Cydia Substrate

Runtime monitoring and analysis using Introspy

Hooking using Xposed framework

Dynamic instrumentation using Frida

What is Frida?

Prerequisites

Steps to perform dynamic hooking with Frida

Logging based vulnerabilities

WebView attacks

Accessing sensitive local resources through file scheme

Other WebView issues

Summary

9. Android Malware

What do Android malwares do?

Writing Android malwares

Writing a simple reverse shell Trojan using socket programming

Registering permissions

Writing a simple SMS stealer

The user interface

Code for MainActivity.java

Code for reading SMS

Code for the uploadData() method

Complete code for MainActivity.java

Registering permissions

Code on the server

A note on infecting legitimate apps

Malware analysis

Static analysis

Disassembling Android apps using Apktool

Exploring the AndroidManifest.xml file

Exploring smali files

Decompiling Android apps using dex2jar and JD-GUI

Dynamic analysis

Analyzing HTTP/HTTPS traffic using Burp

Analysing network traffic using tcpdump and Wireshark

Tools for automated analysis

How to be safe from Android malwares?

Summary

10. Attacks on Android Devices

MitM attacks

Dangers with apps that provide network level access

Using existing exploits

Malware

Bypassing screen locks

Bypassing pattern lock using adb

Removing the gesture.key file

Cracking SHA1 hashes from the gesture.key file

Bypassing password/PIN using adb

Bypassing screen locks using CVE-2013-6271

Pulling data from the sdcard

Summary

Index

Hacking Android

Hacking Android

Copyright © 2016 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: July 2016

Production reference: 1250716

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham B3 2PB, UK.

ISBN 978-1-78588-314-9

www.packtpub.com

Credits

Authors

Srinivasa Rao Kotipalli

Mohammed A. Imran

Reviewer

Guangwei Feng

Commissioning Editor

Edward Gordon

Acquisition Editor

Divya Poojari

Content Development Editor

Trusha Shriyan

Technical Editor

Nirant Carvalho

Copy Editors

Safis Editing

Madhusudan Uchil

Project Coordinator

Kinjal Bari

Proofreader

Safis Editing

Indexer

Hemangini Bari

Graphics

Kirk D'Penha

Production Coordinator

Arvindkumar Gupta

Cover Work

Arvindkumar Gupta

About the Authors

Srinivasa Rao Kotipalli (@srini0x00) is a security researcher from India. He has extensive hands-on experience in performing web application, infrastructure, and mobile security assessments. He worked as a security consultant at Tata Consultancy Services India for two and a half years and later joined a start-up in Malaysia. He has delivered training sessions on web, infrastructure, and mobile penetration testing for organizations across the world, in countries such as India, Malaysia, Brunei, and Vietnam. Through responsible disclosure programs, he has reported vulnerabilities in many top-notch organizations. He holds a bachelor's degree in information technology and is OSCP certified. He blogs at www.androidpentesting.com and www.infosecinstitute.com.

First and foremost I would like to thank my family members for their support and encouragement while writing this book. This would never have happened without their support.

Many thanks to my special friends Sai Satish, Sarath Chandra, Abhijeth, Rahul Venati, Appanna K, Prathapareddy for always being with me right from the beginning of my career.

Special thanks to Dr. G.P.S. Varma, principal of S.R.K.R Engineering College, Mr. Sagi Maniraju, Mr. G. Narasimha Raju, Mr. B.V.D.S Sekhar, Mr. S RamGopalReddy, Mr. Kishore Raju and all the staff members of S.R.K.R, Information Technology Department for their wonderful support and guidance during my graduation.

Huge thanks to Mr. Prasad Badiganti for being my mentor and tuning me into a true professional with his valuable suggestions.

Last but not the least, thanks to the Packt Publishing team especially Divya, Trusha & Nirant for helping us in every way possible to get this book to this stage.

Mohammed A. Imran (@secfigo) is an experienced application security engineer and the founder of null Singapore and null Hyderabad. With more than 6 years of experience in product security and consulting, he spends most of his time on penetration testing, vulnerability assessments, and source code reviews of web and mobile applications. He has helped telecom, banking, and software development houses create and maintain secure SDLC programs. He has also created and delivered training on application security and secure coding practices to students, enterprises, and government organizations. He holds a master's degree in computer science and is actively involved in the information security community and organizes meetups regularly.

First and foremost, I want to thank my parents for all their love and support during all these years. I want to thank my beautiful wife for bringing joy in my life and for being patient with all my side projects. I also want to thank my siblings Irfan, Fauzan, Sam and Sana for being the best siblings ever.

About the Reviewer

Guangwei Feng is a mobile developer at Douban (https://www.douban.com/) in Beijing. He holds a master's in information technology from University of Sydney and a BE from Nankai University (Tianjin). He is a part of the Douban app (social), Douban Dongxi app (online shopping), and TWS for Douban FM (wearable) projects. Out of these, the Douban app has been downloaded over 10 million times and has become one of the most popular apps in China.

www.PacktPub.com

eBooks, discount offers, and more

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

https://www2.packtpub.com/books/subscription/packtlib

Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.

Why subscribe?

Fully searchable across every book published by Packt

Copy and paste, print, and bookmark content

On demand and accessible via a web browser

Preface

Mobile security is one of the hottest topics today. Android being the leading mobile operating system in the market, it has a huge user base, and lots of personal as well as business data is being stored on Android mobile devices. Mobile devices are now sources of entertainment, business, personal life, and new risks. Attacks targeting mobile devices and apps are on the rise. Android, being the platform with the largest consumer base, is the obvious primary target for attackers. This book will provide insights into various attack techniques in order to help developers and penetration testers as well as end users understand Android security fundamentals.

What this book covers

Chapter 1, Setting Up the Lab, is an essential part of this book. This chapter will guide you to setting up a lab with all the tools that are required to follow the rest of the chapters in the book. This chapter is an essential part of the book for those who are new to Android security. It will help you build an arsenal of tools required for Android security at one place.

Chapter 2, Android Rooting, provides an introduction to the techniques typically used to root Android devices. This chapter discusses the basics of rooting and its pros and cons. Then, we shall move into topics such as the Android partition layout, boot loaders, and boot loader unlocking techniques. This chapter acts a guide for those who want to root their devices and want know the ins and outs of rooting concepts.

Chapter 3, Fundamental Building Blocks of Android Apps provides an overview of Android app internals. It is essential to understand how apps are being built under the hood, what they look like when installed on a device, how they are run, and so on. This is exactly what this chapter covers.

Chapter 4, Overview of Attacking Android Apps, provides an overview of the attack surface of Android. It discusses possible attacks on Android apps, devices, and other components in the application architecture. Essentially, this chapter lets you build a simple threat model for a traditional application that communicates with databases over the network. It is essential to understand what the possible threats that an application may come across are in order to understand what to test during a penetration test. This chapter is a high-level overview and contains fewer technical details.

Chapter 5, Data Storage and Its Security, provides an introduction to the techniques typically used to assess the data storage security of Android applications. Data storage is one of the most important elements of Android app development. This chapter begins with discussing different techniques used by developers to store data locally and how they can affect security. Then, we shall look into the security implications of the data storage choices made by developers.

Chapter 6, Server-Side Attacks, provides an overview of the attack surface of Android apps from the server side. This chapter will discuss the attacks possible on Android app backends. This chapter is a high-level overview and contains fewer technical details, as most server-side vulnerabilities are related to web attacks, which have been covered extensively in the OWASP testing and developer guides.

Chapter 7, Client-Side Attacks – Static Analysis Techniques, covers various client-side attacks from a static application security testing (SAST) viewpoint. Static analysis is a common technique of identifying vulnerabilities in Android apps caused due to the ease availability of reversing tools for Android. This chapter also discusses some automated tools available for static analysis of Android applications.

Chapter 8, Client Side Attacks – Dynamic Analysis Techniques, covers some common tools and techniques to assess and exploit client-side vulnerabilities in Android applications using dynamic application security testing (DAST). This chapter will also discuss tools such as Xposed and Frida that are used to manipulate application flow during runtime.

Chapter 9, Android Malware, provides an introduction to the fundamental techniques typically used in creating and analyzing Android malware. The chapter begins with introducing the characteristics of traditional Android malware. This chapter also discusses how to develop a simple piece of malware that gives an attacker a reverse shell on the infected phone. Finally, the chapter discusses Android malware analysis techniques.

Chapter 10, Attacks on Android Devices This chapter is an attempt to help users secure themselves from attackers while performing everyday operations, such as connecting their smartphones to free Wi-Fi access points at coffee shops and airports. This chapter also discusses why it is dangerous to root Android devices and install unknown applications.

What you need for this book

In order to get hands-on experience while reading this book, you need the following software. Download links and installation steps are shown later in the book.

Android Studio

An Android emulator

Burpsuite

Apktool

Dex2jar

JD-GUI

Drozer

GoatDroid App

QARK

Cydia Substrate

Introspy

Xposed Framework

Frida

Who this book is for

This book is for anyone who wants to learn about Android security. Software developers, QA professionals, and beginner- to intermediate-level security professionals will find this book helpful. Basic knowledge of Android programming would be a plus.

Conventions

In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.

Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: Let us first delete the test.txt file from the current directory.

A block of code is set as follows:

@Override       

public void onReceivedSslError(WebView view, SslErrorHandler handler,                SslError error)

{           

  handler.proceed();       

}

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

if(!URL.startsWith(file:)) {

Any command-line input or output is written as follows:

$ adb forward tcp:27042 tcp:27042 $ adb forward tcp:27043 tcp:27043

New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: Finally, give your AVD a name and click Finish.

Note

Warnings or important notes appear in a box like this.

Tip

Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.

To send us general feedback, simply e-mail <[email protected]>, and mention the book's title in the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the example code

You can download the example code files for this book from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to