Talk: Android Penetration Testing

A presentation given at the OWASP DKTE talk in March 2022 in India by Raja Nagori

Slide 1

ANDROID APPLICATION PENETRATION TESTING
Raja Nagori

Slide 2

$WHOAMI
• Senior Information Security Engineer at FIS Global.
• Cyber Crime Intervention Officer from ISAC (NSD).
• Synack Red Team Member.
• Actively contributing to the OWASP Community.

Slide 3

TODAY’S DISCUSSION
• Some kick-off resources for Mobile VA and PT
• Device requirements and tool requirements for starting an Android application VA and PT
• Concepts of the Android architecture
• Practical implementation of Android application VA and PT

Slide 4

RESOURCES
• MOBILE SECURITY TESTING GUIDE
  • https://mobile-security.gitbook.io/mobile-security-testing-guide/
• OWASP Mobile Top 10
  • https://owasp.org/www-project-mobile-top-10/
• HackTricks
  • https://book.hacktricks.xyz/mobile-apps-pentesting/android-app-pentesting

Slide 5

DEVICE REQUIREMENTS
• Android Penetration Testing
  • Windows, Kali Linux, Parrot OS or a MacBook
  • Preferably 8-16 GB of RAM or more and more than 250 GB of drive storage.
• For the Android interface
  • You can use an emulator such as Android Studio (my favourite), MEmu, Nox, BlueStacks or Genymotion.
  • You can use a rooted physical device.

Slide 6

TOOLS REQUIREMENTS
• JADX-GUI
• APKTOOL
• MobSF
• Frida
• Objection
• BurpSuite

Slide 7

ANDROID ARCHITECTURE
Ref: OWASP Mobile Security Testing Guide

Slide 8

LET’S TALK ABOUT THE PENETRATION TESTING PROCESS
• Reconnaissance (Active/Passive): Gathering information or evidence about the target application.
• Scanning and Enumeration: Scanning is the phase before the attack takes place.
• Gaining Access: Attackers use vulnerabilities identified during the detection and scanning stages to gain access to the identified system and network.
• Maintaining Access: Maintaining access refers to the phase when the attacker tries to retain his or her ownership of the system.
• Covering Tracks: For obvious reasons, such as avoiding legal problems and maintaining access, attackers often try to erase all evidence of their actions.

Slide 9

LET’S TALK ABOUT THE MOBILE APPLICATION PENETRATION TESTING PROCESS
• Reconnaissance (Active/Passive): Gathering information or evidence about the target application.
• Static Analysis: Scanning and going through the code.
• Dynamic Analysis: Making changes and manipulating the application at runtime.
• Reporting: Report the findings.

Slide 10

SEE, WHO CAME “THE ANDROID”

Slide 11

STATIC ANALYSIS

Slide 12

ANDROID MANIFEST FILE
• Extension is .xml
• You’ll get basic information about the application:
  • SDK version
  • Permissions
  • Activities
  • Content Providers
  • Intents

Slide 13

PERMISSION
• Doesn’t have any file extension, unfortunately
• It defines which data and hardware components the app can need at runtime:
  • Camera
  • Internet
  • Access external storage
  • Bluetooth
  • etc.

Slide 14

ACTIVITIES
• It also doesn’t have any file extension
• A UI element of the application, i.e. the different screens in the application (take GPay as an example):
  • The first screen will show you the GPay logo.
  • The second will ask you for the fingerprint.
  • The third will display all the payments you made in the past.
NOTE: Here an INTENT moves you from one screen to the other.
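The three slides above (manifest, permissions, activities) are what a tester reads first. As an added example that is not part of the talk, here is a small Python script that pulls those items out of a decoded AndroidManifest.xml and flags the things a reviewer usually writes up: a debuggable build, backup enabled, and components reachable from other apps. The manifest inside an APK is binary-encoded, so in practice you decode it first with apktool (from the tools slide); the manifest below is a constructed sample, not from any real app, and the component names are invented.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not from any real app) covering the items the
# slides list: SDK version, permissions, activities, content providers, intents.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".SplashActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".FingerprintActivity" android:exported="false"/>
    <activity android:name=".HistoryActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="demo"/>
      </intent-filter>
    </activity>
    <provider android:name=".DataProvider"
        android:authorities="com.example.demo.provider"
        android:exported="true"/>
  </application>
</manifest>
"""


def a(attr):
    """Fully qualified name of an android: attribute for ElementTree."""
    return "{%s}%s" % (ANDROID_NS, attr)


def is_exported(elem):
    """Platform rule: an explicit android:exported wins; otherwise a component
    that declares an intent-filter is exported by default."""
    explicit = elem.get(a("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None


def summarize_manifest(xml_text):
    """Return the basic facts the slides list plus a list of review findings."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    sdk = root.find("uses-sdk")
    summary = {
        "package": root.get("package"),
        "min_sdk": sdk.get(a("minSdkVersion")) if sdk is not None else None,
        "target_sdk": sdk.get(a("targetSdkVersion")) if sdk is not None else None,
        "permissions": [p.get(a("name")) for p in root.findall("uses-permission")],
        "debuggable": (app.get(a("debuggable")) or "false").lower() == "true",
        "allow_backup": (app.get(a("allowBackup")) or "false").lower() == "true",
        "exported_activities": [],   # (name, [actions it accepts])
        "exported_providers": [],    # authorities
        "findings": [],
    }
    for act in app.findall("activity"):
        if is_exported(act):
            actions = [x.get(a("name")) for x in act.iter("action")]
            summary["exported_activities"].append((act.get(a("name")), actions))
    for prov in app.findall("provider"):
        if is_exported(prov):
            summary["exported_providers"].append(prov.get(a("authorities")))

    # Notes a tester would carry into the report
    if summary["debuggable"]:
        summary["findings"].append("android:debuggable=true")
    if summary["allow_backup"]:
        summary["findings"].append("android:allowBackup=true: app data may be "
                                   "extractable via adb backup on older Android versions")
    for name, actions in summary["exported_activities"]:
        # The launcher activity must be exported; any other exported activity
        # is an entry point other apps can reach and deserves a look.
        if "android.intent.action.MAIN" not in actions:
            summary["findings"].append("exported activity %s reachable by other apps" % name)
    for auth in summary["exported_providers"]:
        summary["findings"].append("exported content provider %s" % auth)
    return summary


if __name__ == "__main__":
    for key, value in summarize_manifest(SAMPLE_MANIFEST).items():
        print("%-20s %s" % (key, value))
```

Run it against the `AndroidManifest.xml` that apktool writes into its output directory by replacing `SAMPLE_MANIFEST` with the file contents; the exported-by-default rule in `is_exported` is the one that most often surprises developers, which is why the script applies it rather than trusting only explicit `android:exported` values.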

Slide 15

FINDING HARDCODED STRINGS
• Usually found in resources/strings.xml
• Threat vectors:
  • Login bypass
  • URLs exposed
  • API keys exposed
  • Firebase URLs
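The checks above are easy to automate. As an added example that is not part of the talk, the Python script below scans a decoded strings.xml for the things the slide lists (URLs, Firebase URLs, API keys) and also flags entries whose resource name suggests a secret, which is how a hardcoded login bypass usually shows up. The strings.xml content and every value in it are constructed; the key is shaped like a Google API key but is not a real one.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a decoded strings.xml; nothing here is a real secret.
SAMPLE_STRINGS_XML = """<resources>
  <string name="app_name">Demo Wallet</string>
  <string name="api_base">https://api.demo-wallet.example/v1</string>
  <string name="firebase_db">https://demo-wallet-12345.firebaseio.com</string>
  <string name="maps_key">AIzaSyFAKE_KEY_FAKE_KEY_FAKE_KEY_FAKE_0</string>
  <string name="debug_password">letmein123</string>
  <string name="welcome">Welcome back</string>
</resources>
"""

# Ordered most-specific first: a Firebase URL should be labelled as such, not
# merely as "url". The key patterns are the commonly published prefix/length
# shapes for these providers.
RULES = [
    ("firebase_url", re.compile(r"https?://[\w.-]+\.firebaseio\.com\b")),
    ("url", re.compile(r"https?://[^\s\"'<>]+")),
    ("google_api_key", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")),
    ("aws_access_key", re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]

# A value with no recognisable shape can still be a secret if the resource
# name says so (e.g. debug_password); that is the login-bypass case.
SENSITIVE_NAME = re.compile(r"(pass(word)?|secret|token|api[_-]?key|auth)", re.I)


def scan_strings(xml_text):
    """Return [(resource_name, label)] for every suspicious <string> entry."""
    findings = []
    for s in ET.fromstring(xml_text).iter("string"):
        name, value = s.get("name"), (s.text or "")
        for label, rx in RULES:
            if rx.search(value):
                findings.append((name, label))
                break  # first (most specific) rule wins per entry
        else:
            if SENSITIVE_NAME.search(name or ""):
                findings.append((name, "sensitive_name"))
    return findings


if __name__ == "__main__":
    for name, label in scan_strings(SAMPLE_STRINGS_XML):
        print("%-16s %s" % (label, name))
```

Point it at `res/values/strings.xml` from an apktool output directory; anything labelled `sensitive_name` needs a human look, since the name alone does not prove the value is secret.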

Slide 16

DYNAMIC ANALYSIS

Slide 17

ANDROID DYNAMIC ANALYSIS
• Intro to SSL pinning
• Bypassing with BurpSuite
• Intro to Frida/Objection
• Injecting Frida manually/automatically
• Dumping memory and sensitive data
• Runtime analysis of local storage

Slide 18

SSL PINNING
• It’s a technique that ensures the application’s traffic cannot be intercepted.
• Some applications VERIFY that the certificate the phone receives is a KNOWN CERTIFICATE.
• The app may crash when we try to intercept the network.
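To make the "known certificate" check concrete, here is an added Python example (not code from the talk) of the logic a pinned client runs: hash each certificate in the presented chain, allow the connection only if one of the hashes is in the app's pin set, and fail closed otherwise, which is the crash-on-intercept behaviour the slide describes. The byte strings standing in for certificates are constructed and are not real X.509 DER; they only exercise the hashing and matching. Pins here are over the whole certificate; Android's network security config pins the SubjectPublicKeyInfo instead, which survives certificate re-issuance but needs an ASN.1 parser.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


class PinMismatch(Exception):
    """No certificate in the presented chain matched a pinned hash."""


def pin_of(der_bytes):
    """Pin = base64(sha256(DER of the certificate))."""
    return base64.b64encode(hashlib.sha256(der_bytes).digest()).decode()


def chain_pins(pem_chain):
    """Compute the pin of every certificate in a PEM chain (leaf first)."""
    pins = []
    for m in PEM_BLOCK.finditer(pem_chain):
        der = base64.b64decode("".join(m.group(1).split()))
        pins.append(pin_of(der))
    return pins


def verify_pinned_chain(pem_chain, pin_set):
    """Fail closed: allowed only if some certificate in the chain (leaf or
    intermediate) matches a pin. Pinning an intermediate as a backup lets the
    backend rotate its leaf without shipping a new app build."""
    presented = chain_pins(pem_chain)
    if not any(p in pin_set for p in presented):
        raise PinMismatch("no pinned certificate in chain; saw %s" % presented)
    return True


def to_pem(der_bytes):
    """Wrap raw bytes in PEM armour so the chain parser can consume them."""
    body = base64.b64encode(der_bytes).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)


# Constructed stand-ins for certificates (NOT real X.509 DER).
BACKEND_LEAF = b"constructed: backend leaf cert"
BACKEND_INTERMEDIATE = b"constructed: backend intermediate CA"
PROXY_LEAF = b"constructed: intercepting proxy cert"
PROXY_CA = b"constructed: intercepting proxy CA"

# What the app ships: the backend leaf pin plus the intermediate as backup.
APP_PINS = {pin_of(BACKEND_LEAF), pin_of(BACKEND_INTERMEDIATE)}


def connection_allowed(pem_chain, pins=APP_PINS):
    """True/False wrapper around verify_pinned_chain for callers that log
    rather than crash; the mismatch message still names the pins seen."""
    try:
        return verify_pinned_chain(pem_chain, pins)
    except PinMismatch as exc:
        print("pin failure:", exc)
        return False


if __name__ == "__main__":
    print(connection_allowed(to_pem(BACKEND_LEAF) + to_pem(BACKEND_INTERMEDIATE)))
    print(connection_allowed(to_pem(PROXY_LEAF) + to_pem(PROXY_CA)))
```

The second call is the interception scenario: the proxy's chain is well-formed but none of its hashes is pinned, so the client refuses the connection. Logging the pins that were seen, as `connection_allowed` does, is what lets a defender tell a broken deployment (leaf rotated without updating the backup pin) apart from a man-in-the-middle.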

Slide 19

ROOT DETECTION
• An adversary will use an automated tool to reverse engineer the code and modify it using malware to perform some hidden functionality.
• Root detection is related to binaries:
  • /system/bin/su
  • /system/xbin/su
  • /sbin/su
  • /system/su
  • /system/bin/.ext/.su
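As an added example that is not part of the talk, here is the binary-path check the slide describes, written in Python so it can be tested off-device: it probes the five paths from the slide and, going one step beyond the slide, also looks for a `su` in every directory on the device PATH. The filesystem is injected as a predicate so the test can use a constructed set of paths instead of the host.

```python
import os

# Paths the slide lists as indicators of a rooted device.
SU_PATHS = [
    "/system/bin/su",
    "/system/xbin/su",
    "/sbin/su",
    "/system/su",
    "/system/bin/.ext/.su",
]


def su_candidates(path_env=""):
    """The slide's fixed list plus <dir>/su for each directory on PATH, so a
    su binary placed somewhere unexpected is still noticed. Assumes PATH is
    trustworthy enough to enumerate; an attacker who controls PATH controls
    this part of the check."""
    extra = []
    for d in path_env.split(":"):
        if not d:
            continue
        candidate = d.rstrip("/") + "/su"
        if candidate not in SU_PATHS and candidate not in extra:
            extra.append(candidate)
    return SU_PATHS + extra


def find_su_binaries(exists=os.path.exists, path_env=""):
    """Return every candidate path that exists on the device."""
    return [p for p in su_candidates(path_env) if exists(p)]


def is_rooted(exists=os.path.exists, path_env=""):
    """True if any su binary was found. A file-existence check like this is
    a speed bump, not a guarantee: a Frida/Objection hook on the exists()
    call returns False for every path, so treat the result as one signal
    and log it server-side rather than relying on it alone."""
    return bool(find_su_binaries(exists, path_env))


if __name__ == "__main__":
    # On a real device you would pass os.environ.get("PATH", "") as path_env.
    print("su binaries:", find_su_binaries(path_env=os.environ.get("PATH", "")))
    print("rooted:", is_rooted(path_env=os.environ.get("PATH", "")))
```

The constructed filesystem in the test places one `su` at a slide path and one in a PATH directory; both are reported, in slide order first.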

Slide 20

Q-N-A