- Jaimin Gohel

Android

Static Analysis

About Speaker

  • InfoSec Enthusiast
  • Speaker
    • Null Ahmedabad
    • Mozilla Gujarat

@jaimin_gohel

What?

Static analysis, also called static code analysis, is a method of computer program debugging that is done by examining the code without executing the program. The process provides an understanding of the code structure, and can help to ensure that the code adheres to industry standards.

Static analysis is performed in a non-runtime environment. Typically a static analysis tool will inspect program code for all possible run-time behaviors and seek out coding flaws, back doors, and potentially malicious code.

Common threats

1. Exported="true"
    Activities, content providers, broadcast receivers, services

2. debuggable="true"
    process hook, sandbox memory

3. backup="true"
    can pull sandbox data

4. Hard coded secrets

5. Weak ciphers or algorhithms
    MD5

6. Bypass SSL pinning

Common terms

  • Android manifest file
  • Permissions
  • Activity
  • Services
  • Content providers
  • Broadcast Receiver

Android manifest file

  • Basically a XML document which contains lot of information about the application.
  • It names the Java package for the application. The package name serves as a unique identifier for the application.
  • It describes the components of the application — the activities, services, broadcast receivers, and content providers that the application is composed of.

Android manifest file(cont.)

  • It declares which permissions the application must have in order to access protected parts of the API and interact with other applications.
  • It declares the minimum level of the Android API that the application requires.
  • It lists the libraries that the application must be linked against

Permissions

  • Android is a privilege-separated operating system, in which each application runs with a distinct system identity (Linux user ID and group ID).
  • Parts of the system are also separated into distinct identities. Linux thereby isolates applications from each other and from the system.
  • Android sandboxes applications from each other.

Permissions(Cont.)

  • By default no application has permission to perform any operations that would adversely impact other applications, the operating system, or the user.
  • All types of applications — Java, native, and hybrid — are sandboxed in the same way and have the same degree of security from each other.

Activity

  • An Activity is an application component that provides a screen with which users can interact in order to do something, such as dial the phone, take a photo, send an email, or view a map.
  • You must declare your activity in the manifest file in order for it to be accessible to the system. To declare your activity, open your manifest file and add an <activity> element as a child of the <application> element.

Activity(cont.)

<manifest ... >
  <application ... >
      <activity android:name=".ExampleActivity" />
      ...
  </application ... >
  ...
</manifest >
  • Example of activity declaration:

Services

  • A Service is an application component that can perform long-running operations in the background and does not provide a user interface.
  • Another application component can start a service and it will continue to run in the background even if the user switches to another application.

Services(Cont.)

  • For example, a service might handle network transactions, play music, perform file I/O, or interact with a content provider, all from the background.

  • A service can essentially take two forms:

    • Started

      • A service is "started" when an application component (such as an activity) starts it by calling startService().

    • Bound

      • A service is "bound" when an application component binds to it by calling bindService().

Content Providers

  • A content provider manages access to a central repository of data.

  • A content provider presents data to external applications as one or more tables that are similar to the tables found in a relational database.

  • Through the content provider, other applications can query or even modify data.

Broadcast Receiver

  • A broadcast receiver is a component that respond to the system-wide broadcast announcements.

  • For example, applications can register for the ACTION_BOOT_COMPLETED system event which is fired once the Android system has completed the boot process.

Phases of android reversing

classes.dex

Application .apk file

resources.rec

(image, layout, asset files)

AndroidManifest.xml

(Readable XML file)

.class files

Java files

Extract using apktool

dex to class

(use dex2jar tool)

class to java

(use ByteCodeViewer)

How ?

MobSF Features

  • Static Analyzer
  • Dynamic Analyzer
  • Web API Fuzzer

DEMO

Resources and credits

  • Thanks to: @ajinabraham
  • https://github.com/MobSF/Mobile-Security-Framework-MobSF
  • https://www.slideshare.net/ajin25/automated-mobile-application-security-assessment-with-mobsf

Questions?

Thanks

Made with Slides.com