Dynamic Security Analysis & Static Security Analysis for Android Apps.
- 1. Security Analysis of Mobile Apps (Android & iOS) Note: The sole purpose of this Workshop is for learning and testing of your own applications.This is not intended for piracy or any other non- legal use. webuy.com
- 2. Agenda
- 3. Reverse Engineering of Android app ● Decompiling : ○ Extracting the source code of the app. ● Recompiling: ○ To compile the program/source code again after changes has been made to it in order to test and run it.
- 4. Reverse Engineering of Android app ● Why Android: ○ Easy access to apk’s ○ Very less apps secured with obfuscation ○ Root access to devices ○ Easy to decompile
- 5. Reverse Engineering of Android app Tools to analyse: ● APKTool - A tool to decompile and recompile the apk. ● Dex2jar - To extract the source code into jar ● JD-GUI - To view the source code ● iLSpy - .Net assembly browser and decompiler
- 7. APKTool Installation: ● Prerequisite: Java 7 or higher version needs to be installed ● Download APKTool and follow the instructions in the below https://ibotpeaches.github.io/Apktool/install/ Steps to Decompile & Recompile: ● Go to the folder where the apk lies and run the below command from command prompt. This will decompile the apk to the current folder where apk lies. ○ apktool d appname.apk
- 8. Recompiling an apk ● After decompiling ,check AndroidManifest.xml file and other src files.If there are any modifications to be done then modify it and recompile the app using below command. ○ apktool b appname ● To sign the APK,the key should be generated first. For generating the key, run the below command ○ keytool -genkey -keystore filename.keystore -validity 1000 -alias aliasname
- 10. Recompiling an apk ● To sign the apk ,run the below command and enter the password which had given while generating the key. ○ jarsigner -keystore filename.keystore -verbose appname.apk aliasname ● Woohaaa!!!! You are done with apk creation :) ,install the apk on device.
- 11. Security analysis of Android and iOS apps using MobSF
- 14. Features of MobSF ● Static Analysis ● Dynamic Analysis
- 15. MobSF Configuration Requirements: ● Static Analysis ○ Python 2.7 - Python 2 Download (Latest Python 2.7 release is recommended) ○ Oracle JDK 1.7 or above - Java JDK Download ○ Mac OS X Users must install Command-line tools for MAC OS X How to Install Commandline Tools in Mac ○ iOS IPA Analysis works only on OSX and requires a MAC ○ Windows App Static analysis requires a Windows Host or Windows VM for
- 16. Execution of MobSF through Terminal ● Navigate to the Mobile-Security-Framework-MobSF-0.9.2 folder on terminal and then : ○ python manage.py runserver
- 22. Dynamic Analysis with Inspeckage Inspeckage is a tool developed to offer dynamic analysis of Android applications. ● Simple Application ● Internal HTTP Server ● Developed as an Xposed framework module
- 23. Features of Inspeckage ● Information Gathering ○ Request permissions ○ App permissions ○ Shared Libraries ○ Exported and Non-Exported Activities ○ App is Debuggable or not ○ Version,UID,GUID etc ● Hooks(We can see what application is doing during runtime)
- 24. Installation of Inspeckage ● Required Softwares: ○ Any emulator (Genymotion emulator 5.1.0 would be preferred) ○ ARM Translation 1.1 (for latest ARM Translation follow the 3rd point) ○ Google Apps (for gapps and latest ARM translation follow this link https://gist.github.com/wbroek/9321145 or https://www.genymotion.com/help/desktop/faq/#google-play-services ) ○ SuperSU v2.46 (Install latest version from Playstore) ○ Xposed Framework v80 sdk-22 x86 (Follow this link for different Android versions https://devs-lab.com/download-install-xposed-installer-framework-android.html )
- 25. How to Run?!! ● Install the Apk on device for dynamic analysis ● Open Inspeckage App on emulator ● Run the below command from command prompt ○ adb forward tcp:8008 tcp:8008 ( to know whether service has started, open browser then browse the url http://127.0.0.1:8008 ) ● Go to Emulator/device,choose the Target app from Inspeckage and click on ‘Launch App’
- 28. Sources and More info ● https://github.com/dan7800/VulnerableAndroidAppOracle ● https://ibotpeaches.github.io/Apktool/documentation/ ● Inspeckage: http://www.kitploit.com/2017/04/inspeckage-android-package- inspector.html ● MobSF: https://tools.androidtamer.com/Security%20Assessment/Automated%20Analy sis/MobSF/ ● https://manifestsecurity.com/android-application-security/ ● https://tools.pentestbox.org/
Editor's Notes
- #3: In the US, a famous mobile app widely used among all the payment mobile. Consumers simply enter their passwords once when activating the payment portion of the app and use it, again and again, to make unlimited purchases without having to re-input their password or username. This might seem great when you talk about convenience. The sad truth is that on 16 January 2014, that mobile app, the most used application in the US with 10 million customers, was found to be storing user credentials in plain text format. When CNBC reported that user data had been compromised, 3 million people deleted the app from their mobile devices. In 24 hours, the app fell from 4th highest grossing app to number 26. That company scrambled to release an update later that week, too late. The Clear text also displayed users’ geolocation tracking points. With this information in hand, unauthorized individuals would have the credentials to log into the company’s website as well. Often people use the same username and password across accounts. This means that there is a potential to compromise additional user accounts.
- #4: Extract the contents of the app which allows you to modify individual aspects of an app. For instance, you can simply change the color palette of the app by just changing few hex codes. Depending on the expertise, you can even modify the functionality of the app if needed. Once your work is completed, you need to recompile the files to form an APK.
- #12: Installation: git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git cd Mobile-Security-Framework-MobSF Install MobSF Python dependencies using pip Windows C:\Python27\python.exe -m pip install -r requirements.txt NOTE: If you face any issues, download and install the latest python 2.7.x Mac pip install -r requirements.txt --user
- #23: By applying hooks to functions of the Android API, Inspeckage will help you understand what an Android application is doing at runtime. We can run it without Xposed, but 80% of its, but 80% of its features depends on the Xposed Framework so it's recommended that the framework is present on the device / emulator.To know more about Xposed http://blog.attify.com/2015/01/04/xposed-framework-android-hooking/