Transcript
This transcript was autogenerated. To make changes, submit a PR.
Hi everyone, good morning, good afternoon, good evening. My name is Romansh Yadav. I welcome you all to Conf42. Thank you for joining. So today we will talk about attacking and defending mobile apps in this session, and below is our content for today's session.

We will talk about Android introduction and basics. We will try to set up an Android pentesting environment, and we will do reverse engineering and runtime manipulation. We will also touch on Android components, application components and security issues in Android. And in the last part we will touch on defensive tools and techniques for Android. So let's start with the Android introduction and basics.
As we know, Android is an operating system, and here is the architecture of Android. We have the application layer, then we have the application framework, then we have libraries and the Android runtime, and then we have the Linux kernel. So we will start from the Linux kernel. The Linux kernel provides some basic system functionality like process management, memory management, device management, right. The kernel also provides the basic user permission model and process isolation, right? And now we have libraries, like we have WebKit libraries, SQLite libraries that we use. So these libraries support our application. Like WebKit libraries support web browsers, the SQLite library supports the SQLite database. So these are the supporting libraries that support our application.

Now we have the Android runtime. In the Android runtime we have core libraries and the Dalvik virtual machine, right? So the Dalvik virtual machine is specifically designed by the Android Open Source Project to execute applications written for Android. Each app running on the Android device has its own Dalvik virtual machine, and Android Runtime (ART) is an alternative to the Dalvik virtual machine which has been released with Android 4 as an experimental release. Like in Android Lollipop, it will be completely replaced by the Dalvik virtual machine. I mean, ART will replace the Dalvik virtual machine in Android Lollipop. So the change in ART is ahead-of-time; we call it ART's ahead-of-time compilation. So basically there are two terms: one is JIT, just-in-time compilation, in which bytecode is compiled when users run the apps. But in AOT, ahead-of-time compilation, Android apps will be compiled when the user installs them on their device. Right. When we are installing the app, at that time the bytecode is compiled in AOT, ahead-of-time compilation.

Now the application framework, right? The application framework layer provides many high-level services to the application in the form of Java classes, like activity manager, window manager, content provider. A content provider is used to share data from one app with other apps, right? Notification manager, broadcast; we will also see some broadcast receivers here, right? And at the application layer we have applications: whatever application we install comes onto the application layer. So this is the Android architecture, and we can see here the different layers, right. And we will see in upcoming slides which layer is used to do what kind of stuff. Right now,
these are some fundamentals of Android applications. Fundamentally, Android apps are written in the Java programming language, as we know. But nowadays we can develop; we have many multiplatform frameworks like Kotlin, like Flutter. So we can develop a multiplatform application within one framework, right? But at the back end, at the basic level, the core of Android is written in the Java programming language.

So this is the Android file system structure. We can see it's based on Linux, so the file system structure is similar to Linux. We have root, etc, and we can see sdcard and external sdcard. If we put in any external SD card, we will see the external sdcard folder here.

This is the Android permission model and sandboxing. As we know, it is managed by the kernel, the Linux kernel. So Android assigns a unique user ID to each Android application. Suppose we install app one and app two. So every app will get a unique user ID. That is used because Android uses the UID to set up a kernel-level application sandbox. So suppose here we can see data; this is a kind of sandbox, so that this app cannot access the data of app two, or app two cannot access the data of app one. So this is all related to sandboxing, right?

This is the process of building an APK. Suppose we want to build an APK. Now we have Java code. Then we convert the Java code into bytecode with the help of the Java compiler. Then we convert the bytecode into DEX code with the help of the DEX compiler. Then we build the APK, right? So that APK we can install into our system, into our emulator or into a mobile operating system.

These are the Android components. We have activity. An activity is a screen. So we see a login screen, we see a register screen; whatever the screen is, we call it an activity. Services: suppose we are listening to music in the background, we are doing some chatting, so the background service is called a service; music is called a service. Then we have broadcast receivers. Suppose we want to give a broadcast notification to each and every app that the battery is down; we receive the battery-down broadcast with a broadcast receiver. And so many broadcast receivers; notifications also come under broadcast receivers, right? A content provider: we use a content provider when we share data from one app with other apps. So we use a content provider. And we have intents also, so an intent binds individual components to each other at runtime. Suppose we are running two, three, four apps and suppose we want to open a link; we see a link in the mobile app and we click on that, and it will go to the web browser. So that will happen with the help of an intent. Okay, now let's set
up the pentesting environment lab. So I would suggest, if you are new, you can directly download Mobexler. This is the operating system and this is a complete VM. It will come with all the tools that are required for Android as well as iOS pentesting. And if you want to create a lab of your own, you want to install each and every tool step by step, one by one, then you can download Genymotion, you can download Appie, a toolkit that has eight to ten tools for Android pentesting. And then you can install any custom image of Android OS. And then you can install ADB, the Android Debug Bridge. And then you can start with Android pentesting.

So I will show you. This is my Genymotion here. You can see this is my Genymotion here. And suppose I am running this emulator, or I will close it and I will start again. As you can see, it is starting. So Genymotion needs VirtualBox. So you need to have VirtualBox in your OS. And okay, it is starting, it's almost started, and you can do some configuration as well. So you want to take it on NAT or you want to... right now we cannot edit it, but you can change the network as well, bridged or NAT, whatever you want. Because the system that you are using should be on the same network, right?

Suppose now I have already installed ADB. ADB is the Android Debug Bridge. So you can see we have so many options in ADB; we can do push. Suppose we want to push some file to the Android emulator, we can do that. If we want to pull any file from the Android emulator, we can do that too. And then, okay, now there is a command to check if the device is listed or not. Here you can see, yes, the device is listed, and we can give the command adb shell. So now we are into the Android emulator. You can see whoami: root, right? We can see all these files here. Now we will exit from here. So this is all about setting up the Android pentesting lab, because we have only 40 minutes to complete this session. So that's why I am going a little bit fast, right, so this is here.
Now this is Mobexler. You can download it from Google; you will find it. So this is complete, if I... Okay, yeah. So you can see the tools that are already installed in Mobexler: Zdex leader, JD-GUI, Lockhead, padcad, Bytecode Viewer. It is a complete VM for mobile pentesting. You can do Android and iOS as well. You can see here so many tools: iOS, John, Android, John, and all you can see here, right, Burp Suite, and you can see Iogen, passive suite is there for Android, iOS, MobSF is there for...
So we are all set with our lab. If you face any problem then please message me. I will drop my email, so you can message me or you can email me. Right now we will move forward; we will now try to go deep into the mobile pentesting approach. So there are two types of mobile pentesting approach: first static pentesting, and then dynamic pentesting. So static pentesting: we do static pentesting when the app is not running. The app is in a rest mode. Suppose we get an APK and we are not going to install the APK. We just have to do some decompilation, decompilation and signing, try to dig into the application without running it on the emulator, right? So it's called static pentesting. When we install the application, we try to intercept the traffic. We see the traffic in Burp Suite and then we try to do some access control issues, some token-related issues, and we try to manipulate some data, and sometimes we try to hook the app by using the Frida tool. We try to do some runtime manipulation; that is called dynamic; that comes into the dynamic pentesting approach.
Okay, now let's do some reverse engineering. So we will start with static pentesting. We already have an app; it's called Pivaa. So you guys can download it again. You will find it. It is a very good app. I also typed the link, this one. This is a very good app for beginners as well, right? Basically, beginners can easily run it and it contains so many vulnerabilities as well. So, like reverse engineering.

Now, reverse engineering is a process where we try to extract the code from the APK. So we will use the tool apktool for reverse engineering. So we can see here, it is already there. So I will remove it. Okay. So it will overwrite it. No problem. So now apktool, as you can see here, is loading the resource table, decoding the AndroidManifest file, then loading resources, then regular, then decoding file resources. So it will decompile this. Right now, if we go into this directory, we can see so many files: smali, original. We can see the AndroidManifest file.

Now, after doing the decompilation of the APK, our first job should be understanding the AndroidManifest file. Now what is the AndroidManifest file? The AndroidManifest file is the central file of the complete Android application. So whatever the Android application is using, how many activities are there, what kind of permissions they are using, what they are asking for from the user, how many broadcast receivers, how many content providers, all are mentioned inside the AndroidManifest file. If any activity is exported, is there any broadcast receiver or broadcast, whatever they have exported? Everything is mentioned inside the AndroidManifest file. You can see here, sorry, get accounts, read profile, read contacts, and now you can see here the write external storage permission, the read external storage permission, right, call phone. So everything is mentioned inside the AndroidManifest file, and we will see here some backup. Yes, backup. Backup is true. So anyone can take, the user can take the backup, right?

So after that we can go into assets; we can see assets. It is not any sensitive information. Json.com. Now the thing that we have to see is strings. Also it will come in resources, I guess: classes, build, ss, excellent, Java. So we can go step by step, one by one, and we can see and explore each and every file.
We can see this string here: value, value, right? Sometimes what happens, they mention some authorization inside the script. So is the admin yes or no, that kind of stuff. Sometimes nowadays it doesn't happen, but sometimes they have mentioned it inside this strings file. And then you can see original again, the META-INF file; you can see the certificate here. You can see the certificate, right? It's a signed certificate.

Okay, so the point is that we can decompile the application, we can read the AndroidManifest file, we can read all the files. If we know smali, if we understand smali, we can also see the smali, so that it will give us the idea of what kind of vulnerability we can find easily, what the low-hanging fruits are. Right now there is a different thing. Suppose we want to tamper with the application. So tampering is a process where we change some data. Like suppose backup is false and we want backup to be true, or we want to do some code change in the smali files; then we have to write some smali code inside the application, right? So whatever, we will change it and we will tamper with it. Then we have to recompile it again, resign it. Then again we can install it inside the emulator.

So we have done the decompilation, right? Smali code. Now there is a different tool, dex2jar. So what does this tool do? It will create a JAR file and we can directly open that JAR file into the... it is also a Java decompiler, so it will create a JAR file and then we can open the JAR file in JD-GUI. It's very nice; we will also try this.
Okay, we will try here. So this is the Java decompiler JD-GUI, and this is here; we can see our application. Now we will try dex2jar. Right now we will give the file name. Okay, it's successful. Now we will try to open this JAR file in the Java decompiler. So we can go directly into this path here. We can open it, so we can see here Android, this is here, all the activities we can see: about classes, botcard classes, BuildConfig. We can see here debug mode. So suppose we want to search anything. We can search it also; we can see, okay, database created classes here. Suppose we want to search anything. Suppose we want to search username, right? So we will enable it, field and string, right? Yes, username. So we will see here the authentication class. This is like username, and this is username: test. You can see it's hard-coded, right? We can see the password, hard-coded here also: very complicated password. You can see test users, right? So these are, you can see, access. This is inside the application. So this is all about the decompilation.
We have to move forward. So you can search anything, but if you want to search password, you can search password. You will see here, okay, let me do it again. Password here, and then you can see here password, you can see here, right? So suppose you want to search any API key, any inbuilt API key, API. You can search API. So if there is any API key, you will find it here, right? You can search for keys, token; these are some keywords that you can search for inside the application. Okay,
now let's move to the next part. As we have seen, okay, we have already seen the AndroidManifest file: services, content providers, activities, broadcasts need to be mentioned in the AndroidManifest file, permissions and exported services. Right now we will try to recompile the app. We already recompiled the app; right now we will try to rebuild it and resign it. And then we will try to install this app again, right? So, okay, it's very simple. We can do this with the help of apktool. So now I'm going to change something. I will make a very small change. Like suppose I want to make this... it's already true, but okay, let's make it false. Okay, make debuggable false also. Right now we have made some changes. We have to give the folder name, Pivaa. Now we will try to build it.
So we will get the APK inside this Pivaa folder. Build APK successful. Here we can see; we will go to the Pivaa folder, we will go to the test destination and here you can see we got this APK. But this is not a signed APK, right? So again we have to sign it with any Java signer, right? We have a signer. So what I will do: I will copy this. First I want to change this name, right, new one APK. Then I will copy it, one, two, yeah. Okay, now I want to copy this. Here we will find this one. So this is the new one, right? This is the new one.
Now we have already built our APK. Now we have to sign it. So we need a signer. We have already set up, so this is our signer. In this directory we will again go to this Java, Java, right, and we need the file name, so we can easily give the file name here. Okay, jarsigner, sorry. Right now we will get the new signed APK at this path, the same path.
This one. This is the new signed one, right? So we will change its name, hello new; we'll make it hello new. Okay, now we have a hello new, right? So now we are going to install this. First let me uninstall this one. Uninstall finished. Okay, right now this is uninstalled. Now what I will do, I will install the new one: adb install hello new. And okay, we got success. We can see here if the application has been installed. Let's check it. Okay, this is there, and we can even see their test, and we can see the password is there, right, we can see the password is here: very complicated.
We can copy it and we can paste it here, right, we have logged in and we can see there are so many... okay, this is stb ssl web uas vulnerability. So now, after logging in inside the application, let's go to About the Project and try to understand the project. So here we can see the list of vulnerabilities covered in this project. So there are so many vulnerabilities listed that this application will cover. Suppose like this, I mean, these are not so risky vulnerabilities, but it all depends on the application's nature and behavior.
Like use of weak initialization vector, possible man-in-the-middle attack, remote URL load in WebView, object deserialization found, right, enabled debug mode, weak encryption, hard-coded encryption key, as we've seen hard-coded username and password, dynamic loading of code, creation of world-readable item file. Sometimes what happens, the app creates a world-readable item file inside the external storage, right, or maybe internal storage. Use of unencrypted... the app is communicating in HTTP protocol, weak hashing algorithm: the app is using MD4, SHA-1 or MD5 kind of algorithm, which is weak. App is creating a predictable number generator function: the app is using, suppose they are using just s random. So basically there are so many vulnerabilities you can find in this application and you can do your practice. It will be very helpful and it will be a very good learning experience.
You can see path traversal is there, self-signed CA enabled in WebView, clear-text HTTP, JS, temporary file creation is there, plugin state set in WebView, untrusted CA accepted, use of banned API functions. So you will get to learn so many things. Why not just write some test cases in this application.

Okay, now we will move to our next part, Android runtime manipulation. So basically we will use Frida for doing the runtime manipulation. And Frida is a world-class dynamic instrumentation toolkit. It's very good. And if you want to set up Frida, you can go to this blog and you can set up Frida; he also shares some tricks for bypassing SSL pinning using Frida, or you can also bypass root detection. You can do so many things with Frida. Even if your device is not rooted, then you can use the Frida gadget. So without even rooting your device you can use the Frida gadget library and then you can do runtime manipulation. So I have already installed Frida, and do one thing, sorry.
Make sure you match the server and client versions so they are the same. So when you install the Frida server, it should be the same, right, inside your emulator and inside your operating system, your base operating system. So I have already installed it. So whenever you are set, then you can give this command, frida-ps -U; it will show you all these. I already installed Frida. Now it is saying that Frida is okay. So now we have to start the Frida server. This is the command. What happened? Let me watch it.
So this is the command to start the Frida server inside my Genymotion, inside my emulator. So I will give this command, and now Frida has been started, right? If I try to give this command, it will show all. Now Frida has started and we can see all the apps here with their package names. Suppose we are not able to see the htbridge app, right? So because the app is... we should be here. We can see here. This is the app that we are going to pentest.
Suppose we want to hook this app. So simply we can run this command; simply, we can run this command: frida and then the package name. And then the filter script is necessary, right. Package name, package name I have to, sorry, copy the package name. Let's copy the package name, where it is. htbridge, this one. Okay, now this is the package name, right? So it's a command, this command; we have to run it with this script, no CdA, package name. -f is also there for hosting. Then -l for the script, the pinning script, and then --no-pause. So it will, no pause, it will hook one time and then resuming main thread. Process terminated. Okay, Pivaa has stopped. So basically it creates some problem with the emulator, but when you run it on your real device, it will not create a problem; it will hook successfully and it will bypass whatever script you use, like pinning or root detection or whatever script you use. So it will work. So this is the way we do it with Frida, we work with Frida, like this one: we give the commands with the package name, we hook the application, right?
And now we have application component security issues. So many; like we have seen hard-coded credentials inside the... inside the device when we did the Java decompilation; this is also a vulnerability. Sometimes what happens? Developers store the data inside the mobile device. So we can also check if they are storing some sensitive information inside the mobile device. So we can go adb shell, we can see, okay, data, then again data, and then we can give the package name here, and now here we go: shared information. We see, okay, we can get this file; nothing in this file, no problem. We can go to files, block file; you can see here test and very complicated password. So these are the credentials they are storing inside the device, right? So in that way we check if they are storing any hard-coded credentials or any sensitive information inside the mobile device.
Other bugs: there are so many bugs, like IDOR. We can test IDOR, API vulnerabilities; we can test API vulnerabilities, access control issues, auth-related vulnerabilities, JWT-related vulnerabilities. So what we will do, we will try to do interception, no problem, we have, fine, I'm going to add a proxy. Okay, 8090, I will... the proxy has started, right? Nice, right.
So I have set up a proxy here. So for that you can also install the Burp certificate for intercepting the HTTP requests. So in that case you just type here http://burp and you download the certificate, like here, because it's already installed. But I will show you how to do that. Okay, maybe so here, if we click on this CA certificate, it will download; it started downloading. I don't know what is stopping it, but when you download it you can go to the gallery. Gallery? Yeah, this is downloads. No item here; it is not downloaded, actually.
Okay, no problem. So I will try to do a restart of this sometime. It creates a problem while starting. So there is another way: push. Suppose we want to push a certificate or whatever we want to push, so we can directly push it from here: adb push. User, I might be having a certificate. You can see here I have a certificate. It is a .der extension. No problem. We will try to push this certificate, just for the demo, to the SD card. Here we can see one file pushed. If we see this file, this is the file, and that is already a certificate I pushed here before. And one thing: you can face a problem when you try to install an app. This is Genymotion ARM translation. So sometimes what happens, the app is not compatible with the ARM processor. So then you have to install this Genymotion ARM translation. So after installing it you have to just flash it and then you will be able to install any app, right.
So I will show you how to intercept the traffic. I mean, traffic is already coming, okay, this is my work. Suppose I want to intercept browser traffic. So here you can see I have already installed the certificate. Now traffic is coming here. So I can see all the traffic. And I can find access control vulnerabilities, IDOR, token-related vulnerabilities; I can even open it, this app itself, this one, right. So this is SSL API. You want to try the API bypassing. So you can use that API, and here, test. Okay, now I will see. Okay, it is not going to the server; the traffic is not going to the server, it is checking internally, I guess. But this is the only traffic going to the server.
Suppose we want to go here, htbridge. Okay, if you want to see this link three, it will go there, because we can also perform cross-site scripting inside a mobile device. That is the option; that is the vulnerability inside the WebView. If JS is enabled inside the WebView, then we can perform cross-site scripting, right? So you can see here XSS, because the script is hosted at this URL. And if we are enabling that, we can load a remote URL inside the WebView without any validation. So we can do XSS. Also we can go to, okay, no problem. So for that go to Pivaa, right. So now here you can see so many vulnerabilities. You can test it. So many vulnerabilities, so many vulnerabilities.

So guys, okay, try each and every vulnerability, try to understand and try to replicate all these practicals, and whatever you find, or whatever problem you face, you guys can reach out to me anytime. And this is my email ID, romansh yadav@gmail.com, so you guys can reach out to me and I can give you suggestions, or wherever you are stuck, I can give you advice or I will try to solve your problem. All right, guys, so that's all from my side. I'm glad you have joined me for today's session. Thank you very much.
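The manifest review the talk performs by hand after apktool decoding (backup allowed, debuggable, exported components, requested permissions), written up as an added Python example that is not from the talk or from Pivaa; the sample manifest and the `com.example.vulnapp` package are constructed, the `findings` key names are my own, and the check also flags components that are exported implicitly through an intent-filter, which the talk does not cover.

```python
"""Review a decoded AndroidManifest.xml (as produced by apktool) for the
items the talk checks by hand: allowBackup, debuggable, cleartext traffic,
exported components that carry no permission, and requested permissions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (hypothetical package, not Pivaa's real one).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vulnapp">
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:allowBackup="true" android:debuggable="true"
        android:usesCleartextTraffic="true">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
            </intent-filter>
        </activity>
        <activity android:name=".AdminActivity" android:exported="true"/>
        <service android:name=".SyncService" android:exported="true"
            android:permission="com.example.vulnapp.SYNC"/>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <provider android:name=".DataProvider"
            android:authorities="com.example.vulnapp.data"
            android:exported="false"/>
    </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """True when android:exported="true", or when exported is unset but the
    component declares an intent-filter (the implicit default that applied
    before targetSdk 31 made the attribute mandatory in that case)."""
    exported = _attr(component, "exported")
    if exported is not None:
        return exported.lower() == "true"
    return component.find("intent-filter") is not None


def review_manifest(xml_text):
    """Return the findings for one manifest as a dict (key names are mine)."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = {
        "package": root.get("package"),
        "allow_backup": _attr(app, "allowBackup") == "true",
        "debuggable": _attr(app, "debuggable") == "true",
        "cleartext_traffic": _attr(app, "usesCleartextTraffic") == "true",
        "permissions": [_attr(p, "name") for p in root.findall("uses-permission")],
        "exported_unprotected": [],
    }
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            # An exported component with no android:permission can be started
            # or queried by any other app on the device, so it gets flagged.
            if is_exported(comp) and _attr(comp, "permission") is None:
                findings["exported_unprotected"].append(
                    "%s %s" % (tag, _attr(comp, "name")))
    return findings


if __name__ == "__main__":
    for key, value in review_manifest(SAMPLE_MANIFEST).items():
        print("%-22s %s" % (key + ":", value))
```

Point `review_manifest` at the AndroidManifest.xml in an apktool output folder to get the same summary for a real app; the service with its own `android:permission` and the non-exported provider are deliberately left unflagged.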