Rapid Android Application Security Testing
Download as PPTX, PDF4 likes1,099 views
The document outlines the agenda for rapid Android application security testing, covering static analysis, dynamic analysis, and local storage inspection. It explains the structure of Android applications and tools for reverse engineering and testing, as well as common challenges faced during the testing process. Essential tools mentioned include Android SDK, adb, Burp Suite, and others, with emphasis on ongoing exploration of new tools and methodologies.
Rapid Android Application Security Testing
- 1. Rapid Android Application Security Testing
- 2. Agenda • Introduction to Android Testing – Static Analysis – Dynamic Analysis – Local Storage Inspection • Challenge.txt
- 3. Android Security Testing • Can install apps on device and go hack the network. • Can install the application in the emulator and test it.
- 4. What’s inside? • Android is a Linux kernel based OS. • Dalvik VM (Dalvik Virtual Machine) makes the dex file (Dalvik Executables) reach execution. • APK (Android Application Package) contains all the resources, i.e. manifest file, signatures, dex file, and other resources in a zipped manner.
- 5. So what happens. • Java source code is compiled to Java byte Code using Java Compiler • Byte code is converted into Dalvik Code using Dex compiler • Dalvik Executable (Dex file) goes to “Dalvik VM” and executes within it.
- 6. …..Continued. Dalvik VM Dalvik Executable (Dex File) Java Source Code Java Byte CodeJava Compiler Dalvik Code Dex Compiler
- 7. Pentest. How to do? • Break the testing into three parts: – Static Testing – Dynamic Testing – Local Storage • Try to uncover issues in every phase.
- 8. Static Analysis • Get the .apk file. • Reverse Engineer it. • Decompile / Dis-assemble it. • Dis-assemble it using – Dedexer gives assembly like output) or – Baksmali (based on dedexer and gives code more easy to understand. • Decompile it using – Dex2jar (dalvik code turns to Java byte code (jar file). – Use jd-gui to view the java source codes.h
- 9. What to look for? • Look for api information, database connection strings, internal / external IP disclosures and ports, etc. • If you are lucky, you might get a password too, Believe me developers are crazy. • If you can go for social engineering stuff, lot of emails can be found. • Tip: A pair of /* and */ holds a lot of information.
- 11. Dynamic Analysis • Load emulator. • Set up an Interception Proxy • Figure out SSL issues. • And follow the generic logic test cases you follow in web applications.
- 12. Proxy Setup
- 13. Continued…
- 14. Local Storage Inspection • Check for sensitive data getting stored on client side. • XML files, database files are most commonly found culprits. • Inspect memory for information sensitive information > memdump • Inspect generated logs for sensitive information > logcat. • Uninstall and check if things remain in application folder.
- 15. Where to look?
- 16. How it look?
- 17. Tools Of Trade • Android SDK • ADB • BurpSuite • APKtools • Smali/baksmali • Dex2jar • Genymotion • Appuse/Android Tamer.
- 18. Challenges • AppUse is quite slow: – Save time in loading your Emulator. – Save time in installing app. • ADB always run behind device. If you are idle, adb don’t work, or restart your emulator. – Keep your ADB attached to device constantly. • Commands for every push, apk installation, etc. – Get Drag and Drop feature. • Organization might ask you to get application from play store. – Get Play Store. • Genymotion – give you all the above sweet cake. – Supports Webcam, mike, GPS, etc. as well --------- Haven’t tested them however – Not stable. --------- One bad out of six is never a bad.
- 19. Time UP : What next? • OWASP mobile TOP 10 • Drozer (for Inter Process Communication) • Explore new tools all the time. • Keep sharing.
- 20. Questions?