SlideShare a Scribd company logo
© Blueinfy Solutions
Android Attacks
© Blueinfy Solutions
Insecure Data Storage
• Storing sensitive information on device – a
major threat
• Phone can be hacked or stolen
• Imagine site access, username, passwords,
tokens etc. get harvested
• Malware used to attack local system and fetch
information out.
• What are the options?
© Blueinfy Solutions
Insecure calls
• Storage can be accessed by third party
• If device is rooted then access to sensitive
information
• Poor permission can allow cross access
• One app accessing information of other
• Information not encrypted
© Blueinfy Solutions
Bird eye view
© Blueinfy Solutions
Storage calls
• Shared Preferences
– Store private primitive data in key-value pairs.
• Internal Storage
– Store private data on the device memory.
• External Storage
– Store public data on the shared external storage.
• SQLite Databases
– Store structured data in a private database.
• Network Connection
– Store data on the web with your own network server.
© Blueinfy Solutions
Accessing with adb
# cd bank.One
cd bank.One
# ls
ls
cache
databases
files
lib
# cd files
cd files
# ls
ls
PublicKey
remember
settings
temp_file
# cat remember
cat remember
jack
jack123#
Got user/pass in clear text
© Blueinfy Solutions
Weak Server Side Controls
• Backend Application Security
• Protocols
• OWASP Top 10 for AppSec
© Blueinfy Solutions
Analyzing HTTP traffic
• Security assessment needs sound knowledge
of HTTP analysis
• Tools and mind needed to analyze the traffic
• What to look for? – methods, cookie,
querysting etc.
• All part of HTTP – Response analysis is equally
important.
© Blueinfy Solutions
JSON
• JSON (JavaScript Object Notation) - a
lightweight data-interchange format
• Based on JavaScript Programming Language
(Standard ECMA-262)
• Completely language independent
• C-family of languages, including C, C++, C#,
Java, JavaScript, Perl, Python, and many
others.
• Interchangeable is the Key.
© Blueinfy Solutions
JSON
– object
• {}
{ members }
– members
• pair
pair , members
– pair
• string : value
– array
• []
[ elements ]
• elements
• value
value ,
elements
• value
• string
number
object
array
true
false
null
© Blueinfy Solutions
JSON
• Example
{ "firstName": "John", "lastName": "Smith",
"address": { "streetAddress": "21 2nd Street",
"city": "New York", "state": "NY", "postalCode":
10021 }, "phoneNumbers": [ "212 732-1234", "646
123-4567" ] }
© Blueinfy Solutions
JSON call
• Calling JSON services
© Blueinfy Solutions
JSON fetch
• Fetch attribute
© Blueinfy Solutions
Insufficient Transport Layer Protection
• Poor or no Encryption during transit
• Poor certification validations
• Man in the middle opening
• Traffic over HTTP
• Token passing
• Device ID over poor channel
© Blueinfy Solutions
Session with token only
© Blueinfy Solutions
Client Side Injection
• Native or Web apps
– Using poor libs
– Abusing APIs
• Popular injections – XSS, SQLi, XPATH etc.
• Payment and SMS
• Mixed usage
– Using webview
© Blueinfy Solutions
SQLite
© Blueinfy Solutions
What is SQLite?
• SQLite is an in-process library that implements a self-
contained, serverless, zero-configuration, transactional SQL
database engine.
• It is the database which is zero configured , that means like
other database you do not need to configure it in your
system.
• At the end, it is a comma separated file (CSV file)
© Blueinfy Solutions
SQLite Commands
• The standard SQLite commands to interact with relational
databases are similar as SQL.
• They are CREATE, SELECT, INSERT, UPDATE, DELETE, and
DROP.
• Data Manipulation Language
Command Description
INSERT Creates a record
UPDATE Modifies records
DELETE Deletes records
© Blueinfy Solutions
Cont.
• Data Query Language:
• Data Definition Language:
Command Description
SELECT Retrieves certain records from one or
more tables
Command Description
CREATE Creates a new table, a view of a table,
or other object in database
ALTER Modifies an existing database object,
such as a table.
DROP Deletes an entire table, a view of a
table or other object in the database.
© Blueinfy Solutions
SQLite – Create Database
• The following command will create a new database or will
open the database if it has been created.
• sqlite3 [database name].db
© Blueinfy Solutions
Retrieving Master Table
• This command will retrieve the master table.
• For example:-
variable=* FROM SQLITE_MASTER; --
© Blueinfy Solutions
SQLite Version
• This command retrieves the version number
of the db.
© Blueinfy Solutions
SQLite – Create Table
• For example:- create table [newtablename](id int, name text);
• By using .tables on the command shell the newly created
designation table is shown.
© Blueinfy Solutions
SQLite – Drop Table
• drop table users;--
© Blueinfy Solutions
SQLite – Insert Query
• INSERT INTO TABLE_NAME (column1, column2,
column3,...Ncolumn) VALUES (value1, value2,
value3,...Nvalue);
© Blueinfy Solutions
Extending/Appending queries
• By altering the select query the injected DELETE query
removes all records from the company table.
© Blueinfy Solutions
SQLite – OR 1=1
• ‘* from [tablename] where id=1 OR 1=1;’
© Blueinfy Solutions
Adding User
• insert into users values(15,’user15’)
© Blueinfy Solutions
Side Channel Data Leakage
• Platform issues – sandboxing or disable
controls
– Cache
– Logs, Keystrokes, screenshots etc.
– Temp files
• 3rd
Party libs (AD networks and analytics)
© Blueinfy Solutions
Unauthorized Dialing/SMS
© Blueinfy Solutions
Unauthorized Dialing/SMS
• Social Engineering using Mobile Devices
• Attacker plays with user’s mind
• User installs application
• Application sends premium rate SMS or a
premium rate phone call to unknown number
• Used by Malware/Trojans
© Blueinfy Solutions
GGTracker
• June 2010
• Another Application which sends
International SMS
• One SMS Costs – 40 USD (NOK 200)
• Application Sends Premium SMS to US
numbers
© Blueinfy Solutions
UI Impersonation
© Blueinfy Solutions
UI Impersonation
• Attack has been there since long
• On a mobile stack, known as UI
impersonation
• Other names are Phishing Attack, ClickJacking
• Attacker plays with user’s mind and try to
impersonate as other user or other
application
© Blueinfy Solutions
UI Impersonation
• Victim looses credit card information or
authentication credentials or secret
• One application can create local PUSH
notification as it is created from apple store
• Classic example is - Netflix Application in
AppStore
• Flow in review process of AppStore – Anyone
can name anything to their application
© Blueinfy Solutions
NetFlix
• Oct -2011
• Steals users “netflix” account information
• Application shows error message to user
“Compatibility issues with the user’s
hardware” when user enters username and
password and uninstalls itself
• More than 10000 users lost their details in a
week
© Blueinfy Solutions
Activity Monitoring
© Blueinfy Solutions
Activity Monitoring
• Sending a blind carbon copy of each email to
attacker
• Listening all phone calls
• Email contact list, pictures to attacker
• Read all emails stored on the device
• Usual intension of Spyware/Trojans
© Blueinfy Solutions
Activity Monitoring
• Attacker can monitor –
– Audio Files
– Video
– Pictures
– Location
– Contact List
– Call/Browser/SMS History
– Data files
© Blueinfy Solutions
Android.Pjapps
• Early 2010
• Steal/Change users information
• PjApps Application –
• Send and monitor incoming SMS messages
• Read/write to the user's browsing history and
bookmarks
• Install packages and Open Sockets
• Write to external storage
• Read the phone's state
© Blueinfy Solutions
System Modification
© Blueinfy Solutions
System Modification
• Application will attempt to modify system
configuration to hide itself (Historically this is
known as ROOTKIT)
• Configuration changes makes certain attack
possible i.e. –
– Modifying device proxy to get user’s activity
monitoring
– Configure BCC email sending to attacker
© Blueinfy Solutions
Information in Common Services
© Blueinfy Solutions
Information in Common Services
• KeyBoard, Clipboard are shared amongst all
the applications.
• Information stored in clipboard can be
accessed by all the application
• Sensitive information should not be allowed
to copy/paste in the application
© Blueinfy Solutions
Logical Issues
© Blueinfy Solutions
Logical Issues
• Authentication flags and privilege escalations
at application layer
• Critical parameter manipulation and access to
unauthorized information/content
• Business constraint exploitation
• Identity or profile extraction
• Denial of Services (DoS) with business logic
© Blueinfy Solutions
In Memory Analysis
© Blueinfy Solutions
In memory analysis
• Using in built command in ADB named
“dumpsys”
• Command to get memory dump –
# Dumpsys meminfo
• Can be run only by “su” (Rooting a device is
mandatory)
© Blueinfy Solutions
Uncovering vulnerability from
Manifest File
© Blueinfy Solutions
Quick Recap of Manifest tags
• Manifest
• Application
• Activity
• Activity-alias
• Receiver
• Service
• Uses-permission
© Blueinfy Solutions
Decompiling Android Applications
© Blueinfy Solutions
Decompiling android application
• Using Apktool -
http://code.google.com/p/android-apktool/
• Using Dex2Jar -
http://code.google.com/p/dex2jar/
• Using aapt (Bundled with Android SDK)
© Blueinfy Solutions
Use Apktool to convert the XML to readable format
Android manifest file:
APK Tool
© Blueinfy Solutions
Use dex2jar to convert classes.dex file in the extracted folder to .class files
Use JAD to convert the class files into JAVA files
Dex2Jar and JAD
© Blueinfy Solutions
Debuggable flag in Android
• One of the key attribute in android manifest
file
• Under “application” section
• Describes debugging in enabled
• If “Debuggable”attribute is set o true, the
application will try to connect to a local unix
socket “@jdwp-control”
• Using JDWP, It is possible to gain full access to
the Java process and execute arbitrary code
in the context of the debugable application
© Blueinfy Solutions
CheckDebuggable Script
• Checks in APK whether debuggable is enabled
• Script can be found at –
http://www.espheresecurity.com/resourcest
ools.html
• Paper can be found at -
http://www.espheresecurity.com/CheckDebu
ggable.pdf
© Blueinfy Solutions
Conclusion

More Related Content

What's hot (20)

PDF
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
Sam Bowne
 
PPT
XSS and CSRF with HTML5
Shreeraj Shah
 
PPT
Pentesting web applications
Satish b
 
PPTX
Core defense mechanisms against security attacks on web applications
Karan Nagrecha
 
PPT
Mobile Application Security – Effective methodology, efficient testing!
espheresecurity
 
PDF
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Sam Bowne
 
PDF
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
Shreeraj Shah
 
PDF
CNIT 128 Ch 6: Mobile services and mobile Web (part 2: SAML to end)
Sam Bowne
 
PPTX
Using & Abusing APIs: An Examination of the API Attack Surface
CA API Management
 
PDF
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Sam Bowne
 
PDF
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
Sam Bowne
 
PDF
Lets Make our Web Applications Secure
Aryashree Pritikrishna
 
PDF
Mobile application security – effective methodology, efficient testing! hem...
owaspindia
 
PDF
CNIT 129S: Ch 3: Web Application Technologies
Sam Bowne
 
PDF
CNIT 128: 9: Mobile payments
Sam Bowne
 
PDF
CNIT 129S: Securing Web Applications Ch 1-2
Sam Bowne
 
PDF
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
Shreeraj Shah
 
PDF
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Shreeraj Shah
 
PPTX
Hacking mobile apps
kunwaratul hax0r
 
PDF
CNIT 129S: Ch 4: Mapping the Application
Sam Bowne
 
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
Sam Bowne
 
XSS and CSRF with HTML5
Shreeraj Shah
 
Pentesting web applications
Satish b
 
Core defense mechanisms against security attacks on web applications
Karan Nagrecha
 
Mobile Application Security – Effective methodology, efficient testing!
espheresecurity
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Sam Bowne
 
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
Shreeraj Shah
 
CNIT 128 Ch 6: Mobile services and mobile Web (part 2: SAML to end)
Sam Bowne
 
Using & Abusing APIs: An Examination of the API Attack Surface
CA API Management
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Sam Bowne
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
Sam Bowne
 
Lets Make our Web Applications Secure
Aryashree Pritikrishna
 
Mobile application security – effective methodology, efficient testing! hem...
owaspindia
 
CNIT 129S: Ch 3: Web Application Technologies
Sam Bowne
 
CNIT 128: 9: Mobile payments
Sam Bowne
 
CNIT 129S: Securing Web Applications Ch 1-2
Sam Bowne
 
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
Shreeraj Shah
 
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Shreeraj Shah
 
Hacking mobile apps
kunwaratul hax0r
 
CNIT 129S: Ch 4: Mapping the Application
Sam Bowne
 

Viewers also liked (8)

PPT
Brief History of the Soviet Jewry Movement
philipspiegel
 
PDF
Karen White – Becoming a more powerful observer
SACAP
 
DOC
new resume
OMPRAKASH JOSHI
 
PDF
Control Dynamics
Steven Casey
 
PPTX
Casa-1000 project
Zumra Cheema
 
PDF
resume
Shihao Jin
 
PPTX
LeasePlan UK Lease Accounting Standard
Rebecca Whittaker
 
PDF
SF Express
Viacheslav Savin
 
Brief History of the Soviet Jewry Movement
philipspiegel
 
Karen White – Becoming a more powerful observer
SACAP
 
new resume
OMPRAKASH JOSHI
 
Control Dynamics
Steven Casey
 
Casa-1000 project
Zumra Cheema
 
resume
Shihao Jin
 
LeasePlan UK Lease Accounting Standard
Rebecca Whittaker
 
SF Express
Viacheslav Savin
 
Ad

Similar to Android attacks (20)

PDF
CNIT 128 7. Attacking Android Applications (Part 2)
Sam Bowne
 
PPTX
Android Security and Peneteration Testing
Surabaya Blackhat
 
PDF
Introduction to Android Development and Security
Kelwin Yang
 
PDF
Mobile Application Pentest [Fast-Track]
Prathan Phongthiproek
 
PPTX
Hacker Halted 2014 - Reverse Engineering the Android OS
EC-Council
 
PDF
Mobile Forensics on a Shoestring Budget
Brent Muir
 
PDF
6.3. How to get out of an inprivacy jail
defconmoscow
 
PDF
7. Attacking Android Applications (Part 2)
Sam Bowne
 
PPTX
Security testing of mobile applications
GTestClub
 
PDF
CNIT 128 7. Attacking Android Applications (Part 2)
Sam Bowne
 
PPTX
Untitled 1
Sergey Kochergan
 
PPTX
Mobile application security
Shubhneet Goel
 
PPTX
Mobile Application Security
Ishan Girdhar
 
PDF
Android Hacking
antitree
 
PDF
Mobile Securty - An Oxymoron?
morisson
 
PPTX
Sql injection
Dilan Warnakulasooriya
 
PDF
Hacking your Droid (Aditya Gupta)
ClubHack
 
PPTX
Pentesting Android Apps
Abdelhamid Limami
 
PDF
Testing Android Security Codemotion Amsterdam edition
Jose Manuel Ortega Candel
 
PDF
Testing Android Security - Jose Manuel Ortega Candel - Codemotion Amsterdam 2016
Codemotion
 
CNIT 128 7. Attacking Android Applications (Part 2)
Sam Bowne
 
Android Security and Peneteration Testing
Surabaya Blackhat
 
Introduction to Android Development and Security
Kelwin Yang
 
Mobile Application Pentest [Fast-Track]
Prathan Phongthiproek
 
Hacker Halted 2014 - Reverse Engineering the Android OS
EC-Council
 
Mobile Forensics on a Shoestring Budget
Brent Muir
 
6.3. How to get out of an inprivacy jail
defconmoscow
 
7. Attacking Android Applications (Part 2)
Sam Bowne
 
Security testing of mobile applications
GTestClub
 
CNIT 128 7. Attacking Android Applications (Part 2)
Sam Bowne
 
Untitled 1
Sergey Kochergan
 
Mobile application security
Shubhneet Goel
 
Mobile Application Security
Ishan Girdhar
 
Android Hacking
antitree
 
Mobile Securty - An Oxymoron?
morisson
 
Sql injection
Dilan Warnakulasooriya
 
Hacking your Droid (Aditya Gupta)
ClubHack
 
Pentesting Android Apps
Abdelhamid Limami
 
Testing Android Security Codemotion Amsterdam edition
Jose Manuel Ortega Candel
 
Testing Android Security - Jose Manuel Ortega Candel - Codemotion Amsterdam 2016
Codemotion
 
Ad

More from Blueinfy Solutions (13)

PPT
Html5 on mobile
Blueinfy Solutions
 
PPT
Source Code Analysis with SAST
Blueinfy Solutions
 
PPT
HTML5 hacking
Blueinfy Solutions
 
PDF
CSRF, ClickJacking & Open Redirect
Blueinfy Solutions
 
PPT
XSS - Attacks & Defense
Blueinfy Solutions
 
PPT
Defending against Injections
Blueinfy Solutions
 
PPT
XPATH, LDAP and Path Traversal Injection
Blueinfy Solutions
 
PPT
Blind SQL Injection
Blueinfy Solutions
 
PPT
Application fuzzing
Blueinfy Solutions
 
PPT
SQL injection basics
Blueinfy Solutions
 
PPT
Assessment methodology and approach
Blueinfy Solutions
 
PPT
HTTP protocol and Streams Security
Blueinfy Solutions
 
PPT
Advanced applications-architecture-threats
Blueinfy Solutions
 
Html5 on mobile
Blueinfy Solutions
 
Source Code Analysis with SAST
Blueinfy Solutions
 
HTML5 hacking
Blueinfy Solutions
 
CSRF, ClickJacking & Open Redirect
Blueinfy Solutions
 
XSS - Attacks & Defense
Blueinfy Solutions
 
Defending against Injections
Blueinfy Solutions
 
XPATH, LDAP and Path Traversal Injection
Blueinfy Solutions
 
Blind SQL Injection
Blueinfy Solutions
 
Application fuzzing
Blueinfy Solutions
 
SQL injection basics
Blueinfy Solutions
 
Assessment methodology and approach
Blueinfy Solutions
 
HTTP protocol and Streams Security
Blueinfy Solutions
 
Advanced applications-architecture-threats
Blueinfy Solutions
 

Recently uploaded (20)

PDF
Infrastructure planning and resilience - Keith Hastings.pptx.pdf
Safe Software
 
PDF
WatchTraderHub - Watch Dealer software with inventory management and multi-ch...
WatchDealer Pavel
 
PPTX
Presentation about Database and Database Administrator
abhishekchauhan86963
 
PDF
Virtual Threads in Java: A New Dimension of Scalability and Performance
Tier1 app
 
PDF
Adobe Illustrator Crack Full Download (Latest Version 2025) Pre-Activated
imang66g
 
PDF
Using licensed Data Loss Prevention (DLP) as a strategic proactive data secur...
Q-Advise
 
PPT
Why Reliable Server Maintenance Service in New York is Crucial for Your Business
Sam Vohra
 
PPTX
TRAVEL APIs | WHITE LABEL TRAVEL API | TOP TRAVEL APIs
philipnathen82
 
PDF
Enhancing Security in VAST: Towards Static Vulnerability Scanning
ESUG
 
PDF
Download iTop VPN Free 6.1.0.5882 Crack Full Activated Pre Latest 2025
imang66g
 
PDF
AI Image Enhancer: Revolutionizing Visual Quality”
docmasoom
 
PDF
Step-by-Step Guide to Install SAP HANA Studio | Complete Installation Tutoria...
SAP Vista, an A L T Z E N Company
 
PDF
AWS_Agentic_AI_in_Indian_BFSI_A_Strategic_Blueprint_for_Customer.pdf
siddharthnetsavvies
 
PPT
Activate_Methodology_Summary presentatio
annapureddyn
 
PDF
Generating Union types w/ Static Analysis
K. Matthew Dupree
 
PPTX
Presentation about variables and constant.pptx
kr2589474
 
PPTX
Role Of Python In Programing Language.pptx
jaykoshti048
 
PPTX
Web Testing.pptx528278vshbuqffqhhqiwnwuq
studylike474
 
PDF
Enhancing Healthcare RPM Platforms with Contextual AI Integration
Cadabra Studio
 
PPT
Brief History of Python by Learning Python in three hours
adanechb21
 
Infrastructure planning and resilience - Keith Hastings.pptx.pdf
Safe Software
 
WatchTraderHub - Watch Dealer software with inventory management and multi-ch...
WatchDealer Pavel
 
Presentation about Database and Database Administrator
abhishekchauhan86963
 
Virtual Threads in Java: A New Dimension of Scalability and Performance
Tier1 app
 
Adobe Illustrator Crack Full Download (Latest Version 2025) Pre-Activated
imang66g
 
Using licensed Data Loss Prevention (DLP) as a strategic proactive data secur...
Q-Advise
 
Why Reliable Server Maintenance Service in New York is Crucial for Your Business
Sam Vohra
 
TRAVEL APIs | WHITE LABEL TRAVEL API | TOP TRAVEL APIs
philipnathen82
 
Enhancing Security in VAST: Towards Static Vulnerability Scanning
ESUG
 
Download iTop VPN Free 6.1.0.5882 Crack Full Activated Pre Latest 2025
imang66g
 
AI Image Enhancer: Revolutionizing Visual Quality”
docmasoom
 
Step-by-Step Guide to Install SAP HANA Studio | Complete Installation Tutoria...
SAP Vista, an A L T Z E N Company
 
AWS_Agentic_AI_in_Indian_BFSI_A_Strategic_Blueprint_for_Customer.pdf
siddharthnetsavvies
 
Activate_Methodology_Summary presentatio
annapureddyn
 
Generating Union types w/ Static Analysis
K. Matthew Dupree
 
Presentation about variables and constant.pptx
kr2589474
 
Role Of Python In Programing Language.pptx
jaykoshti048
 
Web Testing.pptx528278vshbuqffqhhqiwnwuq
studylike474
 
Enhancing Healthcare RPM Platforms with Contextual AI Integration
Cadabra Studio
 
Brief History of Python by Learning Python in three hours
adanechb21
 

Android attacks

  • 2. © Blueinfy Solutions Insecure Data Storage • Storing sensitive information on device – a major threat • Phone can be hacked or stolen • Imagine site access, username, passwords, tokens etc. get harvested • Malware used to attack local system and fetch information out. • What are the options?
  • 3. © Blueinfy Solutions Insecure calls • Storage can be accessed by third party • If device is rooted then access to sensitive information • Poor permission can allow cross access • One app accessing information of other • Information not encrypted
  • 5. © Blueinfy Solutions Storage calls • Shared Preferences – Store private primitive data in key-value pairs. • Internal Storage – Store private data on the device memory. • External Storage – Store public data on the shared external storage. • SQLite Databases – Store structured data in a private database. • Network Connection – Store data on the web with your own network server.
  • 6. © Blueinfy Solutions Accessing with adb # cd bank.One cd bank.One # ls ls cache databases files lib # cd files cd files # ls ls PublicKey remember settings temp_file # cat remember cat remember jack jack123# Got user/pass in clear text
  • 7. © Blueinfy Solutions Weak Server Side Controls • Backend Application Security • Protocols • OWASP Top 10 for AppSec
  • 8. © Blueinfy Solutions Analyzing HTTP traffic • Security assessment needs sound knowledge of HTTP analysis • Tools and mind needed to analyze the traffic • What to look for? – methods, cookie, querysting etc. • All part of HTTP – Response analysis is equally important.
  • 9. © Blueinfy Solutions JSON • JSON (JavaScript Object Notation) - a lightweight data-interchange format • Based on JavaScript Programming Language (Standard ECMA-262) • Completely language independent • C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. • Interchangeable is the Key.
  • 10. © Blueinfy Solutions JSON – object • {} { members } – members • pair pair , members – pair • string : value – array • [] [ elements ] • elements • value value , elements • value • string number object array true false null
  • 11. © Blueinfy Solutions JSON • Example { "firstName": "John", "lastName": "Smith", "address": { "streetAddress": "21 2nd Street", "city": "New York", "state": "NY", "postalCode": 10021 }, "phoneNumbers": [ "212 732-1234", "646 123-4567" ] }
  • 12. © Blueinfy Solutions JSON call • Calling JSON services
  • 13. © Blueinfy Solutions JSON fetch • Fetch attribute
  • 14. © Blueinfy Solutions Insufficient Transport Layer Protection • Poor or no Encryption during transit • Poor certification validations • Man in the middle opening • Traffic over HTTP • Token passing • Device ID over poor channel
  • 15. © Blueinfy Solutions Session with token only
  • 16. © Blueinfy Solutions Client Side Injection • Native or Web apps – Using poor libs – Abusing APIs • Popular injections – XSS, SQLi, XPATH etc. • Payment and SMS • Mixed usage – Using webview
  • 18. © Blueinfy Solutions What is SQLite? • SQLite is an in-process library that implements a self- contained, serverless, zero-configuration, transactional SQL database engine. • It is the database which is zero configured , that means like other database you do not need to configure it in your system. • At the end, it is a comma separated file (CSV file)
  • 19. © Blueinfy Solutions SQLite Commands • The standard SQLite commands to interact with relational databases are similar as SQL. • They are CREATE, SELECT, INSERT, UPDATE, DELETE, and DROP. • Data Manipulation Language Command Description INSERT Creates a record UPDATE Modifies records DELETE Deletes records
  • 20. © Blueinfy Solutions Cont. • Data Query Language: • Data Definition Language: Command Description SELECT Retrieves certain records from one or more tables Command Description CREATE Creates a new table, a view of a table, or other object in database ALTER Modifies an existing database object, such as a table. DROP Deletes an entire table, a view of a table or other object in the database.
  • 21. © Blueinfy Solutions SQLite – Create Database • The following command will create a new database or will open the database if it has been created. • sqlite3 [database name].db
  • 22. © Blueinfy Solutions Retrieving Master Table • This command will retrieve the master table. • For example:- variable=* FROM SQLITE_MASTER; --
  • 23. © Blueinfy Solutions SQLite Version • This command retrieves the version number of the db.
  • 24. © Blueinfy Solutions SQLite – Create Table • For example:- create table [newtablename](id int, name text); • By using .tables on the command shell the newly created designation table is shown.
  • 25. © Blueinfy Solutions SQLite – Drop Table • drop table users;--
  • 26. © Blueinfy Solutions SQLite – Insert Query • INSERT INTO TABLE_NAME (column1, column2, column3,...Ncolumn) VALUES (value1, value2, value3,...Nvalue);
  • 27. © Blueinfy Solutions Extending/Appending queries • By altering the select query the injected DELETE query removes all records from the company table.
  • 28. © Blueinfy Solutions SQLite – OR 1=1 • ‘* from [tablename] where id=1 OR 1=1;’
  • 29. © Blueinfy Solutions Adding User • insert into users values(15,’user15’)
  • 30. © Blueinfy Solutions Side Channel Data Leakage • Platform issues – sandboxing or disable controls – Cache – Logs, Keystrokes, screenshots etc. – Temp files • 3rd Party libs (AD networks and analytics)
  • 32. © Blueinfy Solutions Unauthorized Dialing/SMS • Social Engineering using Mobile Devices • Attacker plays with user’s mind • User installs application • Application sends premium rate SMS or a premium rate phone call to unknown number • Used by Malware/Trojans
  • 33. © Blueinfy Solutions GGTracker • June 2010 • Another Application which sends International SMS • One SMS Costs – 40 USD (NOK 200) • Application Sends Premium SMS to US numbers
  • 34. © Blueinfy Solutions UI Impersonation
  • 35. © Blueinfy Solutions UI Impersonation • Attack has been there since long • On a mobile stack, known as UI impersonation • Other names are Phishing Attack, ClickJacking • Attacker plays with user’s mind and try to impersonate as other user or other application
  • 36. © Blueinfy Solutions UI Impersonation • Victim looses credit card information or authentication credentials or secret • One application can create local PUSH notification as it is created from apple store • Classic example is - Netflix Application in AppStore • Flow in review process of AppStore – Anyone can name anything to their application
  • 37. © Blueinfy Solutions NetFlix • Oct -2011 • Steals users “netflix” account information • Application shows error message to user “Compatibility issues with the user’s hardware” when user enters username and password and uninstalls itself • More than 10000 users lost their details in a week
  • 39. © Blueinfy Solutions Activity Monitoring • Sending a blind carbon copy of each email to attacker • Listening all phone calls • Email contact list, pictures to attacker • Read all emails stored on the device • Usual intension of Spyware/Trojans
  • 40. © Blueinfy Solutions Activity Monitoring • Attacker can monitor – – Audio Files – Video – Pictures – Location – Contact List – Call/Browser/SMS History – Data files
  • 41. © Blueinfy Solutions Android.Pjapps • Early 2010 • Steal/Change users information • PjApps Application – • Send and monitor incoming SMS messages • Read/write to the user's browsing history and bookmarks • Install packages and Open Sockets • Write to external storage • Read the phone's state
  • 43. © Blueinfy Solutions System Modification • Application will attempt to modify system configuration to hide itself (Historically this is known as ROOTKIT) • Configuration changes makes certain attack possible i.e. – – Modifying device proxy to get user’s activity monitoring – Configure BCC email sending to attacker
  • 44. © Blueinfy Solutions Information in Common Services
  • 45. © Blueinfy Solutions Information in Common Services • KeyBoard, Clipboard are shared amongst all the applications. • Information stored in clipboard can be accessed by all the application • Sensitive information should not be allowed to copy/paste in the application
  • 47. © Blueinfy Solutions Logical Issues • Authentication flags and privilege escalations at application layer • Critical parameter manipulation and access to unauthorized information/content • Business constraint exploitation • Identity or profile extraction • Denial of Services (DoS) with business logic
  • 48. © Blueinfy Solutions In Memory Analysis
  • 49. © Blueinfy Solutions In memory analysis • Using in built command in ADB named “dumpsys” • Command to get memory dump – # Dumpsys meminfo • Can be run only by “su” (Rooting a device is mandatory)
  • 50. © Blueinfy Solutions Uncovering vulnerability from Manifest File
  • 51. © Blueinfy Solutions Quick Recap of Manifest tags • Manifest • Application • Activity • Activity-alias • Receiver • Service • Uses-permission
  • 52. © Blueinfy Solutions Decompiling Android Applications
  • 53. © Blueinfy Solutions Decompiling android application • Using Apktool - http://code.google.com/p/android-apktool/ • Using Dex2Jar - http://code.google.com/p/dex2jar/ • Using aapt (Bundled with Android SDK)
  • 54. © Blueinfy Solutions Use Apktool to convert the XML to readable format Android manifest file: APK Tool
  • 55. © Blueinfy Solutions Use dex2jar to convert classes.dex file in the extracted folder to .class files Use JAD to convert the class files into JAVA files Dex2Jar and JAD
  • 56. © Blueinfy Solutions Debuggable flag in Android • One of the key attribute in android manifest file • Under “application” section • Describes debugging in enabled • If “Debuggable”attribute is set o true, the application will try to connect to a local unix socket “@jdwp-control” • Using JDWP, It is possible to gain full access to the Java process and execute arbitrary code in the context of the debugable application
  • 57. © Blueinfy Solutions CheckDebuggable Script • Checks in APK whether debuggable is enabled • Script can be found at – http://www.espheresecurity.com/resourcest ools.html • Paper can be found at - http://www.espheresecurity.com/CheckDebu ggable.pdf