
Attacking & Defending Android Apps Training

BSides Athens · 2021 · 1:15:24 · Published 2021-06
Category: Technical
Topic: OWASP
About this talk
Abstract: This workshop mainly focuses on the security aspects of one of the world's leading mobile operating systems, Android. In this training attendees will learn about its architecture, file system, security model, application components, OWASP mobile attacks and defense, reverse engineering techniques to uncover the security flaws within an application, method swizzling and runtime manipulation of apps, and hooking of applications to exploit security flaws. The workshop will also provide a thorough guide on how mobile applications can be attacked, provide an overview of how some of the most important security checks for applications are applied, and give an in-depth understanding of these security checks. Bio: I am working as a Senior Security Consultant at Aptiva Corp LLC, Dubai. My areas of interest are mobile application security and research, web applications, red teaming and fuzzing. I have been a speaker and provided training at various conferences and meetups like the Null Mumbai, Null Bangalore and Null Chandigarh chapters.
Transcript [en]

Hello and welcome to Security BSides Athens. My name is Oman Syadav; I will be the instructor for this workshop. This is our content: we will cover an Android introduction and basics, we will set up an Android pen-testing environment lab, we will do some reverse engineering practicals and some basic practicals as well, and at the last we will see application components and security issues, and we will also do some Android static pen testing by using tools like MobSF. So this is the Android architecture. We have five layers in the Android architecture: application, application framework, libraries, Android runtime and Linux kernel. Each layer is responsible for doing different operations; at the end all these layers support

an application for doing its work, for operation, like a mobile banking application or a browser-based application like Chrome. So every application which we install inside the mobile device gets different support from different application layers. Like, suppose, libraries: we have web browsers like Chrome and Mozilla installed in our mobile device, so we have a library like WebKit, and the WebKit library supports the Chrome browser. We have power management in the Linux kernel. So basically the Linux kernel is very important; it is like the heart of the Android architecture, and it provides process isolation, power management, flash driver, memory, camera driver, display driver, USB driver. So the Linux kernel is very important, and then it comes

with, and there is, an application framework, so we get activity manager, window manager, content provider inside the application framework, and at last is where we install our applications like contacts, home, phone, browser, banking application, chatting application; that's the structure. So this is the Android application fundamental: basically we know all the Android apps are in the Java programming language, and the Android SDK is responsible for compiling your code. Suppose we write code in any IDE like Android Studio in the Java programming language, right? So basically the IDE comes with the Android SDK, so it is the Android software development kit that compiles your code into the APK, and then the APK we install into our mobile

device. So we will have a quick look at Android Studio.

So this is Android Studio; we will close it and I will start a new project.

I will start a new project. So these are the templates; we can select any template, like bottom navigation. We will select it; it will come with the activities. You can name it anything, right? So our project is loading. So this is our Android Studio. These are the files, the structure of our application; we can see there are different files like libraries, source code. All the source code is here, in main. This is the XML file; this is the central file of any application in Android. And we can see here main java, and this is the main activity. So basically, what is the main activity? The main activity is something, whenever we open any application,

the first activity will be the main activity. So we can open it here; so this is MainActivity. We can add any .java file, we can add any activities, right? So I will try to run it; it will build up automatically and

yes, it will build automatically, and then it will start the emulator and it will install automatically inside the emulator. This is how it looks like; it's already installed actually. Okay, let me go to this one, this is

okay, both are the same, we can say. This is the dashboard fragment, sorry, this is the notification fragment. This is about the emulator here. So basically Android Studio is an IDE, integrated development environment, where we develop our Android apps. We can develop, we can write our own activities, we can modify any activity's code, right? So whatever, like you want to develop a chatting app, you want to develop a banking app, whatever you want to develop, you can use Android Studio, and it will automatically come with the Android SDK. All right, so this is the Android file system structure. I'm talking here about the Android operating system file

structure. This file system, this is, and this is for the apps, Android apps, but this file system structure is for the operating system. So it is pretty much similar to Linux: there is a single root here, and we have an sdcard folder and an external sdcard folder, so if you put any external SD card it will appear in the Android file system structure. And this is the main important thing that Android does, because Android manages sandboxing and the permission model in a very, very unique way. So whenever we install an app, suppose we install two apps, App1 and App2, so when we open or when we start our app,

App1 will get a unique process ID and App2 will get a unique process ID. So basically App1 will get a unique user, like a UID, and App2 will be treated as a unique user by the Linux kernel. So the Linux kernel gives a unique ID to App1; it will treat App1 as a user and it will treat App2 as a user. So App1 cannot use the resources of App2 and App2 cannot use the resources of App1, and inside the data folder, App1 can store whatever data they want to install, and App2 can install their own data inside their own folders, so they cannot access the files and the data of

each other without the permission, without the use of an intent, right? So this is how Android manages the permission model and sandboxing. And this is the process of creating an APK. Basically, as I showed you in Android Studio, we write Java programming and we develop the Android app, and then we compile the code by using the Java compiler and we get the bytecode, and then again we compile the bytecode with the help of the dex compiler, and with resources, all the resources and data, and then we get the APK file. So this is the diagram for creating an APK from the Java files. This is an Android component architecture, sorry, diagram. So we have different

components in Android, like activity. So an activity is a screen, a single screen we can call an activity. Like, so this is the home fragment, this is an activity; now this is the dashboard fragment, this is the notification fragment. So notification, dashboard, these are the buttons, but this, the notification fragment, is an activity. So an activity is a screen and these are the buttons. And services, like suppose we are doing some chatting and in the background we are listening to some music, so that music will be a service. A broadcast receiver is like when our phone battery is going down and the system alerts that your battery is going to be down, five percent, below two percent, low;

this is a broadcast message. Or when we apply DND, so at the time of 10 PM it will automatically appear that do-not-disturb mode is enabled automatically; so it is a broadcast message, basically. Content provider: basically content provider components supply data from one application to another on request. So when you request data from one application to another, it will be done by using the content provider. And we have an additional component like intent; so intent is also very important. An intent is like a messenger. Suppose we need data from App2, suppose App1 needs the data from App2, so with the help of an intent it will send a

request to App2, and App2 will transfer the data with the help of a content provider to App1. This is something, how they work together. Now let's create the pen-testing environment lab. So for creating the pen-testing environment lab we need an emulator; so we can use this emulator, the Android Studio emulator, or we can use the Genymotion emulator. So I will use Genymotion; I will show you how to install the image of any Android operating system. So I am going to open my Genymotion. So Genymotion you can download from here, this is the website, Genymotion; you can download and you can install it for Linux, Mac and Windows. So basically Genymotion

works with VirtualBox, so you need to install VirtualBox in order to run Genymotion. I already have VirtualBox. So these are the images. So when you install Genymotion, you open it up and you log in inside Genymotion, and you will find there are so many images; these are the custom devices. So you can install any image; make sure it should be like API 23, Android 7, 8, you know, it should be something not too much latest or not outdated. So we will do so here. If I want to show you how to install it, just click on this button. So I will show you on

some latest one, right, custom phone, this one. You install it here; the default is that, custom phone 2, and it starts downloading. When it completes, it will automatically, so we can create it. So when it will be completed, so in the meantime I will start this one; it's already installed. So it is starting the virtual device and you can see here custom phone 1, it's running in VirtualBox, right? This is the image, it is booting up, and this is our IP address, you can see here. And we also get the message that the device has been installed; we can start this as well

if you want, right, because I want to show you how to install it, that's why I installed it. And now, okay, now it's already started, right? So now first we need an app; we are going to do pen testing, right? So we need an app where we can do our pen-testing practice, right? So we will do our pen-testing practical on a very good app, Pivaa; we can find it here. It is a very good app and it is developed by HTBridge. So why am I choosing it? Because it covers so many vulnerabilities. You can see here, vulnerabilities covered, these are the vulnerabilities that it covers, and it helps us to explore more

vulnerabilities, so that we can learn about more vulnerabilities; the more names we know about the vulnerabilities, the more we'll learn, right? So we will use this app. You can download it here, APK, and this is the APK. I already have it; click on download, I have five files actually. So I downloaded it and now I will try to install it inside this emulator. Before we go ahead we need one more tool called ADB. And what is ADB?

Basically you can learn about ADB here. ADB is a bridge that will help us to communicate with the device or with the emulator. So with the help of ADB we can easily communicate with the emulator, right? So you can learn about it, what ADB is, how we connect, and what are the commands that ADB provides to us. ADB is actually a very good tool, and it will automatically come with the platform tools if you download the Android platform tools.

If you download the platform tools, it will come automatically with adb, fastboot, systrace. So here they have the platform tools already: Windows, Mac, Linux, you can download it. I already downloaded and installed ADB in my system. So now I will try to run adb, sorry, adb, and you can see there are so many commands. Now we will go up and we will start seeing the different commands, right? So first is like devices: the devices command will list all the devices, right, adb devices. So now you can see we have two emulators, this one and this one. So this emulator belongs to Android Studio, you know, we are already in this emulator, this one

right, and both are connected, right?

Now I will try to install the Pivaa application in both emulators, right? So now I will go into my directory.

This is, so now I am going to copy that Pivaa file inside this directory.

Download. Which one should I copy? You can copy any one.

Let's try to keep

Okay, okay, now we get the Pivaa file.

adb devices, right. Now I am going to install this file; let me change the name of this

file. Now it looks fine. All right, now I'm going to install it, and we can install it in an emulator. Okay, let me

We don't need to install the file in this emulator; Android one will

So you can see that emulator has disappeared; it is here. So this is the command that will install the Pivaa application inside this Genymotion emulator. Now we can see the install has been successful. Okay, let's go to the device and check. Here we can see, and we can open this application. This is the main screen, the main activity of this Pivaa application. So why do I use Pivaa for the demonstration purpose? Because it contains so many vulnerabilities. Now you can see here there are so many vulnerabilities: login, encryption. So it will give you an idea, actually, of what kind of vulnerabilities you can find inside an application. If you are a beginner then you don't need to go into reverse engineering, you

don't need to start with Frida as a beginner. So as a beginner it will help you to understand what kind of vulnerabilities can be found inside the mobile app assessment, right? Dynamic code loading, here you can see services: adb shell am start, you know, am is activity manager. So adb shell gives a command to the activity manager to start the particular service, like this, as they have written here, right? So these are the vulnerabilities that we can easily learn and we can easily try to find out inside any assessment. And if we see the About the project, we see, as we saw on the Pivaa website, these are the details of the vulnerabilities covered

in this application. We will not cover all the vulnerabilities; we will cover very few vulnerabilities, but it will be helpful for your learning purposes. So this is why I choose, I always choose, this application for demonstration. So we are almost all set with our pen-testing lab. One thing I also want to highlight: there is a VM, Mobexler. So this VM is very good; it is very good for both Android and iOS. So basically, if you do not want to set up or install ADB, the Android platform tools, Genymotion and all this stuff, if you don't want to install it, what you can do, you can download this Mobexler VM

and then you can start your pen-testing process; you can create your lab and you can start all your pen testing. But in that also you need to install Genymotion in a different environment, because it does not come with Genymotion; it comes with Android Studio, so you can use that emulator. If you want to use the Android Studio emulator you can use that. So this is Mobexler; you can find it on its website, you can find it here, computer

image

This is the website; it will give you all the details about Mobexler, and it's very good actually, it's very good. Download, this is the download form, this is the download feature, and this is the home page of the website: Android Zone, iOS Zone. So I will show you: this is when you log in, download and install in VirtualBox, and you log in, so you will get these stuff, the zones, iOS Zone, Android Zone. So you will get almost all these tools, like JD-GUI; it's a very good tool, sometimes it creates problems while working on Mac, so you can work on this. Frida is a very good framework for iOS, and you can start MobSF;

it is a very good tool for static pen testing. It will give you an overview of the application: how many activities are there, how many content providers, how many broadcast receivers are there. So MobSF, we will see it; it's browser-based, you can find, this is a very good framework, browser-based, and you will get a lot of tools in this VM, you will get Burp Suite as well, so many. It's good to use; it's recently used. Suppose I want to use MobSF: 12345 is the password, so it will start MobSF, and I can, it will start MobSF. It's a very good tool; I will show you, so I just

started it for the demonstration. I will not do any assessment right now; I will do it later, at the end of the workshop. It is starting, let's just start. Right, so now we have almost set up our environment, the pen-testing environment, and we have almost installed the application, right? Now we have the APK. Suppose we are working in any company, any industry; we receive the APK and our setup is already ready. So what will be the next step? The next step will be the approach. This is done, this is the next step. So we know there are two testing approaches: one is static pen testing and the other is dynamic. So what is static pen

testing? Static pen testing is when we do pen testing when the code is not running; we have only the code, we have only the APK, and we are not going to install it, we are not running the APK inside the mobile device, and we are doing the pen testing, or we are doing source code analysis, on just the APK file. That comes inside static pen testing. And dynamic is something where we install the application, we run it, we start intercepting the traffic into Burp Suite, we start hooking the application by using the Frida tool, and we try to bypass some restrictions like SSL pinning or like root detection. So all these activities come into

dynamic pen testing, right? So now let's start with static pen testing.

Let's start with static pen testing. So first of all I will start with this tool, MobSF; it has already started here, you can click on it, it will be here

and you can see it's already there.

So when we open MobSF, it's a very good tool for basically static; dynamic we can do as well, but dynamic will not give you the proper, very quality result. So what we need to do: we just need to drag and drop the application. So this is Pivaa; I will upload it and we will get the result in a very few minutes, right? When we get the result, it is not perfect, so what we will get is the idea, we will get an overview, right, we will get an overview of the

application. So let's see, it is analyzing the application, and it will give us an idea about the application, because the more we dig into the application, the more we will try to find out the loopholes. It is kind of recon, so for the recon purpose you can use this tool. And now we get a very good screen, a very formatted output; we can see that it gives the output as well of what can be the vulnerabilities, but till the end, you can see this application till the end. You can also download a report from this MobSF, but see, if you click on report it will come like this; it will also mention the

vulnerabilities, either these are not vulnerabilities, but it's fine, I mean for the purpose of understanding. So we will go one by one. So now we have almost got the result of MobSF; now see, so this is the application name and this is the package name, com.htbridge.pivaa, this is the package name. This is the main activity name, we can see here; SDK, target SDK 26, we can see here; Android version is 1.0, right; security score, we can see here, 10 out of 100, because it's a vulnerable application of course. Now, as I told you, we will receive an overview result, so we can see here there are 10 activities in this

application, there are 10 activities in this application. So we get to know now that there are 10 activities, so we can go to the activities and we can see, okay, these are the activities here: MainActivity, encryption activity, WebView activity, database, cloud, load activity. So these are the activities we can try to get into further, right? But for right now we know, okay, there are 10 activities. Now again we will go to, now we see there is one service, okay, and that service is exported; that means it can be used by other apps if it is exported. So we will go to services; so this is the service, handlers vulnerable service, this is the

service. This is the receiver, this is the content provider; we can see here, this is the content provider, right, content provider, receiver, broadcast receiver. Now here we can see, if we want to start dynamic analysis we have to set up the dynamic analyzer; so in that case we need an emulator for this particular MobSF. Now we can download the Java code, we can download the smali code, we can download the APK; the APK we already have. So now we can view the Android manifest file here; we can click on that. And so what is the Android manifest file? The Android manifest file is a central file that

contains each and every piece of information about the app: suppose, what are the permissions, what permissions are needed when we install the application inside our mobile device; all that is written in the AndroidManifest file. Suppose NFC, write external (storage) permission, read external permission; so these are the permissions that are required in this application when we install it. So you can check it: suppose it is not a banking application, there is no need for the NFC permission, right, near field communication protocol, if it is required or not; the profile, read contacts. So based on the properties of the application we can decide how much permission is required. And now

we can see the activity; this is the intent filter here, right. As we know that there is a main activity that is exported, right, so if an activity is exported, that means they have defined the intent filter also. And these are more activities here, exported is true as well, so you will find an intent, yes, right? So, okay, this is done, that's it. This is the small AndroidManifest file, but it is very important to go and learn about the AndroidManifest file, as it will give us too much knowledge about the application. Right, now let's try to decompile the application by using other tools, right? There is a tool called d2j, dex2jar,

and this is a Java decompiler. d2j, dex2jar, will decompile the application into a jar format. The file is already there, so let me remove the first one.

Now it is decompiling and we are getting the jar file

and okay, I will open it in the Java decompiler JD-GUI. This is the Java decompiler, and now I can see the source code of the application. Now here you can see, you can open AboutActivity, you can open BroadcastActivity.class file, BuildConfig.class file; is it debuggable or not? Yes, it is; debug configuration file, you can see. You can see MyVulnerable, you can see 'very complicated password', you can see the password here, sorry, WebView link, you can see here, username is test, you can see here. So you will find out the hard-coded sensitive data, if something is hard-coded inside the mobile app, and you will be surprised that

still we find this vulnerability in modern applications; still we find sometimes the key, the token, the API keys, or sometimes the username itself hard-coded inside the application. So this is how you can decompile the application by using dex2jar and JD-GUI, right? And suppose we are not able to identify anything; we go to search, we start searching, we'll click on, we want to search everywhere: Java module, method, constructor, everywhere, 'username'. So it will come like this, okay, and we see username got highlighted, right, and we got the username test. Suppose you want to search password; you can search here 'password', it will highlight all these

passwords

here, password, password. So you will find the password. If you want to search the token, you can see here it will highlight 'token is not a valid session token object', right? If you want to search the key, so it will appear here. So this is how you can search.

Search is very good actually.

Yeah, so this is how you search: api, API, and so on and so on, so many things, right? So we can find easily if something is hard-coded; if some sensitive information is hard-coded we can easily find it. If we want to find some username, admin, administrator, right, local, test, test, we can find, guest, yes, we can find. So this is it, that's it about it. So still what we are doing is still static pen testing; we did not start our application and start doing dynamic pen testing. This is static pen testing, right? Now I want to go further

and now let's do reverse engineering; let's try to reverse engineer the application and then try to see what we can do, whether we can tamper with the application or not, whether we can sign the application again by using jarsigner or not, right? So basically there are two things: one is tampering and one is reverse engineering. Tampering is a process where we do reverse engineering of the code, so what we have is the APK file, we try to decompile it and get the source code, and then we try to modify it, we try to inject our code; basically it's called tampering. We tampered with the APK and then we rebuild it and resign it, and then we install that

tampered application. But in simple reverse engineering we decompile, and we recompile and resign it. So if we want to recompile and we want to tamper also, we have to inject our code somewhere, so that we can easily compile and resign, and that application can be useful for a malicious purpose, or it can affect any victim, right? So there are many tools for decompilation; as I showed you, the Java decompiler, and this apktool, it is very good. So while using apktool we can decompile or even we can build the application. So let's decompile the application by using apktool. So we already have this pivaa.apk file.

apktool, this is the command to use to decompile; you can see the apktool, these are the commands in apktool. So let's

now our application is decompiling, and as we can see we got a new folder, right, and we can see the resources, as we have seen in the Android Studio project, right? So not all the resources we will find here, but similar to those resources, like this res, values, strings; we can find the strings here. Sometimes there is so much important information stored inside these strings,

right, and here we get the Android manifest file, as we have seen in MobSF. So suppose we want to tamper with something, right? Okay, let's tamper with the manifest file. What we can do: camera, phone, recorder, we can remove this permission, or we can make the backup false, okay.

We have tampered with the application. Now go back and again recompile it; sorry, we have to give the same folder name. Now it is checking whether the source has changed. I don't know if they have any filter where they can verify whether the application is tampered with or not, but you will get a new folder called dist and you will get a new tampered application, right? So this is the tampered application, right? Now we cannot install it until we sign it by using jarsigner. We have jarsigner already, so I will go into my jarsigner

This is done, this is also done. Ah, this is right, the complete signing. Now I'm going to resign it.

I was having a jarsigner somewhere; I don't know, I forget, I guess.

Where is my jarsigner?

Sorry guys.

Okay, here, right.

Right, this is, we have jarsigner, okay. So I can use it; I can copy this part, java -jar, this, and I can give the APK

Now we will receive a signed one, right; I will change its name.

That's right. Now we will try to install this, the tampered one. So what I will do: I will uninstall the previous APK, this one.

I uninstall it, and uninstall complete, finished, no application now. Now we will do, so we're ready, we will install the tampered one. It is here; it has been installed. Now you can see here, right, we have seen the password, right, in this one here: test and 'very complicated password'. Now let's try to log in with that password: test, very complicated. Now here we can see we logged in inside the application; we can find out the different links, okay, it is opening the browser. These are the different practicals actually, here, right? So we are done with this practical, and I guess we don't need this Mobexler now, in the future, right? Now we have seen the security

issue like hard-coded password already. Because, guys, I was going in a flow, so I didn't care about the PPT, if I am going step by step or I am jumping; that's fine, just the purpose of executing the practical is to demonstrate the vulnerability. Now there is one more vulnerability called insecure data storage, and this vulnerability is still found. So what happens in this vulnerability: we find some sensitive information inside the mobile device itself. Okay, let's try to get this

vulnerability. Now for this we have to go inside the shell, adb shell; we are now inside the device. We can check the IP address, you know, this is our IP address, and now we have to go to /data/data. Now you see we can see all the packages; so these are the folders, as I described, it is managed by the Linux kernel, it is like Linux permissions and sandboxing. So these are all different folders belonging to different apps. So this is our folder here; we will go into this package and we will see. But right now these are the folders inside this file, like the shared folder; we can check if there is anything in

this folder, no. We can check if this has something, nothing, right? And sometimes there is a folder called files; it is not appearing right now because I guess we didn't execute anything, that's why it is not coming, right? If we execute then it might appear.

You can see app texture.

This is the directory; we can try to get into the directory

and there is nothing in this. So okay, let's try to uninstall this tampered one and check, let's try to install this tampered one and see if it should not change anything.

Ah, okay, this is, you know, okay, I want, now I tried to install this APK; this is not the signed one, right, so that's why it failed to collect the certificate from this one. Nice. So we cannot install the unsigned application, so we have to go back; so we'll install this one, now it will install this, right?

here you can find it and

you can try to log in. Okay, this is the cross-site scripting vulnerability. So whenever the application enables JavaScript, if you found that the application has JavaScript enabled and it is loading a remote URL, then you can do a cross-site scripting. So you put your, like this, here we have put our script and we put the URL up there, and now we go, it will execute the profile description here. So this is how we find cross-site scripting in a mobile application, right? Now we go to our practical, reading /data/data, all the packages,

/data/data, right, right. Still there is a folder, it's always up here, here, files; it is not coming, I don't know, but you will find some. So you can check this folder inside the package folder; you can check if they are storing any kind of sensitive data, or sometimes they also install inside the actual SD card, inside the sdcard, so you can also check the sdcard as well. You will find it: this is root and here is sdcard, and you can check. Now this is not there right now, there is nothing, but you can check and if something is there, you can see here

you can find here files, so this is, you know, a credential.dat file. So sometimes they store some sensitive data inside the local device, and you can find test and password. So this is how sometimes you find tokens, API keys, JWT tokens, or sometimes encrypted tokens, and sometimes MD5 hashes. So always try to check what they are storing inside the local device. This is for this practical. And now, as I already explained, other work we can find: IDOR, API vulnerabilities, access control issues, auth-related issues, JWT token issues. So just for finding the IDOR, API vulnerabilities, access control issues, we have to intercept the traffic, we have to open the application, we have to

intercept the traffic. So for doing this we need to set up the proxy, right? Okay, now let's set up the Burp proxy, and for doing the proxy we also need to install the certificate of Burp on the custom phone. If we have anything, nothing, I guess we already reset it. Previously I installed it, but yes, the certificate is not there because the lock is not there. If we have to install the certificate, we have to also set up the screen lock, okay? It will automatically tell us, it will force us to set up this screen lock when we install the certificate. So again we have to install the certificate. Now what I will do is

I will push the certificate. I will use the feature adb push and push the certificate into the mobile device, right? So I will exit from here and I will go

I already have the certificate. I will push, adb, this is the command, push

you can see

These are the certificates you can easily push, but where we want to push, we can check here, shell, we go, ah, we are, sorry, we are already inside the device, right? So we can put the certificate here as well. If you want to put it here in Download, sdcard Download, we can put it here as well. So just write this path, copy and paste, one file pushed. Now we go here, right, we are already inside the file because we are inside the device by using this command, adb shell. So now if we ls we get the certificate, right? Now we can install this certificate: just go into the device, in Settings, and when we search "install certificates" we go to Install

certificate, we go to Downloads. It is not here because we have to go here, and this is the certificate, we can name it Burp. Now it will ask for the screen lock PIN, one two three four, one two three four, don't show notification at all. Now Burp is in store, Burp's certificate installed, right? Now the time comes for applying the proxy.

Where is the Wi-Fi? This is the Wi-Fi, go there, modify, proxy manual, and put the IP address here. IP address for what? For our primary OS, where we want the traffic to go through, right? So we can check the IP address here. IP, sorry, but this is the IP address of the device, right, this is the IP address of the device, and this is the IP address of our OS. It will come 0, this one, 0.186, right? So we can put it

I already started Burp, so we can put it here, 192.168.0.186, port, we can give 8080. Now we have set up the proxy here. Now we have to start Burp for listening on the proxy, so what we can do: all interfaces, edit, edit, that's it. It will start intercepting on all interfaces, allow. Now just go to Intercept; intercept is on, off. Now let's try to open something, let's try to open google.com. Now we can see the traffic is coming into Burp Suite, and here we go. We already, we said we installed this Burp certificate, now we can intercept the HTTPS traffic. Forward, we see the result, it will come, it will take time, so we can

intercept off, see this result, it will come. Actually this browser is not good, that's why. Now we open our application, this is our application, check if we will go here, click on go

ah this one what happened okay

okay

Hmm, fine, the request for the intercept is on, do not come. Now let's try this

let's say this one it's come

uh what is the error

There's no need to worry about handset because the application does not have any certificate hassle claims.

Okay, let's set up again, no problem, close this up.

This, let's keep it, this IP is for villager, yes, yes, but fine, because sometimes this creates a problem, bridge, and if it will not work then we will set up with this one. What happened? Okay, it is opening. So this is the last practical actually: we have installed the Burp certificate for intercepting your traffic, it got installed and it was okay, fine, suddenly something happened, and I, we should also specify the address

this one

will come

Traffic was coming before; it is not coming this time.

Sorry guys, it is taking a little bit of time, but I want to show you because sometimes it creates problems, but it's fine. So now I will start intercept on this

I think we will get a different IP address as well.

Our emulator will get a different IP, this is okay, fine. This is starting, this is taking a little bit of time, it should not take it, I don't know why it is taking time.

Okay, and sometimes, like, we need some Google Play stuff, so there is here OpenGApps, we can install it from here itself. You have to install OpenGApps on your virtual device, so when you install OpenGApps you will find the Google Play Store and you will find the Google apps by default. Right now it is not opening, it is, it's open now, if we see

adb shell, see the IP address, 0.183 and 57.102, okay, and if

our

yes this is fine

did you okay

that's what he does sometimes it's

happening

I don't know what is happening here, I will just modify it on that and try to, this is the last practical actually. So after that, so basically we can find these vulnerabilities by using, when we intercept the request, and when we set up and intercept the request, when suppose we want to delete other user commands, so we try to change the command ID, we try to change the user ID if you want to delete some user profile data, and here like some API vulnerabilities, like access control issues, authorization issues and JWT token issues. And so this is the source code review here we can do, because source code review is always good to find out the low-hanging fruit,

to find out the vulnerability before it goes to production. So these are some benefits of source code review: detection, like we can detect easily, we can detect some hard-coded password, secret key is there before it goes to production, and we can detect some deductible definition as well, we can detect some weak algorithm uses as well. So these are the benefits of mobile application source code review. These are some references I took, and that's all guys for this. Thank you very much for your patience and thank you for joining me today, thank you guys.
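The proxy setup walked through in the practical (push the Burp CA to the device, then point the device at the host running Burp) as an added shell example; this is not the speaker's script, it uses adb's global `http_proxy` setting instead of the Wi-Fi dialog shown in the talk, and it assumes the CA was exported to `./burp.der` and that Burp listens on 192.168.0.186:8080 (the values used in the talk).

```shell
#!/bin/sh
# Added example, not from the talk: prepare an emulator you own for Burp interception.
# Step 1: push the exported Burp CA to Download/ so Settings > Install certificate can
#         pick it up (the manual install step still has to be done on the device).
# Step 2: set the device's global HTTP proxy to the host running Burp.
# Assumed values: ./burp.der for the CA, 192.168.0.186:8080 for the listener.
set -e

ADB="${ADB:-adb}"   # override with a stub function to dry-run without a device

# Validate HOST:PORT before handing it to the device. A typo here silently
# blackholes all traffic, which looks exactly like "traffic is not coming".
proxy_spec() {
  host="$1"; port="$2"
  case "$port" in ''|*[!0-9]*) echo "invalid port: '$port'" >&2; return 1 ;; esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "port out of range: $port" >&2; return 1
  fi
  printf '%s:%s\n' "$host" "$port"
}

# Push the CA with a .cer name so the certificate picker in Settings offers it.
push_ca() {
  cert="$1"
  [ -f "$cert" ] || { echo "certificate not found: $cert" >&2; return 1; }
  "$ADB" push "$cert" /sdcard/Download/burp-ca.cer
}

# Point the device at the proxy; ':0' is Android's "no proxy" value, used to undo it.
set_proxy() {
  spec=$(proxy_spec "$1" "$2") || return 1
  "$ADB" shell settings put global http_proxy "$spec"
}
clear_proxy() {
  "$ADB" shell settings put global http_proxy :0
}

# Read the value back so a failed put does not go unnoticed.
show_proxy() {
  "$ADB" shell settings get global http_proxy
}

if [ "${1:-}" = "run" ]; then
  push_ca ./burp.der
  set_proxy 192.168.0.186 8080
  show_proxy
fi
```

On Android 7 and later, apps targeting API 24 or higher only trust user-installed CAs if their network security config opts in, so a user-store install alone may not be enough for every app, even without pinning.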