Android Application Assessment - sans.org
Android Application Assessment- © 2013 Christopher Crowley
Android Application Assessment
Inspecting Android Applications for Known Issues
Assessing Mobile Apps (1)
• Risk from mobile applications
  – Low – app poses little or no threat to device and data on device
  – Moderate – app poses some threat to device protective measures and data stored on device
  – High – app is likely to circumvent device protective measures and/or exfiltrate private data
    ● All address book data to a server
    ● Intent with poor filtering
Assessing Mobile Apps (2)
• Checklist of actions to perform for mobile app assessment
• Checklists are effective in this context
• Helps to build in-house knowledge for ongoing assessment; once the org starts to assess apps, you are responsible to do so for evermore…
Threats
• Primary threat to Android devices is mobile malware
  – SMS premium rate messages cost people money
  – Private data theft
• Pen test objective is to model the threats associated with running the apps
• Non-malware threats use the same methods as malware
Two Types of Assessments
• Behavioral
  – Use a sandbox environment
  – Watch file access, network traffic, SMS messages, calls
  – Easier when dealing with obfuscated code
  – App may not misbehave while you’re watching
• Static Code Analysis
  – More challenging
  – More thorough (if done properly)
  – Can detect latent behaviors, long-running timers and triggered events
Checklist
• Checklists are lame
• But checklists have proven to be extremely effective at preventing mistakes in routine (and important) tasks
  – Pre-flight checklist
  – Medical checklist
Android Static Analysis - 1
• Android Static Analysis
  – Applications for Android come in the form of Android Packages (APK)
  – APKs contain a Dalvik Executable (DEX), a Manifest, and other files
  – DEX is bytecode compiled from Java code
    ● We can use two different approaches to extract Java code from DEX files
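As an added example (my own code, not part of the slides), the following Python inspector looks at the package structure just described before any decompilation: it opens the APK as the ZIP archive it is, confirms that the manifest and the DEX are present, and parses the DEX header (magic, version string, adler32 checksum, and the sizes of the string/type/method tables). The APK and DEX header it works on are constructed inline as sample input; no real application is involved.

```python
"""Added example: open an APK as the ZIP it is and parse the DEX header.

Constructed sample data only; the APK and DEX built here are not a real app.
"""
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70
# Names of the 20 little-endian uint32 fields that follow the 20-byte SHA-1
# signature in a DEX header (offsets 0x20..0x70).
DEX_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_dex_header(data: bytes) -> dict:
    """Validate the DEX magic and checksum, then unpack the header table."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("too short to be a DEX file")
    magic = data[:8]                       # b"dex\n" + 3-digit version + NUL
    if magic[:4] != b"dex\n" or magic[7:8] != b"\x00":
        raise ValueError("bad DEX magic")
    checksum = struct.unpack_from("<I", data, 8)[0]
    header = dict(zip(DEX_FIELDS, struct.unpack_from("<20I", data, 32)))
    header["version"] = magic[4:7].decode("ascii")
    # The adler32 checksum covers every byte after the checksum field itself,
    # so a single flipped byte anywhere in the file is detectable here.
    header["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    return header


def inspect_apk(apk_bytes: bytes) -> dict:
    """Summarise what an APK carries before any decompilation is attempted."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = apk.namelist()
        missing = [n for n in ("AndroidManifest.xml", "classes.dex") if n not in names]
        if missing:
            raise ValueError(f"not an APK, missing {missing}")
        dex_names = sorted(n for n in names if n.startswith("classes") and n.endswith(".dex"))
        return {
            "entries": len(names),
            "dex_files": {n: parse_dex_header(apk.read(n)) for n in dex_names},
            "native_libs": [n for n in names if n.startswith("lib/") and n.endswith(".so")],
            # A signature block under META-INF/ means the package was signed
            "signed": any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))
                          for n in names),
        }


def build_constructed_dex(string_ids_size: int = 3) -> bytes:
    """Constructed 0x70-byte DEX consisting of a header only (sample input)."""
    magic = b"dex\n035\x00"
    signature = b"\x00" * 20               # SHA-1 left zeroed in the sample
    table = struct.pack("<20I", DEX_HEADER_SIZE, DEX_HEADER_SIZE, 0x12345678,
                        0, 0, 0, string_ids_size, DEX_HEADER_SIZE, *([0] * 12))
    checksum = zlib.adler32(signature + table) & 0xFFFFFFFF
    return magic + struct.pack("<I", checksum) + signature + table


def build_constructed_apk() -> bytes:
    """Constructed APK-shaped ZIP with placeholder entries (sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"<placeholder binary manifest>")
        apk.writestr("classes.dex", build_constructed_dex())
        apk.writestr("lib/armeabi/libnative.so", b"\x7fELF placeholder")
        apk.writestr("META-INF/CERT.RSA", b"placeholder signature block")
        apk.writestr("res/layout/main.xml", b"")
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_apk(build_constructed_apk())
    for name, hdr in report["dex_files"].items():
        print(name, "version", hdr["version"], "checksum ok:", hdr["checksum_ok"],
              "strings:", hdr["string_ids_size"])
    print("native libs:", report["native_libs"], "signed:", report["signed"])
```

Run it against a real package by passing the file's bytes to `inspect_apk`; a failed `checksum_ok` on a downloaded sample is worth noting before you decompile, since it means the DEX was modified after it was built (or is corrupt), which matters when the sample came from a malware repository rather than a store.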
Android Static Analysis - 2
• Android Static Analysis
  – This is a challenging thing to do!
  – There are some tools available to help with automation
  – Look at a few of these, then dig into a manual method
Automated Analysis - 1
• Stowaway
  – Online assessment; requires upload of the apk file to the server at http://www.android-permissions.org/
  – Gives a listing of the permissions requested, and whether the permissions are actually used
Automated Analysis - 2
• Androwarn
  – Static assessment
  – Produces an HTML report of potentially sensitive actions based on the function calls present in the code
  – Available from: https://github.com/maaaaz/androwarn
Manual Analysis
• Back to manual
  – Manual code inspection provides the most thorough assessment
  – Requires the most skill
  – Objective is to help you develop a methodology for quickly scouring code for known suspicious functions
  – We’ll use Eclipse and FindBugs™ to accomplish this
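The three preceding slides describe the same idea from three angles: Stowaway's "permissions requested vs. actually used" listing, Androwarn's report of sensitive actions keyed on the function calls present, and the manual method of scouring code for known suspicious functions. The Python below is an added example of my own (not Stowaway, Androwarn, or FindBugs code) that does a small version of all three over decompiled Java text: it greps for a handful of sensitive calls, maps each onto the permission it normally needs, compares that with the `<uses-permission>` entries in a decoded manifest, and rates the result on the slide's Low / Moderate / High scale. The call-to-permission table is a subset I wrote for this example, the rating rules are my reading of the scale on the "Assessing Mobile Apps (1)" slide, and the manifest and source files are constructed sample input.

```python
"""Added example: grep-style triage of decompiled Android source plus a
Stowaway-style check of requested vs used permissions.

The call-to-permission table is a small subset written for this example, and
the Low/Moderate/High rules are one reading of the slide's risk scale.
Sources and manifest below are constructed sample data, not a real app.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# regex -> (what the call does, permission it normally needs; None = no permission)
SENSITIVE_CALLS = {
    r"sendTextMessage\(": ("send SMS", "android.permission.SEND_SMS"),
    r"ContactsContract\.": ("read address book", "android.permission.READ_CONTACTS"),
    r"getDeviceId\(": ("read device identifier", "android.permission.READ_PHONE_STATE"),
    r"requestLocationUpdates\(": ("track location", "android.permission.ACCESS_FINE_LOCATION"),
    r"openConnection\(|HttpClient|new Socket\(": ("network I/O", "android.permission.INTERNET"),
    r"getRuntime\(\)\s*\.\s*exec\(": ("execute native command", None),
    r"DexClassLoader": ("dynamic code loading", None),
}
PRIVATE_DATA_READS = {"read address book", "read device identifier", "track location"}


def requested_permissions(manifest_xml: str) -> set:
    """Collect <uses-permission android:name=...> from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NAME) for el in root.iter("uses-permission")}


def scan_source(sources: dict) -> list:
    """Walk {filename: text} and record every line that hits a sensitive call."""
    hits = []
    for fname, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for pattern, (category, perm) in SENSITIVE_CALLS.items():
                if re.search(pattern, line):
                    hits.append({"file": fname, "line": lineno, "category": category,
                                 "permission": perm, "code": line.strip()})
    return hits


def rate_risk(hits: list) -> str:
    """Map findings onto the slide's Low / Moderate / High scale (example rules)."""
    cats = {h["category"] for h in hits}
    # private data read + network path = the "address book to a server" case
    exfil = bool(cats & PRIVATE_DATA_READS) and "network I/O" in cats
    if exfil or cats & {"send SMS", "execute native command", "dynamic code loading"}:
        return "High"
    return "Moderate" if cats else "Low"


def assess(manifest_xml: str, sources: dict) -> dict:
    hits = scan_source(sources)
    requested = requested_permissions(manifest_xml)
    used = {h["permission"] for h in hits if h["permission"]}
    return {
        "risk": rate_risk(hits),
        "hits": hits,
        "unused_permissions": sorted(requested - used),      # over-privileged
        "undeclared_permissions": sorted(used - requested),  # call present, no grant
    }


CONSTRUCTED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

CONSTRUCTED_SOURCES = {
    "ContactsSync.java": """
import android.provider.ContactsContract;
public class ContactsSync {
    void upload() throws Exception {
        Cursor c = resolver.query(ContactsContract.Contacts.CONTENT_URI, null, null, null, null);
        HttpURLConnection conn = (HttpURLConnection) new URL(SERVER).openConnection();
        conn.setRequestMethod("POST");
    }
}""",
    "Device.java": """
public class Device {
    String id() { return ((TelephonyManager) ctx.getSystemService("phone")).getDeviceId(); }
}""",
}

if __name__ == "__main__":
    result = assess(CONSTRUCTED_MANIFEST, CONSTRUCTED_SOURCES)
    print("risk:", result["risk"])
    for h in result["hits"]:
        print(f"{h['file']}:{h['line']} {h['category']}: {h['code']}")
    print("requested but unused:", result["unused_permissions"])
    print("used but undeclared:", result["undeclared_permissions"])
```

On the constructed input the address-book read plus the outbound connection rates High, `SEND_SMS`, `ACCESS_FINE_LOCATION` and `CAMERA` show up as requested but never exercised by any scanned call, and `READ_PHONE_STATE` shows up as used but not declared. Each of those is a pointer to a file and line to open in Eclipse rather than a verdict; the table of calls is deliberately small, so extend it with whatever your checklist treats as suspicious.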
Eclipse
• Eclipse is a development environment
• Provides opportunity for code review
  – But this is manual
  – Need to know Java fairly well to know what to look for
  – We can help resolve this with FindBugs™
FindBugs™
• FindBugs™ is a suite of checks for known programming flaws
• It is intended to help programmers to avoid known, common errors
• We are going to adapt it to our purpose of looking for code that is suspicious and warrants review
Install Eclipse
• http://www.eclipse.org/downloads
• Download Eclipse Classic
• Install default
  ● Next, next, finish ;-)
Install FindBugs™ - 1
• Eclipse: Help->“Install New Software…”
Install FindBugs™ - 2
• Click Add…
• Enter “FindBugs update site” (no quotes) for the name
• Enter “http://findbugs.cs.umd.edu/eclipse” (no quotes) as the Location
• Click “OK”
Install FindBugs™ - 3
• Click “Select All”
• Click “Next”
Install FindBugs™ - 4
• Accept the warning
Dalvik to Java - 1
• Now we need to have Java code to import into Eclipse
• We will use the APK files to inspect the code.
• There are two main ways to do this
  – Dex2jar
  – Smali / apktool
Dalvik to Java - 2
• Use dex2jar.bat to get readable, but non-executable, Java code
• Use smali and apktool to get executable, but difficult to read, Java code
• You will probably end up doing both, as each is useful in its own way
APK disassembly – smali
• Smali and apktool method
• Results in code that can be modified and recompiled
APK disassembly – Dex2jar
• Dex2jar method
Sidebar – Android Package downloads
• Where can you get the code to assess?
  – Download .apk file from internet
  – Move application to removable sdcard, then remove sdcard and copy
  – Copy .apk file from rooted android device
• Malware
  – http://contagiominidump.blogspot.com is a repository of known android malware
    ● Good material to practice with, but be careful with malware!
Import code to Eclipse
• 1) Create new project
Import code to Eclipse
• 2) Import external archive
Conclusion
• App Assessment is a valuable task to protect individuals and organizations
  – Behavioral
  – Automated code analysis
  – Static code analysis
• Android has substantial threats from malware
Contact Info
• [email protected] – LinkedIn e-mail
• +ChrisCrowley – G+
• @CCrowMontance – Twitter