Hacking Android
Table of Contents
Hacking Android
Credits
About the Authors
About the Reviewer
www.PacktPub.com
eBooks, discount offers, and more
Why subscribe?
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. Setting Up the Lab
Installing the required tools
Java
Android Studio
Setting up an AVD
Real device
Apktool
Dex2jar/JD-GUI
Burp Suite
Configuring the AVD
Drozer
Prerequisites
QARK (No support for Windows)
Getting ready
Advanced REST Client for Chrome
Droid Explorer
Cydia Substrate and Introspy
SQLite browser
Frida
Setting up Frida server
Setting up frida-client
Testing the setup
Vulnerable apps
Kali Linux
ADB Primer
Checking for connected devices
Getting a shell
Listing the packages
Pushing files to the device
Pulling files from the device
Installing apps using adb
Troubleshooting adb connections
Summary
2. Android Rooting
What is rooting?
Why would we root a device?
Advantages of rooting
Unlimited control over the device
Installing additional apps
More features and customization
Disadvantages of rooting
It compromises the security of your device
Bricking your device
Voids warranty
Locked and unlocked boot loaders
Determining boot loader unlock status on Sony devices
Unlocking boot loader on Sony through a vendor specified method
Rooting unlocked boot loaders on a Samsung device
Stock recovery and Custom recovery
Prerequisites
Rooting Process and Custom ROM installation
Installing recovery softwares
Using Odin
Using Heimdall
Rooting a Samsung Note 2
Flashing the Custom ROM to the phone
Summary
3. Fundamental Building Blocks of Android Apps
Basics of Android apps
Android app structure
How to get an APK file?
Storage location of APK files
/data/app/
/system/app/
/data/app-private/
Example of extracting preinstalled apps
Example of extracting user installed apps
Android app components
Activities
Services
Broadcast receivers
Content providers
Android app build process
Building DEX files from the command line
What happens when an app is run?
ART – the new Android Runtime
Understanding app sandboxing
UID per app
App sandboxing
Is there a way to break out of this sandbox?
Summary
4. Overview of Attacking Android Apps
Introduction to Android apps
Web Based apps
Native apps
Hybrid apps
Understanding the app's attack surface
Mobile application architecture
Threats at the client side
Threats at the backend
Guidelines for testing and securing mobile apps
OWASP Top 10 Mobile Risks (2014)
M1: Weak Server-Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
M4: Unintended Data Leakage
M5: Poor Authorization and Authentication
M6: Broken Cryptography
M7: Client-Side Injection
M8: Security Decisions via Untrusted Inputs
M9: Improper Session Handling
M10: Lack of Binary Protections
Automated tools
Drozer
Performing Android security assessments with Drozer
Installing testapp.apk
Listing out all the modules
Retrieving package information
Identifying the attack surface
Identifying and exploiting Android app vulnerabilities using Drozer
Attacks on exported activities
What is the problem here?
QARK (Quick Android Review Kit)
Running QARK in interactive mode
Reporting
Running QARK in seamless mode:
Summary
5. Data Storage and Its Security
What is data storage?
Android local data storage techniques
Shared preferences
SQLite databases
Internal storage
External storage
Shared preferences
Real world application demo
SQLite databases
Internal storage
External storage
User dictionary cache
Insecure data storage – NoSQL database
NoSQL demo application functionality
Backup techniques
Backup the app data using adb backup command
Convert .ab format to tar format using Android backup extractor
Extracting the TAR file using the pax or star utility
Analyzing the extracted content for security issues
Being safe
Summary
6. Server-Side Attacks
Different types of mobile apps and their threat model
Mobile applications server-side attack surface
Mobile application architecture
Strategies for testing mobile backend
Setting up Burp Suite Proxy for testing
Proxy setting via APN
Proxy setting via Wi-Fi
Bypass certificate warnings and HSTS
HSTS – HTTP Strict Transport Security
Bypassing certificate pinning
Bypass SSL pinning using AndroidSSLTrustKiller
Setting up a demo application
Installing OWASP GoatDroid
Threats at the backend
Relating OWASP top 10 mobile risks and web attacks
Authentication/authorization issues
Authentication vulnerabilities
Authorization vulnerabilities
Session management
Insufficient Transport Layer Security
Input validation related issues
Improper error handling
Insecure data storage
Attacks on the database
Summary
7. Client-Side Attacks – Static Analysis Techniques
Attacking application components
Attacks on activities
What does exported behavior mean to an activity?
Intent filters
Attacks on services
Extending the Binder class:
Using a Messenger
Using AIDL
Attacking AIDL services
Attacks on broadcast receivers
Attacks on content providers
Querying content providers:
Exploiting SQL Injection in content providers using adb
Querying the content provider
Writing a where condition:
Testing for Injection:
Finding the column numbers for further extraction
Running database functions
Finding out SQLite version:
Finding out table names
Static analysis using QARK:
Summary
8. Client-Side Attacks – Dynamic Analysis Techniques
Automated Android app assessments using Drozer
Listing out all the modules
Retrieving package information
Finding out the package name of your target application
Getting information about a package
Dumping the AndroidManifest.xml file
Finding out the attack surface:
Attacks on activities
Attacks on services
Broadcast receivers
Content provider leakage and SQL Injection using Drozer
Attacking SQL Injection using Drozer
Path traversal attacks in content providers
Reading /etc/hosts
Reading kernel version
Exploiting debuggable apps
Introduction to Cydia Substrate
Runtime monitoring and analysis using Introspy
Hooking using Xposed framework
Dynamic instrumentation using Frida
What is Frida?
Prerequisites
Steps to perform dynamic hooking with Frida
Logging based vulnerabilities
WebView attacks
Accessing sensitive local resources through file scheme
Other WebView issues
Summary
9. Android Malware
What do Android malwares do?
Writing Android malwares
Writing a simple reverse shell Trojan using socket programming
Registering permissions
Writing a simple SMS stealer
The user interface
Code for MainActivity.java
Code for reading SMS
Code for the uploadData() method
Complete code for MainActivity.java
Registering permissions
Code on the server
A note on infecting legitimate apps
Malware analysis
Static analysis
Disassembling Android apps using Apktool
Exploring the AndroidManifest.xml file
Exploring smali files
Decompiling Android apps using dex2jar and JD-GUI
Dynamic analysis
Analyzing HTTP/HTTPS traffic using Burp
Analysing network traffic using tcpdump and Wireshark
Tools for automated analysis
How to be safe from Android malwares?
Summary
10. Attacks on Android Devices
MitM attacks
Dangers with apps that provide network level access
Using existing exploits
Malware
Bypassing screen locks
Bypassing pattern lock using adb
Removing the gesture.key file
Cracking SHA1 hashes from the gesture.key file
Bypassing password/PIN using adb
Bypassing screen locks using CVE-2013-6271
Pulling data from the sdcard
Summary
Index