Android Application Assessment: Inspecting Android Applications for Known Issues
Android Application Assessment- © 2013 Christopher 1
Assessing Mobile Apps (1)
• Risk from mobile applications
  – Low – app poses little or no threat to device and data on device
  – Moderate – app poses some threat to device protective measures and data stored on device
  – High – app is likely to circumvent device protective measures and/or exfiltrate private data
    ● All address book data to a server
    ● Intent with poor filtering
Assessing Mobile Apps (2)
• Checklist of actions to perform for mobile app assessment
• Checklists are effective in this context
• Helps to build in-house knowledge for ongoing assessment; once the org starts to assess apps, you are responsible to do so for evermore…
Threats
• Primary threat to Android devices is mobile malware
  – SMS premium rate messages cost people money
  – Private data theft
• Pen test objective is to model the threats associated with running the apps
• Non-malware threats use the same methods as malware
Two Types of Assessments
• Behavioral
  – Use a sandbox environment
  – Watch file access, network traffic, SMS messages, calls
  – Easier when dealing with obfuscated code
  – App may not misbehave while you're watching
• Static Code Analysis
  – More challenging
  – More thorough (if done properly)
  – Can detect latent behaviors, long running timers and triggered events
Checklist
• Checklists are lame
• But checklists have proven to be extremely effective at preventing mistakes in routine (and important) tasks
  – Pre-flight checklist
  – Medical checklist
Android Static Analysis - 1
• Android Static Analysis
  – Applications for Android come in the form of Android Packages (APK)
  – APKs contain a Dalvik Executable (DEX), a Manifest, and other files
  – DEX is bytecode compiled from Java code
    ● We can use two different approaches to extract Java code from DEX files
Android Static Analysis - 2
• Android Static Analysis
  – This is a challenging thing to do!
  – There are some tools that are available to help with automation
  – Look at a few of these, then dig into a manual method
Automated Analysis - 1
• Stowaway
  – Online assessment, requires upload of the apk file to the server at http://www.android-permissions.org/
  – Gives a listing of the permissions requested, and whether the permissions are actually used
Automated Analysis - 2
• Androwarn
  – Static assessment
  – Produces HTML report of potentially sensitive actions based on the function calls present in the code
  – Available from: https://github.com/maaaaz/androwarn
Manual Analysis
• Back to manual
  – Manual code inspection provides the most thorough assessment
  – Requires the most skill
  – Objective is to help you develop a methodology for quickly scouring code for known suspicious functions
  – We'll use Eclipse and FindBugs™ to accomplish this
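As an added example (not part of the original slides, and not Stowaway's or Androwarn's code), the following Python script shows the two checks the automated tools and the manual method above boil down to: scouring smali output for known sensitive calls, and comparing the permissions those calls need against the permissions the manifest requests. It assumes apktool output (a decoded plain-XML AndroidManifest.xml and .smali files); the call-to-permission map and both sample inputs are constructed here and deliberately tiny.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed, deliberately tiny map of Dalvik call signatures to the
# permission each needs. A real assessment needs a full map (what Stowaway has).
SENSITIVE_CALLS = {
    "Landroid/telephony/SmsManager;->sendTextMessage": "android.permission.SEND_SMS",
    "Landroid/telephony/TelephonyManager;->getDeviceId": "android.permission.READ_PHONE_STATE",
    "Landroid/location/LocationManager;->getLastKnownLocation": "android.permission.ACCESS_FINE_LOCATION",
    "Ljava/net/HttpURLConnection;->connect": "android.permission.INTERNET",
}

# Matches smali invoke-* lines and captures "Lpkg/Class;->method" (arguments dropped).
INVOKE_RE = re.compile(r"invoke-\w+(?:/range)?\s+\{[^}]*\},\s+(L[\w/$]+;->\w+)\(")

def declared_permissions(manifest_xml):
    """Permissions requested in a decoded (plain-XML) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def invoked_methods(smali_text):
    """Distinct methods invoked anywhere in the given smali source."""
    return sorted(set(INVOKE_RE.findall(smali_text)))

def assess(manifest_xml, smali_text):
    """Cross-check requested permissions against sensitive calls found in the code."""
    declared = declared_permissions(manifest_xml)
    hits = [m for m in invoked_methods(smali_text) if m in SENSITIVE_CALLS]
    needed = {SENSITIVE_CALLS[m] for m in hits}
    known = set(SENSITIVE_CALLS.values())  # only judge permissions the map covers
    return {
        "sensitive_calls": hits,  # the places a reviewer should read first
        "unused_permissions": sorted((declared & known) - needed),
        "undeclared_permissions": sorted(needed - declared),
    }

# Constructed sample inputs standing in for apktool output of one app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

SAMPLE_SMALI = """.method private report()V
    .locals 6
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    return-void
.end method"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_MANIFEST, SAMPLE_SMALI).items():
        print(key, value)
```

On the sample, the SMS send is flagged for review, the location permission is requested but never used by a mapped call, and the device-ID read has no matching permission request.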
Eclipse
• Eclipse is a development environment
• Provides opportunity for code review
  – But this is manual
  – Need to know Java fairly well to know what to look for
  – We can help resolve this with FindBugs™
FindBugs™
• FindBugs™ is a suite of checks for known programming flaws
• It is intended to help programmers to avoid known, common errors
• We are going to adapt it to our purpose of looking for code that is suspicious and warrants review
Install Eclipse
• http://www.eclipse.org/downloads
• Download Eclipse Classic
• Install default
  ● Next, next, finish ;-)
Install FindBugs™ - 1
• Eclipse: Help -> "Install New Software…"
Install FindBugs™ - 2
• Click Add…
• Enter "FindBugs update site" (no quotes) for the name
• Enter "http://findbugs.cs.umd.edu/eclipse" (no quotes) as the Location
• Click "OK"
Install FindBugs™ - 3
• Click "Select All"
• Click "Next"
Install FindBugs™ - 4
• Accept the warning
Dalvik to Java - 1
• Now we need to have Java code to import into Eclipse
• We will use the APK files to inspect the code
• There are two main ways to do this
  – dex2jar
  – smali / apktool
Dalvik to Java - 2
• Use dex2jar.bat to get readable, but non-executable Java code
• Use smali and apktool to get executable, but difficult to read Java code
• You will probably end up doing both, as each is useful in its own way
APK disassembly – smali
• Smali and apktool method
• Results in code that can be modified and recompiled

APK disassembly – dex2jar
• dex2jar method
Sidebar – Android Package downloads
• Where can you get the code to assess?
  – Download .apk file from internet
  – Move application to removable sdcard, then remove sdcard and copy
  – Copy .apk file from rooted Android device
• Malware
  – http://contagiominidump.blogspot.com is a repository of known Android malware
    ● Good material to practice with, but be careful with Android malware!
Import code to Eclipse
• 1) Create new project

Import code to Eclipse
• 2) Import external archive
Conclusion
• App assessment is a valuable task to protect individuals and organizations
  – Behavioral
  – Automated code analysis
  – Static code analysis
• Android has substantial threats from malware
Contact Info
• [email protected] – LinkedIn, e-mail
• +ChrisCrowley – G+
• @CCrowMontance – Twitter