
Reversing Android Apps

Packing and cracking Android apps is easy


Agenda
Issues (in the past)
Android security / code concept
Techniques for pentesters / reverse engineers
My experiences and the general quality of apps
My approach
Bought HTC Desire/Bravo with Android 2.0 (now 2.2.0) in 2010
Finding security related issues
Issues (in the past?)
Losing phones
Circumventing lock screen
Poor lock screen implementation
Home button mashing, not all brands <= 2.2
Back button during call, not all brands <= 2.0
Plug into car dock, unknown
Gmail address & password "null", unknown
Lock screen not activated
USB debug on (adb shell)
Associated Google account
OpenRecovery, Milestone <= 2.1
Acquire physical memory (forensic tools)
Google Market - a feel free environment
Bring malware to the mobile
XSS on Google Market website
Convince users (aka put on market)
App without permissions installs apps with permissions
Angry Birds extra level malware, fixed
Browser vulnerability (cookie stealing), < 2.3.3
New technique going to be released in November
Oberheide/Lanier, Source Barcelona
Other issues
Facebook-App v. 1.6 is able to read/write/edit SMS/MMS
Plain authentication tokens, fixed
SMS receiver incorrect, fixed
HTClogger, HTC only
App reversing
Many more
Nuclear chain of command...
xkcd.com
... is similar to the Android chain of security
My situation
Bought HTC Desire in 2010
Still on Android 2.2.0, means:

Screen lock circumvention (button mashing)
Vulnerable to DroidDream malware
Browser vulnerability
Cookie stealing / XSS
Can be used to install apps
Android security / code concept
Security Concept
Dalvik Java VM is no security layer
Permission system
Android is a Linux
One app = one Linux user
Android code
Write app in Java and HTML/JavaScript (Android SDK)
The obvious approach
Most apps from the Google Market
Easy to decompile/disassemble/reassemble
Write app in ARM native code (Android NDK)
Together with Java code
ARM Assembler Reverse Engineering and JNI
Use a framework/generator
appmakr.com
PhoneGap
Others?
Techniques for pentesters / reverse engineers
1. Getting hundreds of Android Apps (apk files)
Obvious download approach
Open market app on mobile
Click app and install
SCP apk file from phone
→ Too slow, not enough space on mobile, etc

How to download all Android apps
Connect mobile to laptop WiFi with airbase-ng / dnsmasq
Use iptables to redirect to local Burp
Thx Android for not having a proxy option
BurpExtender to save responses with apk files
Send mobile a HTTP 404 not found
Install all apps?
One HTTPS request to market.android.com
Change the app name
com.google.android.youtube
Modified w3af spider / regex plugin
Search for terms A ... ZZ on market.android.com
No restrictions (e.g. Captcha) as in Google search
Wrote script that sends HTTPS requests with app name
Download environment
Metadata
About 300'000 apps in market
Crawled about 10'000 app names
Successfully downloaded and decompiled about 3'300 apps (about 13 GB)
Took about 3 days to download all these apps
2. Decompile/disassemble
The apktool disassembled structure
+assets
+res
+drawable
-icon.png
+layout
-main.xml
+values
-strings.xml
+META-INF
-AndroidManifest.xml
-classes.dex
Apk unzipped
+assets
+res
+drawable
-icon.png
+layout
-main.xml
+values
-strings.xml

-AndroidManifest.xml
+smali
+com
+...
-apktool.yml
→ apktool disassembled
Two approaches
Disassembling to smali
Similar to Jasmin syntax (Java assembler code)
Apktool
Correct smali code
Didn't use dexdump/dedexer
Decompiling to Java
Dex2Jar + Java-Decompiler
Sometimes incorrect Java code
Disassembling howto
Apktool
me$ java -jar apktool.jar d app.apk output-folder
Disassembled example
Reassembling howto
Apktool
me$ echo "change something"
change something
me$ java -jar apktool.jar b output-folder/ fake-app.apk
[]
me$ keytool -genkey -alias someone -validity 100000 -
keystore someone.keystore
[]
me$ jarsigner -keystore someone.keystore fake-app.apk someone
me$ adb install fake-app.apk
3. Other techniques for pentesters
Heap dump
me$ su
me# ps | grep kee
949 10082 183m S com.android.keepass
960 0 1964 S grep kee
me# kill -10 949
me# grep password /data/misc/heap-dump-tm1312268434-
pid949.hprof
thisisasecretpassword
In Android > 2.3
Button in DDMS tool or call android.os.Debug.dumpHprofData(filename)
Invoking Activities
Activities are basically user interfaces "one screen"
Fortunately this example doesn't work
me$ dumpsys package > packages.txt
me$ am start -n com.android.keepass/
com.keepassdroid.PasswordActivity
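The `am start -n` trick above only works against activities the app exports. As an added example (not from the slides), this Python check runs over the AndroidManifest.xml that apktool decodes and lists the activities reachable that way; the manifest, package and activity names are constructed, and the exported rule is the pre-API-31 default (exported if android:exported="true", or if an intent-filter is present and the attribute is absent).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample, standing in for out/AndroidManifest.xml after `apktool d app.apk out`.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vault">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".PasswordActivity"/>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <activity android:name=".DebugActivity" android:exported="false">
      <intent-filter><action android:name="com.example.DEBUG"/></intent-filter>
    </activity>
  </application>
</manifest>"""


def exported_activities(manifest_xml: str) -> list:
    """Return fully qualified names of activities another app (or `am start -n`) can start.

    Pre-API-31 default: exported if android:exported="true", or if the activity
    declares an <intent-filter> and android:exported is not set at all.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = []
    for act in root.iter("activity"):
        name = act.get(f"{{{ANDROID_NS}}}name", "")
        exported = act.get(f"{{{ANDROID_NS}}}exported")
        has_filter = act.find("intent-filter") is not None
        if exported == "true" or (exported is None and has_filter):
            # A leading "." means the class name is relative to the package.
            found.append(package + name if name.startswith(".") else name)
    return found


if __name__ == "__main__":
    for fqcn in exported_activities(SAMPLE_MANIFEST):
        print(fqcn)
```

PasswordActivity in the sample is not listed: it has neither android:exported="true" nor an intent-filter, which is exactly why the slide's example does not work.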
Tons of other tools
Androguard
ApkInspector
GUI combining apktool, dex2jar, a Java decompiler, byte code, etc.
DED
androidAuditTools
Smartphonesdumbapps
TaintDroid (Privacy issues)
Android Forensic Toolkit
viaExtract
More
Experiences when decompiling/disassembling 3'300 apps
Finding security related issues
Metadata
About 3'300 apps
2'300 unique email addresses
1'000 fuck
Several twitter / facebook / flickr / geocaching API keys
Low hanging fruits
Hashing and encryption - a short best practices refresh
Secure algorithms/implementations
Random, long salts/keys
Hashing
Separate salt for every hash
Several hashing rounds
E.g. hash(hash( ... hash(pwd+salt)+salt ... ))
Encryption
Keep the key secret
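The hashing refresh above, carried out in Python as an added example (not code from the slides): a fresh random salt per password, several rounds of hash(digest+salt), and constant-time verification. The stored record format "sha256$rounds$salt$digest" and the round count are this example's own choices.

```python
import hashlib
import hmac
import os

ROUNDS = 10_000   # "several hashing rounds": chosen by this example
SALT_BYTES = 16   # "random, long salts": 128 bit from the OS RNG


def iterated_hash(password: bytes, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """hash(hash( ... hash(pwd+salt)+salt ... )): the salt is re-appended each round."""
    digest = hashlib.sha256(password + salt).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha256(digest + salt).digest()
    return digest


def hash_password(password: str, rounds: int = ROUNDS) -> str:
    """Separate salt for every hash; store rounds, salt and digest together."""
    salt = os.urandom(SALT_BYTES)
    digest = iterated_hash(password.encode("utf-8"), salt, rounds)
    return f"sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored parameters and compare in constant time.

    Malformed records (wrong field count, non-hex, unknown algorithm) verify as False.
    """
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
        if algo != "sha256":
            return False
        digest = iterated_hash(password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds))
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except ValueError:
        return False


if __name__ == "__main__":
    record_a = hash_password("thisisasecretpassword")
    record_b = hash_password("thisisasecretpassword")
    print(record_a != record_b)                               # different salt, different record
    print(verify_password("thisisasecretpassword", record_a))  # True
    print(verify_password("wrong", record_a))                  # False
```

In a real app a standard construction such as PBKDF2 (hashlib.pbkdf2_hmac), bcrypt or scrypt should replace the hand-rolled loop; the structure (per-user salt, many rounds, constant-time compare) is the same.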
[Screenshot annotations] key: MSB always 0 / Used for sending passwords in HTTPS / Used to signalise the server that in-game goods were purchased

Obfuscated code
Who calls this "ah" constructor?
Obfuscated code
4 greps later...
c.f includes the key
c.f calls a.bs(key)
a.bs calls a.ah(key)
a.ah uses the key and locale variables for encryption
We know all the input data for the encryption routine
It's symmetric crypto
We can decrypt "it" (whatever it might be)
Testxxxxx.java
Yeah, let's copy/paste a test email!
Testxxxxx2.java
And credentials for the test server...
Some apps I looked at more closely
(It's getting worse)
App 1 - banking app
Who really wants banking on the mobile?
A lot of banking apps! Yay!
App 1
No obfuscation + can easily be recompiled
App simply shows the website
Hides the URL and SSL cert/lock from the user
Can only be used with mTAN
App 2
Server had self-signed SSL certificate
SSL MITM Dump:
/usernam e=B1436A 13E85D20 F2428D6E 232C2B93
FE....pa ssword=2 C30F3866 016E6C59 52655C06
400BCC6. imei=405 23204606 E450... ...
Wow, it's encrypted... Don't we need a key for that?

App 2
AES key
public byte[] cryptKey42 = {-31, -21, 4, 24, -21,
54, -63, -40, -38, 61, -47, -115, -95, -36, -142,
64, 53, 120, -85, -96, -69, 85, 81, 16, -36, 80,
-102, 95, -20, 110, 36, -11};

App 3 - root detection
private boolean deviceRoot() {
    try {
        Runtime.getRuntime().exec("su");
        return true;
    } catch (IOException localIOException) {
        return false;
    }
}
App 3 - Circumventing root detection
Not necessary
App 4 - Another root detection
public static boolean isDeviceRooted() {
    File f = new File("/system/sbin/su");
    return f.exists();
}

App 4 - Removing root detection
me$ java -jar apktool.jar d app.apk source
[]
me$ sed -i "" 's/system\/sbin\/su/system\/sbin\/
CEW1PFSLK/g' source/smali/net/example/checks.smali
me$ java -jar apktool.jar b source/ fake.apk
[]
me$ keytool -genkey -alias someone -validity 100000
-keystore someone.keystore
[]
me$ jarsigner -keystore someone.keystore fake.apk
someone
me$ adb install fake.apk
App 4 - Was that a good method to remove the root detection?
Altering the app
No updates
We only want to fail that simple check
App 4 - Prevent root detection
me$ adb shell
$ su
# cd /system/bin/; mount -o remount,rw -o rootfs rootfs /;
mount -o remount,rw -o yaffs2 /dev/block/mtdblock3 /system
# echo $PATH
/sbin:/system/sbin:/system/bin:/system/xbin
# mv /system/sbin/su /system/xbin/
Root stays root!
A special secret key
443 apps use the same AES key
byte[] a = { 10, 33, -112, -47, -6, 7, 11, 73, -7, -121, 121, 69, 80, -61, 13, 3 }
Google Ads
Encrypt last known location
All location providers (GPS, WiFi, ...)
Send via the "uule" JSON parameter
Notified Google on the 23rd of June
No response yet
To be honest I haven't seen the "uule" parameter in my network yet
Google Ads
Why didn't they use asymmetric crypto?
Countermeasures
Use asymmetric crypto instead of symmetric when transferring data to a server
Store hashes/session tokens instead of passwords
Good obfuscation is Security Through Obscurity
Pentest your apps
Know the limitations
Root stays root
References
http://designora.com/graphics/android-logo/
http://blog.duosecurity.com/2011/03/when-angry-birds-attack-android-edition/
http://jon.oberheide.org/blog/2011/03/07/how-i-almost-won-pwn2own-via-xss/
http://www.h-online.com/open/news/item/Android-apps-send-unencrypted-authentication-token-1243968.html
https://www.infosecisland.com/blogview/13439-Google-Sued-for-Surreptitious-Android-Location-Tracking.html
http://www.h-online.com/open/news/item/Android-malware-activates-itself-through-incoming-calls-1233807.html
http://www.slideshare.net/bsideslondon/bsideslondon-spo#text-version
https://www.hashdays.ch/assets/files/slides/burns_android_security_the20fun20details.pdf
https://theassurer.com/p/736.html
http://thomascannon.net/blog/2011/02/android-lock-screen-bypass/
http://www.symantec.com/content/en/us/about/media/pdfs/symc_mobile_device_security_june2011.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Jun_worldwide_mobilesecuritywp
http://www.xkcd.com/898
http://www.madaxeman.com/general/2009/11/lost-phone.html
http://thomascannon.net/projects/android-reversing/
http://www.infsec.cs.uni-saarland.de/projects/android-vuln/
http://www.heise.de/mobil/meldung/Android-verschickt-SMS-an-falsche-Empfaenger-2-update-1162683.html
http://blog.duosecurity.com/2011/09/android-vulnerabilities-and-source-barcelona/
Thx!
Twitter: floyd_ch
http://floyd.ch
