book

Hacking Android

Name: Hacking Android
ISBN: 9781785883149

by Mohammed A. Imran, Srinivasa Rao Kotipalli

July 2016

Beginner to intermediate

376 pages

7h 37m

English

Packt Publishing

Read now

Unlock full access

Hacking Android
Table of Contents
Hacking Android
Credits
About the Authors
About the Reviewer
www.PacktPub.com
eBooks, discount offers, and moreWhy subscribe?
Preface
What this book covers
What you need for this book
Who this book is for

Conventions
Reader feedback
Customer support
Downloading the example codeErrataPiracyQuestions
1. Setting Up the Lab
Installing the required toolsJava
Android Studio
Setting up an AVD
Real deviceApktoolDex2jar/JD-GUIBurp Suite
Configuring the AVD
DrozerPrerequisitesQARK (No support for windows)Getting readyAdvanced REST Client for ChromeDroid ExplorerCydia Substrate and IntrospySQLite browserFridaSetting up Frida serverSetting up frida-clientTesting the setupVulnerable appsKali Linux
ADB Primer
Checking for connected devicesGetting a shellListing the packagesPushing files to the devicePulling files from the deviceInstalling apps using adbTroubleshooting adb connections
Summary
2. Android Rooting
What is rooting?Why would we root a device?Advantages of rootingUnlimited control over the deviceInstalling additional appsMore features and customizationDisadvantages of rootingIt compromises the security of your deviceBricking your deviceVoids warranty
Locked and unlocked boot loaders
Determining boot loader unlock status on Sony devicesUnlocking boot loader on Sony through a vendor specified methodRooting unlocked boot loaders on a Samsung device
Stock recovery and Custom recovery
Prerequisites
Rooting Process and Custom ROM installation
Installing recovery softwaresUsing OdinUsing Heimdall
Rooting a Samsung Note 2
Flashing the Custom ROM to the phone
Summary
3. Fundamental Building Blocks of Android Apps
Basics of Android appsAndroid app structureHow to get an APK file?Storage location of APK files/data/app//system/app//data/app-private/Example of extracting preinstalled appsExample of extracting user installed apps
Android app components
ActivitiesServicesBroadcast receiversContent providersAndroid app build process
Building DEX files from the command line
What happens when an app is run?
ART – the new Android Runtime
Understanding app sandboxing
UID per appApp sandboxingIs there a way to break out of this sandbox?
Summary
4. Overview of Attacking Android Apps
Introduction to Android appsWeb Based appsNative appsHybrid apps
Understanding the app's attack surface
Mobile application architecture
Threats at the client side
Threats at the backend
Guidelines for testing and securing mobile apps
OWASP Top 10 Mobile Risks (2014)M1: Weak Server-Side ControlsM2: Insecure Data StorageM3: Insufficient Transport Layer ProtectionM4: Unintended Data LeakageM5: Poor Authorization and AuthenticationM6: Broken CryptographyM7: Client-Side InjectionM8: Security Decisions via Untrusted InputsM9: Improper Session HandlingM10: Lack of Binary Protections
Automated tools
DrozerPerforming Android security assessments with DrozerInstalling testapp.apkListing out all the modulesRetrieving package information
Identifying the attack surface
Identifying and exploiting Android app vulnerabilities using DrozerAttacks on exported activitiesWhat is the problem here?
QARK (Quick Android Review Kit)
Running QARK in interactive modeReportingRunning QARK in seamless mode:
Summary
5. Data Storage and Its Security
What is data storage?Android local data storage techniquesShared preferencesSQLite databasesInternal storageExternal storage
Shared preferences
Real world application demo
SQLite databases
Internal storage
External storage
User dictionary cache
Insecure data storage – NoSQL database
NoSQL demo application functionality
Backup techniques
Backup the app data using adb backup commandConvert .ab format to tar format using Android backup extractorExtracting the TAR file using the pax or star utilityAnalyzing the extracted content for security issues
Being safe
Summary
6. Server-Side Attacks
Different types of mobile apps and their threat model
Mobile applications server-side attack surface
Mobile application architecture
Strategies for testing mobile backend
Setting up Burp Suite Proxy for testingProxy setting via APNProxy setting via Wi-FiBypass certificate warnings and HSTSHSTS – HTTP Strict Transport SecurityBypassing certificate pinningBypass SSL pinning using AndroidSSLTrustKillerSetting up a demo applicationInstalling OWASP GoatDroidThreats at the backendRelating OWASP top 10 mobile risks and web attacksAuthentication/authorization issuesAuthentication vulnerabilitiesAuthorization vulnerabilitiesSession managementInsufficient Transport Layer SecurityInput validation related issuesImproper error handlingInsecure data storageAttacks on the database
Summary
7. Client-Side Attacks – Static Analysis Techniques
Attacking application componentsAttacks on activitiesWhat does exported behavior mean to an activity?Intent filtersAttacks on servicesExtending the Binder class:Using a MessengerUsing AIDLAttacking AIDL servicesAttacks on broadcast receiversAttacks on content providersQuerying content providers:Exploiting SQL Injection in content providers using adbQuerying the content providerWriting a where condition:Testing for Injection:Finding the column numbers for further extractionRunning database functionsFinding out SQLite version:Finding out table names
Static analysis using QARK:
Summary
8. Client-Side Attacks – Dynamic Analysis Techniques
Automated Android app assessments using DrozerListing out all the modulesRetrieving package informationFinding out the package name of your target applicationGetting information about a packageDumping the AndroidManifes.xml fileFinding out the attack surface:Attacks on activitiesAttacks on servicesBroadcast receiversContent provider leakage and SQL Injection using DrozerAttacking SQL Injection using DrozerPath traversal attacks in content providersReading /etc/hostsReading kernel versionExploiting debuggable apps
Introduction to Cydia Substrate
Runtime monitoring and analysis using Introspy
Hooking using Xposed framework
Dynamic instrumentation using Frida
What is Frida?PrerequisitesSteps to perform dynamic hooking with Frida
Logging based vulnerabilities
WebView attacks
Accessing sensitive local resources through file schemeOther WebView issues
Summary
9. Android Malware
What do Android malwares do?
Writing Android malwares
Writing a simple reverse shell Trojan using socket programming
Registering permissions
Writing a simple SMS stealerThe user interfaceCode for MainActivity.javaCode for reading SMSCode for the uploadData() methodComplete code for MainActivity.javaRegistering permissionsCode on the serverA note on infecting legitimate apps
Malware analysis
Static analysisDisassembling Android apps using ApktoolExploring the AndroidManifest.xml fileExploring smali filesDecompiling Android apps using dex2jar and JD-GUIDynamic analysisAnalyzing HTTP/HTTPS traffic using BurpAnalysing network traffic using tcpdump and Wireshark
Tools for automated analysis
How to be safe from Android malwares?
Summary
10. Attacks on Android Devices
MitM attacks
Dangers with apps that provide network level access
Using existing exploits
Malware
Bypassing screen locks
Bypassing pattern lock using adbRemoving the gesture.key fileCracking SHA1 hashes from the gesture.key fileBypassing password/PIN using adbBypassing screen locks using CVE-2013-6271
Pulling data from the sdcard
Summary
Index

Content preview from Hacking Android

Logging based vulnerabilities

Inspecting adb logs often provides us a great deal of information during a penetration test. Mobile app developers use the Log class to log debugging information in to the device logs. These logs are accessible to any other application with READ_LOGS permission prior to the Android 4.1 version. This permission has been removed after Android 4.1 and only system apps can access the device logs. However, an attacker with physical access can still use the adb logcat command to view the logs. It is also possible to write a malicious app and read the logs with elevated privileges on a rooted device.

The Yahoo messenger app was vulnerable to this attack as it was logging user chats along with the session ID into the logs. ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781785883149

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Hacking Android

by Mohammed A. Imran, Srinivasa Rao Kotipalli

Logging based vulnerabilities

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.