Devices - Penetration Testing Like a Hacker. - SecNiche Security Labs

More documents

Recommendations

Info

FOCUSInside AndroidApplicationsBy the end of 2011, the number of Smartphone shipments aroundthe world will explode to nearly 468 million units and the androidoperating system would have a fifty percent market share. Thiswould increase the number of attacks on mobile applications andalso the investment in securing the applications from the attacks.The most important part of performing anapplication pentest for an android applicationis understanding the manifest configuration.Analyzing a manifest file is one of the most importantand tedious task while performing a penetration testingassessment on the world’s most popular mobile Os.Android is a privilege-separated operating system, inwhich each application runs with a distinct system identity.At install time, Android gives each package a distinct Linuxuser ID. The identity remains constant for the duration ofthe package’s life on that device. On a different device, thesame package may have a different UID; what matters isthat each package has a distinct UID on a given device.Every android application must have an AndroidManifest.xml file in its root directory. The manifestpresents essential information about the application tothe Android system. High-level permissions restrictingaccess to entire components of the system or applicationcan be applied through the AndroidManifest.xml. Themanifest file does the following:• It describes the components like the activities,services, broadcast receivers, and content providersthat the application is composed of. These declarationslet the Android system know what the components areand under what conditions they can be launched.• It determines which processes will host applicationcomponents.• It declares which permissions the application musthave in order to access protected parts of the APIand interact with other applications.Figure 1. AndroidManifest.xml natively obfuscatedFigure 2. Decoding apk application le05/2011 (5) SeptemberPage 34http://pentestmag.com
Table 1. Android malware analysis toolsSetting What to check Recommendationsandroid:If it is set to „auto”, The application may be installed on the Use „”internalOnly” value for this setting.installLocationexternal storage, but the system will install the application onthe internal storage by default. If the internal storage is full,then the system will install it on the external storage. Onceinstalled, the user can move the application to either internalor external storage through the system settingsandroid:protectionLevelandroid:persistentandroid:restoreAnyVersionCharacterizes the potential risk implied in the permissionand indicates the procedure the system should follow whendetermining whether or not to grant the permission to anapplication requesting it.Whether or not the application should remain running at all times– „true” if it should, and „false” if not. The default value is „false”.Indicate that the application is prepared to attempt a restore ofany backed-up data set, even if the backup was stored by a newerversion of the application than is currently installed on the device.Check if the value is set to „normal” or„dangerous”. If it is set to „dangerous”, checkthe permissions.Applications should not normally set thisag. It should be set to “false”Setting this attribute to true will permit theBackup Manager to attempt restore evenwhen a version mismatch suggests that thedata are incompatible• It also declares the permissions that others arerequired to have in order to interact with theapplication’s components.• It declares the minimum level of the Android APIthat the application requires.• It lists the libraries that the application must belinked against.• And moreover, it names the Java package for theapplication. The package name serves as a uniqueidentifier for the application.AndroidManifest.xml file plays a very important role inanalyzing the security of Android mobile applications.The file is of great interest when analyzing systemsecurity because it defines the permissions the systemand applications enforce.Android packages are .apk file. For the test purposeyou can download any android application and extractit and you will see the AndroidManifest.xml file whichwould be difficult to open (see Figure 1).Below I have mentioned step by step methodology toopen and review it.Figure 3. Example of AndroidManifest.xml• Download the following tools• apktool-install-windows-file• apktool-file• Unpack both to your Windows directory.• Now copy the APK file also in that directory and runthe following command in your command prompt(see Figure 2):apktool d app.apk ./app_decryptedHere app.apk is your Android APK file• This will create a folder app _ decrypted in yourcurrent directory. Inside it you can find theAndroidManifest.xml file in decrypted form andyou can also find other XML files inside theapp _ decrypted/res/layout directory.The manifest contains juicy information like permissions,intent filters, and lots more. A typical manifestfile is shown below (see Figure 3).Some of the important configuration settings to lookfor while analyzing a manifest file: Table 1.Analyzing manifest file thoroughly could help apenetration tester plan and execute other attacks.After it is done successfully, the remaining testing boilsdown to a normal web application pentest. So nexttime when you download any application from androidmarket, just take a while to open and analyze theandroidmanifest.xml file for fun.DEVESH BHATTDevesh is an Information Security Researcherand Consultant. He is primarily focused in theapplication Security space. He has worked ondeveloping a framework for securing mobileapplication (Android and IOS). His area ofexpertise also lies in the Cloud Security arena.05/2011 (5) SeptemberPage 35http://pentestmag.com
Page 2 and 3: EDITOR’S NOTE05/2011 (05)Editor:
Page 4 and 5: POINT OF VIEWIsn’t Social Enginee
Page 6 and 7: POINT OF VIEWTrust Pentesting Team.
Page 8 and 9: FOCUSBreaking Downthe i* {Devices}P
Page 10: FOCUSListing 1. IPhone applications
Page 19 and 20: AndroidManifest.xml. An important p
Page 21 and 22: Smartphone running the version of A
Page 23 and 24: Simplied User ExperienceThe user in
Page 26 and 27: FOCUSAttacking the MobileInfrastruc
Page 28 and 29: FOCUSAt any rate, I think these ent
Page 30 and 31: FOCUSToneLoc and LoadUseful For a P
Page 32 and 33: FOCUSoperate in a degraded state; f
Page 36 and 37: (NEW) STANDARDSNew PenetrationTesti
Page 38 and 39: (NEW) STANDARDSof Hatforce. Before
Page 40: (NEW) STANDARDSReferences• [1] So
Page 43 and 44: name, IP address and server locatio
Page 45 and 46: Figure 8. User Agent Switcher Menur
Page 47: Say Hello toRed TeamTesng!Security

Devices - Penetration Testing Like a Hacker. - SecNiche Security Labs

Create successful ePaper yourself

Delete template?

Save as template?