Reverse Engineering Mobile Apps
Practice finding flaws in real Android and iOS apps in this fun, CTF-style hands-on workshop, and you will be ready to avoid making security errors in your own apps.
Android apps are very easy to unpack, analyze, modify, and repack; partly because of the open nature of the system, and partly because most companies neglect basic security measures. In this workshop, participants will hack apps from Bank of America, IBM, Harvard, Home Depot, the Indian government, and other large organizations. We will find insecure network transmissions, broken cryptography, improper logging, and a pervasive lack of binary protections. We will also analyze the way iOS apps use network transmissions, and observe serious vulnerabilities in iOS apps from major companies.
We will analyze Android internals in detail, using the Drozer attack framework to inspect and manipulate intents and exploit insecure activities and content providers. We will perform a protection-level downgrade attack on an Android 4.3 device, removing security protections from the Twitter app.
All class materials are freely available on the Web, and will remain available after the workshop. All vulnerabilities were reported to the affected companies long ago, where appropriate.
Equipment: participants must bring a laptop that can run VirtualBox machines. The host system can use Mac OS (best), Linux (OK) or Windows (usable but limited). We will use free Android emulators and a Kali virtual machine. They will be available as free downloads, and also locally on USB sticks.
Sam Bowne is an instructor at City College San Francisco, and has been teaching hacking and security classes for ten years. He has presented talks and workshops at DEF CON, HOPE, RSA, BSidesLV, BSidesSF, and many other conferences. He has a CISSP and a PhD and is a DEF CON Black Badge co-winner. http://samsclass.info
Elizabeth Biddlecome is a consultant and a part-time instructor at City College San Francisco, delivering technical training and mentorship to students and professionals. She leverages her enthusiasm for architecture, security, and code to design and implement comprehensive information security solutions for business needs. Elizabeth enjoys wielding everything from soldering irons to scripting languages in cybersecurity competitions, hackathons, and CTFs.
DETAILED OUTLINE:
I. The Android security model
A. Attack surface
1. Public Wi-Fi
2. 3G, 4G, 5G networks
3. Device theft
4. Malicious apps (often from Google Play)
5. Other inputs: NFC, Bluetooth, camera, microphone, etc.
B. App sandboxing
1. User accounts in Android
2. App signatures
3. App repositories and Google Play
4. GTalkService
5. App permissions to access hardware
C. The OWASP Mobile top ten vulnerabilities
1. Severity
2. Frequency (90% of apps have them)
3. Why these flaws are so common
II. Dynamic analysis
A. Preparing a simple Android hacking platform
1. Emulators: Genymotion and Bluestacks
2. USB debugging and ADB
3. Busybox
4. Burp Proxy
B. Hands-on projects and challenges with Android
1. "Ask a Lawyer" app plaintext login
2. "GenieMD" broken SSL (from Harvard and IBM)
3. "Delhaize" app puts passwords in syslog
4. "Menards" app plaintext password in local storage
5. "ES Explorer" app command injection
C. Auditing iOS Apps
1. Redirecting network traffic from an iPhone through a Mac using pf and Burp
2. Plaintext logins
3. Broken TLS
4. Command injection and database exposure in the University of Houston app
D. Hands-on projects and challenges with iOS
1. Broken TLS in the Exxon Mobil Speedpass+ app
2. Security flaws in "Private Browser with Adblock" app
3. Homebrew encryption in the "Edubirdie" app
III. Android app structure
A. Structure of an APK file
1. Android Manifest
2. Assets and Resources
3. Libraries
4. META-INF and signatures
B. Application components
1. Activities
2. Services
3. Broadcast receivers
4. Content providers
C. Inter-Process Communication (IPC)
1. Binder
2. Explicit intents
3. Implicit intents
4. Hands-on with Drozer: exploiting intents and receivers
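The first thing Drozer does against a target (`run app.package.attacksurface <package>`) is work out which activities, services, receivers and content providers are reachable from another app, and what permission, if any, guards each one. The same analysis can be done offline from the AndroidManifest.xml that apktool decodes. The following is an added example (not workshop or Drozer code) with a constructed manifest for a hypothetical `com.example.bank` app; it applies the platform's export rule (an explicit android:exported wins, otherwise a component with an intent-filter is exported) and flags exported components whose only guard is a custom permission declared at "normal" or "dangerous" level, which any third-party app can simply request. On the Android 4.3 device used in the workshop even a "signature" guard is only as strong as the install order, since before Android 5.0 whichever app declares a custom permission name first defines its protection level; that is the protection-level downgrade attack mentioned above.

```python
"""
Enumerate an app's IPC attack surface from a decoded AndroidManifest.xml,
offline, the way Drozer's `run app.package.attacksurface` does on a device.
Added example; the manifest below is constructed and is not from any real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(name):
    """Attribute name qualified with the android: namespace, as ElementTree expects it."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed manifest for a hypothetical app: an activity with an intent-filter and
# no explicit android:exported, a provider guarded only by a "normal" custom
# permission, an explicitly exported receiver, and a service kept private.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <permission android:name="com.example.bank.permission.READ_ACCOUNTS"
              android:protectionLevel="normal"/>
  <application>
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:scheme="bank"/>
      </intent-filter>
    </activity>
    <provider android:name=".AccountProvider"
              android:authorities="com.example.bank.accounts"
              android:exported="true"
              android:readPermission="com.example.bank.permission.READ_ACCOUNTS"/>
    <receiver android:name=".DebugReceiver" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
# Protection levels (as apktool decodes them) that any third-party app can obtain.
WEAK_LEVELS = ("normal", "dangerous")


def is_exported(comp):
    """Platform rule: an explicit android:exported wins; otherwise a component
    with an <intent-filter> is exported.  (Android 12+ refuses to install apps
    that leave it unset on such components; older targetSdk apps keep the default.)"""
    val = comp.get(a("exported"))
    if val is not None:
        return val.lower() == "true"
    return comp.find("intent-filter") is not None


def custom_permissions(root):
    """Map each permission the app itself declares to its protectionLevel (default: normal)."""
    return {p.get(a("name")): p.get(a("protectionLevel"), "normal")
            for p in root.findall("permission")}


def attack_surface(manifest_xml):
    """Return one dict per exported component: its type, name, the permissions
    guarding it, and which of those guards are weak custom permissions."""
    root = ET.fromstring(manifest_xml)
    perms = custom_permissions(root)
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.find("application").findall(tag):
            if not is_exported(comp):
                continue
            guards = [comp.get(a(k)) for k in ("permission", "readPermission", "writePermission")]
            guards = [g for g in guards if g]
            weak = [g for g in guards if perms.get(g) in WEAK_LEVELS]
            findings.append({"type": tag, "name": comp.get(a("name")),
                             "guards": guards, "weak_guards": weak})
    return findings


if __name__ == "__main__":
    for f in attack_surface(SAMPLE_MANIFEST):
        note = "  <- guard is a weak custom permission" if f["weak_guards"] else ""
        print("%-9s %-18s guards=%s%s" % (f["type"], f["name"], f["guards"] or "none", note))
```

Each hit is a starting point for the Drozer modules used in the hands-on part: an unguarded exported activity is started with `run app.activity.start --component`, and an exported provider is read with `run app.provider.query content://<authority>/...`. The script only reads the manifest; whether a reachable component is actually exploitable (path traversal in a provider, a receiver that runs privileged code on any intent) still has to be confirmed on the device.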
IV. Static analysis
A. Unpacking apps to Java with Jadx
B. Extracting smali code with apktool
C. Simple smali Trojans
D. Rebuilding apps
E. Signing apps
F. Hands-on projects and challenges
1. Reverse-engineering Home Depot's password encryption
2. Adding Trojan code to the Bank of America app
3. Modifying the mAadhaar app (government of India)
a. Defeating code integrity checks
b. Removing rooted device detection
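Steps D and E above (rebuild, then sign) are not optional. The v1 JAR signature an APK carries in META-INF records a digest of every file in the archive in MANIFEST.MF, so an APK rebuilt with `apktool b` after smali edits no longer matches its original signature and must be re-signed with your own key (for example `apksigner sign --ks yourkey.jks app.apk`). The following added Python example (not workshop code and not the real signer) builds a small constructed APK in memory, checks its MANIFEST.MF digests the way a v1 verifier would, and shows the check fail once classes.dex is patched without re-signing. A real signature also includes CERT.SF and CERT.RSA and, on modern Android, the v2/v3 signing block over the whole file; those are omitted here because the per-file digests are what a Trojaned classes.dex breaks. Re-signing changes the app's certificate, which is exactly what the runtime integrity checks in F.3.a detect and why they have to be patched out.

```python
"""
Check the v1 (JAR) signature digests in an APK, and show why a repacked APK
must be re-signed.  Added example; the APK is constructed in memory, and
only the MANIFEST.MF part of v1 signing is modelled (no CERT.SF/CERT.RSA).
"""
import base64
import hashlib
import io
import zipfile

MANIFEST_MF = "META-INF/MANIFEST.MF"

# Constructed entries standing in for a real app's files.
SAMPLE_ENTRIES = {
    "AndroidManifest.xml": b"<binary manifest placeholder>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "res/layout/main.xml": b"<binary layout placeholder>",
}


def digest_b64(data):
    """SHA-256 of the entry, base64 encoded, as written in MANIFEST.MF."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_manifest_mf(entries):
    """Write a MANIFEST.MF in the shape jarsigner/apksigner produce for v1 signing:
    one Name:/SHA-256-Digest: section per file outside META-INF/."""
    lines = ["Manifest-Version: 1.0", "Created-By: example", ""]
    for name, data in entries.items():
        lines += ["Name: %s" % name, "SHA-256-Digest: %s" % digest_b64(data), ""]
    return ("\r\n".join(lines) + "\r\n").encode()


def build_apk(entries):
    """Zip the entries together with a MANIFEST.MF covering them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
        z.writestr(MANIFEST_MF, build_manifest_mf(entries))
    return buf.getvalue()


def parse_manifest_mf(text):
    """Return {entry name: digest}.  Lines beginning with a space are
    continuations of the previous line (the JAR spec wraps at 72 bytes)."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    digests, current = {}, None
    for line in lines:
        if line.startswith("Name: "):
            current = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and current:
            digests[current] = line[len("SHA-256-Digest: "):]
    return digests


def check_v1_digests(apk_bytes):
    """Compare every digest in MANIFEST.MF with the entry it covers and report
    entries that are missing or not covered.  Returns (ok, problems)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = set(z.namelist())
        if MANIFEST_MF not in names:
            return False, ["unsigned: no %s" % MANIFEST_MF]
        expected = parse_manifest_mf(z.read(MANIFEST_MF).decode())
        problems = []
        for name, digest in expected.items():
            if name not in names:
                problems.append("%s: listed in manifest but missing" % name)
            elif digest_b64(z.read(name)) != digest:
                problems.append("%s: digest mismatch" % name)
        for name in sorted(names):
            if not name.startswith("META-INF/") and name not in expected:
                problems.append("%s: not covered by manifest" % name)
    return (not problems), problems


def patch_entry(apk_bytes, name, new_data):
    """Replace one entry and leave META-INF untouched, as a naive repack does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, \
            zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = new_data if info.filename == name else src.read(info.filename)
            dst.writestr(info.filename, data)
    return buf.getvalue()


def demo():
    """Signed APK verifies; the same APK with classes.dex patched does not."""
    original = build_apk(SAMPLE_ENTRIES)
    ok_before, _ = check_v1_digests(original)
    trojaned = patch_entry(original, "classes.dex",
                           SAMPLE_ENTRIES["classes.dex"] + b"<trojan smali here>")
    ok_after, problems = check_v1_digests(trojaned)
    return ok_before, ok_after, problems


if __name__ == "__main__":
    print(demo())
```

The same check is what the installer performs, which is why a modified APK that still carries the original META-INF is rejected outright rather than merely warned about; stripping META-INF makes it "unsigned" instead, which the installer also rejects, so re-signing is the only path to an installable Trojaned build.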
V. Other topics
A. Vulnerability scanning with LinkedIn's Qark
B. Mobile device management