
Reverse Engineering Mobile Apps


    Reverse Engineering Mobile Apps

    Practice finding flaws in real Android and iOS apps in this fun, CTF-style hands-on workshop, and you will be ready to avoid making security errors in your own apps.

    Android apps are very easy to unpack, analyze, modify, and repack; partly because of the open nature of the system, and partly because most companies neglect basic security measures. In this workshop, participants will hack apps from the Bank of America, IBM, Harvard, Home Depot, the Indian government, and other large organizations. We will find insecure network transmissions, broken cryptography, improper logging, and pervasive lack of binary protections. We will also analyze the way iOS apps use network transmissions, and observe serious vulnerabilities in iOS apps from major companies.

    We will analyze Android internals in detail, using the Drozer attack framework to inspect and manipulate intents to exploit insecure activities and content providers. We will perform a protection level downgrade attack on an Android 4.3 device, removing security protections from the Twitter app.

    All class materials are freely available on the Web, and will remain available after the workshop. All vulnerabilities were reported to the affected companies long ago, where appropriate.

    Equipment: participants must bring a laptop that can run VirtualBox machines. The host system can use Mac OS (best), Linux (OK) or Windows (usable but limited). We will use free Android emulators and a Kali virtual machine. They will be available as free downloads, and also locally on USB sticks.

    Sam Bowne is an instructor at City College San Francisco, and has been teaching hacking and security classes for ten years. He has presented talks and workshops at Defcon, HOPE, RSA, BSidesLV, BSidesSF, and many other conferences. He has a CISSP and a PhD and is a DEF CON Black Badge co-winner.

    Elizabeth Biddlecome is a consultant and a part-time instructor at City College San Francisco, delivering technical training and mentorship to students and professionals. She leverages her enthusiasm for architecture, security, and code to design and implement comprehensive information security solutions for business needs. Elizabeth enjoys wielding everything from soldering irons to scripting languages in cybersecurity competitions, hackathons, and CTFs.


    I. The Android security model
    A. Attack surface
    1. Public Wi-Fi
    2. 3G, 4G, 5G networks
    3. Device theft
    4. Malicious apps (often from Google Play)
    5. Other inputs: NFC, Bluetooth, camera, microphone, etc.
    B. App sandboxing
    1. User accounts in Android
    2. App signatures
    3. App repositories and Google Play
    4. GTalkService
    5. App permissions to access hardware
    C. The OWASP Mobile top ten vulnerabilities
    1. Severity
    2. Frequency (90% of apps have them)
    3. Why these flaws are so common

    II. Dynamic analysis
    A. Preparing a simple Android hacking platform
    1. Emulators: Genymotion and Bluestacks
    2. USB debugging and ADB
    3. Busybox
    4. Burp Proxy
    B. Hands-on projects and challenges with Android
    1. "Ask a Lawyer" app plaintext login
    2. "GenieMD" broken SSL (from Harvard and IBM)
    3. "Delhaize" app puts passwords in syslog
    4. "Menards" app plaintext password in local storage
    5. "ES Explorer" app command injection
    C. Auditing iOS Apps
    1. Redirecting network traffic from an iPhone through a Mac using pf and Burp
    2. Plaintext logins
    3. Broken TLS
    4. Command injection and database exposure in the University of Houston app
    D. Hands-on projects and challenges with iOS
    1. Broken TLS in the Exxon Mobile Speedpass+ app
    2. Security flaws in "Private Browser with Adblock" app
    3. Homebrew encryption in the "Edubirdie" app

    III. Android app structure
    A. Structure of an APK file
    1. Android Manifest
    2. Assets and Resources
    3. Libraries
    4. META-INF and signatures
    B. Application components
    1. Activities
    2. Services
    3. Broadcast receivers
    4. Content providers
    C. Inter-Process Communication (IPC)
    1. Binder
    2. Explicit intents
    3. Implicit intents
    4. Hands-on with Drozer: exploiting intents and receivers

    IV. Static analysis
    A. Unpacking apps to Java with Jadx
    B. Extracting smali code with apktool
    C. Simple smali Trojans
    D. Rebuilding apps
    E. Signing apps
    F. Hands-on projects and challenges
    1. Reverse-engineering Home Depot's password encryption
    2. Adding Trojan code to the Bank of America app
    3. Modifying the mAadhaar app (government of India)
    a. Defeating code integrity checks
    b. Removing rooted device detection

    V. Other topics
    A. Vulnerability scanning with LinkedIn's Qark
    B. Mobile device management
    Last edited by The Dark Tangent; April 25, 2019, 08:25.
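    The outline's Drozer, manifest and Qark items all come back to the same question: which app components can another app reach through an intent? As an added example (not part of the workshop materials or of any tool named above), this small Python script reads an AndroidManifest.xml, applies a simplified version of the android:exported default rules, and lists exported activities, services, receivers and providers that declare no permission. The sample manifest is constructed for the example and does not describe any real app.

```python
# Added example (not from the workshop materials): a minimal static check that lists
# Android components reachable by other apps through intents, i.e. exported
# activities, services, receivers and content providers that declare no permission.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")

def _is_exported(elem, min_sdk):
    """Simplified android:exported default rules (pre-API-31 behaviour)."""
    exported = elem.get(ANDROID_NS + "exported")
    if exported is not None:
        return exported.lower() == "true"
    # No explicit value: a provider is exported by default below API 17;
    # other components are exported by default when they have an intent-filter.
    if elem.tag == "provider":
        return min_sdk < 17
    return elem.find("intent-filter") is not None

def find_unprotected_exports(manifest_xml, min_sdk=16):
    """Return [(tag, name)] for exported components guarded by no permission."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for elem in root.find("application"):
        if elem.tag not in COMPONENTS or not _is_exported(elem, min_sdk):
            continue
        guards = ("permission", "readPermission", "writePermission")
        if not any(elem.get(ANDROID_NS + g) for g in guards):
            findings.append((elem.tag, elem.get(ANDROID_NS + "name")))
    return findings

# Constructed sample manifest (not from any real app): one unprotected provider
# and one hardened provider, plus a receiver guarded by a permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <provider android:name=".NotesProvider" android:authorities="com.example.demo.notes" android:exported="true"/>
    <provider android:name=".SafeProvider" android:authorities="com.example.demo.safe" android:exported="false"/>
    <receiver android:name=".BootReceiver" android:permission="android.permission.RECEIVE_BOOT_COMPLETED">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for tag, name in find_unprotected_exports(SAMPLE_MANIFEST):
        print(f"{tag}: {name} is exported without a permission")
```

    Run it against the manifest apktool extracts from an APK (section IV.B) to get the same list of components Drozer would enumerate; the launcher activity will always appear, since it must be exported.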

  • #2
    Experience the fun of finding flaws in real Android and iOS apps in this CTF-style hands-on workshop, and you will learn how to avoid these security errors in your own apps. Android apps are very easy to unpack, analyze, modify and repack: partly because of the inherently open nature of the system, and partly because most companies neglect basic security measures.
    In this workshop, participants will hack apps from Bank of America, IBM, Harvard, Home Depot, the Indian government and other large organizations. We will find insecure network transmissions, broken cryptography, improper logging, and a pervasive lack of binary protections.
    We will analyze Android internals in detail, using the Drozer attack framework to inspect content and exploit the insecure activities and content providers within. We will perform a protection level downgrade attack on an Android 4.3 device and remove the security protections from the Twitter app.
    All course materials are freely available on the Web and will remain available after the workshop. All vulnerabilities were reported to the affected companies long ago.

    Sam Bowne is an instructor at City College San Francisco and has been teaching hacking and security classes for ten years. He has given talks and workshops at DEF CON, HOPE, RSA, BSidesLV, BSidesSF and many other conferences. He holds a CISSP and a PhD, and is a DEF CON Black Badge co-winner.

    Elizabeth Biddlecome is a consultant and part-time instructor at City College San Francisco, providing technical training and mentorship to students and professionals. She has a great enthusiasm for architecture, security and code, and designs and implements comprehensive information security solutions for business needs. Elizabeth enjoys using scripting languages in cybersecurity competitions, hackathons and CTFs.