Apps perform network communication, which can occur through unsecure networks such as cafe wifi.
The phone can be lost or stolen, no app data should be available in the filesystem
Unofficial markets provide malware threats
Big attack surface (NFC, bluetooth, camera, SMS, USB, QR, ...)
Insecure data storage: data in cleartext, hardcoded keys, or other means that can be reversed engineered.
Insecure transmission of data: not using TLS or implemented incorrectly
Lack of binary protections: No having protections against debugging, tampering, reverse engineering.
Client-side injection: untrusted data in handled in an unsafe manner
Hard-coded passwords: in the app code or data.
Leakage of sensitive data: leaking data through OS or frameworks.
M1 - Improper platform usage
M3 - Insufficient Transport Layer (on server side)
M2 - Insecure Data storage
M4 - Insecure Authentication
M5 - Insufficient Cryptography
M6 - Insecure Authorization
M8 - Code Tampering
M9 -Reverse Engineering
M10 - Extraneous Functionality
Native: developed using the SDK of android or IOs
Web: HTML5, run in the browser
Hybrid: web view(html5 on steroids, HTML5 with some OS functions) (react native, jquery mobile, ...)
Mapping the app: use the app, entry points, data flows, functions
Identify sensitive data (rest(datastore), in use, in transit_
Android SDK and testing on a rooted device
set up burp with the CA installed on the phone, certificate pinning killed.
Use http://jd.benow.ca/ to decompile to APK classes. Read the code to understand what libraries it uses, how communication is handled and obvious flaws.
Automated open source tools android static analysis:
Intercept requests using Burp
Secure Boot Chain
Process Level SandBoxing
Data at rest Encryption
Bypassing apple apps store review:
Automatic reference counting
App file system layout
Android development kit (SDK)
$ android avd # create virtual device
$ emulator -adv kitkat # start virtual device
$ adb devices # list devices
Intent: Data object that defines a task to be perfomed
Activity Graphical interface of app for users
adb install diva-beta.apk
First get the jar:
$ sh dex2jar.sh diva-beta.apk
dex2jar diva-beta.apk -> diva-beta_dex2jar.jar
You can use JD-GUI to decompile the classes
$ java -jar apktool_2.0.3.jar d diva-beta.apk -o output8
Test the app and check the output of the command:
$ adb logcat
It will show written files, activities, etc..
You can run the following command to inspect the files created by the app:
$ adb shell
> cd /data/data/
$ adb pull file
$ sqlite3 ids2
Main classes WebChromeClient WebViewClient
Native component provided by the operating system to be able to load web content and interact with the OS. Browser on steroids.
connection hijacking, XSS
Same Origin Policy (SOP) bypass can lead to device file-system access.
Microsoft Threat Modelling (DFDs and STRIDE_
Cigital Threat Modelling: Assets, Threat Agents, Controls modelled directly, Component Diagram
Unencrypted sensitive data
Mobile-aware web site
Hybrid /framework-based app
Full native code app
Real binaries, debuggers
Simulators for devices you don’t have
SDK + phone + USB SDK + System Image
Create an Android Virtual Device