UPDATE: April 2nd – Added new pinning article thanks @an_animal!
UPDATE: Feb 14th – Added (draft, initial) forensics section, Added pinning links, thanks @an_animal for most pinning resources!
Android Security is like IPv6: It will catch you sooner or later :). It is becoming more common for Web Applications to involve a Mobile Application component. The purpose of this post is to try to get the average infosec person (or competent developer) up to speed asap.
Free Tools
- OWASP Mobisec ISO: This is a bootable ISO like Backtrack/Samurai WTF but for Mobile testing, including lots of tools, emulators, etc (i.e. saves you a lot of time) Click to explore (Slides here). NOTE: You can install it on a VM for persistent changes, updates, etc
- Dan Cornell/DenimGroup’s scripts (Click to explore): I made some small contributions to this new release and Dan added more improvements (released yesterday: Feb 13th!)
- Android SSL bypass: This is an Android debugging tool that can be used for bypassing SSL, even when certificate pinning is implemented (pinning links below), as well as other debugging tasks: Click to explore (Source here)
- Java Decompiler: Click to explore
NOTE: You need the Java source to do source code searches for insecure practices. jd-gui is just the best tool for this, unfortunately it’s a GUI tool so you’ll have to manually open the .jar file and then click on File / Save all Sources it to save all the .java files to disk:
- Droidsheep (for broken SSL PoCs): Click to explore
- SQLite editor (Edit SQLite databases from your phone): Click to explore
- Android APK Tool: Click to explore
- Agnitio (@securityninja’s source code review tool, contains Android and iPhone app analysis features and great checklist questions): Click to explore
Vulnerable Apps
- OWASP GoatDroid (Jack Mannino): Click to explore
- Pandemobium (Dan Cornell/DenimGroup): Click to explore
Useful Presentations
- OWASP Top 10 Mobile Risk (Jack Mannino, Zack Lanier, Mike Zusman) Click to explore
- Advanced Code Review Tecniques (Prashant Verma, Dinesh Shetty): Click to explore
- UI Redressing A$acks on Android Devices (Marcus Niemietz): Click to explore (Paper here)
- Whack-‐A-‐Mobile II (Secure Ideas: Kevin Johnson, Tony DeLaGrange): Click to explore
- Mobile Malfeasance (Jason Haddix) Click to explore
- Seven Ways to Hang Yourself with Google Android (Yekaterina Tsipenyuk O’Neil and Erika Chin): Click to explore (NOTE: Android Intent Madness explained here!)
- TEAM JOCH vs. Android: The Ultimate Showdown (Jon Oberheide, Zach Lanier): Click to explore
- Mobile Threats and OWASP Mobile Top 10 Risks (Securbay): Click to explore
- Secure Android Applications The OWASP Way (Jack Mannino): Click to explore
- Mobile Application Security Code Reviews (Dan Cornell/DenimGroup): Click to explore
- Cracking the Code of Mobile Applications (Sreenarayan Ashokkumar): Click to explore (Slides here)
- (Italian with lots of English, easy for Spaniards/Valencian-Catalonian speakers :)) – OWASP Top 10 Mobile Risks: Click to explore
On SSL validation and pinning
- OWASP Pinning CheatSheet: Click to explore
- Certificate Pinning in a Mobile Application: Click to explore
- Defeating SSL certificate validation for Android Applications (McAfee): Click to explore
- Your app shouldn’t suffer SSL’s problems (Moxie Marlinspike): Click to explore
- Android SSL bypass: This is an Android debugging tool that can be used for bypassing SSL, even when certificate pinning is implemented, as well as other debugging tasks: Click to explore (Source here)
- Certificate Pinning
- Public key pinning: Click to explore
- Surveillance works! Let’s have more of it: Click to explore
Forensics
- FROST: Forensic Recovery Of Scrambled Telephones (full disk encryption bypass via cold boot attacks against new Android 4 devices): Click to explore
Further reading
- OWASP Top 10 Mobile Risks: Click to explore
- OWASP Top 10 Mobile Controls: Click to explore
- Android Security and Permissions: Click to explore
- Android Security Overview: Click to explore
- Rough overview of HP Fortify’s Android checks: Click to explore
- Reversing Android apps (the article focuses on malware but reversing an .apk for review is largely equivalent)
P.S. If there is something useful I missed above, please let me know and I will update this blog post. Thank you in advance.