UPDATE: April 2nd – Added new pinning article thanks @an_animal!
UPDATE: Feb 14th – Added (draft, initial) forensics section, Added pinning links, thanks @an_animal for most pinning resources!
Android security is like IPv6: it will catch you sooner or later :). It is becoming more common for web applications to involve a mobile application component. The purpose of this post is to get the average infosec person (or competent developer) up to speed ASAP.
Free Tools
- OWASP Mobisec ISO: This is a bootable ISO like Backtrack/Samurai WTF but for mobile testing; it bundles lots of tools, emulators, etc. (i.e. it saves you a lot of time) http://sourceforge.net/p/mobisec/wiki/Home/ (Slides here). NOTE: You can install it on a VM for persistent changes, updates, etc.
- Dan Cornell/DenimGroup’s scripts (https://code.google.com/p/smartphonesdumbapps/): I made some small contributions to this new release and Dan added more improvements (released yesterday: Feb 13th!)
- Android SSL bypass: This is an Android debugging tool that can be used to bypass SSL certificate validation in a target app, even when certificate pinning is implemented (pinning links below), as well as for other debugging tasks: https://www.isecpartners.com/tools/mobile-security/android-ssl-bypass.aspx (Source here)
- Java Decompiler: http://java.decompiler.free.fr/?q=jdgui
NOTE: You need the Java source to grep for insecure practices. jd-gui is the best tool for this, but it decompiles Java bytecode (.jar/.class), not Dalvik bytecode, so first convert the APK's classes.dex into a .jar with dex2jar. Unfortunately jd-gui is a GUI tool, so you will have to open the .jar manually and then click File / Save All Sources to write all the .java files to disk:
- Droidsheep (for broken SSL PoCs): http://code.google.com/p/droidsheep/
- SQLite editor (Edit SQLite databases from your phone): http://code.google.com/p/xdroidx/downloads/detail?name=SQLite%20Editor-9.apk&can=2&q=
- Android APK Tool: http://code.google.com/p/android-apktool/w/list
- Agnitio (@securityninja’s source code review tool, contains Android and iPhone app analysis features and great checklist questions): http://www.securityninja.co.uk
Vulnerable Apps
- OWASP GoatDroid (Jack Mannino): https://github.com/jackMannino/OWASP-GoatDroid-Project
- Pandemobium (Dan Cornell/DenimGroup): https://github.com/denimgroup/Pandemobium/
Useful Presentations
- OWASP Top 10 Mobile Risk (Jack Mannino, Zack Lanier, Mike Zusman) http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
- Advanced Code Review Techniques (Prashant Verma, Dinesh Shetty): https://www.owasp.org/images/4/40/OWASP_Advanced_Mobile_Application_Code_Review_Techniques.pptx
- UI Redressing Attacks on Android Devices (Marcus Niemietz): https://media.blackhat.com/ad-12/Niemietz/bh-ad-12-androidmarcus_niemietz-slides.pdf (Paper here)
- Whack-A-Mobile II (Secure Ideas: Kevin Johnson, Tony DeLaGrange): https://www.owasp.org/images/4/49/ASDC12-WhackaMobile_II_Mobile_App_Pen_Testing_with_the_MobiSecLive_Environment.pdf
- Mobile Malfeasance (Jason Haddix) http://www.slideshare.net/jasonhaddix/mobile-malfeasance-exploring-dangerous-mobile-vulnerabilities
- Seven Ways to Hang Yourself with Google Android (Yekaterina Tsipenyuk O’Neil and Erika Chin): http://blog.fortify.com/blog/2011/08/19/Seven-Ways-to-Hang-Yourself-with-Google-Android (NOTE: Android Intent Madness explained here!)
- TEAM JOCH vs. Android: The Ultimate Showdown (Jon Oberheide, Zach Lanier): http://jon.oberheide.org/files/shmoo11-teamjoch.pdf
- Mobile Threats and OWASP Mobile Top 10 Risks (Securbay): http://www.slideshare.net/securbay/securbay-mobile-threats-and-owasp-top-10-risks
- Secure Android Applications The OWASP Way (Jack Mannino): http://www.slideshare.net/JackMannino/secure-android-apps-nvisium-security
- Mobile Application Security Code Reviews (Dan Cornell/DenimGroup): http://www.slideshare.net/denimgroup/mobile-application-security-code-reviews
- Cracking the Code of Mobile Applications (Sreenarayan Ashokkumar): http://vimeo.com/54227159 (Slides here)
- (Italian with lots of English, easy for Spaniards/Valencian-Catalonian speakers :)) – OWASP Top 10 Mobile Risks: http://www.slideshare.net/franciov/owasp-mobile-security-project
On SSL validation and pinning
- OWASP Pinning CheatSheet: https://owasp.org/index.php/Pinning_Cheat_Sheet
- Certificate Pinning in a Mobile Application: http://www.netspi.com/blog/2013/04/01/certificate-pinning-in-a-mobile-application/
- Defeating SSL certificate validation for Android Applications (McAfee): https://secure.mcafee.com/us/resources/white-papers/wp-defeating-ssl-cert-validation.pdf
- Your app shouldn’t suffer SSL’s problems (Moxie Marlinspike): http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/
- Android SSL bypass: This is an Android debugging tool that can be used to bypass SSL certificate validation in a target app, even when certificate pinning is implemented, as well as for other debugging tasks: https://www.isecpartners.com/tools/mobile-security/android-ssl-bypass.aspx (Source here)
- Certificate Pinning
- Public key pinning: http://www.imperialviolet.org/2011/05/04/pinning.html
- Surveillance works! Let’s have more of it: http://blog.cryptographyengineering.com/2013/01/ubiquitous-surveillance-works-lets-have.html
Forensics
- FROST: Forensic Recovery Of Scrambled Telephones (full disk encryption bypass via cold boot attacks against new Android 4 devices): https://www1.informatik.uni-erlangen.de/frost
Further reading
- OWASP Top 10 Mobile Risks: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#Top_Ten_Mobile_Risks
- OWASP Top 10 Mobile Controls: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#Top_Ten_Mobile_Controls
- Android Security and Permissions: http://developer.android.com/guide/topics/security/index.html
- Android Security Overview: http://source.android.com/tech/security/
- Rough overview of HP Fortify’s Android checks: http://stackoverflow.com/questions/12832957/fortify-android-checks
- Reversing Android apps (the article focuses on malware but reversing an .apk for review is largely equivalent)
P.S. If there is something useful I missed above, please let me know and I will update this blog post. Thank you in advance.