Wednesday, November 14, 2012

Intercepting Android Native Application


Recently, I got the opportunity to do a hands-on security assessment of an Android native application. This application does not communicate with the internet over HTTP or through the mobile browser; it communicates with the remote server over TCP on some XYZ port.

From my past Android experience and the papers I had read on the internet, only the interception of browser-based application traffic was covered. Some of the papers mentioned native apps, but those apps eventually communicate over HTTP. Read here for traffic interception of HTTP-based applications.

Challenge Scenario

The native app works perfectly when no proxy is set up on the emulator and it is connected to the internet over Wi-Fi. The moment I change the APN settings of the Android emulator, the application stops and throws a “Network Error” without any further details.

The Solution

Initially I wanted to capture and modify the traffic as we do for a normal Android web app and apply web application security test cases. After digging into the problem for quite some time, I got my hands on debugging Android with tcpdump. This allowed me to create a pcap file and then analyse it in Wireshark the way one would analyse any other traffic capture.

The Steps

Start the Android emulator using emulator.exe present in /tools/emulator.exe
Issue the command:

emulator.exe -avd avd_name -tcpdump apptraffic.pcap

This command will start your emulator in a new window and dump all traffic sent and received to the apptraffic.pcap file.

The file can then be imported into Wireshark for further analysis. Here’s a screenshot:



With careful analysis of the TCP packets you can identify the server IP address and port. To narrow your results down to a specific port, use the switch below:

emulator.exe -avd avd_name -tcpdump apptraffic.pcap port 10004
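As an added example (not from the original post), the same endpoint discovery done without Wireshark: a small parser for the classic pcap format that the emulator's -tcpdump option writes, tallying TCP destination IP:port pairs so the server stands out. It assumes Ethernet frames and IPv4; the capture, the guest address 10.0.2.15, the server 203.0.113.10 and port 10004 are constructed sample values.

```python
import struct
from collections import Counter

def _frame(src, dst, sport, dport, proto=6):
    """Constructed Ethernet + IPv4 + 20-byte transport header, no payload."""
    eth = b"\x00" * 12 + b"\x08\x00"                 # zeroed MACs + EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + struct.pack("!HH", sport, dport) + b"\x00" * 16

# Constructed capture: emulator guest 10.0.2.15 talking to a made-up server
# 203.0.113.10:10004 (three TCP packets) plus one UDP reply from the DNS relay.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
for _f in (_frame("10.0.2.15", "203.0.113.10", 40001, 10004),
           _frame("203.0.113.10", "10.0.2.15", 10004, 40001),
           _frame("10.0.2.15", "203.0.113.10", 40001, 10004),
           _frame("10.0.2.3", "10.0.2.15", 53, 50000, proto=17)):
    SAMPLE_PCAP += struct.pack("<IIII", 0, 0, len(_f), len(_f)) + _f  # ts_sec, ts_usec, incl_len, orig_len

def tcp_endpoints(pcap, port=None):
    """Count TCP packets per (dst_ip, dst_port); with port set, keep only that destination port."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:                        # written on a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (LINKTYPE_ETHERNET) frames are handled")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(endian + "IIII", pcap, off)[2]
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                 # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6 or len(frame) < 14 + ihl + 4:
            continue                                 # not TCP, or truncated
        dst_ip = ".".join(map(str, frame[30:34]))
        dport = struct.unpack_from("!H", frame, 14 + ihl + 2)[0]
        if port is None or dport == port:
            counts[(dst_ip, dport)] += 1
    return counts
```

Running tcp_endpoints(open("apptraffic.pcap", "rb").read()).most_common() on a real capture lists the destinations by packet count; the server's address and port normally top the list.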

Happy Reading!!!

Thursday, September 6, 2012

Managing Wordpress and Joomla Security

In the last 6 months, I have noticed an exponential increase in hacking activity specifically targeting CMS-based websites, i.e. Wordpress and Joomla. Both platforms offer business owners a comfortable base on which to build an application in no time. Additionally, a CMS offers some really cool plug-ins that can be easily integrated into your website. Because of their usability, popularity and known weaknesses, hackers treat them as an easy target.

Here are some statistics on attack motivation and distribution as of August 2012 (source: Hackmageddon):


Where is the problem?

CMS vendors (Wordpress and Joomla) regularly release new versions when they find a need to upgrade, a new feature to offer, or a security vulnerability to fix. This is really good and shows the reactive nature of the vendors, but it introduces a problem too. Business owners generally prefer not to upgrade their platform version, as an upgrade introduces a lot of risk to their business. Yet when a website is hacked, it loses its user base and trust, and sometimes the owners are even put out of business.

Wordpress and Joomla have a great many version-specific vulnerabilities that can be easily exploited by a script kiddie after a simple Google search. This really highlights the need to upgrade your CMS platform as soon as a new release comes out.

Attackers have an easy way to detect which platform you are using. Below is the detection technique:

Wordpress:
Joomla:
What next?

Every business is critical and everyone wants their business to be profitable and secure. To achieve that level of assurance, I recommend following at least the basic best practices below for your website.

Based on my CMS security assessment experience, here are the best practices you must follow to strengthen the security of your website:
  • Try to keep your CMS version up to date
  • Disable directory listing on your website – this is the first thing hackers look for to map your application's directory structure
  • Set 644 (rw-r--r--) permissions on all your .htaccess, index.php and config files
  • Change your administrator's default username from “admin” to something else
  • Maintain an inventory of trusted users with remote access and ensure their rights are revoked once the work is completed
  • Apply access restrictions to your admin module (it is only used for administration purposes by a limited number of people) or change your admin path from /administrator to /siteadm/adm.php. The idea is to remove the /administrator directory from the CMS installation
  • Delete all default configurations and redirect users to an application-customised error page
  • Audit and remove HTTP response headers that disclose your CMS version, web server version and operating system details
  • Remove all unused or unreferenced files from your CMS installation directory
  • Apply a strict password policy for FTP, the admin module and any other remote access to your server. Your policy must include:
    • Must be 8 characters in length
    • Must be alphanumeric
    • Must change every month
  • For Joomla based websites, ensure:
  • Ensure you have up-to-date antivirus and anti-malware tools installed on your server and that they scan your application files on a weekly basis. I recommend ClamAV.
  • Deploy a web application firewall and configure it to prevent at least some of the common web application attacks. For Linux environments, mod_security is the recommended one.
  • Install a Wordpress and Joomla security scanner to quickly detect and fix security issues. Below are the recommended ones:
  • Ensure all your application files are linked completely and do not disclose any internal server path
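To make the directory-listing and response-header items above checkable, here is an added example (not from the original post) that audits one HTTP response for version disclosure and auto-index pages. The two responses are constructed, the version strings in them are made up, and the header names are ones commonly seen, not values taken from any real site.

```python
import re

# Constructed sample responses: a weak one and a hardened one. Nothing here was
# captured from a real site; the version numbers are made up.
WEAK = (200, {"Server": "Apache/2.2.22 (Ubuntu)", "X-Powered-By": "PHP/5.3.10"},
        '<html><head><title>Index of /wp-content/plugins</title>'
        '<meta name="generator" content="WordPress 3.4.2" /></head></html>')
HARDENED = (403, {"Server": "Apache"},
            "<html><head><title>Forbidden</title></head><body>Custom error page</body></html>")

VERSION = re.compile(r"\d+\.\d+")             # anything that looks like a version number
GENERATOR = re.compile(r'<meta\s+name="generator"\s+content="([^"]+)"', re.I)
LISTING = re.compile(r"<title>\s*Index of /", re.I)

def audit_response(status, headers, body):
    """Return the disclosure and listing findings for one HTTP response.

    Header names are matched case-insensitively. A bare 'Server: Apache' passes,
    but a Server value carrying a version is flagged, as are X-Powered-By style
    headers, a <meta generator> tag and an auto-index page served with status 200.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "server" in h and VERSION.search(h["server"]):
        findings.append(f"Server header discloses version: {h['server']}")
    for name in ("x-powered-by", "x-generator", "x-aspnet-version"):
        if name in h:
            findings.append(f"{name} header discloses: {h[name]}")
    m = GENERATOR.search(body)
    if m:
        findings.append(f"meta generator tag discloses: {m.group(1)}")
    if status == 200 and LISTING.search(body):
        findings.append("directory listing is enabled")
    return findings
```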

Monday, May 28, 2012

Android Application Assessment – Part III

This post covers some more Android application-specific attacks and tools that may further help you in pentesting your Android app.

Please note that for an Android application that connects to the internet via Wi-Fi or GPRS, you need to inject a proxy and perform testing similar to web application testing; in this case, all applicable web application tests apply. Check here to set up a proxy in the Android emulator.

Application Process and Inter-Communication Inspection

The objective is to look at the internal system calls made by your application, grab screens without rooting your device, spoof local data, and view processes and application state information. The utility we use here is the GUI version of adb.exe, i.e. ddms.bat. Its default location is C:\Program Files\Android\android-sdk\tools. Below is how you can access all of the above:

Browse to \Android\android-sdk\tools via the command prompt

Locate and execute ddms.bat to get the screen below:



Insecure Cryptographic Storage

The objective of this test is to look for hardcoded keys the application may store to encrypt and decrypt data at rest or in transit. Application decompilation, which I detailed in my last post, should do most of the work. Places to look:

  • Methods like javax.crypto.Cipher.init() in the class files
  • The class name should point you in the right direction
  • The application homepage/login page may perform some encryption logic

Useful Tools

Below are some Android application-specific tools (apart from those I mentioned in this series) that may help you investigate further or look for more issues:

Intent Fuzzer – Supplies random, invalid data to test how your application reacts to it.

Intent Sniffer – Monitors and intercepts the intents of your application

BusyBox – A bundle of Unix tools to test your Android application

Wireshark – Most of you must be aware of its functionality. Combine it with RawCap to analyse the traffic

I hope you have found this series useful in pentesting your android applications. I await your feedback..:)

Happy Reading!!!

Friday, April 20, 2012

Android Application Assessment – Part II


I hope my last post helped you kick off your Android application pentest. In this post, I will cover application-specific attacks/checks using adb.exe (Android Debug Bridge) from the SDK toolkit.

Android Application Decompilation

I assume you already have the application's installable .apk file saved on your local drive (if not, please refer to my last post). In simpler terms, decompilation is the method of viewing the application's files. The steps for application decompilation are:

  • Rename your application file from .apk to .zip or .rar
  • Extract the zipped file to view the application files

Files of interest are:

  • AndroidManifest.xml - Contains application permissions, configuration settings, filters and service settings. Look for application permissions or any external service calls. More information can be found here.
  • classes.dex – Contains the application source code, i.e. class files, java files, xml files, etc. Look for business logic implementation, encryption/decryption logic, hard-coded credentials and test data.

There is a high chance that the AndroidManifest.xml file is encoded, so you need to decode it with a third-party tool before you can actually view it. Download the AXMLPrinter2.jar utility from here. Below are the steps to decode the AndroidManifest.xml file:


You should now be able to view your application's AndroidManifest.xml in cleartext.

Another method to inspect the AndroidManifest.xml file is to download and install the Manifest Explorer application onto your Android device, as shown:


The next step is to decompile the classes.dex file. This is the most important file to inspect from a security point of view. Here’s how you can decompile it:

  • Download a third-party tool named dex2jar from here
  • Below is the command to convert the dex file to a jar:

  • Locate the created jar file and rename it to .rar or .zip
  • Extract the zipped file and view the class files using your favourite Java decompiler
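Once the class files are decompiled, the review for hard-coded credentials and encryption logic from this step, and the Insecure Cryptographic Storage check in Part III, can be partly automated. The added example below (not from the original posts) scans decompiled Java source for javax.crypto API usage, high-entropy string constants and key/IV-sized byte arrays; the source files, the package com.example.app and the key and IV values are all constructed.

```python
import math
import re

# Constructed stand-in for decompiler output (dex2jar + a Java decompiler); names and values are made up.
SAMPLE_SOURCES = {
    "com/example/app/CryptoUtil.java": """
        public class CryptoUtil {
            private static final String KEY = "Zq7#pL2vX9!mR4dK";
            private static final byte[] IV = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x08,
                                              0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10};
            public static byte[] encrypt(byte[] data) throws Exception {
                Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
                c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY.getBytes(), "AES"), new IvParameterSpec(IV));
                return c.doFinal(data);
            }
        }""",
    "com/example/app/MainActivity.java": """
        public class MainActivity extends Activity {
            private static final String TAG = "MainActivity";
        }""",
}

CRYPTO_API = re.compile(r"Cipher\.getInstance|SecretKeySpec|IvParameterSpec|PBEKeySpec|\binit\(")
STRING_LITERAL = re.compile(r'"([^"\\]{12,})"')            # string constants of 12+ chars
BYTE_ARRAY = re.compile(r"byte\[\]\s+(\w+)\s*=\s*\{([^}]+)\}")

def shannon_entropy(s):
    """Bits per character; random-looking keys score near log2(len), words score low."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_sources(sources, min_entropy=3.5):
    """Map file path -> findings: crypto API use, key-like string literals, key/IV-sized arrays."""
    findings = {}
    for path, text in sources.items():
        hits = []
        apis = sorted({m.group(0).rstrip("(") for m in CRYPTO_API.finditer(text)})
        if apis:
            hits.append("crypto API usage: " + ", ".join(apis))
        for lit in STRING_LITERAL.findall(text):
            # Literals with '/' (transformation names, URLs, paths) are skipped; this also skips base64 keys containing '/'.
            if "/" not in lit and shannon_entropy(lit) >= min_entropy:
                hits.append(f"high-entropy string literal: {lit!r}")
        for name, body in BYTE_ARRAY.findall(text):
            n = len([b for b in body.split(",") if b.strip()])
            if n in (16, 24, 32):                               # AES key / IV sizes
                hits.append(f"{n}-byte array constant {name}")
        if hits:
            findings[path] = hits
    return findings
```

On a real target, build the sources dict by reading every .java file the decompiler emitted; the entropy threshold and the length floor are starting points to tune against the noise level of that code base.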

Database Inspection

The objective of this test is to look for sensitive information stored in the application database. There is a high chance of finding user credentials in cleartext or sensitive information like user financial details, SSNs, etc. Android stores all application-related files under the /data/data folder. You can access those files from adb.exe using the commands below:

adb devices – List of connected devices will be shown
adb shell
su
cd /data/data/
ls

Look for your application's folder

cd com.android.applicationname
ls

Application database files are stored in the databases folder. To view a database file, we need to use the sqlite3 utility that comes along with the SDK toolkit. Here’s how you can view them:

sqlite3 /data/data/com.android.applicationname/databases/databasename
.tables – List all database tables
select * from user_id;
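The same table-by-table review, automated, as an added example that is not part of the original post: it walks every table in an SQLite database and flags cleartext values in sensitive-looking columns or values matching simple SSN/card/e-mail patterns. The database is built in memory with constructed rows standing in for /data/data/<app>/databases/<name>; the table name user_id comes from the post, the other names and values are made up.

```python
import re
import sqlite3

# Column names and value shapes a reviewer treats as sensitive when stored in cleartext.
# The patterns are deliberately simple (e.g. 'pin' also matches 'shipping') and meant to be tuned.
SENSITIVE_COLUMNS = re.compile(r"pass|pwd|pin|secret|token|ssn|card|account", re.I)
VALUE_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "card": re.compile(r"^\d{13,19}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.\w+$"),
}

def scan_database(conn):
    """Report cleartext sensitive data across all user tables of an open SQLite connection.

    Returns (table, column, rowid, reason) tuples: a hit when a sensitive-looking column
    holds a non-empty text value, or when a value matches one of VALUE_PATTERNS.
    """
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        columns = [c[1] for c in conn.execute(f'PRAGMA table_info("{table}")')]
        for row in conn.execute(f'SELECT rowid, * FROM "{table}"'):
            rowid, values = row[0], row[1:]
            for col, val in zip(columns, values):
                if not isinstance(val, str) or not val:
                    continue
                if SENSITIVE_COLUMNS.search(col):
                    findings.append((table, col, rowid, "sensitive column stored as text"))
                for label, pat in VALUE_PATTERNS.items():
                    if pat.match(val):
                        findings.append((table, col, rowid, f"value looks like {label}"))
    return findings

def build_sample_db():
    """Constructed stand-in for an app's SQLite database; every row here is made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user_id (username TEXT, password TEXT, email TEXT);
        CREATE TABLE profile (user TEXT, ssn TEXT, notes TEXT);
        INSERT INTO user_id VALUES ('alice', 'Summer2012!', 'alice@example.com');
        INSERT INTO user_id VALUES ('bob', 'a1b2c3d4e5f60718293a4b5c6d7e8f90', '');
        INSERT INTO profile VALUES ('alice', '123-45-6789', 'premium customer');
    """)
    return conn
```

Against a real pull, replace build_sample_db() with sqlite3.connect("path/to/databasename") after copying the file off the device with adb pull.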

I will cover more application-specific attacks and a list of tools essential from a pentest perspective in my next post.

Happy Reading!!!

Friday, April 13, 2012

Android Application Assessment – Part I

Recently, I was engaged in testing an Android application. The customer generously provided me with his new Samsung 750 tablet with the application installed on it. The application does not interact with any remote server, which meant all application data, the database schema and files had to be stored locally. From the tutorials and my learning I expected to find an Android installation file (.apk file), install it on a Google Android emulator and start testing. Unfortunately, the very first step didn’t meet my expectations.

I shall be releasing a series on Android application testing, so this post is focused on setting up the environment, common challenges, and confirming all is well before we proceed.

Challenge 1:

Extract the Android application's installable file (.apk file) from the tablet. The application is running on the tablet, but it is not clear whether the installation files were removed or hidden by the developer.

Solution:

After searching for and testing a few apps/tricks found through Google, I finally decided to go with the Astro File Manager application. It is uncomplicated and fulfils my needs. Below are the steps to get the .apk file:
  1. Download and install Astro File Manager on your Android tablet or phone
  2. Locate and open Astro File Manager
  3. Browse to the Application Backup menu
  4. Locate your application in the Installed Apps list and select the app (extreme right)
  5. Hit the “Backup” button
  6. Check and confirm your application backup in the Backup Apps list
Now we have the backup of our application. Next steps:
  1. Exit the Astro File Manager application
  2. Browse to the Home Screen and go to the My Files folder
  3. Look for the backups folder; you will find your .apk file there
Once you have your application's .apk file, there are multiple ways to get it onto your PC. I installed the Dropbox application on the tablet and then downloaded the file onto my PC. Other alternatives are:
  • Attach the file to an e-mail to your inbox (< 5MB)
  • Install the Samsung Windows driver from here and transfer it via USB.
The next step is to install the application on the Android emulator. You can download it from here and the installation steps are listed here. Once setup is done, you will have a running emulator similar to the one below:


Installing Assessment Application on Emulator
After a successful SDK toolkit installation, add the strings below to your PATH environment variable (right-click My Computer-->Properties-->Advanced-->Environment Variables):

C:\Program Files\Android\android-sdk\tools;C:\Program Files\Android\android-sdk\platform-tools

We are now ready to install the application on the Android emulator from any (valid) location. The utility to interact with the emulator is adb.exe, found under C:\Program Files\Android\android-sdk\platform-tools. The steps are:

Open AVD Manager from All Programs and click Start to run the emulator
Open a command prompt and browse to the path where you saved your application's .apk file
Issue the command adb devices to ensure your emulator is working properly
To install the app: adb install app_name.apk
Here's a screenshot of the above steps:


Happy Reading!!!

Sunday, January 1, 2012

Facebook Like Widget – Spammers Tool???

Nowadays, I get very curious and look at the view-source of websites where Facebook’s Like button is embedded. But why should I do this? Isn’t Facebook’s Like button trusted? That is right.. Huh!!! The answer is NO. If there is a mismatch between the domain you are visiting and the domain Facebook’s Like button is set up for, then there is surely a problem and it is a spam page.

How did I conclude this?

Facebook’s Like widget can be integrated into any website and is free to use. More surprisingly, it does not validate the host website.

How can it be used by Spammers?

Spammers use the Like widget to make their fake page look very real, thereby inducing visitors to click the Like button. The Like button can trigger any event of the attacker’s choice that runs inside the user’s browser, or may redirect the user to the attacker’s website or infect the user’s system.

Root Cause Analysis

Facebook does not validate the host domain, which is what causes the issue. Validating the host domain with Facebook (using an API, XHR or a hidden variable) may solve the problem.

Happy Reading!!!