White Paper: Pentesting
Android Apps on Mac
by
Adrian Pastor
Public Information
MINERVA Information Security Inc - 37 N Orange Ave Ste 500, Orlando, FL 32801, USA
MINERVA Information Security Ltd - Prama House, 267 Banbury Rd, Oxford OX2 7HT, UK
19-Jul-15
www.minerva-is.net – Public Information
2
Table of Contents
Executive Summary ...................................................................................... 3
Introduction .................................................................................................... 4
Android SDK Setup....................................................................................... 4
First Emulator Run ....................................................................................... 6
Importing Self-signed CA Certificate ...................................................... 7
Emulator Restart ........................................................................................ 13
Cleaning Up .................................................................................................. 14
Acknowledgments ...................................................................................... 15
About MINERVA .......................................................................................... 15
Works Cited ................................................................................................. 16
Tools Mentioned .......................................................................................... 16
Executive Summary
Mobile application penetration testing has experienced a significant increase in
demand over the last few years. This is due to the ever-growing number of
smartphone users worldwide who use apps to consume products and services
from the comfort of their thumbs. By 2016, the number of smartphone users is
predicted to reach 2.16 billion (eMarketer); that’s almost 30% of the world’s
population predicted for 2016 (GeoHive). Of all the different smartphone
operating systems, Android continues to have the greatest market share,
accounting for more than 50% of the market share worldwide as of 2015
(McGrath).
Demand for mobile app pentesting is likely to continue to grow as merchants and
service providers continue to push critical functionality to their apps. This includes
transmitting, processing, and storing personally-identifiable information (PII),
cardholder and bank account data.
Being able to read and modify messages transmitted by the mobile app in scope
for security testing is one of the most important prerequisites for a successful
engagement. The technical procedures documented in this paper are written for
developers and pentesters who need to accomplish such a task. The author
assumes that the app in scope was developed for the Android operating system
and that the tester is a Mac user with no access to an Android handset.
Introduction
The method documented in this paper assumes the tester is a Mac OS X user
who has installed either the free or professional edition of Burp Suite. It has been
optimized to meet the following requirements:
• No Integrated Development Environment (IDE) such as Android Studio or Eclipse is installed
• Only limited storage capacity is available to set up the testing environment
• Tester has no budget to purchase additional software
• Tester has no access to an Android handset
• There is limited time to set up the testing environment
The scope of this paper is limited to interception of unencrypted and encrypted
communications of Android apps using the Burp intercepting proxy. Local app
security checks such as application decompiling and debugging were considered
out of scope. The procedures below can also be used as guidance when other
proxies such as Proxy.app or ZAP are used. Windows users are recommended to
read Kunjan Shah’s excellent paper on the subject (Shah).
Android SDK Setup
Make sure you have the latest version of Java Runtime Environment (JRE) and
Java Development Kit (JDK) from www.oracle.com installed, which at time of
writing is version 8:
$ java -version
java version "1.8.0_45"
Java(TM) SE Runtime Environment (build 1.8.0_45-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.45-b02, mixed mode)
$ javac -version
javac 1.8.0_45
Install the stand-alone SDK tools for Mac from developer.android.com, e.g. android-sdk_r24.3.3-macosx.zip. Unzip the file into your directory of preference, the home
directory in our case (giving ~/android-sdk-macosx, the path used in the commands below).
Next, install Platform-tools, Build-tools, SDK Platform, and the ARM EABI v7a (or
newer if available) System Image using the SDK manager. If you don’t have the
latest version of JDK you won’t see these packages as available on the SDK
Manager:
$ ~/android-sdk-macosx/tools/android
Click Install button and accept license for each package selected:
First Emulator Run
Before we can run the emulator we need to create an Android Virtual Device
(AVD). First, list the target platforms available. Only one should be shown in our
case since we only installed one System Image (ARM EABI v7a):
$ ~/android-sdk-macosx/tools/android list targets
Available Android targets:
----------
id: 1 or "android-22"
Name: Android 5.1.1
Type: Platform
API level: 22
Revision: 2
Skins: HVGA, QVGA, WQVGA400, WQVGA432, WSVGA, WVGA800 (default), WVGA854,
WXGA720, WXGA800, WXGA800-7in
Tag/ABIs : default/armeabi-v7a
We can now create an AVD. If your target ID is not 1, replace the value below as
needed:
$ ~/android-sdk-macosx/tools/android create avd -n testavd -t 1
Importing Self-signed CA Certificate
Next we need to import Burp’s self-signed CA certificate as a trusted root into
the AVD. Make sure your OS X browser (not the emulator’s) is configured to use
Burp as a proxy (localhost:8080 by default). Visit http://burp/cert and save the
‘cacert.der’ file.
Next, convert the downloaded DER-encoded certificate to ASCII PEM format:
$ openssl x509 -inform der -in cacert.der -out cacert.crt
Then we need to create an SD card. The SD card will be used by the AVD to
access the converted certificate (cacert.crt):
$ ~/android-sdk-macosx/tools/mksdcard -l testsdcard 9M ~/androidsdcard
Confirm SD card has been created successfully:
$ file ~/androidsdcard
/Users/user/androidsdcard: x86 boot sector, code offset 0x5a, OEM-ID "MSWIN4.1", Media
descriptor 0xf8, sectors 18432 (volumes > 32 MB) , FAT (32 bit), sectors/FAT 143, reserved3
0x800000, serial number 0x1b044206, label: " SDCARD"
We can finally run the emulator (the emulator is likely to take a while to load the
virtual device):
$ ~/android-sdk-macosx/tools/emulator -avd testavd -sdcard ~/androidsdcard
Make sure that netcat (nc) is allowed to receive incoming connections by your OS
X firewall.
On your OS X terminal, run the following command in the directory where
‘cacert.crt’ is located. It will serve Burp’s CA certificate using netcat:
$ nc -vv -l 1111 < cacert.crt
Back in an adb shell on the emulator (~/android-sdk-macosx/platform-tools/adb shell),
type the following command, where 10.1.2.3 is the IP address of your Mac’s (W)LAN interface:
root@generic:/ # nc 10.1.2.3 1111 > /sdcard/cacert.crt
If you haven’t waited long enough for the emulator to load the AVD, you will
receive the following permission error when trying to save the certificate to the
SD card. The solution is to simply wait a bit longer and try both of the above
netcat commands again:
/system/bin/sh: can't create /sdcard/cacert.crt: Read-only file system
On the Android emulator, go to Settings / Security / Credential storage / Install
from SD card. Select ‘cacert.crt’ and set a PIN if prompted.
Confirm that Burp’s CA certificate has been successfully installed under Settings
/ Security / Credential storage / Trusted credentials / User.
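The DER-to-PEM conversion above is plain base64 wrapping, and the confirmation step is easier to trust if you compare the fingerprint Android shows under Trusted credentials with the one computed from the file you downloaded from Burp. The following helper, added here as an example and not taken from the white paper, does both with only the Python standard library; the DER bytes it feeds itself are a constructed stand-in, not a real certificate.

```python
"""Helpers for the Burp CA import step: DER -> PEM conversion (what the
openssl x509 command produces as cacert.crt) and the certificate
fingerprint that Android lists under Trusted credentials / User.
Added example, not part of the white paper; standard library only."""
import base64
import hashlib


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-column lines,
    the same layout openssl writes for cacert.crt."""
    if not der or der[0] != 0x30:
        # Every X.509 certificate is a DER SEQUENCE (tag 0x30); anything
        # else is not the file saved from http://burp/cert.
        raise ValueError("input does not look like a DER certificate")
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem, used to check the round trip."""
    lines = [ln for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER encoding, the
    format shown by Android's credential screen and by
    'openssl x509 -noout -fingerprint -sha256'."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed stand-in for cacert.der: a minimal DER SEQUENCE, not a real cert.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x07])

if __name__ == "__main__":
    # With a real file: der = open("cacert.der", "rb").read()
    print(der_to_pem(SAMPLE_DER))
    print("SHA-256 fingerprint:", fingerprint(SAMPLE_DER))
```

Compare the printed fingerprint with the one Android displays when you tap the imported certificate; a mismatch means a different CA (for example an older Burp installation's) was imported.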
Emulator Restart
Restart emulator with proxy settings enabled to use Burp:
$ ~/android-sdk-macosx/tools/emulator -avd testavd -sdcard ~/androidsdcard -http-proxy http://localhost:8080
On your OS X terminal, install APK of app in scope for your pentest:
$ ~/android-sdk-macosx/platform-tools/adb install ~/my-app.apk
Congratulations, you should now be able to see traffic from your Android app in
Burp, including HTTPS traffic.
Cleaning Up
Remove APK and SD card once the pentest has ended:
$ ~/android-sdk-macosx/platform-tools/adb shell 'pm list packages -f' | grep -i yourappname
$ ~/android-sdk-macosx/platform-tools/adb uninstall apppackagename
$ rm ~/androidsdcard
Acknowledgments
The author would like to thank Jan Fry and Monsy Carlo for their kind feedback.
About MINERVA
MINERVA is a boutique cybersecurity consultancy providing tailored services that
align with your business goals. We identify security threats and help clients
mitigate the associated risks.
In today’s rapidly evolving world no two businesses are alike and we believe that
no two security assessments should be either. Our consultants have all worked
with organisations across a wide range of industries from tech start-ups to those
listed on the FTSE 100 and Fortune 500. Our broad experience, along with our
desire to understand your business objectives, allows for the development of a
personalized security approach that can safeguard your information and
reputation.
MINERVA is a privately-owned, vendor-neutral company with no external
investors, and no sales targets. This allows us more time to focus on your needs
and provide a quality service.
Works Cited
eMarketer. 2 Billion Consumers Worldwide to Get Smart(phones) by 2016. 11 December 2014. <http://www.emarketer.com/Article/-/1011694>.
GeoHive. Population of the entire world, yearly, 1950 - 2100. 7 July 2015. <http://www.geohive.com/earth/his_history3.aspx>.
Shah, Kunjan. Penetration Testing Android Applications. 2010. <http://tinyurl.com/p2zrolc>.
McGrath, Felim. Android mobile now has huge lead over iOS. 10 June 2015. <http://tinyurl.com/opkql94>.
Tools Mentioned
Android SDK tools <http://developer.android.com/sdk/index.html#Other>
Burp <https://portswigger.net/burp/download.html>
Java JRE and JDK <http://oracle.com/technetwork/java/javase/downloads/>
Proxy.app <http://www.proxyapp.io>
ZAP <https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project>