Android Application Security Assessments - Part 6: Other Tools and Random Musings
We have come to the end of this series and you should now have an idea of how to start your own Android Application Security Assessment and even reverse engineer your app to source code. Before we go, here are a few other mumblings that you may find useful.
Additional tools for your arsenal:
Android Debug Bridge (ADB) is a command-line client application that allows you to communicate with the emulator (or a connected Android device). This came with the Android SDK and you already used this to install an application into your emulator.
BusyBox provides a number of additional Unix tools to aid you in your security assessment. You can compile it yourself, download a copy someone else compiled, or download the installer from the Android Marketplace.
Intent Fuzzer is a fuzzer. SHOCKING! It provides invalid, unexpected and random data in an attempt to cause your Android application to fail.
Manifest Explorer helps users to find and view the AndroidManifest.xml file for an application. This is very useful, as the AndroidManifest.xml file contains the security permissions of the application. I recommend using the menu option to extract and save the manifest so you can read it more easily on your PC.
MoshZuk is another intentionally vulnerable Android application. I have not had a chance to test this one personally, so buyer beware!
SQLITE3 can be run from the ADB shell (see above) and used for querying Android application databases. Be on the lookout for hashed (or occasionally cleartext) passwords and PINs.
TaintDroid is a great app for seeing what type of sensitive data is being sent out of your Android. However, it is not a simple install. It requires that you flash a custom-built firmware to your device. There are decent instructions on the appanalysis.org site. Be careful what you wish for with this app. Seeing how much data is sent to so many different locations may make you want to revert to your old Motorola StarTAC.
Wireshark, if you are new to the security field, will be a staple of your arsenal. Wireshark is a packet analyzer allowing you to intercept and log network traffic. The amount of information you will receive from this application may be daunting, but it is worth taking the time to learn to use this tool.
Areas of Interest:
In my experience, there are a few vulnerabilities that mobile applications contain that regular web applications avoid nowadays.
Hardcoded Encryption Keys: This should be pretty simple after you have reverse engineered the Android Package File (.apk). Quite often I have seen insecure implementations using the javax.crypto.Cipher.init() method.
Sensitive Information Transmitted Via Cleartext Communications: Although ‘snappy’ is a cool buzz word for mobile apps, we still need to ensure that authentication and other sensitive data is handled over TLS/SSL.
Session Identifiers and Sensitive Information Transmitted Within URLs: I have had developers tell me that since you cannot ‘see’ the URL, this is not an issue. They are wrong. Most web servers aren’t configured to reliably keep sensitive URL components out of their logs.
String Comparison: While not usually a security issue, developers should really pay close attention to ensure they aren’t using ‘==’ to compare strings.
SQL Injection: In an effort to keep their application sizes down, far too many applications are directly taking in user-generated data for their queries instead of using prepared statements or securely stored procedures.
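For the hardcoded key item above, here is a small review helper that flags Cipher.init() calls whose key was built from a string literal or string constant in decompiled source. It is an added example, not code from this series; the sample class, its names and the function name find_hardcoded_keys are constructed for illustration, and the check is a line-based triage heuristic rather than a full data-flow analysis.

```python
import re

# Constructed sample of decompiled source (not taken from a real app).
SAMPLE = '''\
public class Vault {
    private static final String KEY = "0123456789abcdef";
    byte[] seal(byte[] data) throws Exception {
        SecretKeySpec spec = new SecretKeySpec(KEY.getBytes(), "AES");
        Cipher c = Cipher.getInstance("AES");
        c.init(Cipher.ENCRYPT_MODE, spec);
        return c.doFinal(data);
    }
    byte[] sealSession(byte[] data, SecretKey fresh) throws Exception {
        Cipher c = Cipher.getInstance("AES");
        c.init(Cipher.ENCRYPT_MODE, fresh);
        return c.doFinal(data);
    }
}
'''

# String fields or locals assigned a literal, e.g. String KEY = "...";
STR_CONST = re.compile(r'String\s+(\w+)\s*=\s*"[^"]*"\s*;')
# x = new SecretKeySpec(<literal or identifier> ...
KEY_SPEC = re.compile(r'(\w+)\s*=\s*new\s+SecretKeySpec\(\s*("[^"]*"|\w+)')
# something.init(<mode>, <key variable> ...
INIT = re.compile(r'\.init\(\s*[\w.]+\s*,\s*(\w+)')

def find_hardcoded_keys(source):
    """Return (line_no, line) for each init() call fed by a literal-derived key."""
    consts = set(STR_CONST.findall(source))
    tainted = set()  # SecretKeySpec variables built from a literal or constant
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        m = KEY_SPEC.search(line)
        if m and (m.group(2).startswith('"') or m.group(2) in consts):
            tainted.add(m.group(1))
        m = INIT.search(line)
        if m and m.group(1) in tainted:
            findings.append((no, line.strip()))
    return findings

if __name__ == "__main__":
    for no, line in find_hardcoded_keys(SAMPLE):
        print(f"line {no}: hardcoded key reaches {line}")
```

Variable names are tracked per file, not per method, so treat each hit as a pointer for manual review.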
Finally, here are a couple more references that I would highly recommend taking a look at:
Mobile Application Security by Himanshu Dwivedi, Chris Clark and David Thiel
Penetration Testing Android Applications by Kunjan Shah of Foundstone
Hopefully you found the information in this series useful. If not, why are you still reading?