
Terry D. Clark - Hacking Android

Year: 2020, genre: Home and family.

Hacking Android
Learn all about Android to modify and protect your device against security threats.
By TERRY D.CLARK
Hacking Android
Copyright 2020 TERRY D.CLARK
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means without prior written permission from the publisher, except in the case of brief quotations included in articles or critical reviews.
Every effort has been made in preparing this book to ensure the accuracy of the information provided. However, the information in this book is sold without warranty, whether express or implied.
Unsolved for an anonymous person Any damages caused or alleged by this book to have occurred directly or indirectly.
TERRY D.CLARK has sought to provide trademark information about all companies and products mentioned in this book through the appropriate use of capitals.
-----About the Authors----
"I do not care about people's opinion of me or their criticisms ... Their words are nothing but jealousy ... a fatal emptiness ... a waste of their message and an internal reflection of their fears and unhappiness ... the only thing that interests me is my opinion of myself. By: TERRY D.CLARK."
Preface
Listing the packages
Pushing files to the device
Pulling files from the device
Installing apps using adb
Troubleshooting adb connections
Summary
Chapter 2: Android Rooting
What is rooting?
Why would we root a device?
Advantages of rooting
Unlimited control over the device
Installing additional apps
More features and customization
Disadvantages of rooting
It compromises the security of your device
Bricking your device
Voids warranty
Locked and unlocked boot loaders
Determining boot loader unlock status on Sony devices
Unlocking boot loader on Sony through a vendor specified method
Rooting unlocked boot loaders on a Samsung device
Stock recovery and Custom recovery
Prerequisites
Rooting Process and Custom ROM installation
Installing recovery softwares
Using Odin
Using Heimdall
Rooting a Samsung Note 2
Flashing the Custom ROM to the phone
Summary
Chapter 3: Fundamental Building Blocks of Android Apps
Basics of Android apps
Android app structure
How to get an APK file?
Storage location of APK files
/data/app/
/system/app/
/data/app-private/
Android app components
Activities
Services
Broadcast receivers
Content providers
Android app build process
Building DEX files from the command line
What happens when an app is run?
ART the new Android Runtime
Understanding app sandboxing
UID per app
App sandboxing
Is there a way to break out of this sandbox?
Summary
Chapter 4: Overview of Attacking Android Apps
Introduction to Android apps
Web Based apps
Native apps
Hybrid apps
Understanding the app's attack surface
Mobile application architecture
Threats at the client side
Threats at the backend
Guidelines for testing and securing mobile apps
OWASP Top 10 Mobile Risks (2014)
M1: Weak Server-Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
M4: Unintended Data Leakage
M5: Poor Authorization and Authentication
M6: Broken Cryptography
M7: Client-Side Injection
M8: Security Decisions via Untrusted Inputs
M9: Improper Session Handling
M10: Lack of Binary Protections
Automated tools
Drozer
Performing Android security assessments with Drozer
Installing testapp.apk
Listing out all the modules
Retrieving package information
Identifying the attack surface
Identifying and exploiting Android app vulnerabilities using Drozer
QARK (Quick Android Review Kit)
Running QARK in interactive mode
Reporting
Running QARK in seamless mode
Summary
Chapter 5: Data Storage and Its Security
What is data storage?
Android local data storage techniques
Shared preferences
SQLite databases
Internal storage
External storage
Shared preferences
Real world application demo
SQLite databases
Internal storage
External storage
User dictionary cache
Insecure data storage NoSQL database
NoSQL demo application functionality
Backup techniques
Backup the app data using adb backup command
Convert .ab format to tar format using Android backup extractor
Extracting the TAR file using the pax or star utility
Analyzing the extracted content for security issues
Being safe
Summary
Chapter 6: Server-Side Attacks
Different types of mobile apps and their threat model
Mobile applications server-side attack surface
Mobile application architecture
Strategies for testing mobile backend
Setting up Burp Suite Proxy for testing
Proxy setting via APN
Proxy setting via Wi-Fi
Bypass certificate warnings and HSTS
Bypassing certificate pinning
Bypass SSL pinning using AndroidSSLTrustKiller
Setting up a demo application
Threats at the backend
Relating OWASP top 10 mobile risks and web attacks
Authentication/authorization issues
Session management
Insufficient Transport Layer Security
Input validation related issues
Improper error handling
Insecure data storage
Attacks on the database
Summary
Chapter 7: Client-Side Attacks Static Analysis Techniques
Attacking application components
Attacks on activities
What does exported behavior mean to an activity?
Intent filters
Attacks on services
Extending the Binder class
Using a Messenger
Using AIDL
Attacking AIDL services
Attacks on broadcast receivers
Attacks on content providers
Querying content providers
Exploiting SQL Injection in content providers using adb
Testing for Injection
Finding the column numbers for further extraction
Running database functions
Finding out SQLite version
Finding out table names
Static analysis using QARK
Summary
Chapter 8: Client-Side Attacks Dynamic Analysis Techniques
Automated Android app assessments using Drozer
Listing out all the modules
Retrieving package information
Finding out the package name of your target application
Getting information about a package
Dumping the AndroidManifest.xml file
Finding out the attack surface
Attacks on activities
Attacks on services
Broadcast receivers
Content provider leakage and SQL Injection using Drozer
Attacking SQL Injection using Drozer
Path traversal attacks in content providers
Reading /etc/hosts
Reading kernel version
Exploiting debuggable apps
Introduction to Cydia Substrate
Runtime monitoring and analysis using Introspy
Hooking using Xposed framework
Dynamic instrumentation using Frida
What is Frida?
Prerequisites
Steps to perform dynamic hooking with Frida
Logging based vulnerabilities
WebView attacks
Accessing sensitive local resources through file scheme