
Security audit for Android applications

iOS has been, and will remain for a long time, one of the most secure smartphone operating systems, precisely because of the limited access it gives users and app developers. Android, on the other hand, is in my view one of the most insecure operating systems ever developed.

I offer only two arguments for these claims:

– access to system files. On iOS you have to jailbreak, which means possible breakage with the latest app versions and the most brutal battery drain imaginable. On Android you can root without the slightest worry (except perhaps for the warranty), swap the ROM, sideload .apk files without Google raising any objection, and infect your device in no time at all. Any kid can break an Android however they please.

– app permissions. When you submit an app to the App Store it can sit for a week while it is checked for permissions it should not use or that are forbidden outright. This is one of the reasons there are no apps in the App Store that record calls made over the SIM (only VoIP providers that record in the cloud). On Google Play any kid with the $25 developer licence can publish, with no manual review of the app beforehand. That is exactly why Google Play is full of dubious apps knocked together in high school. Good ideas, badly executed.

We know that Americans are the most anxious people in the world when it comes to data security and the interception of mobile traffic and conversations. Still, the perfect app has not been invented yet. Developers try hard to avoid the security holes in Android so that parts of their app cannot be modified, or in-app purchase benefits unlocked, by unauthorised people, while other developers build apps that exploit every component or file of existing apps to the victim's detriment. I will not get into arguments over terms like hacker, cracker, skiddie, white hat, black hat and so on. In the end, apps are tools that can be used for educational, productive or destructive purposes. Even Google's search engine is used by most people for educational or productive purposes, while others use it for dorks.

Given that a security audit is fairly expensive when carried out by a specialised company with accredited staff and interpreted manually, my advice is to use as many free auditing resources as possible before publishing your app on Google Play. So I have put together a list of the most popular and effective security-audit and hacking apps; most are free, the rest cost very little. Pentesting apps are not complete or perfect either, which is exactly why you should use as many of them as possible.

Hackode

The Hacker's Toolbox is an application for penetration testers, ethical hackers, IT administrators and cyber-security professionals to perform different tasks like reconnaissance, scanning, performing exploits, etc.

This application contains the following tools, grouped by task:

  • Reconnaissance
      • Google Hacking
      • Google Dorks
      • Whois
  • Scanning
      • Ping
      • Traceroute
      • DNS lookup
      • IP
      • MX Records
      • DNS Dig
  • Exploits
  • Security RSS Feed

This application is still in beta.
https://www.youtube.com/watch?v=H9D_X6olL9E

[divider]

Androrat

Remote Administration Tool for Android. The name Androrat is a mix of Android and RAT (Remote Access Tool). Androrat is a client/server application: the client side is written in Java for Android and the server in Java/Swing. All the available functionalities are:

  • Get contacts (and all their information)
  • Get call logs
  • Get all messages
  • Location by GPS/Network
  • Monitor received messages live
  • Monitor phone state live (call received, call sent, call missed...)
  • Take a picture from the camera
  • Stream sound from the microphone (or other sources...)
  • Stream video (for activity-based client only)
  • Show a toast
  • Send a text message
  • Place a call
  • Open a URL in the default browser
  • Make the phone vibrate

[divider]

APKInspector

The goal of this project is to aid analysts and reverse engineers in visualizing compiled Android packages and their corresponding DEX code. APKInspector provides both analysis functions and graphic features that let users gain deep insight into malicious apps:

  • CFG
  • Call Graph
  • Static Instrumentation
  • Permission Analysis
  • Dalvik codes
  • Smali codes
  • Java codes
  • APK Information

[divider]

DroidBox

DroidBox is developed to offer dynamic analysis of Android applications. The following information is shown in the results, generated when the analysis has ended:

  • Hashes for the analyzed package
  • Incoming/outgoing network data
  • File read and write operations
  • Started services and loaded classes through DexClassLoader
  • Information leaks via the network, file and SMS
  • Circumvented permissions
  • Cryptography operations performed using Android API
  • Listing broadcast receivers
  • Sent SMS and phone calls

[divider]

zANTI

zANTI is a comprehensive network diagnostics toolkit that enables complex audits and penetration tests at the push of a button. It provides cloud-based reporting that walks you through simple guidelines to ensure network safety.

These various pentest options include:

  • Network Map
  • Port Discovery
  • Packet Manipulation
  • Sniffer
  • MITM (Man in the Middle filters)
  • DoS (Pentest DoS vulnerabilities)
  • Password Complexity Audit
  • Penetrate CSE to check server/desktop vulnerability

[divider]

Droid Sheep

DroidSheep is a simple Android tool for web session hijacking (sidejacking). It listens for HTTP packets sent over a wireless (802.11) network connection and extracts the session ID from these packets in order to reuse it.

DroidSheep captures sessions using the libpcap library and supports:

  • Open networks
  • WEP-encrypted networks
  • WPA and WPA2-encrypted networks (PSK only)

DroidSheep is not intended to steal identities or harm anybody, but to show the weak security of non-SSL web services.
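What DroidSheep demonstrates has two halves, and the Python below is an added illustration of both (my own code for this post, not DroidSheep's). The first half takes a cleartext HTTP request as captured on a shared Wi-Fi network, pulls the session cookie out of it and builds the replay request that rides the victim's session; the second half is the check a developer wants on the server side, which inspects a Set-Cookie header for the Secure attribute (which stops the browser from ever sending the cookie over plain HTTP, and so kills sidejacking) and HttpOnly. The captured request, host name and cookie value are constructed for the example, and the list of session cookie names is a heuristic assumed here.

```python
# Constructed cleartext HTTP request, as a sniffer on the same Wi-Fi would see
# it. Host, cookie names and values are invented for the example.
CAPTURED_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: webmail.example.test\r\n"
    b"User-Agent: Mozilla/5.0 (Linux; Android 4.4; Nexus 5)\r\n"
    b"Cookie: lang=en; PHPSESSID=k7v2q9x1example; theme=dark\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

# Cookie names that usually carry the session (heuristic; an assumption of the example).
SESSION_COOKIE_NAMES = {
    "phpsessid", "jsessionid", "sessionid", "session_id", "sid",
    "asp.net_sessionid", "connect.sid", "session",
}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (request line, {header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def extract_session_cookies(raw):
    """What a sidejacker keeps from the capture: only the session-bearing cookies."""
    _, headers = parse_request(raw)
    found = {}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name.lower() in SESSION_COOKIE_NAMES:
            found[name] = value
    return found


def build_replay_request(raw, path="/account"):
    """Forge a new request that rides the victim's session by replaying the cookie."""
    _, headers = parse_request(raw)
    cookies = extract_session_cookies(raw)
    if not cookies:
        return None                      # nothing to hijack in this request
    cookie_hdr = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (f"GET {path} HTTP/1.1\r\nHost: {headers['host']}\r\n"
            f"Cookie: {cookie_hdr}\r\n\r\n").encode()


def audit_set_cookie(set_cookie_value):
    """Server side: attributes a session cookie lacks that make sidejacking possible."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in set_cookie_value.split(";")[1:]}
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")     # without it the browser also sends the cookie over plain HTTP
    if "httponly" not in attrs:
        missing.append("HttpOnly")   # keeps page script (XSS) from reading the cookie
    return missing


if __name__ == "__main__":
    print("captured session cookies:", extract_session_cookies(CAPTURED_REQUEST))
    print(build_replay_request(CAPTURED_REQUEST, "/inbox").decode())
    print("weak cookie lacks:", audit_set_cookie("PHPSESSID=abc; Path=/"))
    print("hardened cookie lacks:",
          audit_set_cookie("PHPSESSID=abc; Path=/; Secure; HttpOnly; SameSite=Lax"))
```

The replay needs no password and no exploit: the server cannot tell the forged request from the victim's. Serving the whole site over HTTPS with the Secure flag (and HSTS so the first request is not downgraded) is the only fix; encrypting the Wi-Fi with a shared PSK does not help, as the DroidSheep feature list above shows.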

[divider]

dSploit

dSploit is an Android network analysis and penetration suite which aims to offer to IT security experts/geeks the most complete and advanced professional toolkit to perform network security assessments on a mobile device.

Features

  • WiFi Cracking
  • RouterPWN
  • Trace
  • Port Scanner
  • Inspector
  • Vulnerability finder
  • Login cracker
  • Packet forger
  • Man in the middle
  • Simple sniff
  • Password sniff
  • Session Hijacker
  • Kill connections
  • Redirect
  • Replace images
  • Replace videos
  • Script injector
  • Custom filter

[divider]

AppUse – Android Pentest Platform Unified Standalone Environment

AppUse Virtual Machine, developed by AppSec Labs, is a unique (and free) system, a platform for mobile application security testing in the android environment, and it includes unique custom-made tools.

Features

  •  New Application Data Section
  •  Tree-view of the application’s folder/file structure
  •  Ability to pull files
  •  Ability to view files
  •  Ability to edit files
  •  Ability to extract databases
  •  Dynamic proxy managed via the Dashboard
  •  New application-reversing features
  •  Updated ReFrameworker tool
  •  Dynamic indicator for Android device status
  •  Bugs and functionality fixes

[divider]

Shark for Root

Traffic sniffer; works on 3G and Wi-Fi (works in FroYo tethered mode too). To open the dump use Wireshark or similar software; to preview the dump on the phone use Shark Reader. Based on tcpdump.

[divider]

Android Device Testing Framework

The Android Device Testing Framework ("dtf") is a data collection and analysis framework to help individuals answer the question: "Where are the vulnerabilities on this mobile device?" dtf provides a modular approach and built-in APIs that allow testers to quickly create scripts to interact with their Android devices. The default download of dtf comes with multiple modules that allow testers to obtain information from their Android device, process this information into databases, and then start searching for vulnerabilities (all without requiring root privileges). These modules help you focus on changes made to AOSP components such as applications, frameworks and system services, as well as lower-level components such as binaries, libraries and device drivers. In addition, you will be able to analyze new functionality implemented by the OEMs and other parties to find vulnerabilities.

[divider]

drozer

drozer (formerly Mercury) is the leading security testing framework for Android.

drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps’ IPC endpoints and the underlying OS.

drozer provides tools to help you use, share and understand public Android exploits. It helps you to deploy a drozer Agent to a device through exploitation or social engineering. Using weasel (MWR’s advanced exploitation payload) drozer is able to maximise the permissions available to it by installing a full agent, injecting a limited agent into a running process, or connecting a reverse shell to act as a Remote Access Tool (RAT).
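The IPC endpoints drozer probes (and the "Permission Analysis" APKInspector lists above) come from the manifest, so the first thing an auditor wants is the list of components another app can reach without holding any permission. The Python below is an added example of that check, written for this post rather than taken from drozer or APKInspector; it approximates what drozer's `app.package.attacksurface` module reports. It works on a decoded AndroidManifest.xml (as apktool or Androguard's AXML printer produce it) and resolves the platform's defaults: activities, services and receivers are exported implicitly when they declare an intent-filter, and content providers are exported by default only below targetSdkVersion 17. The manifest, package name and component names are constructed for the example, and the fallback targetSdkVersion of 30 is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed manifest for the example (decoded text form). Package and
# component names are invented; this is not any real app's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.target">
  <uses-sdk android:targetSdkVersion="30" />
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true" />
    <activity android:name=".PaidContentActivity" android:exported="true"
        android:permission="com.example.target.permission.PAID" />
    <service android:name=".SyncService" android:exported="false" />
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED" />
      </intent-filter>
    </receiver>
    <provider android:name=".UserProvider"
        android:authorities="com.example.target.users"
        android:exported="true" />
  </application>
</manifest>
"""


def _a(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def target_sdk(root, default=30):
    """targetSdkVersion from <uses-sdk>; the default is an assumption for the example."""
    sdk = root.find("uses-sdk")
    value = _a(sdk, "targetSdkVersion") if sdk is not None else None
    return int(value) if value else default


def is_launcher(elem):
    """The launcher activity is exported by design, so it is not a finding."""
    for f in elem.findall("intent-filter"):
        if "android.intent.category.LAUNCHER" in {_a(c, "name") for c in f.findall("category")}:
            return True
    return False


def is_exported(elem, sdk):
    """Effective exported state, following the platform defaults."""
    explicit = _a(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return sdk < 17          # providers stopped being exported by default at API 17
    return elem.find("intent-filter") is not None   # implicit export via intent-filter


def find_unprotected_exports(manifest_xml):
    """Components other apps can reach without holding any permission."""
    root = ET.fromstring(manifest_xml)
    sdk = target_sdk(root)
    findings = []
    for elem in root.find("application"):
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem, sdk) or is_launcher(elem):
            continue
        perm = _a(elem, "permission")
        if elem.tag == "provider":
            # providers may be guarded by read/write permissions instead
            perm = perm or _a(elem, "readPermission") or _a(elem, "writePermission")
        if perm:
            continue
        how = "explicit exported=true" if _a(elem, "exported") else "implicit via intent-filter"
        findings.append((elem.tag, _a(elem, "name"), how))
    return findings


if __name__ == "__main__":
    for tag, name, how in find_unprotected_exports(SAMPLE_MANIFEST):
        print(f"{tag:<9} {name:<22} {how}")
```

Each line of output is a starting point for drozer (`app.activity.start`, `app.provider.query`, a crafted broadcast) rather than a vulnerability by itself: what matters is what the component does with input from an arbitrary caller. From targetSdkVersion 31 on the platform refuses to install apps that leave `android:exported` unspecified on a component with an intent-filter, so the implicit case only arises in older targets.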

[divider]

NeoPWN

Neopwn is an advanced penetration testing and radio frequency auditing platform designed to run on mobile phones and tablets. We were the first to ever release a security auditing distribution for a mobile phone, and we continue to push the envelope in supporting the latest bleeding-edge tools and hardware.

Several options exist for local and remote control of the Neopwn system, including:

  • Android-based control panel application for system management
  • Desktop interface via VNC, for full X windows programs
  • Shell access with native Android terminal emulation applications
  • Quick application access with native Android desktop icon launchers
  • Remote access through VPN and SSH

[divider]

Androguard

Reverse engineering, Malware and goodware analysis of Android applications … and more

Features:

  • Map and manipulate DEX/ODEX/APK/AXML/ARSC formats into full Python objects,
  • Disassembly/decompilation/modification of DEX/ODEX/APK formats,
  • Decompilation with the first native (directly from Dalvik bytecode to Java source) Dalvik decompiler (DAD),
  • Access to the static analysis of the code (basic blocks, instructions, permissions (with the database from http://www.android-permissions.org/) ...) and create your own static analysis tool,
  • Analysis of a batch of Android apps,
  • Analysis with IPython/Sublime Text Editor,
  • Diffing of Android applications,
  • Measure the efficiency of obfuscators (ProGuard, ...),
  • Determine if your application has been pirated (plagiarism/similarities/rip-off indicator),
  • Check if an Android application is present in a database (malware, goodware?),
  • Open source database of Android malware (this open source database is done in my free time; of course my free time is limited, so if you want to help, you are welcome!),
  • Detection of ad/open source libraries (WIP),
  • Risk indicator of malicious applications,
  • Reverse engineering of applications (goodware, malware),
  • Transform Android's binary XML (like AndroidManifest.xml) into classic XML,
  • Visualize your application with Gephi (GEXF format), with Cytoscape (XGMML format), or as PNG/DOT output,
  • Integration with external decompilers (JAD+dex2jar/DED/...)

[divider]

Revenssis

Nicknamed the "smartphone version of BackTrack", Revenssis Penetration Suite is a set of all the useful types of tools used in computer and web application security. Tools available in it include: web app scanners, encode/decode and hashing tools, a vulnerability research lab, a forensics lab, plus the must-have utilities (shell, SSH, DNS/WHOIS lookup, traceroute, port scanner, spam DB lookup, netstat, etc.). All of this fits in an application of approx. 10 MB (after installation).

Features

All web vulnerability scanners, including:

  • SQL injection scanner
  • XSS scanner
  • DDOS scanner
  • CSRF scanner
  • SSL misconfiguration scanner
  • Remote and Local File Inclusion (RFI/LFI) scanners

Useful utilities such as: WHOIS lookup, IP finder, shell, SSH, blacklist lookup tool, ping tool

Forensic tools (in implementation) such as:

  • Malware analyzers, hash crackers, network sniffer, ZIP/RAR password finder, social engineering toolset, reverse engineering tool
  • Vulnerability research lab (sources include: Shodan vulnerability search engine, ExploitSearch, Exploit DB, OSVDB and NVD NIST)
  • Self-scan and defence tools for your Android phone against vulnerabilities
  • Connectivity security tools for Bluetooth, Wi-Fi and Internet (NFC, Wi-Fi Direct and USB in implementation)

[divider]

Bugtroid

Bugtroid is a tool developed by the Bugtraq-Team. Its main feature is that it bundles more than 200 Android and Linux tools (PRO) for pentesting and forensics on a smartphone or tablet.

 [divider]

Cheat Droid PRO / root only

Cheat Droid is a developer's tool. You are a developer and want to debug the shared preferences of your apps and games? You care about data privacy and want to see what information apps save about you? You forgot the password in your own app or game and want to recover it? You are simply some sort of "hacker" and technically curious?

Then give Cheat Droid – Shared Preferences Editor a try! Shared preferences are the most common way for Android apps and games to store settings or information in your phone's data. For example, a puzzle game might store the current level in this file. Other games might store your money, gold count, high score or whatever in it. Apps might track how many times you started them, or when the last time was. However, please note the disclaimer below. Cheat Droid is intended for technical, scientific and debugging purposes.

Features:

  • view, edit, add, search through and delete shared preferences
  • export and import preference files
  • browse through sqlite database files
  • export and import any other application files (CheatDroid PRO only)
  • edit sqlite database files (CheatDroidPRO only)
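The reason an editor like this is a security problem for the app, and not just a cheat, is the point made in the introduction: purchase flags, unlocked levels and counters kept in shared_prefs are plain XML that any rooted user can rewrite. The Python below is an added example for this post (not Cheat Droid's code) that models both sides: `tamper()` rewrites one entry the way the editor does, and `sign_prefs()`/`verify_prefs()` show the integrity check a developer can add, an HMAC over the entries stored as one more preference, so the app notices when the file has been edited. The preference file and key are constructed. The caveat the example cannot remove: on a rooted device the key can be pulled from the APK or from memory just as easily, so a local HMAC only stops casual editing, and anything that matters (purchases, entitlements) has to be verified server-side.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SIG_KEY = "_integrity"          # preference entry that holds the HMAC

# Constructed example of /data/data/<package>/shared_prefs/game.xml in the
# format Android's SharedPreferences writes (real files also start with an
# XML declaration, omitted here). The values are invented.
ORIGINAL_PREFS = """<map>
    <int name="level" value="3" />
    <int name="gold" value="120" />
    <boolean name="premium_unlocked" value="false" />
    <string name="player_name">alice</string>
</map>"""

# Assumption: a key compiled into the app. On a rooted device it is not
# secret, which is why server-side verification is still required.
APP_KEY = b"example-key-compiled-into-the-apk"


def load_prefs(xml_text):
    """Parse shared_prefs XML into {name: (type, value_as_string)}."""
    prefs = {}
    for elem in ET.fromstring(xml_text):
        if elem.tag == "string":
            value = elem.text or ""
        else:
            value = elem.get("value")
        prefs[elem.get("name")] = (elem.tag, value)
    return prefs


def dump_prefs(prefs):
    """Write the dictionary back in the same XML format."""
    root = ET.Element("map")
    for name, (typ, value) in prefs.items():
        child = ET.SubElement(root, typ, name=name)
        if typ == "string":
            child.text = value
        else:
            child.set("value", value)
    return ET.tostring(root, encoding="unicode")


def tamper(xml_text, name, new_value):
    """What Cheat Droid does: rewrite one entry of the file in place."""
    prefs = load_prefs(xml_text)
    typ, _ = prefs[name]
    prefs[name] = (typ, new_value)
    return dump_prefs(prefs)


def _canonical(prefs):
    """Deterministic byte string over every entry except the signature itself."""
    items = sorted((n, t, v) for n, (t, v) in prefs.items() if n != SIG_KEY)
    return "\n".join(f"{n}={t}:{v}" for n, t, v in items).encode()


def sign_prefs(xml_text, key=APP_KEY):
    """Store an HMAC-SHA256 of the entries as an extra string preference."""
    prefs = load_prefs(xml_text)
    prefs[SIG_KEY] = ("string", hmac.new(key, _canonical(prefs), hashlib.sha256).hexdigest())
    return dump_prefs(prefs)


def verify_prefs(xml_text, key=APP_KEY):
    """True only if the file carries a signature that matches its current contents."""
    prefs = load_prefs(xml_text)
    _, stored = prefs.get(SIG_KEY, ("string", ""))
    expected = hmac.new(key, _canonical(prefs), hashlib.sha256).hexdigest()
    return hmac.compare_digest(stored, expected)


if __name__ == "__main__":
    signed = sign_prefs(ORIGINAL_PREFS)
    print("untouched file verifies:", verify_prefs(signed))
    edited = tamper(signed, "premium_unlocked", "true")
    print("after editing premium_unlocked:", verify_prefs(edited))
```

The app would call `verify_prefs()` when it loads the file and fall back to safe defaults (or re-fetch the state from its backend) when it fails. Sorting the entries before hashing matters: Android does not guarantee the order in which it writes the map, so hashing the raw file would break on the app's own legitimate rewrites.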

[divider]

To close, the well-known disclaimer:

YOU ARE NOT ALLOWED TO USE THIS APP FOR ANY ILLEGAL PURPOSE. You are not allowed to (commercially and in any other way) damage or disrupt a third party. Everything you do happens on your own responsibility.


      Cristian Iosub