
Tuesday, November 18, 2014

Android reverse engineering

Install Virtuous Ten Studio (VTS) as the reverse engineering tool for Android.
VTS can be downloaded from: http://virtuous-ten-studio.com/
All-in-one reverser: ApkTool, Smali/Baksmali, ADB, Zipalign, Sign, dex2jar, Logcat and many more.

Reverse engineering
adb pull /data/data/xxx.apk C:\\xxx
Use VTS to import the apk file
Use VTS to generate Java source code
Analyze the source code

Smali
Useful URLs:

Monday, July 14, 2014

Android security basic

APK file:
Just like a zip file, and can be unzipped as a zip file.
Written in Java, may include some native libs in C/C++.
Structure:
assets               application assets
lib                  .so files
META-INF             signature information
res                  resources not compiled into resources.arsc
AndroidManifest.xml  Android global configuration file
classes.dex          classes compiled in the dex file format
resources.arsc       precompiled resources, such as binary XML
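As an added example (not code from the original post), the following Python treats an APK as the zip file it is, labels each entry with the category from the table above, and checks every entry's SHA1-Digest against META-INF/MANIFEST.MF, the first layer of the JAR-style signing described under Security Architecture below. It builds a constructed sample archive of its own; it does not verify CERT.SF/CERT.RSA, so a clean result means the contents are consistent with the manifest, not that the signer is trusted.

```python
import base64, hashlib, io, zipfile

APK_LAYOUT = {"assets/": "application assets", "lib/": "native .so libraries",
              "META-INF/": "signature information", "res/": "uncompiled resources",
              "AndroidManifest.xml": "global configuration", "classes.dex": "dex code",
              "resources.arsc": "precompiled resources"}

def classify(name):
    """Map one zip entry name to the APK layout category from the table above."""
    for prefix, desc in APK_LAYOUT.items():
        if name.startswith(prefix):
            return desc
    return "unknown entry"

def parse_manifest_mf(text):
    """Parse META-INF/MANIFEST.MF into {entry name: base64 SHA1-Digest}.
    Kept simple: 72-byte line continuations of very long names are not handled."""
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[len("SHA1-Digest: "):]
    return digests

def check_apk(apk_bytes):
    """Classify every entry; list entries whose bytes no longer match MANIFEST.MF."""
    z = zipfile.ZipFile(io.BytesIO(apk_bytes))
    layout = {n: classify(n) for n in z.namelist()}
    digests = parse_manifest_mf(z.read("META-INF/MANIFEST.MF").decode())
    bad = [n for n, want in digests.items()
           if base64.b64encode(hashlib.sha1(z.read(n)).digest()).decode() != want]
    return layout, bad

def build_sample_apk(tamper=False):
    """Constructed minimal APK-like zip (not a real app). With tamper=True,
    classes.dex is patched after the manifest digests were computed."""
    files = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035",
             "lib/armeabi/libfoo.so": b"\x7fELF", "assets/cfg.txt": b"k=v"}
    mf = ["Manifest-Version: 1.0", ""]
    for n, c in files.items():
        mf += [f"Name: {n}", "SHA1-Digest: " +
               base64.b64encode(hashlib.sha1(c).digest()).decode(), ""]
    if tamper:
        files["classes.dex"] += b" patched"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, c in files.items():
            z.writestr(n, c)
        z.writestr("META-INF/MANIFEST.MF", "\n".join(mf))
    return buf.getvalue()
```

To run it against a real file, pass `open("app.apk", "rb").read()` to `check_apk` instead of the constructed sample.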

The structure of the manifest file (some important elements will be introduced in detail later):
<?xml version="1.0" encoding="utf-8"?> 

<manifest> 

    <uses-permission /> 
    <permission /> 
    <permission-tree /> 
    <permission-group /> 
    <instrumentation /> 
    <uses-sdk /> 
    <uses-configuration />   
    <uses-feature />   
    <supports-screens />   
    <compatible-screens />   
    <supports-gl-texture />   

    <application> 

        <activity> 
            <intent-filter> 
                <action /> 
                <category /> 
                <data /> 
            </intent-filter> 
            <meta-data /> 
        </activity> 

        <activity-alias> 
            <intent-filter> . . . </intent-filter> 
            <meta-data /> 
        </activity-alias> 

        <service> 
            <intent-filter> . . . </intent-filter> 
            <meta-data/> 
        </service> 

        <receiver> 
            <intent-filter> . . . </intent-filter> 
            <meta-data /> 
        </receiver> 

        <provider> 
            <grant-uri-permission /> 
            <meta-data /> 
            <path-permission /> 
        </provider> 

        <uses-library /> 

    </application> 

</manifest> 


Android file system 
Generally, two types of file system: 
External storage 
Also known as SD cards. Any data written to SD cards lacks Linux permission-based access control, so any file written to external storage is accessible by any app on the device.

Internal storage 
Including Shared Preferences, SQLite Databases and app private data. 

Android will create an app-specific directory under the path /data/data/app_package_name. This directory is configured such that the associated app’s UID is the owner and only the owner permissions are set; no other UIDs have access to it. 

Some useful paths:
/data/data/app_package_name   app-specific directory
/data/app                     user-installed apk files
/data/system/packages.xml     information about installed apks, including permissions
/system/app                   system apk files

Android architecture 

Architecture diagram: [image]

Security Architecture 
Based on Linux kernel 
A user-based permissions model (user/group ID) 
Process isolation (sandboxing) 
Extensible mechanism for secure IPC 

Mandatory application sandbox for all applications 

Secure inter-process communication 
Content Providers, Intents, Binder/IPC, local sockets, or the file system 

Application signing 
Based on Java's JAR specification 

Application-defined and user-granted permissions 
Apps statically declare permissions they need (use) 
No support for dynamic (run-time) granting of permissions 

Android permissions 
API permissions: 
API permissions include those that are used for controlling access to high level functionality within the Android API/framework. 


File system permissions: 
Unix/Linux-like permissions, with distinct UID/GID. 

[image]


The standard way that Android lays out the filesystem on a device is to create an app-specific directory under the path /data/data/app_package_name. The app can only access its own data storage path.

There are four important caveats to this setup: 
Because file isolation is based on UIDs, apps that are configured to run with the same UIDs can access each other’s files. 

A user who accesses the Linux kernel using the root UID will be able to bypass any permissions on any file, allowing access to any data stored by any app. 

Any data written to external storage, such as SD cards, lacks Linux permission-based access control. Thus, any file written to external storage is accessible by any app on the device (or off the device and capable of accessing the storage media). 

As the developer, you can specify different permissions on files 
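An added example (not from the original post) that turns the caveats above into a check: it parses `ls -l` output captured from an app's /data/data directory and flags files that other UIDs could read or write, or that are not owned by the app's UID. The listing is constructed for the example and follows the old toolbox format (no link count); toybox lines with a link count are matched as well, assuming symbolic owner names such as u0_a85 rather than numeric UIDs.

```python
import re

# Matches both "-rw-rw---- u0_a85 u0_a85 4096 2014-07-14 10:54 prefs.xml" (toolbox)
# and "-rw-rw---- 1 u0_a85 u0_a85 4096 2014-07-14 10:54 prefs.xml" (toybox).
LS_LINE = re.compile(r"^([-dl][rwxstST-]{9})\s+(?:\d+\s+)?(\S+)\s+(\S+)\s+"
                     r"(?:\d+\s+)?(\d{4}-\d\d-\d\d \d\d:\d\d)\s+(.+)$")

def parse_ls(text):
    """Turn `ls -l` lines into dicts with mode, owner, group and name."""
    rows = []
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if m:
            mode, owner, group, _, name = m.groups()
            rows.append({"mode": mode, "owner": owner, "group": group, "name": name})
    return rows

def audit_app_dir(text, app_uid):
    """Return (name, problem) pairs for entries that break UID-based isolation:
    readable/writable by 'others', or owned by a UID other than the app's."""
    findings = []
    for r in parse_ls(text):
        others = r["mode"][7:10]          # the rwx triple for all other UIDs
        if "r" in others:
            findings.append((r["name"], "world-readable"))
        if "w" in others:
            findings.append((r["name"], "world-writable"))
        if r["owner"] != app_uid:
            findings.append((r["name"], f"owned by {r['owner']}, not {app_uid}"))
    return findings

# Constructed sample listing, as `adb shell ls -lR /data/data/com.example.demo`
# on a 2014-era device might print it (paths flattened for brevity).
SAMPLE_LS = """\
drwxrwx--x u0_a85   u0_a85            2014-07-14 10:54 databases
-rw-rw---- u0_a85   u0_a85      16384 2014-07-14 10:54 databases/app.db
drwxrwx--x u0_a85   u0_a85            2014-07-14 10:54 shared_prefs
-rw-rw-rw- u0_a85   u0_a85        412 2014-07-14 10:54 shared_prefs/session.xml
-rw-r--r-- u0_a85   u0_a85       1024 2014-07-14 10:54 cache/token.txt
-rw-rw---- root     root         2048 2014-07-14 10:54 lib/config.bin
"""

if __name__ == "__main__":
    for name, problem in audit_app_dir(SAMPLE_LS, "u0_a85"):
        print(f"{name}: {problem}")
```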


IPC permissions: 
Permissions used for communication between app components (will be introduced in detail later)

Android main components 
AndroidManifest.xml 
The control file that tells the system what to do with all the top-level components (specifically activities, services, broadcast receivers, and content providers) in an application. This also specifies which permissions are required. 

Activity 
An Activity is analogous to a single screen displayed on the device to a user that is composed of what the user actually sees. 

Broadcast Receiver 
A Broadcast Receiver is a type of component that listens for system messages called Intents. 

Services 
A Service is an Android component that is designed for background processing. 

Content Provider 
A Content Provider is a component designed to share data across apps. 

Intent 
An Intent is a messaging object you can use to request an action from another app component. 
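As an added example (not code from the original post), the following Python audits a decoded AndroidManifest.xml, in the text form VTS/ApkTool produce, for the components listed above that are reachable from other apps and carry no android:permission guard, which is the IPC-permission concern raised earlier. The sample manifest is constructed; the rule applied is the classic one, where android:exported="true", or an unset android:exported on a component with an <intent-filter>, makes the component exported.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

def exported_components(manifest_xml):
    """Return [(kind, name, guard)] for components other apps can invoke.

    A component counts as exported when android:exported="true", or when it
    is unset but the component declares an <intent-filter> (the implicit rule
    used before API 31). `guard` is the android:permission attribute, or
    None when any app may invoke the component."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    found = []
    for comp in (app.iter() if app is not None else []):
        if comp.tag not in COMPONENTS:
            continue
        exported = comp.get(ANDROID + "exported")
        has_filter = comp.find("intent-filter") is not None
        if exported == "true" or (exported is None and has_filter):
            found.append((comp.tag, comp.get(ANDROID + "name"),
                          comp.get(ANDROID + "permission")))
    return found

def unguarded(manifest_xml):
    """Exported components that any app on the device can reach without a permission."""
    return [(k, n) for k, n, g in exported_components(manifest_xml) if g is None]

# Constructed sample manifest (decoded text form, not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
    <uses-permission android:name="android.permission.INTERNET" />
    <application>
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <service android:name=".SyncService" android:exported="true"
                 android:permission="com.example.demo.permission.SYNC" />
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED" />
            </intent-filter>
        </receiver>
        <provider android:name=".DataProvider"
                  android:authorities="com.example.demo.data"
                  android:exported="false" />
    </application>
</manifest>"""
```

The launcher activity is expected to show up; the point of the list is to review each remaining entry and decide whether it needs a permission or android:exported="false".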

Wednesday, June 25, 2014

Configure Android security test environment

Install JDK and SDK 
If you don't know how to install these, just Google it. The detailed steps are skipped here since they are not our main purpose.

Use the default emulator in SDK as the test environment (Slow but full support) 
Use SDK manager to create new device 

Use Genymotion as the test environment (Fast but maybe not full support) 
Install Genymotion (faster, free, rooted by default)
Genymotion can be downloaded from: http://www.genymotion.com/
You have to register an account with Genymotion to download it, and you need this account to download the different ROMs.

During your installation, Genymotion will install VirtualBox. 

After installation, click "Settings" to configure the SDK path for Genymotion:
[image]


Click "Add" to select and download a ROM. 

Click "Play" to start the device. 

Install ARM support for Genymotion (Genymotion-ARM-Translation_v1.1.zip):
just drag the zip onto the Genymotion device and it will be installed.
After the installation completes, reboot the device.

Configure the proxy (Fiddler, Burp Suite or other proxy tools; Fiddler is used as the example here)
Click "Settings" in the device:
[image]

Click "Wi-Fi", press and hold WiredSSID for a moment, and in the dialog click "Modify network":
[image]


Set the proxy to your PC and click "Save":
[image]

Install certificate to intercept HTTPS requests: 
Go to http://www.telerik.com/fiddler/add-ons and download "CertMaker for iOS and Android" and install it after download. 

Visit 192.168.2.116:8888 (the IP address of the PC on which Fiddler is installed) and click FiddlerRoot Certificate:
[images]

Android requires a screen-lock password before a user certificate can be installed, so click "OK" and set the password.

Then configure Fiddler to intercept HTTPS requests:
Go to Tools -> Fiddler Options... -> HTTPS, check "Capture HTTPS CONNECTs" and then "Decrypt HTTPS traffic".
[image]

Switch to the Connections tab and check "Allow remote computers to connect":
[image]

Restart Fiddler and visit an HTTPS site in the device's web browser; the HTTPS requests are now intercepted:
[image]