Articles by "android"
Showing posts with label android. Show all posts

Android Apps for Penetration Testing







 Androwarn tool scans and detects harmful files in Android applications.

Androl4b doing reverse engineering applications through the Default device is installed on the device to analyze applications.

Mobile-Security-Framework MobSF This tool is used in the API analysis of open source applications and detect security vulnerabilities by.

Vezir Project is an imaginary system penetration test and analysis software and malicious applications that are hacked phones.

MARA Tool If you are interested in the field of reverse engineering this tool will do the job through your tasks.

FSquaDRA this tool scans Android applications and detect malicious packets to the phone by reading the application algorithm.

CFGScanDroid role of this tool is to examine (CFG) signatures for open source applications and are also detects malicious applications within devices.

RiskInDroid Tool The role of this tool is to examine the powers of applications within the device and also to detect applications with sensitive powers that threaten the safety of devices.

AndroTickler  A java tool that helps to pentest Android apps faster, more easily and more efficiently. AndroTickler offers many features of information gathering, static and dynamic checks that cover most of the aspects of Android apps pentesting. It also offers several features that pentesters need during their pentesters.

Android_Penetration_Testing_script This is a shell script for automating the android Penetration testing Process  
It has been 8 years since Google offered the public DNS service Google wanted to go one step further in terms of security and privacy of queries made through their DNS servers, and therefore just announced the implementation of  DNS-over-TLS . However, CloudFlare , Quad9 and other companies have been offering it for a few months now. As of Android 9 (Pie) we can make use of this new feature called " Private DNS ". We can also use DNS over HTTPS (DoH) in the Mozilla Firefox browser .

dns.google





Google had implemented in their function DNS DNS-over-TLS , 

From now on , the connections to the DNS server will be equally protected than we do against a website over HTTPS . These DNS comply with RFC 7766 rules to avoid overload and, in addition, have support for TLS 1.3 , TCP Fast Open (TFO) to streamline requests and functions to make several resolutions in a single request. 

This measure of security and privacy depends exclusively on Google, so we do not have to do anything to enjoy it. In addition, its use is totally passive and invisible, we will not notice any change between the usual operation.

Google is the fifth entity that decided to implement DNS-over-TLS for its public DNS servers, before they did it:

Private DNS

Why use private DNS? 


TLS is the protocol that encrypts your traffic through an unreliable communication channel, such as when you browse your email in a cafeteria's wireless network . Even with TLS, there is still no way to know if your connection to the DNS server has been hijacked or if it is being tracked by a third party. This is important because a bad actor could set up an open WiFi hotspot in a public place that responds to DNS queries with forged records to hijack connections to common e-mail providers and online banks. DNSSEC solves the problem of guaranteeing authenticity by signing responses, making the manipulation detectable, but leaving the message body readable by any other person on the wire.

DNS over HTTPS / TLS resolves this. These new protocols ensure that the communication between your device and the resolution system is encrypted, as we expect from HTTPS traffic. 

However, there is one last unsafe step in this chain of events: the disclosure of the SNI (server name indication) during the initial TLS negotiation between your device and a specific host name on a server. The requested host name is not encrypted, so third parties can still see the websites you visit. It makes sense that the final step to fully secure your browsing activity involves SNI encryption , which is an ongoing standard in which several organizations have come together to define and promote. 

DNS Over TLS on Android 9.0


Android 9, the new version of Google's mobile operating system, already has support for this new security protocol thanks to the new " Private DNS Mode " feature included in this update. Private DNS Mode allows us to use DNS-over-TLS security on our smartphone natively, without relying on a VPN or any other configuration other than specifying the server as such. 


Settings> Networks and the Internet ". Within the network options that appear here, in the "Advanced" section, we can see an option called " Private DNS ". This is the option that interests us.
dns




To use Google's private DNS, we must enter in this section: 
dns.google
To use Cloudflare's private DNS , the address we must enter in this section is:


1dot1dot1dot1.cloudflare-dns.com
"Settings" and then "Network & Internet". At the bottom, you should see an "Advanced" option. Open up the "Advanced" options and you should see "Private DNS" option. S
dns-tls.qis.io
  1. Go to Settings -> Network & Internet -> Advanced -> Private DNS.
  2. Select the Private DNS provider hostname option.
  3. Enter dns.quad9.net and select Save.
 dns.quad9.net



Technical performance

  • A stub to resolve (the DNS client on a device that talks to the DNS resolver) connects to the resolver over to TLS connection:
  • Before the connection the DNS stub resolver has stored to base64 encoded SHA256 hash of cloudflare-dns.com's TLS certificate (called SPKI)
  • DNS stub resolve establishes to TCP connection with cloudflare-dns.com:853
  • DNS stub resolve initiates to TLS handshake
  • In the TLS handshake, cloudflare-dns.com presents its TLS certificate.
  • Once the TLS connection is established, the DNS stub can resolve DNS over an encrypted connection, preventing eavesdropping and tampering.
  • All DNS queries sent over the TLS connection must comply with specifications of sending DNS over TCP.


Previous versions Android 9 

Previous versions of Android Devices that run versions prior to Android 9 do not support DNS over TLS and can not configure private DNS for all networks. You can configure DNS for each individual Wi-Fi network you use. This requires configuring all the network information manually and is only recommended for advanced users. However, there is a CloudFlare app to facilitate the task.

 At the beginning of the year 2018, CloudFlare launched its own DNS service to the public, called "1.1.1.1". The CloudFlare DNS resolution is different from your ISP or other DNS alternatives such as Google Public DNS and Cisco OpenDNS, as it focuses on privacy and speed first. Your IP address is never registered or saved in the CloudFlare servers, and with several optimizations implemented, 1.1.1.1 is, according to CloudFlare, up to 28% faster than other DNS solutions. It also helps fight censorship: countries like Turkey and Venezuela are known to censor and block media, social networks and adult websites, and an alternative DNS resolution helps overcome that restriction. 1.1.1.1 can also be used in telephonesAndroid, but it's not an exactly simple process for devices with Android Oreo and lower versions . Luckily, CloudFlare has launched an application to make it easier .


connecting


The process is simple: just download the application, open it and touch the key to use CloudFlare DNS 1.1.1.1 and navigate with it. It is also quite light with 7.8 MB. And the best part? It does not require root or any other modification : just open it, touch and go. The only drawback? The application uses the Android VPN API to connect to the alternative DNS resolution . This means that if you are using 1.1.1.1, you will not be able to use a real VPN provider at the same time.
iPhone
ES Explorer is one of the most popular applications of Android , largely because many manufacturers introduce it as standard in their phones to compensate for the absence of a good native file manager. The French security researcher known as Elliot Alderson (real name Baptiste Robert and discoverer of the back door of OnePlus 6) explains that there is an important vulnerability thanks to which it is possible to extract information contained in a mobile phone connected to a local network.



 French security researcher Elliot Alderson has discovered a vulnerability in the file management software of Android ES File Explorer with more than 100 million downloads, specifically according to its creators "more than 300 million users worldwide". 

ES Explorer runs an HTTP server that can be exploited to launch various attacks on a local network. Using a fairly simple script, the researcher has demonstrated the ease with which you can extract photos, videos and names of applications, as well as data contained in memory cards. As if this were not enough, it is also possible to run applications remotely. 

The failure must be exploited in a local network, which in some way limits the risks for the common user (although those who connect to public networks would do very well to protect themselves) 


The vulnerability has been confirmed in versions of Android equal to or less than 4.1.9.7.4 and allows through from HTTP requests to port 59777 execute applications and read files remotely in local network. This TCP port opens once the application is started and remains open even if the application is closed.



Elliot Alderson has published through his GitHub a 'script' as proof of concept with the following capabilities:

listFiles : List all the files 
listPics : List all the pictures 
listVideos : List all the videos 
listAudios : List all the audio files 
listApps : List all the apps installed 
listAppsSystem : List all the system apps 
listAppsPhone : List all the phone apps 
listAppsSdcard : List all the apk files in the sdcard 
listAppsAll : List all the apps installed (system apps included) 
getDeviceInfo : Get device info. Package name parameter is needed 
appPull : Pull an app from the device 
appLaunch : Launch an app. Package name parameter is needed 
getAppThumbnail: Get the icon of an app. Package name parameter is needed

On the other hand, the miter has assigned the CVE CVE-2019-6447 and remains waiting to receive an update by the manufacturer. 
Mobile Security Framework (MobSF) is an open source all-in-one mobile application (Android / iOS) capable of performing static and dynamic automated analysis. CuckooDroid is an extension of the Cuckoo Sandbox open source software analysis framework for automating the analysis of suspicious malware files. On the other hand, AppMon is an automated framework based on Frida for the tracking and manipulation of calls to the API of the native application system in MacOS, iOS and Android.

Static code analysis, this is the audit of applications in Android. An application on Android is programmed in JAVA so you might think (wrongly) that in essence the code analysis is a traditional analysis of JAVA. This is not so since both Android architecture (Intents, Broadcast, States, etc.) and the SDK API for interaction with devices (GPS functions, SMS, 3G, SD Writing, etc) must be taken into account. That is, they change two fundamental aspects with respect to the traditional analysis of JAVA: the sinks and the dataflow. 
Very few applications in the official Market are OpenSource, so the code is not available. However, if we can access the apk files, since they are copied to the devices in the path " / data / apk"

Apktool

APKtool, is a tool for the reverse engineering of Android application binaries. You can decode the resources in an almost original way and reconstruct them, after making some modifications, which makes it possible to debug smali code step by step. It also makes it easier to work with the application due to the structure of files in projects and with the automation of some repetitive tasks like the construction of apk. 

Main features of Apktool:


  • Dismantling resources in an almost original way (including resources.arsc, classes.dex, 9.png. And XMLs).
  • Reconstruction of decoded resources back to binary APK / JAR.
  • Organization and management of APKs that depend on the resources of the Framework.
  • Smali Debugging (Eliminated in 2.1.0 in favor of IdeaSmali).
  • Help with repetitive tasks with task automation components.
  
So we have access to the apk application, what's the use? the extension apk is a variant of jar, so we can extract it with the great tool apktool . For this we will follow the following steps:

  • 1. Obtaining the file AndroidManifest.xml
    To obtain this file through the apk we use the tool apktool with option b. 
    This file contains essential information about the application. For our task, the part that interests us is the one referring to the permits required, contained in the uses-permission section . For a complete understanding I recommend reading the extensive official documentation about it .
  • 2. Acquire the jar file
    For this we use the dex2jar tool The operation of this tool is as follows: translate the .dex file (dalvik byetcode executable) to a current jar file.
  • 3. Extract the jar file
    It is as simple as using a normal and current decompressor.
  • 4. Access to the source code
By following step three we will have a directory with JAVA .class files, which can be translated into their corresponding .java files through tools such as JAD , or even directly visualized using tools such as JD-GUI . It should be noted that when doing the decompilation, a lot of information is lost, such as variable names, which makes it difficult to manually analyze the code. Normally, we usually start by identifying certain functions susceptible to misuse (sink functions) and follow the dataflow manually through development environments (Eclipse, NetBeans, etc). 



Android applications use code and resources found in the Android operating system itself. These are known as Framework resources and Apktool relies on these to decode correctly and build apks. Each version of Apktool internally contains the most up-to-date AOSP framework. This allows you to decode and build most of the apk files without any problem. However, manufacturers add their own Framework files in addition to regular AOSPs. To use Apktool against these application manufacturers you must first install the manufacturer's framework files. 

Mobile-Security-Framework (MobSF)


It can be used for fast and effective security analysis of Android and iOS applications and is compatible with binaries (APK and IPA) and compressed source code. MobSF can also perform the Web API Security Tests with its Fuzzer API that can do information gathering, security header analysis, identify specific vulnerabilities of the mobile API such as XXE, FRSS, routing, IDOR, and others. Logical issues related to the session and the speed limitation API.


Mobile Security Framework, is an open source tool to perform automated penetration test in Android and iOS applications, capable of performing static and dynamic analysis. This tool tries to minimize the time, that with a set of tools it would take to realize: the decoding, the purification, revision of code and the test of penetration. Mobile Security Framework can be used forfast and efficient security analysis , being compatible with binaries (APK and IPA) and compressed source code. Mobile Security Framework performs two types of analysis:
  


  • The static analyzer is capable of performing: automatic code review, detection of insecure settings and permissions, detecting insecure SSL code, SSL derivation, weak encryption, obfuscated codes, incorrect permissions, coded secrets, the misuse of dangerous APIs, leakage of sensitive information and the storage of insecure files.
  • The dynamic analyzer runs the application in a virtual machine or on a configured device and detects the problems at runtime. A more detailed analysis is performed on the network packets captured by decoding: HTTPS traffic, log reports, error reports, debugging information and stack tracking. About the assets of applications such as: configuration files, preferences and databases. 

Mobile Security Framework is highly scalable, allows you to add custom rules with ease. It allows to generate reports at the end of the penetration test in a quick and concise way.



More information and download of Mobile Security Framework: 

AndroL4b is a virtual machine oriented to the security aspects in Android based on ubuntu-mate, which includes the collection of the latest framework, tutorials and labs, security, for reverse engineering and malware analysis in Android applications. 

AndroL4b Tools


  • APKStudio Cross-platform Qt5 based IDE for reverse-engineering android applications
  • ByteCodeViewer Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger)
  • Mobile Security Framework (MobSF) (Android / iOS) Automated Pentesting Framework (Just Static Analysis in this VM)
  • Drozer Security Assessment Framework for Android Applications
  • APKtool Reverse Engineering Android Apks
  • AndroidStudio IDE For Android Application Development
  • ClassyShark Android executable browser
  • BurpSuite Assessing Application Security
  • Wireshark Network Protocol Analyzer
  • MARA Mobile Application Reverse Engineering and Analysis Framework
  • FindBugs-IDEA Static byte code analysis to look for bugs in Java code
  • AndroBugs Framework Android vulnerability scanner that helps developers or hackers find potential security vulnerabilities in Android applications

APK analysis with AppMon



This application makes use of a powerful multiplatform dynamic instrumentation environment, which we have spoken about on previous occasions: Frida. Based on this platform, AppMon includes a series of scripts that will allow analysts to spy on the events that the studied application generates in the system, whose results can then be visualized through a web interface with search and sort filters.

In addition, AppMon includes scripts that allow an intrusion inside the application modifying its normal course of action, as shown in the following video. Of course, each analyst can also include their own scripts in the tool.


It also allows applications to be implemented in both Android and iOS and, inheriting the flexibility of Frida, it can be executed in different platforms (Linux, Mac OS, and Windows with some changes to the code).

The Android Manifest of the application tells us that the package name is com.baseapp. We will need this data to be able to indicate to AppMon which process to intercept.

The prerequisites for running AppMon are obviously to install Frida and also some python modules, which can be done with the following command:

sudo -H pip install argparse frida flask termcolor

Then we can copy the project from the repository in Github or download the corresponding compressed file. If you are working on a Windows computer, you must also modify the absolute path defined in the variable merge_script_pathof the file appmon.py to point to the temporary folder in the Windows file system or another folder that the user wants. For example, it could be as follows:

merge_script_path = ‘C:/Users//AppData/Local/Temp/merged.js’

We will have to create our emulator with a version of Android 4.4.x since Frida has only been shown stable for these versions, to later transfer Frida's files and start the server, as we have done previously in the tutorial to implement apps .

 Now we must install the application we want to analyze. It is best to do it via adb since some emulators initialize the application when it is installed via drag and drop and if we are not ready to run the AppMon command, we may miss out on registering critical functionality.

AppMon creates a simple server with python that by default is initialized in port 5000, where we can then access the filtering web interface, but only after we see the indication by console that something has been dump .

It will open an event log in which we can see some operations that took place in the system in the short execution time.

After using the application for a while we can see the results in the browser, among which we find the complete detail of the network packets that have been sent with the HTTP protocol.


CuckooDroid


CuckooDroid is an extension of Cuckoo Sandbox open source software analysis framework for automating the analysis of suspicious malware files. It is an automated, multiplatform system for emulation and analysis based on the popular Cuckoo test zone and several other open source projects. Providing both static and dynamic APK inspection, as well as evading certain techniques such as: virtual environment detection, encryption key extraction, SSL inspection, API call trail, basic behavior signatures and many other features. The framework is highly customizable and extensible taking advantage of the power of the large Cuckoo community.

Cuckoo Sandbox is an open source malware scanning system. This application allows you to analyze any suspicious file and in a matter of seconds, Cuckoo will provide detailed results that describe what would result when running within an isolated environment.

Malware is the main tool of cybercriminals and the main cyber attacks in business organizations. In these times the detection and elimination of malware is not enough: it is vital to understand: how they work, what they would do in the systems when it is deployed, understand the context, the motivations and the objectives of the attack. In this way understand the facts and respond more effectively to protect yourself in the future. There are countless contexts in which a limited environment may need to be implemented, from analyzing an internal violation, collecting actionable data and analyzing possible threats. 
Cuckoo generates a handful of different raw data, which include:

  • Native functions and Windows API called fingerprints.
  • Copies of files created and deleted from the file system.
  • Dump of the memory of the selected process.
  • Full memory dump of the analysis machine.
  • Screenshots of the desktop during the execution of malware analysis.
  • Network dump generated by the machine that is used for the analysis.
In order for these results to be better interpreted by the end users, Cuckoo is able to process and generate different types of reports, which could include: 
  • JSON report.
  • HTML report.
  • MAEC report.
  • MongoDB interface.
  • HPFeeds interface.
The most interesting thing is that thanks to the wide modular structure of the Cuckoo, it is possible to customize both the processing and the reporting phase. Cuckoo provides all the requirements to easily integrate an isolated environment with existing systems, with the data you want, in the way you want and with the format you want. 

More information and download CuckooDroid: 
More information and download Cuckoo Sandbox: 
Documentation Cuckoo Sandbox: