Android Pentesting and related issues

Tram Ho

0. Overview

Today's products are mostly available on mobile platforms (Android and iOS), and some are built mainly on mobile platforms (e-wallets, for example). Pentesting mobile applications, and the vulnerabilities found in them, differ from web pentesting. Before the actual "pentesting" phase, however, there is another important job: building the environment. In this article I will cover the "pre-pentest" barriers on Android.

1. SSL Pinning – pinning the SSL certificate into the application

First, let’s talk about Secure Web Connections:

When a client starts a secure session with a server, there are three things the two parties must agree on:

  • How keys are exchanged
  • How data is encrypted
  • How messages are authenticated

For example, the server may decide to use RSA to exchange keys, AES-256 to encrypt data and SHA-1 to sign messages.

If the client supports these, it requests the certificate chain from the server; once the client has verified the certificate chain, the public key is extracted from the certificate.

By default, the SSL implementation used in the app trusts any server whose certificate is trusted by the OS (as shown above), that is, signed by one of the CAs (certificate authorities) in the OS trust store.

This is where SSL Pinning comes into play. Developers can compile the server's public key into the application code, which is essentially pinning the key into the application. When the client receives the public key from the server, it compares it with the pin in the application; only if the key matches does the session start.

There are currently 3 types of SSL Pinning:

  • Certificate Pinning
  • Public Key Pinning (The type mentioned above)
  • SPKI Pinning

Certificate Pinning: pins the entire certificate instead of just the public key, and is the easiest method to implement. But what happens when the certificate expires? The client has to update the application with the new certificate before the certificate on the server is updated. That is why public key pinning is sometimes the preferred method.

Public Key Pinning: more flexible, but a bit more complicated because of the extra steps needed to extract the public key from the certificate.

SPKI Pinning (Subject Public Key Info): the latest pinning method; the hash of the public key and its metadata is pinned into the application.

If the application does not use SSL Pinning, it is highly vulnerable to Man-in-the-Middle attacks.

So SSL Pinning gives developers an extra layer of security in their applications, and it is easy to implement with libraries such as AFNetworking (iOS) or OkHttp (Android).

The reason we need to bypass this is that we will set up a proxy server to intercept requests sent from the app to the server, and the server and app will only talk when the correct cert is presented …
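To make the OkHttp case concrete, here is an added example (not code from the original post) of SPKI pinning with OkHttp's `CertificatePinner`; the hostname and the two pin values are placeholders to be replaced with the real host and the base64 SHA-256 hashes of the server's SubjectPublicKeyInfo.

```java
import java.io.IOException;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public class PinnedClient {
    // Placeholder host and pins (assumptions): replace with the real host and
    // the base64 SHA-256 hashes of the server's SPKI plus a backup key.
    private static final String HOST = "api.example.com";
    private static final String PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    private static final String BACKUP_PIN = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    private final OkHttpClient client;

    public PinnedClient() {
        // Pin the hash of the SubjectPublicKeyInfo, not the whole certificate,
        // so the certificate can be renewed as long as the key pair is kept.
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(HOST, PRIMARY_PIN)
                .add(HOST, BACKUP_PIN)   // second pin allows key rotation
                .build();
        client = new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    /** Returns the response body, or null if no chain element matched a pin. */
    public String get(String path) throws IOException {
        Request request = new Request.Builder()
                .url("https://" + HOST + path)
                .build();
        try (Response response = client.newCall(request).execute()) {
            return response.body() != null ? response.body().string() : "";
        } catch (SSLPeerUnverifiedException e) {
            // The chain passed the OS trust store but not the pin set: treat it
            // as a possible man-in-the-middle and do not fall back to unpinned.
            return null;
        }
    }
}
```

With a pin set like this, a proxy certificate that the OS trusts still fails the connection, which is exactly the behaviour a pentester has to work around.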

2. Anti-VM – do not allow installation or use on virtualized devices

This is a simple way for the application to detect whether the device is a virtual device (emulator); if it is, features are restricted or installation is not allowed.

Why do we still pentest applications on emulators? Simply because it is more convenient: any device, any Android version, just pick one and install it, and after 5 minutes you have an Android emulator with full functionality. The most popular application for creating emulated devices is Genymotion.

In practice, for pentesters this is not a very serious problem, because most of the time they use real devices 😂 If you do not have the necessary equipment, reversing the app to remove this detection is probably not too difficult.

The application can detect an emulator in all sorts of ways. Here is an example:

There is no reason this explicit code cannot be bypassed; you can modify the string as follows:

After that the function is "harmless" and the application can be installed on the emulator.

3. Root Detection Techniques

If Anti-VM does not seem very painful, because it is easy to use a real device instead 😆 , "anti-rooted device" is a different story. Whether it is a real device or an emulator, it has to be rooted, because root is needed for many things when pentesting.

Here is an example of a script that detects root in 3 different ways. There are, of course, other ways and other binaries that can be used for this.

In Mobile Device Management (MDM), there are many ways to detect rooted Android devices. The methods are quite similar and usually involve searching for specific packages or files, checking directory permissions, and running certain commands.

By reviewing the source code, the pentester can patch these checks, as in the example above, and many similar instructions, to bypass root detection, even when SafetyNet (Google's official API, built specifically to counter rooted devices, unlocked bootloaders and custom ROMs, and used by Android Pay) is in place.
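Since the code screenshots from sections 2 and 3 did not survive, here is an added Java example (not the article's own code) of the kind of emulator and root checks they describe: emulator build properties, the AOSP "test-keys" tag, known su paths and a `which su` lookup. The path list is constructed from commonly used locations and is an assumption, not an exhaustive list.

```java
import android.os.Build;
import java.io.File;

public final class DeviceChecks {
    // Constructed list of locations where a su binary is commonly installed.
    private static final String[] SU_PATHS = {
            "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
            "/data/local/xbin/su", "/data/local/bin/su", "/data/local/su"
    };

    /** Emulator check: build properties typical of the SDK emulator/Genymotion. */
    public static boolean looksLikeEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || Build.HARDWARE.contains("goldfish")
                || Build.HARDWARE.contains("ranchu")
                || Build.MODEL.contains("Android SDK built for x86")
                || Build.MANUFACTURER.contains("Genymotion");
    }

    /** Root check 1: firmware signed with the public AOSP test keys. */
    public static boolean hasTestKeys() {
        return Build.TAGS != null && Build.TAGS.contains("test-keys");
    }

    /** Root check 2: a su binary exists at a known path. */
    public static boolean hasSuBinary() {
        for (String path : SU_PATHS) {
            if (new File(path).exists()) return true;
        }
        return false;
    }

    /** Root check 3: "which su" prints a path, i.e. su is on PATH. */
    public static boolean suOnPath() {
        Process p = null;
        try {
            p = Runtime.getRuntime().exec(new String[] {"which", "su"});
            return p.getInputStream().read() != -1;   // any output means su was found
        } catch (Exception e) {
            return false;            // "which" missing or not executable
        } finally {
            if (p != null) p.destroy();
        }
    }

    public static boolean isRooted() {
        return hasTestKeys() || hasSuBinary() || suOnPath();
    }
}
```

Each check is a plain string or file test, which is why the article can describe them as easy to patch out; SafetyNet moves the decision to a server-side attestation instead.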

4. Code Obfuscation

If this is considered part of the "pre-pentest" (in fact it is not part of building the environment), it is the toughest one. This is a technique applied when the product is about to be published, to keep the source code unreadable by third parties. A basic example of code obfuscation in an application related to MONEY (I changed the application name):

And another application that looks very friendly, without code obfuscation:

This is a necessary and important technique. However, code obfuscation affects app performance and raises a number of related issues. So in the second example, although it is an in-house application of a software company, code obfuscation was not applied.

5. Conclusion

This article introduced the "hard things" you meet before starting to pentest Android applications in particular and mobile applications in general. Of course, when pentesting there is no shortage of other difficulties specific to each app.

Hopefully after building the “environment”, you can be happy with it and find lots of bugs 💪💪



Source : Viblo