My Tryst with Security: August 2013

Monday, August 26, 2013

Running Burp with android device

Here is a follow up to my first post about using Burp Suite with a virtual device to set up a proxy.

(http://givemeroot.blogspot.com/2013/08/burp-suite-to-pen-test-android-app-on.html)

Using an emulator is a bit of a pain since it is really really slow. Also it does not support everything a phone might support (like some sensors etc)

** THIS WILL REQUIRE A ROOTED DEVICE**

So here is a tutorial on how to set up a proxy for your device and run burp to tamper data in transit or just observe the data go.

So the first few steps are going to be the same as they were for the other post where you run it for an emulator so I will just copy and paste them here

Step 1:

Download Burp Suite from: http://portswigger.net/burp/download.html

Test if it is running by running it from terminal

$ java -jar -Xmx1024m burpsuite_free_v1.5.jar

Step 2:

Set up a Proxy in your browser:

“ … Chrome - The Chrome browser picks up the HTTP proxy settings configured on the host computer. If you are using Chrome, you can open your computer's built-in browser and follow the instructions for configuring that. If you aren't sure where the built-in proxy settings are, open Chrome, go to the Customize menu, select Settings, click on "Show advanced settings", and click the "Change proxy settings ..." button. This will open the relevant configuration options for your host computer.

Firefox - Go to the Firefox menu, click on Options, click on Advanced, go to the Network tab, and click on the Settings button in the Connection section. Select the "Manual proxy configuration" radio button. Enter your Burp Proxy listener address in the "HTTP proxy" field (by default, 127.0.0.1). Enter your Burp Proxy listener port in the "Port" field (by default, 8080). Make sure the "Use this proxy server for all protocols" box is checked. Delete anything that appears in the "No proxy for" field. Then click "OK" to close all of the options dialogs. …“

Step 3:

Downloading PortSwigger Certificate

Open a site on https (eg https://www.google.com) . Once you get the security warning click on I Understand the risk and add security exception. There click on View button.

Confirm that you see a PortSwigger certificate. Go to Details tab and export it. Save it with a .crt extension.

Step 4:

Install the certificate on the device.

There are multiple ways you can do it. For android >=4.2 all you need is to have the .crt file on the sdcard.

One possible way is to do

$ adb push PortSwiggerCA.crt /sdcard/

Or you can just use your file explorer and copy it there.

Once the file is there go to Settings -> Security. Select install certificate from sdcard. It should automatically find the certificate and give you an option to install it.

You may have to set up some kind of a phone locking mechanism if you don't have one already.

Step 5:
Setting the proxy

Install an app on your device that will let you set up a proxy. I prefer proxydroid, you can get it from the play store.
In the app all you need to do is set your laptop's ip and give it a port that burp is listening to.

Step 6:
Start Burp and you are good to go. :)

Wednesday, August 14, 2013

Reversing an android app (for Beginners)

You might want to reverse an Android application for various reasons. Such as figuring out if it is a malware or not, figuring out how they implemented something, trying to find some vulnerability, etc.

This is one of the toolchains you can use to accomplish this task. There might be easier and more efficient ways to do it but this is how I prefer doing it. Another method I like is using apktool which I will cover in another post.

(Disclaimer: All the commands used are for Linux/Mac OS. they will differ if you are using Windows)

The basic steps involved in reversing an android app are:

Extracting the .apk file
Converting the .apk to a .jar file
Retrieving the .class and .so (if any) files from the JAR
Analyzing the files
(Optional) Reassemble the files into a .apk

Here are some tools/software you will need:

Android SDK
Andriod Developtment Tools (ADT)
dex2jar (https://code.google.com/p/dex2jar/downloads/list)
jd-gui (http://java.decompiler.free.fr/?q=jdgui)
IDA (Optional) (https://www.hex-rays.com/products/ida/index.shtml)
Smali (Optional) (https://code.google.com/p/smali/downloads/list)

Step 1:

Extracting the .apk file

Most of the times you would download the application from the Google Play store. If not you should try to follow that practice since it is the most reliable source. At the end of this post you will know why it is not safe to download any app from an untrusted 3rd Party.

Make sure your phone has USB Debugging turned on.

To check if your phone is properly connected :

$adb devices

This should show you your device connected.

There are various ways to actually extract the apk file from the device. But the one I am mentioning works on both rooted and unrooted phones. I got this one from stack overflow.

To list what apps are currently installed on the device enter this in the terminal

$adb shell pm list packages

Select the app you want prom its package name and take a backup of only that app:

$adb backup -apk <package name>

for eg

$adb backup -apk com.instagram.android

Follow the instructions on the phone to take the backup. Do not worry it will not erase any data. Make sure you do NOT encrypt the backup.

This creates a .ab file in your current directory. To extract your apk file from this use the following command

$dd if=backup.ab bs=24 skip=1 | openssl zlib -d > application.tar

Now you can extract the application.tar and retrieve the apk.

Step 2:

Converting the .apk file to a jar file

apk is a form of a zip file so you may try to extract the contents of the apk you just got. But all that will give you is the android manifest file which is really important and a .dex file which is almost not readable.

To convert the apk to a jar file we will use dex2jar which can be downloaded from https://code.google.com/p/dex2jar/downloads/list

to convert your file use the following command

$sh /path/to/dex2jar/d2j-dex2jar.sh /path/to/apk

This will create a .jar file in the same directory as the apk file.

Step 3:

Viewing the java classes and shared objects in the jar

To view and edit the java classes we can use the JD-GUI (http://java.decompiler.free.fr/?q=jdgui)

Open the downloaded folder and run jd-gui.

From within jd-gui you can open the .jar file and it will show you all the files of the application.

Step 4:

Analyzing the files.

The Java classes can be easily analyzed from jd-gui itself but as far as the shared object (.so) files are concerned you will have to use a separate decompiler such as IDA(https://www.hex-rays.com/products/ida/index.shtml).

For most android applications the free version of IDA will not work since it does not support ARM code in the free version.

Using IDA is not an easy task and I am myself still learning it and hence wont go into details here.

Step 5:

Reassemble the files into an apk.

In case you have made changes to the initial files and want to reassemble it into a new Android application you can use Smali (https://code.google.com/p/smali/downloads/list).

Monday, August 12, 2013

Burp Suite to Pen test android app on Virtual Device (AVD)

Here are the steps you need to follow to set up burp suite to have a proxy for your android virtual device to pen test your android app.

Step 1:
Download Burp Suite from: http://portswigger.net/burp/download.html
Test if it is running by running it from terminal

$ java -jar -Xmx1024m burpsuite_free_v1.5.jar

Step 2:
Set up a Proxy in your browser:
“ … Chrome - The Chrome browser picks up the HTTP proxy settings configured on the host computer. If you are using Chrome, you can open your computer's built-in browser and follow the instructions for configuring that. If you aren't sure where the built-in proxy settings are, open Chrome, go to the Customize menu, select Settings, click on "Show advanced settings", and click the "Change proxy settings ..." button. This will open the relevant configuration options for your host computer.
Firefox - Go to the Firefox menu, click on Options, click on Advanced, go to the Network tab, and click on the Settings button in the Connection section. Select the "Manual proxy configuration" radio button. Enter your Burp Proxy listener address in the "HTTP proxy" field (by default, 127.0.0.1). Enter your Burp Proxy listener port in the "Port" field (by default, 8080). Make sure the "Use this proxy server for all protocols" box is checked. Delete anything that appears in the "No proxy for" field. Then click "OK" to close all of the options dialogs. …“

Step 3:
Downloading PortSwigger Certificate

Open a site on https (eg https://www.google.com) . Once you get the security warning click on I Understand the risk and add security exception. There click on View button.
Confirm that you see a PortSwigger certificate. Go to Details tab and export it. Save it with a .crt extension.

Step 4:
Create a new android virtual device (android ver >4.2) with some space on the sdcard (to save the certificate).
Start the avd and copy the PortSwigger cert to the sdcard:

$ adb push PortSwiggerCA.crt /sdcard/

Step 5:
Install the cert on the device:

Go to Settings->Security and select install certificate from sdcard. It might ask you to set up a pin while doing it.

Step 6:
Check if cert and proxy are working:
Close the avd and start it from the cmd line using the following command:

$ emulator -avd <name of your device> -http-proxy http://127.0.0.1:8080

In Burp Suite go to the proxy tab and click on intercept on.

Try opening any website on the emulator and check if the proxy is working

Step 7:
Install the apk to test:
Restart avd without the proxy
Install your apk file using the command:

$ adb install filename.apk

Step 8 :
Restart emulator with proxy on

$ emulator -avd <name of your device> -http-proxy http://127.0.0.1:8080