Getting Started into Android Security

  • Home
  • Blog
  • Getting Started into Android Security

The availability of the Internet, lower data rates, and the easy use of mobile devices such as Android phones have been used more effectively for availing E-commerce, and mobile applications (Apps) for purchasing the daily necessities. It seems that a new Android model arises every couple of days, and Android phones are extremely popular. As Android apps grew to incredible numbers, they brought with them a slew of vulnerabilities that attackers gladly exploited.

stem for mobile devices like smartphones and tablets, Android was Introduced. It was developed by Open Handset Alliance (OAH) and managed by Google and other companies. The Android uses a Java application and Java core libraries running on Dalvik virtual machine and JIT compilation to run Java applications on a Java-based, object-oriented application framework.

Android Architecture

Android operating system runs on top of Linux. There are a number of components required to run any operating system. Android consists of a number of components, which are divided into five sections and four main layers, as shown in the following architecture diagram. The Linux Kernel is one of the components that provide basic operating system functions for smartphones. A platform for Android applications is provided by the Dalvik Virtual Machine (DVM).

Application

It is the top-most layer of the Android architecture. This layer consists of native Android apps as well as apps installed by third parties. The Android package contains all the applications to be installed such as contacts, games, settings, and messages, which are all written in this layer. messages. These applications run within the Android runtime, using the classes and services provided by the application framework.

Application Framework

In addition to the Android OS, the Android framework exposes the underlying libraries and features of the device through a Java API. Application Framework includes several classes used to create the Android application. Also, it provides a generic abstraction to Hardware resources and helps in managing the user interface with application resources. Application Framework provides different types of services like Activity Manager, window manager, content provider, location manager and some others.

Libraries 

Android Runtime is responsible for running the android application. Android Runtime consists of two different components called core libraries and Dalvik Virtual Machine ( DVM ). The android application relies on the core libraries to power its framework and uses the core libraries to power the android application. Running Android applications is actually done by the Dalvik Virtual Machine ( DVM ).

Linux Kernel 

Linux kernel is the core of the android architecture. The Linux kernel is responsible for allocating hardware resources to the android application. It also contains the drivers required by android applications so the management of drivers is also done by the Linux Kernel.

Android Security Architecture

Android is known for its open-source, versatility, and customization capacity because of the many applications it includes. As a security measure, the Android security model provides a secure environment Android is known for its open-source, versatility, and customization capacity because of the many applications it includes. As a security measure, the Android security model provides a secure environment for android applications. As we know, Android runs on top of Linux. So the Android security model builds with two different security models which are the Linux security model and the Application security model. Android Security model runs these two models parallelly in Order to provide security to android applications.

Sandboxing

To isolate the resources the Android uses a Linux user-based permission model, this process is called sandboxing. Sandboxing prevents external programs from interfering with protected applications. The sandboxing mechanism also protects the operating system components, so vulnerabilities exposed by an application cannot be exploited to gain access to the outside system. Starting with android 5.0, android has built-in protection against accessing protected apps.

Linux Security Model 

The Linux Security Model is based on the Privilege Control Model. Linux’s privilege control model ensures that each and every application running on Android has its own unique process ID. Each application also has its own UserID. User IDs are used to manage Application Access Control so that no other application can access the data of any other application.

Application Security Model 

In the Android operating system, the user’s privacy is protected by implementing the Application Security Model which is basically a permission control model. Users must give their consent before Android applications can perform actions that may affect other applications, the system or the user himself. The permissions asked by the android application are declared in AndroidManifest.xml file. Mainly android security protection levels are categorised into three levels.

  1. Normal Permissions
  2. Signature Permission
  3. Dangerous Permission

Android File System

  • Shared preferences: These are XML files that hold non-sensitive preferences of an app in the form of a key-value pair, usually of the types boolean, float, int, long, and string. Sheared_prefs named folder is created when the app is using a sheared preferences. by navigating to this folder sometimes we can get some sensitive information like user’s credentials, and personal information.
  • SQLite databases: SQLite databases are lightweight file-based databases commonly utilized in mobile environments. The SQLite database framework is also supported by Android, so you will often see apps that use SQLite databases to store data.
  • Internal storage: Internal storage, also known as the device’s internal storage, is used to save files to the internal storage. It provides a fast response to memory access requests due to its direct access and almost the entire app-related data is used here, logically it’s a hard disk of the phone. Each app creates its own directory during installation under /data/data/<app package name>/, it is private to that application and other applications don’t have access to this directory. This directory is cleared when the user uninstalls the application.
  • External storage: External storage is a world-writable and readable storage mechanism in Android which is used to store files. Any app can access this storage to read and write files, because of these reasons, sensitive files shouldn’t be stored here.
  • Tempfile: files are created upon apps are installed and used, device updates have been performed, and apps have been removed. These files are required when you are using programs or applications since more space is needed to accommodate extra memory and existing files.

Android Application Development LifeCycle

Android Application Development Life Cycle

Android applications are mainly written in java and it contains some resources all these resources are compiled and packaged by the AAPT (Android Asset Packaging Tool) in the file called r.java. For the interprocess communication between the client and the services, the application needs the .aidl (Android Interface Definition Language) file which defines the programming interface for them. The java compiler combines these files and processes them into the .class file later on which will be passed to the dex compiler. Dex compiler converts this .class file into the .dex format. Android applications are nothing but Dalvik executable files. Dalvik Bytecode files have a .dex extension. Then all Dalvik executable files are zipped into the .apk.

Android Application Components 

  • Activity:- Activities are responsible for user interaction. It is necessary that the system keeps track of what the user is currently requesting so that it may continue running the process of hosting the activity. For example Facebook Application, the Facebook app have an activity that shows the user feed. Each activity in the Facebook application is independent of the others, even though they all work together for a seamless user experience. Therefore, any of these activities can be performed by another app as long as it can access the Facebook app.
<activity android:exported="false" android:launchMode="singleTask" android:name="net.openid.appauth.AuthorizationManagementActivity" android:theme="@android:style/Theme.Translucent.NoTitleBar"/>
<activity android:exported="true" android:name="net.openid.appauth.RedirectUriReceiverActivity">
  • Intents:- An Android Intent is a description of how an action is going to be performed. Intents are essentially a way for two or more different Android applications to communicate with one another. Intents are used with some methods, including startActivity() for starting activities, startService() for keeping processes running in the background, and broadcastIntent() for sending broadcast messages. So mainly there are two types of intent Explicit and Implicit intent. An explicit intent is the one which has specific action assigned to it and the intents which allow components from another application to handle a general action are known as Implicit Intent.
<intent-filter>
 <action android:name="android.intent.action.VIEW"/>
 <category android:name="android.intent.category.DEFAULT"/>
 <category android:name="android.intent.category.BROWSABLE"/>
 <data android:scheme="gettactic"/>
</intent-filter>
  • Services:- Service components are responsible for running in the background to perform a long term operation. For example, a service might play music in the background while the user is using another program, or it could fetch data through the network without blocking the user from interacting with the program.
<service android:directBootAware="false" android:enabled="@bool/enable_system_alarm_service_default" android:exported="false" android:name="androidx.work.impl.background.systemalarm.SystemAlarmService"/>
  • Content Provider:- Content providers are responsible for supplying data from one component to another as requested. Moreover, content providers allow applications to modify data according to the permissions granted by the content provider by using the provider-client object.
<provider android:authorities="com.tactic.android.workmanager-init" android:directBootAware="false" android:exported="false" android:multiprocess="true" android:name="androidx.work.impl.WorkManagerInitializer"/>
  • Broadcast Receiver:- The broadcast receiver simply responds to messages broadcast by other applications or the system. Many broadcasts originate from the system, including broadcasts announcing that the screen has turned off, the battery is low, or a picture has been captured.
<receiver android:directBootAware="false" android:enabled="true" android:exported="false" android:name="androidx.work.impl.utils.ForceStopRunnable$BroadcastReceiver"/>

Android application is nothing but a collection of multiple files which are zipped into a single .apk file. To access the content of the .apk file you need to extract the file. An important thing to understand here is that extracting the file doesn’t mean decompiling the application. Decompilation is another process, which we will see later. As per the Operating System, there are different processes for extracting the .apk file we will see for Windows and Linux.

Extracting Android Application

  • Unzipping Application In windows:- In Windows, it is fairly easy to unzip .apk files, you just need to change their extension to .zip and then use WinRAR or any other application of your preference, to extract the contents of the zip file.
  • Unzipping application In Linux:- Unzipping application in Linux, Open the terminal then move to the folder where the .apk file is, then execute the following command
unzip -d <dirname> <.apk_file>

Here dirname is where extracted files will be saved. E.g

unzip -d save demo.apk 

Following are the types of files you will receive after unzipping the .apk file.

  • Classes.dex:- These are the classes that are compiled in the format of the dex file that is recognized by the Dalvik virtual machine.
  • Android Manifest.xml:-The file contains all the permissions an application needs in order to work.
  • Meta-INF:- It Consists of Identifying and Certifying Information
  • res:-  It Includes non-compliant resources, like images, audio, and videos
  • assets:- Integrate images, HTML files, and java scripts.
  • lib:- A library file containing Java library files needed by Android applications

The important thing here is that all these files are in compiled form, which means the content inside these files is not human readable. In order to read the content of these files, we need to decompile these files.

Decompiling/Reversing Android Application

The Android application can be decompiled using a variety of tools. We will cover apk-tool and jdax in this section. We’ll take a look at apk-tool and jdax in this section.

Apk-Tool

You can download and find the installation steps of the apk-tool for both Linux and Windows here. Open the terminal, navigate to the folder where the .apk file is located, and run the following command.

apktool -d <yourapk>

Here -d is for decompiling.

The APK tool decompiles the source code of the applications into a human-readable format called Smali.

Jdax

Jdax is a Java to dex decompiler. Installing JDax on Windows and Linux can be found here. Jdax has both command line as well as GUI versions. We will cover the command line version in this blog. In order to decompile the application, move your .apk file to /jadx/bin location. Launch the terminal and go to the /jadx/bin directory. Execute the following command.

./jdax -d <dirname> <your_apk>

Here -d is for decompiling. dirname is the directory name where extracted files will be saved. your_apk is the name .apk file.

Rooting Android Device

Rooting is the process of gaining ‘root user’ or ‘system level’ access to an android device. In contrast to Linux, the Android operating system developer has designed an operating system in a way that does not provide users with this level of access. For this reason, Rooting is used to gain access to root privileges. It basically means breaking it down into your own device, in order to give you more control over how it is customized.  

Some data in the system can only be observed by those with root access, in this condition a Security tester may need root privileges to see that data. For example, viewing data stored in private files. A comprehensive understanding of security implications must be done before rooting a device.

Emulators are always a great option if you don’t want to root the physical device, Emulators provide the functionality of rooted devices. In a subsequent section, you will learn how to set up a Genymotion emulator for testing Android devices.

Dex files

Dalvik Virtual Machine does not use Java bytecode, which is one of its most impressive features. In its place, a homegrown format called DEX was developed, and its bytecode instructions are entirely different from the Java instructions. The Android programs are first compiled into .dex files, then zipped into a .apk file on the device. The Java programming language can automatically translate compiled applications into .dex files.

Dex file format

  • File Header
  • String Table
  • Class List 
  • Field Table 
  • Method Table
  • Class Definition Table 
  • Field List
  • Method List
  • Code Header 
  • Local Variables List

The Dex file contains a lot of information which is extremely useful for security testers. The Java programming language can automatically translate compiled applications into .dex files. In order to analyze the .dex files, they need to be converted into human-readable format. There are some tools like 010 editor and dex2jar which are used to analyse dex files.

Converting Dex File into Java using Dex2jar

You can download the dex2jar from here. For viewing the converted jar file, another application called JD-GUI is needed. Let’s understand how to use these tools.

Once the .apk file has been unzipped, the classes.dex file will appear. Open a terminal, navigate to the location of classes.dex, and execute the following command.

d2j-dex2jar classes.dex

It converts your classes.dex file to the Java file format. The converted files can be viewed by using the JD-GUI.

Intercepting Android Traffic With Burp Suite

These steps apply both to emulators and physical devices. An Android device can be set up in an emulator for testing fairly easily. You can find the reference here. It is necessary to set up your wifi network with a proxy setting in order to intercept the traffic. The first thing you will need is the IP address of your base system. Using the ipconfig/ifconfig command on the terminal will bring up the IP address. Open the device’s WiFi setting and select Modify Settings. You will see the Proxy option there. Set it to Manual. Enter the IP address of the base system in the Proxy Hostname field. Additionally, provide the port 8080/8081. Save the settings. You can use any port number here.

Note:-  If you want to intercept web traffic as well as Android traffic then you must use different port numbers (8080/8081).

Enter the host and Port number

Now run Burp Suite and move to the options in Proxy Tab. Enter the port number in the ADD option and from a specific IP address, choose your base machine’s address. Save the settings.

Select Ip address

The trust certificate is necessary in order to intercept the traffic. To download the certificate open any browser on the android device and go to http://burp. You will find a CA Certificate option at the top right corner of your screen. Click it and the certificate will be downloaded automatically.

Rename the certificate with .cer extension. In order to install the certificate open the settings of an android device and go to the Install From SD option in the Security Section. And select the certificate with .cer extension.

Now you are ready to intercept the traffic. Just to check, open the browser on the device and enter any URL, Make sure that your intercept is on. Check that the HTTPS request is intercepted by Burp Suite.

If the application to be tested has a minimum API level >= 24 then the system level CA certificate needs to be installed. This is a little bit different process from the previous one. Android stores these certificates on /system/etc/security/cacerts location. We can drop the certificates there if you are having root privileges.

Run the burp suite and navigate to the options section in the proxy tab. Export the certificate in DER format by clicking on Import / Export CA Certificate.

Android expects the certificate’s filename to be the subject_hash_old value appended with .0. The certificate should be in PEM format. Then convert DER to PEM using openssl( Installation steps for openssl can be found here ) and rename the resultant file subject_hash_old.

convert DER to PEM

The certificate can be copied over with adb, but you’ll have to remount it as writable since it’s going into the /system filesystem. And move the certificate into the /sdcard

adb root
adb remount
adb push <certname.0> /sdcard

Now, move the certificate into /system/etc/security/cacerts, Give read write access using chmod.

mv /sdcard/<certname.0> /system/etc/security/cacerts/
chmod 644 /system/etc/security/cacerts/<certname.0>
Push Certificate in File System

Reboot the device, and verify the installation by visiting Settings -> Security -> Trusted Credentials, “Portswigger CA” should be displayed as a system trusted CA.

This article provides more references.

Some Bonus Part

To Secure android devices, android has deployed some security features. let’s understand one by one.

Biometrics

A number of biometric methods are supported by the Android framework, including face and fingerprint recognition. Android can be customized to support other biometric methods (such as Iris). The success of biometric integration will, however, be dependent on biometric security, not modality. This Biometric authentication is integrated by using BiometricPrompt API.

App Signing

Whenever an Android application is released, the developers must authenticate it with an upload key before uploading it to Google Play Store. Understanding this process must help security researchers to develop an exploit. The app signing process contains generating an upload key then the developer needs to sign the application with the upload key after that needs to configure with the play store. The detailed steps can be found here.

Trusty Trusted Execution Environment

Trusty is a secure Operating System (OS) that provides a Trusted Execution Environment (TEE) for Android. Despite sharing the same hardware and operating system, Trusty runs on a different processor and is physically isolated from the rest of the system.

Encryption

Android uses dm-crypt for low-level encryption, which is the standard disk encryption system included in the Linux kernel. Many Linux distributions leverage the same technology. Encryption does not require a PIN or password on Android 5.1 and above, but creating one is highly recommended since not having one would compromise the security.

That’s all about the basics, which are required to perform penetration testing on an android application. So, it’s a three series blog, in the next one we will be covering the concepts of Static analysis of android applications it’s nothing but a process of source code review of the apk file, in the next one will do a deep dive into the Dynamic analysis in that we will be covering some tools and techniques which will surely upgrade your knowledge and skills.

So, it’s a lot of knowledge and information you are getting in this series of blogs, STAY TUNED!

Leave a Reply

Your email address will not be published.