
Vaccinating Android

BSides Las Vegas · 2014 · 51:39 · 11 views · Published 2016-12
About this talk
Milan Gabor and Danijel Grah present a tool and methodology for runtime analysis and manipulation of Android applications without modifying APK files. Using Java reflection and BeanShell scripting, the technique injects a service into running Android processes to inspect and modify application state, variables, and behavior at runtime. The talk covers static and dynamic analysis techniques, demonstrates vulnerabilities in mobile applications, and shows live exploitation of the Google Play Store.
Original YouTube description:
BG - Vaccinating Android - Milan Gabor & Danijel Grah Breaking Ground BSidesLV 2014 - Tuscany Hotel - August 06, 2014
Transcript [en]:

So everybody, welcome to Breaking Ground: Vaccinating Android, by Milan and Danijel. Give them a...

[Applause] Thank you. My name is Milan Gabor, and with me today is Danijel Grah, and we will be talking a little bit about Vaccine. Enjoy it. So let's start. Actually, who are we? We are just two guys from Slovenia. So, has anybody been to Slovenia yet? Really? Oh, cool. I've been to Romania already, giving a talk there. What else do we do? We are just having fun breaking stuff; especially, we love to play with applications, so my company is actually specialized in application security. A little bit more about Slovenia for those who are not so familiar with it: can you guess which kind of city Wikipedia is talking about here? No, it's a US city, about 30th in the US; actually it's about Las Vegas. Why did I take this? Because the metro area of Las Vegas has about as many people as are actually living in Slovenia, about 2 million people. And we are so small that on a flight they don't even put our capital city, or even Slovenia, on the map: you have Croatia, you have Austria, Hungary, and there's Slovenia. We are that small. Who has been to yesterday's talk about malware? That guy had a lot of cute puppies. We won't have cute puppies, but we will have some nice pictures of Slovenia instead, so you will get a little bit familiar with it, and maybe next time when you're in Europe or the vicinity you might be visiting Slovenia.

Okay, let's see a little bit more about famous Slovenian guys. Does somebody remember binary planting? It was hyped a couple of years ago, also around the US and at conferences; actually a company called ACROS from Slovenia made a fuss about it and they exploited it. So this is one part. And we don't only have good guys, we also have bad guys. This one looks almost like Edward Snowden, kind of, but does somebody know who he actually is? No idea? Well, actually he's quite famous also in the United States, because the FBI was after him. He wrote the software around the Mariposa botnet. Has somebody heard about the Mariposa botnet? It was in 2009, 2010. Only two countries in the world were not infected with the Mariposa botnet; any guesses which two countries in the world? No? North Korea and South Sahara, because normally they don't have internet, officially at least. He was sentenced this year, at the beginning of this year, to four years. I was actually going to his trial because I was really interested; the trial was going on in my city. And in America the FBI is still after him. So in Slovenia he was sentenced to four years; what do you think, how many years would he get in the United States? Around 60? Yeah, a lot. So we have quite famous people in Slovenia also.

Okay, so a little bit of agenda; I'm going to just skip through it shortly: where are we today in mobile applications, especially Android; a short 101 on APK analysis, going through static and dynamic; and then Danijel is going to describe a little bit more about the tool that we brought; and of course we're going to have three live demos. Who likes demos? Okay, great, because I have been missing demos at BSides, you know. Did you also miss them? Because I haven't seen so many demos; everybody was talking about it but nobody was showing it. So we're going to show it; I hope everything is going to be working.

Okay, so where are we today? Actually, the basic word is complexity, also with Android, especially if you go around the components that are in the Android ecosystem: there's a lot of stuff, a lot of code, and a lot of stuff to play with and

exploit. Also, I don't know if you trust the HP Fortify team, but they say that, from their research, nine of ten mobile apps are vulnerable to something, you can exploit them. And especially in this report you have other data too: that 86% of mobile apps lack sufficient security measures, 80% were having problems with using SSL encryption, and a lot of stuff like that. And Kaspersky also says, okay, if you trust Kaspersky, that 98% of mobile threats target Android. Before the talk I was just walking around and I was really happy to see that users with iPhones were coming to the talk about Android security, so it's interesting.

And there are also some other things: there's a big need for testing mobile applications. Last year we were getting quite a few requests for mobile apps to do penetration testing, not just banking or finance applications but also other, let's say, very popular mobile applications from Slovenia. And if you go through the source code, if you try to reverse some kind of source code, then you see that the development of mobile apps is like development in the late 90s. This is based also on our experience: we analyzed a lot of mobile applications, we have also been working with students from the faculty on some kind of joint projects regarding mobile security, and we have seen a lot of interesting stuff in there. So why is this actually happening? Three things: the manager, because the manager is focused on the due dates; developers are not focused on security but rather on features; and the last part, the users actually don't care about security. So nothing new here. This is also one nice view of the Slovenian capital city, so if you come, Ljubljana is a must.

Okay, as a penetration tester or security analyst, you're a man on a mission now: you have to pentest a mobile application, you have to do security analysis, you have to do code review and other stuff. So sometimes it really feels like you need to see, and not only see but also feel, the invisible: what's actually hidden in the application, and try to get it out of it. Once I found a very good, let's say, definition of what penetration testers or security analysts or security guys or even hackers are doing: actually we, or I, or we together as a community, have been doing the same things as other people, nothing new, but normally we are looking at them just in a different way. Does anybody want to guess who actually said that? Any guesses? He already passed away, but the original author of this was Albert Einstein. So looking outside of the box is definitely the right way for hackers and for penetration testers.

Okay, next thing: if you're in a mobile pentest, security-wise, what do you check? There are several things to check. First, definitely transport security: if the data is transmitted in plain text, if there is some kind of validation of SSL certificates. UI WebViews: there are problems; last year there was a problem with UI WebViews because you could do remote code execution. We have seen a lot of things regarding insecure data storage, so usernames, passwords, tokens in SQLite databases or in files. A lot of applications are logging, and they are not just logging the necessary data but also usernames and passwords and other interesting things. And of course there's binary analysis, so you need to disassemble and decompile the application, and then obfuscation is something there. How many of you have taken apart an APK already? Is it hard? No? Okay, but we're going to see how it's actually done. Okay, this next one: Slovenia also has sea; we only have 30 kilometres of coast, but we have some

beautiful cities, so it's also a good place to visit. Okay, for those that have not taken apart an APK already, we prepared just a couple of slides so you see how you actually do it, so when you come home you can do it on your own. We're going to see what an APK is, how you get it, how you decompile and analyze it, and how to test it. So actually it's an Android application package file. Anybody knows what an APK actually is, exactly? Actually it's a zip file, so you just rename the APK to zip and you can look at it, unzip it. Actually this is written exclusively in Java, with native libraries, so you can use native libraries if you need speed or other low-level functions, and it's composed of different components like activities, services, broadcast receivers, etc. So if you're a developer, this is kind of the process: putting it together with the resource files and assets and source code, and at the end you have an unsigned, or if you sign it, even a signed APK, and you publish it to the store. So how to get an APK? The simplest way is just to copy it from the phone; if you don't know how to do it, just go to YouTube, several videos are there. You can copy it from the backup if you're doing a backup, you could use the Android Debug Bridge to pull it off, or you just go to one site which will download it for you, so you just put in a name and you get the APK. Or you can download it from an untrusted source; I know what that means, maybe some malware inside or something, but you can do it also. So the next step is to decompile it. It's really, really simple: just unzip it and pull out classes.dex, run dex2jar on it (or even directly on the APK), and then with JD-GUI you just open this jar and you get the whole Java source of the application. These are also the tools that are used. Who is using the Kali Linux penetration testing distribution? All the tools are already there, so you don't need to install anything. Or you can use that URL address; it will do everything for you, you just upload the APK, it will decompile it, and you can save it to your own hard drive. Okay, since only a couple of hands were up, I will pass now to Danijel; he will show you how to just decompile it and get the source code from one APK.

Okay, can you hear me? I will just show you how simple it is to get the source code of an Android application, just to warm myself up, because more serious stuff will come. So I'm just moving the application into a zip file, and then I'm unzipping it. Then I'm calling dex2jar to get the Java bytecode out of the Dalvik bytecode. It takes some time. And now I will run JD-GUI. How many of you know JD-GUI? Sorry, I forgot which directory I am in. Okay, and here you can see the source code. But as you can see, the source code has pretty... just leave it for a second here. You see, their developers were quite good, because their classes are named a, aa, bc, a, a. Oh, cool. Okay, what do you think they did before publishing the application? Yeah, obfuscation, replacing the names of the classes and the methods. So our job is going to be a little bit harder, but not that hard. Okay, we also have some other cities at the sea, but that's it.

Okay, the next thing is testing the application. Now what's the next step? The next step:

start the simulator with a proxy. Why with the proxy? Because we want to see what the application is actually sending to the server, what it is communicating. Install the application in the emulator or on a device; normally we are using a device, because the emulator is sometimes really slow. And use Wireshark, Fiddler, ZAP, Burp, whatever you like. Who's using Burp? Who's using ZAP? Nobody's using ZAP, okay. You run the application, see the log, dump crashes and files and other stuff, and when you do the analysis of what you sent over the network you see the interesting stuff. Especially here, you know, the response is back from the server to the application; I guess you can decrypt at first sight what's actually written there. So that's why we are also playing with binary dynamic analysis: because these kinds of values that are sent from the server to the application are set into some kind of variables in the application, so you're going to see later on why it's much easier to interact with the application the way that we did than decrypting and seeing the stuff here. If you want to play, there are other tools like Dexter from Dexlabs; it's a thing in beta, so you can see all the stuff that's actually done here: the classes, decompilation, what's actually sent over the internet. Then you also have one online analyzing tool, from a guy I think is from Turkey; you just upload the APK and it does everything for you. He's the guy that actually crashed Google Play when he was playing with some exploits, and I think Google Play was unavailable for several hours, just from uploading one APK to Google Play, and the system went down.

Okay, and the next step is static analysis. So if you want to do static analysis you need to know how to read Java code, or at least a little bit how to program. How many people here know how to read or program in Java? Okay, some of them, great. What's the problem also with static analysis? You don't see any runtime replies: you just see the code, nothing of what's coming from the server, and it's obfuscated, it's renamed, and sometimes if the code is really huge there is a problem identifying the important segments in the code, so decryption, where it's sending to the server, how it's done with the logging, and things like that. Okay, after we dived into static analysis we wrote a tool; it's basically a bash script that uses other tools and it's used for decompiling the Android application and searching for patterns in source code. So for example, if you identify a Java source that is vulnerable, you can place all the Android applications into one directory, just run this tool, put some regular expression into it, and it will show something similar to this. Here you can see that we searched for http, https and protocols like that, so basically what the application uses to connect to the server, and it gives you a brief description of the source code and where this source is located. So when you're doing static analysis you might be feeling lucky; especially in Las Vegas, feeling lucky is very important, because sometimes you find in the source code things like that: just some server name, api/save.php, t and u. What if there is a game? Who wants to guess what t and u actually are? This is an excerpt from the source code; with this call you publish your score to the server, so t is the number of points and u is the username. So doing static analysis you just see that kind of code, just put it in a browser, just enter the score, and you're at the top of the score list. And sometimes, if you're not lucky, you get this kind of stuff, because all the tools for decompilation don't decompile it totally to Java code, so you get intermediate code, and sometimes it's really hard just looking at the source code.

So with dynamic analysis, what we are looking into is actually monitoring and changing traffic with a proxy (I have already shown something before with Burp), or you can use debugging, and there's another method: you can use reflection. So what's reflection, actually? Reflection is a language's ability to inspect and dynamically call classes, methods and attributes at runtime. So Java is perfect for this with the use of reflection, and that's the principle that we have been using in our tool, and it works just perfectly. And we use another component; it's called BeanShell. Who knows what BeanShell is? Anybody used it already? It's a really nice Java library, actually a Java interpreter, so a scripting language; it's really small, you can include it in your project, and it already has all the methods for reflection. And since we are kind of lazy sometimes and we didn't want to write and reinvent history again and again, we just used BeanShell, and it's really a strong and powerful tool. So why should we go with reflection and not debugging? Because with reflection you have a higher-level view: you have classes, methods, and you have a better idea how the application works, especially if you have the source code. So if you do the decompilation you get the source code, you see all the classes even if they have strange names like a, a, a, abc, and you get access to all objects, methods and variables, and you get real interaction with the application at real runtime. So these are all the features that we got: we can access all the variables, even if they are declared private and shouldn't be accessed from other classes; we can change them; we can call methods, so if you have an encrypted string you just call the method decrypt and you get the decrypted string; and with BeanShell you can also use your own variables in scripts and actually write Java code. So you're going to see, we're going to show how with four, five, six lines of code you can make a very good ultimate cheating machine.

So what else do we see when analyzing with dynamic and static analysis? There are authentication PINs in the system logs and the builds, credentials cached, SQLite databases with usernames and passwords. When we analyzed APKs there are also internal

IPs, so you get the internal IPs of banks and other financial institutions, and sometimes you can even get hardcoded usernames and passwords, especially for HTTP-protected areas; a lot of applications have this kind of thing inside. Okay, we also have rivers, really nice rivers, so if you want to come to Slovenia that's definitely the place to be. Okay, Danijel is going to dig a little bit deeper and explain what we actually did, and then show some demos to give you a feeling of what's actually there.

So after digging deeper we came up with a tool; it's called Vaccine. What Vaccine actually does: it takes the Android application, injects a service into it, and then connects through the service to the application. After it's connected it lives inside the application, so you can access all the variables, private and public; you can execute Java source code or BeanShell scripts or something else. Here we can see the environment in which Vaccine functions. On the left side you can see the Android application, and on the right side Vaccine, which consists mainly of three parts: a user interface, a bash script (its controller), and a component that is called manifest changer. What the bash script actually does is: it takes the application, it unzips it, it uses a tool that's called smali. Does anybody know smali? Okay, for those that don't know, smali is an assembly language for Dalvik bytecode. Then we are adding our own code into the smali, repackaging it again into the classic classes.dex file, changing the manifest, and including, or let's say replacing, this manifest and classes.dex in the original APK, and after that we are removing the signature, signing the application, installing it, connecting, and so on. So what is possible with Vaccine is examining objects and fields, executing methods of objects, and other stuff; I will show you that. Here's the user interface of Vaccine: in the upper left part you can see the hierarchy of objects; these objects are used at runtime by the application. Below you can see the scripting part; here you can write scripts or regular Java source code. And there's another view on the right side. Yeah, I just want to show you, you know, the tool is really complicated, as the normal hacking tools are: it's made of three parts, and with those three parts you could actually do a lot of interesting stuff. Actually you do coding, you write your own code here, and when you call execute it's actually executing in the runtime environment of the application. So the best way is to show the demo, and I think the best way is to try with a live application. So we're going to play

a little bit of games, you know; since we are in Vegas it's definitely a good place to play games. Okay, I will now start Vaccine. Okay, it's started; let's start the game. So what you see here is actually this device here. So we are bringing up... it's not working. Okay, so you see it's actually the same display as on the phone. So if we want to... Can I play? No, just a second. I will show you that I am on the application: I will show a message. So actually we can interact with the application that's running on the phone and copy it just to Vaccine, so you can see it's actually running there. It's a knock-knock. So we can now interact with or change all these variables or classes that are actually running in this application. Can I play now? Yes, okay, let's play the game.

Okay, play now. Okay, it's the same game, you know; you need to have... I don't know. Okay, it's already ended, because we have to wait for another round, but we can already print some words. See here, there are words that you actually need to find in the game. So let's wait for just a second. Okay, here are the round results. Okay, not connected. Okay, get started, let's try another round, play now. Crash. Okay, just wait a second; yeah, we have problems with Wi-Fi. We try to play it. Who knows the English word "jet"? Okay, let's try with jet. Okay, I found "jet". "Hot" is also there. But actually you can see I already printed the correct results out. So if you do the static analysis and you have... "hesitate", "hesitate", "hesitate", okay, okay. I found the top word now. So actually you have access to all the words, and if you remember that Burp screenshot that I showed, these words are transferred over HTTP to the application but they are encrypted, so you cannot see what kind of words are actually transferred; but with this kind of method you can access the unencrypted words stored in a hash table in the application. Okay, we need to wait for another round, and after that I will drop the answers into the user interface, so just wait a second. So we found a way: this kind of application is actually obfuscated, so there are classes with changed names, but, I don't know, for some reason they didn't change the name of the method, like dumpAnswers. So this method, Danijel is going to call it now; you can dump... All right, I have the... it's not okay; let's reconnect. Okay, if he now calls this kind of method, you see, "ownership", I got all the words already there, and actually it's... "ownership". And you can actually win every time in this kind of game. But I have also written a script that will play this game alone, so it will fill out all the answers and then set the user to "BSides Las Vegas" and hopefully win the game. So you see: one, two, three, four, five, six, seven, eight, nine. But we can actually put this together in six lines of code, so with six lines of code it's actually winning the game all the time. Why did we choose this game? Because my wife really likes to play it, and that's why we were playing with that game. Especially, it was really nice because last year we did it in Romania, so we have been playing with that kind of game in the Romanian language, so we were winning every time and we didn't know what we were actually inserting, because there were Romanian words; and this year in Paris we played the same game with French words and we were also winning with the French words. So now you can see BSides as the top score at this time; I hope they don't see it. So let's move on, because we really want to... we are saving one last demo as the last one and it would be too bad if we don't get to the last demo. Oh, we forgot the disclaimer: everything that we are showing is just for educational purposes, but anyway, since we are in Vegas, what happens in Vegas stays in Vegas, at least that's what they say, so you're going to keep the secrets. Which game did we go... Okay, we also have some castles, really nice castles, and a really nice cave behind that castle in Postojna, so you can come and visit. And there's, let's say, a next episode: because up to now we have been changing the APK, but Danijel is

going to explain that after 30C3 from December last year we found a new method, so we don't need to change APKs anymore, but Danijel is going to tell a little bit more. So we saw a talk; it was about dynamic Dalvik instrumentation. What this stuff does: this guy, Collin Mulliner, built a framework that can be used to hook Java methods, any Java method that the application uses, and the underlying Android framework. So we scratched our heads: how can we use this? And after some help from Collin we came up with a solution to inject our service and use Vaccine without touching the application, so everything is done at runtime. But you need to do some stuff and use the framework: with the hijack program we are hijacking the zygote process. How many of you know zygote? Zygote is a process; it's like mother nature: every application is forked from this process. And after using hijack we inject our library and we hook the Android app activity onStart method, so everything is in place and we can use Vaccine. So I will show you how to do this on the Google Play Store.

So here you can see I'm on the phone and I have already placed all the necessary things, and I will run the hijack program. But first we need to know the PID of the zygote process; it's 40. So I am actually waiting for the application to start, so let's run the application. So actually now on the phone the application has already started; you see the Google Play Store is actually starting up. It takes a little bit longer because it's now loading our classes at runtime and injecting them into the virtual machine, so all of Vaccine and all the classes from BeanShell and other stuff is already there. So we didn't touch any APKs anymore, and we are actually hooking the onStart method and running it there. We also need to forward the port that the service is listening on, then start it, and then we get the same Java GUI and you can now interact with Google Play and all the classes that are actually there. So just to prove to you that I am in the application, I will print the user ID. Just while Danijel is searching for the code with Vaccine: here you have all the methods and all the variables, and if they change they're changing their color to red, so you can easily spot what actually changed at runtime since the last update. And here you can set the watches: you can set the variables that you want to watch, to see which variables are changing. Now here you can see the output, and it's called com.android.vending; this is the package of the Play

Store. Okay, what are the changes between the two methods that we have been researching? With the APK, there is no need for you to have a rooted phone: you just change the APK and upload it with ADB (ADB needs to be enabled, of course, and untrusted sources, so you can install it on your device), but no root. And you have to download, modify and upload. But with Vaccine going into Android, so hijacking and injecting the libraries, you need to have a rooted phone, but there's no need for modification of the APK, because somehow with the APKs, you know, they are checking if some kind of modification has been done on the APK; but we found only a few packages that are actually looking for that kind of thing. Okay, there's another beauty in Slovenia, so definitely worth seeing.

Okay, there are definitely some challenges ahead of us. What can you do with this kind of tool? Actually it's not only for Android; you can use it... we actually had one project this year, we actually tested it with Oracle Forms. Who knows what Oracle Forms are? Is somebody still using Oracle Forms? Sadly, yes. I thought they were dead until the client contacted us, yeah. And we actually injected this into Oracle Forms, so into a process, with a little bit of modifying of the Burp requests: when the form was downloading we actually injected our code before Oracle Forms started, and then we happily lived in Oracle Forms. So the reflection is still not that... because there are some other projects like JavaSnoop; you could actually attach to the Java process and do the same, but we tried with JavaSnoop and it was not working with the latest version of Java, and we tried to contact the authors and we didn't get any reply. And definitely we have ideas to use it with other Java applets, Minecraft maybe, or some other ERP systems that use Java; that would definitely be the perfect way to use it. For changing and injecting into Oracle Forms, how much time did we spend? About 5 hours to change everything, and we were running with the GUI and inspecting all the elements. So there are also other kinds of possibilities, because with this kind of thing you don't need to package and then repackage; you can just write it and compile it at runtime. So you can get the phone instance, you can send class 0 SMSs, also other things, or you can even create ultimate cheating platforms. So, final thoughts before we wrap up: it's just one small script, a small tool; it's never going to be finished. Now it can help testers, researchers or even hackers, cheaters, and we are open for suggestions and improvement comments. We're going to be publishing it on our GitHub, so it's going to be freely available; just download it, run it, give us feedback, we will be really thankful for it. And some other tips, you know: if you're doing Android development you have to know your platform; this means read more than one book, different than iOS, enjoy it in 10 minutes, and especially experience and mileage help a lot, experience from different kinds of fields, especially development of Java applications. Okay, but since we are in

Vegas we cannot go at the end without any demo. What do you think? I was thinking a little bit more like online blackjack; good enough? Okay, let's try one game and you're going to see how easy it is now. That's the code that Danijel is actually copying now to help playing blackjack. What would help playing blackjack? Would it help if you see the next card that is coming? Would that be good? If you see the next four cards, would it help? Let's see if we can try to make it. Okay, I will be playing the blackjack; I'm not really a good gambler. Just two seconds. Okay, there you see. Actually we took one game from the app store; it's quite popular, it has several million downloads. So let's try to play the game. Are you ready? Just a second please. Let's play the game. You see, we can show a little bit of code, what the code is actually doing, for those that can read Java. So first of all we sniffed the traffic a little bit, so we saw the mapping from one set of resources to the other, so actually these are the cards. So we could write normal cards, but we extended it, so actually we're going to see the cards from the resources, so images. And this is the code that's actually showing the games and all the stuff it's doing; it's not that much. All of the code was encrypted and obfuscated; we still can use it. Are you ready? Yeah, okay, let's play. See, I started the game. Okay, it's starting; let's sit here on this left, buy into the game. Okay, I'm in the game, with two players and a bank; wait for another turn. So you will notice that when the hit button pops up it will show the next card the user will receive. Yeah, so let's deal the cards. Okay, so you see the next card is going to be the eight of spades, so if we... for 14, and 14 and 8 is 22, not so good. That's not... I was busted, so I lose 3300 dollars, points, whatever. Okay, let's try another one. Change, okay, 17. So let's see the next; now it's your turn, should we stand, double or hit? Stand. And you will see the bank will take this card. Yeah, so we will level up for the next level, and actually this kind of thing gets you the four next cards. We were trying to get them on the GUI, but it's kind of a problem because you cannot just write these kinds of images on the GUI; but with a log you see all four next cards, or you can count the cards, because every four times they are shifting, so you can do your own model, and you just play it. Okay, let's see the next four cards. Okay, then we're finished. Okay, a minute, great. Now the cards are output to the system output; see, the next four cards are the eight of diamonds, jack of clubs, ten of hearts and queen of spades. Okay, let's do another one to see if this is true. What should it... let's say hit. I have a blackjack, so it was the eight of spades, so it works. Actually we are living inside the application and we have full control of all the variables, and this is why this is interesting: because normally variables are not encrypted, they're just values, so you can change scores, you can do fuzzing with this at runtime, so there are a lot of crazy ideas you can get from this.

Okay, so we didn't have cute puppies, but at the end we can have a nice cat; actually it's my cat enjoying the sun, taken a couple of weeks ago. And yes, some questions? No questions? Okay, you can stop us, you can bug us, we will be here, we will be at DEF CON. So at the end, thank you very much. Oh, one question. It's going to be... I don't know, at the end of this week, so it's going to be there, a zip; you just call it... it's not malware, there's no malware inside, but you can decompile it and use it, so it's going to be free. So okay, thank you very much, I hope you enjoy it. [Applause]
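The mechanism the talk rests on, Java reflection reaching private fields and methods of a live object, as an added example that is neither the speakers' code nor the Vaccine tool: a hypothetical `ObfuscatedGame` class with a private answer table and a private `decrypt` method stands in for the obfuscated app, and the inspector reads and rewrites it with plain `java.lang.reflect` (no BeanShell). All names, the sample words and the Base64 "encryption" placeholder are constructed for illustration.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Hashtable;
import java.util.Map;

// Hypothetical stand-in for an obfuscated game class (not the talk's target app).
// Mirrors the talk's description: words arrive "encrypted" over HTTP, are decrypted
// in-app, and sit in plain text in a private hash table for the rest of the process lifetime.
class ObfuscatedGame {
    private final Hashtable<String, String> answers = new Hashtable<>();
    private int score = 0;

    ObfuscatedGame() {
        // Constructed sample data: round id -> Base64-wrapped word ("jet", "hot", "hesitate").
        String[][] encrypted = { {"r1", "amV0"}, {"r2", "aG90"}, {"r3", "aGVzaXRhdGU="} };
        for (String[] e : encrypted) {
            answers.put(e[0], decrypt(e[1]));
        }
    }

    // Placeholder for the app's decrypt routine: Base64 only, so the focus stays on reflection.
    // A real cipher changes nothing below: the private method is callable all the same.
    private String decrypt(String s) {
        return new String(Base64.getDecoder().decode(s), StandardCharsets.UTF_8);
    }
}

public class ReflectionDemo {
    // Read a private field by name, the way an in-process inspector does.
    // 'private' is an API boundary enforced by the compiler, not a security boundary at runtime.
    static Object readPrivateField(Object target, String name) throws ReflectiveOperationException {
        Field f = target.getClass().getDeclaredField(name);
        f.setAccessible(true);
        return f.get(target);
    }

    // Overwrite a private int field (the talk's "variables are just values, you can change scores").
    static void writePrivateInt(Object target, String name, int value) throws ReflectiveOperationException {
        Field f = target.getClass().getDeclaredField(name);
        f.setAccessible(true);
        f.setInt(target, value);
    }

    // Invoke a private method taking one String argument, e.g. the app's own decrypt routine.
    static Object callPrivate(Object target, String name, String arg) throws ReflectiveOperationException {
        Method m = target.getClass().getDeclaredMethod(name, String.class);
        m.setAccessible(true);
        return m.invoke(target, arg);
    }

    public static void main(String[] args) throws ReflectiveOperationException {
        ObfuscatedGame game = new ObfuscatedGame();

        // 1. Dump the private answer table: transport encryption did not protect these words
        //    once the app itself decrypted them into memory.
        @SuppressWarnings("unchecked")
        Map<String, String> table = (Map<String, String>) readPrivateField(game, "answers");
        table.forEach((round, word) -> System.out.println(round + " -> " + word));   // r2 -> hot, ...

        // 2. Reuse the app's private decrypt method on a captured value instead of reversing the cipher.
        System.out.println("decrypt(\"aG90\") = " + callPrivate(game, "decrypt", "aG90"));

        // 3. Rewrite private state: any client-held score or flag is untrusted input to the server.
        writePrivateInt(game, "score", 9999);
        System.out.println("score now " + readPrivateField(game, "score"));
    }
}
```

The defensive takeaway the talk hints at (only a few packages checked for APK modification) follows directly: neither obfuscated class names nor in-app decryption keeps secrets from code running inside the process, so server-side validation of scores and short-lived secrets are the controls that actually matter.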