
Okay, great, thank you for that intro. So welcome to How to Review a Mobile Android App. Many of the things you will learn today can be applied to iOS, but due to time constraints we're going to stick with Android, and honestly most of the presentation will be at a high level, but we'll get a little bit deeper technically towards the end.

Okay, the obligatory about me. As mentioned before, I've been in IT for about 20 years, with most of the time in software development. I work at Floor, and Floor has given me some opportunities not only in software dev but also in management, project management, and security here for the past four years. And I review a new mobile app, probably one Android app every two or three weeks, and that's either for work or even on my own for fun. Yes, my life is that exciting.

So the goal for this presentation is: I want to give you the ability to review Android apps, not only for your family or your friends, but also give you the building blocks to review an app professionally. And you may be asking yourself, well, why does this guy care? And I care because before I got into security I was tricked by a malicious Android app. The little story behind this: the reason I got tricked was that I needed a file browser app while I was developing a multiplication app for my daughter. The slide you see now is the multiplication app I developed for my daughter, and the picture to the left, her little face, is the launcher icon, and of course the app had to be pink for her. So while I was writing this app, like I said before, I needed a file system browser. I grabbed the first one from the Play Store, ran it, and when I looked at the permissions I realized I'd just installed something bad. The app needed permissions to so many things. So I admit it, I was tricked.

So naturally I thought this could be a moment to help others, and this is when I turned my app, quote, evil. In the picture to the right you can see a submit button. When that button is clicked, the app secretly took a picture using the front-facing camera. I had some people at work, and also some people at home and some friends of mine, try it, and the reactions I got when people realized their picture had been taken without them knowing were interesting, some of them good, some of them bad. One person even said, "What the hell, man, I trusted you." So besides teaching my daughter multiplication, the app was built to show users what happens when you do not pay attention to app permissions, like I did.

So I was not the only one tricked into installing malicious apps; here are a few others. So hopefully no one watching this has any of these apps. Again, you can see some of these malicious apps have a million installs, some 5 million, and even 10 million. So again, the goal of the presentation is to not be tricked like I was. All right, let's look at the agenda real quick.

Hey James, can you zoom in on your PowerPoint deck? The text is a little small.

Okay, is that better?

No, it's actually the window on our side that's small.

Okay, I've got it full screen on my side. Yeah, I don't see a different way to do that.

Oh, actually, if you go up to View Options, I'll put this in the chat. You can go to View Options and you can see a little better. Continue on and I'll help in the chat. Sorry about that.

Okay, so we're good with this now? Yes? Okay.

So, looking at the agenda, real quick we're going to talk about three things: the risks of using mobile apps; how to review an app for, say, kids or family members, and that doesn't require any technical skills; and then a review for work, a more detailed review, and this part of the presentation will go from less technical to more technical. And the last thing: there's a link in the bottom right-hand corner of slide number five. There are 32 slides and the presentation is about 24 minutes.

Okay, so let's talk about the risks of using mobile apps. The risks here are pretty obvious. There's always the excitement of a new app, but there isn't typically much discussion around risk, and even less about how we mitigate these risks for family or for work. An important part here is to have a conversation. The risks for family members or kids, you can read this: location tracking, communication recording, audio, etc. And then the risks for business are all of those plus information theft or reputation damage, and that's what we want to be careful about. So for your family members or kids wanting to use an app, you can easily say, yes, you can use the app, but you've got to disable these permissions. And for work it can be, we need to use this newest app for our company, and we can do that, we just need to have certain mitigation strategies in place. Those conversations are pretty easy; you just have to have them.

All right, so now that we understand the risk and how to have a conversation about the risk, let's look at the second item on the agenda and go into a little bit more detail on how to review an app for kids or family members. So, completely at random, I selected an ice-cream app from the Google Play Store to look at the permissions. It's probably a perfectly fine app; I just wanted to take a closer look at it, and I did. I blurred the name out just so you wouldn't think I was either for or against it. I'm not either; it's just a completely random app that I picked. So when you're reviewing these, the first thing you want to look at is the content rating, and that one's pretty easy, and for this one it's Everyone, so no big deal there. The next thing you want to do is scroll to the bottom for permissions and view details. So let's look and see what permissions this app has requested.

Okay, so here are the permissions this ice-cream app has requested, and there are 17 requested permissions. So you obviously have to ask yourself, does this app really need these permissions? And again, if you look at these permissions, I have one highlighted, the device ID and call information. If you don't know what it is, just ask the interwebs. And here we've got the Batman meme to say, hmm, is this really needed? So the one permission that I highlighted is the device ID and call information permission, and that can be used to obtain the device IMEI, which could uniquely identify the device, which likely violates the Play developer program policies due to privacy concerns, because you can track the app. And some Android versions can revoke permissions, so some of these permissions being revoked could be part of our mitigating strategy in order to use the app.

And so while we're looking at permissions, let's look at some of the most abused permissions. All right, so we see here we have the permission on the left, in the middle it's what it's used for, and then how it is exploited. If you're reviewing an app and you see any of these permissions, it should give you a red flag, and it should be allowed only if it's really needed. The other important part is that you want to periodically review permissions, as permissions can change and some apps can actually download code later.

So to recap, reviewing an Android app for kids or families is really as simple as looking at the content rating and understanding the permissions. So this concludes the first two parts of the agenda.

Now let's look at how to review an app in more detail, something we might review for work, and we can do that in five easy steps, and here they are. So let's go ahead and jump into step one: let's crack open the APK. So what is an APK? It's an Android Package Kit, and it's really just a zip file. You can rename the file from .apk to .zip and then browse it like anything else. Now feel free to look around; you'd be surprised at what you could find. So this is step one.

For step two we're going to review the permissions, which will be very similar to how we reviewed the permissions earlier. All right, so step two requires the installation of Android Studio. Android Studio is free, it's easy to use, and it gives us a few tools to not only review an APK but, if you wanted to build an app, you could. So after you've installed Android Studio, you just point it to the APK. I've grabbed another random app and navigated to the Android manifest file, which defines our permissions. So again, we've gone to the manifest folder and we're going to open up the AndroidManifest.xml from within Android Studio. The Android manifest file is just a resource file that contains all the details needed by the Android system about the application. One of these permissions I want to highlight, which hopefully you can see, is the RECEIVE_BOOT_COMPLETED permission request. Well, what is that? Again we have our Batman meme to say, wait a second, does this really need it? And again, if you just ask the interwebs, you see the full permission is android.permission.RECEIVE_BOOT_COMPLETED, and it can be used to automatically start a service after a system reboot. Is that really needed? It could be, but that is definitely one that, if I saw it in a review, I would give another look.

All right, so we're already on step three, and that's to have a tool analyze the code. So again we go into Android Studio, we click File and then Profile or Debug APK, and then we click Analyze and then Inspect Code, and it will look at the APK and inspect the code for vulnerabilities. What you're going to want to do next is, if you can see the Security tab, you're going to want to look at that, give that a sanity check, and you definitely want to look up anything you don't know, and then share that report for risk awareness. So even if you copy and paste the generated report text into your own report, no one will ever know it's an Android Studio report, and you'll be the hero. The next slide will show us your boss's reaction to your report. There it is, the Michael Scott amazed face. So based on your report and the fact that you understand the risks the report has generated, you're practically guaranteed a promotion.

Okay, so let's look at another part of step three. Not only can we analyze the code, we can also run the app without actually having to run it on our device: we can run it within an emulator. Android Studio has a built-in emulator, and it's as simple as clicking the start button for the emulator and then dragging and dropping your APK onto it. Simple as that. Now again, it's not required to run the app, but it's a lot better to run the app on an emulator and not on your device. And then, for the advanced users, you can not only see the screens but you can watch the traffic. A lot of times these Android apps will call out to the Internet or a web service to get data and return data; in fact, I see that with, I daresay, 99% of the apps that I review. And again, you can watch that traffic with Fiddler or Wireshark, Burp Suite, etc. And if you're really advanced you can use the Android Debug Bridge, which is ADB, and that allows you to do a multitude of things. We won't get into that in this presentation, but it is there for those that want to try it. And again, if you want to run the app, this is what it looks like. Like I said before, it's not required to run the app to review it, but it helps with the review, and later we'll look at some of the decompiled Java code used to create this app and see if there's anything interesting hidden in the code. I just created this real quick just for B-Sides; it doesn't really do anything. All right, so time check here.
We're already at step four, and we've got about ten slides left. Step four is where we're going to determine the APK type. All right, so with the reviews that I've done at home and at work, there are primarily three types. There's the native type, which is written in Java and sometimes C++, but usually they're just Java. You then have an HTML5 app; an example of that is, say, Apache Cordova. And the third type is a cross-platform app, typically written in Xamarin. Determining the APK type will tell us how to continue the review, so it's sort of like one of those choose-your-own-destiny books. So again, here are the APK types, but how do we determine which is which and what we do next?

All right, we'll start with the native APK type, and I probably see more of these than anything. Again, as a first step, all we're going to do is rename that APK to .zip and browse. Most of the time these are written in Java, sometimes C++, but you can tell that this is a Java app because you look at the folder here and it says java and there's classes.dex, and that tells us that this is a native app. Here we've got some pros and cons for using a native app, and you can read those. It's typically fast. The cons are that it has multiple code bases, because you've got to have an Android app as well as an iOS app, and typically because you have the two code bases it will cost more to develop and can oftentimes take longer to build.

All right, so that's our first type. The next type is our HTML5 app. An HTML5 app is an app that just contains a WebView of a mobile website, that's it. You can easily review the contents of the zip, and sometimes there are some interesting things, I'll say again, quote, hidden in these files. We can tell this is an HTML5 app by again renaming that APK to .zip and browsing it; you can see that the app is written mostly in HTML and JavaScript. When you see an assets folder, look in that assets folder and just kind of look around, and you can see the HTML files there, and there will be JavaScript files. Again, there are pros and cons to using HTML5. There's a single code base, it's probably the least expensive and easiest to build, but some of the cons are that it's typically slower, sometimes has limited functionality, they are vulnerable to web-based attacks, and they can have insecure plugins.

Okay, so let's go to the final APK type, and that is a cross-platform app. A cross-platform app is built using a framework that creates both the Android and the iOS version of the application from one code base. We can tell this is cross-platform by again renaming the APK to .zip and browsing. If you see an assemblies folder, that's your dead giveaway that this is a cross-platform app, and nine times out of ten when you see cross-platform it's written in .NET using Xamarin. The assemblies folder contains all of the .NET class files, which are called assemblies, used to build that app. Then again there are pros and cons as well. A pro would be the single code base, and that single code base is for both iOS and Android; it's not as expensive to build, and it's got a full development environment including testing. And as you can read, some of the cons are that it requires C# and Visual Studio. Now for me that's a pro, but there are some people that do not like Visual Studio or C#. And again, this one can also have insecure plugins.

All right, so now that we've reviewed the three types of APK, let's look at step five, the last step, and for me the most exciting part of the presentation: let's look at some code. Again, determining the APK type is how we will know what utility to use to look at the decompiled source code. All right, so here in step five, "show me the code" means let's decompile each object and look at the source code. There are little hot peppers at the bottom; they represent the difficulty level from 1 to 5. If we start here at the native, Java-based app, you can use Bytecode Viewer or Android Studio to look at the decompiled code. Now there is a little bit of a warning with this one. It's one hot pepper of difficulty, one out of five, but one caveat here is you could see .so files, and those are shared object files, and they are written in C++, and that would give them 5 hot peppers to decompile, if not 10 or even 20, because those are extremely difficult to look at the source for. But again, 9 times out of 10 they're going to be written in Java, and it's pretty easy to look at the source.

Okay, the next one here in our middle block is HTML5, typically in Apache Cordova, and that requires Bytecode Viewer or Android Studio. Again, it's not required technically, but it is preferred; it just makes your life a lot easier. And again, this one is also one hot pepper, so the 1 out of 5 difficulty, pretty easy. And then our third block here is the cross-platform or Xamarin app. Now this one I gave two hot peppers for difficulty, just because you're going to need Bytecode Viewer or Android Studio and you're going to need a product called JustDecompile, and that will take the .NET assemblies and decompile them.

So for the final part of this, let's look at a little code. Okay, so here is an example of Bytecode Viewer and the decompiled Java code for a native app in Java. So maybe you can see something wrong with this code. If you look here, you have something that looks like an AWS username and password, and there are some developers that think that since the code is compiled you can hide things in here, and that obviously is not the case. So the next slide here is Xamarin .NET using JustDecompile, and typically what I will do is open up some of these .NET assemblies and click around and then search for "username" and search for "password", and that usually gets me a pretty good starting point to reviewing if anything's hidden in there.

So let's look real quick at some things I've found and things you could find in decompiled code. So I did see this message, it's pretty funny, you know, "please don't think about it, instead send your resume to XYZ", so I got a laugh out of that one. And then I've seen unauthenticated web services that return sensitive company information; the developer apparently felt that since it was compiled these were okay to put in there, but they were wide open and dangerous, and I was able to call and talk to the developer and get him to fix it. I've seen backdoor authentication creds; I've only seen one of those, but it does happen. Now I've got this one in red, the excessive permissions, because I see that almost every time, and with the excessive permissions, if it's a vendor, you can easily go back to them and say, hey, do you really need camera, contacts, whatever permission it may be, do you really need all this? And a lot of times they'll come back and say no, we really don't, or yes we do, and here's the reason why, which is great. And I've even gone to the Google Play Store with that and sent a message to the developer, a public message saying, you know, you've got all these permissions, are these really needed? And they've come back and said yes, and here's why. So you definitely can do that too. I've seen passwords in decompiled code, and secret web and API keys for Amazon Web Services, Azure, et cetera, and that's kind of where that example before came from.

Let's look at some examples, or actually just one example, of some malicious code.

Hey, so a question in the chat. Yeah, they wanted to know why viewing C++ code is more difficult based on the hot pepper scale.

Oh, well, the short answer is that C++ builds its projects differently than, say, Java. So Java files are interpreted, where C++ is not so much, and so the bytecode that's generated from Java, you can see that, but in C++ it's extremely difficult and you've got to use a disassembler and look at the assembly code that's disassembled. So the reason is that the method in which it's built in C++ is different from Java or C#.

Got it, thank you.

Okay, so again, this is an example of malicious code, and this does a multi-factor authentication bypass. If you can see the code there, it's got a bunch of weird characters and backslashes and encoding, and if you ever come across this, this is bad, bad, bad. There's absolutely no reason to do any of this, absolutely no reason. Okay.
So before we conclude, there are a couple of other things you can try if you're feeling advanced, and I'll warn you, this is a little bit of a geek alert. You can use Android Studio and browse the device files, and it's really easy: you just click open the APK, click browse files, and you can find keys, you can find databases, you can find XML config files, all with a wealth of information. One of the best spots to find information, if you use the file browser, is to go to /data/data/, whatever app you're looking at, and look for the SQLite database. These are just little tiny databases, and they contain an unbelievable amount of information, and most of the time they're not encrypted. So I look there first, for sure.

And then if we want to watch the traffic from an Android app, you can hook up the emulator to Burp Suite. Again, "watch the traffic" means let's just see what this mobile app is communicating with; nine times out of ten they're going to communicate with an external web server or web service. Now all we have to do is first set the PIN on the emulator, and then you're going to want to install the Burp cert on the emulator, and that does require a PIN, so don't forget to set it. Then you simply spin up on your desktop a one-liner from Python to spin up its little built-in web server, and you transfer the cert from your desktop to the emulator, and then the emulator installs it, and that enables us to decrypt the traffic going through. You then just set your emulator settings to localhost, which is 127.0.0.1, and 8080 is the port, and then you can capture the traffic. A lot of times what I'll do is watch that traffic come through and then replay it out of context, and that kind of gives you some insight into what the app is calling, you know, if it's encrypted, if it's not, and a lot of other details about that application. Again, this is kind of the more advanced part, but it's still not really that difficult to do.

All right, so in conclusion, we've taken a crash course on how to review a mobile Android app. We looked at the risks, both personal and business, and we made a point that you make sure you have that discussion, whether it's with your business or your kids or family. We looked at the permissions and age restrictions from the Google Play Store, and then we dug a little deeper and looked at the app type, the content of the APKs, and also the code.

All right, so here are some sources and tools that I use. Again, Android Studio and Bytecode Viewer are by far my favorites, and they just make it so easy. JustDecompile is another one, and then you have some other apps here, dex2jar and JD-GUI. These are a little bit more difficult and require extra steps, and I almost hesitate to put them in here, but they're such a staple in reviewing these things that most of the time when you look up how to review an Android app you're going to see those first, dex2jar and JD-GUI. Then we've got the OWASP, and some permissions definitions, and then the multi-factor authentication bypass is an app called Joker, and there's a link to that.

Okay, everyone, thank you so much for listening. If there are any questions I can answer them, or after this I'll hop on Discord. Just let me know, and thank you again.
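The talk's step one (open the APK as a zip), step two (read the permissions out of AndroidManifest.xml) and step four (tell native, HTML5 and Xamarin apps apart by folder layout) can be scripted. The block below is an added example written for this page, not code from the talk; the APK it triages is constructed in memory, and the watch-list of permissions to question is an assumption, not the speaker's table.

```python
import io
import re
import zipfile

# Assumed watch-list of permissions a reviewer should question (not the talk's table).
WATCH = {
    "android.permission.READ_PHONE_STATE": "device ID and call info (IMEI)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "auto-start a service after reboot",
    "android.permission.CAMERA": "take pictures without the user noticing",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.READ_CONTACTS": "harvest contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
}

def apk_type(names):
    """Classify by folder layout, checked in this order because Xamarin and Cordova
    APKs also carry a classes.dex: assemblies/*.dll => cross-platform (.NET),
    assets/www/*.html|js => HTML5 WebView, classes.dex => native Java."""
    lower = [n.lower() for n in names]
    if any(n.startswith("assemblies/") and n.endswith(".dll") for n in lower):
        return "cross-platform (.NET/Xamarin)"
    if any(n.startswith("assets/www/") and n.endswith((".html", ".js")) for n in lower):
        return "html5 (Cordova-style WebView)"
    if "classes.dex" in lower:
        return "native (Java/Dalvik)"
    return "unknown"

def manifest_permissions(data):
    """AndroidManifest.xml inside an APK is binary XML (Android Studio decodes it);
    its string pool is UTF-16LE or UTF-8, so recover printable runs in both
    encodings and pick out the android.permission.* names."""
    text = [m.group().decode("utf-16-le") for m in re.finditer(rb"(?:[\x20-\x7e]\x00){8,}", data)]
    text += [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{8,}", data)]
    return sorted(set(re.findall(r"android\.permission\.[A-Z0-9_]+", " ".join(text))))

def triage(apk_bytes):
    """Step 1: open the APK as a zip; step 2: pull permissions; step 4: app type."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        manifest = z.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
    perms = manifest_permissions(manifest)
    return {
        "type": apk_type(names),
        "native_libs": sorted(n for n in names if n.endswith(".so")),  # C++ => harder review
        "permissions": perms,
        "flagged": {p: WATCH[p] for p in perms if p in WATCH},
    }

def build_sample_apk():
    """Constructed sample (not a real app): native APK with one .so and a fake
    binary manifest whose string pool holds three permissions in UTF-16LE."""
    perms = ["android.permission.INTERNET", "android.permission.READ_PHONE_STATE",
             "android.permission.RECEIVE_BOOT_COMPLETED"]
    manifest = b"\x03\x00\x08\x00" + b"".join(
        len(p).to_bytes(2, "little") + p.encode("utf-16-le") + b"\x00\x00" for p in perms)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF")
        z.writestr("res/layout/main.xml", b"")
    return buf.getvalue()

if __name__ == "__main__":
    for key, value in triage(build_sample_apk()).items():
        print(f"{key}: {value}")
```

On a real APK, pass the file's bytes to triage(); the flagged entries are the ones to take back to the vendor or developer with the "do you really need this?" question.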
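The "geek alert" part of the talk points at the unencrypted SQLite databases under /data/data/ as the first place to look once a database file has been pulled from the emulator. The block below is an added example, not code from the talk: it enumerates every table in such a database and reports columns whose names suggest credentials and string values that look like tokens or cloud keys. The database is constructed in memory, and the column-name and value patterns are my own assumptions.

```python
import re
import sqlite3

# Assumed heuristics, not from the talk: column names that usually hold credentials,
# and value shapes (JWT, AWS access key id, long hex blob) worth a second look.
SECRET_COLS = re.compile(r"(pass|pwd|token|secret|api_?key|session|auth)", re.I)
SECRET_VALS = [
    ("jwt", re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")),
    ("aws_access_key_id", re.compile(r"^AKIA[0-9A-Z]{16}$")),
    ("long_hex", re.compile(r"^[0-9a-fA-F]{32,}$")),
]

def scan_db(conn):
    """Return (table, column, reason) findings for a SQLite connection.
    Table names come from sqlite_master, so quoting them is enough here."""
    findings = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for t in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{t}")')]
        for c in cols:
            if SECRET_COLS.search(c):
                findings.append((t, c, "suspicious column name"))
        for row in conn.execute(f'SELECT * FROM "{t}"'):
            for c, v in zip(cols, row):
                if isinstance(v, str):
                    for label, pat in SECRET_VALS:
                        if pat.match(v):
                            findings.append((t, c, f"value looks like {label}"))
    return findings

def build_sample_db():
    """Constructed sample database standing in for a file pulled from
    /data/data/<package>/databases/; the values are made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE prefs(key TEXT, value TEXT);
        CREATE TABLE users(id INTEGER, email TEXT, password TEXT, session_token TEXT);
        INSERT INTO prefs VALUES ('theme', 'pink'),
                                ('aws_key', 'AKIAEXAMPLEEXAMPLE01');
        INSERT INTO users VALUES (1, 'user@example.test', 'hunter2',
                                 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl');
    """)
    return conn

if __name__ == "__main__":
    for table, column, reason in scan_db(build_sample_db()):
        print(f"{table}.{column}: {reason}")
```

For a pulled file, replace the in-memory connection with sqlite3.connect(path); a database that yields findings like these is exactly the "unbelievable amount of information" the talk warns is usually stored unencrypted.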