How to: Testing Android Application Security, Part 1

The popularity of Android devices and applications makes them a target for malware and other threats. This post is the first in a short series on Android application security.

As with web applications, penetration (“pen”) testing is part of developing mobile applications. We will discuss in detail the process for performing security testing on Android applications.

Setting up the pen-testing environment

Android Studio is the official integrated development environment for Android. Here are the steps for setting it up.

  1. Download and install the latest Java Development Kit (JDK).
  2. Set the JAVA_HOME environment variable to the path of the JDK installation.
  3. Download and install Android Studio.
  4. Once it is installed, create an Android virtual device (AVD); this is the emulator the tests will run against.
  5. Browse to “Tools–>Android–>AVD Manager–>Create Virtual Device” and create a new virtual device as shown in the following screens.

[Image 20160523 Android App Security 1: Android virtual device settings.]

[Image 20160523 Android App Security 2: Further Android virtual device settings.]

Customize parameters such as RAM, AVD name, Android version, and internal storage to suit your requirements. (We used the Nexus 5 device type and Android Lollipop.)


Capturing traffic

Capturing traffic from the emulator requires the proxy tool to act as a “man in the middle,” which means the emulator must trust the proxy’s CA certificate. Follow these steps.

  1. Export the CA certificate from your proxy tool and save it as proxy.cer.
  2. Push the certificate onto the emulator using the command

adb push proxy.cer /sdcard/

  3. Browse to “Settings–>Security–>Install from SD card” and install the certificate on the emulator.
  4. Android requires a secure lock screen before it will store user credentials, so the virtual device will force you to set a PIN. Set the PIN.
  5. In the proxy tool, set the proxy listener to listen on the local interface (127.0.0.1) on any free port (for example, 8082).
  6. Start the emulator using the command

emulator -avd test -no-audio -http-proxy http://127.0.0.1:8082

  7. The traffic now passes through the proxy tool (Burp), as shown in the following screen. Because the certificate was installed through Settings it lives in the user CA store, which apps on Lollipop trust; apps targeting Android 7.0 and later do not trust user-added CAs by default, so for those this step alone will not decrypt their TLS traffic.

[Image 20160523 Android App Security 3: Traffic captured in the proxy tool.]
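The steps above, scripted as an added example that is not part of the original post, with the checks a tester usually wants: it works out whether the exported certificate is DER or PEM, computes the old-style OpenSSL subject hash that Android uses to name installed CA files, and after the manual install confirms the certificate actually landed in the user CA store (/data/misc/user/0/cacerts-added/). The AVD name “test”, the port 8082, the file name proxy.cer, the RUN_PROXY_SETUP switch and the function names are assumptions of this example; adb, emulator and openssl must be on PATH, and the proxy listener must already be up, because the script starts the emulator with the proxy configured from the outset.

```shell
#!/bin/sh
# Added example, not code from the original post: automates the certificate
# push and proxied emulator start, plus post-install verification.
# Assumptions: adb, emulator and openssl on PATH; AVD named "test"; proxy
# (e.g. Burp) listening on 127.0.0.1:8082; CA exported as proxy.cer (DER or PEM).
set -eu

# Tell DER from PEM by looking for the PEM armour. The emulator's
# "Install from SD card" accepts either, but openssl must be told which.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    else
        echo der
    fi
}

# Android names installed CA files after OpenSSL's old-style subject hash
# (<hash>.0). Computing it up front lets us confirm the install afterwards.
cert_hash() {
    openssl x509 -inform "$(cert_format "$1" | tr a-z A-Z)" -in "$1" \
        -subject_hash_old -noout
}

# The command line from the post, built from parameters so the AVD name,
# proxy host and port are not hard-coded in several places.
emulator_cmd() {
    printf 'emulator -avd %s -no-audio -http-proxy http://%s:%s' "$1" "$2" "$3"
}

# Push the certificate and print the hash-named path to expect once it has
# been installed through Settings -> Security -> Install from SD card.
push_cert() {
    adb push "$1" /sdcard/proxy.cer
    echo "expect after install: /data/misc/user/0/cacerts-added/$(cert_hash "$1").0"
}

# Confirm the CA landed in the user store; exits non-zero if it did not.
verify_installed() {
    adb shell ls "/data/misc/user/0/cacerts-added/$(cert_hash "$1").0"
}

# Only touch a real emulator when explicitly asked (RUN_PROXY_SETUP=1), so the
# helper functions above can be sourced and exercised without adb running.
if [ "${RUN_PROXY_SETUP:-0}" = 1 ]; then
    $(emulator_cmd test 127.0.0.1 8082) &
    adb wait-for-device
    push_cert proxy.cer
    echo "Install the certificate via Settings -> Security -> Install from SD card,"
    echo "set the PIN when prompted, then run: verify_installed proxy.cer"
fi
```

Run it with `RUN_PROXY_SETUP=1 sh proxy_setup.sh`; without the variable it only defines the helpers, which is what makes `verify_installed` usable on its own after the manual install step.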

Common workarounds

  • An emulator crash during boot is a known issue. To mitigate it, start the emulator with the “-no-audio” option.
  • If the traffic is not routing via the proxy, use localhost rather than the loopback IP address (127.0.0.1):

emulator -avd avdname -no-audio -http-proxy http://localhost:Portno

  • Often the virtual device loads momentarily and then crashes. In this case go to “Tools–>AVD Manager–>Select Device–>View Details,” open the emulator-user.ini file, and set the window position parameters to “window.x = 0” and “window.y = 0.”


The post How to: Testing Android Application Security, Part 1 appeared first on McAfee.

Beware of keystroke loggers disguised as USB phone chargers, FBI warns

[Image credit: FBI]

FBI officials are warning private industry partners to be on the lookout for highly stealthy keystroke loggers that surreptitiously sniff passwords and other input typed into wireless keyboards.

The FBI's Private Industry Notification is dated April 29, more than 15 months after whitehat hacker Samy Kamkar released KeySweeper, a proof-of-concept attack platform that covertly logged and decrypted keystrokes from many Microsoft-branded wireless keyboards and transmitted the data over cellular networks. To lower the chances that the sniffing device might be discovered by a target, Kamkar designed it to look almost identical to the USB phone chargers that are nearly ubiquitous in homes and offices.

"If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information," FBI officials wrote in last month's advisory. "Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen."
