Android Platform

Android Versions

  • Each APK declares a target API level (android:targetSdkVersion)
  • Uses SELinux
    • (4.X) Logged but not enforced
    • (5.0+) Enforced

API Level and Android Version Table:

Android Name          Android Version   API Version
Oreo                  8.1.0             API level 27
Oreo                  8.0.0             API level 26
Nougat                7.1               API level 25
Nougat                7.0               API level 24
Marshmallow           6.0               API level 23
Lollipop              5.1               API level 22
Lollipop              5.0               API level 21
KitKat                4.4W              API level 20
KitKat                4.4 - 4.4.4       API level 19
Jelly Bean            4.3               API level 18
Jelly Bean            4.2               API level 17
Jelly Bean            4.1               API level 16
Ice Cream Sandwich    4.0.3             API level 15
Ice Cream Sandwich    4.0               API level 14
Honeycomb             3.2               API level 13
Honeycomb             3.1               API level 12
Honeycomb             3.0               API level 11
Gingerbread           2.3.3             API level 10
Gingerbread           2.3               API level 9

ChangeLog

Android 4.2 (API level 16)
- Released in November 2012
- Introduction of SELinux

Android 4.3 (API level 18)
- Released in July 2013
- SELinux became enabled by default

Android 4.4 (API level 19)
- Released in October 2013
- Several new APIs and ART introduced

Android 5.0 (API level 21)
- Released in November 2014
- ART used by default and many other features added

Android 6.0 (API level 23)
- Released in October 2015
- Runtime permissions
- Switch to BoringSSL
- Removes access to Wi-Fi and Bluetooth MAC addresses for apps without the required permission
- DSA crypto has been deprecated
- Stricter APK validation when a file is missing

Android 7.0 (API level 24-25)
- Released in August 2016
- Changes the Linux file system permissions and no longer supports MODE_WORLD_READABLE and/or MODE_WORLD_WRITEABLE
- New JIT compiler in ART
- Certificates need to be installed in the system store to be trusted

Android 8.0 (API level 26-27)
- Released in August 2017
- Applies a Secure Computing (seccomp) filter to all apps
- WebViews run in an isolated process
- Random APK install folder
- Android ID is now per app
- Certificates need to have an expiration of less than 1 year

Android 9 (API level 28)
- Released in August 2018
- Uses a system dialog for fingerprint
- Cannot use the camera, microphone, accelerometers or gyroscopes from a backgrounded application
- Removes support for Android secure encrypted files (ASECs)
- Now uses the subjectAltName for certificate matching
- Removes application read access to /proc/net/xt_qtaguid
- Build.SERIAL is now set to UNKNOWN and the READ_PHONE_STATE permission is needed to get the serial
- isCleartextTrafficPermitted() now defaults to false
- Apps cannot share a WebView directory across multiple processes
- Per-app SELinux domains are present that prevent Unix world permissions

Android 10 (API level 29)
- Adds the Adiantum encryption mode
- Also includes face authentication
- External storage is scoped to the application
- MAC randomization by default
- Restricts app access to /proc/net
- Clipboard only works for the app with current focus
- Will not trust SHA-1 certificates

Android 11 (API level 30)
- Changes the memory allocator from jemalloc to Scudo
- Pre-initialized memory (userspace and kernel)
- Applications can't get a list of apps installed on the system
  - Can get a true|false for a specific app ID name
  - Can get all apps installed signed with a specific key
- Scoped Storage

Android 12 (API level 31)
- TODO
- Bluetooth permissions split into BLUETOOTH_SCAN, BLUETOOTH_ADVERTISE, and BLUETOOTH_CONNECT

Android Sandbox

User Isolation

Each application is given a unique Unix user ID (UID).

List of User IDs:

User                  UID      Description
AID_ROOT              0        traditional unix root user
AID_SYSTEM            1000     system server
AID_RADIO             1001     telephony subsystem, RIL
AID_BLUETOOTH         1002     bluetooth subsystem
...
AID_SHELL             2000     adb and debug shell user
AID_CACHE             2001     cache access
AID_DIAG              2002     access to diagnostic resources
AID_NET_BT_ADMIN      3001     bluetooth: create any socket
AID_NET_BT            3002     bluetooth: create sco, rfcomm or l2cap sockets
AID_INET              3003     can create AF_INET and AF_INET6 sockets
AID_NET_RAW           3004     can create raw INET sockets
...
AID_APP               10000    first app user
AID_ISOLATED_START    99000    start of uids for fully isolated sandboxed processes
AID_ISOLATED_END      99999    end of uids for fully isolated sandboxed processes
AID_USER              100000   offset for uid ranges for each user

User Permissions

World Readable and Writable:
With API 17+, MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE are deprecated, but applications compiled with android:targetSdkVersion < 17 may still be affected.

Crypto

  • Crypto changes depending on the API version.
  • Check that the app is using java.security
  • The unlockedDeviceRequired flag introduced in API 28 prevents keys in the AndroidKeyStore from being used (e.g. for decryption) while the device is locked

Tink

  • Use it to store Encrypted Shared Preferences

Keystore

  • Bouncy Castle Keystore (BKS): a software-backed keystore that should not be used. It uses an encrypted file.

  • Key not invalidated on new fingerprint enrollment:

  • Keystore accessible without screen unlock:

  • Keys stored in a hardware-backed store like a TEE or Secure Element

  • Keys can be used by the app

    • Request access to the key, which gets revoked after a period of time
    • Request an operation performed on a message by the trusted module

How Keystore should be done

Certificate Pinning

  1. Check if the app has certificate pinning
  2. Check if it is bypassable with Objection or a Frida script
  • Look for the classes TrustManager, HostnameVerifier, CertificatePinner
  • Look for the functions checkClientTrusted, checkServerTrusted, getAcceptedIssuers

Push Notifications

  • Called Firebase Cloud Messaging or Google Cloud Messaging (FCM/GCM)
  • Allows messages to be sent from an app server to a client device
  • Uses either HTTP or XMPP communication
    • HTTP usually uses port 5228 but can also use 5229 and 5230
    • XMPP uses port 5235 for prod and 5236 for testing

Library for E2E Push notifications

HTTP

XMPP

Firebase

Check Firebase settings by finding the https://<firebaseProjectName>.firebaseio.com/.json request

Firebase Vuln

Example of attacking a firebase database

Important Files/Folders

Text Messages (Needs Root):

/data/data/com.android.providers.telephony/databases/mmssms.db
/data/data/com.android.providers/telephony/databases/mmssms.db

Grab Contacts and Settings (does not need root):

adb shell content query --uri content://contacts/phones
adb shell content query --uri content://settings/secure
adb shell content query --uri content://settings/global

Contacts (Needs Root):

/data/data/com.android.providers.contacts/databases/contacts2.db
/data/data/com.android.providers.contacts/databases/contacts.db
/data/data/android.providers.contacts/databases

Accounts (Needs Root):

/data/system/users/0/accounts.db
/data/system/accounts.db

Wifi Keys (Needs Root):

/data/misc/wifi/wpa_supplicant.conf

Remove passcode lock (Needs Root):

adb shell rm /data/system/gesture.key
adb shell rm /data/system/password.key

List User IDs and app names:

cat /data/system/packages.list

Google Keychain:

/data/misc/keychain/

Keystore Information:

/data/misc/keystore/user_0/

Clipboard Information

By default, a malicious application can steal data from the clipboard while in the background.
Android Clipboard Monitor App
Newer Possible Android Clipboard Monitor App

Android 8:
TODO

Android 10:
Unless your app is the default input method editor (IME) or is the app that currently has focus, your app cannot access clipboard data on Android 10 or higher.
Source

Backup

Back up user data with Auto Backup

Making a Backup:

>>> adb backup com.kyriba.mobile.android
>>> ls backup.ab

Android Backup Extractor
Extracting a Backup:

>>> java -jar ~/Downloads/abe.jar unpack backup.ab backup.tar [password]
>>> tar xvf backup.tar

Keyboard Cache

Location: /data/data/com.google.android.inputmethod.latin/files

Grep for a known unique value:

bullhead:/data/data/com.google.android.inputmethod.latin/files # grep -R 'gdsteststring' /data/data/com.google.android.inputmethod.latin/files

Biometrics

New Biometric API Information

  • FingerprintManager has been deprecated and should not be used
    • It just returns a success, failure or error and can easily be bypassed
    • Can also use a symmetric key stored in the keystore to verify data. This key needs setUserAuthenticationRequired(true) to be set.
  • BiometricManager should use a CryptoObject when being created.
    • This is the best option for new apps
  • FingerprintManager should use a CryptoObject when being created.
    • setUserAuthenticationRequired(true) requires a fingerprint to access the key
    • setInvalidatedByBiometricEnrollment(boolean invalidateKey) removes the key when a new fingerprint is added
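Added example (not code from these notes) tying together the Keystore and Biometrics points above: an AndroidKeyStore AES key generated with setUserAuthenticationRequired(true), setInvalidatedByBiometricEnrollment(true) and, on API 28+, setUnlockedDeviceRequired(true), then exercised through a BiometricPrompt CryptoObject so that decryption only happens after the Keystore itself has seen the biometric. The class and alias names are assumptions, and androidx.biometric is assumed to be on the classpath.

```java
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricPrompt;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Assumed class and alias names for illustration.
public final class SealedKeys {
    private static final String ALIAS = "example_aes_key";
    private static final String KEYSTORE = "AndroidKeyStore";

    // AES-256/GCM key that never leaves the Keystore (TEE/StrongBox where the device
    // has one). It needs user authentication for every use, is destroyed when a new
    // biometric is enrolled, and on API 28+ cannot be used while the device is locked.
    public static SecretKey generateKey() throws Exception {
        KeyGenParameterSpec.Builder spec = new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            .setUserAuthenticationRequired(true)        // auth required for each use
            .setInvalidatedByBiometricEnrollment(true); // new fingerprint -> key gone
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            spec.setUnlockedDeviceRequired(true);       // no decryption on a locked device
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(spec.build());
        return kg.generateKey();
    }

    // Binds the decrypt operation to the prompt. The Cipher becomes usable only after
    // the Keystore has verified the biometric, so a hooked callback that merely reports
    // "success" still has nothing it can decrypt.
    public static void decryptWithBiometric(BiometricPrompt prompt,
            BiometricPrompt.PromptInfo info, byte[] iv) throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(ALIAS, null);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        prompt.authenticate(info, new BiometricPrompt.CryptoObject(cipher));
        // In onAuthenticationSucceeded: result.getCryptoObject().getCipher().doFinal(ct)
    }
}
```

generateKey() throws if the device has no secure lock screen or enrolled biometric, which is the expected failure mode for an auth-bound key rather than something to catch and fall back from.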

Attributes & Settings

Dalvik Executable (DEX) File

Application Data Storage

Unexported Application

Components

Application Logging

Application Data in Memory

Insufficient Cryptography

Anti-Reverse Engineering

Other Security Checks

Incorrect Python Interpreter

Check for user-supplied code that is passed to a PythonInterpreter