Android Platform¶
Android Versions¶
- Each APK has a target API level (android:targetSdkVersion)
- API 24+ allows certificate pinning to be declared in the Network Security Configuration referenced from the Android Manifest.
- Uses SELinux
  - (4.X) Logged but not enforced
  - (5.0+) Enforced
API Level and Android Version Table:
Android Name | Android Version | API Version |
---|---|---|
S | 12 | API level 31 |
R | 11 | API level 30 |
Q | 10 | API level 29 |
Pie | 9 | API level 28 |
Oreo | 8.1.0 | API level 27 |
Oreo | 8.0.0 | API level 26 |
Nougat | 7.1 | API level 25 |
Nougat | 7.0 | API level 24 |
Marshmallow | 6.0 | API level 23 |
Lollipop | 5.1 | API level 22 |
Lollipop | 5.0 | API level 21 |
KitKat | 4.4W | API level 20 |
KitKat | 4.4 - 4.4.4 | API level 19 |
Jelly Bean | 4.3 | API level 18 |
Jelly Bean | 4.2 | API level 17 |
Jelly Bean | 4.1 | API level 16 |
Ice Cream Sandwich | 4.0.3 | API level 15 |
Ice Cream Sandwich | 4.0 | API level 14 |
Honeycomb | 3.2 | API level 13 |
Honeycomb | 3.1 | API level 12 |
Honeycomb | 3.0 | API level 11 |
Gingerbread | 2.3.3 | API level 10 |
Gingerbread | 2.3 | API level 9 |
ChangeLog¶
Android 4.2 (API level 17)
- Released in November 2012
- Introduction of SELinux
Android 4.3 (API level 18)
- Released in July 2013
- SELinux enabled by default
Android 4.4 (API level 19)
- Released in October 2013
- Several new APIs and ART introduced
Android 5.0 (API level 21)
- Released in November 2014
- ART used by default and many other features added
Android 6.0 (API level 23)
- Released in October 2015
- Runtime permissions
- Switch to BoringSSL
- Removes access to Wi-Fi and Bluetooth MAC addresses for apps without the required permission
- DSA crypto has been deprecated
- Stricter APK validation: an APK is rejected if a file it declares is missing
Android 7.0 (API level 24-25)
- Released in August 2016
- Changes the Linux file permissions model and no longer supports MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE
- New JIT compiler in ART
- User-added CA certificates are no longer trusted by default; certificates need to be installed in the system store
Android 8.0 (API level 26-27)
- Released in August 2017
- applies a Secure Computing (SECCOMP) filter to all apps.
- WebView renderer runs in an isolated process
- Random APK install folder
- Android ID is now per app
- Certificates need to have an expiration of less than 1 year
Android 9 (API level 28)
- Released in August 2018.
- Uses a system dialog for fingerprint authentication
- Cannot use the camera, microphone, accelerometers or gyroscopes from a backgrounded application
- Removes support for Android secure encrypted files (ASECs)
- Now uses the subjectAltName for certificate hostname matching
- Removes application read access to /proc/net/xt_qtaguid
- Build.SERIAL is now set to UNKNOWN; the serial can only be read with the READ_PHONE_STATE permission
- isCleartextTrafficPermitted() now returns false by default
- Apps cannot share a WebView data directory across multiple processes
- Per-app SELinux domains prevent sharing app data via Unix world permissions
Android 10 (API level 29)
- Adds the Adiantum encryption mode (for devices without AES hardware acceleration)
- Also includes Face authentication
- Uses external storage that is scoped to the application
- MAC randomization by default
- Restrict app access to /proc/net
- Clipboard only works on an app with current focus
- Will not trust SHA1 Certificates
Android 11 (API level 30)
- Change memory allocator from Jemalloc to Scudo
- Memory is initialized (zeroed) on allocation in both userspace and the kernel
- Applications can no longer get a list of apps installed on the system
  - Can get a true/false answer for a specific package name
  - Can get all installed apps signed with a specific key
- Scoped Storage
Android 12 (API level 31)
- TODO
- Bluetooth permissions split into BLUETOOTH_SCAN, BLUETOOTH_ADVERTISE, and BLUETOOTH_CONNECT
Android Sandbox¶
User Isolation¶
Each application is given a unique Linux user ID (UID).
List of User IDs:
UID | Description |
---|---|
0 | traditional unix root user |
1000 | system server |
1001 | telephony subsystem, RIL |
1002 | bluetooth subsystem |
2000 | adb and debug shell user |
2001 | cache access |
2002 | access to diagnostic resources |
3001 | bluetooth: create any socket |
3002 | bluetooth: create sco, rfcomm or l2cap sockets |
3003 | can create AF_INET and AF_INET6 sockets |
3004 | can create raw INET sockets ... |
10000 | first app user |
99000 | start of uids for fully isolated sandboxed processes |
99999 | end of uids for fully isolated sandboxed processes |
100000 | offset for uid ranges for each user |
User Permissions¶
World Readable and Writable:
With API 17+, MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE are deprecated, but applications compiled with android:targetSdkVersion < 17 may still be affected.
Crypto¶
- Crypto changes depending on the API version.
- Check that the app is using java.security
- The unlockedDeviceRequired flag (setUnlockedDeviceRequired, introduced in API 28) prevents keys in the AndroidKeyStore from being used, e.g. for decryption, while the device is locked
Tink¶
- Use it to store Encrypted Shared Preferences
Keystore¶
- Bouncy Castle Keystore (BKS): a software-backed keystore that uses an encrypted file; should not be used.
- Key not invalidated on new fingerprint enrollment:
- Keystore accessible without screen unlock:
- Keys stored in a hardware-backed store such as a TEE or Secure Element:
  - Keys can be used by the app
  - Request access to a key that is revoked after a period of time
  - Request an operation performed on a message by the trusted module
Certificate Pinning¶
- Check if the app has certificate pinning
- Check if it is bypassable by Objection or a Frida script
- Look for classes: TrustManager, HostnameVerifier, CertificatePinner
- Look for functions: checkClientTrusted, checkServerTrusted, getAcceptedIssuers
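An added example (not code from these notes) of the pattern the class/function grep above is meant to catch, next to the corrected form using OkHttp's CertificatePinner; the hostname api.example.com and the all-zero pin are placeholders that must be replaced with the real SPKI hashes.

```java
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

public final class PinningExample {
    // The pattern the grep flags: a TrustManager whose check methods never throw,
    // so any chain at all (including a forged one) is accepted. Do not ship this.
    static final class TrustAllManager implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    // Corrected form: pins are base64 SHA-256 hashes of the certificate's SubjectPublicKeyInfo.
    // Two pins (current + backup) so a key rotation does not lock the app out.
    static OkHttpClient pinnedClient() {
        // 32 zero bytes in base64: a placeholder so the builder accepts it, NOT a real pin
        String placeholderPin = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
        CertificatePinner pinner = new CertificatePinner.Builder()
            .add("api.example.com", placeholderPin)   // pin for the current key
            .add("api.example.com", placeholderPin)   // backup pin for the next key
            .build();
        return new OkHttpClient.Builder().certificatePinner(pinner).build();
    }
}
```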
Push Notifications¶
- Called Firebase Cloud Messaging or Google Cloud Messaging (FCM/GCM)
- Allows messages to be sent from an app server to a client device
- Uses either HTTP or XMPP communication
- HTTP usually uses port 5228 but can also use 5229 and 5230
- XMPP uses port 5235 for production and 5236 for testing.
Library for E2E Push notifications
HTTP¶
XMPP¶
Firebase¶
Check Firebase settings by requesting https://<firebaseProjectName>.firebaseio.com/.json
Example of attacking a firebase database: https://env.fail/posts/firewreck-1/
Important Files/Folders¶
Text Messages (Needs Root):
/data/data/com.android.providers.telephony/databases/mmssms.db
/data/data/com.android.providers/telephony/databases/mmssms.db
Grab Contacts and Settings (does not need root):
adb shell content query --uri content://contacts/phones
adb shell content query --uri content://settings/secure
adb shell content query --uri content://settings/global
Contacts (Needs Root):
/data/data/com.android.providers.contacts/databases/contacts2.db
/data/data/com.android.providers.contacts/databases/contacts.db
/data/data/android.providers.contacts/databases
Accounts (Needs Root):
/data/system/users/0/accounts.db
/data/system/accounts.db
Wifi Keys (Needs Root):
/data/misc/wifi/wpa_supplicant.conf
Remove passcode lock (Needs Root):
adb shell rm /data/system/gesture.key
adb shell rm /data/system/password.key
List UIDs and app names:
cat /data/system/packages.list
Google Keychain:
/data/misc/keychain/
Keystore Information:
/data/misc/keystore/user_0/
Clipboard Information¶
By default, a malicious application can steal clipboard data while running in the background.
Android Clipboard Monitor App
Newer Possible Android Clipboard Monitor App
Android 8:
TODO
Android 10:
Unless your app is the default input method editor (IME) or is the app that currently has focus, your app cannot access clipboard data on Android 10 or higher.
Source
Backup¶
https://developer.android.com/guide/topics/data/autobackup.html#Files
Making a Backup:
>>> adb backup com.kyriba.mobile.android
>>> ls
backup.ab
Android Backup Extractor
Extracting a Backup:
>>> java -jar ~/Downloads/abe.jar unpack backup.ab backup.tar [password]
>>> tar xvf backup.tar
Keyboard Cache¶
Location: /data/data/com.google.android.inputmethod.latin/files
Grep for a known unique value:
bullhead:/data/data/com.google.android.inputmethod.latin/files # grep -R 'gdsteststring' /data/data/com.google.android.inputmethod.latin/files
Biometrics¶
- FingerprintManager has been deprecated and should not be used
  - It just returns a success, failure or error and can easily be bypassed
  - Can also use a symmetric key stored in the keystore to verify data. This key needs setUserAuthenticationRequired(true) to be set.
- BiometricManager should use a CryptoObject when being created.
  - This is the best option for new apps
- FingerprintManager should use a CryptoObject when being created.
  - setUserAuthenticationRequired(true): requires a fingerprint to access the key
  - setInvalidatedByBiometricEnrollment(boolean invalidateKey): removes the key when a new fingerprint is added
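As an added example (not code from these notes), the key flags from the Crypto, Keystore and Biometrics sections combined in one AndroidKeyStore key that is only usable through BiometricPrompt's CryptoObject; the alias, the FragmentActivity and the Executor are placeholders, and androidx.biometric is assumed to be available.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricManager;
import androidx.biometric.BiometricPrompt;
import androidx.fragment.app.FragmentActivity;
import java.util.concurrent.Executor;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;

public final class BiometricKeyExample {
    private static final String ALIAS = "example_key"; // placeholder alias for this example

    // Generate an AES-GCM key in the AndroidKeyStore with the flags the checklist above asks for.
    static SecretKey generateKey() throws Exception {
        KeyGenerator gen = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        gen.init(new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setUserAuthenticationRequired(true)        // unusable without user authentication
            .setInvalidatedByBiometricEnrollment(true)  // API 24+: enrolling a new fingerprint kills the key
            .setUnlockedDeviceRequired(true)            // API 28+: unusable while the device is locked
            .build());
        return gen.generateKey();
    }
    // True when the key lives in a TEE / Secure Element rather than a software (BKS-style) keystore.
    static boolean isHardwareBacked(SecretKey key) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
        return ((KeyInfo) f.getKeySpec(key, KeyInfo.class)).isInsideSecureHardware();
    }
    // The Cipher is initialised before the prompt and passed as the CryptoObject: the key itself
    // gates the operation, so a forged "success" callback on its own encrypts nothing.
    static void encryptAfterBiometric(FragmentActivity activity, Executor executor, SecretKey key,
                                      byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        BiometricPrompt prompt = new BiometricPrompt(activity, executor,
            new BiometricPrompt.AuthenticationCallback() {
                @Override
                public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
                    try {   // persist the ciphertext together with cipher.getIV() (omitted here)
                        byte[] ciphertext = result.getCryptoObject().getCipher().doFinal(plaintext);
                    } catch (Exception e) { /* key refused the operation: treat as not authenticated */ }
                }
            });
        prompt.authenticate(new BiometricPrompt.PromptInfo.Builder()
            .setTitle("Confirm identity").setNegativeButtonText("Cancel")
            .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG).build(),
            new BiometricPrompt.CryptoObject(cipher));
    }
}
```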
Attributes & Settings¶
Dalvik Executable (DEX) File¶
Application Data Storage¶
Unexported Application¶
Components¶
Application Logging¶
Application Data in Memory¶
Insufficient Cryptography¶
Anti-Reverse Engineering¶
Other Security Checks¶
Incorrect Python Interpreter¶
Check for user-supplied code that is passed to the PythonInterpreter