Creating a kewl and simple Cheating Platform on Android

Presented at DeepSec 2014 „Do you want to know more?“, Unknown date/time (Unknown duration).

Number of mobile applications is rising and Android still holds large market share. As these numbers of applications grow, we need better tools to understand how applications work and to analyze them. There is always a question if we can trust mobile applications to do only that they are allowed to do and if they are really secure when transmitting our personal information to different servers. Sometimes when communication between mobile application and server is encrypted we have hard time to decrypt it to understand how things actually work. So we need to find new method or even tools to make our lives as security testers much easier and to achieve better results. In the presentation some runtime techniques will be discussed and a tool will be presented that offers two approaches to analyze Android applications. Basic principle of first approach is injecting small piece of code into APK and then connect to it and use Java Reflection to runtime modify value, call methods, instantiate classes and create own scripts to automate work. This method is possible with little knowledge and it even works on non-rooted Android devices. The second approach offers much the same functionality, but can be used without modifying an application. It uses Dynamic Dalvik Instrumentation to inject code at runtime so that modifying of APK's isn't necessary. In this case Android JNI is used to hook some methods and then to inject our code at runtime without modification of APK packages. And this method is new method based on some research in this area lately. Tool is Java based and simple to use, but offers quite few new possibilities for security engineers and pentesters and eases a process of analyzing mobile applications. It offers new possibilities to see, evaluate or even change internal variables an in this way opens news horizon of evaluating security of mobile applications. With help of this tool we can also create really simple cheating platform as a side effect and this will be demonstrated at the end.

Presenters:

  • Danijel Grah - Viris
    Milan Gabor is a Founder and CEO of Viris, Slovenian company specialized in information security. He is security professional, pen-tester and researcher. Milan is a distinguished and popular speaker on information security. He has previously been invited to speak at various events at different IT conferences in Slovenia and loves to talk to IT students at different Universities. He also does trainings regarding ethical hacking. He is always on a hunt for new and uncovered things and he really loves and enjoys his job.
  • Milan Gabor - Viris
    Milan Gabor is a Founder and CEO of Viris, Slovenian company specialized in information security. He is security professional, pen-tester and researcher. Milan is a distinguished and popular speaker on information security. He has previously been invited to speak at various events at different IT conferences in Slovenia and loves to talk to IT students at different Universities. He also does trainings regarding ethical hacking. He is always on a hunt for new and uncovered things and he really loves and enjoys his job.

Links:

Similar Presentations: