Remoting Android applications for fun & profit

Damien Cauquil, Pierre Jaury

Hack In Paris
June 20, 2013

Damien Cauquil, Pierre Jaury Remoting Android applications for fun & profit 1 / 30
Introduction

Damien Cauquil
  Company: Sysdream (head of research)
  Twitter: @virtualabs
  Blog: http://virtualabs.fr
Pierre Jaury
  Company: Sysdream
  Twitter: @kaiyou
  Blog: http://kaiyou.fr
Sysdream, IT security services
  Location: Paris, France
  Website: http://sysdream.com
Table Of Contents

1 Android remoting 101

2 Fino architecture

3 Exploring and reversing

4 DTMF Fuzzing

5 Fun & profit


1 Android remoting 101

  To debug or not to debug
  Remoting vs. Debugging
  Root?

To debug or not to debug

Some ways to debug applications:
Dalvik Debug Monitor Server (DDMS) combined with JDWP
Android logcat
Many drawbacks:
Very difficult to alter and monitor the target application state
Requires Android Debug Bridge (ADB)
Works at the bytecode level
Why debugging?
Debugging Android apps is very useful for developers . . .
But not convenient for reverse engineers (sic)!

Remoting vs. Debugging
App phone home

Debugging is so low-level and hardcore; why not get a higher-level view of an application and its components?
Many benefits:
Abstraction of the Android Dalvik VM bytecode
Better idea of how the application works
Java-like access to core components or to the application itself
Bypass OOP restrictions
Objectives:
Interact with the target application
Automate complex processes through scripting
Remoting vs. Debugging
First infection

How?
Through the injection of a service running inside the application context
Compatible with Android > 2.0
Remotely controlled over the service API
Limitations:
Cannot send your private information to the NSA
Can only interact with known and launched activities or services
Cannot interact with native applications

Root?
Where we go, we don't need root.

Rooting your Android phone . . .
May void its warranty
May alter the behavior of your phone
May be detected by an application
Remoting applications does not require:
Root access to the phone
USB debugging
Any special option set

2 Fino architecture

  Application components
  General overview

Application components
Components. . . so many components

Fino: hundreds of bytes of Dalvik bytecode
  Provides a minimal inspection API
  Listens for service connections
  Dynamic macro loading
Gadget: listens for network connections
  Forwards calls to the Fino service
Client: Python-driven Gadget client
  Handles modules and uploads macros

General overview

(Architecture diagram: figure only, no text content on this slide.)
3 Exploring and reversing

  Getting the original APK
  Injecting
  Installing

Getting the original APK
Some usual adb magic

Must have USB debugging and root access enabled:

adb shell su -c ls /data/app

Then some more adb magic: adb pull the APK.

Any other APK source is valid!

Injecting

(Injection diagram: figure only, no text content on this slide.)
Installing
Then have fun!

Some more adb magic!

adb install package.apk

Be careful with certificate inconsistency: the re-signed APK no longer carries the original signing certificate.
Run the Gadget server
4 DTMF Fuzzing

  IVR testing
  Android as an IVR testing platform
  Creating the system application
  Dial, send DTMF and record conversation
  Sign and install
  Let's fuzz!

IVR testing
What is DTMF fuzzing about?

Interactive Voice Response service
Provides a voice service to customers (e.g. an answering service)
Interaction is DTMF-based
Fuzzing DTMF tones
DTMF: Dual-Tone Multi-Frequency
Supported by a large number of phones
Fuzzing consists of sending a large number of randomly generated DTMF sequences

Android as an IVR testing platform
Reveal the power of the Droid

Usual IVR testing systems
Not affordable (Call Master, NuBot, . . . )
Require specific hardware
Android phones
Open-source
Cheap
May be tweaked to allow IVR testing

Android as an IVR testing platform
Simon says, make a phone call!

App: custom system application
  Provides an interface with the phone
  Fino service already injected
DTMFuzz: Python controller based on Gadget
  Drives the DTMF fuzzing application

Creating the system application

1 Root your Android phone
2 Patch ADT to allow access to com.android.internal.* [1]
3 Build an android.jar with Android internal classes
4 Hack into the Phone application through AndroidManifest.xml and reflection
5 Compile, sign and install

[1] http://virtualabs.fr/msi/android-core-hacking.pdf
Creating the system application
Knock knock, Neo.

Import some internals:

import com.android.internal.telephony.*;

Get a Phone instance with a line of Java:

Phone phone = PhoneFactory.getDefaultPhone();

Modify the AndroidManifest.xml to start the application inside the Phone application process:

<activity android:process="com.android.phone"/>
Dial, send DTMF and record conversation
PRISM ?

Use the Phone.dial() method to place the call.

To send DTMF, get a Call object and use sendDtmf() (it takes a single char):

Call call = phone.getForegroundCall();
call.getPhone().sendDtmf('1');

Dial, send DTMF and record conversation
PRISM ?

To record, Android provides android.media.MediaRecorder:

1 Set the audio source (VOICE_DOWNLINK)
2 Set the output format (THREE_GPP)
3 Set the audio encoder and the output file
4 Start recording (call start())
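The three slides above (import the internals, dial and send DTMF, record the downlink) put together as one helper class. This is an added example, not code from the slides or from the DTMFuzz application; the class name DtmfSession, its method names, the inter-digit gap parameter and the AMR_NB encoder choice are our assumptions. It compiles only against an android.jar that exposes com.android.internal.* (step 3 of the build procedure) and runs only inside the com.android.phone process as set in the manifest.

```java
// Added example, not from the original slides. Assumes the app is built
// against an android.jar with internal classes and runs in com.android.phone.
import android.media.MediaRecorder;
import com.android.internal.telephony.Call;
import com.android.internal.telephony.CallStateException;
import com.android.internal.telephony.Phone;
import com.android.internal.telephony.PhoneFactory;

import java.io.IOException;

public class DtmfSession {
    // Symbols the telephony stack accepts as DTMF digits.
    private static final String DTMF_ALPHABET = "0123456789*#ABCD";

    private final Phone phone = PhoneFactory.getDefaultPhone(); // slide: "a line of Java"
    private MediaRecorder recorder;

    /** Place the call (slide: "Use the Phone.dial() method"). */
    public void dial(String number) throws CallStateException {
        phone.dial(number);
    }

    /**
     * Send one DTMF sequence on the foreground call, one symbol at a time,
     * with a fixed gap so the remote IVR can separate consecutive tones.
     * The whole sequence is validated first, so a faulty generator cannot
     * hand a non-DTMF character to sendDtmf() half-way through a run.
     */
    public void sendSequence(String sequence, long gapMillis) throws InterruptedException {
        for (int i = 0; i < sequence.length(); i++) {
            if (DTMF_ALPHABET.indexOf(sequence.charAt(i)) < 0) {
                throw new IllegalArgumentException("not a DTMF symbol: " + sequence.charAt(i));
            }
        }
        Call call = phone.getForegroundCall();          // slide: getForegroundCall()
        for (int i = 0; i < sequence.length(); i++) {
            call.getPhone().sendDtmf(sequence.charAt(i)); // slide: sendDtmf(char)
            Thread.sleep(gapMillis);
        }
    }

    /** Steps 1-4 of the recording slide; needs android.permission.RECORD_AUDIO. */
    public void startRecording(String outputPath) throws IOException {
        recorder = new MediaRecorder();
        recorder.setAudioSource(MediaRecorder.AudioSource.VOICE_DOWNLINK); // 1: the IVR side of the call
        recorder.setOutputFormat(MediaRecorder.OutputFormat.THREE_GPP);    // 2
        recorder.setAudioEncoder(MediaRecorder.AudioEncoder.AMR_NB);       // 3: encoder choice is ours
        recorder.setOutputFile(outputPath);                                 // 3: output file
        recorder.prepare();
        recorder.start();                                                   // 4
    }

    /** Finish the recording so the Client can retrieve a complete 3GPP file. */
    public void stopRecording() {
        if (recorder != null) {
            recorder.stop();
            recorder.release();
            recorder = null;
        }
    }

    /** Tear down the call once the sequence has been sent and recorded. */
    public void hangup() throws CallStateException {
        Call call = phone.getForegroundCall();
        if (!call.isIdle()) {
            call.hangup();
        }
    }
}
```

A typical run from the Gadget-driven controller would be dial(), startRecording(), sendSequence(), stopRecording(), hangup(), in that order; recording is started before the tones go out so the IVR's reaction to every symbol ends up in the file that the Client pulls back.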

Sign and install
Like a boss.

Signing requires your custom ROM certificate: public and private keys.
Remount root and drop the APK into /system/app/:

# adb remount
# adb push DTMFuzz.apk /system/app/

Let's fuzz!
1*#098675#**0875#*747654765

Connect to the fuzzing system app
Remote control the system app
Retrieve the conversation record
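The IVR testing slide defines fuzzing as sending many randomly generated DTMF sequences, and the slide above shows one such sequence. Here is an added example of the generator side, not code from the slides or from the DTMFuzz controller: sequences are drawn from the 16-symbol DTMF alphabet with a seeded random source, so that any sequence which makes an IVR misbehave can be regenerated from the logged seed instead of being lost. The class and method names are ours; the keypad frequency table is the standard DTMF layout.

```java
// Added example, not from the original slides or the DTMFuzz project.
import java.util.ArrayList;
import java.util.List;
import java.util.Random;

public class DtmfSequenceGenerator {
    private static final char[] ALPHABET = "0123456789*#ABCD".toCharArray();
    // Standard DTMF keypad: row (low) and column (high) frequencies in Hz.
    private static final int[] LOW = {697, 770, 852, 941};
    private static final int[] HIGH = {1209, 1336, 1477, 1633};
    private static final String[] KEYPAD = {"123A", "456B", "789C", "*0#D"};

    private final long seed;
    private final Random random;

    /** Keep the seed: it is the only thing needed to replay a whole campaign. */
    public DtmfSequenceGenerator(long seed) {
        this.seed = seed;
        this.random = new Random(seed);
    }

    public long getSeed() {
        return seed;
    }

    /** One random sequence whose length lies in [minLen, maxLen]. */
    public String next(int minLen, int maxLen) {
        int len = minLen + random.nextInt(maxLen - minLen + 1);
        StringBuilder sb = new StringBuilder(len);
        for (int i = 0; i < len; i++) {
            sb.append(ALPHABET[random.nextInt(ALPHABET.length)]);
        }
        return sb.toString();
    }

    /** A batch of sequences in generation order, as sent in one campaign. */
    public List<String> batch(int count, int minLen, int maxLen) {
        List<String> out = new ArrayList<String>(count);
        for (int i = 0; i < count; i++) {
            out.add(next(minLen, maxLen));
        }
        return out;
    }

    /** The (low, high) tone pair of a symbol, or null if it is not a DTMF symbol. */
    public static int[] tones(char symbol) {
        for (int row = 0; row < KEYPAD.length; row++) {
            int col = KEYPAD[row].indexOf(symbol);
            if (col >= 0) {
                return new int[] {LOW[row], HIGH[col]};
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Pass the logged seed as the first argument to replay an earlier run.
        long seed = args.length > 0 ? Long.parseLong(args[0]) : System.currentTimeMillis();
        DtmfSequenceGenerator gen = new DtmfSequenceGenerator(seed);
        System.out.println("seed=" + gen.getSeed());
        for (String s : gen.batch(5, 1, 24)) {
            System.out.println(s);
        }
        int[] t = tones('#');
        System.out.println("'#' is " + t[0] + " Hz + " + t[1] + " Hz");
    }
}
```

Log the seed next to the recording retrieved for each campaign; a seed plus the batch parameters reproduces the exact sequences, which is what makes a misbehaving IVR response reportable rather than a one-off observation.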

5 Fun & profit

  Uploading macros
  Let's cheat!

Uploading macros

Compiled to dex, packed as an APK
Shipped over the network
Class loaded or replaced dynamically
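An added example of the dynamic class loading step described above; it is not Fino's own code. It writes a received APK to app-private storage and loads a named class from it through dalvik.system.DexClassLoader, a standard Android API. The Macro interface, the MacroLoader class and the directory names are assumptions.

```java
// Added example, not from the original slides or the Fino project.
import android.content.Context;
import dalvik.system.DexClassLoader;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;

public class MacroLoader {
    /** Assumed contract shared by the host and every uploaded macro. */
    public interface Macro {
        Object run(Object target);
    }

    private final Context context;

    public MacroLoader(Context context) {
        this.context = context;
    }

    /**
     * Store the APK bytes received over the network in app-private storage,
     * then load the named class from it. Every upload gets a fresh class
     * loader, so a later macro with the same class name replaces the earlier
     * one instead of being shadowed by the already-loaded definition.
     */
    public Macro load(byte[] apkBytes, String className)
            throws IOException, ClassNotFoundException, InstantiationException, IllegalAccessException {
        File dir = context.getDir("macros", Context.MODE_PRIVATE);
        File apk = new File(dir, "macro-" + System.nanoTime() + ".apk");
        OutputStream out = new FileOutputStream(apk);
        try {
            out.write(apkBytes);
        } finally {
            out.close();
        }
        // The optimized dex directory must be app-private as well: anything
        // writable by other apps would let them swap the code that gets run.
        File optDir = context.getDir("macros-opt", Context.MODE_PRIVATE);
        DexClassLoader loader = new DexClassLoader(
                apk.getAbsolutePath(), optDir.getAbsolutePath(), null,
                context.getClassLoader());
        Class<?> cls = loader.loadClass(className);
        // The parent loader resolves Macro to the host's copy, so the cast holds.
        return (Macro) cls.newInstance();
    }
}
```

Whatever is loaded this way runs with the full permissions of the host application, so whoever can reach the Gadget's network listener effectively controls the app; on a test device that is the point, on anything else it is the reason the listener must not be left running.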

Let's cheat!
Sounds like good old times

Conclusion

Fino github.com/sysdream/fino
Gadget github.com/sysdream/gadget
Client github.com/sysdream/gadget-client
