Scribd
Upload
156 views

Remoting Android Applications For Fun and Profit

The document discusses remoting Android applications for testing and analysis. It introduces Fino, a framework that allows injecting a service into an Android app to remotely control and inspect it. It covers getting the original app APK, injecting Fino's code, and installing the modified app. It also describes using Android phones as IVR systems by creating an app that can dial numbers, accept DTMF tones, and record conversations for fuzz testing purposes.

Uploaded by

foosaa
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
156 views

Remoting Android Applications For Fun and Profit

The document discusses remoting Android applications for testing and analysis. It introduces Fino, a framework that allows injecting a service into an Android app to remotely control and inspect it. It covers getting the original app APK, injecting Fino's code, and installing the modified app. It also describes using Android phones as IVR systems by creating an app that can dial numbers, accept DTMF tones, and record conversations for fuzz testing purposes.

Uploaded by

foosaa
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 30

Android remoting 101

Fino architecture
Exploring and reversing
DTMF Fuzzing
Fun & profit
Conclusion

Remoting Android applications


for fun & profit

Damien Cauquil, Pierre Jaury

Hack In Paris
June 20, 2013

Damien Cauquil, Pierre Jaury Remoting Android applications for fun & profit 1 / 30
Android remoting 101
Fino architecture
Exploring and reversing
DTMF Fuzzing
Fun & profit
Conclusion

Introduction
Damien Cauquil
Company Sysdream (head of research)
Twitter @virtualabs
Blog http://virtualabs.fr
Pierre Jaury
Company Sysdream
Twitter @kaiyou
Blog http://kaiyou.fr
Sysdream, IT security services
Location Paris, France
Website http://sysdream.com
Damien Cauquil, Pierre Jaury Remoting Android applications for fun & profit 2 / 30
Table Of Contents

1 Android remoting 101

2 Fino architecture

3 Exploring and reversing

4 DTMF Fuzzing

5 Fun & profit


Android remoting 101

1 Android remoting 101


To debug or not to debug
Remoting vs. Debugging
Root?

2 Fino architecture

3 Exploring and reversing

4 DTMF Fuzzing

5 Fun & profit


Android remoting 101
Fino architecture
To debug or not to debug
Exploring and reversing
Remoting vs. Debugging
DTMF Fuzzing
Root?
Fun & profit
Conclusion

To debug or not to debug

Some ways to debug applications


Dalvik Debugging Monitor Server combined with JDWP
Android logcat
Many drawbacks:
Very difficult to alter and monitor the target application state
Requires Android Debug Bridge (ADB)
Bytecode level
Why debugging?
Debugging android apps is very useful for developers . . .
But not convenient for reverse engineers (sic) !

Damien Cauquil, Pierre Jaury Remoting Android applications for fun & profit 5 / 30
Android remoting 101
Fino architecture
To debug or not to debug
Exploring and reversing
Remoting vs. Debugging
DTMF Fuzzing
Root?
Fun & profit
Conclusion

Remoting vs. Debugging


App phone home

Debugging is so low-level and hardcore, why not getting a higher


level view of an application and its components?
Many benefits:
Abstraction of Android Dalvik VM bytecode
Better idea of how the application works
Java-like access to core components or the application itself
Bypass OOP restrictions
Objectives:
Interact with the target application
Automate complex processes through scripting

Damien Cauquil, Pierre Jaury Remoting Android applications for fun & profit 6 / 30
Android remoting 101
Fino architecture
To debug or not to debug
Exploring and reversing
Remoting vs. Debugging
DTMF Fuzzing
Root?
Fun & profit
Conclusion

Remoting vs. Debugging


First infection

How?
Through the injection of a service running inside the
application context
Compatible with Android > 2.0
Remotely controlled over the service API
Limitations:
Cannot send your private information to the NSA
Can only interact with known and launched activities or
services
Cannot interact with native applications

Damien Cauquil, Pierre Jaury Remoting Android applications for fun & profit 7 / 30
Android remoting 101
Fino architecture
To debug or not to debug
Exploring and reversing
Remoting vs. Debugging
DTMF Fuzzing
Root?
Fun & profit
Conclusion

Root?
Where we go, we dont need root.

Rooting your Android phone . . .


May void its warranty
May alter the behavior of your phone
May be detected by an application
Remoting applications does not require:
Root access to the phone
USB debugging
Any special option set

Damien Cauquil, Pierre Jaury Remoting Android applications for fun & profit 8 / 30
Fino architecture

1 Android remoting 101

2 Fino architecture
Application components
General overview

3 Exploring and reversing

4 DTMF Fuzzing

5 Fun & profit


Android remoting 101
Fino architecture
Exploring and reversing Application components
DTMF Fuzzing General overview
Fun & profit
Conclusion

Application components
Components. . . so many components

Fino Hundreds of bytes of dalvik bytecode


Provides a minimal inspection API
Listens for service connections
Dynamic macro loading
Gadget Listens for network connections
Forwards calls to the Fino service
Client Python-driven gadget client
Handles modules and uploads macros

Damien Cauquil, Pierre Jaury Remoting Android applications for fun & profit 10 / 30
Android remoting 101
Fino architecture
Exploring and reversing Application components
DTMF Fuzzing General overview
Fun & profit
Conclusion

General overview

Damien Cauquil, Pierre Jaury Remoting Android applications for fun & profit 11 / 30
Exploring and reversing

1 Android remoting 101

2 Fino architecture

3 Exploring and reversing


Getting the original APK
Injecting
Installing

4 DTMF Fuzzing

5 Fun & profit


Android remoting 101
Fino architecture
Getting the original APK
Exploring and reversing
Injecting
DTMF Fuzzing
Installing
Fun & profit
Conclusion

Getting the original APK

Some usual adb magic


Must have USB debug and root access enabled

adb shell su -c ls /data/app

Some more adb pull


Any other APK source is valid!

Damien Cauquil, Pierre Jaury Remoting Android applications for fun & profit 13 / 30
Android remoting 101
Fino architecture
Getting the original APK
Exploring and reversing
Injecting
DTMF Fuzzing
Installing
Fun & profit
Conclusion

Injecting

Damien Cauquil, Pierre Jaury Remoting Android applications for fun & profit 14 / 30
Android remoting 101
Fino architecture
Getting the original APK
Exploring and reversing
Injecting
DTMF Fuzzing
Installing
Fun & profit
Conclusion

Installing
Then have fun!

Some more adb magic!

adb install package.apk

Be careful with certificate inconsistency


Run the Gadget server

Damien Cauquil, Pierre Jaury Remoting Android applications for fun & profit 15 / 30
DTMF Fuzzing

1 Android remoting 101

2 Fino architecture

3 Exploring and reversing

4 DTMF Fuzzing
IVR testing
Android as an IVR testing platform
Creating the system application
Dial, send DTMF and record conversation
Sign and install
Lets fuzz !

5 Fun & profit


Android remoting 101 IVR testing
Fino architecture Android as an IVR testing platform
Exploring and reversing Creating the system application
DTMF Fuzzing Dial, send DTMF and record conversation
Fun & profit Sign and install
Conclusion Lets fuzz !

IVR testing
What is DTMF fuzzing about?

Interactive Voice Response Service


Provides a voice service to customers (i.e. answering service)
Interaction is DTMF-based
Fuzzing DTMF tones
DTMF: Dual-Tone Multi-Frequency
Supported by a large number of phones
Fuzzing consists in sending a large amount of randomly
generated DTMF sequences

Damien Cauquil, Pierre Jaury Remoting Android applications for fun & profit 17 / 30
Android remoting 101 IVR testing
Fino architecture Android as an IVR testing platform
Exploring and reversing Creating the system application
DTMF Fuzzing Dial, send DTMF and record conversation
Fun & profit Sign and install
Conclusion Lets fuzz !

Android as an IVR testing platform


Reveal the power of the Droid

Usual IVR testing systems


Not affordable (Call Master, NuBot, . . . )
Requires specific hardware
Android phones
Open-source
Cheap
May be tweaked to allow IVR testing

Damien Cauquil, Pierre Jaury Remoting Android applications for fun & profit 18 / 30
Android remoting 101 IVR testing
Fino architecture Android as an IVR testing platform
Exploring and reversing Creating the system application
DTMF Fuzzing Dial, send DTMF and record conversation
Fun & profit Sign and install
Conclusion Lets fuzz !

Android as an IVR testing platform


Simon says, make a phone call!

App Custom system application


Provides an interface with the phone
Fino service already injected
DTMFuzz Python controller based on Gadget
Drives the DTMF fuzzing application

Damien Cauquil, Pierre Jaury Remoting Android applications for fun & profit 19 / 30
Android remoting 101 IVR testing
Fino architecture Android as an IVR testing platform
Exploring and reversing Creating the system application
DTMF Fuzzing Dial, send DTMF and record conversation
Fun & profit Sign and install
Conclusion Lets fuzz !

Creating the system application

1 Root your Android phone


2 Patch ADT to allow access to com.android.internal.*1
3 Build an android.jar with Android internal classes
4 Hack into the Phone application through
AndroidManifest.xml and reflection
5 Compile, sign and install

1
http://virtualabs.fr/msi/android-core-hacking.pdf
Damien Cauquil, Pierre Jaury Remoting Android applications for fun & profit 20 / 30
Android remoting 101 IVR testing
Fino architecture Android as an IVR testing platform
Exploring and reversing Creating the system application
DTMF Fuzzing Dial, send DTMF and record conversation
Fun & profit Sign and install
Conclusion Lets fuzz !

Creating the system application


Knock knock, Neo.

Import some internals

import com.android.internal.telephony.*;
Get a Phone instance with a line of Java

Phone phone = PhoneFactory.getDefaultPhone();


Modify the AndroidManifest.xml to start the application
inside the Phone application process

<activity android:process=com.android.phone/>
Damien Cauquil, Pierre Jaury Remoting Android applications for fun & profit 21 / 30
Android remoting 101 IVR testing
Fino architecture Android as an IVR testing platform
Exploring and reversing Creating the system application
DTMF Fuzzing Dial, send DTMF and record conversation
Fun & profit Sign and install
Conclusion Lets fuzz !

Dial, send DTMF and record conversation


PRISM ?

Use Phone.dial() method


To send DTMF, get a Call object and use sendDtmf()

Call call = phone.getForegroundCall();


call.getPhone().sendDtmf(1);

Damien Cauquil, Pierre Jaury Remoting Android applications for fun & profit 22 / 30
Android remoting 101 IVR testing
Fino architecture Android as an IVR testing platform
Exploring and reversing Creating the system application
DTMF Fuzzing Dial, send DTMF and record conversation
Fun & profit Sign and install
Conclusion Lets fuzz !

Dial, send DTMF and record conversation


PRISM ?

To record, Android provides android.media.MediaRecorder

1 Set audio source (VOICE DOWNLINK)


2 Set output format (THREE GPP)
3 Set audio encoder and output file
4 Start recording (call start())

Damien Cauquil, Pierre Jaury Remoting Android applications for fun & profit 23 / 30
Android remoting 101 IVR testing
Fino architecture Android as an IVR testing platform
Exploring and reversing Creating the system application
DTMF Fuzzing Dial, send DTMF and record conversation
Fun & profit Sign and install
Conclusion Lets fuzz !

Sign and install


Like a boss.

Signing requires your custom ROM certificates, public and


private keys
Remount root and drop into /system/app/

# adb remount
# adb push DTMFuzz.apk /system/app/

Damien Cauquil, Pierre Jaury Remoting Android applications for fun & profit 24 / 30
Android remoting 101 IVR testing
Fino architecture Android as an IVR testing platform
Exploring and reversing Creating the system application
DTMF Fuzzing Dial, send DTMF and record conversation
Fun & profit Sign and install
Conclusion Lets fuzz !

Lets fuzz !
1*#098675#**0875#*747654765

Connect to the fuzzing system app


Remote control the system app
Retrieve the conversation record

Damien Cauquil, Pierre Jaury Remoting Android applications for fun & profit 25 / 30
Fun & profit

1 Android remoting 101

2 Fino architecture

3 Exploring and reversing

4 DTMF Fuzzing

5 Fun & profit


Uploading macros
Lets cheat!
Android remoting 101
Fino architecture
Exploring and reversing Uploading macros
DTMF Fuzzing Lets cheat!
Fun & profit
Conclusion

Uploading macros
Compiled to dex, packed as apk
Shipped over the network
Class loaded or replaced dynamically

Damien Cauquil, Pierre Jaury Remoting Android applications for fun & profit 27 / 30
Android remoting 101
Fino architecture
Exploring and reversing Uploading macros
DTMF Fuzzing Lets cheat!
Fun & profit
Conclusion

Lets cheat!
Sounds like good old times

Damien Cauquil, Pierre Jaury Remoting Android applications for fun & profit 28 / 30
Android remoting 101
Fino architecture
Exploring and reversing
DTMF Fuzzing
Fun & profit
Conclusion

Conclusion

Fino github.com/sysdream/fino
Gadget github.com/sysdream/gadget
Client github.com/sysdream/gadget-client

Damien Cauquil, Pierre Jaury Remoting Android applications for fun & profit 29 / 30
Android remoting 101
Fino architecture
Exploring and reversing
DTMF Fuzzing
Fun & profit
Conclusion

Conclusion

Damien Cauquil, Pierre Jaury Remoting Android applications for fun & profit 30 / 30

You might also like