Vaccinating Android

by Milan Gabor, Danijel Grah

Number of mobile applications is rising and Android still holds large market share. As these numbers of applications grow, we need better tools to understand how applications work and to analyze them. There is always a question if we can trust mobile applications to do only that they are allowed to do and if they are really secure when transmitting our personal information to different servers. Sometimes when communication between mobile application and server is encrypted we have hard time to decrypt it to understand how things actually work. So we need to find new method or even tools to make our lives as security testers much easier and to achieve better results. In the presentation some runtime techniques will be discussed and a tool will be presented that offers two approaches to analyze Android applications. Basic principle of first approach is injecting small piece of code into APK and then connect to it and use Java Reflection to runtime modify value, call methods, instantiate classes and create own scripts to automate work. This method is possible with little knowledge and it even works on non-rooted Android devices. The second approach offers much the same functionality, but can be used without modifying an application. It uses Dynamic Dalvik Instrumentation to inject code at runtime so that modifying of APK's isn't necessary. In this case Android JNI is used to hook some methods and then to inject our code at runtime without modification of APK packages. And this method is new method based on some research in this area lately. Tool is Java based and simple to use, but offers quite few new possibilities for security engineers and pentesters and eases a process of analyzing mobile applications. It offers new possibilities to see, evaluate or even change internal variables an in this way opens news horizon of evaluating security of mobile applications.