Abstract
Android is emerging as a leading mobile brand; however, with the rise of any system comes its misuse, and so we need a security tool to keep a check on things.
This presentation will look at the available toolset for security professionals and will introduce some new combinations in a consolidated form of a VM environment. This will be a one-stop tool for performing any kind of operation on Android devices, applications or networks, be it forensic evaluation, source code review, software security testing or customizing a ROM with pre-embedded stuff; everything is provided in a single package. Further uses include malware analysis and review checks of new applications inside a controlled environment. The environment will be bundled with Eclipse, DroidDraw and the Gingerbread source code, plus most of the well-known security tools, in one single package. You can call it a Swiss Army knife for Android security.
AI Generated Summary
This is the first public presentation about Android Tamer, delivered at ClubHack 2011. The talk introduces a comprehensive virtual machine environment designed as a “Swiss Army knife for Android security” - a one-stop tool for all Android security operations.
Key Topics Discussed
Android Market Context:
- Market share: Android holds 40%+ of the phone market (a conservative estimate; it could be 80%+)
- Tablet market: around 10% of the tablet market
- Manufacturers: a range of manufacturers are building on Android (an OS developed by Google)
- Linux-based: an operating system built on a Linux kernel
- Market trend: share is moving up significantly
Why Security on Android is Needed:
- Corporate integration: people already use Android, and the reality is that they want it integrated into the corporate environment
- Security review needed: how can you be sure that a product which has not been tested will integrate safely into a corporate environment? That is where a security review comes in
- Operating system plus software: every phone, Android or iPhone, is basically an operating system with some software running on it
- The PC malware lifecycle repeats: looking at the whole PC malicious lifecycle (simple Trojans and TSR programs, then successive generations of viruses, then rootkits), the same scenario is going to be repeated on the mobile market
- Malware already seen: plenty of malware has already appeared on both iPhone and Android (one sample was demonstrated at MalCon two or three days before this talk)
- Need for checks: some kind of security review, some kind of check, needs to be done
Security Professional’s Point of View for Android:
- Application, platform or protocol level testing: testing an application, the platform it runs on, or the protocols it speaks
- ROM analysis: analysing an Android ROM to find out what malicious content it holds
- Malware analysis: looking at malicious applications
- Black side: going over to the attacker's side, customizing a ROM, generating your own malware and distributing it
- Need a setup: each of these requires some kind of working setup
The Problem:
- Current trend: look at various talks or presentations and the pattern is the same: download this tool, download the SDK, download the NDK, download a proxy, download a decompiler, then configure everything on your machine and only then use it
- That general trend is where the speaker stepped in
- Standardization: OWASP (rendered as "OAS" in the transcript) is on one hand working on standardizing mobile security testing
- This project: on the other side, this project builds a complete tool chain
- Large number of tools: there is a large number of tools to download, configure and get running
Android Tamer Solution:
- Alternative to BackTrack: something like BackTrack (which everyone is familiar with), but for Android
- BackTrack for Android: all the tools needed for any kind of Android interaction are on a single VM
- VMware application: the current VMware image supports these basic functions:
- Application pen testing
- Malware analysis
- ROM-based modification
- Analysing an existing ROM
- Application or native code development (the toolkits for native code and application-level development are available, whether the target is malware or something else)
VM Background:
- Ubuntu 10.04: the base is Ubuntu 10.04, the most recent LTS (long-term support) release at the time
- Non-essential software removed: all non-essential software has been removed
- Not a standalone OS: the VM is not meant to be the system's standalone OS; it is a complementary OS that runs alongside the existing one
- Desktop operation: keep everything needed for normal desktop work on the main desktop and use this VM only for Android operations
- Minimal repositories: a deliberately minimal set of repositories
- PPA problem: the more PPAs and other sources you add, the more likely an upgrade is to fail
- Only two PPAs added: one is the Firefox PPA, the other is a PPA for the menu system
Comparison with Android Reverse Engineering Toolkit:
- Recently launched: another VM, the "Android Reverse Engineering" (A.R.E.) toolkit, was launched around the same time by the Honeynet Project (transcribed as "Hyet")
- Differences:
- Size: Android Tamer's size has been trimmed down
- Scope: it covers far more than just malware analysis or reverse engineering
- Integration: paths and default settings are configured inside the VM, so no setup-based configuration is needed
- Browser bookmarks: the browser comes with pre-loaded bookmarks for the resources you will need
Personal Repository:
- Personal repository: the author's own package repository, used to distribute the latest versions of the tools already included
- Automatic updates: when a new release of a decompiler (or any other bundled tool) comes out you no longer download it and redo the setup by hand; click "update my system" and, provided a package has been built for it, the tool is updated automatically
Application Pen Testing:
- Proxy requirement: a proxy is required to trap all requests
- Basic problem with Android: browser traffic can be redirected to a proxy, but redirecting application traffic is the tricky part
- T-Proxy: a transparent socket proxy that diverts all existing network traffic to the socket proxy
- Certificate issue: an intercepting proxy presents its own certificate for HTTPS connections, so the emulator or device rejects them until the proxy's root CA is trusted (applications that pin their own certificate will still fail and need a separate workaround)
- Root CA certificate: the bundled emulator image already has the OWASP ZAP root CA certificate installed
- Customized: because ZAP is the supplied proxy, its root certificate is pre-added to the emulator, so that configuration step is not needed
- DDMS: the Dalvik Debug Monitor Server, Google's debugging tool, is likewise configured and available
Menu Structure:
- Main menu: everything is available from the console menu
- BackTrack tradition: the menu follows the same tradition as BackTrack
- Arsenal folder: instead of BackTrack's "pentest" folder there is an "Arsenal" folder containing the various tools
Malware Analysis:
- Recent projects: projects such as DroidBox and APKinspector (both hosted on Google Code at the time) have produced single-point Android malware analysis tools
- DroidBox: a one-stop shop; select which Android virtual device to run and which application to install, and it automatically starts the emulator, pushes the APK in, executes it, and traces:
- File system changes
- Parameter changes
- Whatever other changes are happening
- Logs being generated
- All of it is captured and presented in an easily readable form
- APKinspector: a decompiler-style tool that gives a direct view of what an APK holds:
- The permission model
- Decompilation of the app using JD-GUI or JAD as the decompiler
- Four tools in the decompilation chain: dex2jar, JD-GUI, JAD, and smali/baksmali
- dex2jar: converts the DEX bytecode into a JAR file whose class files can then be decompiled by the other tools (JD-GUI, JAD)
- smali/baksmali: an alternative approach that disassembles DEX into smali, a Dalvik assembler format, rather than producing Java
- Androguard (transcribed as "Android Guard"): another APK inspection tool
- All these tools are directly available for malware analysis
ROM Analysis and Modification:
- Interesting aspect: One of interesting aspects
- XDA Developers: development forums with a large number of threads and downloads
- ROM cookers: a large number of ROM cookers or ROM makers create customized ROM versions
- Example: you have a Sony handset, dislike the default UI and like HTC's; rather than buy an HTC device you download a customized Sony ROM with HTC's UI and flash it on your phone
- Carrier IQ example: Carrier IQ, a company that sells analytics capabilities, had recently been found in use by a large number of US service providers; beyond basic metrics such as how many calls are made, it was reported to track keystrokes and data traffic, all transferred to a remote server (claimed to be anonymous, but who knows)
- Security concern: there is a large chance that the ROM you install is not as secure as it claims to be
- Security professional's role: go inside, look at the ROM content, analyse it, see what is wrong or could be wrong with it, and then decide whether to use it
- Black side: distribute a customized ROM with all kinds of attractive features (surfing without paying charges), and in return ask the user to install a keyboard application that silently sends every keystroke back to your own server
- Tools available: all of this can be done with the bundled tools
- dsixda's Android Kitchen: a single application that lets you customize every aspect of a ROM
- YAFFS (Yet Another Flash File System): version 2 was the standard format on most Android devices at the time
- Recovery/backup software: the software used to back up Android devices uses these formats
- ROM/backup analysis: to analyse a ROM or a system backup, these tools show what is inside
- Split Boot Image: a very simple proof-of-concept script that separates the kernel from the boot image so it can be analysed
- Android boot format: Android uses a simple format with a Linux kernel inside, and the device boots much as a Linux machine does:
- The kernel is loaded
- Then the initial RAM disk (initrd) is loaded and sets up the basic system
- Then the main system partition is mounted
- The system starts
- IMG file: Android ships a single IMG file containing both the kernel and the initial RAM disk
- Split Boot Image: the split tool separates them, giving you the kernel and the RAM disk as separate files
- Modification: you can change the RAM disk content, rebuild it, and get a new boot image
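The split-and-rebuild step described above can be reproduced in a few lines of Python. The following is an added example, not the speaker's split-boot-image script or any Android Tamer code: it parses the classic (version 0) Android boot image header as laid out in AOSP's bootimg.h (the "ANDROID!" magic, ten 32-bit fields, a 16-byte name, a 512-byte kernel command line and a 32-byte id), bounds-checks every size before slicing, pulls the kernel and ramdisk out, and repacks them the way mkbootimg does. The sample image is constructed inline from a fake kernel and a gzip blob standing in for the cpio ramdisk, and the default load addresses are mkbootimg's. Vendor images with extra headers, or newer header versions, need the parser extended.

```python
"""Split an Android boot.img into kernel and ramdisk, and repack it.
Added example, not the talk's split-boot-image script; follows the
version-0 boot_img_hdr layout from AOSP's bootimg.h."""
import gzip
import struct

BOOT_MAGIC = b"ANDROID!"
# magic[8], kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size,
# second_addr, tags_addr, page_size, unused[2], name[16], cmdline[512], id[32]
HDR_FMT = "<8s10I16s512s32s"
HDR_SIZE = struct.calcsize(HDR_FMT)   # 608 bytes; the header occupies one page


def page_align(n, page_size):
    """Round n up to the next multiple of page_size."""
    return (n + page_size - 1) // page_size * page_size


def parse_boot_image(data):
    """Return the kernel, ramdisk and second-stage blobs plus header metadata.
    All offsets come from the header, and each is bounds-checked so a crafted
    size field cannot make the parser read past the buffer."""
    if len(data) < HDR_SIZE:
        raise ValueError("too short for a boot image header")
    (magic, kernel_size, kernel_addr, ramdisk_size, ramdisk_addr,
     second_size, second_addr, tags_addr, page_size, _unused0, _unused1,
     name, cmdline, _img_id) = struct.unpack_from(HDR_FMT, data, 0)
    if magic != BOOT_MAGIC:
        raise ValueError("bad magic: not an Android boot image")
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError("page_size must be a power of two")
    kernel_off = page_size
    ramdisk_off = kernel_off + page_align(kernel_size, page_size)
    second_off = ramdisk_off + page_align(ramdisk_size, page_size)
    end = second_off + page_align(second_size, page_size)
    if end > len(data):
        raise ValueError("header sizes exceed image length (truncated or crafted)")
    ramdisk = data[ramdisk_off:ramdisk_off + ramdisk_size]
    return {
        "kernel": data[kernel_off:kernel_off + kernel_size],
        "ramdisk": ramdisk,
        "second": data[second_off:second_off + second_size],
        "kernel_addr": kernel_addr, "ramdisk_addr": ramdisk_addr,
        "second_addr": second_addr, "tags_addr": tags_addr,
        "page_size": page_size,
        "name": name.rstrip(b"\x00").decode("ascii", "replace"),
        "cmdline": cmdline.rstrip(b"\x00").decode("ascii", "replace"),
        # the ramdisk is normally a gzip-compressed cpio archive
        "ramdisk_is_gzip": ramdisk[:2] == b"\x1f\x8b",
    }


def build_boot_image(kernel, ramdisk, second=b"", page_size=2048,
                     kernel_addr=0x10008000, ramdisk_addr=0x11000000,
                     second_addr=0x10F00000, tags_addr=0x10000100,
                     name=b"", cmdline=b""):
    """Repack blobs into a boot image, as mkbootimg does.  Load addresses
    default to mkbootimg's; the id field (mkbootimg fills it with a SHA1 of
    the payload) is left zeroed here."""
    def padded(blob):
        return blob + b"\x00" * (page_align(len(blob), page_size) - len(blob))
    header = struct.pack(HDR_FMT, BOOT_MAGIC, len(kernel), kernel_addr,
                         len(ramdisk), ramdisk_addr, len(second), second_addr,
                         tags_addr, page_size, 0, 0, name[:16], cmdline[:512],
                         b"\x00" * 32)
    return padded(header) + padded(kernel) + padded(ramdisk) + padded(second)


def replace_ramdisk(image, new_ramdisk):
    """Split, swap in a modified ramdisk, and rebuild with the original
    addresses and kernel command line (the 'modify and recompile' step)."""
    p = parse_boot_image(image)
    return build_boot_image(p["kernel"], new_ramdisk, p["second"],
                            p["page_size"], p["kernel_addr"], p["ramdisk_addr"],
                            p["second_addr"], p["tags_addr"],
                            p["name"].encode(), p["cmdline"].encode())


def make_sample_image():
    """Constructed stand-in for a real boot.img: ARM nops plus a marker as the
    kernel, and a gzip blob in place of the cpio ramdisk."""
    kernel = b"\x00\x00\xa0\xe1" * 64 + b"fake-zImage"
    ramdisk = gzip.compress(b"service adbd /sbin/adbd\n")
    return build_boot_image(kernel, ramdisk,
                            cmdline=b"console=ttyS0 androidboot.hardware=goldfish")
```

On a real image, write `parts["kernel"]` and `parts["ramdisk"]` to files, unpack the ramdisk with `gunzip | cpio -i`, edit init.rc or whatever else is of interest, repack with `cpio -o -H newc | gzip`, and feed the result to `replace_ramdisk`. The bounds checks matter when the image under analysis is itself the untrusted input.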
Development Tools:
- Eclipse: available (here "development" means all kinds of development; how it is used depends on who is using it and why)
- NDK: available; native code is a faster medium for building applications, or rather for the parts of an application that need faster interaction
- CodeSourcery G++ Lite: an ARM cross-compiler that lets you compile existing applications for ARM
- ARM DS-5 Community Edition: a recent release (two or three days before the talk); ARM launched Design Studio 5 with a Community Edition, basically an NDK compiler plus a complete design studio for NDK-based applications
Future Malware Landscape Prediction:
- Hunch: the speaker has a hunch about where things are going
- Current malware: most malware on the Android market today can be detected easily with a little attention (look at the permission model, decompile the source, find the places where the sensitive calls are made; those are the checkpoints you can apply)
- PC market evolution: just as on the PC, where batch files acted as viruses, then COM files, then executables, and now obfuscated executables
- Prediction: a malware landscape where the malicious code lives inside an NDK binary, a native C binary that does all the work in the background, with a single Java call invoking that function
- That is the idea the speaker has
Key Features:
- One-stop tool: Required to perform any kind of operations on Android devices/applications/network
- Operations supported:
- Forensic evaluation
- Source code review
- Software security testing
- Customizing ROM with pre-embedded stuff
- Everything in single package: More usages include malware analysis along with review check of new applications inside controlled environment
- Bundled with: Eclipse, DroidDraw, Gingerbread source code, most well-known security tools in one single package
- Swiss Army knife: For Android security
Key Insights:
- Android security needs consolidated toolset - current approach requires downloading and configuring many tools separately
- Android Tamer provides BackTrack-like experience for Android security
- VM approach allows coexistence with existing OS
- Pre-configured setup saves time and reduces configuration errors
- Personal repository enables automatic updates
- ROM security is a concern: tools are needed to analyse custom ROMs
- Future malware may use NDK binaries to evade detection
Actionable Takeaways:
- Android market share is significant and growing - security is critical
- Mobile malware lifecycle will repeat PC malware lifecycle
- Need consolidated toolset for Android security operations
- VM approach provides isolated, pre-configured environment
- ROM analysis important - custom ROMs may contain malicious content
- Application traffic redirection is tricky - T-Proxy helps
- Certificate configuration needed for proxy-based testing
- Multiple decompilers available for different needs
- NDK may be future vector for malware
- Pre-configured bookmarks and paths save time
Ref: clubhack.com/2011/events/technical-briefings/#androidtamer