[[Android]]
 

Differences

This shows you the differences between two versions of the page.

project:android [2012/10/11 21:03]
biiter [Reverse engineering]
project:android [2016/06/27 01:19] (current)
ruza
Line 3: Line 3:
 name=Android| name=Android|
 image=androidpirate.png?​200| image=androidpirate.png?​200|
-interested=[[user:​ruza]]\\ [[user:​biiter]]|+interested=[[user:​ruza]]\\ [[user:​biiter]]\\ [[user:yan]]|
 status=alive and kicking status=alive and kicking
 }} }}
  
 +People involved in this project are interested in better understanding of android platform, learning ways how to improve android security or customize android platform for their specific needs.
 ===== Research Wishlist ===== ===== Research Wishlist =====
  
-  * application compatibility mechanism in Market, howto fake compatibility,​ what is based on +  * Understand ​application compatibility mechanism in Android ​Market. How to fake compatibility,​ what it is based on. 
-  * USB HID keyboard support, ​howto enable +  * USB HID keyboard support, ​how to enable. 
-  * find realy secure ​"app lock" ​application,​ try to circumvent its security mechanism, find application we can trust or research why its not possible to trust any of those apps+  * Find really ​secure ​[[project:​android#​android_security | app lock]] application,​ try to circumvent its security mechanism, find application we can trust or research why it is not possible to trust any of currently aviable app locks. 
 +  * Do some [[project:​android#​android_security | radio]] research/​review,​ post results on wiki.
  
-===== Android OS =====+===== Equipment ​===== 
 +  * Various tools needed for disassembly/​reassembly and basic diagnostic of android mobile / tablet (heatgun, various screwdrivers,​ osciloscope ..) in HW lab 
 +  * [[:​mentors#​cm_build_enviroment | CM build enviroment]] ready for use (thx. 2 **[[user:​da3m0n22]]**) 
 +  * [[https://​www.nuand.com/​ | bladeRF ]] 
 +  * [[project:​android#​android_open_accessory_development_kit | Android open acessory development kit]]
  
 +===== Knowledge base =====
 +  * [[project:​gsm]]
 +  * [[project:​android#​building_android_from_source | building from source]]
 +  * [[project:​android#​android_security | security]]
 +  * [[project:​android#​android_application_creating_building | application creating & building]]
 +  * [[project:​android#​reverse_engineering | reverse engineering]]
 +  * [[project:​android#​android_rooting | rooting, sideloading]]
 +
 +==== Building Android from source ====
 +If you want to apply more deeply implemented features into android you need to implement them to the source code and then sucesfully build that code. If you need a feature which is implemented in another [[http://​androidforums.com/​threads/​what-is-rom.339633/​ | ROM]] in majority of cases the best solution is [[http://​forum.xda-developers.com/​showthread.php?​t=2763236 | cherry-picking]].
 +
 +Many ROMs' source code is aviable on [[https://​github.com/​ | github ]].
 +
 +A lot has been written about buidling roms, good starting point is to build [[ https://​source.android.com/​ | AOSP ]] or [[ http://​www.cyanogenmod.org/​ | CM ]] ROM from source (guide is on their webpages).
 +
 +=== Unlocking ===
 +Before you install custom rom you need to **unlock** your device first. [[https://​wiki.cyanogenmod.org/​w/​Doc:​_fastboot_intro | Fastboot]]. In case of Samsung you will need [[https://​wiki.cyanogenmod.org/​w/​Install_and_compile_Heimdall | Heimdall ]] which was written by "some guys from MIT."
 +
 +=== Editing your build ===
 +Here are located source-code editing guides/​hints
 +
 +  * [[ http://​forum.xda-developers.com/​showthread.php?​t=2184207 | Editing settings apk on android 4.0+]]
 +  * [[ project:​android:​grouper#​cherry-picking_slimrecents_to_cm_121 | cargo cult cherry-pick of slimrecents]]
 +  * [[ project:​android:​grouper#​debundling_cm_build ]]
 +
 +=== Building for specific roms & devices links ===
 +There is wiki entry related to specific rom & devices building, but tips and tricks could be applied globally.
 +
 +  * [[ :​project:​android:​grouper | building CM on Grouper ]]
 +==== Android Security ====
 +Android have many security features. Some of them are implemented better, some of them not (f.e. [[http://​googleprojectzero.blogspot.cz/​2015/​09/​stagefrightened.html | ALSR ]] ). Our goal in brmlab is to improve usage of those features. Security features implemented in Android are:
 +  * **[[http://​www.netfilter.org/​projects/​iptables/​index.html | iptables]]** - implemented probably from version 1 till current, but without GUI. [[user:yan | I]] use [[https://​github.com/​ukanth/​afwall|AFWall+]] but maybe something better is out there.
 +  * **[[http://​selinuxproject.org/​page/​NB_SEforAndroid_1 | SELinux]]** - permissive from **4.3**, partial enforcement in **4.4**, **enforcing from 5.0**
 +  * **[[https://​en.wikipedia.org/​wiki/​Address_space_layout_randomization#​Android | ALSR]]** - introduced in **4.0**, [[https://​securityblog.redhat.com/​2012/​11/​28/​position-independent-executables-pie/​ | PIE ]] support from **4.1**, **non-PIE support dropped from 5.0**
 +  * **[[https://​source.android.com/​security/​overview/​kernel-security.html#​the-application-sandbox | application sandbox]]** - sometimes could be escaped due to poorly written apps which store sensitive data in shared memory - check for example "​android class hijacking"​ in exploit list below.
 +  * **[[http://​www.xda-developers.com/​protecting-your-privacy-app-ops-privacy-guard-and-xprivacy/​ | Privacy Guard/App Ops]]** - "​Sandboxing customization."​ Introduced in **4.3**, **not supported in new AOSP**, CM supports some features but they dont care about privacy (permissions like "​network acess" and similar is missing). MIUI Permission Manager looks very good, but guys from MIUI [[https://​en.wikipedia.org/​wiki/​MIUI#​Criticisms_and_controversies | have some problems]] with understanding meaning of words "open source." ​ Maybe [[https://​github.com/​M66B/​XPrivacy | XPrivacy]] will do the trick. **further research needed.**
 +  * **[[https://​source.android.com/​security/​encryption/​ | Disc encryption]]** - from **2.3.4**
 +
 + === Android devices attack vectors ===
 +  * Attack android OS **through internet** - Java exploits etc.
 +  * Attacks **through radio** (baseband, modem) - even with very well implemented safety features on Android OS you need to "take care" of another processor, which is in every mobile phone.
 + 
 + == Security - Radio (baseband) related ==
 +RADIO (BASEBAND, MODEM) is another processor inside every mobile phone which is resposible for communication between BTS and your OS. It is closed source and not well documented playground (it is not easy to get nice and easily understandable articles related to this problematic). Source codes are from 80's and 90's with security mindset from that age.
 +
 +  * Samsung (unofficial) RADIO-WIRESHARK bridging: https://​github.com/​2b-as/​xgoldmon
 +  * Samsung "​troubles"​ w radio: https://​www.fsf.org/​blogs/​community/​replicant-developers-find-and-close-samsung-galaxy-backdoor
 +  * Radio workaround (see part w HW selection), misc useful tips, interesting links inside: https://​blog.torproject.org/​blog/​mission-impossible-hardening-android-security-and-privacy
 +
 +=== Android exploits ===
 +If you want to improve android security it's good to know the problem from another point of view, so you could easily adopt policy and changes to the code to prevent attack. It is obvious that nobody can predict how exactly 0day exploit looks like, but if you learn how to minimize impact even after sucesfull exploitation,​ you're one step further to save device.
 +
 +  * Cvedetails - filter on android http://​www.cvedetails.com/​product/​19997/​Google-Android.html
 +  * Cvedetails - listed android vulns. https://​www.cvedetails.com/​vulnerability-list/​vendor_id-1224/​product_id-19997/​Google-Android.html
 +  * Exploit-db - filter on android vuln. https://​www.exploit-db.com/​platform/?​p=android
 +  * Adding exploit from exploit-db to metasploit http://​www.kalitutorials.net/​2014/​06/​add-new-exploits-to-metasploit-from.html
 +  * Nexus security bulletins - list of android security issues with according CVE - **monthly** - https://​source.android.com/​security/​bulletin/​index.html
 +  * Collection of tools - [[https://​github.com/​android-rooting-tools]]
 +
 +== Exploit list ==
 +Here are some of exploits known today to android platform, it serves mainly as link database to get some interesting info on special cases, old one is left in database for educational and historical meanings. For full coverage of known android vulnerabilities use [[https://​www.cvedetails.com/​vulnerability-list/​vendor_id-1224/​product_id-19997/​Google-Android.html|cvedetails]] or [[https://​www.exploit-db.com | exploit-db]] instead.
 +  * CVE-2015-8505,​8506,​8507 http://​www.cvedetails.com/​cve/​CVE-2015-8506/​ interesting is that in https://​source.android.com/​security/​bulletin/​2015-12-01.html where should be reference to this CVE **there is nothing about this CVE number**, bulletin only covers CVE 6616.
 +
 +  * Libstagefright **+ ALSR bypass** (useful for androids **>​5.1.1.** and **some 5.1.1.**): [[ http://​googleprojectzero.blogspot.cz/​2015/​09/​stagefrightened.html | stagefright + ALSR bypass report]] on exploit-db: [[https://​www.exploit-db.com/​exploits/​38124/​ | here]] and [[https://​www.exploit-db.com/​exploits/​38226/​ | here]]
 +
 +  * Android class loading hijacking - **not exactly a bug**, only weaknes which could be used in ODEX handling, usefull for badly writed apps on dalvik machine, androids **>5.0** have dalvik, newer one runs or Art so for them its history: [[http://​www.symantec.com/​connect/​blogs/​android-class-loading-hijacking | symatec official report ]] (if you dont have javascript and similar crap everywhere read [[http://​www.pcworld.com/​article/​234800/​symantec_uncovers_android_apps_security_threat.html | here]])
 +
 +  * One Class to Rule Them All (useful for unpatched androids to some M preview, patched **>​4.4**) - CVE-2015-3825:​ [[https://​www.usenix.org/​system/​files/​conference/​woot15/​woot15-paper-peles.pdf |woot pdf report from usenix ]]
 +
 +  * Browser Cross-Application Scripting (usfel for androids **2.3.4. and 3.1**) - CVE-2011-2357:​ [[http://​blog.watchfire.com/​wfblog/​2011/​08/​android-browser-cross-application-scripting-cve-2011-2357.html | disclosure report from IBM ]]
 +
 +  * GingerBreak (historical root, useful for androids **2.2-3.0**):​ [[https://​code.google.com/​p/​intercept-root/​source/​browse/​trunk/​+intercept-root+--username+spaztecho@gmail.com/​jni/​GingerBreak.c?​r=14 | source from google code]] [[https://​web.nvd.nist.gov/​view/​vuln/​detail?​vulnId=CVE-2011-1823 | link to vuln database]]
 +
 +  * Exploid udev (historical root, useful for androids **1.x/​2.x**) : https://​www.exploit-db.com/​exploits/​16099/​
 +
 +  * RageAgainstTheCage (historical root, useful for androids **1.x/​2.x**) : https://​github.com/​georgiaw/​Smartphone-Pentest-Framework/​blob/​master/​exploits/​Android/​source/​rageagainstthecage.c
 +
 +=== Studies / reports ===
 +  * **7/2015** - [[https://​www.blackhat.com/​docs/​us-15/​materials/​us-15-Bobrov-Certifi-Gate-Front-Door-Access-To-Pwning-Millions-Of-Androids-wp.pdf | Certifi-Gate report ]] - how you can patch mRSTs to perform mRATs functionalities.
 +  * **7/2012** - [[https://​santoku-linux.com/​howto/​mobile-forensics/​how-to-brute-force-android-encryption/​ | Android encryption Brute-Force ]] - unlocked bootloader is needed, than via fastboot.
 +  * **1/2011** - [[http://​www.cis.syr.edu/​~wedu/​Research/​paper/​webview_acsac2011.pdf | WebView Attacks ]] - Attacks on Android web interaction component.
 +
 +=== Security related links ===
 +
 +<​note>​TODO:​ link database outdated - update, improve</​note>​
 +  * https://​www.owasp.org/​index.php/​Projects/​OWASP_GoatDroid_Project
 +  * http://​thomascannon.net/​blog/​2010/​11/​android-data-stealing-vulnerability/​
 +  * http://​www.privateerlabs.net/​research/​whitepapers/​PRIVATEERLABS_MALICIOUS_INTENT.pdf?​attredirects=0
 +  * http://​securitycompass.github.com/​AndroidLabs/​
 +  * http://​securitycompass.github.com/​iPhoneLabs/​
 +  * http://​blogs.iss.net/​archive/​Examining%20the%20recent.html
 +  * https://​www.trustwave.com/​spiderlabs/​advisories/​TWSL2011-008.txt
 +  * http://​blog.spiderlabs.com/​2011/​09/​google-android-focus-stealing-vulnerabiltiy-demo.html
 +  * http://​redmine.honeynet.org
 +  * http://​viaforensics.com/​security/​nopermission-android-app-remote-shell.html
 +  * http://​www.mcafee.com/​us/​downloads/​free-tools/​hacme-bank-android.aspx
 +  * https://​community.qualys.com/​blogs/​securitylabs/​2012/​07/​25/​android-security-evaluation-framework--a-s-e-f
 +  * https://​github.com/​thomascannon/​android-sms-spoof
 +
 +
 +==== Android application creating & building ====
 +
 +  * [[event:​android_development|]] (thx. 2 **[[user:​da3m0n22]]**)
 +  * [[http://​www.vogella.com/​tutorials/​Android/​article.html | Introduction to Android development with Android Studio ]] - Basic intro to Android Studio
 ==== Reverse engineering ==== ==== Reverse engineering ====
  
 +=== links ===
 +<​note>​TODO:​ link database outdated - update, improve</​note>​
   * http://​thomascannon.net/​projects/​android-reversing/​   * http://​thomascannon.net/​projects/​android-reversing/​
   * http://​www.woodmann.com/​collaborative/​tools/​index.php/​Category:​Android_Tools   * http://​www.woodmann.com/​collaborative/​tools/​index.php/​Category:​Android_Tools
   * http://​forum.xda-developers.com/​showthread.php?​t=1910873   * http://​forum.xda-developers.com/​showthread.php?​t=1910873
   * http://​code.google.com/​p/​android-apktool/​   * http://​code.google.com/​p/​android-apktool/​
-==== Speeding up the android emulator ​====+  * http://​wiki.base48.cz/​AndroidRE 
 + 
 +==== Android rooting ==== 
 +In many cases if you want to modify your device first you need to root it. 
 +There are many ready to use toolkits online but usually many of those have uknown source. 
 + 
 +One solution to this problem is to compile your own root toolikt from open-source - f.e. [[https://​github.com/​android-rooting-tools/​android_run_root_shell | Android run root shell]] (thx. 2 **[[user:​da3m0n22]]** for link) 
 + 
 +===== GPLv2 Android ===== 
 + 
 +From [[https://​en.wikipedia.org/​wiki/​Replicant_%28operating_system%29 | wiki]]: Replicant is a **free and open source** operating system based on the Android mobile platform, which aims to **replace all proprietary Android components** with their free software counterparts. This also makes it a **security focused** operating system as it **closes** discovered Android **backdoors**. 
 + 
 +The problem is that it unfortunately cares only about radio implementation into android, but **not radio itself**. 
 + 
 +[[ http://​replicant.us/​ | Official project website ]] 
 +  
 +===== Misc Links ===== 
 + 
 +<​note>​TODO:​ link database outdated - update, improve</​note>​ 
 + 
 +== Speeding up the android emulator ==
  
   * http://​blogs.nuxeo.com/​dev/​2011/​10/​speeding-up-the-android-emulator.html   * http://​blogs.nuxeo.com/​dev/​2011/​10/​speeding-up-the-android-emulator.html
  
-==== Cool appz ====+== Cool appz ==
  
-  * https://​market.android.com/​details?​id=it.android.demi.elettronica +  * [[https://​market.android.com/​details?​id=it.android.demi.elettronica ​| ElectroDroid]] - Electronics work cheatsheet. 
-  * https://​market.android.com/​details?​id=cn.opda.android.softwarelock +  * [[https://​market.android.com/​details?​id=com.overlook.android.fing | Fing - Network Tools]] - Device discovery on wifi. 
-  * https://market.android.com/​details?​id=com.overlook.android.fing+  * [[https://github.com/​ukanth/​afwall|AFWall+]] - Front-end for iptables. 
 +  * [[https://​play.google.com/store/apps/​details?​id=org.proxydroid | ProxyDroid]] - Proxy for android. ​(better implementation) 
 +  * [[https://​f-droid.org/​repository/​browse/?​fdfilter=pdf&​fdid=org.sufficientlysecure.viewer | DocumentViewer ]] - Document Viewer is a fork of the last GPL version of EBookDroid 
 +  * [[https://​wiki.strongswan.org/​projects/​strongswan/​wiki/​AndroidVPNClient | strongSwan ]] - OpenSource IPsec-based VPN Solution
  
-==== Cool soft ====+== Cool soft ==
  
   * http://​code.google.com/​p/​androguard/​   * http://​code.google.com/​p/​androguard/​
   * [[http://​forum.xda-developers.com/​showthread.php?​t=1703488|Samsung Galaxy S3 tooolkit]] + Odin (formerly known as fastboot) (win)   * [[http://​forum.xda-developers.com/​showthread.php?​t=1703488|Samsung Galaxy S3 tooolkit]] + Odin (formerly known as fastboot) (win)
-==== Cool links ====+== Cool links ==
   * http://​kitchen.yaam.mobi/​   * http://​kitchen.yaam.mobi/​
   * http://​lyt.no-ip.org/​blog/​Tag/​dropad-a8/​ (blog about Dropad A8 flashing, etc)   * http://​lyt.no-ip.org/​blog/​Tag/​dropad-a8/​ (blog about Dropad A8 flashing, etc)
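Review bot: two version ranges in the new Exploit list read inverted. The Libstagefright entry says it is useful for androids ">5.1.1. and some 5.1.1.", but the linked Project Zero write-up exploits a device running 5.1.1 and the bug is fixed in later patch levels, so the range should be "<5.1.1 and some unpatched 5.1.1 builds". The class loading hijacking entry says "androids >5.0 have dalvik, newer one runs Art"; ART became the default runtime in 5.0, so Dalvik is what releases before 5.0 run and the ">" should be "<". In the same hunk, "ALSR" (Android Security intro, the ASLR bullet and the stagefright entry) should be spelled "ASLR", and the "Disc encryption - from 2.3.4" bullet disagrees with the AOSP page it links, which dates full-disk encryption to Android 3.0. Minor spelling throughout the added text: "aviable", "sucesfully", "weaknes", "usfel", "resposible", "enviroment".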
Line 44: Line 178:
   * [[http://​blog.linuxconsulting.ro/​2010/​04/​porting-wifi-drivers-to-android.html|How WiFi works on Android]]   * [[http://​blog.linuxconsulting.ro/​2010/​04/​porting-wifi-drivers-to-android.html|How WiFi works on Android]]
  
-==== Security ​==== +  
-  * https://​www.owasp.org/​index.php/​Projects/​OWASP_GoatDroid_Project +===== Misc Notes =====  
-  * http://​blog.watchfire.com/​wfblog/​2011/​08/​android-browser-cross-application-scripting-cve-2011-2357.html +== Devices ==
-  * http://​thomascannon.net/​blog/​2010/​11/​android-data-stealing-vulnerability/​ +
-  * http://​www.symantec.com/​connect/​blogs/​android-class-loading-hijacking +
-  * http://​www.privateerlabs.net/​research/​whitepapers/​PRIVATEERLABS_MALICIOUS_INTENT.pdf?​attredirects=+
-  * www.cis.syr.edu/​~wedu/​Research/​paper/​webview_acsac2011.pdf +
-  * http://​securitycompass.github.com/​AndroidLabs/​ +
-  * http://​securitycompass.github.com/​iPhoneLabs/​ +
-  * http://​blogs.iss.net/​archive/​Examining%20the%20recent.html +
-  * https://​www.trustwave.com/​spiderlabs/​advisories/​TWSL2011-008.txt +
-  * http://​blog.spiderlabs.com/​2011/​09/​google-android-focus-stealing-vulnerabiltiy-demo.html +
-  * http://​web.nvd.nist.gov/​view/​vuln/​detail?​vulnId=CVE-2011-1823 +
-  * http://​redmine.honeynet.org +
-  * http://​viaforensics.com/​security/​nopermission-android-app-remote-shell.html +
-  * http://​www.mcafee.com/​us/​downloads/​free-tools/​hacme-bank-android.aspx +
-  * https://​community.qualys.com/​blogs/​securitylabs/​2012/​07/​25/​android-security-evaluation-framework--a-s-e-f +
-  * https://​santoku-linux.com/​howto/​mobile-forensics/​how-to-brute-force-android-encryption +
-==== Devices ​====+
  
 /dev/mtd/ /dev/mtd/
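Review bot: the removed "==== Security ====" link list is fully re-homed; every entry reappears in the hunk above under Exploit list (watchfire, symantec, NVD CVE-2011-1823), Studies / reports (webview, santoku) or Security related links (the rest), and the scheme-less "www.cis.syr.edu/.../webview_acsac2011.pdf" entry gains its "http://" in the move, so nothing is lost. Style point: "== Devices ==" now sits directly under "===== Misc Notes =====" with no intermediate level; DokuWiki renders it, but "===" would keep the outline consistent with the "===" subsections used elsewhere on the page.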
Line 72: Line 190:
   * mtd5 holds user data   * mtd5 holds user data
  
-==== Blbinky ​====+== Blbinky ==
   * /​system/​media/​bootanimation.zip ​ /​system/​bin/​bootanimation   * /​system/​media/​bootanimation.zip ​ /​system/​bin/​bootanimation
-==== Jak se dostat do nastaveni i kdyz to UI neumoznuje ​====+ 
 +== Jak se dostat do nastaveni i kdyz to UI neumoznuje ==
  
   ./adb shell am start -a android.intent.action.MAIN -n com.android.email/​.Settings   ./adb shell am start -a android.intent.action.MAIN -n com.android.email/​.Settings
  
 http://​www.anddev.org/​novice-tutorials-f8/​using-the-am-tool-start-activities-intens-from-a-shell-t368.html  ​ http://​www.anddev.org/​novice-tutorials-f8/​using-the-am-tool-start-activities-intens-from-a-shell-t368.html  ​
-==== Random MAC ====+ 
 +== Random MAC ==
  
   echo 00:50:`expr $RANDOM % 89 + 10`:`expr $RANDOM % 89 + 10`:`expr $RANDOM % 89 + 10`:`expr $RANDOM % 89 + 10`   echo 00:50:`expr $RANDOM % 89 + 10`:`expr $RANDOM % 89 + 10`:`expr $RANDOM % 89 + 10`:`expr $RANDOM % 89 + 10`
  
-==== Know Your Exploits ==== +== StrongSwan ​== 
- +CA certificate needs to be imported to verify server side of communicationCertificate can be in tis binary form with .pem filename suffix
-  * GingerBreak,​ Exploid, RageAgainstTheCage +
-===== Android source ===== +
- +
-http://​source.android.com/​source/​ +
- +
-===== SEAndroid ===== +
- +
-http://​selinuxproject.org/​page/​SEAndroid +
-===== GPLv2 Android ===== +
- +
-http://​replicant.us/​ +
- +
 ===== Android Open Accessory Development Kit ===== ===== Android Open Accessory Development Kit =====
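Review bot: the new StrongSwan paragraph runs two sentences together ("communicationCertificate") and has a typo ("tis"), and its technical statement is muddled: ".pem" conventionally denotes the Base64 text encoding of a certificate, while the binary form is DER, so "binary form with .pem filename suffix" mixes the two. Suggest "The CA certificate has to be imported so the client can verify the server side of the connection. The certificate can be in DER (binary) or PEM (text) form." and state which of the two the client's import dialog was actually tested with. Separately, the unchanged Random MAC one-liner derives each octet from "expr $RANDOM % 89 + 10", which yields decimal 10..98, so an octet covers only 89 of 256 values and never contains a-f; the fixed "00:50" prefix also leaves the locally-administered bit clear, so the result presents as a globally assigned OUI rather than a self-assigned address (a first octet of "02" would mark it locally administered).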
  
Line 108: Line 215:
 <​note>​Vyzaduje Platform 2.3.3, API Level 10, na Android telefonu</​note>​ <​note>​Vyzaduje Platform 2.3.3, API Level 10, na Android telefonu</​note>​
  
-===== Dropad A8/Heropad =====+===== Dropad A8/​Heropad ​Related ​=====
  
 {{youtube>​29Btnas2He8}} {{youtube>​29Btnas2He8}}
Line 155: Line 262:
   ​   ​
 more info about [[http://​blog.linuxconsulting.ro/​2010/​04/​porting-wifi-drivers-to-android.html|Android WPA supplicant]] more info about [[http://​blog.linuxconsulting.ro/​2010/​04/​porting-wifi-drivers-to-android.html|Android WPA supplicant]]
 +
 +===== Nexus 2012 (grouper/​tilapia) related =====
 +  * [[ http://​dmitry.gr/​index.php?​r=06.%20Thoughts&​proj=04.%20Android%20M%20on%20Grouper | porting to AOSP 6.0]]
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported