Description: Milan Gabor is a Founder and CEO of Viris, Slovenian company specialized in information security. He is security professional, pen-tester and researcher. At DeepSec 2014 Danijel Grah and Milan talked about the Android system and a way to create a platform on Android to analyse applications.
„Number of mobile applications is rising and Android still holds large market share. As these numbers of applications grow, we need better tools to understand how applications work and to analyze them. There is always a question if we can trust mobile applications to do only that they are allowed to do and if they are really secure when transmitting our personal information to different servers. Sometimes when communication between mobile application and server is encrypted we have hard time to decrypt it to understand how things actually work. So we need to find new method or even tools to make our lives as security testers much easier and to achieve better results. In the presentation some runtime techniques will be discussed and a tool will be presented that offers two approaches to analyze Android applications. Basic principle of first approach is injecting small piece of code into APK and then connect to it and use Java Reflection to runtime modify value, call methods, instantiate classes and create own scripts to automate work. This method is possible with little knowledge and it even works on non-rooted Android devices. The second approach offers much the same functionality, but can be used without modifying an application. It uses Dynamic Dalvik Instrumentation to inject code at runtime so that modifying of APK's isn't necessary. In this case Android JNI is used to hook some methods and then to inject our code at runtime without modification of APK packages. And this method is new method based on some research in this area lately. Tool is Java based and simple to use, but offers quite few new possibilities for security engineers and pentesters and eases a process of analyzing mobile applications. It offers new possibilities to see, evaluate or even change internal variables an in this way opens news horizon of evaluating security of mobile applications. With help of this tool we can also create really simple cheating platform as a side effect and this will be demonstrated at the end.“
For More Information Please Visit:- https://www.deepsec.net/
Tags:
Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.