Time
3 hours 58 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:00
something that we have a good understanding of the frameworks. Let's dive into security and applications.
00:05
Now. I promised elections almost on after this. It's pretty much all hands on. So have your PM's loaded with RAM and be ready to go.
00:13
All right, So the goal of Android security is to protect the data, isolate users, protect applications, system processes and resource is as well as provide secure inter process communication. Injury does this by implementing controls in the OS and the limits. Colonel
00:30
enforcing application, signing and relying on permissions and access controls throughout the platform. We can really break this up into three components
00:38
clinic system, security applications, security end user security. So let's examine the system, then user security. And then we'll roll into applications security, which is most important to us as Mauer analysts. But before we do just a note because Android implements Lennox security, there's a lot of the internals that
00:56
aren't covered in the course due to its scope.
00:59
But rest assured, I'm going to give you an overview of the features and will point out anything you should note.
01:04
Okay, so the foundation of Android is Lennox, and linens provides android with several key security features. The first of these include user base permissions. This is to insure one user cannot read another user's files. The user permissions insurers process in resource isolation
01:22
in essence, each process and application running its own sandbox.
01:26
This is the application sandbox
01:29
to decide in foresees permissions, Android uses security and Hansel mix. This enforces mandatory access control over all processes, even those running with privileged access. Android also implements permissions on inter process communications. When applications communicate,
01:45
we talk about this a little bit more. One we're discussing applications applications also utilize cryptography by implementing a set of AP eyes for use with applications.
01:55
These include common primitives such as A S, R s, a. D s a and shop. Lastly, Android verified, booed guarantees the integrity of a device by verifying the integrity authenticity of the next stage of the boot loader before executing it. This establishes a full chain of trust, starting from hardware to the loading of the operating system.
02:15
An injured permissions are enforced by two cooperative models.
02:17
The first is inherited and enforced by Lin excusing users in groups. Clinics uses these permissions to enforce access to these files and resource is this is the application sandbox. The other is enforced by the art end Ablett VM by the user when they install an application.
02:36
This defines the apse permissions and limits the applications ability.
02:39
An android the permissions of the file system insure one person cannot read another's files but also creates resource isolation. If the correct permissions are implemented now, only our user A's files not readable by user B, but user A can't exhaust any of user bees. Resource is or devices in vice a versa.
03:00
This is because each application runs us his own user.
03:04
Android also implements the vice control password protections that only does this prevent unauthorized access, but the password is used to protect the cryptographic key for the file system. The last feature Android Implements is the vice administration. This allows users in administrators to implement application level security policies
03:23
and perform promote white procedures,
03:25
the last topic in security. We're going to discuss his application security, But instead of talking about applications security and then the second, the applications will do both at the same time. This will serve us well as Android has built security into their applications
03:39
in This section will also take a closer look at the pieces of the tablet Virtual Machine and other associate ID application service is
03:46
so android applications are typically written in Java, but they now support other languages such as Scotland and go. These applications can also be written in native code, which is then run in the dad like virtual machine in a German application is composed of several files which we'll see next
04:02
that are then packaged together in single file with a dot a P K extension.
04:09
The injured A P K. Has several components, and the basic ones you'll encounter across most environments are seen here. The first item will discuss is the android manifest file. All applications must include this file and there's a lot of information inside. This is really where you want to start performing your mouth or analysis
04:26
the android manifest files going to include information about the additional components we've got listed here, as well as the package name information about any of the external libraries
04:34
and even permissions the manifest files gonna be generated by your development environment. Activity is a main you. Why component of your app? Okay, well, what's that Well, when you touch your APS icon and it starts or you pause it or stop it, these are all controlled through activities. It's basically a single focus thing a user can d'oh
04:55
and then came include things that are happening in the background
04:58
similar to an activity. A service is an application component that on Lee runs in the background. Ah, good example. This is the SMS or Bluetooth, that even if you don't have your SMS app roaming, the service will still allow you to get text messages.
05:11
Okay, so you may be asking yourself. Well, how does the SMS app note that one has arrived? Or how does the email application No to launch the browser when you click a link inside of it? Well, that's where intense commit these air. A key part of inter application communication and intent is a messaging object.
05:28
This is a facility used when an application intends to do something or even interact with another application,
05:33
a similar to intense our broadcast receivers. Broadcast receivers are like intense, but think of it as a generic listener for messages.
05:43
Broadcast receivers are listening to all the inter process communication. If there's a message for the app that's listening than the apple Do something. Ah, good way to think about this is an intent is a message for me as if someone was talking to me directly and broadcast Receiver is a message of waiting for, and once I get it, I'll act.
06:01
For instance,
06:02
if I'm at the airport waiting for my flight to board, I may hear many broadcasted messages throughout the airport before my flight is called. I hear them and simply discard them. When my fly is called, I act by getting into the boarding line
06:15
the application themselves. They run in an application sandbox. This is so that each process and it's re sources are isolated from each other. To do this, the colonel sets in the application sandbox with a unique I. D. The sandbox is quite simple in its enforced by Lennox's process and file permissions. Once the permissions air checked
06:34
access to the resource is granted
06:36
all the code above the software kernel, for example, libraries frameworks run times all occur within the sandbox. As an ad security measure applications air signed to verify the authenticity of the author and to allow for updates of applications aren't sign there rejected by the Google play store or the installer on the device
06:56
as we mentioned Applications Air package into a P K Files.
07:00
But how are they executed in the environment? Well, this is done using the android runtime or dabbling virtual machine when an application is created. First, the Java code is compiled using a job, a C compiler. This creates java bite code. Next, the code is minimized and office skated if required.
07:16
At this stage, the bike code is converted into dabbling by code
07:20
in the form of a dex, file the deck styles and translated into machine code, which is executed in the android runtime environment or dabbling virtual machine.
07:30
So before I move on, you may be thinking to yourself, Android Ron, time Dad, look rich machine What? Why? How? Well, the answer is speed thes environments, their virtual processors, their little machines, handling processes, computations, member management. So on
07:46
the Dabiq virtual machine was introduced because it was supposed to be fast,
07:50
and at the time, maybe it was. But since Android 4.4 Thean droid run time has been used in favor of the Devil virtual machine due to its speed and extended features
08:00
before we move on to application file structure. Let's look at the building clocks that allow applications to communicate. So we already know that applications and processes running their own sandbox, which isolates them in their environment to allow applications to move data between processes they can communicate using UNIX sockets and signals.
08:18
But the preferred method is to use a binder.
08:22
The binder is simply a lightweight mechanism designed to work at high performance while performing in process across process calls.
08:30
The binder is implemented using a custom limits driver that works with the application via the necessary manager. When the need to request data from other processes or applications arises,
08:41
the Davis typically stored within a content provider. Ah content provider is a data storehouse that is available to other applications. For example, the email application needs a contact in the context application databases. To get this information, the email APP would invoke an activity to pause the application. This possibly facilitated by the activity manager
09:01
activity manager would then utilize the binder driver
09:05
to request the data from the content provider and move the data back to the requesting application
09:11
are enteric files or a P. K's are bundled together into an application directory. Theat files a zip file just like our i p A file E p K archive usually contains the files in directories you see here, some of the files my actually look familiar to you. We've discussed the android manifest XML file already.
09:30
This file's required and contains information about our application.
09:33
Also, we have the duck Dex file name classes dot backs. This is our compiled CO that has executed within the runtime environment. We also have the rest directory. This would contain any non code related resource files. The live directory would contain library files and assets would contain assets. This would be used by the asset manager.
09:54
The asset manager is the facility to access. The resource is
09:56
finally we have the certain files. Thes containing a list of hash is for all the A P K contents and the application certificate.
10:05
Okay, so that you've got a pretty good idea of our android applications. We looked at the security and we looked building blocks. We're gonna review the applications structure of an A p. K file. We'll do this using our Callie Lennox environment. You don't to really worry here. All the software we need is installed.
10:24
Will launch command prompt, taken MD five of the file,
10:26
identify it, using the file command, and then we'll decompress it and we'll look at the contents. All right, so just a quick note here. Before we get started in this lab, we can use our Callie limits environment. But typically, when I'm doing some type of reverse engineering or Mao analysis android, I like to use this and Tuco environment,
10:45
but the Santa Kun environment needs a little bit of maintenance, and we're gonna hold off doing that until later.
10:50
So for now you're Callie Lennox. Environ will be perfect. That's got all the tools. They're all updated and it's ready to go.
10:56
All right, so we have our command prompt here. I've already copied at the lab the files over. As you can see, there is a folder on the desktop called Lab Files, and I've navigated to the folder named Exercise, too. So if we take a look at the contents of that directory, we've got two files we've got
11:13
at the a. P. K. And we've got MD five star t x t.
11:18
Okay, So what we'll do first here is taken m b five of the a p k file and compare it to what we've got in MD five. So we could do that using the MD five command like we did last time
11:33
K, and then we will catch the output.
11:43
Okay, there we go. Files do match. So we're working on the right file. That's great. Now let's go ahead and identify the file and using the file command.
11:54
Okay, so it's a zip file, exactly what we're expecting. So let's go ahead and unzip it and look at the contents.
12:09
All right? It looks like it extracted successfully.
12:13
Let's see what we get here.
12:16
Okay, So the application structure should match what we have in our slides, which it does. We've got the android manifest file. We've got the classes dot Dex, we've got the meta i n f older and we've got the rest folder and we've got the resource is file.
12:37
Okay, so let's just clear the screen. Get rid, get some more room here.
12:43
All right,
12:48
So now we can start identifying some files. Let's see, what is Thea Android manifest file type of file. Is that okay? Binary XML data
13:00
type of file is classes that Dex.
13:03
Okay, Dad. Look, Dex, file version 035 And that's what that is. Okay, we could go into the meta folder
13:13
that should contain the certifications. And I'm sorry. That should contain certificates.
13:24
Yeah, which it does. You can see that we've got the certificates there, and then we've got the android X files. Those are just files left over from my development environment. Amusing jetpacks. Oh, that's that's some artifacts there.
13:39
See what the
13:43
sir files are certain. Arcee is probably data.
13:48
Yep. Data.
13:56
Okay, we got asking text in the manifest file. Okay, we go back out,
14:01
we can go into the
14:05
resource is folders.
14:11
All right? I've got lots of folders here. Let's go into the layout.
14:16
What we got in there?
14:20
Who? We got some other XML files.
14:24
Okay, let's go back a little bit.
14:30
Okay, so let's read the android manifest file. How about that? So let's catch the output of that, or let's open it up. It's an X amount for it's an XML file. Right? So let's open it up in a text. Editor.
14:48
Ooh, Look at that
14:52
what's happening here? Well, this is expected because when we unzip the AP K, it doesn't decode a the data. So we can't look at the actual files that are binary data. We're gonna have to use a different tool for that *** tight during the static analysis section, we're gonna get to it.
15:09
All right. In that brief exercise, we took a look at AP case and we know they're in the zip format and we took a look at the directory structure. We have the Android XML file, which of course, is required in every a p k.
15:22
And then, curiously, there's some files in binary format that are going to need some further tools to look at the contents. Also, we have the classes that Dex file these get executed in our android run time and are dabbling BM.
15:35
And the whole purpose of this exercise is just to get you familiar with what files you're gonna be seeing and interacting with when we start doing some more of the malware analysis exercises

Up Next

Mobile Malware Analysis Fundamentals

In the Mobile Malware Analysis Fundamentals course, participants will obtain the knowledge and skills to perform basic malware analysis on mobile devices. Participants will perform these tasks by learning and implementing tools and techniques while examining malicious programs.

Instructed By

Instructor Profile Image
Brian Rogalski
CEO of Hexcapes
Instructor