The real incident of stealing a droid app+data

Download as PPTX, PDF

•0 likes•1,093 views

The presentation by Akash Mahajan and Ankur Bhargava at Droidcon Bangalore 2012 details their experience of successfully extracting and analyzing a stolen Android application and its encrypted data on a rooted device. They emphasize the importance of securing encryption keys and provide recommendations for improving device security. The talk showcases common vulnerabilities and the challenges faced in protecting sensitive data from being exploited.

Technology

The Real Incident of
Stealing
a Droid App & Data

Akash Mahajan and Ankur Bhargava @ DroidCon Bangalore 2012

What we stole

The Android Application Package File

All the encrypted files found in the
external storage

© Akash Mahajan DroidCon Bangalore 2012 2

Not only we successfully
the app + data we
it on another
device which was rooted

© Akash Mahajan DroidCon Bangalore 2012 3

Them devs made it more secure?

A device ID check was added

We reversed the applications added our
device ID and compiled it again.

Able to execute again, yay!

© Akash Mahajan DroidCon Bangalore 2012 4

We had written
permission to
steal!

© Akash Mahajan DroidCon Bangalore 2012 6

All your data are belong to us

All the encrypted data was with us

We didn’t have the encryption key

But we had the device with the key in
internal storage

© Akash Mahajan DroidCon Bangalore 2012 7

GONE IN 300 SECONDS

Android Backup API using Android Debug
Bridge because we had the package name.

ADB pull command, YAY!

> adb pull <remote> <local>

© Akash Mahajan DroidCon Bangalore 2012 8

DISCLAIMER

It is not Rocket
Science

Simple common
security testing
© Akash Mahajan DroidCon Bangalore 2012 9

The Simple Hack

We knew find an exploit to root the device
might take some time and skill

Application written for the same version of
Android will run in all devices

© Akash Mahajan DroidCon Bangalore 2012 10

If the device having the
application can’t be
rooted, let us take the
application to the rooted
device.
© Akash Mahajan DroidCon Bangalore 2012 11

The Simple Hack

Once copied to the rooted device we could see
what the application was doing using DDMS.

Dalvik Debug Monitor Server provides among
other things process information about apps
running on a device connected in USB debug
mode.

© Akash Mahajan DroidCon Bangalore 2012 12

The key to everything
In this particular case, the encryption key was
required to decrypt the data.

We didn’t have file permissions to reach the key.

We decided not to go after the key. We weren’t
being paid enough for that.

© Akash Mahajan DroidCon Bangalore 2012 13

The Encryption Conundrum

If you give away your device, the only way you
can ensure safety of the data is by ensuring that
the symmetric encryption key isn’t stolen.

At any given point depending on the application
the key might be available in memory, temp
file/storage or on the chip itself.

© Akash Mahajan DroidCon Bangalore 2012 14

The Encryption Conundrum

But because the device is with the thieves, they
have all the time in the world to find it.

If nothing works, they can always break open
the device and steal the key from the storage.

© Akash Mahajan DroidCon Bangalore 2012 15

FREE CONSULTING /Checklist

Disable USB debugging port

Disable USB itself

Don’t give internet access in the device.

Obfuscate the source code.

Provide a unique key for each device.
© Akash Mahajan DroidCon Bangalore 2012 16

SUCCESS KIDZ

Client felt assured about their device security

Dev had a more secure solution

We get to pretend that we are Android security
experts. We are not, just love the challenge.

© Akash Mahajan DroidCon Bangalore 2012 17

WANTED
DROID CHORS

@ankurbhargava87 @makash

© Akash Mahajan DroidCon Bangalore 2012 18

More Related Content

PPTX

From Zero to DevSecOps: How to Implement Security at the Speed of DevOps WhiteSource

PDF

DevSecOps: A New Hope for Security in CI/CDFranklin Mosley

PDF

Tackling the Container Iceberg:How to approach security when most of your sof...WhiteSource

PDF

Scale DevSecOps with your Continuous Integration PipelineDevOps.com

PPTX

Google Glass - An Intro presentation to conduct code lab events.getdinesh

PPTX

Defining DevSecOpsUchit Vyas ☁

PDF

DevSecOps Singapore 2017 - Security in the Delivery PipelineJames Wickett

PDF

DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon

From Zero to DevSecOps: How to Implement Security at the Speed of DevOps WhiteSource

DevSecOps: A New Hope for Security in CI/CDFranklin Mosley

Tackling the Container Iceberg:How to approach security when most of your sof...WhiteSource

Scale DevSecOps with your Continuous Integration PipelineDevOps.com

Google Glass - An Intro presentation to conduct code lab events.getdinesh

Defining DevSecOpsUchit Vyas ☁

DevSecOps Singapore 2017 - Security in the Delivery PipelineJames Wickett

DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon

What's hot (17)

PDF

Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...Consulthinkspa

PDF

DevSecOps The Evolution of DevOpsMichael Man

PDF

Release Your Inner DevSecOpJames Wickett

PDF

Empowering Financial Institutions to Use Open Source With ConfidenceWhiteSource

PDF

Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...SecureSoftwareDevOn SecureSoftwareDevOn

PDF

The New Security Playbook: DevSecOpsJames Wickett

PPTX

(Isc)² secure johannesburg Tunde Ogunkoya

PPTX

Practical DevSecOps Using Security InstrumentationVMware Tanzu

PDF

Maturing DevSecOps: From Easy to High ImpactSBWebinars

PDF

Meningkatkan SOC dan Reusabillity Kode dengan Duo DI - Sidiq Permana (CIO Nus...DicodingEvent

PDF

10 Myth of DevSecOpsDevOps Indonesia

PDF

Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your RiskWhiteSource

PDF

NewOps Days 2019: The New Ways of Chaos, Security, and DevOpsJames Wickett

PDF

DefCamp 2013 - Android hacking techniquesDefCamp

PDF

Security in the FaaS LaneJames Wickett

PPTX

DevSecOps Days SF at RSA Conference 2018DevSecOps Days

PPTX

Benefits of DevSecOpsFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS

Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...Consulthinkspa

DevSecOps The Evolution of DevOpsMichael Man

Release Your Inner DevSecOpJames Wickett

Empowering Financial Institutions to Use Open Source With ConfidenceWhiteSource

Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...SecureSoftwareDevOn SecureSoftwareDevOn

The New Security Playbook: DevSecOpsJames Wickett

(Isc)² secure johannesburg Tunde Ogunkoya

Practical DevSecOps Using Security InstrumentationVMware Tanzu

Maturing DevSecOps: From Easy to High ImpactSBWebinars

Meningkatkan SOC dan Reusabillity Kode dengan Duo DI - Sidiq Permana (CIO Nus...DicodingEvent

10 Myth of DevSecOpsDevOps Indonesia

Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your RiskWhiteSource

NewOps Days 2019: The New Ways of Chaos, Security, and DevOpsJames Wickett

DefCamp 2013 - Android hacking techniquesDefCamp

Security in the FaaS LaneJames Wickett

DevSecOps Days SF at RSA Conference 2018DevSecOps Days

Benefits of DevSecOpsFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS

Similar to The real incident of stealing a droid app+data (20)

PPTX

Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016Rizal Aditya

PDF

Putting real feeling into Android AppsPeter van der Linden

PDF

Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha

PDF

Getting started with Android pentestingMinali Arora

PDF

Securing Android ApplicationsInfosys

PPTX

Getting started with androidVandana Verma

DOCX

Android_Studio_Structure.docxKNANTHINIMCA

PDF

Building Custom Android Malware BruCON 2013Stephan Chenette

PDF

MobSecCon 2015 - Dynamic Analysis of Android AppsRon Munitz

PPTX

From Reversing to ExploitationSatria Ady Pradana

PDF

Securing User Data with SQLCipherCommonsWare

PDF

YuryMakedonov_TesTrek2013_AndroidTesting_12u_slidesYury M

PDF

Droidcon it-2014-marco-grassi-viaforensicsviaForensics

PPTX

Secure Android Apps- nVisium SecurityJack Mannino

PDF

Android installation & configuration, and create HelloWorld ProjectRakesh Jha

PDF

TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...tdc-globalcode

PDF

Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Márcio Rosa

PDF

Android_Malware_IOAsis_2014_Analysis.pdfjjb117343

PPTX

From Reversing to Exploitation: Android Application Security in EssenceSatria Ady Pradana

PDF

Android tio manualiamkimberlybruno

Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016Rizal Aditya

Putting real feeling into Android AppsPeter van der Linden

Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha

Getting started with Android pentestingMinali Arora

Securing Android ApplicationsInfosys

Getting started with androidVandana Verma

Android_Studio_Structure.docxKNANTHINIMCA

Building Custom Android Malware BruCON 2013Stephan Chenette

MobSecCon 2015 - Dynamic Analysis of Android AppsRon Munitz

From Reversing to ExploitationSatria Ady Pradana

Securing User Data with SQLCipherCommonsWare

YuryMakedonov_TesTrek2013_AndroidTesting_12u_slidesYury M

Droidcon it-2014-marco-grassi-viaforensicsviaForensics

Secure Android Apps- nVisium SecurityJack Mannino

Android installation & configuration, and create HelloWorld ProjectRakesh Jha

TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...tdc-globalcode

Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Márcio Rosa

Android_Malware_IOAsis_2014_Analysis.pdfjjb117343

From Reversing to Exploitation: Android Application Security in EssenceSatria Ady Pradana

Android tio manualiamkimberlybruno

More from Akash Mahajan (17)

PDF

On Writing Well - A talk given at WinjaBlogs SessionAkash Mahajan

PDF

App sec in the time of docker containersAkash Mahajan

PPTX

Venom vulnerability Overview and a basic demoAkash Mahajan

PPTX

Security in the cloud Workshop HSTC 2014Akash Mahajan

ODP

INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-thereAkash Mahajan

PPTX

Believe It Or Not SSL AttacksAkash Mahajan

PPTX

I haz your mouse clicks and key strokesAkash Mahajan

PPTX

Hackers versus Developers and Secure Web ProgrammingAkash Mahajan

PPTX

Secure HTTP Headers c0c0n 2011 Akash MahajanAkash Mahajan

PPTX

Php securityAkash Mahajan

PPTX

Secure passwords-theory-and-practiceAkash Mahajan

PDF

Top 10 web application security risks akash mahajanAkash Mahajan

PDF

Web application securityAkash Mahajan

PPTX

Web application securityAkash Mahajan

PPTX

Web application securityAkash Mahajan

PPTX

Secure Programming In PhpAkash Mahajan

PPT

Startups SecurityAkash Mahajan

On Writing Well - A talk given at WinjaBlogs SessionAkash Mahajan

App sec in the time of docker containersAkash Mahajan

Venom vulnerability Overview and a basic demoAkash Mahajan

Security in the cloud Workshop HSTC 2014Akash Mahajan

INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-thereAkash Mahajan

Believe It Or Not SSL AttacksAkash Mahajan

I haz your mouse clicks and key strokesAkash Mahajan

Hackers versus Developers and Secure Web ProgrammingAkash Mahajan

Secure HTTP Headers c0c0n 2011 Akash MahajanAkash Mahajan

Php securityAkash Mahajan

Secure passwords-theory-and-practiceAkash Mahajan

Top 10 web application security risks akash mahajanAkash Mahajan

Web application securityAkash Mahajan

Secure Programming In PhpAkash Mahajan

Startups SecurityAkash Mahajan

Recently uploaded (20)

PPTX

ChatGPT's Deck on The Enduring Legacy of Fax MachinesGreg Swan

PDF

CIFDAQ's Token Spotlight: SKY - A Forgotten Giant's Comeback?CIFDAQ

PPTX

The-Ethical-Hackers-Imperative-Safeguarding-the-Digital-Frontier.pptxsujalchauhan1305

PPTX

How to Build a Scalable Micro-Investing Platform in 2025 - A Founder’s Guide ...Third Rock Techkno

PPTX

cloud computing vai.pptx for the projectvaibhavdobariyal79

PDF

Using Anchore and DefectDojo to Stand Up Your DevSecOps FunctionAnchore

PDF

Event Presentation Google Cloud Next Extended 2025minhtrietgect

PDF

Make GenAI investments go further with the Dell AI Factory - InfographicPrincipled Technologies

PDF

Oracle AI Vector Search- Getting Started and what's new in 2025- AIOUG Yatra ...Sandesh Rao

PDF

Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...Sandesh Rao

PDF

Google I/O Extended 2025 Baku - all pptsHusseinMalikMammadli

PDF

GYTPOL If You Give a Hacker a Hostlinda296484

PDF

Software Development Methodologies in 2025KodekX

PDF

How-Cloud-Computing-Impacts-Businesses-in-2025-and-Beyond.pdfArtjoker Software Development Company

PDF

How Onsite IT Support Drives Business Efficiency, Security, and Growth.pdfCaptain IT

PDF

CIFDAQ's Teaching Thursday: Moving Averages Made SimpleCIFDAQ

PDF

Cloud-Migration-Best-Practices-A-Practical-Guide-to-AWS-Azure-and-Google-Clou...Artjoker Software Development Company

PDF

Software Development Company | KodekXKodekX

PDF

Automating ArcGIS Content Discovery with FME: A Real World Use CaseSafe Software

PDF

Building High-Performance Oracle Teams: Strategic Staffing for Database Manag...SMACT Works

ChatGPT's Deck on The Enduring Legacy of Fax MachinesGreg Swan

CIFDAQ's Token Spotlight: SKY - A Forgotten Giant's Comeback?CIFDAQ

The-Ethical-Hackers-Imperative-Safeguarding-the-Digital-Frontier.pptxsujalchauhan1305

How to Build a Scalable Micro-Investing Platform in 2025 - A Founder’s Guide ...Third Rock Techkno

cloud computing vai.pptx for the projectvaibhavdobariyal79

Using Anchore and DefectDojo to Stand Up Your DevSecOps FunctionAnchore

Event Presentation Google Cloud Next Extended 2025minhtrietgect

Make GenAI investments go further with the Dell AI Factory - InfographicPrincipled Technologies

Oracle AI Vector Search- Getting Started and what's new in 2025- AIOUG Yatra ...Sandesh Rao

Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...Sandesh Rao

Google I/O Extended 2025 Baku - all pptsHusseinMalikMammadli

GYTPOL If You Give a Hacker a Hostlinda296484

Software Development Methodologies in 2025KodekX

How-Cloud-Computing-Impacts-Businesses-in-2025-and-Beyond.pdfArtjoker Software Development Company

How Onsite IT Support Drives Business Efficiency, Security, and Growth.pdfCaptain IT

CIFDAQ's Teaching Thursday: Moving Averages Made SimpleCIFDAQ

Cloud-Migration-Best-Practices-A-Practical-Guide-to-AWS-Azure-and-Google-Clou...Artjoker Software Development Company

Software Development Company | KodekXKodekX

Automating ArcGIS Content Discovery with FME: A Real World Use CaseSafe Software

Building High-Performance Oracle Teams: Strategic Staffing for Database Manag...SMACT Works

The real incident of stealing a droid app+data

1. The Real Incident of Stealing a Droid App & Data Akash Mahajan and Ankur Bhargava @ DroidCon Bangalore 2012

2. What we stole The Android Application Package File All the encrypted files found in the external storage © Akash Mahajan DroidCon Bangalore 2012 2

3. Not only we successfully the app + data we it on another device which was rooted © Akash Mahajan DroidCon Bangalore 2012 3

4. Them devs made it more secure? A device ID check was added We reversed the applications added our device ID and compiled it again. Able to execute again, yay! © Akash Mahajan DroidCon Bangalore 2012 4

5. THE DROID JOB A standard Chinese made Tablet running Android 4.0 (Indian Brand) The application contained encrypted data along with other resources. © Akash Mahajan DroidCon Bangalore 2012 5

7. All your data are belong to us All the encrypted data was with us We didn’t have the encryption key But we had the device with the key in internal storage © Akash Mahajan DroidCon Bangalore 2012 7

8. GONE IN 300 SECONDS Android Backup API using Android Debug Bridge because we had the package name. ADB pull command, YAY! > adb pull <remote> <local> © Akash Mahajan DroidCon Bangalore 2012 8

10. The Simple Hack We knew find an exploit to root the device might take some time and skill Application written for the same version of Android will run in all devices © Akash Mahajan DroidCon Bangalore 2012 10

11. If the device having the application can’t be rooted, let us take the application to the rooted device. © Akash Mahajan DroidCon Bangalore 2012 11

12. The Simple Hack Once copied to the rooted device we could see what the application was doing using DDMS. Dalvik Debug Monitor Server provides among other things process information about apps running on a device connected in USB debug mode. © Akash Mahajan DroidCon Bangalore 2012 12

13. The key to everything In this particular case, the encryption key was required to decrypt the data. We didn’t have file permissions to reach the key. We decided not to go after the key. We weren’t being paid enough for that. © Akash Mahajan DroidCon Bangalore 2012 13

14. The Encryption Conundrum If you give away your device, the only way you can ensure safety of the data is by ensuring that the symmetric encryption key isn’t stolen. At any given point depending on the application the key might be available in memory, temp file/storage or on the chip itself. © Akash Mahajan DroidCon Bangalore 2012 14

15. The Encryption Conundrum But because the device is with the thieves, they have all the time in the world to find it. If nothing works, they can always break open the device and steal the key from the storage. © Akash Mahajan DroidCon Bangalore 2012 15

16. FREE CONSULTING /Checklist Disable USB debugging port Disable USB itself Don’t give internet access in the device. Obfuscate the source code. Provide a unique key for each device. © Akash Mahajan DroidCon Bangalore 2012 16

17. SUCCESS KIDZ Client felt assured about their device security Dev had a more secure solution We get to pretend that we are Android security experts. We are not, just love the challenge. © Akash Mahajan DroidCon Bangalore 2012 17