Open source reverse engineering suite and static code scanner showcased at virtual hacking conference

Black Hat 2020 - Android app hunting scanners showcased

UPDATED Android apps can be probed comprehensively for known security vulnerabilities without being fooled by code obfuscation techniques, attendees at Black Hat Asia heard yesterday.

Adhrit, an APK reversing and analysis suite, scans Android applications “for vulnerable code patterns in the bytecode rather than the Java or source code”, the open source project’s lead, Abhishek J M, told virtual attendees.

As a result, the application’s search for tell-tale vulnerability patterns is “immune to usual code obfuscation techniques”, he added.

Adhrit was one of two security tools that scan Android apps for security flaws to be showcased on day one of the Black Hat Asia Arsenal sessions this week.

One-stop shop

Developed for Indian credit card payment app CRED, Adhrit performs bytecode analysis based on Ghera benchmarks, automated ADB payload generation for exported activities, and reconnaissance for embedded URLs, API keys, and native library strings.

“The idea was to come up with a lightweight, easy-to-set-up tool that would be a one-stop for all things Android Security,” said Abhishek, an application security engineer at CRED.

More specifically, CRED’s development team wanted an application that could “scan for vulnerable code patterns at the source code level” in order to “provide an overview of what lies under the hood” and to identify “the root causes of a lot of problems”.

They also wanted to map “the major components of the application”, which could reveal, for example, “whether the application is storing data on the device, if it is using SQL databases, or using shared preferences.”

Finally, the tool should have the capacity to scan “for hardcoded secrets embedded in the app.”

Speaking to The Daily Swig in the wake of his presentation, Abhishek said he was unsure the team could “pull off” the bytecode analysis since “Android uses smali bytecode” and they could only find “one smali parser called Smalisca”.

Manually “identifying patterns for various vulnerable implementations in Java and how they translate to smali bytecode” for “every vulnerable code implementation” also posed a fiendish challenge.

“Fortunately, we could automate and cover checks for a fairly good number of vulnerabilities.”

Ghera benchmarks

“One of the pros” of using the Ghera benchmarks (PDF), which document known Android security flaws for the benefit of developers, pen testers, and security researchers, “is that it covers issues even on recent Android versions and every issue is well documented,” said Abhishek.

Each of the 61 known Android vulnerabilities so far included in Ghera’s open source repository “has a vulnerable app, a corresponding malicious app which exploits that particular vulnerability, and a secure app that has patched that issue”.

The security flaws are assigned to categories – web, storage, networking, crypto, and Inter-Component Communication (ICC) bugs – and classified “based on various factors like the attack surface, the exploitability of the attack, the severity of the affected components, etc”, said the speaker.

Use cases

Abhishek suggests two use cases for the tool.

“Database used to store relational data on the device will reflect in the bytecode analysis results since the tool scans for usages of SQLite DBs,” he explains. The user can then check for “content providers defined for that activity” that “can be exploited to get access to the DB”.

Second, if JavaScript is “enabled on a WebView from the bytecode scan results and then we see deeplinks in the manifest analysis results, this narrows down our approach and helps take quicker, well-informed decisions because now we can check if the deeplink could be exploited to access the JS interface”.
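The second use case, sketched as an added example (not Adhrit's code or output): it correlates BROWSABLE deeplink activities from a decoded manifest with WebView calls found in smali, matching on framework API signatures that identifier renaming leaves untouched. The manifest, smali and class names are constructed samples, and the sketch assumes the WebView code sits in the activity class itself.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
SET_JS = "Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V"
ADD_IFACE = "Landroid/webkit/WebView;->addJavascriptInterface("
CONST = re.compile(r"^const(?:/\w+)? (\w+), (-?0x[0-9a-f]+)")
CALL = re.compile(r"^invoke-\w+ \{(.*?)\}, (\S+)")
# Constructed samples: app classes are obfuscated (a.b.c), framework names are not.
ACT = ('<activity android:name="{}"><intent-filter><category android:name='
       '"android.intent.category.BROWSABLE"/><data android:scheme="{}"/></intent-filter></activity>')
MANIFEST = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"><application>'
            + ACT.format("a.b.c", "exampleapp") + ACT.format("a.b.d", "examplepay")
            + "</application></manifest>")
SMALI = {
    "a.b.c": "const/4 v1, 0x1\ninvoke-virtual {v0, v1}, " + SET_JS
             + "\ninvoke-virtual {p0, v2, v3}, " + ADD_IFACE + "Ljava/lang/Object;Ljava/lang/String;)V",
    "a.b.d": "const/4 v1, 0x0\ninvoke-virtual {v0, v1}, " + SET_JS,
}

def deeplink_schemes(manifest):
    """Map activity name -> URI schemes exposed through BROWSABLE intent filters."""
    out = {}
    for act in ET.fromstring(manifest).iter("activity"):
        for flt in act.iter("intent-filter"):
            cats = {c.get(NS + "name") for c in flt.iter("category")}
            schemes = [d.get(NS + "scheme") for d in flt.iter("data") if d.get(NS + "scheme")]
            if "android.intent.category.BROWSABLE" in cats and schemes:
                out.setdefault(act.get(NS + "name"), []).extend(schemes)
    return out

def webview_findings(smali):
    """Track const registers so that setJavaScriptEnabled(false) is not flagged."""
    regs, found = {}, set()
    for line in map(str.strip, smali.splitlines()):
        if m := CONST.match(line):
            regs[m.group(1)] = int(m.group(2), 16)
        elif m := CALL.match(line):
            args, target = m.group(1).split(", "), m.group(2)
            if target == SET_JS and regs.get(args[-1]) == 1:
                found.add("js_enabled")
            elif target.startswith(ADD_IFACE):
                found.add("js_interface")
    return found

def triage(manifest, smali):
    """List deeplink activities whose bytecode turns JavaScript on in a WebView."""
    scans = ((c, s, webview_findings(smali.get(c, ""))) for c, s in deeplink_schemes(manifest).items())
    return [(c, s, sorted(f)) for c, s, f in scans if "js_enabled" in f]
```

Only `a.b.c` is reported: `a.b.d` also has a deeplink, but its bytecode passes `0x0` to `setJavaScriptEnabled`, so it drops out of the review queue.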

The security engineer said future updates would include a dashboard with wider vulnerability benchmarks coverage, secure code refactoring recommendations for vulnerable implementations, a search and retrieve function for previous scan results, PDF report printouts, Slack/Jira integrations, scans for app changelogs between versions/builds, and selective scanning based on user preferences.

Static analysis tool

Later on in the Arsenal schedule at Black Hat Asia this week, a quartet of security engineers showcased a ‘static application scanning tool’ – or SAST – which they claimed could cost-effectively achieve a low rate of false positives.

Thanks to the application’s “static taint analysis engine”, the team was able to “cover most vulnerabilities occurring in Android APKs,” attendees heard.

The speakers contend that tools with both dynamic and static scanning functions are typically plagued by false positives. And even those that achieve a higher accuracy only do so at the cost of being unwieldy and expensive to maintain.

In contrast, SAST, claim its developers, boasts a simple architecture, is easy to use and inexpensive to maintain, and is highly accurate despite lacking the capacity for dynamic scans.

The tool leverages Androguard, a customizable open source tool and Python library for reverse engineering Android applications.

Vulnerability patterns can be added easily as new security flaws emerge, claims the project team.

The security engineers told Black Hat attendees that, using SAST, they had already uncovered and reported several potential security vulnerabilities to some of the most popular applications available in Google Play, including a path traversal and SQL injection vulnerability on one hugely popular app.

The speakers were Todd Han and Lilang Wu from Sangfor Technologies, Lance Jiang from TopSec, and Junzhi Liu from Trend Micro.

This article was updated with the addition of comments from Abhishek J M on October 6.
