Android Security Journey blog series: Introduction
This post summarizes a year of learning, using Chinese New Year as the milestone; the period covered runs from January 1, 2015 to today.
First of all, I must thank my predecessors for their books and high-quality blogs.
1. I re-read Mao Decao's book Linux Kernel Source Code Scenario Analysis, worked through it hands-on, recorded the learning process, and wrote it up on the blog.
2. I re-studied Luo Shengyang's Android System Source Code Scenario Analysis and recorded the entire process from system startup to the Home screen.
3. I studied the source code of a small Java virtual machine, debugged and fixed the errors in the source, and finally got it running. See https://github.com/cloudsec/ajvm for details.
4. I learned how the Dalvik virtual machine works, following Lao Luo's blog series, listed below:
1) Brief introduction to and learning plan for the Dalvik virtual machine.
2) Analysis of the startup process of the Dalvik virtual machine.
3) Analysis of the running process of the Dalvik virtual machine.
4) Analysis of the registration process of Dalvik virtual machine JNI methods.
5) Analysis of the creation process of Dalvik virtual machine processes and threads.
6) Brief introduction to and learning plan for the Dalvik virtual machine garbage collection mechanism.
7) Analysis of the Java heap creation process of the Dalvik virtual machine.
8) Analysis of how the Dalvik virtual machine allocates memory for newly created objects.
There is also Mr. Deng's recent book, Deep Understanding of the Dalvik Virtual Machine. It is best to read Lao Luo's articles before Mr. Deng's: Lao Luo's series is systematic, while Deng's is a condensed summary of the virtual machine that is not easy to understand on its own.
To understand the Dalvik virtual machine, it is best to first understand the Java virtual machine. However, the JVM books on the market do not go into the source code and are useless for this purpose, so I recommend the small JVM implemented on GitHub (linked above); for a blog that explains its code, see http://club.alibabatech.org/article_detail.htm?ArticleId=6.
My approach to learning is to read source code more and theory less. This may be a good way for beginners to learn; experts generally prefer the theory, and when they read the theory the code forms in their minds.
5. I studied Android security and wrote several articles on Android security mechanisms and decompilation.
6. The next item is the focus of this post. I have not updated my blog since the 11th; during this time I have been studying Android security, and I plan to share my recent research results over the next three weeks. Here is an outline, to guide the subsequent posts.
Each of the following titles will be written up as an independent blog post. All posts come with source code.
Android Reverse Analysis
0x00
I studied the principles of Android packing (reinforcement). Most articles online only provide source code; refer to "Apk reinforcement (shelling) Principle in Android" for the analysis and implementation, but they do not explain why it works. From the perspective of the system source code, I analyze the principle behind common packers, using the Android 2.3 source.
0x01
When we analyzed the Ali packer, we found that it did not involve the Java layer code at all, so the core of the packer must be written in the native layer. In this post I move the whole packing program to the native layer through JNI, run it successfully on the Android 2.3 emulator, and publish the source code.
0x02
Describes the principles of DexClassLoader and PathClassLoader. Both adb install and dex loading at automatic startup go through PathClassLoader; dynamic packing uses DexClassLoader.
Explains the whole process above, including dex optimization. Simple unpacking is all done by setting a breakpoint on dvmDexFileOpenPartial; combined with the following article, you can see why the breakpoint is set in this function.
0x03
This article describes dex file optimization: the dex file is parsed into a DexFile, and its data is loaded as ClassObject at runtime, which is the final running form. It is explained based on the Android 2.3 source code.
0x04
This section describes how to tamper with bytecode while the Dalvik virtual machine is running. For details, refer to "Implementation of APK self-protection: self-tampering Dalvik instructions at runtime".
0x05
Alibaba's packer uses a technique against dex decompilation: the methods you see have been replaced with throw exception(). How is this done, and how can it be repaired dynamically at runtime? In this article I give some pointers, change one method to throw exception(), and repair it dynamically at runtime. All the code will be on GitHub.
0x06
Describes DexHunter, an open-source unpacking tool. Refer to "Creating our own unpacking artifact in the Android runtime". This gives a deeper understanding of the Dalvik virtual machine execution process. It comes down to one figure:
0x07
Using IDA for static and dynamic debugging of .so files; there are many such articles online. Everyone has a different way of setting a breakpoint in init_array; one of the most efficient is in "Seven weapons of Android dynamic debugging". Besides dynamic debugging of the .so, we also need to analyze the call stack of .so functions, which makes the ARM assembly in the .so easy to understand.
0x08
Describes common native anti-debugging methods and explains how to modify the .so to remove them.
0x09
Two ways to dynamically debug the smali source of a dex with IDA: decompile the apk and debug the smali in Eclipse, or use IDA directly to debug the dex.
0x0a
Describes common anti-decompilation methods, such as verifying the signature and checking the run mode or whether the app is running on an emulator (VM). This code may be at the Java layer or the native layer.
0x0b
This section describes how to dynamically analyze a program's execution by injecting log statements or call-stack dumps into the smali.
0x0c
Explains .so packing: one approach packs a section, the other packs a function. Refer to "Android reverse journey: so reinforcement based on section encryption technology" and "Android reverse journey: so reinforcement based on function encryption technology".
0x0d
Explains .so injection and hooking via the GOT table in C/C++. Refer to "so injection and hook, for both x86 and ARM in Android".
0x0e
For more information about dex injection, see dex injection.
0x0f
Explains Java interception (hooking). The simplest form is replacement, which we see in the packing program. Another way is through the Dalvik virtual machine: if we change a Java method into a native method and set its nativeFunc pointer to a custom function, we can intercept it; for more information, see "Inject Android processes and hook the Java world".
0x10
Explains the process from System.loadLibrary to the execution of init_array.
Android App Vulnerability Mining
Security vulnerabilities from exported components
Content Provider file directory traversal vulnerability
AndroidManifest.xml configuration security detection
Intent hijacking risk security detection
Data storage security detection
WebView high-risk interface security detection: WebView high-risk interface vulnerabilities, with exploitation code and detailed explanation.
Denial-of-service attack security detection
WebView plaintext password storage vulnerability
Misuse of random number generation functions
WebView certificate validation vulnerabilities (certificates not checked)
Man-in-the-middle attack vulnerability: includes the vulnerable code and a detailed explanation.
Dex loading from sdcard vulnerability
Risk of Activity hijacking
File cross-origin access: WebView cross-origin file access, with exploitation code and detailed explanation.
Open ports: mainly analyzes Baidu Map and AMap, demonstrating the actual effect with code. By decompiling the smali, we analyze why the exploitation code must be written the way it is.
Plaintext storage and transmission
Android System Vulnerabilities
0x00
Explains the Linux side first. For more information, see ROP_x86.
0x01
Explains the following topics on Android: ROP, DEP, ASLR, and information leaks. For more information, see android-arm-32-bit and android-arm.
0x02
Explains CVE-2014-7911: the Dalvik heap spray and the decompiled C++ code after the use. References: "CVE-2014-7911 Android Elevation of Privilege Vulnerability Analysis", followed by "On the CVE-2014-7911 Android serialization vulnerability".
0x03
This section describes how to discover and exploit the heap corruption vulnerability caused by an integer overflow in the Android libcutils library. The exploit code is complex, so only part of the vulnerability is described.
The actual posts may deviate from this outline, as I am still learning. Comments are welcome, and I will reply carefully to every one.