A Practical Approach to Android Mobile Application Security

: In parallel to rapid developments in computer technology, the number of mobile applications developed for the devices also increases. Mobile applications make life easier, but also bring some risks. These applications may create some weaknesses due to mistakes in the app development or use phase. In this study, a sample security test was performed for mobile application security awareness. This paper related to phising attacks to Android mobile users and data storage security on Android device. The sample mobile application has been decompiled. The malicious code was injected into the sample app. After the code was injected into the sample banking application developed, the user interface was modified. In addition, when the application is open, the user's credit card information is requested. After the user fills information, the credit card information is sent to a different phone number (attacker’s phone number) through an SMS. The mobile user is at risk of stealing sensitive information. This study also shows that the data stored in the device can be accessed through the Android Debug Bridge (ADB) shell commands. As a result, this paper shows that the application developer should be more careful during the development phase and the device user should be more careful during the use phase.


Introduction
Depending on the advancement of technology, the use of smart devices such as phones and tablets is rapidly increasing.Digital marketing agency We Are Social provides detailed information about mobile device usage.The report states that more than five billion people use mobile devices in the world [1].The usage rates of operating systems can be displayed interactively on the official website of Kantar Worldpanel [2].As seen in the reports, the most used operating system is the Android operating system.Therefore, in this study, the Android mobile operating system was preferred.In the study "Android Applications and Security Breach" [3] some types of cyber attacks and mobile threats that attackers perform to steal user information are described.In addition, the Remote Access Trojan example that called Dendroid was analyzed.In the study "Android Malware Detection & Protection: A Survey" [4], malware applications on Android are described.In the paper that called "An Enhanced Security Framework for Reliable Android Operating System" [5], an increase in the number of applications installed as malware in the Android operating system has been mentioned.The study, titled "An Android-based Trojan Spyware to Study the NotificationListener Service Vulnerability" [6], a trojan application, known as SMS backup, is developed to spy the notifications of other applications.The study, "Mobil Kötücül Yazılımlar ve Güvenlik Çözümleri Üzerine Bir İnceleme" [7], it was targeted some researches on security solutions for mobile devices to present a comprehensive view.The study, titled "Android Security" [8], this thesis shows the security-relevant structures of Android's system and application architecture.In order to provide infrastructure-independent education, the exercises are based on Android Virtual Devices (AVDs).The paper, titled "Mobile Security Testing Approaches and Challenges" [9] presents four security testing approaches for mobile security.The study, "An effective behavior-based Android malware detection system" [10] proposes a behavior-based malware detection system.The study titled "Keyboard or Keylogger?: a security analysis of third-party keyboards on Android" [11] is shown that third-party keyboard applications can work as keylogger.The study titled "Android Zararlı Yazılımlarını Tespit Etme, İmza Oluşturma ve Sınıflandırma" [12], a new malware detection infrastructure, developed for the Android operating system, signature algorithms, correlation with other malware families and evaluation of proposed system are discussed.In the studies, titled "Mobil Yaşamda Siber Güvenlik Yaklaşımı" [13] and titled "Android Keylogging Threat" [14], mobile security risks and measures are described.The study, "Mobil Bankacılıkta Güvenlik Sorunlarının Analizi" [15] mobile application security methods are described and presented.In the studies, "Android Kötücül Yazılım Tespit Sistemleri İncelemesi" [16], "An Android Malware Detection Method Based on AndroidManifest File" [17] "Permission-Based Android Malware Detection" [18] and "MAMA: Manifest Analysis for Malware Detection in Android" [19], AndroidManifest.xmlfile has been seen that how important it is for application security.As seen in the literature, if there is not enough security on mobile devices, personal information of the users can be stolen, their privacy can be violated and the applications of the users can be disabled.In this study has been shown that malicious code can be injected into some applications because of the sensitive data obtained after reviewing the AndroidManifest.xmlfile.Some mobile applications on the non-rooted device have been reverse _______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ 1 Kuveyt Türk Participation Bank Research & Development Center, Kocaeli -41420, TURKEY 2 Computer Engg., Selcuk University, Konya -42002, TURKEY engineered.In addition, some applications were analyzed through ADB terminal commands and it was shown that important information stored on the device can be access.After injecting new codes into the application in this study; • Some UI changes (color changes, text changes etc.).

•
The Toast message will be displayed every time the application is opened.• Dialog screen will be displayed.After users fill their credit cards information and the users click the OK button, user's credit cards information will be sent as SMS to the attacker's phone.As a result of the changes, there is no malfunction in the application.Some risks arise as a result of carelessness during application development and use.In order to draw attention to these risks, this study was carried out entirely ethically.Also in the figures in this study, information that is thought to remind any original application has been modified and censored.Very importantly, this study does not harm any application developer or company.The pentest (Penetration Test) was carried out entirely on the user's device.

Materials and Method
The smart phone using android operating system was preferred in this paper.
Android is an open source operating system developed for mobile devices [20,21].Android is Linux based and developed by Google.Nowadays, Android has the largest share in mobile application stores because it is the most widely used mobile operating system.The tools and system requirements used in the study are as follows; Android (smart phone) device

Code Injection
The Lenovo P2a42 (Android version 6.0.1)mobile device and Samsung Galaxy Tab A (Android version 5.1.1)were used for code injection.The operations performed on this device can also be performed on the Genymotion virtual device.Sample mobile banking application on the device has been reverse engineered.First, the application APK (Android Package) name should be detected by using ADB shell commands.Then the APK file must be transferred to the computer.A connection is established between the computer and the device.After the connection, the APK name of the application should be known.Therefore, the list of all application packages in the connected device is displayed by using ADB commands.After the name of the application's APK file is detected in the list, it is transferred to the computer.As shown in Figure 1, after the APK file has been decompiled, important files such as the AndroidManifest.xmlfile is appearing.Another way to detect the launcher activity is to use the ADB logcat command.However, this method is difficult and laborious.After the activity class has been detected, a new project is created in Android Studio.The path of the new launcher Activity class in the new project must be the same as the path of the launcher Activity class in the original application.The malicious code that will run when the application is opened is written in this Activity class.A new Activity class is created in the new project with the same name as the launcher Activity class in the original application.A new application is developed to inject code by using this method.
The new application's APK file is decompiled.After Decompile, the SMALI file of the new Activity class is copied to the location of the SMALI files of the original application.Recompile is performed after making the necessary changes in the AndroidManifest.xmlfile of the original application.After the recompiling, this application is installed on the device.Figure 3 shows the original screen of the application and the screen that after code injection.In this study, the user interfaces of the application are censored.In this study, two different examples were made for mobile application security awareness.Injected codes may vary depending on the intent and purpose of the attacker.For example, an ADB logcat or a JD-GUI tool can be used to find other Activity and classes.Important information on the device can be obtained by a Service that is running when the application is opened.Also, a sample phishing attack was carried out in the same mobile application.The user interface of the mobile banking application will be used in the user interface of the developed new application.In addition to this, a dialog screen will appear for user's credit card information.After completing the information, the user will proceed with the button "OK".However, the information entered in the dialog screen will be sent as SMS to the number specified (attacker's phone number) in the injected code after the button is pressed.
For this code injection, it is necessary to access the Hexadecimal (HEX) codes of the layout file within the SMALI files.The HEX code to be injected is replaced by the layout HEX code in the original SMALI file.The icon of the mobile is used in the dialog screen shown to the user for the phishing attack.The AndroidManifest.xml file is also modified to send SMS. Figure 4 shows the user interface of the original application and the user interface of the phishing attack application.As seen in the figure, phishing attack was carried out with the same screen design.The interface of the phishing app is similar to the interface of the original application.The user will think that this UI belongs to the original application.So the mobile user is at risk of stealing sensitive information.In the previous example, it has been shown that the user interface can be modified by code injection.In the second example, malware is embedded in the original application to obtain the user's information.
Figure 5 shows the layout HEX codes in the SMALI file.The code shown in the marked field will be replaced by the layout HEX code in the SMALI files of the Activity classes.After the user card information is entered, card information will be sent to the phone number that embedded in the malware code.
Figure 6 shows the dialog screen and a screenshot of the attacker's phone.As shown in these figures, the entered card information was sent to another device through an SMS.The user will switch to the user interface of the original application after pressing the button "OK".No errors were encountered in the application.The application continues to run successfully.There is no attack against the developer or application owner.All these operations are in the device and only affect the owner of the device.

Data Storage Security in Android Mobile Application
This section shows that some application data stored in the device can be access.The purpose of this section is that application developers should be careful when storing data into the mobile device.Especially, important information such as password, ID, etc. should be stored after it is encrypted.Firstly, a test was performed on the application in the Genymotion virtual device.
The connection was established after the Internet Protocol (IP) address of the virtual device was detected by using the ADB shell command.
/data/data/<appname> directory is accessed by using ADB commands.This directory contains SQLite database tables and a SharedPreferences storage file.There is a database in the /data/data/databases directory.In Figure 7, the database name has been detected by using ADB commands.Database contents will be accessed using sqlite3 commands.After learning database names, database table names are learned by using sqlite3 commands.After the table names are detected, the table can be examined with Structured Query Language (SQL) "select" query.As shown in Figure 8, the data in the application database is stored unencrypted.Thus sensitive data can be accessed.Extensible Markup Language (XML) files are available in the shared_prefs located in the application directory.In the application, if there is data stored by using SharedPreferences, it can be accessed.Figure 9 shows data stored by using SharedPreferences.<map> tags contain application data stored using the "key-value" principle.Figure 10 and Figure 11 show that data of a social media application installed on the virtual device can be accessed.The user's e-mail address and the user's name etc. information has been accessed.In this social media application, data stored by using SharedPreferences can be accessed.Information such as username, ID has been accessed.There are many records in this XML file.The file in which the user's name is stored is shown in figure 12.

Conclusion and Recommedations
This work was carried out for mobile application security awareness in the Android mobile operating system.In this study, the Android operating system was preferred because has the largest share in the mobile application store.
As seen in the literature, studies are carried out for the detection of malware applications.The number of malware applications is increasing every day.There are many academic studies in order to malware applications.There are also academic studies in which new approaches are presented.In the academic studies where malware detection is detected by a static analysis approach, the AndroidManifest.xmlfile is examined in detail.In addition to these approaches, malware detection has been realized by classification algorithms.Also in the literature, malware applications developed to demonstrate security risks have been tested in devices.Android malware applications can violate user privacy by using Android Service classes in order to obtain many important data on the device.Service is the classes that perform the background operations in Android applications.It does not provide a UI.Service may not have any interaction with the user.In this way, the attacker will steal the important information of the user without interaction.For this reason, it is useful for users to periodically check the applications in the device and the services running in the background.Another way to ensure security is to perform scans on the device with known reliable antivirus programs.In the application development phase, the application developer should consider the APK can be decompiled by attackers.In this study, a security test was performed on the sample mobile applications to show the risks that application developers and users may face.In addition, this study was carried out ethically.The security testing steps in this study may vary depending on the developer's knowledge, purpose.This study was carried out to show the basic concepts of reverse engineering and mobile security.In addition, this study was carried out to guide application developers and researchers who will work ethically in this regard.At the end of this study, it is described how the attackers can access the data stored on the device.It is also shown that the data stored using by the SQLite database and SharedPreferences can be accessed.The developer must consider such risks when storing data to the device during the application development phase.For example, sensitive data can be encrypted.The sample mobile application on the non-root device was reverse engineered.In this study, malicious codes were embedded in the application.Two different examples were shown after embedding codesIn the first example, there are some design changes.For example, in this malware application, the UI color was changed and the Toast message was shown.In the second example, a phishing attack was performed against the user.The device user should be careful about Android permissions.In the application development phase, especially application developers should develop applications by considering the weaknesses that attackers can use.A vulnerability of the application may cause a great risk for personal safety.As a result, the application developer should be more careful during the development phase and the device user should be more careful during the use phase.Users should not install applications that require unnecessary permissions on the device.Otherwise, user privacy may be violated.

Fig. 1 .
Fig. 1.After decompiling APK file.The Android Smali Assembly Source Code (SMALI) files of the classes used in the application are located in the smali folder.Important files to be used for code injection are in this folder.The AndroidManifest.xml file has been examined to detect the launcher Activity class of the application.As shown in Figure2, the launcher Activity class was detected.In this way, a new Activity class with the same name will be created and then embedded in the original application.

Fig. 3 .
Fig. 3. Original screen and screen that after code injection.

Fig 4 .
Fig 4. Original application UI and Phishing application UI.

Fig. 10 .
Fig. 10.Social media application data (Table and Column name) in database.