There's a big difference between hackers (people who like to experiment with computer systems to make them do unintended things) and attackers (criminals who exploit vulnerabilities in computer systems to gain access to data or processes).
In this article, we'll cover the basics of hacking on Google's widely used Android system.
Introduction to Android Hacking
Since its release in 2008, adoption of Android has soared, and it is now by far the most common mobile operating system.
The reasons for Android's success are tied to its release as open source software, which allows application developers much better insight into its inner workings. The robust set of applications and extensions to Android translates to Android appearing on many different types of hardware.
In fact, Android has been so successful that it already captures more than 80% of the market share for mobile operating systems, with that number expected to climb to nearly 90% by 2022, according to Statista.
The same openness that makes Android appealing to mobile developers also makes it attractive to hackers. The open platform makes it easy to hack on. Of course, while most hackers simply enjoy experimenting with hardware and software, there are always going to be attackers who seek to exploit vulnerabilities. Download our free secure coding handbook to make sure your Android applications aren’t vulnerable to common exploits.
Android Hacking Resources
There are hundreds of resources on the internet for people who want to get involved in Android hacking, from communities to lists of tools and guidebooks.
Here are a few places to get started:
- Veracode Community - Chat with security experts, hackers, and developers about all things application development, including security and modification.
- Android-Exploits - This is an open source guide on Android exploits and hacks from GitHub user sundaysec, with links to additional resources and tools.
- Hacking Android: 80 Pages of Experts' Tutorials - You'll find code and tutorials on Android security, hacking, and exploits from monthly hacking and cybersecurity magazine Hakin9.
- XDA Developers forum - This is an Android development and hacking community with millions of users.
Android Hacking Tools / Android Hacking Apps
In addition to manual coding, there are many applications built around hacking Android systems. These range from apps targeted at end users who want to extend their Android device's battery life or customize other parts of its operating system to deep system hacks used by more sophisticated hackers and attackers.
Here are a few of the most popular:
- Apktool – This tool is used for reverse engineering third party, closed, binary Android applications.
- Dex2jar – This widely available tool works with Android .dex and Java .class files, enabling the conversion of one binary format to another.
- JD-GUI – This is a standalone graphical utility that displays Java sources from .class files.
How to Secure Your Android Device From Attackers
Although most people who use these hacking applications have no ill intent, they can also be used by attackers to find and exploit security flaws found in Android software.
Developers and organizations can use a secure software development lifecycle to minimize their risk of exposure to exploits that could see their customers' private information leaked or their financial assets stolen or threatened.
The Three Biggest Threats to Android Devices
Threat One: Data in Transit
Mobile devices, including those running Android as an operating system, are susceptible to man-in-the-middle attacks and various exploits that hack into unsecured communications over public Wi-Fi networks and other wireless communication systems. By hijacking a user's signal, attackers can impersonate legitimate web services, steal data, or intercept calls and text messages.
Threat Two: Untrustworthy App Stores
Untrustworthy app stores can cause headaches due to lack of security protocols. Ensure that your app store of choice for Android applications takes adequate security precautions and has a strong security review program in place. Sideloading, in which you install apps without an app store, is also a process to manage carefully due to a lack of foundational security measures.
Threat Three: SMS Trojans
Malicious apps can sometimes include SMS trojans, which come in the form of compromised applications. This type of app accesses a mobile device's calling or text message capabilities, allowing it to do things like send text messages with malicious links to everyone in a user's address book. These links can then be used by attackers to distribute computer worms and other malicious messages to fee-based services, incurring fees on behalf of the user and profiting scammers.
Three Ways to Protect Your Android Devices
Use TLS Encryption
OWASP shows that insufficient encryption is a big problem for many types of applications. By using Transport Layer Security (TLS), you can encrypt internet traffic of all types, with session keys generated and exchanged securely. This protects data against most man-in-the-middle and network spying attacks.
Test Third-Party App Security
The best way to avoid malicious apps is to only use apps from the official Google Play store. Google Play uses significantly better security checks than third-party sites, some of which may contain hundreds of thousands of malicious apps. If you absolutely need to download an app from a third-party store, check its permissions before installing, and be on the lookout for apps that ask for your identity or the ability to send messages to your contacts when they don't need to.
Use Caution When Using SMS Payments
Set your Android phone to limit the ability of apps to automatically spend your money. Apps that ask for payment via SMS are a red flag and should be avoided if at all possible.
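The permission check from "Test Third-Party App Security", the cleartext-traffic concern behind "Use TLS Encryption", and the SMS red flag above can be combined into one review of an app's manifest. This is an added example, not code from the original article or from Veracode; it assumes the AndroidManifest.xml has already been decoded to text (for instance with Apktool), the permission list is a selection rather than a complete set, and the sample manifest is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded manifest live in the Android XML namespace.
A = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the article's warnings: SMS and calling, contacts, identity.
RISKY = {
    "android.permission.SEND_SMS": "can send text messages, including to fee-based numbers",
    "android.permission.READ_SMS": "can read text messages",
    "android.permission.RECEIVE_SMS": "can receive incoming text messages",
    "android.permission.CALL_PHONE": "can place calls without user confirmation",
    "android.permission.READ_CONTACTS": "can read the address book",
    "android.permission.GET_ACCOUNTS": "can list accounts on the device",
    "android.permission.READ_PHONE_STATE": "can read phone and call state",
}

def audit_manifest(manifest_xml):
    """Return (item, reason) pairs for risky permissions and explicit cleartext opt-in."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for perm in root.iter(tag):
            name = perm.get(A + "name", "")
            if name in RISKY:
                findings.append((name, RISKY[name]))
    # Only the explicit attribute is checked. When it is absent, the default depends
    # on the target API level (cleartext is allowed by default for API 27 or lower).
    app = root.find("application")
    if app is not None and app.get(A + "usesCleartextTraffic") == "true":
        findings.append(("usesCleartextTraffic", "allows unencrypted HTTP traffic"))
    return findings

# Constructed sample: a flashlight app that has no need for SMS or contacts.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Flashlight" android:usesCleartextTraffic="true"/>
</manifest>"""

if __name__ == "__main__":
    for item, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"{item}: {reason}")
```

A finding is a prompt for review, not proof of malice: a messaging app legitimately needs SMS permissions, while a flashlight app does not.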
Veracode for Application Security
Veracode is designed to help developers and organizations secure their applications — whether they're released on Android or any other system. Contact us today to learn how we can help you.