Mobile Penetration Testing - Android
Testing Environment
Android Emulator
Genymotion: https://www.genymotion.com/fun-zone/
Android Debug Bridge (ADB)
C:\Users\<User>\AppData\Local\Android\Sdk\platform-tools
adb -s <specific device> shell #Specific Device
adb -d shell #Device
adb -e shell #Emulator
Basic ADB command
adb install <apk file>
adb pull <location>
adb push <file> <location>
Basic Linux command
cat /proc/version #Kernel version
cat /proc/cpuinfo #Processor Information
ps #Processes
cat /system/etc/permissions/platform.xml #Permission and GID
Information Gathering
Retrieve APK file from Device (Recommended)
adb shell
pm list packages
pm path <package>
adb pull <apk path>
Retrieve APK file from Internet
Verify the signing certificate of a downloaded APK (META-INF/CERT.RSA) before trusting it:
keytool -printcert -file CERT.RSA #keytool on Windows: C:\Program Files\Java\jre1.8.0_131\bin\keytool.exe
Android Manifest Analysis
1. Activity, Service, Content Provider and Broadcast Receiver are not exported
cat AndroidManifest.xml | grep "<activity\|<provider\|<receiver\|<service" | grep -v "android:exported=\"false\"" | grep "android:name" --color
am start -n <package name>/<activity name>
content query --uri <URI>
Recommended Value:
android:debuggable="false"
android:allowBackup="false"
android:exported="false"
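The grep above only rules out components that say android:exported="false" explicitly; a component with no android:exported attribute but an intent-filter is exported by default on apps targeting below API 31, so it slips through. The following Python script is an added example, not part of this cheat sheet: it parses a decoded AndroidManifest.xml (the manifest embedded here is a constructed sample), applies the platform defaults, and reports the effectively exported components together with the application attributes whose recommended value is "false".

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "provider", "receiver")

# Constructed sample manifest (not from a real app): explicit exported="true"/"false",
# an implicit export through an intent-filter, and a provider with no attribute at all.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".AdminActivity" android:exported="false"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"/>
  </application>
</manifest>"""

def _attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def exported_components(manifest_xml, target_sdk=30):
    """Return (tag, name, reason) for each component other apps can reach.
    Defaults applied when android:exported is absent: a provider is exported only
    below targetSdk 17; other components are exported when they declare an
    intent-filter (below targetSdk 31; from 31 the attribute must be explicit)."""
    findings = []
    for elem in ET.fromstring(manifest_xml).iter():
        if elem.tag not in COMPONENTS:
            continue
        explicit = _attr(elem, "exported")
        if explicit is not None:
            exported, reason = explicit == "true", 'android:exported="%s"' % explicit
        elif elem.tag == "provider":
            exported, reason = target_sdk < 17, "provider default (exported below API 17)"
        elif elem.find("intent-filter") is not None:
            exported, reason = target_sdk < 31, "intent-filter without android:exported"
        else:
            exported, reason = False, "no android:exported and no intent-filter"
        if exported:
            findings.append((elem.tag, _attr(elem, "name"), reason))
    return findings

def risky_application_attrs(manifest_xml):
    """<application> attributes set to "true" where the recommended value is "false"."""
    app = ET.fromstring(manifest_xml).find("application")
    return {a: "true" for a in ("debuggable", "allowBackup") if _attr(app, a) == "true"}
```

On a real target, pass the contents of the AndroidManifest.xml produced by apktool d and the app's targetSdkVersion; for the sample, the receiver is reported as exported even though the grep on this page would not flag it.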
Reverse Engineering
An APK file is just a package for the application files
APKTool
apktool d <apk file>
After decompiling the application with APKTool, we can analyse the AndroidManifest.xml file manually
Code Tampering
Before Code Tampering:
After Code Tampering:
Change the value of is_admin to "yes"
Compile the application back to APK format
The modified APK cannot be installed on the device unless it is signed *
The Create User button now appears for admin!
Dex2Jar
d2j-dex2jar <apk file>
A JAR file is created after running d2j-dex2jar
The JAR file can be opened with JD-GUI
Penetration Testing
Insecure Data Storage
adb shell
cd data/data
ls | grep <keyword>
cd <package name>
find
grep -ir <keyword in file> /
adb pull <data folder>
SQLite database files can be opened with DB Browser for SQLite
Shared Preferences files can be opened with any text editor
Automating Android Penetration Testing
Drozer *
Turn on the Drozer agent on the testing device
Run drozer on the workstation and connect to the agent
adb forward tcp:31415 tcp:31415
drozer.bat console connect
Select the target application and perform initial analysis
run app.package.list
run app.package.list -f <keyword>
run app.package.info -a <package name>
run app.package.attacksurface <package name>
Attacking exported activities
run app.activity.info -a <package name>
run app.activity.start --component <package name> <activity name>
APICredsActivity accessed directly
Attacking exported content provider
run app.provider.info -a <package name>
run scanner.provider.finduris -a <package name>
run app.provider.query <URI>
Inserting data into content provider
run app.provider.insert <URI> --<data type> <column name> <value>
Mobile Security Framework (MobSF) *
python manage.py runserver
Browse to http://127.0.0.1:8000 and upload the APK file
Scan result from MobSF
Permissions granted to the application
Manifest and code issues detected
Java source code
URLs detected in the source code
Android Security
Permissions: https://www.kaspersky.com/blog/android-permissions-guide/14014/
10 tips for maximum security
https://www.kaspersky.com/blog/android-maximum-security-tips/6579/
Obfuscate Android Code
build.gradle
android {
    buildTypes {
        release {
            minifyEnabled true
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
        }
        debug {
            minifyEnabled true
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
        }
    }
}
proguard-rules.pro
-dontwarn android.support.v7.**
-keep class android.support.v7.internal.** { *; }
-keep interface android.support.v7.internal.** { *; }
-keep class android.support.v7.** { *; }
Reference:
https://developer.android.com/topic/security/best-practices.html