My name is M. Qasim Munir and this is my first blog article, which I’m writing about getting started in Android app pen-testing. I hope this article will help you learn something new.
The rapid development and growth of mobile apps has brought with it a host of vulnerabilities that attackers are ready to exploit. If you are developing applications for Android or iOS devices and you are not up to speed on pen-testing techniques, you need to get into them quickly.
In this article I’m not only going to write about Android app pen-testing; I’ll also describe how to set up an Android testing lab/environment, including various open-source tools and scripts.
Pen-testing Android apps requires a different methodology than web applications: you usually have to reverse engineer the application to find out how it works, and you need to set up a virtual or real device according to the type of application you want to test.
Android is an open-source, Linux-based operating system created for a wide array of devices. The diagram below shows the major components of the Android platform.
Android ships with a set of core apps for SMS, email, web browsing, etc., and any third-party application can be set as the user’s default app for those tasks.
Some core Android system components and services, such as ART and the HAL, are built from native code that requires native libraries written in C and C++.
The entire feature set of the Android OS is available to apps through APIs written in the Java language. These APIs form the building blocks you need to create Android apps by simplifying the reuse of core, modular system components.
The foundation of the Android platform is the Linux kernel. For example, the Android Runtime (ART) relies on the Linux kernel for underlying functionality such as threading and low-level memory management.
Android’s security model consists of two parts:
1. The application sandbox: security between an Android application and the system is enforced at the process level through standard Linux facilities, such as the unique user and group ID assigned to each installed app, so that one app’s process and files are isolated from another’s.
2. Permissions: a separate mechanism that enforces restrictions on the specific operations a particular process can perform, such as reading contacts or accessing the network.
I won’t cover the security model in detail here. So, let’s move on to the main thing.
AndroidManifest.xml contains the application’s package name, version, declared components, permissions (access rights), referenced libraries, etc. Inside the APK this file is stored as Android binary XML, which can be converted back into readable plain-text XML with decoding tools such as apktool.
The assets directory contains the application’s raw asset files, which the app reads at runtime by name.
The META-INF directory contains the APK’s v1 (JAR) signature files: MANIFEST.MF, a .SF signature file and a .RSA, .DSA or .EC signature block.
The lib directory contains the app’s compiled native code (.so libraries), split into one subdirectory per processor ABI, for example armeabi-v7a, arm64-v8a, x86 and x86_64.
The res directory contains the resources that are not compiled into resources.arsc, such as images and layout files.
classes.dex contains the app’s compiled classes in the dex file format, which is executed by the Android Runtime (ART) and, before Android 5.0, by the Dalvik virtual machine (Dalvik is the discontinued process virtual machine that executed Android apps in earlier versions). Larger apps split their code across classes.dex, classes2.dex and so on.
resources.arsc contains the pre-compiled resources, such as strings, and the resource table that maps resource IDs to values and files.
The figure below shows the attack surfaces to consider when pen-testing an Android app.
Android pen-testing can be done on either real devices or emulators (VMs).
If you want to test applications that involve any interaction with the camera or fingerprint components, including how the device behaves, then I would suggest doing it on a real mobile device. Make sure that you have the right USB drivers for your phone installed on your PC and a USB cable in very good condition; otherwise you could face many problems.
Android pen-testing on the Windows operating system is a little bit difficult due to the unavailability of many of the tools for Windows. However, there is an open-source distro called Santoku (distributed as an ISO) made specially for mobile app pen-testing. I would recommend using this distro if you are running Windows. You can also use it on Linux or macOS, but I don’t recommend this as it could slow down your system; you can install the same tools natively on Linux or macOS.
There are many Android emulators available on the internet, but which one is good for pen-testing?
In my opinion, Genymotion is the best Android emulator for pen-testing because it is easy to set up and use and it offers an excellent user experience.
You can Download Genymotion Android Emulator from here: https://www.genymotion.com/download/
Please note that you also need to install VirtualBox to work with Genymotion; the Genymotion emulator does not work without it. You can download Genymotion bundled with VirtualBox as a single package from the official Genymotion site.
Now choose the device template you want and install it. I’ve installed three emulators:
You can install devices according to your requirements.
After installing the emulator, choose any device, install it and then start it from the GUI.
Install Open GApps (the Google apps package, including the Play Store) from the option located in the top right corner of the device window.
Genymotion is an x86-based emulator, so if you try to install an application that contains ARM native code, Genymotion will throw an error:
an error occured while deploying the file.
This probably means that the app contains ARM native code and your Genymotion device cannot run ARM instructions. You should either build your native code to x86 or install an ARM translation tool in your device.
This error will prevent you from installing many of the apps you need to test for bug bounty hunting.
The solution is to install the ARM translation tool, which can be downloaded from here: https://github.com/m9rco/Genymotion_ARM_Translation
After downloading the ARM translation zip, simply drag and drop it onto the Genymotion device window, let it flash, and then restart the emulator; after the reboot the translation layer is installed.
Note: download the translation zip that matches your emulator’s Android version. Also keep in mind that translation only emulates the ARM instructions inside the app’s native libraries; it does not turn the emulator into an ARM device, so apps with a lot of native code may still misbehave or run slowly, which is one more reason to test those on a real device.
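As an added example (not part of the original article), the following Python script inspects an APK as the zip file it is and reports the layout described in the APK section above: whether AndroidManifest.xml is stored as binary XML, the v1 signature files under META-INF, the native ABIs under lib/, the dex files, resources.arsc, res/ and assets/. For the Genymotion error just described it also answers the practical question of whether the app ships x86 native code or is ARM-only and will need the translation tool before it installs. It uses only the standard library; build_sample_apk() constructs a dummy APK with the same layout so the script runs without a real app, and the header bytes it checks are those of Android’s binary XML format.

```python
"""Inspect an APK's layout without installing it (added example, standard library only)."""
import io
import re
import sys
import zipfile

# Android binary XML (AXML) files start with chunk type RES_XML_TYPE (0x0003)
# followed by a header size of 8: bytes 03 00 08 00 in little-endian order.
AXML_MAGIC = b"\x03\x00\x08\x00"


def inspect_apk(apk_bytes: bytes) -> dict:
    """Summarise an APK by the directories and files described in the article."""
    summary = {
        "manifest_binary": None,      # True when AndroidManifest.xml needs AXML decoding
        "v1_signature_files": [],     # META-INF/*.SF and *.RSA/*.DSA/*.EC
        "native_abis": {},            # abi -> .so files under lib/<abi>/
        "dex_files": [],              # classes.dex, classes2.dex, ...
        "has_resources_arsc": False,
        "res_entries": 0,
        "asset_entries": 0,
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name == "AndroidManifest.xml":
                summary["manifest_binary"] = zf.read(name).startswith(AXML_MAGIC)
            elif name.startswith("META-INF/") and re.search(r"\.(SF|RSA|DSA|EC)$", name):
                summary["v1_signature_files"].append(name)
            elif name.startswith("lib/"):
                parts = name.split("/")
                if len(parts) == 3 and parts[2].endswith(".so"):
                    summary["native_abis"].setdefault(parts[1], []).append(parts[2])
            elif re.fullmatch(r"classes\d*\.dex", name):
                summary["dex_files"].append(name)
            elif name == "resources.arsc":
                summary["has_resources_arsc"] = True
            elif name.startswith("res/"):
                summary["res_entries"] += 1
            elif name.startswith("assets/"):
                summary["asset_entries"] += 1
    return summary


def runs_on_x86_emulator(summary: dict) -> bool:
    """True if the app has no native code or ships an x86/x86_64 build of it.
    An ARM-only lib/ directory is exactly what triggers Genymotion's deploy error."""
    abis = set(summary["native_abis"])
    return not abis or bool(abis & {"x86", "x86_64"})


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK: same layout, dummy contents, ARM-only native code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", AXML_MAGIC + b"\x00" * 16)
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("classes2.dex", b"dex\n035\x00")
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        zf.writestr("res/layout/main.xml", b"")
        zf.writestr("assets/config.json", b"{}")
        zf.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF")
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82")
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a real APK path, or run without arguments to inspect the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    result = inspect_apk(data)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("installs on x86 Genymotion without ARM translation:", runs_on_x86_emulator(result))
```

Run it against the APK you are about to drag into Genymotion; if native_abis lists only armeabi-v7a and arm64-v8a you know in advance that you need the translation tool, and manifest_binary tells you whether the manifest must be decoded before you can read the declared components and permissions.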
Android Debug Bridge (ADB) is a versatile command-line tool that lets you communicate with a device. ADB facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on the device. It is a client-server program with three components: a client, which sends commands and runs on your machine; a daemon (adbd), which runs the commands on the device; and a server, which manages communication between the client and the daemon and runs as a background process on your machine.
Install it with your package manager:
macOS (Homebrew): brew install --cask android-platform-tools (on older Homebrew versions the syntax was brew cask install android-platform-tools)
Debian/Ubuntu: sudo apt-get install adb
Fedora/CentOS: sudo yum install android-tools
If the above commands do not work for you, download the platform tools directly from here: https://developer.android.com/studio/releases/platform-tools
If you want to test Android apps on a physical device, you need to connect ADB to the device, either over a USB data cable or over TCP (the network). Let’s do it.
Get a good-quality data cable and attach your mobile device to your PC/laptop. In the phone’s settings, enable Developer options and turn on USB debugging (a necessary step), then accept the "Allow USB debugging?" prompt that the phone shows the first time this PC connects. Now run:
adb devices
This command lists the devices connected to ADB; a device shown as unauthorized has not accepted the prompt yet.
Connecting over TCP:
With the phone still connected over USB, enter the command below:
adb tcpip 5555
You will see that adbd restarts in TCP mode on port 5555. Now disconnect the USB cable, look up the phone’s Wi-Fi IP address (Settings > About phone > Status) and connect to it over the network:
adb connect <ip address of device>:5555
Once the connection is successful, the phone appears in adb devices with its IP:port as the serial, and adb shell gives you a shell on it. Keep in mind that while adbd is in TCP mode, anyone on the same network can try to connect to port 5555; the RSA key check protects a stock phone, but emulators and devices that do not enforce ADB authentication accept any client, so switch back with adb usb (or reboot the phone) when you are done.
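Added example (not from the article): a small Python wrapper around the adb commands above that parses the output of adb devices -l, pins every command to one serial with -s so it still does the right thing when several emulators and a phone are attached, and checks the text printed by adb connect, which exits 0 even when the connection fails. SAMPLE_DEVICES is constructed output; switch_to_tcp() and back_to_usb() assume adb is on your PATH and a device is actually attached.

```python
"""Drive the USB -> TCP/IP switch and check adb's answers instead of trusting exit codes."""
import re
import subprocess

ADB_TCP_PORT = 5555

# Constructed sample of `adb devices -l` output: a Genymotion VM, a phone whose
# "Allow USB debugging?" prompt has not been accepted, and an offline emulator.
SAMPLE_DEVICES = """List of devices attached
192.168.56.101:5555    device product:vbox86p model:Galaxy_S8 device:vbox86p transport_id:1
ZY223KXQXX             unauthorized transport_id:2
emulator-5554          offline transport_id:3
"""


def parse_adb_devices(output: str) -> dict:
    """Map serial -> state ('device', 'unauthorized' or 'offline')."""
    devices = {}
    for line in output.splitlines()[1:]:          # first line is the header
        m = re.match(r"^(\S+)\s+(device|unauthorized|offline)\b", line)
        if m:
            devices[m.group(1)] = m.group(2)
    return devices


def connect_response_ok(response: str) -> bool:
    """`adb connect` prints 'connected to ...' on success but also exits 0 on
    'cannot connect to ...' / 'failed to connect to ...', so check the text."""
    text = response.strip().lower()
    return text.startswith("connected to") or text.startswith("already connected to")


def tcp_switch_commands(serial: str, device_ip: str, port: int = ADB_TCP_PORT) -> list:
    """The two commands from the article, pinned to one serial with -s."""
    return [
        ["adb", "-s", serial, "tcpip", str(port)],
        ["adb", "connect", f"{device_ip}:{port}"],
    ]


def run(cmd: list) -> str:
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def switch_to_tcp(serial: str, device_ip: str) -> bool:
    """Switch a USB-attached device to TCP mode and connect; True when adb reports success."""
    states = parse_adb_devices(run(["adb", "devices", "-l"]))
    if states.get(serial) != "device":
        raise RuntimeError(f"{serial} is {states.get(serial, 'not attached')}; "
                           "accept the USB debugging prompt on the phone first")
    tcpip_cmd, connect_cmd = tcp_switch_commands(serial, device_ip)
    run(tcpip_cmd)                 # adbd restarts listening on the TCP port
    return connect_response_ok(run(connect_cmd))


def back_to_usb(serial: str) -> str:
    """Stop adbd listening on the network once you are done; anyone on the LAN
    can otherwise attempt to connect to port 5555."""
    return run(["adb", "-s", serial, "usb"])


if __name__ == "__main__":
    print(parse_adb_devices(SAMPLE_DEVICES))
    # Real use, placeholders: switch_to_tcp("ZY223KXQXX", "192.168.1.20")
```

After a successful switch the device’s serial becomes its IP:port, so later commands are addressed as adb -s 192.168.1.20:5555 shell; call back_to_usb() with that serial when the session is over.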
First of all, you need Burp Suite to intercept traffic; you can download it from PortSwigger’s website.
Now let’s configure the proxy listener. Open Burp, go to the Proxy tab and then the Options tab. The default listener is bound to 127.0.0.1, which the emulator cannot reach, so uncheck it (or edit it) and add a new listener bound to the host-only network interface that VirtualBox creates for Genymotion: open a terminal, run ifconfig, find the vboxnet interface, copy its IP address and use it for the new listener on port 8080, as shown in the images below:
On the device, open the Wi-Fi settings, long-press the connected network, choose Modify network, expand the advanced options and set Proxy to Manual with the same IP address and port as the Burp listener.
Now open any browser on the device and browse to http://burp. There is a CA Certificate link in the top right corner that downloads Burp’s CA certificate as cacert.der.
The next step is to open a file manager, go to the Download folder and rename cacert.der to cacert.crt (the installer only accepts .crt/.cer files), then navigate to Settings > Security > User credentials > Install from SD card (the exact path varies by Android version), select the certificate and install it as a user CA. Keep in mind that since Android 7.0 (API level 24) apps do not trust user-installed CAs by default: unless the app targets an older API level or opts in through its network security configuration, its HTTPS connections will fail instead of showing up in Burp, and on a rooted device or emulator you should install the certificate into the system store (/system/etc/security/cacerts) instead.
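Added example (not from the article) for the system-store route: Python helpers that convert Burp’s cacert.der to PEM, work out the <subject_hash_old>.0 file name Android uses in /system/etc/security/cacerts (the hash itself is delegated to the openssl binary, assumed to be on your PATH), and produce the adb commands to push it onto a rooted device or Genymotion image. global_proxy_commands() sets or clears the device-wide HTTP proxy from the command line as an alternative to editing the Wi-Fi network by hand. The serial, IP addresses, paths and hash value in the usage and tests are placeholders.

```python
"""Install Burp's CA as a system certificate and set a global proxy (added example)."""
import base64
import subprocess
import textwrap

CACERTS_DIR = "/system/etc/security/cacerts"


def der_to_pem(der: bytes) -> str:
    """Wrap a DER-encoded certificate in the PEM armour the cacerts directory expects."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def subject_hash_old(der_path: str) -> str:
    """Android names system CAs <hash>.0 using OpenSSL's *old* (MD5-based) subject hash.
    Delegates to the openssl binary, which is assumed to be on PATH."""
    out = subprocess.run(
        ["openssl", "x509", "-inform", "DER", "-in", der_path, "-subject_hash_old", "-noout"],
        capture_output=True, text=True, check=True,
    ).stdout
    return out.strip().splitlines()[0]


def system_ca_install_commands(pem_path: str, subject_hash: str, serial: str) -> list:
    """adb steps to place the PEM in the system store. `adb remount` needs a rooted
    device; on stock AVD images /system must have been started writable."""
    adb = ["adb", "-s", serial]
    target = f"{CACERTS_DIR}/{subject_hash}.0"
    return [
        adb + ["root"],
        adb + ["remount"],
        adb + ["push", pem_path, target],
        adb + ["shell", "chmod", "644", target],   # same mode as the shipped CAs
        adb + ["reboot"],
    ]


def global_proxy_commands(serial: str, host: str, port: int = 8080, clear: bool = False) -> list:
    """Set the device-wide HTTP proxy, or remove it with clear=True (value ':0')."""
    value = ":0" if clear else f"{host}:{port}"
    return [["adb", "-s", serial, "shell", "settings", "put", "global", "http_proxy", value]]


def run_all(commands: list) -> None:
    for cmd in commands:
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    # Placeholders: adjust the file names, serial and Burp listener IP to your setup.
    der_path, pem_path, serial = "cacert.der", "burp.pem", "192.168.56.101:5555"
    with open(der_path, "rb") as f:
        pem = der_to_pem(f.read())
    with open(pem_path, "w") as f:
        f.write(pem)
    run_all(global_proxy_commands(serial, "192.168.56.1"))
    run_all(system_ca_install_commands(pem_path, subject_hash_old(der_path), serial))
```

Because the certificate now sits in the system store, apps on Android 7.0 and later trust it without any network security configuration, which is what you need for the traffic to appear in Burp; certificate pinning inside the app is a separate problem that this does not solve.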
Frida is a dynamic instrumentation toolkit for developers, reverse engineers and security researchers. It lets you inject JavaScript snippets into native apps on Android, iOS, Linux, macOS and Windows; in other words, you can inject your own scripts into black-box processes.
You can install Frida and the Frida tools on your PC with the commands below (frida-tools pulls in the frida Python bindings as a dependency, so the second command only matters if you want the library on its own):
pip install frida-tools
pip install frida
The next part is installing the Frida server on the Android device or emulator. The server is a native binary that must match both the device’s CPU architecture and the version of the Frida tools on your PC, so first determine which architecture (ABI) your Android device is running and download the matching frida-server release.
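Added example (not from the article): Python helpers that map the ABI reported by adb shell getprop ro.product.cpu.abi to the frida-server release asset name, build the push/chmod/start commands, and verify the server with Frida’s own Python bindings. It assumes adb and the frida CLI are on your PATH and that the device has su (Genymotion images and rooted phones do); the serial and version numbers in the usage and tests are placeholders.

```python
"""Choose, deploy and verify the frida-server build matching the device (added example)."""
import subprocess

# ro.product.cpu.abi value -> architecture suffix in frida-server release asset names
ABI_TO_FRIDA_ARCH = {
    "arm64-v8a": "arm64",
    "armeabi-v7a": "arm",
    "armeabi": "arm",
    "x86": "x86",
    "x86_64": "x86_64",
}
REMOTE_PATH = "/data/local/tmp/frida-server"


def frida_arch_for_abi(abi: str):
    """Return the frida architecture name for a device ABI, or None if unknown."""
    return ABI_TO_FRIDA_ARCH.get(abi.strip())


def frida_server_asset(frida_version: str, abi: str) -> str:
    """Asset name on https://github.com/frida/frida/releases, e.g.
    frida-server-16.1.4-android-x86.xz. Server and host tools must share a version."""
    arch = frida_arch_for_abi(abi)
    if arch is None:
        raise ValueError(f"unsupported ABI {abi!r}; check `adb shell getprop ro.product.cpu.abi`")
    return f"frida-server-{frida_version}-android-{arch}.xz"


def adb_out(serial: str, *args: str) -> str:
    return subprocess.run(["adb", "-s", serial, *args],
                          capture_output=True, text=True, check=True).stdout.strip()


def device_abi(serial: str) -> str:
    return adb_out(serial, "shell", "getprop", "ro.product.cpu.abi")


def host_frida_version() -> str:
    return subprocess.run(["frida", "--version"], capture_output=True,
                          text=True, check=True).stdout.strip()


def server_start_commands(serial: str, local_binary: str) -> list:
    """Push the decompressed binary, make it executable and daemonize it as root.
    On Genymotion `adb shell` is already root, so the su wrapper is harmless there."""
    adb = ["adb", "-s", serial]
    return [
        adb + ["push", local_binary, REMOTE_PATH],
        adb + ["shell", "chmod", "755", REMOTE_PATH],
        adb + ["shell", f"su -c '{REMOTE_PATH} -D'"],   # -D: detach and run as a daemon
    ]


def server_reachable(expected_version: str) -> bool:
    """Connect over USB with frida's Python bindings (imported lazily so the other
    helpers work without frida installed) and confirm the versions match."""
    import frida
    if frida.__version__ != expected_version:
        return False
    device = frida.get_usb_device(timeout=5)
    return len(device.enumerate_processes()) > 0


if __name__ == "__main__":
    serial = "192.168.56.101:5555"                       # placeholder
    version = host_frida_version()
    abi = device_abi(serial)
    print("download:", frida_server_asset(version, abi))
    # After `xz -d` on the downloaded asset, the binary has the same name minus .xz:
    binary = frida_server_asset(version, abi)[:-3]
    for cmd in server_start_commands(serial, binary):
        subprocess.run(cmd, check=True)
    print("frida-server reachable:", server_reachable(version))
```

A version mismatch between frida-server and the host tools is the most common reason frida-ps -U fails to list processes, which is why server_reachable() compares frida.__version__ with the version the server was downloaded for before trying to connect.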
So, that’s all for Part 1, folks. In Part 2 I’ll write about different attacks and the other tools required for pen-testing.
Stay tuned and share your thoughts on it. Thanks!