Android Mobile App Pentesting PDF
by Atul Singh
Android Mobile App Pentesting
However, as far as security goes, very little information about the new vulnerabilities that lead to weak programming on this platform is being revealed, even though the platform has an outstanding attack surface. After web applications, the next big concern is mobile application penetration testing. Let's start with some basics.
Understanding the Android Operating System: Below is the basic architecture of an Android device; you may already be familiar with some of its components.
➡Linux Kernel: Linux kernel is the base for a mobile computing environment. It provides Android with several
key security features, like:
• Process Isolation
• The ability to remove unnecessary and potentially insecure parts of the kernel.
➡ Hardware Abstraction Layer: It just gives applications direct access to the hardware resources.
• Media Framework: This allows the use of various types of codecs for playback and recording of different media.
➡ Dalvik Virtual Machine is specifically designed by the Android Open Source Project to execute applications
written for Android. Each app running in the Android device has its own Dalvik Virtual Machine.
➡ Android Runtime (ART) is an alternative to the Dalvik Virtual Machine. It was released with Android 4.4 as an experimental runtime, and in Android Lollipop (5.0) it will completely replace the Dalvik Virtual Machine. The major change in ART is Ahead-of-Time (AOT) compilation and improved garbage collection. With AOT compilation, Android apps are compiled when the user installs them on the device, whereas Dalvik used Just-in-Time (JIT) compilation, in which bytecode is compiled when the user runs the app. Moving on to the remaining layers, these are the common ones.
➡ Application Framework: The Application Framework layer provides many higher-level services to applications in the form of Java classes. Application developers are allowed to make use of these services in their applications.
• Content Provider – A content provider supplies data from one application to others on request. You can store the data in the file system, an SQLite database, on the web, or any other persistent storage location your app can access. Through the content provider, other apps can query or even modify the data (if the content provider allows it). A content provider is useful when an app wants to share data with another app.
• Resource Manager – Provides access to non-code embedded resources such as strings, colour settings and user interface layouts.
• Notifications Manager – Allows applications to display alerts and notifications to the user.
• View System – An extensible set of views used to create application user interfaces.
• Package Manager – The system by which applications are able to find out information about other applications currently installed on the device.
• Telephony Manager – Provides information to the application about the telephony services available on the device, such as status and subscriber information.
• Location Manager – Provides access to the location services, allowing an application to receive updates about location changes.
➡ Applications: Located at the top of the Android software stack are the applications. These comprise both the native applications provided with the particular Android implementation (for example, web browser and email applications) and the third-party applications installed by the user after purchasing the device. Typical applications include Camera, Alarm, Clock, Calculator, Contacts, Calendar, Media Player, and so forth.
In the above paragraphs, I have introduced Android architecture and information about various layers. Android apps
are written in the Java programming language. The Android SDK tools compile your code along with any data
and resource files into an APK: an Android package, which is an archive file with an .apk suffix. One APK file contains
all the contents of an Android app and is the file that Android-powered devices use to install the app.
➡ AndroidManifest.xml: The AndroidManifest.xml file is the control file that tells the system what to do with all the top-level components (specifically activities, services, broadcast receivers, and content providers, described below) in an application. It also specifies which permissions are required. This file may be in Android binary XML, which can be converted into human-readable plaintext XML with tools such as android-apktool.
➡ META-INF directory:
• CERT.SF: The list of resources and SHA-1 digest of the corresponding lines in the MANIFEST.MF file.
➡ lib: The directory containing compiled native code, which is specific to a processor architecture; it is split into further directories, such as:
• armeabi-v7a: compiled code for all ARMv7 and above based processors only
➡ res: The directory containing resources not compiled into resources.arsc (see below).
➡ classes.dex: The classes compiled in the dex file format understandable by the Dalvik virtual machine.
➡ resources.arsc: A file containing precompiled resources, such as binary XML, for example.
App components are the essential building blocks of an Android app. Each component is a different point through
which the system can enter your app. Not all components are actual entry points for the user and some depend on
each other, but each one exists as its own entity and plays a specific role—each one is a unique building block that
helps define your app’s overall behavior. You can skip the content given below if you are already familiar with it. An app has the following four kinds of components:
Content Provider
• Content Provider component supplies data from one application to others on request.
• You can store the data in the file system, an SQLite database, on the web, or any other persistent storage loca-
tion your app can access.
• Through the content provider, other apps can query or even modify the data (if the content provider allows it).
• Content Provider is useful in cases when an app wants to share data with another app.
• A content provider exposes the data-access methods insert(), update(), delete() and query().
Activity
To keep it simple, an activity represents a single screen with a user interface. For example, one activity for login and another activity after login has been successful. A new activity is created for each new screen. I will discuss more about it later when needed.
Services
• A service is a component that runs in the background to perform long-running operations or to perform work
for remote processes.
• A service does not provide a user interface. Another component, such as an activity, can start the service and let it run, or bind to it in order to interact with it.
• For example, a service might play music in the background while the user is in a different application, or it
might fetch data over the network without blocking user interaction with an activity.
Broadcast Receiver
• Many broadcasts originate from the system—for example, a broadcast announcing that the screen has turned
off, the battery is low, or a picture was captured.
• Apps can also initiate broadcasts—for example, to let other apps know that some data has been downloaded to
the device and is available for them to use.
• Although broadcast receivers don’t display a user interface, they may create a status bar notification to alert the
user when a broadcast event occurs.
• More commonly, though, a broadcast receiver is just a “gateway” to other components and is intended to do a
very minimal amount of work. For instance, it might initiate a service to perform some work based on the
event.
• An application may register a receiver for the low battery message for example, and change its behavior based
on that information.
Activating Components
• Three of the four component types—activities, services, and broadcast receivers—are activated by an asynchronous message called an intent.
• Intents bind individual components to each other at runtime (you can think of them as the messengers that request an action from other components), whether the component belongs to your app or to another.
• In the upcoming post, we will be using Drozer which uses intents to showcase the vulnerabilities.
By default, there are some protected APIs in the Android operating system which can only be accessed by the operating system. The protected APIs include:
• Camera functions
• Bluetooth functions
• Telephony functions
• SMS/MMS functions
• Network/data connections
Below is the Permission Dialog while installing the famous social networking app Facebook.
Before Going Into the Battle, You Should Know About Your Arsenals:
• Appie: A portable software package for Android pentesting and an awesome alternative to existing virtual machines.
• APKTool: A tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications.
• Dex2Jar: A tool for converting .dex files to .class files (zipped as a jar).
• Introspy-Android: Blackbox tool to help understand what an Android application is doing at runtime and assist in the identification of potential security issues.
• Drozer: Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.
• Burp Suite: Burp Suite is an integrated platform for performing security testing of applications.
• Android SSL Trust Killer – Blackbox tool to bypass SSL certificate pinning for most applications running on a device.
• RootCloak Plus – Patches root checking for commonly known indications of root.
Let’s start the testing. During the penetration test we will use Genymotion, Santoku, Drozer, etc. You can download this software from their respective sites. Let’s begin with the very first step, in which we will connect our emulator to Santoku.
➡ In the next step, check whether the device is connected or not. Type -
➡ Install the Drozer apk file in the emulator; you can simply drag and drop the file into the emulator or install it via Santoku. Set the path of the file and type:
➡ After installing Drozer, set the password in the Drozer console and enable SSL.
➡ After this, turn on the Drozer switch and type the following command to connect:
➡ Here I’m going to demonstrate with a few vulnerable applications like OWASP GoatDroid, InsecureBankv2, etc.
➡ Type run app. and press the TAB key; it will show the other available modules.
➡ Just type list in the Drozer console and it will list all the modules that come pre-installed with Drozer.
➡ You can use the --help switch with any of the modules given above to learn more about the functionality of that particular module.
➡ Now we will try to identify the attack surface of the application. Type:
➡ Let’s try to reverse the .apk file with APKTool; as I already mentioned, APKTool is for reverse engineering 3rd party, closed, binary apps. After running it, it will create a folder in the same directory with the decompiled files in it.
➡ Dex2jar is mainly used to convert an APK file into a jar file of Java classes from which the source code can be reconstructed. The command dex2jar filename.apk will convert the APK file into a jar file.
• dex2jar InsecureBankv2.apk
➡ JD-GUI usage:
• Now you can open that jar file in JD-GUI and view the reconstructed source code.
➡ Open the decoded AndroidManifest.xml file. The following screenshot shows that the Activity to be exploited is set to exported.
➡ Back on the Emulator, notice that the login page has been bypassed.
➡ ADB Shell: adb provides a UNIX shell that you can use to run a variety of commands on an emulator or a connected device. In the terminal you can use all adb commands.
• adb shell
➡ In case you want to check the process for a particular application, type dumpsys meminfo <package name>.
➡ Let’s move on to the Android backup functionality; you can check it in the AndroidManifest.xml file. allowBackup and debuggable should be false in the application element.
➡ This setting defines whether application data can be backed up and restored by a user who has enabled USB debugging. In the terminal type:
➡ Enter the below command to convert the backup file into a readable format.
• cat backup.ab | (dd bs=24 count=0 skip=1; cat) | zlib-flate -uncompress > backup_compressed.tar
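As an added example (not from the original article), here is what the dd/zlib-flate pipeline above does, written out in Python: it parses the four text lines of the .ab header (which is exactly the 24 bytes the dd command skips for a version-1 backup), refuses encrypted backups, inflates the payload and lists the tar entries. The sample backup is built in memory with an invented package name and file contents.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def parse_ab_header(data):
    """Parse the four text lines that start an .ab file.
    Returns (info dict, byte offset of the payload)."""
    parts = data.split(b"\n", 4)
    if len(parts) < 5 or parts[0] != MAGIC:
        raise ValueError("not an Android backup file")
    info = {"version": int(parts[1]), "compressed": parts[2] == b"1",
            "encryption": parts[3].decode("ascii")}
    return info, len(data) - len(parts[4])


def ab_to_tar(data):
    """Return the tar bytes of an unencrypted .ab file (inflating if compressed)."""
    info, offset = parse_ab_header(data)
    if info["encryption"] != "none":
        raise ValueError("backup is encrypted (%s); the backup password is needed"
                         % info["encryption"])
    payload = data[offset:]
    return zlib.decompress(payload) if info["compressed"] else payload


def list_backup_files(data):
    """Names of the entries in the backup, i.e. the app files a tester reviews."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(data))) as tar:
        return tar.getnames()


def make_sample_ab(files, version=1, compressed=True):
    """Build a constructed .ab file in memory; this is NOT a real device backup."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            entry = tarfile.TarInfo(name)
            entry.size = len(content)
            tar.addfile(entry, io.BytesIO(content))
    body = zlib.compress(buf.getvalue()) if compressed else buf.getvalue()
    return b"%s\n%d\n%d\nnone\n" % (MAGIC, version, int(compressed)) + body


# Constructed sample: invented package name and file contents.
SAMPLE_AB = make_sample_ab({
    "apps/com.example.vulnbank/sp/prefs.xml": b'<map><string name="user">alice</string></map>',
    "apps/com.example.vulnbank/db/bank.db": b"SQLite format 3\x00",
})
```

For a real file, read it with open("backup.ab", "rb").read() and pass the bytes to list_backup_files or ab_to_tar.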
• Open the decoded AndroidManifest.xml file. The following screenshot shows the broadcast receiver declared in the application.
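The three manifest checks above (the exported activity behind the login bypass, the allowBackup and debuggable flags, and the exported broadcast receiver) can be done directly on the apktool-decoded manifest. This is an added example, not code from the article or from Drozer; the sample manifest is constructed with invented component names.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"  # apktool keeps the android: namespace
COMPONENTS = ("activity", "service", "receiver", "provider")

def attr(elem, name):
    """Read an android:<name> attribute from a manifest element (None if absent)."""
    return elem.get(NS + name)

def is_exported(elem):
    """Platform rule: explicit android:exported wins, otherwise an <intent-filter> exports."""
    explicit = attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Return a list of finding strings for a decoded AndroidManifest.xml."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    if (attr(app, "allowBackup") or "true").lower() == "true":  # default is true
        findings.append("allowBackup enabled: app data can be pulled with adb backup")
    if (attr(app, "debuggable") or "false").lower() == "true":  # default is false
        findings.append("debuggable enabled: a debugger can attach to the app")
    for kind in COMPONENTS:
        for comp in app.findall(kind):
            if not is_exported(comp):
                continue
            # Exported is acceptable when a permission guards the component
            # (providers may use readPermission instead of android:permission).
            guard = attr(comp, "permission") or attr(comp, "readPermission")
            if guard is None:
                findings.append("exported %s without a permission: %s"
                                % (kind, attr(comp, "name")))
    return findings

# Constructed sample manifest with invented component names (not a real app's file).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vulnbank">
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".DashboardActivity" android:exported="true"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="com.example.vulnbank.SMS"/></intent-filter>
    </receiver>
    <provider android:name=".UserDataProvider" android:exported="true"
              android:readPermission="com.example.vulnbank.READ"/>
  </application>
</manifest>"""
```

Run audit_manifest(open("AndroidManifest.xml").read()) on the apktool output folder to get the same findings for a real app.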
➡ Now we are going to attack the content providers of the Android application; for this I’m going to use another vulnerable application named Sieve. Let’s start:
➡ So by using the app.provider.finduri module we have found some of the exported content provider URIs which can be accessed by other apps installed on the same device. As we can see, we have two similar URIs; let’s try to see what juicy information is hidden in these content providers.
➡ Exploiting the Android Pasteboard: log in to the application with valid credentials. Click on the Transfer option.
➡ Select the account number field and select the copy option.
➡ Now, back in the terminal, enter the below command to find out the process details of the running InsecureBankv2 application. Note the user and the package name of the InsecureBankv2 application.
➡ I’m going to demonstrate Insecure Logging through the DIVA vulnerable app. The goal is to find out where the user-entered information is being logged and also the code that makes this vulnerable. It is common for Android apps to log sensitive information to logcat. So, let's see if this application is logging the data to logcat. Check your logs after checkout.
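Added example (not from the article or from DIVA): a small scanner over logcat output that flags the two kinds of leak described above, credential keywords and Luhn-valid card numbers, optionally restricted to the app's pid. The log lines are constructed; the card number is the well-known 4111... test number, not a real account.

```python
import re

# Constructed logcat lines (threadtime format) imitating a vulnerable app; the
# tag "VulnBank" and all values are invented.
SAMPLE_LOGCAT = """\
03-12 10:15:01.123  4321  4321 D VulnBank: onCreate
03-12 10:15:09.456  4321  4321 E VulnBank: checkout failed for card 4111 1111 1111 1111
03-12 10:15:10.001  4321  4340 I LoginHelper: auth request user=alice password=Winter2024!
03-12 10:15:12.777  1200  1200 I ActivityManager: Displayed com.example.vulnbank/.MainActivity
"""

LOGCAT_RE = re.compile(
    r"^(?P<date>\d\d-\d\d) (?P<time>[\d:.]+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF]) (?P<tag>[^:]+): (?P<msg>.*)$")
KEYWORD_RE = re.compile(r"\b(password|passwd|pwd|pin|token|secret|otp)\s*[=:]\s*\S+", re.I)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits):
    """Luhn checksum, used to tell card-number-looking strings from random digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def find_sensitive_logs(logcat_text, pid=None):
    """Return (tag, reason, message) for lines that look like leaked secrets.
    Pass the app's pid (from ps or dumpsys) to restrict the scan to one process."""
    hits = []
    for line in logcat_text.splitlines():
        m = LOGCAT_RE.match(line)
        if not m or (pid is not None and int(m["pid"]) != pid):
            continue
        msg = m["msg"]
        if KEYWORD_RE.search(msg):
            hits.append((m["tag"], "credential keyword", msg))
            continue
        for cand in CARD_RE.findall(msg):
            digits = re.sub(r"\D", "", cand)
            if luhn_ok(digits):
                hits.append((m["tag"], "card number (Luhn-valid)", msg))
                break
    return hits
```

Feed it the output of adb logcat -v threadtime -d to check a real device log.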
For client-side validation testing, you can refer to the OWASP Mobile standard 2016.
References:
• https://github.com/bemre/MobileApp-Pentest-Cheatsheet
• https://github.com/OWASP/owasp-mstg
• https://manifestsecurity.com/android-application-security/