Physical attacks
Pentesting

Android Applications Pentesting

Static Analysis

Java Code

You could navigate through the Java code using: jd-gui or jadx. Just download the latest version and execute it from the bin folder:

jadx-gui

If you only want the java code but without using a GUI a very easy way is to use the jadx cli tool:

jadx app.apk

Some interesting options of jadx (GUI and CLI versions) are:

-d <path to output dir>
--no-res #No resources
--no-src #No source code
--no-imports #Always write entire package name (very useful to know where is the function that you might want to hook)

Another interesting option that I haven't test yet but looks really good is https://github.com/charles2gan/GDA-android-reversing-Tool

Then I recommend you to search for interesting information in the code. Learn the flow of the app and search for passwords, URLs, api keys an anything interesting that could be there...

Another interesting tool to make a Static analysis is: bytecode-viewer. It allows you to decompile the APK using several decompilers at the same time. Then, you can see for example, 2 different Java decompilers and one Smali decompiler. It allows you also to modify the code:

If you modify the code, then you can export it. One bad thing of bytecode-viewer is that it doesn't have references or cross-references.

A final tool that could be useful for a static analysis is: ClassyShark

At the end of this post you will find different tools that look for static vulnerabilities and private information inside the APK.

Manifest.xml

You can easily find the Manifest.xml of the application using apktool

There you can find very interesting information like:

Smali Code

Sometimes it is interesting to modify the application code to access hidden information for you (maybe well obfuscated passwords or flags). Then, it could be interesting to decompile the apk, modify the code and recompile it.

Opcodes reference: http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html

Decompile the APK

Using APKTool you can access to the smali code and resources:

apktool d APP.apk

If apktool gives you any error, try installing the latest version

Some interesting files you should look are:

  • res/values/strings.xml (and all xmls inside res/values/*)

  • AndroidManifest.xml

  • Any file with extension .sqlite or .db

Change smali code

You can change instructions, change the value of some variables or add new instructions. I change the Smali code using VisualCode, you then download the plugin for the smali extension and the editor will tell you if any instruction is incorrect. Some examples can be found here:

Recompile and sign APK

After modifying the code you can recompile the code using:

apktool b . #In the folder generated when you decompiled the application

It will compile the new APK inside the dist folder.

If apktool throws an error, try installing the latest version

Then, you need to generate a key (you will be asked for a password and for some information that you can fill randomly):

keytool -genkey -v -keystore key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias <your-alias>

Finally, sign the new APK:

jarsigner -keystore key.jks path/to/dist/* <your-alias>

Dynamic Analysis

ADB

It allows you to control your device over USB or Network from a computer, copy files back and forth, install and uninstall apps, run shell commands, and more.

ADB Commands

Online Dynamic analysis

You can create a free account in: https://appetize.io/. This platform allows you to upload and execute APKs, so it is useful to see how an apk is behaving.

You can even see the logs of your application in the web and connect through adb.

Thanks to the ADB connection you can use Drozer and Frida inside the emulators.

Local Dynamic Analysis

You can use some emulator like:

  • Genymotion (Free version: Personal Edition, you need to create an account.)

  • Nox (Free, but it doesn't support Frida or Drozer).

Or you could use a physical device (you need to activate the debugging options and it will be cool if you can root it):

  1. Settings.

  2. (FromAndroid 8.0) Select System.

  3. Select About phone.

  4. Press Build number 7 times.

  5. Go back and you will find the Developer options.

Burp Suite

You can prepare the APK to make a MITM using: https://github.com/shroudedcode/apk-mitm Or you can use Burp+Frida+Genymotion: https://spenkk.github.io/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/

I am not going to explain what is Burp Suite or how to use it. But here you have a tutorial of how to configure Android so you can capture all the HTTP requests being made by the (emulated) device.

Drozer

Drozer allows you to assume the role of an Android app and interact with other apps. It can do anything that an installed application can do, such as make use of Android’s Inter-Process Communication (IPC) mechanism and interact with the underlying operating system. From Drozer Guide.

It very useful to exploit exposed:

It could also find debuggeable applications.

Learn how to use it reading the Drozer Tutorial.

Frida

Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. Learn more at www.frida.re.

Basically: Amazing, hook methods, run code inside the applications and play with the application while it is running. If you want to pentest Android applications you need to know how to use Frida.

Learn how to use Frida: Frida tutorial

Android Application Analyzer

This tool could help you managing different tools during the analysis dynamic: https://github.com/NotSoSecure/android_application_analyzer

Automatic Analysis

MobSF

Vulnerability assessment of the application using a nice web-based frontend. You can also perform dynamic analysis (but you need to prepare the environment).

docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

Qark

This tool is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs. The tool is also capable of creating "Proof-of-Concept" deployable APKs and/or ADB commands, capable of exploiting many of the vulnerabilities it finds. There is no need to root the test device, as this tool focuses on vulnerabilities that can be exploited under otherwise secure conditions.

pip install --user qark # --user is only needed if not using a virtualenv
qark --apk path/to/my.apk
qark --java path/to/parent/java/folder
qark --java path/to/specific/java/file.java

  • Displays all extracted files for easy reference

  • Automatically decompile APK files to Java and Smali format

  • Analyze AndroidManifest.xml for common vulnerabilities and behavior

  • Static source code analysis for common vulnerabilities and behavior

    • Device info

    • Intents

    • Command execution

    • SQLite references

    • Logging references

    • Content providers

    • Broadcast recievers

    • Service references

    • File references

    • Crypto references

    • Hardcoded secrets

    • URL's

    • Network connections

    • SSL references

    • WebView references

reverse-apk relative/path/to/APP.apk

SUPER is a command-line application that can be used in Windows, MacOS X and Linux, that analyzes .apk files in search for vulnerabilities. It does this by decompressing APKs and applying a series of rules to detect those vulnerabilities.

All rules are centered in a rules.json file, and each company or tester could create its own rules to analyze what they need.

Download the latest binaries from in the download page

super {apk_file}

StaCoAn

StaCoAn is a crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications*.

The concept is that you drag and drop your mobile application file (an .apk or .ipa file) on the StaCoAn application and it will generate a visual and portable report for you. You can tweak the settings and wordlists to get a customized experience.

Download latest release:

./stacoan

AndroBugs

AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications.

Windows releases

python androbugs.py -f [APK file]
androbugs.exe -f [APK file]

Androwarn

Androwarn is a tool whose main aim is to detect and warn the user about potential malicious behaviours developped by an Android application.

The detection is performed with the static analysis of the application's Dalvik bytecode, represented as Smali, with the androguard library.

This tool looks for common behavior of "bad" applications like: Telephony identifiers exfiltration, Audio/video flow interception, PIM data modification, Arbitrary code execution...

python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3

MARA is a Mobile Application Reverse engineering and Analysis Framework. It is a tool that puts together commonly used mobile application reverse engineering and analysis tools, to assist in testing mobile applications against the OWASP mobile security threats. Its objective is to make this task easier and friendlier to mobile application developers and security professionals.

It is able to:

Obfuscating/Deobfuscating code

ProGuard

ProGuard is an open source command-line tool that shrinks, optimizes and obfuscates Java code. It is able to optimize bytecode as well as detect and remove unused instructions. ProGuard is free software and is distributed under the GNU General Public License, version 2.

ProGuard is distributed as part of the Android SDK and runs when building the application in release mode.

From: https://en.wikipedia.org/wiki/ProGuard_(software)

DeGuard

DeGuard reverses the process of obfuscation performed by Android obfuscation tools. This enables numerous security analyses, including code inspection and predicting libraries.

You can upload an obfuscated APK to their platform.

Simplify

It is a generic android deobfuscator. Simplify virtually executes an app to understand its behavior and then tries to optimize the code so it behaves identically but is easier for a human to understand. Each optimization type is simple and generic, so it doesn't matter what the specific type of obfuscation is used.

APKiD

APKiD gives you information about how an APK was made. It identifies many compilers, packers, obfuscators, and other weird stuff. It's PEiD for Android.

Labs

Androl4b

AndroL4b is an Android security virtual machine based on ubuntu-mate includes the collection of latest framework, tutorials and labs from different security geeks and researchers for reverse engineering and malware analysis.

OWASP

https://github.com/OWASP/owasp-mstg https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication

References

For more information visit: