How To Pentest Android Application
Hi Medium! Here we are again with a new article. Today we will see how to analyze an Android application in two steps:
1. Prepare our work environment
2. Pentest our Android application
1. Prepare our work environment
We can pentest an Android application either on a phone or on a virtual machine on our PC. Personally, I prefer a virtual machine so I don’t need to buy a new phone and root it. In my case, we need to install Genymotion from this link on our Kali machine. We also need to download the Android SDK packages and libraries; this video may be helpful:
When using Genymotion, the OS we run is already rooted. To install our application on the emulator we simply use the following command:
#adb install application.apk
For more information about adb, you may check this link.
In this article, we will just use Drozer.
2. Pentest the Android application
To analyze our .apk application we need to decompress it, so we simply change its extension from .apk to .zip and unzip it:
#cp application.apk application.zip
#unzip application.zip -d application
When we open the new folder (here, InsecureBank) we will find these files:
- AndroidManifest.xml — This is the most important source of information, where we find details about the different components.
- assets — This is used to store the raw asset files.
- res — This holds the resources, like images…
- META-INF — Here we find information about the signature.
- classes.dex — This is where we find the application code; we can read it once we convert it to Java.
To read information about the certificate we can execute this command; we may change this certificate if we want to use Burp Suite:
#keytool -printcert -v -file META-INF/CERT.RSA
To verify the application integrity:
#jarsigner -verify application.apk
To have a look at the classes in our application we run this command:
#d2j-dex2jar application.apk
Now we can check the code of this application and look for code vulnerabilities. Understanding the code takes a lot of time, but usually the developer doesn’t use random variable names, so you just need to memorize them, especially when you move from one class to another:
In this code we have different components:
+ android:exported
One of the first things attackers will try to catch is the component attributes, especially when the exported attribute is true: here the attacker can jump directly to this activity using “adb”.
“The default value depends on whether the activity contains intent filters. The absence of any filters means that the activity can be invoked only by specifying its exact class name. The presence of at least one filter implies that the activity is intended for external use, so the default value is “true”. This attribute is not the only way to limit an activity’s exposure to other applications. You can also use permission to limit the external entities that can invoke the activity (see the permission attribute).” [Source]
Manifest file
In this file, we can see the relevant activities.
First, we need to decompress the application:
#apktool d application.apk
In the manifest file we can find the attribute android:exported="true", which indicates a vulnerability: we can call those activities directly.
Drozer is a good tool that you install on the Android device and control from the terminal. It helps you interact with other applications and try to leak data, jump to activities, and so on.
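As an added example (not code from the original article), here is a small Python audit that applies the default rule quoted above to a manifest decoded with apktool and lists the components other apps can reach without holding a permission. The manifest is a constructed sample, and the package and component names are placeholders.

```python
# Added example: audit a decoded AndroidManifest.xml for over-exposed components.
# Rule applied: an explicit android:exported wins; without it, a component with at
# least one <intent-filter> is exported by default. A permission attribute gates it.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample in the decoded form "apktool d" produces (placeholder names).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <application>
    <activity android:name=".LoginActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <activity android:name=".HistoryActivity" android:exported="true"
              android:permission="com.example.bank.VIEW_HISTORY"/>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.bank.SYNC"/></intent-filter>
    </service>
    <provider android:name=".DataProvider" android:exported="false"
              android:authorities="com.example.bank.data"/>
  </application>
</manifest>
"""

def is_exported(comp):
    """Explicit android:exported wins; otherwise any <intent-filter> exports it."""
    explicit = comp.get(NS + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return comp.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Return (tag, full name, reason) for each component reachable by other apps
    without a permission: the ones to review, and to gate or un-export in the fix."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    findings = []
    for tag in COMPONENTS:
        for comp in root.iter(tag):
            if not is_exported(comp) or comp.get(NS + "permission"):
                continue  # private, or exported but protected by a permission
            name = comp.get(NS + "name", "")
            full = package + name if name.startswith(".") else name
            reason = ('android:exported="true"' if comp.get(NS + "exported")
                      else "no android:exported, but has an intent-filter")
            findings.append((tag, full, reason))
    return findings
```

Run it against the manifest apktool decoded for your target instead of the sample; every reported component is a candidate for a permission attribute or android:exported="false".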
“drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps’ IPC endpoints, and the underlying OS.
drozer provides tools to help you use, share, and understand public Android exploits. It helps you to deploy a drozer Agent to a device through exploitation or social engineering. Using weasel (MWR’s advanced exploitation payload) drozer is able to maximize the permissions available to it by installing a full agent, injecting a limited agent into a running process, or connecting a reverse shell to act as a Remote Access Tool (RAT).” [Source]
This video will help you to understand more about this framework:
From here we can understand that we can directly run the transfer page with this command:
> run app.activity.start --component com.android.application com.android.application.Login
Another useful module is app.package.attacksurface. It tells you about the exported components as well as whether the application is debuggable or not. We will look at exploiting debuggable applications in later articles.
For other tools, I recommend that you follow these videos/links:
- Apktool:
- Burpsuite:
- Andbug:
- Introspy:
- Dex2jar:
Summary
In this small article we saw how we can simply debug an Android application and find different vulnerabilities. To train yourself, I really recommend that you debug the InsecureBank app (Link to download) ;) GL
+ references
https://resources.infosecinstitute.com/android-application-hacking-insecure-bank-part-2/#article
I hope that you enjoyed this article, as always. If you have something to add, don’t hesitate to write a comment ^^ and follow.