After web applications, the next area of concern is mobile application penetration testing. Let’s start with some basics.
Basic architecture of an Android device
Hardware always needs drivers, i.e. software, so that it can work smoothly. Android builds on the Linux kernel because it offers security features such as:
- A user-based permissions model
- Process isolation
- Extensible mechanism for secure IPC
- The ability to remove unnecessary and potentially insecure parts of the kernel
The Hardware Abstraction Layer (HAL) gives the layers above it a standard way to reach hardware resources; Bluetooth, audio and the radio are examples.
On top of the Hardware Abstraction Layer sits a layer that contains some of the most important and useful libraries:
- Surface Manager: This manages the windows and screens
- Media Framework: This allows the use of various types of codecs for playback and recording of different media
- SQLite: This is a lightweight SQL database engine used for local data storage
- WebKit: This is the browser rendering engine
- OpenGL: This is used to render 2D and 3D content on the screen. The libraries in this layer are written in C and C++.
The Dalvik Virtual Machine (DVM) was designed by the Android Open Source Project specifically to execute applications written for Android. Each app running on an Android device gets its own Dalvik Virtual Machine instance.
Android Runtime (ART) is an alternative to the Dalvik Virtual Machine. It was released with Android 4.4 as an experimental option, and in Android Lollipop (5.0) it completely replaces the Dalvik Virtual Machine. The major change in ART is ahead-of-time (AOT) compilation together with improved garbage collection. With AOT compilation, an app is compiled when the user installs it on the device, whereas Dalvik used just-in-time (JIT) compilation, in which the bytecode is compiled when the user runs the app.
From Android 4.4 onwards, the Android Runtime (ART) is available alongside the DVM, and the user is free to switch between the DVM and ART runtime environments.
The Application Framework layer provides many higher-level services to applications in the form of Java classes. Application developers are allowed to make use of these services in their applications.
The Android framework includes the following key services:
- Activity Manager: The application lifecycle and the activity stack are controlled by the Activity Manager.
- Content Provider: This component supplies data from one application to others on request. The data can be stored in the file system, an SQLite database, on the web, or any other persistent storage location your app can access. Through the content provider, other apps can query or even modify the data (if the content provider allows it), so it is useful when an app wants to share data with another app.
- Resource Manager: Provides access to non-code embedded resources such as strings, colour settings and user interface layouts.
- Notifications Manager: Allows applications to display alerts and notifications to the user.
- View System: An extensible set of views used to create application user interfaces.
- Package Manager: The system by which applications are able to find out information about other applications currently installed on the device.
- Telephony Manager: Provides information to the application about the telephony services available on the device, such as status and subscriber information.
- Location Manager: Provides access to the location services, allowing an application to receive updates about location changes.
Located at the top of the Android software stack are the applications. These comprise both the native applications provided with the particular Android implementation (for example web browser and email applications) and the third party applications installed by the user after purchasing the device. Typical applications include Camera, Alarm, Clock, Calculator, Contacts, Calendar, Media Player, and so forth.
Above, we had a look at the basic architecture of an Android device.
Now let’s collect some Android application pen-test tools and build a test setup:
There are many tools for an Android application penetration test, but knowing which tool is used for which purpose, and what details we can extract with it, is the most important thing.
We can also use a set of tools bundled in a framework. They are all available as open source: AppUse, Appie, Santoku, PentestBox, MobSF, etc.
Let’s start with AppUse.
AppUse is a VM (Virtual Machine) developed by AppSec Labs. It is a unique platform for mobile application security testing in the Android environment and includes exclusive custom-made tools created by AppSec Labs. The free version is sufficient … Download: https://appsec-labs.com/appuse-pro/
An emulator is built into the AppUse framework; alternatively, an external rooted mobile device can be attached and tested. Launching the emulator gives you a virtual device.
Root Device: roots the emulator device and gives superuser access by using superuser.apk
Open ADB shell: opens an ADB shell
A physical mobile device can be connected to AppUse if you don’t want to use the emulator:
Step 1: On the mobile device, enable USB debugging and connect it to the machine.
Step 2: Run adb devices; it will list the attached devices.
Some basic pentesting tools that are useful in many test cases are already there for you. You just have to click on the tool …
- Burp Suite: the leading software for web security testing. It is a proxy tool that helps intercept requests between client and server.
- Wireshark: a network traffic capture tool that gives a clear picture of the packets on the network.
- IDA: a Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger.
- Eclipse: provides IDEs and platforms for nearly every language and architecture.
- Firefox browser: because it is the hacker’s browser.
- SQLite browser: used to view database files.
- Nmap: a network scanner; we can install it since it is open source.
Reversing an .apk file
Many reverse-engineering and pentest tools are already built into AppUse.
Click on Load APK if you want to load an .apk file that is already installed on the device/emulator. Otherwise you can select an .apk file from Local, i.e. from the base machine. A Google Play option is also available.
- Mainly we will be decoding an APK file; for that we run apktool d filename.apk. It creates a folder in the same directory containing the decompiled files. Alternatively, in AppUse all of this is linked up with the dashboard and can be used directly.
An APK file is a zip file containing XML and other Android application resources. Apktool decodes the resource files and converts the Android bytecode into assembly-level smali files. dex2jar converts the dex files into Java bytecode archived inside a jar file. JD-GUI and Luyten decompile Java bytecode into Java source files.
- After installing or selecting the .apk file, we can view the Android manifest file by clicking View Manifest.
The Dalvik Virtual Machine does not use Java bytecode. Instead, it uses its own file format called dex (Dalvik Executable Format), which holds the definitions of multiple classes and their related data.
- Smali/baksmali are the assembler/disassembler for the dex file format respectively.
- Save Java sources: the dex2jar tool is used to convert the .dex file to a .jar file.
- JD-GUI is a standalone graphical utility that displays the Java source code of .class files.
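To make the two format facts above concrete (an APK is a zip, and classes.dex carries its own adler32 checksum and SHA-1 signature in a fixed 0x70-byte header), here is an added Python example that is not part of the original post or of any of the tools it names. It builds a constructed, header-only dex inside a constructed APK, then reads the zip back, parses the dex header fields and verifies both integrity values; the tamper check shows that a single flipped byte is caught. Field names follow the public dex format layout; the sample files are placeholders, not a real app.

```python
import hashlib
import io
import struct
import zipfile
import zlib

# The dex header is always 0x70 bytes: magic(8) checksum(4) signature(20) then 20 uint32 fields.
DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_TAG = 0x12345678
HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_dex_header(dex: bytes) -> dict:
    """Decode the header and recompute its integrity values."""
    if len(dex) < DEX_HEADER_SIZE or dex[:4] != b"dex\n" or dex[7:8] != b"\x00":
        raise ValueError("not a dex file")
    info = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", dex, 32)))
    info["version"] = dex[4:7].decode("ascii")
    checksum = struct.unpack_from("<I", dex, 8)[0]
    signature = dex[12:32]
    # adler32 covers everything after the checksum field; SHA-1 covers everything after itself.
    info["checksum_ok"] = (zlib.adler32(dex[12:]) & 0xFFFFFFFF) == checksum
    info["signature_ok"] = hashlib.sha1(dex[32:]).digest() == signature
    info["endian_ok"] = info["endian_tag"] == DEX_ENDIAN_TAG
    info["size_ok"] = info["file_size"] == len(dex)
    return info


def inspect_apk(apk_bytes: bytes) -> dict:
    """Treat the APK as the zip it is: list entries and parse every .dex header found."""
    report = {"entries": [], "dex": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            report["entries"].append(name)
            if name.endswith(".dex"):
                report["dex"][name] = parse_dex_header(zf.read(name))
    report["has_manifest"] = "AndroidManifest.xml" in report["entries"]
    return report


def build_minimal_dex() -> bytes:
    """Constructed header-only dex (no classes) with a valid checksum and signature."""
    fields = [DEX_HEADER_SIZE, DEX_HEADER_SIZE, DEX_ENDIAN_TAG] + [0] * 17
    body = struct.pack("<20I", *fields)
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return b"dex\n035\x00" + struct.pack("<I", checksum) + signature + body


def build_sample_apk() -> bytes:
    """Constructed APK: a placeholder manifest, the minimal dex and one resource file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<!-- constructed placeholder; real manifests are binary XML -->")
        zf.writestr("classes.dex", build_minimal_dex())
        zf.writestr("res/values/strings.xml", b"<resources/>")
    return buf.getvalue()


def tampered_dex_passes_checksum() -> bool:
    """Flip one byte after the header's integrity fields and see whether it is still accepted."""
    tampered = bytearray(build_minimal_dex())
    tampered[100] ^= 0x01  # inside class_defs_size
    info = parse_dex_header(bytes(tampered))
    return info["checksum_ok"] and info["signature_ok"]


if __name__ == "__main__":
    report = inspect_apk(build_sample_apk())
    print(report["entries"])
    print(report["dex"]["classes.dex"])
    print("tampered dex accepted:", tampered_dex_passes_checksum())
```

When pointed at a real APK (read the file bytes and call inspect_apk), the same parser tells you how many class definitions, methods and strings the dex declares before you reach for apktool or dex2jar, and a failing checksum or signature is a sign the file was edited after it was built.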
Drozer is not built into AppUse; you can install it by following the MWR user guide (mwri-drozer-user-guide-2015-03-23).
Drozer allows you to assume the role of an Android app and interact with other apps. It can do anything that an installed application can do, such as make use of Android’s Inter-Process Communication (IPC) mechanism and interact with the underlying operating system.
Information gathering is the most basic step of an application security test. The test should attempt to cover as much of the code base as is reasonably possible; therefore mapping every conceivable path through the code, to support exhaustive testing, is essential.
- General information: a summary of general application information.
- Testing for Common Libraries and Fingerprinting.
- Summary of application components and component permissions.
- Reverse Engineering the Application Code.
Application Local Storage Flaws
Android gives you several options for saving persistent application data. The storage you choose depends on your particular needs, for example whether the data should be private to your application or accessible to other applications (and the user), and how much space your data requires.
- Sensitive data found in logs and cache.
- Storing sensitive data on shared storage (exposed to all applications with no restrictions).
- Content Providers SQL Injection and Access Permissions.
- Check if sensitive data stays there even after log out.
- Privacy and Metadata Leaks.
Transport Layer Security
Encryption with Transport Layer Security keeps prying eyes away from your messages while they are in flight. TLS is a protocol that encrypts and conveys data safely for both inbound and outbound traffic, so it prevents eavesdropping.
- Older Insecure Transport Layer Protocols.
- TLS weak encryption (CRIME, BREACH, BEAST, Lucky13, RC4, etc.) can be found with tools like sslscan, sslyze, osaft, etc.
- Insecure Data Storage.
- Bypassing TLS Certificate Pinning.
- TLS Authenticity Flaws.
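The weak-protocol, weak-cipher and authenticity items above have a concrete shape in code, so here is an added Python example (not from the original post, and not tied to any of the scanners it names) that builds the client TLS configuration a well-behaved app would use next to the careless one a scanner would flag, and audits both offline with the standard ssl module. The WEAK_MARKERS list and both context builders are assumptions for the demo; no connection is made.

```python
import ssl

# Cipher-name fragments that correspond to the families the page calls weak
# (RC4, plus NULL/export/MD5/3DES suites). Constructed list for the demo.
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5", "CBC3")


def make_hardened_context() -> ssl.SSLContext:
    """Client context: TLS 1.2+, certificate and hostname verification on, no legacy ciphers."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3/TLS 1.0/1.1 (BEAST-era)
    ctx.check_hostname = True                      # name in the cert must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED            # untrusted chain ends the handshake
    # Forward-secret AEAD suites only; the '!' entries spell out the weak families.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!EXPORT")
    ctx.options |= ssl.OP_NO_COMPRESSION           # TLS-level compression is what CRIME abuses
    return ctx


def make_legacy_context() -> ssl.SSLContext:
    """What a careless app does: any protocol version, any cipher, and no verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                     # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE                # accepts any certificate (authenticity flaw)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("ALL")                         # whatever the OpenSSL build still offers
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings a TLS scanner would report on, without touching the network."""
    cipher_names = [c["name"] for c in ctx.get_ciphers()]
    weak = [name for name in cipher_names if any(m in name for m in WEAK_MARKERS)]
    return {
        "min_version_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "verifies_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "weak_ciphers": weak,
        "cipher_count": len(cipher_names),
    }


if __name__ == "__main__":
    print("hardened:", audit_context(make_hardened_context()))
    print("legacy:  ", audit_context(make_legacy_context()))
```

Which weak suites actually appear in the legacy report depends on the OpenSSL build underneath Python (modern builds drop RC4 entirely), which is the same reason a scanner's findings differ from one server to the next; the hardened context comes out clean on any build. Certificate pinning is a separate layer on top of this and is not shown here.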
IPC Security (Inter-Process Communication)
The Android IPC mechanisms allow you to verify the identity of the application connecting to your IPC and set security policy for each IPC mechanism.
- Device Denial of Service attacks.
- Permissions & Digital Signature Data Sharing Issues.
- An illegitimate application could get access to sensitive data.
- Uncovered Components and Cross Application Authorization.
- Sensitive information disclosed in application error message.
- Insecure permissions set by application through AndroidManifest.xml file.
- Integer, Heap, and Stack Based Buffer Overflow.
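The "uncovered components" and "insecure permissions set through AndroidManifest.xml" items can be checked directly against the decoded manifest that apktool produces (the same text you see under View Manifest). The Python script below is an added example, not part of the original post or of Drozer/apktool: it parses a constructed manifest, applies the platform's export rule (an explicit android:exported wins, otherwise an intent filter makes an activity, service or receiver reachable), skips the launcher activity that has to be exported, and reports every other exported component that carries no android:permission (or, for a provider, no read and write permission). The package and component names are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
ACTION_MAIN = "android.intent.action.MAIN"


def _attr(el, name):
    """Read an android:-namespaced attribute from a decoded (text) manifest element."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(el):
    """Platform rule: explicit android:exported wins; otherwise an intent filter exports
    activities, services and receivers. Providers without the attribute are treated as
    not exported here (the API 17+ default); older targets exported them by default."""
    explicit = _attr(el, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if el.tag == "provider":
        return False
    return el.find("intent-filter") is not None


def is_launcher(el):
    """True when every intent filter on the activity is a MAIN (launcher) filter."""
    filters = el.findall("intent-filter")
    return bool(filters) and all(
        any(_attr(a, "name") == ACTION_MAIN for a in f.findall("action"))
        for f in filters)


def audit_manifest(manifest_xml):
    """Return the exported components that any installed app can reach without a permission."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    for el in app:
        if el.tag not in COMPONENT_TAGS or not is_exported(el):
            continue
        if el.tag == "activity" and is_launcher(el):
            continue  # the launcher activity is exported by design
        if el.tag == "provider":
            protected = bool(_attr(el, "permission")
                             or (_attr(el, "readPermission") and _attr(el, "writePermission")))
        else:
            protected = bool(_attr(el, "permission"))
        if not protected:
            findings.append({"component": el.tag, "name": _attr(el, "name"),
                             "issue": "exported without a permission"})
    return findings


# Constructed manifest for the demo (shape of apktool's decoded AndroidManifest.xml).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <permission android:name="com.example.app.ADMIN" android:protectionLevel="signature"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="true"
              android:permission="com.example.app.ADMIN"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".DebugReceiver">
      <intent-filter><action android:name="com.example.app.DEBUG"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.app.data"
              android:exported="true"/>
  </application>
</manifest>"""


def run_demo():
    return audit_manifest(SAMPLE_MANIFEST)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The fix on the developer side is the mirror image of each finding: set android:exported="false" on anything that only the app itself uses, and guard what must stay exported with a signature-level permission like the one SettingsActivity carries in the sample.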
Authentication is a basic part of this procedure, yet even strong authentication can be undermined by flawed credential management functions, including password change, forgot-my-password, remember-my-password, account update, and other related functions.
- Authentication Inconsistency.
- Cross Application Authentication.
- Session handling errors.
- Client Side Based Authentication Flaws.
- The absence of account lockout policy.
Business logic vulnerability
These are vulnerabilities centred on design rather than on coding. They include both flaws in how the application executes its workflow and the ability to make the application behave in unexpected ways that affect that workflow.
- Check for server side validation.
- Admin/user account compromise.
- Check for root detection method/bypass it.
- Bruteforce authentication.
Server side checks
- Check for client side injection (XSS).
- Username enumeration.
- SQL injection
- Malicious file upload.
- Check all HTTP methods (PUT, DELETE, etc.; use Burp Intruder for HTTP verb tampering).
- Check for session management (cookie flaws, session overriding, session fixation etc.).
- CAPTCHA implementation flaws & bypass.
- Run the nikto and dirb web server scanners.