Android Security Testing (4 Part Series)
A security attack on a service, application or server can be split into 7 different steps.
- Access and escalation
Even if these steps are very clear when we perform an attack on a website or server, we can follow a similar pattern to perform an attack on a mobile application and so assess its security.
Let’s focus on an Android application for the rest of this post (but the pattern is very similar on iOS).
As soon as you have defined which application you want to test the first steps is to know how the application is working and how the organization that builds it is working as it could then give a great hint to where we should put the efforts in the next steps.
An Android application is basically zipped files. Its extension is “apk”.
To start, we must scan the app to know how it works internally.
It is very common on Android to do that and Google is helping us assessing the security of our applications with the Android Debug Bridge.
When connected to a computer, the Android Debug Bridge allows us to send commands to the device to perform some actions.
I highly recommend that you read more about the possibilities that the Android Bridge offer.
On an Android application, scanning is basically setting up the application to debug mode, repackage it and play with it on the device.
I am using apktool to do this. You should install it on your device and have a look at the documentation to use apktool.
Then you can access all the information from the storage and check if something valuable has leaked (password, cookies, etc…). It is the Insecure Local Storage from the OWASP Mobile Top10.
As we are working on the apk, it is very interesting to decompile the apk and have a look at its source code and then see if something valuable is available in the codebase, from password, to key, to mechanism to block a user from specific behavior.
I am personally using Jadx to do that, which is a very popular Dex to Java decompiler.
However I prefer the Command Line Jadx over the Graphical User Interface.
To decompile an Android application using Jadx, you must just run the following command :
> jadx --deobf ~/app/javaFiles/ ~/insecureApp.apk
Once you have the source code and the files from the local storage, you can use grep commands to look for specific strings in the files.
> grep -Eo '(http|https)://["]+' -R .
Looking for “admin”, “password” or any internet links can give you a lot of very valuable information.
If you think that your passwords are well encrypted and well preserved by companies, please think again about the massive leaks from Yahoo, Tinder or …
And it is very similar in Android application. Some applications are storing your login and password as plain text in the local storage.
Now that we have the source code, and a debuggable application on the device, we can access it.
As you can see in the capture above from one of my penetration testing, as soon as we get to the “shared_preferences” folder through an adb shell, we can see a “Credentials.xml” file. And I can find the login and password stored as plain text in it. 😱
You can think of an app/malware that would ex-filtrate these data from a user’s phone and can then create a login/password database very easily. That is indeed a very critical flaw. 🙅
Something similar is to look at the logs from the device while we are using the application.
> adb logcat > ~/grep-result.txt
And then use grep commands to look for specific strings in the logs.
> grep password ~grep-result.txt > ~grep-password-result.txt
We have looked quickly at the local storage, to continue on the “Access and escalation” step, we are going to look at the network.
Let’s consider that we are going to look at the HTTP requests and responses to begin with. I will write a post to explain how to get information from https requests.
After you set up you device properly to follow the device’s internet traffic to your computer.
On Android, it is under :
/Settings/Networks/Wifi/yourwifissid/Modify network/Proxy manual
You just have to install mitmproxy on your computer, launch it and then use the application on your device.
You should see very quickly all the requests and responses from your application.
I love to get all the responses/requests in a file and study later automatically with grep and with Wireshark.
Then you must use your brain and your experience to look for specific strings and try to hack the application.
It depends a lot on the application and its behavior.
I will not cover the 4, 5, 6 and 7 steps as it is not necessary for a security assessment but are used as part of a real attack.
As you can see, a lot of this setup is very similar whatever the application you start assessing.
That’s why I made a Go application that is doing all of this setup and the static attacks automatically
It is called “AndroSecTest” and is available on Github. Here is a quick Cheat Sheet to test the security of an Android app that AndroSecTest is doing. You can have a quick look at how the application is pentesting an Android app on Youtube : https://youtu.be/zzyTFjnwolo
Automate the setup of your Android Pentest and perform automatically static tests
The first part of the Security testing is to :
1. Get the application from your device, using the
1.1. List the applications' package names on your device :
adb shell pm list packages | grep “hint from the app you are looking for”
1.2. Get the path of the desired application on the device :
adb shell pm path app.package.name.apk
1.3. Pull it from your device to your computer :
adb pull app.path
1.4. Change the file name from ".apk"…
It is still work in progress but I hope to release it very soon for the public.
Here is a quick Cheat Sheet to test the security of an Android app that AndroSecTest is doing.
You can have a quick look at how the application is pentesting an Android app on Youtube : https://youtu.be/zzyTFjnwolo