Android pentesting
- 2. Introductions Agenda: 1. Methodology 2. Static testing 3. Dynamic testing
- 3. P.1. Methodology 1. OWASP Mobile Top-10 2. MSTG - Mobile Security Testing Guide 3. MASVS - Mobile Application Security Verification Standard
- 4. P.1. Methodology P.1.1. OWASP Mobile TOP-10 https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10 M1-Improper Platform Usage M6-Insecure Authorization M2-Insecure Data Storage M7-Poor Code Quality M3-Insecure Communication M8-Code Tampering M4-Insecure Authentication M9-Reverse Engineering M5-Insufficient Cryptography M10-Extraneous Functionality
- 5. P.1. Methodology P.1.2. MSTG General parts Mobile App Authentication Architectures Testing Network Communication Cryptography in Mobile Apps Testing Code Quality Tampering and Reverse Engineering Testing User Education https://github.com/OWASP/owasp-mstg
- 6. P.1. Methodology P.1.2. MSTG Android specific parts Platform Overview Android Basic Security Testing Data Storage on Android Android Cryptographic APIs Local Authentication on Android Android Network APIs Android Platform APIs Code Quality and Build Settings for Android Apps Tampering and Reverse Engineering on Android Android Anti-Reversing Defenses
- 7. P.1. Methodology P.1.3. MASVS v1 Architecture, Design and Threat Modeling Requirements v2 Data Storage and Privacy Requirements v3 Cryptography Requirements v4 Authentication and Session Management Requirements v5 Network Communication Requirements v6 Environmental Interaction Requirements v7 Code Quality and Build Setting Requirements v8 Resiliency Against Reverse Engineering Requirements https://github.com/OWASP/owasp-masvs
- 8. P.2. Static testing Android-app 1. MobSF 2. Androbugs framework 3. QARK 4. VCG scanner
- 9. P.2. Static testing Android-app P.2.1. MobSF Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. https://github.com/MobSF/Mobile-Security-Framework-MobSF
- 10. P.2. Static testing Android-app P.2.1. MobSF
- 11. P.2. Static testing Android-app P.2.2. Androbugs framework AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers to find the potential security vulnerabilities in Android applications. No splendid GUI interface, but the most efficient (less than 2 minutes per scan in average) and more accurate. https://github.com/AndroBugs/AndroBugs_Framework
- 12. P.2. Static testing Android-app P.2.2. Androbug framework
- 13. P.2. Static testing Android-app P.2.3. QARK QARK is an easy to use tool capable of finding common security vulnerabilities in Android applications. Unlike commercial products, it is 100% free to use. QARK features educational information allowing security reviewers to locate precise, in-depth explanations of the vulnerabilities. QARK automates the use of multiple decompilers, leveraging their combined outputs, to produce superior results, when decompiling APKs. Finally, the major advantage QARK has over traditional tools, that just point you to possible vulnerabilities, is that it can produce ADB commands, or even fully functional APKs, that turn hypothetical vulnerabilities into working "POC" exploits. https://github.com/linkedin/qark
- 14. P.2. Static testing Android-app P.2.3. QARK
- 15. P.2. Static testing Android-app P.2.4. VCG scanner VCG is an automated code security review tool for C++, C#, VB, PHP, Java and PL/SQL which is intended to drastically speed up the code review process by identifying bad/insecure code. https://sourceforge.net/projects/visualcodegrepp/
- 16. P.2. Static testing Android-app P.2.4. VCG scanner
- 17. P.3. Dynamic testing Android-app 1. BurpSuite 2. Inspeckage 3. LogCat 4. MobSF 5. Drozer 6. Frida
- 18. P.3. Dynamic testing Android-app P.3.1. BurpSuite https://habr.com/ru/post/432820/
- 19. P.3. Dynamic testing Android-app P.3.1. BurpSuite
- 20. P.3. Dynamic testing Android-app P.3.2. Inspeckage Inspeckage - Android Package Inspector Inspeckage is a tool developed to offer dynamic analysis of Android applications. By applying hooks to functions of the Android API, Inspeckage will help you understand what an Android application is doing at runtime. ● Shared Preferences ● Serialization ● Crypto ● Hash ● SQLite ● HTTP ● FileSystems ● IPC https://github.com/ac-pm/Inspeckage https://habr.com/ru/post/432820/
- 21. P.3. Dynamic testing Android-app P.3.2. Inspeckage
- 22. P.3. Dynamic testing Android-app P.3.3. LogCat https://developer.android.com/studio/command-line/logcat https://habr.com/ru/post/432820/ Logcat is a command-line tool that dumps a log of system messages, including stack traces when the device throws an error and messages that you have written from your app with the Log class.
- 23. P.3. Dynamic testing Android-app P.3.3. LogCat
- 24. P.3. Dynamic testing Android-app P.3.3. LogCat
- 25. P.3. Dynamic testing Android-app P.3.4. MobSF Run a Genymotion Android VM before starting MobSF. Everything will be configured automatically at runtime. MobSF requires Genymotion Android x86 VMs version 4.1 to 9.0 for dynamic analysis. We recommend using Android 7.0 and above. HTTPS Proxy ● For Android versions 4.4 - 9.0, global proxy settings are automatically applied at runtime. ● For Android version 4.1 - 4.3, set Android VM proxy as displayed in Dynamic Analysis page.
- 26. P.3. Dynamic testing Android-app P.3.4. MobSF
- 27. P.3. Dynamic testing Android-app P.3.5. Drozer Drozer (formerly Mercury) is the leading security testing framework for Android. Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS. Drozer provides tools to help you use, share and understand public Android exploits. It helps you to deploy a drozer Agent to a device through exploitation or social engineering. Using weasel (MWR's advanced exploitation payload) drozer is able to maximise the permissions available to it by installing a full agent, injecting a limited agent into a running process, or connecting a reverse shell to act as a Remote Access Tool (RAT). https://github.com/mwrlabs/drozer https://habr.com/ru/post/352252/
- 28. P.3. Dynamic testing Android-app P.3.5. Drozer
- 29. P.3. Dynamic testing Android-app P.3.5. Drozer
- 30. P.3. Dynamic testing Android-app P.3.6. Frida Frida, as described by its creators as – “ a dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, Linux, iOS, Android, and QNX” https://frida.re https://www.notsosecure.com/pentesting-android-apps-using-frida/ https://codeshare.frida.re/browse?page=1
- 31. P.3. Dynamic testing Android-app P.3.6. Frida
- 32. P.3. Dynamic testing Android-app P.3.6. Frida
- 33. Any questions???