SlideShare a Scribd company logo

Android Pentesting

n|u - The Open Security Community, profile picture
n|u - The Open Security Community

This document provides an overview of Android penetration testing. It discusses requirements and tools for static and dynamic analysis, including Apptitude, Genymotion, and ADB. It covers analyzing the Android manifest and classes.dex files. It also describes vulnerabilities in WebViews, such as loading cleartext content and improper SSL handling. Best practices for coding securely on Android are also presented.

Education
Related topics:
Information Security
1 of 53
Download to read offline
1
2
3
4
Most read
5
6
7
8
9
Most read
10
Most read
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
Android Pentesting
./ABOUT ME • MOHAMMED ADAM • INFORMATION SECURITY RESEARCHER • SECURITY CONSULTANT AT CROSSBOW LABS • FOSS ACTIVIST IN VGLUG (VILUPPURAM GNU/LINUX USERS GROUP) • ACKNOWLEDGED BY TOP 50+ COMPANIES LIKE OPPO, NOKIA, HONEYWELL, MCAFEE, VIRUS TOTAL, MASTERCARD, BITDEFENDER, DELL TECHNOLOGIES, ASUS, INTEL, DUCKDUCKGO, CARBON BLACK ETC IN BUG BOUNTIES.
./AGENDA • INTRODUCTION TO ANDROID PENETRATION TESTING • REQUIREMENTS & TOOLS • STATIC ANALYSIS - AUTOMATION & MANUAL TESTING • DYNAMIC ANALYSIS - AUTOMATION & MANUAL TESTING • DISCUSSION ON OWASP TOP 10 MOBILE 2016 VULNERABILITIES
ANDROID INTERNALS • BASED ON LINUX KERNEL • LATEST VERSION - ANDROID PIE • ANDROID Q 10.0 ON THE WAY • APPLICATION RUNS THROUGH DALVIK VM (DALVIK VIRTUAL MACHINE) • DALVIK VM RUNS EXECUTABLE FILES LIKE DEX (DALVIK EXECUTABLE) OR APK FILES • APK FILES ARE ZIPPED CONTENT OF RESOURCES, SIGNATURES, CLASSES.DEX AND ANDROID MANIFEST.XML FILE.
ANDROID SECURITY MODEL • APPLICATION ARE SANDBOXED (RUNS WITH DIFFERENT UID & GID) • ZYGOTE SPAWNS A NEW PROCESS FOR EACH APPLICATION • EACH APPLICATION RUNS WITH A SEPARATE INSTANCE OF DALVIK VM • SPECIAL PERMISSIONS ARE PROVIDED TO ACCESS HARDWARE API'S • PERMISSIONS ARE MENTIONED IN ANDROID MANIFEST.XML FILE.
ANDROID APPLICATION .APK • JUST AN ARCHIVE ! • WRITTEN MAINLY IN JAVA & XML • MULTIPLE ENTRY POINTS, SUCH AS ACTIVITY, SERVICES, INTENTS, CONTENT PROVIDERS, ETC.
REQUIREMENTS & TOOLS • Android Tamer- https://androidtamer.com/ • Genymotion - https://www.genymotion.com/fun-zone/
Android Pentesting
WHAT IS ADB ? • ANDROID DEBUG BRIDGE (ADB) IS A COMMAND LINE TOOL THAT LETS YOU COMMUNICATE WITH AN EMULATOR OR CONNECTED ANDROID DEVICE. • ADB DEBUGGING - ADB DEVICES - ADB FORWARD - ADB KILL-SERVER • WIRELESS - ADB CONNECT - ADB USB • PACKAGE MANAGER - ADB INSTALL - ADB UNINSTALL- ADB SHELL PM LIST PACKAGES - ADB SHELL PM PATH - ADB SHELL PM CLEAR • NETWORK - ADB SHELL NETSTAT- ADB SHELL PING - ADB SHELL NETCFG - ADB SHELL IP • LOGCAT - ADB LOGCAT -ADB SHELL DUMPSYS - ADB SHELL DUMPSTATE • REFERENCES - HTTP://ADBSHELL.COM/
STATIC ANALYSIS - MANUAL TESTING• REVERSE ENGINEERING ANDROID APPLICATIONS • THE UNZIP UTILITY CAN BE USED TO EXTRACT FILES THAT ARE STORED INSIDE THE APK.
APKTOOL • APKTOOL - A TOOL FOR REVERSE ENGINEERING 3RD PARTY, CLOSED, BINARY ANDROID APPS. IT CAN DECODE RESOURCES TO NEARLY ORIGINAL FORM AND REBUILD THEM AFTER MAKING SOME MODIFICATIONS. • DISASSEMBLING ANDROID APK FILE APKTOOL D <APK FILE>
EVERY APK CONTAINS THE FOLLOWING FILES: • ANDROIDMANIFEST.XML - DEFINES THE PERMISSIONS OF THE APPLICATION • CLASSES.DEX - CONTAINS ALL THE JAVA CLASS FILES • RESOURCES.ARSC - CONTAINS ALL THE META-INFORMATION ABOUT THE RESOURCES AND NODES
SECURITY GUIDELINES FOR ANDROID MANIFEST.XML
CAN THESE PERMISSION BE BYPASSED ?
ANDROID MANIFEST.XML OMG! • ACTIVITIES, SERVICES, RECEIVERS SHOULD NOT BE EXPORTED OR ELSE YOU CAN BYPASS THOSE ACTIVITIES!
UPLOADING A SENSITIVE FILES FROM SD-CARD TO REMOTE SERVER WITHOUT ANY PERMISSION !
ANDROID MANIFEST.XML OMG! • ANDROID:EXPORTED="TRUE" IN <PROVIDER> WILL TURN INTO A NIGHTMARE! • BTW BY DEFAULT IT IS "TRUE" IF EITHER ANDROID:MINSDKVERSION OR ANDROID:TARGETSDKVERSION TO "16" OR LOWER. • FOR APPLICATIONS THAT SET EITHER OF THESE ATTRIBUTES TO "17" OR HIGHER, THE DEFAULT IS "FALSE"
DEBUG MODE • THE DEBUG TAG DEFINES WHETHER THE APPLICATION CAN BE DEBUGGED OR NOT. IF THE APPLICATION CAN BE DEBUGGED THEN IT CAN PROVIDE PLENTY OF INFORMATION TO AN ATTACKER. <APPLICATION ANDROID:DEBUGGABLE="FALSE" </APPLICATION>
BACKUP FLAG • THIS SETTING DEFINES WHETHER APPLICATION DATA CAN BE BACKED UP AND RESTORED BY A USER WHO HAS ENABLED USB DEBUGGING. THEREFORE APPLICATIONS THAT HANDLE AND STORE SENSITIVE INFORMATION SUCH AS CARD DETAILS, PASSWORDS ETC. <APPLICATION ANDROID:ALLOWBACKUP="FALSE" </APPLICATION>
EXTERNAL STORAGE • APPLICATIONS THAT HAVE THE PERMISSION TO COPY DATA TO EXTERNAL STORAGE SHOULD BE REVIEWED TO ENSURE THAT NO SENSITIVE INFORMATION IS STORED. • <USES-PERMISSION ANDROID:NAME="ANDROID.PERMISSION.WRITE_EXTERNAL_STORAGE"/>
ANDROID:PROTECTIONLEVEL • THE ANDROID:PROTECTIONLEVEL ATTRIBUTE DEFINES THE PROCEDURE THAT THE SYSTEM SHOULD FOLLOW BEFORE GRANTS THE PERMISSION TO THE APPLICATION THAT HAS REQUESTED IT. THERE ARE FOUR VALUES THAT CAN BE USED WITH THIS ATTRIBUTE: • NORMAL – DANGEROUS – SIGNATURE – SIGNATURE OR SYSTEM • ALL THE PERMISSIONS THAT THE APPLICATION REQUESTS SHOULD BE REVIEWED TO ENSURE THAT THEY DON’T INTRODUCE A SECURITY RISK. <PERMISSION> ANDROID:PROTECTIONLEVEL="SIGNATURE" </PERMISSION>
INTENTS • INTENTS CAN BE USED TO LAUNCH AN ACTIVITY, TO SEND IT TO ANY INTERESTED BROADCAST RECEIVER COMPONENTS, AND TO COMMUNICATE WITH A BACKGROUND SERVICE. INTENTS MESSAGES SHOULD BE REVIEWED TO ENSURE THAT THEY DOESN’T CONTAIN ANY SENSITIVE INFORMATION THAT COULD BE INTERCEPTED. <INTENT-FILTER> <ACTION ANDROID:NAME="STRING" /> <CATEGORY ANDROID:NAME="STRING" /> </INTENT-FILTER>
CLASSES DEX • THE CLASSES.DEX FILE CONTAINS ALL THE JAVA CLASSES OF THE APPLICATION AND IT CAN BE DISASSEMBLED WITH BAKSMALI TOOL TO RETRIEVE THE JAVA SOURCE CODE.
CONVERT CLASSES.DEX FILES TO JAR • TO DECOMPILE CLASSES.DEX FILE > D2J-DEX2JAR CLASSES.DEX
TO READ JAR FILE – USE JDGUI • IN JDGUI, FILE-> OPEN THE FILE/DIRECTORY WHERE JAR FILE IS PRESENTED
ANDROID WEBVIEW VULNERABILITIES • WEBVIEWS ARE USED IN ANDROID APPLICATIONS TO LOAD CONTENT AND HTML PAGES WITHIN THE APPLICATION. DUE TO THIS FUNCTIONALITY THE IMPLEMENTATION OF WEBVIEW IT MUST BE SECURE IN ORDER NOT TO INTRODUCE THE APPLICATION TO GREAT RISK.
LOADING CLEAR-TEXT CONTENT • IF WEBVIEW IS ALLOWING TO LOAD CLEAR-TEXT CONTENT FROM THE INTERNET THEN IT WOULD BE OPEN TO VARIOUS FORMS OF ATTACK SUCH AS MITM. • MYWEBVIEW.LOADURL("HTTP://WWW.DROIDSEC.ORG/TESTS/ADDJSIF/");
SSL ERROR HANDLING • THE CODE BELOW INSTRUCTS THE WEBVIEW CLIENT TO PROCEED WHEN AN SSL ERROR OCCUR. THIS MEANS THAT THE APPLICATION IS VULNERABLE TO MITM ATTACKS AS IT COULD ALLOW AN ATTACKER TO READ OR MODIFY CONTENT THAT IS DISPLAYED TO THE USER SINCE ANY CERTIFICATE WOULD BE ACCEPTED BY THE APPLICATION. @OVERRIDE PUBLIC VOID ONRECEIVEDSSLERROR(WEBVIEW VIEW, SSLERRORHANDLER HANDLER, SSLERROR ERROR) { HANDLER.PROCEED(); }
JAVASCRIPT ENABLED • ALLOWING JAVASCRIPT CONTENT TO BE EXECUTED WITHIN THE APPLICATION VIA WEBVIEW MIGHT GIVE THE OPPORTUNITY TO AN ATTACKER TO EXECUTE ARBITRARY JAVASCRIPT CODE IN ORDER TO PERFORM MALICIOUS ACTIONS. THIS SETTING ALLOW WEBVIEW TO EXECUTE JAVASCRIPT CODE. WEBSETTINGS WEBSETTINGS = MYWEBVIEW.GETSETTINGS(); WEBSETTINGS.SETJAVASCRIPTENABLED(TRUE);
ACCESSING LOCAL RESOURCES • IF THE WEBVIEW IS ALLOWING TO ACCESS CONTENT FROM OTHER APPLICATIONS THAT EXIST ON THE SAME DEVICE THEN IT COULD BE POSSIBLE FOR AN ATTACKER TO CREATE A MALICIOUS HTML FILE THAT COULD BE INJECTED INSIDE THE TARGET APPLICATION THROUGH THE USE FILE:SCHEME. IN ORDER FOR THIS MALICIOUS FILE TO BE LOADED NEEDS TO HAVE WORLD READABLE PERMISSIONS.
ANDROID CODING BEST PRACTICES • FOLLOW -> HTTPS://DEVELOPER.ANDROID.COM/GUIDE/PRACTICES/COMPATIBILITY • TOP 10 MOBILE RISKS OWASP 2016 – HTTPS://WWW.OWASP.ORG/INDEX.PHP/MOBILE_TOP_10_2016-TOP_10 • HTTPS://WIKI.SEI.CMU.EDU/CONFLUENCE/DISPLAY/ANDROID/DRD02- J.+DO+NOT+ALLOW+WEBVIEW+TO+ACCESS+SENSITIVE+LOCAL+RESOURCE+THROU GH+FILE+SCHEME • HTTPS://LABS.MWRINFOSECURITY.COM/BLOG/WEBVIEW- ADDJAVASCRIPTINTERFACE-REMOTE-CODE-EXECUTION/ • HTTPS://WWW.RAPID7.COM/DB/MODULES/EXPLOIT/ANDROID/BROWSER/WEBVIEW_AD DJAVASCRIPTINTERFACE
DYNAMIC ANALYSIS WIDELY USED TOOLS •BURPSUITE •DROZER
INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE • TO CONFIGURE THE PROXY GO TO SETTINGS. A SCREEN SOMETHING LIKE THE BELOW ONE WILL COME UP. SELECT “MORE”.
INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE INTERCEPTION CAN BE DONE BY USING WIFI NETWORKS AS WELL AS MOBILE NETWORKS. HERE IM SHOWING MOBILE NETWORK IN THE NEXT MENU, SELECT “MOBILE NETWORKS”.
INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE SELECT ACCESS POINT NAMES OPTION AS SHOWN IN THE IMAGE.
INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE • NO, THERE MUST BE A MOBILE NETWORK ALREADY CONFIGURED, AND THE NAME OF THE NETWORK WILL BE “TELKILA”, AS SHOWN IN THE IMAGE BELOW. CHOOSE THIS NETWORK.
INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE • PUT THE IP ADDRESS OF YOUR INTERFACE WHERE YOU WILL BE LISTENING THE TRAFFIC, I.E. WHERE YOU WILL RUN BURP. DOWN TO THAT, PUT THE PORT NUMBER ON WHICH YOU WANT TO LISTEN. BY DEFAULT IT’S 8080 IN BURP, BUT FEEL FREE TO CHANGE IT, JUST MAKE SURE YOU HAVE SAME PORT NUMBER CONFIGURED AT BOTH END POINTS.
INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE • NOW IN BURPSUITE, GO TO THE “PROXY” TAB, SELECT THE “OPTIONS” TAB. SELECT THE DEFAULT CONFIGURED INTERFACE, AND CLICK ON “EDIT”.
INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE PROXY > INTERCEPT > “INTERCEPT IS ON”
INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE “INTERCEPT RESPONSE BASED ON THE FOLLOWING RULES”
SSL PINNING BYPASS • REQUIRED TOOLS FOR SSL PINNING BYPASS • ROOTED MOBILE • SSLUNPINNING APK • XPOSED FRAMEWORK & XPOSED INSTALLER APK FOR SPECIFIC MOBILE (DEPENDS ON SDK)
DROZER – GAME CHANGER TOOL FOR ANDROID APP PT • CONNECTING DROZER TO THE MOBILE DEVICE • CONNECT YOUR MOBILE DEVICE TO YOUR COMPUTER USING A USB CABLE; • OPEN DROZER AGENT APPLICATION ON YOUR MOBILE DEVICE AND CLICK THE ON BUTTON FROM THE BOTTOM-RIGHT;
DROZER – CONT. • USE ADB.EXE TO OPEN A TCP SOCKET BETWEEN YOUR COMPUTER AND THE SERVER EMBEDDED IN DROZER AGENT: • ADB.EXE FORWARD TCP:31415 TCP:31415 • GO TO THE FOLDER WHERE YOU INSTALLED DROZER AND CONNECT TO THE MOBILE DEVICE: • DROZER CONSOLE CONNECT
STARTING AN ACTIVITY FROM ANOTHER PACKAGE • OK, NOW WE HAVE AN INTERACTIVE DROZER CONSOLE. WHAT CAN WE DO? LET’S START AN ACTIVITY, COMMAND BY COMMAND: • LIST, WILL DISPLAY A LIST OF COMMANDS AVAILABLE IN DROZER
FIND A LIST OF PACKAGES • RUN APP.PACKAGE.LIST -F FIREFOX TO FIND A LIST OF PACKAGES THAT CONTAIN THE STRING “FIREFOX”; WE FOUND ORG.MOZILLA.FIREFOX.
IDENTIFY THE ATTACK SURFACE FOR OUR APPLICATION • RUN APP.PACKAGE.ATTACKSURFACE ORG.MOZILLA.FIREFOX TO IDENTIFY THE ATTACK SURFACE FOR OUR APPLICATION; WE FOUND 113 EXPORTED ACTIVITIES, 12 EXPORTED BROADCAST RECEIVERS, 8 EXPORTED CONTENT PROVIDERS AND 1 EXPORTED SERVICE; THIS IS A GOOD EXAMPLE OF A BIG ATTACK SURFACE.
MORE INFORMATION ABOUT A SPECIFIC PACKAGE
INSPECT THE MANIFEST FILE OF A SPECIFIC APPLICATION
LIST THE EXPORTED ACTIVITIES • RUN APP.ACTIVITY.INFO -A ORG.MOZILLA.FIREFOX TO LIST THE EXPORTED ACTIVITIES; WE CAN SEE THAT THERE IS AN EXPORTED ACTIVITY NAMED ORG.MOZILLA.FIR EFOX.APP THAT DOES NOT REQUIRE ANY PERMISSION TO BE STARTED.
LIST OF VULNERABLE ANDROID APPLICATIONS • DAMN VULNERABLE HYBRID MOBILE APPLICATION • ANDROID DIGITAL BANK • DAMN INSECURE AND VULNERABLE APPLICATION • HACKME BANK • INSECURE BANK • DAMN VULNERABLE ANDROID APPLICATION • OWASP GOATDROID • DODO VULNERABLE BANK
Android Pentesting
REFERENCES: • HTTPS://RESOURCES.INFOSECINSTITUTE.COM/ANDROID-APPLICATION-SECURITY-TESTING-GUIDE-PART-1/ • HTTPS://RESOURCES.INFOSECINSTITUTE.COM/ANDROID-APP-SEC-TEST-GUIDE-PART-2/ • HTTPS://KING-SABRI.NET/ANDROID-HACKING-DROZER-SECURITY-ASSESSMENT-FRAMEWORK/ • HTTPS://SECURITYGRIND.COM/USING-THE-DROZER-FRAMEWORK-FOR-ANDROID-PENTESTING/ • HTTPS://PENTESTLAB.BLOG/CATEGORY/MOBILE-PENTESTING/ • HTTPS://GITHUB.COM/TANPRATHAN/MOBILEAPP-PENTEST-CHEATSHEET • HTTPS://PENTESTLAB.BLOG/2016/11/07/LIST-OF-VULNERABLE-ANDROID-APPLICATIONS/
THANKS https://twitter.com/iam_amdadam https://www.linkedin.com/in/ mohammedadam24/

More Related Content

PDF
Android application penetration testing
Roshan Kumar Gami
 
PPTX
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Romansh Yadav
 
PDF
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
apidays
 
PPTX
Android pentesting
Mykhailo Antonishyn
 
PPTX
Mobile Application Security Testing (Static Code Analysis) of Android App
Abhilash Venkata
 
PDF
Android pentesting
Mykhailo Antonishyn
 
PDF
Mobile Application Security
cclark_isec
 
PPT
Introduction To OWASP
Marco Morana
 
Android application penetration testing
Roshan Kumar Gami
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Romansh Yadav
 
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
apidays
 
Android pentesting
Mykhailo Antonishyn
 
Mobile Application Security Testing (Static Code Analysis) of Android App
Abhilash Venkata
 
Android pentesting
Mykhailo Antonishyn
 
Mobile Application Security
cclark_isec
 
Introduction To OWASP
Marco Morana
 

What's hot (20)

PPT
OWASP Top Ten
Christian Heinrich
 
PPTX
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham
 
PDF
Getting started with Android pentesting
Minali Arora
 
PPTX
Mobile Application Security
Ishan Girdhar
 
PPTX
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Ajin Abraham
 
PPTX
Mobile security
priyanka pandey
 
PPTX
Hacking and securing ios applications
Satish b
 
PDF
Android Operating System (Androrid OS)
Siddharth Belbase
 
PPTX
Android pentesting the hackers-meetup
kunwaratul hax0r
 
PPTX
Day: 1 Introduction to Mobile Application Development (in Android)
Ahsanul Karim
 
PPTX
Understanding android security model
Pragati Rai
 
PDF
Android reverse engineering: understanding third-party applications. OWASP EU...
Internet Security Auditors
 
PPTX
Android Synopsis
Niraj Rahi
 
PPTX
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
PDF
Malware detection-using-machine-learning
Security Bootcamp
 
PPTX
AN INTRODUCTION TO MOBILE APPLICATION DEVELOPMENT
GbadeboTEkunola
 
PDF
Bug Bounty Secrets
n|u - The Open Security Community
 
PPTX
Mobile security
CyberoamAcademy
 
PDF
The fundamentals of Android and iOS app security
NowSecure
 
PPT
Hacking web applications
Adeel Javaid
 
OWASP Top Ten
Christian Heinrich
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham
 
Getting started with Android pentesting
Minali Arora
 
Mobile Application Security
Ishan Girdhar
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Ajin Abraham
 
Mobile security
priyanka pandey
 
Hacking and securing ios applications
Satish b
 
Android Operating System (Androrid OS)
Siddharth Belbase
 
Android pentesting the hackers-meetup
kunwaratul hax0r
 
Day: 1 Introduction to Mobile Application Development (in Android)
Ahsanul Karim
 
Understanding android security model
Pragati Rai
 
Android reverse engineering: understanding third-party applications. OWASP EU...
Internet Security Auditors
 
Android Synopsis
Niraj Rahi
 
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
Malware detection-using-machine-learning
Security Bootcamp
 
AN INTRODUCTION TO MOBILE APPLICATION DEVELOPMENT
GbadeboTEkunola
 
Bug Bounty Secrets
n|u - The Open Security Community
 
Mobile security
CyberoamAcademy
 
The fundamentals of Android and iOS app security
NowSecure
 
Hacking web applications
Adeel Javaid
 
Ad

Similar to Android Pentesting (20)

PPTX
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
TestDevLab
 
PDF
Droidcon it-2014-marco-grassi-viaforensics
viaForensics
 
PDF
8 Android Implementation Issues (Part 1)
Sam Bowne
 
PPTX
Penetrating Android Aapplications
Roshan Thomas
 
PDF
IRJET- Secure Android Application Development and Security Assessment
IRJET Journal
 
PDF
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Romansh Yadav
 
PPTX
Pentesting Android Apps
Abdelhamid Limami
 
PPTX
Security testing of mobile applications
GTestClub
 
PPTX
Hacker Halted 2014 - Reverse Engineering the Android OS
EC-Council
 
PPTX
Untitled 1
Sergey Kochergan
 
PPTX
[Wroclaw #1] Android Security Workshop
OWASP
 
PPTX
Mobile application security
Shubhneet Goel
 
PPTX
From Reversing to Exploitation
Satria Ady Pradana
 
PPT
Securely Deploying Android Device - ISSA (Ireland)
Angelill0
 
PPTX
Android Penetration Testing - Day 3
Mohammed Adam
 
PDF
Hacking your Android (slides)
Justin Hoang
 
PDF
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)
Sam Bowne
 
PDF
Hacking Android [MUC:SEC 20.05.2015]
Angelo Rüggeberg
 
PDF
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)
Sam Bowne
 
PPTX
From Reversing to Exploitation: Android Application Security in Essence
Satria Ady Pradana
 
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
TestDevLab
 
Droidcon it-2014-marco-grassi-viaforensics
viaForensics
 
8 Android Implementation Issues (Part 1)
Sam Bowne
 
Penetrating Android Aapplications
Roshan Thomas
 
IRJET- Secure Android Application Development and Security Assessment
IRJET Journal
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Romansh Yadav
 
Pentesting Android Apps
Abdelhamid Limami
 
Security testing of mobile applications
GTestClub
 
Hacker Halted 2014 - Reverse Engineering the Android OS
EC-Council
 
Untitled 1
Sergey Kochergan
 
[Wroclaw #1] Android Security Workshop
OWASP
 
Mobile application security
Shubhneet Goel
 
From Reversing to Exploitation
Satria Ady Pradana
 
Securely Deploying Android Device - ISSA (Ireland)
Angelill0
 
Android Penetration Testing - Day 3
Mohammed Adam
 
Hacking your Android (slides)
Justin Hoang
 
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)
Sam Bowne
 
Hacking Android [MUC:SEC 20.05.2015]
Angelo Rüggeberg
 
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)
Sam Bowne
 
From Reversing to Exploitation: Android Application Security in Essence
Satria Ady Pradana
 
Ad

More from n|u - The Open Security Community (20)

PDF
Hardware security testing 101 (Null - Delhi Chapter)
n|u - The Open Security Community
 
PDF
Osint primer
n|u - The Open Security Community
 
PPTX
SSRF exploit the trust relationship
n|u - The Open Security Community
 
PPTX
Nmap basics
n|u - The Open Security Community
 
PDF
Metasploit primary
n|u - The Open Security Community
 
PDF
Api security-testing
n|u - The Open Security Community
 
PDF
Introduction to TLS 1.3
n|u - The Open Security Community
 
PDF
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
n|u - The Open Security Community
 
PDF
Talking About SSRF,CRLF
n|u - The Open Security Community
 
PPTX
Building active directory lab for red teaming
n|u - The Open Security Community
 
PPTX
Owning a company through their logs
n|u - The Open Security Community
 
PPTX
Introduction to shodan
n|u - The Open Security Community
 
PDF
Cloud security
n|u - The Open Security Community
 
PDF
Detecting persistence in windows
n|u - The Open Security Community
 
PPTX
Frida - Objection Tool Usage
n|u - The Open Security Community
 
PDF
OSQuery - Monitoring System Process
n|u - The Open Security Community
 
PDF
DevSecOps Jenkins Pipeline -Security
n|u - The Open Security Community
 
PDF
Extensible markup language attacks
n|u - The Open Security Community
 
PPTX
Linux for hackers
n|u - The Open Security Community
 
PDF
News bytes null 200314121904
n|u - The Open Security Community
 
Hardware security testing 101 (Null - Delhi Chapter)
n|u - The Open Security Community
 
Osint primer
n|u - The Open Security Community
 
SSRF exploit the trust relationship
n|u - The Open Security Community
 
Nmap basics
n|u - The Open Security Community
 
Metasploit primary
n|u - The Open Security Community
 
Api security-testing
n|u - The Open Security Community
 
Introduction to TLS 1.3
n|u - The Open Security Community
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
n|u - The Open Security Community
 
Talking About SSRF,CRLF
n|u - The Open Security Community
 
Building active directory lab for red teaming
n|u - The Open Security Community
 
Owning a company through their logs
n|u - The Open Security Community
 
Introduction to shodan
n|u - The Open Security Community
 
Cloud security
n|u - The Open Security Community
 
Detecting persistence in windows
n|u - The Open Security Community
 
Frida - Objection Tool Usage
n|u - The Open Security Community
 
OSQuery - Monitoring System Process
n|u - The Open Security Community
 
DevSecOps Jenkins Pipeline -Security
n|u - The Open Security Community
 
Extensible markup language attacks
n|u - The Open Security Community
 
Linux for hackers
n|u - The Open Security Community
 
News bytes null 200314121904
n|u - The Open Security Community
 

Recently uploaded (20)

PDF
Basic Mud Logging Guide for educational purpose
wdandworks
 
PDF
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
PDF
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
PPTX
Introduction to Child Health Nursing – Unit I | Child Health Nursing I | B.Sc...
RAKESH SAJJAN
 
PDF
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
PDF
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
PDF
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
PDF
RMMM.pdf make it easy to upload and study
sajedul2
 
PDF
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
PDF
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
PPTX
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
PPTX
Week 4 Term 3 Study Techniques revisited.pptx
mansk2
 
PPTX
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Rajshri Ghogare
 
PPTX
PPH.pptx obstetrics and gynecology in nursing
SrideviDevaraj5
 
PPTX
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
PPTX
Pharma ospi slides which help in ospi learning
rameetkumar304
 
PDF
Business Ethics Teaching Materials for college
CynthiaCastillo40
 
PPTX
Renaissance Architecture: A Journey from Faith to Humanism
DrMonicaSharma
 
PDF
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
PPTX
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
Basic Mud Logging Guide for educational purpose
wdandworks
 
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
Introduction to Child Health Nursing – Unit I | Child Health Nursing I | B.Sc...
RAKESH SAJJAN
 
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
RMMM.pdf make it easy to upload and study
sajedul2
 
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
Week 4 Term 3 Study Techniques revisited.pptx
mansk2
 
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Rajshri Ghogare
 
PPH.pptx obstetrics and gynecology in nursing
SrideviDevaraj5
 
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
Pharma ospi slides which help in ospi learning
rameetkumar304
 
Business Ethics Teaching Materials for college
CynthiaCastillo40
 
Renaissance Architecture: A Journey from Faith to Humanism
DrMonicaSharma
 
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 

Android Pentesting

  • 2. ./ABOUT ME • MOHAMMED ADAM • INFORMATION SECURITY RESEARCHER • SECURITY CONSULTANT AT CROSSBOW LABS • FOSS ACTIVIST IN VGLUG (VILUPPURAM GNU/LINUX USERS GROUP) • ACKNOWLEDGED BY TOP 50+ COMPANIES LIKE OPPO, NOKIA, HONEYWELL, MCAFEE, VIRUS TOTAL, MASTERCARD, BITDEFENDER, DELL TECHNOLOGIES, ASUS, INTEL, DUCKDUCKGO, CARBON BLACK ETC IN BUG BOUNTIES.
  • 3. ./AGENDA • INTRODUCTION TO ANDROID PENETRATION TESTING • REQUIREMENTS & TOOLS • STATIC ANALYSIS - AUTOMATION & MANUAL TESTING • DYNAMIC ANALYSIS - AUTOMATION & MANUAL TESTING • DISCUSSION ON OWASP TOP 10 MOBILE 2016 VULNERABILITIES
  • 4. ANDROID INTERNALS • BASED ON LINUX KERNEL • LATEST VERSION - ANDROID PIE • ANDROID Q 10.0 ON THE WAY • APPLICATION RUNS THROUGH DALVIK VM (DALVIK VIRTUAL MACHINE) • DALVIK VM RUNS EXECUTABLE FILES LIKE DEX (DALVIK EXECUTABLE) OR APK FILES • APK FILES ARE ZIPPED CONTENT OF RESOURCES, SIGNATURES, CLASSES.DEX AND ANDROID MANIFEST.XML FILE.
  • 5. ANDROID SECURITY MODEL • APPLICATION ARE SANDBOXED (RUNS WITH DIFFERENT UID & GID) • ZYGOTE SPAWNS A NEW PROCESS FOR EACH APPLICATION • EACH APPLICATION RUNS WITH A SEPARATE INSTANCE OF DALVIK VM • SPECIAL PERMISSIONS ARE PROVIDED TO ACCESS HARDWARE API'S • PERMISSIONS ARE MENTIONED IN ANDROID MANIFEST.XML FILE.
  • 6. ANDROID APPLICATION .APK • JUST AN ARCHIVE ! • WRITTEN MAINLY IN JAVA & XML • MULTIPLE ENTRY POINTS, SUCH AS ACTIVITY, SERVICES, INTENTS, CONTENT PROVIDERS, ETC.
  • 7. REQUIREMENTS & TOOLS • Android Tamer- https://androidtamer.com/ • Genymotion - https://www.genymotion.com/fun-zone/
  • 9. WHAT IS ADB ? • ANDROID DEBUG BRIDGE (ADB) IS A COMMAND LINE TOOL THAT LETS YOU COMMUNICATE WITH AN EMULATOR OR CONNECTED ANDROID DEVICE. • ADB DEBUGGING - ADB DEVICES - ADB FORWARD - ADB KILL-SERVER • WIRELESS - ADB CONNECT - ADB USB • PACKAGE MANAGER - ADB INSTALL - ADB UNINSTALL- ADB SHELL PM LIST PACKAGES - ADB SHELL PM PATH - ADB SHELL PM CLEAR • NETWORK - ADB SHELL NETSTAT- ADB SHELL PING - ADB SHELL NETCFG - ADB SHELL IP • LOGCAT - ADB LOGCAT -ADB SHELL DUMPSYS - ADB SHELL DUMPSTATE • REFERENCES - HTTP://ADBSHELL.COM/
  • 10. STATIC ANALYSIS - MANUAL TESTING• REVERSE ENGINEERING ANDROID APPLICATIONS • THE UNZIP UTILITY CAN BE USED TO EXTRACT FILES THAT ARE STORED INSIDE THE APK.
  • 11. APKTOOL • APKTOOL - A TOOL FOR REVERSE ENGINEERING 3RD PARTY, CLOSED, BINARY ANDROID APPS. IT CAN DECODE RESOURCES TO NEARLY ORIGINAL FORM AND REBUILD THEM AFTER MAKING SOME MODIFICATIONS. • DISASSEMBLING ANDROID APK FILE APKTOOL D <APK FILE>
  • 12. EVERY APK CONTAINS THE FOLLOWING FILES: • ANDROIDMANIFEST.XML - DEFINES THE PERMISSIONS OF THE APPLICATION • CLASSES.DEX - CONTAINS ALL THE JAVA CLASS FILES • RESOURCES.ARSC - CONTAINS ALL THE META-INFORMATION ABOUT THE RESOURCES AND NODES
  • 13. SECURITY GUIDELINES FOR ANDROID MANIFEST.XML
  • 14. CAN THESE PERMISSION BE BYPASSED ?
  • 15. ANDROID MANIFEST.XML OMG! • ACTIVITIES, SERVICES, RECEIVERS SHOULD NOT BE EXPORTED OR ELSE YOU CAN BYPASS THOSE ACTIVITIES!
  • 16. UPLOADING A SENSITIVE FILES FROM SD-CARD TO REMOTE SERVER WITHOUT ANY PERMISSION !
  • 17. ANDROID MANIFEST.XML OMG! • ANDROID:EXPORTED="TRUE" IN <PROVIDER> WILL TURN INTO A NIGHTMARE! • BTW BY DEFAULT IT IS "TRUE" IF EITHER ANDROID:MINSDKVERSION OR ANDROID:TARGETSDKVERSION TO "16" OR LOWER. • FOR APPLICATIONS THAT SET EITHER OF THESE ATTRIBUTES TO "17" OR HIGHER, THE DEFAULT IS "FALSE"
  • 18. DEBUG MODE • THE DEBUG TAG DEFINES WHETHER THE APPLICATION CAN BE DEBUGGED OR NOT. IF THE APPLICATION CAN BE DEBUGGED THEN IT CAN PROVIDE PLENTY OF INFORMATION TO AN ATTACKER. <APPLICATION ANDROID:DEBUGGABLE="FALSE" </APPLICATION>
  • 19. BACKUP FLAG • THIS SETTING DEFINES WHETHER APPLICATION DATA CAN BE BACKED UP AND RESTORED BY A USER WHO HAS ENABLED USB DEBUGGING. THEREFORE APPLICATIONS THAT HANDLE AND STORE SENSITIVE INFORMATION SUCH AS CARD DETAILS, PASSWORDS ETC. <APPLICATION ANDROID:ALLOWBACKUP="FALSE" </APPLICATION>
  • 20. EXTERNAL STORAGE • APPLICATIONS THAT HAVE THE PERMISSION TO COPY DATA TO EXTERNAL STORAGE SHOULD BE REVIEWED TO ENSURE THAT NO SENSITIVE INFORMATION IS STORED. • <USES-PERMISSION ANDROID:NAME="ANDROID.PERMISSION.WRITE_EXTERNAL_STORAGE"/>
  • 21. ANDROID:PROTECTIONLEVEL • THE ANDROID:PROTECTIONLEVEL ATTRIBUTE DEFINES THE PROCEDURE THAT THE SYSTEM SHOULD FOLLOW BEFORE GRANTS THE PERMISSION TO THE APPLICATION THAT HAS REQUESTED IT. THERE ARE FOUR VALUES THAT CAN BE USED WITH THIS ATTRIBUTE: • NORMAL – DANGEROUS – SIGNATURE – SIGNATURE OR SYSTEM • ALL THE PERMISSIONS THAT THE APPLICATION REQUESTS SHOULD BE REVIEWED TO ENSURE THAT THEY DON’T INTRODUCE A SECURITY RISK. <PERMISSION> ANDROID:PROTECTIONLEVEL="SIGNATURE" </PERMISSION>
  • 22. INTENTS • INTENTS CAN BE USED TO LAUNCH AN ACTIVITY, TO SEND IT TO ANY INTERESTED BROADCAST RECEIVER COMPONENTS, AND TO COMMUNICATE WITH A BACKGROUND SERVICE. INTENTS MESSAGES SHOULD BE REVIEWED TO ENSURE THAT THEY DOESN’T CONTAIN ANY SENSITIVE INFORMATION THAT COULD BE INTERCEPTED. <INTENT-FILTER> <ACTION ANDROID:NAME="STRING" /> <CATEGORY ANDROID:NAME="STRING" /> </INTENT-FILTER>
  • 23. CLASSES DEX • THE CLASSES.DEX FILE CONTAINS ALL THE JAVA CLASSES OF THE APPLICATION AND IT CAN BE DISASSEMBLED WITH BAKSMALI TOOL TO RETRIEVE THE JAVA SOURCE CODE.
  • 24. CONVERT CLASSES.DEX FILES TO JAR • TO DECOMPILE CLASSES.DEX FILE > D2J-DEX2JAR CLASSES.DEX
  • 25. TO READ JAR FILE – USE JDGUI • IN JDGUI, FILE-> OPEN THE FILE/DIRECTORY WHERE JAR FILE IS PRESENTED
  • 26. ANDROID WEBVIEW VULNERABILITIES • WEBVIEWS ARE USED IN ANDROID APPLICATIONS TO LOAD CONTENT AND HTML PAGES WITHIN THE APPLICATION. DUE TO THIS FUNCTIONALITY THE IMPLEMENTATION OF WEBVIEW IT MUST BE SECURE IN ORDER NOT TO INTRODUCE THE APPLICATION TO GREAT RISK.
  • 27. LOADING CLEAR-TEXT CONTENT • IF WEBVIEW IS ALLOWING TO LOAD CLEAR-TEXT CONTENT FROM THE INTERNET THEN IT WOULD BE OPEN TO VARIOUS FORMS OF ATTACK SUCH AS MITM. • MYWEBVIEW.LOADURL("HTTP://WWW.DROIDSEC.ORG/TESTS/ADDJSIF/");
  • 28. SSL ERROR HANDLING • THE CODE BELOW INSTRUCTS THE WEBVIEW CLIENT TO PROCEED WHEN AN SSL ERROR OCCUR. THIS MEANS THAT THE APPLICATION IS VULNERABLE TO MITM ATTACKS AS IT COULD ALLOW AN ATTACKER TO READ OR MODIFY CONTENT THAT IS DISPLAYED TO THE USER SINCE ANY CERTIFICATE WOULD BE ACCEPTED BY THE APPLICATION. @OVERRIDE PUBLIC VOID ONRECEIVEDSSLERROR(WEBVIEW VIEW, SSLERRORHANDLER HANDLER, SSLERROR ERROR) { HANDLER.PROCEED(); }
  • 29. JAVASCRIPT ENABLED • ALLOWING JAVASCRIPT CONTENT TO BE EXECUTED WITHIN THE APPLICATION VIA WEBVIEW MIGHT GIVE THE OPPORTUNITY TO AN ATTACKER TO EXECUTE ARBITRARY JAVASCRIPT CODE IN ORDER TO PERFORM MALICIOUS ACTIONS. THIS SETTING ALLOW WEBVIEW TO EXECUTE JAVASCRIPT CODE. WEBSETTINGS WEBSETTINGS = MYWEBVIEW.GETSETTINGS(); WEBSETTINGS.SETJAVASCRIPTENABLED(TRUE);
  • 30. ACCESSING LOCAL RESOURCES • IF THE WEBVIEW IS ALLOWING TO ACCESS CONTENT FROM OTHER APPLICATIONS THAT EXIST ON THE SAME DEVICE THEN IT COULD BE POSSIBLE FOR AN ATTACKER TO CREATE A MALICIOUS HTML FILE THAT COULD BE INJECTED INSIDE THE TARGET APPLICATION THROUGH THE USE FILE:SCHEME. IN ORDER FOR THIS MALICIOUS FILE TO BE LOADED NEEDS TO HAVE WORLD READABLE PERMISSIONS.
  • 31. ANDROID CODING BEST PRACTICES • FOLLOW -> HTTPS://DEVELOPER.ANDROID.COM/GUIDE/PRACTICES/COMPATIBILITY • TOP 10 MOBILE RISKS OWASP 2016 – HTTPS://WWW.OWASP.ORG/INDEX.PHP/MOBILE_TOP_10_2016-TOP_10 • HTTPS://WIKI.SEI.CMU.EDU/CONFLUENCE/DISPLAY/ANDROID/DRD02- J.+DO+NOT+ALLOW+WEBVIEW+TO+ACCESS+SENSITIVE+LOCAL+RESOURCE+THROU GH+FILE+SCHEME • HTTPS://LABS.MWRINFOSECURITY.COM/BLOG/WEBVIEW- ADDJAVASCRIPTINTERFACE-REMOTE-CODE-EXECUTION/ • HTTPS://WWW.RAPID7.COM/DB/MODULES/EXPLOIT/ANDROID/BROWSER/WEBVIEW_AD DJAVASCRIPTINTERFACE
  • 32. DYNAMIC ANALYSIS WIDELY USED TOOLS •BURPSUITE •DROZER
  • 33. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE • TO CONFIGURE THE PROXY GO TO SETTINGS. A SCREEN SOMETHING LIKE THE BELOW ONE WILL COME UP. SELECT “MORE”.
  • 34. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE INTERCEPTION CAN BE DONE BY USING WIFI NETWORKS AS WELL AS MOBILE NETWORKS. HERE IM SHOWING MOBILE NETWORK IN THE NEXT MENU, SELECT “MOBILE NETWORKS”.
  • 35. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE SELECT ACCESS POINT NAMES OPTION AS SHOWN IN THE IMAGE.
  • 36. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE • NO, THERE MUST BE A MOBILE NETWORK ALREADY CONFIGURED, AND THE NAME OF THE NETWORK WILL BE “TELKILA”, AS SHOWN IN THE IMAGE BELOW. CHOOSE THIS NETWORK.
  • 37. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE • PUT THE IP ADDRESS OF YOUR INTERFACE WHERE YOU WILL BE LISTENING THE TRAFFIC, I.E. WHERE YOU WILL RUN BURP. DOWN TO THAT, PUT THE PORT NUMBER ON WHICH YOU WANT TO LISTEN. BY DEFAULT IT’S 8080 IN BURP, BUT FEEL FREE TO CHANGE IT, JUST MAKE SURE YOU HAVE SAME PORT NUMBER CONFIGURED AT BOTH END POINTS.
  • 38. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE • NOW IN BURPSUITE, GO TO THE “PROXY” TAB, SELECT THE “OPTIONS” TAB. SELECT THE DEFAULT CONFIGURED INTERFACE, AND CLICK ON “EDIT”.
  • 39. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE PROXY > INTERCEPT > “INTERCEPT IS ON”
  • 40. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE “INTERCEPT RESPONSE BASED ON THE FOLLOWING RULES”
  • 41. SSL PINNING BYPASS • REQUIRED TOOLS FOR SSL PINNING BYPASS • ROOTED MOBILE • SSLUNPINNING APK • XPOSED FRAMEWORK & XPOSED INSTALLER APK FOR SPECIFIC MOBILE (DEPENDS ON SDK)
  • 42. DROZER – GAME CHANGER TOOL FOR ANDROID APP PT • CONNECTING DROZER TO THE MOBILE DEVICE • CONNECT YOUR MOBILE DEVICE TO YOUR COMPUTER USING A USB CABLE; • OPEN DROZER AGENT APPLICATION ON YOUR MOBILE DEVICE AND CLICK THE ON BUTTON FROM THE BOTTOM-RIGHT;
  • 43. DROZER – CONT. • USE ADB.EXE TO OPEN A TCP SOCKET BETWEEN YOUR COMPUTER AND THE SERVER EMBEDDED IN DROZER AGENT: • ADB.EXE FORWARD TCP:31415 TCP:31415 • GO TO THE FOLDER WHERE YOU INSTALLED DROZER AND CONNECT TO THE MOBILE DEVICE: • DROZER CONSOLE CONNECT
  • 44. STARTING AN ACTIVITY FROM ANOTHER PACKAGE • OK, NOW WE HAVE AN INTERACTIVE DROZER CONSOLE. WHAT CAN WE DO? LET’S START AN ACTIVITY, COMMAND BY COMMAND: • LIST, WILL DISPLAY A LIST OF COMMANDS AVAILABLE IN DROZER
  • 45. FIND A LIST OF PACKAGES • RUN APP.PACKAGE.LIST -F FIREFOX TO FIND A LIST OF PACKAGES THAT CONTAIN THE STRING “FIREFOX”; WE FOUND ORG.MOZILLA.FIREFOX.
  • 46. IDENTIFY THE ATTACK SURFACE FOR OUR APPLICATION • RUN APP.PACKAGE.ATTACKSURFACE ORG.MOZILLA.FIREFOX TO IDENTIFY THE ATTACK SURFACE FOR OUR APPLICATION; WE FOUND 113 EXPORTED ACTIVITIES, 12 EXPORTED BROADCAST RECEIVERS, 8 EXPORTED CONTENT PROVIDERS AND 1 EXPORTED SERVICE; THIS IS A GOOD EXAMPLE OF A BIG ATTACK SURFACE.
  • 47. MORE INFORMATION ABOUT A SPECIFIC PACKAGE
  • 48. INSPECT THE MANIFEST FILE OF A SPECIFIC APPLICATION
  • 49. LIST THE EXPORTED ACTIVITIES • RUN APP.ACTIVITY.INFO -A ORG.MOZILLA.FIREFOX TO LIST THE EXPORTED ACTIVITIES; WE CAN SEE THAT THERE IS AN EXPORTED ACTIVITY NAMED ORG.MOZILLA.FIR EFOX.APP THAT DOES NOT REQUIRE ANY PERMISSION TO BE STARTED.
  • 50. LIST OF VULNERABLE ANDROID APPLICATIONS • DAMN VULNERABLE HYBRID MOBILE APPLICATION • ANDROID DIGITAL BANK • DAMN INSECURE AND VULNERABLE APPLICATION • HACKME BANK • INSECURE BANK • DAMN VULNERABLE ANDROID APPLICATION • OWASP GOATDROID • DODO VULNERABLE BANK
  • 52. REFERENCES: • HTTPS://RESOURCES.INFOSECINSTITUTE.COM/ANDROID-APPLICATION-SECURITY-TESTING-GUIDE-PART-1/ • HTTPS://RESOURCES.INFOSECINSTITUTE.COM/ANDROID-APP-SEC-TEST-GUIDE-PART-2/ • HTTPS://KING-SABRI.NET/ANDROID-HACKING-DROZER-SECURITY-ASSESSMENT-FRAMEWORK/ • HTTPS://SECURITYGRIND.COM/USING-THE-DROZER-FRAMEWORK-FOR-ANDROID-PENTESTING/ • HTTPS://PENTESTLAB.BLOG/CATEGORY/MOBILE-PENTESTING/ • HTTPS://GITHUB.COM/TANPRATHAN/MOBILEAPP-PENTEST-CHEATSHEET • HTTPS://PENTESTLAB.BLOG/2016/11/07/LIST-OF-VULNERABLE-ANDROID-APPLICATIONS/