Diving Deep: A Comprehensive Guide to Android Penetration Testing — Part 4

Securing Mobile Applications: Navigating Insecure Data Storage, Code Manipulation, and Automated Scans

Hacker's Dump
6 min read · Nov 24, 2023

Part 4 of our series, ‘Guarding Your Data: Android’s Insecure Data Storage,’ continues directly from the beginner’s guide to decoding Android apps in Part 3. In this chapter we will learn about insecure data storage, code manipulation and automated scans. Our focus now sharpens on data storage vulnerabilities in the Android landscape: we walk through insecure data storage practices and provide insights and strategies to fortify your data against potential breaches. Let the journey into securing Android data continue!

Guarding Your Data: Android’s Insecure Data Storage

Android provides a number of methods for data storage depending on the needs of the user, developer, and application.
The following persistent storage techniques are widely used on the Android platform:

  • SQLite Databases: SQLite is an SQL database engine that stores data in .db files. The data is stored unencrypted.
    In the sample application, data has been saved in an SQLite database.

Now dump the SQLite data from storage:
Connect the device to the desktop with adb.

Locate the application's directory (/data/data/<package name>).

Check inside the databases directory. We can see that an aGoat file is available, but the cat command does not show readable data because the file is binary.

So we pull the file to the desktop using the adb pull command.

Open the aGoat file in SQLite Browser.
We can see the username and password in plain text.

• Shared Preferences: The SharedPreferences API is commonly used to permanently save small collections of key-value pairs. Data stored in a SharedPreferences object is written to a plain-text XML file. The SharedPreferences object can be declared world-readable (accessible to all apps) or private.
We saved some data in SharedPreferences.

Locate the shared_prefs directory with adb and check the users.xml file; we can see the credentials.
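A quick way to check what was just pulled for both the database and the SharedPreferences file, as an added example that is not part of the original post: this Python script opens a pulled SQLite database and a SharedPreferences XML and lists every entry whose column or key name suggests a secret. The aGoat table layout, the users.xml contents and the values are constructed samples, not the real application's data.

```python
"""Flag plaintext credentials in files pulled from /data/data/<package>/ (added
example, not the post's code; assumes an aGoat-style SQLite db and users.xml)."""
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Column / preference names that usually hold secrets when stored unencrypted.
SENSITIVE = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key", re.I)

def scan_sqlite(db_path):
    """Return (table, column, value) for each row of a sensitive-looking column."""
    findings = []
    con = sqlite3.connect(db_path)
    names = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in names:
        cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
        for col in (c for c in cols if SENSITIVE.search(c)):
            for (val,) in con.execute(f'SELECT "{col}" FROM "{table}"'):
                findings.append((table, col, val))
    con.close()
    return findings

def scan_shared_prefs(xml_path):
    """Return (key, value) for sensitive-looking entries in a SharedPreferences XML."""
    root = ET.parse(xml_path).getroot()  # <map><string name="k">v</string>...</map>
    return [(el.get("name"), el.text) for el in root
            if el.get("name") and SENSITIVE.search(el.get("name"))]

def build_samples(tmpdir):
    """Write constructed stand-ins for the pulled aGoat database and users.xml."""
    db = f"{tmpdir}/aGoat"
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice', 'Winter2023!')")
    con.commit()
    con.close()
    prefs = f"{tmpdir}/users.xml"
    with open(prefs, "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                '  <string name="username">alice</string>\n'
                '  <string name="password">Winter2023!</string>\n</map>\n')
    return db, prefs

def demo():
    """Run both scanners on the constructed samples; returns (db_hits, prefs_hits)."""
    with tempfile.TemporaryDirectory() as d:
        db, prefs = build_samples(d)
        return scan_sqlite(db), scan_shared_prefs(prefs)
```

Point scan_sqlite and scan_shared_prefs at the real pulled files to repeat the check on an actual app; demo() only exercises the constructed samples.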

• Logs: Logs are used for keeping track of crashes, errors, and usage statistics. However, logging sensitive data may expose the data to attackers or malicious applications, and it might also violate user confidentiality.
Applications will often use the Log class and Logger class to create logs.
Use the command adb logcat to read them.
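An added example (not from the original post) of checking logcat output for leaked secrets: it parses the default threadtime line format, optionally restricts the search to one PID as adb logcat --pid=<pid> does, and flags messages that carry a password, token or Authorization header. The log lines are constructed, not captured from a device.

```python
"""Spot secrets in `adb logcat` output (added example, not from the post).
Assumes logcat's default threadtime format:
  MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG     : message
The sample lines below are constructed, not captured from a real device."""
import re

LOGCAT_LINE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)"
    r"\s+(?P<level>[VDIWEF])\s+(?P<tag>\S+?)\s*:\s(?P<msg>.*)$")

# Message fragments that show a credential or token was written to the log.
SECRET_HINT = re.compile(
    r"(password|passwd|pwd|token|secret|api[_-]?key|authorization)\s*[:=]", re.I)

SAMPLE_LOGCAT = """\
11-24 10:15:01.123  4321  4321 D LoginActivity: onCreate
11-24 10:15:07.456  4321  4352 I LoginActivity: username=alice password=Winter2023!
11-24 10:15:07.470  4321  4352 D OkHttp  : --> POST https://api.example.test/login
11-24 10:15:08.010  4321  4352 D OkHttp  : Authorization: Bearer PLACEHOLDER_TOKEN
11-24 10:15:09.000  1001  1001 I ActivityManager: Displayed com.example.app/.Main
"""

def parse_logcat(text):
    """Yield a dict of fields for every line in threadtime format."""
    for line in text.splitlines():
        m = LOGCAT_LINE.match(line)
        if m:
            yield m.groupdict()

def find_leaks(text, pid=None):
    """Return (tag, message) for lines that look like they contain a secret;
    pid restricts the search to one process, like `adb logcat --pid=<pid>`."""
    return [(e["tag"], e["msg"]) for e in parse_logcat(text)
            if (pid is None or e["pid"] == str(pid)) and SECRET_HINT.search(e["msg"])]

if __name__ == "__main__":
    for tag, msg in find_leaks(SAMPLE_LOGCAT, pid=4321):
        print(f"[{tag}] {msg}")
```

Feed it the output of adb logcat -v threadtime -d to run the same check against a real capture.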

We’ll now explore the process of modifying code using APKTool.

Code Tampering : Reverse engineering and code tampering were once primarily the domain of crackers and malware analysts. However, the landscape is evolving, and security testers now often require these skills for mobile app assessments. Reverse engineering involves dissecting compiled apps to understand their source code, while tampering entails modifying an app’s behavior, even in the face of defense mechanisms. For example, it can be used to adapt apps that refuse to run on rooted devices for testing purposes.
If you don’t have the APKTool GUI, check Part 2 and download it.
1. Open the APKTool GUI.
Browse to the APK that you want to decompile and click the Decompile button.

2. When decompilation is complete, check the output folder.

3. We can now edit the code according to our requirements. After tampering with the code, browse to the folder containing the tampered code and click the Compile button.
4. The tool will automatically compile and sign the APK.
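To see exactly what a rebuild changed, here is an added example (not the post's or APKTool's code): it treats both APKs as zip files, hashes every entry and reports what was modified, added or removed, including the META-INF signature files that the signing step replaces. Both APKs are built in memory from placeholder contents, so the "dex" entries are labels, not real bytecode.

```python
"""Diff an original APK against its apktool-rebuilt copy (added example, not from
the post). An APK is a zip; the entries whose digests changed show what was
tampered with, and a swapped META-INF/*.RSA (v1 signature) shows a different key."""
import hashlib
import io
import zipfile

def entry_digests(apk_bytes):
    """Map every zip entry name to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {n: hashlib.sha256(z.read(n)).hexdigest() for n in z.namelist()}

def diff_apks(original, rebuilt):
    """Return entries that the rebuild modified, added or removed."""
    a, b = entry_digests(original), entry_digests(rebuilt)
    return {"modified": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
            "added": sorted(b.keys() - a.keys()),
            "removed": sorted(a.keys() - b.keys())}

def resigned(original, rebuilt):
    """True when any signature file under META-INF/ changed, appeared or vanished."""
    d = diff_apks(original, rebuilt)
    return any(n.startswith("META-INF/")
               for n in d["modified"] + d["added"] + d["removed"])

def make_apk(entries):
    """Build an in-memory zip from {name: bytes}; a constructed stand-in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Placeholder contents only; real APKs carry compiled dex code and a full signature.
ORIGINAL = make_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
    "classes.dex": b"dex\n035\x00ROOT-CHECK-ON",
    "META-INF/CERT.RSA": b"publisher-cert-placeholder"})
REBUILT = make_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
    "classes.dex": b"dex\n035\x00ROOT-CHECK-OFF",  # the edited class, rebuilt
    "META-INF/TESTKEY.RSA": b"apktool-test-key-placeholder"})

if __name__ == "__main__":
    print(diff_apks(ORIGINAL, REBUILT))
    print("re-signed:", resigned(ORIGINAL, REBUILT))
```

Newer v2/v3 signatures live in the APK signing block rather than in META-INF entries, so confirm the signer with apksigner verify --print-certs as well.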

Android Guardian: Your Automated Security Companion for App Scanning

  1. MobSF

MobSF, or Mobile Security Framework, is an open-source framework designed to assist mobile application security testers and developers in identifying and addressing security issues in Android and iOS mobile applications. It offers a wide range of features and tools for dynamic and static analysis, allowing users to assess various security aspects of mobile apps, such as network communication, code vulnerabilities, and data storage.

Key features of MobSF include the ability to scan apps for known security vulnerabilities, analyze network traffic, and even conduct reverse engineering. It’s a valuable resource for both security professionals and developers to enhance the security of mobile applications. MobSF can be used as a command-line tool or through a web-based interface.

Download and set up MobSF: https://allabouttesting.org/quick-tutorial-mobsf-installation-on-linux-windows/

Or you can use the online instance:

https://mobsf.live/

After setting up MobSF, upload the APK file in the Upload field.

We can then analyze the application and download the report.

2. AndroBugs Framework
AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications. It has no splendid GUI, but it is the most efficient (less than 2 minutes per scan on average) and more accurate.

For more information and documentation, see the reference below:
https://github.com/AndroBugs/AndroBugs_Framework
Use the command below to specify the APK file.

Report created by AndroBugs.

3. APKLeaks
To download APKLeaks, refer to the official page:
https://github.com/dwisiswant0/apkleaks

Concluding Part 4, we’ve explored the complexities of securing mobile applications, navigating through insecure data storage, code manipulation, and automated scans. Brace yourself for the next chapter in our cybersecurity voyage as we smoothly transition into Part 5. Stay tuned to uncover more layers of mobile application security, expecting fresh insights and challenges in the upcoming segment. The journey persists! 🚀

Feel free to connect with me on LinkedIn for more discussions and insights related to Android Penetration Testing.
You can find me on LinkedIn at @Omkar Gaikwad
