Android pentest lab in a nutshell

INMUNE7
6 min readMay 19, 2019

Introduction

In this article, I am going to talking about how to configure a penetration testing lab for Android applications in simple steps.

What do we need?

  1. VirtualBox
  2. Santoku ISO (mobile pentest distro)
  3. Genymotion (android emulator)
  4. JADX (Java decompiler)
  5. IDA Pro
  6. Frida

Step 1- Install Santoku

I will assume that the reader already knows how to install VirtualBox so I will begin with the installation of Santoku distro.

Santoku is a version of Linux especially designed for mobile penetration testing. You can download the ISO image here: link

After you configure the settings of the virtual machine (disk, memory, CPU) you will see this screen, select the option “install -start the installer directly” like in Figure 1.

Figure 1. Boot options of Santoku

Configure all settings (disk layout, location, language, etc ) of the virtual machine and press “Install now”, this will launch the installation process.

After this process finishes and reboot the system the santoku distro is fully available. Now let's begin with the installation of the emulator.

Figure 2. Santoku desktop

Step 2 -Install Genymotion

There are different android emulators available but in my opinion, Genymotion is the best because it is simple to set up and it offers an excellent UX(User Experience). You can get a free version (30 days) of Genymotion here: link

Complete the registration process in order to obtain a free version.

Figure 3. Genymotion registration form

After you receive the activation link and download the installer you can start the installation process. You need to install the software and log in with the credentials provided in the web portal, then you will see the main dashboard of Genymotion like show the Figure 4.

Figure 4. Genymotion dashboard

You can select a version of SDK with the corresponding devices. For this example, I will select the 23 with the S7 Galaxy device. You have to right-click the selected device and press “Install”, this will initiate the downloading process like show the Figure 5.

Figure 5. Download Samsung Galaxy S7

After finishing the download process you can start the virtual devices, Genymotion uses Virtualbox to support the emulation process, so each device appears like a Virtual Machine. One important step is the installation of “Open GApps”, this software will provide the tools for Google Apps Package. In the right corner, you can see the Open GAPPS button, click it and this will initiate the installation of Open GApps. After the installation finishes, a restart is required.

Figure 6. Open GApps installation.

Step 3 -Install JADX

This is one of my favorite tools, JADX allows you to decompile .dex file, you can work with the entire APK and also read the AndroidManifest.xml. There are other tools out of there that individually do the same things JD-GUI, APKtool, j2-dex2jar, but with JADX you will do these things with one tool. Of course, do not rely on one tool for penetration testing but when the time goes this is a useful way to do the things faster and for those cases when your pen test are based on real time. You can obtain jadx here: link

The installation steps are very easy just do the following in a terminal

git clone https://github.com/skylot/jadx.git
cd jadx
./gradlew dist

You need Java 8 in order to build JADX.

Figure 7. JADX build process

This will create the folder structure showing in the Figure 8.

Figure 8. Folder structure

Execute the ./jadx-gui and select the APK file. You are ready to go with JADX and view the source code of the application.

Figure 9. JADX-GUI

Step 4 -Install IDA

Hmmm! I know the things here became a little strange, WTH we need IDA for the mobile pen test?

Well, some times in this beautiful place where we live there are applications which use native code. .. so maybe come to your mind this question ..Why an android application uses native code? Well, Why not ?.. Java offers JNI to call native code, but this arise a new vector for attackers because the same vulnerabilities which affect native code also affect this kind of apps.

So, this is why we need IDA (Ghidra, x64dbg, Immunity Debugger) we need a tool with the ability to disassemble machine code and “convert” to a human-readable representation.

You can download IDA from this page: link

Get a free version or pay the PRO version, with the Free version is enough if you already know assembly language. The PRO has hex-rays plugin which allows you to view the code in C format, and of course make your work easy.

Unzip the ./ida64 file in your favorite location and execute it.

Figure 10. IDA launcher

Select the .so file or APK file with the PRO version and after that will appear a screen like show the Figure 11.

Figure 11. IDA main view

It is out of scope to show you how IDA works, but in the future, I will show you how we can use IDA for analyzing native libraries or APK file of Android Applications.

Step 5-Install Frida

Frida is a dynamic code instrumentation toolkit. What does it mean ? Well, It lets you use Javascript/Python to hook native or Java calls in Android Applications. So, in which case I like to use Frida? Well for example in case when you need hook to a specific process to change the behavior of a predefined function (validation, login, etc)

You can obtain Frida here: link

To install Frida you need:

  1. Install Frida Tools with pip -> pip install frida-tools (in host machine, in my case Ubuntu)
  2. Get frida-server from: link
  3. Install frida-server using the following commands:
adb devices# push/copy the latest frida server to phoneadb push frida-server-10.4.0-android-arm /data/local/tmp/frida# set permissions for frida, grant SU permissions if promptedadb shell su -c “chmod 755 /data/local/tmp/frida”# start frida server on android deviceadb shell su -c “./data/local/tmp/frida &”

4. Test Frida using a python terminal.

Python 2.7.15rc1 (default, Nov 12 2018, 14:31:15) 
[GCC 7.3.0] on linux2
Type “help”, “copyright”, “credits” or “license” for more information.
>>> import frida # import frida tools
>>> frida.get_usb_device() # enum avaiable devices
Device(id=”192.168.56.101:5555", name=”Genymotion Samsung Galaxy S7", type=’usb’)
>>>

Well bro that’s all … of course there are a lot of ways to set up an Android lab but I think this is a good way to start. In future articles, I am going talking about the different ways in which we can do pen test of Android applications.

Thank you.

--

--

INMUNE7

INMUNE7 is a group of freelance hackers which offers classic black-box penetration test and white-box tests and source code audit on Web application and mobile.