Android Pen-testing/Hunting 101

Noobie BoY
Jul 27 · 4 min read

Currently I’m Pen-testing on private projects so if you have any project to test kindly reach me on Twitter @hst_kishan

A huge Shout out to my brother Mustafa Khan and I would like to thank him for helping me in writing this write up thanks bro for your motivation.

So, I was given a private project by a Singapore based company to Pen-test. Today’s write-up will be a bit cooler than other web based write-ups because I’ll be writing on Android Pen-testing the best part for me is that I’ll be demonstrating these android flaws on a live environment which is really rare in this time you can find lots of write-ups, tutorials for android Pen-testing but most of them are on virtual environment not on a live program so the main point is I’ll be demonstrating on a live program.

For improving your android skills or to learn more about android pen-testing you can check the following resources.

Honorable mentions

1: Aditya Agrawal (https://manifestsecurity.com/android-application-security/?fbclid=IwAR05NAISuICZTcXa4iBLRWFHIUFSJYA5iziY_-h4LIXxkW8DBYcnnVVdArE)

2: Sergey Toshin — bagipro (https://hackerone.com/bagipro)

3: Thefluffy007 (https://sourceforge.net/projects/introandroidsecurity/)

Required Tools

1: Apktool

2: dex2jar

3: JD-GUI

4: Burp suite

5: Frida

So, let’s proceed First you need to Decompile the .apk file with the help of Apktool.

Commands for using apktool

So, using the same process I got a sensitive API key which I can’t disclose it but I can tell you that you can find lots of sensitive information inside of “AndroidManifest.xml”.

I have to install this application into my device so after that I had connected to my Wi-Fi and turned on the proxy interception.

And now we have to start capturing every request which is being made by the application. While logging into the application I faced a login via mobile number which sends OTP.

So, I entered a random number and forwarded the request and I again forwarded the request in repeater tab so I got the OTP in the response.

Then I checked ADB logcat and I found credentials.

Bug: Insecure Communication

Broken Access Control (IDOR)

Now I have logged in into my account when I navigated to my wallet section, I noticed that the application is vulnerable with Insecure communication vulnerability.

It’s time to get the help of great Intruder so I noticed the u_id parameter which is numeric and I tried for brute forcing and it worked I got lots of u_id which was disclosing user’s wallet details in the response.

List of Vulnerabilities

Static:

1. Reverse Engineering Leads to Source Code & Application Piracy

2. Insecure Application Certificate Signing

3. Application exported is set to true

4. Insecure Permission Requested

Dynamic:

1. SQL Injection

2. Cross-Site Scripting

3. OTP Brute Force & Strength

4. OTP Flooding

5. Lack of Authentication

6. Request Flooding

7. Insecure Deserialization

8. Insecure Data Storage

9. OTP Expiry.

10. Buffer Overflow.

11. Insecure Coding Practices.

12. Improper Error Handling.

13. Improper Schema Validation.

14. Password Complexity not maintained.

15. Password History not maintained.

16. Session Timeout Not Implemented.

17. Audit Trails Not Implemented.

18. Brute Force possible.

19. Server Banner Disclosure.

20. Application Works on Rooted Device.

If you have any question or need any help regarding android pen-testing please reach me without any hesitation.

#Happy_hunting #happy_hacking.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade