Mobile Application Pentesting-Part 1

Piyush Patil
May 17, 2019 · 5 min read

The 1.1.1 Release of the Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security testing and reverse engineering for iOS and Android mobile security testers.

I will cover the most common attacks found in mobile applications:

-Android architecture and filesystem
-Reverse engineering Android applications (Apktool, Dex2jar, Jadx)
-Signing applications (Keytool, Jarsigner)
-ADB (Android Debug Bridge)
-Insecure logging (Logcat)
-Hardcoding issues
-Shared object files/libraries vulnerabilities
-Insecure data storage (Preferences, SQL, Permissions)
-Input validation issues (SQL, XSS, Directory Traversal, WebView, Buffer Overflow)
-Access control issues (Intent filter vulnerability)
-Drozer (activity enumeration, exploiting Android broadcast receivers, content provider enumeration, service enumeration)
-Andbug and JDB (Java Debugger)
-Android backup vulnerability
-Bypassing certificate pinning


Android Architecture

https://developer.android.com/topic/libraries/architecture

The architecture is layered: each lower layer supports the layer above it.

Android runs on a two-tier security model, combining a Linux-based model with an Android-based one.

The Linux model provides process isolation: each application runs under its own UID and GID.

The Android model provides permissions, for example access to the SD card or making calls.

Android permissions are declared in the application's AndroidManifest.xml file, which is created and specified by the developer. The manifest also contains information such as the minimum Android version required to run the application and the permissions it requests, such as READ_EXTERNAL_STORAGE.


Android application components

*Activities

*Services

*Broadcast Receivers

*Shared Preferences

*Intents

*Content Providers

Activities

-Visual screens of Android application

-Contains different layouts

-Anything you could interact with

Services

Another important component of an Android application is the service. It does not provide a user interface; it performs long-running operations in the background. A service does not terminate even if the component which started it is terminated or the user switches to another application. A service can be bound to a component and can even perform interprocess communication (IPC). For example, receiving e-mail updates in your inbox is done by a service: you get the notification of new e-mail even if you are not using the e-mail app or are doing something else.

Intents

-In order for activities and services to communicate with each other, we need intents

-Used to bind different Android components

-Used to perform different kinds of actions

-Changing activities, invoking activities in another application, starting an action, etc.

-Intent Filters

Activity Manager

-Interact with activity

-Could be used to launch applications and pass data while launching

-Could be used to launch specific activities within the application

Content Providers

-Storing and sharing application data

-Acts as a middle layer

-SQLite, XML, Plaintext

Shared preferences

-A way of storing data in an Android application

-XML file with name-value pairs

-Located in the shared_prefs folder inside the app directory

Broadcast Receivers

-Receives broadcast from various events

-Used by a lot of malware: a receiver can listen for received SMS messages and trigger some action


Practical Approach: Learning While Exploiting

We will test all vulnerabilities in the Android application by using vulnerable applications like Diva and InsecureBank.

Let’s start…

Diva

Download the application from the following link:

https://github.com/payatu/diva-android

To install this application on mobile, we can use ADB.

Android debug bridge(ADB)

This tool allows you to perform many development tasks, including:

  • Deploying apps to a device.
  • Debugging apps.
  • Viewing device and app logs.
  • Profiling apps.

adb devices => to see all connected devices

Connecting to android phone

adb connect ip

Or

adb -s ip shell

Uploading and Downloading Files

adb push yo.txt /mnt/sdcard/yoyo.txt

adb pull /mnt/sdcard/yoyo.txt yo.txt

Taking backup of any application

adb backup package_name -f store.ab

Process ID of app

adb shell ps | grep -i appname

Log of what your device is doing at the current moment (device-based log + application-based log)

adb logcat

adb logcat | grep -i process_id

Starting and Stopping the ADB server

adb start-server

adb kill-server

Installing and Uninstalling Application

adb install appname.apk

adb uninstall package_name


Once the application is installed in mobile, we can reverse engineer it to see its components and code.

Reverse Engineering Android application

Dex2jar => Convert APK file into JAR

Installation

https://sourceforge.net/projects/dex2jar/

unzip dex2jar-<version>.zip

cd dex2jar

chmod +x *

sh d2j-dex2jar.sh diva-beta.apk

JD-GUI => To open jar file

http://java-decompiler.github.io/

java -jar jd-gui-1.4.3.jar


Another way is to use APKTOOL

APKTOOL

A tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications. It also makes working with an app easier because of the project like file structure and automation of some repetitive tasks like building apk, etc.

https://ibotpeaches.github.io/Apktool/install/

apktool d appname.apk -o folder

d => decompile


Another way is to use JADX

JADX

https://github.com/skylot/jadx/releases

unzip jadx-<version>.zip

cd jadx/bin

./jadx application.apk -d outputfolder

There will be many warnings and errors, but don’t worry; they don’t matter for our purpose.

cd diva

So you may be confused about which tool to use to reverse engineer an application.

Actually, it depends, but this is what I usually suggest:

Dex2jar => To see the code of an app in a GUI

Apktool => To read AndroidManifest.xml

Jadx => To read activities, classes and methods


INSECURE LOGGING

It means the application is writing sensitive information to its log.

Finding Process ID of Application

adb shell ps | grep -i appname

Now that we have entered a credit card number in the app, let’s check whether it shows up in the log.

adb shell logcat | grep -i 19586
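As an added example (not part of the original post), the same PID lookup and logcat filter replayed offline on constructed samples, extended with a Luhn check so that only plausible card numbers logged by the app's own process are flagged; the package name com.example.diva, the ps output and the log lines are all assumptions.

```shell
#!/bin/sh
# Added example (not code from the original post): offline replay of the
# "find the app's PID, then grep logcat" workflow, with a Luhn check so that
# only plausible card numbers logged by the app's own process are flagged.
# Both samples are constructed; com.example.diva is a placeholder package.

PS_SAMPLE='USER     PID   PPID  VSIZE  RSS   WCHAN    PC         NAME
root     1     0     8900   700   ffffffff 00000000 S /init
u0_a61   19586 213   912345 54321 ffffffff 00000000 S com.example.diva
u0_a62   19600 213   812345 44321 ffffffff 00000000 S com.example.other'

LOGCAT_SAMPLE='05-17 10:01:02.100 19586 19586 D diva-log: User has entered the credit card number: 4111111111111111
05-17 10:01:02.200 19600 19600 I other: page id 1234567890123456
05-17 10:01:02.300 19586 19586 D diva-log: button clicked 1234
05-17 10:01:02.400 19586 19586 D diva-log: order id 1234567890123'

# PID of a package from classic `adb shell ps` output on stdin (NAME is the last column).
pid_of_package() {
    awk -v pkg="$1" '$NF == pkg { print $2; exit }'
}

# Luhn checksum: succeeds (exit 0) only for a digit string with a valid check digit.
luhn_ok() {
    n="$1"; sum=0; dbl=0; i=${#n}
    while [ "$i" -gt 0 ]; do
        d=$(printf '%s' "$n" | cut -c "$i")
        if [ "$dbl" -eq 1 ]; then
            d=$((d * 2))
            [ "$d" -gt 9 ] && d=$((d - 9))
        fi
        sum=$((sum + d)); dbl=$((1 - dbl)); i=$((i - 1))
    done
    [ $((sum % 10)) -eq 0 ]
}

# Keep logcat (threadtime format) lines whose PID column matches the given PID,
# then print those containing a 13-19 digit run that passes the Luhn check.
flag_card_numbers() {
    awk -v pid="$1" '$3 == pid' | while IFS= read -r line; do
        for tok in $(printf '%s\n' "$line" | grep -oE '[0-9]{13,19}'); do
            if luhn_ok "$tok"; then printf '%s\n' "$line"; break; fi
        done
    done
}

# On a real device: adb shell ps | pid_of_package <package>, then
# adb logcat -v threadtime | flag_card_numbers "$pid".
pid=$(printf '%s\n' "$PS_SAMPLE" | pid_of_package com.example.diva)
printf '%s\n' "$LOGCAT_SAMPLE" | flag_card_numbers "$pid"
```

Only the line from PID 19586 carrying a Luhn-valid number is reported; the 16-digit value logged by the other process and the app's own 13-digit order id are ignored.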
