Open in app

Sign in

Write

Sign in

Android Penetration testing — The tools.

vkfrost_kenya
5 min readJun 7, 2023

--

This provides a summary of the tools I use to perform Android Pentest.

Setting up the Environment.

  • Physcial device
  • ADB tools
  • APKTOOL
  • Jadx-GUI
  • Mobsf
  • Burpsuite Community edition
  • Frida and Objection
  • Drozer

Toiled for a month trying to jailbreak my phone. Well I deleted my entire bootloader. Crashed the phone and gave up for a whole month. I asked someone for help and it was fixed/rooted in less than 24hrs

Let’s setup the tools.

  1. ADB

One of the resourceful tools required. Has a client-server model that creates a connection between the android device/emulator and host.

For more details; https://developer.android.com/tools/adb

Can be installed with sudo apt install adb.

Ensure ADB can connect to the phone’s shell and be root using su root command.

Common adb commands

adb devices — view connected devices.

adb shell — get shell connection to the android phone

adb logcat — view logs

adb push/pull — copy file from host to android / copy file from android to host

adb install/uninstall — install/uninstall apks on android device.

adb shell pm list packages — Lists all packages.

2. APKTOOL.

A tool used to decompile and compile apks. Comes into place when viewing contents of an apk, editing configurations and recompiling. The best way to install apktool is using the github steps; https://ibotpeaches.github.io/Apktool/install/ as compared to apt.

apktool d myapk.apk — Decompile apk

apktool b myapk — Recompile apk

3. Jadx-GUI

Works exactly as apktool to reverse engineer the code with a GUI view. Gives a better analysis of the files present on the apk for review.

sudo apt install jadx

4. Mobsf

Best known SAST tool for apk review. Download, install, upload apk and wait. The output reverse engineers the entire apk and displays the existing vulnerabilities. However, has several false positives and therefore need for dynamic testing.

Preferably install the docker version (Kali 2023 has python 3.11 mobsf uses upto 3.10 the troubleshooting is exhausting)

sudo docker pull opensecurity/mobile-security-framework-mobsf

sudo docker run -it — rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

Access via browser;

http://127.0.0.0:8000/

Upload the apk and mobsf will perform a scan.

5. Burpsuite Listener

For proper understanding of how burpsuite works check https://portswigger.net/

Setting up the listener. Add a new listener on the proxy tab. Go to network settings on your phone and add the new IP as a manual proxy. (Community edition means you’ll have to add the proxy listener every day)

https://portswigger.net/burp/documentation/desktop/external-browser-config/check-listener#

Don't forget to add the Portswigger CA to you trust certificates in Android — “Got the image online I was using a physical device”

Medium — Adam Sturge
Traffic intercepted.

Now this is not the end? Most applications have enabled SSL pinning that prevents traffic from being monitored and will not allow connection if a proxy is deteced. Will discuss more in Part II

6. Frida

A dynamic code instrumentation toolkit that let’s one inject snippets of JavaScript or your own library into native apps. (Picked straight from the official site, frida.re)

Alexander Fadeev’s blog

Setting up Frida

pip install frida-tools done on the host/kali linux.

Download frida server from https://github.com/frida/frida/releases that matches the previously installed frida version (frida — version) and the android device architecture (x86 or x64)

Push the frida server to the android device using adb push, change permissions to 755 and start the server.

#adb push frida-server /data/local/tmp/

#adb shell “chmod 755 /data/local/tmp/frida-server”

#adb shell “/data/local/tmp/frida-server &”

Common frida commands.

frida-ps -U — Lists running processes.

frida-ps -Uai — Lists all installed applications

frida -U -f package name -l disableroot.js — Add ing external scripts into the application

7. Objection;

Powered by Frida and comes in hand when using a non-rooted device.

To install pip install objection.

Important note; for objection to work the frida setup above has to be working. Will dig deeper into frida and objection in Part II

Successful objection + frida connection

8. Drozer

Has an agent and client communication process to perform security assessments and surface visualizations.

This article made it easy-peasy to install Drozer Client https://hackmd.io/@4n4l1st-ch4rl3s/H1fzfG12t

Install Drozer agent;

Download the agent from https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk

adb install drozer-agent.apk on the emulator/android device.

I will perform the pending process on the physical device. This involves;

  1. start the application and turn on the Embedded server which will be running on port 31415 and waiting for connection.

2. Port forward to enable connection between the agentServer and the Client adb forward tcp:31415 tcp:31415

3. Run drozer console connect on the host and check the Agent for established connection.

PS.

There are many tools listed above and most of the time picking 3 would be best depending on what works for you and the application tested.

Tools are one side of penetration testing. Some of the tools haven’t been extensively discussed, as some tweaking is required based on the security A full APK Pentest process on Part II will provide more details.

Apk
Android Pentesting
Cybsersecurity
Tutorial

--

--

vkfrost_kenya

Written by vkfrost_kenya

28 Followers

Every day learning, every day growing. Flexible and adaptable. Be nice be kind and be Happy. Live a life you will remember!!

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams