
Efficient way to pentest Android Chat Applications

Article on how to set up an environment to pentest the network calls of Android chat applications

Chandrapal Badshah
Mar 20, 2019 · 5 min read

Assumptions:

Before we continue with the article I assume that:

  • The app doesn’t have any SSL pinning or root detection. Even if it does, it is assumed that you have bypassed it successfully.
  • The app supports x86-based hardware, as Genymotion emulates an x86 Android device. If the app only supports ARM, please use an Android Virtual Device (AVD) instead of Genymotion. Please note that running apps on an AVD might be comparatively slow.
  • Two or more simultaneously running Android emulators are required for understanding and testing the functionality of the app (one per chat participant).
  • You were able to successfully set up Genymotion and BurpSuite Community Edition.
  • Last but not least, you have permission to test the Android app.

Set up the test environment:

Open Genymotion and download two device types. Alternatively, download one device and create a clone of it for the second participant.


BurpSuite tweaks:

Android apps are always built with analytics enabled. Even if the app itself does not send analytics, Android performs its own connectivity checks. If you intercept all traffic, you end up intercepting the uninteresting analytics and connectivity-check HTTP calls along with the ones you care about. Coming back to our example, let’s say we want to target requests made to any subdomain of facebook.com, i.e. *.facebook.com.

Adding the target to scope:

Go to Target → Scope. Enable advanced scope control, click the Add button, enter .*\.facebook\.com$ in the Host or IP range field and click OK. (If your target domain is targetdomain.com, the host regex would be .*\.targetdomain\.com$ .) Now you can set the BurpSuite HTTP history tab to show only traffic for the target domain.


Intercepting HTTP requests only for the target domains:

Even after you add the target domains to scope, network calls to other, non-target domains will still be intercepted by default while “Intercept” is on. To enable interception only on the target domains, go to Proxy → Options → Intercept Client Requests, click Add, enter the same regex we used earlier and click OK. In this example, the regex would be .*\.facebook\.com$ .
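Before trusting the scope and intercept rules from the two sections above, it helps to see exactly which hosts the regex .*\.facebook\.com$ does and does not match. The following added example (not part of the original article or of BurpSuite) applies that regex, plus a hypothetical stricter variant that also covers the apex domain, to a constructed list of hosts and proxy-history lines of the kind a chat app and the Android OS generate during a test. All sample hosts, URLs and the variant pattern are constructed for illustration. Because the article's pattern starts with .* and ends with $, it behaves the same whether the engine uses search or full-match semantics, so the result here carries over to Burp's rule.

```python
import re
from urllib.parse import urlparse

# Regex exactly as used in the article's Burp scope and intercept rules:
# "any subdomain of facebook.com".
SUBDOMAIN_ONLY = r".*\.facebook\.com$"

# Hypothetical stricter variant (not from the article): anchored at the start,
# also matches the bare apex domain, and only allows hostname characters in labels.
APEX_AND_SUBDOMAINS = r"^(?:[a-z0-9-]+\.)*facebook\.com$"

# Constructed sample hosts: target subdomains, the apex domain, look-alike
# domains, and the analytics / connectivity-check hosts the article warns about.
SAMPLE_HOSTS = [
    "graph.facebook.com",
    "edge-chat.facebook.com",
    "facebook.com",
    "notfacebook.com",
    "facebook.com.example.test",
    "connectivitycheck.gstatic.com",
    "app-measurement.com",
]

# Constructed proxy-history lines in the shape "METHOD URL".
SAMPLE_HISTORY = [
    "GET https://graph.facebook.com/v3.2/me",
    "POST https://edge-chat.facebook.com/chat",
    "GET http://connectivitycheck.gstatic.com/generate_204",
    "POST https://app-measurement.com/a",
]


def in_scope(host, pattern=SUBDOMAIN_ONLY):
    """True if the host matches the scope pattern (hostnames are case-insensitive)."""
    return re.search(pattern, host, re.IGNORECASE) is not None


def partition(hosts, pattern=SUBDOMAIN_ONLY):
    """Split a host list into (in_scope, out_of_scope) for the given pattern."""
    ins = [h for h in hosts if in_scope(h, pattern)]
    outs = [h for h in hosts if not in_scope(h, pattern)]
    return ins, outs


def history_in_scope(lines, pattern=SUBDOMAIN_ONLY):
    """Keep only the history lines whose URL host matches the pattern,
    mirroring what the Burp HTTP history tab shows with 'in scope only'."""
    kept = []
    for line in lines:
        _method, url = line.split(" ", 1)
        host = urlparse(url).hostname or ""
        if in_scope(host, pattern):
            kept.append(line)
    return kept


if __name__ == "__main__":
    for name, pat in (("article regex", SUBDOMAIN_ONLY),
                      ("apex+subdomains", APEX_AND_SUBDOMAINS)):
        ins, outs = partition(SAMPLE_HOSTS, pat)
        print(f"{name}: in scope     -> {ins}")
        print(f"{name}: out of scope -> {outs}")
    print("history kept:", history_in_scope(SAMPLE_HISTORY))
```

Running it shows the one caveat worth knowing about the article's pattern: it matches graph.facebook.com and edge-chat.facebook.com but not the bare facebook.com, because it requires a literal dot before "facebook". If the app also talks to the apex domain, use a pattern like the second one. Look-alike hosts such as notfacebook.com and facebook.com.example.test are rejected by both patterns, and the gstatic / app-measurement noise stays out of the history.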


Download links:


If you liked the article, please hit the 👏 button and have a look at AndroidTamer — an open source virtual platform for Android Security Professionals.
