A security attack on a service, application or server can be split into 7 different steps.
- Reconnaissance
- Scanning
- Access and escalation
- Exfiltration
- Sustainment
- Assault
- Obfuscation
While these steps are clearly defined for an attack on a website or server, we can follow a similar pattern to attack a mobile application and so assess its security.
1. Reconnaissance on an Android App
Let’s focus on an Android application for the rest of this post (but the pattern is very similar on iOS).
As soon as you have decided which application you want to test, the first step is to learn how the application works and how the organization that builds it operates, as this gives a strong hint about where we should put our effort in the next steps.
An Android application is basically a zip archive. Its extension is “apk”.
2. Scanning
To start, we must scan the app to know how it works internally.
It is very common to do this on Android, and Google helps us assess the security of our applications with the Android Debug Bridge (adb).
When the device is connected to a computer, the Android Debug Bridge allows us to send commands to the device to perform some actions.
I highly recommend that you read more about the possibilities that the Android Debug Bridge offers.
On an Android application, scanning basically means setting the application to debug mode, repackaging it and playing with it on the device.
I am using apktool to do this. You should install it and have a look at the apktool documentation to learn how to use it.
Then you can access all the information from the app's local storage and check whether something valuable has leaked (passwords, cookies, etc.). This is the “Insecure Local Storage” category of the OWASP Mobile Top 10.
As we are working on the apk, it is also very interesting to decompile it and look at its source code to see whether something valuable is available in the codebase: passwords, keys, or the mechanism that blocks a user from a specific behavior.
I personally use Jadx to do that; it is a very popular Dex-to-Java decompiler.
However, I prefer the command-line Jadx over the graphical user interface.
To decompile an Android application using Jadx, just run the following command (`-d` sets the output directory and `--deobf` enables identifier deobfuscation):
> jadx --deobf -d ~/app/javaFiles/ ~/insecureApp.apk
Once you have the source code and the files from the local storage, you can use grep commands to look for specific strings in the files.
> grep -Eo '(http|https)://[^"]+' -R .
Looking for “admin”, “password” or any internet links can give you a lot of very valuable information.
If you think that your passwords are well encrypted and well preserved by companies, please think again about the massive leaks from Yahoo, Tinder or …
And it is very similar in Android applications: some of them store your login and password as plain text in the local storage.
Now that we have the source code, and a debuggable application on the device, we can access it.
3. Access
As you can see in the capture above from one of my penetration tests, as soon as we get to the “shared_preferences” folder through an adb shell, we can see a “Credentials.xml” file, and I can find the login and password stored in it as plain text. 😱
You can imagine an app or malware that exfiltrates this data from a user’s phone and then builds a login/password database very easily. That is indeed a very critical flaw. 🙅
Something similar is to look at the logs from the device while we are using the application.
> adb logcat > ~/grep-result.txt
And then use grep commands to look for specific strings in the logs.
> grep password ~/grep-result.txt > ~/grep-password-result.txt
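The greps above (URLs and secrets in the decompiled sources, the Credentials.xml found in shared_prefs, and credentials printed to logcat) are the same three checks, so here they are automated in one Python script. This is an added example, not code from the post or from AndroSecTest: the regexes are my own assumptions about what "looks like" a secret, and the Java snippet, XML file and logcat lines are constructed samples using reserved .invalid hostnames rather than anything captured from a real app.

```python
"""Added example (not from the article or from AndroSecTest): automate the
greps the post describes over decompiled sources, a shared_prefs XML file and
a logcat capture. All inputs below are constructed samples; the regexes and
the .invalid hostnames are assumptions, not values from the post."""
import re
import xml.etree.ElementTree as ET

# URLs inside string literals (the post's grep, with [^"] instead of ["]).
URL_RE = re.compile(r'https?://[^\s"\'<>]+')
# Preference keys that should never hold a readable secret.
SENSITIVE_KEY_RE = re.compile(r'pass(word)?|pwd|secret|token|api[_-]?key|admin', re.IGNORECASE)
# Java/Kotlin style assignment of a string literal to a sensitive-looking name.
HARDCODED_RE = re.compile(
    r'\b(?P<name>\w*(?:pass(?:word)?|pwd|secret|token|api[_-]?key)\w*)\s*=\s*"(?P<value>[^"]*)"',
    re.IGNORECASE,
)
# Logcat line carrying a sensitive key followed by a value.
LOG_CRED_RE = re.compile(r'(pass(word)?|pwd|token|secret)\s*[=:]\s*\S+', re.IGNORECASE)


def find_urls(text):
    """Distinct URLs in decompiled source, in order of first appearance."""
    seen = []
    for match in URL_RE.finditer(text):
        if match.group(0) not in seen:
            seen.append(match.group(0))
    return seen


def find_hardcoded_secrets(text):
    """(identifier, literal) pairs where a secret-looking name is assigned a string."""
    return [(m.group("name"), m.group("value")) for m in HARDCODED_RE.finditer(text)]


def find_sensitive_prefs(xml_text):
    """(key, value) pairs from a shared_prefs XML file whose key looks credential-like.
    <string> keeps its value as element text; other types use a value attribute."""
    hits = []
    for node in ET.fromstring(xml_text):
        name = node.get("name", "")
        value = node.get("value")
        if value is None:
            value = (node.text or "").strip()
        if value and SENSITIVE_KEY_RE.search(name):
            hits.append((name, value))
    return hits


def find_credentials_in_logcat(lines):
    """Logcat lines that print a credential-like key next to a value."""
    return [line for line in lines if LOG_CRED_RE.search(line)]


# --- constructed samples standing in for jadx output, a pulled XML file and a logcat dump ---
DECOMPILED_JAVA = '''
public class ApiClient {
    static final String BASE = "https://api.example.invalid/v1";
    static final String LEGACY = "http://legacy.example.invalid/login";
    static final String ADMIN_PASSWORD = "hunter2";
}
'''

CREDENTIALS_XML = '''<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <boolean name="remember_me" value="true" />
    <int name="launch_count" value="3" />
</map>
'''

LOGCAT = [
    "D/LoginActivity( 1234): user=alice password=hunter2",
    "I/ActivityManager(  567): Start proc 1234:com.example.app/u0a123",
    "D/TokenStore( 1234): refreshed token: eyJhbGciOi...",
]


def scan_all():
    """Run every check over the samples and return one report dict."""
    return {
        "urls": find_urls(DECOMPILED_JAVA),
        "hardcoded": find_hardcoded_secrets(DECOMPILED_JAVA),
        "prefs": find_sensitive_prefs(CREDENTIALS_XML),
        "logcat": find_credentials_in_logcat(LOGCAT),
    }


if __name__ == "__main__":
    for section, findings in scan_all().items():
        print(f"{section}: {findings}")
```

To run it against a real assessment, replace the three constants with the contents of the jadx output directory, the XML files pulled from `/data/data/<package>/shared_prefs/`, and the logcat dump from the command above; every hit is something your own app should not be writing down in the clear.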
We have looked quickly at the local storage; to continue with the “Access and escalation” step, we are going to look at the network.
I am using mitmproxy or bettercap to look at the network calls the application makes from the device.
Owasp ZAP and Burp are also very popular tools and they have a Graphical User Interface. Choose whichever you prefer.
Let’s consider that we are going to look at the HTTP requests and responses to begin with. I will write a post to explain how to get information from https requests.
First, set up your device so that it sends its internet traffic through your computer. On Android, the proxy setting is under:
/Settings/Networks/Wifi/yourwifissid/Modify network/Proxy manual
Then you just have to install mitmproxy on your computer, launch it and use the application on your device.
You should see very quickly all the requests and responses from your application.
I like to save all the requests and responses to a file and study them later automatically with grep and with Wireshark.
Then you must use your brain and your experience to look for specific strings and try to hack the application.
It depends a lot on the application and its behavior.
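Saving every exchange to a file for a later grep pass is something mitmproxy can do from a small addon script. The one below is an added example, not code from the post or from AndroSecTest, and it also does the first "use your brain" check for you: it warns when a form or JSON field with a credential-looking name is sent over plain http://. The file name, LOG_PATH and the .invalid hostname are assumptions; the `response(flow)` hook and the `flow.request`/`flow.response` attributes are mitmproxy's addon API, and the pure functions are separated out so they can be exercised without a device.

```python
"""Added example (not from the article or from AndroSecTest): a mitmproxy
addon that writes every HTTP exchange to a grep-friendly text file and warns
when credential-looking fields travel over plain HTTP. Load it with
    mitmdump -s traffic_log.py
The file name, LOG_PATH and the .invalid hostnames are assumptions."""
import json
import logging
import re
from urllib.parse import parse_qs

LOG_PATH = "/tmp/app-traffic.txt"          # assumed output location
CRED_FIELD_RE = re.compile(r'pass(word)?|pwd|token|secret|api[_-]?key', re.IGNORECASE)
log = logging.getLogger(__name__)


def format_exchange(method, url, req_headers, req_body, status, resp_body):
    """Render one exchange as prefixed lines so that `grep ^REQ-BODY file`
    or `grep -i password file` pulls out exactly the part you want later."""
    lines = [f"REQ {method} {url}"]
    lines += [f"REQ-HDR {name}: {value}" for name, value in req_headers.items()]
    if req_body:
        lines.append(f"REQ-BODY {req_body}")
    lines.append(f"RESP {status}")
    if resp_body:
        lines.append(f"RESP-BODY {resp_body[:512]}")   # keep large bodies short
    return "\n".join(lines) + "\n\n"


def cleartext_credentials(url, content_type, body):
    """Names of credential-looking fields in a body sent over http:// (no TLS).
    Handles form-encoded and flat JSON bodies; anything else is left to grep."""
    if not url.lower().startswith("http://") or not body:
        return []
    ctype = (content_type or "").lower()
    if "application/x-www-form-urlencoded" in ctype:
        names = list(parse_qs(body, keep_blank_values=True))
    elif "json" in ctype:
        try:
            parsed = json.loads(body)
        except ValueError:
            return []
        names = list(parsed) if isinstance(parsed, dict) else []
    else:
        names = []
    return [name for name in names if CRED_FIELD_RE.search(name)]


# mitmproxy calls this hook once per completed response when the addon is loaded.
def response(flow):
    req, resp = flow.request, flow.response
    req_body = req.get_text(strict=False) or ""
    with open(LOG_PATH, "a", encoding="utf-8") as fh:
        fh.write(format_exchange(req.method, req.pretty_url, dict(req.headers), req_body,
                                 resp.status_code, resp.get_text(strict=False) or ""))
    leaked = cleartext_credentials(req.pretty_url, req.headers.get("content-type"), req_body)
    if leaked:
        log.warning("cleartext credentials in %s: %s", req.pretty_url, ", ".join(leaked))


# Constructed sample standing in for a login request captured from the app.
SAMPLE_LOGIN = {
    "method": "POST",
    "url": "http://legacy.example.invalid/login",
    "headers": {"Content-Type": "application/x-www-form-urlencoded", "User-Agent": "ExampleApp/1.0"},
    "body": "user=alice&password=hunter2",
}

if __name__ == "__main__":
    print(format_exchange(SAMPLE_LOGIN["method"], SAMPLE_LOGIN["url"], SAMPLE_LOGIN["headers"],
                          SAMPLE_LOGIN["body"], 200, '{"ok":true}'))
    print("cleartext:", cleartext_credentials(SAMPLE_LOGIN["url"],
                                               SAMPLE_LOGIN["headers"]["Content-Type"],
                                               SAMPLE_LOGIN["body"]))
```

The prefixed line format is deliberate: once the device has been used for a while, `grep '^REQ ' /tmp/app-traffic.txt` lists every endpoint the app talks to, and `grep -i 'password' /tmp/app-traffic.txt` is the same check the post runs on local storage and logcat, now applied to the wire.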
Next Steps — 4, 5, 6, 7
I will not cover steps 4, 5, 6 and 7, as they are not necessary for a security assessment, although they are part of a real attack.
As you can see, a lot of this setup is very similar whatever the application you start assessing.
That’s why I made a Go application that does all of this setup and the static attacks automatically.
It is called “AndroSecTest” and is available on GitHub. Here is a quick cheat sheet of the steps AndroSecTest goes through to test the security of an Android app. You can have a quick look at how the application pentests an Android app on YouTube: https://youtu.be/zzyTFjnwolo
1. Build the Docker container, which has all the dependencies and tools already installed.
2. Connect your Android device.
2.1. Be sure that the "adb server" is not running on the host machine, as an Android phone can only be connected to one adb server at a given time.
2.2. USB connection does not work from the host to the container on macOS, so it only works on a Linux host for the time being.
3. Run the Docker container.
3.1.
3.2.
Shosta / androSecTest on GitHub: From this app, connect a phone, extract any app from it, decompile, deobfuscate, remove certificate pinning and repackage it. Meanwhile, perform some static and dynamic analysis on it.
Android-Static-Security-Audit
Easiest way to try it: use the Docker container.
> docker build .
> docker run -it --privileged -v /dev/bus/usb:/dev/bus/usb "The Container ID"
-it is here so that we can have an interactive session. --privileged …
It is still work in progress but I hope to release it very soon for the public.
Video produced by Wild & Secure, your consulting firm for all things security and real estate.
If you want to receive weekly quality content about security, subscribe to our newsletter on our website.
Top comments (7)
I really loved this article... Cannot wait to read the others ;)
Did you already try to use truffleHog to search for secrets in a code base?
Did you ever try the Mobile Security Framework to decompile and analyze an APK for security and potential secrets?
Yes, I used TruffleHog (among others) to search for secrets in a codebase.
I am a heavy user of MobSF, that I modified slightly to automate the process to a bunch of apps at once.
It is working pretty well. One of my colleagues is a MobSF contributor by the way. We are working on this in my department.
Oh very nice to know... now I know who I can complain to ;)
Thanks for pointing out the badly linked "mitmproxy".
Solved by now. :-)
This is a really good article, is there a place where I can get more info about this practice?
Thanks for your reply.
That means a lot to me and I am happy that someone finds my article useful.
The other ones are moving into further Android security assessment.
I learned almost on my own about this on the internet.
And I must say that there is very good material on the internet.
You should try reading some articles about "Android Pentesting" and have a look at some videos about it.
Then you should try to do some Capture The Flag about Android security. It is the best way to really learn something.
You can have a look at this Github repository that has a list of great materials and tools for penetration testing.
Awesome! I'm still new with pentesting and I found the repo a very useful source. Thanks for sharing!