🛠️Android Application Pentesting

Android PT Mindmap

Reversing

Java/Kotlin

React Native

Cordova/Ionic/Phone Gap

Xamarin

Flutter

Apk Signature

  • Verify Signature

    • apksigner verify --verbose example.apk

    • apksigner verify --print-certs --verbose example.apk

Static Analysis

Insecure Crypto-Methods

Interesting File

  • Android Manifest AndroidManifest.xml

  • Network Security Config NetworkSecurityConfig.xml

  • assets directory

  • res/xml directory

Find Secret/URL/Endpoint

WebView

  • Arbitrary Resources Load

  • JavascriptInterface

  • Javascript Enable

  • Local File Inclusion

  • XSS

Setup Device

Emulator

Physical Device

Root Detection

  • Missing Root Detection

  • Bypass

    • Frida

    • Code / Repack

    • Magisk Hide

Emulator Detection

  • Missing Check

  • Bypass

    • Frida

    • Code Manipulation / Patching

Anti-Tampering

  • Check if signature is verified

    • use uber-apk-signer and try to execute app

  • Check if integrity of code is verified

    • patch code (native, hermes, js, smali), sign app and try to execute again

Dynamic Analysis

Pull apk

  • list apk

    • adb shell pm list packages

  • get path apk (or apks)

    • adb shell pm path sg.vp.owasp_mobile.omtg_android

  • Download apk

    • adb pull <path>

Content Provider

Binary Instrumentation

  • Dynamic Analysis on non rooted device

    • objection patchapk --source UnCrackable-Level1.apk

Interact with App

Process Exploration

Method Tracing

Hooking Method

Library Injection

Debugger

Network

Network Monitoring

SSL Pinning bypass

Storage

Sensitive information in Local Storage

  • path /data/data/<package_name>

    • SharedPref

    • Database

    • Other files

  • Objection objection -g sg.vp.owasp_mobile.omtg_android explore

File in External Storage

  • Get list of files in /sdcard

    • adb pull /sdcard

  • Using Frida and monitoring API

    • getExternalStorageDirectory

    • getExternalStoragePublicDirectory

    • getExternalFilesDir or FileOutputStream

  • Permission WRITE_EXTERNAL_STORAGE and MANAGE_EXTERNAL_STORAGE

Sensitive Information Logcat

  • adb logcat

  • Log, Logger, System.out.print, System.err.print, and java.lang.Throwable#printStackTrace

Misconfiguration

Android Backup

Debug Certificate

  • Check if app uses debug certificate

    • apksigner verify --print-certs --verbose example.apk

    • "CN=Android Debug,O=Android,C=US"

App Tampering

  • Modifying [smali](https://github.com/JesusFreke/smali/wiki/TypesMethodsAndFields)

  • Resign apk uber-apk-signer

    # create sign key (can be found in "Android Studio\jbr\bin\keytool.exe" )
    keytool -genkey -v -keystore your-keystore.jks -keyalg RSA -keysize 2048 -validity 10000 -alias <key alias name>
    # align the app (can be found in build-tools)
    zipalign -v 4 <your_app.apk> <your_app_aligned.apk>
    # sign the app (apksigner can be found in build-tools)
    apksigner.bat sign --ks your-keystore.jks --ks-key-alias <key alias name> --out <signed_apk.apk> <not_signed_apk.apk>

Useful Tools

Useful Resources
