Android Application Pentesting

Android PT Mindmap

Reversing

Java/Kotlin

• Decompile apk

• Native

  • Identify .so inside app lib/<arch>/*.so

  • rabin2 -I lib/x86_64/libnative-lib.so | grep -E "canary|pic"

  • Decompile with Ghidra/IDApr/R2

• Resources

  • [Smali](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0016/

React Native

• Disassembler and Assembler assets/index.android.bundle
• Resources

Cordova/Ionic/Phone Gap

• Source code located in assets/www

• Resources

Xamarin

• Find assemblies in apk
• Resources

Flutter

Apk Signature

• Verify Signature

  • apksigner verify --verbose example.apk

  • apksigner verify --print-certs --verbose example.apk

Static Analysis

Insecure Crypto-Methods

• • DES, 3DES

  • RC2

  • RC4

  • BLOWFISH

  • MD4

  • MD5

  • SHA1

• SecureRandom with Empty Argument

Interesting File

• Android Manifest AndroidManifest.xml

• Network Security Config NetworkSecurityConfig.xml

• assets directory

• res/xml directory

Find Secret/URL/Endpoint

• strings command

Insecure DeepLink

• Check if exists /.well-known/assetlinks.json

WebView

• Arbitrary Resources Load

• JavascriptInterface

• Javascript Enable

• Local File Inclusion

• XSS

Setup Device

Emulator

Physical Device

• Rooting

• Magisk

  • lsposed

  • Magisk Hide

  • Enable Zygisk

• Useful Modules

Root Detection

• Missing Root Detection

• Bypass

  • Frida

  • Code / Repack

  • Magisk Hide

Emulator Detection

• Missing Check

• Bypass

  • Frida

  • Code Manipulation / Patching

Anti-Tampering

• Check if signature is verified

  • use uber-apk-signer and try to execute app

• Check if integrity of code is verified

  • patch code (native, hermes, js, smali), sign app and try to execute againg

Dynamic Analysis

Pull apk

• list apk

  • adb shell pm list packages

• get path apk (or apks)

  • adb shell pm path sg.vp.owasp_mobile.omtg_android

• Download apk

  • abd pull <path>

Content Provider

Binary Instrumentation

• Dynamic Analysis on non rooted device

  • objection patchapk --source UnCrackable-Level1.apk

• Tools

Interact with App

• Attack Surface

  • run app.package.attacksurface <package_name>

Process Exploration

• Objection

  • objection --gadget sg.vantagepoint.helloworldjni explore

  • memory dump all

Method Tracing

Hooking Method

• Getting loaded classes

Library Injection

Debugger

• Resources

Network

Network Monitoring

• iptables

• tcpdump

SSL Pinning bypass

• Using Frida
• Flutter App
• Tools

Storage

Sensitive information in Local Storage

• path /data/data/<package_name>

  • SharedPref

  • Database

  • Other files

• Objection objection -g sg.vp.owasp_mobile.omtg_android explore

File in External Storage

• Get list of file in /sdcard

  • adb pull /sdcard

• Using Frida and monitoring Api

  • getExternalStorageDirectory

  • getExternalStoragePublicDirectory

  • getExternalFilesDir or FileOutPutStream

• Permission WRITE_EXTERNAL_STORAGE, and MANAGE_EXTERNAL_STORAG

Sensitive Information Logcat

• adb logcat

• Log, Logger, System.out.print, System.err.print, and java.lang.Throwable#printStackTrace

Misconfiguration

Android Backup

• android:allowBackup="true"

Debug Certificate

• Check if app use debug certificate

  • apksigner verify --verbose example.apk

  • "CN=Android Debug,O=Android,C=US"

App Tampering

• Modifying [smali](https://github.com/JesusFreke/smali/wiki/TypesMethodsAndFields

• Copy

  # create sign key (can be found in "Android Studio\jbr\bin\keytool.exe" )
  keytool -genkey -v -keystore your-keystore.jks -keyalg RSA -keysize 2048 -validity 10000 -alias <key alias name>
  # align the app (can be found in build-tools)
  zipalign -v 4 <your_app.apk> <your_app_aligned.apk>
  # sign the key (can be found in build-tools )
  apksigner.bat sign --ks your-keystore.jks --ks-key-alias <key alias name> --out <signed_apk.apk> <not_signed_apk.apk>

Useful Tools

Useful Resources

• OWASP Mobile
• Frida Script