Android Penetration testing — The tools.
This provides a summary of the tools I use to perform Android Pentest.
Setting up the Environment.
- Physcial device
- ADB tools
- APKTOOL
- Jadx-GUI
- Mobsf
- Burpsuite Community edition
- Frida and Objection
- Drozer
Toiled for a month trying to jailbreak my phone. Well I deleted my entire bootloader. Crashed the phone and gave up for a whole month. I asked someone for help and it was fixed/rooted in less than 24hrs
Let’s setup the tools.
- ADB
One of the resourceful tools required. Has a client-server model that creates a connection between the android device/emulator and host.
For more details; https://developer.android.com/tools/adb
Can be installed with sudo apt install adb.
Ensure ADB can connect to the phone’s shell and be root using su rootcommand.
Common adb commands
adb devices — view connected devices.
adb shell — get shell connection to the android phone
adb logcat — view logs
adb push/pull — copy file from host to android / copy file from android to host
adb install/uninstall — install/uninstall apks on android device.
adb shell pm list packages — Lists all packages.
2. APKTOOL.
A tool used to decompile and compile apks. Comes into place when viewing contents of an apk, editing configurations and recompiling. The best way to install apktool is using the github steps; https://ibotpeaches.github.io/Apktool/install/ as compared to apt.
apktool d myapk.apk — Decompile apk
apktool b myapk — Recompile apk
3. Jadx-GUI
Works exactly as apktool to reverse engineer the code with a GUI view. Gives a better analysis of the files present on the apk for review.
sudo apt install jadx
4. Mobsf
Best known SAST tool for apk review. Download, install, upload apk and wait. The output reverse engineers the entire apk and displays the existing vulnerabilities. However, has several false positives and therefore need for dynamic testing.
Preferably install the docker version (Kali 2023 has python 3.11 mobsf uses upto 3.10 the troubleshooting is exhausting)
sudo docker pull opensecurity/mobile-security-framework-mobsf
sudo docker run -it — rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
Access via browser;
Upload the apk and mobsf will perform a scan.
5. Burpsuite Listener
For proper understanding of how burpsuite works check https://portswigger.net/
Setting up the listener. Add a new listener on the proxy tab. Go to network settings on your phone and add the new IP as a manual proxy. (Community edition means you’ll have to add the proxy listener every day)
https://portswigger.net/burp/documentation/desktop/external-browser-config/check-listener#
Don't forget to add the Portswigger CA to you trust certificates in Android — “Got the image online I was using a physical device”
Now this is not the end? Most applications have enabled SSL pinning that prevents traffic from being monitored and will not allow connection if a proxy is deteced. Will discuss more in Part II
6. Frida
A dynamic code instrumentation toolkit that let’s one inject snippets of JavaScript or your own library into native apps. (Picked straight from the official site, frida.re)
Setting up Frida
pip install frida-tools done on the host/kali linux.
Download frida server from https://github.com/frida/frida/releases that matches the previously installed frida version (frida — version) and the android device architecture (x86 or x64)
Push the frida server to the android device using adb push, change permissions to 755 and start the server.
#adb push frida-server /data/local/tmp/
#adb shell “chmod 755 /data/local/tmp/frida-server”
#adb shell “/data/local/tmp/frida-server &”
Common frida commands.
frida-ps -U — Lists running processes.
frida-ps -Uai — Lists all installed applications
frida -U -f package name -l disableroot.js — Add ing external scripts into the application
7. Objection;
Powered by Frida and comes in hand when using a non-rooted device.
To install pip install objection.
Important note; for objection to work the frida setup above has to be working. Will dig deeper into frida and objection in Part II
8. Drozer
Has an agent and client communication process to perform security assessments and surface visualizations.
This article made it easy-peasy to install Drozer Client https://hackmd.io/@4n4l1st-ch4rl3s/H1fzfG12t
Install Drozer agent;
Download the agent from https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk
adb install drozer-agent.apk on the emulator/android device.
I will perform the pending process on the physical device. This involves;
- start the application and turn on the Embedded server which will be running on port 31415 and waiting for connection.
2. Port forward to enable connection between the agentServer and the Client adb forward tcp:31415 tcp:31415
3. Run drozer console connect on the host and check the Agent for established connection.
PS.
There are many tools listed above and most of the time picking 3 would be best depending on what works for you and the application tested.
Tools are one side of penetration testing. Some of the tools haven’t been extensively discussed, as some tweaking is required based on the security A full APK Pentest process on Part II will provide more details.