|\ __________                          __   __                         __
         | |   __     |          _____ __    __\__/_|  |_ __ ___   _____   ___ |  |\_____     
         | |  /  \    |         /  _  \  \  /  /  |_    _|  /   \ /  _  \ /  _ \  |/  _  \    
         | |  \  /___ |        /  /_\  \  \/  /|  | |  |\|   /\  \  / \  \  / \   |  /_\  \   
         | |__/    _ \|        |  _____||    |\|  | |  | |  |\|  |  |\|  |  |\|   |  _____|\  
         | |___/\  \\_\        \  \____/  /\  \|  | |  | |  | |  |  \_/  /  \_/   |  \___ \|  
         | |    /   \_|         \_____/__/ /\__\__| |__| |__| |__|\_____/ \____/__|\_____/\   
         | |   / / \___|         \____\__\/  \__\__\|\__\|\__\|\__\\____\/ \___\\__\\____\/   
         | |__/_/_____|     
         |/                

Last changed: 25.09.2019

Pentesting android applications


As many android apps were written by inexperienced or untrained developers, many long-known security issues have resurfaced in android applications. Since smartphones often contain loads of personal or financial data, the security of the installed apps should be reviewed.

android

decompile apks


apktool

To unzip and decode apk files, download and install apktool.

apktool d example.apk -s

dex2jar

Dex2jar can be used to decompile dex files from the apk.

d2j-dex2jar.sh example.apk -o output.jar
d2j-baksmali.sh classes.dex -o classes.smali
d2j-smali.sh classes.smali -o classes_new.dex

jd-gui

The decompiled jar files can be opened with jd-gui.

jadx-gui

Jadx represents an all-in-one solution as an alternative to apktool, dex2jar and jd-gui.

basic app analysis steps


To analyze an app you have to know where to find its entry point and how its resources are connected.

The following example uses the default values for a "Hello World" app with an empty activity, which was created by android studio.

AndroidManifest.xml

Here you can find the permissions the app requests and the class names of all activities which are started when a certain intent is received.

The intent-filter android.intent.action.MAIN shows the name of the class which is run when the application starts.

com.example.myapplication.MainActivity

In the function onCreate you should be able to find a call to setContentView. This shows which layout from the res section will be drawn.

res.layout.activity_main.xml

This shows the visual elements of the displayed view. Here you can find control elements like buttons and see the methods which will be called.

resources.arsc/res.values.strings.xml

Sometimes strings are outsourced to this file. You can resolve its IDs via the R.class file.

original/META-INF/CERT.RSA

The signing certificate contains issuer information and the date of signing.

openssl pkcs7 -inform DER -in original/META-INF/CERT.RSA -noout -print_certs -text
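
The manifest checks above, as an added example that is not part of the original notes: a small script that walks a decoded AndroidManifest.xml (as left behind by apktool d) and lists the requested permissions, the MAIN activity and the components that are exported and therefore reachable from other apps, adb or drozer. The manifest embedded below is constructed for the example; the exported rule it applies is the pre-Android-12 default (explicit android:exported, otherwise exported when an intent-filter exists).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# constructed sample manifest, shaped like the decoded output of `apktool d`
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.myapplication">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="@string/app_name">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="com.example.SOCIAL_SMS"/></intent-filter>
    </receiver>
    <provider android:name=".CredentialProvider"
        android:authorities="com.example.credentialstore" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>"""

def attr(el, name):
    """Read an android:-namespaced attribute such as android:name."""
    return el.get("{%s}%s" % (ANDROID_NS, name))

def analyze_manifest(xml_text):
    """Return package, requested permissions, the MAIN activity and exported components."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package")
    result = {"package": pkg, "main_activity": None, "exported": [],
              "permissions": [attr(p, "name") for p in root.findall("uses-permission")]}
    for comp in root.find("application"):
        if comp.tag not in ("activity", "receiver", "service", "provider"):
            continue
        name = attr(comp, "name") or ""
        if name.startswith("."):  # short form relative to the package name
            name = pkg + name
        actions = [attr(a, "name") for a in comp.iter("action")]
        if comp.tag == "activity" and "android.intent.action.MAIN" in actions:
            result["main_activity"] = name
        exported = attr(comp, "exported")
        # Before Android 12 a component with an intent-filter and no explicit
        # android:exported is exported by default; these are reachable from adb/drozer.
        if exported == "true" or (exported is None and comp.find("intent-filter") is not None):
            result["exported"].append((comp.tag, name, attr(comp, "authorities"), actions))
    return result
```

Run analyze_manifest on the text of unpatched/AndroidManifest.xml to get the same report for a real app; the component names and provider authorities are the values to feed into the am and content commands further down.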

patch apks


download installed apk from phone

From inside an adb shell or on a terminal directly on the device you can query the package manager (pm) to gain information on the installed apps. If you want to investigate a specific app you can download it from the device.

adb shell 'pm list packages'
adb shell 'pm path com.example.app'
adb pull /data/app/com.example.app-1/base.apk app.apk

modify source and repack apk

An easy way to quickly patch some functionality in an apk is to change the corresponding smali code. Afterwards the apk has to be packed and signed again. Old versions which are signed with a different key have to be uninstalled first.

apktool d unpatched.apk
vim unpatched/path/to/file.smali
apktool b unpatched -o patched.apk
zipalign 4 patched.apk patched_aligned.apk

sign apk

keytool -genkeypair -alias user -keystore user.keystore -keyalg RSA -keysize 4096
apksigner sign --ks user.keystore patched_aligned.apk 

install apk on phone

adb install patched_aligned.apk

install android studio


If you want to write your own android applications it is recommended to install android studio. This ide includes the AVD Manager to set up and run virtual android devices.

To run android studio from the gnome launcher create the following file.

~/.local/share/applications/android-studio.desktop

#!/usr/bin/env xdg-open
[Desktop Entry]
Type=Application
Name=Android Studio
Exec=/bin/sh "/opt/android-studio/bin/studio.sh"
Icon=/opt/android-studio/bin/studio.png
Categories=Application;

run android virtual devices from the command line

To create virtual devices and download the needed system images I use the AVD Manager inside android studio. Afterwards the virtual devices can be started from the command line.

~/Android/Sdk/emulator/emulator -list-avds
~/Android/Sdk/emulator/emulator -avd <name of avd>

Be aware that images containing Google Play are considered production builds and prohibit root access to the device.

emulator console

The emulator provides a console for advanced configuration. To connect you need the tcp port and an auth token.

adb devices
cat ~/.emulator_console_auth_token
telnet localhost <console-port>
auth <token>

packet capture

From the emulator console you can capture the network traffic of the emulator to a file.

network capture start traffic.pcap
network capture stop traffic.pcap

Alternatively the complete session can be captured.

~/Android/Sdk/emulator/emulator -avd <name of avd> -tcpdump traffic.pcap

debugging via adb


Enable the developer options by tapping on the build number seven times in the settings of the android device, then enable usb debugging there.

adb devices
adb [-s <device>] shell
adb [-s <device>] install test.apk

Access as root is only allowed on virtual devices without Google Play.

adb root
adb shell

Alternatively a shell can be started directly in the current terminal.

~/Android/Sdk/emulator/emulator -avd <name of avd> -shell

android system information


Android devices provide some tools to display system information or to monitor log entries.

dumpsys -l
dumpsys diskstats
dumpsys package
logcat

connect drozer


Drozer is a comprehensive security and attack framework for android.

adb install agent.apk
adb forward tcp:31415 tcp:31415
drozer console connect

sending intents


An activity can be started by explicitly calling its class or by implicitly calling an intent.

adb

adb shell 'am start-activity -a android.intent.action.MAIN -d data:implicit'
adb shell 'am start-activity -n com.example.app/.MainActivity -d data:explicit'

java (implicit)

Intent i = new Intent("android.intent.action.MAIN", Uri.parse("extra:my_data"));
this.startActivity(i);

java (explicit)

Intent i = new Intent();
i.setClassName("com.example.app", "com.example.app.MainActivity");
this.startActivity(i);

sending broadcasts


adb

adb shell 'am broadcast -n org.owasp.goatdroid.fourgoats/.broadcastreceivers.SendSMSNowReceiver --es phoneNumber 123456789 --es message "adb explicit"'
adb shell 'am broadcast -a org.owasp.goatdroid.fourgoats.SOCIAL_SMS --es phoneNumber 123456789 --es message "adb implicit"'

drozer

dz> run app.broadcast.send --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 123456789 --extra string message "drozer explicit"
dz> run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --extra string phoneNumber 123456789 --extra string message "drozer implicit"

query content providers


adb

adb shell 'content query --uri content://com.example.credentialstore/credentials --projection "* from sqlite_master--"'
adb shell 'content read --uri content://com.example.filebrowser/etc/hosts'

drozer

dz> run app.provider.query content://com.example.credentialstore/credentials --projection '* from sqlite_master--'
dz> run app.provider.read content://com.example.filebrowser/etc/hosts

java

Uri uri = Uri.parse("content://com.example.credentialstore/credentials");
Cursor c = getContentResolver().query(uri, new String[] {"* from sqlite_master--"}, null, null, null);
String result = DatabaseUtils.dumpCursorToString(c);

analyze tls connections


Many apps exchange data with remote servers via tls connections. To analyze the security of the tls connection and the content of the transmission, burp suite can be set up as an intercepting proxy.

make burp prefer ipv4

Add "-Djava.net.preferIPv4Stack=true" right behind "$app_java_home/bin/java" in the execution line of the BurpSuiteFree script.

set the proxy in the avd

Settings -> Category "Wireless & networks" -> More -> Cellular networks -> 
Access Point Names -> "T-Mobile US" -> set Proxy and Port and Save settings

install ca certificate on device

Download the ca certificate from http://burp and rename it to burp.crt

Settings -> Security -> Install from SD card -> choose crt file

redirect all traffic to inetsim


To feed the app's network traffic into inetsim you can redirect all outgoing traffic of the host to the local machine, where inetsim answers it.

iptables -t nat -A OUTPUT -j DNAT --to-destination 127.0.0.1
inetsim

To still be able to browse the web you can add exceptions for a socks proxy and your dns server. They have to be placed above the DNAT rule, so insert them with -I instead of appending them with -A.

iptables -t nat -I OUTPUT -p tcp --dport 9000 -d <socks proxy> -j ACCEPT
iptables -t nat -I OUTPUT -p udp --dport 53 -d <dns server> -j ACCEPT

You can set up your own socks proxy with ssh. Replace <socks proxy> with the ip of your ssh server and the dport with 22.

ssh -D 9000 -q -N user@server

virustotal androguard


VirusTotal runs androguard on uploaded apks and lets VirusTotal Intelligence customers search its results.

androguard:"android.intent.action.BOOT_COMPLETED" androguard:"android.permission.ACCESS_FINE_LOCATION" 

disambiguation


DEX (Dalvik Executable): bytecode to be run in the Dalvik VM (prior to Android 4.4) or Android Runtime (ART) VM

ODEX (Optimized DEX): optimized for device; created during installation of APK (Dalvik VM)

OAT: compiled ELF binary from dex & native code; created during installation of APK (ART VM)

Application Sandbox: limiting an application's access based on Linux user IDs and group IDs

smali/baksmali: "assembler"/"disassembler" for dex bytecode