|\ __________                          __   __                         __
         | |   __     |          _____ __    __\__/_|  |_ __ ___   _____   ___ |  |\_____     
         | |  /  \    |         /  _  \  \  /  /  |_    _|  /   \ /  _  \ /  _ \  |/  _  \    
         | |  \  /___ |        /  /_\  \  \/  /|  | |  |\|   /\  \  / \  \  / \   |  /_\  \   
         | |__/    _ \|        |  _____||    |\|  | |  | |  |\|  |  |\|  |  |\|   |  _____|\  
         | |___/\  \\_\        \  \____/  /\  \|  | |  | |  | |  |  \_/  /  \_/   |  \___ \|  
         | |    /   \_|         \_____/__/ /\__\__| |__| |__| |__|\_____/ \____/__|\_____/\   
         | |   / / \___|         \____\__\/  \__\__\|\__\|\__\|\__\\____\/ \___\\__\\____\/   
         | |__/_/_____|     
         |/                

Last changed: 14.07.2017

Set up a test environment for android


install android studio


If you want to write your own android applications, it is recommended to install android studio. The following desktop entry adds it to the application menu.

~/.local/share/applications/android-studio.desktop

#!/usr/bin/env xdg-open
[Desktop Entry]
Type=Application
Name=Android Studio
Exec=/bin/sh "/opt/android-studio/bin/studio.sh"
Icon=/opt/android-studio/bin/studio.png
Categories=Application;

run android virtual devices from the command line

~/Android/Sdk/tools/emulator -list-avds
~/Android/Sdk/tools/emulator -avd <name of avd>

If the emulator does not start, try setting hw.gpu.mode=off in the config.ini of the avd, or add export ANDROID_USE_SYSTEM_LIBS=1 to your .profile.

debugging via adb


Enable usb debugging in the settings of the android device; tapping on the build number seven times unlocks the developer options in which the switch is found.

adb shell
adb install test.apk

decompile apks


The java runtime environment is needed for some of the following tools.

apt install openjdk-8-jre 

apktool

To unzip and decode apk files, download and install apktool.

java -jar apktool_2.2.2.jar d example.apk -s

dex2jar

Dex2jar converts the dex files of an apk into a jar that can then be decompiled; the bundled baksmali and smali scripts disassemble a dex file to smali and assemble it again.

d2j-dex2jar.sh example.apk -o output.jar
d2j-baksmali.sh classes.dex -o classes.smali
d2j-smali.sh classes.smali -o classes_new.dex

jd-gui

The decompiled jar files can be opened with jd-gui.

jadx

Jadx is an all-in-one alternative to apktool, dex2jar and jd-gui.

analyze tls connections


Many apps exchange data with remote servers via tls connections. To analyze the security of the tls connection and the content of the transmission, burp suite can be set up as an intercepting proxy.

make burp prefer ipv4

Add "-Djava.net.preferIPv4Stack=true" right behind "$app_java_home/bin/java" in the execution line of the BurpSuiteFree script

set the proxy in the avd

Settings -> Category "Wireless & networks" -> More -> Cellular networks -> 
Access Point Names -> "T-Mobile US" -> set Proxy and Port and Save settings

install ca certificate on device

With the proxy configured, download the ca certificate from http://burp and rename it to burp.crt.

Settings -> Security -> Install from SD card -> choose crt file

browse installed apps


From inside an adb shell or on a terminal directly on the device you can query the package manager (pm) for information on the installed apps. If you want to investigate a specific app, you can pull its apk from the device.

adb shell 'pm list packages'
adb shell 'pm path com.example.app'
adb pull /data/app/com.example.app-1/base.apk app.apk
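Added example (not from the original notes): a small Python helper for the step above. It parses the output of `adb shell pm list packages -f` (one line per package with the apk path and the package name) and turns the user installed apps into the corresponding adb pull commands. The sample output embedded below is constructed, and adb itself is not invoked by the script.

```python
"""
Parse `pm list packages -f` output and build adb pull commands for the
user installed apps. Added example, not part of the original notes; the
sample output is constructed and adb is not called.
"""
import re

# One line of `pm list packages -f` looks like: package:<apk path>=<package name>
_PM_LINE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[\w.]+)$")

# Constructed sample output: one system app and two user installed apps.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/com.example.app-1/base.apk=com.example.app
package:/data/app/org.owasp.goatdroid.fourgoats-2/base.apk=org.owasp.goatdroid.fourgoats
"""


def parse_pm_list(output):
    """Map package name -> apk path; lines that do not match the format are ignored."""
    apks = {}
    for line in output.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            apks[m.group("pkg")] = m.group("path")
    return apks


def user_installed(apks):
    """Keep only apps installed under /data/app (system apps live elsewhere)."""
    return {pkg: path for pkg, path in apks.items() if path.startswith("/data/app/")}


def pull_commands(apks, outdir="apks"):
    """Build one `adb pull` per package, naming the local copy after the package."""
    return ["adb pull %s %s/%s.apk" % (path, outdir, pkg)
            for pkg, path in sorted(apks.items())]


if __name__ == "__main__":
    for cmd in pull_commands(user_installed(parse_pm_list(SAMPLE_PM_OUTPUT))):
        print(cmd)
```

On a real device the input comes from `adb shell 'pm list packages -f'`; `pm list packages -3` already restricts the listing to third-party packages, so the path filter is mainly useful when the full listing was saved earlier.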

patch apks


An easy way to quickly patch some functionality in an apk is to change the corresponding smali code. Afterwards the apk has to be packed, aligned and signed again. Any installed version signed with a different key has to be uninstalled first, because android refuses to install an update whose signature does not match.

apktool d unpatched.apk
vim unpatched/path/to/file.smali
apktool b unpatched -o patched.apk
keytool -genkeypair -alias patcher -keystore patcher.keystore
zipalign 4 patched.apk patched_aligned.apk
apksigner sign --ks patcher.keystore patched_aligned.apk
adb install patched_aligned.apk

connect drozer


Drozer is a comprehensive security and attack framework for android.

adb install agent.apk
adb forward tcp:31415 tcp:31415
drozer console connect

sending intents


java

Intent i = new Intent("com.example.app.bypass");
this.startActivity(i);

sending broadcasts


adb

adb shell 'am broadcast -n org.owasp.goatdroid.fourgoats/.broadcastreceivers.SendSMSNowReceiver --es phoneNumber 123456789 --es message "adb explicit"'
adb shell 'am broadcast -a org.owasp.goatdroid.fourgoats.SOCIAL_SMS --es phoneNumber 123456789 --es message "adb implicit"'

drozer

dz> run app.broadcast.send --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 123456789 --extra string message "drozer explicit"
dz> run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --extra string phoneNumber 123456789 --extra string message "drozer implicit"

query content providers


adb

adb shell 'content query --uri content://com.example.credentialstore/credentials --projection "* from sqlite_master--"'
adb shell 'content read --uri content://com.example.filebrowser/etc/hosts'

drozer

dz> run app.provider.query content://com.example.credentialstore/credentials --projection '* from sqlite_master--'
dz> run app.provider.read content://com.example.filebrowser/etc/hosts

java

import android.database.Cursor;
import android.database.DatabaseUtils;
import android.net.Uri;

Uri uri = Uri.parse("content://com.example.credentialstore/credentials");
Cursor c = getContentResolver().query(uri, new String[] {"* from sqlite_master--"}, null, null, null);
String result = DatabaseUtils.dumpCursorToString(c);
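Added example (not from the original notes): a Python model of the projection injection behind the adb, drozer and java queries above. A content provider that builds its SQL by pasting the caller's projection into the statement turns "* from sqlite_master--" into a query against the schema table; an allow-list of column names is the mitigation. The table, columns and rows are constructed sample data and no Android classes are used, the string building only mirrors what a naive provider does.

```python
"""
Model of the content provider projection injection. Added example, not
part of the original notes; the credentials table and its rows are
constructed sample data.
"""
import sqlite3

TABLE = "credentials"
ALLOWED_COLUMNS = ("id", "username", "password")


def make_db():
    """In-memory stand-in for the provider's SQLite database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE credentials (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO credentials (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def build_sql(projection):
    """The string building a naive provider performs: projection pasted in verbatim."""
    return "SELECT " + ", ".join(projection) + " FROM " + TABLE


def vulnerable_query(conn, projection):
    """Provider that trusts the projection. With ["* from sqlite_master--"] the
    statement becomes 'SELECT * from sqlite_master-- FROM credentials'; the '--'
    comments out the rest, so the schema table is returned instead of credentials."""
    return conn.execute(build_sql(projection)).fetchall()


def hardened_query(conn, projection):
    """Same query, but every projection entry must be a known column name.
    On Android the corresponding controls are SQLiteQueryBuilder.setStrict(true)
    and setProjectionMap()."""
    bad = [col for col in projection if col not in ALLOWED_COLUMNS]
    if bad:
        raise ValueError("projection contains non-column entries: %r" % bad)
    return conn.execute(build_sql(projection)).fetchall()


def is_rejected(conn, projection):
    """True if the hardened provider refuses the projection."""
    try:
        hardened_query(conn, projection)
    except ValueError:
        return True
    return False


def schema_leaked(rows):
    """True if the rows look like sqlite_master entries (type, name, tbl_name, rootpage, sql)."""
    return any(len(r) == 5 and r[0] == "table" for r in rows)


if __name__ == "__main__":
    db = make_db()
    injected = ["* from sqlite_master--"]
    print(build_sql(injected))
    print(vulnerable_query(db, injected))
    print("hardened rejects injected projection:", is_rejected(db, injected))
    print(hardened_query(db, ["username"]))
```

The allow-list is deliberately a set of exact column names rather than a pattern: anything that is not a column, including aliases or expressions, is refused, which is the same effect strict mode has in SQLiteQueryBuilder.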