Last changed: 25.09.2019
Pentesting android applications
Since many android apps were written by inexperienced or untrained developers, plenty of long-known security issues have resurfaced in them. Smartphones often hold large amounts of personal or financial data, so the security of the installed apps should be reviewed.
decompile apks
apktool
To unzip and decode apk files, download and install apktool. With -s (--no-src) the dex files are kept instead of being disassembled to smali, which is convenient when they are to be fed into dex2jar afterwards.
apktool d example.apk -s
dex2jar
Dex2jar converts the dex files inside an apk into a jar of Java classes; its baksmali/smali wrappers disassemble dex to smali and reassemble it.
d2j-dex2jar.sh example.apk -o output.jar
d2j-baksmali.sh classes.dex -o classes.smali
d2j-smali.sh classes.smali -o classes_new.dex
jd-gui
The decompiled jar files can be opened with jd-gui.
jadx-gui
Jadx represents an all-in-one solution as an alternative to apktool, dex2jar and jd-gui.
basic app analysis steps
To analyze an app you have to know where to find its entry point and how its resources are connected. The following example uses the default values for a "Hello World" app with an empty activity, as created by android studio.
AndroidManifest.xml
Here you can find the permissions the app requests and the class names of all activities, together with the intent-filters that say which intents start them. The activity whose intent-filter carries the action android.intent.action.MAIN and the category android.intent.category.LAUNCHER is the one run when the application is launched, here:
com.example.myapplication.MainActivity
Components that declare an intent-filter are exported by default, so they are reachable by other apps (and via adb) unless android:exported="false" is set.
In the function onCreate you should be able to find a call to setContentView. This shows which layout from the res section will be drawn.
res.layout.activity_main.xml
This shows the visual elements of the displayed view. Here you can find control elements like buttons and see the methods which will be called.
resources.arsc/res.values.strings.xml
Strings are often outsourced to this file. The numeric resource IDs used in the code can be resolved via the R class (R$string.class after dex2jar) or via res/values/public.xml, which apktool writes when decoding.
original/META-INF/CERT.RSA
The signing certificate contains the issuer and subject information and its validity period; the not-before date is when the certificate was created, not when this apk was signed. Apps signed only with the v2/v3 scheme have no META-INF/CERT.RSA, since those signatures live in the APK signing block; their certificates can be printed with apksigner verify --print-certs instead.
openssl pkcs7 -inform DER -in original/META-INF/CERT.RSA -noout -print_certs -text
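The manifest triage described above can be done mechanically. The following script is an added example, not code from the original page: it reads a decoded AndroidManifest.xml as written by apktool, lists the requested permissions, finds the launcher activity (the entry point) and reports every component other apps can reach because it is exported, together with the permission guarding it. The sample manifest embedded at the bottom is constructed for this example (the "Hello World" app from the text plus a non-exported activity, an exported receiver and a permission-protected provider).

```python
# Added example, not code from the original page: triage a decoded
# AndroidManifest.xml (as written by apktool d) the way the text above does by
# hand: requested permissions, the launcher activity as entry point, and every
# component other apps can reach because it is exported. The sample manifest
# at the bottom is constructed for this example.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

def android_attr(name):
    """Namespaced key ElementTree uses for an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)

def resolve_class(package, name):
    """Expand '.Main' or 'Main' to '<package>.Main'; keep qualified names."""
    if name.startswith("."):
        return package + name
    return name if "." in name else package + "." + name

def is_launcher(component):
    """True if one intent-filter carries both the MAIN action and LAUNCHER category."""
    for f in component.findall("intent-filter"):
        actions = {x.get(android_attr("name")) for x in f.findall("action")}
        cats = {x.get(android_attr("name")) for x in f.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False

def is_exported(component):
    """Platform default: explicit android:exported wins; otherwise activities, services
    and receivers are exported iff they have an intent-filter. A provider without the
    attribute is exported only for targetSdkVersion < 17, which apktool keeps in
    apktool.yml rather than the manifest, so report None (= check manually)."""
    explicit = component.get(android_attr("exported"))
    if explicit is not None:
        return explicit == "true"
    if component.tag == "provider":
        return None
    return component.find("intent-filter") is not None

def triage(manifest_xml):
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    app = root.find("application")
    report = {
        "package": package,
        "permissions": sorted(p.get(android_attr("name")) for p in root.findall("uses-permission")),
        "debuggable": app.get(android_attr("debuggable")) == "true",
        "allow_backup": app.get(android_attr("allowBackup"), "true") == "true",
        "launcher": None,
        "exported": [],
    }
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = resolve_class(package, comp.get(android_attr("name")))
        if comp.tag in ("activity", "activity-alias") and is_launcher(comp):
            report["launcher"] = name
        exported = is_exported(comp)
        if exported is False:
            continue
        guards = [comp.get(android_attr(k)) for k in ("permission", "readPermission", "writePermission")]
        report["exported"].append({
            "type": comp.tag,
            "name": name,
            "exported": exported,  # True, or None meaning "depends on targetSdkVersion"
            "protected_by": [g for g in guards if g],
            "actions": sorted({a.get(android_attr("name")) for f in comp.findall("intent-filter")
                               for a in f.findall("action")}),
        })
    return report

# Constructed manifest: the "Hello World" app from the text plus a non-exported
# activity, an exported receiver and an exported, permission-protected provider.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.myapplication">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:allowBackup="true" android:debuggable="true" android:label="@string/app_name">
        <activity android:name="com.example.myapplication.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".AdminActivity" android:exported="false"/>
        <receiver android:name=".SendSMSNowReceiver">
            <intent-filter><action android:name="com.example.myapplication.SOCIAL_SMS"/></intent-filter>
        </receiver>
        <provider android:name=".CredentialProvider" android:authorities="com.example.credentialstore"
            android:exported="true" android:readPermission="com.example.READ_CREDS"/>
    </application>
</manifest>
"""
```

Run triage() on the contents of the AndroidManifest.xml from an apktool output directory; every entry in the exported list is a candidate target for the intent, broadcast and content provider tests further down, and an entry with an empty protected_by list can be hit by any app on the device.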
patch apks
download installed apk from phone
From inside an adb shell, or on a terminal directly on the device, you can query the package manager (pm) for information on the installed apps. If you want to investigate a specific app, you can pull it from the device.
adb shell 'pm list packages'
adb shell 'pm path com.example.app'
adb pull /data/app/com.example.app-1/base.apk app.apk
modify source and repack apk
An easy way to quickly patch some functionality in an apk is to change the corresponding smali code. Afterwards the apk has to be rebuilt, aligned and signed again; zipalign must run before apksigner, because the v2 signature covers the whole file and is invalidated by later changes. Old versions signed with a different key have to be uninstalled first, since the package manager refuses to update an app across signing keys.
apktool d unpatched.apk
vim unpatched/path/to/file.smali
apktool b unpatched -o patched.apk
zipalign 4 patched.apk patched_aligned.apk
sign apk
keytool -genkeypair -alias user -keystore user.keystore -keyalg RSA -keysize 4096
apksigner sign --ks user.keystore patched_aligned.apk
install apk on phone
adb install patched_aligned.apk
install android studio
If you want to write your own android applications it is recommended to install android studio. This ide includes the AVD Manager to set up and run virtual android devices. To run android studio from the gnome launcher create the following file.
~/.local/share/applications/android-studio.desktop
#!/usr/bin/env xdg-open
[Desktop Entry]
Type=Application
Name=Android Studio
Exec=/bin/sh "/opt/android-studio/bin/studio.sh"
Icon=/opt/android-studio/bin/studio.png
Categories=Application;
run android virtual devices from the command line
To create virtual devices and download the needed system images I use the AVD Manager inside android studio. Afterwards the virtual devices can be started from the command line.
~/Android/Sdk/emulator/emulator -list-avds
~/Android/Sdk/emulator/emulator -avd <name of avd>
Be aware that images containing Google Play are considered production builds and prohibit root access to the device.
emulator console
The emulator provides a console for advanced configuration. To connect you need the tcp port and an auth token.
adb devices
cat ~/.emulator_console_auth_token
telnet localhost <console-port>
auth <token>
packet capture
From the emulator console you can capture the network traffic of the emulator to a file.
network capture start traffic.pcap
network capture stop traffic.pcap
Alternatively the complete session can be captured.
~/Android/Sdk/emulator/emulator -avd <name of avd> -tcpdump traffic.pcap
debugging via adb
Enable usb debugging on the android device: tap the build number seven times in the settings to unlock the developer options, then turn on usb debugging there.
adb devices
adb [-s <device>] shell
adb [-s <device>] install test.apk
Access as root is only allowed on virtual devices without Google Play.
adb root
adb shell
Alternatively a shell can be started directly in the current terminal.
~/Android/Sdk/emulator/emulator -avd <name of avd> -shell
android system information
Android devices provide some tools to display system information or to monitor log entries.
dumpsys -l
dumpsys diskstats
dumpsys package
logcat
connect drozer
Drozer is a comprehensive security and attack framework for android.
adb install agent.apk
adb forward tcp:31415 tcp:31415
drozer console connect
sending intents
An activity can be started explicitly by naming its class or implicitly by sending an intent that matches one of its intent-filters.
adb
adb shell 'am start-activity -a android.intent.action.MAIN -d data:implicit'
adb shell 'am start-activity -n com.example.app/.MainActivity -d data:explicit'
java (implicit)
Intent i = new Intent("android.intent.action.MAIN", Uri.parse("extra:my_data"));
this.startActivity(i);
java (explicit)
Intent i = new Intent();
i.setClassName("com.example.app", "com.example.app.MainActivity");
this.startActivity(i);
sending broadcasts
adb
adb shell 'am broadcast -n org.owasp.goatdroid.fourgoats/.broadcastreceivers.SendSMSNowReceiver --es phoneNumber 123456789 --es message "adb explicit"'
adb shell 'am broadcast -a org.owasp.goatdroid.fourgoats.SOCIAL_SMS --es phoneNumber 123456789 --es message "adb implicit"'
drozer
dz> run app.broadcast.send --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 123456789 --extra string message "drozer explicit"
dz> run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --extra string phoneNumber 123456789 --extra string message "drozer implicit"
query content providers
adb
adb shell 'content query --uri content://com.example.credentialstore/credentials --projection "* from sqlite_master--"'
adb shell 'content read --uri content://com.example.filebrowser/etc/hosts'
drozer
dz> run app.provider.query content://com.example.credentialstore/credentials --projection '* from sqlite_master--'
dz> run app.provider.read content://com.example.filebrowser/etc/hosts
java
Uri uri = Uri.parse("content://com.example.credentialstore/credentials");
// the projection is pasted into "SELECT <projection> FROM <table>", so a crafted
// column name reads a different table instead
Cursor c = getContentResolver().query(uri, new String[] {"* from sqlite_master--"}, null, null, null);
String result = DatabaseUtils.dumpCursorToString(c); // android.database.DatabaseUtils
c.close();
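The projection payload used in the adb, drozer and java variants above works because a ContentProvider that hands the caller's projection to SQLiteQueryBuilder without a projection map ends up executing "SELECT <projection> FROM <table>", so the projection can close the column list and open another table. The following is an added example, not code from the original page or from any real provider: it rebuilds the vulnerable and the hardened query construction (the latter is what setProjectionMap(), and setStrict(true) on API 28+, give you) with Python's sqlite3 on a constructed credentials database, so the effect can be seen without a device.

```python
# Added example, not code from the original page: why the projection
# "* from sqlite_master--" leaks data, and how a projection allowlist stops it.
# The database contents and both query builders are constructed for this example.
import sqlite3

TABLE = "credentials"
ALLOWED_COLUMNS = {"_id", "service", "username"}   # password intentionally absent

def make_db():
    """In-memory stand-in for the provider's database (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE credentials(_id INTEGER PRIMARY KEY, service TEXT, username TEXT, password TEXT)")
    db.executemany("INSERT INTO credentials(service, username, password) VALUES (?, ?, ?)",
                   [("mail", "alice", "hunter2"), ("bank", "bob", "correct horse")])
    db.execute("CREATE TABLE secrets(note TEXT)")
    db.execute("INSERT INTO secrets VALUES ('api key: abc123')")
    return db

def build_sql_vulnerable(projection):
    """Mirrors SQLiteQueryBuilder.buildQuery() with no projection map: the
    caller's column names are joined with ', ' and pasted verbatim into the SQL."""
    columns = ", ".join(projection) if projection else "*"
    return "SELECT %s FROM %s" % (columns, TABLE)

def build_sql_hardened(projection):
    """Equivalent of setProjectionMap()/setStrict(true): every requested column
    must be a known column name, so a fragment like '* from sqlite_master--'
    never reaches the database."""
    if not projection:
        projection = sorted(ALLOWED_COLUMNS)
    bad = [c for c in projection if c not in ALLOWED_COLUMNS]
    if bad:
        raise ValueError("unknown column(s) in projection: %r" % bad)
    return "SELECT %s FROM %s" % (", ".join(projection), TABLE)

def query(db, sql):
    return db.execute(sql).fetchall()

def leaked_tables(db):
    """What the payload from the text returns against the vulnerable provider:
    the schema of the whole database instead of credential rows. sqlite_master
    rows are (type, name, tbl_name, rootpage, sql)."""
    rows = query(db, build_sql_vulnerable(["* from sqlite_master--"]))
    return sorted(r[1] for r in rows if r[0] == "table")

if __name__ == "__main__":
    db = make_db()
    print(build_sql_vulnerable(["* from sqlite_master--"]))
    print("tables:", leaked_tables(db))
    # second step an attacker takes once the schema is known
    print("secrets:", query(db, build_sql_vulnerable(["* from secrets--"])))
    try:
        build_sql_hardened(["* from sqlite_master--"])
    except ValueError as e:
        print("hardened provider:", e)
```

Note what the allowlist does and does not do: it stops injection through the projection, but the selection argument of query() is still concatenated into the WHERE clause by SQLiteQueryBuilder, so selection also needs strict mode or a fixed set of supported selections, and selectionArgs must be bound as parameters rather than interpolated.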
analyze tls connections
Many apps exchange data with remote servers over tls. To analyze the security of the tls connection and the content of the transmission, burp suite can be set up as an intercepting proxy.
make burp prefer ipv4
Add "-Djava.net.preferIPv4Stack=true" right behind "$app_java_home/bin/java" in the execution line of the BurpSuiteFree script.
set the proxy in the avd
Settings -> Category "Wireless & networks" -> More -> Cellular networks -> Access Point Names -> "T-Mobile US" -> set Proxy and Port and Save settings
install ca certificate on device
With the proxy set, download the ca certificate from http://burp and rename it to burp.crt.
Settings -> Security -> Install from SD card -> choose crt file
Since Android 7 (API 24) apps only trust user-installed CAs if their network security config opts in, so on newer targets the certificate has to go into the system store (on a rooted or writable emulator image) or the app's network security config has to be patched; apps that pin certificates additionally need the pinning patched out in smali.
redirect all traffic to inetsim
If you want to redirect the network traffic to inetsim, you can DNAT all traffic leaving the host to the local machine.
iptables -t nat -A OUTPUT -j DNAT --to-destination 127.0.0.1
inetsim
To still be able to browse the web you can add exceptions for a socks proxy and for dns. These rules have to sit above the DNAT rule, so either add them before the DNAT rule is appended or insert them with -I instead of -A.
iptables -t nat -A OUTPUT -p tcp --dport 9000 -d <socks proxy> -j ACCEPT
iptables -t nat -A OUTPUT -p udp --dport 53 -d <dns server> -j ACCEPT
You can set up your own socks proxy with ssh. Replace the <socks proxy> with your ssh server ip and the dport with 22, so that the ssh connection itself is exempt from the redirect.
ssh -D 9000 -q -N user@server
virustotal androguard
VirusTotal runs androguard over uploaded apks and lets VirusTotal Intelligence customers search its results, e.g. for apps that register for the boot-completed broadcast and request fine location:
androguard:"android.intent.action.BOOT_COMPLETED" androguard:"android.permission.ACCESS_FINE_LOCATION"
disambiguation
DEX (Dalvik Executable): bytecode run by the Dalvik VM (default up to Android 4.4) or by the Android Runtime (ART, default since Android 5.0)
ODEX (Optimized DEX): dex pre-optimized for the device; created during installation of the APK (Dalvik VM)
OAT: ELF file holding ahead-of-time compiled machine code generated from the dex code; created during installation of the APK (ART)
Application Sandbox: limits an application's access to files and other apps by giving each app its own Linux user ID and group IDs
smali/baksmali: "assembler"/"disassembler" for dex bytecode