Pentesting Android applications

Hi all,

I would like to talk about the coolness of android applications. So if you want to perform a security review an android app, how will you go about it? There are so many ways to go about this, i will highlight some of the ways I use.

1) Most android applications work just like Web applications, they send out HTTP requests using POST and GET methods. So a cool thing to do is to intercept and capture these requests, make modifications and monitor responses (which can also be intercepted and modified). So how can this be done?

A sweet way to achieve this is by proxying all traffic from the application on your phone through a proxy tool such as Burp Suite (coolest tool for me). Now how can you direct that phone traffic to your Burp Suite which is probably running on a laptop or system? Well, you can use a great android tool called "Proxy Droid" to direct the traffic to the IP address and port on which the burp suite is listening. You can connect them to the same wireless network to achieve this easily.






From the ProxyDroid image above, we set the Host to 192.168.24.1 and Port to 8008 (you should set these according to your environment).
Then we set our BurpSuite to listen on same IP and port.

At this stage, you should see requests being captured if you have set your intercept.

NB: Your phone has to be rooted to use ProxyDroid.

2) You can decide to do a bit of source code analysis. This means we will have to decompile the android application.

Firstly, install Apk Extractor on your android phone - can be gotten from the Playstore. Run the application and select the target application you want to review. It should store the target apk file in an Apk Extractor folder in SDCard.

Since an Apk file is basically a zipped file, you can rename it to <name-of-application>.apk to <name-of-application>.zip . With this, you can use your unzipping tool and extract the contents.

 On extraction you should see something similar to the image above. The classes.dex file contains the java files used by the application. To convert this .dex file to a jar file, use the "dex2jar" tool. Depending on your OS platform, read the wiki section for how to use dex2jar. 

The result of the dex2jar tool should be a classes.jar file or similar. Then use the a java decompiler such as "jd-gui" to view the java files and source code.
You can also open the assets folder to view some code.

To know the effect of your code modifications, if you did any changes, you have to build the files into an apk file. This can be achieved with the "apktool": C:\>apktool b name-of-the-app-folder

 Once your apk is built, it would most probably not install on you android. This is because apktool builds and does not sign the apk file. We will need the "signapk" tool to sign our apk file.

We can then install and keep testing the application.

I'll add more methods with time. Safe.





Comments

  1. This comment has been removed by the author.

    ReplyDelete
  2. Yes i am totally agreed with this article and i just want say that this article is very nice and very informative article.I will make sure to be reading your blog more. You made a good point but I can't help but wonder, what about the other side? !!!!!!Thanks Pentesting Services

    ReplyDelete
  3. Welcome to the beautiful world of Delhi escorts. Here you will get the most delicious and tempting Delhi escorts who are awaited so much to being physical with you. Yes, it is true just meet our Aerocity escorts girls, they are waiting to provide extraordinary service to you. Delhi Escorts is offering such beautiful and high-profile models available 24x7 hours for you.

    ReplyDelete
  4. Nice Article Keep Posting this kind of information. Androdi Application

    ReplyDelete

Post a Comment

Popular posts from this blog

Global Cyberlympics Finals 2015 Write-up - Tracker.7z

Red Teaming with Covenant and Donut