Pentesting Android applications

Hi all,

I would like to talk about the coolness of Android applications. If you want to perform a security review of an Android app, how would you go about it? There are many ways to do this; I will highlight some of the ways I use.

1) Most Android applications work just like web applications: they send out HTTP requests using the POST and GET methods. So a cool thing to do is to intercept and capture these requests, modify them, and monitor the responses (which can also be intercepted and modified). So how can this be done?

A sweet way to achieve this is by proxying all traffic from the application on your phone through a proxy tool such as Burp Suite (coolest tool for me). Now how can you direct that phone traffic to your Burp Suite, which is probably running on a laptop or other system? Well, you can use a great Android tool called "ProxyDroid" to direct the traffic to the IP address and port on which Burp Suite is listening. Connect the phone and the laptop to the same wireless network to achieve this easily.






In ProxyDroid, we set the Host to 192.168.24.1 and the Port to 8008 (you should set these according to your environment).
Then we set Burp Suite to listen on the same IP and port.

At this stage, you should see requests being captured if you have turned intercept on.

NB: Your phone has to be rooted to use ProxyDroid.

2) You can decide to do a bit of source code analysis. This means we will have to decompile the Android application.

First, install Apk Extractor on your Android phone (it is available from the Play Store). Run it and select the target application you want to review. It should store the target APK file in an Apk Extractor folder on the SD card.

Since an APK file is basically a zip file, you can rename it from <name-of-application>.apk to <name-of-application>.zip. You can then use your unzipping tool to extract the contents.

Among the extracted files, the classes.dex file contains the compiled Java classes used by the application. To convert this .dex file to a .jar file, use the "dex2jar" tool. Depending on your OS platform, read the wiki section of dex2jar for how to use it.

The result of the dex2jar tool should be a classes.jar file or similar. Then use a Java decompiler such as "jd-gui" to view the Java files and source code.
You can also open the assets folder to view some code.

To see the effect of any code modifications you made, you have to build the files back into an APK file. This can be achieved with "apktool":

    C:\>apktool b name-of-the-app-folder

Once your APK is built, it will most probably not install on your Android device. This is because apktool builds but does not sign the APK file. We will need the "signapk" tool to sign our APK file.

We can then install and keep testing the application.
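
The two points above (an APK is a zip archive containing classes.dex, and a rebuilt APK is unsigned until you sign it) can be checked with a short script. This is an added example, not part of the original post: the function names inspect_apk and build_sample_apk are hypothetical, the sample APK is constructed in memory, and only JAR-style (v1) signature files under META-INF are checked, not the newer APK Signing Block.

```python
import io
import zipfile

def inspect_apk(apk_bytes):
    """Summarise an APK (a ZIP archive) without renaming or unpacking it to disk."""
    report = {"dex": {}, "v1_signature_files": [], "has_manifest": False, "assets": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            upper = name.upper()
            if name.startswith("classes") and name.endswith(".dex") and "/" not in name:
                head = apk.read(name)[:8]
                # A DEX file starts with b"dex\n", three version digits, then a NUL byte.
                valid = head[:4] == b"dex\n" and head[4:7].isdigit() and head[7:8] == b"\x00"
                report["dex"][name] = head[4:7].decode() if valid else None
            elif upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC", ".SF")):
                report["v1_signature_files"].append(name)
            elif name == "AndroidManifest.xml":
                report["has_manifest"] = True
            elif name.startswith("assets/"):
                report["assets"].append(name)
    # JAR-style (v1) signing needs a .SF file plus a signature block file.
    sigs = [n.upper() for n in report["v1_signature_files"]]
    report["v1_signed"] = (any(s.endswith(".SF") for s in sigs)
                           and any(s.endswith((".RSA", ".DSA", ".EC")) for s in sigs))
    return report

def build_sample_apk(signed):
    """Constructed sample: a minimal ZIP with APK-like entries (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # placeholder bytes
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 104)
        z.writestr("classes2.dex", b"not a dex file")  # deliberately invalid header
        z.writestr("assets/www/index.html", b"<html></html>")
        if signed:
            z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA", b"\x30\x82")  # placeholder bytes
    return buf.getvalue()

if __name__ == "__main__":
    for signed in (True, False):
        print("signed sample" if signed else "unsigned sample (as after a rebuild)")
        print(inspect_apk(build_sample_apk(signed)))
```

To run it against a real file, pass the bytes of the extracted APK, for example inspect_apk(open(path, "rb").read()).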

I'll add more methods with time. Safe.




