SlideShare a Scribd company logo

Android Application Penetration Testing - Mohammed Adam

Download as PPTX, PDF
Mohammed Adam, profile picture
Mohammed Adam

The document is a comprehensive guide on Android penetration testing, covering static and dynamic analysis techniques, common vulnerabilities, and best practices for Android application security. It discusses the Android security model, tools for testing, and various methods to analyze application components like manifests, permissions, and webview vulnerabilities. Additionally, it highlights the importance of secure coding practices and provides references for further study.

Technology
Related topics:
Penetration-Testing
1 of 53
Downloaded 176 times
1
2
3
4
5
6
7
8
9
Most read
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
Most read
41
42
43
44
45
46
47
48
49
50
51
52
53
Android Application Penetration Testing - Mohammed Adam
./ABOUT ME • MOHAMMED ADAM • INFORMATION SECURITY RESEARCHER • SECURITY CONSULTANT AT CROSSBOW LABS • FOSS ACTIVIST IN VGLUG (VILUPPURAM GNU/LINUX USERS GROUP) • ACKNOWLEDGED BY TOP 50+ COMPANIES LIKE OPPO, NOKIA, HONEYWELL, MCAFEE, VIRUS TOTAL, MASTERCARD, BITDEFENDER, DELL TECHNOLOGIES, ASUS, INTEL, DUCKDUCKGO, CARBON BLACK ETC IN BUG BOUNTIES.
./AGENDA • INTRODUCTION TO ANDROID PENETRATION TESTING • REQUIREMENTS & TOOLS • STATIC ANALYSIS - AUTOMATION & MANUAL TESTING • DYNAMIC ANALYSIS - AUTOMATION & MANUAL TESTING • DISCUSSION ON OWASP TOP 10 MOBILE 2016 VULNERABILITIES
ANDROID INTERNALS • BASED ON LINUX KERNEL • LATEST VERSION - ANDROID PIE • ANDROID Q 10.0 ON THE WAY • APPLICATION RUNS THROUGH DALVIK VM (DALVIK VIRTUAL MACHINE) • DALVIK VM RUNS EXECUTABLE FILES LIKE DEX (DALVIK EXECUTABLE) OR APK FILES • APK FILES ARE ZIPPED CONTENT OF RESOURCES, SIGNATURES, CLASSES.DEX AND ANDROID MANIFEST.XML FILE.
ANDROID SECURITY MODEL • APPLICATION ARE SANDBOXED (RUNS WITH DIFFERENT UID & GID) • ZYGOTE SPAWNS A NEW PROCESS FOR EACH APPLICATION • EACH APPLICATION RUNS WITH A SEPARATE INSTANCE OF DALVIK VM • SPECIAL PERMISSIONS ARE PROVIDED TO ACCESS HARDWARE API'S • PERMISSIONS ARE MENTIONED IN ANDROID MANIFEST.XML FILE.
ANDROID APPLICATION .APK • JUST AN ARCHIVE ! • WRITTEN MAINLY IN JAVA & XML • MULTIPLE ENTRY POINTS, SUCH AS ACTIVITY, SERVICES, INTENTS, CONTENT PROVIDERS, ETC.
REQUIREMENTS & TOOLS • Android Tamer- https://androidtamer.com/ • Genymotion - https://www.genymotion.com/fun-zone/
Android Application Penetration Testing - Mohammed Adam
WHAT IS ADB ? • ANDROID DEBUG BRIDGE (ADB) IS A COMMAND LINE TOOL THAT LETS YOU COMMUNICATE WITH AN EMULATOR OR CONNECTED ANDROID DEVICE. • ADB DEBUGGING - ADB DEVICES - ADB FORWARD - ADB KILL-SERVER • WIRELESS - ADB CONNECT - ADB USB • PACKAGE MANAGER - ADB INSTALL - ADB UNINSTALL- ADB SHELL PM LIST PACKAGES - ADB SHELL PM PATH - ADB SHELL PM CLEAR • NETWORK - ADB SHELL NETSTAT- ADB SHELL PING - ADB SHELL NETCFG - ADB SHELL IP • LOGCAT - ADB LOGCAT -ADB SHELL DUMPSYS - ADB SHELL DUMPSTATE • REFERENCES - HTTP://ADBSHELL.COM/
STATIC ANALYSIS - MANUAL TESTING• REVERSE ENGINEERING ANDROID APPLICATIONS • THE UNZIP UTILITY CAN BE USED TO EXTRACT FILES THAT ARE STORED INSIDE THE APK.
APKTOOL • APKTOOL - A TOOL FOR REVERSE ENGINEERING 3RD PARTY, CLOSED, BINARY ANDROID APPS. IT CAN DECODE RESOURCES TO NEARLY ORIGINAL FORM AND REBUILD THEM AFTER MAKING SOME MODIFICATIONS. • DISASSEMBLING ANDROID APK FILE APKTOOL D <APK FILE>
EVERY APK CONTAINS THE FOLLOWING FILES: • ANDROIDMANIFEST.XML - DEFINES THE PERMISSIONS OF THE APPLICATION • CLASSES.DEX - CONTAINS ALL THE JAVA CLASS FILES • RESOURCES.ARSC - CONTAINS ALL THE META-INFORMATION ABOUT THE RESOURCES AND NODES
SECURITY GUIDELINES FOR ANDROID MANIFEST.XML
CAN THESE PERMISSION BE BYPASSED ?
ANDROID MANIFEST.XML OMG! • ACTIVITIES, SERVICES, RECEIVERS SHOULD NOT BE EXPORTED OR ELSE YOU CAN BYPASS THOSE ACTIVITIES!
UPLOADING A SENSITIVE FILES FROM SD-CARD TO REMOTE SERVER WITHOUT ANY PERMISSION !
ANDROID MANIFEST.XML OMG! • ANDROID:EXPORTED="TRUE" IN <PROVIDER> WILL TURN INTO A NIGHTMARE! • BTW BY DEFAULT IT IS "TRUE" IF EITHER ANDROID:MINSDKVERSION OR ANDROID:TARGETSDKVERSION TO "16" OR LOWER. • FOR APPLICATIONS THAT SET EITHER OF THESE ATTRIBUTES TO "17" OR HIGHER, THE DEFAULT IS "FALSE"
DEBUG MODE • THE DEBUG TAG DEFINES WHETHER THE APPLICATION CAN BE DEBUGGED OR NOT. IF THE APPLICATION CAN BE DEBUGGED THEN IT CAN PROVIDE PLENTY OF INFORMATION TO AN ATTACKER. <APPLICATION ANDROID:DEBUGGABLE="FALSE" </APPLICATION>
BACKUP FLAG • THIS SETTING DEFINES WHETHER APPLICATION DATA CAN BE BACKED UP AND RESTORED BY A USER WHO HAS ENABLED USB DEBUGGING. THEREFORE APPLICATIONS THAT HANDLE AND STORE SENSITIVE INFORMATION SUCH AS CARD DETAILS, PASSWORDS ETC. <APPLICATION ANDROID:ALLOWBACKUP="FALSE" </APPLICATION>
EXTERNAL STORAGE • APPLICATIONS THAT HAVE THE PERMISSION TO COPY DATA TO EXTERNAL STORAGE SHOULD BE REVIEWED TO ENSURE THAT NO SENSITIVE INFORMATION IS STORED. • <USES-PERMISSION ANDROID:NAME="ANDROID.PERMISSION.WRITE_EXTERNAL_STORAGE"/>
ANDROID:PROTECTIONLEVEL • THE ANDROID:PROTECTIONLEVEL ATTRIBUTE DEFINES THE PROCEDURE THAT THE SYSTEM SHOULD FOLLOW BEFORE GRANTS THE PERMISSION TO THE APPLICATION THAT HAS REQUESTED IT. THERE ARE FOUR VALUES THAT CAN BE USED WITH THIS ATTRIBUTE: • NORMAL – DANGEROUS – SIGNATURE – SIGNATURE OR SYSTEM • ALL THE PERMISSIONS THAT THE APPLICATION REQUESTS SHOULD BE REVIEWED TO ENSURE THAT THEY DON’T INTRODUCE A SECURITY RISK. <PERMISSION> ANDROID:PROTECTIONLEVEL="SIGNATURE" </PERMISSION>
INTENTS • INTENTS CAN BE USED TO LAUNCH AN ACTIVITY, TO SEND IT TO ANY INTERESTED BROADCAST RECEIVER COMPONENTS, AND TO COMMUNICATE WITH A BACKGROUND SERVICE. INTENTS MESSAGES SHOULD BE REVIEWED TO ENSURE THAT THEY DOESN’T CONTAIN ANY SENSITIVE INFORMATION THAT COULD BE INTERCEPTED. <INTENT-FILTER> <ACTION ANDROID:NAME="STRING" /> <CATEGORY ANDROID:NAME="STRING" /> </INTENT-FILTER>
CLASSES DEX • THE CLASSES.DEX FILE CONTAINS ALL THE JAVA CLASSES OF THE APPLICATION AND IT CAN BE DISASSEMBLED WITH BAKSMALI TOOL TO RETRIEVE THE JAVA SOURCE CODE.
CONVERT CLASSES.DEX FILES TO JAR • TO DECOMPILE CLASSES.DEX FILE > D2J-DEX2JAR CLASSES.DEX
TO READ JAR FILE – USE JDGUI • IN JDGUI, FILE-> OPEN THE FILE/DIRECTORY WHERE JAR FILE IS PRESENTED
ANDROID WEBVIEW VULNERABILITIES • WEBVIEWS ARE USED IN ANDROID APPLICATIONS TO LOAD CONTENT AND HTML PAGES WITHIN THE APPLICATION. DUE TO THIS FUNCTIONALITY THE IMPLEMENTATION OF WEBVIEW IT MUST BE SECURE IN ORDER NOT TO INTRODUCE THE APPLICATION TO GREAT RISK.
LOADING CLEAR-TEXT CONTENT • IF WEBVIEW IS ALLOWING TO LOAD CLEAR-TEXT CONTENT FROM THE INTERNET THEN IT WOULD BE OPEN TO VARIOUS FORMS OF ATTACK SUCH AS MITM. • MYWEBVIEW.LOADURL("HTTP://WWW.DROIDSEC.ORG/TESTS/ADDJSIF/");
SSL ERROR HANDLING • THE CODE BELOW INSTRUCTS THE WEBVIEW CLIENT TO PROCEED WHEN AN SSL ERROR OCCUR. THIS MEANS THAT THE APPLICATION IS VULNERABLE TO MITM ATTACKS AS IT COULD ALLOW AN ATTACKER TO READ OR MODIFY CONTENT THAT IS DISPLAYED TO THE USER SINCE ANY CERTIFICATE WOULD BE ACCEPTED BY THE APPLICATION. @OVERRIDE PUBLIC VOID ONRECEIVEDSSLERROR(WEBVIEW VIEW, SSLERRORHANDLER HANDLER, SSLERROR ERROR) { HANDLER.PROCEED(); }
JAVASCRIPT ENABLED • ALLOWING JAVASCRIPT CONTENT TO BE EXECUTED WITHIN THE APPLICATION VIA WEBVIEW MIGHT GIVE THE OPPORTUNITY TO AN ATTACKER TO EXECUTE ARBITRARY JAVASCRIPT CODE IN ORDER TO PERFORM MALICIOUS ACTIONS. THIS SETTING ALLOW WEBVIEW TO EXECUTE JAVASCRIPT CODE. WEBSETTINGS WEBSETTINGS = MYWEBVIEW.GETSETTINGS(); WEBSETTINGS.SETJAVASCRIPTENABLED(TRUE);
ACCESSING LOCAL RESOURCES • IF THE WEBVIEW IS ALLOWING TO ACCESS CONTENT FROM OTHER APPLICATIONS THAT EXIST ON THE SAME DEVICE THEN IT COULD BE POSSIBLE FOR AN ATTACKER TO CREATE A MALICIOUS HTML FILE THAT COULD BE INJECTED INSIDE THE TARGET APPLICATION THROUGH THE USE FILE:SCHEME. IN ORDER FOR THIS MALICIOUS FILE TO BE LOADED NEEDS TO HAVE WORLD READABLE PERMISSIONS.
ANDROID CODING BEST PRACTICES • FOLLOW -> HTTPS://DEVELOPER.ANDROID.COM/GUIDE/PRACTICES/COMPATIBILITY • TOP 10 MOBILE RISKS OWASP 2016 – HTTPS://WWW.OWASP.ORG/INDEX.PHP/MOBILE_TOP_10_2016-TOP_10 • HTTPS://WIKI.SEI.CMU.EDU/CONFLUENCE/DISPLAY/ANDROID/DRD02- J.+DO+NOT+ALLOW+WEBVIEW+TO+ACCESS+SENSITIVE+LOCAL+RESOURCE+THROU GH+FILE+SCHEME • HTTPS://LABS.MWRINFOSECURITY.COM/BLOG/WEBVIEW- ADDJAVASCRIPTINTERFACE-REMOTE-CODE-EXECUTION/ • HTTPS://WWW.RAPID7.COM/DB/MODULES/EXPLOIT/ANDROID/BROWSER/WEBVIEW_AD DJAVASCRIPTINTERFACE
DYNAMIC ANALYSIS WIDELY USED TOOLS •BURPSUITE •DROZER
INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE • TO CONFIGURE THE PROXY GO TO SETTINGS. A SCREEN SOMETHING LIKE THE BELOW ONE WILL COME UP. SELECT “MORE”.
INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE INTERCEPTION CAN BE DONE BY USING WIFI NETWORKS AS WELL AS MOBILE NETWORKS. HERE IM SHOWING MOBILE NETWORK IN THE NEXT MENU, SELECT “MOBILE NETWORKS”.
INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE SELECT ACCESS POINT NAMES OPTION AS SHOWN IN THE IMAGE.
INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE • NO, THERE MUST BE A MOBILE NETWORK ALREADY CONFIGURED, AND THE NAME OF THE NETWORK WILL BE “TELKILA”, AS SHOWN IN THE IMAGE BELOW. CHOOSE THIS NETWORK.
INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE • PUT THE IP ADDRESS OF YOUR INTERFACE WHERE YOU WILL BE LISTENING THE TRAFFIC, I.E. WHERE YOU WILL RUN BURP. DOWN TO THAT, PUT THE PORT NUMBER ON WHICH YOU WANT TO LISTEN. BY DEFAULT IT’S 8080 IN BURP, BUT FEEL FREE TO CHANGE IT, JUST MAKE SURE YOU HAVE SAME PORT NUMBER CONFIGURED AT BOTH END POINTS.
INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE • NOW IN BURPSUITE, GO TO THE “PROXY” TAB, SELECT THE “OPTIONS” TAB. SELECT THE DEFAULT CONFIGURED INTERFACE, AND CLICK ON “EDIT”.
INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE PROXY > INTERCEPT > “INTERCEPT IS ON”
INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE “INTERCEPT RESPONSE BASED ON THE FOLLOWING RULES”
SSL PINNING BYPASS • REQUIRED TOOLS FOR SSL PINNING BYPASS • ROOTED MOBILE • SSLUNPINNING APK • XPOSED FRAMEWORK & XPOSED INSTALLER APK FOR SPECIFIC MOBILE (DEPENDS ON SDK)
DROZER – GAME CHANGER TOOL FOR ANDROID APP PT • CONNECTING DROZER TO THE MOBILE DEVICE • CONNECT YOUR MOBILE DEVICE TO YOUR COMPUTER USING A USB CABLE; • OPEN DROZER AGENT APPLICATION ON YOUR MOBILE DEVICE AND CLICK THE ON BUTTON FROM THE BOTTOM-RIGHT;
DROZER – CONT. • USE ADB.EXE TO OPEN A TCP SOCKET BETWEEN YOUR COMPUTER AND THE SERVER EMBEDDED IN DROZER AGENT: • ADB.EXE FORWARD TCP:31415 TCP:31415 • GO TO THE FOLDER WHERE YOU INSTALLED DROZER AND CONNECT TO THE MOBILE DEVICE: • DROZER CONSOLE CONNECT
STARTING AN ACTIVITY FROM ANOTHER PACKAGE • OK, NOW WE HAVE AN INTERACTIVE DROZER CONSOLE. WHAT CAN WE DO? LET’S START AN ACTIVITY, COMMAND BY COMMAND: • LIST, WILL DISPLAY A LIST OF COMMANDS AVAILABLE IN DROZER
FIND A LIST OF PACKAGES • RUN APP.PACKAGE.LIST -F FIREFOX TO FIND A LIST OF PACKAGES THAT CONTAIN THE STRING “FIREFOX”; WE FOUND ORG.MOZILLA.FIREFOX.
IDENTIFY THE ATTACK SURFACE FOR OUR APPLICATION • RUN APP.PACKAGE.ATTACKSURFACE ORG.MOZILLA.FIREFOX TO IDENTIFY THE ATTACK SURFACE FOR OUR APPLICATION; WE FOUND 113 EXPORTED ACTIVITIES, 12 EXPORTED BROADCAST RECEIVERS, 8 EXPORTED CONTENT PROVIDERS AND 1 EXPORTED SERVICE; THIS IS A GOOD EXAMPLE OF A BIG ATTACK SURFACE.
MORE INFORMATION ABOUT A SPECIFIC PACKAGE
INSPECT THE MANIFEST FILE OF A SPECIFIC APPLICATION
LIST THE EXPORTED ACTIVITIES • RUN APP.ACTIVITY.INFO -A ORG.MOZILLA.FIREFOX TO LIST THE EXPORTED ACTIVITIES; WE CAN SEE THAT THERE IS AN EXPORTED ACTIVITY NAMED ORG.MOZILLA.FIR EFOX.APP THAT DOES NOT REQUIRE ANY PERMISSION TO BE STARTED.
LIST OF VULNERABLE ANDROID APPLICATIONS • DAMN VULNERABLE HYBRID MOBILE APPLICATION • ANDROID DIGITAL BANK • DAMN INSECURE AND VULNERABLE APPLICATION • HACKME BANK • INSECURE BANK • DAMN VULNERABLE ANDROID APPLICATION • OWASP GOATDROID • DODO VULNERABLE BANK
Android Application Penetration Testing - Mohammed Adam
REFERENCES: • HTTPS://RESOURCES.INFOSECINSTITUTE.COM/ANDROID-APPLICATION-SECURITY-TESTING-GUIDE-PART-1/ • HTTPS://RESOURCES.INFOSECINSTITUTE.COM/ANDROID-APP-SEC-TEST-GUIDE-PART-2/ • HTTPS://KING-SABRI.NET/ANDROID-HACKING-DROZER-SECURITY-ASSESSMENT-FRAMEWORK/ • HTTPS://SECURITYGRIND.COM/USING-THE-DROZER-FRAMEWORK-FOR-ANDROID-PENTESTING/ • HTTPS://PENTESTLAB.BLOG/CATEGORY/MOBILE-PENTESTING/ • HTTPS://GITHUB.COM/TANPRATHAN/MOBILEAPP-PENTEST-CHEATSHEET • HTTPS://PENTESTLAB.BLOG/2016/11/07/LIST-OF-VULNERABLE-ANDROID-APPLICATIONS/
THANKS https://twitter.com/iam_amdadam https://www.linkedin.com/in/ mohammedadam24/

More Related Content

PPTX
Pentesting Android Apps
Abdelhamid Limami
 
PPTX
Crisis Communication ppt
Muhammad Rawaha Saleem
 
PPTX
Android Security
Arqum Ahmad
 
PDF
Advanced SQL injection to operating system full control (whitepaper)
Bernardo Damele A. G.
 
PDF
generative-ai-fundamentals and Large language models
AdventureWorld5
 
PPTX
Introduction to GCP (Google Cloud Platform)
Pulkit Gupta
 
PDF
Penetration Testing Report
Aman Srivastava
 
PDF
Cisa domain 1
Ismail aboulezz
 
Pentesting Android Apps
Abdelhamid Limami
 
Crisis Communication ppt
Muhammad Rawaha Saleem
 
Android Security
Arqum Ahmad
 
Advanced SQL injection to operating system full control (whitepaper)
Bernardo Damele A. G.
 
generative-ai-fundamentals and Large language models
AdventureWorld5
 
Introduction to GCP (Google Cloud Platform)
Pulkit Gupta
 
Penetration Testing Report
Aman Srivastava
 
Cisa domain 1
Ismail aboulezz
 

What's hot (20)

PDF
Mobile Application Penetration Testing
BGA Cyber Security
 
PDF
Android Security & Penetration Testing
Subho Halder
 
PDF
Android security and penetration testing | DIVA | Yogesh Ojha
Yogesh Ojha
 
PDF
Android pentesting
Mykhailo Antonishyn
 
PPTX
Android pentesting
Mykhailo Antonishyn
 
PDF
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
PDF
Threat Modelling
n|u - The Open Security Community
 
PPTX
SSRF For Bug Bounties
OWASP Nagpur
 
PPTX
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
CODE BLUE
 
PPT
Secure code practices
Hina Rawal
 
PDF
HTTP Security Headers
Ismael Goncalves
 
PPTX
OWASP Top 10 2021 What's New
Michael Furman
 
PDF
Cross site scripting
n|u - The Open Security Community
 
PPTX
Burp Suite Starter
Fadi Abdulwahab
 
PPTX
Web application security
Kapil Sharma
 
PPT
Web Application Security
Abdul Wahid
 
PDF
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
 
ODP
XSS
Hrishikesh Mishra
 
PDF
Time based CAPTCHA protected SQL injection through SOAP-webservice
Frans Rosén
 
PDF
Polyglot payloads in practice by avlidienbrunn at HackPra
Mathias Karlsson
 
Mobile Application Penetration Testing
BGA Cyber Security
 
Android Security & Penetration Testing
Subho Halder
 
Android security and penetration testing | DIVA | Yogesh Ojha
Yogesh Ojha
 
Android pentesting
Mykhailo Antonishyn
 
Android pentesting
Mykhailo Antonishyn
 
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
Threat Modelling
n|u - The Open Security Community
 
SSRF For Bug Bounties
OWASP Nagpur
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
CODE BLUE
 
Secure code practices
Hina Rawal
 
HTTP Security Headers
Ismael Goncalves
 
OWASP Top 10 2021 What's New
Michael Furman
 
Cross site scripting
n|u - The Open Security Community
 
Burp Suite Starter
Fadi Abdulwahab
 
Web application security
Kapil Sharma
 
Web Application Security
Abdul Wahid
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
 
XSS
Hrishikesh Mishra
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Frans Rosén
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Mathias Karlsson
 
Ad

Similar to Android Application Penetration Testing - Mohammed Adam (20)

PPTX
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Ajin Abraham
 
PDF
(Pdf) yury chemerkin _ath_con_2013
STO STRATEGY
 
PPTX
Android pentesting the hackers-meetup
kunwaratul hax0r
 
PDF
From ci to cd - LavaJug 2012
Henri Gomez
 
PPTX
Hacking mobile apps
kunwaratul hax0r
 
PPTX
lecture 8 weeb vs native mobile apps and frameworks
ssuser26ff68
 
PDF
YURY_CHEMERKIN__NullCon_2013_Conference.pdf
Yury Chemerkin
 
PDF
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
Philippe Gamache
 
PDF
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
Philippe Gamache
 
PPTX
Best online js training institute in chandigarh and
shubhamrana767862
 
PPTX
Shanghai Breakout: Access Management with Aruba ClearPass
Aruba, a Hewlett Packard Enterprise company
 
PDF
YURY_CHEMERKIN__AthCon_2013._Conference.pdf
Yury Chemerkin
 
PDF
Primend praktiline konverents - Samsung Cloud. Management. Security
Primend
 
PDF
(Pdf) yury chemerkin _confidence_2013
STO STRATEGY
 
PDF
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
iphonepentest
 
PPTX
Brocade vADC Portfolio Overview 2016
Scott Sims
 
PPTX
Android Penetration Testing - Day 3
Mohammed Adam
 
PDF
YURY_CHEMERKIN__CONFidence_2013_Conference.pdf
Yury Chemerkin
 
PDF
Best online js training institute in chandigarh and converted
shubhamrana767862
 
PPT
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Ajin Abraham
 
(Pdf) yury chemerkin _ath_con_2013
STO STRATEGY
 
Android pentesting the hackers-meetup
kunwaratul hax0r
 
From ci to cd - LavaJug 2012
Henri Gomez
 
Hacking mobile apps
kunwaratul hax0r
 
lecture 8 weeb vs native mobile apps and frameworks
ssuser26ff68
 
YURY_CHEMERKIN__NullCon_2013_Conference.pdf
Yury Chemerkin
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
Philippe Gamache
 
Best online js training institute in chandigarh and
shubhamrana767862
 
Shanghai Breakout: Access Management with Aruba ClearPass
Aruba, a Hewlett Packard Enterprise company
 
YURY_CHEMERKIN__AthCon_2013._Conference.pdf
Yury Chemerkin
 
Primend praktiline konverents - Samsung Cloud. Management. Security
Primend
 
(Pdf) yury chemerkin _confidence_2013
STO STRATEGY
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
iphonepentest
 
Brocade vADC Portfolio Overview 2016
Scott Sims
 
Android Penetration Testing - Day 3
Mohammed Adam
 
YURY_CHEMERKIN__CONFidence_2013_Conference.pdf
Yury Chemerkin
 
Best online js training institute in chandigarh and converted
shubhamrana767862
 
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
 
Ad

More from Mohammed Adam (20)

PPTX
Android Penetration testing - Day 2
Mohammed Adam
 
PPTX
Android Penetration Testing - Day 1
Mohammed Adam
 
PPTX
Wireless Penetration Testing
Mohammed Adam
 
PPTX
Network Penetration Testing
Mohammed Adam
 
PPTX
Basic Foundation For Cybersecurity
Mohammed Adam
 
PPTX
Golden Ticket Attack - AD - Domain Persistence
Mohammed Adam
 
PPTX
Evading Antivirus software for fun and profit
Mohammed Adam
 
PDF
Introduction to Network Fundamentals
Mohammed Adam
 
PPTX
Breaking out of crypto authentication
Mohammed Adam
 
PPTX
Cybersecurity Awareness Session by Adam
Mohammed Adam
 
PPTX
Career Guidance on Cybersecurity by Mohammed Adam
Mohammed Adam
 
PPTX
Introduction to null villupuram community
Mohammed Adam
 
PPTX
Internet security
Mohammed Adam
 
PDF
BugBounty Roadmap with Mohammed Adam
Mohammed Adam
 
PPTX
Webinar On Ethical Hacking & Cybersecurity - Day2
Mohammed Adam
 
PPTX
OSINT - Open Soure Intelligence - Webinar on CyberSecurity
Mohammed Adam
 
PPTX
Vulnerability assessment &amp; Penetration testing Basics
Mohammed Adam
 
PPT
What is SSL ? The Secure Sockets Layer (SSL) Protocol
Mohammed Adam
 
PPT
Network Security
Mohammed Adam
 
PPTX
Networking in Windows Operating System
Mohammed Adam
 
Android Penetration testing - Day 2
Mohammed Adam
 
Android Penetration Testing - Day 1
Mohammed Adam
 
Wireless Penetration Testing
Mohammed Adam
 
Network Penetration Testing
Mohammed Adam
 
Basic Foundation For Cybersecurity
Mohammed Adam
 
Golden Ticket Attack - AD - Domain Persistence
Mohammed Adam
 
Evading Antivirus software for fun and profit
Mohammed Adam
 
Introduction to Network Fundamentals
Mohammed Adam
 
Breaking out of crypto authentication
Mohammed Adam
 
Cybersecurity Awareness Session by Adam
Mohammed Adam
 
Career Guidance on Cybersecurity by Mohammed Adam
Mohammed Adam
 
Introduction to null villupuram community
Mohammed Adam
 
Internet security
Mohammed Adam
 
BugBounty Roadmap with Mohammed Adam
Mohammed Adam
 
Webinar On Ethical Hacking & Cybersecurity - Day2
Mohammed Adam
 
OSINT - Open Soure Intelligence - Webinar on CyberSecurity
Mohammed Adam
 
Vulnerability assessment &amp; Penetration testing Basics
Mohammed Adam
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
Mohammed Adam
 
Network Security
Mohammed Adam
 
Networking in Windows Operating System
Mohammed Adam
 

Recently uploaded (20)

PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Encapsulation theory and applications.pdf
gurumoop
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
A Presentation on Artificial Intelligence
memembruh336
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 

Android Application Penetration Testing - Mohammed Adam

  • 2. ./ABOUT ME • MOHAMMED ADAM • INFORMATION SECURITY RESEARCHER • SECURITY CONSULTANT AT CROSSBOW LABS • FOSS ACTIVIST IN VGLUG (VILUPPURAM GNU/LINUX USERS GROUP) • ACKNOWLEDGED BY TOP 50+ COMPANIES LIKE OPPO, NOKIA, HONEYWELL, MCAFEE, VIRUS TOTAL, MASTERCARD, BITDEFENDER, DELL TECHNOLOGIES, ASUS, INTEL, DUCKDUCKGO, CARBON BLACK ETC IN BUG BOUNTIES.
  • 3. ./AGENDA • INTRODUCTION TO ANDROID PENETRATION TESTING • REQUIREMENTS & TOOLS • STATIC ANALYSIS - AUTOMATION & MANUAL TESTING • DYNAMIC ANALYSIS - AUTOMATION & MANUAL TESTING • DISCUSSION ON OWASP TOP 10 MOBILE 2016 VULNERABILITIES
  • 4. ANDROID INTERNALS • BASED ON LINUX KERNEL • LATEST VERSION - ANDROID PIE • ANDROID Q 10.0 ON THE WAY • APPLICATION RUNS THROUGH DALVIK VM (DALVIK VIRTUAL MACHINE) • DALVIK VM RUNS EXECUTABLE FILES LIKE DEX (DALVIK EXECUTABLE) OR APK FILES • APK FILES ARE ZIPPED CONTENT OF RESOURCES, SIGNATURES, CLASSES.DEX AND ANDROID MANIFEST.XML FILE.
  • 5. ANDROID SECURITY MODEL • APPLICATION ARE SANDBOXED (RUNS WITH DIFFERENT UID & GID) • ZYGOTE SPAWNS A NEW PROCESS FOR EACH APPLICATION • EACH APPLICATION RUNS WITH A SEPARATE INSTANCE OF DALVIK VM • SPECIAL PERMISSIONS ARE PROVIDED TO ACCESS HARDWARE API'S • PERMISSIONS ARE MENTIONED IN ANDROID MANIFEST.XML FILE.
  • 6. ANDROID APPLICATION .APK • JUST AN ARCHIVE ! • WRITTEN MAINLY IN JAVA & XML • MULTIPLE ENTRY POINTS, SUCH AS ACTIVITY, SERVICES, INTENTS, CONTENT PROVIDERS, ETC.
  • 7. REQUIREMENTS & TOOLS • Android Tamer- https://androidtamer.com/ • Genymotion - https://www.genymotion.com/fun-zone/
  • 9. WHAT IS ADB ? • ANDROID DEBUG BRIDGE (ADB) IS A COMMAND LINE TOOL THAT LETS YOU COMMUNICATE WITH AN EMULATOR OR CONNECTED ANDROID DEVICE. • ADB DEBUGGING - ADB DEVICES - ADB FORWARD - ADB KILL-SERVER • WIRELESS - ADB CONNECT - ADB USB • PACKAGE MANAGER - ADB INSTALL - ADB UNINSTALL- ADB SHELL PM LIST PACKAGES - ADB SHELL PM PATH - ADB SHELL PM CLEAR • NETWORK - ADB SHELL NETSTAT- ADB SHELL PING - ADB SHELL NETCFG - ADB SHELL IP • LOGCAT - ADB LOGCAT -ADB SHELL DUMPSYS - ADB SHELL DUMPSTATE • REFERENCES - HTTP://ADBSHELL.COM/
  • 10. STATIC ANALYSIS - MANUAL TESTING• REVERSE ENGINEERING ANDROID APPLICATIONS • THE UNZIP UTILITY CAN BE USED TO EXTRACT FILES THAT ARE STORED INSIDE THE APK.
  • 11. APKTOOL • APKTOOL - A TOOL FOR REVERSE ENGINEERING 3RD PARTY, CLOSED, BINARY ANDROID APPS. IT CAN DECODE RESOURCES TO NEARLY ORIGINAL FORM AND REBUILD THEM AFTER MAKING SOME MODIFICATIONS. • DISASSEMBLING ANDROID APK FILE APKTOOL D <APK FILE>
  • 12. EVERY APK CONTAINS THE FOLLOWING FILES: • ANDROIDMANIFEST.XML - DEFINES THE PERMISSIONS OF THE APPLICATION • CLASSES.DEX - CONTAINS ALL THE JAVA CLASS FILES • RESOURCES.ARSC - CONTAINS ALL THE META-INFORMATION ABOUT THE RESOURCES AND NODES
  • 13. SECURITY GUIDELINES FOR ANDROID MANIFEST.XML
  • 14. CAN THESE PERMISSION BE BYPASSED ?
  • 15. ANDROID MANIFEST.XML OMG! • ACTIVITIES, SERVICES, RECEIVERS SHOULD NOT BE EXPORTED OR ELSE YOU CAN BYPASS THOSE ACTIVITIES!
  • 16. UPLOADING A SENSITIVE FILES FROM SD-CARD TO REMOTE SERVER WITHOUT ANY PERMISSION !
  • 17. ANDROID MANIFEST.XML OMG! • ANDROID:EXPORTED="TRUE" IN <PROVIDER> WILL TURN INTO A NIGHTMARE! • BTW BY DEFAULT IT IS "TRUE" IF EITHER ANDROID:MINSDKVERSION OR ANDROID:TARGETSDKVERSION TO "16" OR LOWER. • FOR APPLICATIONS THAT SET EITHER OF THESE ATTRIBUTES TO "17" OR HIGHER, THE DEFAULT IS "FALSE"
  • 18. DEBUG MODE • THE DEBUG TAG DEFINES WHETHER THE APPLICATION CAN BE DEBUGGED OR NOT. IF THE APPLICATION CAN BE DEBUGGED THEN IT CAN PROVIDE PLENTY OF INFORMATION TO AN ATTACKER. <APPLICATION ANDROID:DEBUGGABLE="FALSE" </APPLICATION>
  • 19. BACKUP FLAG • THIS SETTING DEFINES WHETHER APPLICATION DATA CAN BE BACKED UP AND RESTORED BY A USER WHO HAS ENABLED USB DEBUGGING. THEREFORE APPLICATIONS THAT HANDLE AND STORE SENSITIVE INFORMATION SUCH AS CARD DETAILS, PASSWORDS ETC. <APPLICATION ANDROID:ALLOWBACKUP="FALSE" </APPLICATION>
  • 20. EXTERNAL STORAGE • APPLICATIONS THAT HAVE THE PERMISSION TO COPY DATA TO EXTERNAL STORAGE SHOULD BE REVIEWED TO ENSURE THAT NO SENSITIVE INFORMATION IS STORED. • <USES-PERMISSION ANDROID:NAME="ANDROID.PERMISSION.WRITE_EXTERNAL_STORAGE"/>
  • 21. ANDROID:PROTECTIONLEVEL • THE ANDROID:PROTECTIONLEVEL ATTRIBUTE DEFINES THE PROCEDURE THAT THE SYSTEM SHOULD FOLLOW BEFORE GRANTS THE PERMISSION TO THE APPLICATION THAT HAS REQUESTED IT. THERE ARE FOUR VALUES THAT CAN BE USED WITH THIS ATTRIBUTE: • NORMAL – DANGEROUS – SIGNATURE – SIGNATURE OR SYSTEM • ALL THE PERMISSIONS THAT THE APPLICATION REQUESTS SHOULD BE REVIEWED TO ENSURE THAT THEY DON’T INTRODUCE A SECURITY RISK. <PERMISSION> ANDROID:PROTECTIONLEVEL="SIGNATURE" </PERMISSION>
  • 22. INTENTS • INTENTS CAN BE USED TO LAUNCH AN ACTIVITY, TO SEND IT TO ANY INTERESTED BROADCAST RECEIVER COMPONENTS, AND TO COMMUNICATE WITH A BACKGROUND SERVICE. INTENTS MESSAGES SHOULD BE REVIEWED TO ENSURE THAT THEY DOESN’T CONTAIN ANY SENSITIVE INFORMATION THAT COULD BE INTERCEPTED. <INTENT-FILTER> <ACTION ANDROID:NAME="STRING" /> <CATEGORY ANDROID:NAME="STRING" /> </INTENT-FILTER>
  • 23. CLASSES DEX • THE CLASSES.DEX FILE CONTAINS ALL THE JAVA CLASSES OF THE APPLICATION AND IT CAN BE DISASSEMBLED WITH BAKSMALI TOOL TO RETRIEVE THE JAVA SOURCE CODE.
  • 24. CONVERT CLASSES.DEX FILES TO JAR • TO DECOMPILE CLASSES.DEX FILE > D2J-DEX2JAR CLASSES.DEX
  • 25. TO READ JAR FILE – USE JDGUI • IN JDGUI, FILE-> OPEN THE FILE/DIRECTORY WHERE JAR FILE IS PRESENTED
  • 26. ANDROID WEBVIEW VULNERABILITIES • WEBVIEWS ARE USED IN ANDROID APPLICATIONS TO LOAD CONTENT AND HTML PAGES WITHIN THE APPLICATION. DUE TO THIS FUNCTIONALITY THE IMPLEMENTATION OF WEBVIEW IT MUST BE SECURE IN ORDER NOT TO INTRODUCE THE APPLICATION TO GREAT RISK.
  • 27. LOADING CLEAR-TEXT CONTENT • IF WEBVIEW IS ALLOWING TO LOAD CLEAR-TEXT CONTENT FROM THE INTERNET THEN IT WOULD BE OPEN TO VARIOUS FORMS OF ATTACK SUCH AS MITM. • MYWEBVIEW.LOADURL("HTTP://WWW.DROIDSEC.ORG/TESTS/ADDJSIF/");
  • 28. SSL ERROR HANDLING • THE CODE BELOW INSTRUCTS THE WEBVIEW CLIENT TO PROCEED WHEN AN SSL ERROR OCCUR. THIS MEANS THAT THE APPLICATION IS VULNERABLE TO MITM ATTACKS AS IT COULD ALLOW AN ATTACKER TO READ OR MODIFY CONTENT THAT IS DISPLAYED TO THE USER SINCE ANY CERTIFICATE WOULD BE ACCEPTED BY THE APPLICATION. @OVERRIDE PUBLIC VOID ONRECEIVEDSSLERROR(WEBVIEW VIEW, SSLERRORHANDLER HANDLER, SSLERROR ERROR) { HANDLER.PROCEED(); }
  • 29. JAVASCRIPT ENABLED • ALLOWING JAVASCRIPT CONTENT TO BE EXECUTED WITHIN THE APPLICATION VIA WEBVIEW MIGHT GIVE THE OPPORTUNITY TO AN ATTACKER TO EXECUTE ARBITRARY JAVASCRIPT CODE IN ORDER TO PERFORM MALICIOUS ACTIONS. THIS SETTING ALLOW WEBVIEW TO EXECUTE JAVASCRIPT CODE. WEBSETTINGS WEBSETTINGS = MYWEBVIEW.GETSETTINGS(); WEBSETTINGS.SETJAVASCRIPTENABLED(TRUE);
  • 30. ACCESSING LOCAL RESOURCES • IF THE WEBVIEW IS ALLOWING TO ACCESS CONTENT FROM OTHER APPLICATIONS THAT EXIST ON THE SAME DEVICE THEN IT COULD BE POSSIBLE FOR AN ATTACKER TO CREATE A MALICIOUS HTML FILE THAT COULD BE INJECTED INSIDE THE TARGET APPLICATION THROUGH THE USE FILE:SCHEME. IN ORDER FOR THIS MALICIOUS FILE TO BE LOADED NEEDS TO HAVE WORLD READABLE PERMISSIONS.
  • 31. ANDROID CODING BEST PRACTICES • FOLLOW -> HTTPS://DEVELOPER.ANDROID.COM/GUIDE/PRACTICES/COMPATIBILITY • TOP 10 MOBILE RISKS OWASP 2016 – HTTPS://WWW.OWASP.ORG/INDEX.PHP/MOBILE_TOP_10_2016-TOP_10 • HTTPS://WIKI.SEI.CMU.EDU/CONFLUENCE/DISPLAY/ANDROID/DRD02- J.+DO+NOT+ALLOW+WEBVIEW+TO+ACCESS+SENSITIVE+LOCAL+RESOURCE+THROU GH+FILE+SCHEME • HTTPS://LABS.MWRINFOSECURITY.COM/BLOG/WEBVIEW- ADDJAVASCRIPTINTERFACE-REMOTE-CODE-EXECUTION/ • HTTPS://WWW.RAPID7.COM/DB/MODULES/EXPLOIT/ANDROID/BROWSER/WEBVIEW_AD DJAVASCRIPTINTERFACE
  • 32. DYNAMIC ANALYSIS WIDELY USED TOOLS •BURPSUITE •DROZER
  • 33. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE • TO CONFIGURE THE PROXY GO TO SETTINGS. A SCREEN SOMETHING LIKE THE BELOW ONE WILL COME UP. SELECT “MORE”.
  • 34. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE INTERCEPTION CAN BE DONE BY USING WIFI NETWORKS AS WELL AS MOBILE NETWORKS. HERE IM SHOWING MOBILE NETWORK IN THE NEXT MENU, SELECT “MOBILE NETWORKS”.
  • 35. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE SELECT ACCESS POINT NAMES OPTION AS SHOWN IN THE IMAGE.
  • 36. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE • NO, THERE MUST BE A MOBILE NETWORK ALREADY CONFIGURED, AND THE NAME OF THE NETWORK WILL BE “TELKILA”, AS SHOWN IN THE IMAGE BELOW. CHOOSE THIS NETWORK.
  • 37. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE • PUT THE IP ADDRESS OF YOUR INTERFACE WHERE YOU WILL BE LISTENING THE TRAFFIC, I.E. WHERE YOU WILL RUN BURP. DOWN TO THAT, PUT THE PORT NUMBER ON WHICH YOU WANT TO LISTEN. BY DEFAULT IT’S 8080 IN BURP, BUT FEEL FREE TO CHANGE IT, JUST MAKE SURE YOU HAVE SAME PORT NUMBER CONFIGURED AT BOTH END POINTS.
  • 38. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE • NOW IN BURPSUITE, GO TO THE “PROXY” TAB, SELECT THE “OPTIONS” TAB. SELECT THE DEFAULT CONFIGURED INTERFACE, AND CLICK ON “EDIT”.
  • 39. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE PROXY > INTERCEPT > “INTERCEPT IS ON”
  • 40. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE “INTERCEPT RESPONSE BASED ON THE FOLLOWING RULES”
  • 41. SSL PINNING BYPASS • REQUIRED TOOLS FOR SSL PINNING BYPASS • ROOTED MOBILE • SSLUNPINNING APK • XPOSED FRAMEWORK & XPOSED INSTALLER APK FOR SPECIFIC MOBILE (DEPENDS ON SDK)
  • 42. DROZER – GAME CHANGER TOOL FOR ANDROID APP PT • CONNECTING DROZER TO THE MOBILE DEVICE • CONNECT YOUR MOBILE DEVICE TO YOUR COMPUTER USING A USB CABLE; • OPEN DROZER AGENT APPLICATION ON YOUR MOBILE DEVICE AND CLICK THE ON BUTTON FROM THE BOTTOM-RIGHT;
  • 43. DROZER – CONT. • USE ADB.EXE TO OPEN A TCP SOCKET BETWEEN YOUR COMPUTER AND THE SERVER EMBEDDED IN DROZER AGENT: • ADB.EXE FORWARD TCP:31415 TCP:31415 • GO TO THE FOLDER WHERE YOU INSTALLED DROZER AND CONNECT TO THE MOBILE DEVICE: • DROZER CONSOLE CONNECT
  • 44. STARTING AN ACTIVITY FROM ANOTHER PACKAGE • OK, NOW WE HAVE AN INTERACTIVE DROZER CONSOLE. WHAT CAN WE DO? LET’S START AN ACTIVITY, COMMAND BY COMMAND: • LIST, WILL DISPLAY A LIST OF COMMANDS AVAILABLE IN DROZER
  • 45. FIND A LIST OF PACKAGES • RUN APP.PACKAGE.LIST -F FIREFOX TO FIND A LIST OF PACKAGES THAT CONTAIN THE STRING “FIREFOX”; WE FOUND ORG.MOZILLA.FIREFOX.
  • 46. IDENTIFY THE ATTACK SURFACE FOR OUR APPLICATION • RUN APP.PACKAGE.ATTACKSURFACE ORG.MOZILLA.FIREFOX TO IDENTIFY THE ATTACK SURFACE FOR OUR APPLICATION; WE FOUND 113 EXPORTED ACTIVITIES, 12 EXPORTED BROADCAST RECEIVERS, 8 EXPORTED CONTENT PROVIDERS AND 1 EXPORTED SERVICE; THIS IS A GOOD EXAMPLE OF A BIG ATTACK SURFACE.
  • 47. MORE INFORMATION ABOUT A SPECIFIC PACKAGE
  • 48. INSPECT THE MANIFEST FILE OF A SPECIFIC APPLICATION
  • 49. LIST THE EXPORTED ACTIVITIES • RUN APP.ACTIVITY.INFO -A ORG.MOZILLA.FIREFOX TO LIST THE EXPORTED ACTIVITIES; WE CAN SEE THAT THERE IS AN EXPORTED ACTIVITY NAMED ORG.MOZILLA.FIR EFOX.APP THAT DOES NOT REQUIRE ANY PERMISSION TO BE STARTED.
  • 50. LIST OF VULNERABLE ANDROID APPLICATIONS • DAMN VULNERABLE HYBRID MOBILE APPLICATION • ANDROID DIGITAL BANK • DAMN INSECURE AND VULNERABLE APPLICATION • HACKME BANK • INSECURE BANK • DAMN VULNERABLE ANDROID APPLICATION • OWASP GOATDROID • DODO VULNERABLE BANK
  • 52. REFERENCES: • HTTPS://RESOURCES.INFOSECINSTITUTE.COM/ANDROID-APPLICATION-SECURITY-TESTING-GUIDE-PART-1/ • HTTPS://RESOURCES.INFOSECINSTITUTE.COM/ANDROID-APP-SEC-TEST-GUIDE-PART-2/ • HTTPS://KING-SABRI.NET/ANDROID-HACKING-DROZER-SECURITY-ASSESSMENT-FRAMEWORK/ • HTTPS://SECURITYGRIND.COM/USING-THE-DROZER-FRAMEWORK-FOR-ANDROID-PENTESTING/ • HTTPS://PENTESTLAB.BLOG/CATEGORY/MOBILE-PENTESTING/ • HTTPS://GITHUB.COM/TANPRATHAN/MOBILEAPP-PENTEST-CHEATSHEET • HTTPS://PENTESTLAB.BLOG/2016/11/07/LIST-OF-VULNERABLE-ANDROID-APPLICATIONS/