# Android Pentesting

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2FAEbCw7MNycPJCOQD30Zg%2Fimage.png?alt=media\&token=06fdffe9-7282-4e7b-a83b-093418c280f8)

## Resources

> OWASP Mobile Application Pentesting Gitbook:
>
> <https://mobile-security.gitbook.io/mobile-security-testing-guide/overview/0x03-overview>
>
> OWASP Mobile Top 10:
>
> <https://owasp.org/www-project-mobile-top-10/>
>
> SecJuice Introduction to Frida and Objection:
>
> <https://www.secjuice.com/objection-frida-guide/>
>
> HackTricks website with iOS/Android pentest checklists:
>
> <https://book.hacktricks.xyz/mobile-apps-pentesting/android-checklist>
>
> InjuredAndroid (vulnerable practice app)
>
> <https://github.com/B3nac/InjuredAndroid>

## **Tools**

> Jadx-gui
>
> <https://github.com/skylot/jadx>
>
> Apktool
>
> <https://github.com/iBotPeaches/Apktool>
>
> Objection
>
> <https://github.com/sensepost/objection>

## **Static Analysis**

![static analysis](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2FmIDI6010NGGFlHOKdKBi%2Fimage.png?alt=media\&token=d321f407-b4e2-4463-bb2c-6a27a5bfd7b1)

### Pull APK From Google Playstore

First, install the APK from the Google Play Store on your emulator.

Drop into a shell with `adb shell`.

To list every package installed on the emulator:

`pm list packages`

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2FNeXcpjUczBDJCQLdal25%2Fimage.png?alt=media\&token=7be06db5-6a18-48e7-94c1-19151a88db32)

Now find the path where this APK is located: `pm path [package name]`

```
generic_x86:/ $ pm path b3nac.injuredandroid
package:/data/app/b3nac.injuredandroid-fBw3LmlBTAq04Q5CC8sHg==/base.apk
```

Now we know the file path. Exit `adb shell` and pull the APK from that path.

```
adb pull /data/app/b3nac.injuredandroid-fBw3LmlBTAq04Q5CC8sHg==/base.apk injuredAndroid_pulled.apk
```

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2FQHICMRHZ8YsfRlhU1ni4%2Fimage.png?alt=media\&token=786570e6-f392-40b4-af01-0903f4b28337)

### AndroidManifest.xml

The Android Manifest is an XML file which contains important metadata about the Android app. This includes the package name, activity names, main activity (the entry point to the app), Android version support, hardware features support, permissions, and other configurations.

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2F3phrjhtVAE0caWLvyIUH%2Fimage.png?alt=media\&token=5ce31e29-0892-4b29-93f2-cf9e6fa9b482)

### **Decompiled APK**

`apktool d apkname.apk`

```
┌─[sheinn101@parrot]─[~/ctf/android]
└──╼ [??]$ apktool d injuredAndroid.apk 
I: Using Apktool 2.5.0-dirty on injuredAndroid.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/sheinn101/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
┌─[sheinn101@parrot]─[~/ctf/android/injuredAndroid]
└──╼ [??]$ ls
AndroidManifest.xml  apktool.yml  assets  kotlin  lib  original  res  smali  unknown
┌─[sheinn101@parrot]─[~/ctf/android/injuredAndroid]
└──╼ [??]$
```

### Find Hardcoded Strings

Hardcoded strings can often be found in `strings.xml` under the resources directory (`res/values/strings.xml` in the apktool output) and in `activity` source code. Sometimes you will find client credentials, exposed URLs, API keys, a Firebase URL, etc.

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2F4iD9llOBJpLLjBEP1fND%2Fimage.png?alt=media\&token=f90fc41d-fad1-425e-be4f-316b16571f9e)

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2F118jyjcyf7fjkcVpk5c3%2Fimage.png?alt=media\&token=1c4794c2-94db-47cc-a9a8-6b28d0ee7303)
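As an added example (not code from the original page), a small Python scanner that walks a decoded `res/values/strings.xml` and flags the kinds of entries the paragraph above mentions (Firebase URLs, cloud API keys, URLs, and resource names that suggest a secret). The sample `strings.xml` and the project name in it are constructed; the AWS key is the well-known documentation placeholder.

```python
# Flag suspicious entries in a decoded res/values/strings.xml. Added example,
# not from the page; the sample strings.xml below is constructed.
import re
import xml.etree.ElementTree as ET

# Value shapes that should not ship inside an APK (constructed list; extend per target).
VALUE_PATTERNS = {
    "firebase_url": re.compile(r"https://[\w.-]+\.firebaseio\.com"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "url": re.compile(r"https?://[^\s\"']+"),
}
# Resource names that usually hold secrets, whatever the value looks like.
NAME_HINT = re.compile(r"api_?key|secret|password|passwd|token|client_?id", re.I)


def scan_strings_xml(xml_text):
    """Return (name, value, reasons) for every <string> that looks like a hardcoded secret."""
    findings = []
    for item in ET.fromstring(xml_text).iter("string"):
        name, value = item.get("name", ""), (item.text or "").strip()
        reasons = [k for k, rx in VALUE_PATTERNS.items() if rx.search(value)]
        if NAME_HINT.search(name):
            reasons.append("name_suggests_secret")
        if reasons:
            findings.append((name, value, sorted(reasons)))
    return findings


# Constructed sample; the AWS key is the documentation placeholder, not a real key.
SAMPLE_STRINGS_XML = """<resources>
  <string name="app_name">InjuredAndroid</string>
  <string name="firebase_database">https://example-project.firebaseio.com</string>
  <string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>
  <string name="admin_password">s3cr3t_pa55</string>
  <string name="welcome">Welcome back</string>
</resources>"""
```

Point it at the real `res/values/strings.xml` from the apktool output and review every hit by hand; the name hint is a heuristic and will also catch harmless labels.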

### Exported Activity

An exported activity is one that can be accessed by external components or apps. Exported activities are like `public` methods in Java: any other class, or even another package, can call them. Say you are on your home screen and want to start the Twitter app, so you tap its icon to invoke its launcher activity. Technically you were already in an activity (the home screen) and then started another one (launching Twitter). If the `launcher` activity of the Twitter app were not exported (not public), nothing could invoke it and the app would not start. That is why at least one activity has to be exported so that other Android components can start it. An exported activity can also be the entry point for an `XSS` attack.

Look for `android:exported="true"` in `AndroidManifest.xml`.

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2FDHj4QyMNWufVXJ8r6wux%2Fimage.png?alt=media\&token=4ce4ae9e-6bb5-4b5b-908a-eb4b69bacc33)

Since the activity is exported, it can be started from anywhere on the phone (including from a different application).

To exploit this, enter `adb shell` and run `am start [package name]/[activity name]`.

Don't forget the forward slash in front of the activity name: `b3nac.injuredandroid/.b25lActivity`.

```
┌─[sheinn101@parrot]─[~/Documents/bug_program/h1/monday]
└──╼ [??]$ adb shell
picasso:/ $ am start b3nac.injuredandroid/.b25lActivity
Starting: Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=b3nac.injuredandroid/.b25lActivity }
picasso:/ $
```

The activity will pop up on the phone.

{% hint style="danger" %}
In the real world or in bug bounty hunting, you need to make sure that the activity exposes sensitive data or gives access to some UI (like an admin panel) that you would not otherwise have access to.
{% endhint %}
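As an added example (not code from the original page), a Python audit of a decoded `AndroidManifest.xml` that applies the export rule the section above describes, going a step further than the page: it also treats a component with an `<intent-filter>` but no explicit `android:exported` as exported (the pre-Android 12 default), covers services, receivers and providers, and reports `allowBackup` and `debuggable`. The sample manifest and the names `SecretActivity`, `SyncReceiver` and `DataProvider` are constructed.

```python
# Audit a decoded AndroidManifest.xml (from `apktool d`) for exported components,
# allowBackup and debuggable. Added example; the manifest below is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def is_exported(component):
    # Explicit android:exported wins; otherwise a component with an
    # <intent-filter> is implicitly exported (the pre-Android 12 default).
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None

def audit_manifest(xml_text):
    root = ET.fromstring(xml_text)
    pkg, app = root.get("package"), root.find("application")
    report = {"package": pkg, "exported": [],
              "allow_backup": (_attr(app, "allowBackup") or "true").lower() == "true",
              "debuggable": (_attr(app, "debuggable") or "false").lower() == "true"}
    for tag in ("activity", "activity-alias", "service", "receiver", "provider"):
        for comp in app.iter(tag):
            if not is_exported(comp):
                continue
            name = _attr(comp, "name")
            if name.startswith("."):  # expand ".Foo" to the full class name
                name = pkg + name
            # No android:permission means any app on the device can reach it.
            report["exported"].append((tag, name, _attr(comp, "permission")))
    return report

# Constructed sample; SecretActivity, SyncReceiver and DataProvider are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="b3nac.injuredandroid">
  <application android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".b25lActivity" android:exported="true"/>
    <activity android:name=".SecretActivity" android:exported="false"/>
    <receiver android:name=".SyncReceiver" android:exported="true" android:permission="b3nac.injuredandroid.SYNC"/>
    <provider android:name=".DataProvider" android:authorities="b3nac.injuredandroid.data"/>
  </application>
</manifest>"""
```

Run `audit_manifest` over the `AndroidManifest.xml` that apktool wrote and triage the exported entries whose permission is `None` first; the report also tells you whether `adb backup` (see the `allowBackup` note later on this page) will work against the app.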

### Enumerating AWS Storage Bucket

> <https://github.com/initstring/cloud_enum>

```
python3 cloud_enum.py -k injuredandroid
```

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2FDXocH6wk9m8fgbrO46Dd%2Fimage.png?alt=media\&token=0585c42a-0f20-415e-a61b-3ca5f51d44f6)

### Enumerating Firebase Databases

> <https://github.com/Sambal0x/firebaseEnum>

```
┌─[sheinn101@parrot]─[~/ctf/android/firebaseEnum]
└──╼ [??]$ python3 firebaseEnum.py -k injuredandroid

______ _          _                    _____                      
|  ___(_)        | |                  |  ___|                     
| |_   _ _ __ ___| |__   __ _ ___  ___| |__ _ __  _   _ _ __ ___  
|  _| | | '__/ _ \ '_ \ / _` / __|/ _ \  __| '_ \| | | | '_ ` _ \ 
| |   | | | |  __/ |_) | (_| \__ \  __/ |__| | | | |_| | | | | | |
\_|   |_|_|  \___|_.__/ \__,_|___/\___\____/_| |_|\__,_|_| |_| |_|
                                                                  
                                                                  
 github.com/sambal0x                                                                     


==========================
 Keyword based Enumeration
==========================

[+] Mutations list imported: 227 items
[+] Mutated results: 909 items
[+] Checking for open firebase databases...
    5/909 complete..
```

When you find a `firebase` URL, keep it in mind: some areas of the database may not be protected. You can check by appending `.json` to the URL, like this.

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2FacI6wFAid3DIwWwSH1EH%2Fimage.png?alt=media\&token=c0ef596e-d766-4345-95fb-223e66e2bb41)

## Dynamic Analysis

### Disable SSL Pinning

#### Patching Apk using Objection

We can use `objection` to automatically patch the application so that SSL pinning can be bypassed.

Installation : `pip3 install objection`

```
┌─[sheinn101@parrot]─[~/ctf/android]
└──╼ [??]$ objection patchapk --source injuredAndroid.apk 
No architecture specified. Determining it using `adb`...
Detected target device architecture as: arm64-v8a
Using latest Github gadget version: 15.1.10
Patcher will be using Gadget version: 15.1.10
Detected apktool version as: 2.5.0-dirty
Running apktool empty-framework-dir...
I: Removing 1.apk framework file...
Unpacking injuredAndroid.apk
App already has android.permission.INTERNET
Target class not specified, searching for launchable activity instead...
Reading smali from: /tmp/tmpeohig7rk.apktemp/smali/b3nac/injuredandroid/MainActivity.smali
Injecting loadLibrary call at line: 10
Attempting to fix the constructors .locals count
Current locals value is 0, updating to 1:
Writing patched smali back to: /tmp/tmpeohig7rk.apktemp/smali/b3nac/injuredandroid/MainActivity.smali
Copying Frida gadget to libs path...
Rebuilding the APK with the frida-gadget loaded...
Rebuilding the APK may have failed. Read the following output to determine if apktool actually had an error: 
Built new APK with injected loadLibrary and frida-gadget
Performing zipalign
Zipalign completed
Signing new APK.
Signed the new APK
Copying final apk from /tmp/tmpeohig7rk.apktemp.aligned.objection.apk to injuredAndroid.objection.apk in current directory...
Cleaning up temp files...
```

Sometimes this method does not work properly. You can patch the APK manually instead.

#### Manual Patching

Decode the APK with `apktool` so it can be patched:

`apktool d apkname.apk`, then download `frida-gadget.so` from [github](https://github.com/frida/frida).

```bash
wget https://github.com/frida/frida/releases/download/15.1.10/frida-gadget-15.1.10-android-x86.so.xz
```

Decompress the archive and move the gadget into the `lib/<abi>/` folder that matches the device architecture (`lib/x86_64/` for an x86_64 emulator; the gadget build you downloaded must match that ABI). Rename it to `libfrida-gadget.so`: the `lib` prefix is what `System.loadLibrary("frida-gadget")` looks for, and without it the app can crash.

Add this code to the `MainActivity.smali` file (after the `.locals` line of the constructor or `onCreate`; since it uses register `v0`, `.locals` must be at least 1, which is the same fix objection reports above):

```smali
# load libfrida-gadget.so from the APK's lib/<abi>/ directory at startup
const-string v0, "frida-gadget"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
```

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2FMDaLqdtqsibpsC0BUGFO%2Fimage.png?alt=media\&token=4127315b-cabf-4e31-87cd-b85a5ade070e)

Then rebuild the APK with `apktool`:

```
apktool b injuredAndroid -o injured_patch.apk
```

Note: add this permission to `AndroidManifest.xml` first if it is not already there. In this case it is already present.

```xml
<uses-permission android:name="android.permission.INTERNET" />
```

### Signing The APK

```bash
# create a keystore (demopass is the example store password used below)
keytool -genkey -v -keystore demo.keystore -alias demokeys -keyalg RSA -keysize 2048 -validity 10000
# sign the rebuilt apk (v1/JAR signature, so signing happens before zipalign)
jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore demo.keystore -storepass demopass injured_patch.apk demokeys
# verify the signature
jarsigner -verify injured_patch.apk
# zipalign the signed APK
zipalign 4 injured_patch.apk injured_patch_final.apk
```

Install the APK on the emulator. When you open it you will see a white screen for a little while (the gadget is waiting for a connection); at that point run this command to hook it with `frida`:

`objection explore`

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2FcE1kmqUQWxYQaKj81bfU%2Fimage.png?alt=media\&token=ce469d1f-a2da-41b2-aba3-8cb0dfb6c29c)

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2FDtjrg9UzgaOxLSxnCsBR%2Fimage.png?alt=media\&token=47646e78-dc1e-4a30-a81a-cedc28094a65)

### Insecure Logging

* `adb logcat -c` (clear the log)
* `adb logcat | grep "password"`

### Drozer usage

#### Port Forward

```
adb forward tcp:31415 tcp:31415
```

#### Connect Drozer

```
drozer console connect
```

#### Show App Info

```
run app.package.info -a com.android.insecurebankv2
```

#### Show Activity Info

```
run app.activity.info -a com.android.insecurebankv2
```

#### Show Content Provider

```
run app.provider.finduri com.android.insecurebankv2
```

#### Check Vulnerable Injection in Content Provider

```
run scanner.provider.injection -a com.android.insecurebankv2
```

#### Show Broadcast Receiver

```
run app.broadcast.info -a com.android.insecurebankv2 -i
```

Send a broadcast to the receiver (`--extra` takes a type, a key and a value; `phonenumber` and `newpass` are the extras InsecureBankv2's receiver reads):

```
run app.broadcast.send --action theBroadcast --extra string phonenumber 095634534345 --extra string newpass NewPassword
```

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2FwjUkgG62gkK9fxJHQXTY%2FPasted%20image%2020211008212441.png?alt=media\&token=9b60a922-54c0-4015-9c49-537201e328e3)

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2Fd36evndo3uFUjB78aPyS%2FPasted%20image%2020211008200015.png?alt=media\&token=d6361909-9cf0-4ba5-ab66-434d8959ab2f)

```
run app.package.attacksurface com.android.insecurebankv2
```

### Run Activity Directly

```bash
run app.activity.start --component com.android.insecurebankv2 com.android.insecurebankv2.ViewStatement
```

### ADB

#### Insecure Login Mechanism

```bash
$ adb shell am start -n com.android.insecurebankv2/com.android.insecurebankv2.PostLogin
```

* When `android:allowBackup` is `true`, we can back up the app's data even without root privileges.

### Tool to extract the backup file

> <https://github.com/nelenkov/android-backup-extractor>

```bash
$ adb backup com.android.insecurebankv2
```

### Checking Log

```bash
$ adb logcat | grep "$(adb shell ps | grep com.android.insecurebankv2 | awk '{print $2}')"
```

You can also use `pidcat`:

```
pidcat [packageName]
```

{% hint style="success" %}
Will update more.
{% endhint %}
