Android Pentesting

Resources

OWASP Mobile Application Pentesting Gitbook:

https://mobile-security.gitbook.io/mobile-security-testing-guide/overview/0x03-overview

OWASP Mobile Top 10:

https://owasp.org/www-project-mobile-top-10/

Secjuice Introduction to Frida and Objection:

https://www.secjuice.com/objection-frida-guide/

HackTricks Website with iOS/Android Pentest Checklists:

https://book.hacktricks.xyz/mobile-apps-pentesting/android-checklist

InjuredAndroid

https://github.com/B3nac/InjuredAndroid

Tools

jadx-gui

https://github.com/skylot/jadx

Apktool

https://github.com/iBotPeaches/Apktool

Objection

https://github.com/sensepost/objection

Static Analysis

Pull APK From Google Play Store

First, install the app from the Google Play Store in your emulator.

Drop into a shell with adb: adb shell

List every application package installed in your emulator:

pm list packages

Now find the path where the APK is located: pm path [package name]

Now we know the file path. Exit the adb shell and pull the APK from that path.

AndroidManifest.xml

The Android Manifest is an XML file which contains important metadata about the Android app. This includes the package name, activity names, main activity (the entry point to the app), Android version support, hardware features support, permissions, and other configurations.

Decompiled APK

apktool d apkname.apk

Find Hardcoded Strings

Hardcoded strings can often be found in resources/strings.xml and also in activity source code. Sometimes you may find client credentials, exposed URLs, API keys, Firebase URLs, etc.

Exported Activity

An exported activity is one that can be accessed by external components or apps. Exported activities are like public functions in Java: any other parent class or even package can call them. Say you are on your home screen and want to start the Twitter app, so you click the app icon to invoke its launcher activity. Technically you were already in some activity (the home page) and then started another activity (launching the Twitter app). If the launcher activity of the Twitter app isn't exported (not public), no one will be able to invoke the activity and the app won't start. That is why at least one activity has to be exported, so other Android components can start it. This can also lead to an XSS attack.

Find android:exported=true in AndroidManifest.xml

Once found, that activity can be accessed from anywhere on the phone (including from a different application).

To exploit this, enter adb shell and type: am start [activity name]

Don't forget to add a forward slash in front of the activity name, e.g. /.b25lActivity

That activity will automatically pop up on our phone.
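As a review aid for the exported-component check above, this added example (not from the original page) lists components in an apktool-decoded AndroidManifest.xml that are exported without an android:permission guard. It also covers components exported implicitly through an intent-filter when android:exported is omitted, which is the default for apps targeting below API 31. The sample manifest, package name and class names are constructed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (package and class names are made up).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <activity android:name=".ShareActivity">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
  </application>
</manifest>"""

def is_launcher(comp):
    cats = comp.findall("intent-filter/category")
    return any(c.get(A + "name") == "android.intent.category.LAUNCHER" for c in cats)

def audit_exported(manifest_xml):
    """Return (tag, name, reason) for exported components with no permission guard."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            exported = comp.get(A + "exported")
            if exported == "true":
                reason = "explicit"
            elif exported is None and comp.find("intent-filter") is not None:
                reason = "implicit"  # intent-filter, android:exported omitted
            else:
                continue
            # Skip the expected launcher entry point and permission-guarded
            # components (the permission's protection level still needs review).
            if comp.get(A + "permission") or is_launcher(comp):
                continue
            findings.append((tag, comp.get(A + "name"), reason))
    return findings

if __name__ == "__main__":
    for tag, name, reason in audit_exported(SAMPLE_MANIFEST):
        print(f"{tag} {name}: exported ({reason}), no android:permission")
```

Run it on the AndroidManifest.xml produced by apktool d; the binary manifest inside the APK itself is not plain XML and will not parse.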

Enumerating AWS Storage Bucket

https://github.com/initstring/cloud_enum

Enumerating Firebase Databases

https://github.com/Sambal0x/firebaseEnum

When you find a Firebase URL, keep in mind that some areas may not be protected. You can check with .json like this.

Dynamic Analysis

Disable SSL Pinning

Patching Apk using Objection

We can use objection to automatically patch the application to bypass SSL pinning.

Installation: pip3 install objection

Sometimes this method does not work properly. In that case you can patch manually.

Manual Patching

Patch the apk with apktool

Decode the APK with apktool d apkname.apk and download frida-gadget.so from GitHub.

Move that file to the lib/x86_64/ folder. Add lib in front of the filename (libfrida-gadget.so), because otherwise the app can sometimes crash.

Add this code to the MainActivity.smali file.

Then rebuild the APK with apktool.

Note: add this first if it's not already there. In this case we already have this.

Signing The APK

Install the APK in the emulator. When you open it you will see a white screen for a little while; then type this command to hook it with Frida.

objection explore

Insecure Logging

  • > adb logcat -c (clear the log)

  • > adb logcat | grep "password"

Drozer usage

Port Forward

Connect Drozer

Show App Info

Show Activity Info

Show Content Provider

Check Vulnerable Injection in Content Provider

Show Broadcast Receiver

Run Activity Directly

ADB

Insecure Login Mechanism

  • When android:allowBackup is true, we can back up the app's data even if we don't have root privileges.

Tool to extract that backup file

https://github.com/nelenkov/android-backup-extractor

Checking Log

Can also use pidcat
