Android Pentesting Checklist

Android Security Architecture

Official Android Security Documentation

Android Overview:

• Solely based on the Linux OS

  • Commands such as ls, cd, rm, mkdir are all functional within android

  • Keep the Linux file permission in mind during testing

• Has to support multiple CPU types such as SoC, ARM and also 32/64 bit versions of each

Android Runtime (ART)

• Translation layer from bytecode to instructions

• Every app is sandboxed as its own VM

• Applications are isolated by creating a unique new user for the account

Android Identity and Access Management (IAM)

• This also follows the UID structure as designed in Linux

• Android must be rooted to access certain directories for testing

User Profiles

• Primary User is created the first time the phone starts, always running and can only be removed by factory reset

• Secondary user can be added to the device and can be deleted by the primary user

• Guest User is only allowed one account on device

• Kids Mode this is often found on Google Kids Spaces devices(currently tablets only)

Hardware Abstraction Layer (HAL)

• Allows apps to access various hardware component on the device

• HALs include technologies such as Apple Car Play, Android Auto, IoT Devices, Smart watches

Test Environment setup

Install Java for your testing OS (if not installed already)

• Debian-Based Distro - Run command sudo apt-get install default-jdk -y

Install Dex to Java decompiler:

• JADX-GUI for Windows .exe (Add .exe to C:\\Windows for CLI)

• For Mac run the command brew install jadx

• Debian-based distro - Run command sudo apt-get install jadx

ADB Install - Download SDK Platform-Tools for your host OS

• This is the shell for accessing the Android

Install Apktool for the testing OS

• For Mac run the command brew install apktool

• Debian Based Distro - sudo apt-get install apktool -y

Download Android Studio, GenyMotion, or Visual Studio Emulator for Android for the testing OS

Enable Developer Mode on device

• For physical device enable USB Debugging as well

How to start ADB with port open on host machine:

• adb -a nodaemon server

(if you receive an error that the port is already in use, kill the adb process - this will vary per your Operating System)

• taskkill /f /t /im adb.exe

• then run: adb -a nodaemon server

From the networked machine, or VM run the following command to connect to the emulator via the newly opened port:

adb -H <host_machine_IP> -P 5037 shell

Android Manifest.xml

• Present in every Android App

• It is also where the basic of the application are defined such as permissions, Content Providers, Activities, and minSDKVersion

Information Gathering:

Find information about the company via Google Play store

• Read app reviews and app announcements

• Enumerate the creator of the application

• Enumerate versions and patch notes

• Enumerate other apps that belong to the company

TargetSdkversion OS version an app was designed for < package= com.vulnerableapp.test> Describes package/app name <uses-sdk android:minSdkVersion="17" android:minSdkVersion="21"/> App minimum and maximum supported versions(range)

APKLeaks - analyze compiled APK file

Pulling an APK

1. Download app from google play store on the android device OR an .apk file will be provided by client

2. Run the following commands in a terminal:

   1. abd shell (this drops you into a shell on your emulator or physical phone)

   2. pm list packages | grep <Identifier> (this will display the name of the package installed on the phone, in our case we did grep injured, copy result for step 5 below)

   3. pm path <packagename> (list the file path of the package, copy the file path for step 7 below)

   4. Exit the adb shell with: exit

   5. adb pull <PathToPackage> <NameOfNewFile>.apk (this will pull the apk from the file path on the phone and save it to whatever file name we want

APK from phone to computer: To get apk from the phone to your computer use the following commands

• adb shell pm list packages (this will list all packages) or adb shell pm list packages | grep <identifier>

• adb pm path (domain.com)

• adb pull <copied file path> OR adb pull <copied file path> <newname>.apk (second command renames the base apk)

Testing Methodology

Source: https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05b-basic-security_testing

1. Open android studio

2. Plug in phone and make sure it connects to android studio

3. Run the following to make a connection over usb to get traffic from the phone through burp. (physical phone)

   • adb revserse tcp:<port from burp i.e 8082> tcp:<same port i.e 8082>

4. Pull the APK or install the APK

5. Throw the APK in mobsf for static analysis (mobsf will look through all the files and pull out data for you)

   • Check mobsf findings (url's, harded coded keys, etc)

   • Check out the manifest.xml (where some important things can be stored)

6. Use apktool to pull files from the phone to do a more manual static analysis

   • apktool d <example.apk>

   • Manuel click through of the files

7. Can also use jadx-gui to search files manually

   • jadx-gui

   • Pick apk file to drop in

   • Look at manifest.xml file

   • Check resrources.arsc for strings, xml, json i. Resrouces.ars -> res -> values

   • Can also use the search to look through all the files i. i.e password, api_key, etc

8. Open the APP on phone or emulator

9. Make sure traffic is being proxied through burp

10. Run objection

    • objection --gadget explore

11. Disable sslpinning if the app is preventing from exploring

    • a. android sslpinning disable --quiet

12. Check android keystore for any credentials

    • a. android keystore list

13. Run Drozer and the following commands

    • Check attack surface

      • run app.package.attacksurface <com.app.android>

    • Check activity info

      • run app.activity.info -a <com.app.android>

    • Check package info

      • run app.package.info -a <com.app.android>

    • Check Broadcasts

      • run app.broadcast.info -a <com.app.android>

    • Scan URI's

      • run scanner.provider.finduris -a <com.app.android>

    • Directory traversal

      • run scanner.provider.traversal -a <com.app.android>

    • SQL Injection

      • Run scanner.provider.injection -a <com.app.android>

14. if there is a firebase url navigate to the url and add the following json check to see if its vulnerable

    • a. https://example-mobile.firebaseio.com/.json

    • b. If this is denied you can try and fuzz an endpoint i. i.e https://example-mobile.firebaseio.com/FUZZ/.json

15. In android studio check the /data/data/<com.example.android>

    • Check xml files, strings, .json files, DB's

16. Copy db to sdcard

    • adb shell "su -c cp /data/data/<com.exampleapp.android>/databases/ /sdcard/Dwonload"

17. Pull dbs to local machine

    • adb pull /sdcard/Download/

18. View dbs in db browser sqlite

19. Do a manual click through and generate some traffic with burp

20. Run a burp scan

21. Test app like it’s a web app. (XSS, SQL injection, login bypass etc)

22. Check logs in android studio to see if any sensitive data is passed through.

    • a. Can also use the command line tool to check the logs or you can use android studio to view the logs

    • b. adb logcat