
Android Pentesting Checklist


Last updated 5 months ago

Android Security Architecture

Android Overview:

  • Solely based on the Linux OS

    • Commands such as ls, cd, rm, mkdir are all functional within Android

    • Keep the Linux file permissions in mind during testing

  • Has to support multiple CPU types such as SoC, ARM, and 32/64-bit versions of each

Android Runtime (ART)

  • Translation layer from app bytecode to machine instructions

  • Every app is sandboxed as its own VM

  • Each application is isolated by running under its own unique Linux user

Android Identity and Access Management (IAM)

  • Follows the same UID structure as designed in Linux

  • Android must be rooted to access certain directories for testing

User Profiles

  • Primary User is created the first time the phone starts, always running and can only be removed by factory reset

  • Secondary user can be added to the device and can be deleted by the primary user

  • Guest User: only one guest account is allowed on the device

  • Kids Mode: often found on Google Kids Space devices (currently tablets only)

Hardware Abstraction Layer (HAL)

  • Allows apps to access the various hardware components on the device

  • HALs include technologies such as Apple CarPlay, Android Auto, IoT devices, and smartwatches

Test Environment setup

Install Java (default-jdk):

  • Debian-based distro - run the command sudo apt-get install default-jdk -y

Install Dex to Java decompiler (jadx):

  • For Mac run the command brew install jadx

  • Debian-based distro - run the command sudo apt-get install jadx

Install ADB (Android Debug Bridge):

  • This is the shell for accessing the Android device

Install apktool:

  • For Mac run the command brew install apktool

  • Debian-based distro - run the command sudo apt-get install apktool -y

Enable Developer Mode on device

  • For physical device enable USB Debugging as well

How to start ADB with port open on host machine:

  • adb -a nodaemon server

(if you receive an error that the port is already in use, kill the running adb process first - the command varies by operating system; on Windows:)

  • taskkill /f /t /im adb.exe

  • then run: adb -a nodaemon server

From the networked machine, or VM run the following command to connect to the emulator via the newly opened port:

adb -H <host_machine_IP> -P 5037 shell
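The `adb -a nodaemon server` step above binds the adb server to every interface on the host, which is what lets the networked VM reach it but also exposes the server to anything else on that network. The script below is an added example, not part of the original checklist: it restarts the server the same way on a Linux host (`adb kill-server` standing in for the Windows `taskkill` command) and then reads `ss -ltn` to confirm how port 5037 is actually bound. It assumes `adb` and `ss` (iproute2) are on PATH; the `ss` listings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original checklist: restart the adb server so a
# networked VM can reach it, then verify how the listener is really bound.
# Assumes `adb` and `ss` (iproute2) are on PATH of a Linux host; the Windows
# equivalent of kill-server in the checklist is `taskkill /f /t /im adb.exe`.

# Classify how TCP port 5037 is bound from an `ss -ltn` listing passed in as text.
# Prints one of: all-interfaces (reachable from the network, which `adb -a` does),
# loopback (adb's default), or none (no server listening).
# Constructed sample of a matching line: "LISTEN 0 4096 0.0.0.0:5037 0.0.0.0:*"
adb_bind_scope() {
  listing="$1"
  if printf '%s\n' "$listing" | grep -Eq '(0\.0\.0\.0|\*|\[::\]):5037[[:space:]]'; then
    echo "all-interfaces"
  elif printf '%s\n' "$listing" | grep -Eq '(127\.0\.0\.1|\[::1\]):5037[[:space:]]'; then
    echo "loopback"
  else
    echo "none"
  fi
}

# Stop any adb server holding port 5037, start one listening on all interfaces
# (the `adb -a nodaemon server` step) in the background, and report the bind scope.
restart_adb_networked() {
  adb kill-server 2>/dev/null || true
  adb -a nodaemon server >/tmp/adb-server.log 2>&1 &
  sleep 1
  adb_bind_scope "$(ss -ltn)"
}

# Usage: ./adb_networked.sh --run  (then, from the VM: adb -H <host_machine_IP> -P 5037 shell)
if [ "${1:-}" = "--run" ]; then
  echo "adb server bound to: $(restart_adb_networked)"
fi
```

If the result is `all-interfaces`, restrict port 5037 to the testing VM's address with the host firewall for the duration of the engagement and run `adb kill-server` when finished; a result of `loopback` means the `-a` flag did not take effect and the VM will not be able to connect.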

Android Manifest.xml

  • Present in every Android App

  • It is also where the basics of the application are defined, such as permissions, Content Providers, Activities, and minSdkVersion

Information Gathering:

Find information about the company via the Google Play store

  • Read app reviews and app announcements

  • Enumerate the creator of the application

  • Enumerate versions and patch notes

  • Enumerate other apps that belong to the company

Key AndroidManifest.xml attributes:

  • targetSdkVersion - OS version an app was designed for

  • <manifest package="com.vulnerableapp.test"> - describes the package/app name

  • <uses-sdk android:minSdkVersion="17" android:targetSdkVersion="21"/> - app minimum and target SDK versions (the supported range)

Pulling an APK

  1. Download the app from the Google Play store on the Android device, OR an .apk file will be provided by the client

  2. Run the following commands in a terminal:

    1. adb shell (this drops you into a shell on your emulator or physical phone)

    2. pm list packages | grep <Identifier> (this displays the name of the package installed on the phone; in our case we ran grep injured; copy the result for step 3 below)

    3. pm path <packagename> (lists the file path of the package; copy the file path for step 5 below)

    4. Exit the adb shell with: exit

    5. adb pull <PathToPackage> <NameOfNewFile>.apk (this pulls the APK from the file path on the phone and saves it under whatever file name we want)

APK from phone to computer: the adb shell, pm path and adb pull commands above are what move the APK from the phone to your computer.
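The five-step pull above works for a single-file install, but many Play Store apps are installed as split APKs, where `pm path` returns several lines (base.apk plus split_config.*.apk) and a single `adb pull` of the first path leaves the decompiler with an incomplete app. The script below is an added example, not part of the original checklist: it automates the identifier lookup, refuses to continue when the identifier matches more than one package, and pulls every path the package resolves to. It assumes `adb` is on PATH with one device or emulator attached; the package names used in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original checklist: automate the "Pulling an APK"
# steps (pm list packages -> pm path -> adb pull). Assumes `adb` is on PATH with one
# device or emulator attached. Package names such as com.example.injured are constructed.

# Strip the "package:" prefix that `pm list packages` and `pm path` print on every line.
strip_package_prefix() {
  printf '%s\n' "$1" | sed 's/^package://'
}

# From raw `pm list packages` output, return the package names that contain the
# identifier (the `| grep <Identifier>` step), one per line.
match_packages() {
  raw="$1"; needle="$2"
  printf '%s\n' "$raw" | grep -- "$needle" | sed 's/^package://'
}

# Local file name for the Nth path returned by `pm path`. Split APK installs return
# several paths; the checklist's single `adb pull` would fetch only the first one.
dest_name() {
  out="$1"; n="$2"
  if [ "$n" -eq 0 ]; then
    printf '%s.apk\n' "$out"
  else
    printf '%s-split%s.apk\n' "$out" "$n"
  fi
}

# Pull every APK belonging to the package. Usage: pull_apk <package> <output name>
pull_apk() {
  pkg="$1"; out="$2"
  # tr -d '\r' removes the CRLF line endings that `adb shell` emits on some hosts
  paths=$(strip_package_prefix "$(adb shell pm path "$pkg" | tr -d '\r')")
  [ -n "$paths" ] || { echo "no APK path found for $pkg" >&2; return 1; }
  n=0
  for p in $paths; do
    adb pull "$p" "$(dest_name "$out" "$n")" || return 1
    n=$((n + 1))
  done
}

# Example session: ./pull_apk.sh injured injuredandroid
if [ "$#" -ge 2 ]; then
  matches=$(match_packages "$(adb shell pm list packages | tr -d '\r')" "$1")
  if [ -z "$matches" ]; then
    echo "identifier '$1' matched no installed package" >&2
    exit 1
  fi
  if [ "$(printf '%s\n' "$matches" | wc -l | tr -d ' ')" -ne 1 ]; then
    echo "identifier '$1' is ambiguous, matched:" >&2
    printf '%s\n' "$matches" >&2
    exit 1
  fi
  pull_apk "$matches" "$2"
fi
```

Feed the resulting base APK to MobSF or jadx as before; the split APKs usually hold only resources and native libraries, but native libraries are exactly where hard-coded secrets and custom crypto tend to hide, so keep them with the base.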

Testing Methodology

  1. Open Android Studio

  2. Plug in the phone and make sure it connects to Android Studio

  3. Run the following to make a connection over USB so traffic from the phone goes through Burp (physical phone)

  4. Pull the APK or install the APK

  5. Throw the APK into MobSF for static analysis (MobSF looks through all the files and pulls out data for you)

  6. Use apktool to extract the files from the APK for a more manual static analysis

  7. jadx-gui can also be used to search the files manually

  8. Open the app on the phone or emulator

  9. Make sure traffic is being proxied through Burp

  10. Run objection

  11. Disable SSL pinning if the app prevents you from exploring it

  12. Check the Android Keystore for any credentials

  13. Run Drozer with the following commands

  14. If there is a Firebase URL, navigate to it and add the following JSON check to see if it is vulnerable

  15. In Android Studio check /data/data/<com.example.android>

  16. Copy the DBs to the SD card

  17. Pull the DBs to the local machine

  18. View the DBs in DB Browser for SQLite

  19. Do a manual click-through and generate some traffic through Burp

  20. Run a Burp scan

  21. Test the app like it's a web app (XSS, SQL injection, login bypass, etc.)

  22. Check the logs in Android Studio to see if any sensitive data is passed through
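Steps 15 to 18 copy the app's SQLite databases off the device for review. One detail the checklist does not mention: a database in WAL mode keeps its most recent writes in a separate `<name>-wal` file (indexed by `<name>-shm`), so pulling only the `.db` file gives DB Browser for SQLite a stale view and can hide exactly the session tokens or cached records you are looking for. The script below is an added example, not part of the original checklist: it stages the whole databases directory to the SD card with root (step 16) for a plain `adb pull` (step 17), and offers a `run-as` variant for debuggable builds on unrooted devices that pulls each database together with its WAL/SHM companions. It assumes `adb` is on PATH; the package name and file names in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original checklist: pull an app's SQLite databases
# (methodology steps 15-18) including their WAL/SHM companions. Assumes `adb` is on
# PATH. The package name com.example.injured and file names are constructed samples.

# SQLite in WAL mode keeps recent writes in <name>-wal with an index in <name>-shm.
# Pulling only the .db file shows a stale view, so always fetch all three names.
db_companions() {
  db="$1"
  printf '%s\n%s-wal\n%s-shm\n' "$db" "$db" "$db"
}

# Remote directory holding the app's databases under /data/data/<package> (step 15).
db_dir() {
  printf '/data/data/%s/databases\n' "$1"
}

# Rooted device or emulator: copy the databases directory to the SD card (step 16)
# so that a plain `adb pull` can read it (step 17). Requires `su` on the device.
stage_dbs_to_sdcard() {
  pkg="$1"
  adb shell su -c "mkdir -p /sdcard/dbdump && cp $(db_dir "$pkg")/* /sdcard/dbdump/"
}

# Unrooted device, debuggable build: `run-as` executes as the app's own UID with its
# data directory as the working directory, so the private files can be read directly.
# `adb exec-out` streams raw bytes, avoiding the CRLF translation of `adb shell`.
pull_db_run_as() {
  pkg="$1"; name="$2"; outdir="$3"
  mkdir -p "$outdir"
  for f in $(db_companions "$name"); do
    # The -wal/-shm files only exist while the database is open in WAL mode,
    # so a missing companion is not an error; drop the empty file it leaves behind.
    adb exec-out run-as "$pkg" cat "databases/$f" > "$outdir/$f" 2>/dev/null || true
    [ -s "$outdir/$f" ] || rm -f "$outdir/$f"
  done
}

# Usage (rooted): ./pull_dbs.sh com.example.injured
# Usage (run-as): ./pull_dbs.sh com.example.injured app.db ./dbdump
if [ "$#" -ge 3 ]; then
  pull_db_run_as "$1" "$2" "$3"
elif [ "$#" -ge 1 ]; then
  stage_dbs_to_sdcard "$1" && adb pull /sdcard/dbdump ./dbdump
fi
```

Open the pulled `.db` in DB Browser for SQLite with its `-wal` and `-shm` files sitting beside it under the same names; the browser then replays the WAL and shows the current contents. Remove the staged copy from `/sdcard/dbdump` once the pull is verified, since the SD card is world-readable to every other app on the device.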

Tool downloads

  • Install Java for your testing OS (if not installed already)

  • JADX-GUI for Windows .exe (add the .exe to C:\Windows for CLI use)

  • ADB Install - download SDK Platform-Tools for your host OS

  • Install Apktool for the testing OS

  • Download Android Studio, GenyMotion, or Visual Studio Emulator for Android for the testing OS

  • APKLeaks - analyze compiled APK file

Source:

  • Official Android Security Documentation

  • https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05b-basic-security_testing