Mobile apps are all the rage these days! People are using mobile apps for everything from banking to transferring money to finding dates online. The security aspect of these apps is still in its infancy. While most pentesters are accustomed to hacking web apps, mobile apps are rather unique because the Android OS is built differently from a PC OS. The highly sandboxed environment enables virtualization of any apps that run on it. Thus, each app is protected and has limited access to the underlying hardware abstraction layer. In my three-part series, I will approach hacking Android mobile apps by first introducing the adb connector and running an emulated version of Android. In my next series, I will run through the steps of using drozer to do dynamic analysis using a vulnerable app for practice.
Pentesting mobile apps on the Android operating system requires you to interact with the mobile device directly or via an emulator. The adb (Android Debug Bridge) utility allows you to do just that; it is included in the android-sdk package on Linux. You can download it here or run:
# apt-get install android-sdk
The adb command is in the ~/android-sdk/platform-tools/ directory; you can just symlink it into /usr/local/bin:
# ln -s ~/android-sdk/platform-tools/adb /usr/local/bin/adb
Once you have it installed, run the command:
# adb
Android Debug Bridge version 1.0.39
Revision 3db08f2c6889-android
Installed as /mnt/sdb3/android-sdk/platform-tools/adb
global options:
....
....
Now, you have 2 options:
1. Run the Android SDK's Android Virtual Device (AVD) Manager to emulate a virtual Android device on your PC.
OR
2. Plug your phone directly into the PC with a usb cable.
Since I don't wanna screw my real device up, I'll opt for the emulator option; that way, if I make any mistake, I can just revert the emulator. It's sort of like running a virtual machine for Android.
The AVD manager is at ~/android-sdk/tools/android. Just symlink it into your /usr/local/bin for convenience:
# ln -s ~/android-sdk/tools/android /usr/local/bin/android
Now execute 'android':
Next, make sure you install the required Android API; e.g., if you intend to create an Android 4.4.2 (API 19) device, check that API and install it.
Create your Virtual Device and select the appropriate settings:
Your Android Virtual Device should look like this:
Now it is time to connect to this emulator via adb. Take note of the port assigned, in this case 5554. You are going to use adb to connect to it.
Follow these instructions:
1. Enable USB debugging on the emulator, just as you would on a real device: go to Settings, tap on the build number 5 times, then go to Developer settings and check USB debugging.
2. Use adb to list the devices ready:
# adb devices
List of devices attached
emulator-5554 device
This means you are connected to the Android emulator! In my next article, we will cover how to use Drozer to start the penetration test on a vulnerable app.
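A pre-flight check for step 2, added here as an example and not part of the original post: it parses "adb devices" output and returns a serial only when exactly one emulator is in the "device" state and no physical phone is attached, so later commands cannot land on a real handset by accident. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# pick_emulator: read `adb devices` output on stdin and print the serial of
# the one emulator in state "device". Exit 2 if a physical device is attached
# (any serial that is not emulator-<port>), exit 1 if the number of ready
# emulators is not exactly one (offline/unauthorized ones do not count).
pick_emulator() {
    awk '
        /^List of devices attached/ || /^\*/ || NF < 2 { next }  # header, daemon notices, blanks
        $1 !~ /^emulator-[0-9]+$/ { physical = physical " " $1; next }
        $2 == "device"            { ready[++n] = $1; next }
        { notready = notready " " $1 "(" $2 ")" }
        END {
            if (physical != "") {
                printf "refusing: physical device attached:%s\n", physical | "cat >&2"
                exit 2
            }
            if (n != 1) {
                printf "need exactly 1 ready emulator, found %d; not ready:%s\n", n, notready | "cat >&2"
                exit 1
            }
            print ready[1]
        }'
}

# adb_port: emulator-5554 names the console port; that instance's adb port is
# the next one up (5555).
adb_port() { echo $(( ${1#emulator-} + 1 )); }

# Constructed sample listing, same shape as the output shown above.
sample_listing() { printf 'List of devices attached\nemulator-5554\tdevice\n\n'; }

serial=$(sample_listing | pick_emulator) &&
    echo "target: $serial (console port ${serial#emulator-}, adb port $(adb_port "$serial"))"

# Live use, with adb on PATH:
#   serial=$(adb devices | pick_emulator) && adb -s "$serial" shell getprop ro.build.version.sdk
```

Passing the returned serial with -s on every adb call keeps the session pinned to the emulator even if a phone is plugged in later.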
Happy hacking folks! :-)




