I. Introduction
Smartphone technologies have made undeniable strides during the last decade. You can find for yourself the mind-boggling statistics of that rapid growth in this blog.
With the dominance of this relatively new generation of Internet connected devices, it’s vital to improve on its security aspects. Among them all, Android and IOS are the most popular systems. This blog post will guide you through the absolute fundamental installations and concepts of Android pentest.
II. Android Pentest preparation
1. Get a device
No matter it’s an emulator or a real device, first you have to set up one for testing purposes. Keep this only for testing - never put any sensitive information or application in it.
[*] For physical devices
You will soon find out that there’s not much you can do with a newly unboxed Android phone. Therefore, the absolute first step should be rooting it. The recommended tool is the open-source rooting software Magisk.
You can find a quite detailed tutorial in this blog.
[*] For emulators
You can use the basic Android Emulator in Android Studio. On my machine (Linux), however, there’s a memory leak issue that led to a restriction of 30 minutes of usage at most before whole system halt and required a forced reboot. Therefore, I switched to Genymotion. Not open-source, but the smoothest emulating feeling I’ve ever experienced.
You may also want to install BURP cert on the device, or maybe ZAP certificate if you’re too broke or just prefer open-source.
Be it a physical device or an emulator, installing necessary Android tools is still a must. There’re a few ways to do so, but the simplest method is to install Android Studio along with its SDK tools.
2. Get the APK
If you’ve ever used an Android at least once, you probably have used APKs, or least heard about it.
“The Android Package with the file extension
apkis the file format used by the Android operating system, and a number of other Android-based operating systems for distribution and installation of mobile apps, mobile games and middleware. It can be written in either Java or Kotlin.”
~ From Wikipedia ~
For more information, see this comprehensive fileinfo explanation.
Here’s a list of most famous 3rd party APK repositories that you can find:
apkpure.com: the largest APK library. The apps themselves are verified to be the same as on PlayStore. The apkpure app, however, once alleged for being infected by trojan. The problem seems to be fixed now, and APKPure is now my go-to place when finding a new APK.
apkmirror.com: As its name, it mirrors, which means it’s generally safe. Still, its APK library isn’t as large as APKPure.
And some other locations:
And evozi to download directly from PlayStore.
4. APK decompiling tools
Any apk is actually a valid zip file, so you can just change its extension to .zip and unzip it using 7zip or anything. However, there are specialized tools for working with APKs, with remarkable support in reverse engineering.
- APKtool: Might be hard to install for beginners, but it’s the tool of the trade for APK RE
- jadx, along with jadx-gui: the legendary Java decompiler. Now with GUI for more intuitive usage
- APKLab: My favourite all-in-one tool as a VSCode extension for all your needs
3. Static analysis tools
“Static analysis”, as the name suggests, is the process of examining the application while not run it. It’s the preferred method against source code and most malwares. There’s also a number of helpful tools assisting researchers in this process:
- Mobile Security Framework: All-in-one mobile application testing framework, capable of doing both static and dynamic analysis
MobileAudit: Performs static analysis with a nice web interface (written in Django).
apk-deguard: deobfuscating apk files on the web
deoptfuscator: Local code deobfuscator, stands out for its control flow graph
4. Dynamic analysis tools
Opposite to static analysis, dynamic analysis is the act of analyzing the application while it is running. This is the conventional procedure for testing most applications. As usual, there are lots of tools aiding in the research:
Honorary re-mention: the Mobile Security Framework
qark: A tool from LinkedIn the company. It’s extremely easy to use, work with common Android app exploits and can work on unrooted devices
- frida: Basically, it’s the tool for highly complex android app testing, capable of doing an overwhelming number of things, and is scriptable
- objection: built upon Frida, mostly for SSL unpinning
III. Common pre-pentest problems
1. SSL Pinning
If you want to know details about SSL certificates, here’s an article worth reading: https://medium.com/@appinventivinsider/how-to-bypass-ios-ssl-pinning-7a65ea149e69
But to keep it short:
When a mobile app communicates with a server, it uses SSL for protecting the transmitted data against tampering and eavesdropping. On a default mode, the SSL implementations used in the apps trust any server having certificates trusted by an operating system’s trust store.
With SSL pinning, the app is devised to reject every but one or limited predefined certificates. When the app connects with a server, it compares the certificate with the pinned certificate. Only when there is a match, the server is trusted and SSL connection gets established.
Basically there’re 3 types of pinning:
- Certificate pinning
- Public key pinning
- SPKI pinning
Bypassing SSL pinning is trivial in most cases. Normally you can go with the Frida and Burp’s CA Certificate route.
2. Anti VM
Pentesting on emulator is my overall preferred choice: in the matter of few clicks, you can instantly get for yourself an emulator of any Android version. The most popular emulator is, no doubt, Genymotion.
Actually for most professional pentesters, this is but a matter, because they mainly utilize a real device. On the other hand, although we have just started out, reversing the app to remove the detection should not be excessively difficult.
The ways applications use to detect an emulator are multivarious by itself. This is an example:
Simply modify all the strings and this function will be rendered harmless.
3. Root detection
While VM detection can be avoided with ease using a real device, the same thing can not be said for root detection. No matter it’s a physical device or an emulator, having it rooted is a must as it concerns many problems in the process of pentesting.
Here we have a fundamental script to detect root in 3 different ways:
/** @author Kevin Kowalewski */
public class RootUtil {
public static boolean isDeviceRooted() {
return checkRootMethod1() || checkRootMethod2() || checkRootMethod3();
}
private static boolean checkRootMethod1() {
String buildTags = android.os.Build.TAGS;
return buildTags != null && buildTags.contains("test-keys");
}
private static boolean checkRootMethod2() {
String[] paths = { "/system/app/Superuser.apk", "/sbin/su", "/system/bin/su", "/system/xbin/su", "/data/local/xbin/su", "/data/local/bin/su", "/system/sd/xbin/su",
"/system/bin/failsafe/su", "/data/local/su", "/su/bin/su"};
for (String path : paths) {
if (new File(path).exists()) return true;
}
return false;
}
private static boolean checkRootMethod3() {
Process process = null;
try {
process = Runtime.getRuntime().exec(new String[] { "/system/xbin/which", "su" });
BufferedReader in = new BufferedReader(new InputStreamReader(process.getInputStream()));
if (in.readLine() != null) return true;
return false;
} catch (Throwable t) {
return false;
} finally {
if (process != null) process.destroy();
}
}
}
And several other methods and packages support root detection.
A common practice is to review the source code and modify them as needed. There’re also plenty of tutorials on bypassing root detection.
4. Code obsfucation
Nothing much can be said about this. Remember those nightmare codes your colleagues showed you that looked just like it had been obsfucated? What did you do with them? In any case, just apply the exact same strategy with this one.
Indeed, there’re tools to support deobsfucating code. But in my opinion, those usually doesn’t help much, and for the most part you just grin and bear it.
IV. Where to go now?
There’re several guides on mobile pentesting on the Internet. In my experience, this is the most exhaustive one: https://mobile-security.gitbook.io/mobile-security-testing-guide/.
And as with any other topic, there’re an awesome repository for it.
And that’s about all the fundamentals to get your feet wet in Android penetration testing. As a final word, I wish you the best on your learning journey ahead!