Methodology: Learn Android Application Security Testing
Dec 07, 17 | Methodology
Hello and welcome. Hopefully, this will turn into a series covering the basic methodology behind a variety of forms of penetration testing!
OWASP Top 10
While neither a Bible nor a complete list, the OWASP Top 10 is a good jumping-off point when thinking about potential security issues.
- Improper Platform Usage
- Insecure Data Storage
- Insecure Communication
- Insecure Authentication
- Insufficient Cryptography
- Insecure Authorization
- Client Code Quality
- Code Tampering
- Reverse Engineering
- Extraneous Functionality
Tooling
A variety of tools exist for Android security assessments. I’ll address those I’ve found most helpful, and attempt to outline their best use case, and their drawbacks. These tools run the gamut from static source code analysis, to dynamic, on device hooking.
Manitree
Manitree is an AndroidManifest.xml security auditor. Every Android application must contain an app manifest, which provides a variety of configuration and permission information. Manitree is one of many tools that uses static analysis to highlight potential vulnerabilities introduced by the misconfiguration of the AndroidManifest.xml.
Drawbacks
- Hasn't been updated in six years
- Functionality is a subset of that in other tools
How to use
Nice and easy: clone the GitHub repo and point manitree.py at the AndroidManifest.xml (requires adb and Python).
droid-hunter
droid-hunter is an Android application vulnerability analysis and Android pentest tool. When run on an Android package (APK), it performs a number of functions.
- App info check (manifest analysis)
- Baksmaling android app
- Decompile android app
- Extract class files
- Extract java code
Drawbacks
- Minimal automated vulnerability analysis
How to use
Again, nice and easy (if you already have Ruby installed): clone the repo and run dhunter.rb against the target APK.
QARK
QARK is a tool designed to look for several security-related Android application vulnerabilities, either in source code or packaged APKs. It runs interactively, and can identify 25 different classes of vulnerabilities. It can then generate proof-of-concept deployable APKs or ADB commands.
Drawbacks
- Report generation frequently fails
- Many findings are informational, and the report can be hard to parse
How to use
And again, clone the repo and run qarkMain.py interactively.
MobSF
MobSF is an all-in-one open source mobile application (Android/iOS/Windows) automated pen-testing framework. MobSF can perform both static and dynamic analysis, and additionally can perform Web API fuzzing. It even supports Windows and iOS.
P.S. Go read [$ git blame MobSF](/2017/12/06/git-blame-mobsf/) to see my minor contribution to the framework!
Drawbacks
- Complicated configuration
How to use
For static analysis only, it's easy to use Docker:

```shell
docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
```

Dynamic analysis gets significantly more complicated; the GitHub wiki provides step-by-step instructions that require spinning up a MobSF VM (link).
drozer
drozer is an on-device, interactive security testing framework. It includes both a server and a client agent, which allow it to interact with the target by assuming the role of an app.
Drawbacks
- Complicated configuration
- Sophisticated to use, requires significant manual tooling
How to use
Install the drozer agent on a jailbroken Android device.

For Ubuntu:

```shell
# Install the .deb from https://github.com/mwrlabs/drozer/releases
sudo dpkg -i <drozer .deb>
sudo apt install -f
sudo apt install android-tools-adb
```

On the Android device, download the APK for the drozer agent and install it.

On your computer: `drozer console connect --server {ANDROID_IP}`

Useful commands:

- `run app.package.info -a {PACKAGE}`
- `run app.package.attacksurface {PACKAGE}`
- `run app.activity.info -a {PACKAGE}`
- `run app.provider.info -a {PACKAGE}`
Other testing
A few other tips and methods:

Manual testing:

- Proxy application traffic
- Check for certificate pinning
- Enumerate mobile endpoints
- Check for "hidden" information included in responses

Unzip the APK (try using droid-hunter):

- Look for usage of ProGuard; easy to identify when you use Android Studio's "Profile or Debug APK"
- Look for the inclusion of extraneous, potentially sensitive files
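An APK is just a zip, so two of the items above, enumerating mobile endpoints and looking for extraneous, potentially sensitive files, can be scripted over its entries. The following is an added example and not droid-hunter's code; it assumes nothing beyond the Python standard library. It builds a constructed in-memory APK (the file names, URLs and "hunter2" password are all made up) and then walks the entries, flagging version-control and OS metadata, database and key material, config files containing credential-like keys, and every http(s) URL found in text assets, separating out the cleartext ones. Compiled resources and the manifest inside a real APK are binary, so for thorough endpoint enumeration decode with apktool first and point the script at the decoded tree zipped back up, or extend it to read the decoded directory.

```python
"""APK content triage (added example; not droid-hunter's code).

Walks the zip entries of an APK, flags files that should not ship in a
release build, and pulls http(s) URLs out of text assets so backend
endpoints can be listed before any traffic is proxied.
"""
import io
import posixpath
import re
import sys
import zipfile

# Heuristic lists (constructed for this example; extend to taste).
SENSITIVE_EXT = {".sql", ".db", ".sqlite", ".jks", ".keystore", ".p12",
                 ".pem", ".key", ".bak", ".log", ".zip"}
SENSITIVE_PARTS = {".git", ".svn", ".DS_Store", "Thumbs.db"}
TEXT_EXT = {".json", ".xml", ".properties", ".txt", ".js", ".html", ".htm",
            ".cfg", ".ini", ".yaml", ".yml"}
CREDENTIAL_KEY = re.compile(r"^\s*(password|passwd|secret|api[_-]?key|token)\s*[=:]",
                            re.I | re.M)
URL = re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+")


def build_sample_apk():
    """Constructed stand-in for a real APK: a zip with typical entries plus
    several things a release build should not contain."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")   # binary AXML placeholder
        zf.writestr("classes.dex", b"dex\n035\x00")               # dex header placeholder
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82")
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF")
        zf.writestr("res/raw/config.json",
                    b'{"api_base": "https://api.example.com/v1/", "timeout": 30}')
        zf.writestr("assets/debug.properties",
                    b"server.url=http://legacy.example.com/login\npassword=hunter2\n")
        zf.writestr("assets/backup.sql", b"INSERT INTO users VALUES (1, 'admin');")
        zf.writestr("assets/keystore.jks", b"\xfe\xed\xfe\xed")
        zf.writestr("assets/.git/config",
                    b"[remote \"origin\"]\n\turl = git@internal.example.com:team/app.git\n")
    buf.seek(0)
    return buf


def inspect_apk(apk):
    """apk is a path or a file-like object holding the zip. Returns a dict with
    suspicious_files (name, reason), endpoints and cleartext_endpoints."""
    report = {"suspicious_files": [], "endpoints": [], "cleartext_endpoints": []}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = posixpath.splitext(name)[1].lower()
            reason = None
            if any(part in SENSITIVE_PARTS for part in name.split("/")):
                reason = "VCS/OS metadata packaged into the APK"
            elif ext in SENSITIVE_EXT:
                reason = "sensitive file type (%s)" % ext
            if ext in TEXT_EXT:
                # Compiled resources decode to noise; plain assets decode cleanly.
                text = zf.read(name).decode("utf-8", errors="ignore")
                if reason is None and CREDENTIAL_KEY.search(text):
                    reason = "credential-like key in config"
                for url in URL.findall(text):
                    if url not in report["endpoints"]:
                        report["endpoints"].append(url)
                    if url.startswith("http://") and url not in report["cleartext_endpoints"]:
                        report["cleartext_endpoints"].append(url)
            if reason is not None:
                report["suspicious_files"].append((name, reason))
    return report


if __name__ == "__main__":
    # Usage: python inspect_apk.py app.apk (defaults to the constructed sample)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_apk()
    rep = inspect_apk(target)
    for name, reason in rep["suspicious_files"]:
        print("SUSPICIOUS %-32s %s" % (name, reason))
    for url in rep["endpoints"]:
        print("ENDPOINT   %s%s" % (url, "  (cleartext)" if url in rep["cleartext_endpoints"] else ""))
```

On the sample this lists the .git metadata, the SQL dump, the keystore and the properties file with a password in it, and reports two endpoints, one of them plain HTTP. The cleartext list pairs naturally with the usesCleartextTraffic manifest flag and with the certificate-pinning check above: an endpoint that is reachable over HTTP cannot be pinned at all.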