Pentest Book
Android

Tools

Extract

# Jadx - decompiler gui
jadx-gui
# Jadx - decompiler cli (with deobfuscation)
jadx -d path/to/extract/ --deobf app_name.apk

# Apkx decompiler
apkx example.apk

# Apktool
apktool d app_name.apk

Get sensitive info

# Urls and secrets
# https://github.com/dwisiswant0/apkleaks
python apkleaks.py -f ~/path/to/file.apk

# Analyze URLs in apk:
# https://github.com/shivsahni/APKEnum
python APKEnum.py -p ~/Downloads/app-debug.apk

# Quick wins tool (go branch)
# https://github.com/mzfr/slicer
slicer -d path/to/extracted/apk

# Unpack apk and find interesting strings
apktool d app_name.apk
cd apk_folder
grep -EHirn "accesskey|admin|aes|api_key|apikey|checkClientTrusted|crypt|http:|https:|password|pinning|secret|SHA256|SharedPreferences|superuser|token|X509TrustManager|insert into" .
grep -Phro "(https?://)[\w./-]+[\"'\`]" . | sed "s/[\"'\`]//g" | anew | grep -v "w3\|android\|github\|http://schemas.android\|google\|http://goo.gl"

# Regexes for FCM server keys / Google API keys (push notification service keys)
AAAA[A-Za-z0-9_-]{7}:[A-Za-z0-9_-]{140}
AIza[0-9A-Za-z_-]{35}

# FCM Google Server Keys Validation
# https://github.com/adarshshetty18/fcm_server_key
python3 fcmserverkey.py file.apk

# Facebook Static Analysis Tool
https://github.com/facebook/mariana-trench/

# Manifest.xml findings:
android:allowBackup = TRUE
android:debuggable = TRUE
android:exported = TRUE or not set (within the <provider> tag) --> allows external apps to access the data
android.permission.WRITE_EXTERNAL_STORAGE / READ_EXTERNAL_STORAGE (ONLY IF sensitive data is stored/read externally)
Use of permissions
e.g. the app opens a website in the external browser (not in-app), yet requires "android.permission.INTERNET" --> wrong usage of permissions (over-privileged)
"android:protectionLevel" not set properly (<permission android:name="my_custom_permission_name" android:protectionLevel="signature"/>)
missing android:permission (permission attributes limit exposure to other apps)
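The manifest findings above as a check you can run over an apktool-decoded AndroidManifest.xml. This is an added example, not part of the Pentest Book; the manifest it parses is a constructed sample, and it applies the android:permission rule to exported activities, services and receivers as well as providers.

```python
# Added example, not from the Pentest Book: audit an apktool-decoded
# AndroidManifest.xml for the manifest findings listed above.
# SAMPLE_MANIFEST is a constructed input for the demo.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <permission android:name="com.example.app.INTERNAL" android:protectionLevel="normal"/>
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true"/>
    <service android:name=".UploadService" android:exported="true" android:permission="com.example.app.INTERNAL"/>
    <provider android:name=".DataProvider" android:authorities="com.example.app.data"/>
  </application>
</manifest>"""

def is_launcher(comp):
    """Launcher activities are exported by design, so they are not reported."""
    return any(a.get(NS + "name") == "android.intent.action.MAIN" for a in comp.iter("action"))

def audit_manifest(xml_text):
    """Return [(severity, message)] for the checks in the list above."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app.get(NS + "allowBackup") == "true":
        findings.append(("medium", "allowBackup=true: app data can be pulled with adb backup"))
    if app.get(NS + "debuggable") == "true":
        findings.append(("high", "debuggable=true: run-as / debugger attach on any device"))
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.iter(tag):
            exported = comp.get(NS + "exported")
            # exported="true", or unset with an intent-filter; a <provider> with
            # exported unset is treated as exported (the default for targetSdk < 17)
            implicit = comp.find("intent-filter") is not None or tag == "provider"
            if exported == "true" or (exported is None and implicit):
                if comp.get(NS + "permission") is None and not is_launcher(comp):
                    findings.append(("high", "%s %s exported without android:permission"
                                     % (tag, comp.get(NS + "name"))))
    for perm in root.iter("permission"):
        if perm.get(NS + "protectionLevel") != "signature":
            findings.append(("low", "custom permission %s is not protectionLevel=signature"
                             % perm.get(NS + "name")))
    return findings
```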

Static analyzers

# Android Malware Analyzer
# https://github.com/quark-engine/quark-engine
pipenv shell
quark -a test.apk -r rules/ --detail

# Androtickler
https://github.com/ernw/AndroTickler
java -jar AndroTickler.jar

# androbugs.py
python androbugs.py -f /root/android.apk

# MobSF
# https://github.com/MobSF/Mobile-Security-Framework-MobSF

- Findings:
Cleartext credentials (includes base64 encoded or weakly encrypted ones)
Credentials cracked (brute-force, guessing, decrypted with a stored cryptographic key, ...)
File permission MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE (other apps/users are able to read/write)
If http is in use (no SSL/TLS)
Anything that shouldn't be there (debug info, comments with info disclosure, ...)

Manual analysis (adb, frida, objection, etc...)

# Good Checklist
https://mobexler.com/checklist.htm#android

# Adb
# https://developer.android.com/studio/command-line/adb?hl=es-419
adb connect IP:PORT/ID
adb devices
adb shell
adb push
adb install
adb shell pm list packages # List all installed packages
adb shell pm path xx.package.name

# DeviceId
adb shell
settings get secure android_id
adb shell sqlite3 /data/data/com.android.providers.settings/databases/settings.db "select value from secure where name = 'android_id'"

# Frida (rooted device method)
# https://github.com/frida/frida/releases
adb root
# Push the server under the name the chmod/start line below expects
adb push /root/Downloads/frida-server-12.7.24-android-arm /data/local/tmp/frida-server # Linux
adb push C:\Users\username\Downloads\frida-server-12.8.11-android-arm /data/local/tmp/frida-server # Windows
adb shell "chmod 755 /data/local/tmp/frida-server && /data/local/tmp/frida-server &"
frida-ps -U # Check frida is running correctly
# Run Frida script
frida -U -f com.vendor.app.version -l PATH\fridaScript.js --no-pause

# Easy way to load Frida Server in a Rooted Device
https://github.com/dineshshetty/FridaLoader

# Frida (NON rooted device) a.k.a. patch the apk
# a) Lief injector method
# https://gitlab.com/jlajara/frida-gadget-lief-injector
# b) Objection and dalvik bytecode method
https://github.com/sensepost/objection/wiki/Patching-Android-Applications#patching---patching-an-apk

# Frida resources
https://codeshare.frida.re/
https://github.com/dweinstein/awesome-frida
https://rehex.ninja/posts/frida-cheatsheet/
https://github.com/androidmalware/android_frida_scripts

# Objection
# https://github.com/sensepost/objection
objection --gadget com.vendor.app.xx explore
android sslpinning disable

# Android Backup files (*.ab files): skip the 24-byte header and fake a gzip header in front of the zlib payload
( printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -c +25 backup.ab ) | tar xfvz -

# Useful apps:
# Xposed Framework
# RootCloak
# SSLUnpinning

# Check Info Stored
find /data/app -type f -exec grep --color -Hsiran "FINDTHIS" {} \;
find /storage/sdcard0/Android/ -maxdepth 7 -exec ls -dl \{\} \;

/data/data/com.app/databases/keyvalue.db
/data/data/com.app/databases/sqlite
/data/app/
/data/user/0/
/storage/emulated/0/Android/data/
/storage/emulated/0/Android/obb/
/assets
/res/raw
/target/global/Constants.java

# Check logs during app usage
https://github.com/JakeWharton/pidcat

# Download apks
https://apkpure.com
https://apps.evozi.com/apk-downloader/
https://apkcombo.com/
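The *.ab one-liner above done in Python, with the backup header validated first so an encrypted backup fails with a clear error instead of producing a corrupt tar. This is an added example, not the Pentest Book's code; make_sample_ab() builds a constructed backup so it runs offline.

```python
# Added example, not from the Pentest Book: strip the adb backup header the way
# the printf/tail/tar one-liner does, but check the header fields first.
# make_sample_ab() builds a constructed, unencrypted backup for the demo.
import io
import tarfile
import zlib

def ab_to_tar(ab_bytes):
    """Return the tar payload of an unencrypted adb backup."""
    # Header is four newline-terminated lines ("ANDROID BACKUP\n5\n1\nnone\n"
    # is 24 bytes), which is why the one-liner starts at byte 25 (tail -c +25).
    parts = ab_bytes.split(b"\n", 4)
    if len(parts) < 5 or parts[0] != b"ANDROID BACKUP":
        raise ValueError("not an Android backup file")
    _version, compressed, encryption, payload = parts[1:]
    if encryption != b"none":
        raise ValueError("encrypted backup (%s), decrypt it first" % encryption.decode())
    if compressed == b"1":
        # The payload is a zlib stream; the one-liner fakes a gzip header in front
        # of it and lets tar inflate it, here zlib inflates it directly.
        payload = zlib.decompress(payload)
    return payload

def make_sample_ab(files, compressed=True):
    """Build a constructed, unencrypted (version 5) backup from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    payload = zlib.compress(buf.getvalue()) if compressed else buf.getvalue()
    return b"ANDROID BACKUP\n5\n%d\nnone\n" % (1 if compressed else 0) + payload

def list_backup(ab_bytes):
    """Return {member name: content} for the regular files inside the backup."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(ab_bytes)), mode="r:") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}
```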

Burp Cert Installation > Android 7.0

#!/bin/bash
# Export only the certificate from Burp in DER format first (cacert.der)
openssl x509 -inform DER -in cacert.der -out cacert.pem
export CERT_HASH=$(openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1)
adb root && adb remount
adb push cacert.pem "/sdcard/${CERT_HASH}.0"
adb shell su -c "mv /sdcard/${CERT_HASH}.0 /system/etc/security/cacerts/"
adb shell su -c "chmod 644 /system/etc/security/cacerts/${CERT_HASH}.0"
rm -rf cacert.*
# Reboot the device

Tips

Recon:
- AndroidManifest.xml (basically a blueprint for the application)
  Find exported components, API keys, custom deep link schemes, scheme endpoints, etc.
- resources.arsc/strings.xml
  Developers are encouraged to store strings in this file instead of hard coding them in the application.
- res/xml/file_paths.xml
  Shows file save paths.
- Search source code recursively
  Especially BuildConfig files.
- Look for Firebase DB:
  Decompiled apk: Resources/resources.arsc/res/values/strings.xml, search for "firebaseio.com" and try to access:
  https://*.firebaseio.com/.json

API Keys:
- String references in Android classes
  getString(R.string.cmVzb3VyY2VzX3lv)
  cmVzb3VyY2VzX3lv is the string resource label.
- Find these string references in strings.xml
  apikeyhere
- Piece together the domains and required params in source code

Exported components:
- Activities - Entry points for application interactions of components specified in AndroidManifest.xml.
  Has several states managed by callbacks such as onCreate().
  → Access to protected intents via exported Activities
  One exported activity that accepts a user provided intent can expose protected intents.
  → Access to sensitive data via exported Activity
  Often combined with deep links to steal data via unvalidated parameters, e.g. writing session tokens to an external file.
  → Access to sensitive files, stealing files, replacing imported files via exported Activities
  external-files-path, external-path
  Public app directories
  → Look for "content://" in source code
- Service - Supplies additional functionality in the background.
  → Custom file upload service example that is vulnerable because android:exported="true". When exported, third-party applications can send data to the service or steal sensitive data from the application, depending on the service's function. Check whether params and intent data can be set with a proof-of-concept application.
- Broadcast receivers - Receive broadcasts from events of interest. The broadcast intents they handle are usually specified in the receiver's declaration.
  → Vulnerable when the receiver is exported and accepts user provided broadcasts.
  → Any application, including malicious ones, can send an intent to this broadcast receiver, causing it to be triggered without any restrictions.
- Content providers - Help applications manage access to stored data and share data with other Android applications.
  → Content providers that connect to SQLite can be exploited via SQL injection by third-party apps.

Deep links
- In Android, a deep link is a link that takes you directly to a specific destination within an app.
- Think of deep links as Android URLs to specific parts of the application.
- Usually mirrors the web application, except with a different scheme that navigates directly to specific Android activities.
- Verified deep links can only use http and https schemes. Sometimes developers keep custom schemes for testing new features.
- The type of vulnerability depends on how the scheme://, host and parameters are validated:
  → CSRF - Test when autoVerify="true" is not present in AndroidManifest.xml; it's easier then.
  → Open redirect - Test when custom schemes do not verify endpoint parameters or hosts.
  → XSS - Test when endpoint parameters or host are not validated and addJavascriptInterface and setJavascriptEnabled(true) are used.
  → LFI - Test when deep link parameters aren't validated. appschema://app/goto?file=

Database encryption
- Check whether the database under /data/data/<package_name>/ is encrypted
- Check the source code for database credentials

Allowed backup
- Can lead to sensitive information disclosure
- adb backup com.vendor.app

Logging Enabled
- Check logcat during login and any other action performed

Storing Sensitive Data in External Storage
- Check data stored after usage in /sdcard/android/data/com.vendor.app/

Weak Hashing Algorithms
- MD5 is a weak algorithm and has known collisions

Predictable Random Number Generator (PRNG)
- java.util.Random is predictable (java.security.SecureRandom is the cryptographically secure alternative)

Hard-coded Data
- Hard-coded user authentication information (credentials, PINs, etc.)
- Hard-coded cryptographic keys.
- Hard-coded keys used for encrypted databases.
- Hard-coded API keys / private keys
- Hard-coded keys that have been encoded or encrypted (e.g. base64 encoded, XOR encrypted, etc.).
- Hard-coded server IP addresses.

Debug Mode enabled
- Start a shell on Android and gain an interactive shell as the app with the run-as command
- run-as com.vendor.app
- adb exec-out run-as com.vendor.app cat databases/appName > appNameDB-copy

If you get a built-in WebView, try to access:
appscheme://webview?url=https://google.com
appscheme://webview?url=javascript:document.write(document.domain)

If installing an apk in Genymotion fails with "INSTALL_FAILED_NO_MATCHING_ABIS":
- The apk is compiled only for ARM
- Download the zip for your Android version here: https://github.com/m9rco/Genymotion_ARM_Translation
- Move the zip to the VM and flash it
https://pentester.land/tips-n-tricks/2018/10/19/installing-arm-android-apps-on-genymotion-devices.html
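The "API Keys" tip above (follow getString(R.string.<label>) references back to strings.xml) combined with the FCM / Google API key regexes from the "Get sensitive info" block: the checker resolves each referenced resource and reports the ones whose value looks like a key, plus key-looking resources the code never references. Added example, not the Pentest Book's code; the strings.xml, Java source and key values are constructed placeholders.

```python
# Added example, not from the Pentest Book: resolve R.string.<label> references
# from decompiled sources to strings.xml values and flag the ones matching the
# FCM / Google API key regexes on this page. All inputs are constructed.
import re
import xml.etree.ElementTree as ET

KEY_PATTERNS = {
    "fcm_server_key": re.compile(r"AAAA[A-Za-z0-9_-]{7}:[A-Za-z0-9_-]{140}"),
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
}
REF_RE = re.compile(r"R\.string\.(\w+)")

FAKE_GOOGLE_KEY = "AIza" + "0" * 35                   # constructed placeholder
FAKE_FCM_KEY = "AAAA" + "a" * 7 + ":" + "b" * 140     # constructed placeholder

STRINGS_XML = """<resources>
  <string name="app_name">Demo</string>
  <string name="cmVzb3VyY2VzX3lv">%s</string>
  <string name="push_key">%s</string>
  <string name="welcome">Hello</string>
</resources>""" % (FAKE_GOOGLE_KEY, FAKE_FCM_KEY)

JAVA_SRC = """
public class ApiClient {
    String key = ctx.getString(R.string.cmVzb3VyY2VzX3lv);
    String title = ctx.getString(R.string.app_name);
}
"""

def load_strings(xml_text):
    """Map string resource labels to their values."""
    return {s.get("name"): s.text or "" for s in ET.fromstring(xml_text).iter("string")}

def classify(value):
    """Name of the first key pattern the value matches, else None."""
    for pname, pat in KEY_PATTERNS.items():
        if pat.search(value):
            return pname
    return None

def scan_strings(strings, java_src):
    """[(label, pattern_name, referenced)] for resources that look like keys;
    referenced tells whether the code reads them via R.string.<label>."""
    used = set(REF_RE.findall(java_src))
    hits = []
    for label, value in strings.items():
        kind = classify(value)
        if kind:
            hits.append((label, kind, label in used))
    return hits
```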

Mindmaps