Android Pentesting 101 — Part 1

Welcome to this new series of Android Pentesting. This series is about how you can hack into Android and find vulnerabilities in it using various methods. In this series, we aim to achieve all the vulnerabilities which you can find along with the methodology. In the first part, we aim to cover a basic description of how android pentesting is done and all the tools required to perform it. So, Gear Up and load your arsenals!!!

Coming to the very basics, Mobile applications are generally of 3 types:

1. Native Applications: These are mobile applications developed for a particular Operating System (OS) or a Platform. They usually need an emulator and web-based attacks (such as XSS) are not possible on this kind of application.
2. Web-Based Applications: These are browser-based applications and generally use WebView (a system component in Android) to display web pages on Android Operating System. They do not need an emulator and web-based attacks (such as XSS) are possible.
3. Hybrid Applications: As the name suggests these are the combination of the above two applications and usually require an emulator for testing. These are the applications that you will find in the real world.

Now, before we learn about android pentesting, it is very important to know how Android Architecture works. I will be giving a short description of each component, but if you want to dig in more you can learn it from here.

1. Applications: The topmost layer of the architecture where all 3rd Party Applications are installed. Examples include Camera, WhatsApp, Google, etc.
2. Application Framework: This is the layer that provides various classes for the creation of the Android Application. Examples Activity Manager, Content Provider, etc.
3. Android Runtime: The most important layer consists of the Dalvik VM. Dalvik Virtual Machine (DVM) is similar to JVM which enables the applications to run and provides various platform libraries such as SSL, SQLite, Media, etc.
4. Linux Kernel: This is the heart of the android architecture and provides features such as security, memory management, process management, etc.

Now let's quickly have a sneak peek at various Android Components.

1. Activity: These are java classes that have some predefined functions which are triggered at different app states. There are in total four app states: Active, Pause, Stop and Destroy. The different methods that can be invoked are onCreate(), onStart(), onResume(), onPause(), onStop(), onDestroy(). Think of a scenario when sensitive data is being transmitted and the onPause() method appears and after n seconds onResume() method is called, how would the application handle the sensitive data then? This could be a good check case.
2. Services: These are operations that happen in the background and do not have a UI. Services are critical and should always be checked as attackers usually plant malware here. An example scenario would be a calculator application asking for call logs permission.
3. Intents: These are bound to different components in an application and are used to perform different kinds of actions and invoke activities in different applications. Intent filters are used to protect activities.
4. Content Providers: Acts as a middle layer to access data from various sources.
5. Broadcast Receivers: These receive broadcast messages from various events which could be from one or many applications. For example, when an application receives an SMS it sends a broadcast message to every other application.

Let’s now talk about the Android File System. The following are the folders found inside the file hierarchy:

1. /boot: Bootable files consisting of the Android kernel and ramdisk
2. /system: The entire Android OS is stored inside this folder. It also consists of the pre-installed system applications which are stored inside /system/app
3. /recovery: This folder is designed for backup and is considered as an alternate boot option.
4. /cache: This folder stores frequently accessed app data and components
5. /misc: Contains miscellaneous system settings
6. /sdcard: This folder is the space that is available to users to store their files and data.
7. /data: This particular folder consists of all user data.

• /data/data: Consists of all applications data installed by the user
• /data/app: Consists of all APKs of the application installed by the user
• /data/system: Consists of files such as gesture.key, password.key
• /data/local/tmp: Writeable temporary

Some certain important files and folders are generally created while the application's creation. In our android pentesting, having a look at these files and folders is critical. The different important files and folders are as follows:

1. AndroidManifest.xml: has the structure and metadata of the application. Usually, all permissions, API keys, etc. are stored inside this particular file.
2. Java: This particular folder contains the Java source code files.
3. drawable: All images, videos, gifs, etc. are stored inside this particular folder.
4. layout: A layout defines the visual structure for a user interface, such as the UI for an Android application.
5. mipmap: The image Asset folder that usually contains different icons.
6. colors.xml: Color resource file of the Android application.
7. strings.xml: String resource file of the Android application.
8. styles.xml: Styles resource file of the Android application.
9. build.gradle: This particular file is used to add various dependencies. This file also has the SDKVersion number and other important details.

So now let's talk about the final topic of the Android architecture the Android Data Storage Model. Android stores data in 5ways:

1. Shared Preferences: Store private data in key-value pairs on the device.
2. Internal Storage: Store private data on the device's memory.
3. External Storage: Store public data on the shared external storage.
4. SQLite Databases: Stored structured data on private databases.
5. Network Connection: Store data on the web with your Network Server.

We all know that once the Android application is created a .apk file is generated. Ever wondered what exactly is this .apk file?? Well, a .apk file is nothing but a zip file of the source code which contains all the resources, dex codes, assets, manifest files, etc. The following diagram shows how a Java Source Code is converted to an APK file.

Perfect! Now since we have learned the entire android architecture, let’s learn about how the actual pentesting methodology works!! There are two types of analysis which is usually done while performing Android pentesting.

1. Static Analysis: This means viewing the source code of the APK and finding out vulnerabilities by reviewing the APK. This is kinda similar to Source Code Review. We usually look out for different Intent functions, Sources, and Sinks, Dangerous Permissions, Hardcoded API Keys, etc. This was the reason we went into the details of the Android Architecture. (I know it is kinda long and boring but much needed as well :P)

2. Dynamic Analysis: Dynamic Analysis is all about playing with requests and responses. But here is a catch, like normal Web Pentesting, in Android (as well as iOS) the requests and responses are not caught directly. We first need to bypass Root Detection and then bypass SSL Pinning. We will be learning more about this in the upcoming articles.

Now its time to pick up your weapons ;) The following is a curated list of all the tools which are required to perform both Static as well as Dynamic Analysis.

1. An Android Device: Obviously, you require an Android Device to perform the testing. It can be a real android device or an emulator as well. If it is a real Android device, make sure that the Android device is rooted. Rooting can easily be performed using a tool called Magisk. For an emulator, you can use Genymotion. Sometimes emulators do lag and having a real android device is much more beneficial.
2. Android Debug Bridge (ADB): This is used to communicate with the device and perform debug operations on the device.
3. Dex2jar: Dex2jar is a wonderful tool that helps you to convert the dex code to jar format so that reading the source code is easier.
4. JD-GUI : JD-GUI is a tool that allows you to view the java source code of an APK file directly.
5. MobSF: MobSF is an all-in-one security tool that helps you to perform automatic static analysis and makes your work a lot simpler.
6. drozer: The Metasploit Framework(MSF)for Android security which allows you to find vulnerabilities and exploit them as well.
7. Frida: A tool that is going to help bypass a lot of things ;)
8. Objection: Another tool that will help us bypass a lot of things ;)
9. apksigner: Used to sign modified APKs.
10. Burp Suite: Oh! Don’t forget the GOD!!

That's all folks for Part One! We hope that you enjoyed this article! We will be back with another part soon, where we will show you'll the methodology of Static Analysis while performing Android Pentesting.

Happy Hunting!

From Infosec Writeups: A lot is coming up in the Infosec every day that it’s hard to keep up with. Join our weekly newsletter to get all the latest Infosec trends in the form of 5 articles, 4 Threads, 3 videos, 2 GitHub Repos and tools, and 1 job alert for FREE!