Quickstart - TairinySimeonato/Android-App-Auditing GitHub Wiki
Introduction
- A security audit of a mobile app should include an audit of the backend API as well
- Both iOS and Android were designed with a reduced attack surface
- Permission model: each app declares which APIs it wants to access. The manifest.xml file tells you which permissions an app needs
- Android apps are usually written in Java, so you normally don't need to worry about memory corruption vulnerabilities
- Some apps include native code (C/C++), which may contain memory corruption vulnerabilities
Intents
- Entry points to your app that can be called externally
- Intents may allow for data to be passed around
APK Container
- Android apps come in the APK format, which is really a ZIP file. It contains a signature, the app code and all the resources used. It can be unzipped with any standard archive tool if you rename it to .zip. apktool will automatically unpack it more deeply.
DEX files
- DEX files (Dalvik Executables) contain the compiled Java code of an Android application. A DEX file can be disassembled with apktool to a format called smali, and decompiled with dex2jar into Java.
- dex2jar translates DEX files to JAR files
- jd-gui views the Java files in the JAR
- Use dex2jar to transform the DEX file into .class files, then use a JAR decompiler (such as the free jd-gui) to get plain-text Java.
Manifest.xml
- Every application contains this file.
- The file contains key information regarding the name and version of the app, requested permissions, activities, intents, and more.
- apktool decodes this to a readable format
- Initially this is saved as a binary in the apk file.
Resources
- An Android app has many resources, from images and strings to XML files which describe UI layouts.
Tools
Android Studio
- (https://developer.android.com/studio)
- This is the standard Android development environment
- You can build or run apps as an emulator
Apktool
- Lets you unpack and decode APK files to a readable format, which can be manipulated and rebuilt into a working application
dex2jar
- Translates an APK or DEX file to a JAR, which can then be decompiled with JD-GUI.
JD-GUI
- Decompiler for Java .class and .jar files
- Well suited for turning an APK into readable Java code after running dex2jar
Burp Suite + CA certificate setup
Proxy setup
Android Emulator
- For the Android emulator, proxy settings are in the Settings section of the "Extended controls" screen.
- These can be set to localhost and the port Burp is listening on.
Physical Devices
- On phones or other physical devices, proxy settings are under the WiFi settings.
- Long press the network you're connected to and click 'Modify network'; the proxy settings will open
- Make sure the proxy listener in Burp is set to listen on all interfaces or on the local network interface, not just localhost, otherwise the device won't be able to connect to the proxy at all.
- After that, point the device's proxy settings at your proxy computer's internal IP and the port Burp is listening on
- Next step is to install the CA cert.
Installing CA cert
- On the device, go to http://burp and install the certificate so the device can trust Burp for SSL connections
- Then go: Android Settings > Security & location > Encryption & credentials > Install from SD card.
- All done! You should have HTTP(S) running through Burp.
- However, there are some caveats. Some applications make direct network requests which bypass the proxy, and some applications use certificate pinning, where the application validates that the server certificate is a known certificate or belongs to a known organization.
- TODO - how to bypass certificate pinning
- Direct network requests can be captured using the VPN functionality in Android, routing the device's traffic to your computer and proxy that way.
Rooting
- The process of getting super-user access, meaning you'll be able to do (almost) everything you want on the device
- For example, you can view or tamper with any file, modify configurations that are hidden from regular users, and install Frida at the system level
- NEVER ROOT A DEVICE WITH YOUR PERSONAL INFORMATION!!!
- Google devices are easier to root.
- Search the web for "<your device> root instructions"
Rooting Nexus 5
- Enable USB debugging (Settings > Developer options > check USB debugging)
To make this procedure work correctly on a Linux/Ubuntu system, type the following commands in a terminal while your device is on, with developer mode activated, and connected over USB:
```bash
sudo apt-get install android-tools-adb
sudo apt-get install android-tools-fastboot
sudo adb devices
sudo adb reboot bootloader
sudo fastboot oem unlock
sudo fastboot boot CF-Auto-Root-hammerhead-hammerhead-nexus5.img
```
The first part installs the software you need. The second part checks whether your device is visible to the computer. The third part unlocks the bootloader and roots the device. Make sure you download the zip file mentioned in this article first, unzip it and "cd" into the "image" directory before launching this step.
There are a few things you need before we get started: an unlocked bootloader, USB Debugging enabled and ADB Tools installed on your computer. Please note that unlocking the bootloader will wipe your device, so please back up your data first.
https://www.youtube.com/watch?v=1M-yhQIho48
Decompilation
- To convert the APK into a format readable by a Java decompiler, run
`dex2jar -f path/to/app.apk`
- This creates a Java JAR file
- Open the resulting JAR file in JD-GUI and you'll see the Java code.
- JD-GUI has a very limited interface.
- Once you have loaded the JAR file, use the "Save all sources" option in the File menu to save all the decompiled .java files to disk, so you can open the entire thing in the editor of your choosing.
- In many cases, you can turn the entire thing into a new Android Studio project.
Testing tips
adb logcat
- Displays the running log of everything occurring on the device, often letting you see debug messages in flight.
- Disable certificate pinning - https://blog.it-securityguard.com/the-stony-path-of-android-%F0%9F%A4%96-bug-bounty-bypassing-certificate-pinning/
- Intent Filter Check - Android's intent filters allow an app to handle URL patterns or protocol schemes. These can lead to vulnerabilities where a website can open malicious payloads in the target application. (https://hackerone.com/reports/283063)
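As an added example (not part of the original wiki), a small Python script that pulls the auditor's first questions out of an apktool-decoded AndroidManifest.xml: requested permissions, the debuggable flag, and every component other apps can reach, flagging intent filters that register URL schemes (the deep-link entry points the Intent Filter Check above refers to). The manifest below is a constructed sample, not taken from any real app.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # the android: XML namespace
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")
# Constructed sample of an apktool-decoded AndroidManifest.xml; not taken from any real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.audit">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:debuggable="true">
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="myapp" android:host="open"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".InternalReceiver" android:exported="false">
      <intent-filter><action android:name="com.example.INTERNAL"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def exported_components(root):
    """(tag, name, reason, schemes) for every component other apps can reach. android:exported
    wins when present; otherwise declaring an <intent-filter> exports the component by default
    (providers differ: before API 17 they were exported even without a filter)."""
    found = []
    for tag in COMPONENTS:
        for comp in root.iter(tag):
            exported = comp.get(ANDROID + "exported")
            filters = comp.findall("intent-filter")
            if exported == "true" or (exported is None and filters):
                # a URL scheme in <data> makes this a deep link that a web page can trigger
                schemes = [d.get(ANDROID + "scheme") for f in filters
                           for d in f.findall("data") if d.get(ANDROID + "scheme")]
                reason = "explicit" if exported == "true" else "implicit (intent-filter)"
                found.append((tag, comp.get(ANDROID + "name"), reason, schemes))
    return found

def audit_manifest(manifest_xml):
    # Summarise the entry points and permissions an auditor should review first
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    return {
        "package": root.get("package"),
        "debuggable": app.get(ANDROID + "debuggable") == "true",
        "permissions": [p.get(ANDROID + "name") for p in root.iter("uses-permission")],
        "exported": exported_components(root),
    }
```

Run it against the AndroidManifest.xml that apktool writes into the decoded directory; on a real app, every entry in "exported" is a place where input from another app or a web page reaches your code.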