Getting Started With Android App Pentesting

The beginner guide to Android App Penetration testing, from setting up the local lab to exploitation

In this blog post will discuss everything you need to know as an Android app penetration tester. Whether you are a Bug bounty hunter, a working cyber security professional, or a random security researcher, this blog will surely benefit you.

Android App Pentesting

I will simplify everything in this tutorial so that you do not struggle while setting up your Android Pentesting lab.  I wish no one should face the same issues which I faced earlier. That's why I put my hard work here to give you a clear picture so you can start quickly.

Having a developer background, I Know how to build Android Mobile applications using Java, Kotlin, Flutter, and React Native. I am also good at Building web applications, having good knowledge of frontend and backend, along with OWASP knowledge for Both Web and Android apps. I will share my knowledge through this blog.

Without wasting your valuable time, let me tell you the resources and tools you should have before jumping into Android app pentesting. Also, there are some frequently asked questions you have to know.

Table of Contents

Frequently Asked Questions

Is Programming Knowledge required for Android Pentesting?

Sometimes Yes, having knowledge of Java helps you understand the application better

How much Java/Kotlin Knowledge is needed?

You don't have to be a super coder, but having basic knowledge of android app development is a plus

How much time will it take to learn Android Pentesting

It depends on you, and your past experience of Pentesting, Bug Bounty Knowledge

Setting up Android App Pentesting Environment


I will use Windows to set up the android Pentesting lab. You can follow the same steps to install those tools on Linux since the tools are cross-platform.

Required Tools

  • Burp Suite
  • VirtualBox
  • Android Emulator
  • ADB
  • Jadx GUI
  • Python
  • apktool
  • apkleaks
  • Frida
  • Objection

There are no limitations when it comes to pentesting tools, I personally use these tools, and there are some advanced tools, which we will discuss in another blog post.

Note:
If you try to Run Android Emulators inside Virtual machines, then it won't work. When I was new to Android pen testing, I used to do the same but later realised and Switched all my tools to my Primary machine.

Android app pentesting tools

Burp Suite

Burp Suite is a must-have tool for hackers. In case you don't know what Burp Suite is, Burp suite is a proxy between client and server.

Download Link

VirtualBox

VirtualBox is a virtualization software used to install and use multiple operating systems inside your primary machine; in our case, we will use Genymotion to install Android Emulators.

Download Link

Genymotion

Genymotion offers Android Emulators. You can test as many as for free. The limit is that it is free for personal use; again, they provide cross-platform software.

Download Link

Note:
You can use Android Studio for Android Emulators. If you use android studio,  then there is no need for Virtual Box software

Adb

Android Debug bridge is used to run shell commands on the android device, transfer files and do many other tasks, which we will discuss later.

Adb Installation Guide

Jadx GUI

Jadx is a tool to convert Dex files to java source code. We will use this tool to decompile the apk file and read its source code up to a certain level.

Download Jadx

apktool

apktool, a tool for android app reverse engineering. We will use this tool to decompile android apps, modify some code and recompile

install apktool

apkleaks

apkleaks a tool for automatic scanning for secret keys, URLs, IP addresses, API endpoints etc

install apkleask

Python

We need Python to use dynamic hooking tools like Frida.

Download Python

Frida

Frida tool/script is used for dynamic hooking so that we can test the application at the run time, overriding the functions, 

You have to install the Frida server on your android emulator, and the Frida client on your machine

Frida on the local machine

if  Python is installed on your local PC, then you can install frida by typing the following in a terminal

pip install frida-tools

you can check if frida is installed or not by typing

frida --version

Alternatively, you can use npm to install frida binaries. As a pentester, I hope everyone is familiar with Python 

Frida server on Android Emulator

This is the frida server; you must download the frida server file according to your emulator's architecture.


Download Frida Server


After downloading the zip file, unzip it, and use adb shell to connect your android emulator

then go to the directory  /data/local/tmp

push the frida-server there

adb push frida-server /data/local/tmp


Now 

adb shell 


then

cd tmp

since it is already an executable file, if not then you can make it executable by giving the permissions

chmod 777 frida-server

run the server

./frida-server

soon we will discuss how to use frida in depth

Objection

objection is a runtime exploitation toolkit based on frida

You can install objection by typing the below command in a terminal

pip3 install objection

Objection on GitHub

How to intercept Android app traffic in Burp Suite


In this section, we will set up the Burp suite to intercept the android app's traffic. Note that if you choose an android emulator for android version 6, it is easy to install the burp suite's CA certificate. You can still install burp CA on android 7 and above.

Configure Burp Suite Proxy

Open Burp Suite

Go to the Proxy tab, then Options, then Click on Add.

Burp proxy settings

Make these settings and bind to port 8080 (You can choose any)

And tick on All Interfaces and save

Configure Proxy settings on Android 

Now its time to configure the proxy on your Android; before that, we will find our local machine's IP and configure that IP on your Android Emulator's Wifi Proxy

To Find the IP address on your Local Machine

Open any terminal and type: 

ipconfig

 (or ifconfig for Linux)

Now Open Android Emulator's Wifi settings, and you will notice that the device is connected to a network, now long click or right-click on the network, and then you will see the options, click on Modify Network.

Now click Advanced, and configure the IP address and port.

Android wifi settings

Note:
For some emulators, there is another way to achieve this. In the emulator's settings, you will find the settings to change the proxy settings of the device


Configure CA certificate on up to Android 6

Now we have to configure a CA certificate 

Open any Browser, visit htttp://burp

and download the file, rename the file cacert.der to cacert.cer

rename ca certs

Now open Settings, then Security, then Install from SD Card.

Now Choose the file, and you are asked to enter a name for the certificate. You can give any name and then click Ok.

install ca cert

Now you are ready to intercept the traffic of your android emulator. Now open Burp suite, and you will see the traffic in the proxy section.


intercepting android mobile traffic on burp

Installing CA cert on Android devices above Android 6

on android version 7, you  need root access to install the CA certificate on your device, 

if you are on Windows, then you need gitbash or WSL to continue


Download OpenSSL Installer for Windows

Steps to Proceed

Export the CA cert from Burp, and save the file as cacert.der

then type the commands

openssl x509 -inform DER -in cacert.der -out cacert.pem

We will use openssl to convert the der file to pem, generate a self-signed certificate, then move the file to Emulator's and install it.

openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1

You will get a hash. Now you have to rename the perm file with this hash.0

mv cacert.pem 9a5ba575.0 

Now move the file to the android emulator's sdcard



It requires root to move the certificate to /system/etc/security/cacerts

For that, we will log in to adb as the root

adb root

then

adb remount 

now open adb shell, goto sdcard

cd sdcard 

Now move the file to  /system/etc/security/cacerts

mv 9a5ba575.0 /system/etc/security/cacerts/



Now, In the device Settings, Security, Encryption, and Trusted Credentials, you will see PortSwigger's CA certificate.



Conclusion

Android application penetration testing is a broader topic and cannot be covered in a single blog post, and we have to discuss many android pentesting frameworks. We will be publishing several blog posts to cover all of them.

Hi, am Basudev From Andhra Pradesh, India. a Blogger & Hacker Interested in Infosec, Web Development, Programming

Post a Comment

Comments will be reviewed before publishing