😏Android Basic Security Testing

Android Testing Setup

Host Device

Useful tools to install on the host device:

• Android Studio - Install to run an emulator

• SDK Tools - Install to run emulator

• SDK Platform Tools - Install to run emulator and adb

• Android NDK - Install if working with native libraries

• Scrcpy - Control physical device from computer (host device) using USB

Testing Device

Testing on a Real Device

• ADB - Android Debugging Interface

Testing on an Emulator

• Android Virtual Device (AVD) - Android Studio Emulator FREE

• Android X86 - Run on any virtualization software FREE

• Genymotion - Emulator with many features PAID

• Corellium - Online emulator PAID

• Nathan - Custom Emulator for mobile security assessment FREE / NOT MAINTAINED

• Mobile Security Framework (MobSF) - Mobile security assessment framework FREE

Getting Priviledged Access

• Magisk - Rooting Tool

• XDA forums - Rooting guides

Basic Testing Operations

Accessing the Device Shell

Rmeote Shell

Connect to Multiple Devices

Include the -s option if you have multiple devices attached

Connect to a Device Over Wi-Fi

Connect to a Device via SSH

Host Device data Transfer

Using ADB

Using Android Studio Device File Explorer

Using Objection

Used for exploring/manipulating files from an app Sandbox, while the app running

• Objection - Explore files inside the sandbox

Using Termux

• Termux - Android terminal and Linux environment - Includes package manager

• FileZilla - Acess files via SFTP

Obtaining and Extracting Apps

Alternative App Stores

• APKMirror

• APKPure

Using gplaycli

• gplaycli - Google Paly Store APK downloader

Extracting the App Packages from the Device

• APK Extractor

• Via ADB:

Testing Instant Apps

• Google Play Instant App - Try apps without downloading them

Static Analysis Considerations

Dynamic Analysis Considerations

Repackaging Apps

• Objection - Objection tool ap patching guide

Installing Apps

Information Gathering

Listing Installed Apps

List all installed packages with ADB:

List all third-party apps with ADB:

Use frida-ps -Uai to get all apps (-a) currently installed (-i) on the connected USB device (-U):

Exploring the App Package

• apktool - Decode Android APKs

The Android Manifest

App Binary

Compiled App Binary

Native Libraries

• Objection - Retrieve libraries with objection

Other App Resources

Accessing App Data Directories

• Objection - Retrieve app directory information

Monitoring System Logs

• Logcat - Log system messages

Setting Up a Network Testing Environment

Basic Network Monitoring/Sniffing

• Android tcpdump

• netcat (nc)

• Wireshark

Firebase Cloud Messaging

Preparation of Test Setup

End-to-End Encyption for Push Notifications

Setting Up an Interception Proxy

• OWASP ZAP

• Burp Suite

Interception Proxy for a Virtual Device

Installing a CA Certificate on the Virtual Device

Interception Proxy for a Physical Device

Bypassing the Network Security Configuration

• Android-CertKiller - Patches the .APK with a user defined certificate or simply remove the certificate pinning from the .APK and repackages the .APK

• MagiskTrustUserCerts - Add user-installed certificates to the list of system trusted CA's

Potential Obstacles

Client ISolation in Wireless Networks

Non-Proxy Aware Apps

• iptables - Redirect all traffic to the interception proxy

• bettercap - MITM

Proxy Detection

Bypass using:

• Frida - Overload isProxySet

• iptables

• bettercap - MITM

Bypassing Certificate Pinning

• Android-SSL-TrustKiller - Bypass certificate pinning with Cydia Substrate

• frida-multiple-unpinning - Bypass certificate pinning with frida

• android sslpinning disable - Disable SSL pinning with objection

• TrustMeAlready and SSLUnpinning_Xposed - SSL unpinning with Xposed framework

Bypass Custom Certificate Pinning Statically

• keytool - Use keytool to add your proxy certificate to the truststore

Bypass Custom Certificate Pinning Dynamically

• Bypass obfuscated code