Hacking Mobile Platforms — Basic Penetration Testing on Android Applications
It has been a long time from my last blog post … I was planning to write this article on Mobile hacking since 2018. But things happen, I was too occupied doing other work and completely forget about keep posting on Medium… I do apologize for letting you guys wait for so long
Well, back to the main topic …
Mobile devices are replacing desktops and laptops as they become more and more advanced. They enable users to access email, browse the Internet, navigate via GPS, store critical data including contact lists, passwords, calendars, login credentials and so on. Also, the latest developments in mobile commerce have enabled users to perform transactions such as purchasing goods and applications over wireless networks, redeeming coupons and tickets, banking, and more from their smartphones.
So Investigating mobile security is seriously a necessary thing for us to pay attention.
Mobile apps security is a big component of the mobile security and I would like to discuss some useful tools plus methods for analyzing Android apps in here
First of all, Mobile app security could be summarized into different aspects, APK structural security like user-permissions settings, functional flaws inside apps like OWASP top 10 vulnerabilities and etc. For me, doing the APK analysis is the primary thing when it comes up to Android app testing.
Every app project must have an
AndroidManifest.xml file (with precisely that name) at the root of the project source set. The manifest file describes essential information about your app to the Android build tools, the Android operating system, and Google Play.
(Check the android developer guide for AndroidManifest.xml guideline)
2. Extracting the Android APK package
Check the AndroidManifest.xml file for details
We could see the application name, SDK version, user permissions and application services in the file. This tells us a basic understanding of how this app is designed
android:allowBackup=”true” allows a user to take backup of this application using ADB.
android.exported=[“true”] allows this service to be invoked by external components.
3. Further Analysis of User Permissions
Android mobile applications need user’s permission to access different resources or to perform restricted/privileged actions. These permissions are listed in AndroidManifest.xml file which is packaged in application APK. One of the tell-tale signs of the malicious applications is that they have permissions irrelevant to their advertised purpose
e.g. an alarm app with permission to send SMS.
Identifying the suspicious/unnecessary permissions is our goal at this stage
We could manually do this static analysis with terminal command line tools like apktool, appt, or graphical interface tool like: ClassyShark, jd-gui and etc
Automatic tool for doing static analysis : MobSF (Mobile Security Framework)
This is a very powerful tool for analyzing and report generating
Upload the apk file to the web interface and the analyzing process will be done automatically
We can see the CVS risk rating report coming out including security analysis, manifest analysis and malware analysis