Android Application Penetration Testing

What are the prerequisites for Android Application Penetration Testing

• Rooted Device / Emulator (Genymotion, MEMU, Android Studio)

• Mobexler OS (VMware Player Distro)

Configuration

Being a Developer (without learning)

Settings > About Device/About Phone > Build Number (Tap 7 Times) > "You are now a developer!" 

Making the device debuggable

Developer Options > USB Debugging (Toggle On) + Wireless Debugging (Toggle On)

Intercepting an API request in Burp

Detailed explanation here

Static Analysis

• Automation testing using MobSF

• Reverse engineering using JADX (API Key, Hardcoded Credentials, Sensitive Data)

• Check for Root Detection Bypass using RootClock/Frida Script/Objection

• Check for SSL Pinning Bypass using SSLUnpinning 2.0/Frida Script/Objection

• Check for sensitive data in logs using adb logcat

• Check for sensitive data in heap memory using fridump

• Check for sensitive data in Android local storage using adb shell (/data/data/<package name>/)

• Check the AndroidManifest.xml file for misconfigured flags, exposed activities, services, broadcast receivers, Exposed API Calls, API Keys, etc.

• Check for Exploitation of Activities, Receivers, and Services using Drozer

• Check for sensitive data leakage using screenshots and app-switchers in mobile devices.

• Check for the missing Minimum Device Access Policy in the mobile application

• Check the signing certificate of the application after reversing using Jadx-Gui (Certificate Version, Algorithm, Debug Certificate)

Dynamic Analysis

• Check for WebView vulnerabilities

• Check for authentication and authorisation vulnerabilities.

• Check all input fields for vulnerabilities.

• Check for business logic vulnerabilities

Inject Frida Gadget (Non-Rooted Device)

• Disassemble the app with APKTool

• Download Frida-Gadget from https://github.com/frida/frida/releases

• Frida-Gadget will be in the format frida-gadget-{version}-android-{arch of device}.so.xz after decoding it will be frida-gadget-{version}-android-{arch of device}.so

• Move frida-gadget-{version}-android-{arch of device}.so to armeabi directory under lib folder

• Modify the smali code in Main Activity to load the lib-gadget

const-string v0, "frida-gadget"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V

• Add Internet permission in the AndroidManifest.xml

<uses-permission android:name="android.permission.INTERNET" />

• Repack the application using APKTool

• Sign the application using JarSigner

• Zipalign the application once the signing is done

Vulnerable APKs

• AndroGoat

• Android UnCrackable L1/L2/L3

• DIVA

• InsecureBankV2

• InsecureShop