Thursday, April 3, 2014

First steps performing penetration testing on an Android application

This article lists the first steps of a security review of an Android application: initial information collection, APK decompilation for static analysis, and APK modification to enable debugging and dynamic analysis.
If you feel that any of these steps can be improved or simplified with existing tools, please leave a comment and I will update the article.
The number of tools available for understanding Android applications has grown considerably, and they now offer powerful and robust features for reviewing a target application.

For the initial assessment we will be using the following tools:
Drozer: https://www.mwrinfosecurity.com/products/drozer/
APKTool: https://code.google.com/p/android-apktool/
Androguard: http://code.google.com/p/androguard/
ApkAnalyser: http://developer.sonymobile.com/knowledge-base/tools/analyse-your-apks-with-apkanalyser/
Netbeans IDE: https://netbeans.org/downloads/
Android SDK: https://developer.android.com/sdk/index.html#ExistingIDE
APK Downloader: http://www.01net.com/telecharger/windows/Internet/plugins/fiches/118788.html

1- APK Retrieval

The easiest way to obtain the target APK is APK Downloader, a Chrome extension that adds a download button to the address bar once it detects an application page URL.

2- Android SDK Installation & Emulator Setup

Installing the Android SDK is straightforward; it is available from the Android Developer portal.
To test the application we will use the Android Emulator; a virtual device can be created with the AVD Manager. The remaining steps can also be performed on a rooted phone.

We won't launch the emulator from the start button, because several options are only available from the command line. Among the interesting options is -http-proxy, which sends the emulator's HTTP and HTTPS connections through a proxy:
./emulator -avd watchever -http-proxy http://127.0.0.1:8080 -scale 0.6
The proxy address is an assumption here: -http-proxy requires a value, which the original command omitted, and 127.0.0.1:8080 is the default listener of both Burp and ZAP. Keep in mind that HTTPS traffic will only be readable (and the application will only accept the connection) once the proxy's CA certificate has been installed in the emulator's trust store. Other traffic requires a slightly more complex setup, which is already covered in this blog post: https://intrepidusgroup.com/insight/2010/12/mallory-and-me-setting-up-a-mobile-mallory-gateway/
This way we can inspect the HTTP traffic with our favourite proxy, such as ZAP or Burp.

3- Installation and Information Collection

The APK is installed with adb:
$ adb install uk.co.aifactory.chessfree.apk
1986 KB/s (7412910 bytes in 3.644s)
    pkg: /data/local/tmp/uk.co.aifactory.chessfree.apk

Once the application is installed, we want to identify its different features, such as authentication, since those may store sensitive data (a password, for instance) and so create data files on the device. Where these files end up depends on the application, but the usual locations are the app's private directory under /data/data/ and its external storage directory under /sdcard/Android/data/.
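The following script is an added example, not code from the original post, showing what to do with those data files once the app has been exercised in the emulator: pull the two directories, then look for credential-like keys in preference files, list SQLite databases worth opening, and flag files whose mode makes them readable by every other app on the device. It assumes the package name uk.co.aifactory.chessfree from the adb install output above and that adbd on the emulator runs as root (adb root) so the private directory can be pulled. The sample data directory and ls listing it builds are constructed here so the two checks can be run without a device.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed package name: the one
# installed above with adb install.
PKG=uk.co.aifactory.chessfree

# On the emulator, after logging in and exercising the app's features:
#   adb root
#   adb pull /data/data/$PKG ./appdata
#   adb shell ls -lR /data/data/$PKG > ./appdata-perms.txt
#   adb pull /sdcard/Android/data/$PKG ./sdcard-data
# The two functions below then run offline on those local copies.

# Print preference/config files holding credential-like keys and any SQLite
# databases found under the pulled directory (open those with sqlite3 .dump).
find_stored_secrets() {
    find "$1" -type f \( -name '*.xml' -o -name '*.properties' -o -name '*.json' \) \
        -exec grep -liE 'passw|secret|token|api_?key|session' {} \; 2>/dev/null \
        | sed 's/^/CREDENTIAL-LIKE KEY IN: /'
    find "$1" -type f \( -name '*.db' -o -name '*.sqlite' \) 2>/dev/null \
        | sed 's/^/SQLITE DB: /'
}

# Parse an 'ls -lR' listing taken on the device (modes are not reliable on a
# pulled copy) and print mode and name of regular files with read access for
# "other": on Android such files are readable by every installed app.
find_world_readable() {
    awk '$1 ~ /^-/ && substr($1, 8, 1) == "r" { print $1, $NF }' "$1"
}

# Constructed sample standing in for the pulled directory and the listing:
# a shared_prefs file that stores a password and is world-readable, plus a
# database with correct permissions.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/shared_prefs" "$d/databases" "$d/cache"
    cat > "$d/shared_prefs/login.xml" <<'EOF'
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="username">alice</string>
<string name="password">hunter2</string>
</map>
EOF
    printf 'SQLite format 3' > "$d/databases/scores.db"
    : > "$d/cache/thumb.tmp"
    cat > "$d/listing.txt" <<'EOF'
/data/data/uk.co.aifactory.chessfree/shared_prefs:
-rw-rw-r-- app_45   app_45       160 2014-04-03 10:12 login.xml
/data/data/uk.co.aifactory.chessfree/databases:
-rw-rw---- app_45   app_45     16384 2014-04-03 10:12 scores.db
EOF
    echo "$d"
}

# Usage against the constructed sample; point the functions at ./appdata and
# ./appdata-perms.txt for a real pull.
SAMPLE=$(make_sample)
find_stored_secrets "$SAMPLE"
find_world_readable "$SAMPLE/listing.txt"
```

A hit from find_stored_secrets is a lead, not a finding by itself: open the file and confirm the value is really a cleartext credential rather than a key name reused for something harmless. A hit from find_world_readable on a file in /data/data/ is a finding on its own, since any other application on the device can read it.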


Source: Yet Another P0wn Blog