Android Pen-Testing Checklist

  1. Reversing and static analysis
  2. Dynamic analysis
  3. Storage/Database/Log analysis

0. Preparation

0.1 Device or Emulator

Emulator: Nox app player or Genymotion.

0.2 ADB commands

#adb devices               // List all connected devices and emulators
#adb connect <ip>[:port]   // Connect to a particular device over TCP/IP
#adb shell                 // Get a shell on the emulator or phone
#adb push/pull             // Upload files to and download files from the device
#adb install vulnerableapp.apk
#adb uninstall com.package.test
Always uninstall by package name, not by APK file name.

0.3 Drozer

// Starting a session
$ adb forward tcp:31415 tcp:31415
$ drozer console connect

// Retrieving package information
dz>run app.package.list -f "app name"
dz>run app.package.info -a "package name"

// Identifying the attack surface
dz>run app.package.attacksurface "package name"

// Exploiting Activities
dz>run app.activity.info -a "package name" -u
dz>run app.activity.start --component "package name" "component name"

// Exploiting Content Provider
dz>run app.provider.info -a "package name"
dz>run scanner.provider.finduris -a "package name"
dz>run app.provider.query "uri"
dz>run app.provider.update "uri" --selection "conditions" "selection arg" "column" "data"
dz>run scanner.provider.sqltables -a "package name"
dz>run scanner.provider.injection -a "package name"
dz>run scanner.provider.traversal -a "package name"

// Exploiting Broadcast Receivers
dz>run app.broadcast.info -a "package name"
dz>run app.broadcast.send --component "package name" "component name" --extra "type" "key" "value"
dz>run app.broadcast.sniff --action "action"

// For exploiting exported broadcast receivers:

// Exploiting Service
dz>run app.service.info -a "package name"
dz>run app.service.start --action "action" --component "package name" "component name"
dz>run app.service.send "package name" "component name" --msg "what" "arg1" "arg2" --extra "type" "key" "value" --bundle-as-obj


1. Static Analysis

1.1 Unzip apk

  1. Rename the .apk to .zip and extract its contents to a folder.
  2. Look in res/raw for anything valuable, e.g. configuration, authentication tokens, admin credentials, etc.

1.2 AndroidManifest.xml

Decode the APK with apktool:

apktool d my.apk

Examine the AndroidManifest.xml file.

What should be checked?

  1. Android permissions (uses-permission)
  2. android:debuggable="true"
  3. android:allowBackup="true"
  4. meta-data entries
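The manifest checks above can be automated. The script below is an added example, not part of the original checklist: it parses the AndroidManifest.xml that apktool decodes, reports the debuggable and allowBackup flags, lists requested permissions, and flags components that are exported (explicitly, or implicitly via an intent-filter, which is the pre-API-31 default) without any permission guarding them. The sample manifest embedded at the bottom is constructed for illustration.

```python
# Added example (not from the original checklist): audit a decoded
# AndroidManifest.xml for the items above. The sample manifest is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def attr(elem, name):
    """Read an android:-namespaced attribute, or None when absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem):
    """android:exported wins; when absent, a component with an <intent-filter>
    is exported by default (behaviour before API 31)."""
    exported = attr(elem, "exported")
    if exported is not None:
        return exported.lower() == "true"
    return elem.find("intent-filter") is not None


def has_permission(elem):
    """Providers may be guarded by read/write permissions as well."""
    return any(attr(elem, n) for n in ("permission", "readPermission", "writePermission"))


def audit_manifest(xml_text):
    """Return a list of human-readable findings for the manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.findall("uses-permission"):
        findings.append("uses-permission: " + (attr(perm, "name") or "?"))
    app = root.find("application")
    if app is None:
        return findings
    if (attr(app, "debuggable") or "false").lower() == "true":
        findings.append('application: android:debuggable="true" (a debugger can attach)')
    # allowBackup defaults to true when the attribute is missing (before API 31)
    if (attr(app, "allowBackup") or "true").lower() == "true":
        findings.append('application: android:allowBackup="true" (adb backup extracts app data)')
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            if is_exported(comp) and not has_permission(comp):
                findings.append("%s %s: exported without a permission" % (tag, attr(comp, "name")))
    return findings


# Constructed sample manifest; package and component names are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.package.test">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <provider android:name=".FileProvider" android:authorities="com.package.test.file"
        android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.package.test.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Run it against the real file with `audit_manifest(open("my/AndroidManifest.xml").read())` after `apktool d my.apk`; SyncService is not reported because it is guarded by a permission, which is the configuration the other exported components should have.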

Exploit1 - backup

#adb backup com.package.test -f vuln.ab
// A pop-up appears on the phone; tap "Back up my data".

// The first 24 bytes are the backup header; strip them and inflate the rest
#dd if=vuln.ab bs=24 skip=1 | openssl zlib -d > vuln.tar

// OR download Android Backup Extractor, which gives you abe.jar
#java -jar abe.jar unpack vuln.ab vuln.tar
#tar -tf vuln.tar > vuln.list
#tar -xvf vuln.tar

Ref: androidbackupextractor

You can also modify anything you want inside the extracted app folder and restore it to overwrite the files on the device. Repack with star:

#star -c -v -f vuln_new.tar -no-dirslash list=vuln.list

// Now we have the new tar file, vuln_new.tar
#java -jar abe.jar pack vuln_new.tar vuln_new.ab

// We need the 24-byte header back again; for that do
#dd if=vuln_new.ab bs=24 count=1 of=vuln_2.ab
#openssl zlib -in vuln_new.tar >> vuln_2.ab
#adb restore vuln_2.ab

1.3 Source code

Go through all the Java files with jadx-gui.

What should be checked?

  1. Logging code (what gets written to the log)
  2. Code that saves any information on the device
  3. Database code and what is stored there
  4. The type of encryption or encoding used; encryption keys may be hardcoded
  5. Imports of security and crypto APIs (javax.crypto.Cipher etc.)
  6. WebView code, which can be used for XSS in dynamic testing
  7. Hardcoded keys, passwords, phone numbers, emails in comments, internal IPs and URLs

Grep for these for WebView:

JavascriptInterface: if the app exposes a JavaScript interface object (a "jsvar") and we get XSS in the WebView, this can lead to command execution; see CVE-2012-6636 (SDK <= 17 is vulnerable).
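The source-code review items above are mostly pattern searches, so they can be run as one pass over the jadx output before reading by hand. The script below is an added example, not from the original checklist: it applies the checklist's patterns (logging calls, addJavascriptInterface and setJavaScriptEnabled(true), Cipher.getInstance with ECB or no explicit mode, hardcoded key/secret/token assignments, emails, private IP ranges and URLs) to Java text and reports line numbers. The Java snippet is constructed; the API_KEY value, the 192.168.1.20 address and the email are fake placeholders.

```python
# Added example (not from the original checklist): a grep-style pass over
# decompiled Java sources for the patterns listed above. The Java snippet is
# constructed; its key, address and email values are fake placeholders.
import os
import re

RULES = [
    ("log-statement",    re.compile(r"\bLog\.[vdiwe]\s*\(")),
    ("js-bridge",        re.compile(r"\baddJavascriptInterface\s*\(")),
    ("js-enabled",       re.compile(r"\bsetJavaScriptEnabled\s*\(\s*true\s*\)")),
    # Cipher.getInstance("AES") falls back to ECB; also catch an explicit /ECB/ mode
    ("weak-cipher",      re.compile(r'Cipher\.getInstance\s*\(\s*"(?:[A-Za-z0-9]+|[A-Za-z0-9]+/ECB/[^"]*)"')),
    # identifier containing key/secret/password/token assigned a string literal
    ("hardcoded-secret", re.compile(r'(?i)\w*(?:key|secret|password|passwd|token)\w*\s*=\s*"[^"]{6,}"')),
    ("email",            re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("internal-ip",      re.compile(r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b")),
    ("url",              re.compile(r"https?://[^\s\"']+")),
]


def scan_source(text):
    """Return (line number, rule name, stripped line) for every rule hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES:
            if rx.search(line):
                hits.append((n, name, line.strip()))
    return hits


def scan_tree(root_dir):
    """Walk a jadx/apktool output directory and scan every .java file."""
    results = {}
    for dirpath, _, files in os.walk(root_dir):
        for f in files:
            if f.endswith(".java"):
                path = os.path.join(dirpath, f)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    results[path] = hits
    return results


# Constructed sample; every value in it is a placeholder.
SAMPLE_JAVA = """\
package com.package.test;
import android.util.Log;
public class Net {
    private static final String API_KEY = "AKIA-constructed-example-key";
    private static final String DEBUG_HOST = "http://192.168.1.20:8080/api";
    // contact admin@example.com for the staging password
    void init(WebView wv) {
        wv.getSettings().setJavaScriptEnabled(true);
        wv.addJavascriptInterface(new Bridge(), "jsvar");
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        Log.d("Net", "token=" + token);
    }
}
"""

if __name__ == "__main__":
    for lineno, rule, line in scan_source(SAMPLE_JAVA):
        print("%3d  %-16s %s" % (lineno, rule, line))
```

Point `scan_tree()` at the jadx export directory to get the same report per file; the hits are leads for manual review, not findings by themselves (a launcher URL or a logging call may be harmless), so read the surrounding code before recording anything.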

2. Dynamic Analysis

2.1 SSL Pinning Bypass

  1. Adding a custom CA to the trusted certificate store
  2. Overwriting a packaged CA cert with a custom CA cert
  3. Using Frida to hook and bypass SSL certificate checks (script)
  4. Reversing custom certificate code

$ adb push burpca-cert-der.crt /data/local/tmp/cert-der.crt
$ adb shell "/data/local/tmp/frida-server &"
$ frida -U -f com.package.test -l frida-android-repinning.js --no-pause

Ref: Four Ways to Bypass Android SSL Verification and Certificate Pinning

2.2 Emulator Detection Bypass

Option 1: Check for "goldfish".

#grep -r goldfish
#grep -r goldfish smali*

Once we find where it is checked, we can go there and modify the check as needed.

ro.hardware is "goldfish" or "ranchu" on qemu- or qemu2-based emulators.

ref: 1, 2

Option 2: Search the code for Build property checks like

Build.FINGERPRINT.startsWith("generic") || Build.FINGERPRINT.startsWith("unknown")

Change the string with an editor app.

2.3 Root Detection Bypass

1. Looking for a binary, file or directory (e.g. SuperUser.apk):
Solution: just rename it. If the app searches for SuperUser.apk, rename it to notsuperuser.apk; if it searches for /system/bin/su, rename that to /system/bin/notsu.

2. Checking /system attributes:
The app checks whether /system is mounted read-write.
Solution: remount it read-only with the following command:
mount -o ro,remount,ro /system

3. Hashing files:
The app computes a hash of superuser.apk and compares it.
Solution: patch the binary, no-op out the check, or change the value in memory with a debugger.

4. Binary check:
The app runs whoami and checks whether it is root.
Solution: replace the whoami binary on the phone with one that does not report root, patch out the checks in the binary, or modify the value in a debugger.


2.4 Drozer related checks

Type                 Description
Activity             A screen the user interacts with; each change of the visual representation is an activity.
Service              Long-running background process, e.g. playing music.
Intent receiver      Responds to input such as an SMS, a phone reboot or losing WiFi. Intents are the way messages are sent between components.
Content provider     Used by applications to share data with other applications. A misconfiguration lets other apps access unintended or sensitive data.
Broadcast receiver   Listens for system or application broadcasts.
Explicit intent      The recipient is specified, so only a particular app or broadcast receiver receives the intent.
Implicit intent      The platform decides where to deliver it, e.g. opening a link prompts "How do you want to open this? Chrome or Mozilla?".

What should be checked?

  1. Find package name
  2. Get app details like permissions
  3. Find attack surface
  4. Find content providers
  5. Query content provider

Exploit1 - Directory Traversal

Use a content provider to read a file from the SD card using drozer.

dz>run app.package.list -f vulnerableApp
dz>run app.package.attacksurface com.package.test
dz>run scanner.provider.finduris -a com.package.test
// Shows permission: android.permission.READ_EXTERNAL_STORAGE
dz>run app.provider.info -a com.package.test

// Since query will not work, we try "read" instead

dz>run app.provider.read content://com.package.test.file/../../../../mnt/sdcard/secret.txt

Exploit 2 - Exploiting custom permission


2.5 Logcat

Start Logcat before pen-testing

#adb logcat > log.txt

2.6 Response Tamper

Example: Bypass OTP validation on Password Reset

2.7 Webview Vulns

Ref: Abusing WebView JavaScript Bridges – dead && end

3. Storage / Database / Log Analysis

$ adb pull /data/data/com.package.test .

What should be checked?

  1. shared_prefs.xml
  2. db files (Tool: sqlite browser)
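Both the logcat capture from section 2.5 and the shared_prefs files pulled here are searched for the same thing: credentials, tokens and other personal data that the app should never have written in the clear. The script below is an added example serving both steps, not part of the original checklist: it parses logcat lines in the two formats `adb logcat` commonly emits (threadtime and brief), optionally filters by the app's PID, classifies each message against a small set of sensitive-data patterns, and applies the same classifier to the entries of a shared_prefs XML file, additionally flagging keys whose names look sensitive. The logcat lines and the preferences file are constructed samples; the JWT-shaped token and the OTP in them are fake.

```python
# Added example (not from the original checklist): scan a logcat capture and
# a shared_prefs XML file for sensitive data. All sample input is constructed.
import re
import xml.etree.ElementTree as ET

# "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message" (adb logcat -v threadtime)
THREADTIME = re.compile(
    r"^(\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\.\d{3})\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+(.+?)\s*:\s(.*)$")
# "LEVEL/TAG( PID): message" (adb logcat -v brief)
BRIEF = re.compile(r"^([VDIWEF])/(.+?)\(\s*(\d+)\):\s(.*)$")

SENSITIVE_KEY = re.compile(r"(?i)(password|passwd|pwd|token|secret|api[_-]?key|session|auth|otp|pin)")
SENSITIVE_VALUE = [
    ("email",     re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("jwt",       re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+")),
    ("bearer",    re.compile(r"(?i)bearer\s+[\w.-]{16,}")),
    ("key=value", re.compile(r"(?i)(password|passwd|token|secret|otp|pin)\s*[=:]\s*\S+")),
]


def parse_logcat_line(line):
    """Return {level, tag, pid, msg} for a threadtime or brief line, else None."""
    m = THREADTIME.match(line)
    if m:
        return {"level": m.group(4), "tag": m.group(5), "pid": int(m.group(2)), "msg": m.group(6)}
    m = BRIEF.match(line)
    if m:
        return {"level": m.group(1), "tag": m.group(2), "pid": int(m.group(3)), "msg": m.group(4)}
    return None


def classify(text):
    """Names of the sensitive-value patterns that match the text."""
    return [name for name, rx in SENSITIVE_VALUE if rx.search(text)]


def scan_logcat(text, pid=None):
    """(line number, tag, kinds) for every log line carrying sensitive data."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_logcat_line(line)
        if rec is None or (pid is not None and rec["pid"] != pid):
            continue
        kinds = classify(rec["msg"])
        if kinds:
            findings.append((n, rec["tag"], kinds))
    return findings


def scan_shared_prefs(xml_text):
    """(key, element type, kinds) for entries with a sensitive key or value."""
    findings = []
    for elem in ET.fromstring(xml_text):
        name = elem.get("name", "")
        value = elem.get("value", elem.text or "")
        kinds = classify(value)
        if SENSITIVE_KEY.search(name) or kinds:
            findings.append((name, elem.tag, kinds))
    return findings


# Constructed logcat capture (mixed threadtime and brief lines); the token and
# OTP values are fake.
SAMPLE_LOGCAT = """\
03-14 10:22:01.123  4211  4211 D AuthManager: login ok user=alice@example.com
03-14 10:22:01.130  4211  4230 I OkHttp  : Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c29tZXNpZ25hdHVyZQ
03-14 10:22:02.001  1337  1337 W ActivityManager: Slow operation in am
D/OtpVerify(4211): otp=482913 sent to +10000000000
"""

# Constructed shared_prefs file for the same fictional app.
SAMPLE_PREFS = """<map>
    <string name="username">alice</string>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c29tZXNpZ25hdHVyZQ</string>
    <boolean name="remember_me" value="true" />
    <string name="pin_code">4821</string>
</map>
"""

if __name__ == "__main__":
    for lineno, tag, kinds in scan_logcat(SAMPLE_LOGCAT, pid=4211):
        print("log.txt:%d [%s] %s" % (lineno, tag, ", ".join(kinds)))
    for key, kind, kinds in scan_shared_prefs(SAMPLE_PREFS):
        print("shared_prefs: %s (%s) %s" % (key, kind, ", ".join(kinds) or "sensitive key name"))
```

In practice call `scan_logcat(open("log.txt").read(), pid=<app pid>)` so that other processes' noise is skipped, and loop `scan_shared_prefs` over every file in the pulled `shared_prefs/` directory; a token or OTP appearing in either place is a finding for the report regardless of whether it is still valid.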


A Virgil's Guide to Pentest: Operation Android
