ANDROID APPLICATION PENETRATION TESTING Raja Nagori

$WHOAMI
• Senior Information Security Engineer at FIS Global.
• Cyber Crime Intervention Officer from ISAC (NSD).
• Synack Red Team Member.
• Actively contributing to the OWASP Community.

TODAY’S DISCUSSION
• Some kick-off resources for mobile VA and PT
• Device requirements and tool requirements for starting an Android application VA and PT
• Concepts of the Android architecture
• Practical implementation of Android application VA and PT

RESOURCES
• MOBILE SECURITY TESTING GUIDE
  • https://mobile-security.gitbook.io/mobile-security-testing-guide/
• OWASP Mobile Top 10
  • https://owasp.org/www-project-mobile-top-10/
• HACKTRICKS
  • https://book.hacktricks.xyz/mobile-apps-pentesting/android-app-pentesting

DEVICE REQUIREMENTS
• Android Penetration Testing
  • Windows, Kali Linux, Parrot OS or MacBook
  • Preferably with 8-16GB of RAM or more and more than 250GB of drive storage.
• For the Android interface
  • You can use an emulator such as Android Studio (my fav), Memu, Nox, BlueStacks or Genymotion
  • You can use a rooted physical device.

TOOLS REQUIREMENTS
• JADX-GUI
• APKTOOL
• MobSF
• Frida
• Objection
• BurpSuite

ANDROID ARCHITECTURE
Ref: OWASP Mobile Security Testing Guide

LET’S TALK ABOUT PENETRATION TESTING PROCESS
• Reconnaissance (Active/Passive): Gathering information or evidence about the target application.
• Scanning and Enumeration: Scanning is the phase before the attack takes action.
• Gaining Access: Attackers use vulnerabilities identified during the detection and scanning stages to gain access to the identified system and network.
• Maintaining Access: Maintaining access refers to the phase when the attacker tries to retain his or her ownership of the system.
• Covering Tracks: For obvious reasons, such as avoiding legal problems and maintaining access, attackers often try to erase all evidence of their actions.

LET’S TALK ABOUT MOBILE APPLICATION PENETRATION TESTING PROCESS
• Reconnaissance (Active/Passive): Gathering information or evidence about the target application.
• Static Analysis: Scanning and going through the code.
• Dynamic Analysis: Making changes and manipulating the application at runtime.
• Reporting: Report the findings.

SEE, WHO CAME “THE ANDROID”

STATIC ANALYSIS

ANDROID MANIFEST FILE
• Extension is .xml
• You’ll get basic information about the application:
  • SDK version
  • Permissions
  • Activities
  • Content Providers
  • Intents
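As an added example (not part of the original slides), the following Python script pulls the items listed above out of an apktool-decoded AndroidManifest.xml: SDK versions, requested permissions, the declared components, their intent actions, and which components are reachable from other apps. The manifest embedded in the script is constructed for the demo; the package and component names are invented.

```python
"""Added example: static review of a decoded AndroidManifest.xml.
Reports SDK versions, permissions, components and intent actions, and
flags components that other apps can reach (exported).  The manifest
below is CONSTRUCTED; package and component names are invented."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(elem, name):
    """Read an android:<name> attribute (manifest attributes are namespaced)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


# Constructed sample manifest (not from any real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demoapp">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="demoapp" android:host="open"/>
      </intent-filter>
    </activity>
    <provider android:name=".DataProvider"
              android:authorities="com.example.demoapp.provider"
              android:exported="true"/>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def is_exported(elem):
    """An explicit android:exported wins; otherwise a component that declares
    an intent-filter is implicitly exported (the pre-API-31 default)."""
    explicit = attr(elem, "exported")
    if explicit is not None:
        return explicit == "true"
    return elem.find("intent-filter") is not None


def analyze_manifest(xml_text):
    """Return a dict summarising the security-relevant manifest content."""
    root = ET.fromstring(xml_text)
    report = {
        "package": root.get("package"),
        "min_sdk": None,
        "target_sdk": None,
        "permissions": [],
        "debuggable": False,
        "exported_components": [],
        "intent_actions": [],
    }
    sdk = root.find("uses-sdk")
    if sdk is not None:
        report["min_sdk"] = attr(sdk, "minSdkVersion")
        report["target_sdk"] = attr(sdk, "targetSdkVersion")
    report["permissions"] = [attr(p, "name") for p in root.findall("uses-permission")]
    app = root.find("application")
    if app is not None:
        report["debuggable"] = attr(app, "debuggable") == "true"
        for tag in COMPONENT_TAGS:
            for comp in app.findall(tag):
                name = attr(comp, "name")
                if is_exported(comp):
                    report["exported_components"].append((tag, name))
                # <action> elements live under <intent-filter>; iter() finds them.
                for action in comp.iter("action"):
                    report["intent_actions"].append((name, attr(action, "name")))
    return report


if __name__ == "__main__":
    r = analyze_manifest(SAMPLE_MANIFEST)
    print("package:", r["package"], "sdk:", r["min_sdk"], "->", r["target_sdk"])
    print("permissions:", r["permissions"])
    print("debuggable:", r["debuggable"])
    for tag, name in r["exported_components"]:
        print(f"exported {tag}: {name}")
```

Run it against the `AndroidManifest.xml` that apktool writes into the decoded folder by replacing `SAMPLE_MANIFEST` with the file contents. The exported-component list is where a review starts: each entry is an entry point that any other app on the device can invoke, and the `DeepLinkActivity` above is exported only implicitly, through its intent filter, which is easy to miss when reading the file by hand.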

PERMISSION
• Doesn’t have any extension, unfortunately
• It defines which data and hardware components the application needs at runtime:
  • Camera
  • Internet
  • Access external storage
  • Bluetooth
  • Etc.

ACTIVITIES
• It also does not have any extension
• A UI element of the application, i.e. a different screen in the application (take Gpay as an example):
  • The first screen will show you the Gpay logo.
  • The second will ask you for the fingerprint.
  • The third will display all the payments you made in the past.
NOTE: Here an INTENT is what moves you from one screen to the other.

FINDING HARDCODED STRINGS
• Usually found in resources/strings.xml
• Threat vectors:
  • Login bypass
  • URLs exposed
  • API keys exposed
  • Firebase URLs
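As an added example (not from the slides), the script below scans a decoded strings.xml for the categories listed above: plain URLs, Firebase URLs, values shaped like well-known API key or token formats, and resource names that suggest a credential. The strings.xml embedded in the script is constructed; every resource name and value in it is invented, and the key-format regexes are the ones a reviewer would commonly use, not anything specific to the app under test.

```python
"""Added example: scan an apktool-decoded res/values/strings.xml for
hardcoded URLs, Firebase endpoints and API-key/token-shaped values.
The XML below is CONSTRUCTED; all names and values are invented."""
import re
import xml.etree.ElementTree as ET

SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
  <string name="app_name">Demo App</string>
  <string name="welcome">Welcome back</string>
  <string name="api_base">https://api.example.test/v1/</string>
  <string name="firebase_db">https://demo-project-placeholder.firebaseio.com</string>
  <string name="google_api_key">AIzaDEMODEMODEMODEMODEMODEMODEMODEMODEM</string>
  <string name="debug_password">hunter2</string>
</resources>
"""

# Each rule: (finding label, regex applied to the string VALUE).
VALUE_RULES = [
    ("url", re.compile(r"https?://[^\s\"'<>]+", re.I)),
    ("firebase_url", re.compile(r"https?://[\w.-]+\.firebaseio\.com", re.I)),
    # Google API keys start with "AIza" followed by 35 characters.
    ("google_api_key_like", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")),
    # AWS access key IDs start with "AKIA" followed by 16 upper-case/digits.
    ("aws_access_key_like", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # JWTs are three base64url segments, the header starting with "eyJ".
    ("jwt_like", re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+\b")),
]

# Resource NAMES that suggest a secret regardless of the value's shape.
NAME_RULE = re.compile(r"(password|passwd|secret|token|api[_-]?key|private[_-]?key)", re.I)


def scan_strings_xml(xml_text):
    """Return a list of (resource name, finding label, value) tuples."""
    findings = []
    for s in ET.fromstring(xml_text).findall("string"):
        name = s.get("name", "")
        value = (s.text or "").strip()
        labels = [label for label, rx in VALUE_RULES if rx.search(value)]
        if NAME_RULE.search(name):
            labels.append("suspicious_name")
        for label in labels:
            findings.append((name, label, value))
    return findings


if __name__ == "__main__":
    for name, label, value in scan_strings_xml(SAMPLE_STRINGS_XML):
        print(f"[{label}] {name} = {value}")
```

Every hit still needs a human decision: a public API base URL is informational, while a Firebase database URL or a key-shaped value is worth checking for what it grants. Hardcoded values are not limited to strings.xml, so the same rules are worth running over the decompiled Java/Smali sources as well.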

DYNAMIC ANALYSIS

ANDROID DYNAMIC ANALYSIS
• Intro to SSL Pinning
• Bypassing with BurpSuite
• Intro to Frida/Objection
• Injecting Frida manually/automatically
• Dumping memory and sensitive data
• Runtime analysis of local storage

SSL PINNING
• It’s a mechanism that ensures the application’s traffic cannot be intercepted.
• Some applications VERIFY that the traffic received on the phone comes from a KNOWN CERTIFICATE.
• The app may crash when we try to intercept the network traffic.
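To make the second and third bullets concrete, here is an added example (not from the slides, and not any specific app's code) of the check a pinned client performs: it hashes the server certificate it actually received and only continues if that hash matches a pin shipped inside the app. The certificate bytes are constructed placeholders so the demo runs offline; `fetch_leaf_certificate()` shows where the real bytes would come from on a live connection. Pinning to the DER-encoded leaf certificate is one of several pin targets (public key pins are another); the comparison logic is the same.

```python
"""Added example: how a certificate-pinned client decides whether to talk
to a server.  The pin is a SHA-256 hash of the DER certificate compared
against values baked into the app.  Certificate bytes are CONSTRUCTED
placeholders; hashing works on any bytes, so the demo runs offline."""
import base64
import hashlib
import socket
import ssl


def certificate_pin(der_bytes):
    """SHA-256 of the DER certificate, base64-encoded (the usual pin format)."""
    return base64.b64encode(hashlib.sha256(der_bytes).digest()).decode()


def pin_matches(der_bytes, pinned):
    """True only if the received certificate hashes to one of the known pins."""
    return certificate_pin(der_bytes) in set(pinned)


def fetch_leaf_certificate(host, port=443):
    """Obtain the server's leaf certificate (DER) from a real TLS handshake.
    Not exercised here; this is where a live client gets the bytes."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for the DER bytes of two different certificates.
LEGIT_CERT = b"-- constructed DER bytes: the expected server certificate --"
PROXY_CERT = b"-- constructed DER bytes: a certificate from an interception proxy --"

# The app ships the pin of its server certificate plus a backup pin so a
# certificate rotation does not brick the app.
PINNED = [
    certificate_pin(LEGIT_CERT),
    certificate_pin(b"-- constructed DER bytes: backup certificate --"),
]


def check_connection(der_bytes, pinned=PINNED):
    """What a pinned client does: fail closed when the pin does not match.
    This is the behaviour seen as a 'crash' or dead connection when traffic
    is routed through a proxy presenting its own certificate."""
    if not pin_matches(der_bytes, pinned):
        raise ssl.SSLError("certificate pin mismatch: refusing to send traffic")
    return "pin ok"


if __name__ == "__main__":
    print(check_connection(LEGIT_CERT))
    try:
        check_connection(PROXY_CERT)
    except ssl.SSLError as exc:
        print("blocked:", exc)
```

The important property is that the system trust store never gets a vote: a proxy certificate that the OS trusts (because its CA was installed on the device) still fails the pin comparison, which is why a pinned app stops working as soon as its traffic is intercepted. For a real client, replace the constructed bytes with the output of `fetch_leaf_certificate()` and compute the pins from the genuine certificate and its planned successor.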

ROOT DETECTION
• An adversary will use an automated tool to reverse engineer the code and modify it with malware to perform some hidden functionality.
• Root detection checks are related to binaries such as:
  • /system/bin/su
  • /system/xbin/su
  • /sbin/su
  • /system/su
  • /system/bin/.ext/.su

Q-N-A