Nowadays there is a life in every pocket: with the growing number of smartphones and smartphone applications, the question “How secure is this application I use?” comes to mind.
These apps should take your privacy and your data safety seriously.
In my opinion there are three major categories for analyzing an application:
1. Analyzing the source code [can show how the application works, reveal hardcoded credentials, or help you understand how the app’s cryptography works, if there is any]
2. Analyzing the application’s stored data [saved databases, sometimes hardcoded credentials]
3. Analyzing the application’s behavior towards an API or web application [this is where you can find server-side vulnerabilities, or even exploit them on the device]
1. Analyzing the source code
Here is the list of applications for Android penetration testing, but I myself use AppUse by AppSec Labs.
You can download the free version of AppUse here, but I highly recommend using its Pro version, which costs only $99 per year.
AppUse comes as a VMware image that includes much of the software you need for testing an application, such as apktool, JD-GUI, Eclipse, Burp Suite, etc.
In the Pro version you can connect your device [must be rooted] and test directly on the device instead of on an emulator.
I’ve installed diva-beta (Damn Insecure and Vulnerable App) on the emulator to show you how to start your Android penetration testing.
I start with the hardcoding issues: you can see that with the wrong credentials we failed to access the app,
so let’s decompile the application and look for any hardcoded credentials.
So by entering “vendorsecretkey” we should get the “Access granted” message.
Sometimes when you decompile an APK you see something like this:
This is a kind of obfuscation produced by programs such as ProGuard; you can use JEB to deobfuscate it back to the original source code.
2. Analyzing the application’s stored data
Sometimes applications store data on the device with poor encryption or even in plain text.
In DIVA I saved my username with the password P@ssword.
In this case I pulled the database created by the app from the device storage to my Linux machine.
By browsing this SQLite database we can find the user’s credentials, which are stored in plain text.
If you don’t like using AppUse or similar programs, you can browse the data using your adb shell;
you just need to know your installed package name and its path.
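As an added example (not code from the original post or from DIVA), the following Python script does the “browse the pulled database” step automatically: it walks every table of a SQLite file and reports credential-like columns whose values are stored as-is. The database is constructed in memory to mimic DIVA’s user table; the table and column names and the regex heuristics are assumptions.

```python
"""Audit a SQLite database pulled from an Android app for plaintext credentials."""
import re
import sqlite3
from typing import List, Tuple

# Column names that usually hold secrets (assumption: practical, not exhaustive).
SECRET_COLUMNS = re.compile(r"pass|pwd|secret|token|key|credential", re.IGNORECASE)
# Values that look already protected: MD5/SHA-1/SHA-256-length hex, or longer base64.
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)
BASE64ISH = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")


def quote_ident(name: str) -> str:
    """Quote a table/column name so odd identifiers cannot break the SQL."""
    return '"' + name.replace('"', '""') + '"'


def looks_protected(value: str) -> bool:
    """Heuristic: hashed or encoded values are not reported as plaintext."""
    return bool(HEX_DIGEST.match(value) or BASE64ISH.match(value))


def find_plaintext_credentials(conn: sqlite3.Connection) -> List[Tuple[str, str, str]]:
    """Return (table, column, value) for each credential-like column holding plaintext."""
    findings = []
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk)
        columns = [row[1] for row in conn.execute(f"PRAGMA table_info({quote_ident(table)})")]
        for column in columns:
            if not SECRET_COLUMNS.search(column):
                continue
            sql = f"SELECT {quote_ident(column)} FROM {quote_ident(table)}"
            for (value,) in conn.execute(sql):
                if isinstance(value, str) and value and not looks_protected(value):
                    findings.append((table, column, value))
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a database pulled from /data/data/<package>/databases/."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myuser (user TEXT, password TEXT)")
    conn.execute("INSERT INTO myuser VALUES ('diva', 'P@ssword')")  # plaintext, as in the post
    conn.execute("CREATE TABLE session (id INTEGER, auth_token TEXT)")
    conn.execute("INSERT INTO session VALUES (1, ?)", ("ab" * 32,))  # SHA-256-shaped, skipped
    conn.commit()
    return conn


if __name__ == "__main__":
    for table, column, value in find_plaintext_credentials(build_sample_db()):
        print(f"plaintext credential in {table}.{column}: {value!r}")
```

Point `sqlite3.connect()` at the file you pulled with adb instead of `build_sample_db()` to run it against a real app database.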
3. Analyzing the application’s behavior towards an API or web application
Here is where Burp Suite comes into the game.
All you need is to set the Burp proxy on your device or emulator; the only thing you need to know is how to install the Burp CA certificate on your device or emulator, which is explained completely here and here, and the rest is just like penetration testing a web application. For the emulator to work with Burp, my suggestion is Leapdroid.
For this section I suggest reading “Manipulating Android Applications, How I Hacked Quiz of Kings Game”, which explains how to play with server-side requests and try to hack the back-end behind the application.
Any questions? @Mormoroth