Build your own Android penetration testing lab


Nowadays there is a life in every pocket. With the increasing number of smartphones and smartphone applications, the question “How secure is this application I use?” comes to mind.

These apps should take your privacy and your data safety seriously.

In my opinion there are three major categories for analyzing an application:

1. Analyzing source code [can show how the application works, sometimes reveals hardcoded credentials, or helps you understand how the app’s cryptography works, if there is any]

2. Analyzing stored application’s data [saved database, sometimes hardcoded credentials]

3. Analyzing application’s behavior to an API or web application [this is where you can find server-side vulnerabilities or even exploit them on the device]

————————————-

1. Analyzing source code

Here is the list of applications for Android penetration testing, but I myself use AppUse by AppSec Labs.

You can download the AppUse free version here, but I highly recommend its pro version for only 99$ per year.

AppUse comes as a VMware image that includes many of the tools you need for testing an application, such as apktool, JD-GUI, Eclipse, Burp Suite, etc.


In the pro version you can connect your device [must be rooted] and test directly on the device instead of the emulator.

I’ve installed diva-beta.tar (Damn Insecure and Vulnerable App) on the emulator to show you how to start your Android penetration testing.


I start with the hardcoding issues, and you can see that with wrong credentials we failed to access the app.


So let’s decompile the application and look for any hardcoded credentials.


So by entering “vendorsecretkey” we should get the “Access granted” message.


Sometimes when you decompile an APK you see something like this.


It’s a kind of obfuscation applied by programs such as ProGuard; you can use JEB to deobfuscate it to the original source code.

————————————-

2. Analyzing stored application’s data

Sometimes applications store data on the device with poor encryption or even in plain text.

In DIVA I saved my username with password = P@ssword

In this case I pulled the database created by the app on the device storage to my own Linux machine.


By browsing this SQLite database we can find the user’s credentials, which are stored in plain text.
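As an added example (not part of the original post, and not code from AppUse or DIVA): a small Python audit that, once an app database has been pulled from the device, flags secret-named columns whose values are stored in plain text. The table names, keyword list and hash heuristics are assumptions, and the sample database is constructed.

```python
import re
import sqlite3

# Column names that usually hold secrets (assumed keyword list, extend as needed).
SECRET_COL = re.compile(r"pass|pwd|secret|token|pin|key", re.I)
# Values shaped like a hex digest (MD5/SHA-1/SHA-256 lengths) are not plaintext.
HEX_DIGEST = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def looks_plaintext(value):
    """Heuristic: short, printable, and not shaped like a digest or bcrypt hash."""
    if not isinstance(value, str) or not value:
        return False
    if HEX_DIGEST.match(value) or value.startswith(("$2a$", "$2b$", "$2y$")):
        return False
    return value.isprintable() and len(value) < 64


def audit_db(conn):
    """Return (table, column, hits) for secret-named columns holding plaintext."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in filter(SECRET_COL.search, cols):
            rows = conn.execute(f'SELECT "{col}" FROM "{table}"').fetchall()
            hits = sum(1 for (v,) in rows if looks_plaintext(v))
            if hits:
                findings.append((table, col, hits))
    return findings


def build_sample_db():
    """Constructed sample data standing in for a database pulled from the device."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sample_users (user TEXT, password TEXT)")
    conn.execute("INSERT INTO sample_users VALUES ('myuser', 'P@ssword')")
    conn.execute("CREATE TABLE sample_sessions (user TEXT, token_hash TEXT)")
    conn.execute("INSERT INTO sample_sessions VALUES ('myuser', ?)", ("a" * 64,))
    return conn


if __name__ == "__main__":
    # For a real pulled file, use sqlite3.connect("<path to pulled database>").
    for table, col, hits in audit_db(build_sample_db()):
        print(f"{table}.{col}: {hits} value(s) stored in plain text")
```

A finding here means the app should hash or encrypt that column, or keep the secret in the platform keystore, before release.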


If you don’t like to use AppUse or similar programs, you can browse the data using your adb shell.

You just need to know your installation package name and its path.


————————————-

3. Analyzing application’s behavior to an API or web application

Here is where Burp Suite comes into the game.

All you need is to set the Burp proxy on your device or emulator. The only thing you need to know is how to set the Burp CA on your device or emulator, which is explained completely here and here, and the rest is just like penetration testing a web application. For an emulator that works with Burp, my suggestion is Leapdroid.

For this section I suggest reading “Manipulating Android Applications , How i hacked quiz of kings game”, which explains how to play with server-side requests and try to hack the back-end behind the application.

Any questions? @Mormoroth