Friday, April 20, 2012

Android Application Assessment – Part II


I hope my last post helped you kick off your Android application pentest. In this post, I will cover application-specific attacks and checks using adb.exe (Android Debug Bridge) from the SDK toolkit.

Android Application Decompilation

I assume you already have the application's installable .apk file saved on your local drive (if not, please refer to my last post). In simpler terms, decompilation here means unpacking the .apk so that you can view the application files. Steps for application decompilation are:

  • Rename your application file from .apk to .zip or .rar (an .apk is a zip archive)
  • Extract the zipped file to view the application files

Files of interest are:

  • AndroidManifest.xml – Contains the application's permissions, configuration settings, intent filters and service settings. Look for the permissions requested and any external service call. More information can be found here.
  • classes.dex – Contains the application code, i.e. class files, java files, xml files, etc. Look for business logic implementation, encryption/decryption logic, hard-coded credentials and test data.

There is a high chance that the AndroidManifest.xml file is encoded (compiled to binary XML), so you need to decode it using a third-party tool before you can actually view it. Download the AXMLPrinter2.jar utility from here. Below are the steps to decode the AndroidManifest.xml file:


You should now be able to view your application's AndroidManifest.xml in cleartext.

Another method to inspect the AndroidManifest.xml file is to download and install the Manifest Explorer application on your Android device, as shown:


The next step is to decompile the classes.dex file. This is the most important file to inspect from a security point of view. Here's how you can decompile it:

  • Download a third-party tool named dex2jar from here
  • Below is the command to convert the dex file to a jar:



  • Locate the created jar file and rename it to .rar or .zip
  • Extract the zipped file and view the class files using your favourite Java decompiler
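As an added example (not code from the original post), the script below performs the first triage step of this section in one go: it opens the .apk as the zip archive it already is (no renaming needed), checks that AndroidManifest.xml is in the compiled binary form that needs AXMLPrinter2, verifies the classes.dex magic, and lists credential-looking strings embedded in the dex before you go to dex2jar. The sample .apk and the keyword list are constructed assumptions for illustration.

```python
import io
import re
import struct
import zipfile

# Hypothetical keyword list for flagging credential-like strings (tune per engagement).
CRED_RE = re.compile(rb"(?i)(password|passwd|pwd|secret|api[_-]?key|token)")
DEX_MAGIC = b"dex\n"          # every classes.dex starts with "dex\n" + version + NUL

def printable_strings(data, min_len=6):
    """Return printable-ASCII runs of at least min_len bytes (like the Unix strings tool)."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage_apk(apk_bytes):
    """Open the .apk as the zip it already is and report on the two files of interest."""
    report = {"manifest": False, "manifest_binary": False, "dex_ok": False, "suspicious": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        if "AndroidManifest.xml" in names:
            report["manifest"] = True
            manifest = z.read("AndroidManifest.xml")
            # A compiled (binary AXML) manifest starts with chunk type 0x0003, not with '<',
            # which is why the post needs AXMLPrinter2 before the file is readable.
            report["manifest_binary"] = not manifest.lstrip().startswith(b"<")
        if "classes.dex" in names:
            dex = z.read("classes.dex")
            report["dex_ok"] = dex.startswith(DEX_MAGIC)
            # Cheap first pass before dex2jar: credential-looking strings embedded in the code.
            report["suspicious"] = [s for s in printable_strings(dex) if CRED_RE.search(s.encode())]
    return report

def build_sample_apk():
    """Constructed sample .apk (not a real app): minimal binary-manifest header plus a fake dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # RES_XML_TYPE chunk header: type 0x0003, header size 8, chunk size 8 (header only).
        z.writestr("AndroidManifest.xml", struct.pack("<HHI", 0x0003, 8, 8))
        dex = (DEX_MAGIC + b"035\x00" + b"\x00" * 20
               + b"Lcom/example/Login;\x00admin_password=Test1234\x00")
        z.writestr("classes.dex", dex)
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

For a real assessment, read the .apk from disk (`triage_apk(open("app_name.apk", "rb").read())`) and treat any hit in `suspicious` as a lead to confirm in the decompiled classes, not as a finding by itself.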

Database Inspection

The objective of this test is to look for sensitive information stored in the application database. There is a high chance of finding user credentials in cleartext or other sensitive information like user financial details, SSNs, etc. Android stores all application-related files under the /data/data folder. You can access those files from adb.exe using the commands below:

adb devices – lists the connected devices
adb shell
su
cd /data/data/
ls

Look for your application's folder

cd com.android.applicationname
ls

Application database files are stored in the databases folder. To view a database file, we use the sqlite3 utility, which comes with the SDK toolkit. Here's how you can view them:

sqlite3 /data/data/com.android.applicationname/databases/databasename
.tables – List all database tables
select * from user_id;
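As an added example (not code from the original post), the script below does the same inspection offline on a copy of the database, assuming the file has been copied to the PC with adb pull (unlike the emulator, many production devices do not ship a sqlite3 binary). It enumerates the tables like .tables does and then flags every sensitive-looking column whose values are not obvious hex digests, i.e. likely cleartext. The table layout, column-name patterns and sample rows are constructed assumptions.

```python
import re
import sqlite3

# Hypothetical column-name patterns for data that should never be stored in cleartext.
SENSITIVE_COL = re.compile(r"(?i)(pass|pwd|secret|token|ssn|card|pin)")
# Rough "looks hashed" test: a lowercase hex digest of MD5/SHA-1/SHA-256 length.
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")

def list_tables(conn):
    """Equivalent of the sqlite3 shell's .tables command (user tables, sorted)."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name")
    return [r[0] for r in rows]

def find_cleartext(conn):
    """Return (table, column, value) for each sensitive-looking value not stored as a hash."""
    findings = []
    for table in list_tables(conn):
        # PRAGMA table_info row layout: (cid, name, type, notnull, dflt_value, pk)
        cols = [c[1] for c in conn.execute(f"PRAGMA table_info('{table}')")]
        for col in cols:
            if not SENSITIVE_COL.search(col):
                continue
            for (val,) in conn.execute(f'SELECT "{col}" FROM "{table}"'):
                if val is not None and not HEX_DIGEST.match(str(val)):
                    findings.append((table, col, str(val)))
    return findings

def build_sample_db():
    """Constructed in-memory stand-in for /data/data/<pkg>/databases/<name> (not real app data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user_id (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE profile (id INTEGER, ssn TEXT, card_number TEXT);
        INSERT INTO user_id VALUES (1, 'alice', 'S3cret!');
        INSERT INTO user_id VALUES (2, 'bob', '0123456789abcdef0123456789abcdef');
        INSERT INTO profile VALUES (1, '123-45-6789', NULL);
    """)
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    print(list_tables(db))
    for finding in find_cleartext(db):
        print(finding)
```

To inspect a pulled file instead of the sample, replace `build_sample_db()` with `sqlite3.connect("databasename")`; a hex-digest check only tells you a value is not plaintext, so a hit on a weak, unsalted hash still deserves a manual look.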

I will cover more application-specific attacks and a list of tools essential from a pentest perspective in my next post.

Happy Reading!!!

Friday, April 13, 2012

Android Application Assessment – Part I

Recently, I was engaged in testing an Android application. The customer generously provided me with his new Samsung 750 Tablet with the application installed on it. The application does not interact with any remote server, which meant all application data, database schema and files had to be stored locally. From the tutorials and my learning, I expected to find an Android installation file (.apk file), install it on a Google Android emulator and start testing. Unfortunately, the first step itself didn't meet my expectations.

I shall be releasing a series on Android application testing; this post is focused on setting up an environment, common challenges and confirming all is well before we proceed.

Challenge 1:

Extract the Android application installable file (.apk file) from the tablet. The application is running on the tablet, but it is not clear whether the installation files were removed or hidden by the developer.

Solution:

After searching for and testing a few apps/tricks found via Google, I finally decided to go with the Astro File Manager application. The application is not complicated and fulfils my needs. Below are the steps to get the .apk file:
  1. Download and install Astro File Manager on your Android tablet or phone
  2. Locate and open Astro File Manager
  3. Browse to the Application Backup menu
  4. Locate your application in the Installed Apps list and select the app (extreme right)
  5. Hit “Backup” button
  6. Check and confirm your application backup in the Backup Apps list
Now we have the backup of our application. Next steps:
  1. Exit the Astro File Manager application
  2. Browse to the Home Screen and go to the My Files folder
  3. Look for the backups folder and you will find your .apk file there
Once you have your application's .apk file, there are multiple ways to get it onto your PC. I installed the Dropbox application on the tablet and then downloaded the file onto my PC. Other alternatives are as below:
  • Attach the file to an email to your inbox (< 5MB)
  • Install the Samsung Windows driver from here and transfer it via USB.
The next step is to install the application on the Android emulator. You can download it from here and the installation steps are listed here. Once setup is done, you will have a running emulator similar to the one below:


Installing the Assessment Application on the Emulator
After a successful SDK toolkit installation, add the strings below to your PATH environment variable (Right click My Computer-->Properties-->Advanced-->Environment Variables):

C:\Program Files\Android\android-sdk\tools;C:\Program Files\Android\android-sdk\platform-tools

We are now ready to install the application on the Android emulator from any location (a valid one, of course). The utility used to interact with the emulator is adb.exe, which can be found under C:\Program Files\Android\android-sdk\platform-tools. The steps are as below:

  1. Open AVD Manager from All Programs and click Start to run the emulator
  2. Open a command prompt and browse to the path where you saved your application .apk file
  3. Issue the command adb devices to ensure your emulator is working properly (it should be listed with the state "device")
  4. To install the app: adb install app_name.apk
Here's a screenshot of the above steps:


Happy Reading!!!