Friday, April 20, 2012

Android Application Assessment – Part II


I hope my last post helped you to kick off android application pentest. In this post, I will cover application specific attacks/checks using adb.exe (Android Debug Bridge) from SDK toolkit.

Android Application Decompilation

I assume you already have application installable .apk file saved onto your local drive (If not, please refer to my last post). In simpler terms, decompilation is the method to view application files. Steps for application decompilation are:

  • Rename your application file from .apk to .zip or .rar
  • Extract the zipped file to view application files

Files of interest are:

  • AndroidManifest.xml - Contains application permission, configuration settings, filters, service settings. Look for application permission or any external service call. More information can be found here.
  • Classes.dex – Contains application source code i.e. class files, java files, xml files, etc. Look for business logic implementation, encryption/decryption logic, hard-coded credentials, test data.

There are high chances of AndroidManifest.xml file being encoded, so you need to decode it using a third party tool before you can actually view it. Download AXMLPrinter2.jar utility from here. Below are the steps to decode AndroidManifest.xml file:


You should now be able to view your application AndroidManifest.xml in cleartext.

Another method to inspect AndroidManifest.xml file is to download and install Manifest Explorer application on to your android device as shown:


The next step is to decompile the classes.dex file. This is the most important file to inspect from security point of view. Here’s how you can decompile it:

  • Download a third party tool named dex2jar from here
  • Below is the command to convert dex file to jar:



  • Locate the created jar file and rename it to rar or zip
  • Extract the zipped file and view class files using your favourite java decompiler

Database Inspection

The objective of this test is to look for sensitive information stored in application database. There are high chances of getting the user credentials in cleartext or sensitive information  like user financial details, SSN numbers, etc. Android stores all application-related files under /data/data folder. You can access those files from adb.exe using the below commands:

adb devices – List of connected devices will be shown
adb shell
su
cd /data/data/
ls

Look for your application folder

cd com.android.applicationname
ls

Application database files will be stored in databases folder. To view database file, we need to use sqllite3 utility which comes along with SDK toolkit. Here’s how you can view them:

sqllite3 /data/data/com.android.applicationname/databases/databasename
.table – List all database tables
select * from user_id;

I will cover more application specific attacks and tool list which are essential from pentest perspective in my next post.

Happy Reading!!!

3 comments:

  1. It is much easier with AndroChef Java Decompiler: http://www.neshkov.com/ac_decompiler.html

    ReplyDelete
  2. The various Android application model and models are accessible in the Android market for customer use.

    ReplyDelete
  3. Your article has demonstrated your diligent work and experience you have in this field.
    open source risk

    ReplyDelete