Monday, May 28, 2012

Android Application Assessment – Part III

This post covers a few more Android-specific attacks and tools that may help you further in pentesting your Android app.

Please note that for an Android application that talks to the Internet over Wi-Fi or GPRS, you need to route its traffic through an intercepting proxy and test it the way you would test a web application: all applicable web application tests apply to the app's back-end calls. Check here to set up a proxy in the Android emulator. Keep in mind that an app which ignores the system proxy settings or pins its server certificate will not show up in the proxy; for those, capture the raw traffic instead (see Wireshark under Useful Tools below).

Application Process and Inter-Communication Inspection

The objective is to observe the application at runtime: the processes and threads it creates, its heap and allocation behaviour, the log messages it writes, and how it reacts to spoofed local data such as a faked GPS location or an incoming call/SMS, plus grabbing screenshots, all without rooting the device. The utility used here is ddms.bat, the Dalvik Debug Monitor Server. It is not a GUI version of adb.exe; it is a separate debugging front-end that talks to the device or emulator through adb, so adb must be able to see your device first (adb devices). The default location of this utility is C:\Program Files\Android\android-sdk\tools. Below is how you get access to all of the above:

Browse to \Android\android-sdk\tools via the command prompt.

Locate and execute ddms.bat. Select your device in the left-hand pane and then pick the application's process to populate the tabs on the right (Info, Threads, VM Heap, Allocation Tracker, Sysinfo and Emulator Control), with LogCat at the bottom. Screen captures are taken from Device > Screen Capture, and the Emulator Control tab is where location and telephony (voice/SMS) data can be spoofed for an emulator.

Insecure Cryptographic Storage

The objective of this test is to look for hardcoded keys, IVs and passwords that the application uses to encrypt and decrypt data at rest or in transit. Decompiling the application, as detailed in my last post, should do most of the work for you. Places to look:

  • Calls to javax.crypto.Cipher.getInstance() and Cipher.init() in the class files. Cipher.init() only receives a Key object, so follow that object back to where it is built: a javax.crypto.spec.SecretKeySpec, IvParameterSpec or PBEKeySpec constructed from a string literal or a static byte array is the actual finding. While you are there, check the transformation string passed to getInstance(); "AES/ECB/..." or a bare "AES" (which defaults to ECB) is a weakness in its own right.
  • Class and field names should give you the direction (CryptoHelper, KEY, SECRET, IV, SALT and the like), but do not rely on them; obfuscated apps will have renamed them.
  • The login Activity or the first screen shown after launch usually contains or calls the encryption logic, so start tracing from there.
  • Resources are also fair game: res/values/strings.xml, files under assets/, and the app's own shared preferences on the device may hold the key outside the code.
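Grepping decompiled sources by hand gets tedious on a large app. The script below is an added example, not part of the original post or of any tool mentioned in it: it scans decompiled Java for the patterns described above (secret-looking static final constants, SecretKeySpec/IvParameterSpec/PBEKeySpec built from a literal or from one of those constants, and ECB or default-mode Cipher.getInstance() transformations). The sample source it runs over is constructed for the example and does not come from a real application; the rule names are my own.

```python
import re
from typing import List, Set, Tuple

Finding = Tuple[int, str, str]  # (line number, rule id, offending source line)

# Constructed sample modelled on dex2jar/JD-GUI style output; not from any real app.
SAMPLE_SOURCE = '''\
package com.example.vault;

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CryptoHelper {
    private static final String KEY = "0123456789abcdef";
    private static final byte[] IV = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };

    public static byte[] encrypt(byte[] data) throws Exception {
        SecretKeySpec spec = new SecretKeySpec(KEY.getBytes("UTF-8"), "AES");
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, spec);
        return c.doFinal(data);
    }

    public static byte[] encryptCbc(byte[] data, byte[] key) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(IV));
        return c.doFinal(data);
    }
}
'''

# static final String/byte[] fields with a secret-looking name and a literal initializer.
# Heuristic: names such as KEY, SECRET, IV, SALT, PASS/PWD (case-insensitive, so expect
# some noise from names like "monkey"); review every hit by hand.
_SECRET_FIELD = re.compile(
    r'static\s+final\s+(?:String|byte\s*\[\s*\])\s+'
    r'(?P<name>\w*(?:KEY|SECRET|IV|SALT|PASS|PWD)\w*)\s*=\s*(?P<value>"[^"]*"|\{[^}]*\})',
    re.IGNORECASE,
)
# First constructor argument of the JCE spec classes that carry key/IV/password material.
_SPEC_CTOR = re.compile(
    r'new\s+(?P<cls>SecretKeySpec|IvParameterSpec|PBEKeySpec)\s*\(\s*(?P<arg>[^,)]+)'
)
# Cipher.getInstance("ALG/MODE/PADDING")
_GET_INSTANCE = re.compile(r'Cipher\.getInstance\s*\(\s*"(?P<transform>[^"]+)"')


def find_hardcoded_crypto(source: str) -> List[Finding]:
    """Return (line, rule, text) findings for hardcoded key material and ECB use."""
    findings: List[Finding] = []
    constants: Set[str] = set()
    lines = source.splitlines()

    # Pass 1: collect secret-looking constants so later references can be resolved.
    for no, line in enumerate(lines, 1):
        m = _SECRET_FIELD.search(line)
        if m:
            constants.add(m.group('name'))  # exact, case-sensitive identifier
            findings.append((no, 'HARDCODED_SECRET_FIELD', line.strip()))

    # Pass 2: key/IV specs built from a literal or from a flagged constant, and ECB mode.
    for no, line in enumerate(lines, 1):
        for m in _SPEC_CTOR.finditer(line):
            arg = m.group('arg').strip()
            ident = re.match(r'\w+', arg)
            from_literal = arg.startswith('"') or arg.startswith('{')
            from_constant = bool(ident) and ident.group(0) in constants
            if from_literal or from_constant:
                findings.append((no, 'KEYSPEC_FROM_LITERAL', line.strip()))
        m = _GET_INSTANCE.search(line)
        if m:
            parts = m.group('transform').upper().split('/')
            # A bare algorithm name ("AES") leaves the mode to the provider, which is ECB.
            if len(parts) == 1 or parts[1] == 'ECB':
                findings.append((no, 'ECB_MODE', line.strip()))
    return sorted(findings)


if __name__ == '__main__':
    for no, rule, text in find_hardcoded_crypto(SAMPLE_SOURCE):
        print(f'{no:4}  {rule:24} {text}')
```

Point it at the decompiled source tree (one file at a time) and triage the output. Note that the parameter named key in encryptCbc() is deliberately not flagged: the constant lookup is case-sensitive and only matches identifiers the first pass actually saw, which keeps the scanner from reporting every method that takes a key argument. Anything the scanner reports still has to be confirmed by reading the code, since the whole thing is pattern matching, not data-flow analysis.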

Useful Tools

Below are some Android-specific tools (apart from the ones already mentioned in this series) that may help you investigate further or find more issues:

Intent Fuzzer – Sends random or invalid data in Intents to the application's exported components (Activities, Services, Broadcast Receivers) to see how they react; crashes and unexpected behaviour point at missing input validation or components that should not be exported.

Intent Sniffer – Monitors the Intents, in particular broadcasts, that your application sends and receives at runtime, which is useful for spotting sensitive data passed between components.

BusyBox – A single binary bundling common Unix tools (ls, find, grep, netstat and so on) that are missing from a stock Android shell; install it on a rooted device or the emulator to inspect the application's files and processes from adb shell.

Wireshark – Most of you are already familiar with it. Combine it with RawCap to capture the emulator's traffic on the host machine's loopback interface, then open the capture in Wireshark for analysis; this is also the fallback for apps that bypass your proxy.

I hope you have found this series useful in pentesting your Android applications. I await your feedback. :)

Happy Reading!!!