This post covers some more Android application specific attacks and tools that may further help you in pentesting your Android app.
Please note that for an Android application that connects to the internet via Wi-Fi or GPRS, you need to route its traffic through a proxy and test it the way you would test a web application; all applicable web application tests then apply. Check here to set up a proxy in the Android emulator.
Application Process and Inter-Communication Inspection
The objective is to inspect the internal system calls made by your application, grab screens without rooting your device, spoof local data, and view processes and application state information. The utility we use here is DDMS (ddms.bat), the GUI counterpart of adb.exe. Its default location is C:\Program Files\Android\android-sdk\tools. Below is how you can get access to all of the data mentioned above:
- Browse to \Android\android-sdk\tools via the command prompt
- Locate and execute ddms.bat to open the DDMS window
Insecure Cryptographic Storage
The objective of this test is to look for hardcoded keys that the application may store to encrypt and decrypt data at rest or in transit. Application decompilation, detailed in my last post, should do most of the work. Places to look:
- Calls to methods such as javax.crypto.Cipher.init() in the class files
- Class names, which should point you in the right direction
- The application home page or login page, which may perform some encryption logic
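As an added example (not code from the original post), here is a small Python script that applies the three hints above to decompiled Java source: it records string and byte-array constants, flags SecretKeySpec and IvParameterSpec objects built from those constants or from string literals, lists every Cipher.getInstance / init call for manual review, and notes classes whose names suggest login or crypto logic. The sample source is constructed for this example, and the regular expressions are heuristics tuned to jd-gui style output; obfuscated code will need adjustments.

```python
import re
from typing import Dict, List

# Constructed sample: a fragment of decompiled Java source in the shape a
# decompiler such as jd-gui produces from classes.dex converted with dex2jar.
# LoginActivity embeds its AES key and IV; SafeStore receives its key at runtime.
SAMPLE_SOURCE = '''
package com.example.bank;

import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.crypto.spec.IvParameterSpec;

public class LoginActivity {
    private static final String KEY = "0123456789abcdef";
    private static final byte[] IV = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};

    byte[] encrypt(byte[] plain) throws Exception {
        SecretKeySpec spec = new SecretKeySpec(KEY.getBytes("UTF-8"), "AES");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, spec, new IvParameterSpec(IV));
        return c.doFinal(plain);
    }
}

public class SafeStore {
    byte[] wrap(byte[] data, javax.crypto.SecretKey key) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(data);
    }
}
'''

# Hint 1: every place the cipher is created or initialised deserves a look.
CIPHER_USE = re.compile(r'\bCipher\.getInstance\(|\.init\(\s*Cipher\.')
# Key and IV material passed to the JCE wrapper classes.
KEY_SPEC = re.compile(r'new\s+SecretKeySpec\(\s*([^,]+),')
IV_SPEC = re.compile(r'new\s+IvParameterSpec\(\s*([^)]+)\)')
# Compile-time constants that could be key material.
STRING_CONST = re.compile(r'(?:static\s+)?final\s+String\s+(\w+)\s*=\s*"([^"]*)"')
BYTE_CONST = re.compile(r'(?:static\s+)?final\s+byte\[\]\s+(\w+)\s*=\s*\{([^}]*)\}')
# Hints 2 and 3: class names that suggest crypto or login handling.
CLASS_HINT = re.compile(r'\bclass\s+(\w*(?:Login|Crypt|Cipher|Encrypt|Key)\w*)')


def _constant_refs(arg: str, constants: Dict[str, tuple]) -> List[str]:
    """Return the names of known constants referenced inside an argument expression."""
    return [name for name in constants
            if re.search(r'\b' + re.escape(name) + r'\b', arg)]


def scan_source(src: str) -> List[Dict]:
    """Scan decompiled Java text and return findings as dicts with line, kind, detail."""
    lines = src.splitlines()
    constants: Dict[str, tuple] = {}  # name -> (kind, declaring line, size)
    # First pass: collect constants so later references can be resolved.
    for n, line in enumerate(lines, 1):
        m = STRING_CONST.search(line)
        if m:
            constants[m.group(1)] = ("String", n, len(m.group(2)))
        m = BYTE_CONST.search(line)
        if m:
            size = len([v for v in m.group(2).split(',') if v.strip()])
            constants[m.group(1)] = ("byte[]", n, size)

    findings: List[Dict] = []
    # Second pass: report cipher usage, hardcoded material and suspicious class names.
    for n, line in enumerate(lines, 1):
        m = CLASS_HINT.search(line)
        if m:
            findings.append({"line": n, "kind": "class-hint",
                             "detail": f"class {m.group(1)} may contain crypto or login logic"})
        if CIPHER_USE.search(line):
            findings.append({"line": n, "kind": "cipher-use", "detail": line.strip()})
        for pattern, kind in ((KEY_SPEC, "hardcoded-key"), (IV_SPEC, "hardcoded-iv")):
            m = pattern.search(line)
            if not m:
                continue
            arg = m.group(1)
            for name in _constant_refs(arg, constants):
                ckind, decl, size = constants[name]
                findings.append({"line": n, "kind": kind,
                                 "detail": f"built from {ckind} constant {name} "
                                           f"(size {size}) declared on line {decl}"})
            if re.search(r'"[^"]*"\.getBytes', arg):
                findings.append({"line": n, "kind": kind,
                                 "detail": "built from an inline string literal"})
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']:>3}  {f['kind']:<14} {f['detail']}")
```

Running the script on the constructed sample reports the key and IV constants used in LoginActivity and lists both Cipher call sites for review; SafeStore produces only cipher-use entries, because its key arrives as a parameter rather than a constant. On a real decompiled tree, feed each .java file through scan_source and triage the hardcoded-key and hardcoded-iv findings first.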
Useful Tools
Below are some Android application specific tools (apart from those I mentioned earlier in this series) that may help you investigate further or look for more issues:
- Intent Fuzzer – Supplies random, invalid data to test how your application reacts to it.
- Intent Sniffer – Monitors and intercepts the intents of your application.
- BusyBox – A bundle of Unix tools for testing your Android application.
- Wireshark – Most of you will be aware of its functionality; combine it with RawCap to analyze the traffic.
I hope you have found this series useful in pentesting your Android applications. I await your feedback..:)
Happy Reading!!!
Nice Article!!
Waiting for your 4th part.