[A]ndroid [A]pplication [P]entest [G]uide
3. MANUAL DYNAMIC ANALYSIS

Last updated 5 years ago

PROXY SETUP

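  • Install Burp-Suite (recommended)

AVD || rooted devices

  • Cert installation: BEFORE Android 7 (Nougat), Android 7 or higher

  • Proxy setup: Virtual device, Physical phone

Additional tools

  • Install drozer on host & phone

  • Android SDK

    • adb might be located @ Android/Sdk/platform-tools/ (Linux)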

Do they work?

adb

list devices:

adb devices

port forwarding for drozer client:

adb forward tcp:31415 tcp:31415

drozer

list available drozer clients

drozer console devices

connect to drozer client and end up in drozer-shell: "dr>":

drozer console connect

PROXY-AWARE APPS - SETUP

Xamarin

add the following code in the OnCreate or Main method

WebRequest.DefaultWebProxy = new WebProxy("<Proxy-IP>", <Proxy-Port>);

Traffic routing (remotely sniff via netcat)

tcpdump -i <interface: wlan0> -s0 -w - | nc -l -p 11111
adb forward tcp:11111 tcp:11111
nc localhost 11111 | wireshark -k -S -i -

Downside: with HTTPS the captured traffic is encrypted, so you are not able to see any request bodies

Man-in-the-Middle w/ bettercap

(command may differ due to bettercap version)

sudo bettercap -eval "set arp.spoof.targets <TARGET-IP>; arp.spoof on; set arp.spoof.internal true; set arp.spoof.fullduplex true;"

Redirect with iptables

iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination <PROXY-IP>:8080

verify iptables settings

iptables -t nat -L

flush the nat table to reset the iptables config:

iptables -t nat -F
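
The rule above only redirects TCP port 80, so it helps to check which ports actually reach the proxy; the rule-spec listing from iptables -t nat -S is easier to parse for that than -L. The following is an added example, not part of the original guide: the function names are hypothetical and the sample rules are constructed, with 192.0.2.10 standing in for <PROXY-IP>.

```shell
#!/bin/sh
# Added example: audit NAT redirects from `iptables -t nat -S` output.
# SAMPLE_RULES is constructed; 192.0.2.10 stands in for <PROXY-IP>.
SAMPLE_RULES='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:8080'

# Read rule specs on stdin, print "<dport> <destination>" per DNAT rule.
list_redirects() {
    while read -r line; do
        case "$line" in
            *"-j DNAT"*) ;;
            *) continue ;;
        esac
        dport='' dest='' prev=''
        for word in $line; do
            case "$prev" in
                --dport) dport=$word ;;
                --to-destination) dest=$word ;;
            esac
            prev=$word
        done
        if [ -n "$dest" ]; then echo "${dport:-any} $dest"; fi
    done
    return 0
}

# Succeed if port $1 is redirected to proxy $2 (ip:port) in rule text $3.
is_redirected() {
    printf '%s\n' "$3" | list_redirects | grep -qxF "$1 $2"
}

# Print every port from $3.. that is NOT redirected to proxy $1 in rules $2.
unproxied_ports() {
    proxy=$1 rules=$2; shift 2
    for port in "$@"; do
        is_redirected "$port" "$proxy" "$rules" || echo "$port"
    done
}

# On the device (as root), feed in the live rules instead of the sample:
#   unproxied_ports "<PROXY-IP>:8080" "$(iptables -t nat -S OUTPUT)" 80 443
```

With the sample rules, port 443 is reported as unproxied: HTTPS traffic still goes out directly until a matching rule for that port is added.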

WHY?

  • In case of XAMARIN (ignores system proxy - not always! give it a try before you cry)

  • Other protocols are used (XMPP or other non-HTTP)

  • To intercept push notifications

  • The app itself verifies the connection and refuses it
