Android Hacking
Android pentesting with APK involves assessing the security of Android applications by analyzing their APK (Android Application Package) files. APK files are the package file format used by the Android operating system for distribution and installation of mobile applications.
Here's a general process for Android pentesting with APK:
Static Analysis: This involves examining the APK file without executing it. Techniques include: - Decompilation: Decompiling the APK file to its source code using tools like JADX, jadx, or APKTool. - Code Review: Reviewing the decompiled source code for vulnerabilities such as insecure data storage, hardcoded credentials, improper input validation, etc. - Manifest Analysis: Reviewing the AndroidManifest.xml file for permissions, services, activities, and other components declared by the application.
Dynamic Analysis: This involves executing the application in a controlled environment (emulator or device) and observing its behavior. Techniques include: - Runtime Analysis: Monitoring the application's behavior for suspicious activities such as network traffic, file system access, inter-component communication, etc. - Traffic Interception: Capturing and analyzing network traffic generated by the application using tools like Burp Suite or Wireshark to identify potential vulnerabilities like insecure communication, data leakage, etc. - Fuzzing: Sending malformed inputs to the application to trigger unexpected behavior and identify vulnerabilities like buffer overflows, SQL injection, etc.
Exploitation: Once vulnerabilities are identified, attempts can be made to exploit them to gain unauthorized access or perform other malicious actions. This may involve crafting payloads, leveraging known exploits, or developing custom exploits.
Tools
- Android Studio ---> Virtualization of phone (Google Play & API)
- Emulator ---> Emulate phone outside of Android Studio
- Jadx ---> De-compile application and static Analysis
- APKtool ---> Compile and De-compile application
- ADB ---> Get Shell, pull resources on Phone
- Objection & Frida ---> Used for SSL pinning & Sign app
Static Analysis
- Threat Vector:
- Login bypass
- URL's Exposed
- API Keys
- Fireabase
Step 1: Pull apk from Google play store
# Launch virtual phone in Android Studio
# Download the desired application on the phone
- adb shell
- pm list packages | grep -i "application"
- pm path PACKAGE-NAME.apk
- adb pull FULL-PATH/PACKAGE-NAME.apk NEW-FILE-NAME.apk
- exit
Step 2: Decompile the application
-
Decompile the application
- apktool -d application.apk
-
Run inside Jadx (No need to manually decompile)
Step 3: Static Analysis via Jadx
- Files to check
- Manifest.xml (Inside Ressources)
- Check Permission
- check Version phone
- Check Activities
- Strings.xml (Inside Ressources)
- resources.arsc/res/values
- xmls.xml
- strings.xml
- ...
- resources.arsc/res/values
- Searching for Activities
- exported="True" ---> Looking for this, mean we can replay this
- Explore strings (Search icon)
- Search for the following
- http
- https
- api
- secret
- key
- exported="True"
- firebase
- aws
- SQL
- .db (databse)
- ...
- Search for the following
- Automated Analysis using MobSF (Check MobSF for more information)
- Drop the apk file
- analyse and search the same things described before
- Manifest.xml (Inside Ressources)
Step 4: Enumerate API keys (If found)
- AWS
- Cloudenum ---> Check Cloud Folder for more information
- Firebase
- FirebaseEnum ---> Check Cloud Folder for more information
Dynamic Analysis
- Threat Vector:
- Monitoring the application's behavior
- Network traffic
- File system access, inter-component communication, etc.
- Traffic Interception
- Fuzzing
Step 1: Pull apk from Google play store
# Launch virtual phone in Android Studio
# Download the desired application on the phone
- adb shell
- pm list packages | grep -i "application"
- pm path PACKAGE-NAME.apk
- adb pull FULL-PATH/PACKAGE-NAME.apk NEW-FILE-NAME.apk
- exit
Step 2: Things to try
-
SSLpinning
- Automatic patching (Don't always work)
- pip3 install frida-tools
- pip3 install objection
emulator -list-avds
&emulator -avd EMULATOR_PHONE -writable-system -no-snapshot
Objection patchapk --source APPLICATION.apk
- CMD C:\Users\18199\AppData\Local\Android\Sdk\build-tools\34.0.0> `objection patchapk --source "C:\Users<user>\Downloads\base.apk"
- IF MULTIPLES APKS --->
- CMD C:\Users\18199\AppData\Local\Android\Sdk\build-tools\34.0.0>
objection patchapk --source "C:\Users\<user>\Downloads\base.apk" --use-aapt2
- If does not work, try disabling antivirus
adb install-multiple files.apk...
- CMD C:\Users\18199\AppData\Local\Android\Sdk\build-tools\34.0.0>
- Manual patching
- apktool d -r APPLICATION.apk (Don't de-compile the resources)
- Find source of infrastructure (ex: X86_64, ...)
- Download Frida gadget (Select the right infrastructure)
- https://github.com/frida/frida/releases (opens in a new tab)
- Rename the file 'libfrida-gadget.so' and paste inside /lib/INFRASTRUCTURE
- Find an activity that is launched early in the application (Ex: MainActivity.smali)
- Paste the following
const-string v0, "frida-gadget" invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
- Rebuild the apk
apktool b -o application.apk -o new-application.apk
- Sign the application (Can differ if the apk is subdivised)
keytool -genkey -v -keystore custom.keystore -alias mykeyaliasname -keyalg RSA -keysize 2048 -validity 10000
jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore mycustom.keystore -storepass mystorepass repackaged.apk mykeyaliasname
jarsigner -verify repackaged.apk
zipalign 4 repackaged.apk repackaged-final.apk
- Add the new application to the phone
- Launch the application (on phone)
- Launch objection in cmd
objection explore
- Disable SSLpinning
android sslpinning disable
- Analise the traffic
- More info: https://koz.io/using-frida-on-android-without-root/ (opens in a new tab)
- Automatic patching (Don't always work)
-
Traffic Analysis (Burp or mitmproxy)
- Set Proxy
- Set Certificate
- Try SSLpinning
-
Dynamic analysis with MobSF
- Launch emulator (from cmd) - Without Google play installed
emulator -list-avds
&emulator -avd EMULATOR_PHONE -writable-system -no-snapshot
- Start MobSF
- Run Dynamic Analysis