Android Checklist:
Extract Manifest and Data from the apk:
- aapt l -a target.apk
- aapt dump permissions target.apk // Read permissions
- aapt dump badging target.apk // Read version code
- aapt list target.apk //The 'list' command shows the contents of the package
- aapt list -v target.apk //the -v option is just like 'unzip -l -v'
Note: AAPT allows you to view, create, and update ZIP-compatible archives (ZIP, JAR, and APK). It can also compile resources into binary assets. It is the base builder for Android applications.
References:
Get the USB Android devices (Assumes USB debug enabled):
- sudo apt-get install android-tools-adb android-tools-fastboot // Install adb tools
- adb devices //list devices
- adb -s <device> command //execute command over a specific device
- adb shell // Get shell on device
- adb root // Get root access - Not always
Log activity using adb logcat
Drozer exploit lis tPull APK packaged from the emulator/device
- adb logcat ActivityManager:I com.app.dev.app_nam:D *:S
Drozer exploit lis tPull APK packaged from the emulator/device
- adb shell pm list packages // Get package list
- adb shell pm path com.example.someapp // Get app path
- adb pull /data/app/com.example.someapp-2.apk path/to/desired/destination // package
Get system info (adb derived shell):
- shell@android:/ $ getprop //get system properties
- shell@android:/ $ dumpsys //dump status of all system information and services
- shell@android:/ $ service list //List services
Note: Android Debug Bridge (adb) is a versatile command-line tool that lets you communicate with a device. The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device.
Set system proxy (with adb reverse keyword):
- adb reverse tcp:7777 tcp:8080 // Sends 7777 traffic to 8080
- adb reverse remove tcp:7777 // Remove proxy
- adb reverse remove --all // Remove all proxies
This sets up a reverse port forward on your phone, tablet, emulator, development device of choice, etc. Any request sent to port 7777 on your phone is forwarded over the USB cable to port 8080 of your development machcom.android.service
ine. The 7777 is the port number on your phone that you want to use. You can use any number you like as long as
ine. The 7777 is the port number on your phone that you want to use. You can use any number you like as long as
- it's anything from 1024 to 65536
- it's not already in use by another app
Note: If you get the response "error: cannot bind to socket" try a different number.
Get the current SDK version:
- adb shell grep ro.build.version.sdk= system/build.propro.build.version.sdk=25
Install Drozer Agent/Start Console USB mode:
- adb forward tcp:31415 tcp:31415 // Setup port forwarding for Drozer
- adb install /usr/lib/python2.7/dist-packages/drozer/lib/standard-agent.apk
- drozer console connect
Start Console Infra mode:
- drozer server start // infra mode
- drozer console connect 768bcc409d0a0188 --server 0.0.0.0:31415
Note: Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps’ IPC endpoints and the underlying OS.
Get info from Drozer:
- run app.package.list -f target app // Find your target app
- run app.package.info -a <package name> // Get package info
- run app.package.manifest <package name> // Get manifest to check permissions
- run app.package.attacksurface <package name> // Check attack surface
- run app.activity.info -a <package name> // Check activity info
- run app.activity.start --component <package name> .ViewStatement // Test access control for activities
- run app.package.list -p android.permission.READ_SMS // search for applications that requested an specific permission
- run app.provider.finduri <package name> //find query paths of Content Providers of an APP
Get attack surface:
- run app.package.attacksurface <package>
- adb shell am start -n <package>.LoginActivity // Start activity
Removing secrurity packages from the phone:
To Query content providers (file system):
- adb shell pm uninstall -k --user 0 com.android.service
- adb shell pm uninstall --user 0 com.android.service
- adb uninstall com.android.service
To Query content providers (file system):
- run app.provider.read content://<package>.FileBackupProvider/etc/hosts
- run app.provider.download content://<package>.FileBackupProvider/data
To Query content providers (inject path traversal):
Note1: Fragment Injection: All exported activities that extend PreferenceActivity and are running on Android 4.3 or prior are vulnerable. This attack was mitigated by Android in versions 4.4 onward by providing a new method in the PreferenceActivity class named isValidFragment() to allow developers to override it and validate which fragments can be loaded inside the activity. Performing poor validation on the fragment name supplied to this method or simply returning true in this method without performing any checks would still result in fragment injection attacks being possible.
- run scanner.provider.traversal -a <package>
- run scanner.provider.injection -a <package>
- run app.provider.insert content://<package name>.TrackUserContentProvider/trackerusers/ --integer id 2 --string name n3k
- run app.provider.insert content://<package name>.DBContentProvider/Passwords --integer _id 3 --string service Facebook --string username test --string password zA76WR9m --string email test@gmail.com
Note2: Content providers were the only application component that was exported by default on Android, but this situation has since been amended in API version 17. Note that the default behavior is still to export a content provider if the android:targetSdkVersion is set to a value smaller than 17, and so these issues are still prevalent.
SQLmap Fuzzing content providers:
List applications sharing that UID
- run use auxiliary.webcontentresolver
- sqlpmap -u localhost
List applications sharing that UID
- run app.package.shareduid -u 10005
Auditing the whole application set:
- run app.package.backup //looks for what applications allow to do backups of their data
Remote Loading of Code:
- DexClassLoader (String dexPath, String dexOutputDir, String libPath, ClassLoader parent)
Find pre-installed applications that allow to install new packages:
- run app.package.list -p android.permission.INSTALL_PACKAGES
Unprotected broadcast receivers
- run app.broadcast.send --component <package>
Note: Applications can make use of the sendBroadcast()method and send broadcasts whose impact is determined completely by what code is run in the onReceive()method of the broadcast receivers that receive the sent intent. This applies in exactly the same way for broadcast receivers that have been registered at runtime using the registerReceiver()method. To discover broadcast receivers that have been registered at runtime you must search through the code of the application; drozer will not find them using the app .broadcast.info module.
Intent Sniffing
Intent sniffing is when a broadcast receiver can register to receive broadcasts that may have been intended for other applications. This is possible because some applications broadcast intents and do not define a required permission that a broadcast receiver must hold in order to receive the intent or do not provide a destination package for the intent.
Drozer exploits:
Drozer exploits:
- drozer exploit list
Drozer modules search:
Editing APK packages:
Search for content:
Searching for certificate pinning
grep -r "pinning" apk_decoded folder
Signing the apk with your Self-Signed Certificate
Extracted certificate:
Generate using open ssl your *.ks file
Using this guide: https://blogs.oracle.com/blogbypuneeth/steps-to-create-a-self-signed-certificate-using-openssl
Use apksigner to sign and verify the apk file
apksigner sign --ks keystore.jks app-name.apk
Certificate Pinning Way (Android 6 <)
If the application we’re trying to MITM targets Android 6.0 or lower, we can simply add our CA to the user-added CA store. When the application validates the trust chain for our custom certificate, it will find our custom CA in the trust store and our certificate will be trusted. If the application targets Android versions later than 6.0, however, it won’t trust the user-added CA store. To get around this, we can edit the application’s manifest and force it to target Android 6.0. The targeted API level is specified in the ‘platformBuildVersionCode’ attribute of the ‘manifest’ element in the AndroidManifest.xml file.
- module search <module name>
- module install <module name>
Editing APK packages:
- Download Linux wrapper script (Right click, Save Link As apktool)
- Download apktool-2 (find newest here)
- Rename downloaded jar to apktool.jar
- Move both files (apktool.jar & apktool) to /usr/local/bin (root needed)
- Make sure both files are executable (chmod +x)
Decode apk:
- apktool d target.apk
Note: Backup AndroidManifesto.xml
Search for content:
- Search for URL(s): grep -r "http://"
- Search for URL(s): grep -r "https://"
- Search for URL(s): grep http ./st3.txt | sed 's/http/\nhttp/g' | grep ^http | sed 's/\(^http[^ <]*\)\(.*\)/\1/g' | grep IWANTthis | sort -u
- grep -oE '\b(https?|ftp|file)://[-A-Za-z0-9+&@#/%?=~_|!:,.;]*[-A-Za-z0-9+&@#/%=~_|]'
- Search for SSL Context: grep -r "SSL"
- Search for Pinning: grep -r "pinning"
- Search for Username: grep -r "username"
- Search for Passwords: grep -r "password"
- Search for Passwords: grep -r "tamper"
Load your APK to Bytecode app: http://www.java2s.com/Code/Jar/b/Downloadbytecode181jar.htm , then go Plugins Show all strings and search for usernames and passwords.
Edit/Encode apk:
Edit/Encode apk:
- apktool b target.apk -o out.apk // No troubleshooting
- apktool -p empty_dir b target.apk -o out.apk
- zipalign apktool -p empty --use-aapt2 b out patchd.apk //When you get W: invalid resource directory name:
Searching for certificate pinning
grep -r "pinning" apk_decoded folder
Signing the apk with your Self-Signed Certificate
- Open and remove the folder META-INF
- Change the extension to .apk
- Use the jarsigner and zipalign with your new keystore.
- Rename traget.apk to target.zip
- Do grep -r CERT.RSA
- Run openssl pkcs7 -in CERT.RSA -inform DER -print_certs -out cert.pem
Extracted certificate:
Generate using open ssl your *.ks file
Using this guide: https://blogs.oracle.com/blogbypuneeth/steps-to-create-a-self-signed-certificate-using-openssl
Use apksigner to sign and verify the apk file
apksigner sign --ks keystore.jks app-name.apk
Certificate Pinning Way (Android 6 <)
If the application we’re trying to MITM targets Android 6.0 or lower, we can simply add our CA to the user-added CA store. When the application validates the trust chain for our custom certificate, it will find our custom CA in the trust store and our certificate will be trusted. If the application targets Android versions later than 6.0, however, it won’t trust the user-added CA store. To get around this, we can edit the application’s manifest and force it to target Android 6.0. The targeted API level is specified in the ‘platformBuildVersionCode’ attribute of the ‘manifest’ element in the AndroidManifest.xml file.
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.test.app" platformBuildVersionCode="25" platformBuildVersionName="7.1.1">
The above manifest element targets ‘platformBuildVersionCode=25’, we need to change that to 23.<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.test.app" platformBuildVersionCode="23" platformBuildVersionName="6.0">
When the application is repackaged with this updated manifest, it will trust the user-added CA store.
Certificate Pinning Way (Android 7 > )
With the release of Android Nougat (Android 7) came a new security feature called Network Security Configuration.
This new feature arrived with the intention of allowing developers to customise their network security settings without modifying app code. Additional modification was also included in the default configuration for connections to SSL/TLS services; if the application targets an SDK higher or equal to 24, only the system certificates are trusted.
All of the above has an impact in the way an Android mobile application assessment is performed. If the HTTPS traffic needs to be intercepted, then a proxy certificate must be installed, but it is going to be installed in the ‘user certificates’ container, which is not trusted by default.
To modify the default configuration, an XML file that specifies the custom configuration has to be created on the resources directory. The piece of code below shows an example of a configuration file that uses the user certificates container for all HTTPS connections made by the application.
Additionally, the file has to be referenced from the Android Manifest file, which introduces the key android:networkSecurityConfig on the application tag, as shown here:
https://omespino.com/tutorial-universal-android-ssl-pinning-in-10-minutes-with-frida/
https://github.com/iSECPartners/Android-SSL-TrustKiller/releases/
https://cooltrickshome.blogspot.com/2018/11/ssl-pinning-bypass-on-android-emulator.html?spref=tw
http://www.security-assessment.com/files/documents/whitepapers/Bypassing%20SSL%20Pinning%20on%20Android%20via%20Reverse%20Engineering.pdf
https://blog.netspi.com/four-ways-bypass-android-ssl-verification-certificate-pinning/
References
With the release of Android Nougat (Android 7) came a new security feature called Network Security Configuration.
This new feature arrived with the intention of allowing developers to customise their network security settings without modifying app code. Additional modification was also included in the default configuration for connections to SSL/TLS services; if the application targets an SDK higher or equal to 24, only the system certificates are trusted.
All of the above has an impact in the way an Android mobile application assessment is performed. If the HTTPS traffic needs to be intercepted, then a proxy certificate must be installed, but it is going to be installed in the ‘user certificates’ container, which is not trusted by default.
To modify the default configuration, an XML file that specifies the custom configuration has to be created on the resources directory. The piece of code below shows an example of a configuration file that uses the user certificates container for all HTTPS connections made by the application.
<?xml version="1.0" encoding="utf-8"?> <network-security-config> <base-config> <trust-anchors> <certificates src="system"/> <certificates src="user"/> </trust-anchors> </base-config>
</network-security-config>
Additionally, the file has to be referenced from the Android Manifest file, which introduces the key android:networkSecurityConfig on the application tag, as shown here:
<?xml version="1.0" encoding="utf-8"?> <manifest ... > <application android:networkSecurityConfig="@xml/network_security_config" ... > ... </application> </manifest>Certificate Pinning Other Resources
https://omespino.com/tutorial-universal-android-ssl-pinning-in-10-minutes-with-frida/
https://github.com/iSECPartners/Android-SSL-TrustKiller/releases/
https://cooltrickshome.blogspot.com/2018/11/ssl-pinning-bypass-on-android-emulator.html?spref=tw
http://www.security-assessment.com/files/documents/whitepapers/Bypassing%20SSL%20Pinning%20on%20Android%20via%20Reverse%20Engineering.pdf
https://blog.netspi.com/four-ways-bypass-android-ssl-verification-certificate-pinning/
References
- https://serializethoughts.com/2016/09/10/905/
- https://warroom.securestate.com/android-7-intercepting-app-traffic/
- https://www.nowsecure.com/blog/2017/06/15/certificate-pinning-for-android-and-ios-mobile-man-in-the-middle-attack-prevention/
- https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/november/bypassing-androids-network-security-configuration/
- https://sensepost.com/blog/2018/tip-toeing-past-android-7s-network-security-configuration/
- https://medium.com/@ved_wayal/hail-frida-the-universal-ssl-pinning-bypass-for-android-e9e1d733d29