A Comprehensive Guide to Android App Pentesting for Bug Bounty Hunter

Hi, My name is Pankaj Kr Yadav a Security Researcher,Ethical Hacker and a Bug bounty hunter. This is going to be my first writeup on this medium account , where I am going to give you an overview and an idea of bug hunting on Android apps instead of web applications, if you are a beginner on Android app pentesting just read the writeup till end you will learn something new.

Pentesting (penetration testing) an Android app is a methodical approach designed to uncover and exploit potential vulnerabilities. This guide provides a comprehensive methodology to help bug bounty hunters identify and report security issues within Android applications.

Tools Installation: Start by installing the necessary tools:

Android SDK: For accessing essential Android development tools.

ADB (Android Debug Bridge): For device management and interaction.

APKTool: For disassembling and reassembling APK files.

JADX: For decompiling APK files into readable Java code.

Frida: For dynamic instrumentation.

Burp Suite: For intercepting and analyzing network traffic.

MobSF (Mobile Security Framework): For automated security analysis.

Genymotion: For creating and managing Android emulators.

Device Setup: Use either a rooted Android device or an emulator. Enable developer options and USB debugging to facilitate the testing process.

Collect basic information about the app from the Google Play Store, the developer’s website, or directly from the APK file. This includes the app version, developer details, permissions requested, and user reviews that might hint at potential vulnerabilities.If the APK is not available, you can download it using online APK downloader sites or extract it from a device using ADB with the command:

adb pull /data/app/<package-name>

Decompile the APK: Use tools like JADX or APKTool to decompile the APK. JADX provides a readable Java code output, while APKTool disassembles it into Smali code for more granular analysis.

Code Review: Manually review the decompiled code for hardcoded sensitive information such as API keys and credentials. Look for insecure coding practices and potential vulnerabilities like SQL injection or improper input validation.Examine the AndroidManifest.xml file for misconfigurations, exposed components (activities, services, content providers, broadcast receivers), and insecure permissions.

Install the app on your device or emulator. Explore its functionalities to understand how it works.Set up Burp Suite or another proxy tool to intercept and analyze network traffic. Install the Burp CA certificate on the device to capture HTTPS traffic. And use tools like Frida or Xposed Framework to hook into the app at runtime and manipulate its behavior.Logging and Debugging: Monitor the app’s logs using Logcat with the command:

adb logcat

Intercept and Analyze Traffic: Capture and analyze all network requests and responses. Look for unencrypted data, sensitive information, and potential vulnerabilities in API endpoints.Test if the app uses certificate pinning. Try to bypass it using tools like Objection or Frida.

Examine the app’s file system located at /data/data/<package-name> for insecurely stored sensitive data. Check databases, shared preferences, and cache files. look for SQLite databases that might contain sensitive information. Use tools like sqlitebrowser to analyze their contents. Also Analyze shared preferences files for plaintext storage of sensitive information.

Use tools like Hopper, IDA Pro, or Radare2 to analyze the app’s native binaries. Look for vulnerabilities such as buffer overflows or insecure native code. Modify the app (e.g., by injecting malicious code) and repackage it using APKTool. Test if the app detects tampering.

Analyze intents for insecure data transmission between app components or other apps. Use tools like Drozer to test for insecure intent handling. Test content providers for SQL injection and unauthorized data access.

Analyze how the app handles user authentication. Test for vulnerabilities like weak password policies, lack of two-factor authentication, and session fixation. Check how session tokens are stored and managed. Ensure tokens are not stored insecurely and that they expire appropriately.

Verify if ProGuard is used for code obfuscation. Lack of obfuscation can make reverse engineering easier. Review the network security configuration file (network_security_config.xml) for potential misconfigurations.

Test the app’s business logic for flaws that could be exploited, such as bypassing payment gateways or modifying transactions. Look for ways to abuse legitimate functionalities to perform unintended action

Aggregate all findings, classify them based on severity, and prioritize them for remediation. Then Write a detailed report explaining each vulnerability, the steps to reproduce, the potential impact, and recommended fixes. Include screenshots, logs, and any other supporting evidence.

By following this comprehensive methodology, you can systematically identify and exploit vulnerabilities in Android applications during bug bounty hunting. This approach ensures thorough coverage and helps you uncover a wide range of security issues that could compromise the integrity and security of the application.

I hope you enjoyed this writeup, consider following me and smash the clap button, more writeup on bugbounty hunting writeups to come…on future. Keep Hacking and learning everyday always remember consistency is the key in BugBounty Hunting.