BOOK THIS SPACE FOR AD
ARTICLE ADIntroduction
Hello Hackers..!!
Welcome to this comprehensive guide on Android pentesting, where we embark on a journey to uncover the intricacies of static analysis. In this blog, we’ll explore the fundamental concepts of Android pentesting, focusing specifically on static analysis techniques.
Throughout this blog, we’ll equip you with the tools and knowledge needed to conduct static analysis effectively in a Windows environment.
Let’s dive in!
What is Android Pentesting?
Android pentesting involves assessing the security of Android applications and devices to identify potential vulnerabilities and weaknesses that could be exploited by attackers. It encompasses various techniques and methodologies, including static analysis and dynamic analysis, to uncover security flaws and mitigate risks.
Types of Analysis in Android Pentesting:
Static analysisDynamic analysis.While dynamic analysis involves examining the behavior of an application in real-time, static analysis focuses on analyzing the application’s code and structure without executing it.
Tools Required for Static Analysis (Windows Environment):
Nox Player: Nox Player is a versatile Android emulator that allows you to test Android applications in a controlled environment. Download Nox Player from official website.JADX GUI: JADX GUI simplifies the process of decompiling APK files and analyzing their Java code. You can download JADX GUI from its GitHub repository or from sourceforge.Platform Tools (ADB): The Android Debug Bridge (ADB) is a command-line tool that facilitates various interactions with Android devices or emulators. You can download the Android SDK, which includes ADB, from the official Android Developers website.MobSF (Mobile Security Framework): MobSF is an open-source tool for automated static analysis of Android applications. It provides comprehensive insights into an application’s security posture. You can download MobSF from its GitHub repository. Install this in your kali linux vm or you can use the mobsflive.CheatDroid: CheatDroid is a powerful tool for inspecting and modifying shared preferences and SQLite databases of Android apps. You can download CheatDroid from here. Download and install it in your nox player.NOTE: Set up the emulator as root in nox.
Ok, now I will talk about my approach..
Install the application from the playstore in nox player and export the apk.Upload the apk file in mobsf and let it analyze the apk. When you get the report you can look for the following:- Hardcoded secrets(There can be juicy data encrypted using weak algorithms)
- Manifest Analysis(allowbackup, cleartexttraffic, deeplinks…)
- Application permissions(Unwanted permissions for the application)Open the apk in jadx :
- Analyse AndroidManifest.xml in resources folder.
- Analyse strings.xml in resources/resources.arsc/res/values folderstrings.xml
You can find api keys, firebase urls, credentials..in strings.xml
4. Open the command prompt in adb platform tools folder.
- Connect your android emulator to adb using the below command:
suNow navigate to /data/data/{your application folder} related to the application you are testing.
The folder will be something like in the format com.abc.def
5. In cheatdroid you can find the same information as in jadx and adb like xml files and database files.
Common Vulnerabilites that you can find in static analysis
Sensitive Information in local storageSensitive Information in adb logcatSensitive information as hardcoded valuesInsecure Android permissionsFirebase DB exploitDeep Link vulnerabilityCode ObfuscationReferences
Here’s a concise checklist I’ve put together; while it’s compact, it could prove quite handy
https://www.notion.so/Mobile-Pentesting-df4bb0f7793a4fd5a7cf092e5ddcada1
Have a look at this htb blog : https://www.hackthebox.com/blog/intro-to-mobile-pentesting
Clap for me if you feel its useful
Happy Hacking :)