Introduction to Android Pentesting

Android Pentesting refers to the process of testing the security of Android applications and devices in order to identify potential vulnerabilities that could be exploited by attackers.

It involves assessing the security posture of Android applications and systems by simulating attacks and attempting to exploit weaknesses in their design, implementation or configuration.

android pentesting new

In this guide we will download the tools used to start Android Pentesting and solve two HTB Mobile Challenges.

The tools we will use will be the following:

The HTB challenges will be:

  • Pinned – We will perform an SSL Pinning Bypass.
  • Manager  Hack app using Burp Suite.

Let's start by installing the tools we'll be using. To use these tools, we need to have Java and Python installed on the host computer.

First let's install Android Studio. This will allow us to create emulators for testing instead of using a physical device.

htb

Once you've downloaded Android Studio, you can install it. Android Studio can be installed on Windows, MacOS and Linux.

Next we will install Burp Suite.

https://portswigger.net/burp/communitydownload

Finally, we will install the Android Debugging Bridge (ADB).

https://developer.android.com/tools/adb

The first program we will use is Android Studio. This will allow us to create emulators for Android devices.

When we start Android Studio for the first time we need to create a project.

htb1

I will name the project Android Pentesting.

htb2

Create a device for testing.

Click on the phone with the Android icon in the upper right corner.

htb3

Click on “Add new device…”

htb4

Then select Create Virtual Device.

htb5

Feel free to experiment with this section. You can set up multiple devices with access to the Play Store and specify the API. For the purposes of this guide I will be using a Google Pixel 6 device that does not have access to the Play Store.

*Note that a device with access to the Google Play Store cannot be rooted. Devices without the Play Store icon are rooted devices.

htb6

The next step is to select the API version. I will use version 28. You can experiment with the different versions of the API.

htb7

The last step for this will be naming our device. I chose Pentesting Device. You can name it as you prefer.

Now we can click the Play button on the right side and our emulator should appear. It may take a few minutes on first startup.

htb8

Now we have a device to do Android testing. It is perfectly possible to test on a physical device. This is a cost-effective approach without the fear of bricking a phone.

Next we can set up Burp Suite. You can use either Community or Pro.

htb9

The first step to getting Burp to work with the emulator (or physical device, if that's what you're using) is to set up the proxy listener.

Click the Proxy menu, and then click Proxy Settings.

htb10

Then click on 127.0.0.1:8080 and click Edit.

Change the Bind to address to All interfaces.

htb11

Going back to our phone, we want to open Settings on our Pixel device.

htb12

From Settings we want to open Network & Internet

htb13

Next we want to select Wi-Fi.

htb14

Now click on Android Wi-Fi.

htb15

Now click on the pencil icon on the top right.

htb16

Click Advance Options and then Proxy.

htb17

Here we can set up our proxy. We should use our host's IP address. Mine is 192.168.0.224. You should gather your internal IP address from ipconfig/ifconfig/ip addr.

The port will be 8080. This is the default Burp port.

htb18

Now click the Save button.

Back in Burp we see the traffic going through, but we have a problem with TLS. In the next step we will set up a certificate from Burp on the Android device. This way TLS traffic will work through the proxy and Burp.

htb19

Returning to the Proxy Listeners section we can click on the “Import / export CA certificate” option. Click on it and then click on “Export certificate to DER format”.

htb20

Save the certificate on your host machine. I named mine burp.der.

htb21

The next step will be to use Android Bridge to transfer the certificate to our device.

Using the command

adb push burp.der /sdcard/burp.crt

it will send the certificate to our device's sdcard.

htb22

We can now install the certificate on our device. Open Settings on the device and look for “Install Cert” option. Click Install certificates from SD card.

htb23

Then select “Install Certificate”.

Android device will give you this warning. Click the Install anyway button at the bottom left.

htb25

You should save the burp.crt certificate.

htb26

Click on the file burp.crt and name the certificate burp.

htb27

You may be asked to set a PIN. I kept it very simple with 1111.

htb29

You can verify if the certificate was installed by searching for Trusted and clicking Trusted credentials.

htb30

Click on Trusted credentials.

htb31

Now clicking on USER will bring up the PortSwigger Cert.

htb32

This happens when I restart the device. When I restart the emulator and make sure the proxy is running on port 8080, I can verify that HTTPS traffic is now being routed through Burp Suite. This means we can now parse and test HTTPS and HTTP with Burp just like a web page.

htb33

If you have problems, retrace your steps and try restarting the emulator and Burp if necessary.

The last tool we will need to complete this guide is Frida.

Frida can be found here.

Frida can be installed with pip (python package manager)

pip install frida-tools

Now that we have our lab setup ready, we can move on to solving some HTB challenges to meet Android Pentesting.

htb34

We will deal with it Pinned and Manager.

First we will download Pinned and Manager from HTB Challenges. Once downloaded, you can extract the files to your workspace. I used my desktop for quick access.

htb35

The password is hackthebox to get the files.

htb36

Now we have access to the pinned.apk file.

htb37

You can drag and drop the pinned.apk onto the emulator device.

htb38

You should now see Pinned in your apps.

htb39

Opening the app should display this login form. We are now ready to test this Android app.

htb40

The goal of this lab is to perform an SSL Pinning Bypass.

SSL pinning refers to a security technique used to prevent man-in-the-middle (MitM) attacks when establishing secure connections over HTTPS (SSL/TLS) between a mobile application and a server. This prevents us from seeing the HTTP requests/responses in Burp.

We will use Frida to bypass SSL Pinning for this application and allow us to see the HTTP requests and responses in the Burp suite.

The last tool we will need to download is the Frida server. This is what we will install on the Android device/emulator for our Frida client to communicate with.

You can download it here.

We can install the frida server by starting with the following commands:

unxz frida-server-[version]-android-x86.xz (unzip file) adb push frida-server-16.1.4-android-x86 /data/local/tmp/frida-server (move frida server to /data/local /tmp/) adb shell “chmod 755 /data/local/tmp/frida-server” (change permissions) adb shell (connect to device in shell) /data/local/tmp/frida-server & (start frida server)

With Frida Server started on our emulator/device, we can run a frida command to detect the running processes.

frida-ps -Uai

We should see our Pinned apk running. This means we can interact with this application.

htb41

Now we need to use a Frida script to perform the SSL Pinning bypass.

We will take advantage of this script.

htb42

We have to make one final preparation. Reading the script reveals that we need a certificate to run it. Running without the certificate will cause the Frida script to fail and result in this error:

htb43

We can use the same cert we extracted from Burp Suite, which we also saved in the emulator to /sdcard. Implementation:

adb shell “cp /sdcard/burp.crt /data/local/tmp/cert-der.crt” adb shell “chmod 755 /data/local/tmp/cert-der.crt” (change permissions)

This will take the burp certificate we placed there earlier and copy the certificate to the one the script is looking for.

Now to run the Frida SSL Pinning Bypass script. To use the script we can execute:

frida -U –codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f com.example.pinned

Our Frida script should fire up and open Pinned in our emulator.

htb44

Clicking Login should now send a request through Burp. This means that for this application we have bypassed SSL Pinning and can parse HTTP requests.

htb45

Here in Burp we can see the POST request and the flag.

htb46

The last workshop will be for the Manager. The purpose of the lab is to analyze HTTP requests and find a problem in the application logic through Broken Access Control.

In Hack the Box we can download Manager.zip and unzip it with hackthebox code. Note that this challenge needs a server back end to communicate. Make sure you enable the case and get the public IP address and port.

thb47

With the Manager.apk file we can drag it to the Android emulator to install it.

htb48

We can now see the Manager in the emulator.

htb49

Opening the application shows entries for the IP address and port from the HTB.

htb50

Entering the IP address and port from HTB and clicking connect will bring up a login form.

htb51

Attempting to log in as test:test displays the message “User Not Found”.

Back in Burp we can see the POST request.

htb52

Let's try to register a user for the application. I will use test:test.

htb53

With the test user created, we can test these requests to see if we find any issues.

htb54

Let's analyze the request in the Repeater.

htb55

We can successfully update our password. What if we could inform another user?

htb56

We can successfully update the admin password due to breach of access control supervision.

htb57

Now we can log in as admin with the password test and retrieve the flag.

htb58

 

That concludes this introductory guide to Android Pentesting.

 

 

 

iGuRu.gr The Best Technology Site in Greeceggns

Get the best viral stories straight into your inbox!















Written by Anastasis Vasileiadis

Translations are like women. When they are beautiful they are not faithful and when they are faithful they are not beautiful.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).