Android Pentesting refers to the process of testing the security of Android applications and devices in order to identify potential vulnerabilities that could be exploited by attackers.
It involves assessing the security posture of Android applications and systems by simulating attacks and attempting to exploit weaknesses in their design, implementation or configuration.
In this guide we will download the tools used to start Android Pentesting and solve two HTB Mobile Challenges.
The tools we will use will be the following:
- https://developer.android.com/studio – Android Studio (Free resource for building Android emulators)
- https://developer.android.com/tools/adb – Android Debug Bridge (Android Bridge for transferring files and executing commands from the host machine to the emulator)
- https://portswigger.net/burp – Burp Suite (HTTP/S Proxy Program)
- https://frida.re/ – Dynamic instrumentation toolkit.
The HTB challenges will be:
Let's start by installing the tools we'll be using. To use these tools, we need to have Java and Python installed on the host computer.
First let's install Android Studio. This will allow us to create emulators for testing instead of using a physical device.
Once you've downloaded Android Studio, you can install it. Android Studio can be installed on Windows, MacOS and Linux.
Next we will install Burp Suite.
https://portswigger.net/burp/communitydownload
Finally, we will install the Android Debugging Bridge (ADB).
https://developer.android.com/tools/adb
The first program we will use is Android Studio. This will allow us to create emulators for Android devices.
When we start Android Studio for the first time we need to create a project.
I will name the project Android Pentesting.
Create a device for testing.
Click on the phone with the Android icon in the upper right corner.
Click on “Add new device…”
Then select Create Virtual Device.
Feel free to experiment with this section. You can set up multiple devices with access to the Play Store and specify the API. For the purposes of this guide I will be using a Google Pixel 6 device that does not have access to the Play Store.
*Note that a device with access to the Google Play Store cannot be rooted. Devices without the Play Store icon are rooted devices.
The next step is to select the API version. I will use version 28. You can experiment with the different versions of the API.
The last step for this will be naming our device. I chose Pentesting Device. You can name it as you prefer.
Now we can click the Play button on the right side and our emulator should appear. It may take a few minutes on first startup.
Now we have a device to do Android testing. It is perfectly possible to test on a physical device. This is a cost-effective approach without the fear of bricking a phone.
Next we can set up Burp Suite. You can use either Community or Pro.
The first step to getting Burp to work with the emulator (or physical device, if that's what you're using) is to set up the proxy listener.
Click the Proxy menu, and then click Proxy Settings.
Then click on 127.0.0.1:8080 and click Edit.
Change the Bind to address to All interfaces.
Going back to our phone, we want to open Settings on our Pixel device.
From Settings we want to open Network & Internet
Next we want to select Wi-Fi.
Now click on Android Wi-Fi.
Now click on the pencil icon on the top right.
Click Advance Options and then Proxy.
Here we can set up our proxy. We should use our host's IP address. Mine is 192.168.0.224. You should gather your internal IP address from ipconfig/ifconfig/ip addr.
The port will be 8080. This is the default Burp port.
Now click the Save button.
Back in Burp we see the traffic going through, but we have a problem with TLS. In the next step we will set up a certificate from Burp on the Android device. This way TLS traffic will work through the proxy and Burp.
Returning to the Proxy Listeners section we can click on the “Import / export CA certificate” option. Click on it and then click on “Export certificate to DER format”.
Save the certificate on your host machine. I named mine burp.der.
The next step will be to use Android Bridge to transfer the certificate to our device.
Using the command
adb push burp.der /sdcard/burp.crt
it will send the certificate to our device's sdcard.
We can now install the certificate on our device. Open Settings on the device and look for “Install Cert” option. Click Install certificates from SD card.
Then select “Install Certificate”.
Android device will give you this warning. Click the Install anyway button at the bottom left.
You should save the burp.crt certificate.
Click on the file burp.crt and name the certificate burp.
You may be asked to set a PIN. I kept it very simple with 1111.
You can verify if the certificate was installed by searching for Trusted and clicking Trusted credentials.
Click on Trusted credentials.
Now clicking on USER will bring up the PortSwigger Cert.
This happens when I restart the device. When I restart the emulator and make sure the proxy is running on port 8080, I can verify that HTTPS traffic is now being routed through Burp Suite. This means we can now parse and test HTTPS and HTTP with Burp just like a web page.
If you have problems, retrace your steps and try restarting the emulator and Burp if necessary.
The last tool we will need to complete this guide is Frida.
Frida can be found here.
Frida can be installed with pip (python package manager)
pip install frida-tools
Now that we have our lab setup ready, we can move on to solving some HTB challenges to meet Android Pentesting.
We will deal with it Pinned and Manager.
First we will download Pinned and Manager from HTB Challenges. Once downloaded, you can extract the files to your workspace. I used my desktop for quick access.
The password is hackthebox to get the files.
Now we have access to the pinned.apk file.
You can drag and drop the pinned.apk onto the emulator device.
You should now see Pinned in your apps.
Opening the app should display this login form. We are now ready to test this Android app.
The goal of this lab is to perform an SSL Pinning Bypass.
SSL pinning refers to a security technique used to prevent man-in-the-middle (MitM) attacks when establishing secure connections over HTTPS (SSL/TLS) between a mobile application and a server. This prevents us from seeing the HTTP requests/responses in Burp.
We will use Frida to bypass SSL Pinning for this application and allow us to see the HTTP requests and responses in the Burp suite.
The last tool we will need to download is the Frida server. This is what we will install on the Android device/emulator for our Frida client to communicate with.
You can download it here.
We can install the frida server by starting with the following commands:
unxz frida-server-[version]-android-x86.xz (unzip file) adb push frida-server-16.1.4-android-x86 /data/local/tmp/frida-server (move frida server to /data/local /tmp/) adb shell “chmod 755 /data/local/tmp/frida-server” (change permissions) adb shell (connect to device in shell) /data/local/tmp/frida-server & (start frida server)
With Frida Server started on our emulator/device, we can run a frida command to detect the running processes.
frida-ps -Uai
We should see our Pinned apk running. This means we can interact with this application.
Now we need to use a Frida script to perform the SSL Pinning bypass.
We will take advantage of this script.
We have to make one final preparation. Reading the script reveals that we need a certificate to run it. Running without the certificate will cause the Frida script to fail and result in this error:
We can use the same cert we extracted from Burp Suite, which we also saved in the emulator to /sdcard. Implementation:
adb shell “cp /sdcard/burp.crt /data/local/tmp/cert-der.crt” adb shell “chmod 755 /data/local/tmp/cert-der.crt” (change permissions)
This will take the burp certificate we placed there earlier and copy the certificate to the one the script is looking for.
Now to run the Frida SSL Pinning Bypass script. To use the script we can execute:
frida -U –codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f com.example.pinned
Our Frida script should fire up and open Pinned in our emulator.
Clicking Login should now send a request through Burp. This means that for this application we have bypassed SSL Pinning and can parse HTTP requests.
Here in Burp we can see the POST request and the flag.
The last workshop will be for the Manager. The purpose of the lab is to analyze HTTP requests and find a problem in the application logic through Broken Access Control.
In Hack the Box we can download Manager.zip and unzip it with hackthebox code. Note that this challenge needs a server back end to communicate. Make sure you enable the case and get the public IP address and port.
With the Manager.apk file we can drag it to the Android emulator to install it.
We can now see the Manager in the emulator.
Opening the application shows entries for the IP address and port from the HTB.
Entering the IP address and port from HTB and clicking connect will bring up a login form.
Attempting to log in as test:test displays the message “User Not Found”.
Back in Burp we can see the POST request.
Let's try to register a user for the application. I will use test:test.
With the test user created, we can test these requests to see if we find any issues.
Let's analyze the request in the Repeater.
We can successfully update our password. What if we could inform another user?
We can successfully update the admin password due to breach of access control supervision.
Now we can log in as admin with the password test and retrieve the flag.
That concludes this introductory guide to Android Pentesting.