System Requirements :
- Platform - Windows based system
- RAM - 4GB
- Storage - 30 GB free disk space
- Processor - Dual-core processor running at 2 GHz or higher
Mobile Device Requirements
- Platform - Android operating system required for the application to
run
- RAM - 512 or higher
- Status - Unlocked Android device (Rooting process)
Tools Used
Here, the the security testing is conducted
using open source tools.
Name
|
Version
|
Free/Paid
|
Burp Suite
|
1.6
|
Free version
|
Android Debug Bridge
|
1.0.32
|
Free
|
Sqlite3
|
3.8.6
|
Free
|
JD-Gui
|
1.0.0
|
Free
|
Wireshark
|
1.12.3
|
Free
|
AppUse
|
2.2
|
Free version
|
Drozer
|
2.3.3
|
Free
|
Eclipse
| Juno | Free |
Burp suite
Burp suite combines the tools required
for security testing of applications connecting to a web server. This testing
procedure uses Burp suite as a proxy and a repeater for analyzing the
interaction of Android mobile application with a web server or access point. It
can intercept and modify the traffic between mobile application and web server
and manipulate and resend individual requests.
Prerequisites :
Following are the prerequisites for
installing and running Burp suite:
The free version can be downloaded
from
http://portswigger.net/burp/download.html
. The suite is distributed as a standalone Java executable file. With Java
installed, we can directly invoke the tool by double clicking the JAR file.
For testing mobile applications
running on Android devices, we need to install Burp’s Certificate Authority
(CA) SSL certificate in our device trust store.Configure Burp’s proxy listener
to generate CA-signed per host certificate. Export the certificate
from Burp to the system. Transfer it to a SD card and install it on mobile
device using ‘Install from External SD card’ option in mobile device settings.
Proxy
- Ensure
that Burp is running
- Go
to Proxy Intercept tab and turn on ‘Interception’
- Launch
the mobile application and we can see the request to the server appearing in
Proxy Intercept tab.
- Analyse
the various options and headers
- Click
on Forward to send the request to server
- The
requests can be manipulated after applying Refresh
- The
HTTP History tab can be used to view all the HTTP messages passed through proxy
- The testing should include checking
session tokens, cokkie, nonce values, changing various parameter values for
unexpected results, randomness of cookies etc.
Repeater
The Repeater is used for analyzing the
application’s responses to manipulated and reissued individual HTTP requests.
- Open
the request you want to repeat in Proxy History tab
- Click
on Send to Repeater option
- Move
to Repeater tab and edit the request there
- Once
finished, click on Go and see the response on right side window
- The Burp suite is
used for hands-on testing of applications. The results of manipulated and
reissued requests can be analysed in the response window associated with each
tool.
Android debug bridge (adb)
Prerequisites :
Following are the prerequisites for installing and running
Android Debug Bridge (adb):
- Java Development Kit 7
- Android SDK tools
Download Android Studio from
https://developer.android.com/sdk/index.html
which includes the Android SDK tools and IDE.
- Install the complete Android Studio following an
easy installation procedure.
- You may install only the SDK tools if the tests
are limited
- Add adb to the system path for easy access from
command prompt
Running adb
Launch adb from command prompt. Open ‘cmd.exe’ on Windows machine to
launch a command prompt. Type the following command to launch adb console.
C:\Users\Tester> adb
1. Check version
C:\Users\Tester> adb version
2. To list the mobile devices connected to the
system
C:\Users\Tester> adb devices
3. To get access to the device shell
C:\Users\Tester> adb shell
Now you will see the android shell
To get root access, do
shell@android:/$
su
The shell will again change to
root@android:/#
4. After
getting root access, you can ‘cd’ to the application’s directory to view the
stored data
root@android:/#cd /data/data/app.package.name
5. List
the contents of file
root@device:/data/data/app.package.name# ls
6. After
locating a database, you can pull it with
C:\Users\Tester> adb pull
/data/data/app.package.name/databases/appdata.db
The contents of
pulled database can be viewed with another SDK tool described in the next
section of this report.
Sqlite3
Sqlite3 can be used for managing the
SQLite databases created by Android applications. The sqlite3 results should be properly analysed to learn how the application is storing data. Developers may assume that the attackers will not get physical access to the mobile device. But it is possible and it is easy to extract user data from an application using freely available tools. If the application is not encrypting the data before storing, attacker can simply reverse engineer the application and extract data. Security testers can use sqlite3 to view the contents of database and determine whether is stored in a secure format or not.
Prerequisites :
- Java
Development Kit 7
- Android
SDK tools
- Download Android Studio from https://developer.android.com/sdk/index.html
which includes the Android SDK tools and IDE. Install
the complete Android Studio following an easy installation procedure. You
may install only the SDK tools if the tests are limited
Running sqlite3
1.
Open a command prompt and ‘cd’ to the location
of SQLite database
2.
To access the database
C:\Users\Tester>sqlite3
appdata.db
You will get a prompt like this
sqlite>
3.
To view all the tables in the database
sqlite>select
name from sqlite_master where type=’table’;
4.
To view all the data in a table
sqlite>select
* from chosen_table_name;
JD-Gui
JD-Gui is a free Java decompiler tool
that can decompile a Java class file and produce the actual source code.
Prerequisites :
- Java
Development Kit 1.1.8 and higher
JD-Gui can be downloaded from
http://jd.benow.ca/ . It is a stand-alone Java
application.
Running
Invoke
it from command line by typing
Java –jar jdgui.jar
Some platforms will allow simply double clicking and invoking it.
1.
Launch JD-Gui application
2.
Browse a Java class file
3.
See actual souce code in the tool window
By viewing the actual souce code, we
can go through each and every methods implemented in the application and
analyse it’s functionality. This tool is mainly useful for security code reviewing.
Check to verify the encryption techniques implemented. Also verify how the
application is handling input data and passing it to the web server.
Appuse framework
AppUse is a virtual machine equipped
with the tools required to perform security testing in Android applications. A
free version as well as an advanced commercial version is available. Download the free version of AppUse
from
https://appsec-labs.com/appuse/#av_section_5
. Confugure it in a virtual machine host.
Features
The AppUse Dashboard consists of all
the tools required for security testing. In summary it is a combination of
1. Android
Emulator for loading and testing applications
2. Reversing
tools for extracting the code and manipulating parameters
3. Android
run time manipulator and Proxy tools
An Android apk file can be loaded to
the emulator from the system or download directly from App Store. Reversing
tools can be used for manual security code review. Burp tool can be used as a
proxy for analyzing the network traffic.
Drozer
Drozer is another audit and attack
framework for Android. Drozer can discover and interact with the attack surface
exposed by Android applications.
1.
PC running Windows
2.
Android device or emulator
3.
Java Development Kit 7
4.
Android SDK tools
Download the Drozer framework from
https://www.mwrinfosecurity.com/products/drozer/
and also the agent apk file to be installed in the mobile device.The drozer
installer will build a complete Python environment. Install the agent apk file
in Android device.
Running Drozer
1.
Launch drozer
C:\drozer>drozer.bat
2.
Conect the mobile device to the system using a
USB cable
3.
Establish a connection with agent app installed
C:\drozer>adb
forward tcp:31415 tcp:31415
31415 is the default port used by
drozer
4.
Launch agent app and enable server
5.
From PC, connect using drozer console
C:\drozer>drozer.bat
console connect
6.
You will get drozer console
dz>
Testing and Analysing Results
1.
Finding the application package name
dz>run
app.package.list app_name
You will get package name like this
com.app_packagedir.package
2.
Getting basic info about application
dz>run
app.package.info –a com.app_packagedir.package
It will give
information about the apk file path, directories, permissions,version,shared
libraries etc
3. Identifying
all the attack surfaces
dz>run
app.package.attacksurface com.app_packagedir.package
It will provide
the number of exported activities, content providers, services, broadcast
receivers etc. Exports means making access to other applications.
4. To
list the exported activities
dz>run app.activity.info -a com.app_packagedir.package
You will a see a
list of activities accessible to other applications. An activity is a building
block of user interface. The Home Screen or Main activity will be in the list
as it is the launching activity. All other activities in the list should be
examined since they can be launched bypassing the authentication.
5. Finding
database-backed content providers
dz>run scanner.provider.finduris -a com.app_packagedir.package
It will give a
list of accessible content URIs
6. To
find content providers vulnerable to injection and directory traversal
dz>run scanner.provider.injection -a com.app_packagedir.package
dz>run scanner.provider.traversal -a com.app_packagedir.package
