Sunday 9 August 2015

Android Mobile Application Security Testing using Open Source Tools

System Requirements:

  • Platform - Windows based system
  • RAM - 4 GB
  • Storage - 30 GB free disk space
  • Processor - Dual-core processor running at 2 GHz or higher

Mobile Device Requirements

  • Platform - Android operating system required for the application to run
  • RAM - 512 MB or higher
  • Status - Unlocked (rooted) Android device

Tools Used

Here, the security testing is conducted using open source tools.

Name                    Version   Free/Paid
Burp Suite              1.6       Free version
Android Debug Bridge    1.0.32    Free
Sqlite3                 3.8.6     Free
JD-Gui                  1.0.0     Free
Wireshark               1.12.3    Free
AppUse                  2.2       Free version
Drozer                  2.3.3     Free
Eclipse                 Juno      Free

Burp suite

Burp suite combines the tools required for security testing of applications that connect to a web server. This testing procedure uses Burp suite as a proxy and a repeater for analysing the interaction of an Android mobile application with a web server or access point. It can intercept and modify the traffic between the mobile application and the web server, and manipulate and resend individual requests.

Prerequisites:

Following are the prerequisites for installing and running Burp suite:

  • Java 1.6 or later

The free version can be downloaded from http://portswigger.net/burp/download.html. The suite is distributed as a standalone Java executable file. With Java installed, we can directly invoke the tool by double clicking the JAR file.

For testing mobile applications running on Android devices, we need to install Burp’s Certificate Authority (CA) SSL certificate in the device trust store. Configure Burp’s proxy listener to generate a CA-signed per-host certificate, export the CA certificate from Burp to the system, transfer it to an SD card and install it on the mobile device using the ‘Install from external SD card’ option in the device settings.

Proxy

  1. Ensure that Burp is running.
  2. Go to the Proxy > Intercept tab and turn interception on.
  3. Launch the mobile application; the request to the server appears in the Proxy Intercept tab.
  4. Analyse the various options and headers.
  5. Click Forward to send the request to the server.
  6. The requests can be manipulated after applying Refresh.
  7. The HTTP History tab can be used to view all the HTTP messages passed through the proxy.
  8. The testing should include checking session tokens, cookies and nonce values, changing various parameter values and looking for unexpected results, checking the randomness of cookies, etc.

Repeater

The Repeater is used for analyzing the application’s responses to manipulated and reissued individual HTTP requests.

  1. Open the request you want to repeat in the Proxy History tab.
  2. Click on the Send to Repeater option.
  3. Move to the Repeater tab and edit the request there.
  4. Once finished, click on Go and see the response in the right-hand window.

Burp suite is used for hands-on testing of applications. The results of manipulated and reissued requests can be analysed in the response window associated with each tool.
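Step 8 of the Proxy procedure asks for session tokens and cookies to be checked for randomness, which is hard to judge by eye. The script below is an added example, not part of the original post: it runs a few quick checks over tokens a tester has copied out of Proxy > HTTP History after logging in several times (duplicates, character positions that never change, counter-like sequences, and per-character entropy). Both token lists are constructed for illustration, not captured from a real application.

```python
"""Quick randomness checks over session tokens or cookie values collected from
Burp's HTTP History. Added example, not from the original post; both token
lists below are constructed, not captured from a real application."""
import math
from collections import Counter

# Constructed: what a tester might copy out of HTTP History after six logins.
SAMPLE_TOKENS = [
    "a9f3c2e17b04d6e8",
    "0c7e1b9a4d2f8e63",
    "f41d0a8c3b7e9256",
    "7be20c9f1a4d3e85",
    "3d8a6f0e2c1b9477",
    "e15c4b7d9a0f2836",
]
# Constructed: a fixed prefix followed by a counter, the kind of token the
# checks below should flag.
WEAK_TOKENS = ["1a2b3c0001", "1a2b3c0002", "1a2b3c0003",
               "1a2b3c0004", "1a2b3c0005", "1a2b3c0006"]


def shannon_entropy_per_char(token):
    """Bits of entropy per character within one token (upper bound 4 for hex)."""
    counts = Counter(token)
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def fixed_positions(tokens):
    """Indices at which every token carries the same character: constant fields
    such as prefixes or version markers add nothing to unpredictability."""
    width = min(len(t) for t in tokens)
    return [i for i in range(width) if len({t[i] for t in tokens}) == 1]


def looks_sequential(tokens):
    """True when the tokens parse as hex integers spaced by one constant step,
    i.e. a counter rather than a random value."""
    try:
        values = sorted(int(t, 16) for t in tokens)
    except ValueError:
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(values) > 2 and len(steps) == 1 and steps.pop() != 0


def analyse_tokens(tokens):
    width = min(len(t) for t in tokens)
    fixed = fixed_positions(tokens)
    result = {
        "count": len(tokens),
        "width": width,
        "duplicates": len(tokens) - len(set(tokens)),
        "fixed_positions": fixed,
        "sequential": looks_sequential(tokens),
        "mean_entropy_per_char":
            sum(shannon_entropy_per_char(t) for t in tokens) / len(tokens),
    }
    # Heuristic verdict: any repeat, a counter, or half the width being constant
    # is enough to send the token generator back to the developers.
    result["weak"] = (result["duplicates"] > 0 or result["sequential"]
                      or 2 * len(fixed) >= width)
    return result


if __name__ == "__main__":
    for label, tokens in (("sample", SAMPLE_TOKENS), ("weak", WEAK_TOKENS)):
        print(label, analyse_tokens(tokens))
```

Six tokens are only enough to catch gross defects such as a counter or a constant prefix; for a statistical verdict, Burp's Sequencer tab collects thousands of tokens from the live application and runs the same kind of analysis at scale.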

Android debug bridge (adb)

Prerequisites:

Following are the prerequisites for installing and running Android Debug Bridge (adb):

  • Java Development Kit 7
  • Android SDK tools

Download Android Studio from https://developer.android.com/sdk/index.html, which includes the Android SDK tools and IDE.

  1. Install the complete Android Studio following an easy installation procedure.
  2. You may install only the SDK tools if the tests are limited.
  3. Add adb to the system path for easy access from the command prompt.

Running adb

Launch adb from a command prompt. On Windows, open ‘cmd.exe’ and type the following command to launch the adb console:

C:\Users\Tester> adb

1. Check the version

C:\Users\Tester> adb version

2. List the mobile devices connected to the system

C:\Users\Tester> adb devices

3. Get access to the device shell

C:\Users\Tester> adb shell

You will now see the Android shell. To get root access, run

shell@android:/$ su

The prompt changes to

root@android:/#

4. After getting root access, you can ‘cd’ to the application’s directory to view the stored data

root@android:/# cd /data/data/app.package.name

5. List the contents of the directory

root@android:/data/data/app.package.name# ls

6. After locating a database, pull it to the system. adb pull is run from a command prompt on the host, not from inside the adb shell

C:\Users\Tester> adb pull /data/data/app.package.name/databases/appdata.db

The contents of the pulled database can be viewed with another SDK tool, described in the next section.

Sqlite3

Sqlite3 can be used for managing the SQLite databases created by Android applications. The sqlite3 results should be properly analysed to learn how the application is storing data. Developers may assume that attackers will not get physical access to the mobile device, but it is possible, and it is easy to extract user data from an application using freely available tools. If the application does not encrypt the data before storing it, an attacker can simply reverse engineer the application and extract the data. Security testers can use sqlite3 to view the contents of the database and determine whether the data is stored in a secure format or not.

Prerequisites:

  • Java Development Kit 7
  • Android SDK tools
  • Download Android Studio from https://developer.android.com/sdk/index.html, which includes the Android SDK tools and IDE. Install the complete Android Studio following an easy installation procedure. You may install only the SDK tools if the tests are limited.

Running sqlite3

1. Open a command prompt and ‘cd’ to the location of the pulled SQLite database.
2. Open the database:

C:\Users\Tester> sqlite3 appdata.db

You will get a prompt like this:

sqlite>

3. List all the tables in the database:

sqlite> select name from sqlite_master where type='table';

4. View all the data in a table:

sqlite> select * from chosen_table_name;
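Steps 3 and 4 list the tables and dump their rows, but deciding whether a value is stored securely is still a manual judgement. The script below is an added example, not from the original post: it runs the same sqlite_master query from Python, picks out columns whose names suggest sensitive data, and classifies how each stored value looks (plaintext, a hash-sized hex digest, or an opaque token- or ciphertext-like string). It builds its own constructed in-memory database so it runs without a device; `audit_file()` applies the same checks to a database pulled with adb. The column-name fragments and the value patterns are heuristics chosen for this example.

```python
"""Inspect a SQLite database pulled from /data/data/<package>/databases/ and
report columns that look sensitive together with how their values appear to be
stored. Added example (not from the original post); the sample database is
constructed in memory so the script runs without a device."""
import re
import sqlite3
from collections import Counter, defaultdict

# Column-name fragments that usually hold data worth protecting at rest
# (heuristic, chosen for this example).
SENSITIVE_FRAGMENTS = ("pass", "pwd", "secret", "token", "pin", "card", "ssn")


def build_sample_db():
    """Constructed stand-in for a pulled appdata.db; all values are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
                            password TEXT, session_token TEXT);
        CREATE TABLE settings (name TEXT, value TEXT);
        INSERT INTO users VALUES (1, 'alice', 'Summer2015!', 'a9f3c2e17b04d6e8');
        INSERT INTO users VALUES (2, 'bob',
            '0f1e2d3c4b5a69788796a5b4c3d2e1f0', '0c7e1b9a4d2f8e63');
        INSERT INTO settings VALUES ('remember_me', 'true');
    """)
    return conn


def list_tables(conn):
    """Same query as the sqlite> step above, returned as a Python list."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r[0] for r in rows]


def table_columns(conn, table):
    return [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]


def classify_value(value):
    if not isinstance(value, str):
        return "non-text"
    if re.fullmatch(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}", value):
        return "hex-digest"    # MD5/SHA-1/SHA-256 sized; still check for salting
    if re.fullmatch(r"[A-Za-z0-9+/]{16,}={0,2}", value):
        return "opaque"        # random token, ciphertext or base64: look closer
    return "plaintext"


def audit(conn):
    """Map (table, column) -> count of each value classification, for every
    column whose name matches one of the sensitive fragments."""
    findings = defaultdict(Counter)
    for table in list_tables(conn):
        for column in table_columns(conn, table):
            if not any(f in column.lower() for f in SENSITIVE_FRAGMENTS):
                continue
            for (value,) in conn.execute(f'SELECT "{column}" FROM "{table}"'):
                findings[(table, column)][classify_value(value)] += 1
    return dict(findings)


def audit_file(path):
    """Run the audit against a database file pulled with adb."""
    with sqlite3.connect(path) as conn:
        return audit(conn)


if __name__ == "__main__":
    sample = build_sample_db()
    print("tables:", list_tables(sample))
    for (table, column), kinds in audit(sample).items():
        print(f"{table}.{column}: {dict(kinds)}")
```

A hex digest is not automatically a pass: an unsalted MD5 or SHA-1 of a password is recoverable with wordlists, so the classification is a prompt to read the storage code in JD-Gui, not a verdict. Inside the sqlite3 shell itself, `.tables` and `.schema tablename` give the same structural overview.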


JD-Gui

JD-Gui is a free Java decompiler tool that can decompile a Java class file and produce the actual source code.

Prerequisites:

  • Java Development Kit 1.1.8 and higher

JD-Gui can be downloaded from http://jd.benow.ca/. It is a stand-alone Java application.

Running

Invoke it from the command line by typing

java -jar jdgui.jar

Some platforms will allow simply double clicking the JAR file to invoke it.

1. Launch the JD-Gui application
2. Browse to a Java class file
3. See the actual source code in the tool window

By viewing the actual source code, we can go through each method implemented in the application and analyse its functionality. This tool is mainly useful for security code review. Verify the encryption techniques implemented, and check how the application handles input data and passes it to the web server.

Appuse framework

AppUse is a virtual machine equipped with the tools required to perform security testing of Android applications. A free version and an advanced commercial version are available. Download the free version of AppUse from https://appsec-labs.com/appuse/#av_section_5 and configure it in a virtual machine host.

Features

The AppUse Dashboard contains all the tools required for security testing. In summary it is a combination of:

1. An Android emulator for loading and testing applications
2. Reversing tools for extracting the code and manipulating parameters
3. An Android run-time manipulator and proxy tools

An Android apk file can be loaded into the emulator from the system or downloaded directly from the app store. The reversing tools can be used for manual security code review, and Burp can be used as a proxy for analysing the network traffic.

Drozer

Drozer is another audit and attack framework for Android. Drozer can discover and interact with the attack surface exposed by Android applications.

Prerequisites:

1. PC running Windows
2. Android device or emulator
3. Java Development Kit 7
4. Android SDK tools

Download the Drozer framework from https://www.mwrinfosecurity.com/products/drozer/ together with the agent apk file to be installed on the mobile device. The Drozer installer will build a complete Python environment. Install the agent apk file on the Android device.

Running Drozer

1. Launch drozer

     C:\drozer>drozer.bat

2. Connect the mobile device to the system using a USB cable.
3. Establish a connection with the agent app installed on the device

     C:\drozer>adb forward tcp:31415 tcp:31415

   31415 is the default port used by drozer.
4. Launch the agent app and enable the embedded server.
5. From the PC, connect using the drozer console

     C:\drozer>drozer.bat console connect

6. You will get the drozer console prompt

     dz>

Testing and Analysing Results

1. Finding the application package name

dz> run app.package.list -f app_name

You will get a package name like this:

com.app_packagedir.package

2. Getting basic information about the application

dz> run app.package.info -a com.app_packagedir.package

It will give information about the apk file path, directories, permissions, version, shared libraries, etc.

3. Identifying the attack surface

dz> run app.package.attacksurface com.app_packagedir.package

It will report the number of exported activities, content providers, services, broadcast receivers, etc. Exported means the component can be accessed by other applications.

4. Listing the exported activities

dz> run app.activity.info -a com.app_packagedir.package

You will see a list of activities accessible to other applications. An activity is a building block of the user interface. The Home Screen or Main activity will be in the list since it is the launching activity. All other activities in the list should be examined, since they can be launched bypassing the authentication.

5. Finding database-backed content providers

dz> run scanner.provider.finduris -a com.app_packagedir.package

It will give a list of accessible content URIs.

6. Finding content providers vulnerable to injection and directory traversal

dz> run scanner.provider.injection -a com.app_packagedir.package
dz> run scanner.provider.traversal -a com.app_packagedir.package
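Drozer reads the attack surface from the running device. The same facts come from the application's AndroidManifest.xml, and knowing the rules behind "exported" helps when reading Drozer's output. The script below is an added example, not part of the original post or of Drozer: it parses a constructed manifest (every package and component name in it is fictional) and reports the exported components, the debuggable flag, and the exported activities other than the launcher, i.e. the ones step 4 says to examine. The rules it encodes (an explicit android:exported wins; otherwise an intent-filter implies exported; a provider with neither is exported only when targetSdkVersion is below 17) were the platform defaults at the time of the post; from targetSdkVersion 31 the attribute must be set explicitly on any component with an intent-filter. Treating a missing uses-sdk element as targetSdkVersion 1 is a deliberate assumption of this example, chosen so nothing exported goes unreported.

```python
"""Derive the exported attack surface of an Android app from its
AndroidManifest.xml. Added example (not from the original post or from Drozer);
the manifest below is constructed and every name in it is fictional."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"

# Constructed manifest: one launcher activity, one explicitly exported activity,
# one private activity, an implicitly exported service, a receiver that opts
# out, and a provider that relies on the post-API-17 default.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="22"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AccountActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.constructed.SYNC"/></intent-filter>
    </service>
    <receiver android:name=".BootReceiver" android:exported="false">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.constructed.data"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(elem, target_sdk):
    explicit = attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.find("intent-filter") is not None:
        return True                      # implicit default below targetSdk 31
    return elem.tag == "provider" and target_sdk < 17


def is_launcher(activity):
    return any(attr(cat, "name") == LAUNCHER_CATEGORY
               for flt in activity.findall("intent-filter")
               for cat in flt.findall("category"))


def attack_surface(manifest_xml):
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    # Assumption of this example: no uses-sdk, or no targetSdkVersion, is read
    # as API 1 (most permissive) so that nothing exported is missed.
    target_sdk = 1
    if uses_sdk is not None:
        target_sdk = int(attr(uses_sdk, "targetSdkVersion") or 1)
    app = root.find("application")
    exported = {tag: [attr(c, "name") for c in app.findall(tag)
                      if is_exported(c, target_sdk)] for tag in COMPONENT_TAGS}
    launcher = [attr(a, "name") for a in app.findall("activity") if is_launcher(a)]
    return {
        "package": root.get("package"),
        "target_sdk": target_sdk,
        "exported": exported,
        "launcher": launcher,
        "debuggable": (attr(app, "debuggable") or "false").lower() == "true",
    }


def activities_to_review(surface):
    """Exported activities other than the launcher: any other app can start
    them, so each must enforce its own authentication check."""
    return [a for a in surface["exported"]["activity"]
            if a not in surface["launcher"]]


if __name__ == "__main__":
    s = attack_surface(SAMPLE_MANIFEST)
    print(f"Attack surface of {s['package']} (targetSdk {s['target_sdk']}):")
    for tag in COMPONENT_TAGS:
        print(f"  {len(s['exported'][tag])} {tag}(s) exported: {s['exported'][tag]}")
    print("  debuggable:", s["debuggable"])
    print("  activities to review:", activities_to_review(s))
```

On a real apk the manifest is stored in binary form; decode it with the apktool or aapt utilities shipped in AppUse and the SDK before feeding it to the parser. Components that are exported but protected by a custom permission still appear here, so compare the result with the permission attributes when triaging.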