Hello Friends,
I am writing this blog post for those who are struggling with `Mobile Application Testing`, or who don't know where to start when doing mobile app sec testing.
BEFORE WE START :-
- For those who are champs in mobile app sec, just cheers.
- This will take 15-30 mins of your time (so go ahead only if you have the time).
- This post is about:
3.1 - How to set up a testing environment for mobile app sec
3.2 - Various terminologies/tool details
3.3 - Evergreen findings
3.4 - Some pro tips. XD
Back in time, when I was doing my first mobile application assessment, to be honest I was very confused about how I should initiate the testing/setup/findings and bla bla... And trust me, that's the reason
"Beginning is always tough".
So I wrote this blog post to help beginners who want to learn about mobile application testing. As of now I have covered only the `Android Platform`; other platforms like iOS and Windows are almost the same.
Content Covered:
Case 1 :- Setting up testing environment for capturing http/https traffic
Case 2 :- What is .APK File ?
Case 3 :- What is Certificate Pinning and how to bypass ?
Case 4 :- 2 ways to test mobile application.
Case 5 :- How to install .apk file in emulator
Case 6 :- Ever Green Findings you will find during mobile app sec.
Introduction:
We live in a mobile, personal world, where nearly a billion new mobile phones ship each year. Businesses that are most efficiently adapting to today’s “app economy” are the most successful at deepening customer engagement and driving new revenues in this ever-changing world.
Attackers are increasingly targeting high-value mobile applications across all platforms. That's where mobile application security comes into the picture.
So let's do this.
CASE 1:- For Android Device - Capturing http/https traffic
Device Type: Android
Before we start, a few assumptions:-
- You have been given a `Mobile Device (Android)` on which the application that needs to be tested is installed.
- The application has no SSL pinning. Hold on, if you are not aware of what this term means, just keep reading; I have explained it at the end.
Step by Step Process for setting up the testing environment:
Step 1:
- Your Mobile Device (Android) and laptop should be on the same Wi-Fi.
- If my laptop is connected to the Nile$h SSID, then my Mobile Device (Android) should also be connected to the Nile$h SSID, and vice versa.
Below screenshot represents the same.
Fig 1: Laptop connected to Nile$h SSID
Fig 2: Mobile device connected to Nile$h SSID
Note: Both your devices (Mobile Device (Android) and Laptop) should be on the same network.
Step 2:
On your mobile device, press and hold the SSID name as shown below and select Modify network.
Select Show advanced options and under Proxy settings choose Manual.
Step 3:
Now in this step we have to put our laptop IP address into the mobile device settings as below:
My laptop IP address is: 192.168.0.103
On the mobile device fill in the details as below:
Proxy hostname: 192.168.0.103 (your laptop IP address)
Proxy port: 8080
Save the settings.
Now we have completed setting up the laptop and mobile device.
The next step is setting up the interception proxy and installing its certificate on your mobile device.
But why?
Nowadays most Android applications transmit data over SSL/TLS, which you cannot intercept using the above step alone. To intercept the SSL traffic you need to import the CA certificate of your host machine's proxy (which will be intercepting the Android traffic) into the Android keystore.
1. If you are using Burp Suite for interception, install the Burp Suite certificate on your mobile device as below:- Open Burp Suite and go to Proxy => Options => Edit => select All interfaces.
It looks like this:-
Now open your Mozilla Firefox browser and type:-
http://burp
Make sure your Burp intercept is on. Download the Burp certificate and install it on your mobile device.
2. If you are using Fiddler for interception, install the Fiddler certificate on your mobile device as follows:-
(The port number should be the same as you have set in your mobile settings)
- Download the certificate
- If you are having a hard time understanding Fiddler, then read this: How to use Fiddler when Burp is not working. (Remember, Fiddler is a savior)
NOTE:-
While installing the Burp or Fiddler certificate on your mobile device:
1] Copy the exported certificate to your mobile device; make sure you copy it to INTERNAL STORAGE.
2] Then go to Settings ==> Security ==> and select Install from internal storage.
3] A pop-up window will come up; simply click OK.
4] The Burp certificate is now successfully installed on your mobile device.
At this point you will have your Android phone in one hand, and on the other hand you will be watching Burp Suite or Fiddler to play around.
Hey, but can we use an emulator as well?
Yes, we can use an emulator as well, though have you ever wondered why people use an emulator to test the application?
The answer is:-
1 - If you are using a rooted Android device, then it's fine to follow CASE 1.
2 - If you are using a non-rooted device, then I recommend installing the .apk in an emulator and testing the app there, so that at the end of the day you can also test the storage-related findings :)
But which emulator should I use, and how do I install it? Any idea?
1 - Which emulator should I use - Genymotion
2 - How to install Genymotion - Click here
So we have successfully created our test environment for mobile app sec testing. Great, so let's move ahead.
Case 2: What is .APK File ?
Let's go back in time and say the client gives you a .apk file.
In terms of industry standards, before you test a mobile application, the testing team will provide you the .apk file.
But what is an APK file?
Just like Windows PC systems use a .exe file for installing software, Android does the same.
An APK file is the file format used for installing software (usually games or apps) on the Android operating system.
If your Android device lacks access to the Google Play Store, APK files may be your only option for installing apps on your device.
Some tips:-
- Before you can install it on your phone, you will need to make sure that third-party apps are allowed on your device. So do the setting below.
- Go to Menu > Settings > Security > and check "Unknown Sources" to allow your phone to install apps from sources other than the Google Play Store.
- If you like, you can also download an app like ES File Explorer so you can easily find files on your Android device. (Only applicable for rooted devices)
Take away:-
File extensions for the different mobile flavors
- Android => .apk
- iOS => .ipa
- Windows => .xap ==> Burp Certificate to install is cacert.cer
- Feature phone (Nokia, etc) => .jar [But how to test such a .jar based application? Answer is here]
Case 3:- What is Certificate Pinning and how to bypass ?
To know more about certificate pinning, refer to my article on how to bypass SSL pinning.
For those who don't like clicking on external links, I am providing a quick description. It's an extra layer of security which helps the application be more secure.
1 - If certificate pinning is enabled, you will not be able to intercept the traffic
2 - In that case you need to bypass the certificate pinning
So now we understand
- How to set up a test environment for testing an Android mobile application
- What a .apk file and Certificate Pinning are
Case 4:- 2 ways to test a mobile application
1] Install the .apk on your mobile and test the application (CASE 1)
- In the above case you have to open the application on the mobile phone and test it.
2] By using the Android SDK tool OR my all-time favorite Genymotion
(If you know others, let me know; I'd love to know more about them)
Case 5:- How to install a .apk file in the emulator
Step 1:- Before installing, check whether your emulator is connected. Open your cmd and type
command:-
adb devices
Step 2:- Now it's time to install your .apk. You can simply drag and drop the .apk file into your emulator, or type the command below, but make sure you are in the directory below:
- C:\Program Files\Genymobile\Genymotion\tools
Command :- adb install "Path of file where your .apk is placed"
i.e. adb install C:\Users\Nilesh\Desktop\diva-beta.apk
Hey, but what is "adb"?
ADB = Android Debug Bridge
adb is a command-line tool that lets you communicate with an emulator instance or a connected Android-powered device.
All adb clients use port 5037 to communicate with the adb server.
Basically it is a client-server program that includes three components:
- A client, which runs on your development machine. You invoke a client from a shell by issuing an adb command.
- A server, which runs as a background process on your development machine. The server manages communication between the client and the adb daemon running on an emulator or device.
- A daemon, which runs as a background process on each emulator or device instance.
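To make the client/server split above concrete, here is an added example (not code from the original post or from the Android project) that implements the framing an adb client uses when it talks to the adb server on port 5037: a 4-digit ASCII hex length followed by the request, answered by "OKAY" or "FAIL" plus, usually, another length-prefixed body. It opens no socket; the replies in the demo are constructed bytes, and `host:version` / `host:devices` are the real service names that `adb version` and `adb devices` send.

```python
"""Framing of the messages an adb client exchanges with the adb server
on TCP port 5037.

Added example, not from the original post or from the Android project's
own code. It implements the documented host-service framing: the client
sends a 4-character ASCII hex length followed by the request, and the
server answers "OKAY" or "FAIL", usually followed by another
length-prefixed payload. Nothing here opens a socket; the replies in
the demo are constructed bytes used to exercise the parser.
"""
from __future__ import annotations

ADB_SERVER_PORT = 5037


def encode_request(service: str) -> bytes:
    """Frame a request such as 'host:version' as b'000chost:version'."""
    payload = service.encode("ascii")
    if len(payload) > 0xFFFF:
        raise ValueError("request too long for the 4-hex-digit length prefix")
    return ("%04x" % len(payload)).encode("ascii") + payload


def frame_reply(status: str, body: bytes = b"") -> bytes:
    """Build a server-style reply (used here only to construct demo data)."""
    if status not in ("OKAY", "FAIL"):
        raise ValueError("status must be OKAY or FAIL")
    return status.encode("ascii") + ("%04x" % len(body)).encode("ascii") + body


def decode_response(data: bytes) -> tuple[str, bytes]:
    """Split a reply into (status, body).

    status is 'OKAY' or 'FAIL'; body is the length-prefixed payload that
    follows it, or b'' when the reply carries none.
    """
    if len(data) < 4:
        raise ValueError("short adb reply")
    status = data[:4].decode("ascii")
    if status not in ("OKAY", "FAIL"):
        raise ValueError("unexpected adb status %r" % status)
    rest = data[4:]
    if len(rest) < 4:
        return status, b""
    length = int(rest[:4].decode("ascii"), 16)
    body = rest[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated adb reply body")
    return status, body


def parse_device_list(body: bytes) -> list[tuple[str, str]]:
    """Turn a 'host:devices' body into (serial, state) pairs, one per line."""
    devices = []
    for line in body.decode("ascii").splitlines():
        if not line.strip():
            continue
        serial, state = line.split("\t", 1)
        devices.append((serial, state))
    return devices


if __name__ == "__main__":
    # Constructed exchange: what `adb devices` sends and what a server that
    # knows one Genymotion emulator might answer.
    request = encode_request("host:devices")
    reply = frame_reply("OKAY", b"192.168.56.101:5555\tdevice\n")
    status, body = decode_response(reply)
    print(request, status, parse_device_list(body))
```

The practical point for testing: anything that can reach port 5037 on your laptop can drive the connected emulator or phone with exactly these frames, so keep the adb server bound to localhost on a shared test network.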
Below is the screenshot of the above commands; we have installed DIVA.
DIVA is the Damn Insecure and Vulnerable Application created by Aseem Jakhar, Payatu Labs.
It contains various vulnerabilities including flaws in input validation, access control, hardcoding issues and a bunch more.
So now we are all ready to hack DIVA :)
Hey, but how to intercept traffic or set up the environment via the emulator? Can you guide me?
Sure, it's almost the same as the CASE 1 setup; follow these simple steps:-
Step 1:- Set up Burp Suite
Assign your laptop's Wi-Fi IP address to the Burp Suite listener, with port 8080
Step 2:- Set your laptop IP address as the proxy under WiredSSID
Step 3:- Installing the Burp certificate.
3.1 Download the Burp certificate and change its extension to .crt
3.2 Move that certificate to the directory below: C:\Program Files\Genymobile\Genymotion\tools
Now you have to move that Burp certificate into your emulator; to do so run the commands below.
- adb connect 192.168.56.101
- adb push cacert.crt /mnt/sdcard/cacert.crt
where 192.168.56.101 is your emulator IP address
Step 4:-
- In the emulator go to Settings ==> Security
- Under Credential storage select "Install from SD card"
- Now you can select the "cacert.crt" file present on the SD card
- Give it the name cacert and click OK
- It will ask you to set a lock screen; simply click OK, select a type of lock screen and confirm
Now you are all set to capture the traffic via the emulator :)
So now we know all the ways to set up the mobile application test bed. Now let's move on and see the different findings we can look for while testing a mobile application.
Case 6:- List of "Ever Green" findings you will be finding in Android applications
List of evergreen findings in an "Android Application"
- Decompile the apk file into source code to check for the `Code Obfuscation` finding.
- Sensitive information in clear text inside the `Local Storage`
- Sensitive information in clear text inside the `Logs`
- Debuggable flag (android:debuggable) set to TRUE - in the Android manifest file:- (decompile the .apk file and check the manifest file)
- allowBackup set to TRUE - in the Android manifest file:- (decompile the .apk file and check the manifest file)
- Application has set insecure permissions [app can read/write to External Storage] - in the Android manifest file:- (decompile the .apk file and check the manifest file)
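The three manifest findings above can be checked automatically once apktool has decoded the manifest to plain XML. The script below is an added example (not from the original post or from any tool mentioned in it); it reads the decoded AndroidManifest.xml with the standard library and reports the debuggable flag, a missing `allowBackup="false"`, external storage permissions, and exported receivers/services/providers that carry no permission. The sample manifest at the bottom is constructed for the demo.

```python
"""Audit a decoded AndroidManifest.xml for the manifest findings above.

Added example, not part of the original post. It assumes the manifest
has already been decoded to plain XML (apktool does this; the binary
manifest inside the .apk cannot be parsed directly). The sample
manifest at the bottom is constructed for the demo, not from any real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that let the app read or write shared external storage,
# where other apps (and the user) can read whatever it leaves behind.
EXTERNAL_STORAGE_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}


def android_attr(elem, name):
    """Read an android:<name> attribute (the namespace apktool emits)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(xml_text: str) -> list:
    """Return a list of human-readable findings for the given manifest XML."""
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")

    if app is not None:
        if android_attr(app, "debuggable") == "true":
            findings.append('android:debuggable="true" (a debugger can be attached to the app)')
        # allowBackup defaults to true when the attribute is absent, so only
        # an explicit "false" counts as safe.
        if android_attr(app, "allowBackup") != "false":
            findings.append('android:allowBackup is not "false" (app data can be backed up via adb)')

    for perm in root.findall("uses-permission"):
        name = android_attr(perm, "name") or ""
        if name in EXTERNAL_STORAGE_PERMISSIONS:
            findings.append("external storage permission requested: %s" % name)

    # Receivers, services and providers marked exported without a permission
    # are reachable by every other app on the device. Activities are left
    # out here because the launcher activity is legitimately exported.
    if app is not None:
        for tag in ("receiver", "service", "provider"):
            for comp in app.findall(tag):
                if android_attr(comp, "exported") == "true" and android_attr(comp, "permission") is None:
                    findings.append("exported %s without permission: %s" % (tag, android_attr(comp, "name")))
    return findings


# Constructed sample manifest, shaped like apktool's AndroidManifest.xml output.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="Demo" android:debuggable="true" android:allowBackup="true">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".SmsReceiver" android:exported="true"/>
        <service android:name=".SyncService" android:exported="true" android:permission="com.example.demo.SYNC"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("[!]", finding)
```

Run it against `AndroidManifest.xml` from the apktool output folder by passing the file's contents to `audit_manifest`; each line it prints is one row for your findings sheet, and the hardened version of the sample is simply `android:debuggable="false"`, `android:allowBackup="false"`, no external storage permission, and a `android:permission` on the receiver.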
OWASP Mobile Top 10 2016
If you are not sure how to test "storage related findings", then refer to my other blog: How to test storage related findings
Now we will see how to find the findings described above.
1 - Reverse engineering an Android application OR decompiling the apk file into source code
We can reverse engineer the given .apk file to view the source code, and add one more finding, "code is not obfuscated", if it isn't. Follow these simple steps:
Step 1:- Rename the .apk to a .zip file.
Step 2:- Extract the .zip file content.
Step 3:- You will find the classes.dex file in that folder.
Step 4:- Download dex2jar and unzip it (Android applications are written in Java code.)
Step 5:- Put that classes.dex file in the dex2jar folder.
Step 6:- Open a command window at the dex2jar location, i.e. in my case C:\Users\Nilesh\Desktop\M_Tools\New folder\dex2jar-2.0>
Step 7:- Run this command
> d2j-dex2jar.bat classes.dex
Step 8:- At this point a classes-dex2jar.jar file will be created in your folder (dex2jar-2.0)
Step 9:- Download jd-gui and open that classes-dex2jar.jar file
Now you can play around with the Java code. And you have one finding to add to your sheet if the developer missed obfuscating the code ;)
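Whether the code is obfuscated is usually obvious in jd-gui, but for a large jar it helps to measure it. The following is an added example (not from the original post or from the dex2jar project): it lists the `.class` entries of the `classes-dex2jar.jar` produced at step 8 and reports what fraction carry the one- or two-letter names that ProGuard/R8-style renaming leaves behind. The two jars built by `build_demo_jar()` contain constructed entry names with empty bodies, enough to exercise the heuristic.

```python
"""Heuristic check of whether the jar produced by d2j-dex2jar is obfuscated.

Added example, not from the original post or from the dex2jar project.
After step 8 you have classes-dex2jar.jar; this lists its .class entries
with zipfile and measures what fraction of class names are the one- or
two-letter identifiers that ProGuard/R8-style renaming leaves behind.
The two jars built by build_demo_jar() contain only constructed entry
names with empty bodies, enough to exercise the heuristic.
"""
import io
import re
import zipfile

# Obfuscators rename classes to a, b, c, ..., aa, ab, ...
SHORT_NAME = re.compile(r"^[a-z]{1,2}$")


def class_names(jar) -> list:
    """All class entries in the jar (path or file object), without .class."""
    with zipfile.ZipFile(jar) as zf:
        return [n[:-len(".class")] for n in zf.namelist() if n.endswith(".class")]


def simple_name(entry: str) -> str:
    """'com/example/Crypto$Keys' -> 'Crypto' (drop package and inner-class suffix)."""
    return entry.rsplit("/", 1)[-1].split("$", 1)[0]


def obfuscation_ratio(jar) -> float:
    """Fraction of classes whose simple name looks obfuscated (0.0 to 1.0)."""
    names = class_names(jar)
    if not names:
        return 0.0
    short = sum(1 for n in names if SHORT_NAME.match(simple_name(n)))
    return short / len(names)


def is_obfuscated(jar, threshold: float = 0.5) -> bool:
    """True when at least `threshold` of the classes carry obfuscated names."""
    return obfuscation_ratio(jar) >= threshold


def build_demo_jar(entry_names) -> io.BytesIO:
    """Construct an in-memory jar containing the given (empty) entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entry_names:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf


# Constructed entry lists: a readable build and an obfuscated one.
PLAIN_NAMES = [
    "com/example/app/LoginActivity.class",
    "com/example/app/ApiClient.class",
    "com/example/app/Crypto.class",
    "com/example/app/Crypto$Keys.class",
]
OBFUSCATED_NAMES = [
    "a/a.class",
    "a/b.class",
    "b/a/c.class",
    "com/example/app/MainActivity.class",  # kept readable by a keep rule
]

if __name__ == "__main__":
    for label, names in (("plain", PLAIN_NAMES), ("obfuscated", OBFUSCATED_NAMES)):
        print(label, round(obfuscation_ratio(build_demo_jar(names)), 2),
              is_obfuscated(build_demo_jar(names)))
```

Pass the real jar's path to `obfuscation_ratio`; bundled libraries that the build keeps unrenamed will pull the ratio down, so read the number together with what you see in jd-gui rather than as a verdict on its own.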
2 - Sensitive information in clear text inside the storage
Step 1:- Download the plugin for Firefox - SQLite Manager - it is a Firefox extension.
After the installation you can find it in your browser under
Tools ==> SQLite Manager
Step 2:- Now you need to decompile the .apk file. To do this download apktool or Appie,
then run the command
apktool d "apkfile.apk"
Step 3:- After decompiling you will find many files; check for the .db file and open
it with SQLite Manager
Note:-
If you do not have a "rooted device" or any "emulator", then you might not be able to see the local storage of the device. To deal with such a situation you need to first take a full device backup and then look for the storage-related findings.
Reference Link 1 and Link 2
If the mobile device is rooted then you can follow the above steps OR download an app like ES File Explorer so that you can easily see internal storage related findings.
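Opening each .db file by hand in SQLite Manager works for one app, but the check is easy to script. Below is an added example (not from the original post or from any tool it names) that walks a folder of pulled database files with Python's standard `sqlite3` module and reports clear-text values in columns whose names suggest credentials, skipping values that already look like password hashes. The database built by `build_demo_storage()` is constructed for the demo; the column names and values are made up.

```python
"""Scan SQLite databases pulled from an app's data directory for
clear-text secrets.

Added example, not from the original post. It walks a folder the way
you would walk a pulled /data/data/<package>/databases directory, opens
every .db file with the standard sqlite3 module and reports values in
columns whose names suggest credentials, skipping values that already
look like password hashes. The database built in build_demo_storage() is
constructed for the demo; the column names and values are made up.
"""
import hashlib
import os
import re
import sqlite3
import tempfile

# Column-name fragments that usually hold secrets (matched in lower case).
SENSITIVE_COLUMN_HINTS = ("password", "passwd", "pin", "token", "secret", "card")

HEX_DIGEST = re.compile(r"^[0-9a-fA-F]{32}$|^[0-9a-fA-F]{40}$|^[0-9a-fA-F]{64}$")
HASH_PREFIXES = ("$2a$", "$2b$", "$2y$", "$argon2", "$pbkdf2")


def looks_hashed(value: str) -> bool:
    """Crude check: md5/sha1/sha256-length hex digest or a KDF prefix."""
    return bool(HEX_DIGEST.match(value)) or value.startswith(HASH_PREFIXES)


def scan_database(path: str) -> list:
    """Report clear-text values in sensitive-looking columns of one database."""
    findings = []
    conn = sqlite3.connect(path)
    try:
        tables = [row[0] for row in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            columns = [row[1] for row in conn.execute('PRAGMA table_info("%s")' % table)]
            for column in columns:
                if not any(hint in column.lower() for hint in SENSITIVE_COLUMN_HINTS):
                    continue
                for (value,) in conn.execute('SELECT "%s" FROM "%s"' % (column, table)):
                    if isinstance(value, str) and value and not looks_hashed(value):
                        findings.append({
                            "db": os.path.basename(path),
                            "table": table,
                            "column": column,
                            "value": value,
                        })
    finally:
        conn.close()
    return findings


def scan_directory(root: str) -> list:
    """Scan every *.db file below root (e.g. a pulled databases/ folder)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".db"):
                findings.extend(scan_database(os.path.join(dirpath, name)))
    return findings


def build_demo_storage(directory: str) -> str:
    """Create a constructed app.db with one clear-text password, one hashed
    password and one clear-text session token."""
    path = os.path.join(directory, "app.db")
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
        conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                     ("alice", "Summer2015!"))
        conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                     ("bob", hashlib.sha256(b"constructed").hexdigest()))
        conn.execute("CREATE TABLE session (user_id INTEGER, auth_token TEXT)")
        conn.execute("INSERT INTO session VALUES (1, 'tok-constructed-0123456789')")
        conn.execute("CREATE TABLE prefs (key TEXT, value TEXT)")
        conn.execute("INSERT INTO prefs VALUES ('theme', 'dark')")
    conn.close()
    return path


def demo_scan() -> list:
    """Build the demo storage in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_storage(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    for f in demo_scan():
        print("[!] %s:%s.%s = %r" % (f["db"], f["table"], f["column"], f["value"]))
```

On a rooted device or emulator, `adb pull` the app's `databases/` folder to your laptop and point `scan_directory` at it. Column names are only a hint: a value stored in a column called `data` will not be caught, so the script narrows the manual review rather than replacing it.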
To get the findings described above right away in one click, you can use the MobSF security framework.
Or, below is a checklist of the different attacks which you need to keep in mind when you are about to perform a mobile penetration test:-
• API assessment
• Flawed Broadcast Receivers
• Intent Sniffing and Injection
• Weak Authorization mechanism
• Local Encryption issues
• Vulnerable Activity Components
• Root Detection and Bypass
• Insecure Content Provider access
• Insecure Webview implementation
• Weak Cryptography implementation
• Application Patching
• Sensitive Information in Memory
• Insecure Logging mechanism
• Android Pasteboard vulnerability
• Application Debuggable
• Android keyboard cache issues
• Android Backup vulnerability
• Runtime Manipulation
• Insecure SDCard storage
• Insecure HTTP connections
• Parameter Manipulation
• Hardcoded secrets
• Username Enumeration issue
• Developer Backdoors
• Weak change password implementation
• Weak Pseudo Random Implementation
• Path Traversal
• Local SQL Injection
• Intent based Denial-Of-Service - SMS
• LockScreen Bypass
• Location Spoofing
• Dead Code
FAQ:-
1] Which is the best emulator in which I can install my .apk if I don't want to load/install the app on my Android device?
- My all-time favorite, Genymotion.
- Apart from this you can try AVD Manager - which can run on Windows OS
- You can run the .apk in a VM:- VM-MobileSec and download link
2] Which different tools might I require to do Android testing?
- Simply use Appie – Android Pentesting Portable Integrated Environment. It's all in one.
- There are many, but I recommend you try DIVA Android (Damn Insecure and Vulnerable App) for Android by Aseem Jakhar
- Yes. Pentesting Android Apps (http://pentesteracademy.com/course?id=25) - DIVA by Aditya Gupta (@adi1391)
- Yes, you should refer to Mobile-Security-Framework-MobSF and its documentation by Ajin Abraham
- MobileApp-Pentest-Cheatsheet Link; if you want to deep dive into mobile application penetration testing.
Last but not least :-
I hope you guys learned something new. If you have any suggestions, or if you feel I missed any points, then do let me know or DM. I'd love to add them to the post.
At the end of the day we are all `learners`.
+ I would like to thank my friends who taught me and helped me learn mobile app sec. They all know what I mean :)
Happy Mobile Hacking.