Zero to Hero - Mobile Application Testing - Android Platform



Hello Friends,

Writing this blog post for those who struggling with `Mobile Application Testing` OR those who don't know from where to start while doing mobile app sec testing.

BEFORE WE START :-

  1. For those who are champ in mobile app sec just cheers.
  2. This will take your: 15-30 mins (So if you think that you have time then only go ahead)
  3. This post is about  

              3.1 - How to setup a testing environment for mobile app sec 
              3.2 - Various terminologies/tools details
              3.3 - Ever green findings
              3.4 - Some pro tips. XD


Back in time when I was doing my first mobile application assessment to be honest I was very much confused that how shall I initiate the testing/setup/findings and bla bla... And trust me that's the reason
"Beginning is always tough".

So I wrote this blog post to help those new beginner who wanted to learn about mobile application testing. As of now I have covered only `Android Platform` other platform like iOS and Windows are almost same.

Content Covered: 

Case 1 :- Setting up testing environment for capturing http/https traffic
Case 2 :- What is .APK File ?
Case 3 :- What is Certificate Pinning and how to bypass ?
Case 4 :- 2 ways to test mobile application.
Case 5 :- How to install .apk file in emulator
Case 6 :- Ever Green Findings you will find during mobile app sec.

Introduction: 

We live in a mobile, personal world, where nearly a billion new mobile phones ship each year. Businesses that are most efficiently adapting to today’s “app economy” are the most successful at deepening customer engagement and driving new revenues in this ever-changing world.

Hackers are increasingly aiming targets to launch attacks on high-value mobile applications across all platforms. That's where mobile application security comes into the picture.

So Lets do this.

CASE 1:- For Android Device - Capturing http/https traffic


Device Type: Android

Requirement: Smart phone(Android),WiFi Connection, Laptop,Burp suite or Fiddler (Interception)

Before we start few assumption:-

  1. You have been given `Mobile Device (Android)` in which the application which needs to be test is Installed.
  2. Application with - No SSL Pinning.  Hold on If you not aware about what this term means than just move reading ahead at the end I have explained. 

Step by Step Process for setting testing environment:

Step 1: 

  • Your Mobile Device (Android) and Laptop should be on same Wi-Fi
  • If my laptop is connected to Nile$h SSID then my Mobile Device (Android) also be connected to Nile$h SSID and vice-versa.

Below screenshot represents the same.

Fig 1: Laptop connected to Nile$h SSID 

Fig 2: Mobile device connected to Nile$h SSID 

Note: Your both devices (Mobile Device (Android) and Laptop) Should be on same network.


Step 2: 

On your mobile device Press and hold on SSID name as shown below and select Modify network   

      


Step 3:   

Select => Show advanced option and Under Proxy setting click on manual


    




Step 4:

Now In this step we have to assign our Laptop IP address to Mobile Device setting as below:

My laptop IP Address is : 192.168.0.103


In mobile device fill details as below:
Proxy hostname : 192.168.0.103 (Your Laptop IP address)
Proxy port : 8080

Save the settings



Now we have completed setting up Laptop and Mobile device. 

The next step will be setting up Interception proxy and Installing its certificate in your mobile device. 

But why ? 

Now a days most of the android application transmits data over SSL which you cannot normally intercept using the above step. So to intercept the SSL traffic you need to import a CA certificate (of your host machine proxy which will be intercepting the android traffic) to the android keystore.
  1. If you are using Burp Suite for interception then install burp suite certificate in your mobile device as below:-                                                                                                                             Open your burp suite and go to Proxy=>Options=>Edit=> Select  All interfaces 



It looks like as below :- 



Now open your Mozilla firefox browser and type:- 
http://burp
Make sure your Burp intercept is on. Download the burp certificate and install in your mobile device.


2.  If you are using Fiddler for interception then install fiddler certificate in your mobile device as follow:- 

- Go to mobile browser and type http://ipv4.fiddler:8888  in your browser
(Port number should be same as you have set in your mobile setting)
- Download the certificate
- If you having hard time understanding the fiddler then read this How to use Fiddler When Burp Not working . (Remember Fiddler is a savior)


NOTE:- 

While installing Burp OR Fiddler Certificate to your mobile device 

Importing certificate into your mobile device:-

1]  Copy the exported certificate into your mobile device, make sure you have copied that into  INTERNAL STORAGE.

2] Then Go to Settings==>Security==> and select Install From internal storage



3] Pop-up window will comes up,simply click on OK.

4]  Burp certificate is successfully installed on your mobile device.

At this point of time at one hand you will be having your Android phone and on other hand you will be checking burp suite or fiddler to play around.

Hey but we can use Emulator as well ? 

Yes we can use emulator as well, though have you ever wonder why people use emulator to test the application.

Answer is :-

1 - If you are using rooted android device then its fine following CASE 1
2 - If you are using non - rooted device then I recommend to install .apk in emulator and test the app so that at the end of the day you can test the storage related findings :)

But which emulator should l use and how to install any idea ? 

1 - Which emulator should I use - Genymotion
2 - How to Install Genymotion - Click here

So We have successfully created our test environment for testing mobile app sec. Great so lets move ahead.


Case 2:  What is .APK File ?

Lets go back in time and say client gives you .apk file. 

In terms of Industry Standards, before you test mobile application, testing team will provide you .apk file.

But what is APK File? 

Just like Windows PC systems use a .exe file for installing software, Android does the same.
An APK file is the file format used for installing software (usually games or apps) on the Android operating system.

If your Android device lacks access to the Google Play Store, APK files may be your only option for installing apps on your device.

Some Tips:-
  1. Before you can install it on your phone you will need to make sure that third-party apps are allowed on your device. So do below setting. 
  2. Go to Menu > Settings > Security > and check "Unknown Sources" to allow your phone to install apps from sources other than the Google Play Store. 
  3. If you like, you can also download an app like ES File Explorer so you can easily find files on your Android device.(only applicable for rooted devices) 
Take away:-

File extension for the different mobile flavors 
  1. Android    => .apk
  2. iOS           =>  .ipa
  3. Windows  =>  .xap   ==> Burp Certificate to install is cacert.cer 
  4. Feature phone (Nokia, etc) =>  .jar  [But how to test such .jar based application Answer is here]

Case 3:-  What is Certificate Pinning and how to bypass?

To know more about certificate pinning refer my article how to bypass ssl-pinning.

For those who don’t like clicking on external links, I am providing a quick description. Its an extra layer of security which helps application to be more secure.

1 - If Certificate pinning is enable the you will not able to intercept the traffic
2- In that case you need to bypass the certificate pinning

So we understood now
  • How to set up test environment for testing android mobile application
  • What is .apk file and Certificate Pinning 
Now lets move ahead.


Case 4:-   2 ways to test mobile application 

1] Installing .apk in your mobile and test the application (CASE 1)
- In above case you have to open application by mobile phone and test the application.

2] By using Android SDK Tool OR My all time favorite Genymotion

(If you know other let me know will love to know more about it)


Case 5:-  How to install .apk file in emulator
  • Install  .apk file in your emulator. (Just drag and drop .apk file in your emulator.)
OR
  • Before that check if your emulator is connected or not by following below step
     Step 1:-  Go to C:\Program Files\Genymobile\Genymotion\tools

     Step 2:-  Open your cmd and type
                   command:-
                   adb devices



  • Now its time to install your .apk. Type below command, but make sure you are in below directory
  • C:\Program Files\Genymobile\Genymotion\tools

Command :-  adb install  "Path of file where your .apk is placed"
i.e.                   adb install   C:\Users\Nilesh\Desktop\diva-beta.apk



Hey But what is "adb" ? 

ADB = Android Debug Bridge

Adb is a command line tool that lets you communicate with an emulator instance or connected Android-powered device.

All adb clients use port 5037 to communicate with the adb server.

Basically It is a client-server program that includes three components:

  1. A client, which runs on your development machine. You can invoke a client from a shell by issuing an adb command.
  2. A server, which runs as a background process on your development machine. The server manages communication between the client and the adb daemon running on an emulator or device.
  3. A daemon, which runs as a background process on each emulator or device instance.
If you want to deep dive in it check this reference links hold on.. but after finishing this article so that you be in sync.

Below is the screenshot of above commands we have installed the DIVA.

DIVA is Damn Insecure and Vulnerable Application created by Aseem Jakhar, Payatu Labs.

It contains various vulnerabilities including flaws in input validation, access control, hardcoding issues and a bunch more.








So now we are all ready to hack the DIVA :)

Hey but how to intercept traffic OR Set up environment via emulator can you guide me ?

Sure its almost same as CASE-1 Set Up, follow simple steps:-

Step 1:- Set up burp suite
Assign your laptop wifi to burp suite with port 8080



Step 2:-  Set your laptop IP address under WiredSSID



Step 3:-  Installing burp certificate.

3.1 Download the burp certificate and change its extension to .crt
3.2 Move that certificate to below directory C:\Program Files\Genymobile\Genymotion\tools

Now you have to move that burp certificate in your emulator to do so run below commands.

  • adb connect 192.168.56.101
  • adb push cacert.crt /mnt/sdcard/cacert.crt

Where 192.168.56.101 is your emulator IP address



Step 4:-
  • In the emulator go to Settings ==> Security
  • In the Credential storage select “Install form SD Card” 
  • Now you can select the “cacert.crt” file present in the sd card 
  • Give the name cacert and click on ok
  • It will ask you to set a lock screen click simply click ok and select a type of lock screen and confirm








Now you are all set to capture the traffic via emulator :)

So now we know all the way to setup the mobile application test bed. Now lets move and see what are different findings which we can think while testing mobile application.

Below is the list of "Ever Green" Findings you will find during the assessment of Android application


Case 6:- List of "Ever Green" Findings you will be finding in android application 

List of evergreen findings in "Android Application"

  1. Decompiling the apk file into source code to check for `Code Obfuscation` finding.
  2. Sensitive information in clear text inside the `Local Storage`
  3. Sensitive information in clear text inside the `Logs`
  4. Anti debugging set to TRUE - In Android manifest file:- (Decompile the .apk file and check the manifest file) 
  5. allowBackup is set to TRUE - In Android manifest file:- (Decompile the .apk file and check the manifest file) 
  6. Application has set insecure permissions  [App can read/write to External Storage] - In Android manifest file:- (Decompile the .apk file and check the manifest file) 
For more in-depth detail of various bugs which you can find under mobile app sec refer :-
OWASP - Mobile Top 10 2016-Top 10

If you not sure how to test "Storage related findings" then refer my another blog How to test storage related findings

Now we will see how to find those findings describe above.

1 - Reverse Engineering an android application OR Decompiling the apk file into source code

We can reverse engineer given .apk file to view the source code and add +1 finding code is not obfuscated if it is. Follow below simple steps

Step 1:- convert .apk to .zip file.
Step 2:- Extract .zip file content.
Step 3:- You will find  classes.dex file in that folder.
Step 4:- Download dex2jar and unzip it (Android applications are written using the java code.)
Step 5:- Put that classes.dex file in dex2jar folder.
Step 5:- Open command window at dex2jar location i.e. in my case C:\Users\Nilesh\Desktop\M_Tools\New folder\dex2jar-2.0>
Step 6:- Run this command
             > d2j-dex2jar.bat classes.dex
Step 7:- At this point of time classes-dex2jar.jar file will be created in your folder  (dex2jar-2.0)
Step 8:- Download jd-gui and open that classes-dex2jar.jar file

Now you can play around with java code. And you have one finding to add in your sheet if developer miss to obfuscate the code ;)

2  Sensitive information in clear text inside the storage

Step 1:-  Download the plugin for firefox - Sqlite-manager - It is firefox extension.
              After the installation  you can find it in your browser under  
              Tools ==> SQLite Manager

Step 2:-  Now you need to decompile the .apk file. To do this download apk tool or Appie.
              then run the command
              apktool d "apkfile.apk"

Step 3:-  After de-compiling you will find many a files then check for the .db file and open
              that with Sqlite-manager

Note:-
If you do not have "rooted device" or any "emulator" then you might not able to see the local storage of the device to deal with such situation you need to first take the entire device backup and then look for the findings related to storage.
Reference Link 1 and Link 2

If mobile device is rooted then you can follow above steps OR  Download an app like ES File Explorer so that you can easily see internal storage related findings

To get above describe findings right away in one click you can use MOBSF security framework.

OR

Below some of the checklist of different attacks which you need to keep in mind when you are about to perform a Mobile penetration test:-

API assessment
Flawed Broadcast Receivers
Intent Sniffing and Injection
Weak Authorization mechanism
Local Encryption issues
Vulnerable Activity Components
Root Detection and Bypass
Insecure Content Provider access
Insecure Webview implementation
Weak Cryptography implementation
Application Patching
Sensitive Information in Memory
Insecure Logging mechanism
Android Pasteboard vulnerability
Application Debuggable
Android keyboard cache issues
Android Backup vulnerability
Runtime Manipulation
Insecure SDCard storage
Insecure HTTP connections
Parameter Manipulation
Hardcoded secrets
Username Enumeration issue
Developer Backdoors
Weak change password implementation
Weak Pseudo Random Implementation
Path Traversal
Local SQL Injection
Intent based Denial-Of-Service - SMS
LockScreen Bypass
Location Spoofing
Dead Code


FAQ:- 


1] Which is best emulator in which I can install my .apk  if I don't want to load/Install app in my android device ?
Though go with Genymotion. Its savior ;)

2] Which are different tools which I might require to do Android testing ?
  •  Simply use Appie – Android Pentesting Portable Integrated Environment.Its all in one.
3] Any demo application to test mobile app sec ?
4] Any Solution available for DIVA ? As I am new in mobile app sec.
  •      Yes. Pentesting Android Apps (http://pentesteracademy.com/course?id=25) - DIVA by Aditya Gupta (@adi1391)
5] Any scanning sort of tool or framework available which can automate the mobile app sec testing .
  •  Yes you should refer Mobile-Security-Framework-MobSF and its documentation by Ajin Abraham
6] Any MobileApp-Pentest-Cheatsheet Link.
  • MobileApp-Pentest-Cheatsheet Link ; If you want to deep dive into mobile application penetration testing.
7] Good read -  Introduction to the OWASP Mobile Security Testing Guide


Last but not least :- 
I hope you guys learn something new. If you have any suggestions or If you feel I missed out any points then do let me know OR DM.  I'd love to add them to the post.

At the end of the day we all are `learner`.

+ I would like to thank my friends who taught me and helped me out to learn mobile app sec. They all know what I mean :)

Happy Mobile Hacking.

Share this

Related Posts

Previous
Next Post »

12 comments

Write comments
19 February 2017 at 00:36 delete

Very good article..This is one of best I found on Internet.

Reply
avatar
19 February 2017 at 01:08 delete

Waiting for this from three month, Great post ! (You know what, this will the first step towards my mobile penetration)
Cheers,

Reply
avatar
19 February 2017 at 01:23 delete

First of all sorry to keep you that long waiting, but I wanted to cover all the points hence it took a bit longer. I hope you will enjoy hacking mobile app sec..Thank you :)

Reply
avatar
19 February 2017 at 01:24 delete

Thanks this comment will surely motivate me to write more and more :) Cheers!!

Reply
avatar
19 February 2017 at 01:24 delete

I will sure give it a try ✌️👍

Reply
avatar
19 February 2017 at 08:18 delete

Great man! You rock.. a concise yet powerful article in a nutshell..

Reply
avatar
19 February 2017 at 08:29 delete

Thanks a lot bro :) Still a very long way to go...

Reply
avatar
20 February 2017 at 01:10 delete

So Happy to visit this blog. Great one. Keep going bro. Thanks a lot Nilesh Sapariya for this article

Reply
avatar
26 August 2017 at 09:53 delete

Good explanation nilesh. Really its a zero to hero. Would love to have mentors like you. :P. Post something for web including owasp

Reply
avatar
26 August 2017 at 23:13 delete

Thanks for the kind words. Surely will try :)

Reply
avatar