
Archive for October 18th, 2011

Android Penetration Testing (PenTesting Android Apps)

October 18th, 2011

A report by McAfee for last quarter states that the ‘Count of new Android-specific malware moved to number one, with J2ME (Java Micro Edition), coming in second while suffering only a third as many malware.’ In simple words, if you own an Android phone, the chances of it being compromised are 2.5 times higher than on any other platform.

With the industry reporting so many new Android exploits and malware, it is becoming a tedious job for developers to secure their applications. With nearly all IT companies having expertise in web penetration testing solutions, they have started building solutions for mobile penetration testing. But what's the need for creating a different solution for mobile app testing? Isn't it the same as web application testing? If you consider ‘Thin client’ mobile apps, the answer is yes. For thin client mobile apps, penetration testing is almost the same as web application testing. But if you consider ‘Thick Client’ or ‘Native Mobile Apps’, which get installed on the device, penetration testers have to add some more test cases and the testing environment needs a bit of tweaking.
If we compare web penetration testing and mobile PT, what exactly is the difference? One of the major differences is that the user of a web application does not have access to the application's files (php, asp, jsp files), whereas in the case of mobile, the user has access to the application because it is installed on the device itself. All of the platforms provide some kind of database for those applications to store data (SQLite3 in Android). In the case of the web, applications only have privileges to store data temporarily using cookies or cache. One more major drawback of mobile apps is that they can be reversed very easily, whether it's a dex (Android), jar/jad (J2ME) or a sis (Symbian).
For penetration testing of Android applications we mainly have to consider the following things:

* Setting up the PT lab/environment.
In this you will learn how to set up the test environment using the emulator and proxy tools. Using these proxy tools you can force the emulator to pass its traffic via a proxy. But this setting only works for the browser inside the emulator. For apps to work with the proxy you need a different environment setting, which is discussed in detail.

* Using debugging tools like ADB, DDMS.
Using a debugging tool like ADB you can run commands on the emulator and the device itself to perform any kind of action. You can get a shell, view the stored files and databases, install new apps, uninstall apps, and pull and push files from the device. DDMS is just a GUI version of ADB.

* Reversing Apps.
One of the major drawbacks of mobile apps is that they can be reversed. We have many open-source tools for reversing Android apps, like apktool, baksmali, dex2jar.

Thanks for Watching.. Next article will be on “Deep Dive into Android Malwares”
Njoy!!

Using Adb and DDMS for Android Penetration Testing

October 18th, 2011

Android Debug Bridge (adb) is a versatile command line tool that lets you communicate with an emulator instance or connected Android-powered device. It is a client-server program that includes three components:

* A client, which runs on your development machine. You can invoke a client from a shell by issuing an adb command. Other Android tools such as the ADT plugin and DDMS also create adb clients.
* A server, which runs as a background process on your development machine. The server manages communication between the client and the adb daemon running on an emulator or device.
* A daemon, which runs as a background process on each emulator or device instance.
Source: developers.android.com
To view the best available description of ADB, visit http://developer.android.com/guide/developing/tools/adb.html.
To see how adb can be helpful for penetration testing of Android apps, watch the video embedded below.
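
A follow-up to the database access adb gives you, as an added example that is not from the original post: once an app's SQLite file has been copied off the emulator with `adb pull`, this script opens it read-only and reports columns whose names suggest credentials, with the number of rows whose values do not look hashed. The sample database, the keyword list and all function names are assumptions constructed for the example.

```python
import os
import re
import sqlite3
import tempfile

# Assumed keyword list for credential-like column names; tune it per app.
SENSITIVE = re.compile(r"pass|pwd|secret|token|session", re.I)
# Hex strings of digest length are treated as hashed/opaque, not plaintext.
HASHLIKE = re.compile(r"^[0-9a-fA-F]{32,128}$")

def build_sample_db(path: str) -> None:
    """Constructed stand-in for a database copied off an emulator."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE accounts (username TEXT, password TEXT, auth_token TEXT)")
    con.execute("CREATE TABLE notes (body TEXT)")
    con.execute("INSERT INTO accounts VALUES (?, ?, ?)", ("alice", "hunter2", "ab12" * 16))
    con.execute("INSERT INTO notes VALUES (?)", ("buy milk",))
    con.commit()
    con.close()

def audit_db(path: str) -> list:
    """Return (table, column, plaintext_rows) for each sensitive-looking column."""
    findings = []
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # never modify evidence
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        for table in tables:
            for col in con.execute(f'PRAGMA table_info("{table}")').fetchall():
                name = col[1]
                if not SENSITIVE.search(name):
                    continue
                rows = con.execute(f'SELECT "{name}" FROM "{table}"').fetchall()
                plain = sum(1 for (v,) in rows
                            if isinstance(v, str) and v and not HASHLIKE.match(v))
                findings.append((table, name, plain))
    finally:
        con.close()
    return findings

def demo() -> list:
    """Build the constructed database in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.db")
        build_sample_db(path)
        return audit_db(path)

if __name__ == "__main__":
    for table, column, plain in demo():
        print(f"{table}.{column}: {plain} row(s) that do not look hashed")
```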

Reversing and Spoofing Android Applications

October 18th, 2011

One of the major drawbacks of mobile apps is that they can be reversed. If we look at the Android app architecture, it contains source code which is developed by the app's author. That source code is compiled into a ‘.dex’ file, which is the Dalvik executable. This ‘.dex’ file can be compared with a ‘.jar’ file in Java. The dex file, together with the resource files, is archived to become an APK file. So this APK file is just an archive file similar to a zip file, whose contents can be extracted using any archive tool like WinZip or 7-Zip. After extracting the files from an APK you'll get a ‘classes.dex’ file, which contains the actual code of the application. This dex file can be reversed using many open-source tools like Baksmali, dex2jar, apktool.
The video attached below will show you how we can use the baksmali tool to decompile the application and compile it again. The one thing that is lost in this process is the application signature. After compiling the application we need to sign it again so that it can be installed on a device or emulator.
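
The APK layout described above, as an added example that is not from the original post: it builds a constructed, header-only APK in memory and then checks that the archive is an ordinary zip, that `classes.dex` carries the DEX magic with intact header checksums, and whether the JAR-style signature files under `META-INF/` are present. The helper names and placeholder file contents are assumptions made for the example.

```python
import hashlib
import io
import struct
import zipfile
import zlib

def build_sample_dex() -> bytes:
    """Constructed header-only DEX (112 bytes, no code) with valid checksums."""
    tail = struct.pack("<III", 0x70, 0x70, 0x12345678) + b"\0" * 68
    sha1 = hashlib.sha1(tail).digest()      # SHA-1 covers offset 32 to end
    adler = zlib.adler32(sha1 + tail)       # Adler-32 covers offset 12 to end
    return b"dex\n035\0" + struct.pack("<I", adler) + sha1 + tail

def build_sample_apk(dex: bytes, signed: bool) -> bytes:
    """Constructed APK: a plain zip; META-INF entries are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder/>")
        z.writestr("classes.dex", dex)
        if signed:
            for name in ("MANIFEST.MF", "CERT.SF", "CERT.RSA"):
                z.writestr("META-INF/" + name, b"placeholder")
    return buf.getvalue()

def inspect_apk(apk: bytes) -> dict:
    """Report archive entries, DEX version/integrity and signature-file presence."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = z.namelist()
        dex = z.read("classes.dex") if "classes.dex" in names else b""
    report = {"entries": names, "dex_version": None, "dex_intact": False}
    if len(dex) >= 0x70 and dex[:4] == b"dex\n":
        report["dex_version"] = dex[4:7].decode("ascii")
        (stored,) = struct.unpack_from("<I", dex, 8)
        report["dex_intact"] = (stored == zlib.adler32(dex[12:])
                                and dex[12:32] == hashlib.sha1(dex[32:]).digest())
    meta = [n.upper() for n in names if n.upper().startswith("META-INF/")]
    # Presence check only: this does not verify the signature cryptographically.
    report["signed"] = ("META-INF/MANIFEST.MF" in meta
                        and any(n.endswith(".SF") for n in meta)
                        and any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta))
    return report

if __name__ == "__main__":
    dex = build_sample_dex()
    print(inspect_apk(build_sample_apk(dex, signed=True)))
    patched = dex[:-1] + b"\x01"    # one byte changed, checksums not recomputed
    print(inspect_apk(build_sample_apk(patched, signed=False)))
```

On a real APK, `jarsigner -verify` performs the actual signature check; the presence test here only shows whether the signature files are still in the archive.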


Hope you enjoyed it!!
We’ll upload some more tutorials for dex2jar and apktool pretty soon!!
