Android¶
- Each application runs as a unique user and possibly a unique group.
Penetration testing and auditing toolkit for Android apps
Dalvik deobfuscator which uses limited execution to improve semantic analysis
Deoptfuscator is a tool for deobfuscating Android applications that have been transformed using control-flow obfuscation mechanisms.
Android UI ClickJacking
DeGuard | Statistical Deobfuscation for Android
Auto backdoor an APK and resign
Testing Tools:
- Mobile Exploit Framework (objection) with Frida
- drozer
- apktool
- Android Backup Extractor
- Enjarify
- [BytecodeViewer](http://bytecodeviewer.com/) (better decompile)
- jadx (better search and find)
- fsmon
- Burp Suite (Pro)
- Xposed
  - Installer Framework
  - Xposed APK
  - JustTrustMe Module
- Frida
  - Github Releases (frida-server binary, architecture/OS-specific)
  - Codeshare
- Native Code Reversing Tools
  - Hopper
  - radare(2)
  - IDA Free (limited architecture support)
Sources:
OWASP Mobile Security Testing Guide
Fuzzing
Fuzzing Android Intents
Intercept, modify, repeat and attack Android's Binder transactions using Burp Suite
https://github.com/federicodotta/Brida
ADB Commands¶
Is Device Booted
adb -s ${device.id} shell getprop sys.boot_completed
Remount the Filesystem
adb -s ${device.id} remount
Set the Android Proxy:
adb shell settings put global http_proxy $(ip addr show wlp3s0 | grep -Po 'inet \K[\d.]+'):8081
List packages:
adb shell "pm list packages"
List Users:
adb shell "pm list users"
Users:
UserInfo{0:Owner:13} running
UserInfo{10:Work profile:30} running
Identify APK location:
adb shell pm path com.android.phone
Dump Service information:
adb shell dumpsys battery
Get Architecture:
adb shell getprop | grep -Fi ro.product.cpu.abi
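The `pm list users` and `getprop` output above is easier to reuse in scripts once parsed. The helper below is an added example, not part of the original notes: it decodes the hex flags that `pm list users` prints after each user name (bit values from AOSP's `UserInfo`), derives the per-user `cacerts-added` directory, and maps `ro.product.cpu.abi` to the architecture suffix of the frida-server release files. `run_adb()` shells out to a real adb and is only used from `main()`; the parser runs on the constructed sample copied from the session above.

```python
"""Helpers for the adb commands above (added example, not from the original notes)."""
import re
import subprocess
from dataclasses import dataclass

# Flag bits of android.content.pm.UserInfo; `pm list users` prints them in hex after the name.
USER_FLAGS = {
    0x01: "PRIMARY",
    0x02: "ADMIN",
    0x04: "GUEST",
    0x08: "RESTRICTED",
    0x10: "INITIALIZED",
    0x20: "MANAGED_PROFILE",
    0x40: "DISABLED",
}

USER_LINE = re.compile(r"UserInfo\{(\d+):([^:}]*):([0-9a-fA-F]+)\}")

# Architecture suffix of the frida-server release assets (frida-server-<ver>-android-<arch>.xz),
# keyed by ro.product.cpu.abi; the naming follows the public GitHub releases.
FRIDA_ARCH = {"arm64-v8a": "arm64", "armeabi-v7a": "arm", "armeabi": "arm",
              "x86": "x86", "x86_64": "x86_64"}


@dataclass
class AndroidUser:
    user_id: int
    name: str
    flags: int
    running: bool

    @property
    def flag_names(self) -> list:
        return [label for bit, label in USER_FLAGS.items() if self.flags & bit]

    @property
    def added_ca_dir(self) -> str:
        # Per-user store for CAs added through Settings (see "Installing a CA Certificate")
        return f"/data/misc/user/{self.user_id}/cacerts-added/"


def parse_users(output: str) -> list:
    """Parse `pm list users` output into AndroidUser records."""
    users = []
    for line in output.splitlines():
        m = USER_LINE.search(line)
        if m:
            users.append(AndroidUser(int(m.group(1)), m.group(2), int(m.group(3), 16),
                                     line.rstrip().endswith("running")))
    return users


def frida_server_asset(abi: str, version: str) -> str:
    """Name of the frida-server release file matching the device ABI."""
    return f"frida-server-{version}-android-{FRIDA_ARCH[abi.strip()]}.xz"


def run_adb(*args: str, serial: str = None) -> str:
    """Run an adb command and return stdout with the CR bytes that `adb shell` adds stripped."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + list(args)
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout.replace("\r", "")


# Constructed sample, copied from the `pm list users` output above
SAMPLE_USERS = """Users:
UserInfo{0:Owner:13} running
UserInfo{10:Work profile:30} running
"""

if __name__ == "__main__":
    for u in parse_users(run_adb("shell", "pm list users")):
        print(u.user_id, u.name, u.flag_names, u.added_ca_dir)
    # "VERSION" is a placeholder for the frida release you are tracking
    print(frida_server_asset(run_adb("shell", "getprop", "ro.product.cpu.abi"), "VERSION"))
```

Decoding the flags confirms what the session shows: user 0 (`0x13`) is PRIMARY|ADMIN|INITIALIZED, and user 10 (`0x30`) is a MANAGED_PROFILE, which is why it has its own `cacerts-added` directory.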
Changes in Android 7+¶
App directory folders have unique names:
bullhead:/data/app # ls
android.autoinstalls.config.google.nexus-hvuNFH3A12QFDitBF9T2XQ==
com.android.chrome-jvQykDcmElgGLNATtTggBQ==
com.android.vending-DRrWs_RnLT91cMzBwAwhww==
com.duosecurity.duomobile-4qR8e0ZFvYbM_fqOgtjiMA==
com.google.android.GoogleCamera-5m_DK8rrAbHe7PJHe2LvqA==
com.google.android.apps.books-6vff2XOsb97GzZEwcu-qnA==
com.google.android.apps.cloudprint-_nFkI0PxpVpNql_xMKgv8g==
com.google.android.apps.docs-hky7Vl2vrYxg1XAZHhDbwg==
com.google.android.apps.docs.editors.docs-SNaxZWwoLY62od_gea0FEg==
com.topjohnwu.magisk-C6VbD5qfFa0sIb3EsxUdHQ==
Changes in Android 8+¶
Bugs¶
Frida crashes when trying to override functions that don't exist yet (Frida bug report).
Generating a New Certificate with shorter expiration¶
>>> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout pk.key -out certificate.crt -subj "/C=US/ST=PortSwigger/L=PortSwigger/O=PortSwigger CA/OU=PortSwigger CA/CN=PortSwigger CA"
Generating a RSA private key
..................................................................................+++++
...........................+++++
writing new private key to 'pk.key'
-----
>>> openssl pkcs12 -export -out certificate.p12 -inkey pk.key -certfile certificate.crt -in certificate.crt
Installing a CA Certificate¶
User Certificate Folder: /data/misc/user/0/cacerts-added/
Work User Certificate Folder: /data/misc/user/10/cacerts-added/
System Certificate Folder: /system/etc/security/cacerts/
# Convert the CA (DER export) to PEM and name it <subject_hash_old>.0, the filename Android expects
openssl x509 -inform DER -in burp.crt -out cacert.pem
sslhash=$(openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1)
mv cacert.pem "$sslhash.0"
# Push to the device
adb push "$sslhash.0" /sdcard/
# Remount the filesystem as writable
adb shell "su -c mount -o rw,remount /system"
# Magisk mirror alternative: /sbin/.magisk/mirror/system_root/system/
# Copy to the CA directory
adb shell "su -c mv /sdcard/$sslhash.0 /system/etc/security/cacerts/"
# e.g. mv /sdcard/e6caf3c1.0 /sbin/.magisk/mirror/system_root/system/etc/security/cacerts/
# Fix permissions
adb shell "su -c chmod 644 /system/etc/security/cacerts/$sslhash.0"
adb shell "su -c chown root:root /system/etc/security/cacerts/$sslhash.0"
# Remount the filesystem as read-only
adb shell "su -c mount -o ro,remount /system"
# Reboot the device
adb reboot
Source
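The `<hash>.0` filename in the procedure above is what `openssl x509 -subject_hash_old` prints: an MD5 over the DER encoding of the certificate's subject Name, with the first four digest bytes read as a little-endian integer and printed as eight hex digits. The following is an added example, not part of the original notes, that reproduces that computation with only the Python standard library, so you can check which file a given CA would land on (or already occupies) without openssl. The DER walker understands just enough X.509 to locate the subject field; the sample certificate at the bottom is constructed by hand and is structurally minimal (no real key or signature), which is all the walker needs.

```python
"""Compute Android's cacerts filename for a CA (added example, not from the original notes)."""
import base64
import hashlib


def der_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the DER element at pos (single-byte tags only)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_subject(cert_der: bytes) -> bytes:
    """Return the complete DER TLV of the subject Name inside an X.509 certificate."""
    _, pos, _ = der_tlv(cert_der, 0)            # Certificate SEQUENCE
    _, pos, _ = der_tlv(cert_der, pos)          # tbsCertificate SEQUENCE
    tag, _, end = der_tlv(cert_der, pos)
    if tag == 0xA0:                             # optional [0] EXPLICIT version
        pos = end
    for expected in (0x02, 0x30, 0x30, 0x30):   # serialNumber, signature, issuer, validity
        tag, _, end = der_tlv(cert_der, pos)
        if tag != expected:
            raise ValueError(f"unexpected tag 0x{tag:02x} at offset {pos}")
        pos = end
    tag, _, end = der_tlv(cert_der, pos)        # subject Name
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE")
    return cert_der[pos:end]


def name_hash_old(name_der: bytes) -> str:
    """X509_NAME_hash_old: MD5 of the DER Name, first 4 bytes as a little-endian int, 8 hex digits."""
    md = hashlib.md5(name_der).digest()
    return f"{int.from_bytes(md[:4], 'little'):08x}"


def load_cert(data: bytes) -> bytes:
    """Accept PEM or DER input and return DER."""
    if b"-----BEGIN" in data:
        body = b"".join(line.strip() for line in data.splitlines() if b"-----" not in line)
        return base64.b64decode(body)
    return data


def cacerts_filename(cert: bytes, index: int = 0) -> str:
    """Filename under /system/etc/security/cacerts/ (index disambiguates hash collisions)."""
    return f"{name_hash_old(extract_subject(load_cert(cert)))}.{index}"


# --- constructed sample: structurally minimal, NOT a valid certificate (no key, no signature) ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


# Name: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (commonName), UTF8String "Example Proxy CA" } } }
SAMPLE_NAME = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403"))
                                             + _der(0x0C, b"Example Proxy CA"))))
_algo = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
_validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
_tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _algo
            + SAMPLE_NAME + _validity + SAMPLE_NAME + _der(0x30, b""))
SAMPLE_CERT_DER = _der(0x30, _tbs + _algo + _der(0x03, b"\x00"))
SAMPLE_CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT_DER)
                   + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(cacerts_filename(SAMPLE_CERT_PEM))
```

Run it against a real export with `cacerts_filename(open("cacert.pem", "rb").read())`; the result should match what the `sslhash=$(...)` line in the script above produces for the same file.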
Changes in Android 9+¶
Nexus 5x does not support 9+ yet
Android Emulator¶
List Emulators:
>>> emulator -list-avds
Nexus_6_Edited_API_24
Save file changes to an emulator:
>>> cd /opt/android-sdk/emulator
>>> emulator @Nexus_6_Edited_API_24 -writable-system -no-boot-anim -no-audio -http-proxy 127.0.0.1:8080
Drozer¶
From Docker:
docker build -t fsecurelabs/drozer .
docker run -it fsecurelabs/drozer
drozer console connect --server 192.168.55.21
From Docker on Mac:
adb forward tcp:31415 tcp:31415
docker run --add-host host.docker.internal:host-gateway --rm -it fsecurelabs/drozer drozer console connect --server host.docker.internal
Connect to Drozer:
>>> adb forward tcp:31415 tcp:31415
>>> drozer console connect
Finding Vulnerable Info:
dz> run app.package.attacksurface com.cisco.webex.meetings
Attack Surface:
9 activities exported
10 broadcast receivers exported
0 content providers exported
9 services exported
dz> run app.activity.info --package com.cisco.webex.meetings
Package: com.cisco.webex.meetings
com.cisco.webex.meetings.ui.premeeting.welcome.WebExMeeting
Permission: null
com.cisco.webex.meetings.ui.integration.AssistantActivity
Permission: null
com.cisco.webex.meetings.ui.integration.DeepLinkActivity
Permission: null
com.cisco.webex.meetings.ui.integration.IntegrationActivity
Permission: null
com.cisco.webex.meetings.ui.integration.IntegrationInternalActivity
Permission: com.cisco.webex.permission.INTERNAL_BROADCAST
com.cisco.webex.meetings.ui.integration.IntegrationWrapAccountActivity
Permission: null
com.cisco.webex.meetings.ui.premeeting.ShortcutActivity
Permission: null
com.microsoft.identity.client.BrowserTabActivity
Permission: null
com.smartdevicelink.transport.USBAccessoryAttachmentActivity
Permission: null
dz> run app.broadcast.info --package com.cisco.webex.meetings
Package: com.cisco.webex.meetings
com.cisco.webex.meetings.receiver.MeetingStatusUpdater
Permission: com.cisco.webex.permission.INTERNAL_BROADCAST
com.cisco.webex.meetings.receiver.LocaleChangeReceiver
Permission: com.cisco.webex.permission.UI_BROADCAST
com.cisco.webex.meetings.receiver.SendLogStatusReceiver
Permission: com.cisco.webex.permission.UI_BROADCAST
com.cisco.webex.meetings.receiver.MeetingWidgetProvider
Permission: com.cisco.webex.permission.INTERNAL_BROADCAST
com.cisco.webex.meetings.SdlReceiver
Permission: null
com.cisco.webex.meetings.receiver.AppIndexingUpdateReceiver
Permission: com.google.android.gms.permission.APPINDEXING
com.cisco.webex.meetings.receiver.CreateShortcutReceiver
Permission: com.cisco.webex.permission.UI_BROADCAST
com.cisco.webex.meetings.receiver.MeetingAutoEndReceiver
Permission: com.cisco.webex.permission.UI_BROADCAST
com.google.firebase.iid.FirebaseInstanceIdReceiver
Permission: com.google.android.c2dm.permission.SEND
com.google.android.gms.measurement.AppMeasurementInstallReferrerReceiver
Permission: android.permission.INSTALL_PACKAGES
dz> run app.provider.info --package com.cisco.webex.meetings
Package: com.cisco.webex.meetings
No matching providers.
dz> run app.service.info --package com.cisco.webex.meetings
Package: com.cisco.webex.meetings
com.cisco.webex.meetings.SdlRouterService
Permission: null
com.cisco.webex.meetings.service.AccountAuthenticatorService
Permission: com.cisco.webex.permission.INTERNAL_BROADCAST
com.cisco.webex.meetings.service.AccountSyncAdapterService
Permission: com.cisco.webex.permission.INTERNAL_BROADCAST
com.cisco.webex.meetings.service.WBXUrlApiService
Permission: null
com.cisco.webex.meetings.service.WBXInfoService
Permission: null
com.cisco.webex.meetings.service.WBXService
Permission: null
com.cisco.webex.meetings.service.WBXUrlApiSecureService
Permission: com.cisco.webex.permission.UI_BROADCAST
com.cisco.webex.watch.adapter.PhoneWearableService
Permission: null
com.cisco.webex.notification.WbxFirebaseMessagingService
Permission: null
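Reading a long `app.*.info` listing by eye is error-prone, and the components to look at first are the exported ones with `Permission: null`, which any app on the device can start, bind to or broadcast to. The script below is an added example, not part of the original notes or of drozer: it parses a saved console transcript (the constructed sample is a subset of the session above) and reports those components per type. Components guarded by a custom permission still deserve a look, since the permission's `protectionLevel` may be weak, but this gives the first pass.

```python
"""Triage a drozer transcript for exported components without a permission (added example)."""
import re
from collections import defaultdict

RUN_CMD = re.compile(r"^dz>\s*run\s+app\.(activity|broadcast|provider|service)\.info\b")


def parse_drozer_info(transcript: str) -> dict:
    """Return {component_type: [(component_name, permission_or_None), ...]}."""
    components = defaultdict(list)
    kind, pending = None, None
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_CMD.match(line)
        if m:
            kind, pending = m.group(1), None        # a new info command starts a section
            continue
        if line.startswith("dz>"):
            kind, pending = None, None              # other commands (e.g. attacksurface) are skipped
            continue
        if kind is None or line.startswith("Package:") or line.startswith("No matching"):
            continue
        if line.startswith("Permission:"):
            if pending is not None:
                perm = line.split(":", 1)[1].strip()
                components[kind].append((pending, None if perm == "null" else perm))
                pending = None
            continue
        pending = line                              # a component name; its Permission: line follows
    return dict(components)


def unguarded(components: dict) -> dict:
    """Keep only the exported components that have no permission at all."""
    result = {}
    for kind, entries in components.items():
        names = [name for name, perm in entries if perm is None]
        if names:
            result[kind] = names
    return result


def report(components: dict) -> str:
    lines = []
    for kind, names in sorted(unguarded(components).items()):
        lines.append(f"{kind}: {len(names)} exported without permission")
        lines.extend(f"  {name}" for name in names)
    return "\n".join(lines)


# Constructed sample: a subset of the drozer session above
SAMPLE_TRANSCRIPT = """\
dz> run app.package.attacksurface com.cisco.webex.meetings
Attack Surface:
  9 activities exported
  10 broadcast receivers exported
  0 content providers exported
  9 services exported
dz> run app.activity.info --package com.cisco.webex.meetings
Package: com.cisco.webex.meetings
  com.cisco.webex.meetings.ui.integration.DeepLinkActivity
    Permission: null
  com.cisco.webex.meetings.ui.integration.IntegrationInternalActivity
    Permission: com.cisco.webex.permission.INTERNAL_BROADCAST
  com.microsoft.identity.client.BrowserTabActivity
    Permission: null
dz> run app.broadcast.info --package com.cisco.webex.meetings
Package: com.cisco.webex.meetings
  com.cisco.webex.meetings.SdlReceiver
    Permission: null
  com.google.firebase.iid.FirebaseInstanceIdReceiver
    Permission: com.google.android.c2dm.permission.SEND
dz> run app.provider.info --package com.cisco.webex.meetings
Package: com.cisco.webex.meetings
No matching providers.
dz> run app.service.info --package com.cisco.webex.meetings
Package: com.cisco.webex.meetings
  com.cisco.webex.meetings.SdlRouterService
    Permission: null
  com.cisco.webex.meetings.service.WBXUrlApiSecureService
    Permission: com.cisco.webex.permission.UI_BROADCAST
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRANSCRIPT
    print(report(parse_drozer_info(text)))
```

Usage: `python triage.py session.txt` with a transcript saved from the drozer console, or with no argument to run on the embedded sample.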
Frida¶
Use the update_frida.sh script to update local and Android binaries to the same version
Run Frida server:
>>> adb shell "su -c /data/local/tmp/frida-android-server-$VERSION &"
Finding all Installed Applications:
>>> python frida_helper.py
No Process specified. Enumerating Applications
com.android.cts.priv.ctsshim (com.android.cts.priv.ctsshim)
YouTube (com.google.android.youtube)
[...]
Nexus 5x¶
If Wi-Fi disconnects constantly, it is a 5 GHz/2.4 GHz band issue that can be fixed:
Go to WiFi -> Advanced -> WiFi Frequency Band -> set to 2.4
Dumping Memory¶
Viewing a Dump:
1. /opt/android-sdk/platform-tools/hprof-conv *.hprof outfile
2. View with /opt/android-studio/jre/bin/jhat outfile
With Android-OpenDebug¶
- Make all installed applications debuggable
- Use the Android ADT DDMS Perspective in Eclipse to dump the heap into a hprof file
ADB¶
Might not work if the app is not debuggable:
1. adb shell am dumpheap [PID] /sdcard/Download/heap_dump.hprof
2. Pull the file: adb pull /sdcard/Download/heap_dump.hprof .
ClickJacking¶
To enable touch filtering, call setFilterTouchesWhenObscured(boolean) or set the android:filterTouchesWhenObscured layout attribute to true. For more fine-grained control over security, consider overriding the onFilterTouchEventForSecurity(MotionEvent) method to implement your own security policy. Alternatively, the application can check the ‘FLAG_WINDOW_IS_OBSCURED’ to identify situations in which a malicious application may have covered up part of its content for the purpose of misleading the user or hijacking touches. An appropriate response might be to drop the suspect touches or to take additional precautions to confirm the user's actual intent.
Certificate Pinning¶
<network-security-config xmlns:android="http://schemas.android.com/apk/res/android">
    <!-- Applies to every destination; no domain-config or pin-set is declared, so nothing is pinned -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- The system CA store -->
            <certificates src="system"/>
            <!-- CAs the user installs via Settings, so a proxy CA is trusted without modifying /system -->
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
</network-security-config>