Android

  • Each application runs as a unique Linux user (UID) and possibly a unique group (GID), so app private data is isolated by the kernel's DAC rather than by the app itself.

Penetration testing and auditing toolkit for Android apps
Dalvik deobfuscator which uses limited execution to improve semantic analysis
Deoptfuscator is a tool for deobfuscating Android applications that have been transformed using control-flow obfuscation mechanisms.
Android UI ClickJacking
DeGuard | Statistical Deobfuscation for Android
Auto backdoor an APK and re-sign it

Testing Tools:

Sources:
OWASP Mobile Security Testing Guide

Fuzzing
Fuzzing Android Intents
Intercept, modify, repeat and attack Android’s Binder transactions using Burp Suite
The new bridge between Burp Suite and Frida!

ADB Commands

Is Device Booted

adb -s ${device.id} shell getprop sys.boot_completed

Remount the Filesystem

adb -s ${device.id} remount

Set the Android proxy (this reads the host's IP from the wlp3s0 interface; change the interface name and the port 8081 to match your setup, and clear the setting again with the value :0):

adb shell settings put global http_proxy $(ip addr show wlp3s0 | grep -Po 'inet \K[\d.]+'):8081

List packages:

adb shell "pm list packages"

List Users:

>>> adb shell "pm list users"
Users:
        UserInfo{0:Owner:13} running
        UserInfo{10:Work profile:30} running

Identify APK location:

adb shell pm path com.android.phone

Dump Service information:

adb shell dumpsys battery

Get Architecture:

adb shell getprop | grep -Fi ro.product.cpu.abi

Changes in Android 7+

App directories under /data/app carry a random suffix, so the install path can no longer be derived from the package name alone (use pm path to find it):

bullhead:/data/app # ls
android.autoinstalls.config.google.nexus-hvuNFH3A12QFDitBF9T2XQ==
com.android.chrome-jvQykDcmElgGLNATtTggBQ==
com.android.vending-DRrWs_RnLT91cMzBwAwhww==
com.duosecurity.duomobile-4qR8e0ZFvYbM_fqOgtjiMA==
com.google.android.GoogleCamera-5m_DK8rrAbHe7PJHe2LvqA==
com.google.android.apps.books-6vff2XOsb97GzZEwcu-qnA==
com.google.android.apps.cloudprint-_nFkI0PxpVpNql_xMKgv8g==
com.google.android.apps.docs-hky7Vl2vrYxg1XAZHhDbwg==
com.google.android.apps.docs.editors.docs-SNaxZWwoLY62od_gea0FEg==
com.topjohnwu.magisk-C6VbD5qfFa0sIb3EsxUdHQ==

Changes in Android 8+

Bugs

Frida crashes when trying to override functions that don't exist yet. Frida bug report

Generating a New Certificate with shorter expiration

Source

>>> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout pk.key -out certificate.crt \
      -subj "/C=US/ST=PortSwigger/L=PortSwigger/O=PortSwigger CA/OU=PortSwigger CA/CN=PortSwigger CA"
Generating a RSA private key
..................................................................................+++++
...........................+++++
writing new private key to 'pk.key'
-----
>>> openssl pkcs12 -export -out certificate.p12 -inkey pk.key -certfile certificate.crt -in certificate.crt

The resulting certificate.p12 (key plus certificate) is what gets imported into Burp as its CA certificate; the device then needs this new CA installed, not the old one.

Installing a CA Certificate

Source

User Certificate Folder: /data/misc/user/0/cacerts-added/
Work User Certificate Folder: /data/misc/user/10/cacerts-added/

System Certificate Folder: /system/etc/security/cacerts/

# Convert the Burp CA (DER) to PEM and name the file after the old-style subject hash,
# which is how Android looks system CAs up (the name must be exactly <hash>.0)
openssl x509 -inform DER -in burp.crt -out cacert.pem
sslhash=$(openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1)
mv cacert.pem "$sslhash.0"

# Push to the device
adb push "$sslhash.0" /sdcard/

# Remount the filesystem as writable
adb shell "su -c mount -o rw,remount /system"
# Magisk alternative: /sbin/.magisk/mirror/system_root/system/

# Copy into the system CA directory
adb shell "su -c mv /sdcard/$sslhash.0 /system/etc/security/cacerts/"
# mv /sdcard/e6caf3c1.0 /sbin/.magisk/mirror/system_root/system/etc/security/cacerts/

# Fix permissions (system CAs are root-owned, world-readable)
adb shell "su -c chmod 644 /system/etc/security/cacerts/$sslhash.0"
adb shell "su -c chown root:root /system/etc/security/cacerts/$sslhash.0"

# Remount the filesystem as read-only
adb shell "su -c mount -o ro,remount /system"

# Reboot the device
adb reboot

If the rw remount of /system fails, which is common on newer devices, use the Magisk mirror path shown in the comments instead. After the reboot, confirm the CA shows up under Settings -> Security -> Trusted credentials -> System; if it is only listed under User, the hash filename or the directory was wrong.

Source

Changes in Android 9+

The Nexus 5X has no official Android 9+ build.

Android Emulator

List Emulators:

>>> emulator -list-avds
Nexus_6_Edited_API_24

Boot an emulator with a writable /system (so changes such as an added CA can be made and kept) and route its traffic through a local proxy:

>>> cd /opt/android-sdk/emulator
>>> emulator @Nexus_6_Edited_API_24 -writable-system -no-boot-anim -no-audio -http-proxy 127.0.0.1:8080

Drozer

From Docker:

docker build -t fsecurelabs/drozer .
docker run -it fsecurelabs/drozer drozer console connect --server 192.168.55.21

From Docker on Mac:

adb forward tcp:31415 tcp:31415
docker run --add-host host.docker.internal:host-gateway --rm -it fsecurelabs/drozer drozer console connect --server host.docker.internal

Connect to Drozer:

>>> adb forward tcp:31415 tcp:31415
>>> drozer console connect

Finding the attack surface (exported components and the permission guarding each one; "Permission: null" means any app on the device can reach the component):

dz> run app.package.attacksurface com.cisco.webex.meetings
Attack Surface:
  9 activities exported
  10 broadcast receivers exported
  0 content providers exported
  9 services exported

dz> run app.activity.info --package com.cisco.webex.meetings
Package: com.cisco.webex.meetings
  com.cisco.webex.meetings.ui.premeeting.welcome.WebExMeeting
    Permission: null
  com.cisco.webex.meetings.ui.integration.AssistantActivity
    Permission: null
  com.cisco.webex.meetings.ui.integration.DeepLinkActivity
    Permission: null
  com.cisco.webex.meetings.ui.integration.IntegrationActivity
    Permission: null
  com.cisco.webex.meetings.ui.integration.IntegrationInternalActivity
    Permission: com.cisco.webex.permission.INTERNAL_BROADCAST
  com.cisco.webex.meetings.ui.integration.IntegrationWrapAccountActivity
    Permission: null
  com.cisco.webex.meetings.ui.premeeting.ShortcutActivity
    Permission: null
  com.microsoft.identity.client.BrowserTabActivity
    Permission: null
  com.smartdevicelink.transport.USBAccessoryAttachmentActivity
    Permission: null

dz> run app.broadcast.info --package com.cisco.webex.meetings
Package: com.cisco.webex.meetings
  com.cisco.webex.meetings.receiver.MeetingStatusUpdater
    Permission: com.cisco.webex.permission.INTERNAL_BROADCAST
  com.cisco.webex.meetings.receiver.LocaleChangeReceiver
    Permission: com.cisco.webex.permission.UI_BROADCAST
  com.cisco.webex.meetings.receiver.SendLogStatusReceiver
    Permission: com.cisco.webex.permission.UI_BROADCAST
  com.cisco.webex.meetings.receiver.MeetingWidgetProvider
    Permission: com.cisco.webex.permission.INTERNAL_BROADCAST
  com.cisco.webex.meetings.SdlReceiver
    Permission: null
  com.cisco.webex.meetings.receiver.AppIndexingUpdateReceiver
    Permission: com.google.android.gms.permission.APPINDEXING
  com.cisco.webex.meetings.receiver.CreateShortcutReceiver
    Permission: com.cisco.webex.permission.UI_BROADCAST
  com.cisco.webex.meetings.receiver.MeetingAutoEndReceiver
    Permission: com.cisco.webex.permission.UI_BROADCAST
  com.google.firebase.iid.FirebaseInstanceIdReceiver
    Permission: com.google.android.c2dm.permission.SEND
  com.google.android.gms.measurement.AppMeasurementInstallReferrerReceiver
    Permission: android.permission.INSTALL_PACKAGES

dz> run app.provider.info --package com.cisco.webex.meetings
Package: com.cisco.webex.meetings
  No matching providers.

dz> run app.service.info --package com.cisco.webex.meetings
Package: com.cisco.webex.meetings
  com.cisco.webex.meetings.SdlRouterService
    Permission: null
  com.cisco.webex.meetings.service.AccountAuthenticatorService
    Permission: com.cisco.webex.permission.INTERNAL_BROADCAST
  com.cisco.webex.meetings.service.AccountSyncAdapterService
    Permission: com.cisco.webex.permission.INTERNAL_BROADCAST
  com.cisco.webex.meetings.service.WBXUrlApiService
    Permission: null
  com.cisco.webex.meetings.service.WBXInfoService
    Permission: null
  com.cisco.webex.meetings.service.WBXService
    Permission: null
  com.cisco.webex.meetings.service.WBXUrlApiSecureService
    Permission: com.cisco.webex.permission.UI_BROADCAST
  com.cisco.webex.watch.adapter.PhoneWearableService
    Permission: null
  com.cisco.webex.notification.WbxFirebaseMessagingService
    Permission: null

Frida

Use the update_frida.sh script to update the local and Android binaries to the same version (the frida-server on the device must match the host's frida version or the client will refuse to attach).

Run Frida server:

>>> adb shell "su -c /data/local/tmp/frida-android-server-$VERSION &"

Finding all Installed Applications:

>>> python frida_helper.py
No Process specified. Enumerating Applications
com.android.cts.priv.ctsshim (com.android.cts.priv.ctsshim)
YouTube (com.google.android.youtube)
[...]

Nexus 5x

If Wi-Fi disconnects constantly, it is a 5 GHz vs 2.4 GHz band issue that can be fixed:
Go to WiFi -> Advanced -> WiFi Frequency Band -> set to 2.4 GHz

Dumping Memory

Viewing a Dump:

  1. Convert the Android-format heap dump to standard HPROF: /opt/android-sdk/platform-tools/hprof-conv *.hprof outfile
  2. View it with /opt/android-studio/jre/bin/jhat outfile (jhat ships with JDK 8 only and was removed in JDK 9; with a newer JDK open the converted file in Android Studio's profiler or another HPROF viewer instead)

Source

With Android-OpenDebug

  1. Make all installed applications debuggable
  2. Use the Android ADT DDMS perspective in Eclipse to dump the heap into an hprof file

ADB

Might not work if the app is not debuggable:

  1. adb shell am dumpheap [PID] /sdcard/Download/heap_dump.hprof
  2. Pull the file: adb pull /sdcard/Download/heap_dump.hprof .

ClickJacking

To enable touch filtering, call setFilterTouchesWhenObscured(true) or set the android:filterTouchesWhenObscured layout attribute to true. For more fine-grained control, override onFilterTouchEventForSecurity(MotionEvent) and implement your own policy. Alternatively, the application can check the event's FLAG_WINDOW_IS_OBSCURED flag (via MotionEvent.getFlags()) to identify situations in which a malicious application may have covered part of its content for the purpose of misleading the user or hijacking touches. An appropriate response is to drop the suspect touches or to take additional precautions to confirm the user's actual intent.
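As an added example (not code from the original page or from any app it mentions), the following custom button applies the defence described above: it turns on touch filtering and overrides onFilterTouchEventForSecurity to also drop touches that arrive while the window is only partially covered, a case the framework's default filter does not handle. The class name, package and log tag are assumptions for illustration; everything else is standard Android SDK API.

```java
import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

/**
 * Added example: a button that refuses touches delivered while another window
 * is drawn over it (tapjacking). Class name and tag are hypothetical.
 */
public class ObscuredTouchFilteringButton extends Button {
    private static final String TAG = "ObscuredTouchFilter";

    // This (Context, AttributeSet) constructor is what layout inflation uses.
    public ObscuredTouchFilteringButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Same effect as android:filterTouchesWhenObscured="true" in the layout:
        // the framework's default filter now drops events carrying
        // FLAG_WINDOW_IS_OBSCURED.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        int flags = event.getFlags();

        // Another window completely covered this view when the touch was made.
        boolean fullyObscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;

        // API 29+: a window covered only part of ours. The default
        // View.onFilterTouchEventForSecurity() ignores this flag, so a small
        // overlay placed next to the button would otherwise get through.
        boolean partiallyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;

        if (fullyObscured || partiallyObscured) {
            // Returning false drops the event: no click listener ever runs.
            Log.w(TAG, "Dropped touch delivered while window was obscured"
                    + (partiallyObscured ? " (partially)" : ""));
            return false;
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

Use it in a layout like any other view (for example <com.example.ObscuredTouchFilteringButton .../> with the hypothetical package com.example); the constructor already enables filtering, so no layout attribute is needed. Dropping the touch silently is the conservative choice for a sensitive action such as a payment or permission grant; a less strict policy could instead show a confirmation dialog.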

Certificate Pinning

This network security config is the one to patch into an APK under test: it blocks cleartext traffic and makes the app trust user-installed CAs (the Burp CA) as well as system ones, which apps targeting Android 7+ do not do by default. It contains no <pin-set>, so it is an interception config, not a pinning config. It is referenced from the manifest's <application> element with android:networkSecurityConfig="@xml/network_security_config".

<network-security-config xmlns:android="http://schemas.android.com/apk/res/android">
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
</network-security-config>