Setting up Android Lab Environment

Tools

To set up the environment for pen testing Android devices, the full Android Development Environment and several additional tools are required.

Android Studio

Android Studio is the official IDE for developing Android apps. It is available for Windows, Linux and Mac. When you have access to the source of the app, you can use Android Studio to run the application. Android Studio requires Java to be installed. Android Studio can be downloaded from here.

Android SDK

The SDK is the Software Development Kit used for developing Android apps. Once Android Studio is installed, it will take you through configuring an SDK. You will need at least one Android SDK version to test apps.

APKTool

A tool for reverse engineering Android apk files. To install apktool, follow this guide.

JD-GUI

JD-GUI is a standalone graphical utility that displays the Java source code of .class files. You can browse the reconstructed source code with JD-GUI for instant access to methods and fields. You can download it from here.

SUPER Android Analyzer

SUPER is a command-line application for Windows, Mac OS X and Linux that analyzes .apk files in search of vulnerabilities. It does this by decompressing APKs and applying a series of rules to detect those vulnerabilities. SUPER is available on GitHub and the binaries can be downloaded from here.

Using super

Once installed, run the following command from the terminal; SUPER will generate a report once it's finished.

super diva-beta.apk

MobSF

Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS/Windows) automated pen-testing framework capable of performing static, dynamic analysis and web API testing. MobSF can be downloaded from github.

Drozer

Drozer is a security assessment framework for Android. Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps’ IPC endpoints and the underlying OS. You can find Drozer on GitHub.

Install agent apk

The drozer agent apk is included in the drozer folder. Install the apk on the device by running:

adb install agent.apk

Installing Drozer on OS X

There are binary packages for installing Drozer on Windows and Linux. On OS X the installation fails due to changes in the OpenSSL bundled with the default install of OS X. Follow this guide to install Drozer on OS X.

Run drozer app

On the device find the Drozer app on the home screen. Start the app and turn it on. Once the server is running a toast will show the port to connect to.

Starting a session

Start by forwarding all TCP traffic from port 31415.

adb forward tcp:31415 tcp:31415

AndroBugs

AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications. AndroBugs can be downloaded from GitHub.

Burp Proxy

Burp Suite is an HTTP proxy. You will need Java installed in order to run Burp. Download the installer from here. The free edition should suffice.

QARK (Quick Android Review Kit)

This tool is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs. The tool is also capable of creating “Proof-of-Concept” deployable APKs and/or ADB commands, capable of exploiting many of the vulnerabilities it finds. There is no need to root the test device, as this tool focuses on vulnerabilities that can be exploited under otherwise secure conditions.

Postman

Postman is a Chrome plugin. You can install the plugin from the extensions directory. Postman is a REST client; you can use it to test REST APIs. You can install Postman from here.

SQLite Browser

An SQLite database is made up of a single file. You can open the file using the sqlite command line tool. You can also use a GUI like SQLite browser to view the SQLite database. You can download the SQLite browser from here.

Vulnerable Android apps

We will use the following open source vulnerable Android apps for testing:

ADB (Android Debug Bridge)

ADB lets you connect to a running Android device or emulator. You can make phone calls, send SMS, list installed packages, mock GPS coordinates and perform many more functions. The adb command line tool is found in the SDK platform-tools folder.

Enabling USB debugging

To perform the following tasks, the device needs to have USB debugging enabled.

Check if Developer options is enabled

  • Go to Settings
  • Check if there is a Developer options category

Developer options is not enabled by default. To enable USB debugging:

  • Go to Settings
  • Choose About Phone
  • Tap on the Build Number three times, then a toast will pop up and tell you to press four more times.
  • Go back and the Developer Options menu should now be available.
  • Choose Enable USB Debugging

Note

The steps might be slightly different depending on the device manufacturer of your phone.

  • Connect the device to the computer over USB. A dialog box should show up; choose Always trust.
  • Running adb devices should now show the connected Android phone.

Listing attached devices

adb devices

Connect to a specific device

You will need the device serial from the output of adb devices to connect to a specific device. For an emulator this is usually the emulator IP address with its port.

adb -s <device-serial> <command>

Getting a shell

On my machine, with multiple emulators running:

$ adb devices
List of devices attached
192.168.56.102:5555	device
192.168.56.101:5555	device

I can then connect to a specific emulator with adb by running:

$ adb -s 192.168.56.102:5555 shell
root@android:/ # 

I will then be logged on to the device as the root user.
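The device selection described above, as an added example that is not part of the original page: it parses adb devices output, ignores entries that are not in the "device" state, and refuses to guess when several devices are ready. The function names and the unauthorized phone serial in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: choose a device from `adb devices` output before running
# per-device commands. Function names are hypothetical, not part of adb.

# Print the serial of every entry whose state is exactly "device".
# Header, blank lines, "offline" and "unauthorized" entries are skipped.
ready_serials() {
    awk '$2 == "device" { print $1 }'
}

# Read `adb devices` output on stdin and print one serial to use.
# With an argument: succeed only if that serial is attached and authorized.
# Without: succeed only if exactly one device is ready (no guessing).
pick_serial() {
    wanted="${1:-}"
    serials=$(ready_serials)
    if [ -n "$wanted" ]; then
        if printf '%s\n' "$serials" | grep -Fxq -- "$wanted"; then
            printf '%s\n' "$wanted"
            return 0
        fi
        echo "serial $wanted is not attached and authorized" >&2
        return 1
    fi
    count=$(printf '%s\n' "$serials" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -eq 1 ]; then
        printf '%s\n' "$serials"
        return 0
    fi
    echo "found $count ready devices; pass a serial explicitly" >&2
    return 1
}

# Constructed sample output: the two emulators from the listing above plus
# a made-up phone that has not accepted the USB debugging prompt yet.
sample_output() {
    printf 'List of devices attached\n'
    printf '192.168.56.102:5555\tdevice\n'
    printf '192.168.56.101:5555\tdevice\n'
    printf '0123456789ABCDEF\tunauthorized\n\n'
}

# Forward the drozer port on the selected device only (requires adb).
forward_drozer() {
    serial=$(adb devices | pick_serial "${1:-}") || return 1
    adb -s "$serial" forward tcp:31415 tcp:31415
}
```

Try it offline with sample_output | pick_serial 192.168.56.102:5555, or call forward_drozer with a serial once a real device is attached.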

Listing installed packages

The adb shell pm command is used to interact with the Android package manager. The command below lists the package names of the apps installed on the device.

adb shell pm list packages

Installing an apk onto the device

If you have access to the apk of the app, you can use adb to install the app with the command :

 adb install <apk file location>

Copying files to the device

adb push <file name> <location on the device>

Copying files from the device

adb pull <path on the device>

Forwarding TCP connections

You can forward TCP traffic to a specific port on the device.

adb forward tcp:<local port> tcp:<device port>

Troubleshooting adb

You can kill the adb server and restart it, especially if devices are not showing up.

adb kill-server

and start the adb server

adb start-server

adb reference

The complete adb reference is found here.