Setting up Android Lab Environment
To setup the environment for pen testing Android devices, the full Android Development Environment together with several tools are required.
- Android Studio
- Android SDK
- SUPER Android Analyzer
- MobSF (Mobile Security Framework)
- Burp Suite
- QARK(Quick Android Review Kit)
- SQLite Browser
- Vulnerable Android apps
Android Studio is the official IDE for developing Android apps. Android Studio is available for both Windows, Linux and Mac. When you have access to the source of the app you can use Android Studio to run the application. Android Studio requires Java to be installed. Android Studio can be downloaded from here
The SDK is the Software Development Kit used for developing Android apps. Once Android Studio it will take you through configuring an SDK. You will need at least one Android SDK version to test apps.
A tool for reverse engineering Android apk files. To install the
apktool follow the the this guide.
JD-GUI is a standalone graphical utility that displays Java source codes of
.class files. You can browse the reconstructed source code with the JD-GUI for instant access to methods and fields.
You can download it from here.
SUPER Android Analyzer
SUPER is a command-line application that can be used in Windows, Mac OS X and Linux, that analyzes .apk files in search for vulnerabilities. It does this by decompressing APKs and applying a series of rules to detect those vulnerabilities. Super is available on github and the binaries can be download from here.
Once installed installed, from the terminal run the command, and
super will generate a report once its finished.
Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS/Windows) automated pen-testing framework capable of performing static, dynamic analysis and web API testing. MobSF can be downloaded from github.
Drozer is a Android Security Assessment Framework for Android. Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps’ IPC endpoints and the underlying OS. You can find Drozer on github.
Install agent apk
The drozer agent apk is included in the drozer folder. Install the apk to the device by running :
adb install agent.apk
Installing Drozer on OS X
They are binary packages for installing Drozer on Windows and Linux. On OSX the installation fails due to changes in OpenSSL bundled with the default install of OSX. Follow this guide to install Drozer on OSX.
Run drozer app
On the device find the Drozer app on the home screen. Start the app and turn it on. Once the server is running a toast will show the port to connect to.
Starting a session
Start by forwarding all tcp traffic from port 34415.
adb forward tcp:31415 tcp:31415
AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications. Android can be downloaded from github.
Burp suite is an HTTP proxy. You will need Java installed in order to run Burp. Download the installer from here. The free edition should suffice.
QARK(Quick Android Review Kit)
This tool is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs. The tool is also capable of creating “Proof-of-Concept” deployable APKs and/or ADB commands, capable of exploiting many of the vulnerabilities it finds. There is no need to root the test device, as this tool focuses on vulnerabilities that can be exploited under otherwise secure conditions.
Postman is a Chrome plugin. You can install the plugin from the extensions directory. Chrome is a REST client, you can use it to test REST APIs. You can install Postman from here
An SQLite database is made up of a single file. You can open the file using the
sqlite command line tool. You can also use a GUI like SQLite browser to view the SQLite database.
You can download the SQLite browser from here.
Vulnerable Android apps
We will the use following open source vulnerable Android apps for testing :
ADB (Android Device Bridge)
ADB lets you connect to a running Android device or emulator. You can make phone calls, send sms, list installed packages, mock gps coordinates and many more functions.
adb command line is found in the SDK
Enabling usb debugging
To perform the following tasks, the device needs to have
usb debugging enabled.
Developer Options in enabled
- Go to
- Check if there is a
Developer options is not enabled by default. Enabled usb debugging :
- Go to
- Tap on the
Build Numberthree times, then a toast will pop up and tell you press four more times.
- Go back and the
Developer Optionsmenu should now be available.
Enable USB Debugging
The steps might be slightly different depending on the device manufacturer of your phone.
- Connect the usb the computer. A dialog box should show and up, choose
adb devicesshould now show up the connected Android phone.
Listing attached devices
Connect to a specific device
You will need the device serial found from running
adb devices to connect to a specific devices. For an emulator this is usually
the emulator IP address with its port.
adb device -s <device-serial>
Getting a shell
On my machine, with multiple emulators running
$ adb devices List of devices attached 192.168.56.102:5555 device 192.168.56.101:5555 device
and then i can connect to a specific emulator with adb by running :
$ adb -s 192.168.56.102:5555 shell [email protected]:/ #
I will then be logged onto to the device as the root user.
Listing installed packages
adb pm command is used to interact with the Android package manager. The command will list the Android’s app package name.
adb shell pm list packages
Installing an apk onto the device
If you have access to the apk of the app, you can use adb to install the app with the command :
adb install <apk file location>
Copying files to the devices
adb push <file name> <location on the device>
Copying files from the device
adb pull <path on the device>
Forwarding TCP connections
You can forward tcp traffic to a specific port on the device.
adb forward tcp:<local port> tcp:<device port>
You can kill the adb server and restart it again especially if devices are not showing up.
and start the adb server
The complete adb reference is found on the here