Noobs approach to Android Pentesting- Nullcon Xtreme Android Hacking Training Experience

Hey folks, my name is Prateek Thakare, recently I attended Nullcon Xtreme Android Hacking Training by Ankur Bhargava. I am writing this blog to share my experience with you all.

I am very fond of quotes and this keeps me motivated to learn new things and overcome challenges. Here’s one :)

Trainer Introduction

Ankur Bhargava is leading the Application Security team at Cure.Fit. With many years of experience in this field, Mobile and REST API Security became his forte. He is also well versed in different flavors of Security such as Application, Network, and API testing. He has been speaking at many conferences in India, viz. Cocon, Ground Zero, and Nullcon on topics like ‘PDF Exploitation’, ‘Mobile Automation Framework’, ‘Android Security’.

Moving on to the training experience, I will try to brief out the path and knowledge delivered day-wise.

Day 1

As we all know the importance of basics. The very first day of the training started with the basics of Android. Understanding the architecture of an operating system helps you in getting connected with its roots.

Below is the architecture diagram of the Android

Android Architecture Diagram

The detailed information of every section can be found in Android Developer’s Guide.

Below is an overview of android application building process:

Now after getting some knowledge of architecture we moved on to the folder structure. This step is very useful in understanding the application very well. Whenever you decompile any apk or make a new project you will find a structure similar to this.

Android Application Folder Structure

So let’s have a quick review of what these files contain:

  • AndroidManifest.xml: Contains project-related information such as intents, permissions, activities, author information.
  • Java: This folder contains all the java source code files of the application.
  • Java (generated): This folder contains the classes and libraries used to build the project.
  • Res: This is the resources folder. It contains drawable, layout, mipmap, values, etc.
  • Build.gradle (Module): This specifies module-specific build configurations.
  • Build.gradle(Project): This defines build configurations that apply to all modules.
  • Proguard: ProGuard is an open-source command-line tool that shrinks, optimizes, and obfuscates Java code.

Then we moved onto understanding the apk signing process. Following flow from Android documentation shows the way apks are signed and verified. This process helps developers to identify the author of the application and release updates without any hassle.

APK signing process

When doing pentesting, there are cases when you need to decompile the apk, make some changes and recompile it again. So to sign the apk we can use jarsigner using the default keystore of android studio. More details about the jarsigner and its usage can be found here.

The next important part is to understand the Application Components. Android application has the following major components:

  1. Activity: The Activity class is a crucial component of an Android app and serves as the entry point, similar to that of main() function in the programming paradigm.
  2. Services: These are background processes. For example Music player running in the background.
  3. Broadcast and Receivers: Example receivers in-app listen for the broadcast of internet connectivity status sent by the android system
  4. Content Providers: Content providers can help an application manage access to data stored by itself, stored by other apps, and provide a way to share data with other apps.
  5. Intents: Intents are the abstracts of operation to be performed and facilitate the runtime binding of the components.

One more important topic covered on Day1 was Android Activity Lifecycle.

The diagram below gives an overview of the Android Activity Lifecycle. Understanding the Android Activity Lifecycle gives us an idea about the flow of code, entry point of execution, etc.

Android Activity Lifecycle

Last but not least was ADB — Android Debug Bridge.

Android Debug Bridge (ADB) is the bridge between the user and the shell on the device. It lets you run various commands on shell, access the device via command line, install, uninstall, debug and run applications, start and stop activities using activity manager, etc. You can read more about it here.

This was all for the first day.

Day 2

The second day of the training started with the introduction to the Activity Manager (am) and Package Manager (PM).

Activity Manager (AM): Inside an ADB shell, am can be used to control activities. You can start and stop activities, broadcast intents, etc. For example,

am start <exported activity name w/o proper access controls>

Package Manager (PM): PM can be used in ADB shell to query packages installed on the device connected. To list all packages installed on the device

pm list packages

When you have an apk to test, you need to decompile it and go through the source code. There might also be cases when you need to modify something and recompile it back, sign it and install it in the application. The signing process can be done with the jarsigner.

jarsigner -verbose -keystore [path-of-keystore] [apkfilepath] alias

To decompile and recompile the application you can use apktool.

ApkTool is a reverse engineering tool for Android apps. When the android application is built into apk, files and resources are encoded. When you unzip the apk and try to read it, the files are not in human-readable form. So apktool decodes them for you and encodes them again when you rebuild the apk.

The next topic was SSL pinning bypass. To avoid MiTM attacks, developers pin the hosts with a public key certificate. When performing a dynamic analysis of the android code we need to bypass these restrictions. A tool named, Frida can be used to bypass the SSL pinning restrictions. Here’s a good blog on configuring Frida.

In Frida with -l flag and this file as a parameter to it, you try various methods of SSL pinning bypass.

When installing CACert on your android device, you can install it in two ways:

  1. Using the naive approach. This process installs the certificate in the user cert section.
  2. The second one is directly installing the certificate in system certificates via the command line. Refer to this for more info.

Starting with Android Nougat, Google has imposed restrictions on trusting certificates by the application. In this case, you need to decompile the apk make changes in the application to trust the certificate, and then rebuild it again. Here’s the reference on how to do it.

Day 3

We covered some of the OWASP Mobile Top 10 on day 2 and the rest on day3.

  • M1: Improper Platform Usage: Android as a platform has many features and each feature is peculiar about its functionality. This can sometimes lead to serious vulnerabilities like misuse of intents, activities, debuggable set to true, missing proper security controls, etc.
  • M2: Insecure Data Storage: Data is the new oil as we all know. Storing the data securely must be the primary aim of any application to avoid leaks and unauthorized access. Data can be stored in shared preferences, logs, SQL database, and application memory.
  • M3: Insecure Communication: Communication with the server (if needed) is the key aspect for the functioning of an application and its security is likely important.
  • M4: Insecure Authentication: This class of vulnerability is one with which we are familiar.
  • M5: Insufficient Cryptography: This category of issues arises when developers implement cryptography but it becomes easy for an attacker to decrypt the cipher. For example, keys used to encrypt the text are hardcoded.
  • M6: Insecure Authorization: Failure to properly authorize the user leads to such issues. These issues give birth to issues such as privilege escalation.
  • M7: Client Code Quality: Code-level problems fall under this category. Issues such as buffer overflow, client-side bypasses, etc.
  • M8: Code Tampering: Distributing tampered applications can give rise to various issues. Proper server-side logging of code changes must be enforced to avoid such issues.
  • M9: Reverse Engineering: Reverse engineering the application can allow an attacker to review code and help in finding loopholes.
  • M10: Extraneous Functionality: Certain functionalities such as logging, ease of access to source code, etc. are enabled by the developers to ease development. These open backdoor for attackers.

This github repository by B3nac, contains a list of HackerOne reports for android with resources.

We also pentested vulnerable applications like InsecureBankV2. Its a great vulnerable application to get your hands dirty.

Day 4

The last day of the training was all about CTF and pentesting applications.

The CTF was simple and revolved around all the concepts learned. A custom built vulnerable application was given for the CTF. Some of the key learnings from the CTF are:

  1. Start by decompiling the application and looking at the source code. After you have the decompiled apk head straight towards “AndroidManifest.xml”.
  2. Look for hardcoded credentials, secrets, hidden paths, etc.
  3. Try to bypass the root checker functionality by editing the function responsible for root check and rebuilding the apk.
  4. Understand the application flow.
  5. If you are not able to proxy your traffic through burp, try installing cert in system certs.
  6. Understand the code which is responsible for encrypting and decrypting some important text. Use cyberchef to decrypt and encrypt things. You can also create a java class locally, replicate the function and encrypt or decrypt the data.

The overall experience of the training was great. In these four days, I learned a lot. The quality of content can be judged easily from above. This training has given me some confidence to get started with Android pentesting.

This was all about my learning from the training, hope this article helps you to get started in Android Hacking. I haven’t penned down everything in detail, but will surely write more after exploring more.

References:

  1. Nullcon Xtreme Android Hacking Training
  2. https://www.appsealing.com/owasp-mobile-top-10-a-comprehensive-guide-for-mobile-developers-to-counter-risks/
  3. https://developer.android.com/guide
  4. https://owasp.org/www-project-mobile-top-10/

Connect me on:

LinkedIn: https://www.linkedin.com/in/prateek-thakare/

Twitter: @thakare_prateek

noob | leaner