Android Pentesting

Introduction Dynamic analysis of Android applications has become an essential discipline for those who develop or audit their own mobile projects. Instrumenting an app in real time allows us to fully understand how it behaves, which code paths are involved in each operation, and how our defensive mechanisms respond to different scenarios. Among the tools that facilitate this process stand out Frida and Objection. To explore these concepts in a controlled way, we will use the application Android SSL Pinning Demo by httptoolkit, an open-source project designed to experiment with various methods of certificate pinning. We will also make use of the scripts published by the same team to analyze the internal workings of TLS verification. This lab is ideal because it offers a secure environment in which it is possible to test instrumentation techniques without impacting third-party software. ...

Introduction️ There are additional protections related to the requirement for a specific TLS certificate (pinning). There is also the possibility of encrypting network communications over the HTTP protocol. In the case of symmetric encryption, the application will obtain the key from the server or obtain it from the application’s own source code, statically (stored in a variable), or dynamically, where several obfuscated methods will be executed to create the key to use. ...

Introduction️ Various applications related to banking environments or public administrations contain restrictions that prevent their execution on Android mobile devices that have been altered, for example, after installing Magisk and obtaining super administrator permissions, unlocking the boot loader, or if they are running in emulators and not on real devices, all of this to avoid analysis.️ In an example application, we will have to remove those restrictions from the source code of the application. One option will be to unpack the application and modify the .smali code, which is a type of low-level non-binary bytecode that can be read. For this, we will first extract the corresponding APK file for the application and decompile the source code of the application using the tool JADX.️ ...

Introduction️ One of the phases of dynamic analysis of Android applications is the interception of connections made by the application to remote servers. In the case that they use the HTTP protocol can be easily intercepted and manipulated with a proxy server since the protocol does not use encryption. But in the case that it uses the HTTPS protocol we will need to install an SSL certificate from a Certification Authority on our device since the connection will be encrypted with this one. Additionally, some applications use the technique of SSL Pinning, which consists in trusting only certain embedded certificates in the application.️ ...

Introduction️ To perform a security audit of an Android application, it is necessary to create a customized environment, which can be based on a physical device or an emulator. For most cases, an emulator will suffice. In this article we will create a virtual machine for Android in x86_64 architecture, and modify it by installing Magisk, to obtain superuser permissions and install modules, and install some applications.️ Installing the Android Emulator For the Android emulator, we have chosen the official Android IDE, Android Studio, which includes support for Android Virtual Devices (AVD). To install the IDE, simply go to its official website and download the installer by accepting the license terms. During the installation process, when selecting the components to install, we will deselect the option Android Virtual Device, as we will configure it later. In this case, we will install the IDE in our Documents directory.️ ...