Continuing with the Mobile Pentesting 101 series, this article gives an idea about how your Android pentesting environment should look like. What tools should I use? Do I really need a physical device? Do I need a rooted device to pentest an application? I will try to answer all these questions and others in the following lines.
There’s a huge debate on the Internet regarding what a pentester should use: physical or emulated device. I won’t say that you should stick with only one option because it is not always the case. You might encounter some situations where an emulator is useless and some cases where a physical device could not simply do the job. I will give you some pros and cons for each, and you can choose afterward what suits you best.
Pros
Cons
Pros
Cons
As most of the following are applicable to both physical and emulated devices, I will present only the aspects used for an emulated device. So, when it comes to emulators, there are plenty of free options when setting up your Android environment. The most common are Android Virtual Device (AVD), Genymotion, and NoxPlayer. Genymotion is rooted by default, NoxPlayer has the option to enable root, and with AVD, root can be obtained easily.
Let’s start by creating a new virtual device using Android Studio. Here are some remarks that need to be made:
Now, if you use an emulator without the Google APIs installed, you can skip this part.
Thanks to the XDA community, we now have a script that instantly roots your AVD and installs Magisk on your emulator. The tool is called rootAVD and can be found on GitHub.
The next command is the one that I used to root my AVD and it works every single time, so you should give it a try.
./rootAVD.sh ~/Android/Sdk/system-images/android-31/google_apis/x86_64/ramdisk.img
You can download Genymotion from their official site. Once you do that, in order to create the emulators, you will need to create an account. With an account created and logged in, the next step is to create the device, again, I am using the Google Pixel 3.
As I mentioned earlier, the Genymotion emulator is rooted by default, thus you won’t have to do it by yourself.
Regardless of the type of device you are using, you need some tools installed on your device to exploit the applications and discover vulnerabilities. Two of the most important are Drozer and Frida.
Drozer is a good tool for simulating a rogue application. F-Secure stopped its development, but it still can be used in your penetration test without any problems. From their GitHub page, there is an APK that should be installed on the device. The command is
$ adb install drozer-agent-2.3.4.apk
Frida is a dynamic instrumentation toolkit for developers, reverse engineers, and security researchers. The following steps can be followed to install the Frida server on the device:
$ xz -d ~/Downloads/frida-server-16.0.2-android-x86.xz
$ adb push frida-server-16.0.2-android-x86 /data/local/tmp/frida-server
$ adb shell chmod +x /data/local/tmp/frida-server
$ adb shell su /data/local/tmp/frida-server
What’s interesting about Frida is that you don’t need a rooted device to run it. You can easily patch the application to include the Frida-gadget library and install the new signed application on the device. There’s an interesting article that shows you two methods to attach the gadget to an application. There’s also a third solution: objection patchapk. It is a command that basically wraps around several other system commands, automating the patching process as far as possible.
To be able to intercept the traffic the application is sending to the backend servers, you need to install the Burp certificate on the device and use a proxy server. There are plenty of resources out there that offer you a solution, but I recommend following PortSwigger’s documentation found here.
SafetyNet provides a set of services and APIs that help protect your app against security threats, including device tampering, bad URLs, potentially harmful apps, and fake users. It sounds like the tampered device era comes to an end, but as with any other client-side validation, with enough time, you can finally bypass it. There is a Magisk module available, developed by kdrag0n, and can be found on his GitHub page.
When it comes to setting up your pentesting environment, it can be difficult sometimes to install all the required tools due to different issues. To solve that problem, the Enciphers guys developed a virtual machine that contains all the necessary tools and can be immediately used without any trouble. You can find more details here.
If you still need only a couple of tools installed on your pentest station, I will give you a brief introduction to the topmost tools that I use in almost all engagements that I have. All the tools and installation methods described below are for Ubuntu, but you can find the Windows details in their documentation.
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis, and security assessment framework capable of performing static and dynamic analysis. More details can be found on their GitHub page, but an easy installation on Ubuntu contains the following 3 steps:
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
./setup.sh
Is a tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to almost their original form and rebuild them after making some modifications. You can find more details here, but the installation is as easy as
wget https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool
wget https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.7.0.jar -O apktool.jar
mv apktool /usr/local/bin/
mv apktool.jar /usr/local/bin/
chmod +x /usr/local/bin/apktool
chmod +x /usr/local/bin/apktool.jar
apktool -v
Command-line and GUI tools for producing Java source code from Android Dex and apk files. Decompile Dalvik bytecode to java classes from APK, dex, aar, aab, and zip files. Decode AndroidManifest.xml and other resources. Deobfuscator included. More details can be found on the application’s GitHub here.
Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps’ IPC endpoints, and the underlying OS. Even though it is decommissioned and out of development, I still use it as a go-to tool when it comes to mobile pentesting. More details can be found on their GitHub.
wget https://github.com/WithSecureLabs/drozer/releases/download/2.4.4/drozer_2.4.4.deb
sudo dpkg -i drozer-2.4.4.deb
As mentioned earlier, Frida is the must-have tool every pentester should use in their day-to-day mobile pentesting methodology. It helps you perform dynamic analysis at its best, injecting JavaScript scripts that communicate with the operating system. As per their documentation, we find that Frida can hook any function, spy on crypto APIs, or trace private application code. You can also edit, hit save, and instantly see the results without compilation steps or program restarts. You can easily install Frida using:
python3 -m pip install frida-tools
Once you installed Frida on your hacking station, you can easily search for already crafted scripts on https://codeshare.frida.re/, or you can create your own. Furthermore, you can use the scripts using either of the following commands:
frida -U -f com.android.example -l Frida_Scripts/bypass_ssl_pinning_various_methods.js
frida -U -f com.android.example --codeshare sowdust/universal-android-ssl-pinning-bypass-2
Objection is a runtime mobile exploration toolkit, powered by Frida, built to help you assess the security posture of your mobile applications, without needing a jailbreak. It can help you bypass fingerprint, SSL pinning, and many more.
You can install it using python’s pip as easily as:
python3 -m pip install objection
I wrote an entire article dedicated to this tool, so you should check it out here. To install it, just use the following:
npm install -g rms-runtime-mobile-security
I hope this article helped you create your mobile pentesting environment or refine your existing one. With the industry changing that fast, some tools might be decommissioned, and some new tools might pop up, but the methodology does not change. Stay tuned for the next article: Mobile Pentesting 101 – How to set up your iOS Environment.