Introduction to mobile pentesting

Hack The Box Innovation Engineer Grigorios Papoutsis offers a comprehensive guide for pentesters to start testing mobile devices with Android.

bertolis, Oct 22, 2021

Mobile applications and services have become an integral part of our everyday lives, both at home and at work. Our cell phones hold sensitive information that malicious actors may try to obtain. As a result, when it comes to application development, mobile security is critical.

As seen in the graph below, the Android and iOS operating systems have a combined market share of 99 percent.

Figures based on the Statcounter publication “Mobile Operating System Market Share Worldwide”.

In this post we are going to explore some basic techniques for performing mobile assessments. First, we'll set up the environment in order to start testing, then examine the functionality of some tools that are useful in mobile assessments.

Setting up the Testing Environment for Android

In order to conduct assessments of Android devices and applications, we require either a real or emulated Android device. An Android Virtual Device (AVD) is provided along with the Android Studio IDE (Integrated Development Environment), and it is a good solution to start with.

Genymotion and Corellium are also good options, as they provide a cloud-based environment and ARM-based virtualization. Using the cloud-based environment, we can spawn and customize mobile devices from the web browser, while Corellium gives the option to root or jailbreak the Android or iPhone device accordingly. ARM is the CPU architecture used by both Android and iPhone devices today. Kernel exploitation is tied to the CPU architecture, and most emulators virtualize a non-ARM CPU architecture. This makes it impossible for a pentester to work on a potential new kernel exploitation technique using such a mobile emulator. Corellium and Genymotion, on the other hand, solve this problem.
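Because the CPU architecture of the test device matters, it is worth confirming it before starting. The script below is an added example, not part of the original post: it reports whether each attached device is ARM or x86 from its `ro.product.cpu.abi` property. It assumes `adb` from the Android SDK platform-tools is on the `PATH` for real use; the serials and ABIs in the demo are constructed sample data.

```shell
#!/bin/sh
# Map an Android ABI string (value of ro.product.cpu.abi) to a CPU family.
abi_family() {
    case "$1" in
        arm64-v8a|armeabi-v7a|armeabi) echo arm ;;
        x86|x86_64)                    echo x86 ;;
        *)                             echo unknown ;;
    esac
}

# Read `adb devices` output on stdin; print serials whose state is "device"
# (skips the header line and unauthorized/offline entries).
list_serials() {
    awk '$2 == "device" { print $1 }'
}

# Real lookup: ask one device for its primary ABI.
adb_abi() {
    adb -s "$1" shell getprop ro.product.cpu.abi
}

# For each serial on stdin print "<serial> <abi> <family>".
# $1 is the lookup command. Its stdin is redirected from /dev/null because
# `adb shell` would otherwise swallow the remaining serials in the loop.
report() {
    lookup=$1
    while read -r serial; do
        abi=$("$lookup" "$serial" </dev/null | tr -d '\r')
        echo "$serial $abi $(abi_family "$abi")"
    done
}

# Constructed sample data standing in for `adb devices` and getprop.
sample_devices() {
    printf 'List of devices attached\n'
    printf 'emulator-5554\tdevice\n'
    printf '0A1B2C3D4E\tunauthorized\n'
    printf 'R58M123ABC\tdevice\n'
}
sample_abi() {
    case "$1" in
        emulator-5554) echo x86_64 ;;
        *)             echo arm64-v8a ;;
    esac
}
demo() { sample_devices | list_serials | report sample_abi; }

# Against real devices: adb devices | list_serials | report adb_abi
```
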

Installing Android Studio on Linux is really easy. All we have to do is unzip it and run the file `studio.sh` inside the `bin/` directory. To install Android Studio on Windows or macOS, we need to follow the setup wizard. The process is pretty much the same for both operating systems. On Windows, for example, we click on the executable and then follow the steps of the setup wizard. After the installation has completed, we just need to wait for some components to be downloaded.

Once this is done, click `Finish` and then `New Project`.

Select `Empty Activity` and then click `Next` in the following window.

Finally, click `Finish` to complete the process.

Now that we have created a new project, we just need to wait for some more files to be downloaded automatically from the IDE. When that's done, click on the top centre of the IDE (as below) and select AVD Manager.