Red Teaming

28 min read

A step-by-step Android penetration testing guide for beginners

Learn the fundamentals of Android penetration testing with step-by-step instructions to find vulnerabilities and improve mobile security.

bertolis avatar

bertolis,
Oct 18
2022

Mobile applications and services are essential to our everyday lives both at home and at work. This makes them prime targets for malicious actors seeking sensitive information. 

In this guide, you’ll learn basic Android penetration testing techniques when performing mobile assessments to improve security. First, we'll set up the environment in order to start testing and then examine the functionality of tools that are useful in mobile assessments.

What is Android penetration testing?

Mobile or Android penetration testing aims to detect security vulnerabilities and ensure that mobile applications are not vulnerable to attacks. 

(Android and iOS operating systems have a combined market share of 99.35 percent.)

Android applications can be analyzed either by using automated tools, or manually. During this process, the mobile penetration tester will use several techniques to simulate attacks, find security flaws in the mobile application, and gain access to sensitive data.

Why is Android penetration testing important

Modern Android applications are used for commercial purposes, healthcare, banking, learning, and more. These mobile applications, apart from holding sensitive information, also contain security vulnerabilities. Penetration testers and developers can find and fix these vulnerabilities and mitigate security risks.

In 2021, the payment application Klarna suffered an application flaw that caused users to log in to random accounts of other customers and expose sensitive personal and credit card information.   

 

ParkMobile, the company behind an app for cashless parking across the United States, is still battling a class action lawsuit from a 2021 mobile app data breach that affected 21 million users.

With new vulnerabilities surfacing every day, Android penetration testing is necessary to avoid fraud attacks, malware infections, and data leaks. This is vital for any company that wants to go live with a new app without having to worry about legal or security issues.

Mobile penetration testing can also be beneficial for evaluating the developer team’s work and checking the IT team's responsiveness, as tests can reveal vulnerabilities and misconfigurations in back-end services used by the app. (If you're new to penetration testing, start by reading our what is penetration testing post to understand the basics.) 

🎮 TEST YOUR ANDROID PENTESTING SKILLS NOW

Android package (APK) file structure explained 

An Android Package (APK), is an archive file with a .apk suffix, and it contains all the files (code and assets) that are required in order for the Android application to run.

APK files can be unpacked using the command `unzip app_name.apk` in Linux. The image below shows the unzipped structure of an APKfile: 

  • METTA-INF: Contains verification information that is generated when the app is signed.

  • MANIFEST.MF: Contains a list of names/hashes (usually SHA256 in Base64) for all the files of the APK.

  • CERT.SF: Contains a list of names/hashes of the corresponding lines in the MANIFEST.MF file.

  • CERT.RSA: This file contains the public key and the signature of CERT.SF.

  • Assets: Contains assets that developers bundle with the application, and can be retrieved by the AssetManager. These assets can be images, videos, documents, databases, etc.

  • lib: Contains native libraries with compiled code, for different device architectures.

  • res: Contains predefined application resources, like XML files that define a state list of colors, user interface layout, fonts, values, etc. 

  • AndroidManifest.xml: A manifest file that describes the application's package name, activities, resources, version, etc.

  • classes.dex:  Contains all the java classes in a dex (Dalvik Executable) file format, to be executed by the Android Runtime.

  • resources.arsc: Contains precompiled resources. It holds information that will link the code to resources.

Start with the OWASP Mobile Top Ten to find vulnerabilities

The Open Web Application Security Project (OWASP) is a nonprofit foundation that provides security tips and methodologies mainly for web applications. In 2016 OWASP created their latest list of Mobile Top 10 Vulnerabilities. It refers to the impact each vulnerability has on individuals and businesses and suggests methods of prevention.

If you’re new to Android penetration testing, these vulnerabilities are a great starting point that will help you find flaws and improve application security:

1. Improper platform usage

This category covers misuse of platform features such as Android intents, platform permissions, TouchID, Keychain, or failure to use platform security controls of the mobile operating system. In order for this vulnerability to be exploited, the organization must expose a web service or API call that is consumed by the mobile app.

Impact of vulnerability: The impact of exploiting this vulnerability ranges in severity from changing the content of the app to complete account compromise.

Prevention: Secure coding and configuration practices must be used on the server side of the mobile application.

2. Insecure data storage

Storing unencrypted data in the device's local storage is a bad practice, as there are malicious apps that may attempt to retrieve sensitive information from it. Attackers can  also retrieve data from a stolen device directly.

Impact of vulnerability: Exploiting this vulnerability can result in data loss and/or extraction of the application’s sensitive information. Business impact includes identity theft, fraud, reputation damage, external policy violation (PCI) and material loss.

Prevention: To prevent this kind of attack, you can encrypt the stored data or/and restrict access to the local data storage. As OWASP suggests, it is important to understand the information assets that the app processes and how the APIs handle those assets.

3. Insecure communication

In this type of attack, malicious actors exploit vulnerabilities to intercept sensitive data in a compromised network (e.g. monitoring the network traffic of a company). Targeted attacks are easier to perform.

Impact of vulnerability: By exploiting this flaw, attackers can expose personal data, or even fully compromise accounts and servers. For businesses, it can result in a privacy violation which in turn may result in identity theft, fraud, or reputational damage.

Prevention:

  • Use SSL/TLS protocol for secure communication.

  • Rely on strong industry-standard cipher suites with appropriate key lengths.

  • Ensure that certificates are signed by a trusted CA provider and not self signed.

  • Require SSL chain verification.

  • Apply a separate layer of encryption to any sensitive data before it is given to the SSL channel.

4. Insecure authentication

Attackers usually use available or custom automated tools to exploit this vulnerability. They try to log in using default credentials or by bypassing authentication protocols with poor implementation.

Impact of vulnerability: The impact of poor authentication can result in reputational damage, information theft, or unauthorized access to data.

Prevention:

  • Ensure all authentication requests are performed server-side.

  • Encrypt data when client-side storage is used.

  • Check that persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user’s password on the device.

  • Ensure that device-specific authentication tokens must be utilized by the app.

  • Do not allow users to provide 4-digit PIN numbers for authentication passwords.

5. Insufficient cryptography

Data that has been improperly encrypted, can be reverted by attackers with physical access, or through malware applications.

Impact of vulnerability: This vulnerability will result in the unauthorized retrieval of sensitive information from the mobile device. Also, this can have a number of different business impacts like privacy violations, information theft, code theft, intellectual property theft, or reputational damage.

Prevention: To prevent this attack one should avoid storing sensitive data in the mobile device, apply cryptographic standards that will withstand the test of time for at least 10 years into the future, and follow the NIST guidelines on recommended algorithms.

6. Insecure authorization

Attackers usually use available or custom automated tools to log in to an application as a legitimate user. After logging in, they can perform binary attacks against the mobile app and try to execute privileged functionality that should only be executable with a user of higher privilege while the mobile app is in "offline" mode.

Impact of vulnerability: The impact of insecure authorization can result in reputational damage, fraud, or information theft.

Prevention: To prevent this attack, roles and permissions of the authenticated user must be verified using only information contained in backend systems. The backend code should also verify the identities.

7. Poor code quality

In this case, an attacker can pass untrusted inputs to method calls that are made within the mobile code. Poor code-quality issues are typically exploited via malware or phishing scams. Typical types of attacks will exploit memory leaks and buffer overflows.

Impact of vulnerability: Poor code quality issues that result in remote code execution could lead to information theft, reputational damage, intellectual property theft.

Prevention: To prevent code quality issues:

  • Maintain consistent coding patterns that everyone in the organization agrees upon.

  • Write code that is easy to read and well-documented.

  • Always validate the lengths of any incoming buffer data.

  • Identify buffer overflows and memory leaks using third-party static analysis tools.

8. Code tampering

Attackers can create malicious apps by modifying the source code of existing apps and hosting them in third-party app stores. Attackers can also deliver these modified malicious apps to the victim by using phishing techniques.

Impact of vulnerability: Code tampering can result in unauthorized new features, identity theft, fraud, revenue loss due to piracy, and reputational damage.

Prevention: To prevent such an attack, mobile apps must be able to detect at runtime that code has been added or changed. Also, since apps like these will execute within a jailbroken or rooted environment, users can check if the device is rooted or jailbroken.

9. Reverse engineering

Attackers will download an app from the app store in order to perform reverse engineering and static analysis techniques, using available tools. This allows them to understand the functionality of the app, change the code, and recompile it.

Impact of vulnerability: Attackers can then reveal information about backend servers and perform attacks, reveal cryptographic constants and ciphers, steal intellectual property. This can result in reputational damage for companies and customer identity theft. 

Prevention: Code obfuscation is key to mitigating reverse engineering vulnerabilities.

10. Extraneous functionality

Attackers will try to understand how the app works, in order to discover the functionality of the back-end system. Then, they try to exploit the back-end system directly.

Impact of vulnerability: The technical impact of this type of attack includes exposure of the backend systems functionality, and execution of unauthorized high-privileged actions, as well as reputational damage and intellectual property theft.

Prevention: Source code reviews should be performed manually in order to protect against this type of vulnerability.

Suggested tools for Android penetration testing

Below is a list of tools that can be used to conduct Android application penetration testing. Some are used for automated testing, and others for manual testing.

Automated Android penetration testing tools are good for scanning common vulnerabilities. They offer a faster and cheaper solution in comparison to manual tools and processes, which offer more depth and vulnerability insights by combining human intelligence with automated tools:

  • Android Debug Bridge (ADB): A versatile command-line tool that lets you communicate with a device.

  • Dex2jar: Converts .dex files to .class files, zipped as a jar file.

  • JD-GUI: A standalone graphical utility that displays Java sources from CLASS files.

  • JADX: Command line and GUI tools for producing Java source code from Android Dex and APK files.

  • APKTOOL:  A tool for reverse engineering 3rd party, closed, binary Android apps.

  • Burp Suite: A set of tools used for web applications penetration testing.

  • Frida: A dynamic instrumentation toolkit for developers, reverse engineers, and security researchers.

  • Objection: A runtime mobile exploration toolkit, powered by Frida, built to help you assess the security posture of your mobile applications, without needing a jailbreak.

  • Ghidra: A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission.

  • Drozer: drozer (formerly Mercury) is the leading security testing framework for Android.

  • MobSF: Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

Setting up the pentesting environment for Android

In order to conduct assessments of Android devices and applications, we require either a real or emulated Android device. An Android Virtual Device (AVD) is provided along with the Android Studio IDE (Integrated Development Environment), and it is a good solution to start with. (Large mobile development teams may need something more robust).  

Genymotion and Corellium are also good options, as they provide a cloud-based environment and ARM-based virtualization (CPU architecture used for mobile devices). Utilizing the cloud-based environment, we can spawn and customize mobile devices using the web browser, while Corellium gives the options to root or jailbreak the Android or iPhone device accordingly.

ARM is the CPU architecture used for Android and iPhone devices today. Kernel exploitation is related to the CPU architecture. Most emulators virtualize a non-ARM CPU architecture, this makes it impossible for a pentester to work on a potential new kernel exploitation technique using a mobile emulator. Fortunately for us, Corellium and Genymotion solve this problem with ARM-based virtualization.

Installing Android Studio on Linux is really easy. All we have to do is unzip it and run the file studio.sh inside the bin/ directory. To install Android Studio on Windows or macOS, we need to follow the setup wizard. The process is pretty much the same for both operating systems.

On Windows, for example, we click on the executable and then follow the steps of the setup wizard. After the installation is complete, we just need to wait for some components to download. 

Once this is done, click Finish and then New Project.

Select Empty Activity and then click Next in the following window.

Finally, click Finish to complete the process.