Android Testing Environment Cheatsheet (Part 2)

This part will cover installing Android testing tools on the Kali VM and their basic usage.

Configuring Burp

Burp is already installed on the Kali VM. The following changes are needed:

Configure Burp on Kali
Choose the Proxy -> Options tab.
Choose Edit
In the Binding tab, select listen on all interfaces (or the address of Kali VM vbox network)

Configure proxy settings in Genymotion
Choose Settings -> Wi-Fi.
Hold down WiredSSID and choose Modify.
In Advanced Options, choose Manual proxy.
Enter the Kali VM address for the Proxy hostname e.g. 192.168.56.101.
Enter Burp’s port number for the Proxy port e.g. 8080.

Install Burp’s cert in Genymotion
Install Chrome e.g. $ sudo apt-get install chromium
In the Kali VM Chrome browser: Settings -> Network -> Network proxy.
Add 127.0.0.1, port 8080 in for the Manual proxy settings.
If your burp is not listening on all interfaces, change your burp listener to listen on 127.0.0.1 temporarily.
Visit http://burp.
Download the portswigger cert from the CA Certificate link.
Rename the downloaded cert to cacert.cer.

Copy the cert onto Genymotion’s sdcard:
Connect to Genymotion using adb as shown in Part 1, then:
$ adb push cacert.cer /sdcard/cacert.cer

In Genymotion, Settings -> Security -> Install from SD card.
Choose the cacert.cer at the bottom of the list and install.
Name the cert portswigger.

Finally, if your burp is not listening on all interfaces, change your burp listener back to listen on the address of your Kali VM vbox network.

Test your setup by visiting a web page in Genymotion and verifying that the traffic can be seen in Burp on the Kali VM.

Obtaining and installing android apps for testing

Install a plugin for chrome which allows downloading of APKs from the Google Play store e.g. APK Downloader Appsofto
Create a test google account for logging into the play store.
When visiting the play store, just click on the app’s icon and paste in the name of the package to download.
Of course, make sure to download apps which are compatible with your target Genymotion device.

Installing an APK onto Genymotion
To install your downloaded APK from the app store onto Genymotion, run the following command in the Kali VM:
$ adb install appname.apk

The installed app should now be in the Genymotion menu.

Install testing tools on Kali VM

Install Chrome browser
$ sudo apt-get install chromium

Install Drozer
Download Drozer.
Download drozer.apk agent.

Install Drozer server on Kali VM:
$ sudo apt-get install python-protobuf
$ sudo apt-get -f install (to install deps for python-protobuf)
$ sudo dpkg -i drozer.deb

Install Drozer agent on GenyMotion:
Connect to Genymotion using adb as shown in Part 1, then:
$ adb install drozer.apk

In Genymotion:
Open the drozer agent app on Genymotion and turn ON the server.

In Kali:
$ adb forward tcp:31415 tcp:31415
$ drozer console connect

Install APKtool
Download the apktool.
Download the apktool wrapper.
$ mv apktool-ver-number.jar apktool.jar
$ sudo cp apktool.jar /usr/local/bin
$ sudo cp apktool /usr/local/bin
$ sudo chmod u+x /usr/local/bin/apktool*

You should now be able to run the apktool against your target APK and browse the resulting directory to review the manifest file etc:
$ apktool d appname.apk

Install dex2jar
dex2jar: convert an APK file into a JAR file.

Download dex2jar.
Unzip and add the dex2jar script to your PATH/.profile:
$ unzip dex2jar-ver-num.zip
$ PATH="$PATH:/home/android/tools/dex2jar-ver-num/"

You should now be able to run the dex2jar tool against your target APK to create a jar file for browsing with jd-gui tool.
$ dex2jar-ver-num appname.apk

Install jd-gui
jd-ui: browse a JAR file and save source files as .java.

Download the jd-gui jar file.
Create a file name jd-gui with the following command tailored for your location:
java -jar /home/android/tools/jd-ui-ver-num.jar

Make the file executable and add to your PATH/.profile:
$ chmod u+x jd-gui
$ PATH="$PATH:/home/android/tools/"

You should now be able to run the jd-gui tool and open your newly created jar file from dex2jar, and browse the reconstructed Java source:
$ jd-gui

Install jdax
jdax: converts an APK file into Java source code (also useful if dex2jar doesn’t work).

Download jadx and unzip.
Add to your PATH/.profile:
$ PATH="$PATH:/home/android/tools/jadx-vernum/bin/"

Run jadx-gui and select your target APK or JAR file to browse:
$ jadx-gui

Install FindBugs & FindSecurityBugs
These plugins will work with Android Studio and can be used to scan source code for potential security issues.

Install FindBug:
Open Android Studio, File -> Settings -> Plugins.
Search for “FindBugs”, install and restart Android Studio.

Install FindSecurityBugs:
Download FindSecurityBugs plugin for Android Studio.
In Android Studio, File -> Settings -> Plugins -> Install plugin form disk.
Select the plugin zip file and restart Android Studio.

Android Testing Environment Cheatsheet (Part 1)

Environment

Genymotion and Android emulators cannot run within a VM.
Instead, this setup can help contain all the tools you need:
– Install Genymotion on your host OS.
– Install your android tools on a Kali VM to keep it portable.
– Connect to your android apps running in Genymotion from the Kali VM.

Note:
– Using an Ubuntu host here.
– Using Virtualbox here to create Kali VM but could be any VM platform.
– Genymotion requires Virtualbox to be installed for its emulation.
– Genymotion must be run natively on your host.
– If you prefer not to use a VM to store all your tools, just install everything on your host instead.

Configure the Kali VM

Install Virtualbox:
$ sudo apt-get install virtualbox

For the following steps, it is assumed Kali is installed in a Virtualbox VM. Tip: pressing the right control keyboard button releases your mouse from Virtualbox.

Install Virtualbox guest addons
apt-get update
apt-get install -y virtualbox-guest-x11
reboot

Create android test user
useradd -m android
passwd android
usermod -a -G sudo android
chsh -s /bin/bash android
logout

Install Android Studio
Download from android.com.
Unpack:
unzip android-studio-ide-*.zip
Run first time to install:
~/tools/android-studio/bin/studio.sh

Add Android Studio to your PATH/.profile:
$ PATH="$PATH:/home/android/tools/android-studio

Note: The command line android SDK tools (e.g. adb) are stored in:
~/Android/Sdk/platform-tools

Add Android SDK tools to your PATH/.profile:
$PATH="$PATH:/home/android/Android/Sdk/tools/:/home/android/Android/Sdk/platform-tools/:/home/android/Android/Sdk/build-tools/2.4.0.3/"

Configure network interfaces
In the Virtualbox network settings for the Kali VM, for Adapter 1, choose Host-only Adapter (vboxnet0).
This will allow the VM and the Genymotion VM to talk to each other over ADB.
In the same network settings window, enable Adapter 2 for NAT
Adapter 1 will allow connections to Genymotion, while Adapter 2 will allow internet.
Reboot the Kali VM and run
$ sudo ifconfig
If the second adapter does not have an IP address run:
$ dhclient -r eth1
$ dhclient eth1

You should now have an internet connection on your Kali VM.

Install Genymotion on host

Create a Genymotion account at genymotion.com.
Download Genymotion.
If your host is Windows, download Genymotion & Virtualbox as a package.
If your host is Linux/Mac, ensure you have Virtualbox installed already.

Install Genymotion
chmod u+x genymotion-*.bin
./genymotion-2.8.0-linux_x64.bin
The installer will ask you to setup a virtual device.
Sign in using your created Genymotion account to complete this step.
Select your target device e.g. Google Nexus 4.
Once the download has completed and installed, the new virtual device will be listed.

Configuring Genymotion

In Genymotion Settings, ADB tab, deselect the Genymotion Android tools (default), just choose custom Android SDR tools and leave it blank (this avoids the device is “offline” errors when connecting with adb from a VM).
Choose Start to launch the virtual device.
The network settings for Genymotion can be left as default (these are configured in the Virtualbox settings rather than in the Genymotion settings and should be left as Host-only Adapter vboxnet0).
In the same network settings window, enable Adapter 2 for NAT
Adapter 1 will allow connections from the Kali VM, while Adapter 2 will allow internet in Genymotion.
If you have Virtualbox installed on your host the device should start.
Click “No” for the question “Do you want to specify the Android SDK location?”.

Connecting to Genymotion

Here, we will connect to Genymotion from our Kali VM:
$ adb devices
$ adb connect 192.168.56.101 (the IP of your Genymotion emulator, when you mouse over it it should be in title of the window)
$ adb devices (should now see the listed connected device)
$ adb shell

Now your Kali VM is ready to install all the essential android testing tools and can connect to a Genymotion emulator. Having all your android testing tools in a VM allows moving of the VM to different computers, backing up and can save lots of setup time.

Android Pentesting Command Cheatsheet

Useful tools
Android SDK
Android Studio
GenyMotion emulator
BusyBox
apktool
dex2jar
enjarify
jd-gui
MWR’s Drozer testing framework
Fino

Useful Linux file paths
android/adt-bundle-linux-ver-number/sdk/platform-tools: adb tool
android/adt-bundle-linux-ver-number/sdk/tools: emulator, android tools
~/.android/avd/<emulator-device-name>.avd/: emulator config files

Useful Windows file paths
C:\Users\username\AppData\Local\Android\sdk

Useful Android paths
/data/app: location of app on android device
/data/data/[packagename]/*: app data files
/data/Dalvik-cache: Classes.dex for all installed apps

Useful configuration settings
Enable hardware keyboard in emulator:
Add: hw.keyboard=yes to the config file:
~/.android/avd/<emulator-device-name>.avd/config.ini

Install test environment
Install Android SDR only
https://developer.android.com/studio/releases/platforms.html
OR
Install Android Studio
https://developer.android.com
OR
Install GenyMotion
https://www.genymotion.com

Install APIs
$ android
and choose API version to install with gui

List available Android targets
$ android list targets

Create an Android image for a target
$ android create avd -n test -t 3
$ android create avd -n test -t 3 –abi default/x86

Start emulator
Start the emulator for the created image @test:
emulator @test
$ adb shell

Install BusyBox
$ adb push busybox /data/local
$ adb shell
$ su
# mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
# mkdir /system/xbin
# cat /data/local/busybox > /system/xbin/busybox
# chmod 755 /system/xbin/busybox
# busybox --install /system/xbin
# mount -o ro,remount -t yaffs2 /dev/block/mtdblock3 /system
# sync
# reboot

Install Burp cert on emulator
Create an sdcard for the emulator:
$ mksdcard -l pisd 1G /tmp/sdcard

Launch emulator with -sdcard option:
$ emulator-x86 -sdcard /tmp/sdcard -avd test -qemu -m 1024 -enable-kvm -http-proxy "http://192.168.1.2:8080"

Get Portswigger cert from visiting a page in browser, export and save as Portswigger.crt
Note: must have .crt extension for android to recognise it on sdcard

Copy the cert onto the device:
$ adb push Portswigger.crt /mnt/sdcard
Next, go to “Settings” and install from sdcard

Installing Drozer
Install drozer app on test device and run it.
From your laptop, connect to the app:
$ adb forward tcp:31415 tcp:31415
$ drozer console connect
$ drozer console --server 10.0.2.15:31415 connect

Copy an APK off device
Installed APKs are located in /data/app on the device
$ adb pull /data/app/AppName-1.apk .

Extracting Java code from an APK
Extract the APK using APKTool. Run: apktool d AppName.apk
Extract the classes.dex file found in the APK file. Run: jar xvf classes.dex
Extract the classes from classes.dex file. Run: dex2jar classes.dex
Extract the classes.dex.dex2jar.jar. Run: jar xvf classes.dex.dex2jar.jar
Browse Java code: Open the extracted jar file in jd-gui

Check the manifest file
First, unpack the apk using unzip
$ unzip AppName.apk
$ axmlprinter AndroidManifest.xml

Check package information
Using Drozer:
dz> run app.package.list
dz> run app.package.attacksurface com.targetpackage
dz> run app.provider.info -a com.targetpackage

Check for the debug flag
Using Drozer:
dz> run app.package.debuggable
OR
Check manifest file.

Check for SQL injection
Using Drozer:
dz> run scanner.provider.injection -a com.targetpackage

Check for path traversal
Using Drozer:
dz> run scanner.provider.traversal -a com.targetpackage

Check the Content Providers
Content providers provide access to structured data.
Can be affected by: SQLi, directory traversal

Useful Drozer commands for working with content providers:
dz> run app.provider.info -a com.targetpackage
dz> run app.provider.finduri com.targetpackage
dz> run scanner.provider.finduris -a com.targetpackage
dz> run scanner.provider.traversal -a com.targetpackage
dz> run scanner.provider.injection -a com.targetpackage
dz> run app.provider.query content://com.targetpackage...
dz> run app.provider.query content://com.targetpackage... --vertical --selection "'"
dz> run app.provider.query content://com.targetpackage... --projection "* FROM SQLITE_MASTER WHERE type='table';--"
dz> run app.provider.query content://com.targetpackage... --projection "* FROM Key;--"
dz> run app.provider.read content://com.targetpackage...
dz> run app.provider.read content://com.targetpackage../etc/hosts
dz> run app.provider.download content://com.targetpackage../data/data/com.targetpackage]/databases/database.db

Check the Activities
Activities provide user facing components.
Can be affected by UI redressing attacks e.g. tap jacking etc

Useful Drozer commands for working with activities:
dz> run app.activity.info -a com.targetpackage
dz> run app.activity.start --component com.targetpackage com.targetpackage.ActivityName

Check the Services
Useful Drozer commands for working with services:
dz> run app.service.info -a com.targetpackage
dz> run app.service.send com.targetpackage com.targetpackage.ServiceName

Check the Intents
Intents can be implicit or explicit.
Check Manifest file for public intents, e.g.
<receiver android:name="my.special.receiver">
<intent-filter>
<action android:name="my.intent.action" />
</intent-filter>
</receiver>

Instead, intents should use the exported flag or made private e.g.
<receiver android:name="my.special.receiver"
android:exported=false>
...
</receiver>

OR
<receiver android:name="my.special.receiver"
android:exported=false>
android:permission="my.own.permission"
...
</receiver>

Check the Broadcast Receivers
Broadcast receivers handle implicit intent messages or system wide events

Useful Drozer commands for working with broadcast receivers:
dz> run app.broadcast.info -a com.PackageName.AppName
dz> run app.broadcast.send --action [name of action from manifest file] --component com.PackageName.AppName com.PackageName.AppName.push.GCMPushReceiver
dz> run app.broadcast.send --action [name of action from manifest file] --component com.PackageName.AppName.push.GCMPushReceiver --extra string paramName paramValue --extra sting paramName2 paramValue2

Check for Sticky broadcasts
<uses-permission android:name="android.permission.BROADCAST_STICKY"/>

Check the files stored on the device
Grep for:
http, https, ://, user, pass, hmac, login

Check for insecure data storage on the device
Perform a search for files relating to package name:
root@android:/ # find / -name com.PackageName -print

Check the SD Card:
/mnt/sdcard
/mnt/sdcard/Android/data/com.PackageName

Check the data directory:
/data/data/com.PackageName

Check the database files on the device:
sqlite> select * from StoredProperties;
429482317|OPEN_SESAME|pTpkKAqfa9ly2oLqmivPIMKZDhTVlPOMLC9Ogi3c8Z0fkXL+H8u66ytJ0aFh+QY4N4rX9Iq5qVuKnCon0a+lirekLJD3/6uoh/e5vaNptxI=

Save the database files off the device:
/data/data/packagename
cp name.db /mnt/sdcard
$ adb pull /mnt/sdcard/name.db . (otherwise won’t have perms to copy)

Check the log files:
logcat -b events
/data/anr
/data/dontpanic
/data/tombstones
dmesg

Check the device memory
Check memory stats:
$ adb shell dumpsys meminfo > mem.txt
$ adb shell dumpsys meminfo 'com.PackageName'

Dump the memory:
$ adb shell dumpsys > mem.txt
$ adb shell dumpstate > mem.txt (can show params passed to intents etc.)

Checking memory and logcat together:
$ adb shell bugreport > bugreport.txt

Check for bad code patterns
http://domain.com/api/save.php?t=" + paramString1 + "&u=" + paramString2);
reflection
etc.

Check for WebViews
Search the decompiled folder for:

addJavascriptInterface
grep -r -n -i --include=*.java addJavascriptInterface *
grep -r -i --include=*.java \@JavascriptInterface *

shouldOverrideUrlLoading
grep -r -n -i --include=*.java shouldOverrideUrlLoading *

Use Drozer module:
run ex.scanner.jsifenum -a com.targetpackage

Check the transport security
Use the emulator to dump traffic to a pcap flle with the option:
-tcpdump

Use the emulator to proxy traffic with the option:
-http-proxy

Intercept with burp.