Introduction to Android Pentesting
Android Pentesting refers to the process of testing the security of Android applications and devices in order to identify potential vulnerabilities that could be exploited by attackers. It involves assessing the security posture of Android apps and systems by simulating attacks and attempting to exploit weaknesses in their design, implementation, or configuration.
In this guide we will be downloading tools used to get started with Android Pentesting and solving two HTB Mobile Challenges.
The tools we will use will be:
- https://developer.android.com/studio – Android Studio (Free Resource to create Android Emulators)
- https://developer.android.com/tools/adb – Android Debug Bridge (Android Bridge to transfer files and run commands from host machine to emulator)
- https://portswigger.net/burp – Burp Suite (HTTP/S Proxy Program)
- https://frida.re/ – Dynamic instrumentation toolkit.
The HTB Challenges will be:
Let’s get started by installing the tools we will use. We will need Java and Python to be installed on the host machine to use these tools.
First let’s install Android Studio. This will allow us to create emulators for testing rather than using a physical device.
https://developer.android.com/studio
Once Android Studio is downloaded you can install it. Android Studio can be installed on Windows, MacOS, and Linux.
Next we will install Burp Suite.
https://portswigger.net/burp/communitydownload
Finally we will install Android Debug Bridge (ADB).
https://developer.android.com/tools/adb
The first program we will use is Android Studio. This will allow us to create emulators for Android Devices.
When starting Android Studio for the first time we will need to create a project.
I will name the Project Android Pentesting.
Creating a Device for testing.
Click the phone with Android Icon in the Top Right Corner.
Click on “Add a new device…”
Next select Create Virtual Device.
Feel free to experiment with this section. You can setup multiple devices with access to the Play Store and specify the API. For the purpose of this guide I will be using a Google Pixel 6 device that does not have access to the Play Store. *Note that a device with the Google Play Store cannot be rooted. Devices without the Play Store Icon are rooted devices.
The next step is to select the API Version. I will be using version 28. Feel free to experiment with the various versions of the API.
The last step for this will be naming our device. I chose Pentesting Device. You can name it whatever you prefer.
Now we can click the Play button on the right side and our emulator should display. It might take a few minutes on the first boot.
Now we have a device to do Android Testing. It is absolutely possible to do testing on a physical device. This is a cost effective approach without the fear of bricking a phone.
Next we can get Burp Suite setup. You can use either Community or Pro.
The first step to get Burp to work with Emulator (or physical device if that is what you are using) is to configure the Proxy Listener.
Click on the Proxy Menu and then click Proxy Settings.
Next click on the 127.0.0.1:8080 and click the Edit button.
Change the Bind to address to All interfaces.
Back on our phone we want to open the Settings on our Pixel device.
From the Settings we want to open Network & Internet
Next we want to select Wi-Fi.
Now click Android Wi-Fi.
Now click the pencil icon in the top right.
Click Advance Options and then Proxy.
Here we can setup our proxy. We will need to use our host machines IP Address. Mine is 192.168.0.224. You will need to gather your Internal IP Address from ipconfig/ifconfig/ip addr.
The port will be 8080. This is the Burp Default port.
Now click Save.
Back in Burp we can see traffic flowing through, but we have an issue with TLS. The next step will setup a certificate from Burp onto the Android Device. This way TLS traffic will work through our proxy and Burp.
Back in the Proxy Listeners section we can click “Import / export CA certificate”. Click on that and then Export Certificate in DER format.
Save the certificate onto your host machine. I named my burp.der.
The next step will be using Android Bridge to transfer the certificate to our device.
Using the command
adb push burp.der /sdcard/burp.crt
will send the certificate to the sdcard of our device.
We can now install the certificate on our device. Open the Settings on the device and search “Install Cert”. Click Install certificates from SD card.
Next select “Install a certificate”.
The Android Device will give you this warning. Click Install anyway on the bottom left.
You should save the burp.crt certificate.
Click on the burp.crt file and name the certificate burp.
You might be prompted to set a PIN. I kept it super simple with 1111.
You can verify if the certificate was installed by searching Trusted and clicking Trusted credentials.
Click on Trusted credentials.
Now clicking on USER will show the PortSwigger Cert.
This is when I reboot the device. When I re-launch the emulator and make sure the proxy is running on port 8080, I can verify that HTTPS traffic is now navigating through Burp Suite. This means we can now analyze and test HTTPS and HTTP with Burp just like a website.
If you are having issues please retrace your steps and try rebooting the emulator and Burp if needed.
The last tool we will need to complete this guide is Frida.
Frida can be found here.
Frida can be installed with pip (python package manager)
pip install frida-tools
Now that we have our lab setup knocked out we can move on to solving some HTB challenges to get our feet wet with Android Pentesting.
We will be tackling Pinned and Manager.
First we will download Pinned and Manager from HTB Challenges. Once downloaded you can extract the files to your workspace. I used my Desktop for quick access.
The password is hackthebox to get the files.
Now we have access to the pinned.apk file.
You can drag and drop the pinned.apk to the emulator device.
You should now see Pinned in your apps.
Opening the app should reveal this login form. We are now ready to test this Android application.
The goal of this lab is to perform a SSL Pinning Bypass.
SSL pinning refers to a security technique used to prevent man-in-the-middle (MitM) attacks when establishing secure connections over HTTPS (SSL/TLS) between a mobile app and a server. This is preventing us from viewing HTTP requests/responses in Burp.
We will use Frida to bypass the SSL Pinning for this application and allow us to see the HTTP requests and responses in Burp Suite.
The last tool we will need to download is the Frida server. This is what we will install on the Android device/emulator to have our client Frida communicate with it.
You can download it here.
We can setup frida server started by doing the following commands:
unxz frida-server-[version]-android-x86.xz (unzip file) adb push frida-server-16.1.4-android-x86 /data/local/tmp/frida-server (move frida server to /data/local/tmp/) adb shell "chmod 755 /data/local/tmp/frida-server" (change permissions) adb shell (connect to device in shell) /data/local/tmp/frida-server & (start frida server)
With Frida Server started on our emulator/device we can run a frida command to identify running processes.
frida-ps -Uai
We should see our Pinned apk running. This means we can interact with this application.
Now we need to use a Frida script to perform our SSL Pinning bypass.
We will leverage this script.
We need do one last bit of prep work. Reading the script reveals we need a certificate in order to execute this. Running without the certificate will cause the Frida script to fail and result in this error:
We can use the same cert we exported from Burp Suite, that we also stored on the emulator in /sdcard. Running:
adb shell "cp /sdcard/burp.crt /data/local/tmp/cert-der.crt" adb shell "chmod 755 /data/local/tmp/cert-der.crt" (change permissions)
This will take the burp certificate we placed there earlier and copy the certificate to what the script is looking for it.
Now to execute the Frida SSL Pinning Bypass Script. To use the script we can run:
frida -U --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f com.example.pinned
Our Frida script should fire off and open Pinned on our emulator.
Clicking Login should now send a request through Burp. That means for this application we have bypassed the SSL Pinning and can analyze HTTP requests.
Here in Burp we can see the POST request and the flag.
The last lab will be for Manager. The purpose of the lab is analyzing HTTP requests and finding an issue with the logic of the application through Broken Access Control.
On Hack the Box we can download the Manager.zip and unzip with hackthebox as the password. Note this challenge needs a back end server to communicate with. Make sure to turn on the instance and get the public facing IP address and port.
With the Manager.apk file we can drag it to our Android Emulator to install it.
We can now see Manager on the emulator.
Opening the application shows inputs for the IP address and port from HTB.
Inserting the IP address and port from HTB and clicking connect will reveal a Login Form.
Trying to login as test:test reveals the message “User Not Found”.
Back in Burp we can see the POST request.
Let’s try and register a user for the application. I will use test:test.
With the test user created we can test these requests to see if we find any issues.
Let’s analyze the request in Repeater.
We are able to successfully update our password. What if we were able to update another users?
We can successfully update the admin password due to a broken access control oversight.
Now we can login as admin with the password test and retrieve the flag.
That completes this introduction guide to Android Pentesting. I hope it was able to help you successfully dive into the world of Android pentesting and exploitation. More will be posted in the near future to help expand on this content.
If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!
Jarrod