Android is a mobile operating system developed by Google, designed mainly for touchscreen devices such as smartphones and tablets. It was originally released on 23 September 2008, and 11 versions have been released to date, from Gingerbread to Pie. The number of mobile users keeps growing day by day, and the Google Play store, Android's application market, holds more than 26 lakh (2.6 million) applications.
Requirements for mobile application penetration testing:
- Operating system (Kali or Windows)
- Emulator or device (must be rooted)
- Objection
- Drozer
- adb
- Burp Suite
- Apktool
- JD-GUI
- Dex2jar
- MobSF
Static Analysis
Static analysis is also referred to as reverse engineering the Android application. By reverse engineering the application we can read the source code that was used to build it, and that source code reveals many of the application's vulnerabilities.
Static analysis means dissecting the Android application part by part. First, decompile the APK file with apktool:
Command: apktool d apk_file.apk
apktool creates a directory named after the application package, containing the decoded contents of the APK. Start with the AndroidManifest.xml file: it is the configuration file of the Android application and declares, among other things:
- The app’s package name, which usually matches your code’s namespace. The Android build tools use this to determine the location of code entities when building your project.
- The components of the app, which include all activities, services, broadcast receivers, and content providers.
- The permissions that the app needs in order to access protected parts of the system or other apps. It also declares any permissions that other apps must have if they want to access content from this app.
- The hardware and software features the app requires, which affects which devices can install the app from Google Play.
Things to check in the AndroidManifest.xml file:
- The permissions the application requests
- The application's debug flag (android:debuggable) must be disabled
- Activities should have android:exported set to false unless they must be reachable from other apps
- The allowBackup flag should be set to false
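The manifest checks above can be automated for a first pass. The following is an added example (not from the original article or from any of the tools it lists); it parses a constructed sample manifest and reports the debug flag, the backup flag, permissions worth a second look, and exported components that carry no permission, including the pre-Android 12 case where an intent-filter makes a component exported by default.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Constructed short list of permissions worth a second look during review.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO",
}
# Constructed sample manifest (not from any real app) showing the weak settings.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.target">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".LoginActivity" android:exported="true"/>
    <activity android:name=".AdminActivity">
      <intent-filter><action android:name="android.intent.action.VIEW"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <receiver android:name=".SmsReceiver" android:exported="true"
        android:permission="com.example.target.PRIVATE"/>
  </application>
</manifest>"""


def attr(element, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return element.get(ANDROID_NS + name)


def audit_manifest(xml_text):
    """Return a list of findings matching the manifest checklist."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if attr(app, "debuggable") == "true":
        findings.append("debuggable=true")
    if attr(app, "allowBackup") != "false":  # defaults to true when absent
        findings.append("allowBackup not set to false")
    for perm in root.iter("uses-permission"):
        if attr(perm, "name") in SENSITIVE_PERMISSIONS:
            findings.append("sensitive permission: " + attr(perm, "name"))
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.iter(tag):
            exported = attr(comp, "exported")
            # Pre-Android 12 default: a component with an <intent-filter> is
            # exported unless android:exported="false" is written explicitly.
            implicit = exported is None and comp.find("intent-filter") is not None
            if (exported == "true" or implicit) and attr(comp, "permission") is None:
                findings.append("exported %s without permission: %s" % (tag, attr(comp, "name")))
    return findings
```

Run it against the AndroidManifest.xml that apktool decoded instead of the sample, and confirm each exported component finding by hand, since a launcher activity is legitimately exported.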
The other decoded folders should also be checked for sensitive files stored in clear text. To get at the Java code, use dex2jar to convert the classes in the APK into a jar file:
Command: d2j-dex2jar.sh apk_file.apk
Once the jar file has been extracted (dex2jar names it apk_file-dex2jar.jar by default), open it in jd-gui to view the decompiled source code of the application. The source then has to be analyzed manually, file by file.
Things to look for in the source code of the application:
- Hard-coded usernames and passwords, using a grep command such as: grep -ir "password" .
- Weak cryptographic algorithms such as MD5 and SHA-1
- How SSL certificates are handled in the application's communication
- Raw SQL queries built without input sanitization
- Sensitive data stored without encryption
- Unprotected WebViews
- Unprotected intents or activities
- Whether obfuscation is used to hide the source code
- Root detection capability in the application
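Several items in this checklist are patterns that can be grepped for before the manual file-by-file review. The following is an added example (not part of the original article) with constructed regex heuristics run over a constructed Java snippet that resembles jd-gui output; it flags hard-coded credentials, MD5/SHA-1 digests, SQL built by string concatenation, JavaScript-enabled WebViews, custom trust managers and debug logging.

```python
import re

# Constructed heuristics for a first pass over jd-gui output; every hit
# still needs manual confirmation in context.
RULES = [
    ("hardcoded credential", re.compile(r'(?i)(password|passwd|secret|api_?key)\s*=\s*"[^"]+"')),
    ("weak digest (MD5/SHA-1)", re.compile(r'MessageDigest\.getInstance\(\s*"(MD5|SHA-?1)"')),
    ("raw SQL built by concatenation", re.compile(r'(rawQuery|execSQL)\([^;]*"\s*\+')),
    ("JavaScript-enabled WebView", re.compile(r'setJavaScriptEnabled\(\s*true\s*\)')),
    ("custom trust manager / hostname verifier", re.compile(r'X509TrustManager|ALLOW_ALL_HOSTNAME_VERIFIER')),
    ("debug logging", re.compile(r'\bLog\.[dv]\(')),
]

# Constructed Java resembling decompiler output; not from any real app.
SAMPLE_JAVA = """\
public class AuthHelper {
    private static final String PASSWORD = "Sup3rS3cret!";
    String hash(String in) throws Exception {
        MessageDigest md = MessageDigest.getInstance("MD5");
        return new String(md.digest(in.getBytes()));
    }
    Cursor find(SQLiteDatabase db, String user) {
        return db.rawQuery("SELECT * FROM users WHERE name = '" + user + "'", null);
    }
    void setup(WebView view) {
        view.getSettings().setJavaScriptEnabled(true);
        Log.d("Auth", "using " + PASSWORD);
    }
}
"""


def scan_source(text):
    """Return (line_number, rule_name) pairs for every rule that fires on a line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


if __name__ == "__main__":
    for lineno, name in scan_source(SAMPLE_JAVA):
        print("line %d: %s" % (lineno, name))
```

To use it on real output, read each .java file produced by jd-gui and pass its contents to scan_source; the line numbers refer to the decompiled file.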
For a more detailed analysis, MobSF (Mobile Security Framework), an Android application scanner, can be used to obtain a more in-depth report on the application.
Dynamic Analysis
Static analysis is essentially a source code review. In dynamic analysis the main focus is testing the application while it runs in an actual environment, which requires a real device or an emulator, rooted in either case. The obvious question is why a rooted device is needed for penetration testing. With a rooted device or emulator we can access the system files of the Android OS, which gives much more flexibility during the test. The application's files, including its databases and preference files, are found under /data/data/<application_package_name>/. If the device or emulator is not rooted, this location is inaccessible and something important can be missed.
The main things to look for in that location are any configuration files belonging to the application and any sensitive information the application stores without encryption.
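Once the /data/data/<application_package_name>/ directory has been pulled from the rooted device, the review can be scripted. The following is an added example (not from the original article) that builds a constructed stand-in for that directory and then audits it for files readable by other UIDs and for shared_prefs keys whose names suggest a clear-text secret; the directory layout and key names are assumptions chosen for the sample.

```python
import os
import re
import tempfile

# Preference keys whose names suggest a secret; constructed heuristic.
SECRET_KEY = re.compile(r"(?i)(password|passwd|token|secret|api_?key)")


def build_sample_tree():
    """Build a constructed stand-in for /data/data/<package>/ (sample data,
    not pulled from a real device) containing one weak file mode and one
    clear-text credential in shared_prefs."""
    base = tempfile.mkdtemp(prefix="app_data_")
    prefs = os.path.join(base, "shared_prefs")
    dbs = os.path.join(base, "databases")
    os.makedirs(prefs)
    os.makedirs(dbs)
    with open(os.path.join(prefs, "session.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n'
                '<map>\n'
                '  <string name="auth_token">CONSTRUCTED_TOKEN_VALUE</string>\n'
                '  <string name="theme">dark</string>\n'
                '</map>\n')
    with open(os.path.join(dbs, "cache.db"), "wb") as f:
        f.write(b"SQLite format 3\x00")
    os.chmod(os.path.join(prefs, "session.xml"), 0o600)  # private, as it should be
    os.chmod(os.path.join(dbs, "cache.db"), 0o666)       # readable by any other UID
    return base


def audit_app_data(base):
    """Return findings: files other UIDs can access, and shared_prefs keys
    whose names suggest a secret stored in clear text."""
    findings = []
    for dirpath, _, files in os.walk(base):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, base)
            mode = os.stat(path).st_mode & 0o777
            if mode & 0o007:  # any "other" permission bit set
                findings.append("world-accessible file: %s (%s)" % (rel, oct(mode)))
            if os.path.basename(dirpath) == "shared_prefs" and name.endswith(".xml"):
                with open(path) as f:
                    keys = re.findall(r'name="([^"]+)"', f.read())
                findings.extend("clear-text secret in %s: %s" % (rel, k)
                                for k in keys if SECRET_KEY.search(k))
    return findings
```

Point audit_app_data at a directory pulled with adb to run the same checks on real application data; the file mode check assumes the pull preserved the original permission bits.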
Drozer is a great tool for checking whether one activity can be reached directly, bypassing another. It can be used to test the access control of the application, for example bypassing the login and reaching sensitive information, and it also scans for injection points in the application.
Sometimes the application has SSL certificate information embedded in it (SSL pinning), in which case the traffic from the mobile application cannot be intercepted in Burp Suite for testing. To disable the SSL pinning implemented in the application, we use the tool objection:
Command: android sslpinning disable
Points to check during dynamic analysis:
- Proper access control must be implemented in the Android application
- User input must be properly sanitized before it is sent to the server
- Any leakage of sensitive information in logs
- Proper session management in the application
- Business logic flaws
For the web application part of the penetration test we can use Burp Suite to intercept the traffic between the mobile application and the server and check it for flaws. The checklist for this follows the OWASP Top 10 categories for testing web applications:
- A1:2017-Injection
- A2:2017-Broken Authentication
- A3:2017-Sensitive Data Exposure
- A4:2017-XML External Entities (XXE)
- A5:2017-Broken Access Control
- A6:2017-Security Misconfiguration
- A7:2017-Cross-Site Scripting (XSS)
- A8:2017-Insecure Deserialization
- A9:2017-Using Components with Known Vulnerabilities
- A10:2017-Insufficient Logging & Monitoring
Penetration testing a mobile application covers all three aspects: static analysis, dynamic analysis and web application testing. A vulnerability in a mobile application can have a huge impact on the organization, so proper guidelines must be followed when developing an Android application.