Android Application Security Testing checklist

Hello! This post contains a few major checklists collated from my experience in penetration testing Android mobile applications.

This post should also help push you in the right direction for setting up your Android pentest environment.

And please note that this list is non-exhaustive and is meant to give fellow pentesters a quick checklist for Android mobile app pentesting.

I use an Android Virtual Device (AVD) from Android Studio to perform business logic / functionality security tests.

Download the latest Android Studio, followed by the SDK for the same, from here:

https://developer.android.com/studio/

You can find many tutorials online on how to set up Android Studio, so I will skip that part.

Once done, open the APK file in Android Studio and look at AndroidManifest.xml for major misconfiguration checks.

Permission checklist:

  1. android.permission.WRITE_EXTERNAL_STORAGE should not be requested. If it is, the application can modify/delete SD card contents.
  2. The debuggable flag should be set to false in a production system. If it is set to true, sensitive information can be extracted by an attacker with physical access to the mobile device.
  3. android.permission.GET_TASKS should not be requested. If it is, the application will be able to retrieve information about other currently running tasks.
  4. android.permission.WAKE_LOCK should not be requested in most cases, unless there is a huge data sync between the app and the back-end service. If it is, the application can prevent the phone from going to sleep.
  5. The backup flag android:allowBackup should be explicitly set to false in the manifest file. By default it is set to true, which means anyone can back up the app's data through the ADB shell. cmd : adb backup -f app_backup.ab -apk <<com.myapp>>
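The five checks above as a script, run against a decoded (plain-text) AndroidManifest.xml. This is an added example, not part of the original post; `audit_manifest`, `RISKY_PERMISSIONS` and the sample manifest (package `com.example.demo`) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes

# Permissions from the checklist above and what each one allows.
RISKY_PERMISSIONS = {
    "android.permission.WRITE_EXTERNAL_STORAGE": "can modify/delete SD card contents",
    "android.permission.GET_TASKS": "can read information about other running tasks",
    "android.permission.WAKE_LOCK": "can keep the phone from going to sleep",
}

# Constructed sample manifest (not taken from a real application).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <application android:debuggable="true" android:label="Demo"/>
</manifest>"""


def audit_manifest(xml_text):
    """Return a sorted list of (item, reason) findings for a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    # Items 1, 3 and 4: permissions that should not be requested.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(A + "name", "")
            if name in RISKY_PERMISSIONS:
                findings.append((name, RISKY_PERMISSIONS[name]))
    app = root.find("application")
    attrs = app.attrib if app is not None else {}
    # Item 2: debuggable defaults to false, so only an explicit "true" is a finding.
    if attrs.get(A + "debuggable", "false").lower() == "true":
        findings.append(("android:debuggable", "set to true in the manifest"))
    # Item 5: allowBackup defaults to true, so a missing attribute is a finding too.
    backup = attrs.get(A + "allowBackup")
    if backup is None:
        findings.append(("android:allowBackup", "not set, defaults to true"))
    elif backup.lower() != "false":
        findings.append(("android:allowBackup", "set to %s" % backup))
    return sorted(set(findings))


if __name__ == "__main__":
    for item, reason in audit_manifest(SAMPLE_MANIFEST):
        print("[!] %s: %s" % (item, reason))
```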

Decompile/reverse the APK file using apktool:

cmd :

apktool d <<myapkfile.apk>>

Check for any interesting library files or source files that are exposed.

Check for any platform-specific config files (example: for apps developed using Apache Cordova, check config.xml) and verify its permissions.

For example, for apps developed using Cordova:

  1. Check if the whitelist plugin is enabled to protect against cross-site scripting (XSS) attacks.

 >> Check for SSL pinning, to verify whether we can intercept SSL traffic using a user-generated cert.

(Note: Android API < 23 accepts user-generated certs. To build a test environment for dynamic analysis, generate a Burp CA certificate, install it on Android and verify that you are able to intercept SSL traffic.)

Steps to intercept SSL traffic (API < 23) using a user-generated SSL certificate on an Android device:

1. Get the CA cert from Burp.

2. Move the cacert.cer to the Android virtual device.

3. Go to Settings > Security > set up a screen lock using a PIN, and set up the PIN.

4. Go to Settings > Security > Install certificate from SD card, and install the copied certificate.

5. Now set up a Burp proxy to listen on all interfaces on a specific port (ex: port 8081).

6. Now go to the proxy settings of the launched Android virtual machine and point them at the listening Burp proxy. You should now be able to intercept SSL traffic from your mobile application for further dynamic analysis.

Dynamic analysis:

Every application is unique and has its own business logic. Critical issues come from improper business logic, so understanding the application flow is the key to further security analysis. Here, everything from parameter manipulation to privilege escalation is in scope and depends on the application logic. In addition to that, here are a few things to check:

> Check for unauthenticated API service calls and resource calls, which lead to easy privilege escalation and sensitive data exposure.

> Check for any juicy content by extracting the DB file (if present), which may reveal credentials and other sensitive data.

(Note: normally application-specific DB files are stored at /data/data/apppackagename/databases/databasename.db)

Once you get the database file, copy it to the host system and analyse it using DB Browser for SQLite for juicy info. ( adb pull <<dbfile>>.db )

(Note: adb file location: Android\Sdk\platform-tools\adb.exe)

> Monitor and look out for juicy debugging logs and sensitive information with the help of ADB logcat.

$ adb shell
# logcat

You can also write out or filter only the logs specific to your application; check out the Android dev community for the proper syntax.

And finally, last but not least, you can install and run awesome tools such as MobSF (https://github.com/MobSF/Mobile-Security-Framework-MobSF) for automated static and dynamic analysis and neat reports for the same.

(Note: this list is non-exhaustive, and I am in no way responsible for use of the above information in any unlawful way.)

Hope you enjoyed the quick checklist. That's it for today! Have a good day! 🙂