In the 2020s, the vast majority of internet traffic comes from mobile devices. However, most pentesters learn app security in the context of traditional, desktop web apps. While attacking the browser matters for offensive security (in particular bug bounty hunting), a lot of new and exciting security work occurs in the mobile sphere. Best yet, since fewer hackers know how to work with mobile, finding bugs often needs less skill! So if you want to hunt bugs in the medium of the present while finding profitable low-hanging fruit, Android pentesting is what you want.
Why Android? A few reasons spring to mind:
- Android holds a wider marketshare worldwide than any other mobile OS.
- iOS is a less open platform that’s harder to jump into as a hacker.
- It’s free and has a better ecosystem of hacking tools.
Who could ask for better traits in a pentesting target? Note that this guide will merely expose you to the world of Android pentesting. To become a true Android hacker, you’ll need to explore the resources we link to at the end.
API pentesting
Wait, APIs? Are you surprised? Well, think about it – when a mobile app interacts through the internet, it usually does so via an API. Which means that a big part of Android pentesting just needs your normal web security knowledge.
Here’s an example of Burp proxy intercepting a mobile request:
Pretty familiar, right? One thing to be aware of – setting up Burp (and other API security tools) to work through mobile requires a few extra steps. Often, you’ll also need a rooted device.
For a full guide to setting up Burp for Android, check out PortSwigger’s official docs.
Since mobile APIs tend to receive much less scrutiny, bugs are way easier to find. So crack open Burp and check to see that the API of your favorite small app even uses auth or not!
Static analysis
The phrase static analysis really just means looking through the code for vulns, instead of the live app as it runs. There are two usual ways to do this:
- Finding the source on Github (if it’s open source), or
- Unpacking the .apk and reverse engineering the app.
In either case, it helps a lot to have a deep knowledge of Android dev. Of course, classic techniques like looking for secrets in the Git commit history will still work! In reality, an Android .apk file is just a Java JAR archive with some extra Android files added in. Learning Java and Kotlin can seem like a huge obstacle when you’re new to Android, but it pays off in the end.
Exploring app data
Luckily, poking around an Android app (and system, for that matter!) is easy thanks to ADB, aka the Android Debug Bridge. If you have used GDB, the popular debugger for C on Linux, then ADB should be pretty familiar. Here’s how you use it.
First, download and then install Android Studio on your system. Then, use the adb shell command to open an ADB console. You’ll have to connect your Android phone to your computer via USB to debug via the shell.
With ADB running, you can install apps, debug them, and generally administer your system much more easily. To test if you have it running successfully, try running:
$ adb shell ls /system/bin
You should get a list of executable commands that you can use within Android. Want to see what else you can do? Check out the official Android dev docs section on ADB for a full guide: https://developer.android.com/tools/adb.
Android pentesting frameworks
When it comes to Android pentesting, one framework stands head and shoulders above the others: drozer.
According to the developers of Drozer:
drozer allows you to assume the role of an Android app and interact with other apps. It can do anything that an installed application can do, such as make use of Android’s Inter-Process Communication (IPC) mechanism and interact with the underlying operating system.
https://labs.withsecure.com/tools/drozer
Basically, drozer makes it easy to automate pentesting tasks, such as running small Java scriptlets on a device. Oh, by the way, it’s free and open source, so no need to worry about buying a fancy enterprise license just to use it. Since it’s a cross platform tool, you an also use it on either of the three “main” operating systems (Linux, MacOS, or Windows) with no problem.
Using drozer combines all of the topics we talked about earlier in this article. The tool will help you test mobile APIs, or interact with some tricky data. Furthermore, it’s built using ADB under the hood. In fact, drozer uses a CLI similar in many respects to drozer’s.
Selecting ebe9fcc0c47b28da (Google sdk_gphone64_x86_64 12)
.. ..:.
..o.. .r..
..a.. . ....... . ..nd
ro..idsnemesisand..pr
.otectorandroidsneme.
.,sisandprotectorandroids+.
..nemesisandprotectorandroidsn:.
.emesisandprotectorandroidsnemes..
..isandp,..,rotecyayandro,..,idsnem.
.isisandp..rotectorandroid..snemisis.
,andprotectorandroidsnemisisandprotec.
.torandroidsnemesisandprotectorandroid.
.snemisisandprotectorandroidsnemesisan:
.dprotectorandroidsnemesisandprotector.
drozer Console (v3.0.0)
dz>
Learn more about Android pentesting
The first step towards learning offensive security on Android is to learn Android app dev. Here are some resources which can help you towards that goal:
Once you’ve finished these courses, you should move on to some training which specifically teaches you Android security. Two really good examples are:
- INE Security’s Mobile Application Penetration Tester (eMAPT) certification
- TCM Security’s Mobile Application Penetration Testing course
Theory is great and all, but after all that coursework, you’ll probably want to get your hands dirty a bit in the real world. Therefore, your next step should be trying your skills in realistic CTF games. Lucky for us mobile security addicts, a vast array of CTFs exist that focus on Android hacking.
A few links to Android CTFs are listed on this Github Awesome List: https://github.com/xtiankisutsa/awesome-mobile-CTF. You can learn from CTFs by reading writeups, in addition to actually playing. For example, check out this absolutely fantastic Android CTF writeup from a legendary mobile hacker: https://www.spght.dev/articles/07-08-2021/pico-ctf-droids.
Since it’s open source but also a bit niche, Android is one of the coziest hacking platforms for a beginner. Especially when you compare it to the saturated world of web hacking, or the lofty Urbit security scene. Be patient and never stop learning, and you will be one of the best in no time flat. Happy hacking!
Leave a Reply