Book Image

Learning Pentesting for Android Devices

By : Aditya Gupta
Book Image

Learning Pentesting for Android Devices

By: Aditya Gupta

Overview of this book

Related Content you might be interested in

Current Title:

Small book image
Learning Pentesting for Android Devices
Aditya Gupta
Mar, 2014 | 154 pages
No titles found
Table of Contents (18 chapters)
Learning Pentesting for Android Devices
Learning Pentesting for Android Devices
Credits
Credits
Foreword
Foreword
About the Author
About the Author
Acknowledgments
Acknowledgments
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Getting Started with Android Security
Getting Started with Android Security
Introduction to Android
Digging deeper into Android
Sandboxing and the permission model
Application signing
Android startup process
Summary
2
Preparing the Battlefield
Preparing the Battlefield
Setting up the development environment
Useful utilities for Android Pentest
Summary
3
Reversing and Auditing Android Apps
Reversing and Auditing Android Apps
Android application teardown
Reversing an Android application
Using Apktool to reverse an Android application
Auditing Android applications
Content provider leakage
Insecure file storage
OWASP top 10 vulnerabilities for mobiles
Summary
4
Traffic Analysis for Android Devices
Traffic Analysis for Android Devices
Android traffic interception
Ways to analyze Android traffic
HTTPS Proxy interception
Extracting sensitive files with packet capture
Summary
5
Android Forensics
Android Forensics
Types of forensics
Filesystems
Using dd to extract data
Using Andriller to extract an application's data
Using AFLogical to extract contacts, calls, and text messages
Dumping application databases manually
Logging the logcat
Using backup to extract an application's data
Summary
6
Playing with SQLite
Playing with SQLite
Understanding SQLite in depth
Security vulnerability
Summary
7
Lesser-known Android Attacks
Lesser-known Android Attacks
Android WebView vulnerability
Infecting legitimate APKs
Vulnerabilities in ad libraries
Cross-Application Scripting in Android
Summary
8
ARM Exploitation
ARM Exploitation
Introduction to ARM architecture
Setting up the environment
Simple stack-based buffer overflow
Return-oriented programming
Android root exploits
Summary
9
Writing the Pentest Report
Writing the Pentest Report
Basics of a penetration testing report
Writing the pentest report
Summary
Security Audit of
Table of Contents
1.
2. Auditing and Methodology
3. Conclusions
Index
Index

2. Auditing and Methodology

2.1 Tools Used

Following are some of the tools used for the entire application auditing and penetration testing process:

  • Test Platform: Ubuntu Linux Desktop v12.04

  • Device: Nexus 4 running Android v4.4.2

  • The Android SDK

  • APKTool 1.5.2: To decompile the Android application into Smali source files

  • Dex2Jar 0.0.9.15.48: To decompile the Android application source to Java

  • JD-GUI 0.3.3: To read the Java source files

  • Burp Proxy 1.5: The proxy tool

  • Drozer 2.3.3: The Android Application Assessment Framework

  • NMAP 6.40: To scan web services

2.2 Vulnerabilities

Issue #1: Injection vulnerabilities in the Android application

Description: An injection vulnerability was found in the Android application in the DatabaseConnector.java file. The parameters account_id and account_name were passed to the SQLite query inside the application, making it vulnerable to SQLite injection.

Risk Level: Critical

Remediation: The user input should be properly sanitized before passing into the database commands...

Previous Section
End of Section 8
Next Section