Configuring the AVD

Drozer is a tool used for automated Android app assessments. The following are the steps to get Drozer up and running.

According to their official GitHub page, QARK is an easy-to-use tool capable of finding common security vulnerabilities in Android applications. Unlike commercial products, it is 100% free to use. QARK features educational information allowing security reviewers to locate precise, in-depth explanations of vulnerabilities. QARK automates the use of multiple decompilers, leveraging their combined outputs to produce superior results when decompiling APKs.

QARK uses static analysis techniques to find vulnerabilities in Android apps and source code.

Getting ready

As of writing this, QARK only supports Linux and Mac:

1. QARK can be downloaded from the following link:

   https://github.com/linkedin/qark/

2. Extract QARK's contents, as shown here:
   

   Tip

   Make sure that you have all the dependencies mentioned in the GitHub page to run QARK.

3. Navigate to the QARK directory and type in the following command:

   python qark.py
   

This will launch an interactive QARK console, shown in the following screenshot:

Advanced REST Client is an add-on for Chrome. This is useful for penetration testing REST APIs, which are often a part of mobile applications:

Most of the time in this book, we will use command line tools to explore the Android filesystem, pulling/pushing data from/to the device. If you are a GUI lover, you will appreciate using Droid Explorer, a GUI tool to explore the Android filesystem on rooted devices.

Droid Explorer can be downloaded from the following link:

http://de.codeplex.com

Introspy is a blackbox tool which helps us to understand what an Android application is doing at runtime, and enables us to identify potential security issues.

Introspy Android consists of two modules:

Follow this process to set up Introspy:

You should see the following icons if the installation was successful:

We often come across SQLite databases when dealing with Android applications. SQLite browser is a tool that can be used to connect to SQLite databases. It allows us to perform database operations using some eye candy:

Frida is a framework developed for the dynamic instrumentation of apps on various platforms, which includes support for Android, iOS, Windows and Mac. This tool helps us hook into the apps and performs runtime manipulation.

Some important links are as follows:

https://github.com/frida/frida

http://www.frida.re/docs/android/

The following section shows how to set up Frida. We have used a Mac in this example.

Prerequisites:

$ sudo pip install frida
Password:
Downloading/unpacking frida
  Downloading frida-5.0.10.zip
  Running setup.py (path:/private/tmp/pip_build_root/frida/setup.py) egg_info for package frida
    
Downloading/unpacking colorama>=0.2.7 (from frida)
  Downloading colorama-0.3.3.tar.gz
  Running setup.py (path:/private/tmp/pip_build_root/colorama/setup.py) egg_info for package colorama
    
Downloading/unpacking prompt-toolkit>=0.38 (from frida)
  Downloading prompt_toolkit-0.53-py2-none-any.whl (188kB): 188kB downloaded
Downloading/unpacking pygments>=2.0.2 (from frida)
  Downloading Pygments-2.0.2-py2-none-any.whl (672kB): 672kB downloaded
Requirement already satisfied (use --upgrade to upgrade): six>=1.9.0 in /Library/Python/2.7/site-packages/six-1.9.0-py2.7.egg (from prompt-toolkit>=0.38->frida)
Downloading/unpacking wcwidth (from prompt-toolkit>=0.38->frida)
  Downloading wcwidth-0.1.5-py2.py3-none-any.whl
Installing collected packages: frida, colorama, prompt-toolkit, pygments, wcwidth
  Running setup.py install for frida
    downloading prebuilt extension from https://pypi.python.org/packages/2.7/f/frida/frida-5.0.10-py2.7-macosx-10.11-intel.egg
    extracting prebuilt extension
    
    Installing frida-ls-devices script to /usr/local/bin
    Installing frida script to /usr/local/bin
    Installing frida-ps script to /usr/local/bin
    Installing frida-trace script to /usr/local/bin
    Installing frida-discover script to /usr/local/bin
  Running setup.py install for colorama
    
Successfully installed frida colorama prompt-toolkit pygments wcwidth
Cleaning up...
$

$ adb forward tcp:27042 tcp:27042
$ adb forward tcp:27043 tcp:27043

$ frida-ps --help
Usage: frida-ps [options]

Options:
  --version           show program's version number and exit
  -h, --help          show this help message and exit
  -D ID, --device=ID  connect to device with the given ID
  -U, --usb           connect to USB device
  -R, --remote        connect to remote device
  -a, --applications  list only applications
  -i, --installed     include all installed applications
$

$ frida-ps -R
  PID  Name
-----  ----------------------------------------
  177  ATFWD-daemon
  233  adbd
 4722  android.process.media
  174  cnd
  663  com.android.phone
 4430  com.android.settings
  757  com.android.smspush
  512  com.android.systemui
  .
  .
  .
  .
  .
  .
  138  vold
  2533  wpa_supplicant
  158  zygote
$

We will be using various vulnerable Android applications to showcase typical attacks on Android apps. These provide a safe and legal environment for readers to learn about Android security:

Kali Linux is a penetration testing distribution often used by security professionals to perform various security tests.

It is suggested that readers install a copy of Kali Linux in VirtualBox or VMware to prepare for network-level attacks on Android devices. Kali Linux can be downloaded from the following link:

https://www.kali.org/downloads/