Book Image

Hacking Android

By : Srinivasa Rao Kotipalli
Book Image

Hacking Android

By: Srinivasa Rao Kotipalli

Overview of this book

With the mass explosion of Android mobile phones in the world, mobile devices have become an integral part of our everyday lives. Security of Android devices is a broad subject that should be part of our everyday lives to defend against ever-growing smartphone attacks. Everyone, starting with end users all the way up to developers and security professionals should care about android security. Hacking Android is a step-by-step guide that will get you started with Android security. You’ll begin your journey at the absolute basics, and then will slowly gear up to the concepts of Android rooting, application security assessments, malware, infecting APK files, and fuzzing. On this journey you’ll get to grips with various tools and techniques that can be used in your everyday pentests. You’ll gain the skills necessary to perform Android application vulnerability assessment and penetration testing and will create an Android pentesting lab.
Table of Contents (17 chapters)
Hacking Android
Credits
About the Authors
About the Reviewer
www.PacktPub.com
Preface
Index

Configuring the AVD


Now the AVD has to be configured in such a way that traffic from the device goes through the proxy:

  1. Navigate to Home | Menu | Settings | Wireless & networks | Mobile Networks |Access Point Names.

  2. Here we will configure the following proxy settings:

    • Proxy

    • Port

    The following figure shows the IP address of the workstation. This is required to configure the AVD:

  3. Enter the IP address of the system here:

  4. After entering the IP address of the system, enter the port number, 8080, as shown here:

Once this is done, all the HTTP traffic from the device will be sent via the Burp proxy on your machine. We will make use of this setup extensively when we discuss weak server-side controls.

Drozer

Drozer is a tool used for automated Android app assessments. The following are the steps to get Drozer up and running.

Prerequisites

Following are the requirements for setting up:

  • A workstation (in my case Windows 7) with the following:

    • JRE or JDK

    • Android SDK

  • An Android device or emulator running Android 2.1 or later.

  1. First, grab a copy of the Drozer installer and Agent.apk from the following link:

    https://www.mwrinfosecurity.com/products/drozer/community-edition/

  2. Download the appropriate version of Drozer if you are working with a different setup than what we are using in this book.

  3. After downloading, run the Drozer installer. Installation uses the usual Windows installation wizard, as shown here:

  4. Click Next and choose the destination location for Drozer installation:

  5. As shown in the preceding screenshot, the default location is C:\drozer. It is recommended you use the default location if you would like to configure your system identical to ours. Follow the wizard's instructions to complete the installation. The installation window is shown in the following screenshot for your reference:

  6. Click Finish to complete the process:

The preceding installation process automatically installs all the required Python dependencies and sets up a complete Python environment.

To check the validity of the installation, perform the following steps:

  1. Start a new command prompt and run the drozer.bat file, as shown in the following screenshot:

  2. Now, install the agent.apk file we downloaded earlier onto your emulator. We can install .apk files using the adb command:

    adb install agent.apk
    
  3. To start working with Drozer for your assessments, we need to connect the Drozer console on the workstation to the agent on the emulator. To do this, start the agent on your emulator and run the following command to port forward. Make sure you are running the embedded server when launching the agent.

    adb forward tcp:31415 tcp:31415
    

    As we can see, the command completed successfully without any errors:

  4. Now, we can simply run the following command to connect to the agent from the workstation:

    [path to drozer dir]\drozer.bat console connect
    

    We should now be presented with the Drozer console, as shown here:

QARK (No support for windows)

According to their official GitHub page, QARK is an easy-to-use tool capable of finding common security vulnerabilities in Android applications. Unlike commercial products, it is 100% free to use. QARK features educational information allowing security reviewers to locate precise, in-depth explanations of vulnerabilities. QARK automates the use of multiple decompilers, leveraging their combined outputs to produce superior results when decompiling APKs.

QARK uses static analysis techniques to find vulnerabilities in Android apps and source code.

Getting ready

As of writing this, QARK only supports Linux and Mac:

  1. QARK can be downloaded from the following link:

    https://github.com/linkedin/qark/

  2. Extract QARK's contents, as shown here:

    Tip

    Make sure that you have all the dependencies mentioned in the GitHub page to run QARK.

  3. Navigate to the QARK directory and type in the following command:

    python qark.py
    

This will launch an interactive QARK console, shown in the following screenshot:

Advanced REST Client for Chrome

Advanced REST Client is an add-on for Chrome. This is useful for penetration testing REST APIs, which are often a part of mobile applications:

  1. Install the Google Chrome browser.

  2. Open the following URL:

    https://chrome.google.com/webstore/category/apps

  3. Search for Advanced REST client. You should see the following Chrome extension. Click the ADD TO CHROME button to add it to your browser:

  4. It will prompt you for your confirmation, as shown in the following screenshot:

  5. Once you are done adding this extension to Google Chrome, you should have the add-on available, as shown here:

Droid Explorer

Most of the time in this book, we will use command line tools to explore the Android filesystem, pulling/pushing data from/to the device. If you are a GUI lover, you will appreciate using Droid Explorer, a GUI tool to explore the Android filesystem on rooted devices.

Droid Explorer can be downloaded from the following link:

http://de.codeplex.com

Cydia Substrate and Introspy

Introspy is a blackbox tool which helps us to understand what an Android application is doing at runtime, and enables us to identify potential security issues.

Introspy Android consists of two modules:

  • Tracer: the GUI interface. It lets us select the target application(s) and the kinds of test we want to perform.

    • Cydia Substrate Extension (core): This is the core engine of the tool and is used to hook the applications; it lets us analyze the application at runtime to identify vulnerabilities.

  • Analyser: This tool helps us to analyze the database saved by Tracer to create reports for our further analysis.

Follow this process to set up Introspy:

  1. Download Introspy Tracer from the following link:

    https://github.com/iSECPartners/Introspy-Android

  2. Download Introspy Analyzer from the following link:

    https://github.com/iSECPartners/Introspy-Analyzer

  3. Installing Cydia Substrate for Android is a requirement in order to successfully install Introspy. Let's download it from the Android Play Store and install it:

  4. Now, install Introspy-Android Config.apk and Introspy-Android Core.apk, which we downloaded in step 1. These are the commands to install them using adb:

    adb install Introspy-Android Config.apk
    adb install Introspy-Android Core.apk
    

You should see the following icons if the installation was successful:

SQLite browser

We often come across SQLite databases when dealing with Android applications. SQLite browser is a tool that can be used to connect to SQLite databases. It allows us to perform database operations using some eye candy:

  1. SQLite browser can be downloaded from the following link:

    http://sqlitebrowser.org

  2. Run the installer and continue with the setup (it is straightforward):

  3. Once finished with the installation, you should see the following interface:

Frida

Frida is a framework developed for the dynamic instrumentation of apps on various platforms, which includes support for Android, iOS, Windows and Mac. This tool helps us hook into the apps and performs runtime manipulation.

Some important links are as follows:

https://github.com/frida/frida

http://www.frida.re/docs/android/

The following section shows how to set up Frida. We have used a Mac in this example.

Prerequisites:

  • Frida client: This will be running on the workstation

  • Frida server: This will be running on the device

Setting up Frida server

  1. Download Frida server onto your local machine using the following command:

    curl -O http://build.frida.re/frida/android/arm/bin/frida-server
    
    
    $ curl -O http://build.frida.re/frida/android/arm/bin/frida-server
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 12.0M  100 12.0M    0     0   232k      0  0:00:53  0:00:53 --:--:--  166k
    $
    

    This step should download the frida-server binary to the workstation and into the current directory.

  2. Give Frida server execute permissions using the following command:

    chmod +x frida-server
    
  3. Push the frida-server binary to the device using adb push, as shown here:

    $ adb push frida-server /data/local/tmp/
    
  4. Now, get a shell on the device with root privileges and run frida-server as shown here:

    $ adb shell
    shell@android:/ $ su
    root@android:/ # cd /data/local/tmp
    root@android:/data/local/tmp # ./frida-server & 
    [1] 5376
    root@android:/data/local/tmp #
    

Setting up frida-client

Installing frida-client is as simple as issuing the following command:

$ sudo pip install frida
Password:
Downloading/unpacking frida
  Downloading frida-5.0.10.zip
  Running setup.py (path:/private/tmp/pip_build_root/frida/setup.py) egg_info for package frida
    
Downloading/unpacking colorama>=0.2.7 (from frida)
  Downloading colorama-0.3.3.tar.gz
  Running setup.py (path:/private/tmp/pip_build_root/colorama/setup.py) egg_info for package colorama
    
Downloading/unpacking prompt-toolkit>=0.38 (from frida)
  Downloading prompt_toolkit-0.53-py2-none-any.whl (188kB): 188kB downloaded
Downloading/unpacking pygments>=2.0.2 (from frida)
  Downloading Pygments-2.0.2-py2-none-any.whl (672kB): 672kB downloaded
Requirement already satisfied (use --upgrade to upgrade): six>=1.9.0 in /Library/Python/2.7/site-packages/six-1.9.0-py2.7.egg (from prompt-toolkit>=0.38->frida)
Downloading/unpacking wcwidth (from prompt-toolkit>=0.38->frida)
  Downloading wcwidth-0.1.5-py2.py3-none-any.whl
Installing collected packages: frida, colorama, prompt-toolkit, pygments, wcwidth
  Running setup.py install for frida
    downloading prebuilt extension from https://pypi.python.org/packages/2.7/f/frida/frida-5.0.10-py2.7-macosx-10.11-intel.egg
    extracting prebuilt extension
    
    Installing frida-ls-devices script to /usr/local/bin
    Installing frida script to /usr/local/bin
    Installing frida-ps script to /usr/local/bin
    Installing frida-trace script to /usr/local/bin
    Installing frida-discover script to /usr/local/bin
  Running setup.py install for colorama
    
Successfully installed frida colorama prompt-toolkit pygments wcwidth
Cleaning up...
$
Testing the setup

Now the client and server are ready. We need to configure port forward with adb before we can start using them. Use the following commands to enable port forwarding:

$ adb forward tcp:27042 tcp:27042
$ adb forward tcp:27043 tcp:27043

Now, type in —help to check the Frida client options:

$ frida-ps --help
Usage: frida-ps [options]

Options:
  --version           show program's version number and exit
  -h, --help          show this help message and exit
  -D ID, --device=ID  connect to device with the given ID
  -U, --usb           connect to USB device
  -R, --remote        connect to remote device
  -a, --applications  list only applications
  -i, --installed     include all installed applications
$

As we can see in the preceding output, we can use –R to connect to the remote device. This acts as a basic test for testing our setup:

$ frida-ps -R
  PID  Name
-----  ----------------------------------------
  177  ATFWD-daemon
  233  adbd
 4722  android.process.media
  174  cnd
  663  com.android.phone
 4430  com.android.settings
  757  com.android.smspush
  512  com.android.systemui
  .
  .
  .
  .
  .
  .
  138  vold
  2533  wpa_supplicant
  158  zygote
$

As we can see, a list of running processes has been listed down.

Vulnerable apps

We will be using various vulnerable Android applications to showcase typical attacks on Android apps. These provide a safe and legal environment for readers to learn about Android security:

  • GoatDroid:

    https://github.com/jackMannino/OWASP-GoatDroid-Project

  • SSHDroid:

    https://play.google.com/store/apps/details?id=berserker.android.apps.sshdroid&hl=en

  • FTP Server:

    https://play.google.com/store/apps/details?id=com.theolivetree.ftpserver&hl=en

Kali Linux

Kali Linux is a penetration testing distribution often used by security professionals to perform various security tests.

It is suggested that readers install a copy of Kali Linux in VirtualBox or VMware to prepare for network-level attacks on Android devices. Kali Linux can be downloaded from the following link:

https://www.kali.org/downloads/