Download the mobile application (APK)
Browser plugins
Websites
Useful tools
Tools to root Android devices
Static code analysis
Decompile APK and look for clear text passwords.
- Review application permissions and search in source code using Mobile Security Framework (MobSF).
- JADX – Command line and GUI tools for producing Java source code from Android Dex and Apk files
- smali – tools already in Kali
APKtool
sudo apt install apktool
apktool d <filename>.apk # Decompile the APK
Developer option on Samsung phones (hidden)
Gaining access to developer options is a step you might need to root a Samsung phone.
- Go in the phone settings -> about phone
- Click on the software information tab
- Click on build number seven times
- You should have a new folders with a few built-in tools under about phone
dex2jar
Installation
sudo apt install dex2jar
Convert .apk to .zip
d2j-std-apk <filename>.apk -o <filename>.zip
Convert .dex to .jar
d2j-dex2jar classes.dex
Extract .jar file
unzip <filename>.jar
Read .class files
Use JD-GUI. Refer to Java Cheat Sheet.
Run APK files
See Anbox.
Android Studio
Requires a lot of space. Do some cleanup first…
Download Android Studio. Click Download Android Studio Ladybug (or any other version).
mv ~/Downloads/android-studio-2024.2.1.11-linux.tar.gz ~/
tar -xvzf android-studio-2024.2.1.11-linux.tar.gz
rm android-studio-2024.2.1.11-linux.tar.gz
cd android-studio/bin
./studio.sh
Follow instructions to complete installation.
To run an APK file:
- Create a new empty project.
- Click on File->Profile or Debug APK.
- Choose your .apk file.
- Click on the Run icon.
Real-time analysis
Analyze and interact with the mobile application while executing it.
- Android Debug Bridge (adb) – Android Debugger (need to connect to mobile)
- Dexcalibur
Drozer
Drozer (deprecated) is a security testing framework for Android. There is an agent on the device, which uses a reverse shell to the computer. See available commands.
drozer console connect
list
SSL Certificate Pinning
Some mobile applications use SSL certificate pinning. Certificate pinning is the process of associating a host with their expected X.509 certificate or public key. Once a certificate or public key is known or seen for a host, the certificate or public key is associated or ‘pinned’ to the host.
Use Magisk for virtualizing and unifying the system store and user store in one unique certificate store; it works for apps trusting custom CA, but not for those using certificate pinning.
Network security configuration is often in the manifest. Or else is validated at execution time.
Hooking: inject code at execution time.
Technique 1 (preferred) : once for all APK
Use this procedure when the app uses certificate pinning and send requests to Burp Suite.
Test on device, use objection. There is an option within objection to bypass cert pinning at runtime. How to : Patching Android Applications
Install objection on the machine
#apt install python3-pip
pip3 install objection
Install Frida on the mobile device
to confirm
Technique 2: to be done for each APK
Decompile, modify certs, recompile, sign, test locally. Use SDK WITHOUT Play Store. How to: Configuring Burp Suite With Android Nougat
- apktool – a tool in Kali for reengineering Android apk files
Find secrets in Android Keystroke
- Mobile device must be rooted first. Requires a Frida server on the mobile device.
- Download the script tracer-cipher.js (GitHub).
Extract secrets from keystroke
frida -U -f com.<SOME PACKAGE> -l tracer-cipher.js