Android

Download the mobile application (APK)

Browser plugins

• APK Downloader: Chrome | Firefox

Websites

• APKmonk

Useful tools

• Burp Suite

Tools to root Android devices

• KingRoot
• Magisk Manager

Static code analysis

Decompile APK and look for clear text passwords.

• Review application permissions and search in source code using Mobile Security Framework (MobSF).
• JADX – Command line and GUI tools for producing Java source code from Android Dex and Apk files
• smali – tools already in Kali

Developer option on Samsung phones (hidden)

Gaining access to developer options is a step you might need to root a Samsung phone.

• Go in the phone settings -> about phone
• Click on the software information tab
• Click on build number seven times
• You should have a new folders with a few built-in tools under about phone

dex2jar

Installation

sudo apt install dex2jar

Convert .apk to .zip

d2j-std-apk <filename>.apk -o <filename>.zip

Convert .dex to .jar

d2j-dex2jar classes.dex

Extract .jar file

unzip <filename>.jar

Read .class files

Use JD-GUI. Refer to Java Cheat Sheet.

Run APK files

See Anbox.

Real-time analysis

Analyze and interact with the mobile application while executing it.

• Android Debug Bridge (adb) – Android Debugger (need to connect to mobile)
• Dexcalibur

Drozer

Drozer (deprecated) is a security testing framework for Android. There is an agent on the device, which uses a reverse shell to the computer. See available commands.

drozer console connect
list

SSL Certificate Pinning

Some mobile applications use SSL certificate pinning. Certificate pinning is the process of associating a host with their expected X.509 certificate or public key. Once a certificate or public key is known or seen for a host, the certificate or public key is associated or ‘pinned’ to the host.

Use Magisk for virtualizing and unifying the system store and user store in one unique certificate store; it works for apps trusting custom CA, but not for those using certificate pinning.

Network security configuration is often in the manifest. Or else is validated at execution time.

Hooking: inject code at execution time.

Technique 1 (preferred) : once for all APK

Use this procedure when the app uses certificate pinning and send requests to Burp Suite.

Test on device, use objection. There is an option within objection to bypass cert pinning at runtime. How to : Patching Android Applications

Install objection on the machine

#apt install python3-pip
pip3 install objection

Install Frida on the mobile device

Brida, Burp to Frida bridge

to confirm

Technique 2: to be done for each APK

Decompile, modify certs, recompile, sign, test locally. Use SDK WITHOUT Play Store. How to: Configuring Burp Suite With Android Nougat

• apktool – a tool in Kali for reengineering Android apk files

Find secrets in Android Keystroke

• Mobile device must be rooted first. Requires a Frida server on the mobile device.
• Download the script tracer-cipher.js (GitHub).

Extract secrets from keystroke

frida -U -f com.<SOME PACKAGE> -l tracer-cipher.js