This blog was written by Kunal Garg.
The popularity of Android devices and applications makes them a target for malware and other threats. This post is the second in a short series on Android application security.
In the first article we discussed the basic Android environment setup and penetration testing. In this post we will focus on some other tools and proxy techniques—Drozer, Apktool, and a “man in the middle” proxy—that will come in handy during a security review of Android applications.
Drozer allows you to interact with other applications installed on a device or emulator. It also helps in identifying the attack surface, exploiting activities, content providers, and broadcast receivers. Download the Drozer server and agent component from this site.
- Install drozer.apk on the emulator using the following command:
adb install C:/mypath/drozer.apk
- Run the .exe file and install the server component on the laptop.
- Start the Drozer APK in the emulator and tap the embedded server tab to switch it on.
- Run the following command from the command prompt to set up port forwarding. (31415 is the default port used by Drozer.)
adb forward tcp:31415 tcp:31415
- Open another terminal window, and connect the Drozer agent to the server with the following command:
C:/Drozer> Drozer console connect
After a successful connection, the Drozer prompt (dz>) will appear, as shown in the following screen capture.
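When the dz> prompt does not appear, the usual cause is a skipped step above. The following pre-flight check is an added example, not part of the original post or of Drozer: it reads the output of adb forward --list and probes the local port to tell a missing forward from an agent whose embedded server is switched off. The function names and the sample serial in the test are constructed for illustration.

```python
import socket
import subprocess

DROZER_PORT = 31415  # Drozer's default port, as stated in the post

def forwarded_serials(adb_output, port=DROZER_PORT):
    """Device serials with tcp:<port> forwarded, from `adb forward --list` text."""
    spec = f"tcp:{port}"
    rows = (line.split() for line in adb_output.splitlines())
    return [r[0] for r in rows if len(r) == 3 and r[1] == spec and r[2] == spec]

def probe(host, port, wait=1.0):
    """Classify a TCP endpoint as 'refused', 'closed' or 'open'."""
    try:
        with socket.create_connection((host, port), timeout=wait) as s:
            try:
                # adb accepts the local connection itself, so connecting proves
                # little; an immediate EOF means nothing listens on the device.
                return "open" if s.recv(1) else "closed"
            except socket.timeout:
                return "open"      # held open: the peer is waiting for us to speak
            except OSError:
                return "closed"    # reset by peer
    except OSError:
        return "refused"

def diagnose(adb_output, state, port=DROZER_PORT):
    """Map the two observations to the setup step that still needs doing."""
    if not forwarded_serials(adb_output, port):
        return f"run: adb forward tcp:{port} tcp:{port}"
    if state == "closed":
        return "switch on the embedded server in the Drozer agent"
    if state == "refused":
        return "adb is not listening locally; re-run the forward"
    return "ready: drozer console connect"

if __name__ == "__main__":
    out = subprocess.run(["adb", "forward", "--list"],
                         capture_output=True, text=True).stdout
    print(diagnose(out, probe("127.0.0.1", DROZER_PORT)))
```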
Apktool is useful when you have to modify the source code in an APK file to test issues such as SSL pinning bypass, application logic bypass, tamper checks, etc. Apktool can be downloaded and installed by following the instructions found here.
To test the security of an application, we need to install the APK file. Once the emulator is switched on, we can push the APK file using the following command:
adb install c:\yourapppath\appname.apk
The APK successfully installed.
MITM proxy with a device and Wi-Fi
In our previous post we discussed setting up a proxy (such as Burp) using an emulator. In this post we will look at how to capture the traffic using an Android device and Wi-Fi.
- Import the proxy tool’s certificate into the phone and install it, using Settings–>Wi-Fi–>Advanced–>Install certificates.
- Connect the Android device and the laptop to the same Wi-Fi network.
- Once the network is connected, go to Settings–>Wi-Fi and press and hold the network name.
- When the new menu appears, select Modify Network Config, then go to Advanced Settings and change the Proxy Settings to Manual.
- Enter the IP address (of the laptop) and the port number in the Proxy Hostname and Proxy Port fields, respectively.
HTTP proxy options.
- Configure the proxy to listen on all interfaces, and on the same port as defined in the prior step. The proxy should now be able to capture the SSL traffic, unless there is SSL pinning or other restrictions, which we will discuss in future posts.
Captured HTTPS request originating from the Android device and intercepted in Burp.