Hi everyone, hope doing well, I am back with another interesting post. In this post we are going to discuss about android app pentesting. As we know in android app pentesting there are two types which every tester focused on, one is static and another one is dynamic.
In static testing tester focused on source code analysis, reverse engineering .apk file, and checking for the quality of code also checking for sensitive data which may be hardcoded into the code in plain text.
Example: If an android application contains a hardcoded key for unlocking premium features like user gets the same key from the developer of the application and put it into the application to access the premium features of an application.
An attacker does reverse engineering the same application and found that hardcoded key then that attacker found a really easy bypass to get all premium features of that application, which obviously going to impact the business of that product.
In this post, we are going to see some of the popular tools which help in static testing and how to use it in android application security testing (static testing).
The image given below talked about engineering and reverse engineering of a .apk file.
Apktool
It is one the most popular tool used for reverse engineering a .apk file. using this tool can simply decompile a .apk as well as also be able to build/compile .apk file after some modification.
to install and use apktool follow the instructions given below.
apt install apktool
apktool d appname.apk
The directory is created the same as the name of an apk file, now what the tester do is simply check files for sensitive data.
For example – the androidmainfest.xml file contains all information about activities, intent filters, private server URL, and many more things, this information may help in dynamic testing.
For example – a string may contain some sensitive value like apikey or password or maybe the URL of a database like a firebase. a tester can simply use the following command to check that sensitive data or else open and check that file in a very usual manner.
cat res/values/strings.xml | grep api
also able to grep multiple strings, if tester finds out firebase check for reading and write permission. If you don’t know how to do it? check the video given below.
Dex2Jar
It is another tool that helps reverse engineer an apk file, converts the file into java code, and with the help jd-gui which is another fantastic tool tester able to dig into the .jar file.
apt install dex2jar
d2j-dex2jar appname.apk
analyze the jar file into jd-gui
apt install jd-gui
open jd-gui and open the jar file into it.
In the above example of hacker101 flag got using this technique, in another case may contain some sensitive hard-coded data or also able to check the quality of the code.
jadx
This is one of the easiest tool available for reverse engineering an apk file, it converts the dex file to a java file and also gives other stuff like androidmainfest.xml, strings.xml, etc. It’s available in both GUI and CLI mode.
User GUI mode of it which is a simple drag and drop thing and after that can easily analyze the code,
to download follow this link https://github.com/skylot/jadx/releases/ make sure that download with jre option.
There are other tools that also can use according to the convenience like can use Mobile Security Framework – Mobsf for automatic static testing. Also can read more about reverse engineering from owasp https://owasp.org/www-project-mobile-top-10/2016-risks/m9-reverse-engineering
If you found this post helpful then please share it with your co-workers and friends. Please provide your valuable comment and let us know if there is any suggestion. Now you can also collab with us please check our collaboration page, thank you!
