Mobile

Static Analysis

  • jdgui http://java-decompiler.github.io/

  • apktool https://ibotpeaches.github.io/Apktool/

  • dex2jar https://github.com/pxb1988/dex2jar

  • jadx https://github.com/skylot/jadx

Dynamic Analysis

Set a proxy, install the certificate and you are ready to go.

System level certificate installation

  • Export your Burp certificate: Proxy > Options > CA Certificate > Export in DER format

  • Convert it to PEM: openssl x509 -inform der -in cacert.der -out burp.pem

  • Rename it with its subject hash: mv burp.pem $(openssl x509 -inform PEM -subject_hash_old -in burp.pem | head -1)".0"

  • Mount a writeable system partition: adb shell "mount -o rw,remount /system"

  • Upload the certificate: adb push <generated.0> /system/etc/security/cacerts/ (e.g. adb push 9a5ba575.0 /system/etc/security/cacerts/)

  • Reboot the VM: adb reboot

Setting up proxy using ADB

Setting up a proxy

  • adb shell settings put global http_proxy <proxy ip>:<proxy port>

Flushing the proxy setting

  • adb shell settings delete global http_proxy
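The certificate installation and the ADB proxy steps above, wrapped in shell functions as an added example (this script is not part of the original notes). It assumes Burp's CA was exported in DER format as cacert.der, that a rooted emulator or device is reachable over adb, and that the proxy address passed in (10.0.2.2:8080 in the comment, the emulator's alias for the host) points at the listener. On recent emulator images /system only remounts read-write when the emulator was started with -writable-system.

```shell
#!/bin/sh
# Added example, not from the original notes: certificate install + ADB proxy.
# Assumes cacert.der is Burp's exported CA and adb can reach a rooted target.

# Convert the DER export to PEM, the encoding Android's cacerts/ directory expects.
der_to_pem() {
    openssl x509 -inform der -in "$1" -out "$2"
}

# Android locates a system CA by the OpenSSL "old" subject hash plus a ".0" suffix;
# -noout prints only the hash, so no "| head -1" is needed.
cacert_filename() {
    printf '%s.0\n' "$(openssl x509 -inform PEM -subject_hash_old -noout -in "$1")"
}

# Copy the PEM into the system store under its hashed name, make it world-readable
# (every app UID reads the store), then reboot so the trust store is reloaded.
install_system_ca() {
    pem="$1"
    name="$(cacert_filename "$pem")"
    cp "$pem" "$name"
    adb shell "mount -o rw,remount /system"
    adb push "$name" /system/etc/security/cacerts/
    adb shell "chmod 644 /system/etc/security/cacerts/$name"
    adb reboot
}

# Point the device's global HTTP proxy at the interceptor, e.g. set_proxy 10.0.2.2:8080
set_proxy() {
    adb shell settings put global http_proxy "$1"
}

# Remove the global proxy again once testing is done.
clear_proxy() {
    adb shell settings delete global http_proxy
}

case "${1:-}" in
    install) der_to_pem "${2:-cacert.der}" burp.pem && install_system_ca burp.pem ;;
    proxy)   set_proxy "$2" ;;
    noproxy) clear_proxy ;;
esac
```

Usage: ./setup.sh install cacert.der, then ./setup.sh proxy 10.0.2.2:8080, and ./setup.sh noproxy when finished. Keeping the hash lookup in its own function makes it easy to verify which file name to expect before touching the device.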

Currently focused activity

Focusing / Starting another activity

am start -n com.mailchimp.mailchimp/com.mailchimp.android.mcm.ui.upload.FileUploadActivity

List activities of an APK

Mobile Vulnerabilities & What to check

OWASP Top 10

  • M1 Improper Platform Usage

    • Misconfigurations in AndroidManifest.xml

  • M2 Insecure Data Storage

    • If an app stores data insecurely, e.g. on external storage: SQL databases, XML files, log files, cookie storage, binary data etc.

  • M3 Insecure Communication

    • Clear text communication, communication without SSL

  • M4 Insecure Authentication

    • Insecure 2FA implementations, 2FA bypass.

    • If you can access an API without authorization.

    • OTP bypass, client-side bypasses. For example, you can manipulate the server's response and bypass the 2FA or OTP.

  • M5 Insufficient Cryptography

    • Incorrect encryption, using encoding where encryption is needed.

  • M6 Insecure Authorization

    • IDORs

  • M7 Client Code Quality

    • Client-side SQL injection, buffer overflows, XSS.

  • M8 Code Tampering

    • For example, cracking a free application into a premium one.

  • M9 Reverse Engineering

    • Sensitive information, strings etc.

  • M10 Extraneous Functionality

    • For example, the developer forgot to remove extra functionality from the app.

    • Leftover backdoor, debug parameter etc.
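A small checker for the AndroidManifest.xml misconfigurations listed under M1 (plus the cleartext-traffic flag that belongs to M3), added here as an example and not taken from the original notes. It assumes the manifest has already been decoded with apktool, because the manifest inside an APK is binary XML and cannot be grepped directly; the sample manifest it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original notes: flags common AndroidManifest.xml
# misconfigurations (M1) and the usesCleartextTraffic flag (M3).
# Assumes a decoded manifest (apktool d app.apk), one element per line.

# Write a constructed sample manifest to $1 so the checker can run offline.
sample_manifest() {
    cat > "$1" <<'EOF'
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
    <application android:allowBackup="true" android:debuggable="true" android:label="Demo">
        <activity android:exported="true" android:name="com.example.demo.MainActivity"/>
        <activity android:exported="true" android:name="com.example.demo.AdminActivity" android:permission="com.example.demo.ADMIN"/>
        <service android:exported="true" android:name="com.example.demo.SyncService"/>
        <receiver android:exported="false" android:name="com.example.demo.BootReceiver"/>
    </application>
</manifest>
EOF
}

# Print one finding per line for the decoded manifest at $1.
manifest_check() {
    m="$1"
    grep -q 'android:debuggable="true"' "$m" && echo "debuggable: a debugger can be attached to the app"
    grep -q 'android:allowBackup="true"' "$m" && echo "allowBackup: app data can be pulled with adb backup"
    grep -q 'android:usesCleartextTraffic="true"' "$m" && echo "usesCleartextTraffic: plaintext HTTP is allowed (M3)"
    # Components exported to other apps with no permission guarding them
    grep -E '<(activity|service|receiver|provider)[^>]*android:exported="true"' "$m" \
        | grep -v 'android:permission=' \
        | sed -E 's/.*android:name="([^"]+)".*/exported without permission: \1/'
    return 0
}

# Number of unguarded exported components, for a quick pass/fail in a pipeline.
exported_unguarded_count() {
    manifest_check "$1" | grep -c 'exported without permission'
}

if [ -n "${1:-}" ]; then
    manifest_check "$1"
else
    tmp=$(mktemp)
    sample_manifest "$tmp"
    manifest_check "$tmp"
    rm -f "$tmp"
fi
```

Run it with no arguments to see the findings for the built-in sample, or pass the path of a decoded manifest (for example app/AndroidManifest.xml after apktool d app.apk). The exported-component check deliberately ignores components that carry an android:permission attribute, since those are guarded even though they are exported.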
