Android Application Assessment – Part III

September 20, 2018
Mobile pentests

This post covers some more Android application specific attacks and tools that may further help you in pentesting your Android app.

Please note that for an Android application that connects to the internet via Wi-Fi or GPRS, you need to route its traffic through a proxy and perform testing similar to web application testing. In this case, all applicable web application tests would apply. Check here for how to set up a proxy in the Android emulator.


Application Process and Inter-Communication Inspection

The objective is to look for internal system calls made by your application, grab screens without rooting your device, spoof local data, and view processes and application state information. The utility used here is a GUI front end for adb.exe, ddms.bat (the Dalvik Debug Monitor Server). Its default location is C:\Program Files\Android\android-sdk\tools. Below is how you can access all of the data mentioned above:

Browse to the \Android\android-sdk\tools directory in a command prompt.

Locate and execute ddms.bat; you should see the screen shown below:

Insecure Cryptographic Storage

The objective of this test is to look for hardcoded keys the application may store to perform encryption and decryption of data at rest or in transit. Application decompilation, detailed in my last post, should do most of the work here. Places to look:

  • Methods like javax.crypto.Cipher.init() in the class files
  • Class names should point you in the right direction
  • The application home page / login page may perform some encryption logic
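As an added illustration (not code from the original post), a small Python scanner that applies these checks to decompiled Java source: it flags SecretKeySpec/IvParameterSpec objects built from literals or from a string constant, weak algorithms, and ECB (explicit, or the provider default when no mode is given). The sample source, class and constant names are constructed for this example.

```python
import re

# Constructed sample of decompiled Java from a hypothetical app (not real code).
SAMPLE_JAVA = """\
public class Crypto {
    private static final String KEY = "0123456789abcdef";
    public byte[] enc(byte[] p) throws Exception {
        SecretKeySpec k = new SecretKeySpec(KEY.getBytes("UTF-8"), "AES");
        Cipher c = Cipher.getInstance("AES");
        c.init(Cipher.ENCRYPT_MODE, k);
        return c.doFinal(p);
    }
    public byte[] encCbc(byte[] p) throws Exception {
        SecretKeySpec k = new SecretKeySpec(new byte[]{1,2,3,4,5,6,7,8}, "DES");
        IvParameterSpec iv = new IvParameterSpec("fixediv0".getBytes());
        Cipher c = Cipher.getInstance("DES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, k, iv);
        return c.doFinal(p);
    }
}
"""

STRING_CONST = re.compile(r'static\s+final\s+String\s+(\w+)\s*=\s*"([^"]*)"')
KEY_SPEC = re.compile(r'new\s+(SecretKeySpec|IvParameterSpec)\s*\(\s*([^,)]+)')
GET_INSTANCE = re.compile(r'Cipher\.getInstance\(\s*"([^"]+)"')
WEAK_ALGOS = {"DES", "RC4", "ARCFOUR"}

def scan_source(src):
    """Return (line_no, message) findings for hardcoded key material and weak cipher setup."""
    consts = dict(STRING_CONST.findall(src))  # constant name -> string literal
    findings = []
    for no, line in enumerate(src.splitlines(), 1):
        # Key/IV objects built directly from a literal or from a string constant
        for kind, arg in KEY_SPEC.findall(line):
            arg = arg.strip()
            ident = arg.split(".")[0]
            if arg.startswith('"') or arg.startswith("new byte[]"):
                findings.append((no, f"{kind} built from a literal: {arg[:40]}"))
            elif ident in consts:
                findings.append((no, f'{kind} built from constant {ident}="{consts[ident]}"'))
        # Cipher transformations: weak algorithm, or ECB (explicit or the provider default)
        for trans in GET_INSTANCE.findall(line):
            parts = trans.upper().split("/")
            if parts[0] in WEAK_ALGOS:
                findings.append((no, f"weak algorithm {parts[0]} in {trans!r}"))
            if len(parts) == 1 or parts[1] == "ECB":
                findings.append((no, f"ECB mode (explicit or provider default) in {trans!r}"))
    return findings
```

Run it over every .java file produced by the decompiler and triage each finding by hand; a key loaded from the Android Keystore or derived from user input will not match these patterns.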

Useful Tools

Below are some of the Android application specific tools (apart from those I mentioned earlier in this series) that may help you investigate further or look for more issues:

Intent Fuzzer – Supplies random, invalid data to test how your application reacts to it.

Intent Sniffer – Monitors and intercepts the intents of your application.

BusyBox – A bundle of Unix tools for testing your Android application.

Wireshark – Most of you will be aware of its functionality. Combine it with RawCap to analyze the traffic.

I hope you have found this series useful in pentesting your android applications.


Happy Reading!!
