Android applications are now an integral part of our lives, thanks to the extensive use of mobile phones. However, many users are unaware of how well their devices are protected. Not knowing how our applications are designed and how they are penetration tested can leave us with a false sense of security. You can mitigate this risk by performing static analysis as part of Android penetration testing, so that mobile applications are thoroughly checked for security flaws.
Before we get to dive into the main topic, let’s discuss some of the basic concepts.
Fig: Sandbox Theory
Now we can get into our main topic.
The static analysis of the android application is the process of source code review of the apk (android application) file. Several reverse engineering tools complete this procedure.
Reverse Engineering: Reverse engineering decompiles the apk file using different tools like apktool, dex2jar and JD-GUI, and automation frameworks like MobSF.
Let us know briefly about one such reverse engineering tool.
APKTOOL: It is a command-line tool used to reverse engineer third-party, closed, binary Android apps. It can decode resources to nearly their original form, let you modify them, and rebuild the app.
The command used to decompile the apk file is:
apktool d <example.apk>
The outcome of the above command is mentioned below,
Fig 1.1: Output of apktool
Fig 1.2: Output of apktool
The output of apktool includes the manifest file, Dex files, Smali files, etc. The Dex bytecode is not in a human-readable format; however, tools like dex2jar and JD-GUI can convert it into readable Java source.
Android Manifest File: It is an XML file that contains the application package name and the main elements of the application, like activities, broadcast receivers, services, and content providers. The manifest gives the Android operating system and the app store the information they need about the app. It also declares the permissions that other apps must hold in order to access the app's data.
Fig 1.3: AndroidManifest File
Declaring a manifest file is mandatory for every application:
From the above manifest file, the package name of the diva application is “package=jakhar.aseem.diva”
Now, let us know some basic information about each android component.
Activity: An activity represents a single screen with a user interface, where the user performs an action. It is like a page in a web application. For example, an e-commerce application might have one activity that shows a list of orders, another activity to add products to the cart, and a different activity for the wishlist.
Activities in the manifest file are declared as follows,
Fig 1.4: Declaration of activities in the manifest file
If access to an exported Activity is not restricted, any application on the phone/device can launch it. Through this, an attacker can gain access to the application's sensitive information. Furthermore, they can even modify the application's internal state or trick the user into interacting with the victim application.
Services: A service usually runs in the background to carry out operations that do not provide a user interface. For example, a service can keep playing music in the background while the user is in a different application.
Services in the manifest files are declared as follows,
Fig 1.5: Declaration of services in the manifest file
If access to an exported Service is not restricted, any application on the phone/device can start or bind to it. This allows an attacker or malicious application to perform unauthorized actions, gain access to sensitive information, or corrupt the internal state of the victim application.
Broadcast Receivers: A Broadcast Receiver is another Android component that responds to broadcast messages from other applications or from the system itself. The system can also deliver broadcasts to applications that are not running; for example, the low-battery notification shown to the user. Android developers can use broadcast messages inside the application or outside its usual flow.
Broadcast Receivers in the manifest file are declared as follows,
Fig 1.6: Declaration of broadcast receivers in the manifest file
Content Providers: A Content Provider is a component that allows an application to share data with other applications. It hides the details of the underlying database, which the application uses to read and write private data that is not shared. Without a content provider, it is not easy for other applications to access that data.
For example, the contact list and the photos in the gallery are made available to other apps through Content Providers.
Malicious apps can access sensitive data if the access to Content Provider is not restricted to only limited applications.
All the Android components have an attribute called android:exported="true/false", and the default value is "false".
android:exported="true": The activity/service/content provider can be launched by components of other applications. It can be invoked using the ADB tool.
Fig 1.7: exported=true (content provider)
Fig 1.8: exported=true (service)
Fig 1.9: exported=true (receiver)
To invoke an exported activity (which means we can launch it without logging in to the application), we can use the following command:
Command: adb shell am start -n <package name>/.<ActivityName>
Fig 1.10: Invoke the activity
Fig 1.11: Invoke the activity
android:exported="false": The component can only be launched by components of the same application, or by applications running with the same user ID.
Permissions: The app declares the permissions it needs to access protected parts of the system or other applications. It can also declare permissions that other applications must hold if they want to access content from the application. The permissions may include access to the internet, contacts, the camera, etc.
Permissions in the manifest file are declared as follows,
Fig 1.12: Declaration of Permissions in the manifest file
We need to check whether the application requests dangerous permissions such as READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE.
Fig 1.13: Potentially Dangerous Permissions Enabled
Among all these, there are two essential flags in the manifest file which we need to know: the allowBackup and debuggable flags. The default value of those flags is set to false.
android:allowBackup="true"
Backup allows application data to be backed up to external storage or another device, so that if a user replaces or wipes their phone, they can restore app settings and application data (including sensitive data). However, an attacker can also extract that backup directly from the application sandbox without rooting the device.
Fig 1.14: android:allowBackup="true"
android:debuggable="true"
If this flag is set to true, an attacker can attach to the vulnerable application process, inject their own code into it, and extract the application's sensitive data.
Fig 1.15: android:debuggable="true"
minSdkVersion: The minSdkVersion of any Android application must be greater than 18. Any application with a value below 18 is insecure and vulnerable to many security flaws, thus impacting the security of the running application.
As a pentester, we need to check the following security loopholes in the manifest file:
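As an added example (not code from the original post), the following Python script runs the manifest checks described above over an AndroidManifest.xml of the kind apktool writes into the decoded folder; the sample manifest, its package name and its component names are constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Constructed sample in the form apktool decodes; package and
# component names are made up for this example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="28"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity"/>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.sample.SYNC"/>
    <provider android:name=".DataProvider" android:exported="true"
              android:authorities="com.example.sample.data"/>
  </application>
</manifest>"""
# The storage permissions the post calls out as dangerous.
DANGEROUS = {"android.permission.READ_EXTERNAL_STORAGE",
             "android.permission.WRITE_EXTERNAL_STORAGE"}

def attr(elem, name):
    # Read an attribute from the android: namespace.
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def check_manifest(xml_text):
    """Return (check, detail) tuples for every manifest weakness found."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    for flag in ("allowBackup", "debuggable"):
        if attr(app, flag) == "true":
            findings.append((flag, "true"))
    sdk = root.find("uses-sdk")
    # minSdkVersion defaults to 1 when the attribute is missing entirely
    min_sdk = int(attr(sdk, "minSdkVersion") or 1) if sdk is not None else 1
    if min_sdk < 18:
        findings.append(("minSdkVersion", str(min_sdk)))
    for perm in root.findall("uses-permission"):
        if attr(perm, "name") in DANGEROUS:
            findings.append(("dangerous-permission", attr(perm, "name")))
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            # exported with no guarding permission: reachable from any app
            if attr(comp, "exported") == "true" and not attr(comp, "permission"):
                findings.append(("exported-" + tag, attr(comp, "name")))
    return findings
```

Run it against the decoded manifest of the app under test; the exported service guarded by a permission is deliberately not reported, while the unguarded activity and provider are.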
2. DEX2JAR:
Dex2Jar is a command-line reverse engineering tool that can be used to convert dex files to jar files. The output of apktool includes a "classes.dex" file, which is not human-readable. The classes.dex file is a Dalvik Executable file, and every Android application must have this file. It contains the compiled Java classes and libraries the application uses.
Command: d2j-dex2jar classes.dex
Fig 2.0: Converting dex files to jar files using dex2jar tool
Fig 2.1: Classes.dex file is converted to classes-dex2jar
3. JD-GUI: JD-GUI is a standalone graphical utility that displays the Java source code of ".class" files. It reconstructs the source and gives immediate access to fields and methods, which we can then search through. We can check for any sensitive information (access tokens, API keys, subscription keys, usernames, passwords, etc.) stored in the Java files.
Fig 3.0: Output of JD-GUI
Fig 3.1: User Credentials and API Key in Source Code
Fig 3.2: User credentials being stored in the database
This was a detailed overview of the static analysis of an Android application and the tools used for reverse engineering it.
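As an added example, not part of the original post, the Python scanner below looks through decompiled Java source (as JD-GUI shows it) for string literals assigned to fields whose names suggest credentials or keys; the Java snippet and every value in it are constructed for this example.

```python
import re

# Constructed sample of what a decompiled class might look like; values are fake.
SAMPLE_JAVA = """package com.example.sample;
public class Config {
    public static final String BASE_URL = "https://api.example.com/v1";
    private static final String API_KEY = "AKIAEXAMPLEKEY0000";
    private String password = "P@ssw0rd!";
    private static final int TIMEOUT = 30;
    String username = "admin";
    // String token = "notasecret"; commented-out code still leaks
}
"""

# Identifier fragments that usually carry secrets when a string literal is assigned.
SECRET_NAME = re.compile(
    r"(?i)(password|passwd|pwd|secret|api[_-]?key|subscription[_-]?key|token|username)")
# A Java field/variable assignment of a non-empty string literal.
ASSIGN = re.compile(r'\b(?:String\s+)?(\w+)\s*=\s*"([^"]+)"\s*;')

def find_hardcoded_secrets(java_source):
    """Return (line_no, identifier, value) for suspicious string assignments.
    Comments are not stripped on purpose: leftover secrets in comments ship too."""
    hits = []
    for line_no, line in enumerate(java_source.splitlines(), start=1):
        m = ASSIGN.search(line)
        if m and SECRET_NAME.search(m.group(1)):
            hits.append((line_no, m.group(1), m.group(2)))
    return hits
```

Point it at the folder JD-GUI saved the sources to and review each hit by hand; the identifier heuristic is a starting point for manual review, not a complete secret detector.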
Author,
Vamshi Krishna
Attack & PenTest Team
Varutra Consulting Pvt. Ltd.