Prerequisites and tools before Beginning!

Prerequisites knowledge

Before diving into Android exploitation, it’s crucial to have a strong foundation and here Moataz Osama explain very well everything that you need in the following topics:

1. Android Architecture: Understanding the Android OS stack, including the Linux kernel, native libraries, Android runtime (ART), and framework. (Read his article on Android Architecture.)

2. Android Components: A deep dive into the four core Android components: activities, services, broadcast receivers, and content providers. (Check out his article on Android components.)

3. Android Hacking Series (Part 1): Understanding APK Structure & Smali Code.(Check out his article on Android Hacking Series (Part 1))

4. Android Hacking Series (Part 2): Reverse Engineering & Static Analysis. (Check out his article on Android Hacking Series (Part 2))

These fundamentals are essential for understanding how Android applications work and how attackers exploit vulnerabilities within them.

Tools

Default Tools

• Android Debug Bridge (ADB) is a development tool that facilitates communication between an Android device and a personal computer.

• Emulator to make it easier to run and test mobile applicatoin instade of using your physical mobile (LDPlayer, Andriod Stuidio emulator, Genymotion,...)

Reverse Engineering and Static Analysis tools

• Jadx - Dex to Java decompiler: Command line and GUI tools for produce Java source code from Android Dex and Apk files.

• APKTool - A tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications.

  • Disassembling Android apk file

    • apktool d <apk file>

  • Rebuilding decoded resources back to binary APK/JAR with certificate signing

    • apktool b <modified folder>

    • keytool -genkey -v -keystore keys/test.keystore -alias Test -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -validity 10000

    • jarsigner -keystore keys/test.keystore dist/test.apk -sigalg SHA1withRSA -digestalg SHA1 Test

Dynamic and Runtime Analysis Tools

• Frida - The toolkit works using a client-server model and lets you inject in to running processes not just on Android, but also on iOS, Windows and Mac.

• Drozer - Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.

  • Starting a session

    • adb forward tcp:31415 tcp:31415

    • drozer console connect

  • Retrieving package information

    • run app.package.list -f <app name>

    • run app.package.info -a <package name>

  • Identifying the attack surface

    • run app.package.attacksurface <package name>

  • Exploiting Activities

    • run app.activity.info -a <package name> -u

    • run app.activity.start --component <package name> <component name>

  • Exploiting Content Provider

    • run app.provider.info -a <package name>

    • run scanner.provider.finduris -a <package name>

    • run app.provider.query <uri>

    • run app.provider.update <uri> --selection <conditions> <selection arg> <column> <data>

    • run scanner.provider.sqltables -a <package name>

    • run scanner.provider.injection -a <package name>

    • run scanner.provider.traversal -a <package name>

  • Exploiting Broadcast Receivers

    • run app.broadcast.info -a <package name>

    • run app.broadcast.send --component <package name> <component name> --extra <type> <key> <value>

    • run app.broadcast.sniff --action <action>

  • Exploiting Service

    • run app.service.info -a <package name>

    • run app.service.start --action <action> --component <package name> <component name>

    • run app.service.send <package name> <component name> --msg <what> <arg1> <arg2> --extra <type> <key> <value> --bundle-as-obj

Steps for How to set up your Android Environment

Mobile Application Penetration Testing Cheat Sheet