Pentesting Android Cheatsheet

This post collects instructions useful for pentesting Android apps that I found on the Internet. Basically, it is my Android cheatsheet, and it is here so that it will be easily accessible in the future to me or anyone else who has to assess Android devices and apps.

Compile for Android with Android NDK

Download the Android NDK from the Google site and decompress it wherever suits you. The ndk-build script will then be at a path like the following:

/opt/android/android-ndk-r9d/ndk-build

Create the following directories in your project root folder (ndk-build expects the native sources under jni/):

$ mkdir {jni,libs,obj}

Then place your C program in jni/ along with the Android.mk make file.

The following is an example of Android.mk file:

$ cat Android.mk
# Android.mk for a single native executable built from one C source file
#

LOCAL_PATH := $(call my-dir)

include $(CLEAR_VARS)
LOCAL_MODULE := dump_android_memory
LOCAL_SRC_FILES := dump_android_memory.c
include $(BUILD_EXECUTABLE)

To compile your program:

$ cd jni/
$ /opt/android/android-ndk-r9d/ndk-build
[armeabi] Compile thumb : dump_android_memory <= dump_android_memory.c
[armeabi] Executable : dump_android_memory
[armeabi] Install : dump_android_memory => libs/armeabi/dump_android_memory

The output should look like the above.


Decompile .apk to smali

The purpose of decompiling to smali is to obtain the Dalvik bytecode. The difference between having the Dalvik bytecode and the Java files is that with the former we can perform unauthorised code modification and reassemble/recompile the apk package, which we can subsequently install on the Android device.

To decompile the apk to smali we simply need to download and use the apktool utility.

$ cd /apktool/
$ java -jar apktool.jar d juicyapp.apk juicyapp_smali
$ ls juicyapp_smali
AndroidManifest.xml apktool.yml assets res smali


Code Modification and Recompiling from Dalvik bytecode to .apk

Refer to “wp-defeating-ssl-cert-validation.pdf” by Naveen Rudrappa of McAfee.


Decompile classes.dex to Jar and Java

Download dex2jar.

Rename your app.apk to app.zip and extract (unzip) it. From the unzipped folder retrieve the classes.dex file. Copy this file into /var/tmp/ as:

$ cp <unzipped_folder>/classes.dex /var/tmp/classes.dex

Run dex2jar on classes.dex as follows:

$ cd /var/tmp
$ /opt/dex2jar/d2j-dex2jar.sh classes.dex -o juicyapp_src
$ ls
juicyapp_src.src.zip
$ unzip -d juicyapp_src juicyapp_src.src.zip && ls juicyapp_src
android au com

DONE. You will find your Android app's .java files in the “au” and “com” subdirectories.
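The apk-to-smali section and the classes.dex steps above both start from the same fact: an .apk is a zip archive, and the Dalvik bytecode lives in its classes.dex entry. The following is an added example (my own code, not part of the original post or of apktool/dex2jar) that does the rename-and-unzip step programmatically with Python's standard library, and goes a little beyond the text in two ways: it also picks up multidex entries (classes2.dex, classes3.dex, ...), which dex2jar must be run on one by one, and it parses the fixed dex header to verify the magic, file_size and adler32 checksum before handing the file to the decompiler. The apk it operates on is constructed in-memory so the script runs offline; the file names and the DEX header offsets are the documented dex format, everything else (function names, sample contents) is mine.

```python
import io
import re
import struct
import tempfile
import zipfile
import zlib
from pathlib import Path

DEX_MAGIC_PREFIX = b"dex\n"    # followed by a 3-digit version and a NUL byte
DEX_HEADER_SIZE = 0x70         # size of the fixed header in every dex file
DEX_ENDIAN_CONSTANT = 0x12345678


def build_fake_dex() -> bytes:
    """Constructed sample: a header-only dex with a valid magic, adler32 checksum
    and file_size so the checks below can run offline. It is not a real app."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = DEX_MAGIC_PREFIX + b"035\0"
    struct.pack_into("<I", hdr, 32, DEX_HEADER_SIZE)      # file_size
    struct.pack_into("<I", hdr, 36, DEX_HEADER_SIZE)      # header_size
    struct.pack_into("<I", hdr, 40, DEX_ENDIAN_CONSTANT)  # endian_tag
    # The checksum covers everything after the checksum field itself (offset 12 onward).
    struct.pack_into("<I", hdr, 8, zlib.adler32(bytes(hdr[12:])) & 0xFFFFFFFF)
    return bytes(hdr)


def build_corrupted_dex() -> bytes:
    """The same sample with one byte flipped inside the signature area, so the
    stored checksum no longer matches the content (modified or damaged dex)."""
    hdr = bytearray(build_fake_dex())
    hdr[20] ^= 0xFF
    return bytes(hdr)


def build_fake_apk() -> bytes:
    """Constructed sample apk: a zip holding a manifest placeholder and two dex files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder for binary XML>")
        zf.writestr("classes.dex", build_fake_dex())
        zf.writestr("classes2.dex", build_fake_dex())
        zf.writestr("res/values/strings.xml", b"<resources/>")
    return buf.getvalue()


def list_dex_entries(apk_bytes: bytes) -> list:
    """Names of all classes*.dex entries, ordered classes.dex, classes2.dex, ..."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = [n for n in zf.namelist() if re.fullmatch(r"classes\d*\.dex", n)]
    return sorted(names, key=lambda n: int(n[len("classes"):-len(".dex")] or "1"))


def check_dex_header(data: bytes) -> dict:
    """Parse the fixed dex header and verify magic, sizes and adler32 checksum."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("too short to be a dex file")
    magic = data[:8]
    if not (magic.startswith(DEX_MAGIC_PREFIX) and magic[7:8] == b"\0"):
        raise ValueError("bad dex magic: %r" % magic)
    (stored_checksum,) = struct.unpack_from("<I", data, 8)
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    return {
        "version": magic[4:7].decode("ascii"),
        "file_size": file_size,
        "size_ok": file_size == len(data),
        "header_ok": header_size == DEX_HEADER_SIZE,
        "endian_ok": endian_tag == DEX_ENDIAN_CONSTANT,
        "checksum_ok": (zlib.adler32(data[12:]) & 0xFFFFFFFF) == stored_checksum,
    }


def extract_dex(apk, out_dir) -> dict:
    """Pull every classes*.dex out of an apk (path or raw bytes) into out_dir and
    return the header checks per file, ready for d2j-dex2jar.sh <file>."""
    apk_bytes = apk if isinstance(apk, bytes) else Path(apk).read_bytes()
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    results = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in list_dex_entries(apk_bytes):
            data = zf.read(name)
            results[name] = check_dex_header(data)
            (out / name).write_bytes(data)
    return results


def demo() -> dict:
    """Run the extraction against the constructed apk in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return extract_dex(build_fake_apk(), tmp)


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

Run it on a real package with extract_dex("juicyapp.apk", "/var/tmp") and then point d2j-dex2jar.sh at each file it wrote. A checksum_ok of False means the dex content no longer matches its header, either because the file is damaged or because it was edited after the build (the kind of modification the smali section describes); the package manager performs the same check at install time, so a patched dex has to have its header recomputed before it will even install.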


Memory Dump on Android

Here is the program along with the source that can be used to dump the device’s memory.


Use the emulator

I have tried the emulator and it turns out to be super super super slow. My advice is to avoid the emulator and install Android OS for VirtualBox. However, if you know what you are doing, the following are the commands to execute the emulator.

First you need to create the Android AVD.

I can never remember where all the binaries are. LOL. Let’s search for the android utility:

$ find /opt/adt-bundle-linux-x86_64-20140321/ -iname android -type f
/opt/adt-bundle-linux-x86_64-20140321/sdk/tools/android

Sweet! Now the command to create an Android AVD is:

$ android create avd -n <name>

Which in my case translates as follows:

$ /opt/adt-bundle-linux-x86_64-20140321/sdk/tools/android create avd -n robot

Then run the emulator:

$ /opt/adt-bundle-linux-x86_64-20140321/sdk/tools/emulator @robot -gpu on -verbose -memory 1024 -cpu-delay 0 -http-proxy 10.1.1.5:8080
