Android applications is now the best way for companies to deliver their services cause almost all the people in the world are using mobile applications and the most is using android OS cause it come on mobiles with affordable price . in this article we will prepare an android penetration lab so we can try to penetrate an app to see if it can hold against hackers which they may target a banking applications to steal customer credential or using the app to reveal high confidential info about the bank .
What is mobile App penetration testing ?
Mobile app peteration testing is trying to hack the app and get valuable info , user credential , discover bugs that would lead to to crash the app or elevate to owner of the app to change the behaviour of the app , its like penetration testing the web sites and servers cause they are same a device which have an app that operate on OS and communicate with it .
Common Vulnerbilties We Must Search In Your Application .
- Insecure or unnecessary client-side data storage: Data from applications such as user
credentials(username and password), credit card information may be stored on the
device’s memory. This data, if not properly encrypted, can be accessed by a hacker
and the data stolen. Example: recent Skype vulnerability.
- Lack of data protection in transit: if the connection between the web and the device
is not secure than the transaction can be tampered with.
- Personal data leakage: browser cache, search history records, location tracking –
data, if not secured, can be accessed by the attacker.
- Failure to protect resources with strong authentication: certain applications, like
Google, have single sign-ons, which can be used by the attacker to gain access to the
- Failure to implement least privilege authorization policy: Some applications may
have been given more permissions than necessary. For example, a file requiring
READ permission is assigned READ WRITE permission.
- Client-side injection: Client side XSS and SQL injections can be performed on the
- Client-side DOS: a particular service or application is blocked for access. For example,
if the contacts list has been blocked by a DOS attack, the user will not be able to
access the list to make calls.
- Malicious third-party code: Malicious third party code installed on the device can
gain access to device resources and data.
- Client-side buffer overflow: Certain native libraries in Android are vulnerable to
client side buffer overflow attacks because of improper or insufficient input/ouput
- Failure to apply server-side controls: Any attacker can pose as the client and attempt
SQL Injection, XSS or other attacks.
Penetration Testing Scenario :
In this article we will set up our own android penetration testing lab , by using an app designed to have common flows so beginners in this field can train .
the vulnerbale app will connect to a web server we will set up in host machine , then we will use burpsuite to inspect the unencrypted traffic between the app and the webserver and try to search for some flows in the app .
the vulnerable app has this flows :
- Flawed Broadcast Receivers
- Intent Sniffing and Injection
- Weak Authorization mechanism
- Local Encryption issues
- Vulnerable Activity Components
- Root Detection and Bypass
- Insecure Content Provider access
- Insecure Webview implementation
- Weak Cryptography implementation
- Application Patching
- Sensitive Information in Memory
- Insecure Logging mechanism
- Android Pasteboard vulnerability
- Application Debuggable
- Android keyboard cache issues
- Android Backup vulnerability
- Runtime Manipulation
- Insecure SDCard storage
- Insecure HTTP connections
- Parameter Manipulation
- Hardcoded secrets
- Username Enumeration issue
- Developer Backdoors
- Weak change password implementation
Tools We Will Use In This Article :
1) GenyMotion : this tool create android virtual environment to test the applications . you can download it from here : Download
2) vulnerble app ( Goatdroid) : android app designed to have bugs in order to learn android app security : Download
3) Goatdroid Server : this is a java tool desgined to start a web server so the goatdroid app can connect to it : Download
4) Burpsuite : Burp Suite is an integrated platform for performing security testing of web applications : Download