Android testing
Identify compilers, packers, obfuscators
Automatic Static Tests
SSL Pinning
Missing SSL pinning
Bypass with objection
Bypass with frida
Replacing the hard-coded SHA-256 hash
Intercept network traffic using remote debugging
This allows you to intercept the traffic inside the WebView. It's especially useful in Cordova-based apps.
See WebView - Debug
Tip: if you can't use remote debugging, recompile the app and enable it.
Root Detection
Missing root detection
Bypass with frida
Identify RASP
Analyze source code
apkid --scan-depth 0 -r <apk_filename>.apk
Bypass protection analyzing the code and/or with frida
If the app returns an error message (e.g. "Your device appears to be rooted..."), search for this string in the decompiled code.
Emulator Detection
Missing emulator detection
Bypass protection analyzing the code and/or with frida
Sensitive data
Logs
Local Storage
Check whether sensitive information/data is stored in SharedPreferences.
Check whether sensitive information/data stored in the local storage database is protected with strong encryption.
Application Memory
Example: after login, check how long the app keeps the password in memory.
Backup
Check for android:allowBackup="true" in the AndroidManifest.xml
Debuggable
Check for android:debuggable="true" in the AndroidManifest.xml
If it is enabled, you can read and extract all files in the app's internal storage without root privileges.
WebView - Debug
Requirements:
setWebContentsDebuggingEnabled is set to true, OR android:debuggable="true" (setWebContentsDebuggingEnabled is enabled automatically if the app is declared debuggable). More info: https://developer.android.com/reference/android/webkit/WebView#setWebContentsDebuggingEnabled(boolean)
Note: the Apache Cordova application automatically gets attached to Chrome’s debugger. (org.apache.cordova.SystemWebEngine)
Open the application on your phone.
Open Chrome on your machine and go to chrome://inspect/#devices
In the "Remote Target" section, you will find the device and the app. Click on inspect.
Now you can look at Application Storage, Network traffic, etc.
Deep link
Why is this a security issue?
Because of Link Hijacking. This happens when a malicious app registers a URI that belongs to the victim app. If the mobile OS redirects the user to the malicious app, it can lead to phishing (e.g., the malicious app displays a forged UI to lure user passwords) or data leakage (e.g., the deep link may carry sensitive data in the URL parameters, such as session IDs).
Suppose that:
The victim user has the malicious app installed
Both apps (victim and malicious) handle geo:// and https://google.com
An intent is started
Testing
Testing Scheme URIs: check whether the app declares any custom scheme URLs. These types of deep links are not secure.
Testing Web Links: check whether the app declares any Web Links. If the app can be installed on Android < 12, they are not secure.
Testing App Links: check whether the app declares any App Links. If the app can be installed on Android < 12, proceed with the following tests.
Check for a missing Digital Asset Links file:
https://myownpersonaldomain.com/.well-known/assetlinks.json
https://digitalassetlinks.googleapis.com/v1/statements:list?source.web.site=myownpersonaldomain.com
Misconfigured: if the OS prompts you to choose between the browser and one or more apps, the App Link verification process is not correctly implemented.
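The deep-link classification above can be done statically from the decoded manifest. The following script is an added example, not part of the original page: it parses a constructed AndroidManifest.xml (assumed package com.example.victim and hosts under myownpersonaldomain.com are made up) and labels every BROWSABLE VIEW filter as a scheme URI, a Web Link or an App Link, with the finding this page assigns to each given the app's minSdkVersion.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
ANDROID_12 = 31  # API level 31 = Android 12

# Constructed sample manifest (not taken from any real app) with the three deep-link kinds.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.victim">
  <uses-sdk android:minSdkVersion="26"/>
  <application><activity android:name=".DeepLinkActivity" android:exported="true">
    <intent-filter>
      <action android:name="android.intent.action.VIEW"/><category android:name="android.intent.category.BROWSABLE"/>
      <data android:scheme="victimapp" android:host="login"/>
    </intent-filter>
    <intent-filter>
      <action android:name="android.intent.action.VIEW"/><category android:name="android.intent.category.BROWSABLE"/>
      <data android:scheme="https" android:host="myownpersonaldomain.com"/>
    </intent-filter>
    <intent-filter android:autoVerify="true">
      <action android:name="android.intent.action.VIEW"/><category android:name="android.intent.category.BROWSABLE"/>
      <data android:scheme="https" android:host="pay.myownpersonaldomain.com"/>
    </intent-filter>
  </activity></application>
</manifest>"""

def classify_deep_links(manifest_xml):
    """Return (kind, uri, finding) for every <data> in a BROWSABLE VIEW intent-filter."""
    root = ET.fromstring(manifest_xml)
    node = root.find("uses-sdk")  # Android treats a missing minSdkVersion as 1
    old_android = (int(node.get(A + "minSdkVersion", "1")) if node is not None else 1) < ANDROID_12
    results = []
    for filt in root.iter("intent-filter"):
        cats = {c.get(A + "name") for c in filt.findall("category")}
        if "android.intent.category.BROWSABLE" not in cats:
            continue
        auto_verify = filt.get(A + "autoVerify") == "true"
        for data in filt.findall("data"):
            scheme, host = data.get(A + "scheme", ""), data.get(A + "host", "")
            uri = f"{scheme}://{host}"
            if scheme not in ("http", "https"):
                results.append(("scheme", uri, "custom scheme URI: any app can register it, not secure"))
            elif not auto_verify:
                note = "web link: not secure on Android < 12" if old_android else "web link: Android 12+ only, opens in the browser unless the user opts in"
                results.append(("web", uri, note))
            else:
                note = (f"app link: verify https://{host}/.well-known/assetlinks.json"
                        if old_android else "app link: Android 12+ only, verified by the OS")
                results.append(("app", uri, note))
    return results
```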
Task Hijacking
Task hijacking is a vulnerability that affects Android applications due to the configuration of Task Control features in the AndroidManifest.xml file. This flaw can allow an attacker or a malicious app to take over legitimate apps, potentially leading to information theft.
Scenario
Security implication (this scenario)
When the back button is pressed on Bank-Main-Activity, the user will go to Mal-Activity 2.
Note: there are many other scenarios; here we focus only on this one. For more details on other scenarios: https://www.youtube.com/watch?v=lLBeoufO_Bc. Slides: https://www.slideshare.net/slideshow/android-task-hijacking/76515201
The only real remediation is updating to android:minSdkVersion="28".
Requirements:
The app can be installed on Android SDK versions < 28 (Android 9). Check that android:minSdkVersion is < 28 in AndroidManifest.xml. This vulnerability is patched from Android SDK version 28. https://developer.android.com/privacy-and-security/risks/strandhogg
android:launchMode="singleTask" in AndroidManifest.xml (necessary for this scenario)
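The manifest checks from the Backup, Debuggable and Task Hijacking sections can be scripted once the APK is decoded. The following is an added example, not part of the original page: it runs those checks over a constructed AndroidManifest.xml (package com.example.victim and its activities are made up) and reports each weak setting; an activity with an explicit empty taskAffinity is treated as mitigated, which goes slightly beyond the page's requirement list.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample manifest (not taken from any real app) carrying the weak settings.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.victim">
  <uses-sdk android:minSdkVersion="24" android:targetSdkVersion="33"/>
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity" android:launchMode="singleTask" android:exported="true"/>
    <activity android:name=".SafeActivity" android:launchMode="singleTask" android:taskAffinity=""/>
  </application>
</manifest>"""

def manifest_findings(manifest_xml):
    """Return one finding string per weak setting; an empty list means all checks passed."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    # allowBackup defaults to true when the attribute is omitted
    if app.get(A + "allowBackup", "true") == "true":
        findings.append("allowBackup=true: app data can be pulled with adb backup")
    if app.get(A + "debuggable") == "true":
        findings.append("debuggable=true: internal storage readable without root, WebView debugging enabled")
    uses_sdk = root.find("uses-sdk")
    min_sdk = int(uses_sdk.get(A + "minSdkVersion", "1")) if uses_sdk is not None else 1
    if min_sdk < 28:
        findings.append(f"minSdkVersion={min_sdk}: task hijacking not prevented by the platform (patched in SDK 28)")
        for act in app.findall("activity"):
            # singleTask with the default (package-wide) affinity is the scenario on this page;
            # an explicit empty taskAffinity keeps the activity out of a foreign task
            if act.get(A + "launchMode") == "singleTask" and act.get(A + "taskAffinity") != "":
                findings.append(f"{act.get(A + 'name')}: launchMode=singleTask with default taskAffinity")
    return findings

if __name__ == "__main__":
    for f in manifest_findings(MANIFEST):
        print("[!]", f)
```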
Testing
You can use the malware apk by Ivan Sincek: https://github.com/ivan-sincek/malware-apk
To hijack a task, modify the task affinity in the AndroidManifest.xml of malware.apk under MainActivity. Set it to PackageNameVictim (the victim app's package name) and rebuild the APK.
Example:
Tapjacking
Tapjacking is the Android-app equivalent of the clickjacking web vulnerability: a malicious app tricks the user into clicking a security-relevant control (confirmation button etc.) by obscuring the UI with an overlay or by other means.
More info: https://developer.android.com/privacy-and-security/risks/tapjacking
Testing
You can use the apk created by carlospolop: https://github.com/carlospolop/Tapjacking-ExportedActivity
Open the project in Android Studio, go to app/src/main/java/com/tapjacking/demo/OverlayService.kt and replace [PACKAGE NAME] with the package name of the vulnerable activity and [ACTIVITY NAME] with the name of the exported activity you want to launch.