Android testing

Identify compilers, packers, obfuscators

# https://github.com/rednaga/APKiD

apkid --scan-depth 0 -r <apk_filename>.apk

Automatic Static Tests

# https://github.com/mindedsecurity/semgrep-rules-android-security

# 1. Decompile apk
jadx <apk_filename>.apk
# 2. Use semgrep
semgrep -c <path>/rules/ <path>/target_src/sources

SSL Pinning

Missing SSL pinning
Bypass with objection

# 1. Get package
adb shell pm list packages

# 2. Objection 
objection --gadget <com.package.app> explore --startup-command "android sslpinning disable"

Bypass with frida

# 1. Get package
adb shell pm list packages

# 2. Frida
frida -U --codeshare akabe1/frida-multiple-unpinning -f <com.package.app>
frida -U --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f <com.package.app>

Replacing hard-Coded Sha256 hash

# Detection
# 1. Decompile apk
# 2. Open jadx-gui
# 3. Search "sha256/"

# Replace Burp Suite certificate hash
# 4. Export Certificate in DER format from Burp
# 5. Convert DER to PEM certificate
openssl x509 -inform DER -in cacert.cer -out cacert.crt
# 6. Get Hash
openssl x509 -in cacert.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

Intercept network traffic using remote debugging

This allow you to intercpet the traffic in the webview. It's especially useful in cordova-based apps.

See WebView - Debug

Tip: if you can't use remote debugging, recompile the app and enable it.

Root Detection

Missing root detection
Bypass with frida

frida --codeshare dzonerzy/fridantiroot -f <com.package.app> -U

Identify RASP
- Analyze source code
- apkid --scan-depth 0 -r <apk_filename>.apk
Bypass protection analyzing the code and/or with frida
- If the app return an error message (ex: "Your device appears to be rooted..."), search this string inside the code

Emulator Detection

Missing emulator detection
Bypass protection analyzing the code and/or with frida

Sensitive data

Logs

adb logcat | grep "$(adb shell ps | grep <package-name> | awk '{print $2}')"

Local Storage

# Print out applications Files, Caches and other directories
objection -g <package_name> run env

# Data app location folder
/data/data/<package_name>

Check for sensitive information/data store on Shared Preferences or not
Check if sensitive information/data is stored in the local storage database using strong encryption on or not

Application Memory

Example: after login see how long the app keeps the password in memory

# Start objection
objection -g 'exampleapp' explore

# Search a specific string
memory search <input_string> --string

# Dump all and then extract strings
memory dump all appMemoryDump
strings appMemoryDump > appMemoryDump.txt

Backup

Check android:allowBackup="true" in the AndroidManifest.xml

# Backup one application with its apk
adb backup -apk <package_name> -f <backup_name>.adb

# Restore backup
adb restore <backup_name>.ab

Debuggable

Check android:debuggable="true" in the AndroidManifest.xml

If it is enable you can read and extract without root privileges all files inside the app internal storage.

adb exec-out run-as <package_name> tar c . > output.tar

WebView - Debug

Requirements:

setWebContentsDebuggingEnabled is set to true
OR android:debuggable="true" (setWebContentsDebuggingEnabled is enabled automatically if the app is declared) More info: https://developer.android.com/reference/android/webkit/WebView#setWebContentsDebuggingEnabled(boolean)

Note: the Apache Cordova application automatically gets attached to Chrome’s debugger. (org.apache.cordova.SystemWebEngine)

Open the application on your phone
Open chrome on your machine chrome://inspect/#devices
In the “Remote Target” section, you will find the device and the app. Click on inspect.
Now you can look for Application Storage, Network traffic, etc.

Deep link

Types of links

Scheme URL

App developers customize any schemes and URIs for their app without any restriction

Ex: fb://profile, geo://

<activity android:name=".MyMapActivity" android:exported="true"...>
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="geo" />
    </intent-filter>
</activity>

When the user clicks a deep link, a disambiguation dialog might appear. This dialog allows the user to select one of multiple apps, including your app, that can handle the given deep link

Web links

Web links are deep links that use the HTTP and HTTPS schemes.

Note: On Android 12 and higher, clicking a web link (not an Android App Link) opens it in a web browser. On earlier Android versions, users may see a disambiguation dialog if multiple apps can handle the web link.

<intent-filter>
    <action android:name="android.intent.action.VIEW" />
    <category android:name="android.intent.category.DEFAULT" />
    <category android:name="android.intent.category.BROWSABLE" />
    <data android:scheme="http" />
    <data android:host="myownpersonaldomain.com" />
</intent-filter>

Android App Links

Android App Links, available on Android 6.0 (API level 23) and higher, are web links with the autoVerify attribute. This lets your app become the default handler for the link type, so when a user clicks an Android App Link, your app opens immediately if installed, without a disambiguation dialog.

<intent-filter android:autoVerify="true">
    <action android:name="android.intent.action.VIEW" />
    <category android:name="android.intent.category.DEFAULT" />
    <category android:name="android.intent.category.BROWSABLE" />
    <data android:scheme="http" />
    <data android:scheme="https" />
    <data android:host="myownpersonaldomain.com" />
</intent-filter>

In this case Android attempt to access the Digital Asset Links file in order to verify the App Links. A deep link can be considered an App Link only if the verification is successful.

Why this is a security issue?

Because of Link Hijacking. This happen when a malicious app registers an URI that belongs to the victim app. If mobile OS redirects the user to the malicious app, it can lead to phishing (e.g., the malicious app displays forged UI to lure user passwords) or data leakage (e.g., the deep link may carry sensitive data in the URL parameters such as session IDs).

Suppose that:

The victim user have malicious app installed
Both apps (victim and malicious) manage geo:// , https://google.com

Android

Victim App installed

Link supported

URI

Behavior

Start an intent

adb shell am start -W -a android.intent.action.VIEW -d "geo://"

Testing

Testing Scheme URI: Check if there are any scheme URL. These types of deep links are not secure.
Testing Web Links: Check if there are any Web Links. If the app can be installed on Android < 12, then they are not secure.
Testing App Links: Check if there are any App Links. If the app can be installed on Android < 12, then proceed with testing.
- Check for missing
  - Digital Asset Links file: https://myownpersonaldomain.com/.well-known/assetlinks.json , https://digitalassetlinks.googleapis.com/v1/statements:list?source.web.site=myownpersonaldomain.com
- Misconfigured
  - If the OS prompts you to choose between Browser and one or more apps, then the app link Verification process is not correctly implemented.

Task Hijacking

Task hijacking is a vulnerability that affects Android applications due to the configuration of Task Control features in the AndroidManifest.xml file. This flaw can allow an attacker or a malicious app to take over legitimate apps, potentially leading to information theft.

Scenario

Security implication (this scenario)

When the back button is pressed on Bank-Main-Activity, the user will go to the Mal-Activity 2 .

Note:

There are many other scenarios, in this case we focus only on this one. For more details on other scenarios: https://www.youtube.com/watch?v=lLBeoufO_Bc. Slides: https://www.slideshare.net/slideshow/android-task-hijacking/76515201
The only real remediation is update to android:minSdkVersion="28".

Requirements:

The app can be installed on Android SDK version < 28 (Android 9). Check android:minSdkVersion is < 28 in AndroidManifest.xml
- This vulnerability is patched from Android SDK version 28. https://developer.android.com/privacy-and-security/risks/strandhogg
android:launchMode="singleTask" in AndroidManifest.xml (necessary for this scenario)

Testing

You can use malware apk by ivan sincek. https://github.com/ivan-sincek/malware-apk

To hijack a task, modify the task affinity in AndroidManifest.xml of malware.apk under MainActivity. Set it to PackageNameVictim and rebuild the APK.

Example:

<! -- AndroidManifest.xml victim.apk -->
<manifest ... package="com.victim.bank" ...>

<! -- AndroidManifest.xml malware.apk -->
<activity android:name="com.kira.malware.activities.MainActivity" android:exported="true" android:taskAffinity="com.victim.bank" ...>

Tapjacking

Tapjacking is the Android-app equivalent of the clickjacking web vulnerability: a malicious app tricks the user into clicking a security-relevant control (confirmation button etc.) by obscuring the UI with an overlay or by other means.

More info: https://developer.android.com/privacy-and-security/risks/tapjacking

Testing

You can use the apk created by carlospolop: https://github.com/carlospolop/Tapjacking-ExportedActivity

Open the project in Android studio and go to app/src/main/java/com/tapjacking/demo/OverlayService.kt and change [PACKAGE NAME] for the package name vulnerable activity and [ACTIVITY NAME] for the name of the exported activity you want to launch

Last updated 1 month ago