Setting up an Android Pentesting Environment

Importance of smartphone in 21th century!

In the 21th century, People in the world is adopting the smartphone as a part of life. People are using smartphone for payment, photography, social networking, SMS, email, calling, chatting and so on. There are near about 2.4 billion smartphone subscription in the world today and that is expected to grow to near about 6.3 billion by 2020. Now a days the smartphone is become the target for hackers as it can yield a abundance of information about the individual carrying it and may prove to be a key entry point to the corporate or institutional network.

Method 1: Setting up an Android Pentesting Environment using Genymotion and Appie.

  • First we need a rooted android device or an android emulator for installing the app. There are many android emulators in the market. We will download and setup Genymotion. We have to create a user account and activate it.
  • After downloading the setup and installing on the local computer. Open setting in the Genymotion and login with your credentials which you have registers on the Genymotion site.
  • Choose Google Nexus 4.2.2 and click next. There is a reason for choosing this device with Android 4.2.2 because we will be using Cydia Susbtrate which only work up to Android 4.2.
  • Now We have an virtual android device.
  • We also need a software package called Appie. Appie contains the most of the tools necessary for android application pentesting.
  • Now we need to set adb path in Genymotion in order to use virtual device with Appie.
  • Go to Genymotion then click on settings.
  • Then in the ADB tab, select “Use Custom Android SDK Tools”
  • Then select the path of sdk folder which is located at path_to_appie/bin/adt/sdk/. If it through an error that “AAPT tool not found”. Ignore it.
  • Open the Appie and type adb devices. It will show the connected device information.
  • Now we all set with the pentesting environment. We only need to install the app which we have to test.
  • For installing the app from the Appie type adb install /path/name_of_the_apk and hit enter.
  • After successfully installing the app, we are ready to test this app.
  • We will explore the Owasp top 10 mobile attack in next blog post.

Method 2: Setting up an Android Pentesting Environment using tamer operating system.

  • Download the tamer operating system virtual box file.
  • Install the tamer operating system inside the virtual box.
  • Tamer operating system is design for mobile app pentesting. It contains all require tools for mobile app pentesting.
  • In tamer operating system we also need to create an emulator.
  • Go to Android SDK manager and install android 4.2.2.
  • Go to AVD (Android Virtual Device) Manager.
  • Create new AVD with target name Android 4.2.2.
  • Start nexus android 4.2.2 from Android Virtual Manager.
  • Go to Android Debug Bridge.
  • Type command adb devices.
  • It will show the information about the connected emulator.
  • Now we have to install the app which we would like to test.
  • Type command adb install /path/name_of_the_apk.
  • After successfully installing the app, we are ready to test this app.
  • We will explore the Owasp top 10 mobile attack in next blog post.

Vulnerable Android apps.

We will use following open source vulnerable Android apps for testing:

ADB (Android Device Bridge).

ADB lets you connect to a running Android device or emulator. You can make phone calls, send sms, list installed packages, mock gps coordinates and many more functions. The adb command line is found in the SDK platform-tools folder.

Tools:

  • APKTool
  • JD-Gui
  • Super android Analyzer
  • MobSF
  • Drozer
  • AndroBugs
  • QARK(Quick Android Review Kit)

That’s All For Today! Feel free to comment about any issues you are facing.