In this blog, we discuss exploit scenarios for penetration testing of Android mobile devices. We have categorized the penetration testing process into the following parts:
It is considered a vulnerability if the device allows the bootloader to be unlocked regardless of whether the permissions are disabled or enabled.
To confirm the finding, we can execute commands from the adb and fastboot tools to unlock and lock the bootloader, first with the permissions disabled and then with them enabled.
Below are the commands to disable and enable the OEM lock:
fastboot oem unlock
fastboot oem lock
It is considered a vulnerability if the device allows data to be retrieved from it and pushed to it from any source without prior validation or authorization.
You can run commands from the ADB framework to fetch data from the device and push data to it without authorization.
The commands to pull and push data are:
adb pull <path-of-the-file>
adb push <source-path> <target-path>
After deploying a custom recovery, different functionalities and permission abuse in the system can be checked; the recovery can be leveraged to perform any customization or privilege escalation exploits.
Check for existing recovery builds; if there is no pre-built recovery, try to build a custom TWRP recovery using Android kitchen tools.
It is considered a vulnerable scenario when a custom-built TWRP or any other recovery provides the ability to tweak the system or perform actions that are restricted to privileged users only.
Commands used (in sequence) to flash the custom TWRP recovery are:
adb reboot bootloader
fastboot flash recovery twrp-2.8.x.x-xxx.img
fastboot reboot
It is considered a vulnerable scenario when the system can be compiled with superuser binaries or root access can be gained by any known illicit method.
Following are the different tools known to root the OS, namely:
Analyze the logs generated during the sign-up process of the specific application.
Check whether a cleartext username and password are stored during sign-up in the application.
Use the following command to identify this:
adb logcat
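One way to turn the logcat review above into a repeatable check, as an added example that is not part of the original post: it parses `adb logcat` lines in the threadtime layout and reports credential-like keys with the value redacted. The sample log, tag names and key list are constructed assumptions.

```python
import re

# Constructed `adb logcat` sample (threadtime format); not captured from a real device.
SAMPLE_LOGCAT = """\
01-15 10:21:03.412  2345  2345 D SignUpActivity: submitting form username=alice@example.com password=Summer2019!
01-15 10:21:03.530  2345  2390 I OkHttp  : --> POST https://api.example.com/v1/signup
01-15 10:21:03.531  2345  2390 I OkHttp  : {"email":"alice@example.com","passwd":"Summer2019!"}
01-15 10:21:04.002  1200  1200 W ActivityManager: Slow operation: 52ms
01-15 10:21:04.100  2345  2345 D SignUpActivity: password field validated
"""

# threadtime layout: date time pid tid level tag: message
LINE_RE = re.compile(r"^\S+ \S+\s+(\d+)\s+\d+\s+([VDIWEF])\s+(.*?)\s*: (.*)$")
# Credential-like keys in key=value, key: value or JSON "key":"value" form.
# The key list is an assumption; extend it for the application under test.
CRED_RE = re.compile(
    r"""["']?\b(user(?:name)?|login|e-?mail|pass(?:word|wd)?|pwd)\b["']?\s*[=:]\s*["']?([^\s"',}&]+)""",
    re.IGNORECASE,
)


def redact(value):
    """Keep only the first character so the report does not re-leak the secret."""
    return value[0] + "*" * (len(value) - 1)


def find_credential_leaks(logcat_text):
    """Return one finding per credential-like key/value seen in a log message."""
    findings = []
    for line in logcat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # separators such as "--------- beginning of main"
        pid, level, tag, message = m.groups()
        for key, value in CRED_RE.findall(message):
            findings.append({"pid": int(pid), "level": level, "tag": tag,
                             "key": key.lower(), "value": redact(value)})
    return findings


if __name__ == "__main__":
    for finding in find_credential_leaks(SAMPLE_LOGCAT):
        print(finding)
```

Lines that merely mention the word "password" without a value, like the last sample line, are not reported.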
In the initial phase, operations such as binwalk, strings, hexdump, etc. can be performed on each image file. The primary goal is to extract the maximum amount of information, such as files, certificates, keys or any sensitive information disclosures.
An interesting part is extracting the third-party APK files from the firmware. The stock ROM of a mobile device always uses third-party APKs for different applications. We can analyze such APKs by extracting the respective Java files.
Perform manual patch analysis to verify that the security patches have been applied and implemented to date. Also, compare the last and second-to-last Android security patches to find whether any unresolved vulnerability is present in the target device.
Firmware Over-The-Air (FOTA) is a Mobile Software Management (MSM) technology in which the operating firmware of a mobile device is wirelessly upgraded and updated by its manufacturer.
Every application has an AndroidManifest.xml file (with precisely that name) in its root directory. The manifest file describes essential information about the application, such as its package and its components: activities, services, broadcast receivers, content providers, etc.
Perform manual analysis of the Android manifest files by extracting the source files of the pre-installed applications.
It is a good idea to focus on the following flags:
If the allowBackup flag is set to ‘true’ for any application, it can allow an attacker to retrieve sensitive information through adb.
Check the hard coded values within the APK files either through the manifest files or by dumping the firmware. It may result in some secret values or codes being disclosed in cleartext.
Our focus should be on exploiting them through quick actions such as configuration modification or alteration of data.
Check for different API keys within the manifest file to exploit those keys against their corresponding services.
Sometimes we can get data that is commented out within the manifest file. Although the comments won’t disclose any sensitive information, it is a good practice to not provide any comments after the release of the application.
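The manifest checks described above (allowBackup, hard-coded keys and leftover comments) can be scripted; the following is an added example, not code from the original post. It assumes the manifest has already been decoded from the APK's binary XML to text XML (for example with apktool), and the sample manifest, package name and key value are constructed.

```python
import re
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed decoded manifest; the package, names and key value are made up.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.preinstalled">
    <!-- TODO: switch staging endpoint before release -->
    <application android:label="Demo" android:allowBackup="true">
        <meta-data android:name="com.example.maps.API_KEY"
                   android:value="EXAMPLE-KEY-0000-not-a-real-key"/>
        <meta-data android:name="com.example.build.channel" android:value="oem"/>
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# meta-data names that suggest a secret; this pattern is an assumption of the example.
SECRET_NAME = re.compile(r"(api[_.-]?key|secret|token|passw(or)?d)", re.IGNORECASE)


def audit_manifest(xml_text):
    """Return (check, detail) findings for a decoded AndroidManifest.xml."""
    findings = []
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is not None:
        backup = app.get(A + "allowBackup")
        if backup is None:
            findings.append(("allowBackup", "attribute absent, platform default is true"))
        elif backup.strip().lower() == "true":
            findings.append(("allowBackup", "explicitly set to true"))
    for md in root.iter("meta-data"):
        name, value = md.get(A + "name", ""), md.get(A + "value")
        if value and SECRET_NAME.search(name):
            # Report the length only, so the audit output does not copy the key.
            findings.append(("hardcoded-value",
                             "%s carries a literal value (%d chars)" % (name, len(value))))
    # ElementTree drops comments while parsing, so read them from the raw text.
    for comment in re.findall(r"<!--(.*?)-->", xml_text, re.DOTALL):
        findings.append(("comment", comment.strip()))
    return findings


if __name__ == "__main__":
    for check, detail in audit_manifest(SAMPLE_MANIFEST):
        print(check, "-", detail)
```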
Here we can check and analyze the algorithm used for creating certificates.
For example,
openssl pkcs7 -inform DER -print_certs -out cert.pem -in CERT.RSA
cat cert.pem
keytool -printcert -file CERT.RSA
The result shows the algorithm used:
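To make the certificate review above a pass/fail check, this added example (not the post's own output or code) reads the text printed by `keytool -printcert` and flags weak signature digests and short RSA keys. The sample output is constructed, and the weak-digest list and 2048-bit threshold are assumptions of the example.

```python
import re

# Constructed samples shaped like English-locale `keytool -printcert` output.
SAMPLE_OLD = """\
Owner: CN=Example OEM, O=Example, C=US
Issuer: CN=Example OEM, O=Example, C=US
Serial number: 1a2b3c4d
Valid from: Mon Jan 05 00:00:00 UTC 2015 until: Fri May 22 00:00:00 UTC 2042
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3
"""
SAMPLE_NEW = SAMPLE_OLD.replace("SHA1withRSA", "SHA256withRSA").replace("1024-bit", "2048-bit")

WEAK_DIGESTS = ("MD2", "MD5", "SHA1")  # assumed policy for this example
MIN_RSA_BITS = 2048                    # assumed policy for this example


def assess_certificate(printcert_output):
    """Extract the signature algorithm and key size and list policy violations."""
    result = {"signature_algorithm": None, "key_bits": None, "issues": []}
    sig = re.search(r"^Signature algorithm name:\s*(\S+)", printcert_output, re.M)
    if sig:
        alg = sig.group(1)
        result["signature_algorithm"] = alg
        # "SHA1withRSA" -> "SHA1"; the digest is the part before "with".
        digest = alg.upper().split("WITH")[0].replace("-", "")
        if digest in WEAK_DIGESTS:
            result["issues"].append("weak digest in signature: " + alg)
    else:
        result["issues"].append("signature algorithm line not found")
    # Older keytool builds omit this line, so its absence is not an issue.
    key = re.search(r"^Subject Public Key Algorithm:\s*(\d+)-bit (\w+) key",
                    printcert_output, re.M)
    if key:
        bits, kind = int(key.group(1)), key.group(2)
        result["key_bits"] = bits
        if kind == "RSA" and bits < MIN_RSA_BITS:
            result["issues"].append("RSA key shorter than %d bits: %d" % (MIN_RSA_BITS, bits))
    return result


if __name__ == "__main__":
    print(assess_certificate(SAMPLE_OLD))
    print(assess_certificate(SAMPLE_NEW))
```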
Performing static and dynamic analysis of the targeted mobile device.
In this scenario, focus on the list of vulnerabilities and exploits available in public knowledge bases. Apart from this, look for new vulnerabilities that emerged after the release date of the mobile device, using the latest security patches from Google.
https://source.android.com/security/bulletin/2019-01-01
We have discussed the test cases for mobile device penetration testing. The mobile device security testbed allows pentesters to test the mobile devices in realistic scenarios. The given testbed includes the components for penetration testing of wide-scale deployments such as mobile device bootloader, mobile device firmware/OS, pre-installed applications present in mobile devices.