Mobile device penetration Testing

In this blog, we are going to discuss the exploit scenarios to perform penetration testing for android mobile devices. Here we have categorized the penetrating testing process in the following parts:

• Mobile device hardware penetration testing
• Mobile device OS/Image reverse engineering 
• Analysis of Pre-installed application in mobile 
• Latest patches and known vulnerabilities 

Mobile device hardware penetration testing

Unlocking the bootloader 

It is considered as a vulnerability if the device allows the unlocking of bootloader with disabled or enabled permissions.

We can execute the commands from adb & fastboot framework for unlocking and locking the bootloader with the permissions disabled as well as enabled them to confirm the findings.

Below are the commands to disable and enable the OEM

fastboot oem unlock  

fastboot oem lock 

Pushing & pulling data via adb 

It is considered as a vulnerability if the device allows the retrieval and pushing of data from any source without any prior validation or authorization.  

You can run the commands from ADB framework to fetch the data and push the data to & from the device without authorization.

Commands to pull & push the data are

adb pull <path-of-the-file>

adb push <source-path> <target-path>

Installing custom recovery 

Different functionalities and permission abuse in the system can be checked after deploying the custom recovery which can be leveraged to perform any customization or privilege escalation exploits. 

Check for the recovery builds, but if there is no pre-built recovery, try to build custom TWRP Recovery using Android kitchen tools.  

It is considered as a vulnerable scenario when the use of a custom-built TWRP or any other recovery provides the ability to tweak or perform actions which are restricted to any privileged users only. 

Commands used (in sequence) to flash the custom TWRP recovery are: 

adb reboot bootloader

fastboot flash recovery twrp-2.8.x.x-xxx.img

 fastboot reboot

Rooting the device 

It is considered as a vulnerable scenario when the system can be compiled with superuser binaries or the root access can be gained by any illicit method known. 

Following are the different tools known to root the OS, namely: 

• Magisk
• SuperSU
• One Tap Root Method like using the app KingoRoot. 

Vulnerabilities with ADB 

Analyze the logs generated during the sign up process of the specific application. 

Check for a clear text username and password is stored during the sign up in the application. 

Use the following command  below to identify the same:

adb logcat 

Firmware/OS reversing 

Reverse engineering of image files 

At the Initial phase, operations like binwalk, strings, hexdump etc. can be performed on each image file. The primary goal of the operation is to extract the maximum amount of information like files, certificates, keys or any sensitive information disclosures. 

Analysis of 3rd party APK’s 

It is an interesting part to extract the 3rd party APK files from the firmware. The stock ROM of the mobile always uses the 3rd party APK’s for different applications. we can analyze such APK’s by extracting the respective java files. 

Security patch analysis

Perform manual patch analysis to verify the security patches have been applied and implemented till date. Also, compare the last and second last android security patches to find if any unresolved vulnerability is present in the target device. 

Analysis of FOTA

Firmware Over-The-Air (FOTA) is a Mobile Software Management (MSM) technology in which the operating firmware of a mobile device is wirelessly upgraded and updated by its manufacturer. 

Analysis of pre-installed applications 

Manual analysis of android manifest files 

Every application has an AndroidManifest.xml file (with precisely that name) in its root directory. The manifest file describes essential information about your application like your package, including components of the application such as activity, services, broadcast, receivers, content providers, etc. 

Perform manual analysis of the Android Manifest Files by extracting the source files of the Pre-installed applications.

It is a good idea to focus on the following flags: 

• Broadcast 
• Backup 
• Intent 
• Export 
• Permission 
• Content provider 

If the allowed backup is set ‘True’ for any application, it can allow an attacker to retrieve sensitive information through adb

The Hard-Coded values 

Check the hard coded values within the APK files either through the manifest files or by dumping the firmware. It may result in some secret values or codes being disclosed in cleartext. 

Our focus should exploit them by performing some quick actions in terms of configuration modification or some alteration of data.  

Check for different API keys within the manifest file to exploit those keys against their corresponding services. 

Sometimes we can get data that is commented out within the manifest file. Although the comments won’t disclose any sensitive information, it is a good practice to not provide any comments after the release of the application. 

The signature algorithms

Here we can check and analyze the algorithm used for creating certificates.

For example,

1. Hashing Algorithm
2. The key size of the Algorithm
3. Validation of the Certificates 

• Check for the key length of different algorithms used for both encryption and hashing. The key length should be strong enough to avoid any brute force attack. 
• Check the validation of the certificate by checking if it has a valid CA.  
• Make use of openssl tool to analyze the certificate and the algorithms used, using the following commands: 

openssl pkcs7 -inform DER -print_certs -out cert.pem -in CERT.RSA  

cat cert.pem 

keytool -printcert -file CERT.RSA 

The result shows the algorithm used:

Analysis of the latest security patches and known vulnerabilities

Performing static and dynamic analysis of the targeted mobile device. 

 In this scenario, focus on the list of vulnerabilities and exploits available in public knowledge base. Apart from this, look for the new vulnerabilities that emerged after the release date of the mobile device for the latest security patches from Google. 

• You can check the upcoming updates and patched vulnerabilities of the android version of target device from the below URL.

https://source.android.com/security/bulletin/2019-01-01

• Analyze the exploits released for specific vulnerable features for example fingerprint lock, face unlock etc.

Conclusion

We have discussed the test cases for mobile device penetration testing. The mobile device security testbed allows pentesters to test the mobile devices in realistic scenarios. The given testbed includes the components for penetration testing of wide-scale deployments such as mobile device bootloader, mobile device firmware/OS, pre-installed applications present in mobile devices.