# Android Pentesting Checklist

## Android Security Architecture

[Official Android Security Documentation](https://source.android.com/security/overview/app-security)

**Android Overview:**

* Solely based on the Linux OS
  * Commands such as ls, cd, rm, mkdir are all functional within android
  * Keep the Linux file permission in mind during testing
* Has to support multiple CPU types such as SoC, ARM and also 32/64 bit versions of each

**Android Runtime (ART)**

* Translation layer from bytecode to instructions
* Every app is sandboxed as its own VM
* Applications are isolated by creating a unique new user for the account

**Android Identity and Access Management (IAM)**

* This also follows the UID structure as designed in Linux
* Android must be rooted to access certain directories for testing

User Profiles

* **Primary User** is created the first time the phone starts, always running and can only be removed by factory reset
* **Secondary user** can be added to the device and can be deleted by the primary user
* **Guest User** is only allowed one account on device
* **Kids Mode** this is often found on Google Kids Spaces devices(currently tablets only)

**Hardware Abstraction Layer (HAL)**

* Allows apps to access various hardware component on the device
* HALs include technologies such as Apple Car Play, Android Auto, IoT Devices, Smart watches

#### Test Environment setup

[Install Java](https://www.java.com/en/download/manual.jsp) for your testing OS (if not installed already)

* Debian-Based Distro - Run command `sudo apt-get install default-jdk -y`

Install Dex to Java decompiler:

* [JADX-GUI for Windows](https://github.com/skylot/jadx/releases) .exe (Add .exe to C:\\\Windows for CLI)
* For Mac run the command `brew install jadx`
* Debian-based distro - Run command `sudo apt-get install jadx`

ADB Install - Download [SDK Platform-Tools](https://developer.android.com/tools/releases/platform-tools) for your host OS

* This is the shell for accessing the Android

Install [Apktool](https://ibotpeaches.github.io/Apktool/install/) for the testing OS

* For Mac run the command `brew install apktool`
* Debian Based Distro - `sudo apt-get install apktool -y`

Download [Android Studio](https://developer.android.com/studio), [GenyMotion](https://www.genymotion.com/download/), or [Visual Studio Emulator for Android](https://visualstudio.microsoft.com/vs/msft-android-emulator/) for the testing OS

Enable Developer Mode on device

* For physical device enable USB Debugging as well

**How to start ADB with port open on host machine:**

* `adb -a nodaemon server`

(if you receive an error that the port is already in use, kill the adb process - this will vary per your Operating System)

* `taskkill /f /t /im adb.exe`
* then run: `adb -a nodaemon server`

From the networked machine, or VM run the following command to connect to the emulator via the newly opened port:

`adb -H <host_machine_IP> -P 5037 shell`

\
**Android Manifest.xml**

* Present in every Android App
* It is also where the basic of the application are defined such as permissions, Content Providers, Activities, and minSDKVersion

\
**Information Gathering:**

Find information about the company via Google Play store

* Read app reviews and app announcements
* Enumerate the creator of the application
* Enumerate versions and patch notes
* Enumerate other apps that belong to the company

`TargetSdkversion`\
OS version an app was designed for\
\
`< package= com.vulnerableapp.test>`\
`Describes package/app name`\
\
`<uses-sdk android:minSdkVersion="17" android:minSdkVersion="21"/>`\
`App minimum and maximum supported versions(range)`

\
[APKLeaks](https://github.com/dwisiswant0/apkleaks) - analyze compiled APK file

#### Pulling an APK

1. Download app from google play store on the android device OR an .apk file will be provided by client
2. Run the following commands in a terminal:
   1. `abd shell` (this drops you into a shell on your emulator or physical phone)
   2. `pm list packages | grep <Identifier>` (this will display the name of the package installed on the phone, in our case we did grep injured, copy result for step 5 below)
   3. `pm path <packagename>` (list the file path of the package, copy the file path for step 7 below)
   4. Exit the adb shell with: `exit`
   5. `adb pull <PathToPackage> <NameOfNewFile>.apk` (this will pull the apk from the file path on the phone and save it to whatever file name we want

**APK from phone to computer:** To get apk from the phone to your computer use the following commands

* [ ] adb shell pm list packages (this will list all packages) or adb shell pm list packages | grep \<identifier>
* [ ] adb pm path (domain.com)
* [ ] adb pull \<copied file path> OR adb pull \<copied file path> \<newname>.apk (second command renames the base apk)

#### Testing Methodology

Source: <https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05b-basic-security_testing>

1. Open android studio
2. Plug in phone and make sure it connects to android studio
3. Run the following to make a connection over usb to get traffic from the phone through burp. (physical phone)
   * [ ] adb revserse tcp:\<port from burp i.e 8082> tcp:\<same port i.e 8082>
4. Pull the APK or install the APK
5. Throw the APK in mobsf for static analysis (mobsf will look through all the files and pull out data for you)
   * [ ] Check mobsf findings (url's, harded coded keys, etc)
   * [ ] Check out the manifest.xml (where some important things can be stored)
6. Use apktool to pull files from the phone to do a more manual static analysis
   * [ ] apktool d \<example.apk>
   * [ ] Manuel click through of the files
7. Can also use jadx-gui to search files manually
   * [ ] jadx-gui
   * [ ] Pick apk file to drop in
   * [ ] Look at manifest.xml file
   * [ ] Check resrources.arsc for strings, xml, json i. Resrouces.ars -> res -> values
   * [ ] Can also use the search to look through all the files i. i.e password, api\_key, etc
8. Open the APP on phone or emulator
9. Make sure traffic is being proxied through burp
10. Run objection
    * [ ] objection --gadget explore
11. Disable sslpinning if the app is preventing from exploring
    * [ ] a. android sslpinning disable --quiet
12. Check android keystore for any credentials
    * [ ] a. android keystore list
13. Run Drozer and the following commands
    * [ ] Check attack surface
      * [ ] run app.package.attacksurface \<com.app.android>
    * [ ] Check activity info
      * [ ] run app.activity.info -a \<com.app.android>
    * [ ] Check package info
      * [ ] run app.package.info -a \<com.app.android>
    * [ ] Check Broadcasts
      * [ ] run app.broadcast.info -a \<com.app.android>
    * [ ] Scan URI's
      * [ ] run scanner.provider.finduris -a \<com.app.android>
    * [ ] Directory traversal
      * [ ] run scanner.provider.traversal -a \<com.app.android>
    * [ ] SQL Injection
      * [ ] Run scanner.provider.injection -a \<com.app.android>
14. if there is a firebase url navigate to the url and add the following json check to see if its vulnerable
    * [ ] a. <https://example-mobile.firebaseio.com/.json>
    * [ ] b. If this is denied you can try and fuzz an endpoint i. i.e <https://example-mobile.firebaseio.com/FUZZ/.json>
15. In android studio check the /data/data/\<com.example.android>
    * [ ] Check xml files, strings, .json files, DB's
16. Copy db to sdcard
    * [ ] adb shell "su -c cp /data/data/\<com.exampleapp.android>/databases/ /sdcard/Dwonload"
17. Pull dbs to local machine
    * [ ] adb pull /sdcard/Download/
18. View dbs in db browser sqlite
19. Do a manual click through and generate some traffic with burp
20. Run a burp scan
21. Test app like it’s a web app. (XSS, SQL injection, login bypass etc)
22. Check logs in android studio to see if any sensitive data is passed through.
    * [ ] a. Can also use the command line tool to check the logs or you can use android studio to view the logs
    * [ ] b. adb logcat