
SMT BLOG

Android applications are now one of the best ways for companies to deliver their services, because almost everyone uses mobile applications and most of them run Android, since it ships on affordable phones. In this article we will prepare an Android penetration testing lab so we can test an app and see whether it holds up against attackers, who may target a banking application to steal customer credentials or use the app to reveal highly confidential information about the bank.

What is mobile app penetration testing?

Mobile app penetration testing is trying to hack the app to obtain valuable information or user credentials, and to discover bugs that could crash the app or let an attacker escalate to the app's owner and change its behaviour. It is like penetration testing websites and servers, because the setup is the same: a device running an app on an OS that communicates with a server.

Common Vulnerabilities We Must Search For In Your Application

  • Insecure or unnecessary client-side data storage: Data from applications such as user
    credentials (username and password) and credit card information may be stored in the
    device's memory. This data, if not properly encrypted, can be accessed by a hacker
    and stolen. Example: the recent Skype vulnerability.
  • Lack of data protection in transit: if the connection between the web and the device
    is not secure, then the transaction can be tampered with.
  • Personal data leakage: browser cache, search history records, location tracking –
    this data, if not secured, can be accessed by the attacker.
  • Failure to protect resources with strong authentication: certain applications, like
    Google, have single sign-on, which can be used by the attacker to gain access to the
    account.
  • Failure to implement a least privilege authorization policy: Some applications may
    have been given more permissions than necessary. For example, a file requiring
    READ permission is assigned READ WRITE permission.
  • Client-side injection: Client-side XSS and SQL injection can be performed on the
    device.
  • Client-side DoS: a particular service or application is blocked from access. For example,
    if the contacts list has been blocked by a DoS attack, the user will not be able to
    access the list to make calls.
  • Malicious third-party code: Malicious third-party code installed on the device can
    gain access to device resources and data.
  • Client-side buffer overflow: Certain native libraries in Android are vulnerable to
    client-side buffer overflow attacks because of improper or insufficient input/output
    validation.
  • Failure to apply server-side controls: Any attacker can pose as the client and attempt
    SQL injection, XSS or other attacks.

Penetration Testing Scenario:

In this article we will set up our own Android penetration testing lab, using an app designed to contain common flaws so that beginners in this field can train.

The vulnerable app will connect to a web server that we will set up on the host machine. We will then use Burp Suite to inspect the unencrypted traffic between the app and the web server and look for flaws in the app.

The vulnerable app has these flaws:

  • Flawed Broadcast Receivers
  • Intent Sniffing and Injection
  • Weak Authorization mechanism
  • Local Encryption issues
  • Vulnerable Activity Components
  • Root Detection and Bypass
  • Insecure Content Provider access
  • Insecure Webview implementation
  • Weak Cryptography implementation
  • Application Patching
  • Sensitive Information in Memory
  • Insecure Logging mechanism
  • Android Pasteboard vulnerability
  • Application Debuggable
  • Android keyboard cache issues
  • Android Backup vulnerability
  • Runtime Manipulation
  • Insecure SDCard storage
  • Insecure HTTP connections
  • Parameter Manipulation
  • Hardcoded secrets
  • Username Enumeration issue
  • Developer Backdoors
  • Weak change password implementation
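Several of the flaws in this list (Application Debuggable, Android Backup vulnerability, Insecure HTTP connections, and the exported activity, broadcast receiver and content provider issues) are visible in the app's AndroidManifest.xml before any traffic is captured. The following Python script is an added example, not part of the original article or of the InsecureBank project; it audits a constructed sample manifest (the package and component names are made up) for exactly those settings.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not InsecureBank's own) carrying several flaws from the list.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.labbank">
  <application android:debuggable="true" android:allowBackup="true"
      android:usesCleartextTraffic="true">
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <receiver android:name=".BalanceReceiver" android:exported="true"/>
    <provider android:name=".NotesProvider" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""

def attr(elem, name):
    """Read a namespaced android:* attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def is_launcher(comp):
    """The launcher activity must be reachable from the home screen, so it is not a finding."""
    return any(attr(c, "name") == "android.intent.category.LAUNCHER"
               for c in comp.iter("category"))

def audit_manifest(manifest_xml):
    """Return (component, finding) pairs for manifest settings that map onto the flaw list."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    if attr(app, "debuggable") == "true":
        findings.append(("application", "debuggable build (Application Debuggable)"))
    if attr(app, "allowBackup") != "false":  # the attribute defaults to true when absent
        findings.append(("application", "ADB backup allowed (Android Backup vulnerability)"))
    if attr(app, "usesCleartextTraffic") == "true":
        findings.append(("application", "cleartext traffic allowed (Insecure HTTP connections)"))
    for tag in ("activity", "receiver", "provider", "service"):
        for comp in app.findall(tag):
            exported = attr(comp, "exported")
            # With no explicit flag, a component that declares an intent-filter is exported.
            implicit = exported is None and comp.find("intent-filter") is not None
            if (exported == "true" or implicit) and not is_launcher(comp) \
                    and attr(comp, "permission") is None:
                findings.append((attr(comp, "name"), f"exported {tag} with no permission"))
    return findings
```

Running `audit_manifest(SAMPLE_MANIFEST)` reports six findings; the launcher activity and the non-exported service are correctly left alone.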

Tools We Will Use In This Article:

1) Genymotion: this tool creates an Android virtual environment in which to test the applications.

2) Android Insecure Bank: this is the vulnerable app together with its web server.

3) Burp Suite: an integrated platform for performing security testing of web applications.

4) IP Tools: an Android app that shows the IP address of the device, so you know which interface to bind the server to.

5) Wireshark: a great tool that captures all the traffic leaving a network interface so we can analyze it later.

Now let's get to work:

** Disclaimer **

Any actions and/or activities related to the material contained within this website are solely your responsibility. The misuse of the information on this website can result in criminal charges being brought against the persons in question. The authors will not be held responsible in the event that any criminal charges are brought against any individuals misusing the information on this website to break the law.

This site contains materials that can be potentially damaging or dangerous. If you do not fully understand something on this site, then GO OUT OF HERE! Refer to the laws in your province/country before accessing, using, or in any other way utilizing these materials. These materials are for educational and research purposes only. Do not attempt to violate the law with anything contained here. If this is your intention, then LEAVE NOW! Neither the administration of this server, the authors of this material, nor anyone else affiliated in any way is going to accept responsibility for your actions. Nor is the creator responsible for the comments posted on this website.
