Preface - Learning Pentesting for Android Devices (2014)

Preface

Android is one of the most popular smartphone operating systems of the present day, accounting for more than half of the entire smartphone market. It has a huge consumer base, as well as great support from the developer community, resulting in over a million applications in the official Play Store.

Since its launch to the public in 2005, and particularly in the last few years, Android has gained a lot of popularity. No longer limited to smartphones, it can now be found in a wide variety of devices such as e-book readers, TVs, and other embedded devices. With the growing number of users adopting Android-based devices, a lot of questions have been raised about its security. In most cases, smartphones contain a lot more sensitive information than computers, including information about contacts, sensitive corporate documents, pictures, and so on.

Apart from the security issues in the Android platform itself, many more vulnerabilities exist in Android applications, which could lead to a breach of private data from smartphones. This book will give the reader an insight into these security flaws, and will provide a walkthrough of how to find and fix them.

What this book covers

Chapter 1, Getting Started with Android Security, teaches readers the basics of Android security architecture. It will discuss Permission Models and how permissions are enforced in applications. It will also talk about Dalvik Virtual Environment and the application APK basics.

Chapter 2, Preparing the Battlefield, provides the reader with a step-by-step process to set up a penetration testing environment to perform Android pentesting. It will also talk about Android Debug Bridge, as well as some of the important tools required for pentesting Android.

Chapter 3, Reversing and Auditing Android Apps, covers some of the methods and techniques that are used to reverse Android applications. It will also discuss different tools that could help a penetration tester in Android application auditing, and it will list the various kinds of vulnerabilities existing in Android applications (the ones that put the user's data at risk).

Chapter 4, Traffic Analysis for Android Devices, covers the interception of traffic in applications on the Android device. It explains both the active and passive ways of intercepting the traffic, as well as intercepting both HTTP and HTTPS network traffic. It will also look at how to capture traffic and analyze its services as one of the most useful steps for application auditing on the Android platform.

Chapter 5, Android Forensics, starts with a basic walkthrough of Android Forensics, and takes the reader through various techniques of data extraction on Android-based smartphones. It will cover both logical and physical acquisition of forensic data, as well as the tools that could ease the process of data extraction.

Chapter 6, Playing with SQLite, helps the reader to gain an in-depth knowledge of the SQLite databases used by Android to store data. Often, due to mistakes made by developers, the SQLite query accepts unsanitized input, or is used without proper permissions, which leads to injection attacks.

Chapter 7, Lesser-known Android Attacks, covers various lesser-known techniques helpful in Android penetration testing. It will include topics such as WebView vulnerabilities and exploitation, infecting legitimate applications, and cross application scripting.

Chapter 8, ARM Exploitation, allows readers to gain introductory exploitation knowledge about the ARM platform on which most smartphones run today. Readers will learn about ARM assembly, as well as exploiting Buffer Overflows, Ret2Libc, and ROP.

Chapter 9, Writing the Pentest Report, provides a short walkthrough on how to write reports to audit an Android application. It takes the reader through various components of a pentesting report one-by-one, and finally helps them build a penetration testing report.

What you need for this book

In order to follow this book, you will need to have the following software tools on your computer. A step-by-step walkthrough of how to download and install the tools will be provided in the chapters, wherever required.

The following is a list of the software applications required for this book:

· Android SDK: http://developer.android.com/sdk/index.html#download

· APKTool: https://code.google.com/p/android-apktool/downloads/list

· JD-GUI: http://jd.benow.ca/

· Dex2Jar: https://code.google.com/p/dex2jar/downloads/list

· Burp Proxy: http://portswigger.net/burp/download.html

· Andriller: http://android.saz.lt/cgi-bin/download.py

· Python 3.0: http://python.org/download/releases/3.0/

· AFLogical: https://github.com/viaforensics/android-forensics

· SQLite Browser: http://sourceforge.net/projects/sqlitebrowser/

· Drozer: https://www.mwrinfosecurity.com/products/drozer/community-edition/

Who this book is for

This book is for you if you are a security professional who is interested in entering into Android security, and getting an introduction and hands-on experience of various tools and methods in order to perform Android penetration testing.

Also, this book will be useful for Android application developers, as well as anyone inclined towards Android security.

Conventions

In this book, you will find a number of styles of text that distinguish between different kinds of information. The following are some examples of these styles, and an explanation of their meaning:

Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows:

"Now, just like we saw in the earlier section, the application will store its data in the location /data/data/[package name]."

A block of code is set as follows:

shell@android:/data # cd /data/system

shell@android:/data/system # rm gesture.key

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

<permission name="android.permission.BLUETOOTH" >

<group gid="net_bt" />

</permission>

Any command-line input or output is written as follows:

$ unzip testing.apk

$ cd META-INF

New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like the following:

"You could set up your own pattern by navigating to Settings | Security | Screen Lock."

Note

Warnings or important notes appear in a box like this.

Tip

Tips and tricks appear like this.