Basic Android Security Testing lab — 1

Hi Everyone, Actually, I was creating a new Android application testing lab for myself and thought to document the whole process. There is nothing extraordinary in this post just a simple lab setup up guide.

Why using Genymotion, not a physical device?

I generally prefer the physical device over Genymotion but Genymotion have Android version flexibility advantage and Genymotion will also cover most of the researchers that’s why using it to document the process.

Summary

  1. Downloading all the things
  2. Downloading Devices in Genymotion
  3. Common Genymotion Configuration issue.
  4. Installing Google Play Services
  5. Configuring Device with Burp Suite.
  6. Downloading and installing Applications
  7. Common Android Debug Bridge (ADB) uses.
  8. Basic SSL Pinning Bypass setup

1. Downloading all the things.

Genymotion: Download Genymotion Personal Edition.

Account Login - Genymotion Android Emulator
_We are using cookies to provide statistics that help us give you the best experience of our site. By continuing to use…_www.genymotion.com

Virtual Box: Download virtual-box.

Burp Suite: You can use the Free version but Pro is recommended.

  • [**Web Application Security, Testing, & Scanning PortSwigger** ](https://portswigger.net “https://portswigger.net”)

Android Platform Tools: Installing ADB and other android tools.

A. Install Homebrew

Sahils-MacBook-Pro:~ sahil$ ruby -e “$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)”

B. Install Android Platform tools.

Sahils-MacBook-Pro:~ sahil$ brew install android-platform-tools

C. Verify Installation.

Sahils-MacBook-Pro:~ sahil$ adb devices

2. Downloading Device in Genymotion

I use multiple versions of android devices according to requirements and need.

Select the device you want to install. Select the device you want to install.Verify the configuration- You can always change them from Virtual Box. Verify the configuration- You can always change them from Virtual Box.

3. Common Genymotion Configuration issue.

ADB connection issue.

Downloading and and installing.

Android SDK — https://developer.android.com/studio/

Find your Android SDK tools location and change the settings to use custom Android SDK tools in Genymotion.

file location for my machine. /Users/sahil/Library/Android/sdk

External APK not installing/ARM installation issue.

Download and flash the Genymotion-ARM-Translation.

Download it from My Dropbox link: https://www.dropbox.com/s/k57l9uvyjy8gzxt/Genymotion-ARM-Translation_v1.1.zip?dl=0

After install ARM Translation:

4. Install Google Play Services.

After boot-up see the upper right corner and select “Open Gapps”

That will automatically install all the Google Application required including Play store.

See play store is installed in the virtual Device. See play store is installed in the virtual Device.

5. Configuring Device with Burp Suite

Add a proxy in Burp Suite to listen.

Address: 192.168.56.1 & Port: 1337

Choose All Interfaces option.

Adding listener in Android device.

Setting → Wifi →WiredSSID (Long press)

Choose Modify network → Check Advance options.

Select Proxy to the manual

Testing connection over http and https using devices browser.

  1. http:// (working) tested — http://ehsahil.com

2. https:// certificate error — https://google.com

Installing burp certificate in android device.

Download burp certificate. — Use your desktop machine to download the certificate.

https://burp

Click on CA certificate download the certificate.

The downloaded certificate is in cacert.der extension and android 5.* does not recongnize it as certificate file.

You can download the cacert file using your desktop machine and rename it from cacart.der to cacert.crt and drop it on android device and certificate will be automatically added into file:///sd_card/downloads.

Installing the downloaded certificate.

Settings →Security →Install certificate from SD cards

Now, goto: sdcard →Downloads → Select cacrt.crt

Now, Name it as anything “portswigger”

You also need to setup the PIN before adding certificate. Verifying the installed certificate using trusted certificates.

Trusted certificates →Users

After installing Certificate SSL endpoints also working fine tested using → https://google.com

6. Downloading and Installing Applications

You can use play store available in the device as well as the external services to download applications to play with.

For Downloading Application Externally, I generally use.

[**APK Downloader [Latest] Download Directly Chrome Extension v3 (Evozi Official)** ](https://apps.evozi.com/apk-downloader/ “https://apps.evozi.com/apk-downloader/”)

Add your testing Google account in Google Play Store to download apps.

Download applications and start testing. (No Certificate pinning apps)

Ola Lite application Ola Lite application

7. Common Android Debug Bridge (ADB) uses.

Connecting ADB with Genymotion device.

Sahils-MacBook-Pro:~ sahil$ adb connect 192.168.56.101:5555

Device address can be found on the top right corner of the device.

Installing APK files using ADB.

Sahils-MacBook-Pro:~ sahil$ adb install <you-apk-file-path/file.apk>

Getting Shell on the device for manual analyses.

Sahils-MacBook-Pro:~ sahil$ adb shell

Manual analysis of the installed application.

You will find all the installed applications in /data/data folder.

[email protected]:/ # cd /data/data

8. Basic SSL Pinning Bypass setup

Common Tools

Frida

Sahils-MacBook-Pro:~ sahil$ sudo pip install frida-tools

Objection- Objection uses the Frida and automate the process to bypass the certificate pinning.

Sahils-MacBook-Pro:~ sahil$ sudo pip3 install objection

Application with SSL Pinning

Taking the example of Twitter Application. This setup is not able to intercept the request for Twitter application.

When I tried to log in with intercept ON.

Got an Error “An error occurred when logging in. Please try again later

Burp Alert logs giving back the following error.

The client failed to negotiate an SSL connection to api.twitter.com:443: Received fatal alert_certificate_unknown

Burp Suite is not able to intercept the twitter applications request because twitter using SSL pinning to not allow someone to intercept the request.

We have to bypass the SSL Pinning to intercept the twitter applications traffic.

Bypassing SSL Pinning using Objection tool.

Objection is a great tool, which automates most of the process to bypass the SSL Pinning.

  1. Downloading Twitter APK from Google Play Store or External providers.
  2. Objection command to bypass SSL Pinning.

Sahils-MacBook-Pro:Downloads sahil$ sudo objection patchapk -s com.twitter.android.apk

3. Installing objection output APK com.twitter.android.objection.apk to the device using ADB.

PS: This method/tool doesn’t work on all the android applications*

Interesting resources to follow.

If you like my blog posts and my work, Please consider checking out my “Buy me a coffee” page

Part-2 — I will include most of the available certificate pinning bypasses. Until next time.

Written on August 3, 2018