Mobile-Application-Pentesting (APK)

My personal Mobile App Pentesting Notes.

Currently this only contains resources/notes about Android applications (APK)

Feel Free to dm me with any suggestions.

Static Analysis

Automated tools:

• MobSF is a great automated framework for both static and dynamic analysis.

Manual tools:

• jadx-gui test.apk

Extract the Java code from the APK:

• apktool -s d test.apk

Hardcoded Secrets:

• https://github.com/alessandrodd/apk_api_key_extractor
• https://github.com/dwisiswant0/apkleaks
• https://github.com/m4ll0k/SecretFinder
• https://github.com/ndelphit/apkurlgrep

Interesting findings:

• Firebase API
  • check https://example.firebaseio.com/.json
  • check for the hardcoded Firebase API Key
• Google Maps API Key
  • check if the API is misconfigured on https://googlekey.blindf.com/

Janus vulnerability (CVE-2017-13156):

• This vulnerability allows attackers to inject malicious code into APK files without affecting the app's cryptographic signature
• This vulnerability could arise from only singing the APK with v1 or being installed on android API 23 >

Cryptographic Vulnerabilities:

• Pay attention to the use of Insecure hash algorithms such as MD5 and SHA-1 which are known to have collisions.
• Search for Oracle padding attack which arises from multiple misconfigurations such as:
  • Use of RSA/ECB without padding
  • Encryption with CBC with PKCS5/PKCS7
  • For more information check https://book.hacktricks.xyz/crypto-and-stego/padding-oracle-priv

Dynamic Analysis

Setting up burpsuite

• You need to import the certificate and trust it.
• In andriod API 24 and higher this is not enough. Only device trusted certificates are allowed. Follow this tutorial to set it up: https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/

Setting up Frida

• sudo pip3 install frida frida-tools
• You will need to install the frida server on the andriod then run it from adb. Here is a full tutorial: https://book.hacktricks.xyz/mobile-pentesting/android-app-pentesting/frida-tutorial

SSL Pinning Bypass (run frida server before you start)

• using objection (with rooted device)
  • objection -g com.example.domain explore
  • android sslpinning disable
• using objection (without root, no need to run frida server before)
  • To inject frida gadget in the MainActivity of an apk objection patchapk test.apk
  • adb install newapp.apk
  • Run newapp.apk then objection explore
  • android sslpinning disable
• using frida (root device needed)
  • frida -l -U com.example.domain -l rootandssldiable.js

Root Detection Bypass (run frida server before you start)

• using objection

  • objection -g com.example.domain explore
  • android root disable

• using frida

  • frida -l -U com.example.domain -l rootandssldiable.js