Android Penetration Testing Training (Online) - 1

Contents
Abstract ......................................................................................... 3
Installation .................................................................................... 4
Exploring MobSF ............................................................................ 6
Landing Page ............................................................................... 6
Signer Certificate Analysis............................................................ 8
Application Permissions .............................................................. 8
Browsable Activities & Network Security Analysis ........................ 9
Manifest Analysis ...................................................................... 11
Code Analysis ............................................................................ 12
Related to Malware Analysis ..................................................... 13
Hardcoded secrets ..................................................................... 17
Activity Components Present ..................................................... 17
Dynamic Analyzer ...................................................................... 20
Logcat Stream ........................................................................... 24
API Monitor............................................................................... 25
Downloading Reports ................................................................ 26
www.hackingarticles.in Page | 2
Abstract
MobSF is an open-source tool developed by Ajin Abraham that is used for automated analysis of an APK.
This is a collection of tools that run under one interface, perform their own individual tasks (like Jadx,
apktool etc) and display their results under a common interface. These reports can be downloaded in a
PDF format too and give out detailed analysis with necessary screenshots as well. You can download
MobSF here. In this publication, we’ll be walking through the installation phase in Ubuntu OS and
guiding you through various options that this tool has to offer.
Installation
To install MobSF, create a directory and follow the commands:
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git

cd Mobile-Security-Framework-MobSF
We need to install dependencies before we are able to run:
apt-get install python3-venv

pip3 install -r requirements.txt
Once done, we can run the setup file to install MobSF and all the components automatically
./setup.sh
Now, to run MobSF we execute the run.sh file. As one could interpret from the screenshot below that
MobSF would be running on a local server on port 8000.
Now let’s open the link in the browser and see if MobSF was installed properly or not.
Exploring MobSF
Landing Page
Now that the MobSF is up and running, we can drag a dummy APK (in this case, I’ll take InjuredAndroid
by Kyle Benac (here) into the MobSF interface and see what happens. After waiting for a couple of
minutes we could see that static analysis of the APK is done. Now here on the landing page, we can see
that a severity score is given. The higher this score the more secure app is. Next, hashes, filename and
size of the APK are also given. In the third column in the first row, we can also see the package name,
main activity, min SDK version and the application version as well. The description of the application is
also given.
After scrolling down a little bit, here’s what all we can see:
In small cards, we see different application components
Dynamic analysis option that will help MobSF conduct run time analyses Option to view decompiled
code. This is the code that is generated by apktool. Generally, the resources file would also be decoded.
It is also possible to view smali code. It makes it easier to segregate and view source code in separate
java classes using this.
Signer Certificate Analysis
In the certificate column, we can see the signer certificate where one can find important information
about the developer, country, state, type of algo, bit size etc.
Application Permissions
Further, we can see all the permissions an application has. There are various permissions that are
categorized as dangerous or normal. It is important from a security analyst’s point of view to understand
which permissions can lead to further damage. For example, if an application has access to external
media and stores critical information on the external media it could prove to be dangerous since the
files stored on external media are globally readable and writable.
Browsable Activities & Network Security Analysis
Next, in the browsable activities section, we can see all the activities that have implemented a deep link
schema. Please refer to the article here to understand all about deep links, its implementation as well as
exploitation.
In the network security section, one can find some details about network security issues related to the
application. These issues can lead to critical attacks like MiTM sometimes. For example, in the
screenshot below, one can find that the application isn’t using the SSL pinning mechanism implemented.
Manifest Analysis
In the next section, MobSF has analysed the manifest file. One can find many folds of information from
the android manifest file like which activities are exported, if the app debuggable or not, data schemas
etc. For reference look at the screenshot below.
Code Analysis
One of the most interesting features of the MobSF tool is the code analysis section. In this section, we
can see that MobSF has analysed and compared some behaviour of the application based on industry
security standard practices like OWASP MSTG and mapped the vulnerabilities with OWASP Top 10. It is
interesting to see CWE mentioned and CVSS score being assigned here which might help various analyst
scenarios and help the creation of reports way easier.
Related to Malware Analysis
MobSF also hosts a section where an APKiD analysis is given. APKiD is an open-source tool that is very
helpful to identify various packers, compilers, obfuscators etc in android files. It is analogous to PEiD in
APK. Here one can see that it has detected an anti-vm code in the APK.
Something related to malware analysis is the domain malware check feature. Here, MobSF is extracting
all the URLs/IP addresses that are hard-coded or being used in the application and shows its malware
status as well as uses ip2location to give out its geolocation as well.
A comprehensive strings analysis is also available. People who are aware of malware analysis know
about strings in-depth but for those of you who don’t, strings are ASCII and Unicode-printable
sequences of characters embedded within a file. Extracting strings can give clues about the program
functionality and indicators associated with a suspect binary. For example, if an APK shows something as
an output so that stream would be called and hence shown in the strings. This is not the same as
strings.xml file. Many times, a third party IP address with which APK is communicating gets visible here.
This is essential from a malware analysis point of view.
One can also find hardcoded emails in MobSF. This is all done using the decompiled source code. Often a
pentester can find critical email IDs that were being used as a credential on a third party site, say, to
access the database.
Just like emails, URLs are often found hardcoded as well. One can find juicy URLs that are being used
sometimes. Oftentimes analysts find malicious URLs being accessed as well or even a C&C server.
Hardcoded secrets
Oftentimes developers have this habit of storing critical keys like AWS ID and credentials in strings.xml
and use an object as a reference in java activity. But doing this doesn’t help in any which way since
strings.xml can be decoded easily.
Activity Components Present

A list of all the activities present can also be scrolled using MobSF. This gives an insight into the skeleton
of the android APK. Also sometimes jadx replaces the real names of the class with some random letter if
the developer has applied obfuscation, MobSF can associate its real name too (doesn’t happen all the
time or in cases of strong obfuscation).
Quite similarly an analyst can also traverse services, broadcast, providers and content receivers along
with all the files present in the APK archive to create a map of all the resources present in the
application.
Dynamic Analyzer
For dynamic analysis, we’d need to fire up android VM in genymotion first. Here I’ve created an android
VM on version 7.1
When you press the dynamic analyser option present on the top navigation pane, MobSF will
automatically attach itself to VM running if MobSF and genymotion are running on the same base
machine. However, if MobSF is in another virtual machine, you might have to attach MobSF agent to
genymotion’s VM’s remote IP and port. Once it is attached, we see the following screen.
Under the analyzer status bar we can see various default frida scripts available that would check various
basic vulnerabilities like SSL Pinning bypass and Root detection checks. If you haven’t read about frida,
please do so by going here. There are other auxiliary scripts as well that lets an analyst enumerate
various classes and also capture string comparisons in real time (again helpful for malware analysts
point of view). Then simply click on start instrumentation and the selected scripts will be attached to the
application automatically. Hence, if I have selected SSL Pinning bypass script and traffic is getting
captured (visible in log or API monitor later) that would mean SSL Pinning has got bypassed.
Now further, to analyse activities for vulnerabilities one can see two buttons on the top for both
exported and non exported activities
Similarly, if one doesn’t have to make do with pre-configured Frida scripts, it is also possible that Frida
script be pasted in the text box on the right. There is also a dropdown box that would load those scripts.
You can also edit the same.
Logcat Stream
Logcat can also be viewed in MobSF’s native environment. There’s a button at the top menu that lets
one view this.
API Monitor
Just like logcat monitors device logs, APIs can also be monitored. APKs use various APIs in real-time to
perform various functions, for example, the Base64 library.
Hence, if a function is using this API and decrypting a value we can see that value here and decode that.
For example, down below you can see the return value of once such function in Base64.
Downloading Reports
Once you have done the analysis, it is possible to download the report by sliding the menu bar slider on
the left-hand side and click generate the report.
You might notice some errors while generating reports. To resolve this, you can follow the below
command and install wkhtmltopdf module:
apt-get install wkhtmltopdf
Now, once again if you click on a recent scan bar, you’ll see static and dynamic report generation
options.
The report looks something like this:
JOIN OUR
TRAINING PROGRAMS
H ERE
CLICK BEGINNER
Bug Bounty Network Security

Ethical Hacking Essentials
Network Pentest
Wireless Pentest
ADVANCED
Burp Suite Pro Web Pro Computer

Services-API Infrastructure VAPT Forensics
Advanced CTF
Android Pentest Metasploit
EXPERT
Red Team Operation
Privilege Escalation
APT’s - MITRE Attack Tactics
Windows
Active Directory Attack
Linux
MSSQL Security Assessment
www.ignitetechnologies.in

Android Penetration Testing Training (Online) - 1

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Android Penetration Testing Training (Online) - 1

Uploaded by

Copyright:

Available Formats

Contents

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git

We need to install dependencies before we are able to run:

apt-get install python3-venv

Activity Components Present

apt-get install wkhtmltopdf

The report looks something like this:

Bug Bounty Network Security

Burp Suite Pro Web Pro Computer

Red Team Operation

You might also like