The availability of the Internet, lower data rates, and the easy use of mobile devices such as Android phones have been used more effectively for availing E-commerce, and mobile applications (Apps) for purchasing the daily necessities. It seems that a new Android model arises every couple of days, and Android phones are extremely popular. As Android apps grew to incredible numbers, they brought with them a slew of vulnerabilities that attackers gladly exploited.
stem for mobile devices like smartphones and tablets, Android was Introduced. It was developed by Open Handset Alliance (OAH) and managed by Google and other companies. The Android uses a Java application and Java core libraries running on Dalvik virtual machine and JIT compilation to run Java applications on a Java-based, object-oriented application framework.
Android operating system runs on top of Linux. There are a number of components required to run any operating system. Android consists of a number of components, which are divided into five sections and four main layers, as shown in the following architecture diagram. The Linux Kernel is one of the components that provide basic operating system functions for smartphones. A platform for Android applications is provided by the Dalvik Virtual Machine (DVM).
It is the top-most layer of the Android architecture. This layer consists of native Android apps as well as apps installed by third parties. The Android package contains all the applications to be installed such as contacts, games, settings, and messages, which are all written in this layer. messages. These applications run within the Android runtime, using the classes and services provided by the application framework.
In addition to the Android OS, the Android framework exposes the underlying libraries and features of the device through a Java API. Application Framework includes several classes used to create the Android application. Also, it provides a generic abstraction to Hardware resources and helps in managing the user interface with application resources. Application Framework provides different types of services like Activity Manager, window manager, content provider, location manager and some others.
Android Runtime is responsible for running the android application. Android Runtime consists of two different components called core libraries and Dalvik Virtual Machine ( DVM ). The android application relies on the core libraries to power its framework and uses the core libraries to power the android application. Running Android applications is actually done by the Dalvik Virtual Machine ( DVM ).
Linux kernel is the core of the android architecture. The Linux kernel is responsible for allocating hardware resources to the android application. It also contains the drivers required by android applications so the management of drivers is also done by the Linux Kernel.
Android is known for its open-source, versatility, and customization capacity because of the many applications it includes. As a security measure, the Android security model provides a secure environment Android is known for its open-source, versatility, and customization capacity because of the many applications it includes. As a security measure, the Android security model provides a secure environment for android applications. As we know, Android runs on top of Linux. So the Android security model builds with two different security models which are the Linux security model and the Application security model. Android Security model runs these two models parallelly in Order to provide security to android applications.
To isolate the resources the Android uses a Linux user-based permission model, this process is called sandboxing. Sandboxing prevents external programs from interfering with protected applications. The sandboxing mechanism also protects the operating system components, so vulnerabilities exposed by an application cannot be exploited to gain access to the outside system. Starting with android 5.0, android has built-in protection against accessing protected apps.
The Linux Security Model is based on the Privilege Control Model. Linux’s privilege control model ensures that each and every application running on Android has its own unique process ID. Each application also has its own UserID. User IDs are used to manage Application Access Control so that no other application can access the data of any other application.
In the Android operating system, the user’s privacy is protected by implementing the Application Security Model which is basically a permission control model. Users must give their consent before Android applications can perform actions that may affect other applications, the system or the user himself. The permissions asked by the android application are declared in AndroidManifest.xml file. Mainly android security protection levels are categorised into three levels.
Android applications are mainly written in java and it contains some resources all these resources are compiled and packaged by the AAPT (Android Asset Packaging Tool) in the file called r.java. For the interprocess communication between the client and the services, the application needs the .aidl (Android Interface Definition Language) file which defines the programming interface for them. The java compiler combines these files and processes them into the .class file later on which will be passed to the dex compiler. Dex compiler converts this .class file into the .dex format. Android applications are nothing but Dalvik executable files. Dalvik Bytecode files have a .dex extension. Then all Dalvik executable files are zipped into the .apk.
<activity android:exported="false" android:launchMode="singleTask" android:name="net.openid.appauth.AuthorizationManagementActivity" android:theme="@android:style/Theme.Translucent.NoTitleBar"/> <activity android:exported="true" android:name="net.openid.appauth.RedirectUriReceiverActivity">
<intent-filter> <action android:name="android.intent.action.VIEW"/> <category android:name="android.intent.category.DEFAULT"/> <category android:name="android.intent.category.BROWSABLE"/> <data android:scheme="gettactic"/> </intent-filter>
<service android:directBootAware="false" android:enabled="@bool/enable_system_alarm_service_default" android:exported="false" android:name="androidx.work.impl.background.systemalarm.SystemAlarmService"/>
<provider android:authorities="com.tactic.android.workmanager-init" android:directBootAware="false" android:exported="false" android:multiprocess="true" android:name="androidx.work.impl.WorkManagerInitializer"/>
<receiver android:directBootAware="false" android:enabled="true" android:exported="false" android:name="androidx.work.impl.utils.ForceStopRunnable$BroadcastReceiver"/>
Android application is nothing but a collection of multiple files which are zipped into a single .apk file. To access the content of the .apk file you need to extract the file. An important thing to understand here is that extracting the file doesn’t mean decompiling the application. Decompilation is another process, which we will see later. As per the Operating System, there are different processes for extracting the .apk file we will see for Windows and Linux.
unzip -d <dirname> <.apk_file>
Here dirname is where extracted files will be saved. E.g
unzip -d save demo.apk
Following are the types of files you will receive after unzipping the .apk file.
The important thing here is that all these files are in compiled form, which means the content inside these files is not human readable. In order to read the content of these files, we need to decompile these files.
The Android application can be decompiled using a variety of tools. We will cover apk-tool and jdax in this section. We’ll take a look at apk-tool and jdax in this section.
You can download and find the installation steps of the apk-tool for both Linux and Windows here. Open the terminal, navigate to the folder where the .apk file is located, and run the following command.
apktool -d <yourapk>
Here -d is for decompiling.
The APK tool decompiles the source code of the applications into a human-readable format called Smali.
Jdax is a Java to dex decompiler. Installing JDax on Windows and Linux can be found here. Jdax has both command line as well as GUI versions. We will cover the command line version in this blog. In order to decompile the application, move your .apk file to /jadx/bin location. Launch the terminal and go to the /jadx/bin directory. Execute the following command.
./jdax -d <dirname> <your_apk>
Here -d is for decompiling. dirname is the directory name where extracted files will be saved. your_apk is the name .apk file.
Rooting is the process of gaining ‘root user’ or ‘system level’ access to an android device. In contrast to Linux, the Android operating system developer has designed an operating system in a way that does not provide users with this level of access. For this reason, Rooting is used to gain access to root privileges. It basically means breaking it down into your own device, in order to give you more control over how it is customized.
Some data in the system can only be observed by those with root access, in this condition a Security tester may need root privileges to see that data. For example, viewing data stored in private files. A comprehensive understanding of security implications must be done before rooting a device.
Emulators are always a great option if you don’t want to root the physical device, Emulators provide the functionality of rooted devices. In a subsequent section, you will learn how to set up a Genymotion emulator for testing Android devices.
Dalvik Virtual Machine does not use Java bytecode, which is one of its most impressive features. In its place, a homegrown format called DEX was developed, and its bytecode instructions are entirely different from the Java instructions. The Android programs are first compiled into .dex files, then zipped into a .apk file on the device. The Java programming language can automatically translate compiled applications into .dex files.
The Dex file contains a lot of information which is extremely useful for security testers. The Java programming language can automatically translate compiled applications into .dex files. In order to analyze the .dex files, they need to be converted into human-readable format. There are some tools like 010 editor and dex2jar which are used to analyse dex files.
Once the .apk file has been unzipped, the classes.dex file will appear. Open a terminal, navigate to the location of classes.dex, and execute the following command.
It converts your classes.dex file to the Java file format. The converted files can be viewed by using the JD-GUI.
These steps apply both to emulators and physical devices. An Android device can be set up in an emulator for testing fairly easily. You can find the reference here. It is necessary to set up your wifi network with a proxy setting in order to intercept the traffic. The first thing you will need is the IP address of your base system. Using the ipconfig/ifconfig command on the terminal will bring up the IP address. Open the device’s WiFi setting and select Modify Settings. You will see the Proxy option there. Set it to Manual. Enter the IP address of the base system in the Proxy Hostname field. Additionally, provide the port 8080/8081. Save the settings. You can use any port number here.
Note:- If you want to intercept web traffic as well as Android traffic then you must use different port numbers (8080/8081).
Now run Burp Suite and move to the options in Proxy Tab. Enter the port number in the ADD option and from a specific IP address, choose your base machine’s address. Save the settings.
The trust certificate is necessary in order to intercept the traffic. To download the certificate open any browser on the android device and go to http://burp. You will find a CA Certificate option at the top right corner of your screen. Click it and the certificate will be downloaded automatically.
Rename the certificate with .cer extension. In order to install the certificate open the settings of an android device and go to the Install From SD option in the Security Section. And select the certificate with .cer extension.
Now you are ready to intercept the traffic. Just to check, open the browser on the device and enter any URL, Make sure that your intercept is on. Check that the HTTPS request is intercepted by Burp Suite.
If the application to be tested has a minimum API level >= 24 then the system level CA certificate needs to be installed. This is a little bit different process from the previous one. Android stores these certificates on /system/etc/security/cacerts location. We can drop the certificates there if you are having root privileges.
Run the burp suite and navigate to the options section in the proxy tab. Export the certificate in DER format by clicking on Import / Export CA Certificate.
Android expects the certificate’s filename to be the subject_hash_old value appended with .0. The certificate should be in PEM format. Then convert DER to PEM using openssl( Installation steps for openssl can be found here ) and rename the resultant file subject_hash_old.
The certificate can be copied over with adb, but you’ll have to remount it as writable since it’s going into the /system filesystem. And move the certificate into the /sdcard
adb root adb remount adb push <certname.0> /sdcard
Now, move the certificate into /system/etc/security/cacerts, Give read write access using chmod.
mv /sdcard/<certname.0> /system/etc/security/cacerts/ chmod 644 /system/etc/security/cacerts/<certname.0>
Reboot the device, and verify the installation by visiting Settings -> Security -> Trusted Credentials, “Portswigger CA” should be displayed as a system trusted CA.
This article provides more references.
To Secure android devices, android has deployed some security features. let’s understand one by one.
A number of biometric methods are supported by the Android framework, including face and fingerprint recognition. Android can be customized to support other biometric methods (such as Iris). The success of biometric integration will, however, be dependent on biometric security, not modality. This Biometric authentication is integrated by using BiometricPrompt API.
Whenever an Android application is released, the developers must authenticate it with an upload key before uploading it to Google Play Store. Understanding this process must help security researchers to develop an exploit. The app signing process contains generating an upload key then the developer needs to sign the application with the upload key after that needs to configure with the play store. The detailed steps can be found here.
Trusty is a secure Operating System (OS) that provides a Trusted Execution Environment (TEE) for Android. Despite sharing the same hardware and operating system, Trusty runs on a different processor and is physically isolated from the rest of the system.
Android uses dm-crypt for low-level encryption, which is the standard disk encryption system included in the Linux kernel. Many Linux distributions leverage the same technology. Encryption does not require a PIN or password on Android 5.1 and above, but creating one is highly recommended since not having one would compromise the security.
That’s all about the basics, which are required to perform penetration testing on an android application. So, it’s a three series blog, in the next one we will be covering the concepts of Static analysis of android applications it’s nothing but a process of source code review of the apk file, in the next one will do a deep dive into the Dynamic analysis in that we will be covering some tools and techniques which will surely upgrade your knowledge and skills.
So, it’s a lot of knowledge and information you are getting in this series of blogs, STAY TUNED!