Andorid Security Assessment

Recently I got a chance to do security assessment of an Android-based app. As the Internet is full of the methods of doing Android assessment, here I shall try to list down major steps to perform it.
For Intercepting traffic:
1. Download the Android SDK tool from http://developer.android.com/sdk/index.html. It includes SDK and AVD (Android Virtual Device). They are necessary for creating the VM and installing emulator.
2. Once, emulator started, install the android app's .apk file on it. 
3. Configure local web proxies, eg Burp, Paros to intercept the traffic by modifying the Internet setting in Android by Settings->Wirless & Network Settings-> Mobile Networks -> Access Point Names-> Proxy Name(PC's IP address) & Port.
4. Now we may perform the assessment as we do for normal web application.

Code review of the app:
1. Rename the .apk file to .zip file and extract it. You'll find classes.dex file which can be converted into a jar file using a tool called dex2jar. 
2 Now use JD-GUI to convert the jar file to Java source code. Now source code is human readable and a code review can be done on it.

Reviewing the AndroidManifest file for permissions:
1. The AndroidManifest.xml resides into the same folder where classes.dex is available.
2. You need to convert the xml file into a readable text file using a tool called AXMLPrinter2.jar. Go to http://developer.android.com/guide/topics/manifest/manifest-intro.html for info on reviewing permissions contained in AndroidManifest.xml file.

Android app sign check:
1. To check if the application is signed or not you may use a java tool, found in the bin directory of Java installation, called jarsigner:
$ jarsigner -verify my_signed.apk
If the .apk is signed properly, Jarsigner prints "jar verified"
2. To see the certificate information, run the following tool found in the same bin directory:
keytool -printcert -file VScert.cer >> CertDetails.txt

There might be other aspects of Android App assessment as well, that may vary depending on the application,  but these are the few major and necessary methods.

Comments

Popular posts from this blog

SQL Injection in search field

File Upload through Null Byte Injection