Recently I got a chance to do a security assessment of an Android-based app. As the Internet is full of methods for doing Android assessments, here I shall try to list the major steps for performing one.

For intercepting traffic:

1. Download the Android SDK tools from http://developer.android.com/sdk/index.html. The package includes the SDK and the AVD (Android Virtual Device) manager; they are needed to create the virtual device and run the emulator.
2. Once the emulator has started, install the app's .apk file on it.
3. Configure a local web proxy, e.g. Burp or Paros, to intercept the traffic by changing the Internet settings in Android: Settings -> Wireless & Network Settings -> Mobile Networks -> Access Point Names -> Proxy Name (PC's IP address) & Port.
4. Now we may perform the assessment as we do for a normal web application.

Code review of the app:

1. Rename the .apk file to .zip and extract it. You'll find the classes.dex file, which can be converted into a jar file us...
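The interception steps above go through the Settings UI; the script below is an added example (not from the original post) that does the same from the command line with adb, so the setup is repeatable across emulator restarts. It assumes the SDK platform-tools (adb) are on PATH, that the proxy (Burp or Paros) listens on the PC on port 8080, and that the Android build supports the `settings` shell command (Android 4.2 and later). One detail worth knowing when filling in the "PC's IP address" field: from inside the stock emulator, 10.0.2.2 is the alias for the host machine's loopback, whereas 127.0.0.1 refers to the emulated device itself. The `ADB` variable can be overridden (e.g. `ADB=echo`) to see the commands without executing them.

```shell
#!/bin/sh
# Added example, not the original post's code: configure an Android emulator or
# device to route HTTP(S) through a local intercepting proxy and install the apk.
# Assumptions: adb on PATH, proxy listening on the PC at PROXY_PORT (default 8080).

PROXY_PORT="${PROXY_PORT:-8080}"
# Stock emulator: 10.0.2.2 is the host loopback alias (127.0.0.1 = the emulated device).
EMULATOR_HOST_ALIAS="10.0.2.2"
ADB="${ADB:-adb}"   # set ADB=echo to dry-run

# Choose the proxy host the device should use:
#   emulator  -> the host loopback alias
#   device    -> the PC's LAN IP given as $2 (physical phone on the same network)
proxy_host() {
  case "$1" in
    emulator) printf '%s\n' "$EMULATOR_HOST_ALIAS" ;;
    device)   [ -n "$2" ] && printf '%s\n' "$2" ;;
    *)        return 1 ;;
  esac
}

# Accept only a numeric port in 1..65535 before pushing it to the device.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Set the device-wide HTTP proxy (honoured by WebView/HttpURLConnection-based apps;
# apps that bypass the system proxy or pin certificates need extra work).
set_global_proxy() {   # $1 = host, $2 = port
  valid_port "$2" || { echo "bad port: $2" >&2; return 1; }
  "$ADB" shell settings put global http_proxy "$1:$2"
}

# ":0" resets the global proxy so normal traffic flow is restored after testing.
clear_global_proxy() {
  "$ADB" shell settings put global http_proxy :0
}

# Install (or reinstall, -r) the app under test.
install_apk() {
  [ -f "$1" ] || { echo "no such apk: $1" >&2; return 1; }
  "$ADB" install -r "$1"
}

# Entry point: ./proxy-setup.sh setup app.apk [emulator|device PC_IP] | clear
case "${1:-}" in
  setup)
    host="$(proxy_host "${3:-emulator}" "${4:-}")" || { echo "usage: $0 setup APK [emulator|device PC_IP]" >&2; exit 1; }
    install_apk "$2" && set_global_proxy "$host" "$PROXY_PORT"
    ;;
  clear)
    clear_global_proxy
    ;;
esac
```

Run `./proxy-setup.sh setup target.apk` for an emulator, or `./proxy-setup.sh setup target.apk device 192.168.1.20` for a phone on the same LAN as the PC running the proxy, and `./proxy-setup.sh clear` when the assessment is finished so the device does not keep pointing at a proxy that is no longer running.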