Nov 8, 2024

Complete Guide to Android Pentesting: Tools and Techniques

Android devices are becoming an integral part of everyday life. From smartphones and tablets to smartwatches, the Android ecosystem is vast and diverse. As Android usage increases, so do security threats. Android pentesting plays a crucial role in identifying and mitigating potential vulnerabilities in apps that could be exploited. This guide provides an overview of setting up a pentesting lab, tools used for analyzing Android applications, and tackling advanced topics like SSL pinning.

Setting Up the Android Pentesting Lab

Before diving into pentesting, it’s essential to have a proper testing environment. Here’s a step-by-step guide to setting up your Android pentesting lab.

Emulators

Android emulators serve as a vital tool for security professionals and developers. Some popular emulators used for Android pentesting include the Android Studio Emulator, Genymotion, QEMU, MEmu, and Nox Player. These emulators allow you to test Android apps on virtual devices with different Android versions and configurations, making it easier to replicate real-world scenarios.

Compared to the others, setup is easier in MEmu and Nox. So, I personally prefer MEmu or Nox Player for testing. For demonstration purposes here, I use Nox Player.

APK (Android Package Kit)

The Android Package Kit (APK) is the file format used by Android to distribute and install apps. A detailed analysis of APKs helps in understanding their structure, which consists of files such as the Manifest, resources, libraries, and more. Tools like JADX or APKTool can be used to decompile APKs for deeper static analysis.

Installing MobSF in Kali Using Docker

Mobile Security Framework (MobSF) is an open-source tool that provides a comprehensive platform for static and dynamic analysis of Android applications. It can be run easily using Docker. After installing Docker, you can pull the MobSF Docker image and run it using simple commands. Once MobSF is running, it offers decompilation, malware scanning, and vulnerability detection, making it an essential tool in pentesting.

Android Debug Bridge (ADB)

ADB is a powerful command-line tool that allows communication between a computer and an Android device. ADB is used extensively for debugging apps, pulling APKs, and installing apps on emulators or real devices. Familiarity with ADB commands is vital when performing dynamic testing.

Common ADB Commands:

  • adb devices – Lists connected devices or emulators
  • adb shell pm list packages – Lists all installed packages on the device
  • adb pull <device-path> <local-path> – Copies a file (for example an installed APK) from the device to the computer
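A small POSIX shell helper, added here as an example rather than part of the original guide, that ties these commands together: it resolves a package name to its installed APK path with adb shell pm path, strips the carriage returns that adb shell output usually carries, and pulls the base APK. The function names are assumptions; adb must be on the PATH.

```shell
#!/bin/sh
# Added example: resolve a package name to its installed base APK and pull it.
# Helper names (pm_path_to_apk, pull_apk) are assumptions, not from the guide.

# Read `adb shell pm path <pkg>` output on stdin and print the base APK path.
# adb shell output is usually CRLF-terminated, so strip the \r before matching.
# Split APKs (split_config.*.apk) are ignored; only base.apk is returned.
pm_path_to_apk() {
  tr -d '\r' | sed -n 's/^package:\(.*\/base\.apk\)$/\1/p' | head -n 1
}

# Pull the base APK of <package> to <outfile> (defaults to <package>.apk).
pull_apk() {
  pkg="$1"
  out="${2:-$pkg.apk}"
  apk_path=$(adb shell pm path "$pkg" | pm_path_to_apk)
  if [ -z "$apk_path" ]; then
    echo "no base.apk found for package '$pkg' (is it installed?)" >&2
    return 1
  fi
  adb pull "$apk_path" "$out"
}

# Usage: pull_apk com.example.app ./app.apk
```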

Burp Certificate Installation on Emulator

Burp Suite is a popular tool used in web and mobile pentesting. Setting up Burp to intercept Android app traffic requires configuring the Android emulator to trust the Burp CA certificate. Since Android 7 (API level 24), apps that target that API level or higher no longer trust user-installed CA certificates by default, so the certificate needs to be added to the system trusted store instead. The steps are: export the CA certificate from Burp, convert it to PEM format, push it to the emulator, and set the appropriate file permissions.

Configure the Burp Proxy Listener

To configure the proxy settings for Burp Suite:

  1. Open Burp Suite and click Settings to open the Settings dialog.
  2. Go to Tools > Proxy.
  3. In Proxy Listeners, click Add.
  4. In the Binding tab, set Bind to port to 8083 (or another port that is not in use).
  5. Select All interfaces and click OK.
  6. At the prompt, click Yes.

Configure your device to use the proxy

In your Android device, go to Settings > Network & internet.

  1. Select Internet and long-press the name of your Wi-Fi network.
  2. Select Modify.
  3. From the Advanced options menu, select Proxy > Manual.
  4. Set Proxy hostname to the IP of the computer running Burp Suite Professional.
  5. Set Proxy port to the port value that you configured for the Burp Proxy listener, in this example 8083.
  6. Tap Save.

Install a CA certificate on your Android device

In order to interact with HTTPS traffic, you need to install a CA certificate from Burp Suite Professional on your Android device.

To download the CA certificate

  1. On your Android device, open any browser and enter http://burp
  2. Click CA Certificate.
  3. cacert.der is offered for download.
  4. Rename the file to cacert.cer.
  5. Click Download.

To install the CA certificate

  1. On your Android device, go to Settings > Network & internet.
  2. Tap the three dots in the upper right corner and select Advanced.
  3. Select Install certificates from the Advanced Wi-Fi options.
  4. Select the downloaded cacert.cer file.
  5. Enter a name for the certificate and tap OK.
  6. The certificate is now installed.

Understanding SSL Pinning

SSL Pinning is a security mechanism used by Android applications to ensure they communicate only with trusted servers. This is done by validating the server’s SSL certificate against a predefined certificate or public key embedded within the app. This practice protects against man-in-the-middle (MITM) attacks, as it prevents the app from accepting any certificate that is not explicitly trusted, even if the user has installed a custom Certificate Authority (CA) certificate on their device.

While SSL pinning is an essential security feature, it can also pose a challenge during penetration testing, as it restricts the ability to intercept and analyze the app’s traffic. For pentesters, bypassing SSL pinning is crucial to fully evaluate the security of the app’s network communication.

Methods of SSL Pinning Implementation

SSL pinning can be implemented in the following ways:

  • Certificate Pinning: The app verifies that the server’s certificate matches a trusted certificate stored in the app.
  • Public Key Pinning: Instead of validating the entire certificate, the app checks whether the server’s public key matches the trusted public key stored in the app.
  • Hash Pinning: The app stores a hashed version of the certificate or public key, and it checks the hash against the server’s certificate.

Detecting SSL Pinning

Pinning detection can be achieved using static or dynamic analysis.

  • Static analysis: You can use tools like MobSF or JADX to inspect the app’s code and configuration files to see if SSL pinning is implemented. Look for keywords such as TrustManager, X509TrustManager, HostnameVerifier, or methods related to SSLContext that initialize SSL connections.
  • Dynamic analysis: Logcat provides runtime logs, and the Burp Suite event log can show TLS errors such as certificate_unknown when you try to intercept app traffic, indicating that SSL pinning is preventing traffic capture.
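A static check for the indicators listed above, added here as an example and not the guide's own tooling: it walks a decompiled tree (JADX or apktool output, an assumption about layout) and reports source files that reference the pinning-related classes, plus any network_security_config.xml that declares a pin-set. The constructed sample tree also shows what the two implementation styles from the previous section look like in practice: OkHttp hash pinning of the SPKI in code, and declarative pinning in the network security config.

```shell
#!/bin/sh
# Added example: scan a decompiled APK tree (JADX/apktool output) for SSL pinning indicators.
# Function names and the sample files below are constructed for this example.

# Print "<file>:code-indicator" for each source file referencing a pinning-related symbol
# and "<file>:pin-set" for each network security config that declares a <pin-set>.
scan_pinning() {
  root="$1"
  # Code-level pinning: custom TrustManager/HostnameVerifier/SSLContext setup,
  # or the OkHttp CertificatePinner API (hash pinning of the SPKI).
  find "$root" -type f \( -name '*.java' -o -name '*.kt' -o -name '*.smali' \) \
    -exec grep -lE 'TrustManager|HostnameVerifier|SSLContext|CertificatePinner' {} + 2>/dev/null \
    | sort | sed 's/$/:code-indicator/'
  # Declarative pinning: <pin-set> in res/xml/network_security_config.xml
  find "$root" -type f -name 'network_security_config.xml' \
    -exec grep -l '<pin-set' {} + 2>/dev/null | sort | sed 's/$/:pin-set/'
}

# Build a constructed sample tree: one pinned class, one plain class, one config with a pin-set.
make_sample_tree() {
  dir="$1"
  mkdir -p "$dir/sources/com/example/net" "$dir/resources/res/xml"
  cat > "$dir/sources/com/example/net/PinnedClient.java" <<'EOF'
public class PinnedClient {
    // Constructed OkHttp hash-pinning example; the pin value is a placeholder, not a real hash
    CertificatePinner pinner = new CertificatePinner.Builder()
        .add("api.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
        .build();
}
EOF
  cat > "$dir/sources/com/example/Main.java" <<'EOF'
public class Main { public static void main(String[] a) { System.out.println("no pinning here"); } }
EOF
  cat > "$dir/resources/res/xml/network_security_config.xml" <<'EOF'
<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2026-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
    </pin-set>
  </domain-config>
</network-security-config>
EOF
}
```

Run make_sample_tree on a temporary directory and then scan_pinning on it; on a real decompiled app, point scan_pinning at the JADX or apktool output directory instead.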

Bypassing SSL Pinning Using Frida

Frida is a powerful dynamic instrumentation toolkit that allows you to inject scripts into running apps to modify their behavior. It’s widely used to bypass SSL pinning by intercepting and altering the app’s SSL verification logic at runtime.

Steps to Bypass SSL Pinning with Frida:

Identify CPU Architecture: Identify the architecture (e.g., ARM, x86) of the Android device or emulator.

adb shell getprop ro.product.cpu.abi

Download and Push Frida-Server: Download the appropriate Frida-server binary for your device’s architecture and push it to the device.

adb push frida-server /data/local/tmp/

Run Frida-Server on the Device:

adb shell

chmod +x /data/local/tmp/frida-server

/data/local/tmp/frida-server &


Next, list all the running processes on the device so we can determine the process ID of our target application. Open a new terminal and run:

frida-ps -U

The output shows the app name and PID of the target app.


Objection (for finding the package name and injection status):

After running the frida-ps command we have the app name; now we can use Objection to find the package name of the target app.

Run the following command to get information about app "X" and the status of the injection:

objection --gadget "X" explore


SSL Pinning Bypass

After that we can use Frida with the app package name that we found in Objection.

Now run the following command:

frida --codeshare akabe1/frida-multiple-unpinning -f com.twitter.android -U

Frida starts bypassing SSL pinning, and on the Android device or emulator the app launches automatically.

Code link: https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/


Capturing the request using Burp Suite

Verify the bypass: after injecting the script, you should be able to intercept traffic from the app using Burp Suite or another interception proxy.

We can now capture the app's requests from the Android device in Burp Suite, inspect them, and modify them.

Conclusion

Android pentesting involves a combination of static and dynamic analysis techniques. A properly configured lab with emulators, tools like MobSF, ADB, and Burp, is essential for testing Android applications effectively. Understanding and bypassing SSL pinning adds another layer of complexity, making pentesting more comprehensive. By mastering these tools and techniques, you can identify critical vulnerabilities and help improve the security posture of Android applications.
