Mobile Hacking CHEAT SHEET

ASSESSING MOBILE APPLICATIONS V1.0

MAIN STEPS OWASP MOBILE SECURITY PROJECTS TOOLS
• Decompile / Disassemble the APK Mobile Security Testing Guide • adb
• Review the codebase • https://github.com/OWASP/owasp-mstg • apktool
• Run the app Mobile Application Security Verification Standard • jadx
• Dynamic instrumentation • https://github.com/OWASP/owasp-masvs • Frida
• Analyze network communications Mobile Security Checklist • BurpSuite
• https://github.com/OWASP/owasp-mstg/tree/master/Checklists

APK Structure Application Signing

META-INF One-liner to create your own keystore
• Files related to the signature scheme (v1 scheme only) # keytool -genkeypair -dname "cn=John Doe, ou=Security, o=Randorisec, c=FR" -alias <alias_name>
lib -keystore <keystore_name> -storepass <keystore_password> -validity <days> -keyalg RSA -keysize 2048
• Folder containing native compiled code (ARM, MIPS, x86, x64) -sigalg SHA1withRSA
assets Signing with jarsigner (Only supports v1 signature scheme)
• Folder containing application specific files # jarsigner -verbose -keystore <keystore_name> -storepass <keystore_password> <APK_file>
res <alias_name>
• Folder containing all the resources (layouts, strings, etc.) of the app Signing with apksigner (Official tool from Android SDK which supports all signature schemes)
classes.dex [classes2.dex] … # apksigner sign --ks <keystore_name> --ks-pass pass:<keystore_password> <APK_file>
• Dalvik bytecode of the app
AndroidManifest.xml Code Tampering
• Manifest describing essential information about the app (permissions, components, etc.)
1. Disassemble and save the smali code into output directory
Package Name # apktool d <APK_file> -o <directory_output>
2. Modify the app (smali code or resource files)
The package name represents the app’s unique identifier (e.g. for YouTube): 3. Build the modified APK
com.google.android.youtube # apktool b <directory_output> -o <APK_file>
4. Sign the APK (see Application Signing)
Data Storage 5. (Optional) Uses zipalign to provide optimization to the Android APK
User applications # zipalign -fv 4 <input_APK> <output_APK>
# /data/data/<package-name>/
Shared Preferences Files
Content Provider
# /data/data/<package-name>/shared_prefs/ Query a Content Provider
SQLite Databases # adb shell content query --uri content://<provider_authority_name>/<table_name>
# /data/data/<package-name>/databases/ Insert an element on a Content Provider
Internal Storage # adb shell content insert --uri content://<provider_authority_name>/<table_name>
# /data/data/<package-name>/files/ --bind <param_name>:<param_type>:<param_value>
Delete a row on a Content Provider
Package Manager # adb shell content delete --uri content://<provider_authority_name>/<table_name>
List all packages on the device --where “<param_name>=‘<param_value>’”
# adb shell pm list packages
Find the path where the APK is stored for the selected package
Activity Manager
# adb shell pm path <package-name> Start an Activity with the specified Intent
List only installed apps (not system apps) and the associated path # adb shell am start -n <package_name/activity_name> -a <intent_action>
# adb shell pm list packages -f -3 Start an Activity with the specified Intent and extra parameters
List packages having the specified pattern # adb shell am start -n <package_name/activity_name> -a <intent_action> --es <param_name>
# adb shell pm list packages -f -3 [pattern] <string_value> --ez <param_name> <boolean_value> --ei <param_name> <int_value> …

CC BY-SA 4.0 • contact@randorisec.fr • https://www.randorisec.fr The OWASP brand is the property of the OWASP Foundation. OWASP does not endorse any product, services or tools.
Version 1.0 • Updated: 2021-08 Template: https://rstudio.com/resources/cheatsheets/how-to-contribute-a-cheatsheet/ Background psd created by rawpixel.com – https://www.freepik.com
Mobile Hacking CHEAT SHEET
ASSESSING MOBILE APPLICATIONS V1.0
MAIN STEPS OWASP MOBILE SECURITY PROJECTS TOOLS
• Decompile / Disassemble the APK Mobile Security Testing Guide •• adb
adb
• Review the codebase • https://github.com/OWASP/owasp-mstg •• apktool
apktool
• Run the app Mobile Application Security Verification Standard •• jadx
jadx
• Dynamic instrumentation • https://github.com/OWASP/owasp-masvs •• Frida
Frida
• Analyze network communications Mobile Security Checklist •• BurpSuite
BurpSuite
• https://github.com/OWASP/owasp-mstg/tree/master/Checklists

SSL/TLS Interception with BurpSuite - Before Android 7 adb

1. Launch Burp and modify Proxy settings in order to listen on “All interfaces” (or a specific Connect through USB Copy local file to device
interface) # adb -d shell # adb push <local> <device>
2. Edit the Wireless network settings in your device or the emulator proxy settings Connect through TCP/IP Copy file from device
3. Export the CA certificate from Burp and save it with “.cer” extension # adb -e shell # adb pull <remote> <local>
4. Push the exported certificate on the device with adb (into the SD card) Get a shell or execute the specified command Install APK on the device
5. Go to “Settings->Security” and select “Install from device storage” # adb shell [cmd] # adb install <APK_file>
6. Select for “Credentials use” select “VPN and apps” List processes Install an App Bundle
# adb shell ps # adb install-multiple <APK_file_1> <APK_file_2>
SSL/TLS Interception with BurpSuite - After Android 7 List Android devices connected [APK_file_3] …
1. Install BurpSuite certificate on your device (see Before Android 7) # adb devices Set-up port forwarding using TCP protocol from
2. Disassemble the APK with apktool Dump the log messages from Android host to Android device
3. Tamper the network_security_config.xml file by replacing the <pin-set> tag by the following # adb logcat # adb forward tcp:<local_port> tcp:<remote_port>
<trust-anchors>
<certificates src="system" />
Frida – Installation
<certificates src="user" /> Install Frida on your system with Python bindings
</trust-anchors> # pip install frida frida-tools
4. Build and sign the APK (see Code Tampering and Application Signing) Download the Frida server binary (check your architecture): https://github.com/frida/frida/releases)
# adb shell getprop ro.product.cpu.abi
Bypass SSL Pinning using Frida Upload and execute the Frida server binary (adb service should run with root privileges)
1. Install Burp certificate on your device (see SSL/TLS Interception with BurpSuite) # adb root
2. Install Frida (Frida – Installation) # adb push <frida-server-binary> /data/local/tmp/frida
3. Use “Universal Android SSL Pinning Bypass with Frida” as follow: # adb shell “chmod 755 /data/local/tmp/frida”
# frida -U --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f <package_name> # adb shell “/data/local/tmp/frida”

Objection - Inject Frida Gadget (non rooted device) Frida – Tools

Steps to inject the Frida Gadget library inside an app: List running processes (emulators or devices connected through USB)
1. Disassemble the app with apktool (see Code Tampering) # frida-ps -U
2. Add the lib-gadget library (https://github.com/frida/frida/releases) inside the app (lib folder) List only installed applications
3. Modify the smali code to load the lib-gadget (usually on the Main Activity # frida-ps -U -i
const-string v0, "frida-gadget" Attach Frida to the specified application
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V # frida -U <package_name>
4. Add the INTERNET permission on the AndroidManifest.xml Spawn the specified application without any pause
5. Rebuild the app with apktool and sign it (see Code Tampering and Application Signing) # frida -U -f <package_name> --no-pause
Load a script
Inject Frida Gadget using Objection # frida -U -l <script_file> <package_name>
# objection patchapk –srouce <APK_file> -V <frida_version> --architecture <arch>

CC BY-SA 4.0 • contact@randorisec.fr • https://www.randorisec.fr The OWASP brand is the property of the OWASP Foundation. OWASP does not endorse any product, services or tools.
Version 1.0 • Updated: 2021-08 Template: https://rstudio.com/resources/cheatsheets/how-to-contribute-a-cheatsheet/ Background psd created by rawpixel.com – https://www.freepik.com