Unveiling the Secrets of Mobile Penetration Testing I (Drozer)

Unveiling the Secrets of Mobile Penetration Testing: Where to Begin

---

Enumeration

This is the way to look at where to start with Android apps, the first task is to know the correct access required by the app, in this case, Insecure Bankv2:

We can try to use all the features the app provides us:

It’s essential to check the HTTP connections, in our case the login is vulnerable to an Insecure HTTP connection:

Identify possible target

At this point, the idea is to provide the necessary mindset to identify the next step, and in other posts, we will be exploiting the other vulnerabilities. To identify targets Drozer is a good tool that helps us to know the attack surface, after installed drozer we need to list the package to identify our target:

run app.package.list -f bank
com.android.insecurebankv2 (InsecureBankv2)

We need to get the information related to our target:

run app.package.info -a com.android.insecurebankv2
Package: com.android.insecurebankv2
  Application Label: InsecureBankv2
  Process Name: com.android.insecurebankv2
  Version: 1.0
  Data Directory: /data/user/0/com.android.insecurebankv2
  APK Path: /data/app/~~UVEaSzy_xxfNt1zlSRG6ug==/com.android.insecurebankv2-t3869NLICXxUlJQTiGUewA==/base.apk
  UID: 10090
  GID: [3003]
  Shared Libraries: [/system/framework/android.test.base.jar, /system/framework/org.apache.http.legacy.jar]
  Shared User ID: null
  Uses Permissions:  
  - android.permission.INTERNET
  - android.permission.WRITE_EXTERNAL_STORAGE
  - android.permission.SEND_SMS
  - android.permission.USE_CREDENTIALS
  - android.permission.GET_ACCOUNTS
  - android.permission.READ_PROFILE
  - android.permission.READ_CONTACTS
  - android.permission.READ_PHONE_STATE
  - android.permission.READ_CALL_LOG
  - android.permission.ACCESS_NETWORK_STATE
  - android.permission.ACCESS_COARSE_LOCATION
  - android.permission.READ_EXTERNAL_STORAGE
  - android.permission.ACCESS_BACKGROUND_LOCATION
  - android.permission.ACCESS_MEDIA_LOCATION
  Defines Permissions:
  - None

Now, we have the surface of the app components:

dz> run app.package.attacksurface com.android.insecurebankv2
Attack Surface:
  5 activities exported
  1 broadcast receivers exported
  1 content providers exported
  0 services exported
    is debuggable1

The app has 5 activities:

dz> run app.activity.info -a com.android.insecurebankv2
Package: com.android.insecurebankv2
  com.android.insecurebankv2.LoginActivity
    Permission: null
  com.android.insecurebankv2.PostLogin
    Permission: null
  com.android.insecurebankv2.DoTransfer
    Permission: null
  com.android.insecurebankv2.ViewStatement
    Permission: null
  com.android.insecurebankv2.ChangePassword
    Permission: null

Having this we already have multiple ways where we can start searching, in the next post we will go more in-depth with this application.

• mobile-pentesting