I’ve had to go to the four corners of the internet to find out this information, and I’d quite like to keep it in one place so I can refer back to it one day or hope that it serves someone well during their adventures.
Android app testing is a massive subject. There are many ways to perform the same methodology and many tools that do the same job, so with no strict formula, how can you be sure you are performing a thorough test?
With any test there is always a tried and tested methodology to follow. It is more akin to a set of guidelines, and mobile security testing is no exception. In such a vast field it is a welcome breath of fresh air to follow a methodology, as it helps you cover all aspects of the test.
Mobile App Testing Methodology – OWASP
Tools for the job
This is the fun part: downloading all your tools and getting them set up. Actually, no, it’s not the fun part, and please reserve several hours to get this out of the way, especially if you plan to test from a Mac. Kali Linux seems to be pretty well set up for app testing, so if that is your preference, do carry on. The tools I find most useful are as follows:
- apktool
- Android Debug Bridge (adb)
- aapt
- Mobile Security Framework (MobSF)
- dex2jar
- JD-GUI
- drozer
- Xposed Framework
This list is as tight as I’d like to make it. I’ve gone through various tools so far, however, these work well for my setup. I’ll try to explain in my own words what the above tools do to clear things up from all the noise.
apktool is what I usually use to decompile the APK once I’ve downloaded it from the phone. The command below will certainly help with that:
apktool d file.apk
Android Debug Bridge is probably the most important tool you’ll use. It’s the workhorse of how you interact with the device. From installing apps directly from your PC, to pushing and pulling files to the sdcard, ADB has so many features that are useful to any tester or programmer. Typical command to install an app to the device:
adb install file.apk
aapt is a tool I only recently started using, and to good effect. I mainly use it to search through APK files for useful information. For example:
aapt d strings file.apk | grep "root"
The Mobile Security Framework (MobSF) is used for static code analysis. It is quite a good tool with a web interface: you drag and drop the APK file into the web interface and let it do its thing. A well-presented report is produced where you can investigate the findings. In my experience it’s best to do a further manual review of the findings, but it does help.
It can be difficult to review the source code of an Android APK. However, if you rename the APK file to a .zip file, decompress it and open the resulting folder, you will see a classes.dex file. This contains the application code, and dex2jar will convert the classes.dex file into a usable jar file for JD-GUI.
JD-GUI is a Java-based program that allows you to load the converted jar file and view the source code. This is where you can review the classes, methods and functions of the application. In my experience a lot of the source code is obfuscated and becomes difficult to read; the level of obfuscation varies from vendor to vendor.
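The steps above (decode with apktool, pull classes.dex out of the zip, convert it with dex2jar, then grep the string table with aapt) chain together nicely into one static-triage script. The script below is an added example, not code from the original post; it assumes apktool, unzip, aapt and the dex2jar launcher (d2j-dex2jar) are on your PATH, and the list of suspect patterns is a constructed starting point rather than anything authoritative.

```shell
#!/usr/bin/env bash
# Added example: static triage of an APK using the tools described above.
# Assumes apktool, unzip, d2j-dex2jar and aapt are on PATH (assumption).

# Constructed list of patterns worth a closer manual look in an APK's strings.
SUSPECT_PATTERNS='root|password|passwd|secret|api[_-]?key|token|http://|PRIVATE KEY'

# Read strings on stdin and print the lines matching any pattern (case-insensitive).
# '|| true' keeps the function's exit status 0 when nothing matches.
scan_strings() {
    grep -E -i "$SUSPECT_PATTERNS" || true
}

# Number of suspect lines on stdin, as a bare integer.
count_suspect() {
    scan_strings | wc -l | tr -d ' '
}

# Fail early with a clear message if a required tool is missing.
require_tool() {
    command -v "$1" >/dev/null 2>&1 || { echo "missing tool: $1" >&2; return 1; }
}

# Full pipeline: decode resources, extract classes.dex, build a jar for JD-GUI,
# then dump and scan the string table. Output lands in <apk>_triage/ by default.
triage_apk() {
    local apk="$1"
    local out="${2:-${apk%.apk}_triage}"
    for t in apktool unzip d2j-dex2jar aapt; do require_tool "$t" || return 1; done
    mkdir -p "$out"
    # 1. apktool decodes the manifest, resources and smali
    apktool d -f -o "$out/apktool" "$apk"
    # 2. an APK is a zip: pull every classes*.dex out directly
    unzip -o -q "$apk" 'classes*.dex' -d "$out/dex"
    # 3. dex2jar accepts the APK itself and writes a jar you can open in JD-GUI
    d2j-dex2jar -f -o "$out/classes-dex2jar.jar" "$apk"
    # 4. dump the string table and keep only the interesting lines
    aapt d strings "$apk" | scan_strings > "$out/suspect_strings.txt"
    echo "triage written to $out"
}

# Usage: ./apk_triage.sh file.apk [output_dir]
if [ -n "${1:-}" ]; then triage_apk "$@"; fi
```

Treat suspect_strings.txt as a to-do list for manual review rather than a finding in itself: a hit on "root" may be a legitimate root-detection check, and a "token" string may be an innocuous resource name.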
Developed by MWR, drozer is a piece of software with a client/agent architecture. The client sits on your PC, and the agent/server runs on the device you are testing. You can test all manner of exploitability, from information disclosure to SQL injection. It offers a very good angle of attack and can be fun to use for interacting with the application on the phone. On a Mac it’s a pain to install.
This shows a list of installed apps that are active using USB debugging.
The Xposed Framework is probably the most powerful tool I’ve seen used on a mobile device. I haven’t touched its entire range of functionality, but it’s mainly used for hooking into applications to control their operation. One amazing hack I saw was giving yourself more coins in games, or making any word score points in Words with Friends. It is an extremely powerful tool that rewards time spent learning Java.
I do believe there is a method to successful testing of Android apps. Follow a strict method of checking and investigation, and you’ll find what you need. Sometimes apps are just secure; however, dig deeper and there is often loot to be had, from passwords and API keys to functions to hook into. Get plenty of practice by using apps from bug bounties or by writing your own. MWR have a deliberately vulnerable app to test against called Sieve, so that’s worth checking out.
Part 2 should look into the process of obtaining the APK, and decompiling to then viewing in JD-GUI.