Hacking Android: Explore every nook and cranny of the Android OS to modify your device and guard it against security threats

What do you get with Print?

Instant access to your digital copy whilst your Print order is Shipped

Paperback book shipped to your preferred address

Redeem a companion digital copy on all Print orders

Access this title in our online reader with advanced features

DRM FREE - Read whenever, wherever and however you want

Hacking Android

Chapter 1. Setting Up the Lab

In this chapter, we will set up a lab with all the tools that are required for the rest of the book. This first chapter is an essential part of the book for those who are new to Android security. It will help us to have an arsenal of tools required for Android security in one place. These are some of the major topics that we will discuss in this chapter:

Setting up the Android environment
Installing the tools required for app assessments
Installing the tools required for assessing the security of the mobile backend
Installing vulnerable apps
An introduction to Android Debug Bridge (adb)

Android Studio

The next tool to be installed is Android Studio. Android Studio is the official IDE for Android application development, based on IntelliJ IDEA. Eclipse used to be the IDE for Android Application development before Android Studio was introduced. Android Studio was in early access preview stage, starting with version 0.1 in May 2013, and then entered beta stage starting with version 0.8, which was released in June 2014. The first stable build was released in December 2014, starting with version 1.0.

Download and install Android Studio from the following link:

https://developer.android.com/sdk/index.html

Download Android Studio and run the installer:
Click Next till the following window appears:
This window shows us the options for the tools to be installed. It is suggested you check all of them to install Android SDK, Android Virtual Device, and Intel@HAXM, which is used for hardware acceleration and necessary to run x86-based emulators with Android Studio.
Agree to the License Agreement and proceed with the installation:
Choose the installation location for Android Studio and the Android SDK. If you don't have any specific choices, leave them to the default values. Please keep a note of the location of your Android SDK to add it to your system environment variables, so that we can access tools such as adb, sqlite3 client, and so on from anywhere on the command prompt:
Allocate the RAM based on your available system memory; however, a minimum of 2 GB is recommended:
The following step allows us to choose the name for Android Studio in the start menu. Again, you can leave it to the default value if you don't have any specific choice:
Continue the installation by clicking Next till the following screen appears. This finishes our Android Studio installation:
When you click Finish in the preceding window, the following screen will be shown. If you have installed an older version of Android Studio, choose its location to import your previous settings. If this is a fresh installation on this machine, choose I do not have a previous version of Studio or I do not want to import my settings:
Clicking the OK button will start Android Studio, as shown here:
Once it is loaded, we will be greeted with a window, where we need to choose the UI theme. Select one of the themes and click Next.
Clicking Next in the previous window will download the latest SDK components and the emulator, as shown in the following screenshot:
Finally, click Finish and you should be greeted with the following window. This completes our installation:
To create a new sample application, click Start a new Android Studio project:
Choose a name for your app under Application name. Let's name it HelloWorld. Also choose a sample company domain name. Let's name it test.com. Leave the other options to their defaults and click Next:
The following screen shows the Minimum SDK version for our app. We choose to make it API Level 15, as it supports a higher number of devices:
Select a Blank Activity, as shown here, and click Next:
You can choose a name for your activity if you wish. We will leave the options to their defaults:
Finally, click Finish to complete the setup. It will take some time to initialize the emulator and build our first Hello World app:

Wait for all initialization to finish when you see the previous screen. In future chapters, we will see how this app is compiled and run in an emulator.

Setting up an AVD

To get hands-on experience of most of the concepts in this book, readers must have an emulator or a real Android device (preferably a rooted device) up and running. So, let's see how to create an emulator using the setup we have from the previous installation:

Click the AVD Manager icon at the top of the Android Studio interface, shown in the following image:
This will open the following window. There is one emulator by default, which was created during Android Studio's installation process:
Click the Create Virtual Device button in the bottom-left corner of the previous window. This will display the following window:
Now, choose your device. I chose a device with the following specs, to create an emulator of a small size:
Click Next and you will see the following window. If you check Show downloadable system Images, you will see more options for your system images. We can leave it to the default of x86 for now.
Note
SDK Manager helps us to manage all system images and SDKs installed on the system.
Finally, give your AVD a name and click Finish. In our case, we named it Lab Device:
Once you are done with the previous steps, you should see an additional virtual device, shown here:
Select the emulator of your choice and click the Play button to start the emulator:

When it's ready, you should see an emulator, as shown here:

Real device

It is recommended you have a real device along with an emulator to follow some of the concepts shown in this book.

The authors have used the following device for some of their demonstrations with real devices: Sony Xperia model c1504, rooted:

Apktool

Apktool is one of the most important tools that must be included in an Android penetration tester's arsenal. We will use this tool later for Android application reverse engineering, and for creating malware by infecting legitimate apps.

Download the latest version of Apktool from the following link (please download Apktool 2.0.2 or later to avoid some issues that exist in older versions):

http://ibotpeaches.github.io/Apktool/

We downloaded and saved it in the C:\APKTOOL directory, as shown in the following screenshot:

Now, we can go ahead and launch Apktool, using the following command to see the available options:

java –jar apktool_2.0.2.jar  --help

This completes the setup of Apktool. We will explore Apktool further in future chapters.

Dex2jar/JD-GUI

Dex2jar and JD-GUI are two different tools that are often used for reverse engineering Android apps. Dex2jar converts .dex files to .jar. JD-GUI is a Java decompiler that can decompile .jar files to the original Java source.

Download both the tools from the links provided. No installation is required for these tools, as they are executables:

http://sourceforge.net/projects/dex2jar/

http://jd.benow.ca

Burp Suite

Burp Suite is without a doubt one of the most important tools for any penetration testing engagement. Android apps are not an exemption. This section shows how we can set up Burp Suite to view the HTTP traffic from an emulator:

Download the latest version of Burp Suite from the official website:
http://portswigger.net/burp/download.html
To launch Burp Suite, double-click on the downloaded file, or simply run the following command, assuming that the downloaded file is in the current working directory:
The preceding command launches Burp Suite and you should see the following screen:
Now we need to configure Burp by navigating to Proxy | Options. The default configuration looks like this:
We have to click the Edit button to check the Invisible option. We can do this by clicking the Edit button, navigating to Request handling and then checking Support invisible proxying (enable only if needed). This is shown in the following figure:
Now, let's start our emulator in order to configure it to send its traffic through Burp Suite.

Configuring the AVD

Now the AVD has to be configured in such a way that traffic from the device goes through the proxy:

Navigate to Home | Menu | Settings | Wireless & networks | Mobile Networks |Access Point Names.
Here we will configure the following proxy settings:
- Proxy
- Port
The following figure shows the IP address of the workstation. This is required to configure the AVD:
Enter the IP address of the system here:
After entering the IP address of the system, enter the port number, 8080, as shown here:

Once this is done, all the HTTP traffic from the device will be sent via the Burp proxy on your machine. We will make use of this setup extensively when we discuss weak server-side controls.

Drozer

Drozer is a tool used for automated Android app assessments. The following are the steps to get Drozer up and running.

Prerequisites

Following are the requirements for setting up:

A workstation (in my case Windows 7) with the following:
- JRE or JDK
- Android SDK
An Android device or emulator running Android 2.1 or later.

First, grab a copy of the Drozer installer and Agent.apk from the following link:
https://www.mwrinfosecurity.com/products/drozer/community-edition/
Download the appropriate version of Drozer if you are working with a different setup than what we are using in this book.
After downloading, run the Drozer installer. Installation uses the usual Windows installation wizard, as shown here:
Click Next and choose the destination location for Drozer installation:
As shown in the preceding screenshot, the default location is C:\drozer. It is recommended you use the default location if you would like to configure your system identical to ours. Follow the wizard's instructions to complete the installation. The installation window is shown in the following screenshot for your reference:
Click Finish to complete the process:

The preceding installation process automatically installs all the required Python dependencies and sets up a complete Python environment.

To check the validity of the installation, perform the following steps:

Start a new command prompt and run the drozer.bat file, as shown in the following screenshot:
Now, install the agent.apk file we downloaded earlier onto your emulator. We can install .apk files using the adb command:
```
adb install agent.apk
```
To start working with Drozer for your assessments, we need to connect the Drozer console on the workstation to the agent on the emulator. To do this, start the agent on your emulator and run the following command to port forward. Make sure you are running the embedded server when launching the agent.
```
adb forward tcp:31415 tcp:31415
```
As we can see, the command completed successfully without any errors:
Now, we can simply run the following command to connect to the agent from the workstation:
```
[path to drozer dir]\drozer.bat console connect
```
We should now be presented with the Drozer console, as shown here:

QARK (No support for windows)

According to their official GitHub page, QARK is an easy-to-use tool capable of finding common security vulnerabilities in Android applications. Unlike commercial products, it is 100% free to use. QARK features educational information allowing security reviewers to locate precise, in-depth explanations of vulnerabilities. QARK automates the use of multiple decompilers, leveraging their combined outputs to produce superior results when decompiling APKs.

QARK uses static analysis techniques to find vulnerabilities in Android apps and source code.

Getting ready

As of writing this, QARK only supports Linux and Mac:

QARK can be downloaded from the following link:
https://github.com/linkedin/qark/
Extract QARK's contents, as shown here:
Tip
Make sure that you have all the dependencies mentioned in the GitHub page to run QARK.
Navigate to the QARK directory and type in the following command:
```
python qark.py
```

This will launch an interactive QARK console, shown in the following screenshot:

Advanced REST Client for Chrome

Advanced REST Client is an add-on for Chrome. This is useful for penetration testing REST APIs, which are often a part of mobile applications:

Install the Google Chrome browser.
Open the following URL:
https://chrome.google.com/webstore/category/apps
Search for Advanced REST client. You should see the following Chrome extension. Click the ADD TO CHROME button to add it to your browser:
It will prompt you for your confirmation, as shown in the following screenshot:
Once you are done adding this extension to Google Chrome, you should have the add-on available, as shown here:

Droid Explorer

Most of the time in this book, we will use command line tools to explore the Android filesystem, pulling/pushing data from/to the device. If you are a GUI lover, you will appreciate using Droid Explorer, a GUI tool to explore the Android filesystem on rooted devices.

Droid Explorer can be downloaded from the following link:

http://de.codeplex.com

Cydia Substrate and Introspy

Introspy is a blackbox tool which helps us to understand what an Android application is doing at runtime, and enables us to identify potential security issues.

Introspy Android consists of two modules:

Tracer: the GUI interface. It lets us select the target application(s) and the kinds of test we want to perform.
- Cydia Substrate Extension (core): This is the core engine of the tool and is used to hook the applications; it lets us analyze the application at runtime to identify vulnerabilities.
Analyser: This tool helps us to analyze the database saved by Tracer to create reports for our further analysis.

Follow this process to set up Introspy:

Download Introspy Tracer from the following link:
https://github.com/iSECPartners/Introspy-Android
Download Introspy Analyzer from the following link:
https://github.com/iSECPartners/Introspy-Analyzer
Installing Cydia Substrate for Android is a requirement in order to successfully install Introspy. Let's download it from the Android Play Store and install it:
Now, install Introspy-Android Config.apk and Introspy-Android Core.apk, which we downloaded in step 1. These are the commands to install them using adb:
```
adb install Introspy-Android Config.apk
adb install Introspy-Android Core.apk
```

You should see the following icons if the installation was successful:

SQLite browser

We often come across SQLite databases when dealing with Android applications. SQLite browser is a tool that can be used to connect to SQLite databases. It allows us to perform database operations using some eye candy:

SQLite browser can be downloaded from the following link:
http://sqlitebrowser.org
Run the installer and continue with the setup (it is straightforward):
Once finished with the installation, you should see the following interface:

Frida

Frida is a framework developed for the dynamic instrumentation of apps on various platforms, which includes support for Android, iOS, Windows and Mac. This tool helps us hook into the apps and performs runtime manipulation.

Some important links are as follows:

https://github.com/frida/frida

http://www.frida.re/docs/android/

The following section shows how to set up Frida. We have used a Mac in this example.

Prerequisites:

Frida client: This will be running on the workstation
Frida server: This will be running on the device

Setting up Frida server

Download Frida server onto your local machine using the following command:

curl -O http://build.frida.re/frida/android/arm/bin/frida-server


$ curl -O http://build.frida.re/frida/android/arm/bin/frida-server
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12.0M  100 12.0M    0     0   232k      0  0:00:53  0:00:53 --:--:--  166k
$

This step should download the frida-server binary to the workstation and into the current directory.

Give Frida server execute permissions using the following command:
```
chmod +x frida-server
```
Push the frida-server binary to the device using adb push, as shown here:
```
$ adb push frida-server /data/local/tmp/
```

Now, get a shell on the device with root privileges and run frida-server as shown here:

$ adb shell
shell@android:/ $ su
root@android:/ # cd /data/local/tmp
root@android:/data/local/tmp # ./frida-server & 
[1] 5376
root@android:/data/local/tmp #

Setting up frida-client

Installing frida-client is as simple as issuing the following command:

$ sudo pip install frida
Password:
Downloading/unpacking frida
  Downloading frida-5.0.10.zip
  Running setup.py (path:/private/tmp/pip_build_root/frida/setup.py) egg_info for package frida
    
Downloading/unpacking colorama>=0.2.7 (from frida)
  Downloading colorama-0.3.3.tar.gz
  Running setup.py (path:/private/tmp/pip_build_root/colorama/setup.py) egg_info for package colorama
    
Downloading/unpacking prompt-toolkit>=0.38 (from frida)
  Downloading prompt_toolkit-0.53-py2-none-any.whl (188kB): 188kB downloaded
Downloading/unpacking pygments>=2.0.2 (from frida)
  Downloading Pygments-2.0.2-py2-none-any.whl (672kB): 672kB downloaded
Requirement already satisfied (use --upgrade to upgrade): six>=1.9.0 in /Library/Python/2.7/site-packages/six-1.9.0-py2.7.egg (from prompt-toolkit>=0.38->frida)
Downloading/unpacking wcwidth (from prompt-toolkit>=0.38->frida)
  Downloading wcwidth-0.1.5-py2.py3-none-any.whl
Installing collected packages: frida, colorama, prompt-toolkit, pygments, wcwidth
  Running setup.py install for frida
    downloading prebuilt extension from https://pypi.python.org/packages/2.7/f/frida/frida-5.0.10-py2.7-macosx-10.11-intel.egg
    extracting prebuilt extension
    
    Installing frida-ls-devices script to /usr/local/bin
    Installing frida script to /usr/local/bin
    Installing frida-ps script to /usr/local/bin
    Installing frida-trace script to /usr/local/bin
    Installing frida-discover script to /usr/local/bin
  Running setup.py install for colorama
    
Successfully installed frida colorama prompt-toolkit pygments wcwidth
Cleaning up...
$

Testing the setup

Now the client and server are ready. We need to configure port forward with adb before we can start using them. Use the following commands to enable port forwarding:

$ adb forward tcp:27042 tcp:27042
$ adb forward tcp:27043 tcp:27043

Now, type in —help to check the Frida client options:

$ frida-ps --help
Usage: frida-ps [options]

Options:
  --version           show program's version number and exit
  -h, --help          show this help message and exit
  -D ID, --device=ID  connect to device with the given ID
  -U, --usb           connect to USB device
  -R, --remote        connect to remote device
  -a, --applications  list only applications
  -i, --installed     include all installed applications
$

As we can see in the preceding output, we can use –R to connect to the remote device. This acts as a basic test for testing our setup:

$ frida-ps -R
  PID  Name
-----  ----------------------------------------
  177  ATFWD-daemon
  233  adbd
 4722  android.process.media
  174  cnd
  663  com.android.phone
 4430  com.android.settings
  757  com.android.smspush
  512  com.android.systemui
  .
  .
  .
  .
  .
  .
  138  vold
  2533  wpa_supplicant
  158  zygote
$

As we can see, a list of running processes has been listed down.

Vulnerable apps

We will be using various vulnerable Android applications to showcase typical attacks on Android apps. These provide a safe and legal environment for readers to learn about Android security:

GoatDroid:
https://github.com/jackMannino/OWASP-GoatDroid-Project
SSHDroid:
https://play.google.com/store/apps/details?id=berserker.android.apps.sshdroid&hl=en
FTP Server:
https://play.google.com/store/apps/details?id=com.theolivetree.ftpserver&hl=en

Kali Linux

Kali Linux is a penetration testing distribution often used by security professionals to perform various security tests.

It is suggested that readers install a copy of Kali Linux in VirtualBox or VMware to prepare for network-level attacks on Android devices. Kali Linux can be downloaded from the following link:

https://www.kali.org/downloads/

ADB Primer

adb is an essential tool for penetration testing Android apps. We will use this utility in multiple scenarios during our journey through this book. This tool comes preinstalled with the Android SDK and it is located in the "platform-tools" directory of the Android SDK. We added its path to the environment variables during the SDK installation process. Let us see some of the applications of this utility.

Checking for connected devices

We can use adb to list the devices that are connected to the workstation using the following command:

adb devices

As we can see in the preceding screenshot, there is an emulator running on the laptop.

Note

Note: If you have connected your phone to the workstation, and if adb is not listing your phone, please check the following:

USB debugging is enabled on your phone
Appropriate drivers for your device are installed on the workstation

Getting a shell

We can use adb to get a shell on the emulator or device using the following command:

adb shell

The preceding command will get a shell for the connected device.

The command to get a shell for an emulator when a real device and emulator are connected is as follows:

adb –e shell

The command to get a shell for a real device when a real device and emulator are connected is as follows:

adb –d shell

The command to get a shell for a specific target when multiple devices/emulators are connected is as follows:

adb –s [name of the device]

Listing the packages

When you have access to a shell on an Android device using adb, you can interact with the device using tools available via the shell. "Listing the installed packages" is one such example that uses pm, which stands for package manager.

We can use the following command to list all the packages installed on the device:

pm list packages

Pushing files to the device

We can push data from the workstation to the device using the following syntax:

adb push [file on the local machine] [location on the device]

Let's see this in action. At the moment, I have a file called test.txt in my current directory:

Let's move the test.txt file to the emulator. Type in the following command:

adb push test.txt /data/local/tmp

Note

Note: /data/local/tmp is one of the writable directories on Android devices.

Pulling files from the device

We can also use adb to pull files/data from the device to our workstation using the following syntax:

adb pull [file on the device]

Let us first delete the test.txt file from the current directory:

Now, type in the following command to pull the file located at /data/local/tmp directory to the device:

adb pull /data/local/tmp/test.txt

Installing apps using adb

As we have seen in one of the previous sections of this chapter, we can also install apps using the following syntax:

adb install [filename.apk]

Let's install the Drozer agent app using the following command:

As we can see, we have successfully installed this app.

Note

Note: If we install an app that is already installed on the target device/emulator, adb throws a failure error as shown following. The existing app has to be deleted before we proceed to install the app again.

Troubleshooting adb connections

It is often the case that adb does not recognize your emulator, even if it's up and running. To troubleshoot this, we can run the following command to get a the list of devices attached to your machine.

The following command kills the adb daemon on the device and restarts it for us:

adb kill-server

Key benefits

Understand and counteract against offensive security threats to your applications

*Maximize your device’s power and potential to suit your needs and curiosity

See exactly how your smartphone’s OS is put together (and where the seams are)

Description

With the mass explosion of Android mobile phones in the world, mobile devices have become an integral part of our everyday lives. Security of Android devices is a broad subject that should be part of our everyday lives to defend against ever-growing smartphone attacks. Everyone, starting with end users all the way up to developers and security professionals should care about android security. Hacking Android is a step-by-step guide that will get you started with Android security. You’ll begin your journey at the absolute basics, and then will slowly gear up to the concepts of Android rooting, application security assessments, malware, infecting APK files, and fuzzing. On this journey you’ll get to grips with various tools and techniques that can be used in your everyday pentests. You’ll gain the skills necessary to perform Android application vulnerability assessment and penetration testing and will create an Android pentesting lab.

What you will learn

* Acquaint yourself with the fundamental building blocks of Android Apps in the right way

* Pentest Android apps and perform various attacks in the real world using real case studies

* Take a look at how your personal data can be stolen by malicious attackers

* Understand the offensive maneuvers that hackers use

* Discover how to defend against threats

* Get to know the basic concepts of Android rooting

* See how developers make mistakes that allow attackers to steal data from phones

* Grasp ways to secure your Android apps and devices

* Find out how remote attacks are possible on Android devices

What do you get with Print?

Instant access to your digital copy whilst your Print order is Shipped

Paperback book shipped to your preferred address

Redeem a companion digital copy on all Print orders

Access this title in our online reader with advanced features

DRM FREE - Read whenever, wherever and however you want

Frequently bought together

Android Application Development Cookbook

$48.99

$54.99

$48.99

Total $ 152.97

Alejandro Caceres Jan 12, 2018

I really enjoyed this book! It was a quick read and more for the beginner-intermediate level hacker looking to hack around on android. If you're a pro with mobile hacking you'll probably just be bored reading this :). It goes through permissions schemes, the various directories where stuff is stored and how to look for vulnerabilities. It was a super fast read, the author explains himself very clearly and concisely while still making it enjoyable. It was just a cool book.

Amazon Verified review

Putfoo Sep 16, 2016

Got a chance to read this book and I must say this is one of the best books in the recent past on hacking android apps. The book covers most of the latest attacks and also has details on how to playaround with various tools available for android pen testing. The best part about the book is that the language is simple and the content is easy to understand even for non english speakers. Also, worth mentioning the point that techies who are not good with Android Pen testing can also read the book and get an idea about most of the vulenrabilities. I would definitely love to recommend this book to everyone who works on android applications.Value for money 5/5Content in the book 4/5Language used by the author 4.5/5Examples given in the book 4.5/5Tools given in the book 4/5

AP Nov 09, 2016

I'm really glad I've found and purchased this book it gave me valuable insight into hacking Android application. The book is concise but filled with practical knowledge. It was fun to read (In each chapter I found something interesting). If you're looking for hands-on reversing of Android applications this is the book you should read. Thank you authors! awesome job!

AP Nov 02, 2016

Phil Rossini Jan 15, 2018

This is one of the most frustrating books I have read on security! I'm spending more time trying to debug why the tools are not running correctly than I am running exercises on cracking mobile devices!! The guidance on how to set up the testing lab is very basic and does not go into detail or troubleshooting options should you encounter errors. If you are new to pen testing I don't think you will get much out of this book and in many ways may inhibit your learning!

Hacking Android: Explore every nook and cranny of the Android OS to modify your device and guard it against security threats

What do you get with Print?

Contact Details

Shipping Address

Billing Address

Java

Note

Prerequisites

Getting ready

Tip

Setting up Frida server

Setting up frida-client

Testing the setup

Key benefits

Description

Who is this book for?

What you will learn

Product Details

What do you get with Print?

Contact Details

Shipping Address

Billing Address

Product Details

Packt Subscriptions

Frequently bought together

Table of Contents

Recommendations for you

Customer reviews

People who bought this also bought

About the authors

FAQs

Create a Free Account To Continue Reading

Sign in to activate your 7-day free access