Capt. Meelo

An infosec guy who's constantly seeking for knowledge.

Lesser-known Tools for Android Application PenTesting

30 Dec 2019 » mobile

Introduction

In the past few months, I’ve been doing a lot of android application security assessments. Over time, I became familiar with the different tools, popular or not, that helped me in my assessments. In this post, I’ll list down these not-so-popular tools (in my opinion based on the different sources and blogs that I have read where these tools were not mentioned) that I’m using during my engagements.

Note: There’s nothing fancy in this post. Just some tools that I found useful.

Magisk

While Magisk is a very popular framework and shouldn’t be considered as one of the “lesser-known” tools, it’s important that I mention it here since some of the tools included in this post are either a feature of Magisk or a module that you can install with Magisk.

So if you don’t have Magisk on your testing device, make sure to install it now!

Magisk Hide

Magisk Hide is the first tool that will be discussed since it has saved me a lot of time when bypassing an application’s root detection mechanism. Magisk Hide is one of the features of Magisk, and bypassing root detection is as simple as toggling the switch ON.

As an example, let’s try bypassing the root detection mechanism of the PS4 Remote Play app. When running this application on a rooted device, the following error shows up: Error on Root

To bypass the root detection of this application, open Magisk Manager, tap the menu icon (top left corner) and select Magisk Hide. Magisk Hide Option

Select the target application (“PS4 Remote Play” in this case) from the list of applications. Hide Root

Run the app again and we should now be able to launch the PS4 Remote Play without the error. Run on Root

If root detection was still not bypassed after adding the application in the Magiks Hide list, try hiding the Magisk Manager app itself. To do this, open Magisk Manager, tap the menu icon (top left corner) and select Setting. Then tap the Hide Magisk Manager option. Hiding Magisk Manager

This repackages the Magisk Manager app with a random package name and changes the app name from Magisk Manager to just Manager. Random Package Name New App Name

Move Certificate

Starting with Android Nougat (API Level 24), applications, by default, no longer trust user-added certificate for secure connections. This results in the following errors when capturing HTTPS traffic from an application running on Android Nougat and above. SSL Errors

One method to resolve this issue is to add user-installed certificates to the system certificate store. This can be done manually or automatically using the Magisk module Move Certificate. Of course, I prefer the Magisk way! After installing the module, all user-installed certificate will be added automatically to the system certificate store. System Cert

Root Certificate Manager

If you’re using an old device and/or you don’t have Magisk, the other tool that could be used to ease up the process of adding a certificate to the system store is by using Root Certificate Manager.

Root Cert Manager

DisableFlagSecure

Sensitive applications, such as mobile bankings, password managers, 2FA apps, etc., do not allow screenshots to be taken for security purposes. As an example, when taking a screenshot of the Aegis Authenticator 2FA app, the following error shows: Screenshot Not Allowed

When testing this kind of applications, taking evidence for findings which require showing the app or its screens is a bit of a hassle. Before, what I would do is to have another phone with me and take a photo of my testing device. Taking Photo

This method annoys me because I have to make sure that the photo I’m taking is focused and clear. Plus, it doesn’t look great as evidence in a pentest report. Then I discovered the Xposed module DisableFlagSecure.

This module disables the FLAG_SECURE window flag system-wide. FLAG_SECURE is is responsible for preventing screenshots to be taken.

After installing DisableFlagSecure from Xposed and rebooting the device, screenshots can now be taken. Screenshot Taken

Smali Patcher

If you want to disable FLAG_SECURE “systemless-ly”, this can be done through Magisk with the help of Smali Patcher.

After running SmaliPatcher.exe for the first time, it will download the necessary binaries and tools that it needs and will store them in the bin and tmp folders. Folders

Before clicking the ADB PATCH button, ensure the following are met:

  • USB Debugging is enabled
  • Device is attached to the PC
  • USB Debugging connection is authorized
  • Desired patch is ticked (Secure flag in this case)

SmaliPatcher Ready

Once SmaliPatcher is done running, a zip file will be created on the working directory. Just flash this zip file through Magisk, reboot, and the patch (disabling FLAG_SECURE in this case) will be applied. Patched

SmaliPatcher also supports other patches as seen from the “Patch Options” section of the tool. It’s up to the reader to discover these patches.

ADB Manager

If you’re like me who has several testing devices but has only one cable available for connecting these devices into the computer, or you just hate cables, I found ADB Manager to be very useful. This application allows you to establish an ADB shell via Wi-Fi.

Upon opening ADB Manager, just click the Start Network ADB button. Starting ADB Manager

To establish an ADB shell to the testing device (make sure USB Debugging is enabled), just type the following commands:

adb connect <ip-addr-shown-in-ADB-Manager>:<port-shown-in-ADB-Manager>
adb shell

ADB Shell

ProxyDroid

When intercepting traffic from a device, you’ll observe a lot of traffic coming from applications other than the target application. Normal Proxy

Some of this traffic comes from background services running on the phone, and these unwanted data fill up the proxy history. This causes confusion as to whether a certain HTTP request came from the target application or not. To filter out these unwanted data, the simplest solution is to add the list of target hosts under the proxy’s target scope setting. However, I find this method to be repetitive since I have to do this for every engagement. Also, what if I just wanted to analyze a particular app and I don’t have an idea about the hosts the app is making requests to?

Here comes ProxyDroid! Using its Individual Proxy option, you can select specific app or apps which you want to proxy. Individual Proxy

Under the Individual Proxy setting, just tick the app or apps you want to proxy, then switch ON ProxyDroid and everything should be good. Proxydroid

pidcat

Some applications write sensitive data, in plain-text format, in the system log. The system log can be viewed using Android’s Logcat utility. By simply running the command adb logcat, it prints out a lot of unnecessary data which makes the analysis very hard and confusing. Logcat Output

To remove these unnecessary logs, we can filter Logcat’s output based on the target application using the following one-liner command:

adb logcat | grep "$(adb shell ps | grep <target-app-package-name> | awk '{print $2}')"

Filtered Logcat

While the above command cleans up the messy Logcat’s default output, my preferred method is by using pidcat. To show log entries for processes from a specific application, just run this simple command:

pidcat <target-app-package-name>

Pidcat Output

Aside from the simplicity of running the command, you also have a nice colorful output.

resize

When typing long commands in an ADB shell, you’ll notice that the terminal size is limited. Limited Terminal Size

This is annoying especially when I’m viewing and analysing a file’s contents. Thankfully, BusyBox’s resize binary exists. Just run the command resize and you can now enjoy the full size of your terminal. Resized

If you’re testing on a physical device, you can install BusyBox via Playstore or do it “systemless-ly” via Magisk

In an emulator which does not have the Google Playstore app, you can install BusyBox with the following commands:

wget --no-parent --no-host-directories --cut-dirs 3 -r https://busybox.net/downloads/binaries/1.30.0-i686/ -P /tmp/busybox
adb push /tmp/busybox /data/data/busybox
adb shell "mount -o rw,remount /system && mv /data/data/busybox /system/bin/busybox && chmod 755 /system/bin/busybox/busybox && /system/bin/busybox/busybox --install /system/bin"

scrcpy

When performing an assessment, I always look back and forth between my phone (to play around with the app I’m testing) and my monitors (to see what’s going on while piddling with the app, etc.). I find it annoying and it hurts my neck when looking at my phone for a long period since it is sitting on my desk.

Good thing scrcpy exists, which allowed me to view and control my device from my PC. To use it, just run the command scrcpy and you’re good to go.

Using scrcpy

frida-android-helper

frida-android-helper is a very handy tool for someone (like me) who doesn’t like typing long commands or a series of commands just to do one thing. For example, if you’re using adb to take a screenshot, you would have to type the following commands to take a screenshot and pull it from your phone to your pc.

# adb shell screencap -p /sdcard/screencap.png
# adb pull /sdcard/screencap.png

But with frida-android-helper, this can be done with a simple command; fah screen. FAH Screenshot

Another feature I liked is how easy it is to manage (starting, stopping, updating, etc.) Frida. No need to run multiple commands. For example, to update Frida, just execute fah server update then it will fetch and install the latest version of frida-server.

┌──(venv)(root💀kali)-[~]
└─# fah server update
⚡ Updating frida-server
📲 Device: LenovoTB-8703F_A9 (192.168.1.14:5555)
⚡ Downloading frida-server-15.1.17-android-arm64.xz...
⚡ Extracting frida-server-15.1.17-android-arm64.xz...
⚡ Writing frida-server-15.1.17-android-arm64.xz...

Conclusion

That’s all. Thanks for reading!