MobileHackingCheatSheet

Basics on commands/tools/info on how to assess the security of mobile applications


The Mobile Hacking CheatSheet

The Mobile Hacking CheatSheet is an attempt to summarise the basic information, tools and commands needed to assess the security of Android and iOS mobile applications.

PDF versions:

Main Steps

  1. Review the codebase
  2. Run the app
  3. Dynamic instrumentation
  4. Analyze network communications

OWASP Mobile Security Testing Project

OWASP Mobile Application Security Testing Guide

https://github.com/OWASP/owasp-mastg

Mobile Application Security Verification Standard

https://github.com/OWASP/owasp-masvs

Android CheatSheet

APK Structure

  • META-INF: Files related to the signature scheme (v1 scheme only)
  • lib: Folder containing native libraries (ARM, MIPS, x86, x64)
  • assets: Folder containing application specific files
  • res: Folder containing all the resources files (layouts, strings, etc.) of the application
  • classes.dex [classes2.dex] ...: Dalvik bytecode of the application
  • AndroidManifest.xml: Manifest file describing essential information about the app (permissions, components, etc.)

Package Name

The package name represents the app’s unique identifier (e.g. for YouTube):

com.google.android.youtube

Data Storage

User applications

/data/data/<package-name>/

Shared Preferences Files

/data/data/<package-name>/shared_prefs/

SQLite Databases

/data/data/<package-name>/databases/

Internal Storage

/data/data/<package-name>/files/

adb

Connect through USB

adb -d shell

Connect through TCP/IP

adb -e shell

Get a shell or execute the specified command

adb shell [cmd]

List processes

adb shell ps

List Android devices connected to your machine

adb devices

Dump the log messages from Android system

adb logcat

Copy local file to Android device

adb push <local> <device>

Copy file from the Android device

adb pull <remote> <local>

Install APK file on the Android device

adb install <APK_file>

Install an App Bundle

adb install-multiple <APK_file1> <APK_file2> <APK_file3> ...

Set-up port forwarding using TCP protocol from host to Android device

adb forward tcp:<local_port> tcp:<remote_port>

List all packages on the device

adb shell pm list packages

Find the path where the APK is stored for the selected package name

adb shell pm path <package-name>

List only installed apps (not system apps) and the associated path

adb shell pm list packages -f -3

List packages names matching the specified pattern

adb shell pm list packages -f -3 [pattern]

Application Signing

For signing your APK file, you have 2 options:

  • jarsigner: Only supports v1 signature scheme (JAR signature)

    jarsigner -verbose -keystore <keystore_name> -storepass <keystore_password> <APK_file> <alias_name>
    
  • apksigner: Official tool from Android SDK (since version 24.0.3), which supports all the signature schemes (from v1 to v4)

    apksigner sign --ks <keystore_name> --ks-pass pass:<keystore_password> <APK_file> 
    

To create your own keystore, the following one-liner can be used:

keytool -genkeypair -dname "cn=John Doe, ou=Security, o=Randorisec, c=FR" -alias <alias_name> \
  -keystore <keystore_name> -storepass <keystore_password> -validity <days> -keyalg RSA -keysize 2048 -sigalg SHA1withRSA

Code Tampering

To tamper with an APK file, the following steps should be performed:

  1. Disassemble the app with apktool and save the smali code into output directory

    apktool d <APK_file> -o <directory_output>
    
  2. Modify the smali code of your app (or the resource files if needed)

  3. Build the modified APK with apktool

    apktool b <directory_output> -o <new_APK_file> 
    
  4. Sign the APK (see Application Signing)

  5. (Optional) Use zipalign to optimize the APK file

    zipalign -fv 4 <input_APK> <output_APK>
    

Frida

Installation

Install Frida and Python bindings on your system using pip

pip install frida frida-tools

Download the Frida server binary matching the targeted architecture and your Frida version

VER=`frida --version`
ABI=`adb shell getprop ro.product.cpu.abi`
wget https://github.com/frida/frida/releases/download/$VER/frida-server-$VER-android-$ABI.xz
xz -d frida-server-$VER-android-$ABI.xz

Upload and execute the Frida server binary on your Android device (root privileges are needed)

VER=`frida --version`
ABI=`adb shell getprop ro.product.cpu.abi`
adb root
adb push frida-server-$VER-android-$ABI /data/local/tmp/frida
adb shell "chmod 755 /data/local/tmp/frida" 
adb shell "/data/local/tmp/frida"

Tools

List running processes (emulators or devices connected through USB)

frida-ps -U 

List only installed applications

frida-ps -U -i

Attach Frida client to the specified application (emulator or device connected through USB)

frida -U <package_name>

Spawn the specified application (emulator or device connected through USB)

frida -U -f <package_name> 

Spawn the specified application without any pause at the beginning (emulator or device connected through USB)

frida -U -f <package_name> --no-pause

Load a Frida script when attaching to the specified application

frida -U -l <script_file> <package_name>

Objection

Inject Frida Gadget library inside an APK file by specifying the targeted architecture (if emulator not running or device not connected)

objection patchapk --source <APK_file> -V <frida_version> --architecture <arch>

Inject Frida Gadget library inside an APK file using the latest Frida version available on GitHub (if an emulator is running or a device is connected)

objection patchapk --source <APK_file>

SSL/TLS Interception with BurpSuite

Before Android 7

  1. Launch BurpSuite and modify the Proxy settings in order to listen on "All interfaces" (or a specific interface)
  2. Edit the wireless network settings on your device, or the emulator proxy settings (Android Studio)
  3. Export the CA certificate from Burp and save it with the ".cer" extension
  4. Push the exported certificate to the device with adb (onto the SD card)
  5. Go to "Settings->Security" and select "Install from device storage"
  6. For "Credential use", select "VPN and apps"

References:

After Android 7

From Android 7, the Android system no longer trusts user-supplied CA certificates. To be able to intercept SSL/TLS communications, you have 3 options:

  1. Use an older version of Android
  2. Use a rooted device and install the BurpSuite CA certificate in the system certificate store
  3. Tamper with the targeted application in order to re-enable trust in the user certificate store

In order to tamper with the targeted Android application, we are going to add or modify the network security configuration file. On recent Android versions, this file allows forcing the application to trust user-supplied CA certificates. The following steps should be performed:

  1. Install BurpSuite's CA certificate on your Android device (see Before Android 7)

  2. Disassemble the targeted app (APK file) with apktool

  3. Add or modify the network_security_config.xml file (usually in the res/xml/ folder). The content of the file should be:

    <?xml version="1.0" encoding="utf-8"?>
    <network-security-config>
      <base-config>
        <trust-anchors>
          <certificates src="system" />
          <certificates src="user" />
        </trust-anchors>
      </base-config>
    </network-security-config>
    
    
  4. If the network_security_config.xml file was not already present in your app, AndroidManifest.xml also needs to be modified by adding the networkSecurityConfig attribute as follows:

    <application android:name="AppName" android:networkSecurityConfig="@xml/network_security_config">
    
  5. Build the modified app with apktool and then sign the newly created APK file (see Application Signing)
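The Code Tampering steps and the network security configuration patch above, combined into one script as an added example (this is not the cheat sheet's own code). It assumes apktool, zipalign and apksigner are on PATH and that a keystore exists as created under Application Signing; note that with apksigner, zipalign has to run before signing, because aligning a signed APK invalidates its v2+ signature.

```shell
# Added example (not from the cheat sheet): decode an APK, make it trust the
# user CA store via network_security_config.xml, rebuild, zipalign and sign.
# Assumes apktool, zipalign and apksigner are on PATH.
set -eu
# Ensure the decoded AndroidManifest.xml references a network security config
# and print the config's name. An existing reference is kept so that its file
# is overwritten rather than adding a second config the app would ignore.
patch_manifest() {
  manifest="$1"
  name=$(sed -n 's/.*android:networkSecurityConfig="@xml\/\([^"]*\)".*/\1/p' "$manifest" | head -n 1)
  if [ -z "$name" ]; then
    name=network_security_config
    attr="android:networkSecurityConfig=\"@xml/$name\""
    # second expression covers an <application> tag whose attributes start on the next line
    sed -e "s|<application |<application $attr |" -e "s|<application\$|<application $attr|" \
      "$manifest" > "$manifest.tmp" && mv "$manifest.tmp" "$manifest"
  fi
  printf '%s\n' "$name"
}
# Write the config from step 3: trust both the system and the user store.
write_nsc() {
  mkdir -p "$(dirname "$1")"
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </base-config>
</network-security-config>
EOF
}
# Whole pipeline: zipalign runs BEFORE apksigner, because aligning an APK
# after signing it invalidates the v2+ signature.
tamper_apk() {
  apk="$1"; ks="$2"; pass="$3"; out="${4:-patched.apk}"
  work=$(mktemp -d)
  apktool d -f "$apk" -o "$work/src"
  write_nsc "$work/src/res/xml/$(patch_manifest "$work/src/AndroidManifest.xml").xml"
  apktool b "$work/src" -o "$work/unsigned.apk"
  zipalign -f 4 "$work/unsigned.apk" "$work/aligned.apk"
  apksigner sign --ks "$ks" --ks-pass "pass:$pass" --out "$out" "$work/aligned.apk"
  rm -rf "$work"
}
# Usage: sh patch_nsc.sh <APK_file> <keystore_name> <keystore_password> [out.apk]
if [ $# -ge 3 ]; then tamper_apk "$@"; fi
```

The resulting APK only trusts the CA you installed on your own test device; it does not change what other installations of the app trust.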

Content Provider

Query a Content Provider

adb shell content query --uri content://<provider_authority_name>/<table_name>

Insert an element into a Content Provider

adb shell content insert --uri content://<provider_authority_name>/<table_name> \
  --bind <param_name>:<param_type>:<param_value>

Delete a row from a Content Provider

adb shell content delete --uri content://<provider_authority_name>/<table_name> \
  --where "<param_name>='<param_value>'"

Activity Manager

Start an Activity with the specified Intent

adb shell am start -n <package_name/activity_name> -a <intent_action>

Start an Activity with the specified Intent and extra parameters

adb shell am start -n <package_name/activity_name> -a <intent_action> --es <param_name> <string_value> --
