Android Application Security Assessment - A Quick Guide

Hi guys,

This is an endeavor to share my knowledge on Android application security and my learning from it. Comments are invited so that we can pool our knowledge and learn.

To begin, you will need a few things:

1) A physical mobile device (rooted) or Android Studio installed

2) ADB (this comes pre-installed with Android Studio)

That's pretty much it :)

These two things are enough to get started with most Android app security assessments.

Steps to begin the assessment:

First, get the .apk file from the developer. If you don't have the .apk file, install the app from the Play Store and extract the .apk to begin the assessment.

The assessment can be broadly divided into two parts:

Static Analysis and Dynamic Analysis

1) Static Analysis:

 - Analyzing manifest file

 - Sensitive information found in logs

 - Sensitive information found in cache

 - Sensitive information found in installed application folder

 - Sensitive information stored in SQLite database in clear text

 - Check if sensitive information remains there even after log out

 - Sensitive information stored in shared preference files
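
For the "Analyzing manifest file" item, the following is an added example (not part of the original post) of an automated first pass over the manifest. It assumes the manifest has already been decoded from the APK's binary XML into plain text (for example with apktool); the function name `audit_manifest` and the `com.example.demo` sample are illustrative.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = {"activity", "activity-alias", "service", "receiver", "provider"}
APP_FLAGS = {  # attribute -> why an explicit "true" matters (defaults not modelled)
    "debuggable": "a debugger can attach to the app",
    "allowBackup": "app data can be copied off the device via adb backup",
    "usesCleartextTraffic": "plain HTTP traffic is permitted",
}

# Constructed sample manifest for illustration, not taken from a real app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.demo.SYNC"/></intent-filter>
    </service>
    <provider android:name=".NotesProvider" android:exported="true"
        android:permission="com.example.demo.NOTES"/>
    <receiver android:name=".InternalReceiver" android:exported="false"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return findings (strings) for a decoded, plain-text AndroidManifest.xml."""
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return []
    findings = [f"{flag}=true: {why}" for flag, why in APP_FLAGS.items()
                if app.get(NS + flag) == "true"]
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        name = comp.get(NS + "name", "?")
        exported = comp.get(NS + "exported")
        # Without an explicit value, an intent-filter implies exported on older targets.
        implicit = exported is None and comp.find("intent-filter") is not None
        # Only android:permission is checked; provider read/write permissions not modelled.
        guarded = bool(comp.get(NS + "permission"))
        launcher = any(c.get(NS + "name") == "android.intent.category.LAUNCHER"
                       for c in comp.iter("category"))
        if (exported == "true" or implicit) and not guarded and not launcher:
            how = "implicitly (intent-filter)" if implicit else "explicitly"
            findings.append(f"{comp.tag} {name} exported {how} without a permission")
    return findings
```

Calling `audit_manifest(SAMPLE)` returns the list of findings; each exported component it reports still needs manual review to decide whether the exposure is intended.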


2) Dynamic Analysis:

- Analyzing requests and responses using a proxy tool (Burp Suite)

- Understanding all functionalities of the app and then performing a scenario-based assessment

Business logic vulnerability

 - User account compromise of another user

 - Admin account compromise from user account

 - Brute force authentication/OTP/other services

 - Check for server-side validation

 - Check for root detection method / bypass it

Transport layer security

 - Older version of SSL used

 - SSL pinning bypass

 - Weak SSL ciphers and other SSL related vulnerabilities (sslscan, sslyze, osaft etc.)

Server side checks

 - Check for SQL injection

 - CAPTCHA implementation flaws & bypass

 - Check for all HTTP methods (PUT, DELETE etc.; use Burp Intruder for HTTP verb tampering)

 - Check for client-side injection (XSS)

 - Username enumeration

 - Other user's sensitive details enumeration

 - User details enumeration using IDOR

 - Malicious file upload

 - Server-side flaws (IIS, Apache, Tomcat etc.)

 - Run nikto, dirb on web content URL

 - Check for session management (cookie flaws, session overriding, session fixation etc.)