Wednesday, March 1, 2017

Mobile Pentesting with Android - Part 1 - Set-Up

Nowadays it seems people like to do "everything" in their daily lives over their phone, avoiding laptops and even more so desktops. For this reason, cyber crime is shifting to a new paradigm: going after mobile users, infecting them with malware, stealing their credentials and even listening to their phone calls with fake apps that give you a little more than what they promise.

Leaving aside the whole discussion of "how can I be safer with my phone", I thought it would be better to skip that boring rhetorical subject and delve more into "how to spot if my app is actually secure" by applying common sense and various assessments to it. First I will go into the basics of how to determine if your app is as secure as it claims, and then set up an emulator so you can test apps before installing them on your phone. We will change the connection settings so the traffic routes through a local proxy, so we can see whether the app transmits securely from our device.

You can also conduct other assessments, but it's up to you whether you decide to break the law or not. I suggest you don't, so as a proof of concept I will use a purposely vulnerable Android app called DIVA (Damn Insecure and Vulnerable App). Ultimately, it's your duty to be responsible with the apps you use, how much and what type of information you share over the Internet, and TO INVESTIGATE AND TEST them in order to determine if it's a good trade-off for you to install and use them.

To start, I will show you how to determine what kind of information you give out before installing an application. You can also check this on an application already installed on your mobile.

In the following screenshot you can see Facebook's permissions and how to access them. 



Under "Permission details" it specifies which sensors on the phone are activated on behalf of the installed app. So after we see what we give out, we face the dilemma of trading off some privacy for the pleasure of using the app.

Now I will show how to set up a phone emulator so you can install the application you want and test it however you please. You can also follow the proxy connection steps on your own (physical) phone after connecting it to your home Wi-Fi, but I wouldn't recommend it, since I wouldn't mix my personal phone with testing applications.

There are plenty of emulators online to test with, but the one I highly recommend, because it's easy to set up and use, is Genymotion for Personal Use, which will also help you install the Android image you want. You can also install .apk files on the fly by drag-and-drop, which makes it extremely easy.

After installing it, in order for Genymotion to work, we also have to install VirtualBox.
 

Once Genymotion and VirtualBox are installed, you need to fire up Genymotion and set up the proxy in order to use it with Burp Suite and test for vulnerabilities. But first, let's go over Genymotion's settings:

Going from back to front, leave the Misc tab at its defaults, as it is only for selecting the folder you want for screen captures. You can also opt out of Genymotion collecting usage statistics.

In the ADB tab, if you haven't installed any SDK tools package (you don't have to), use the default option. If you did, select the folder where your SDK tools reside.

For the "VirtualBox" tab, ensure the path for the virtual devices is the correct one (it's already set up by default).

Also leave the "Network" tab blank, as we set up the proxy later. For the "Account" tab, there is nothing to change or review.

For the VirtualBox configuration, you only need to review and change (if applicable) the Network settings.

Adapter 1 should be "Host-only" so VirtualBox can connect to Genymotion:

For Adapter 2, we should select NAT so the emulator can reach our local IP address, where Burp Suite will listen:




Ensure "Enable Network Adapter" is checked for both Adapter 1 and Adapter 2. This is a common problem I have overlooked more than once.

Now we fire up the image in Genymotion and wait until our Android image starts. You can check VirtualBox on the side to verify everything went fine. You can see the image loaded. Mine's a custom one, so it might look different if you chose another Android image, but it shouldn't matter.



Finally, we set up our proxy so we can connect to our application through Burp Suite.

The easiest way to do this is to go to Settings -> Wi-Fi -> long-press on WiredSSID (the network's name) and select "Modify network".


Click "Show advanced options", select "Manual" under Proxy, and enter the IP of our local machine and port 8082 (or whatever unused port you like).


Leave "Bypass proxy for" and "IP settings" as they are and click "Save".

Now fire up Burp Suite and create a new blank (temporary) project. Select the defaults and wait until it completely loads.

Go to Proxy -> Options, deselect the default listener (127.0.0.1:8080), and create a new proxy listener on port 8082 (or whatever port you entered in your Android Wi-Fi proxy settings), selecting "All interfaces":

Click OK, and Yes when it asks if you want to listen on all interfaces.

Now, in Burp Suite, go to "Intercept" (under the Proxy tab) and test the connection by opening Genymotion's web browser. If it doesn't automatically go to google.com, type google.com and press Enter. Burp Suite should now intercept the request before the page loads.
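If the intercept never fires, the usual culprits are the listener still bound to 127.0.0.1 or an adapter left disabled. Here is an added self-check script (not from the original post) that tests the emulator-to-Burp path from the host side; it assumes the LAN IP and port 8082 you typed into the emulator's proxy settings, and `_CannedProxy`/`start_fake_proxy` are a constructed stand-in for Burp so the script can be exercised offline:

```python
import socket
import socketserver
import threading

def listener_reachable(host, port, timeout=2.0):
    """True if a TCP listener answers on host:port. A Burp listener left on
    127.0.0.1 fails for the LAN IP: the symptom of not picking 'all interfaces'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def proxy_fetch(proxy_host, proxy_port, url, timeout=5.0):
    """One plain-HTTP GET in absolute-URI form through the proxy (what the
    emulator browser sends for http:// pages); returns the status line."""
    host = url.split("/")[2]
    req = f"GET {url} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.settimeout(timeout)
        s.sendall(req.encode())
        data = b""
        while b"\r\n" not in data:
            chunk = s.recv(1024)
            if not chunk:
                break
            data += chunk
    return data.split(b"\r\n", 1)[0].decode(errors="replace")

def check_proxy_path(host, port, url="http://www.google.com/"):
    """Run both checks; 'host' is the LAN IP entered in the emulator, not 127.0.0.1."""
    if not listener_reachable(host, port):
        return {"reachable": False, "status": None}
    try:
        return {"reachable": True, "status": proxy_fetch(host, port, url)}
    except OSError as exc:
        return {"reachable": True, "status": f"error: {exc}"}

class _CannedProxy(socketserver.BaseRequestHandler):
    """Constructed stand-in for Burp: answers any request with 200 and echoes the request line."""
    def handle(self):
        line = self.request.recv(4096).split(b"\r\n", 1)[0]
        body = b"intercepted: " + line
        head = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\nConnection: close\r\n\r\n"
        self.request.sendall(head % len(body) + body)

def start_fake_proxy(bind="127.0.0.1"):
    """Start the stand-in on an ephemeral port; returns (port, server)."""
    server = socketserver.TCPServer((bind, 0), _CannedProxy)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1], server
```

The check covers plain HTTP only; HTTPS pages will not load in the emulator until Burp's CA certificate is installed there. A listener on all interfaces is reachable by every host on your Wi-Fi, so keep it up only while you are testing.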



And this concludes the set-up process. In the next post, I will guide you through installing the .apk and using DIVA so you can start learning and practicing your pentesting skills with no constraints or legal troubles.

Have a good week and stay safe!
