Mobile Penetration Testing

Aug 16, 2022 | VAPT

This article introduces the Android file system and a way to interact with connected Android devices, their installed applications, and their structure.

Mobile application PT

AOSP

Google maintains the Android Open Source Project (AOSP). Android is an operating system designed for touchscreen devices and is built on the Linux kernel.

Android has been the best-selling smartphone OS since 2011. Today it also runs on tablets, smartwatches, and TVs.

Android File system

Since Android is built on the Linux kernel, its file system layout is very similar to that of a Linux distribution. The system partitions are mounted read-only: an app can read many of their files, but nothing in them can be modified unless the device is rooted.

Unlike Windows, partitions such as the SD card do not get a drive letter; they are mounted at a path somewhere under the root directory /. On a desktop Linux system, ordinary users can usually read most of the tree below /, whereas on Android the unprivileged shell user, and every app (each of which runs as its own Linux UID), is confined to a much smaller part of it.

Sdcard

The /sdcard/ directory (external storage) is the primary location for user files such as photos, downloads, and documents, and holds each app's external data under /sdcard/Android/data/. It is distinct from internal app data in /data/data/[package], where apps keep their private databases and settings. A /sdcard/ directory exists even if no physical SD card is installed; on modern devices it is emulated on the internal flash.

When an Android phone is connected to a computer via USB (MTP file transfer), the directory exposed to the computer is /sdcard/. On most devices /sdcard/ is a symlink that resolves to /storage/emulated/0/.

Browsing the folders

The local folders of an Android device can be browsed with a file manager. Some devices ship with one pre-installed; otherwise one can be installed from the Play Store.

Alternatively, for those who prefer a command line, a terminal emulator such as Termux can be installed. Its shell runs as the app's own unprivileged UID, so without root it sees the same restricted view of the file system as any other app.

Main Partitions

Besides /sdcard/, the Android file system has a handful of main mount points that map to dedicated partitions on the device's flash storage.

The actual block devices are listed in /proc/partitions. On eMMC-based devices the whole flash appears as mmcblk0 and its partitions as mmcblk0p1, mmcblk0p2, and so on; on UFS-based devices they appear as sda, sdb, ... with partitions such as sda1. Human-readable partition names are usually exposed as symlinks under /dev/block/by-name/. On newer A/B devices the partitions below exist in two slots (for example boot_a and boot_b).

PARTITION    DESCRIPTION
/boot/       Holds the kernel and the ramdisk used during the boot process. Without this partition the device cannot boot.
/system/     Contains the Android operating system itself (framework, system apps, libraries). The kernel is not here; it is stored in /boot/.
/recovery/   An alternative boot image used for recovery operations: factory resets, applying OTA updates, and flashing a new system image when the main system fails to boot.
/cache/      The cache partition, used for frequently accessed data and for staging OTA update packages.

Introduction to ADB

ADB (Android Debug Bridge) is a command-line utility for communicating with Android devices. Its primary purpose is to help developers debug and test their applications efficiently.

ADB provides the ability to control an Android device from a computer and can copy files back and forth. ADB can also run shell commands on the device, install and uninstall apps, take screenshots, and more.

Installing ADB

ADB is a client-server program: the adb client and the adb server run on the workstation, and the adbd daemon runs on the Android device.

The platform-tools package containing adb can be downloaded from developer.android.com. Alternatively, installing Android Studio installs it automatically (on Windows, a USB driver for the specific device may additionally be needed from the vendor).

On Windows the default location is C:\Users\[user]\AppData\Local\Android\Sdk\platform-tools.

Activating ADB

ADB is enabled on the device through Settings > About phone. Tapping Build number seven times shows the message "You are now a developer!".

Afterwards, a Developer options menu is added to the main Settings page. In it, enable USB debugging. On the first connection the device asks whether to allow debugging from the computer (identified by its RSA key); that prompt must be accepted before adb can talk to the device.

Using ADB

adb devices lists all connected devices and emulators with their serial numbers. If the adb server is not yet running, the command starts it.

adb shell opens an interactive shell on the device (or runs a single command, for example adb shell id). adb root restarts adbd with root privileges, but this only works on emulators, userdebug/eng builds, or devices rooted in a way that permits it; on a production build it fails with "adbd cannot run as root in production builds". Files are transferred with adb push [local path] [android path] and adb pull [android path] [local path]. With several devices connected, a specific one is selected with adb -s [serial].

Rooting

Rooting is the process of giving the user privileged (root, UID 0) control over the Android subsystem.

Rooting is frequently used to circumvent restrictions that carriers and hardware manufacturers impose on specific devices.

A rooted device allows you to read and modify system applications, edit device settings that are normally locked, and alter Android system files. Root access is comparable to jailbreaking an iOS device. For a penetration tester it also makes the private data directories of other apps (/data/data/[package]) readable, which is the usual reason to test on a rooted device.

Root advantages

Root access allows low-level control of the device, up to overclocking or underclocking the CPU or GPU where the kernel supports it.

Rooted devices also give full control over applications, including the ability to back up, restore, and modify them.

Custom system-level processes can be added through third-party applications and modules, and after rooting it is possible to install custom firmware or ROMs.

Android applications

Android applications are distributed as APK files regardless of the language they were written in.

Java: Java was chosen as the main programming language for Android because its bytecode is portable across the many different chipsets and devices Android runs on. The compiled classes are converted to DEX bytecode and packed into an APK file together with the resources and the manifest.

Kotlin: Kotlin is an alternative language for Android applications and has been Google's preferred language for Android since 2019. It addresses common sources of bugs in Java code (null-pointer errors in particular) and is generally considered more programmer-friendly. Kotlin compiles to the same DEX bytecode, so from a pentester's point of view a Kotlin app is extracted and decompiled in exactly the same way as a Java app.

Dalvik Android VM

Dalvik is a virtual machine developed specifically for Android. It was designed around the constraints of mobile devices: battery life, limited memory, and limited computing power.

A virtual machine is needed so that the same application runs unchanged on devices with different hardware and chipsets.

Dalvik was designed so that a device can efficiently run several VM instances at once. Each instance executes files in the DEX (Dalvik Executable) format, which is laid out to need as little RAM as possible at run time.

Every application runs in its own VM instance and as its own Linux user, which is the basis of Android's application sandbox. Dalvik is open-source software, originally written by Dan Bornstein, who named it after the fishing village of Dalvík in Iceland.

Dalvik Compilation

Dalvik originally interpreted DEX bytecode; from Android 2.2 it added "just-in-time" (JIT) compilation, meaning that when an application runs, the code needed for its execution is translated into machine code at that moment.

As the application moves through its activities, additional code is compiled and cached so that the system can reuse it while the app is running.

Because only the frequently executed parts of the code are compiled, this approach has a small memory footprint and uses little storage on the device. (The memory footprint is the amount of main memory a program uses while it is executing.)

Android Runtime

The Android Runtime (ART) replaced Dalvik as the default runtime in Android 5.0 (it was available as an opt-in in Android 4.4) and is used by all current Android versions.

It translates the application's DEX bytecode into native instructions that are then executed directly on the device.

ART introduced "ahead-of-time" (AOT) compilation, compiling the application into native machine code when it is installed. Since Android 7.0 it uses a hybrid of JIT and profile-guided AOT compilation. The APK still ships DEX bytecode, so the extraction and decompilation steps below apply unchanged to apps running on ART.

Application Structure

Extracting Applications

Every installed application on the device can be retrieved and decompiled.

From within adb shell, pm list packages lists the installed packages (pm list packages -3 restricts the list to third-party apps) and pm path [package name] prints the path of the APK(s) that make up the application. Apps installed from an App Bundle return a base APK plus several split APKs, all of which are needed to reassemble the app. The APK is then copied to the workstation with adb pull. The application's compiled code is stored in the classes.dex file(s) inside the APK, which is an ordinary ZIP archive.
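The adb file-transfer commands and the pm list packages / pm path lookup above are usually combined into one loop that pulls every APK of every third-party package. The following script is an added example, not code from the original article: the adb and pm invocations are the standard ones, while the function names and the sample pm output embedded for offline use are mine. It handles the split-APK case by keeping the on-device file name for each pulled file, so split_config.*.apk files do not overwrite base.apk.

```python
"""Enumerate third-party packages over ADB and pull every APK that makes
up each one (base APK plus split APKs). Added example, not from the
original article; the helper names are mine, the adb/pm commands are
the standard ones. Requires a device with USB debugging authorized."""
import re
import subprocess
from pathlib import Path
from typing import Dict, List, Optional

# `pm path <pkg>` prints one "package:<path>" line per APK; App Bundle
# installs return base.apk plus split_config.*.apk lines.
_PATH_RE = re.compile(r"^package:(?P<path>/\S+\.apk)\s*$")


def parse_pm_path(output: str) -> List[str]:
    """Return the APK paths from `pm path` output, ignoring any stray lines."""
    paths = []
    for line in output.splitlines():
        m = _PATH_RE.match(line.strip())
        if m:
            paths.append(m.group("path"))
    return paths


def parse_pm_list(output: str) -> List[str]:
    """Return package names from `pm list packages` output."""
    return [ln[len("package:"):].strip()
            for ln in output.splitlines() if ln.startswith("package:")]


def pull_commands(package: str, apk_paths: List[str], outdir: str,
                  serial: Optional[str] = None) -> List[List[str]]:
    """Build one `adb pull` argv per APK. Files land in <outdir>/<package>/
    under their on-device file name, so splits never clobber base.apk."""
    base = ["adb"] + (["-s", serial] if serial else [])
    cmds = []
    for p in apk_paths:
        dest = str(Path(outdir) / package / Path(p).name)
        cmds.append(base + ["pull", p, dest])
    return cmds


def adb(*args: str, serial: Optional[str] = None) -> str:
    """Run one adb command and return its stdout (raises if adb fails)."""
    argv = ["adb"] + (["-s", serial] if serial else []) + list(args)
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def pull_all_third_party(outdir: str = "apks",
                         serial: Optional[str] = None) -> Dict[str, List[str]]:
    """Pull every user-installed (-3) package; returns {package: [device paths]}."""
    pulled = {}
    for pkg in parse_pm_list(adb("shell", "pm", "list", "packages", "-3", serial=serial)):
        paths = parse_pm_path(adb("shell", "pm", "path", pkg, serial=serial))
        for cmd in pull_commands(pkg, paths, outdir, serial):
            Path(cmd[-1]).parent.mkdir(parents=True, exist_ok=True)
            subprocess.run(cmd, check=True)
        pulled[pkg] = paths
    return pulled


# Constructed sample of `pm path` output for an App Bundle install (not
# captured from a real device), used to exercise the parser offline.
SAMPLE_PM_PATH = (
    "package:/data/app/~~Q1w2E3/com.example.app-aB3cD4==/base.apk\n"
    "package:/data/app/~~Q1w2E3/com.example.app-aB3cD4==/split_config.arm64_v8a.apk\n"
)

if __name__ == "__main__":
    for cmd in pull_commands("com.example.app", parse_pm_path(SAMPLE_PM_PATH), "apks"):
        print(" ".join(cmd))
```

Run it against a connected device with python3 pull_apks.py after replacing the __main__ block with a call to pull_all_third_party(); the pulled directory then contains one sub-directory per package, which is what dex2jar or a decompiler expects as input.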

Reverting DEX to JAR

.dex files can be converted to a JAR of ordinary Java class files with tools such as dex2jar (available on GitHub).

Conversion is done with the d2j-dex2jar script: d2j-dex2jar.sh -o [jar file] [dex or apk file] on Linux/macOS, or d2j-dex2jar.bat on Windows. The tool accepts an APK directly and processes the DEX files inside it. dex2jar also supports other operations, such as JAR to DEX (d2j-jar2dex) and DEX to smali (d2j-dex2smali).
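Before handing a pulled classes.dex to dex2jar it is worth confirming that it is a genuine, unmodified DEX file: the header carries a version, an Adler-32 checksum over everything after the checksum field, and a SHA-1 over everything after the signature field, which a repacked or truncated file will fail. The parser below is an added example, not code from the original article or from dex2jar; the header layout is the documented AOSP DEX format, while the function names and the header-only sample file it constructs for offline use are mine.

```python
"""Parse and integrity-check the header of a classes.dex file. Added
example, not from the original article; the header layout is the
documented AOSP DEX format, the function and field names are mine."""
import hashlib
import struct
import zlib

HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678      # 0x78563412 would mark a big-endian file
_TAIL_FMT = "<20I"                # the 20 uint32 fields after the signature
_TAIL_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_dex_header(data: bytes) -> dict:
    """Return the header fields plus checksum/signature/size verdicts.

    Layout: magic "dex\\n<ver>\\0" (8) | adler32 checksum (4) | SHA-1 (20)
    | 20 little-endian uint32 fields (80) = 0x70 bytes. The checksum covers
    offset 12 to EOF, the signature offset 32 to EOF.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than a DEX header")
    magic = data[:8]
    if magic[:4] != b"dex\n" or magic[7:8] != b"\0":
        raise ValueError("not a DEX file (bad magic)")
    version = magic[4:7].decode("ascii")      # "035", "037", "038", "039", ...
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    fields = dict(zip(_TAIL_FIELDS, struct.unpack_from(_TAIL_FMT, data, 32)))
    if fields["endian_tag"] != ENDIAN_CONSTANT:
        raise ValueError("unexpected endian_tag 0x%08x" % fields["endian_tag"])
    if fields["header_size"] != HEADER_SIZE:
        raise ValueError("unexpected header_size %d" % fields["header_size"])
    checksum_ok = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    signature_ok = hashlib.sha1(data[32:]).digest() == signature
    size_ok = fields["file_size"] == len(data)
    return {
        "version": version,
        "checksum_ok": checksum_ok,
        "signature_ok": signature_ok,
        "size_ok": size_ok,
        "intact": checksum_ok and signature_ok and size_ok,
        **fields,
    }


def build_minimal_dex(version: str = "035") -> bytes:
    """Constructed sample: a header-only DEX with empty tables and a valid
    checksum and signature, so the parser can be exercised without an APK."""
    fields = dict.fromkeys(_TAIL_FIELDS, 0)
    fields.update(file_size=HEADER_SIZE, header_size=HEADER_SIZE,
                  endian_tag=ENDIAN_CONSTANT)
    tail = struct.pack(_TAIL_FMT, *(fields[f] for f in _TAIL_FIELDS))
    signature = hashlib.sha1(tail).digest()      # covers offset 32..EOF
    body = signature + tail                      # everything from offset 12
    checksum = zlib.adler32(body) & 0xFFFFFFFF   # covers offset 12..EOF
    return (b"dex\n" + version.encode("ascii") + b"\0"
            + struct.pack("<I", checksum) + body)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_dex()
    hdr = parse_dex_header(blob)
    print("DEX version %s: %d classes, %d methods, intact=%s"
          % (hdr["version"], hdr["class_defs_size"], hdr["method_ids_size"], hdr["intact"]))
```

Run it as python3 dexhdr.py classes.dex on a file extracted from the APK (unzip -p app.apk classes.dex > classes.dex). A failed checksum or signature does not by itself prove tampering, since some packers rewrite DEX files at install time, but a DEX that fails both on a freshly pulled APK is worth a closer look before trusting what the decompiler shows.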

Decompile Android applications

After converting the .dex file to a JAR, it is opened in a Java decompiler.

JD-GUI is a decompiler that presents the Java source of each class quickly and clearly. Online decompilers exist as well, such as https://jdec.app/, although an application under test should not be uploaded to a third-party service. Note that decompiled output is a reconstruction: apps obfuscated with ProGuard or R8 show renamed classes and methods, and some constructs fail to decompile and have to be read as smali instead.

Android Emulators

An Android emulator allows Android applications to run without a physical Android device.

Emulators were originally intended for testing applications on different device configurations; for security work they are also used to investigate suspicious applications and malware in an isolated environment.

Android Studio includes a built-in emulator that can emulate a variety of devices and Android versions. On Intel computers it uses HAXM (on Linux, KVM) for hardware acceleration. System images labelled "Google APIs", as opposed to "Google Play", allow adb root, which is convenient for testing.

NOX is an Android emulator built on VirtualBox. It can be rooted from its settings and exposes many options that the user can change at runtime.

Genymotion also runs on VirtualBox and emulates devices with an x86 architecture, which is excellent for performance, but most physical Android devices run on ARM. Apps that ship only ARM native libraries will not run on it without an ARM translation layer, and malware that checks for emulator artefacts may behave differently than on a real device.