

MINERVA Information Security Inc - 37 N Orange Ave Ste 500, Orlando, FL 32801, USA
MINERVA Information Security Ltd - Prama House, 267 Banbury Rd, Oxford OX2 7HT, UK

White Paper: Pentesting Android Apps on Mac

by Adrian Pastor

Public Information


19-Jul-15 www.minerva-is.net – Public Information 2

Table of Contents

Executive Summary
Introduction
Android SDK Setup
First Emulator Run
Importing Self-signed CA Certificate
Emulator Restart
Cleaning Up
Acknowledgments
About MINERVA
Works Cited
Tools Mentioned


Executive Summary

Mobile application penetration testing has experienced a significant increase in demand over the last few years. This is due to the ever-growing number of smartphone users worldwide who use apps to consume products and services from the comfort of their thumbs. By 2016, the number of smartphone users is predicted to reach 2.16 billion (eMarketer); that's almost 30% of the world's population predicted for 2016 (GeoHive). Of all the smartphone operating systems, Android continues to have the greatest market share, accounting for more than 50% of the market worldwide as of 2015 (McGrath).

Demand for mobile app pentesting is likely to continue to grow as merchants and service providers push critical functionality to their apps. This includes transmitting, processing and storing personally identifiable information (PII), cardholder data and bank account data.

Being able to read and modify the messages transmitted by the mobile app in scope for security testing is one of the most important prerequisites for a successful engagement. The technical procedures documented in this paper are written for developers and pentesters who need to accomplish such a task. The author assumes that the app in scope was developed for the Android operating system and that the tester is a Mac user with no access to an Android handset.


Introduction

The method documented in this paper assumes the tester is a Mac OS X user who has installed either the free or the professional edition of Burp Suite. It has been optimized to meet the following requirements:

• No Integrated Development Environment (IDE) such as Android Studio or Eclipse is installed
• Only limited storage capacity is available to set up the testing environment
• The tester has no budget to purchase additional software
• The tester has no access to an Android handset
• There is limited time to set up the testing environment

The scope of this paper is limited to the interception of unencrypted and encrypted communications of Android apps using the Burp intercepting proxy. Local app security checks such as decompiling and debugging the application are out of scope. The procedures below can also be used as guidance when other proxies such as Proxy.app or ZAP are used. Windows users should read Kunjan Shah's excellent paper on the subject (Shah).

Android SDK Setup

Make sure you have the latest version of the Java Runtime Environment (JRE) and Java Development Kit (JDK) from www.oracle.com installed, which at the time of writing is version 8:

$ java -version
java version "1.8.0_45"
Java(TM) SE Runtime Environment (build 1.8.0_45-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.45-b02, mixed mode)
$ javac -version
javac 1.8.0_45

Install the stand-alone SDK tools for Mac from developer.android.com, e.g. android-sdk_r24.3.3-macosx.zip. Unzip the file into a directory of your choice; this paper uses the home directory, so all paths below assume the tools live under ~/android-sdk-macosx.


Next, install Platform-tools, Build-tools, SDK Platform and the ARM EABI v7a (or newer, if available) System Image using the SDK Manager. If you don't have the latest version of the JDK, these packages will not show up as available in the SDK Manager:

$ ~/android-sdk-macosx/tools/android

Click the Install button and accept the license for each package selected.


First Emulator Run

Before we can run the emulator we need to create an Android Virtual Device (AVD). First, list the target platforms available. Only one should be shown in our case, since we only installed one System Image (ARM EABI v7a):

$ ~/android-sdk-macosx/tools/android list targets
Available Android targets:
----------
id: 1 or "android-22"
Name: Android 5.1.1
Type: Platform
API level: 22
Revision: 2
Skins: HVGA, QVGA, WQVGA400, WQVGA432, WSVGA, WVGA800 (default), WVGA854, WXGA720, WXGA800, WXGA800-7in
Tag/ABIs : default/armeabi-v7a

We can now create an AVD. If your target ID is not 1, replace the value below as needed:


$ ~/android-sdk-macosx/tools/android create avd -n testavd -t 1

Importing Self-signed CA Certificate

Next we need to import Burp's self-signed CA certificate as a trusted root into the AVD. Make sure your OS X browser (not the emulator's) is configured to use Burp as a proxy (localhost:8080 by default). Visit http://burp/cert and save the 'cacert.der' file.

Next, convert the downloaded DER-encoded certificate to ASCII PEM format:

$ openssl x509 -inform der -in cacert.der -out cacert.crt
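The conversion above is a single command, but it silently accepts any DER file you hand it, including the wrong one. The script below is an added example and is not part of the white paper: it reproduces the conversion against a throwaway self-signed CA that stands in for Burp's cacert.der (constructed locally, so it runs offline), checks that the PEM output really describes the same certificate and that it is a CA certificate, and, going beyond the paper's Android 5.1.1 setup, prints the file name Android's system CA store would use for it. The CA name, the WORK directory and the requirement for OpenSSL 1.1.1 or later are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the white paper: the DER -> PEM conversion step with
# the checks a tester would want, exercised against a throwaway self-signed CA
# that stands in for Burp's cacert.der. Requires openssl 1.1.1 or later.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for the cacert.der downloaded from http://burp/cert:
# a fresh self-signed CA certificate, written out in DER form like Burp's.
make_fake_burp_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Intercepting Proxy CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl x509 -in "$WORK/ca.pem" -outform der -out "$WORK/cacert.der"
}

# The paper's conversion (openssl x509 -inform der ... -out cacert.crt), then:
#  1. the PEM file must describe the same certificate as the DER input
#     (identical SHA-256 fingerprint), i.e. nothing was mangled on the way;
#  2. it must be a CA certificate (basicConstraints CA:TRUE). Burp's CA is;
#     saving a site's leaf certificate by mistake is caught here.
convert_der_to_pem() {
  in_der="$1"
  out_pem="$2"
  openssl x509 -inform der -in "$in_der" -out "$out_pem"
  fp_der="$(openssl x509 -inform der -in "$in_der" -noout -fingerprint -sha256)"
  fp_pem="$(openssl x509 -in "$out_pem" -noout -fingerprint -sha256)"
  if [ "$fp_der" != "$fp_pem" ]; then
    echo "fingerprint mismatch between $in_der and $out_pem" >&2
    return 1
  fi
  if ! openssl x509 -in "$out_pem" -noout -text | grep -q 'CA:TRUE'; then
    echo "$out_pem is not a CA certificate" >&2
    return 1
  fi
}

# Beyond the paper: Android's system CA store (/system/etc/security/cacerts)
# names each certificate <subject_hash_old>.0. This prints that file name,
# needed when an app ignores the user store and the certificate has to go
# into the system store of a rooted emulator instead.
android_ca_filename() {
  printf '%s.0\n' "$(openssl x509 -in "$1" -noout -subject_hash_old)"
}

# Stand-alone run: build the stand-in, convert it, report the results.
make_fake_burp_ca
convert_der_to_pem "$WORK/cacert.der" "$WORK/cacert.crt"
echo "PEM written to $WORK/cacert.crt"
echo "system-store file name would be: $(android_ca_filename "$WORK/cacert.crt")"
```

To use it on the real download, skip make_fake_burp_ca and call convert_der_to_pem cacert.der cacert.crt from the directory where Burp's file was saved; a non-zero exit means the file should not be pushed to the emulator.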

Then we need to create an SD card image. The SD card will be used by the AVD to access the converted certificate (cacert.crt):

$ ~/android-sdk-macosx/tools/mksdcard -l testsdcard 9M ~/androidsdcard

Confirm the SD card image has been created successfully:

$ file ~/androidsdcard
/Users/user/androidsdcard: x86 boot sector, code offset 0x5a, OEM-ID "MSWIN4.1", Media descriptor 0xf8, sectors 18432 (volumes > 32 MB) , FAT (32 bit), sectors/FAT 143, reserved3 0x800000, serial number 0x1b044206, label: " SDCARD"


We can finally run the emulator (it is likely to take a while to load the virtual device):

$ ~/android-sdk-macosx/tools/emulator -avd testavd -sdcard ~/androidsdcard


Make sure that netcat (nc) is allowed to receive incoming connections by your OS X firewall.

On your OS X terminal, run the following command from the directory where 'cacert.crt' is located. It serves Burp's CA certificate over netcat (the listener exits once the file has been sent):

$ nc -vv -l 1111 < cacert.crt

Open a shell on the running emulator with adb. The default emulator image gives you a root shell, as the root@generic prompt shows:

$ ~/android-sdk-macosx/platform-tools/adb shell

In that adb shell, type the following command, where 10.1.2.3 is the IP address of your Mac's (W)LAN interface. From inside the emulator the host is also reachable at the special address 10.0.2.2, which avoids depending on the LAN address and the firewall rule:

root@generic:/ # nc 10.1.2.3 1111 > /sdcard/cacert.crt

Netcat does no integrity checking of its own, so compare the file size (ls -l) on both sides before going further. If you prefer not to use netcat, adb push cacert.crt /sdcard/cacert.crt copies the file directly.

If you haven't waited long enough for the emulator to load the AVD, you will receive the following error when trying to save the certificate to the SD card. The solution is simply to wait a bit longer and try both of the above netcat commands again:

/system/bin/sh: can't create /sdcard/cacert.crt: Read-only file system


On the Android emulator, go to Settings / Security / Credential storage / Install from SD card:


Select ‘cacert.crt’:


Set PIN if prompted:


Confirm that Burp's CA certificate has been successfully installed under Settings / Security / Credential storage / Trusted credentials / User. Note that this is the user store: apps on the Android 5.1.1 image used here trust it, but apps targeting Android 7.0 (API 24) or later do not trust user-added CAs by default, and apps that pin certificates will reject the proxy regardless of which store the CA is in.

Emulator Restart

Restart the emulator with proxy settings enabled so that its traffic goes through Burp:

$ ~/android-sdk-macosx/tools/emulator -avd testavd -sdcard ~/androidsdcard -http-proxy http://localhost:8080

On your OS X terminal, install the APK of the app in scope for your pentest:

$ ~/android-sdk-macosx/platform-tools/adb install ~/my-app.apk

Congratulations, you should now be able to see traffic from your Android app in Burp, including HTTPS traffic:


Cleaning Up

Once the pentest has ended, look up the package name of the app in scope, uninstall it and delete the SD card image:

$ ~/android-sdk-macosx/platform-tools/adb shell 'pm list packages -f' |grep -i yourappname

$ ~/android-sdk-macosx/platform-tools/adb uninstall apppackagename

$ rm ~/androidsdcard
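The grep above leaves the tester to read the package name out of the matching line by hand, and a loose pattern can match more than one package. The script below is an added example, not part of the white paper: it parses the "package:<apk path>=<package name>" lines that pm list packages -f prints, keeps only the package names, and wraps the uninstall in a dry-run so the list can be reviewed first. The sample pm output is constructed for the example, and the adb path (overridable with ADB) is assumed to be the one the paper installed.

```shell
#!/bin/sh
# Added example, not from the white paper: turning the paper's "grep for your
# app, then uninstall the package" step into a small script. Assumes adb lives
# where the paper installed it unless ADB is set in the environment.
set -eu

# Constructed sample of what `adb shell 'pm list packages -f'` prints (one line
# per installed package: "package:<apk path>=<package name>"); not captured
# from a real device.
SAMPLE_PM_OUTPUT='package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/com.example.myapp-1/base.apk=com.example.myapp
package:/data/app/com.example.myapp.debug-2/base.apk=com.example.myapp.debug'

# Read `pm list packages -f` output on stdin and print only the package names
# (the text after the final '=') of lines matching the case-insensitive
# pattern. Stray carriage returns from older adb builds are stripped first, and
# the path part of the line is never mistaken for the package name.
package_names_matching() {
  tr -d '\r' | grep -i -- "$1" | sed -n 's/^package:.*=\([^=]*\)$/\1/p'
}

# Uninstall every package whose entry matches the pattern. With DRY_RUN=1 the
# adb uninstall commands are only printed so the list can be reviewed first;
# a pattern as loose as "app" would otherwise remove far more than intended.
uninstall_matching() {
  adb="${ADB:-$HOME/android-sdk-macosx/platform-tools/adb}"
  "$adb" shell 'pm list packages -f' | package_names_matching "$1" |
  while IFS= read -r pkg; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "$adb uninstall $pkg"
    else
      "$adb" uninstall "$pkg"
    fi
  done
}

# Stand-alone run against the constructed sample (no emulator needed): prints
# com.example.myapp and com.example.myapp.debug, not the Settings package.
printf '%s\n' "$SAMPLE_PM_OUTPUT" | package_names_matching myapp
```

Against a live emulator, run DRY_RUN=1 uninstall_matching yourappname first, check that only the app in scope is listed, then run it again without DRY_RUN.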


Acknowledgments

The author would like to thank Jan Fry and Monsy Carlo for their kind feedback.

About MINERVA

MINERVA is a boutique cybersecurity consultancy providing tailored services that align with your business goals. We identify security threats and help clients mitigate the associated risks.

In today's rapidly evolving world no two businesses are alike and we believe that no two security assessments should be either. Our consultants have all worked with organisations across a wide range of industries, from tech start-ups to those listed on the FTSE 100 and Fortune 500. Our broad experience, along with our desire to understand your business objectives, allows for the development of a personalized security approach that can safeguard your information and reputation.

MINERVA is a privately-owned, vendor-neutral company with no external investors and no sales targets. This allows us more time to focus on your needs and provide a quality service.


Works Cited

eMarketer. 2 Billion Consumers Worldwide to Get Smart(phones) by 2016. 11 December 2014. <http://www.emarketer.com/Article/-/1011694>.
GeoHive. Population of the entire world, yearly, 1950 - 2100. 7 July 2015. <http://www.geohive.com/earth/his_history3.aspx>.
McGrath, Felim. Android mobile now has huge lead over iOS. 10 June 2015. <http://tinyurl.com/opkql94>.
Shah, Kunjan. Penetration Testing Android Applications. 2010. <http://tinyurl.com/p2zrolc>.

Tools Mentioned

Android SDK tools <http://developer.android.com/sdk/index.html#Other>

Burp <https://portswigger.net/burp/download.html>

Java JRE and JDK <http://oracle.com/technetwork/java/javase/downloads/>

Proxy.app <http://www.proxyapp.io>

ZAP <https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project>