If you are here, you are looking for an Android application security guide, and this is the perfect blog for you. I would not say you will master Android pen-testing after reading these blogs, but I assure you that you will know the basics of Android application pen-testing.
To better understand Android application security and the potential threat vectors, we should know some basics of Android applications. Android applications are built using Java. The Android SDK compiles the code written in Java into an APK (Android Package). An APK is a zip file with the extension .apk. It contains all the files related to the Android app, such as AndroidManifest.xml, classes.dex, etc. The APK enables the user to install and use, in the Android environment, all the files compiled with the SDK.
The most important aspect of an Android application is its "app components". App components are the entry points of the application: the system can use them to enter the application. These app components determine the behaviour of the application. An app has the following four components: Content Provider, Activity, Service, and Broadcast Receiver. We are going to target these four components in this article. These basics are more than enough to understand the structure of an Android application.
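An added example, not part of the original post: a defensive audit of your own app's decoded manifest that lists which of the four component types other apps can reach. The sample manifest, the package `com.example.notes`, and the `android:exported` defaulting rules coded here (pre-Android 12 behaviour) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample in decoded (text) form; inside an APK the manifest is
# stored as binary XML and has to be decoded before it can be parsed like this.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-sdk android:targetSdkVersion="15"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver" android:exported="false">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".NotesProvider" android:authorities="com.example.notes"/>
  </application>
</manifest>"""


def attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def exported_components(manifest_xml):
    """Return sorted (tag, name, permission) for components other apps can reach."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target = int(attr(sdk, "targetSdkVersion") or 1) if sdk is not None else 1
    found = []
    for comp in (e for e in root.iter() if e.tag in COMPONENT_TAGS):
        explicit = attr(comp, "exported")
        if explicit is not None:
            exported = explicit == "true"        # an explicit value always wins
        elif comp.tag == "provider":
            exported = target <= 16              # providers defaulted to exported up to API 16
        else:
            exported = comp.find("intent-filter") is not None
        if exported:
            found.append((comp.tag, attr(comp, "name"), attr(comp, "permission")))
    return sorted(found, key=lambda c: c[:2])


if __name__ == "__main__":
    for tag, name, permission in exported_components(SAMPLE_MANIFEST):
        print(tag, name, "permission=%s" % permission)
```

Every entry reported with `permission=None` is reachable by any app on the device, so it is the first place to add a permission or set `android:exported="false"`.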
I would like to introduce an awesome tool used to pen-test Android applications: "DROZER". According to the MWR Labs official documentation: Drozer allows you to assume the role of an Android app, and to interact with other apps, through Android's Inter-Process Communication (IPC) mechanism, and the underlying operating system.
To pen-test an Android application we will require the following lab setup:
1. A workstation (I am using Windows 7) with the following:
a. JRE or JDK
b. Android SDK
2. An Android device or emulator running Android 2.1 or later. (I am using the Genymotion emulator for Windows, which is simply awesome.)
3. Drozer console: you should have the drozer console installed on your PC. To download and install the drozer console on your system, follow https://www.mwrinfosecurity.com/products/drozer/community-edition/ (I am using the APPIE framework, which comes with the drozer console preinstalled.)
4. Drozer client APK: to connect the Android emulator to the drozer console you will need to install the drozer client on the Android device. That can be done using adb shell. (I am assuming that the reader is familiar with ADB.)
That's it for now; I will come up with the next blog with more interesting info.