Mobile Hacking: Cheat Sheet

This document provides a cheat sheet for assessing mobile applications. It outlines the main steps which include decompiling/disassembling the APK, reviewing the codebase, running the app, using dynamic instrumentation, and analyzing network communications. It also lists several OWASP mobile security projects and tools commonly used for mobile application assessments, including adb, apktool, jadx, and Frida. The document further provides information on APK structure, data storage locations, keystore creation, interacting with the package manager and activity manager.

Mobile Hacking CHEAT SHEET

ASSESSING MOBILE APPLICATIONS V0.1

MAIN STEPS
• Decompile / Disassemble the APK
• Review the codebase
• Run the app
• Dynamic instrumentation
• Analyze network communications

OWASP MOBILE SECURITY PROJECTS
Mobile Security Testing Guide
• https://github.com/OWASP/owasp-mstg
Mobile Application Security Verification Standard
• https://github.com/OWASP/owasp-masvs
Mobile Security Checklist
• https://github.com/OWASP/owasp-mstg/tree/master/Checklists

TOOLS
• adb
• apktool
• jadx
• Frida
• BurpSuite

APK Structure
META-INF
• Files related to the signature scheme (v1 scheme only)
lib
• Folder containing native compiled code (ARM, MIPS, x86, x64)
assets
• Folder containing application-specific files
res
• Folder containing all the resources of the app
classes.dex [classes2.dex] …
• Dalvik bytecode of the app
AndroidManifest.xml
• Manifest describing essential information about the app (permissions, components, etc.)

Code Tampering
1. Disassemble the APK and save the smali code into the output directory
# apktool d <APK_file> -o <directory_output>
2. Modify the app (smali code or resource files)
3. Build the modified APK
# apktool b <directory_output> -o <APK_file>
4. Sign the created APK with the debug keystore provided by the Android SDK
# jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore <Android_SDK_path>/debug.keystore -storepass android <APK_file> androiddebugkey
5. (Optional) Use zipalign to optimize the Android APK
# zipalign -fv 4 <input_APK> <output_APK>

Keystore Creation
One-liner to create your own keystore
# keytool -genkeypair -dname "cn=John Doe, ou=Security, o=Randorisec, c=FR" -alias <alias_name> -keystore <keystore_name> -storepass <keystore_password> -validity 2000 -keyalg RSA -keysize 2048 -sigalg SHA1withRSA

Data Storage
User applications
# /data/app/<package-name>/
Shared Preferences Files
# /data/app/<package-name>/shared_prefs/
SQLite Databases
# /data/app/<package-name>/databases/
Internal Storage
# /data/app/<package-name>/files/

Content Provider
Query a Content Provider
# adb shell content query --uri content://<provider_authority_name>/<table_name>
Insert an element into a Content Provider
# adb shell content insert --uri content://<provider_authority_name>/<table_name> --bind <param_name>:<param_type>:<param_value>
Delete a row from a Content Provider
# adb shell content delete --uri content://<provider_authority_name>/<table_name> --where "<param_name>='<param_value>'"

Package Manager
List all packages on the device
# adb shell pm list packages
Find the path where the APK is stored for the selected package
# adb shell pm path <package-name>
List only installed apps (not system apps) and the associated path
# adb shell pm list packages -f -3
List packages matching the specified pattern
# adb shell pm list packages -f -3 [pattern]

Activity Manager
Start an Activity with the specified Intent
# adb shell am start -n <package_name/activity_name> -a <intent_action>
Start an Activity with the specified Intent and extra parameters
# adb shell am start -n <package_name/activity_name> -a <intent_action> --es <param_name> <string_value> --ez <param_name> <boolean_value> --ei <param_name> <int_value> …
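The APK layout listed under "APK Structure", and the META-INF signature files that the re-signing step of "Code Tampering" rewrites, can be checked programmatically before and after a repack. This is an added example, not code from the Randorisec cheat sheet: the archive is constructed inline with placeholder contents, and `inspect_apk` / `build_sample_apk` are names introduced here.

```python
import io
import re
import zipfile

# Constructed in-memory APK skeleton (not a real app): only the entry names
# matter for a structural inspection, so every member holds placeholder bytes.
SAMPLE_APK_ENTRIES = [
    "AndroidManifest.xml",
    "classes.dex",
    "classes2.dex",
    "META-INF/MANIFEST.MF",
    "META-INF/CERT.SF",
    "META-INF/CERT.RSA",
    "lib/arm64-v8a/libnative-lib.so",
    "lib/armeabi-v7a/libnative-lib.so",
    "res/xml/network_security_config.xml",
    "assets/config.json",
]

def build_sample_apk(entries=SAMPLE_APK_ENTRIES):
    """Return the bytes of a zip archive holding the constructed entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()

def inspect_apk(apk_bytes):
    """Summarise the top-level layout of an APK (a plain zip archive).

    v1_signed is True when META-INF holds a signature block (.RSA/.DSA/.EC)
    together with its .SF file; these are the files jarsigner replaces, so a
    repacked APK will show a different signer here. The network security
    config keeps its res/xml path unless resource names were obfuscated.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
    sig_blocks = [n for n in names if re.fullmatch(r"META-INF/[^/]+\.(RSA|DSA|EC)", n)]
    sig_files = [n for n in names if re.fullmatch(r"META-INF/[^/]+\.SF", n)]
    return {
        "has_manifest": "AndroidManifest.xml" in names,
        "dex_files": sorted(n for n in names if re.fullmatch(r"classes\d*\.dex", n)),
        "native_abis": sorted({n.split("/")[1] for n in names
                               if n.startswith("lib/") and n.count("/") >= 2}),
        "v1_signed": bool(sig_blocks) and bool(sig_files),
        "has_network_security_config": "res/xml/network_security_config.xml" in names,
        "asset_count": sum(1 for n in names if n.startswith("assets/") and not n.endswith("/")),
    }

if __name__ == "__main__":
    for key, value in inspect_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```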

CC BY-SA 4.0 • contact@randorisec.fr • https://www.randorisec.fr
The OWASP brand is the property of the OWASP Foundation. OWASP does not endorse any product, services or tools.
Version 0.1 • Updated: 2020-01
Template: https://rstudio.com/resources/cheatsheets/how-to-contribute-a-cheatsheet/
Background psd created by rawpixel.com – https://www.freepik.com
SSL Interception with BurpSuite
1. Launch Burp and modify the Proxy settings in order to listen on "All interfaces" (or a specific interface)
2. Edit the Wireless network settings on your device or the emulator proxy settings
3. Export the CA certificate from Burp and save it with the ".cer" extension
4. Push the exported certificate to the device with adb (into the SD card)
5. Go to "Settings->Security" and select "Install from device storage"
6. For "Credentials use" select "VPN and apps"

Bypass SSL Pinning using Network Security Config
1. Install the Burp certificate on your device (SSL Interception with BurpSuite)
2. Decompile the APK with apktool
3. Tamper with the network_security_config.xml file by replacing the <pin-set> tag with the following:
<trust-anchors>
<certificates src="system" />
<certificates src="user" />
</trust-anchors>
4. Build and sign the APK (Code Tampering)

Bypass SSL Pinning using Frida
1. Install the Burp certificate on your device (SSL Interception with BurpSuite)
2. Install Frida (Frida – Installation)
3. Use "Universal Android SSL Pinning Bypass with Frida" as follows:
# frida -U --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f <package_name>

adb
Connect through USB
# adb -d shell
Connect through TCP/IP
# adb -e shell
Get a shell or execute the specified command
# adb shell [cmd]
List processes
# adb shell ps
List Android devices connected
# adb devices
Dump the log messages from Android
# adb logcat
Copy local file to device
# adb push <local> <device>
Copy file from device
# adb pull <remote> <local>
Install APK on the device
# adb install <APK_file>
Install an App Bundle
# adb install-multiple <APK_file_1> <APK_file_2> [APK_file_3] …
Set up port forwarding using the TCP protocol from host to device
# adb forward tcp:<local_port> tcp:<remote_port>

Frida – Installation
Install Frida on your system
# pip install frida frida-tools (Python bindings)
Download the Frida server binary (https://github.com/frida/frida/releases) matching your architecture:
# adb shell getprop ro.product.cpu.abi
Upload and execute the Frida server binary
# adb push <frida-server-binary> /data/local/tmp/frida
# adb shell "chmod 755 /data/local/tmp/frida"
# adb shell "/data/local/tmp/frida"
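The network_security_config.xml edit in step 3 above turns a pinned configuration into one that trusts user-installed CAs; the check below reads a config and reports, per scope, whether that state holds, so an app's shipped configuration can be audited against the interception setup described under "SSL Interception with BurpSuite". This is an added example, not code from the Randorisec cheat sheet: both configs are constructed samples with placeholder pin values, and `audit_nsc` / `interception_possible` are names introduced here.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from any real app): pins api.example.com, i.e. the
# state before step 3 above. The pin value is a placeholder, not a real digest.
PINNED_CONFIG = """<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2026-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""

# Constructed sample: the same config once <pin-set> has been replaced by
# trust anchors that also accept user-installed CAs.
TAMPERED_CONFIG = """<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </domain-config>
</network-security-config>"""

def audit_nsc(xml_text):
    """One finding per <base-config>/<domain-config>: domains, pinning, and
    whether user-installed CAs are trusted. A missing <trust-anchors> is read
    as 'system only', which is the platform default from API 24 onwards."""
    findings = []
    for cfg in ET.fromstring(xml_text).iter():
        if cfg.tag not in ("base-config", "domain-config"):
            continue
        anchors = cfg.find("trust-anchors")
        sources = set()
        if anchors is not None:
            sources = {c.get("src") for c in anchors.findall("certificates")}
        findings.append({
            "scope": cfg.tag,
            "domains": [d.text.strip() for d in cfg.findall("domain")],
            "pinned": cfg.find("pin-set") is not None,
            "trusts_user_cas": "user" in sources,
        })
    return findings

def interception_possible(xml_text):
    """True when some scope trusts user CAs without a pin-set, so a proxy CA
    installed as in 'SSL Interception with BurpSuite' would be accepted."""
    return any(f["trusts_user_cas"] and not f["pinned"] for f in audit_nsc(xml_text))
```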

Native Libraries
Native libraries are loaded using the following function:
System.loadLibrary("native-lib");
Native functions are declared with the native keyword:
public native String myNativeFunction();
To reverse native libraries, the common tools can be used, such as IDA Pro, Radare2/Cutter, Ghidra and Hopper
Intercept native functions and set callbacks with Frida using the Interceptor module:
Interceptor.attach(Module.findExportByName("<native-library>", "<function_name>"), {
    onEnter: function (args) { <your_code> },
    onLeave: function (retval) { <your_code> }
});

Frida – Tools
List running processes (emulators or devices connected through USB)
# frida-ps -U
List only installed applications
# frida-ps -U -i
Attach Frida to the specified application
# frida -U <package_name>
Spawn the specified application without any pause
# frida -U -f <package_name> --no-pause
Load a script
# frida -U -l <script_file> <package_name>
