There are several tools available for penetration testing mobile apps on the Android platform, and the testing environment is easy to download and install. These tools let us build a virtual environment in which we can install Android apps, giving us a virtual smartphone for security testing.
In this article, we will discuss:
1. Setting up the emulator
2. Setting up the proxy (Burp Suite)
3. Installing the certificate
4. Installing the test application (GoatDroid)
Setting up the emulator
You can download the Android SDK from the following link: http://developer.android.com/sdk/index.html. The package you need depends on your operating system; it is available for Linux and Windows. I will use Windows 7 for this demonstration.
After downloading, extract the bundle. As you can see, the package contains sdkmanager.exe and a number of folders. We want to create an emulator, so we start the Android SDK Manager and create our AVD (Android Virtual Device), which will be our virtual Android phone and the place where we install the applications.
Start the Android SDK Manager, open Manage AVDs and add a new one. Create the new AVD and give it the name MyAndroid. You can select any device; I have selected Nexus 4. Select the target version you are interested in. The remaining options are self-explanatory and you can choose whatever you need. Allocate RAM and give the SD card a reasonable amount of space, because the applications you install will live there. Also, do not forget to select the snapshot option so that the state of the AVD is saved.
As you can see, MyAndroid now appears in the AVD list and is ready to use. Let's start the device.
After the virtual device has started, we can see the Nexus 4.
To test the mobile apps we will install on the emulator, we need to set up Burp Suite as a proxy so that it intercepts the requests and responses. I used the free version of Burp Suite for this demonstration. First, configure Burp Suite to listen on an external interface: choose Proxy → Options → Proxy Listeners → Edit → Binding and select either "Specific address" or "All interfaces". This allows the virtual device to connect to Burp Suite.
To connect the virtual device to Burp Suite, choose Settings > Wireless and network > More > VPN > Mobile network > Access Point Name, select the device's default APN and edit the access point. Set the proxy IP address and port to the IP address of the host system and the port on which Burp Suite is listening. See the following:
This allows Burp Suite to intercept all requests generated by the virtual device. As you can see below, when we open the browser, the request to Google is intercepted by the Burp Suite proxy, which confirms that our settings are correct and working.
At the same time, you may notice that when we browse a site hosted over HTTPS, a pop-up warns us that the connection is untrusted.
To avoid this pop-up every time we browse a site over HTTPS, we will install the Burp certificate on the device, so that the browser on the virtual device trusts Burp Suite and communication proceeds smoothly. This will save us time during security testing. To install the Burp Suite certificate, we first have to export it.
Open any HTTPS web application from the browser on our host system (Firefox in my case), with Burp Suite configured as its proxy. Note that I have configured my Firefox browser, under Tools → Options → Network → Settings → Manual proxy configuration, to use Burp as the proxy. See the following:
When you browse to the site, the browser shows a warning that the connection is untrusted. Click "Add Exception", then "View", and open the "Details" tab to export the certificate.
Select "PortSwigger CA", export it and save it to the system. Save the certificate in CRT format.
Our next task is to install this certificate on the virtual device, so let's get it onto the device. Here we copy the certificate to the SD card; one way to do this is the "adb push" command, which sends the certificate to the SD card of the virtual device.
As we can see in the SD card folder, PortSwiggerCA.crt has been saved successfully.
Now that the certificate is on our virtual device, it is time to install it. Choose Settings > Security > Install from SD card.
After you click OK, the PortSwiggerCA certificate is installed successfully.
To verify the installation, go to Settings → Security → Trusted credentials. After you log in successfully, you can see the installed certificate listed there.
We are now all set for mobile app penetration testing.
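Two things in the steps above are worth checking with more than a screenshot: that traffic really reaches the Burp listener (the proxy section) and that the PortSwiggerCA.crt we exported is the CA Burp actually signs with (the certificate section). The script below is an added example for this article, not code from the original post, from Burp Suite or from Android. It is run on the host machine, sends an HTTP CONNECT request through the Burp listener, completes a TLS handshake with the exported certificate as the only trust anchor, and reports the issuer of the certificate it was shown. It assumes the IP address 192.168.4.9 and port 8082 used in this article, that PortSwiggerCA.crt (DER as Firefox saves it, or PEM) is in the working directory, and that the proxy answers CONNECT with a normal HTTP status line; the target host www.google.com is just the site used in the screenshots.

```python
"""Check from the host that Burp Suite is intercepting HTTPS and that the
exported PortSwigger CA is the certificate it signs with.

Added example, not code from the original article, Burp Suite or Android.
Assumptions: Burp listens on 192.168.4.9:8082 (the values used in this
article) and PortSwiggerCA.crt, exported as described above, is in the
working directory (Firefox saves it DER-encoded; PEM is accepted too).
"""
import socket
import ssl

BURP_HOST = "192.168.4.9"          # proxy IP used in this article (assumed)
BURP_PORT = 8082                   # proxy port used in this article (assumed)
CA_FILE = "PortSwiggerCA.crt"      # certificate exported via Firefox, as above
BURP_ISSUER_CN = "PortSwigger CA"  # issuer CN Burp puts on every certificate it forges


def detect_cert_encoding(data):
    """Return "PEM" if the bytes look like a PEM block, otherwise "DER"."""
    return "PEM" if data.lstrip().startswith(b"-----BEGIN") else "DER"


def load_trust_anchor(path):
    """Build an SSLContext that trusts only the Burp CA, never the system store."""
    with open(path, "rb") as fh:
        data = fh.read()
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    # cadata accepts PEM as a str or DER as bytes
    cadata = data.decode("ascii") if detect_cert_encoding(data) == "PEM" else data
    context.load_verify_locations(cadata=cadata)
    return context


def build_connect_request(host, port):
    """The CONNECT request an HTTP proxy expects before it opens a TLS tunnel."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")


def parse_connect_status(response):
    """Status code from the proxy's CONNECT reply, or None if it is not HTTP."""
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1].decode("ascii"))
    except (ValueError, UnicodeDecodeError):
        return None


def issuer_common_name(cert):
    """Issuer CN from the dict that ssl.SSLSocket.getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def is_burp_issued(cert):
    """True when the certificate was signed by the Burp CA, i.e. Burp is in the path."""
    return issuer_common_name(cert) == BURP_ISSUER_CN


def _read_headers(sock):
    """Read until the end of the proxy's response headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def check_interception(target="www.google.com", port=443, proxy=(BURP_HOST, BURP_PORT),
                       ca_file=CA_FILE, timeout=10):
    """Tunnel through Burp and return the issuer CN of the certificate shown.

    If Burp is not in the path, the real site's chain does not validate against
    the Burp-only trust store and the handshake raises ssl.SSLCertVerificationError,
    which is exactly the failure you want to see.
    """
    context = load_trust_anchor(ca_file)
    with socket.create_connection(proxy, timeout=timeout) as raw:
        raw.sendall(build_connect_request(target, port))
        status = parse_connect_status(_read_headers(raw))
        if status != 200:
            raise RuntimeError(f"proxy refused CONNECT, status {status}")
        with context.wrap_socket(raw, server_hostname=target) as tls:
            return issuer_common_name(tls.getpeercert())


if __name__ == "__main__":
    print("issuer CN seen through the proxy:", check_interception())
```

Run it on the host while Burp is listening; a result of "PortSwigger CA" means the listener is reachable and the exported file is the right CA. This checks the host-side half of the setup only. On the emulator, the equivalent check is that the browser no longer shows the untrusted-connection warning once the certificate is installed. Keep in mind that the APN proxy setting is only honored by apps that use a proxy-aware HTTP stack; an app that opens raw sockets or pins its own certificate will not show up in Burp even when this script succeeds.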
The next step is to install on the virtual device the application that will undergo the security assessment. The test application we will use is GoatDroid (https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project) from OWASP.
This application can be downloaded from the following URL:
Https://github.com/downloads/jackMannino/OWASP-GoatDroid-Project/OWASP-GoatDroid-0.9.zip
This Android app is intentionally vulnerable, for tutorial purposes. We will push this application into the AVD. Let's download the zip file and extract its contents.
Let's take a look at what it contains.
Goatdroid_apps contains two vulnerable applications:
FourGoats
HerdFinancial
We will install both applications in the AVD. In addition, goatdroid-0.9.jar starts the server that the two applications communicate with.
Let's start goatdroid-0.9.jar:
Here you specify the location of the virtual device and the SDK path that the application will use. As you can see, it can also push the apk files (FourGoats and HerdFinancial) to the virtual device and install these vulnerable applications. Make sure that the paths specified for the virtual device and the SDK are correct.
Let's push the app to the device.
As you can see, the application is successfully installed on the device and appears in the VD.
Start the web service, because we need to log in to FourGoats. First, give the application the destination information it needs to reach FourGoats: Burp Suite (IP 192.168.4.9, port 8082) and the port of the web service (9888).
Now you are all set: log in with the user name goatdroid and the password goatdroid, and you are ready to test this application. The successful login request is captured in Burp Suite, where it can be modified in transit. In the same way you can test the other application, HerdFinancial.
This article was translated by InfoSecLab. If you find a translation or editing error, contact the administrator and we will handle it as soon as possible. Please credit the source when reposting. Thank you, and I hope this article is helpful to you.