Android penetration testing Basics

I. Application Local Storage check
 
1. View data in sqlite3 format
The local storage of many applications uses the sqlite3 database for storage. We can use the sqlite3 command to view the content, for some Android devices without the sqlite command, we can export the command from the simulator and then copy it to the device.
 
Step 1: Open the simulator and copy the sqlite3 command from the simulator to the PC.

emulator -avd test

adb pull /system/xbin/sqlite3 d:/sqlite3

 
Step 2: Disable the simulator and connect the device to the PC using a USB cable
Run the following command. The following command indicates that the connection is successful.

D:\>adb devices List of devices attached 42890C3429FD117 device

 
Step 3: copy the sqlite3 stored on the PC to the device

adb push d:/sqlite3 /sdcard/

adb shell

adb su

mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system /dev/block/mtdblock3 /system                             

cp /sdcard/sqlite3 /system/xbin/

chmod 777 /system/xbin/sqlite3

Step 4: test whether sqlite3 is successfully installed
We can view the data storage of the email application.

D:\download>adb shell shell@android:/ $ su su shell@android:/ # find / -name *.db | grep email find / -name *.db | grep email /data/data/com.android.email/databases/EmailProvider.db /data/data/com.android.email/databases/EmailProviderBody.db /data/data/com.android.email/databases/webview.db /data/data/com.android.email/databases/webviewCookiesChromium.db /data/data/com.android.email/databases/webviewCookiesChromiumPrivate.db 2|shell@android:/ # sqlite3 /data/data/com.android.email/databases/EmailProvider .db d.email/databases/EmailProvider.db                                            < SQLite version 3.7.4 Enter ".help" for instructions Enter SQL statements terminated with a ";" sqlite> .tables .tables Account               FollowupFlag_Updates  Message_Deletes Account_CB            HostAuth              Message_Updates Attachment            Mailbox               Policies CertificateCache      Mailbox_CB            RecipientInformation FollowupFlag          Message               android_metadata FollowupFlag_Deletes  Message_CB sqlite> .dump HostAuth .dump HostAuth PRAGMA foreign_keys=OFF; BEGIN TRANSACTION; CREATE TABLE HostAuth (_id integer primary key autoincrement, protocol text, add ress text, port integer, flags integer, login text, password text, domain text, accountKey integer); INSERT INTO "HostAuth" VALUES(1,'pop3','pop.163.com',110,4,'test@163.com' ,'test',NULL,1); INSERT INTO "HostAuth" VALUES(2,'smtp','smtp.163.com',25,4,'test@163.com' ,'test',NULL,1); COMMIT; sqlite>

The HostAuth table stores the account information of the mailbox. The logon password is stored in plaintext.



Ii. Network Communication check
The Network Communication includes the HTTP layer and the TCP layer. We can use an HTTP proxy to manipulate HTTP layer data packets, such as BurpSuite and Paros, or operate socket layer data packets through Wireshark, tcpdump, Mallory, and ADVsock2pipe. I have written some articles in this regard.
Discussion on mobile app communication analysis methods
Capture communication packets on mobile devices in real time
The simplest way to capture data packets is to use the tcpdump command to save the captured data packets and use tools such as wireshark to view them offline. This method can be used to check whether sensitive information is leaked.
Like sqlite3, this command is not available on the default android device. We need to export it from the simulator and copy it to the device in a similar way to use

adb push d:/tcpdump /sdcard/

adb shell

adb su

mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system /dev/block/mtdblock3 /system                             

cp /sdcard/tcpdump /system/xbin/

chmod 777 /system/xbin/tcpdump

To be continued