Learning Android Application Security Testing from Scratch (Part 1)

In this series of articles we use InsecureBankv2, a deliberately vulnerable Android app, to learn the concepts behind Android application security. Every problem is approached from a beginner's perspective, so I recommend that newcomers follow the series in order. Because the tutorial starts from scratch, the first steps are quite basic; readers who already know this material can skip ahead.

Before testing Android apps we need to build a suitable mobile penetration-testing platform. First, download the Eclipse ADT bundle and install it; I will not repeat the installation steps here. Inside the SDK there are two folders, tools and platform-tools. Both are important and need to be added to your PATH environment variable. Run the following command for each of them:

export PATH=/path/to/dir:$PATH

After adding the tools and platform-tools folders to PATH, you can use all of the SDK commands freely. To check that it works, run the adb command; you should get its usage output.

To run applications on our computer we also need a handy emulator. The Eclipse Android Virtual Device (AVD) is the standard Android emulator, and you can search online for how to create a virtual device with it. For this series, however, I will use another tool, Genymotion, to create virtual devices. There are several reasons: it is faster, and a virtual device created with Genymotion is rooted by default. This means you can install applications freely, which is convenient for auditing Android apps. After installing Genymotion, register an account (free of charge) and create the emulators you need.

Now clone the InsecureBankv2 source code from GitHub and start the virtual device you created. This step is very simple: the project cloned from GitHub already contains a prebuilt apk file.
Install it with the adb install InsecureBankv2.apk command. When the output shows Success, the apk has been installed and you will see the corresponding application icon in the emulator.

Sometimes, however, you want to build the app yourself rather than just run the prebuilt apk. In that case open Eclipse, go to File > Switch Workspace and select the InsecureBank folder you created, then go to File > Import, choose the existing Android code option and select the folder where the application is located. Eclipse places the application in your workspace. Now click the play button at the top and choose Run as Android Application; with the emulator running, the application should start in it with no surprises.

At the same time, start the backend Python service with the python app.py --port 8888 command, then enter the server's IP address and port in the application. You can now log in with the default credentials:

Dinesh/Dinesh@123$
jack/Jack@123$

Please also make sure you have installed the following tools, which we will use in later articles: Drozer, Andbug, Introspy, dex2jar and apktool. In addition, you can connect to the emulator with adb shell and explore as you like.

In the next article we will look at the vulnerabilities in the InsecureBankv2 project and learn more about Android app security.

InsecureBankv2 project address: https://github.com/dineshshetty/Android-InsecureBankv2
Eclipse ADT bundle: https://developer.android.com/sdk/installing/index.html?pkg=adt
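As an added example that is not part of the original article or the InsecureBankv2 project, the setup steps above collected into a small POSIX sh script: building the PATH without duplicate entries, checking the adb install output, and starting the backend. The SDK location, the AndroLabServer directory name and the RUN_SETUP switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article. Assumptions: the ADT SDK lives
# under $ADT_SDK (default ~/adt-bundle/sdk) and the backend is in AndroLabServer/.

# Prepend a directory to a PATH-style string unless it is already present,
# so sourcing this file repeatedly does not grow PATH without bound.
# An empty current PATH yields just the directory (no trailing ':', which
# would silently put the current working directory on PATH).
prepend_path() {
    dir=$1
    current=$2
    case ":$current:" in
        *":$dir:"*) printf '%s\n' "$current" ;;
        *) if [ -z "$current" ]; then printf '%s\n' "$dir"
           else printf '%s\n' "${dir}:${current}"; fi ;;
    esac
}

# The PATH the article asks for: tools and platform-tools in front of the rest.
sdk_path() {
    sdk_dir=$1
    base=$2
    with_platform=$(prepend_path "$sdk_dir/platform-tools" "$base")
    prepend_path "$sdk_dir/tools" "$with_platform"
}

# adb install prints "Success" on its own line when the package was installed;
# any "Failure [INSTALL_FAILED_...]" line means it was not.
install_succeeded() {
    printf '%s\n' "$1" | grep -q '^Success'
}

# Only perform the real setup when RUN_SETUP=1, so the functions above can be
# sourced and tested without an emulator attached.
if [ "${RUN_SETUP:-0}" = 1 ]; then
    PATH=$(sdk_path "${ADT_SDK:-$HOME/adt-bundle/sdk}" "$PATH"); export PATH
    adb version || exit 1            # verifies the PATH change worked
    adb wait-for-device              # blocks until the Genymotion device is up
    out=$(adb install InsecureBankv2.apk 2>&1)
    if install_succeeded "$out"; then
        echo "InsecureBankv2 installed"
    else
        echo "install failed: $out" >&2; exit 1
    fi
    ( cd AndroLabServer && python app.py --port 8888 )
fi
```

Run it as RUN_SETUP=1 sh setup.sh from the cloned repository directory; without RUN_SETUP it only defines the helper functions.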