This article outlines a few "lessons learned" during an Android pen-test, specifically which parts of my toolset I needed to update to accommodate newer Android versions (Android 7+).
One of the standard pen-test techniques is to decompile the app's source code. Typically this is done by converting the APK's DEX code to a JAR file using Dex2Jar, then reading that JAR file with a decompiler like JD-GUI. When using Dex2Jar on a recent APK file, the resulting Java code in the JAR file was suspiciously sparse: there were barely any classes pertaining to the actual target, and most of the code was external libraries.
Opening the APK in ApkStudio gave a clue to the reason why:
The presence of the "smali_classes2" and "smali_classes3" folders signified a "MultiDex" APK. A single DEX file can index at most 65,536 method references (the "64K limit"), so an app with more methods than that is split across classes.dex, classes2.dex, classes3.dex and so on. A converter that only reads classes.dex silently drops the rest, which is exactly the sparse output seen above:
It seems that plain vanilla Dex2Jar doesn't support these files. Luckily, it wasn't hard to find a fork of the project by DexPatcher, whose version of Dex2Jar does support multi-dex APKs and parsed all of the DEX files into a correct JAR file. The fork can be found here:
Alternatively, the excellent JADX supports direct APK to Java decompilation, even for multi-dex files.
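A quick way to confirm you are dealing with a MultiDex APK, and to see how much of the app a tool that only converts classes.dex would miss, is to read the header of every classes*.dex in the archive. The script below is an added example for this article, not the page's own code: it reads the method_ids_size and class_defs_size fields from each DEX header (offsets 0x58 and 0x60 in the DEX format) and reports what share of the method references lives in classes.dex alone. The APK inspected by demo() is constructed from header fields only and is not a loadable app; point dex_inventory() at a real APK to get the same report for it.

```python
"""Inventory the DEX files inside an APK from their headers.

Added example for this article (not the page's own code). A MultiDex APK is just a
zip with classes.dex, classes2.dex, ... so counting them, and the method_ids each
one carries, shows how much a single-DEX converter would leave behind. The sample
APK written by build_sample_apk() is constructed from header fields only."""
import os
import re
import struct
import tempfile
import zipfile

DEX_HEADER_LEN = 0x70
# Header field offsets from the DEX format specification.
METHOD_IDS_SIZE_OFF = 0x58
CLASS_DEFS_SIZE_OFF = 0x60
MAX_METHOD_IDS = 0x10000  # one DEX file can index at most 65,536 method references


def parse_dex_header(data):
    """Return version, method_ids_size and class_defs_size from a DEX header."""
    if len(data) < DEX_HEADER_LEN or data[:4] != b"dex\n":
        raise ValueError("not a DEX header")
    return {
        "version": data[4:7].decode("ascii"),
        "method_ids": struct.unpack_from("<I", data, METHOD_IDS_SIZE_OFF)[0],
        "class_defs": struct.unpack_from("<I", data, CLASS_DEFS_SIZE_OFF)[0],
    }


def dex_inventory(apk_path):
    """List the classes*.dex entries of an APK in load order with their header counts."""
    with zipfile.ZipFile(apk_path) as z:
        names = [n for n in z.namelist() if re.fullmatch(r"classes\d*\.dex", n)]
        names.sort(key=lambda n: int(n[len("classes"):-len(".dex")] or "1"))
        out = []
        for n in names:
            with z.open(n) as f:
                h = parse_dex_header(f.read(DEX_HEADER_LEN))
            h["name"] = n
            out.append(h)
    return out


def summarize(inventory):
    """Totals, a multidex flag, and the share a classes.dex-only tool would see."""
    total = sum(d["method_ids"] for d in inventory)
    first = inventory[0]["method_ids"] if inventory else 0
    return {
        "dex_files": len(inventory),
        "multidex": len(inventory) > 1,
        "method_ids": total,
        "class_defs": sum(d["class_defs"] for d in inventory),
        "share_in_classes_dex": first / total if total else 0.0,
    }


def make_dex_header(method_ids, class_defs):
    """Constructed 0x70-byte header with only the fields this script reads filled in."""
    h = bytearray(DEX_HEADER_LEN)
    h[0:8] = b"dex\n035\0"                            # magic + version 035
    struct.pack_into("<I", h, 0x20, DEX_HEADER_LEN)   # file_size
    struct.pack_into("<I", h, 0x24, DEX_HEADER_LEN)   # header_size
    struct.pack_into("<I", h, 0x28, 0x12345678)       # endian_tag (little endian)
    struct.pack_into("<I", h, METHOD_IDS_SIZE_OFF, method_ids)
    struct.pack_into("<I", h, CLASS_DEFS_SIZE_OFF, class_defs)
    return bytes(h)


def build_sample_apk(path):
    """Write a constructed three-DEX APK: classes.dex nearly full, two secondary DEX files."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("AndroidManifest.xml", b"")
        z.writestr("classes.dex", make_dex_header(65530, 1200))
        z.writestr("classes2.dex", make_dex_header(41000, 900))
        z.writestr("classes3.dex", make_dex_header(7000, 300))
    return path


def demo():
    """Inventory the constructed sample APK; returns (inventory, summary)."""
    apk = build_sample_apk(os.path.join(tempfile.mkdtemp(), "sample.apk"))
    inv = dex_inventory(apk)
    return inv, summarize(inv)
```

On the constructed sample, classes.dex holds only about 58% of the method references, so a converter that stops after the first DEX file produces a JAR missing nearly half the app. The same split shows up in apktool output as the smali, smali_classes2 and smali_classes3 folders.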
Proxying App Traffic
Another common step during pentesting is configuring the Android device to use a proxy such as OWASP ZAP or Burp Suite in order to inspect traffic passing to and from the app. The first step is to install the proxy's CA certificate on the phone, which is covered in detail on other sites. However, simply installing the certificate does not work in Android 7+, as pointed out by Charles Proxy: since Android 7.0 (API level 24), apps targeting that API level or higher trust only the system CA store by default and ignore user-installed certificates unless the app's network security configuration says otherwise.
Basically the app under test needs to be decompiled (e.g. with apktool), and a new file added at res/xml/network_security_config.xml that explicitly trusts user-installed CAs:
    <network-security-config>
        <base-config>
            <trust-anchors>
                <certificates src="system" />
                <certificates src="user" />
            </trust-anchors>
        </base-config>
        <debug-overrides>
            <trust-anchors>
                <certificates src="user" />
            </trust-anchors>
        </debug-overrides>
    </network-security-config>
Then a reference to the above file has to be inserted into the app manifest:
    <?xml version="1.0" encoding="utf-8"?>
    <manifest ... >
        <application android:networkSecurityConfig="@xml/network_security_config" ... >
            ...
        </application>
    </manifest>
Last, the whole app needs to be recompiled and signed with a key you control, since the original signature no longer matches the modified contents. Because the signing certificate changes, the original app has to be uninstalled before the patched build can be installed.
Quite a hassle to do by hand…
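The whole procedure (decode, write the config, patch the manifest, rebuild, align, sign) as one script. This is an added example for this article, not the page's own code and not the bash script mentioned below; it assumes apktool, zipalign, apksigner and keytool are on PATH for the rebuild step, while the XML edits themselves need only the Python standard library. It also covers a case the steps above skip: an app that already declares its own android:networkSecurityConfig (for instance for certificate pinning) keeps that resource name and gets its file overwritten, because adding a second config file next to it would leave the app's original, stricter config in force. The sample manifest used by demo() is constructed and not taken from any real app.

```python
"""Patch an apktool-decoded APK so it trusts user-installed CAs, then rebuild and re-sign.

Added example for this article, not the page's code and not levyitay's script. The XML
edits use only the standard library; rebuild_and_sign() assumes apktool, zipalign,
apksigner and keytool are on PATH. The sample manifest below is constructed, not real."""
import os
import re
import subprocess
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)   # keep the android: prefix when writing
NSC_ATTR = "{%s}networkSecurityConfig" % ANDROID_NS

# base-config applies to every connection, so it alone is enough; the article's
# debug-overrides block only takes effect when the app is marked debuggable.
NETWORK_SECURITY_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""

# Constructed sample manifest for demo() (not from any real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="%s" package="com.example.target">
    <application android:label="Target">
    </application>
</manifest>
""" % ANDROID_NS


def patch_manifest(manifest_path, default_name="network_security_config"):
    """Point <application> at an NSC resource; return the resource name now in force.
    If the app already declares android:networkSecurityConfig, keep its name so our
    file replaces that config, and leave the manifest untouched."""
    tree = ET.parse(manifest_path)
    app = tree.getroot().find("application")
    if app is None:
        raise ValueError("no <application> element in " + manifest_path)
    existing = app.get(NSC_ATTR)
    if existing:
        m = re.fullmatch(r"@xml/(\w+)", existing)
        if not m:
            raise ValueError("unexpected networkSecurityConfig value: " + existing)
        return m.group(1)
    app.set(NSC_ATTR, "@xml/" + default_name)
    tree.write(manifest_path, encoding="utf-8", xml_declaration=True)
    return default_name


def write_network_security_config(decoded_dir, name):
    """Write (or overwrite) res/xml/<name>.xml under the apktool output directory."""
    xml_dir = os.path.join(decoded_dir, "res", "xml")
    os.makedirs(xml_dir, exist_ok=True)
    path = os.path.join(xml_dir, name + ".xml")
    with open(path, "w", encoding="utf-8") as f:
        f.write(NETWORK_SECURITY_CONFIG)
    return path


def add_user_ca_trust(decoded_dir):
    """Apply both edits to an apktool-decoded directory; return the NSC file path."""
    name = patch_manifest(os.path.join(decoded_dir, "AndroidManifest.xml"))
    return write_network_security_config(decoded_dir, name)


def rebuild_and_sign(apk, workdir, keystore="debug.keystore"):
    """apktool d -> patch -> apktool b -> zipalign -> apksigner. The output is signed with
    a different certificate, so uninstall the original app before installing it."""
    decoded = os.path.join(workdir, "decoded")
    unsigned = os.path.join(workdir, "unsigned.apk")
    aligned = os.path.join(workdir, "aligned.apk")
    signed = os.path.join(workdir, "patched-signed.apk")
    subprocess.run(["apktool", "d", "-f", "-o", decoded, apk], check=True)
    add_user_ca_trust(decoded)
    subprocess.run(["apktool", "b", "-o", unsigned, decoded], check=True)
    if not os.path.exists(keystore):   # throwaway debug key; store and key password 'android'
        subprocess.run(["keytool", "-genkeypair", "-keystore", keystore, "-alias", "androiddebugkey",
                        "-storepass", "android", "-keypass", "android", "-keyalg", "RSA",
                        "-keysize", "2048", "-validity", "10000",
                        "-dname", "CN=Android Debug,O=Android,C=US"], check=True)
    subprocess.run(["zipalign", "-p", "4", unsigned, aligned], check=True)
    subprocess.run(["apksigner", "sign", "--ks", keystore, "--ks-pass", "pass:android",
                    "--ks-key-alias", "androiddebugkey", "--out", signed, aligned], check=True)
    return signed


def demo(manifest_text=SAMPLE_MANIFEST):
    """Run the XML edits on a constructed manifest in a temp dir (no Android tools needed)."""
    work = tempfile.mkdtemp()
    manifest_path = os.path.join(work, "AndroidManifest.xml")
    with open(manifest_path, "w", encoding="utf-8") as f:
        f.write(manifest_text)
    nsc_path = add_user_ca_trust(work)
    read = lambda p: open(p, encoding="utf-8").read()
    return {"nsc_file": os.path.relpath(nsc_path, work).replace(os.sep, "/"),
            "manifest": read(manifest_path), "nsc": read(nsc_path)}
```

rebuild_and_sign("target.apk", "work") runs the full chain on a real APK; demo() exercises only the manifest and config edits so the logic can be checked without the Android tooling installed. After installing the patched build, the proxy's user-installed CA is trusted for every connection the app makes through the platform TLS stack; apps that pin certificates in code or ship their own TLS library still need separate handling.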
Luckily levyitay has our back with an excellent bash script, AddSecurityExceptionAndroid, which does all of the above automatically for you and can be found here: