Android hacking tools update for Sept 2018

This article outlines a few “lessons learned” during an Android pen-test, specifically which parts of my toolset I needed to update to accommodate newer Android versions (Android v7+).

  • MultiDex support

One of the standard pen-test techniques is to decompile the App’s source code. Typically this is done by converting the APK’s DEX code to a JAR file using Dex2Jar, then reading that JAR file with a decompiler like JD-GUI. When using Dex2Jar on a recent APK file, the resulting Java code in the JAR file was suspiciously sparse. There were barely any classes pertaining to the actual target – most of the code was external libraries.

Opening the APK in ApkStudio gave a clue to the reason why:


The presence of the “smali_classes2” and “smali_classes3” folders signified a “MultiDex” APK, typically used when an app has more methods than fit into a single DEX file:

https://developer.android.com/studio/build/multidex

It seems that plain vanilla Dex2Jar doesn’t support these types of files. Luckily, it wasn’t hard to find a fork of the project by DexPatcher, whose version of Dex2Jar does support them and parsed the DEX files into a correct JAR file. The fork can be found here:

https://github.com/DexPatcher/dex2jar/releases

Alternatively, the excellent JADX supports direct APK -> Java decompilation, even with multi-dex files.

  • Proxying App Traffic

Another common step during pentesting is configuring the Android device to use a proxy such as OWASP ZAP or Burp Suite, to be able to inspect traffic passing to/from the app. The first step is to install the proxy’s CA certificate on the phone, which is covered in detail on other sites. However, simply installing the certificate does not work on Android 7+, because apps targeting API level 24 or higher no longer trust user-installed CAs by default, as pointed out by Charles Proxy:

https://www.charlesproxy.com/documentation/using-charles/ssl-certificates/

Basically, the app under test needs to be decompiled and a new file added at res/xml/network_security_config.xml:

<network-security-config>
   <base-config>
      <trust-anchors>
         <certificates src="system" />
         <certificates src="user" />
      </trust-anchors>
   </base-config>
   <debug-overrides>
      <trust-anchors>
         <certificates src="user" />
      </trust-anchors>
   </debug-overrides>
</network-security-config>

Then a reference to the above file has to be inserted into the app manifest:

<?xml version="1.0" encoding="utf-8"?>
<manifest ... >
<application android:networkSecurityConfig="@xml/network_security_config" ... >
...
</application>
</manifest>

Last – the whole app needs to be recompiled and signed…

….. quite a hassle to do …..

Luckily, levyitay has our back with an excellent bash script, AddSecurityExceptionAndroid, which does all of the above automatically and can be found here:

https://github.com/levyitay/AddSecurityExceptionAndroid
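As an added illustration (this is not code from the post or from the AddSecurityExceptionAndroid project), the manifest and resource edits described above as a small Python helper that works on an apktool-decoded app directory. It assumes decoding, rebuilding and signing are done separately with apktool/apksigner, and it assumes that when an app already ships its own network security config, a tester wants that resource replaced rather than a second one added.

```python
# Added example, not from the post or the AddSecurityExceptionAndroid project:
# patch a decoded (apktool) app so it trusts user CAs, as described above.
import xml.etree.ElementTree as ET
from pathlib import Path

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)  # keep the android: prefix on output
CONFIG_ATTR = "{%s}networkSecurityConfig" % ANDROID_NS

# Same config as in the post: trust system and user CAs, also under debug-overrides.
NETWORK_SECURITY_CONFIG = """<network-security-config>
   <base-config>
      <trust-anchors>
         <certificates src="system" />
         <certificates src="user" />
      </trust-anchors>
   </base-config>
   <debug-overrides>
      <trust-anchors>
         <certificates src="user" />
      </trust-anchors>
   </debug-overrides>
</network-security-config>
"""


def patch_manifest(manifest_xml):
    """Return (patched manifest text, resource name the manifest now points at)."""
    root = ET.fromstring(manifest_xml)
    application = root.find("application")
    if application is None:
        raise ValueError("manifest has no <application> element")
    # Edge case (assumption): the app already ships a config, e.g. certificate pins.
    # Keep its resource name so the manifest still points at one file; content is replaced.
    existing = application.get(CONFIG_ATTR)
    name = existing.split("/", 1)[1] if existing else "network_security_config"
    application.set(CONFIG_ATTR, "@xml/" + name)
    return ET.tostring(root, encoding="unicode"), name


def patch_decoded_app(decoded_dir: Path):
    """Rewrite decoded_dir/AndroidManifest.xml and write res/xml/<name>.xml."""
    manifest_path = decoded_dir / "AndroidManifest.xml"
    patched, name = patch_manifest(manifest_path.read_text(encoding="utf-8"))
    manifest_path.write_text('<?xml version="1.0" encoding="utf-8"?>\n' + patched, encoding="utf-8")
    xml_dir = decoded_dir / "res" / "xml"
    xml_dir.mkdir(parents=True, exist_ok=True)
    (xml_dir / (name + ".xml")).write_text(NETWORK_SECURITY_CONFIG, encoding="utf-8")
    return name
```

Run `patch_decoded_app(Path("app-decoded"))` between `apktool d` and `apktool b`, then sign the rebuilt APK as usual.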
