This article outlines a few “lessons learned” during an Android pen-test, specifically on which parts of my toolset I needed to update to accommodate newer android versions (Android v7+)
-
MultiDex support
One of the standard pen-test techniques is to decompile the App’s source code. Typically this is done by converting the APK DEX code to a JAR file using Dex2Jar, then reading that JAR file using some decompile like JD-GUI. When using Dex2Jar on a recent APK file, the resulting java code in the JAR file was suspiciously sparse. There were barely any classes pertaining to the actual target – most of the code was external libraries.
Opening the APK in ApkStudio gave a clue to the reason why:
The presence of the “smali_classes2” and “smali_classes3” folders signified a “MultiDex” APK, typically used for when your APK has a large amount of methods:
https://developer.android.com/studio/build/multidex
It seems that the plain vanilla Dex2Jar doesn’t have support for these types of files. Luckily, it wasn’t hard to find a fork of the project by DexPathcher, whose version of Dex2Jar does support theses files and correctly parsed the Dex files into a correct JAR file. The fork can be found here:
https://github.com/DexPatcher/dex2jar/releases
Alternatively, the excellent JADX supports direct APK -> JAVA decompilation even with multi-dex files
-
Proxying App Traffic
Another common step during pentesting is configuring the Android device towards a proxy such as OWASP ZAP or BurpSuite to be able to inspect traffic passing to/from the app. The first step is to install the proxy’s CA certificate on the phone – which is covered in detail on other sites. However, simply installing the certificate does not work in Android 7+, as pointed out by Charles Proxy:
https://www.charlesproxy.com/documentation/using-charles/ssl-certificates/
Basically the app under test needs to be decompiled, and a new file added in res/xml/network_security_config.xml:
<network-security-config>
<base-config>
<trust-anchors>
<certificates src="system" />
<certificates src="user" />
</trust-anchors>
</base-config>
<debug-overrides>
<trust-anchors>
<certificates src="user" />
</trust-anchors>
</debug-overrides>
</network-security-config>
Then a reference to the above file has to be inserted into the app manifest:
<?xml version="1.0" encoding="utf-8"?> <manifest ... > <application android:networkSecurityConfig="@xml/network_security_config" ... > ... </application> </manifest>
Last – the whole app needs to be recompiled and signed…
….. quite a hassle to do …..
Luckily levyitay has our back with an excellent bash script AddSecurityExceptionAndroid, which does all the above automatically for you, and can be found here:
David Vassallo's Blog 
You must be logged in to post a comment.