14 November 2017

Android Penetration testing methodology

Pentest Android

Whether the target is a web or a mobile application (Android in our example), the Penetration Testing Execution Standard (PTES) divides a penetration test into seven principal stages:

  • (1) Pre-engagement Interactions
  • (2) Intelligence Gathering
  • (3) Threat Modeling
  • (4) Vulnerability Analysis
  • (5) Exploitation
  • (6) Post Exploitation
  • (7) Reporting.

All of these phases apply to Android as well, but with different tools. The PTES methodology is not necessarily linear and is often cyclic: what is learned in a later phase (a new entry point, a new component, a new back-end) sends the tester back to an earlier one.

1- Pre-engagement Interactions

This phase defines the scope, the points of contact and how data will be exchanged; it ends with the signing of the contract. These points are the same as in a classical infrastructure penetration test. For an Android application, the scope should also state which app build or version is to be tested, whether the back-end services the app talks to are in scope, and whether the test devices may be rooted.

2- Intelligence Gathering

This is the reconnaissance phase of classical pentesting. On Android we need to profile the target, i.e. review the objectives, description, dependencies, properties, permissions and development history of the component or application. Much of this information can be gathered from the application's listing on the Google Play Store (description, requested permissions, version history, developer identity).

The other key point of the reconnaissance phase is to determine all the entry points of the Android component. For an application, these entry points (activities, services, broadcast receivers and content providers) are declared in the manifest file, AndroidManifest.xml. Inside the APK this file is stored in binary form, so a reverse-engineering tool such as apktool is needed to decode it into readable XML. Pay particular attention to components that are exported, either explicitly through android:exported="true" or implicitly because they declare an intent-filter (the default for apps targeting Android versions before 12): these are the ones another application can reach.
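The following script is an added example (it is not part of the original post): it reads the decoded AndroidManifest.xml that apktool produces and lists the declared components, applying the platform's export rules so that the reachable entry points stand out. The embedded manifest and its package name com.example.target are constructed for illustration; point `entry_points()` at the real decoded file to use it on a target.

```python
"""Enumerate the entry points declared in a decoded AndroidManifest.xml.

Added example, not part of the original post.  Parses the manifest that
`apktool d` produces and lists the components an outside app can reach.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (hypothetical package com.example.target) mixing
# exported, implicitly exported, permission-guarded and private components.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.target">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="target"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"
              android:permission="com.example.target.ADMIN"/>
    <service android:name=".SyncService"/>
    <receiver android:name=".BootReceiver" android:exported="false">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".DataProvider"
              android:authorities="com.example.target.provider"
              android:exported="true"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component, target_sdk):
    """Apply the platform's export rule.

    An explicit android:exported wins.  Otherwise a component with an
    intent-filter is exported by default when targetSdk < 31 (Android 12 made
    the attribute mandatory in that case).  Content providers default to
    exported only when targetSdk < 17.
    """
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return target_sdk < 17
    has_filter = component.find("intent-filter") is not None
    return has_filter and target_sdk < 31


def entry_points(manifest_xml):
    """Return (tag, name, exported, permission) for every declared component."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(_attr(uses_sdk, "targetSdkVersion") or 1) if uses_sdk is not None else 1
    app = root.find("application")
    result = []
    for comp in app:
        if comp.tag in COMPONENT_TAGS:
            result.append((comp.tag, _attr(comp, "name"),
                           is_exported(comp, target_sdk), _attr(comp, "permission")))
    return result


def attack_surface(manifest_xml):
    """Exported components not guarded by a permission: the entry points any app can hit."""
    return [(tag, name) for tag, name, exported, perm in entry_points(manifest_xml)
            if exported and perm is None]


def application_flags(manifest_xml):
    """Application-level flags worth noting in the recon notes."""
    app = ET.fromstring(manifest_xml).find("application")
    return {"debuggable": _attr(app, "debuggable") == "true",
            "allowBackup": _attr(app, "allowBackup") != "false"}


if __name__ == "__main__":
    for tag, name, exported, perm in entry_points(SAMPLE_MANIFEST):
        print(f"{tag:10} {name:20} exported={exported} permission={perm}")
    print("attack surface:", attack_surface(SAMPLE_MANIFEST))
    print("flags:", application_flags(SAMPLE_MANIFEST))
```

On the sample, the two activities with intent filters and the provider come out as reachable; AdminActivity is exported but guarded by a custom permission, so it is listed but not counted in the attack surface, and BootReceiver's explicit exported="false" overrides its intent filter.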

3- Threat Modeling

At this stage we need to identify the assets, the threats and the impact each threat would have on the component and on the enterprise. The private data of an Android application lives in its /data/data/<package_name>/ directory (readable only by the app's own UID, so on a non-rooted device it is reachable through run-as only when the app is debuggable). The application itself is a compressed .apk file found in one of the following directories: /system/app, /system/priv-app, /data/app or /data/app-private.

To find the directory of the application package (.apk), run the following command from a Linux terminal with the device connected: adb shell pm path <package_name>. The exact package name can be found with: adb shell pm list packages.

For example, these two commands locate the .apk file of the Android Calculator:

$ adb shell pm list packages | grep calc
$ adb shell pm path com.android.calculator2

Note that the Android built-in tool dumpsys gives all the relevant information about an installed application (declared and granted permissions, components, flags, install path, signing information). From an adb shell, run: (android)$ dumpsys package <package_name>.
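The script below is an added example, not code from the original post: it wraps the locate-and-pull procedure above. Modern apps are often installed as several split APKs (one base.apk plus configuration splits), so `pm path` prints several lines and all of them have to be pulled to get the complete application. The parsing helpers are pure functions exercised on constructed adb output; `pull_apks()` assumes adb is on the PATH with one device attached.

```python
"""Locate and pull an installed app's APK(s) over adb.

Added example, not from the original post.  The parsers are pure functions
(testable on the constructed samples below); pull_apks() shells out to adb.
"""
import os
import subprocess

# Constructed sample of `adb shell pm list packages` output.
SAMPLE_PM_LIST = """package:com.android.calculator2
package:com.example.target
package:com.android.settings
"""

# Constructed sample of `adb shell pm path` for an app shipped as split APKs:
# one base.apk plus one file per configuration split.
SAMPLE_PM_PATH = """package:/data/app/~~abc123==/com.example.target-xyz==/base.apk
package:/data/app/~~abc123==/com.example.target-xyz==/split_config.arm64_v8a.apk
package:/data/app/~~abc123==/com.example.target-xyz==/split_config.xxhdpi.apk
"""


def _strip_prefix(output):
    """pm prints one 'package:<value>' per line; return the values."""
    return [line[len("package:"):].strip()
            for line in output.splitlines() if line.startswith("package:")]


def parse_package_list(output, needle=None):
    """Package names from `pm list packages`, optionally filtered by substring."""
    names = _strip_prefix(output)
    if needle:
        names = [n for n in names if needle in n]
    return names


def parse_apk_paths(output):
    """APK paths from `pm path`; a split app yields several entries."""
    return _strip_prefix(output)


def install_location(path):
    """Classify the install directory: tells system/privileged/user app apart."""
    kinds = (("/system/priv-app/", "privileged system app"),
             ("/system/app/", "system app"),
             ("/data/app/", "user-installed app"),
             ("/data/app-private/", "forward-locked app"))
    for prefix, kind in kinds:
        if path.startswith(prefix):
            return kind
    return "other"


def adb(*args):
    """Run one adb command and return its stdout (raises on failure)."""
    return subprocess.run(["adb", *args], check=True, capture_output=True, text=True).stdout


def pull_apks(package, dest="."):
    """Pull every APK of `package` into `dest`; returns the local paths.

    Resources and native code may sit in a split rather than base.apk, so
    reinstalling or reviewing only base.apk gives an incomplete picture.
    """
    paths = parse_apk_paths(adb("shell", "pm", "path", package))
    if not paths:
        raise LookupError(f"{package} is not installed")
    os.makedirs(dest, exist_ok=True)
    local = []
    for remote in paths:
        target = os.path.join(dest, f"{package}-{os.path.basename(remote)}")
        adb("pull", remote, target)
        local.append(target)
    return local


if __name__ == "__main__":
    import sys
    pkg = sys.argv[1] if len(sys.argv) > 1 else "com.android.calculator2"
    for p in pull_apks(pkg, dest=pkg):
        print("pulled", p, "(" + install_location(p) + ")")
```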

4 – Vulnerability Analysis

This phase uses the information gathered during the previous phases to discover weaknesses and flaws in the Android component. For apps, we can use a tool such as the AndroBugs Framework. This open-source tool, written in Python by Yu-Cheng Lin, can be downloaded from https://github.com/AndroBugs/AndroBugs_Framework. First decode the APK with apktool (which also yields the AndroidManifest.xml discussed above), then run the framework against the APK file:

$ apktool d <app_file.apk> -o <output_DIR>
$ python androbugs.py -f <application_file>.apk

5 – Exploitation

The exploitation phase focuses on establishing access to an Android component by bypassing its security restrictions. The goal is reached when another, attacker-controlled application can be used to harm the target, for example by invoking an exported component it should not be able to reach or by reading data through an unprotected content provider. To perform this stage we can use drozer, an Android security assessment and exploitation tool (see https://labs.mwrinfosecurity.com/tools/drozer/ for more information). Its agent runs on the device as an ordinary unprivileged app, which is exactly the position of a malicious app installed alongside the target.
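As an added example (not from the original post and not drozer's own code), the helpers below build the adb shell commands that exercise an exported component the way drozer's app.activity.start, app.broadcast.send and app.provider.query modules do, so the same checks can be run without installing the agent. The package and component names are constructed. One caveat the code handles: adb shell passes its arguments to the device shell as a single string that is split again there, so every token is quoted for that second parse.

```python
"""Build adb shell commands that poke exported components (activity, receiver,
content provider), mirroring what drozer does.

Added example, not from the original post or from drozer.  Builders return
the command string to run inside `adb shell`; run_on_device() executes it.
"""
import shlex
import subprocess


def _join(parts):
    # adb shell hands the device shell one string which is re-split there, so
    # quote every token (where-clauses with spaces or quotes would otherwise break).
    return " ".join(shlex.quote(p) for p in parts)


def _extras(extras):
    """Map Python values to `am` extra flags (--ez bool, --ei int, --es string)."""
    args = []
    for key, value in (extras or {}).items():
        if isinstance(value, bool):          # bool before int: bool is an int subclass
            args += ["--ez", key, "true" if value else "false"]
        elif isinstance(value, int):
            args += ["--ei", key, str(value)]
        else:
            args += ["--es", key, str(value)]
    return args


def start_activity(package, activity, action=None, data=None, extras=None):
    """`am start -n pkg/.Activity`; manifest names starting with '.' are relative to pkg."""
    parts = ["am", "start", "-n", f"{package}/{activity}"]
    if action:
        parts += ["-a", action]
    if data:
        parts += ["-d", data]
    return _join(parts + _extras(extras))


def send_broadcast(package, receiver, action, extras=None):
    """`am broadcast` aimed explicitly at one receiver."""
    parts = ["am", "broadcast", "-n", f"{package}/{receiver}", "-a", action]
    return _join(parts + _extras(extras))


def query_provider(authority, path="", projection=None, where=None):
    """`content query` against a provider authority, with optional projection/selection."""
    uri = f"content://{authority}/{path}".rstrip("/")
    parts = ["content", "query", "--uri", uri]
    if projection:
        parts += ["--projection", ":".join(projection)]
    if where:
        parts += ["--where", where]
    return _join(parts)


def run_on_device(remote_cmd):
    """Execute a generated command on the attached device; returns (rc, output)."""
    proc = subprocess.run(["adb", "shell", remote_cmd], capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def reachable(output):
    """Interpret am/content output: the framework prints a permission denial when the
    component is not exported to our UID, and an error when it does not exist."""
    markers = ("Permission Denial", "SecurityException", "does not exist")
    return not any(m in output for m in markers)


if __name__ == "__main__":
    pkg = "com.example.target"   # constructed target
    for cmd in (start_activity(pkg, ".AdminActivity", extras={"admin": True}),
                send_broadcast(pkg, ".BootReceiver", "android.intent.action.BOOT_COMPLETED"),
                query_provider("com.example.target.provider", "users",
                               projection=["_id", "name"], where="name like '%a%'")):
        print("adb shell", cmd)
```

A "Permission Denial ... not exported from uid" answer means the component is private to the app and the check can be closed; a successful start or a result set from the provider is the finding to write up.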

6- Post Exploitation

The purpose of this phase is to determine the value of the compromised device and to maintain control of it for later use (e.g. pivoting). In the Android ecosystem this phase only exists when the assessment covers the device itself. In that case it is useful to exploit a vulnerability of an installed application and to use that application as a foothold to compromise the whole device by escalating privileges (e.g. obtaining the ability to install packages). This stage can be performed with the Metasploit framework (see https://www.metasploit.com for more details).

7 – Reporting

According to my colleague, the report is an essential part of a penetration test and, as Lam et al. put it, “if you do not document it, it did not happen”. Indeed, this report documents the methodology, the vulnerabilities, the exploits and the mitigations. At BSSI/EVA, the report is considered an important communication tool: it is the only tangible deliverable our client will receive from our red team.


In this post we have applied the well-known penetration testing methodology outlined by the PTES (Penetration Testing Execution Standard) to Android. For each of its seven phases we gave some useful tools that can be used on the Android ecosystem.

Oumar Diao :
Consultant BSSI
