MASTG Techniques

📌 These study notes serve as a concise reference, capturing the essential insights, guidelines, and best practices for securing mobile applications, based on the OWASP MASTG (Mobile Application Security Testing) Standard - Techniques.

🌐 Resources 🔗

OWASP MASTG
OWASP MASVS
MASTG - Tests
MASTG - Techniques
MASTG - Tools
MASTG - Apps

Android

Device Remote Shell

Enable Developer Mode and USB debugging on the device

adb (Android Debug Bridge) - listen port 5037

# USB
adb devices -l
adb shell
adb -s <device_ID> shell
su

# WiFi (same network)
# Set a listener on the device (via USB)
adb tcpip 5555
# Disconnect USB and run from host pc (same network)
adb connect <device_IP>
adb devices
adb shell

# SSH
# On device > Setup Termux (default port 8022)
sshd
# On Host pc
ssh -p 8022 <device_IP>

# "SSH for Magisk" Module can be used too

Data transfer

using Android Studio device file explorer
using adb

adb pull <remote> <local>
adb push <local> <remote>

objection - runtime mobile exploration toolkit for security testing on non-rooted devices. Injects the Frida gadget into an application by repackaging it, disable SSL pinning methods, access app storage, execute custom Frida scripts, list activities/services/broadcast receivers, start activities, ecc
On rooted device with frida-server configured, Objection can connect directly to it without app repackage.
Interact with it via Objection REPL
The ability to perform advanced dynamic analysis on non-jailbroken devices is one of the features that makes Objection incredibly useful.

using objection

# Connect to a patched APK
objection explore

# Connect to a specific app
frida-ps -Ua | grep -i telegram
objection --gadget="org.telegram.messenger" explore
cd ..
ls
file download <file_name>

using Termux remote access (e.g. SFTP)

sftp -P 8022 root@localhost

Obtaining and Extracting Apps

Non-official websites/third party stores like APKMirror, APKPure. Pay attention to the APK that may contain malware!!!
Extract the App Package from the Device

adb shell pm list packages
adb shell pm list packages | grep -i <name>
adb shell pm list packages -3 -f
adb shell pm path <package name>
adb pull <apk path>

Repack & Install App

Patching Android Apps

objection patchapk --source app-release.apk

Install apps via adb

adb install <path_to_apk>

App Information Gathering

List installed Apps

adb shell pm list packages
adb shell pm list packages -3 -f
adb shell pm path <app_package_id>

# Get all installed apps on USB device & # List running apps
frida-ps -Uai
adb shell ps

Exploring the app package

🔗 Reference Training Apps

apktool

# Unpack APK
apktool d <app-name.apk>

📌 The Android Manifest is the main source of information, includes package name, permissions, app components, etc.

cat apktool.yml

grep -i <keyword> AndroidManifest.xml

# e.g.
grep -i permission AndroidManifest.xml
grep -i android:allowBackup AndroidManifest.xml
grep -i activity AndroidManifest.xml
grep -i service AndroidManifest.xml
grep -i provider AndroidManifest.xml
grep -i receiver AndroidManifest.xml
grep -i debuggable AndroidManifest.xml

Accessing App Data Directories

frida-ps -Uai | grep -i appname
objection -g it.appname explore

env
    Name                    Path
    ----------------------  --------------------------------------------------------------------------------
    cacheDirectory          	  /data/user/0/it.appname/cache
    codeCacheDirectory        /data/user/0/it.appname/code_cache
    externalCacheDirectory   /storage/emulated/0/Android/data/it.appname/cache
    filesDirectory          		 /data/user/0/it.appname/files
    obbDir                 			    /storage/emulated/0/Android/obb/it.appname
    packageCodePath        	    /data/app/~~JEIPs_hOcZEloovI4ycnFw==/it.appname-JYsDjTAW2zm7oBXBiPT7xQ==/base.apk

ls
	Type       Last Modified            Read  Write  Hidden  Size       Name
	---------  -----------------------  ----  -----  ------  ---------  --------------------------------------------------------------------------------------------
	File       2022-09-14 08:03:22 GMT  True  True   False   0.0 B      generatefid.lock
	Directory  2023-08-04 13:05:27 GMT  True  True   False   3.4 KiB    datastore
	Directory  2023-07-19 08:30:32 GMT  True  True   False   3.4 KiB    config
	File       2022-09-20 11:35:03 GMT  True  True   False   44.6 KiB   didomi_config_cache.json
	Directory  2023-08-04 10:25:44 GMT  True  True   False   3.4 KiB    AFRequestCache
	File       2023-08-01 13:12:28 GMT  True  True   False   562.0 B    PersistedInstallation.W0RFRkFVTFRd+MTo1NjYwOTMxNjMwMjQ6YW5kcm9pZDozMTZhOTNiN2FkNjgzYWUz.json
	File       2023-08-04 13:03:53 GMT  True  True   False   31.0 B     optly-background-watchers.json

Monitoring System Logs

logcat

adb logcat > logcat.log

# Specific app log output
frida-ps -Uai | grep -i <name>
adb logcat | grep "$(adb shell ps | grep <package-name> | awk '{print $2}')"

Network Monitoring

Tools:
tcpdump
netcat
Wireshark

Traffic Sniffing - tcpdump / Wireshark

# On Android phone
tcpdump

# Remote sniff Android phone's network traffic
tcpdump -i wlan0 -s0 -w - | nc -l -p 11111

# On host, listen to traffic using Wireshark
adb forward tcp:11111 tcp:11111
nc localhost 11111 | wireshark -k -S -i -

Interception Proxies

OWASP ZAP
Burp Suite
Configuring an Android Device to Work With Burp.
Installing Burp's CA certificate to an Android device.
Configuring an iOS Device to Work With Burp.
Installing Burp's CA certificate to an iOS device.

BurpSuite

Export cert from BurpSuite in DER format (or download the cert from the http://burpsuite page after setting the Proxy on the device)

openssl x509 -inform DER -in burp-ad -out burp.pem
adb push burp.pem /sdcard/
# Install burp.pem in the user certificate store

# Move User Certificates to rot store / System CAs (using Magisk module Movecert)

Set Proxy on device WiFi Network
- Host with BurpSuite must be on the same WiFi network
- Bypass NET::ERR_CERT_VALIDITY_TOO_LONG
"NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED"

ZapProxy

🔗 Setting up ZAP for Android

Bypassing the Network Security Configuration

🔗 Adding the Proxy's certificate among system trusted CAs using Magisk
🔗 MagiskTrustUserCerts
- This module will automatically add all user-installed CA certificates to the list of the system trusted CAs (reboot is necessary)

Manual

Not always working

adb shell
mount -o rw,remount /system
# mount -o rw,remount -t ext4 /system

openssl x509 -inform DER -in cacert.der -out cacert.pem
openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1
mv cacert.pem <hash>.0
mv <hash>.0 /system/etc/security/cacerts
chmod 644 <hash>.0

📌 Starting with Android 7.0 (API level 24), the Android OS will no longer trust user CA certificates by default, unless specified in the application

Obstacles

Security controls such as root detection, certificate pinning
Client isolation in wireless networks

# Intercept traffic in WiFis with Client Isolation

# Configure Android device proxy to point to 127.0.0.1:8080
# Connect device via USB to host PC
# Make a reverse port forwarding
adb reverse tcp:8080 tcp:8080

Non-proxy-aware apps: e.g. Xamarin, or the app verifies if proxy is set and doesn't allow any traffic if it is set

# Enable "Support invisible proxying" in Burp Proxy request handling options

# iptables - redirect Android traffic to interception proxy
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination <Your-Proxy-IP>:8080

iptables -t nat -L
# Reset iptables
iptables -t nat -F

# bettercap - target and host on same network
sudo bettercap -eval "set arp.spoof.targets <ANDROID-IP>; arp.spoof on; set arp.spoof.internal true; set arp.spoof.fullduplex true;"

Proxy detection - bypass using Frida script

Bypassing Certificate Pinning

Static

Intercepting certificate is not accepted as a valid certificate if the app is implementing SSL Pinning.

Frida: Use the frida-multiple-unpinning script

frida --codeshare akabe1/frida-multiple-unpinning -f YOUR_BINARY

Objection (rooted device): Use the android sslpinning disable command

android sslpinning disable

Xposed: Install the TrustMeAlready or SSLUnpinning module.

Custom Certificate Pinning

🔗 Advanced - Bypassing SSL Pinning in Android Applications

# Certificate hashes
grep -ri "sha256\|sha1" ./smali
# Replace hashes with proxy's CA hash

# Certificate files
find ./assets -type f \( -iname \*.cer -o -iname \*.crt \)
find ./res -type f
# Replace files with proxy's certificates

# Truststore files
find ./ -type f \( -iname \*.jks -o -iname \*.bks \)

e.g. App uses BKS (BouncyCastle) truststore

keytool -importcert -v -trustcacerts -file proxy.cer -alias aliascert -keystore "res/raw/truststore.bks" -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "providerpath/bcprov-jdk15on-164.jar" -storetype BKS -storepass password

# proxy.cer - proxy's certificate
# aliascert - alias for proxy's cert
# BouncyCastle Provider jar file
# password - keystore pw, from decompiled app code

# List BKS truststore certs
keytool -list -keystore "res/raw/truststore.bks" -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "providerpath/bcprov-jdk15on-164.jar"  -storetype BKS -storepass password

# Repackage the app and install it on device

Dynamic

More convenient and faster to perform.

Find the correct method to hook by searching for strings and licences files, identifying the used library. Examine the source code (SMALI code) to find methods suited for dynamic instrumentation.

🔗 Circumventing SSL Pinning in obfuscated apps with OkHttp

# Search for all methods that take a string and a variable list of strings as args and return a complex object

grep -ri java/lang/String;\[Ljava/lang/String;)L ./

Hook each method with Frida and print the arguments. Find the one that prints out a domain name and a cert hash. Modify the arguments to circumvent the implemented pinning.

Reverse Engineering Android Apps

[...]

PreviousOWASP MAS NextMASTG Tests

Last updated 5 months ago