Hunnic Cyber - Logo

Android Hacking Toolkit (Part 1)

There are many tools available for Android App Testing. This post aims to outline the tools that we use at Hunnic Cyber to perform Android App Testing.

From taking screenshots, to dynamic analysis, there are many ways that you can save time.

The core tools that we use:

  1. AppUse
  2. MobSF Framework
  3. BurpSuite Professional
  4. Rooted Android Phone

AppUse

AppUse is a VM developed by AppSec Labs. It is a unique platform for mobile application security testing, Android and iOS applications and includes exclusive custom-made tools and scripts created by AppSec Labs.

The tool costs $399, however in our opinion it is worth the purchase and you can get it from here.

Having used AppUse on our client engagements, it allows you to automate a lot of your testing activities.

Some of the benefits we have found:

  • When taking a screenshot on the phone typically you would use ADB to transfer the files back and forth between the phone. With AppUse it is as simple as pressing the screenshot button on the control panel and it will be saved on your folder
  • Downloading APKs, decompiling them, then repatching using the tools on AppUse, reinstalling are as simple as a few buttons and editing the Smali code
  • Configure proxy for any protocol/port (even binary protocols!)
  • Edit application files
  • Launch emulator/auto detect your testing device directly into the AppUse dashboard interface
  • Easily send broadcast messages and start activities and services
  • Perform runtime manipulation with Reframeworker
  • Easily broadcast receivers, and services detection
  • Launch any tool you need for your penetration testing using the Tools section.
  • Disassemble APK
  • Decompile APK
  • Convert APK to debug mode
  • View APK Manifest

MobSF

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic and malware analysis.

Using MobSF is incredibly simple. Once you have downloaded the APK from the device or have been provided it by the client, you can simply upload it to the WebUI.

The full list of features can be seen here on their Github and looks like this:

If you have gone ahead and purchased AppUse, then simply install Docker in the AppUse VM using the commands here.

Once you have installed Docker then run the following commands to download and run MobSF in your AppUse VM:

docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

Now you should have a pretty good based for Android Testing in a single VM. Snapshot it, so that you can revert to for each engagement.

BurpSuite Professional

I don't believe that we need to go into any detail about this tool, but it is important for intercepting the traffic between the client application and the backend server.

Of course you can use other tools like ZAP and Fiddler, however they do not provide the level of features that Burp provides.

Rooted Android Phone

Finally you will need an Android phone to perform these testing on. While AppUse does provide emulators for both Intel and Arm based architectures, it is always best to do the testing natively.

There are plenty of good, cheap phones to choose from, however it is recommended to stay away from Huawei phones.

Conclusion

In the next blog post we are going to be walking through the rooting of an Android device, the use of each of the mentioned tools, how to install them, and how to perform the most common security tests against a purposefully vulnerable application.