How to: Testing Android Application Security, Part 1

By on

This blog was written by Kunal Garg.

The popularity of Android devices and applications makes it a target for malware and other threats. This post is the first in a short series on Android application security.

Similar to its use for web applications, penetration (“pen”) testing is a part of developing mobile applications. We will discuss in detail the process for performing security testing on Android applications.

Setting up the pen-testing environment

Android Studio is the official integrated development environment for Android. Here are the steps for setting up Android Studio.

  1. Download and install the latest Java Development Kit.
  2. Set the JAVA_HOME variable with the path pointing to the Java Development Kit.
  3. Download and install Android Studio.
  4. Once it is installed, create an Android virtual device (emulator).
  5. Browse to “Tools–>Android–>Avd Manager–>Create Virtual Device” and create a new virtual device as shown in the following screens.

20160523 Android App Security 1

Android virtual device settings.

20160523 Android App Security 2

Further Android virtual device settings.

Customize parameters such as RAM, AVD Name, Android Version, and Internal Storage to suit your requirements. (We used device types Nexus 5 and Android Version Lollipop.)

 

Capturing traffic

Capturing traffic from emulator requires the proxy tool to act as a “man in the middle.” Follow these steps.

  1. Export the certificate from your proxy tool, and save it as proxy.cer.
  2. Push the certificate onto the emulator using the command

adb push proxy.cer /sdcard/

  1. Browse to SettingsàSecurityàInstall from the SD card, and install the certificate on the emulator.
  2. The Android virtual device will force the user to set the PIN on the device. Set the PIN.
  3. In the proxy tool, set the proxy listener to listen on local interface (127.0.0.1) and on any port (for example, 8082).
  4. Start the emulator using the command

emulator -avd test -no-audio -http-proxy http://127.0.0.1:8082

  1. Note that the traffic will pass via the proxy tool (Burp), as shown in the following screen:

20160523 Android App Security 3

Traffic captured in the proxy tool.

Common workarounds

  • An emulator crash during boot is a known issue. To mitigate, use the toggle “-no audio.”
  • In case the traffic is not routing via proxy, use local host rather than the loopback IP address (127.0.0.1).

emulator -avd avdname -no-audio -http-proxy http://localhost:Portno

  • Often the virtual device loads momentarily and then crashes. In this case go to “Tools–>Avd Manager–>Select Device–>View Details” and traverse to the emulator-user.ini file. In this file modify the parameters as “x =0” and “window.y =0.”

 

Leave a Comment

Similar articles

Many of us use Bluetooth technology for its convenience and sharing capabilities. Whether you’re using wireless headphones or quickly Airdropping photos to your friend, Bluetooth has a variety of benefits that users take advantage of every day. But like many other technologies, Bluetooth isn’t immune to cyberattacks. According to Ars Technica, researchers have recently discovered ...
Read Blog
A new banking trojan has emerged and is going after users’ Android devices. Dubbed Cerberus, this remote access trojan allows a distant attacker to take over an infected Android device, giving the attacker the ability to conduct overlay attacks, gain SMS control, and harvest the victim's contact list. What's more, the author of the Cerberus ...
Read Blog
5G has been nearly a decade in the making but has really dominated the mobile conversation in the last year or so. This isn’t surprising considering the potential benefits this new type of network will provide to organizations and users alike. However, just like with any new technological advancement, there are a lot of questions ...
Read Blog