Scribd
Upload
43 views

APK Testing Report

Assignment.apk contains 8 challenges to test security aspects of Android applications. Various tools like MobSF, ADB, APK Tool, Burp Suite, and Drozer were used to analyze the APK and address each challenge through static and dynamic analysis. The challenges involved concepts like logging, file permissions, URI handling, SSL MITM attacks, encryption, content provider access, and custom intents.

Uploaded by

0xt3st
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
43 views

APK Testing Report

Assignment.apk contains 8 challenges to test security aspects of Android applications. Various tools like MobSF, ADB, APK Tool, Burp Suite, and Drozer were used to analyze the APK and address each challenge through static and dynamic analysis. The challenges involved concepts like logging, file permissions, URI handling, SSL MITM attacks, encryption, content provider access, and custom intents.

Uploaded by

0xt3st
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 15

APK TESTING REPORT

Mobile Ecosystem Security


APK INFORMATION

APK Name :- Assignment.apk

Package Name :- com.intrepidusgroup.learner

Description :- Assignment.apk has eight challenges which are


designed as:-
TESTING PLATFORM

Host Machine :- Microsoft Windows


Virtual Machine :- Kali Linux
Assignment.apk has been installed in Android Virtual
Environment(GenyMotion)

TOOLS

Adb :- Android Debug Bridge is a tool used to communicate with the phone
Apk Tool :- A tool for reverse engineering 3rd party, closed, binary Android
apps. It can decode resources to nearly original form and rebuild them after
making some modifications.
MobSF:- Mobile Security Framework (MobSF) is an automated, all-in-one
mobile application (Android/iOS/Windows) pen-testing, malware analysis and
security assessment framework capable of performing static and dynamic
analysis.
Drozer :- Drozer (formerly Mercury) is the leading security testing framework
for Android.
Burpe Suite :- Intercept tool by Portswigger
Assignment.apk Analysis Using MobSF
Mobile Security Framework (MobSF) is an automated, all-in-one mobile
application (Android/iOS/Windows) pen-testing, malware analysis and security
assessment framework capable of performing static and dynamic analysis.
MobSF is used to analyse the Java Code of the Application.
Connect to Phone

To connect to phone and install the apk we will use the following commands as
shown below :-

192.168.42.102 = IP of Mobile Phone

# adb install Assignment.apk

Lesson 1: Android Logging Secret

Analysed the java code of com/intrepidusgroup/learner/Lesson1Activity.java and


the instruction given in lession 1 we get to know that create challenge function is
followed by fillLogwithGarbage( ) function which is responsible for creating logs
appending with “LEARNER”

Analyzing the log with Learner as a tag


Lesson 2: Screwy File Permission

In java source of file com/intrepidusgroup/learner/Lesson2Activity.java the code


for generating the file name is visible according to which the file name is current
date with phone number and extension as .txt But, Here the need is to find the file
in the apk package following the hint

Location of file
Lesson 3: URI Handler Craziness

Just By analyzing the file Just by


com/intrepidusgroup/learner/Lesson3HandlerActivity.java we will get the
answer for this challenge
Lesson 4: SSL Man in the Middle Attack

This challenge requires Burp Suite to be configured with the custom phone.
Download the burp certificate from http://burp from phone’s browser as cert.der

After adding the PortSwigger Certificate as a trusted one in System < Security <
Trusted Credentials, Open the Learner application and click on resend code while
keeping burp suite intercept as on. The Secret Token Header is the key for this
level, i.e. i6ju7n2zx7
Lesson 6: Encryption vs Encraption

Analysing the com/intrepidusgroup/learner/Lesson6Activity.java code we get to


know the AES Encryption is used with key “intrepidlearner1”

We had used online tool to decrypt the phone number that is provided to us.
Lesson 7: Shared with the World
Drozer is an open source software, a framework for Android security
assessments. “Drozer allows you to assume the role of an Android app, and to
interact with other apps, through Android’s Inter-Process Communication (IPC)
mechanism, and the underlying operating system.”

Download the drozer.apk and install in the phone and forward the tcp ports.

Lesson 8: Malicious intent


Analysing the Manifest.xml file will help in this case .The file includes nodes of
each of the files including Activities, Services ,Content Providers and Broadcast
Receiver that makes an application and intent filters Permission determines how
they coordinate with each of the other Application.

In Lesson8AuxActivity.java we can see that class Lesson8AuxActivity calls for


action with an extra string defined in function getSecret() and the secret is current
date.
Drozer is being used
Following are the steps to call the action
“com.intrepidusgroup.learner.custom.intent.action.SEND” :

Command

You might also like