How to: Testing Android Application Security, Part 1

The popularity of Android devices and applications makes the platform a target for malware and other threats. This post is the first in a short series on Android application security.

Similar to its use for web applications, penetration (“pen”) testing is a part of developing mobile applications. We will discuss in detail the process for performing security testing on Android applications.

Setting up the pen-testing environment

Android Studio is the official integrated development environment for Android. Here are the steps for setting up Android Studio.

  1. Download and install the latest Java Development Kit.
  2. Set the JAVA_HOME variable with the path pointing to the Java Development Kit.
  3. Download and install Android Studio.
  4. Once it is installed, create an Android virtual device (emulator).
  5. Browse to “Tools–>Android–>Avd Manager–>Create Virtual Device” and create a new virtual device as shown in the following screens.

Android virtual device settings.

Further Android virtual device settings.

Customize parameters such as RAM, AVD Name, Android Version, and Internal Storage to suit your requirements. (We used device type Nexus 5 and Android version Lollipop.)

Capturing traffic

Capturing traffic from the emulator requires the proxy tool to act as a “man in the middle.” Follow these steps.

  1. Export the certificate from your proxy tool, and save it as proxy.cer.
  2. Push the certificate onto the emulator using the command

adb push proxy.cer /sdcard/

  3. Browse to “Settings–>Security–>Install from the SD card,” and install the certificate on the emulator.
  4. The Android virtual device will force the user to set a PIN on the device. Set the PIN.
  5. In the proxy tool, set the proxy listener to listen on the local interface (127.0.0.1) and on any port (for example, 8082).
  6. Start the emulator using the command

emulator -avd test -no-audio -http-proxy http://127.0.0.1:8082

  7. Confirm that the traffic passes through the proxy tool (Burp), as shown in the following screen:

Traffic captured in the proxy tool.
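
The capture steps above collected into one script, as an added example that is not part of the original post. It checks the exported certificate file, accepts only the loopback names the post uses for the proxy listener, and builds the same emulator command; the function names, the defaults, and the AVD-name check are assumptions of this example.

```sh
#!/bin/sh
# Added example: wraps the capture steps from this post.
# Function names are hypothetical; commands and flags are the post's own.

# Accept only loopback listeners, as configured in the proxy tool above.
valid_host() {
    case "$1" in
        127.0.0.1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# A TCP port must be an integer from 1 to 65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Assumption: limit AVD names to letters, digits, '.', '_' and '-',
# so the name cannot split into extra arguments when the command runs.
valid_avd() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# Print the emulator command line for an AVD and a proxy listener.
emulator_cmd() {
    avd=$1 host=$2 port=$3
    valid_avd "$avd" || { echo "bad AVD name: $avd" >&2; return 2; }
    valid_host "$host" || { echo "proxy host must be loopback: $host" >&2; return 2; }
    valid_port "$port" || { echo "bad port: $port" >&2; return 2; }
    printf 'emulator -avd %s -no-audio -http-proxy http://%s:%s\n' "$avd" "$host" "$port"
}

# Push the exported proxy certificate, then start the emulator via the proxy.
start_capture() {
    cert=$1 avd=$2 host=${3:-127.0.0.1} port=${4:-8082}
    [ -s "$cert" ] || { echo "certificate missing or empty: $cert" >&2; return 1; }
    cmd=$(emulator_cmd "$avd" "$host" "$port") || return
    adb push "$cert" /sdcard/ || return
    echo "Certificate pushed; starting emulator via $host:$port" >&2
    $cmd
}

# Usage: sh capture.sh proxy.cer test [host] [port]
[ "$#" -eq 0 ] || start_capture "$@"
```

Passing localhost as the third argument applies the routing workaround listed under Common workarounds.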

Common workarounds

  • An emulator crash during boot is a known issue. To mitigate, use the option “-no-audio.”
  • In case the traffic is not routing via the proxy, use localhost rather than the loopback IP address (127.0.0.1).

emulator -avd avdname -no-audio -http-proxy http://localhost:Portno

  • Often the virtual device loads momentarily and then crashes. In this case go to “Tools–>Avd Manager–>Select Device–>View Details” and open the emulator-user.ini file. In this file set the parameters to “window.x = 0” and “window.y = 0.”

The post How to: Testing Android Application Security, Part 1 appeared first on McAfee.