• Introduction to Android Testing
– Static Analysis
– Dynamic Analysis
– Local Storage Inspection
Android Security Testing
• Can install apps on device and go hack the
• Can install the application in the emulator and test it.
• Android is a Linux kernel based OS.
• The Dalvik VM (Dalvik Virtual Machine) is what executes the dex file (Dalvik Executable).
• An APK (Android Application Package) contains all the resources, i.e. the manifest file, signatures, dex file, and other resources in a zipped
So what happens?
• Java source code is compiled to Java bytecode using the Java compiler.
• The bytecode is converted into Dalvik code using
• The Dalvik Executable (dex file) goes to the Dalvik VM and executes within it.
Pentest: How to do it?
• Break the testing into
– Static Testing
– Dynamic Testing
– Local Storage
• Try to uncover issues in
• Get the .apk file.
• Reverse Engineer it.
• Decompile / Dis-assemble it.
• Disassemble it using
– Dedexer (gives assembly-like output), or
– Baksmali (based on Dedexer; gives code that is easier to understand).
• Decompile it using
– Dex2jar (turns Dalvik code into Java bytecode, a jar file).
– Use jd-gui to view the Java source code.
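The slides describe the APK as a zip holding the manifest, signatures and the dex file, and the toolchain that turns Java bytecode into that dex file. Before handing a pulled APK to Baksmali or Dex2jar it is worth confirming that the file really is an APK and that its classes.dex is intact, because the dex header carries its own integrity fields (an Adler-32 checksum and a SHA-1 digest over the rest of the file). The following is an added example, not code from the slides or from any of the tools named above: it constructs a header-only classes.dex and a minimal in-memory APK (both constructed samples), then inspects the zip layout and verifies the dex header. A real app's classes.dex has non-zero section sizes; only the header layout is exercised here.

```python
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70          # the dex header is always 112 bytes
DEX_MAGIC_PREFIX = b"dex\n"     # followed by a 3-digit version and NUL
DEX_ENDIAN_TAG = 0x12345678     # little-endian marker stored in the header

# Names of the 20 little-endian uint32 fields that follow the signature.
HEADER_FIELDS = [
    "file_size", "header_size", "endian_tag", "link_size", "link_off",
    "map_off", "string_ids_size", "string_ids_off", "type_ids_size",
    "type_ids_off", "proto_ids_size", "proto_ids_off", "field_ids_size",
    "field_ids_off", "method_ids_size", "method_ids_off", "class_defs_size",
    "class_defs_off", "data_size", "data_off",
]


def build_dex(version=b"035"):
    """Construct a header-only dex file (constructed sample, contains no classes)."""
    # file_size, header_size, endian_tag, then 17 zero fields (no sections).
    tail = struct.pack("<20I", DEX_HEADER_SIZE, DEX_HEADER_SIZE, DEX_ENDIAN_TAG, *([0] * 17))
    signature = hashlib.sha1(tail).digest()                 # SHA-1 of bytes from offset 32
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF  # Adler-32 of bytes from offset 12
    return DEX_MAGIC_PREFIX + version + b"\0" + struct.pack("<I", checksum) + signature + tail


def build_apk(dex_bytes):
    """Construct an in-memory APK: manifest, dex, META-INF signature files, resources."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<constructed binary manifest placeholder>")
        z.writestr("classes.dex", dex_bytes)
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"<constructed signature block placeholder>")
        z.writestr("res/values/strings.xml", b"<resources/>")
    return buf.getvalue()


def parse_dex_header(dex):
    """Decode the dex header and verify its magic, size, checksum and signature."""
    if len(dex) < DEX_HEADER_SIZE or not dex.startswith(DEX_MAGIC_PREFIX):
        raise ValueError("not a dex file")
    header = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", dex, 32)))
    header["version"] = dex[4:7].decode("ascii")
    header["checksum"], = struct.unpack_from("<I", dex, 8)
    header["signature"] = dex[12:32].hex()
    # Integrity fields: a tampered or truncated pull fails one or more of these.
    header["size_ok"] = header["file_size"] == len(dex)
    header["checksum_ok"] = (zlib.adler32(dex[12:]) & 0xFFFFFFFF) == header["checksum"]
    header["signature_ok"] = hashlib.sha1(dex[32:]).hexdigest() == header["signature"]
    header["endian_ok"] = header["endian_tag"] == DEX_ENDIAN_TAG
    return header


def inspect_apk(apk_bytes):
    """List the parts of the package the slides mention and check every dex inside it."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        report = {
            "has_manifest": "AndroidManifest.xml" in names,
            "dex_files": sorted(n for n in names if n.endswith(".dex")),
            "signature_files": sorted(n for n in names if n.startswith("META-INF/")),
        }
        report["dex_headers"] = {n: parse_dex_header(z.read(n)) for n in report["dex_files"]}
    return report


if __name__ == "__main__":
    apk = build_apk(build_dex())
    for name, hdr in inspect_apk(apk)["dex_headers"].items():
        print(name, "version", hdr["version"], "checksum_ok", hdr["checksum_ok"],
              "signature_ok", hdr["signature_ok"], "size_ok", hdr["size_ok"])
```

To use this on a real pull, replace `build_apk(build_dex())` with the bytes of the APK you retrieved; `inspect_apk` then tells you which dex files are present and whether any of them fail the header checks before you spend time decompiling them.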
What to look for?
• Look for API information, database connection strings, internal / external IP disclosures and ports, etc.
• If you are lucky, you might get a password too. Believe me, developers are crazy.
• If you can go for social engineering stuff, a lot of emails can be
• Tip: A pair of /* and */ holds a lot of information.
Local Storage Inspection
• Check for sensitive data getting stored on client side.
• XML files and database files are most commonly found.
• Inspect memory for sensitive information > memdump
• Inspect generated logs for sensitive information >
• Uninstall and check if things remain in application
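The two slides above name the same kinds of indicators in two places: in decompiled source (API details, connection strings, IPs and ports, emails, passwords, and the contents of /* */ comments) and in local storage (XML preference files, logs). The following is an added example, not code from the slides; it runs one set of patterns over a constructed jd-gui style source listing, a constructed SharedPreferences XML file and a few constructed logcat lines, so the same checklist serves both the static review and the local storage inspection. The sample data, the pattern set and the function names are all constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of what jd-gui might show after Dex2jar (not from a real app).
DECOMPILED_JAVA = """
package com.example.demo;
/* TODO remove before release:
   staging server 10.0.12.7:8443, admin / Summer2013!
*/
public class Config {
    static final String API_KEY = "dev-key-123";
    static final String DB_URL = "jdbc:mysql://203.0.113.10:3306/shop";
    static final String SUPPORT = "devops@example.com";
    static final String PASSWORD = "s3cret";
}
"""

# Constructed shared_prefs XML as found under /data/data/<pkg>/shared_prefs/.
SHARED_PREFS_XML = b"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <boolean name="remember_me" value="true" />
    <string name="session_token">eyJhbGciOiJIUzI1NiJ9.constructed</string>
</map>
"""

# Constructed logcat lines.
LOGCAT = """\
D/LoginActivity( 1234): POST https://api.example.com/login user=alice pass=hunter2
I/Network( 1234): connected to 192.168.1.20:8080
D/Prefs( 1234): saved token=eyJhbGciOiJIUzI1NiJ9.constructed
"""

# One pattern per indicator the slides tell you to hunt for.
PATTERNS = {
    "block_comment": re.compile(r"/\*.*?\*/", re.S),
    "ip_port": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b"),
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "connection_string": re.compile(r"\bjdbc:[^\s\"']+"),
    "credential": re.compile(
        r"(?i)\b(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\b\W{0,3}[=:]\s*\"?[^\"\s,;]+"
    ),
}

# Preference keys whose presence on disk deserves a closer look.
SENSITIVE_KEY = re.compile(r"(?i)pass|pwd|secret|token|key|pin|card|ssn")


def scan_text(text, origin):
    """Return (origin, kind, match) for every indicator found in free text."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append((origin, kind, m.group(0).strip()))
    return findings


def scan_shared_prefs(xml_bytes):
    """Return (origin, element tag, key, value) for sensitively named preference keys."""
    hits = []
    for el in ET.fromstring(xml_bytes):
        name = el.get("name", "")
        if SENSITIVE_KEY.search(name):
            value = el.text if el.text is not None else el.get("value", "")
            hits.append(("shared_prefs", el.tag, name, value))
    return hits


def full_report():
    """Run all three inspections and group the results by origin."""
    findings = scan_text(DECOMPILED_JAVA, "jd-gui") + scan_text(LOGCAT, "logcat")
    findings += scan_shared_prefs(SHARED_PREFS_XML)
    by_origin = {}
    for f in findings:
        by_origin.setdefault(f[0], []).append(f[1:])
    return by_origin


if __name__ == "__main__":
    for origin, items in full_report().items():
        print(origin)
        for item in items:
            print("   ", item)
```

Point `scan_text` at the output of jd-gui or at `adb logcat` captures, and `scan_shared_prefs` at the XML files pulled from the app's shared_prefs directory; anything the uninstall leaves behind can be fed through the same functions.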
• AppUse is quite slow:
– Save time in loading your Emulator.
– Save time in installing app.
• ADB always runs behind the device. If you are idle, adb doesn't work, or restart your
– Keep your ADB attached to the device constantly.
• Commands for every push, apk installation, etc.
– Get a drag-and-drop feature.
• Organization might ask you to get application from play store.
– Get Play Store.
– Gives you all the above sweet cake.
– Supports webcam, microphone, GPS, etc. as well (haven't tested them, however).
– Not stable (one bad out of six is never bad).
Time's up: What next?
• OWASP Mobile Top 10
• Drozer (for Inter
• Explore new tools all
• Keep sharing.