[PDF] White Paper: Pentesting Android Apps on Mac

MINERVA Information Security Inc - 37 N Orange Ave Ste 500, Orlando, FL 32801, USA MINERVA Information Security Ltd - Prama House, 267 Banbury Rd, Oxford OX2 7HT, UK White Paper: Pentesting Android Apps on Mac by Adrian Pastor Public Information

19-Jul-15 www.minerva-is.net - Public Information 2 Table of Contents Executive Summary ...................................................................................... 3 Introduction .................................................................................................... 4 Android SDK Setup ....................................................................................... 4 First Emulator Run ....................................................................................... 6 Importing Self-signed CA Certificate ...................................................... 7 Emulator Restart ........................................................................................ 13 Cleaning Up .................................................................................................. 14 Acknowledgments ...................................................................................... 15 About MINERVA .......................................................................................... 15 Works Cited ................................................................................................. 16 Tools Mentioned .......................................................................................... 16

19-Jul-15 www.minerva-is.net - Public Information 3 Executive Summary Mobile application penetration testing has experienced a significant increase in demand over the last few years. This is due to the ever-growing number of smartphone users worldwide who use apps to consume products and services from the comfort of their thumbs. By 2016, the number of smartphone users is predicted to reach 2.16 billion (eMarketer); that's almost 30% of the world's population predicted for 2016 (GeoHive). Of all the different smartphone operating systems, Android continues to have the greatest market share, accounting for more than 50% of the market share worldwide as of 2015 (McGrath). Demand for mobile app pentesting is likely to continue to grow as merchants and service providers continue to push critical functionality to their apps. This includes transmitting, processing, and storing personally-identifiable information (PII), cardholder and bank account data. Being able to read and modify messages transmitted by the mobile app in scope for security testing is one of the most important prerequisites for a successful engagement. The technical procedures documented in this paper are written for developers and pentesters who need to accomplish such task. The author assumes that the app in scope was developed for the Android operating system and that the tester is a Mac user with no access to an Android handset.

19-Jul-15 www.minerva-is.net - Public Information 4 Introduction The method documented in this paper assumes the tester is a Mac OS X user who has installed either the free or professional edition of Burp Suite. It has been optimized to meet the following requirements: • No Integrated Development Environment (IDE) such as Android Studio or Eclipse is installed • Only limited storage capacity is available to set up the testing environment • Tester has no budget to purchase additional software • Tester has no access to an Android handset • There is limited time to set up the testing environment The scope of this paper is limited to interception of unencrypted and encrypted communications of Android apps using the Burp intercepting proxy. Local app security checks such as application decompiling and debugging were considered out of scope. The procedures below can also be used as guidance when other proxies such as Proxy.app or ZAP are used. Windows users are recommended to read Kunjan Shah's excellent paper on the subject (Shah). Android SDK Setup Make sure you have the latest version of Java Runtime Environment (JRE) and Java Development Kit (JDK) from www.oracle.com installed, which at time of writing is version 8: $ java -version java version "1.8.0_45" Java(TM) SE Runtime Environment (build 1.8.0_45-b14) Java HotSpot(TM) 64-Bit Server VM (build 25.45-b02, mixed mode) $ javac -version javac 1.8.0_45 Install stand-alone SDK tools for Mac from developer.android.com. E.g. android-sdk_r24.3.3-macosx.zip. Unzip the file into your directory of preference, home in our case:

19-Jul-15 www.minerva-is.net - Public Information 5 Next, install Platform-tools, Build-tools, SDK Platform, and the ARM EABI v7a (or newer if available) System Image using the SDK manager. If you don't have the latest version of JDK you won't see these packages as available on the SDK Manager: $ ~/android-sdk-macosx/tools/android Click Install button and accept license for each package selected:

19-Jul-15 www.minerva-is.net - Public Information 6 Before we can run the emulator we need to create an Android Virtual Device (AVD). First, list the target platforms available. Only one should be shown in our case since we only installed one System Image (ARM EABI v7a): First Emulator Run List available targets: $ ~/android-sdk-macosx/tools/android list targets Available Android targets: ---------- id: 1 or "android-22" Name: Android 5.1.1 Type: Platform API level: 22 Revision: 2 Skins: HVGA, QVGA, WQVGA400, WQVGA432, WSVGA, WVGA800 (default), WVGA854, WXGA720, WXGA800, WXGA800-7in Tag/ABIs : default/armeabi-v7a We can now create an AVD. If your target ID is not 1, replace the value below as needed:

19-Jul-15 www.minerva-is.net - Public Information 7 $ ~/android-sdk-macosx/tools/android create avd -n testavd -t 1 Importing Self-signed CA Certificate Next we need to import Burp's self-signed CA certificate as a trusted root into the AVD. Make sure your OS X browser (not the emulator's) is configured to use Burp as a proxy (loacalhost:8080 by default). Visit http://burp/cert and save 'cacert.der' file: Next, convert the downloaded DER-encoded certificate to ASCII PEM format: $ openssl x509 -inform der -in cacert.der -out cacert.crt Then we need to create an SD card. The SD card will be used by the AVD to access the converted certificate (cacert.crt): $ ~/android-sdk-macosx/tools/mksdcard -l testsdcard 9M ~/androidsdcard Confirm SD card has been created successfully: $ file ~/androidsdcard /Users/user/androidsdcard: x86 boot sector, code offset 0x5a, OEM-ID "MSWIN4.1", Media descriptor 0xf8, sectors 18432 (volumes > 32 MB) , FAT (32 bit), sectors/FAT 143, reserved3 0x800000, serial number 0x1b044206, label: " SDCARD"

19-Jul-15 www.minerva-is.net - Public Information 8 We can finally run the emulator (the emulator is likely to take a while to load the virtual device): $ ~/android-sdk-macosx/tools/emulator -avd testavd -sdcard ~/androidsdcard

19-Jul-15 www.minerva-is.net - Public Information 9 Make sure that netcat (nc) is allowed to receive incoming connections by your OS X firewall: On your OS X terminal, run the following command on the directory where 'cacert.crt' is located. It will serve the Burp's CA certificate using netcat: $ nc -vv -l 1111 < cacert.crt Back on your Android adb shell, type the following command, where 10.1.2.3 is the IP address of your MAC (W)LAN interface: root@generic:/ # nc 10.1.2.3 1111 > /sdcard/cacert.crt If you haven't waited long enough for the emulator to load the AVD, you will receive the following permission error when trying to save the certificate to the SD card. The solution is to simply wait a bit longer and try both of the above netcat commands again: /system/bin/sh: can't create /sdcard/cacert.crt: Read-only file system

19-Jul-15 www.minerva-is.net - Public Information 10 On the Android emulator, go to Install certificate Settings / Security / Credential storage / Install from SD card:

19-Jul-15 www.minerva-is.net - Public Information 11 Select 'cacert.crt':

19-Jul-15 www.minerva-is.net - Public Information 12 Set PIN if prompted:

19-Jul-15 www.minerva-is.net - Public Information 13 Confirm that Burp's CA certificate has been successfully installed under Settings / Security / Credential storage / Trusted credentials / User: Emulator Restart Restart emulator with proxy settings enabled to use Burp: $ ~/android-sdk-macosx/tools/emulator -avd testavd -sdcard ~/androidsdcard -http-proxy http://localhost:8080 On your OS X terminal, install APK of app in scope for your pentest: $ ~/android-sdk-macOS X/platform-tools/adb install ~/my-app.apk Congratulations, you should now be able to see traffic from your Android app on Burp, including HTTPS traffic:

19-Jul-15 www.minerva-is.net - Public Information 14 Cleaning Up Remove APK and SD card once the pentest has ended: $ ~/android-sdk-macosx/platform-tools/adb shell 'pm list packages -f' |grep -i yourappname $ ~/android-sdk-macosx/platform-tools/adb uninstall apppackagename $ rm ~/androidsdcard

19-Jul-15 www.minerva-is.net - Public Information 15 Acknowledgments The author would like to thank Jan Fry and Monsy Carlo for their kind feedback. About MINERVA MINERVA is a boutique cybersecurity consultancy providing tailored services that align with your bus iness goals. We identify sec urity threats and help cl ients mitigate the associated risks. In today's rapidly evolving world no two businesses are alike and we believe that no two security assessments should be either. Our consultants have all worked with organisations across a wide range of industries from tech start-ups to those listed on the FTSE 100 and Fortune 500. Our broad experience, along with our desire to understand your business objectives, allows for the development of a personalized security approach that can safeguard your information and reputation. MINERVA is a privately-owned, vendor-neutral company with no external investors, and no sales targets. This allows us more time to focus on your needs and provide a quality service.

19-Jul-15 www.minerva-is.net - Public Information 16 Works Cited eMarketer. 2 Billion Consumers Worldwide to Get Smart(phones) by 2016. 11 December 2014. . GeoHive. Population of the entire world, yearly, 1950 - 2100. 7 July 2015 . Shah, Kunjan. Penetration Testing Android Applications. 2010. . McGrath, Felim. Android mobile now has huge lead over iOS. 10 June 2015. . Tools Mentioned Android SDK tools Burp Java JRE and JDK Proxy.app ZAP