These are the notes that I took during my Android application penetration testing over the years.

ADB Commands

Basic Commands

These are the regular commands for interacting with a rooted Android device.

#basic commands
adb devices
adb shell
adb push ./file /sdcard/
adb pull /sdcard/file .
adb install file.apk

# Looking for the application and its path
adb shell pm list packages
adb shell pm list packages -3
adb shell dumpsys package <package-name>
adb shell pm path <package-name>

# logcat
adb logcat "MainActivity:V *:S"
adb logcat -v "brief"

Take screenshots/screenrecord for PoC

adb exec-out screencap -p > screenshot.png
adb shell screencap /sdcard/screencap.png
adb shell screenrecord /sdcard/screenrecord.mp4

Start an Activity or Broadcast

With ADB, we can start exported activities or send broadcasts. The commands below show the syntax.

adb shell am start -n com.example.app/.ExportedActivity
adb shell am start -n com.example.app/com.example.app.ExportedActivity
adb shell am start -n com.example.app/.activities.Activity1 -a "android.intent.action.VIEW" -d "https://www.google.com"
adb shell am start -n com.example.app/.Activity2 -a "android.intent.action.SEND" --eu android.intent.extra.STREAM content://sdcard/Download/Test.pdf
adb shell am start -n com.example.app/.Activity2 -a "android.intent.action.SEND" --eu android.intent.extra.STREAM file:///sdcard/Download/Test.pdf
# Note the extra / in file:/// for the file path

Explanation:

  • -a intent action like VIEW/SEND

  • -n component name like activity name

  • -c category intent like LAUNCHER

  • --eu extra URI

  • -d data URI

  • -t mime type

The adb shell commands above can be converted into an app of our own that sends the same intents. (Create a malicious app and interact with the vulnerable app.)

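import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;

// inside an Activity of our own app
Intent intent = new Intent("android.intent.action.VIEW");
// ComponentName takes the package name and the fully qualified class name
intent.setComponent(new ComponentName("com.example.app", "com.example.app.activities.Activity1"));
String url = "https://www.google.com";
intent.setData(Uri.parse(url));
// if we need extras, use putExtra before starting the activity (value is a placeholder)
intent.putExtra("key", value);
startActivity(intent);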
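
The adb and Intent examples above only reach components that are exported. As an added example (not part of the original notes), this Python sketch lists the exported components of a decoded AndroidManifest.xml in the same package/component form that am start -n takes, and flags those with no permission guarding them. The sample manifest is constructed, and obtaining the decoded manifest (for example with apktool) is assumed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample of a decoded AndroidManifest.xml (not from a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".activities.Activity1" android:exported="true"/>
    <activity android:name=".Activity2">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
    <receiver android:name="com.example.app.SyncReceiver" android:exported="true"
              android:permission="com.example.app.permission.SYNC"/>
  </application>
</manifest>"""

def exported_components(manifest_xml):
    """Return (tag, 'package/component', permission-or-None) for each exported component."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = []
    for app in root.iter("application"):
        app_perm = app.get(ANDROID_NS + "permission")  # default for all components
        for node in app:
            if node.tag not in COMPONENT_TAGS:
                continue
            explicit = node.get(ANDROID_NS + "exported")
            # With no android:exported attribute, a component that declares an
            # intent-filter defaults to exported (apps targeting below Android 12).
            exported = (explicit == "true") if explicit is not None else (node.find("intent-filter") is not None)
            if exported:
                name = node.get(ANDROID_NS + "name", "")
                perm = node.get(ANDROID_NS + "permission") or app_perm
                found.append((node.tag, f"{package}/{name}", perm))
    return found

def unprotected(manifest_xml):
    """Exported components that adb or any other app can start without holding a permission."""
    return [c for c in exported_components(manifest_xml) if c[2] is None]

if __name__ == "__main__":
    for tag, component, _ in unprotected(SAMPLE_MANIFEST):
        print(f"{tag:9} {component}")
```

The launcher activity always shows up in this list because it has to be exported; the entries worth reviewing are the others, which should either set android:exported="false" or require a permission.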

Drozer

Drozer is a little bit old, but it was rewritten recently with Python 3 support.

adb forward tcp:31415 tcp:31415
docker run --net host -it withsecurelabs/drozer console connect --server <phones IP address>
dz>run app.package.list -f <packagename>
dz>

Rooting Pixel 5A device

I used the post below and followed the steps to root the Pixel 5A. Reference

Below are some notes from the process: from the Google website, download using "Link", not "Flash". AndroidImages

Look for the "boot.img" file, not "bootxxxxxxx.img". Extract all zip files in the folder. Commands used during this process:

fastboot flash boot "boot.img"
adb reboot-fastboot
adb pull /sdcard/Download/magisk_patched-263000_xyzabc.img
adb reboot-fastboot
fastboot flash boot "magisk_patched-263000_xyzabc.img"
adb devices
adb shell

Burp Proxy

Since Android Nougat (7), MitM with Burp has become harder and harder. Android has implemented several changes to the way it evaluates user and system certificates. The commands below are handy for quickly setting up the Burp proxy.

adb push 9a5ba757.0 /sdcard/
adb shell
mv /sdcard/9a5ba757.0 /system/etc/security/cacerts/
chmod 644 /system/etc/security/cacerts/9a5ba757.0
adb reboot

After Android 14, a few more changes happened. Because of that, we see a few more issues.

ADB Over Wi-Fi

If for some reason you are using a Docker container to test Android apps because your host machine (Mac/Windows) doesn't have the required mobile tools, you can pull a Docker image and run the required tools inside the container. In such scenarios, connecting the device over USB won't be successful; that may be a limitation of Docker. In this scenario, we can use ADB over Wi-Fi.

Steps to configure the ADB over Wi-Fi

  • Connect the device and the computer to the same Wi-Fi network

  • Plug the device into the computer with a USB cable to configure the connection

  • On terminal : adb tcpip 5555

  • On terminal : adb shell ip addr show wlan0 and copy the IP address after "inet" up to the "/". You can also find it in the Settings of the device.

  • On terminal : adb connect ip-address-of-device:5555

  • Disconnect the USB cable; you can still see the device with the adb devices command.