Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.
Cyber Security Group

Android Application Security Assessments - Part 1: Setting Up Your Windows Testing Environment

Created: 19 Dec 2011 • Updated: 10 Jan 2012 • 4 comments
Christopher.Emerson's picture
+7 9 Votes
Login to vote

Welcome to the exciting world of Android Application Security Assessments.  You are presumably here to learn how to perform vulnerability assessments against Android applications.  If you are looking for tips on growing organic produce, please head one blog over.

Let’s start by setting up our test environment, in this case, a Windows XP system.  The Linux setup will be detailed in the next blog posting. 

Android SDK

Let’s assume you already have Windows XP installed.  You will need to download the Android SDK.  Grab the installer and run it.  During the installation, the Windows installer will check to see if the proper Java SE Development Kit (JDK) is already installed.  If not, it will install it on your behalf.  (Yay!) 

Trust Google’s recommendations and select the defaults during the installation.

Now, you will want to run the ‘android.bat’ file (located in the ‘tools\’ directory).  This will launch the Android SDK and AVD Manager.

            Click on ‘Available Packages’ in the menu on the left.

            In the main window, expand the Android Repository.

            Select the packages you would like to download.
                        Check the box next to ‘Android SDK Platform-tools, revision n
                        Check the box next to the Android SDK Platform you would like to emulate.
                                  (You can always reopen the Android SDK and AVD Manager and download more Android SDK Platforms later.)
                        Press the ‘Install Select’ button.
                        Press ‘Install’.

            Optional: I recommend adding the ‘tools/’ and ‘platform-tools/’ folders to your PATH environment variable.

            Right-Click on ‘My Computer’, select ‘Properties’ and the select the ‘Advanced Tab’.  Press the ‘Environment Variables’ button.  A new dialog box will appear.  Under ‘System Variables’, double-click on ‘Path’.  Add the full path to ‘tools/’ and ‘platform-tools/’ folders to the path.

Java

In case you missed it, the Windows installer will check to see if the proper Java SE Development Kit (JDK) is already installed.  If not, it will install it on your behalf.  (Yay again!)

Proxy (BURP)

BURP is my personal proxy of choice.  Others may prefer Paros, WebScarab or ZAP and their sites can show you how to setup those proxies. 

Once your proxy finishes downloading, extract the contents to a folder of your choosing.

Next time we will discuss this same setup, but replacing Linux as your OS du jour.

Comments 4 CommentsJump to latest comment

Mick2009's picture

Android Application Security Assessments - Part 2: Setting Up Your Linux Testing Environment
https://www-secure.symantec.com/connect/blogs/httpswww-securesymanteccomconnectblogsandroid-application-security-assessments-part-1-setting

With thanks and best regards,

Mick

+1
Login to vote
nmonkee's picture

http://labs.mwrinfosecurity.com/tools/2012/03/16/mercury/

 

A free framework for bug hunters to find vulnerabilities, write proof-of-concept exploits and play in Android.

  • Use dynamic analysis on Android applications and devices for quicker security assessments.
  • Share publicly known methods of exploitation on Android and proof-of-concept exploits for applications and devices.
  • The easy extensions interface allows users to write custom modules and exploits for Mercury.
  • Replace custom applications and scripts that perform single tasks with a framework that provides many tools.

Mercury allows you to:

  1. Interact with the 4 IPC endpoints - activities, broadcast receivers, content providers and services
  2. Use a proper shell that allows you to play with the underlying Linux OS from the point of view of an unprivileged application (you will be amazed at how much you can still see)
  3. Find information on installed packages with optional search filters to allow for better control
  4. Built-in commands that can check application attack vectors on installed applications
  5. Tools to upload and download files between the Android device and computer without using ADB (this means it can be done over the internet as well!)
  6. Create new modules to exploit your latest finding on Android, and playing with those that others have found
0
Login to vote
lorainebell's picture

A study of 13,500 Android apps show that about 8 percent of the apps do not have the security to protect users from data theft. As a result, users are vulnerable to accessed logins and banking information, as well as manipulation of app commands and etc. They said that the vulnerable apps could be exploited, allowing an attacker to steal highly sensitive usernames and passwords for Facebook, WordPress, Twitter, Google, Yahoo and, even more worryingly online banking accounts.

0
Login to vote