Android Application Security Assessments - Part 1: Setting Up Your Windows Testing Environment
Welcome to the exciting world of Android Application Security Assessments. You are presumably here to learn how to perform vulnerability assessments against Android applications. If you are looking for tips on growing organic produce, please head one blog over.
Let’s start by setting up our test environment, in this case, a Windows XP system. The Linux setup will be detailed in the next blog posting.
Android SDK
Let’s assume you already have Windows XP installed. You will need to download the Android SDK. Grab the installer and run it. During the installation, the Windows installer will check to see if the proper Java SE Development Kit (JDK) is already installed. If not, it will install it on your behalf. (Yay!)
Trust Google’s recommendations and select the defaults during the installation.
Now, you will want to run the ‘android.bat’ file (located in the ‘tools\’ directory). This will launch the Android SDK and AVD Manager.
Click on ‘Available Packages’ in the menu on the left.
In the main window, expand the Android Repository.
Select the packages you would like to download.
Check the box next to ‘Android SDK Platform-tools, revision n’
Check the box next to the Android SDK Platform you would like to emulate.
(You can always reopen the Android SDK and AVD Manager and download more Android SDK Platforms later.)
Press the ‘Install Selected’ button.
Press ‘Install’.
Optional: I recommend adding the ‘tools/’ and ‘platform-tools/’ folders to your PATH environment variable.
Right-click on ‘My Computer’, select ‘Properties’ and then select the ‘Advanced’ tab. Press the ‘Environment Variables’ button. A new dialog box will appear. Under ‘System Variables’, double-click on ‘Path’. Append the full paths to the ‘tools/’ and ‘platform-tools/’ folders to the existing value.
Java
In case you missed it, the Windows installer will check to see if the proper Java SE Development Kit (JDK) is already installed. If not, it will install it on your behalf. (Yay again!)
Proxy (BURP)
BURP is my personal proxy of choice. Others may prefer Paros, WebScarab or ZAP, and their sites can show you how to set up those proxies.
Once your proxy finishes downloading, extract the contents to a folder of your choosing.
Next time we will discuss this same setup, but with Linux as your OS du jour.
Comments
Part 2 Now Available!
Android Application Security Assessments - Part 2: Setting Up Your Linux Testing Environment
https://www-secure.symantec.com/connect/blogs/httpswww-securesymanteccomconnectblogsandroid-application-security-assessments-part-1-setting-
With thanks and best regards,
Mick
Updated Link
That link doesn't seem to be working. Try this one:
https://www-secure.symantec.com/connect/blogs/android-application-security-assessments-part-2-setting-your-linux-testing-environment
Android Assessment Framework from MWR
http://labs.mwrinfosecurity.com/tools/2012/03/16/mercury/
A free framework for bug hunters to find vulnerabilities, write proof-of-concept exploits and play in Android.
Mercury allows you to: