Android Mobile App Pen-Test Tricks Part I – Installing CA Certificates
Just like a web application penetration test, a mobile application penetration test is not voodoo magic, but rather an exercise in knowledge, prioritization, and efficiency. During years of hard work, penetration testers hone their methodology and develop efficient ways of applying their knowledge in order to identify specific vulnerabilities within mobile applications. The "Android Mobile Application Penetration Test Tricks" blog series will examine some techniques that you can use while performing your own penetration tests. The same concepts apply to conducting application penetration tests within Apple iOS, but obviously the implementation details are different.
In order to get your Android emulator functional, please refer to Christopher Emerson's excellent "Android Application Security Assessments" blog series. Learn how to install the Windows emulator, install the Linux emulator, configure an intercepting proxy, and install Android applications. Let's pick up where Christopher left off.
Let's hope that your Android application communicates over encrypted SSL network connections. If this is not the case, please slap the developers repeatedly. If this is the case, configuring an intercepting proxy will likely break application functionality as the intercepting proxy Certificate Authority (CA) certificate is not trusted by the emulator. Let's fix that. For the purposes of this tutorial, let's assume that you're using the Burp intercepting proxy and Android 4.2 (API Level 17, commonly known as Jelly Bean), the current version at the time of writing. Other versions of Android 4.0 (API Level 14, commonly known as Ice Cream Sandwich) and later can be configured in a similar manner.
The first step is to download your Burp CA certificate. Assuming that Burp is configured as your proxy server, you can download the certificate by browsing to http://burp/cert. The certificate is downloaded as a DER (Distinguished Encoding Rules) certificate, which is perfect for importing into the Android operating system. Just append ".der" onto the filename when you save the certificate. If you're using another intercepting proxy, you can download the certificate using your browser. For example, let's assume that you're using Firefox 19.0.2, the current version at the time of writing. Assuming that Firefox is configured to use your intercepting proxy, browse to an arbitrary SSL site and then click the padlock to the left of the address bar:
Click "More Information…", select "Security", click "View Certificate", select the "Details" tab, highlight the name of the intercepting proxy CA (not the specific site), and click "Export…":
Make your life easier by saving the certificate in "X.509 Certificate (DER)" format. Once you have downloaded the CA certificate you can start your AVD (Android Virtual Device):
$ emulator64-arm -avd myEmulator -http-proxy http://localhost:8080
Just replace "myEmulator" with the name of your AVD and modify the Burp port "8080" accordingly. In addition, note that the "emulator64-arm" command is for Android ARM emulators running within 64-bit operating systems. Depending on your operating system and emulator processor, you might need to run one of the other emulator commands instead (i.e., emulator, emulator-arm, emulator-x86, emulator64-x86, emulator-mips, or emulator64-mips). Once your emulator is running you can copy the certificate into the emulator filesystem with the following ADB (Android Debug Bridge) command:
$ adb push cacert.der /mnt/sdcard
13 KB/s (712 bytes in 0.052s)
Now we can finally install the certificate. There are a few ways to do this. The easiest is to browse to the certificate file with a file manager such as ASTRO File Manager. You can download the APK (Application Package) for ASTRO File Manager 3, the most stable version at the time of writing, from http://www.metago.net/downloads/. Alternatively, you can obtain the APK by from a physical Android device. You can install the APK within your emulator with the following ADB command:
$ adb install ASTRO_3.1.427.std.apk
3018 KB/s (2915424 bytes in 0.943s)
Now you're cooking with gas! Launch ASTRO File Manager and click "MANAGE MY FILES" and you should see the certificate in the /mnt/sdcard directory:
Click on the certificate and you'll be prompted to name the certificate. Enter a name and select "OK". You'll then be prompted to configure a lock screen pattern, PIN, or password in order to enable credential storage. Complete this step and the certificate will be installed. You can view the installed the certificate by selecting "Settings", "PERSONAL / Security", "CREDENTIAL STORAGE / Trusted Credentials", and "USER". You can click on the certificate in order to view certificate details.
Alternatively, instead of using ASTRO File Manager you can install the certificate by selecting "Settings", "PERSONAL / Security", and "CREDENTIAL STORAGE / Install certificates from SD card". However, your mileage may vary as in my environment the emulator does not consider the /mnt/sdcard directory to be a SD card within this context. In this case you'll receive the error message "No certificate file found in the SD card." Hopefully future emulator versions will fix this bug.
Your intercepting proxy CA certificate is now trusted by the emulator, so you can now proceed with your mobile application penetration test! Well that's all for this installment of the "Android Mobile Application Penetration Test Tricks" blog series. In our next installment we'll get busy with BusyBox!