
What's@Stake

Showing posts tagged with Android
Showing posts in English
Christopher.Emerson | 01 Feb 2012 | 1 comment

We have come to the end of this series and you should now have an idea of how to start your own Android Application Security Assessment and even reverse engineer your app to source code.  Before we go, here are a few other mumblings that you may find useful. 

Additional tools for your arsenal:

Android Debug Bridge (ADB) is a command-line client application that allows you to communicate with the emulator (or a connected Android device).  It comes with the Android SDK and you already used this to install an...

Christopher.Emerson | 01 Feb 2012 | 4 comments

There are times in security engagements when having an application’s source code can make your life infinitely easier.  Fortunately, there are publicly available tools to make this a painless process.

If you are looking for how to install apps into your environment, take a look here, or check here for a list of all the previous entries in this series.

Convert The Android Application Package File (.apk) To A Java Archive (.jar)

Remember that copy of the .apk file that our project team gave us (or that we downloaded from the Marketplace)?  You are going to need that.

The Android .apk file is essentially a compressed file, containing the manifest file, certificates, resources, assets and the program code, compiled in the Dalvik Executable (.dex) format.

Converting your target .apk file into a .jar file is pretty simple.

...

Christopher.Emerson | 24 Jan 2012 | 0 comments

If you were using your Android device for testing, this could be as simple as visiting the Marketplace, searching for your app and pressing Install.  But we already went through the effort of setting up our testing environment, and the Android emulator cannot download apps directly, so we are going to have to jump through a few hoops to get your target application installed.

 

Obtain The Android Application Package File (.apk)

In most situations, you should simply ask your project contact “Hey, can you please send me the .apk file?”  Do not forget to say please!

If, for whatever reason, that is not an option for you, all hope is not lost.

  1. Download the target application from the marketplace to your physical Android...

Christopher.Emerson | 18 Jan 2012 | 1 comment

You now should have a working test environment with all of the primary assessment tools.  Time to create our Android Virtual Device (AVD) and connect it via proxy!

Create an AVD

To start, you will want to run the android file (located in the ‘tools/’ directory).  This will launch the Android SDK and AVD Manager.

  • Linux: $ ./android
  • Windows: C:\>android

  1. Click on ‘Virtual Devices’ (if it is not already selected) in the menu on the left.

  2. On the far right, press the “New” button.

  3. Fill in the data for your new AVD (...

Christopher.Emerson | 10 Jan 2012 | 1 comment

Last time we took a look at setting up our environment for Windows users.  Now let’s take a look at the setup for Ubuntu Linux users.

Java

If you need help installing Ubuntu, there are many useful sites to walk you through the process.  Once your OS is ready, you will need to install Java.  I personally prefer the official JDK from Oracle and I will show you how to install that.  If you choose to use OpenJDK, let me know how that goes for you.

Start by determining which version of Java is currently available:

        $ apt-cache search jdk | grep sun

Next, download and install Java via apt-get:

        $ sudo apt-get install sun-java6-jdk sun-java6-jre

Confirm your install has...

Christopher.Emerson | 10 Jan 2012 | 4 comments

Welcome to the exciting world of Android Application Security Assessments.  You are presumably here to learn how to perform vulnerability assessments against Android applications.  If you are looking for tips on growing organic produce, please head one blog over.

Let’s start by setting up our test environment, in this case, a Windows XP system.  The Linux setup will be detailed in the next blog posting. 

Android SDK

Let’s assume you already have Windows XP installed.  You will need to download the Android SDK.  Grab the installer and run it.  During the installation, the Windows installer will check to see if the proper Java SE Development Kit (JDK) is already installed.  If not, it will install it on your behalf.  (Yay!) 

Trust Google’s...