botesjuan/mobile-app-pentest

Mobile Application Penetration Testing Setup

Problem & Solution

Redirecting traffic when proxy settings on Android fall short.
Some mobile apps ignore the proxy configured on the device's wireless adapter settings, so their traffic never reaches the proxy and is missed for interception.

The solution is a lab that sends all traffic from the Android virtual device to an invisible (transparent) proxy on a Kali Linux host, which also provides the internet routing.
Here are the steps to build and set up a Mobile Application Penetration Testing lab with a MITM (man-in-the-middle) proxy in transparent mode.

Disclaimer: this is not a detailed beginner's guide, but enough to set up the lab and do dynamic mobile application security assessments.
Included are quick steps to pull, run and use the MobSF Docker image, and to do an APK static code review.
Not included is installing and creating the virtual machines.


Parts

  • Windows 10 host machine
  • Oracle VirtualBox
  • Kali Linux Virtual machine
  • Genymotion
  • Android Virtual Machine - Virtual Cellphone
  • Frida Server
  • adb - Android Debug Bridge

Environment Drawing

environment-drawing.png

Virtual Host & Virtual Interfaces

The Android mobile phone virtual machine's network interfaces must all be set to host-only.
With only host-only adapters, the Android VM's sole way out is the Kali Linux VM acting as its gateway; confirm that no traffic escapes directly to the internet instead of going through the proxy for interception (a tcpdump on the Kali host-only interface while the phone browses should show every request).

On Oracle VirtualBox, set both network interfaces of the Android VM to host-only, matching the one Kali Linux host-only network interface:

host-only-network-interfaces.png

Confirm that both Android VM virtual network interfaces are on the same host-only adapter as one of the Kali Linux interfaces:

Virtual-network-interfaces-host-only.png

Kali Linux has two network interfaces; one of its IP addresses is on the same network as the Samsung Android mobile phone virtual device:

kali-linux-multi-homed-ip-addresses.png

Android Mobile VM

Change AndroidWifi from DHCP to static.
Inside the Android mobile phone, set the virtual wireless network AndroidWifi to the static IP address 192.168.211.119.
Set the mobile phone's wireless gateway IP to that of the Kali Linux VM, 192.168.211.117.
Also fill in a DNS server in the static configuration, since no DHCP server is supplying one; the DNS queries are routed through Kali like everything else.

android-network-ip4-static-gateway.png

Kali Linux VM

Two Virtual network interfaces:

  • eth0 - Internet - Bridge network adapter 192.168.43.134 / 41.114.154.183
  • eth1 - Android VM to Kali - Host-only network 192.168.211.117

Enable routing of internet traffic from the Android VM.
Then set up IP forwarding and the following iptables rules in a Kali Linux terminal:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
# append the setting once (a plain tee -a adds a duplicate line on every re-run)
grep -q '^net.ipv4.ip_forward = 1' /etc/sysctl.conf || echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables-save | sudo tee /etc/iptables/rules.v4

The /etc/iptables directory is created by the iptables-persistent package (installed in the Save IPTables section below); install it first, or create the directory, before saving.

The MASQUERADE target rewrites the source IP address of the Android VM's packets to the address of eth0,
so upstream they appear to originate from the Kali Linux VM.

Verify network communication now that the network adapters, IP forwarding and iptables rules are configured.

Ping from kali to the mobile phone.

MASQUERADE-routing-tables-bridged.png

If forwarding is set up correctly,
the mobile phone client (192.168.211.119) can reach the internet through the Kali Linux machine (192.168.211.117) as its gateway; a ping to an internet address from the phone (for example via adb shell ping -c 3 8.8.8.8) should succeed while the phone has no route other than Kali.

Certificate on Android device

Install the Burp Suite Proxy CA certificate on the Android device as a system CA: since Android 7 (API 24), apps do not trust user-installed CAs by default, only the system-level store.

  1. Open Burp Suite. Then Burp -> Proxy -> Options -> Export CA certificate -> Certificate in DER format.
  2. Use OpenSSL to convert DER to PEM: openssl x509 -inform DER -in burp-cacert.der -out burp-cacert.pem
  3. Get the certificate's legacy subject hash, which is the file name Android's system store uses: openssl x509 -inform PEM -subject_hash_old -in burp-cacert.pem | head -1
  4. Rename the PEM file to <hash>.0: mv burp-cacert.pem 9a5ba575.0
  5. Connect to the Android mobile device: adb connect 192.168.211.118:5555
  6. Remount the /system partition read-write: adb remount (if this fails because adbd is not running as root, run adb root first; Genymotion images already run adbd as root)
  7. Transfer the certificate: adb push 9a5ba575.0 /system/etc/security/cacerts/
  8. Set its permissions: adb shell chmod 644 /system/etc/security/cacerts/9a5ba575.0
  9. Confirm in the Android settings (Trusted credentials, System tab) that the Burp CA is now installed as a system-trusted CA certificate.

verify-system-root-certificate-installed.png
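The nine steps above as one script, added here as an example and not the repository's own code: it derives the file name from OpenSSL's legacy subject hash itself instead of reading the hash off and renaming by hand, then pushes the result with adb and checks it landed with the right mode. It assumes openssl and adb on PATH and a single device visible to adb. make_sample_ca only builds a throwaway self-signed CA (a constructed stand-in for Burp's export) so the conversion can be tried without Burp; it is not needed when installing the real Burp CA.

```shell
#!/bin/sh
# Added example (not from botesjuan/mobile-app-pentest): install a proxy CA as a
# system-trusted certificate on an Android VM whose /system can be remounted.
# Assumes: openssl and adb on PATH, one device visible to adb.

# prepare_system_ca DER_FILE [OUT_DIR]
# Android's system store (/system/etc/security/cacerts/) names each PEM file after the
# OpenSSL *legacy* subject hash (-subject_hash_old) with a ".0" suffix. Convert the DER
# export to PEM under that name and print the resulting path.
prepare_system_ca() {
    der="$1"; outdir="${2:-.}"
    hash=$(openssl x509 -inform DER -in "$der" -noout -subject_hash_old)
    out="$outdir/$hash.0"
    openssl x509 -inform DER -in "$der" -out "$out"   # output format is PEM by default
    echo "$out"
}

# push_system_ca CA_FILE DEVICE_ADDR
# Remount /system read-write and drop the certificate in with the mode the other
# entries use (0644). Newer images with system-as-root may additionally need
# 'adb disable-verity' plus a reboot before the remount succeeds.
push_system_ca() {
    cafile="$1"; device="$2"; name=$(basename "$cafile")
    adb connect "$device"
    adb root >/dev/null 2>&1 || true        # no-op where adbd already runs as root (Genymotion)
    adb remount
    adb push "$cafile" /system/etc/security/cacerts/
    adb shell chmod 644 "/system/etc/security/cacerts/$name"
    # verification: the file must be listed with mode -rw-r--r--
    adb shell ls -l /system/etc/security/cacerts/ | grep -- "$name"
}

# make_sample_ca OUT_DIR
# Constructed stand-in for Burp's export so the conversion can be exercised offline:
# a throwaway self-signed CA written in DER. Not used when installing the real Burp CA.
make_sample_ca() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed sample CA (not Burp)" \
        -keyout "$dir/sample-ca.key" -out "$dir/sample-ca.der" -outform DER 2>/dev/null
    echo "$dir/sample-ca.der"
}

# usage: sh install-system-ca.sh burp-cacert.der 192.168.211.118:5555
if [ $# -eq 2 ]; then
    ca=$(prepare_system_ca "$1")
    push_system_ca "$ca" "$2"
fi
```

Using -noout -subject_hash_old prints only the hash, so no head -1 is needed; if the resulting name collides with an existing file in cacerts/ (same subject, different CA), the suffix would have to be bumped to .1, which the script does not attempt.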

Proxy HTTPS Traffic

Redirect all HTTP and HTTPS traffic arriving on the host-only network interface to port 8080, where Burp Suite listens on the Kali Linux VM:

sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 8080

Now eth1, the interface that connects the Kali Linux VM to the Android VM via the host-only adapter, redirects traffic for ports 80 & 443 into Burp. Traffic on any other port, or non-TCP traffic, is not intercepted; it is just forwarded and masqueraded as before. REDIRECT rewrites the destination to eth1's own address (192.168.211.117), so Burp has to listen on that address.

Save IPTables

To save the current iptables configuration so it persists after a reboot:

sudo iptables-save | sudo tee /etc/iptables/rules.v4

To load the rules on boot, install iptables-persistent and enable its service:

sudo apt install iptables-persistent

sudo systemctl enable netfilter-persistent
sudo systemctl start netfilter-persistent
sudo systemctl status netfilter-persistent

iptables-saved.png

Maintenance: to delete the specific rules later and save the remaining rules:

sudo iptables -t nat -D PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -D PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 8080
sudo iptables-save | sudo tee /etc/iptables/rules.v4

Check state of iptables rules loaded:

sudo iptables -L -v -n
sudo iptables -t nat -L -v -n
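The forwarding, MASQUERADE, REDIRECT and save steps above are applied one rule at a time, which spreads the configuration over several sections and duplicates rules on every re-run. The following script is an added example (not part of the repository) that produces the whole rule set as one iptables-restore file and applies it atomically; interface names and the proxy port are parameters defaulting to the README's eth0, eth1 and 8080. The FORWARD DROP policy and the INPUT rule that keeps the proxy port off the bridged adapter are this example's own hardening choices, not something the README configures.

```shell
#!/bin/sh
# Added example (not from botesjuan/mobile-app-pentest): generate and apply the complete
# lab rule set as one iptables-restore file instead of appending rules piecemeal.
# Defaults follow the README: eth0 = bridged internet adapter, eth1 = host-only adapter
# facing the Android VM, 8080 = Burp listener. Run as root to apply.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
PROXY_PORT="${PROXY_PORT:-8080}"

# gen_rules WAN_IF LAN_IF PROXY_PORT
# Prints the rule set in iptables-restore format. Pure text output, so it can be
# reviewed, diffed and tested before anything touches the kernel.
gen_rules() {
    wan="$1"; lan="$2"; port="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Transparent interception: HTTP/HTTPS arriving from the Android VM goes to Burp.
# REDIRECT rewrites the destination to $lan's own address, so Burp only needs to
# listen there, not on every interface.
-A PREROUTING -i $lan -p tcp --dport 80 -j REDIRECT --to-ports $port
-A PREROUTING -i $lan -p tcp --dport 443 -j REDIRECT --to-ports $port
# Everything else leaving via the internet adapter is masqueraded as Kali's address.
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Hardening choice of this example: do not expose the proxy listener on the bridged side.
-A INPUT -i $wan -p tcp --dport $port -j DROP
# Only the Android VM may be routed out; replies come back via connection tracking.
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# apply_rules: enable forwarding persistently, load the rule set atomically
# (iptables-restore replaces the nat and filter tables, so re-running never
# duplicates rules) and save it where netfilter-persistent reloads it on boot.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-mobile-pentest.conf
    gen_rules "$WAN_IF" "$LAN_IF" "$PROXY_PORT" | iptables-restore
    mkdir -p /etc/iptables
    gen_rules "$WAN_IF" "$LAN_IF" "$PROXY_PORT" > /etc/iptables/rules.v4
}

# check_rules: self-test that the interception rules are actually loaded
# (iptables -C exits non-zero when a rule is missing).
check_rules() {
    iptables -t nat -C PREROUTING -i "$LAN_IF" -p tcp --dport 443 -j REDIRECT --to-ports "$PROXY_PORT" &&
    iptables -t nat -C POSTROUTING -o "$WAN_IF" -j MASQUERADE &&
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ]
}

case "${1:-}" in
    show)  gen_rules "$WAN_IF" "$LAN_IF" "$PROXY_PORT" ;;
    apply) apply_rules && check_rules && echo "lab rules loaded" ;;
    check) check_rules ;;
esac
```

Run sh lab-rules.sh show to review the generated file, sudo sh lab-rules.sh apply to load and save it, and sudo sh lab-rules.sh check after a reboot to confirm netfilter-persistent restored it.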

Burp Suite Proxy Invisible

In Burp Suite settings > Tools > Proxy > Binding tab: Bind to address - All interfaces.
Request handling - enable: Support invisible proxying

burp-proxy-Support-invisible-proxying.png

Binding to all interfaces also exposes the listener on the bridged eth0 address. Since REDIRECT delivers the packets to eth1's own address, binding to the specific address 192.168.211.117 is sufficient and keeps the proxy off the bridged network.

Note: stop MobSF if port 8080 reports an error that it is already in use.

SSL Pinning Bypass

Frida to bypass certificate pinning

pip install frida-tools

Download the latest Frida Server release (see the reference at the bottom for the download link). The frida-server version must match the frida version installed with frida-tools (check with frida --version), and the binary must match the device ABI (x86 for the Genymotion image used here).
Push the frida-server binary to the Android mobile phone:

adb push Downloads\frida-server-16.5.6-android-x86\frida-server-16.5.6-android-x86 /data/local/tmp/frida-server

Connect and execute frida-server:

adb shell
cd /data/local/tmp
chmod 755 frida-server
./frida-server

frida-server.png

Edit fridaScript.js as needed; note that the script already refers to the certificate by the name and path cert-der.crt, so the exported Burp CA must be provided there under that name.
Find the package name of the in-scope target application among the processes listed by Frida, then spawn it with the script loaded:

frida-ps -Ua
frida -U -f com.mobileappname.prod -l c:\tools\fridaScript.js 

frida-script-ssl-pinning.png
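An added example, not the repository's script, tying the frida-server steps together on the Kali/Linux side: it maps the device ABI reported by adb to the frida-server asset name, builds the GitHub release URL, pushes and starts the server in the background, and refuses to proceed when the server version differs from the local frida-tools version (the usual reason frida cannot attach). The release URL layout and asset naming are those of the frida/frida GitHub releases; adb, curl, xz and frida on PATH and a single device are assumptions.

```shell
#!/bin/sh
# Added example (not from botesjuan/mobile-app-pentest): fetch, push and start the
# frida-server that matches the local frida-tools version and the device's CPU ABI.
# Assumes adb, curl, xz and frida (frida-tools) on PATH and one device visible to adb.

# abi_to_frida_arch ANDROID_ABI -> frida-server arch suffix
# Android reports its ABI as e.g. "x86", "x86_64", "arm64-v8a", "armeabi-v7a"; the
# release assets are named frida-server-<ver>-android-<x86|x86_64|arm64|arm>.xz.
abi_to_frida_arch() {
    case "$1" in
        x86)                 echo x86 ;;
        x86_64)              echo x86_64 ;;
        arm64-v8a)           echo arm64 ;;
        armeabi-v7a|armeabi) echo arm ;;
        *) echo "unsupported ABI: $1" >&2; return 1 ;;
    esac
}

# frida_server_url VERSION ARCH -> download URL on the frida/frida GitHub releases page
frida_server_url() {
    echo "https://github.com/frida/frida/releases/download/$1/frida-server-$1-android-$2.xz"
}

# versions_match LOCAL REMOTE: frida-server must be the exact same release as the
# python bindings behind frida-tools, or the client cannot talk to it.
versions_match() { [ "$1" = "$2" ]; }

# deploy_frida_server: detect ABI, download the matching asset once, push, start
# detached, and verify that client and server versions agree.
deploy_frida_server() {
    ver=$(frida --version)                                    # local frida-tools/frida version
    abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')
    arch=$(abi_to_frida_arch "$abi") || return 1
    asset="frida-server-$ver-android-$arch"
    [ -f "$asset" ] || curl -fsSL "$(frida_server_url "$ver" "$arch")" | xz -d > "$asset"
    adb push "$asset" /data/local/tmp/frida-server
    adb shell chmod 755 /data/local/tmp/frida-server
    # start in the background; a plain 'adb shell ./frida-server' ties up the terminal
    adb shell "nohup /data/local/tmp/frida-server >/dev/null 2>&1 &"
    sleep 2
    frida-ps -U >/dev/null || { echo "frida cannot reach the server on the device" >&2; return 1; }
    remote=$(adb shell /data/local/tmp/frida-server --version | tr -d '\r')
    versions_match "$ver" "$remote" || { echo "version mismatch: local $ver, device $remote" >&2; return 1; }
    echo "frida-server $remote running on $abi device"
}

# usage: sh deploy-frida.sh deploy
if [ "${1:-}" = deploy ]; then
    deploy_frida_server
fi
```

After a successful deploy, frida-ps -Ua and the frida -U -f ... -l fridaScript.js command from the README work unchanged; when pip upgrades frida-tools, re-run the deploy so the server version follows.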

Happy Traffic interception...

MobSF

Pull the Docker image opensecurity/mobile-security-framework-mobsf:

sudo docker pull opensecurity/mobile-security-framework-mobsf

Run the MobSF Docker image:

sudo docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf

This port mapping publishes the web UI on every host address, including the bridged adapter; since MobSF ships with default credentials, use -p 127.0.0.1:8000:8000 if it should only be reachable from the Kali VM itself.

mobsf-apk-analysis.png

Open: http://localhost:8000 (the container reports it is listening on http://0.0.0.0:8000)

Credentials: mobsf/mobsf

mobsf-dynamic-static-analyzer.png

Static APK Code Review

Using jadx-gui:

sudo apt install jadx
jadx-gui app-1-0-signed.apk

External References

