
Difference between revisions of "SettingupMobileTestingLab"

From OWASP
 
(6 intermediate revisions by the same user not shown)
Line 1: Line 1:
This document details how to set up an Android lab so you can do mobile app assessments without the need for a physical mobile phone. It will discuss some of the common and useful tools, what their purposes are and how they can be used.
+
This document details how to set up an Android lab so you can perform mobile app assessments without the need for a physical mobile phone. It will discuss some of the common and useful tools, what their purposes are and how they can be used.
  
 
The prerequisites are simple: Java and an OS.
 
The prerequisites are simple: Java and an OS.
Line 12: Line 12:
  
 
URL: http://developer.android.com/sdk/index.html
 
URL: http://developer.android.com/sdk/index.html
 
  
  
 
== Install tools ==
 
== Install tools ==
  
Install the tools and the Android OS. At a minimum you'll want the SDK tools and SDK platform tools which we'll use later on. Then choose an Android version. There's a long list of Android versions and other extras. I usually go with the latest version. It's a straight forward next install process but it might take a while.
+
Install the tools and the Android OS. At a minimum you'll want the SDK tools and SDK platform tools which we'll use later on. Then choose an Android version. There's a long list of Android versions and other extras. It's a straight forward install process but it might take a while.
  
 +
[[File:1-_sdk_manager.png]]
  
 
== Emulator ==
 
== Emulator ==
  
Step three is to set up an Android emulator. You do this using the AVD manager which is part of the SDK tool. AVD stands for Android Virtual Device and it looks something like this. You click on New and here's what these options mean.
+
Step three is to set up an Android emulator. You do this using the AVD manager which is part of the SDK tool. AVD stands for Android Virtual Device and it looks like the picture below.
 +
 
 +
[[File:install emulator.png]]
  
 +
Once the installation is complete you'll need to create a new AVD simply by clicking on New on the Android Virtual Device Manager
  
 +
[[File:andoird avd new.png]]
  
 
== Create AVD ==
 
== Create AVD ==
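Review bot: the added image link [[File:andoird avd new.png]] misspells "android" in the file name, and the rewritten Install tools paragraph keeps "straight forward" where "straightforward" is meant. The new sentence ending "by clicking on New on the Android Virtual Device Manager" also has no closing period. Suggest confirming the upload exists under that name (or renaming it) and fixing both sentences in the same edit.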
Line 30: Line 34:
 
Enter a name for your virtualized Android, and select the version of Android you want to use from the drop-down menu if you've installed different versions. Enter a size under the SD Card entry; this is a virtual SD card that’s actually an IMG file that Android will use to store your settings and files in.
 
Enter a name for your virtualized Android, and select the version of Android you want to use from the drop-down menu if you've installed different versions. Enter a size under the SD Card entry; this is a virtual SD card that’s actually an IMG file that Android will use to store your settings and files in.
  
Diff between Android and Google API?
+
[[File:create avd.png]]
 
 
  
 
== Start Emulator ==
 
== Start Emulator ==
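Review bot: the removed line "Diff between Android and Google API?" in the Create AVD section was an open question, and this revision deletes it without answering it. The paragraph above still tells the reader to select a version from the drop-down menu, so a sentence explaining that choice would serve the reader better than dropping the question.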
Line 37: Line 40:
 
By now you'll have a fully functioning emulator that you can use just like your phone. One thing you'll notice missing is the Android market or play store which you usually use to download and install applications. The good news is that we don't need it... for now.
 
By now you'll have a fully functioning emulator that you can use just like your phone. One thing you'll notice missing is the Android market or play store which you usually use to download and install applications. The good news is that we don't need it... for now.
  
 
+
[[File:working emulator.png]]
  
 
== Install apk ==
 
== Install apk ==
  
without the need of the android market we can install the application directly if we have the .apk file. This is the Android Application Package (APK) file. It sounds fancy but it's really a zipped file based on JAR format which will come in handy when we try to reverse the application later. Usually the client will provide this file.
+
without the need of the android market we can install the application directly if we have the .apk file. This is the Android Application Package (APK) file. In reality it's a zipped file based on JAR format which will come in handy when we try to reverse the application later.
 
 
  
 +
[[File:apk.png]]
  
 
== ADB ==
 
== ADB ==
  
To install apk file we use the Android Debugging Bridge. The ADB tool part of the paltform-tools we installed with the SDK manager at the beginning. It's got a lot of uses one of which is to install and uninstall app. We do this by typing going to the platform-tools directory and lunching adb with the install command while the emulator is running
+
To install apk file we use the Android Debugging Bridge. The ADB tool part of the platform-tools we installed with the SDK manager at the beginning. It's got a lot of uses one of which is to install and uninstall app. We do this by typing going to the platform-tools directory and lunching adb with the install command while the emulator is running
 
 
  
 +
[[File:adb install.png]]
  
 
== Proxy ==
 
== Proxy ==
  
Start up the emulator using the proxy command to tell it to tunnel traffic through your local proxy. In this current setup you'll also be able to test https website but you'll not be able to authenticate if there's a login page because of certificate errors. There seems a lot of ways to documented to overcome this but non has worked for me. So if anyone has any tips or solutions please do share hem with me.
+
Start up the emulator using the proxy command to tell it to tunnel traffic through your local proxy. In this current setup you'll also be able to test https website but you'll not be able to authenticate if there's a login page because of certificate errors. There seems to be a lot of ways documented to overcome this. One my favorite is using Mallory.
  
 +
[[File:proxy command.png]]
  
 
== Mallory ==
 
== Mallory ==
  
What if the application you're testing that doesn't use standard http/s but instead uses some proprietary protocol? There's a tool for that called mallory. It's a very effective transparent TCP/UDP proxy. Setting it up is a bit of pain but the process is well documented online. If you need the resources let me know and I'll send them over.
+
What if the application you're testing that doesn't use standard http/s but instead uses some proprietary protocol? There's a tool for that called Mallory. It's a very effective transparent TCP/UDP proxy. Setting it up is a bit tedious but the process is well documented online.
  
 +
[[File:mallory.png]]
  
 
== Decompiling app (jd-gui) ==
 
== Decompiling app (jd-gui) ==
  
Apart from treating the application as a regular WAVA there are a few other things to do. One is trying to decompile the application. We already mentioned that the .apk is a compressed JAR format and so it can easily be decompiled using numerous tools. Here's an example of a class Adel found the encryption key in.
+
Apart from treating the application as a regular application there are a few other things to do. One is trying to decompile the application. We already mentioned that the .apk is a compressed JAR format and so it can easily be decompiled using numerous tools.
  
  
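Review bot: in the Proxy paragraph the new closing sentence "One my favorite is using Mallory." is missing "of", and it replaces the earlier statement that none of the documented certificate workarounds worked without saying how Mallory gets past the certificate errors described one sentence before. The ADB paragraph fixes "paltform-tools" but leaves "typing going" and "lunching adb" in place, and "The ADB tool part of" still lacks a verb. Suggest adding one sentence on what Mallory changes for HTTPS logins and copy-editing the ADB paragraph in the same revision.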
Line 70: Line 75:
 
We can browse the application directory using the adb tool. By issuing the shell command we can browse to the /data/data folder where the packages are installed. We can then look for interesting information such as encryption keys in xml files
 
We can browse the application directory using the adb tool. By issuing the shell command we can browse to the /data/data folder where the packages are installed. We can then look for interesting information such as encryption keys in xml files
  
 
+
[[File:shell.png]]
  
 
== Memory ==
 
== Memory ==
Line 76: Line 81:
 
Android ships with a debugging tool called the Dalvik Debug Monitor Server (DDMS). This is part of the Eclipse tool suite so obviously we need to install Eclipe. We can use this to obtain a memory dump of the application during runtime. This hopefully will yield some good information.
 
Android ships with a debugging tool called the Dalvik Debug Monitor Server (DDMS). This is part of the Eclipse tool suite so obviously we need to install Eclipe. We can use this to obtain a memory dump of the application during runtime. This hopefully will yield some good information.
  
 +
[[File:ddms.png]]
  
 
== Memory Analyzer ==
 
== Memory Analyzer ==
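Review bot: the Memory paragraph in this hunk still reads "install Eclipe". Since the revision already touches the section to add [[File:ddms.png]], correct it to "Eclipse" in the same edit.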
Line 81: Line 87:
 
Once we create a dump we can analyze it using a tool called the (can any one guess) Memory Analyzer which is part of Eclipse. However before we can do that we need to convert the dump to the proper hprof format using hprof-conv in sdk
 
Once we create a dump we can analyze it using a tool called the (can any one guess) Memory Analyzer which is part of Eclipse. However before we can do that we need to convert the dump to the proper hprof format using hprof-conv in sdk
  
 +
[[File:mem analyzer.png]]
  
 
== Santoku ==
 
== Santoku ==
  
Now if all this sounds like a lot of work luckily the good guys at owasp and our french t&v team has saved us a lot of trouble. Owasp has created a backtrack like os for mobile testing called santoku. And the good guys in our french team namely alaeddin and adel have created working vms and avds to save us all some time. So feel free to reach out for them and ask them for those
+
Now if all this sounds like a lot of work luckily there's a ready made Linux distro called Santoku that has all the tools preinstalled.
 +
 
 +
[[File:Santoku.png]]

Latest revision as of 10:52, 7 June 2013

This document details how to set up an Android lab so you can perform mobile app assessments without the need for a physical mobile phone. It will discuss some of the common and useful tools, what their purposes are and how they can be used.

The prerequisites are simple: Java and an OS.

URL: http://java.com/en/download/index.jsp


Install Android Software Development Kit (SDK)

“The Android SDK provides you the API libraries and developer tools necessary to build, test, and debug apps for Android”. There are two parts to the SDK: the SDK manager, where you install the tools and the Android versions of your choice, and the AVD (Android Virtual Device) manager, which creates the emulator that we'll be working with (we'll get to that in a minute).

URL: http://developer.android.com/sdk/index.html


Install tools

Install the tools and the Android OS. At a minimum you'll want the SDK tools and SDK platform tools, which we'll use later on. Then choose an Android version. There's a long list of Android versions and other extras. It's a straightforward install process but it might take a while.

1- sdk manager.png

Emulator

Step three is to set up an Android emulator. You do this using the AVD manager which is part of the SDK tool. AVD stands for Android Virtual Device and it looks like the picture below.

Install emulator.png

Once the installation is complete you'll need to create a new AVD by clicking New in the Android Virtual Device Manager.

Andoird avd new.png

Create AVD

Enter a name for your virtualized Android, and select the version of Android you want to use from the drop-down menu if you've installed different versions. Enter a size under the SD Card entry; this is a virtual SD card that’s actually an IMG file that Android will use to store your settings and files in.

Create avd.png

Start Emulator

By now you'll have a fully functioning emulator that you can use just like your phone. One thing you'll notice missing is the Android Market or Play Store, which you usually use to download and install applications. The good news is that we don't need it... for now.

Working emulator.png

Install apk

Without the Android Market we can still install the application directly if we have the .apk file. This is the Android Application Package (APK) file. In reality it's a zipped file based on the JAR format, which will come in handy when we try to reverse the application later.

Apk.png

ADB

To install an apk file we use the Android Debug Bridge (ADB). The adb tool is part of the platform-tools we installed with the SDK manager at the beginning. It has a lot of uses, one of which is to install and uninstall apps. We do this by going to the platform-tools directory and launching adb with the install command while the emulator is running.

Adb install.png

Proxy

Start up the emulator using the proxy command to tell it to tunnel traffic through your local proxy. In this setup you'll also be able to test HTTPS websites, but you won't be able to authenticate if there's a login page because of certificate errors. There seem to be a lot of documented ways to overcome this. One of my favorites is using Mallory.

Proxy command.png

Mallory

What if the application you're testing doesn't use standard HTTP/S but instead uses some proprietary protocol? There's a tool for that called Mallory. It's a very effective transparent TCP/UDP proxy. Setting it up is a bit tedious but the process is well documented online.

Mallory.png

Decompiling app (jd-gui)

Apart from treating the application as a regular application there are a few other things to do. One is trying to decompile the application. We already mentioned that the .apk is a compressed JAR format and so it can easily be decompiled using numerous tools.
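Because the .apk is a ZIP container, it can be inventoried before any decompiler is involved. The following is an added example, not part of the original wiki page: `triage_apk`, `build_sample_apk` and the `REVIEW_EXT` list are hypothetical names and assumptions, and the sample archive is constructed in memory so the script runs without a real application.

```python
import io
import zipfile

# Extensions under assets/ or res/raw/ worth a manual look (assumed list).
REVIEW_EXT = (".key", ".pem", ".p12", ".bks", ".jks", ".properties", ".db")
SIG_EXT = (".RSA", ".DSA", ".EC", ".SF")

def triage_apk(data: bytes) -> dict:
    """Inventory an APK's ZIP container before handing it to a decompiler."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not a ZIP container, so not an APK")
    report = {"manifest": False, "dex": [], "signature": [], "native": [], "review": []}
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        for info in apk.infolist():
            name = info.filename
            if name == "AndroidManifest.xml":
                report["manifest"] = True
            elif name.endswith(".dex") and "/" not in name:
                # Dalvik bytecode starts with b"dex\n"; it must be converted
                # to .class/.jar form before jd-gui can display it.
                with apk.open(info) as fh:
                    if fh.read(4) == b"dex\n":
                        report["dex"].append(name)
            elif name.startswith("META-INF/") and name.endswith(SIG_EXT):
                report["signature"].append(name)
            elif name.startswith("lib/") and name.endswith(".so"):
                report["native"].append(name)
            elif name.startswith(("assets/", "res/raw/")) and name.lower().endswith(REVIEW_EXT):
                report["review"].append(name)
    return report

def build_sample_apk() -> bytes:
    """Constructed stand-in for a real .apk (stub contents, APK-style names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
        z.writestr("classes.dex", b"dex\n035\x00" + bytes(32))
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")
        z.writestr("lib/armeabi/libnative.so", b"\x7fELF")
        z.writestr("assets/server.key", "constructed")
        z.writestr("res/layout/main.xml", b"\x03\x00\x08\x00")
    return buf.getvalue()

if __name__ == "__main__":
    for section, value in triage_apk(build_sample_apk()).items():
        print(f"{section:10} {value}")
```

To inspect a real package, pass the bytes of the .apk file to `triage_apk` instead of the constructed sample.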


Shell

We can browse the application directory using the adb tool. By issuing the shell command we can browse to the /data/data folder where the packages are installed. We can then look for interesting information such as encryption keys in XML files.

Shell.png
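One way to review the XML files found under /data/data for stored keys, as an added example that is not part of the original wiki page. It assumes the file is a SharedPreferences XML copied off the emulator; the name pattern, the AES key sizes and the sample content are assumptions constructed for illustration.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

NAME_HINT = re.compile(r"key|secret|passw|token|salt", re.I)  # assumed heuristic
AES_KEY_SIZES = {16, 24, 32}  # bytes

def key_sized(value: str):
    """Byte length if value decodes (hex or base64) to an AES key size, else None."""
    v = value.strip()
    sizes = []
    if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", v):
        sizes.append(len(v) // 2)
    if len(v) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", v):
        try:
            sizes.append(len(base64.b64decode(v, validate=True)))
        except binascii.Error:
            pass
    return next((n for n in sizes if n in AES_KEY_SIZES), None)

def scan_prefs(xml_text: str) -> list:
    """Return (name, reasons) for every preference entry that looks like a secret."""
    findings = []
    for item in ET.fromstring(xml_text):
        name = item.get("name", "")
        # <string> keeps its value as text; int/boolean/long use a value attribute.
        value = item.text if item.tag == "string" else item.get("value")
        reasons = ["name"] if NAME_HINT.search(name) else []
        size = key_sized(value or "")
        if size:
            reasons.append(f"{size}-byte value")
        if reasons:
            findings.append((name, reasons))
    return findings

# Constructed sample in the layout Android writes for SharedPreferences files.
SAMPLE_PREFS = (
    "<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n<map>\n"
    '  <string name="username">alice</string>\n'
    '  <string name="aes_key">00112233445566778899aabbccddeeff</string>\n'
    f'  <string name="cfg_blob">{base64.b64encode(bytes(range(32))).decode()}</string>\n'
    '  <int name="launch_count" value="7" />\n'
    '  <string name="api_token">constructed-token-value</string>\n'
    "</map>"
)

if __name__ == "__main__":
    for name, reasons in scan_prefs(SAMPLE_PREFS):
        print(f"{name}: {', '.join(reasons)}")
```

An entry flagged only by value size, such as `cfg_blob` here, is the case a name-based search alone would miss.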

Memory

Android ships with a debugging tool called the Dalvik Debug Monitor Server (DDMS). This is part of the Eclipse tool suite, so we need to install Eclipse. We can use it to obtain a memory dump of the application during runtime. This hopefully will yield some good information.

Ddms.png

Memory Analyzer

Once we create a dump we can analyze it using a tool called the (can anyone guess) Memory Analyzer, which is part of Eclipse. However, before we can do that we need to convert the dump to the proper hprof format using hprof-conv in the SDK.

Mem analyzer.png

Santoku

Now, if all this sounds like a lot of work, luckily there's a ready-made Linux distro called Santoku that has all the tools preinstalled.

Santoku.png