This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

SettingupMobileTestingLab

From OWASP
Revision as of 11:26, 6 June 2013 by Tarek (talk | contribs)

Jump to: navigation, search

This document details how to set up an Android lab so you can do mobile app assessments without the need for a physical mobile phone. It will discuss some of the common and useful tools, what their purposes are and how they can be used.

The prerequisites are simple: Java and an OS.

URL: http://java.com/en/download/index.jsp


Install Android Software Development Kit (SDK)

“The Android SDK provides you the API libraries and developer tools necessary to build, test, and debug apps for Android”. There are two parts to SDK. The SDK manager where you can install the tools and the Android versions of your choice. And the AVD (android virtual device) manager (we'll get to that in a minute). That's what creates the emulator that we'll be playing around with.

URL: http://developer.android.com/sdk/index.html


Install tools

Install the tools and the Android OS. At a minimum you'll want the SDK tools and SDK platform tools which we'll use later on. Then choose an Android version. There's a long list of Android versions and other extras. I usually go with the latest version. It's a straight forward next install process but it might take a while.


Emulator

Step three is to set up an Android emulator. You do this using the AVD manager which is part of the SDK tool. AVD stands for Android Virtual Device and it looks something like this. You click on New and here's what these options mean.


Create AVD

Enter a name for your virtualized Android, and select the version of Android you want to use from the drop-down menu if you've installed different versions. Enter a size under the SD Card entry; this is a virtual SD card that’s actually an IMG file that Android will use to store your settings and files in.

Diff between Android and Google API?


Start Emulator

By now you'll have a fully functioning emulator that you can use just like your phone. One thing you'll notice missing is the Android market or play store which you usually use to download and install applications. The good news is that we don't need it... for now.


Install apk

without the need of the android market we can install the application directly if we have the .apk file. This is the Android Application Package (APK) file. It sounds fancy but it's really a zipped file based on JAR format which will come in handy when we try to reverse the application later. Usually the client will provide this file.


ADB

To install apk file we use the Android Debugging Bridge. The ADB tool part of the paltform-tools we installed with the SDK manager at the beginning. It's got a lot of uses one of which is to install and uninstall app. We do this by typing going to the platform-tools directory and lunching adb with the install command while the emulator is running


Proxy

Start up the emulator using the proxy command to tell it to tunnel traffic through your local proxy. In this current setup you'll also be able to test https website but you'll not be able to authenticate if there's a login page because of certificate errors. There seems a lot of ways to documented to overcome this but non has worked for me. So if anyone has any tips or solutions please do share hem with me.


Mallory

What if the application you're testing that doesn't use standard http/s but instead uses some proprietary protocol? There's a tool for that called mallory. It's a very effective transparent TCP/UDP proxy. Setting it up is a bit of pain but the process is well documented online. If you need the resources let me know and I'll send them over.


Decompiling app (jd-gui)

Apart from treating the application as a regular WAVA there are a few other things to do. One is trying to decompile the application. We already mentioned that the .apk is a compressed JAR format and so it can easily be decompiled using numerous tools. Here's an example of a class Adel found the encryption key in.


Shell

We can browse the application directory using the adb tool. By issuing the shell command we can browse to the /data/data folder where the packages are installed. We can then look for interesting information such as encryption keys in xml files


Memory

Android ships with a debugging tool called the Dalvik Debug Monitor Server (DDMS). This is part of the Eclipse tool suite so obviously we need to install Eclipe. We can use this to obtain a memory dump of the application during runtime. This hopefully will yield some good information.


Memory Analyzer

Once we create a dump we can analyze it using a tool called the (can any one guess) Memory Analyzer which is part of Eclipse. However before we can do that we need to convert the dump to the proper hprof format using hprof-conv in sdk


Santoku

Now if all this sounds like a lot of work luckily the good guys at owasp and our french t&v team has saved us a lot of trouble. Owasp has created a backtrack like os for mobile testing called santoku. And the good guys in our french team namely alaeddin and adel have created working vms and avds to save us all some time. So feel free to reach out for them and ask them for those