Mobile Application Security Tools Setting Up
To start mobile application penetration testing, there are various tools to install, such as adb, jadx, apktool, frida and others. In this blog post we go through the tools we use for mobile application security on both the Android and iOS platforms.
Android
Android Debug Bridge (adb) This tool lets you communicate with a mobile device or an emulator. (https://developer.android.com/tools/releases/platform-tools)
# Common commands
adb devices
adb shell
# Connect the USB cable first, then run the commands below to switch the device to wireless debugging (192.168.1.35 is the phone's IP address)
adb tcpip 55555
adb connect 192.168.1.35
adb shell
# Extracting logcat lines for a specific package (looks up its PID, then filters the log stream by it;
# on Android 8 and later use `ps -A`, since plain `ps` only lists the shell's own processes)
adb shell ps | grep com.example.app | awk '{print $2}' | xargs -n1 -I {} /bin/bash -c "adb logcat | grep {}" | tee -a log.txt
# Getting an .apk from the device
adb shell pm list packages | grep [KEY_WORD]
adb shell pm path com.example.app
adb pull /data/app/com.example.app/base.apk
# Upload file into the devices
adb push file.txt /data/local/tmp
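The adb commands above are the manual version of two routine tasks: pulling an app's APK off the device and capturing its log output. The script below is an added example (not part of the original post) that does both in a slightly more robust way: it handles packages that `pm path` reports as several split APKs, records a SHA-256 of each pulled file so the analysed artefact can be tied back to the device, and filters logcat with `--pid` (Android 7 and later) instead of grepping the raw stream for the PID digits. The package name `com.example.app` and the `pm path` output in the test are constructed; the parsing helper runs without a device.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes adb is on PATH and a
# device is connected; the package name used in the usage line is made up.

# Turn `pm path <pkg>` output into bare paths. Modern Android installs split
# APKs (base.apk + split_config.*.apk), so one package can yield several lines.
# Older adb versions emit CRLF line endings, so the CR is stripped first.
parse_pm_path() {
    # stdin: lines such as "package:/data/app/.../base.apk"
    tr -d '\r' | sed -n 's/^package://p'
}

# Pull every APK of a package into ./<pkg>/ and print a SHA-256 for each file,
# so a later static-analysis finding can be matched to exactly this build.
pull_package_apks() {
    pkg="$1"
    mkdir -p "$pkg"
    adb shell pm path "$pkg" | parse_pm_path | while read -r remote; do
        adb pull "$remote" "$pkg/"
    done
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$pkg"/*.apk
    else
        shasum -a 256 "$pkg"/*.apk
    fi
}

# Restrict logcat to the app's own process: `adb logcat --pid` (Android 7+)
# avoids the false matches you get from grepping the PID as a substring.
logcat_for_package() {
    pkg="$1"
    pid=$(adb shell pidof -s "$pkg" | tr -d '\r')
    [ -n "$pid" ] || { echo "$pkg is not running" >&2; return 1; }
    adb logcat --pid="$pid" | tee -a "$pkg.log"
}

# Usage: ./apk-tools.sh pull com.example.app
#        ./apk-tools.sh logcat com.example.app
case "${1:-}" in
    pull)   pull_package_apks "$2" ;;
    logcat) logcat_for_package "$2" ;;
esac
```

Pulling into a per-package directory matters for split APKs: `apktool` and `jadx` only see the code that is in the files you give them, so a missing `split_config.*.apk` can hide native libraries or resources from the analysis.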
Apktool This tool lets you disassemble an .apk file for various purposes such as binary patching, extracting application information, and understanding application logic (https://apktool.org/docs/install/)
apktool d /path/to/apk/file.apk [-r]
apktool b /path/to/apk/file
Jadx The "jadx" tool decompiles an .apk file into a human-readable format. We normally use it together with "apktool" for static analysis and binary patching, because the jadx output (decompiled source) is easy to read but cannot be modified, while the apktool output (disassembled smali) is harder to read but can be modified and rebuilt. (https://github.com/skylot/jadx)
scrcpy This tool mirrors the device screen to your computer (https://github.com/Genymobile/scrcpy)
brew install scrcpy
MobSF Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. You can install it from scratch, but I personally run it with Docker (https://hub.docker.com/r/opensecurity/mobile-security-framework-mobsf/)
docker pull opensecurity/mobile-security-framework-mobsf:latest
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
uber-apk-signer As mentioned above, binary patching requires the .apk to be re-signed before it can be installed. You can re-sign the application from scratch, but uber-apk-signer is an easy way to re-sign it immediately (https://github.com/patrickfav/uber-apk-signer)
java -jar uber-apk-signer.jar --apks /path/to/apks
Frida Frida is an awesome tool we use for process hooking, for purposes such as root/jailbreak detection bypass, certificate pinning bypass and method swizzling. (https://frida.re/docs/installation/)
pip install frida-tools
Frida Server After installing Frida on the pentester's computer, frida-server must be running on the device. On a rooted Android device, download the binary from (https://github.com/frida/frida/releases) and execute it on the device; on a jailbroken iOS device it can be installed from Cydia.
Android
# for rooted devices
adb push frida-server /data/local/tmp
adb shell
su
cd /data/local/tmp
chmod +x frida-server
./frida-server
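The manual push/chmod/run sequence above has two failure modes that cost time in practice: the binary must be built for the device's ABI, and the frida-server version must match the frida-tools version on the host, otherwise `frida-ps -U` fails with a version mismatch. The script below is an added example (not part of the original post or of the Frida project) that derives both from the environment before pushing. The release asset naming `frida-server-<version>-android-<arch>.xz` is the scheme used on the Frida GitHub releases page; the version in the test is a made-up placeholder, and the ABI mapping helper runs without a device.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes adb, frida-tools, curl
# and xz on the host, and a rooted device with `su` available.

# Map the device's ro.product.cpu.abi value to the architecture suffix used
# in frida-server release file names.
abi_to_frida_arch() {
    case "$1" in
        arm64-v8a)            echo arm64 ;;
        armeabi-v7a|armeabi)  echo arm ;;
        x86)                  echo x86 ;;
        x86_64)               echo x86_64 ;;
        *) echo "unsupported ABI: $1" >&2; return 1 ;;
    esac
}

# Release asset name for a given frida version and device ABI.
frida_server_asset() {
    arch=$(abi_to_frida_arch "$2") || return 1
    echo "frida-server-$1-android-$arch.xz"
}

deploy_frida_server() {
    # Read the client version from the host so server and client always match.
    ver=$(frida --version)
    abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')
    asset=$(frida_server_asset "$ver" "$abi") || return 1
    url="https://github.com/frida/frida/releases/download/$ver/$asset"
    echo "fetching $url"
    curl -L -o "$asset" "$url"
    xz -d -k -f "$asset"                 # keeps the .xz, writes the raw binary
    bin="${asset%.xz}"
    adb push "$bin" /data/local/tmp/frida-server
    # Same steps as the manual sequence, run as root in one shot and detached
    # so the shell returns while the server keeps running.
    adb shell "su -c 'chmod 755 /data/local/tmp/frida-server; nohup /data/local/tmp/frida-server >/dev/null 2>&1 &'"
    sleep 2
    # Sanity check: the host can enumerate processes over USB.
    frida-ps -U | head -n 5
}

# Usage: ./deploy-frida.sh run
[ "${1:-}" = "run" ] && deploy_frida_server
exit 0
```

If `frida-ps -U` lists processes, hooking scripts from the host will work; if it reports a version error, the `frida --version` on the host and the server binary on the device have drifted apart, which is exactly what reading the version from the client avoids.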
iOS
Set up Frida on your iOS device: https://www.frida.re/docs/ios/
Start Cydia and add Frida’s repository by going to Manage -> Sources -> Edit -> Add and enter https://build.frida.re.
You should now be able to find and install the Frida package which lets Frida inject JavaScript into apps running on your iOS device.
This happens over USB, so you will need to have your USB cable handy, though there’s no need to plug it in just yet.
Objection This tool is also useful: if you have no rooted/jailbroken device, you can embed the Frida gadget into the app with "objection" (https://github.com/sensepost/objection)
# https://github.com/sensepost/objection
pip3 install objection
# Android
objection patchapk --source app-release.apk
# iOS
security find-identity -p codesigning -v
objection patchipa --source my-app.ipa --codesign-signature [SIGNATURE]
# patchipa prerequisites on macOS: security, codesign, xcodebuild
# zip & unzip
# 7z
# applesign => npm install -g applesign
# insert_dylib:
# git clone https://github.com/Tyilo/insert_dylib
# cd insert_dylib
# xcodebuild
# cp build/Release/insert_dylib /usr/local/bin/insert_dylib
iOS
Xcode Even though we are not developers building an application, we still need Xcode to create a provisioning profile for re-signing applications. It can be installed directly from the Mac App Store.
ios-deploy Install and debug iOS apps from the command line. Designed to work on un-jailbroken devices (https://github.com/ios-control/ios-deploy)
brew install ios-deploy
iOS App Signer This GUI tool lets you easily re-sign an iOS application (https://www.iosappsigner.com/)
Grapefruit Runtime application instrumentation for iOS; Grapefruit requires Node.js to be installed (https://github.com/ChiChou/grapefruit)
npm install -g igf
igf
Other Tools
Java Android pentesting involves tools that require different Java versions; for example, disassembling an .apk file with apktool requires Java 8. The snippets below help you switch Java versions smoothly.
Unix
# ~/.zshrc
# Single quotes matter for j11/j20: with double quotes, $(...) is evaluated once
# when .zshrc is loaded, so the alias would break if that JDK is not installed yet
alias j8="export JAVA_HOME='/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home'; java -version"
alias j11='export JAVA_HOME=$(/usr/libexec/java_home -v 11); java -version'
alias j20='export JAVA_HOME=$(/usr/libexec/java_home -v 20); java -version'
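Switching JAVA_HOME is only half the job; the other half is noticing when the switch did not take (a stale shell, a missing JDK) before apktool fails with an obscure error. The helper below is an added example (not part of the original post): it parses the major version out of `java -version` output, handling both the pre-9 `1.8.0_x` scheme and the `11.0.x` / `17-ea` schemes, and a `require_java` function aborts unless the requested major version is active. The version strings in the test are constructed samples; the Java 8 requirement in the usage line is the one stated above.

```shell
#!/bin/sh
# Added example, not from the original post. Works on macOS and Linux;
# only `java -version` output is needed, no platform-specific lookup.

# Parse the major version from the first line of `java -version` output.
# Pre-9 JDKs report "1.8.0_292" (major 8); 9+ report "11.0.12", "17-ea", "21".
java_major_version() {
    # $1: a line such as:  openjdk version "11.0.12" 2021-07-20
    v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    [ -n "$v" ] || return 1
    case "$v" in
        1.*) printf '%s\n' "$v" | cut -d. -f2 ;;               # 1.8.0_292 -> 8
        *)   printf '%s\n' "$v" | cut -d. -f1 | sed 's/-.*//' ;;  # 17-ea -> 17
    esac
}

# Abort unless the java found on PATH is the requested major version.
require_java() {
    want="$1"
    line=$(java -version 2>&1 | head -n 1)
    have=$(java_major_version "$line") || {
        echo "cannot parse java version from: $line" >&2
        return 1
    }
    if [ "$have" != "$want" ]; then
        echo "need Java $want, but PATH has Java $have ($line)" >&2
        return 1
    fi
    echo "Java $have active"
}

# Usage (apktool needs Java 8 per the note above):
#   . ./javacheck.sh && require_java 8 && apktool d app.apk
```

Sourcing the file rather than executing it keeps the functions in the current shell, so `require_java` sees the same JAVA_HOME the `j8`/`j11` aliases just set.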
Windows
:: Create one .bat file per Java version and add the folder containing them to the Path environment variable
:: j8.bat
@echo off
set JAVA_HOME=C:\Program Files\Java\jdk1.8.0_202
set Path=%JAVA_HOME%\bin;%Path%
echo Java 8 activated.
:: j19.bat
@echo off
set JAVA_HOME=C:\Program Files\Java\jdk-19
set Path=%JAVA_HOME%\bin;%Path%
echo Java 19 activated.
BurpSuite This tool is obviously helpful for inspecting and manipulating HTTP requests and responses. You can download and install it from https://portswigger.net/burp/communitydownload
VS Code or any text editor you like; this is used for source code analysis, binary patching and so on. We also recommend using syntax highlighting.
Ghidra Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency (https://ghidra-sre.org/)
Hopper Hopper Disassembler is a reverse engineering tool that lets you disassemble, decompile and debug your applications (https://www.hopperapp.com/)