Pentest Diaries Ep.8: Android Pentesting Highlights
In this edition of Pentest Diaries, we had the opportunity to sit down with three of our distinguished Core members to talk Android Pentesting. We were joined by Harsh Bothra, Patricio Castagnaro, and Vinesh Redkar. A lot was covered in our time together, so we'd like to touch on some highlights from those learnings.
Watch the podcast video here:
Also, we provided the list below so you can dive straight into the sections of the podcast most relevant to you!
1:00 Opening Moves 6:00 Tools Used 11:00 Time Consumption 18:14 Blockers in Android Pentesting 27:00 Exploit Chains 36:55 Windows 11 and Android 43:12 Why is Android pentesting important?
Listen to the whole podcast to get the most out of the Core's amazing takes on this subject.
First Steps in Engagement
It is important to get your bearings before any engagement. Mindfully charting a course and using experiences from previous engagements provides a repeatable path for success.
So, our guests opened up to their “First Steps” during a Pentesting engagement.
Harsh Bothra started by saying, “Before the engagement starts, I quickly make sure that some of the protections for SSL pinning and root protections are in place or not - in case they are bypassable. So we can convey to the client, 'This is not bypassable, this seems like it might take some time to bypass it'.”
Harsh will then set up his workflow based on this assessment. He plots a course through the application from API, to static functionalities, and finishes with dynamic testing. In retrospect, also shows a healthy amount of communication between being a pentester and conferring with a client to ease the burden of testing.
Patrio Castagnaro followed by stating he, “Always uses the application as an end user at the beginning of the project, because I can get a better understanding of the application, about the functions, the uses cases - because the applications doesn’t always have documentation.”
He does this to define his understanding of the application workflows and to identify the protections in place. Some of these protections include anti-emulation, SSL pinning, and ciphered code.
Vinesh Redkar stated, "I always start my assessment after understanding the business requirement, right? First, I need to understand what is the business case which they are trying to achieve by using this application. Then I can build the test cases also associated with those business cases.”
Vinesh goes on to explain how he uses the OWASP mobile application checklist to perform his assessment and breaks it down into “Static, Dynamic, and local storage analysis.”
Android Pentesting Tools
General pentesting comes with an extended gallery of tools. They range from those that are industry standards, to repositories that hold unknown treasures as-well. However, I was interested in asking our pentesters what they use personally for their Android engagements.
This was a rough list of the tools suggested by Harsh, Patricio, and Vinesh.
APKLeaks - Scans the apk file for URIs, endpoints, and other hidden valuables.
Burp Suite Pro - Used in dynamic pentesting as an intercept for the application.
Qark - An automated static analysis tool designed originally for malware analysis scoring. It provides threat intel that functions as a way to find static issues quickly.
JADX - Used for source code analysis - can be used to see if there are obfuscation tactics used.
House - Designed for helping assess mobile applications by implementing dynamic function hooking and intercepting
Mind Maps and Checklists
After discussing tools, the importance of mental mapping and checklists took the stage.
Particio mentions that using OWASP checklists aids in processes outside of your own because, “You can mark what you do, in which category, (for instance) Static analysis. Did you do all the tasks for static analysis?...you can end up finding something, pause, and then forget some tasks that are really important. Even if it’s not a mind map, it’s important after 2-3 days to go back to the checklist to see if you’ve forgotten something.”
This speaks to the many variables pentesters are constantly keeping track of. Being organized during a test helps with the gamut of parallel processes a pentester is keeping track of through any engagement. These checklists allow you to walk yourself back, after wandering off on another lead you may find.
Vinesh added that, “Sometimes when you do a pentest, things can become too complicated. You are not sure from which point to choose statics/checklist or mindmaps, but also what’s happened to me a lot of times is that the application is a lot bigger than it’s scope initially…(so) there is the possibility you might miss something.”
It was brought up that Harsh had previously created an incredible mind map for Android pentesting. I highly recommend this resource to pentesters at any level.
Our conversation shifted into a subject pentesters should always be aware of, blockers. It is a gift to know what potential roadblocks can happen during these tests. When it comes to Android, this is what they had to say.
Harsh was the first to go stating, “I always raise my hands for SSL pinning and root detection, because they (the client) always want it. Especially when the client is like ‘We want you to bypass it, we want to see how much defense-in-depth we have already implemented.’ Another, is when you find traffic that is encrypted.”
Patricio remarked on how the value of what is being tested could shift. How meaningful steps made in a pentest might not hold weight for a client looking for specific results. He stated, “There are different objectives like, ‘Hey, we don’t care about the platform protections (which could be Android, iOS, etc) we want to focus on the business logic. Why? Because we are moving money, or we are banking, or we are a financial application and we really want to put the focus there.’ ...Because you can spend, I don’t know,5-3-10 days and then go to the next step, and that step wasn’t important for the customer.”
Vinesh brought up a great point in stating, “As per the regulation, or as per their organization, they have different risk metrics, right - to categorize this list. So, based on the client's justification we will report root detection, but they can consider that root detection does not apply to the application. It is based on the business and their organization."
He continued, “For the company report we have all listings, right, and also explain the pentester’s point of view to them. Like, ‘I chained this attack - and chaining is very important.’ If we are able to demonstrate attacks which are mentioned in the checklist are connected and that is causing a major impact, then we might be able to convince them, ‘Yes, this pentest is showing value, because we were able to chain this attack’...instead of them just accepting the risk.”
Next, we discussed exploit chains. I highly suggest you listen to this section. The stories and tricks used by these pros should be heard firsthand. You can find the start of this conversation at 27:00.
Feelings on Windows 11 Native Android
Windows 11 is just around the corner. With every new OS starts an open season for unseen vulnerabilities sneaking past code review, and under the scale of a massive launch. It was suggested there will be an Android subsystem that will bridge Android applications to run native to X86 systems. I decided to ask about their perspective on an Android subsystem as pentesters.
Harsh started by stating, “I feel like a lot of botnet networks are going to come soon because of that. Also, local privilege escalations, and sandbox escapes are going to come on to the market. Because Android and Windows, you’re basically combining two different operating systems into something - and making isolation layered for that would be an interesting thing for a lot of researchers.”
Vinesh then brought up an important note about the release stating, "I think that Microsoft clearly states that they are not going to allow android apk to be installed on the application at the moment. They are only allowing it from the amazon app store."
He explained that the possibility of attack could theoretically happen - if this was implemented like the Linux subsystem explaining, “If you see Ubunutu, how the system works on Windows 10, it basically has access to your local directory as well, right - same for Android also. Even if they do the sandboxing, something will be accessible by that Android environment. Which is hosted on the Windows platform. There could be a credential type attack possible - like running a mimkatz on that system and dumping windows lsaas file and export it to yourself somewhere else."
We closed on the guest's opinions on the need for Android pentesting. Again, I believe this one is best heard firsthand too.
Thanks again to Harsh Bothra, Patricio Castagnaro, and Vinesh Redkar for making this an engaging and thoughtful discussion around this subject. Connect with them on LinkedIn and follow on Twitter for more of their takes on offsec!