Mobile Pen-Testing (APK)
Static Analysis
Hello!! A warm welcome to everyone. Today I am going to take you through mobile pen-testing: how to perform a penetration test on a mobile application.
Basically, when we say mobile pen-testing, the first thing that comes to mind is whether the target is iOS or Android. The question then is: is the testing procedure the same on both? Broadly yes, though as they are two different platforms we use different tools for iOS and Android, and there are still many similarities in the approach.
So in this blog, I will take you through the Android platform and show you how to perform static analysis of an APK.
For hands-on practice, we can download the deliberately vulnerable practice APK from the reference below:
DIVA APK
Below are the tools required for static analysis:
MobSF
dex2jar
JD-GUI
Attack scenario
MobSF on Linux
To start with our mobile pen-testing, let's first understand what MobSF is and why we use it.
The Mobile Security Framework (MobSF) is an open-source framework capable of performing end-to-end security testing of mobile applications. MobSF can be used for security analysis of Android and iOS applications.
To run MobSF we execute ./run.sh, which will listen on http://0.0.0.0:8000. Note that binding to 0.0.0.0 exposes the MobSF web interface (and every APK and report you upload to it) on all network interfaces of the host, so on a shared network bind it to 127.0.0.1 instead.
Drag and drop the APK you want to test and wait for the output.
As you can see, we get the full status of the scanned APK.
You can download the report, as shown in the figure below.
Next, we move on to viewing the source code to find the weaknesses in the application. To do so we will use dex2jar and then inspect the decompiled source.
First of all we copy our classes.dex file (an APK is just a ZIP archive, so it can be extracted with any unzip tool) into the dex2jar folder and open a command prompt.
Then, to convert it into a jar file, we run the command:
d2j-dex2jar.bat classes.dex
The above command converts our .dex file into a jar (named classes-dex2jar.jar by default).
Once the file has been converted into a .jar file, open JD-GUI and simply drag and drop the .jar file into it.
Yeah!!! We are ready to view our source code and find the flaws and weaknesses in the application.
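The steps above use a single classes.dex, but most real apps are multidex (classes2.dex, classes3.dex, ...) and every one of them has to go through dex2jar, otherwise JD-GUI shows only part of the code. The script below is an added example, not part of the original post or of the dex2jar project: it pulls each DEX out of the APK, checks the DEX magic header before handing anything to dex2jar, and builds the d2j-dex2jar command lines. It assumes d2j-dex2jar is on your PATH, and the sample "APK" it builds for offline testing is constructed.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# An APK is a ZIP archive; multidex apps carry classes.dex, classes2.dex, ...
DEX_NAME = re.compile(r"^classes\d*\.dex$")
DEX_MAGIC = b"dex\n"  # every DEX file begins with "dex\n" + version, e.g. "035\0"

def list_dex_entries(apk_path):
    """Return the DEX entry names in load order: classes.dex, classes2.dex, ..."""
    with zipfile.ZipFile(apk_path) as apk:
        names = [n for n in apk.namelist() if DEX_NAME.match(n)]
    # classes.dex carries no number and loads first; classes10.dex must follow classes9.dex
    return sorted(names, key=lambda n: int(n[len("classes"):-len(".dex")] or "1"))

def extract_dex(apk_path, out_dir):
    """Write each genuine DEX to out_dir and return the written paths."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    with zipfile.ZipFile(apk_path) as apk:
        for name in list_dex_entries(apk_path):
            data = apk.read(name)
            if not data.startswith(DEX_MAGIC):
                continue  # wrong header: not a DEX file, so don't hand it to dex2jar
            dest = out_dir / name
            dest.write_bytes(data)
            written.append(dest)
    return written

def dex2jar_commands(dex_paths, windows=False):
    """One d2j-dex2jar command per DEX (tool assumed on PATH); -o names the output jar."""
    tool = "d2j-dex2jar.bat" if windows else "d2j-dex2jar.sh"
    return [f"{tool} -o {p.stem}.jar {p.name}" for p in dex_paths]

def build_sample_apk(path):
    """Constructed sample 'APK': two real DEX headers plus one bogus classes3.dex."""
    with zipfile.ZipFile(path, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        apk.writestr("classes2.dex", DEX_MAGIC + b"035\0" + b"\0" * 16)
        apk.writestr("classes.dex", DEX_MAGIC + b"035\0" + b"\0" * 16)
        apk.writestr("classes3.dex", b"not a dex file")
    return path

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        apk = build_sample_apk(Path(tmp) / "sample.apk")
        written = extract_dex(apk, Path(tmp) / "dex")
        return list_dex_entries(apk), [p.name for p in written], dex2jar_commands(written, True)
```

Run the printed commands from the dex2jar folder, then drop every resulting .jar into JD-GUI so nothing from the later DEX files is missed.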
Thank you all for spending your precious time reading this article.
Stay tuned for the next attack.