Mobile Pen-Testing (APK)

Static Analysis

Shadab Ahmed Ansari
3 min read · Jun 10, 2021

Hello!! A warm welcome to everyone. Today I am going to take you through mobile pen-testing: how to perform a pen-test on a mobile application.

When we say mobile pen-testing, the first question is whether we mean iOS or Android. So is the testing procedure the same on both? Not exactly: they are two different platforms and we use different tools for iOS and Android, but the approach has a lot in common.

So in this blog, I will take you through the Android platform and show you how to perform static analysis of an APK.

For hands-on practice, you can download the deliberately vulnerable practice APK from the reference below.

Diva apk — to download click here

Below are the tools required for static analysis:

Mobsf — to download click here

Dex 2 jar — to download click here

JD-GUI — to download click here

Attack scenario

MobSF on Linux

To start our mobile pen-testing, let's first look at what MobSF is and why we use it.

The Mobile Security Framework (MobSF) is an open-source framework capable of performing end-to-end security testing of mobile applications. MobSF can be used for security analysis of Android and iOS applications.

Start MobSF

To run MobSF we execute ./run.sh; the web interface will then listen on http://0.0.0.0:8000.

GUI of MobSF

Drag and drop the APK you want to test and wait for the output.

As you can see, the scan result shows the full status of the scanned APK.

APK static MobSF report

You can download the report, as shown in the figure below.

PDF Report
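The drag-and-drop flow above is fine for one APK, but once you scan builds regularly you want the same upload, scan and PDF download driven from a script. The following is an added example, not code from the original post or from the MobSF project. It assumes a MobSF instance started with ./run.sh is reachable at http://127.0.0.1:8000 and uses the REST API key MobSF prints at start-up (also shown on its /api_docs page); the endpoints are MobSF's documented REST API (/api/v1/upload, /api/v1/scan, /api/v1/download_pdf). The HTTP transport is injectable so the flow can be exercised offline with a fake transport.

```python
"""Run a MobSF static scan through its REST API instead of the GUI.

Added example (assumes MobSF from ./run.sh on http://127.0.0.1:8000 and
the API key MobSF prints at start-up / shows on /api_docs).
"""
import json
import urllib.parse
import urllib.request
import uuid
from pathlib import Path
from typing import Callable, Dict

MOBSF_URL = "http://127.0.0.1:8000"  # ./run.sh listens on 0.0.0.0:8000

# A transport is "POST url with headers and body, give me the raw response".
Transport = Callable[[str, Dict[str, str], bytes], bytes]


def http_post(url: str, headers: Dict[str, str], body: bytes) -> bytes:
    """Real transport using only the standard library."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=900) as resp:  # static scans can take minutes
        return resp.read()


def build_multipart(field: str, filename: str, content: bytes):
    """Encode one file as a multipart/form-data body; returns (content_type, body)."""
    boundary = uuid.uuid4().hex
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + content + tail


class MobSFClient:
    def __init__(self, api_key: str, base_url: str = MOBSF_URL, post: Transport = http_post):
        self.api_key = api_key
        self.base_url = base_url.rstrip("/")
        self.post = post

    def _call(self, path: str, body: bytes, content_type: str) -> bytes:
        # MobSF authenticates REST calls with the API key in the Authorization header.
        headers = {"Authorization": self.api_key, "Content-Type": content_type}
        return self.post(f"{self.base_url}{path}", headers, body)

    def _form(self, path: str, **params) -> bytes:
        return self._call(path, urllib.parse.urlencode(params).encode(),
                          "application/x-www-form-urlencoded")

    def upload(self, filename: str, content: bytes) -> dict:
        """Upload the APK; MobSF answers with the hash that identifies this scan."""
        ctype, body = build_multipart("file", filename, content)
        return json.loads(self._call("/api/v1/upload", body, ctype))

    def scan(self, uploaded: dict) -> dict:
        """Run the static analyzer; the JSON returned is the full report."""
        params = {"hash": uploaded["hash"]}
        # Older MobSF releases also expect scan_type and file_name; newer ones ignore them.
        for key in ("scan_type", "file_name"):
            if key in uploaded:
                params[key] = uploaded[key]
        return json.loads(self._form("/api/v1/scan", **params))

    def download_pdf(self, file_hash: str) -> bytes:
        """Fetch the same PDF report the GUI offers for download."""
        return self._form("/api/v1/download_pdf", hash=file_hash)


def run_static_scan(client: MobSFClient, apk_name: str, content: bytes,
                    pdf_out: str = None) -> dict:
    """Upload -> scan -> fetch PDF; returns a summary with the scan hash."""
    uploaded = client.upload(apk_name, content)
    if "hash" not in uploaded:
        raise RuntimeError(f"upload failed: {uploaded}")
    report = client.scan(uploaded)
    pdf = client.download_pdf(uploaded["hash"])
    if pdf_out:
        Path(pdf_out).write_bytes(pdf)
    return {"hash": uploaded["hash"], "pdf_bytes": len(pdf), "report": report}


if __name__ == "__main__":
    import sys
    api_key, apk_path = sys.argv[1], sys.argv[2]  # usage: script.py <API_KEY> <app.apk>
    summary = run_static_scan(MobSFClient(api_key), Path(apk_path).name,
                              Path(apk_path).read_bytes(), pdf_out="mobsf_report.pdf")
    print(f"scan {summary['hash']}: wrote {summary['pdf_bytes']} bytes to mobsf_report.pdf")
```

Keep the API key out of the command line in real use (read it from an environment variable or a secrets store); it grants full access to every scan stored in that MobSF instance.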

Next, we move on to viewing the source code and finding the weaknesses in the application. To do so we will use dex2jar and then read the source code.

First of all, we copy our classes.dex file (extracted from the APK, which is simply a zip archive) into the dex2jar folder and open a command prompt there.

classes.dex file in dex2jar

Then to convert it into a jar file we run a command:

d2j-dex2jar.bat classes.dex

The above command converts our .dex file into a .jar file.

Converting .dex into .jar

Once the file has been converted into a .jar file, open JD-GUI and simply drag and drop the .jar file into it.

Dragging .jar file in jd-gui
Ready to view source code
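Before copying classes.dex into the dex2jar folder it is worth looking at what the APK actually contains. The script below is an added example, not code from the original post or from the dex2jar or JD-GUI projects. It opens the APK as the zip archive it is, lists every classes*.dex entry (multidex apps ship classes.dex, classes2.dex and so on, and JD-GUI will only show the classes from the one file you converted), and verifies the Adler-32 checksum and SHA-1 signature that every DEX header carries, which catches a truncated or modified file before you spend time decompiling it. The sample APK it analyses when run without arguments is constructed in memory so the script runs offline.

```python
"""Inspect the DEX files inside an APK before handing them to dex2jar / JD-GUI.

Added example. The sample APK and its DEX headers are constructed in this
file (no real app is bundled); pass a real APK path to inspect it instead.
"""
import hashlib
import io
import re
import struct
import sys
import zipfile
import zlib

# DEX header layout (dex_header_item): 8-byte magic, uint32 checksum,
# 20-byte SHA-1 signature, then 20 uint32 fields = 0x70 bytes in total.
DEX_HEADER_FMT = "<8sI20s20I"
DEX_HEADER_SIZE = struct.calcsize(DEX_HEADER_FMT)  # 0x70
DEX_UINT_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)
ENDIAN_CONSTANT = 0x12345678
DEX_ENTRY = re.compile(r"^classes\d*\.dex$")  # classes.dex, classes2.dex, ...


def parse_dex_header(data: bytes) -> dict:
    """Decode the header and verify file size, checksum and signature."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("file shorter than a DEX header")
    magic, checksum, signature, *fields = struct.unpack_from(DEX_HEADER_FMT, data)
    if not (magic.startswith(b"dex\n") and magic.endswith(b"\0")):
        raise ValueError(f"not a DEX file: magic={magic!r}")
    info = dict(zip(DEX_UINT_FIELDS, fields))
    info["version"] = magic[4:7].decode("ascii")
    # Per the DEX format: the checksum covers everything after the checksum
    # field (offset 12 onward); the signature covers everything after itself
    # (offset 32 onward). A tampered or truncated file fails one or both.
    info["checksum_ok"] = checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF)
    info["signature_ok"] = signature == hashlib.sha1(data[32:]).digest()
    info["size_ok"] = info["file_size"] == len(data)
    info["little_endian"] = info["endian_tag"] == ENDIAN_CONSTANT
    return info


def build_minimal_dex(version: bytes = b"035", class_defs: int = 0) -> bytes:
    """Constructed header-only DEX with a valid checksum and signature (sample data)."""
    fields = dict.fromkeys(DEX_UINT_FIELDS, 0)
    fields.update(file_size=DEX_HEADER_SIZE, header_size=DEX_HEADER_SIZE,
                  endian_tag=ENDIAN_CONSTANT, class_defs_size=class_defs)
    values = [fields[name] for name in DEX_UINT_FIELDS]
    body = struct.pack("<20I", *values)                       # bytes 32..end
    signature = hashlib.sha1(body).digest()                    # covers bytes 32..end
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF    # covers bytes 12..end
    return struct.pack(DEX_HEADER_FMT, b"dex\n" + version + b"\0", checksum, signature, *values)


def build_sample_apk() -> bytes:
    """Constructed two-DEX (multidex) APK used as offline sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<constructed placeholder>")
        z.writestr("classes.dex", build_minimal_dex(class_defs=3))
        z.writestr("classes2.dex", build_minimal_dex(version=b"039", class_defs=1))
    return buf.getvalue()


def inspect_apk(apk_bytes: bytes) -> dict:
    """Return {dex entry name: header info} for every classes*.dex in the APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {name: parse_dex_header(z.read(name))
                for name in z.namelist() if DEX_ENTRY.match(name)}


def main(argv):
    apk = open(argv[1], "rb").read() if len(argv) > 1 else build_sample_apk()
    for name, h in inspect_apk(apk).items():
        intact = h["checksum_ok"] and h["signature_ok"] and h["size_ok"]
        print(f"{name}: dex v{h['version']}, {h['class_defs_size']} class defs, "
              f"{h['method_ids_size']} method ids, integrity {'OK' if intact else 'MODIFIED/TRUNCATED'}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python inspect_dex.py app.apk`. If it lists more than one DEX entry, give dex2jar the whole APK (`d2j-dex2jar.bat app.apk`) instead of copying only classes.dex, so the resulting .jar contains all classes; an integrity failure on any entry means the file you are about to decompile is not what the build produced.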

Yeah!!! We are ready to view our source code and find the flaws and weaknesses in the application...

Thank you all for spending your precious time reading this article.

Stay tuned for next attack.


Written by Shadab Ahmed Ansari

Senior Security Analyst | Penetration Tester
