Android Mobile App Security Testing – Part 1

I am currently performing security testing of Android Mobile Apps. I am documenting the whole process, tools and configuration steps necessary for security testing, so this may help someone who starts fresh. 

Step 1: Download Oracle VirtualBox

 

Step 2: Download and Install Kali Linux

 

Step 3: Download Genymotion Personal Use and Google Nexus Simulator

You need to register and login with an email address to use Genymotion.

 

In the Genymotion console, download Google Nexus 6 Android API 5.1. Before starting Google Nexus simulator, click on the 3 dots (…) and choose Edit.

Install and Configure Genymotion Simulator

 

Under Network mode, choose the same network that Kali Linux is connected to, because in a later step we use the ADB tool to connect to the Android simulator from Kali Linux, and that works only if both are on the same network.

Genymotion Bridge mode

 

Step 4: Install ADB and Start Google Nexus

Android Debug Bridge (adb) is a versatile command-line tool that lets you communicate with a device (in our case, Google Nexus). The adb command facilitates a variety of device actions, such as installing and debugging apps.

In Kali Linux, execute the following command to install ADB.

# apt-get install adb

At this stage, also start the Google Nexus simulator by clicking the 3 dots (…) in Genymotion and choosing Start.

Install and Configure Genymotion Simulator

You need to find the IP address of your Android device: on the Google Nexus 6, open Settings on the phone and look up the Wi-Fi IP address.

IP Address of Genymotion Android

 

Step 5: Connect to Android Google Nexus

In Kali Linux, issue the following command to connect to the device by its IP address. Change the IP address to match yours.

# adb connect 192.168.100.14

If the ADB server process is not already running, the command starts it and it binds to local TCP port 5037. The server then sets up a connection to the device by scanning ports in the range 5555 to 5585.

Issue the following command to confirm that your host computer is connected to the target device:

# adb devices

genymotion ADB Connect

You’re now good to go!

If the adb connection is ever a problem, make sure that your Kali Linux and Genymotion are connected to the same Wi-Fi network.

Issue the following command if you want to reset your adb host:

# adb kill-server

Then start over from the beginning of Step 5.
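The Step 4 and Step 5 procedure (connect by IP, confirm with `adb devices`, reset the server and retry if the device does not show up) can be scripted. The following is an added example written for this page, not code from the original post or from the adb project. It assumes `adb` is on the PATH of the Kali host, that the device IP is the one from the post (192.168.100.14), and that the Kali host address (192.168.100.20 here) and the /24 prefix are placeholders you replace with your own. The `same_network` check encodes the post's requirement that both machines sit on the same network; the parser reports the state adb lists for the device (`device`, `offline`, `unauthorized`) rather than just whether the line exists.

```python
"""Connect Kali's adb to a Genymotion device over TCP/IP and verify the link.

Added example, not part of the original post. Assumes `adb` is on PATH; the
IP addresses are placeholders taken from or modelled on the post.
"""
import ipaddress
import subprocess

ADB_PORT = 5555  # port adb connect uses when none is given; shown in `adb devices`


def same_network(host_ip: str, device_ip: str, prefix_len: int) -> bool:
    """True if the Kali host and the Android device share one subnet.

    adb over Wi-Fi only works when both are on the same network, so this is
    worth checking before `adb connect` rather than after a silent failure."""
    net = ipaddress.ip_network(f"{host_ip}/{prefix_len}", strict=False)
    return ipaddress.ip_address(device_ip) in net


def parse_adb_devices(output: str) -> dict:
    """Parse `adb devices` output into {serial: state}.

    Serials for TCP/IP devices look like '192.168.100.14:5555'; states adb
    reports include 'device', 'offline' and 'unauthorized'."""
    devices = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("List of devices"):
            continue
        parts = line.split()
        if len(parts) >= 2:
            devices[parts[0]] = parts[1]
    return devices


def device_state(devices: dict, device_ip: str, port: int = ADB_PORT) -> str:
    """State of the device entry, or 'missing' if adb does not list it."""
    return devices.get(f"{device_ip}:{port}", "missing")


def run_adb(*args: str) -> str:
    """Run one adb command and return its combined output (needs adb on PATH)."""
    proc = subprocess.run(["adb", *args], capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr


def ensure_connected(device_ip: str, host_ip: str, prefix_len: int = 24) -> str:
    """Follow the post's procedure: connect, confirm with `adb devices`, and if
    the device is not in state 'device', kill the server and start over once."""
    if not same_network(host_ip, device_ip, prefix_len):
        raise ValueError(f"{device_ip} is not on the same subnet as {host_ip}/{prefix_len}")
    state = "missing"
    for _attempt in range(2):
        run_adb("connect", device_ip)
        state = device_state(parse_adb_devices(run_adb("devices")), device_ip)
        if state == "device":
            break
        run_adb("kill-server")  # reset the adb host, as the post suggests
    return state


if __name__ == "__main__":
    # Placeholder addresses: device IP from the post, host IP is assumed.
    print(ensure_connected("192.168.100.14", "192.168.100.20"))
```

A result of `offline` usually means the device was reachable but the session is stale, and `unauthorized` means the debugging prompt on the device was not accepted; both are worth distinguishing from `missing`, which is the symptom of the wrong network.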

See you in Part 2 of this article.

Disable SSL/TLS Diffie-Hellman Modulus 1024 Bits

When an SSL/TLS connection is established using a DH modulus of 1024 bits or less, an attacker could compute the shared secret in a short amount of time (depending on modulus size and attacker resources). This may allow an attacker to recover the plaintext or potentially violate the integrity of connections.

How to detect vulnerability?

Use nmap

nmap -Pn -p 443 --script ssl-dh-params <IP-address>

nmap DH 1024

 

How to fix vulnerable systems?

1. Navigate to the following path in the Registry.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\KeyExchangeAlgorithms

2. Create a new subkey named Diffie-Hellman if it does not already exist.

DH 1024 Bits

3. Create a DWORD value called Enabled and set it to 0.

Disable SSL RC4 Cipher Suites on Windows Server

Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS) protocols provide integrity, confidentiality and authenticity services to other protocols that lack these features. SSL/TLS protocols use ciphers such as AES, DES, 3DES and RC4 to encrypt the content of the higher-layer protocols. However, RC4 is considered practically vulnerable, and it is recommended that RC4 be disabled on the server.

How to detect Vulnerability?

Download and use testssl.sh:

./testssl.sh --rc4 <ip-address>

testssl.sh rc4

 

How to fix Vulnerable Systems?

1. Navigate to the following path in regedit.

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers

2. Create the following RC4 subkeys if they do not already exist.

Disable RC4 Cipher on Windows Server

3. Create a REG_DWORD value called Enabled and set it to 0 in each of the 3 RC4 subkeys.
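Both registry fixes on this page (the Diffie-Hellman key exchange fix above and the RC4 cipher fix here) are the same operation: create a subkey under SCHANNEL and set a REG_DWORD `Enabled` to 0. Rather than clicking through regedit on every server, you can generate one `.reg` file and also audit an exported registry tree to see which keys are still missing or still enabled. The block below is an added example written for this page, not code from the original post. The SCHANNEL key paths are the ones quoted in the post; the three RC4 subkey names (`RC4 40/128`, `RC4 56/128`, `RC4 128/128`) are the standard SChannel cipher names that the post's screenshot refers to as "the 3 RC4 folders". Apply the output with regedit or `reg import` and reboot for SChannel to pick it up.

```python
"""Generate and audit the SCHANNEL registry hardening from this page.

Added example, not from the original post. Key paths come from the post;
RC4 subkey names are the standard SChannel cipher key names.
"""
SCHANNEL = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL"
RC4_SUBKEYS = ("RC4 40/128", "RC4 56/128", "RC4 128/128")


def schannel_disable_keys() -> list:
    """Every key that needs Enabled = 0: the DH key exchange and the RC4 ciphers."""
    keys = [f"{SCHANNEL}\\KeyExchangeAlgorithms\\Diffie-Hellman"]
    keys += [f"{SCHANNEL}\\Ciphers\\{name}" for name in RC4_SUBKEYS]
    return keys


def reg_file(keys=None) -> str:
    """Render a .reg file: one [key] section per key, each with Enabled=dword:0.

    regedit creates missing subkeys on import, which covers steps 2 and 3 of
    both procedures in one go. .reg files conventionally use CRLF."""
    keys = keys if keys is not None else schannel_disable_keys()
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in keys:
        lines += [f"[{key}]", '"Enabled"=dword:00000000', ""]
    return "\r\n".join(lines)


def audit(exported_reg: str) -> dict:
    """Check an export of the SCHANNEL tree (`reg export HKLM\\...\\SCHANNEL out.reg`).

    Returns, per required key: 'disabled' (Enabled is 0), 'enabled' (key exists
    but Enabled is not 0) or 'missing' (key absent, so the OS default applies,
    which for DH and RC4 on older servers means still enabled)."""
    sections = {}
    current = None
    for raw in exported_reg.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            sections[current][name.strip().strip('"').lower()] = value.strip().lower()
    result = {}
    for key in schannel_disable_keys():
        values = sections.get(key.lower())
        if values is None:
            result[key] = "missing"
        elif values.get("enabled") == "dword:00000000":
            result[key] = "disabled"
        else:
            result[key] = "enabled"
    return result


if __name__ == "__main__":
    print(reg_file())
```

Setting `Enabled` to 0 under `Diffie-Hellman` removes the finite-field DHE suites entirely; the `ECDH` and `PKCS` (RSA) key exchange keys that sit beside it under `KeyExchangeAlgorithms` are untouched, so ECDHE suites keep working. Run the audit against a fresh `reg export` after the reboot, since SChannel reads these keys at service start.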

 

PenTest Tool: Ping Sweep

Ping Sweep is similar to Ping, but the difference is the number of IP addresses that can be scanned. Ping Sweep is used to scan a network or a large number of IP addresses to find out how many hosts are live, whereas Ping is used to check a single host or IP address.

Both Ping Sweep and Ping send an ICMP echo request to the host and wait for an ICMP echo reply to determine the host status.

Ping Sweep Tools:

nmap command:

The -sP option does only a Ping scan to determine the live status of hosts.

c:\Tools\nmap-7.70>nmap.exe -sP 192.168.100.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-01 11:41 Arab Standard Time
Nmap scan report for 192.168.100.1
Host is up (0.012s latency).
MAC Address: 4C:1F:CC:2B:04:C0 (Huawei Technologies)
Nmap scan report for 192.168.100.3
Host is up (0.033s latency).
MAC Address: 54:60:09:0D:2E:6E (Google)
Nmap scan report for 192.168.100.8
Host is up (0.043s latency).
MAC Address: 9A:FC:11:B6:6C:BA (Unknown)
Nmap scan report for 192.168.100.18
Host is up (0.081s latency).
MAC Address: C0:9F:05:65:13:99 (Guangdong Oppo Mobile Telecommunications)
Nmap scan report for 192.168.100.10
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 12.03 seconds

 

In networks where ICMP is blocked at the firewall, you cannot use the above command to determine host status. Instead, use a TCP SYN scan to determine host status.

c:\Tools\nmap-7.70>nmap -sS -p80 192.168.100.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-01 12:07 Arab Standard Time
Nmap scan report for 192.168.100.1
Host is up (0.0048s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 4C:1F:CC:2B:04:C0 (Huawei Technologies)

Nmap done: 1 IP address (1 host up) scanned in 4.45 seconds
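Whether the sweep used ICMP (-sP) or a TCP SYN probe on a port the firewall lets through, the next job is usually to turn nmap's text into a host list for the report. The parser below is an added example written for this page, not code from the original post or from the nmap project; it handles both output shapes shown above, including the "Host is up." line without latency that nmap prints for the scanning host itself, and cross-checks the parsed count against nmap's own "Nmap done" summary. The embedded samples are the post's outputs, trimmed to three hosts for the sweep (so the summary line in the sample is constructed to match).

```python
"""Parse nmap -sP / -sS text output into per-host records.

Added example, not part of the original post. Samples are trimmed copies of
the post's output; the sweep summary line is constructed to match the trim.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

REPORT = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
UP = re.compile(r"^Host is up(?: \(([\d.]+)s latency\))?\.$")
MAC = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.*)\)$")
PORT = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
SUMMARY = re.compile(r"^Nmap done: (\d+) IP address(?:es)? \((\d+) hosts? up\)", re.M)

SAMPLE_SWEEP = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-01 11:41 Arab Standard Time
Nmap scan report for 192.168.100.1
Host is up (0.012s latency).
MAC Address: 4C:1F:CC:2B:04:C0 (Huawei Technologies)
Nmap scan report for 192.168.100.3
Host is up (0.033s latency).
MAC Address: 54:60:09:0D:2E:6E (Google)
Nmap scan report for 192.168.100.10
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 12.03 seconds
"""

SAMPLE_SYN = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-01 12:07 Arab Standard Time
Nmap scan report for 192.168.100.1
Host is up (0.0048s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 4C:1F:CC:2B:04:C0 (Huawei Technologies)

Nmap done: 1 IP address (1 host up) scanned in 4.45 seconds
"""


@dataclass
class Host:
    address: str
    latency_s: Optional[float] = None   # None when nmap prints "Host is up." only
    mac: Optional[str] = None           # only present for hosts on the local LAN
    vendor: Optional[str] = None
    open_ports: List[str] = field(default_factory=list)


def parse_nmap(text: str) -> List[Host]:
    """Return one Host per target nmap reported as up."""
    hosts: List[Host] = []
    current: Optional[Host] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REPORT.match(line)
        if m:
            # "Nmap scan report for name (ip)" when reverse DNS resolves; keep the IP
            current = Host(address=m.group(2) or m.group(1))
            continue
        if current is None:
            continue
        m = UP.match(line)
        if m:
            current.latency_s = float(m.group(1)) if m.group(1) else None
            hosts.append(current)
            continue
        m = MAC.match(line)
        if m:
            current.mac, current.vendor = m.group(1), m.group(2)
            continue
        m = PORT.match(line)
        if m and m.group(3) == "open":
            current.open_ports.append(f"{m.group(1)}/{m.group(2)}")
    return hosts


def check_summary(text: str, hosts: List[Host]) -> bool:
    """True if the number of parsed hosts matches nmap's 'Nmap done' line."""
    m = SUMMARY.search(text)
    return bool(m) and int(m.group(2)) == len(hosts)


if __name__ == "__main__":
    for sample in (SAMPLE_SWEEP, SAMPLE_SYN):
        found = parse_nmap(sample)
        print(f"{len(found)} live host(s), summary consistent: {check_summary(sample, found)}")
        for h in found:
            print(f"  {h.address:16} latency={h.latency_s} vendor={h.vendor} open={h.open_ports}")
```

For anything beyond a quick look, nmap's `-oX` (XML) output is the robust input for tooling; the text parser above is for the case where all you have is the console transcript, as in the post.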

GUI Tools: 

There are plenty of GUI tools that do a similar job; one of them is ping sweep | pentest-tools.com

The tool calls Nmap with the proper parameters to do the sweep. Behind the scenes, Nmap sends multiple probes to the target systems to provoke responses that suggest the hosts are live:

  • ICMP echo requests
  • TCP SYN on ports 80,443
  • ICMP timestamp requests