however, an open-source android apps pen-testing distro called “Santoku ISO” specially made for android apps pen-testing. Choosing the right Operating System:Īndroid pen-testing on windows operating system is a little bit difficult due to the unavailability of tools for Windows OS. make sure that you have the right USB drivers installed on your mobile device and a USB cable in very good condition otherwise, you could face many problems. If you wanna test applications that involve any attraction with the camera or fingerprint components including how the device behaves then I would suggest doing it on real mobile devices. Setting up the Android testing Environment:Īndroid pen-testing can be done on both Real devices or VM emulators. The below figure shows all the possible attack aspects of pen-testing an android app. This file contains pre-compiled resources. (Dalvik is a discontinued process virtual machine in Google’s Android operating system that executes applications written for Android.) Resources.arsc: Res directory contains the resources that are not compiled into resources.arsc xĬx are the classes that are compiled in the dex file format understandable by Dalvik virtual machine. MIPS (compiled code for MIPS processors).arm64-v8a(code for all ARM64 processors).Armeabi (Code for all the ARM-based processors).this directory further splits into more directories. The lib directory contains the compiled code of the software layer of a processer. SF (Contains resources and SHA1-Digest).RSA (The Certificate of the application).META-INF directory contains the following files: This directory contains application assets. this file usually present in the form of Android binary XML that can be converted into understandable form (Plain-text XML) with different tools. Contents of an APK File:ĪndroidManifest.xml contains the name of the application, version, access rights, referenced libraries, etc. I won’t cover the comprehensive details of the security model. there’s another mechanism called “Permission” that enforces different restrictions on the specific operations that a particular process can perform. Security between android application and the system is enforced at the process level through different Linux facilities, such as user and group IDs. Android Security Model:Īndroid’s Security Model consists of two parts: For example, the Android Runtime (ART) relies on the Linux kernel for underlying functionalities such as threading and low-level memory management. The foundation of the Android platform is the Linux kernel. These APIs form the building blocks you need to create Android apps by simplifying the reuse of core, modular system components. The Android OS is available to you through APIs written in the Java language. Some core Android system components, such as ART and HAL, are built from native code that requires native libraries written in C and C++. Any third-party application can become the user’s default usage. The below diagram shows the major components of the Android platform.Īndroid comes with different sets of apps for SMS, Email, internet browsers, etc. Let’s get started: Android Architecture:Īndroid is an open-source Linux-based system created for a wide array of devices. Additionally, you need to set up a virtual or real device according to which type of applications you wanna test. The difference is that you have to figure out a different method by reverse engineering applications. Pen-testing android apps require different methodologies than web applications. In this article, I’m not gonna only write about android apps pen-testing but I’ll also describe how to setup Android testing LAB/ENVIRONMENT including different open source tools and scripts. if you are developing applications for Android and iOS devices and you’re not up to speed on pen-testing strategies, you have to get into it quickly. Getting Started in Android apps Pen-testing (PART-1):Īmazing development and growth in mobile apps have carried a bunch of vulnerabilities that attackers are ready to exploit. I hope this article will help you with learning something new. My name is M.Qasim Munirand this is my first blog article that I’m writing about getting started in android apps pen-testing.
0 Comments
Leave a Reply. |