Hi everyone. In this article, I will explain how to test Android applications using MobSF as a Dynamic Application Security Testing tool, or Dynamic Analyzer. I’ll try to explain everything in detail, yet clearly.

Introduction

“Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.”

Preparation

  • Git & Python 3.8–3.9
  • JDK 8+
  • Microsoft Visual C++ Build Tools
  • OpenSSL (non-light)
  • Wkhtmltopdf
  • Genymotion and VirtualBox (for Dynamic Analyzer testing)

Setup MobSF

Clone the MobSF GitHub repository by running the following command.

    # git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git

Change into the folder that was just cloned.

    # cd Mobile-Security-Framework-MobSF

Run the setup.bat command.

    # setup.bat

Run MobSF

To run MobSF, enter the installation folder from the previous step and run the following command:

    # run.bat 127.0.0.1:8000


Type of Analysis

MobSF checks mobile applications (APK, IPA & APPX) and zipped source code for security vulnerabilities. It works in two ways: Static Analysis and Dynamic Analysis.

Static Analysis

In static analysis, or static testing, MobSF performs source-code-based analysis without running the application, so the results do not depend on the runtime environment. This means static analysis can be used alongside application development. Static testing is most effective when carried out regularly on a predetermined schedule, so that every time code is updated or released, it has already been tested without having to run the application.

Dynamic Analysis

Dynamic Analysis is the process of testing an application in real time, while the software is in operation. Its main purpose is to analyze and look for security holes in running Android applications. Dynamic analysis can be applied when application development has entered the production phase, or after the development phase.


Setup Dynamic Analyzer

Run a Genymotion Android VM, version 4.1 to 10.0 (x86, up to API 29). I use a Samsung Galaxy S6 device and API 25 for the Android Virtual Device because I think it was stable on my laptop.

 
Upload the APK to be tested on the MobSF dashboard. I use the Diva application. After the APK file has been uploaded successfully, start a Dynamic Analysis by selecting the Start Dynamic Analysis menu on the MobSF dashboard.


MobSF will then install the Diva application on the Android Virtual Device that is connected to MobSF. If the application cannot be installed properly, the cause may be that the Android API version you are using does not meet the minimum requirements of MobSF. After the application has been installed successfully, you will be directed to the Dynamic Analyzer page. The dashboard page contains a set of menus that can be used in performing Dynamic Analysis testing.


After you press the Start Instrumentation button, the application runs automatically in the emulator and is displayed on the Dynamic Analyzer page.

Example Attack Scenarios

Diva has various features that can be used, such as credential input and a simple form that contains only a single field. In general, Android data storage falls into two types: internal and external. Internal storage gives applications the right to store application data, both cached data and others. Here, I will show two features that Diva has deliberately designed to have Insecure Data Storage and Insufficient Cryptography vulnerabilities.


The figure above shows the Insecure Data Storage Part 1 feature. This feature contains username and password inputs. The application stores the username and password in the storage provided. I tried to enter credentials with the username “Dila Dina” and the password “password123”. As explained at the start, every activity carried out by users on the application will be recorded by MobSF. Then, to determine whether the input form on the Insecure Data Storage feature has vulnerabilities, look at the report produced by the Generate Report feature on MobSF. In the application directory, we can see that there is an XML store named jakhar.aseem.diva_preferences.xml.

Figure: XML File and Credentials

From the XML file, MobSF shows that the Diva application uses XML as credential data storage. We can see the credentials entered in the Insecure Data Storage Part 1 feature, stored without any encryption.

The same thing was found in Insecure Data Storage Part 2. I tried to enter the username and password. The results show that this feature stores credentials in an SQLite database named ids2.

Figure: Insecure Data Storage Part 2 feature

Within the application's directory, we can see a database called ids2 without any encryption at all, so this is a vulnerability in the form of Insufficient Cryptography. This category covers findings that can be abused by anyone with physical access to data that has been encrypted improperly, or by mobile malware acting on an adversary’s behalf.


Figure: Database ids2
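
The two findings above (credentials in a shared_prefs XML file and in the ids2 SQLite database) can also be checked with a script over a copy of the app's data directory. The following is an added example, not part of the original article or of MobSF: the sample data is constructed, and the preference key names, the myuser table and the list of credential-like names are assumptions.

```python
import re, sqlite3, tempfile
import xml.etree.ElementTree as ET
from contextlib import closing
from pathlib import Path

SENSITIVE = re.compile(r"user|pass|pwd|secret|token", re.I)  # assumed name patterns
SQLITE_MAGIC = b"SQLite format 3\x00"  # header of an unencrypted SQLite file

def scan_shared_prefs(path):
    """Flag <string> entries with a credential-like name and a non-empty value."""
    return [(path.name, n.get("name")) for n in ET.parse(path).getroot().iter("string")
            if SENSITIVE.search(n.get("name", "")) and (n.text or "").strip()]

def scan_sqlite(path):
    """Flag credential-like columns that hold data in a database readable as-is."""
    if path.read_bytes()[:16] != SQLITE_MAGIC:
        return []  # encrypted or not SQLite: not readable without a key
    hits = []
    with closing(sqlite3.connect(path.resolve().as_uri() + "?mode=ro", uri=True)) as con:
        tables = con.execute("SELECT name FROM sqlite_master WHERE type='table'")
        for (table,) in tables.fetchall():
            for col in con.execute(f'PRAGMA table_info("{table}")').fetchall():
                rows = con.execute(  # identifiers come from the file's own schema
                    f'SELECT COUNT(*) FROM "{table}" WHERE length("{col[1]}") > 0')
                if SENSITIVE.search(col[1]) and rows.fetchone()[0]:
                    hits.append((path.name, f"{table}.{col[1]}"))
    return hits

def scan_app_data(root):
    """Audit a copy of an app's data directory pulled from the test device."""
    prefs = sorted(Path(root).glob("shared_prefs/*.xml"))
    dbs = sorted(p for p in Path(root).glob("databases/*") if p.is_file())
    return ([h for f in prefs for h in scan_shared_prefs(f)]
            + [h for f in dbs for h in scan_sqlite(f)])

def build_sample(root):
    """Constructed stand-in for DIVA's data directory; key/table names are assumed."""
    for sub in ("shared_prefs", "databases"):
        (Path(root) / sub).mkdir(parents=True)
    (Path(root) / "shared_prefs" / "jakhar.aseem.diva_preferences.xml").write_text(
        '<map><string name="user">Dila Dina</string>'
        '<string name="password">password123</string></map>')
    with closing(sqlite3.connect(Path(root) / "databases" / "ids2")) as con:
        con.executescript("CREATE TABLE myuser(user VARCHAR, password VARCHAR);"
                          "INSERT INTO myuser VALUES ('Dila Dina', 'password123');")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_app_data(tmp))
```

A database that does not start with the plain SQLite header is skipped rather than reported, so an encrypted store produces no finding from this check.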