Thursday, February 6, 2025
HomeAndroidAndroid Application Penetration Testing Part - 4

Android Application Penetration Testing Part – 4

Published on

SIEM as a Service

Follow Us on Google News

As per my last article(Part 1), ( Part 2), (part-3) we had a look at basic architecture and penetration testing tools and ADB. Now let’s see some entry points for Android application Penetration testing.

From the perspective of security, the manifest file is usually the first thing that a penetration tester will check on an engagement.

c

Android Manifest File

  • It provides all details about an Android application
  • It names the Java package for the application
  • It declares all permissions
  • It describes Android applications components
  • It contains a declaration of a minimum level of API that application requires
  • minimum Android version required to run the program
  • services

We will use insecurebank.apk application to demonstrate

Allow debuggable: true

If an application is marked as debuggable then any attacker can access the application data by assuming the privileges of that application or can run arbitrary code under that application permission. In the case of a non-debuggable application, an attacker would first need to root the device to extract any data.

Java Debug Wire Protocol is the central link between the Debugger and the JVM instance

Without a rooted phone it is possible to extract the data or run an arbitrary code using application permission

             Before app start   after app start    

Above is the shell access of my personal phone which is not rooted.

Allow backup: true 

This setting defines whether application data can be backed up and restored by a user who has enabled usb debugging. Therefore applications that handle and store sensitive information such as card details, passwords etc. should have this setting set too false to prevent such risks

Open terminal

– Adb backup –apk –shared (apk name)

Cat backup.ab zlib-flate -uncompress > backup_compressed.tar

Permissions

Permission is a restriction that limits access to a part of the code or to data on the device.

Applications that have permission to copy data to external storage should be reviewed to ensure that no sensitive information is stored.

All the permissions that the application requests should be reviewed to ensure that they don’t introduce a security risk.

There are four values that can be used with this attribute:

  • Normal
  • Dangerous
  • Signature
  • Signature Or System

Example-

<Permission>

Android: protectionLevel=”signature”

</permission>

Intents

These are the components that are used to bind two or more different Android components together. Intents could be used to perform a variety of tasks, such as starting an action, switching activities, and starting services.

Intents can be used to launch an activity, send it to any interested broadcast receiver components, and communicate with a background service. Intents messages should be reviewed to ensure that they don’t contain any sensitive information that could be intercepted.

<Intent-filter>

<action android: name=”string” />

<category android: name=”string” />

</intent-filter>

Explicit intents connect one activity to another in the same application. These intents designate the target component by its name and they are typically used for application-internal messages – such as an activity launching a sister activity when a user clicks a button.

Implicit intents do not name a target and the field for the component name is left blank. Implicit intents are often used to activate components in other applications. For example, if we want to show the user a location on a map, we can use an implicit intent to request that another capable app show a specified location on a map.

You can follow us on LinkedinTwitter, and Facebook for daily Cybersecurity updates also you can take the Android Hacking and Penetration Testing Course to keep yourself self-updated.

Also Read

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Exploit 3,000 ASP.NET Machine Keys to Hack IIS Web Servers Remotely

Microsoft has raised alarms about a new cyber threat involving ViewState code injection attacks...

Abyss Locker Ransomware Attacking Critical Network Devices including ESXi servers

The Abyss Locker ransomware, a relatively new but highly disruptive cyber threat, has been...

Weaponized SVG Files With Google Drive Links Attacking Gmail, Outlook & Dropbox Users

A new wave of phishing attacks is leveraging Scalable Vector Graphics (SVG) files to...

Flesh Stealer Malware Attacking Chrome, Firefox, and Edge Users to Steal Passwords

A newly identified malware, Flesh Stealer, is rapidly emerging as a significant cybersecurity threat...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

BADBOX Botnet Surges: Over 190,000 Android Devices Infected, Including LED TVs

The BADBOX botnet, a sophisticated malware operation targeting Android-based devices, has now infected over...

Malicious Android & iOS Apps Downloaded Over 242,000 Times, Stealing Crypto Recovery Keys

A sophisticated malware campaign, dubbed SparkCat, has infiltrated Google Play and Apple’s App Store,...

Android Security Update Fixes Linux Kernel RCE Flaw Allow Read/Write Access

On February 3, 2025, Google published its February Android Security Bulletin, which addresses a...