Android Application Security Part 4-Get to know about your Arsenals

For all the demos below i have used FourGoats Application from OWASP-Goatdroid-Project. You can download from here

Android Debug Bridge

Below i have described must know methods of adb but i would recommend you to go through ADB Documentation to gain a better understanding of it.

  • adb devices – It Prints a list of all attached emulator/device instances.
  • adb install

    – It is used to install an apk file in to an Emulated/Connected Device. We will be pushing apk which we have downloaded above.

  • adb pull – It is used to fetch some data from Emulated device(remote) to local host(local).
  • adb push – It is used to push some data from local host(local) to Emulated Device(remote).Similarly we can also push file to the device.
  • adb forward – Forwards socket connections from a specified local port to a specified remote port on the emulator/device instance.
  • adb shell – Adb provides a Unix shell that you can use to run a variety of commands on an emulator or connected device.

Although there are some other utilities, Activity Manager(am) and Package Manager(pm) in adb shell. But we will use drozer for the same commands just because drozer offers to do task simply.

Drozer

Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps’ Inter Process Communication(IPC) endpoints and the underlying OS.

As Drozer is a very important tool in Android Application Security Assessment, i have written a seperate post for it.

Android Application Security Part 5- Firing Drozer

Apktool Usage

  • Type apktool in the Appie and it will list the default options of apktool.
  • Mainly we will be decoding an APK file for that we need to run apktool d filename.apk. After running that , it will create a folder in the same directory with decompiled files in it.

dex2jar Usage

  • dex2jar is mainly used to convert an APK file in to a jar file containing reconstructed source code.
    dex2jar filename.apk command will convert the APK file in to a jar file.

JD-GUI Usage

  • Above we have converted the APK file in to a jar file.

  • Now you can open that jar file in JD-GUI and view that reconstructed source code.

  • First type jdgui in Appie,it will open JD-GUI within the Appie.
  • Then open up the jar file in JD-GUI.