Drozer
Drozer is an Android Security Assessment and Attack Framework. It uses a client/server model: the "server" (agent) runs on the Android device, and the client runs on your laptop. Drozer was written in, and only runs on, Python 2. Even though Python 2 is now deprecated (and removed from macOS 12.3 and later), Drozer remains a very capable tool for interrogating an Android application.
Android Keyboard Cache
Keyboard caching is more complex on Android than it is on iOS. There is no centrally located file where the cache is stored, and Android allows custom keyboards to be installed and used on a per-app basis if desired. Most apps ship using the standard "Gboard" keyboard, which is the default on the device. If the app embeds its own keyboard, you will most likely discover that during the Static Analysis phase when reviewing the app files on the device.
System Logs
Like any Linux-based system, Android keeps a centralized structure of logs. Logging within the application is implemented with the Log class. There are varying levels of logs:
Android App Backup
Apps that target Android 6.0 (SDK 23) and higher can use the built-in "Auto Backup" feature. It is up to the developer whether to allow this functionality or not. The setting for this is stored in the app's AndroidManifest.xml file as the attribute android:allowBackup. This setting takes a Boolean value of either true or false.
Memory Dumps
There are many applications and scripts available to dump the process memory. The easiest way is to use the Fridump tool.
Filesystem Monitoring
Monitoring the file system is a good way of determining which files the app is writing to or reading from as it is being used. Reviewing the file system activity may point you to files or databases that you can review for sensitive information. This tracing can easily be accomplished using the fsmon utility.
Monitor Cryptographic Functions
Cryptography is crucial to mobile application security, since a lot of attacks are based on a threat actor having physical access to the device. Cryptography includes Encryption/Decryption, Hashing, Message Authentication Codes (MACs), Signatures, and Key Derivation Functions (KDFs).
Android Keystore Monitoring
The Android Keystore allows developers to create and store encryption keys. These keys are stored inside specialized, secure hardware such as the Trusted Execution Environment (TEE). Android then provides APIs to interact with the TEE and obtain the results of the cryptographic operations. During a mobile test, it is a good idea to evaluate the security of the Keystore to ensure that the cryptographic functions in use are secure.
Review App Session Cookies
Once you are logged into the mobile app, a session is established with the back-end server.
Local Server
Generally, an Android app would not have an active service (listener) running on the device. However, it is possible that an app runs its own web server in order to serve content via a reverse proxy. This is rare, but it does happen. During a penetration testing engagement, you should check whether the app accepts incoming connections.
Shared Preferences
Encrypted Shared Preferences
Starting in Android 6.0 (API Level 23), Android introduced a standard way to encrypt data in the shared_prefs directory. This is a great way to store small bits of information that the app needs during its operation without having them reside on the device in plain text. Encrypted shared preferences use key-value pairs when saving the data.
Biometrics Testing
It is important to note that biometrics testing should always be performed on a physical device.
Exploiting App Vulnerable To Janus (CVE-2017-13156)
A serious vulnerability in Android allows attackers to inject a malicious DEX (Dalvik Executable) file into an APK without affecting the code signatures. This attack was named Janus, after the Roman god of duality.
Task Hijacking Vulnerability
Task hijacking is a vulnerability that affects Android applications depending on how the task control features are configured in the AndroidManifest.xml file. It could allow an attacker or a malicious app to take over legitimate apps in order to steal information.