Android mobile application pentesting guide
In this article I’m going to cover all the tools and techniques used to conduct a successfull android mobile application penetration test.
Mobile application pentesting process can be devide into two main sub tasks,
- Dynamic Analysis
- Static Analysis
Dynamic Analysis
Tools I’m using
For the testing purposes I’m using genymotion emulator but some android applications can not be installed on emulators due to incompetible arm processors. In that situations I’m using a mobile phone to install the application but keep in mind if you use a mobile device it should be able to root the device.
(FYI: There is another trick to install apk file in unsupported emulator, just install Genymotion-ARM-Translation-for the vm. You can download the translator package from here, https://github.com/m9rco/Genymotion_ARM_Translation download the zip file and drag and drop)
Burpsuite is the proxy I’m using to intercept and modify the api calls.
Environment setup
Intercept the genymotion network traffic using burpsuite. Then install the mobile application apk file in emulator. In some projects I don’t get the apk file from the client in that cases below are the sites I use to get the apk file,
apkmirror.com
apkmonk.com
Analysis process
Static Analysis
Tools
Apktools adb