Hacking Android Apps : Part 1

Mobile hacking is a valuable skill because comparatively few hunters test mobile apps, so the rate of duplicate reports is much lower. Most major companies ship both Android and iOS versions of their apps; for now we will look only at Android.

Setting Up Mobile Proxy

The first step is to set up your testing device to work with a proxy. This generally involves installing the proxy's certificate on the device and changing the device's proxy settings. I do not recommend using your personal phone for this: testing usually means rooting the device and installing system-level certificates, which can leave it in an insecure state or damage it. Use an Android emulator (or a dedicated, rooted test device) instead. Download and install Burp Suite Community Edition, then configure Burp's proxy to accept connections from your device.
Navigate to Burp's Proxy -> Options tab (Proxy -> Proxy settings in recent versions). In the Proxy Listeners section, click Add. In the pop-up window enter a port number that is not currently in use and select All interfaces as the Bind to address option, then click OK. Your proxy will now accept connections from any Android device on the same Wi-Fi network. Be aware of what this means: binding to all interfaces exposes the listener to every host on that network, and anyone who can reach it can route traffic through your Burp instance, so do this only on a trusted network and never on public Wi-Fi. If you are using an emulator you do not need this at all: leave the listener bound to loopback and point the emulator at 10.0.2.2, the address under which an Android emulator reaches the host machine.

Now configure your Android device to use the proxy. Navigate to Settings -> Network -> Wi-Fi, tap and hold the Wi-Fi network you are connected to, and select Modify Network. Under Advanced options set Proxy to Manual, then enter your computer's IP address as the proxy hostname and the port you chose in Burp. (On an emulator you can instead set the proxy from the emulator's settings or with adb; the host machine is reachable from an AVD at 10.0.2.2.) Burp is now ready to intercept plain HTTP traffic from the device.

To intercept HTTPS traffic you also have to install Burp's CA certificate on the device. Visit http://burp/cert from a browser on your computer that is proxied through Burp (or open the listener address, for example http://127.0.0.1:8080, and use the CA Certificate link) to download the certificate, then copy it to the device. Navigate to Settings -> Security -> Install certificates from storage (the exact path varies by Android version; on recent versions it is under Encryption & credentials -> Install a certificate -> CA certificate), pick the certificate you copied, and if asked choose VPN and apps as the certificate use. This puts the certificate in the user trust store. One important caveat: apps that target Android 7 (API 24) or later ignore user-installed CAs by default unless their network security config explicitly trusts them, so for most modern apps you will need to install the certificate into the system trust store (which requires root, typically on an emulator) or repackage the app with a network security config that trusts user certificates. Only then can you intercept HTTPS traffic as well.
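The following script is an added example written for this page; it is not part of the original post, nor Burp's or Android's own tooling. It automates the emulator variant of the setup above with one important change: it installs the certificate into the system trust store, because apps targeting Android 7 (API 24) or later ignore user-installed CAs unless their network security config says otherwise. Android names system CA files after OpenSSL's "old" subject hash, and the script derives that name itself from Burp's DER certificate (it is the same value that openssl x509 -inform DER -in cacert.der -subject_hash_old -noout prints). Everything device-related is an assumption: Burp's CA exported as DER to cacert.der, adb on PATH, an AVD started with -writable-system so that adb remount succeeds, and Burp listening on host port 8080, which an AVD reaches as 10.0.2.2. The sample certificate the script builds for its offline demo is constructed and not cryptographically valid.

```python
# Added example, not from the original post. Assumptions are listed in the text above.
import base64
import hashlib
import os
import struct
import subprocess
import sys
import tempfile

CACERTS_DIR = "/system/etc/security/cacerts"
HOST_FROM_AVD = "10.0.2.2"   # an AVD reaches the host machine's loopback at this address
BURP_PORT = 8080             # assumed Burp listener port on the host

def der(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV (short- or long-form length)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def read_tlvs(data: bytes):
    """Split DER into (tag, whole_tlv, value) triples. Single-byte tags only,
    which is all the outer layers of an X.509 certificate use."""
    out, i = [], 0
    while i < len(data):
        start, tag, length = i, data[i], data[i + 1]
        i += 2
        if length & 0x80:                          # long form: next n bytes hold the length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        out.append((tag, data[start:i + length], data[i:i + length]))
        i += length
    return out

def subject_der(cert_der: bytes) -> bytes:
    """Certificate ::= SEQ { tbs, sigAlg, sig }; TBSCertificate ::= SEQ {
    [0] version OPTIONAL, serial, sigAlg, issuer, validity, subject, ... }"""
    fields = read_tlvs(read_tlvs(read_tlvs(cert_der)[0][2])[0][2])
    if fields[0][0] == 0xA0:                       # explicit [0] version tag (v2/v3 certs)
        fields = fields[1:]
    tag, whole, _ = fields[4]
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE: not an X.509 certificate?")
    return whole

def subject_hash_old(name_der: bytes) -> str:
    """OpenSSL X509_NAME_hash_old: first 4 bytes of MD5(DER name) as a little-endian
    int. Android names system CAs <hash>.0 (what `openssl x509 -subject_hash_old` prints)."""
    return "%08x" % struct.unpack("<I", hashlib.md5(name_der).digest()[:4])[0]

def android_ca_filename(cert_der: bytes) -> str:
    return subject_hash_old(subject_der(cert_der)) + ".0"

def der_to_pem(cert_der: bytes) -> str:
    b64 = base64.b64encode(cert_der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def make_name(common_name: str) -> bytes:
    """Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String } } }"""
    rdn = der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, common_name.encode()))
    return der(0x30, der(0x31, rdn))

def build_fake_cert(subject: bytes, with_version: bool = True) -> bytes:
    """Constructed certificate: right shape for the walker, NOT cryptographically valid."""
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    fields = [der(0xA0, der(0x02, b"\x02"))] if with_version else []
    fields += [der(0x02, b"\x01"), sha256_rsa, subject, validity, subject, der(0x30, b"")]
    return der(0x30, der(0x30, b"".join(fields)) + sha256_rsa + der(0x03, b"\x00" * 9))

def adb(*args: str) -> None:
    subprocess.run(["adb", *args], check=True)

def install_system_ca(cert_path: str, port: int = BURP_PORT) -> str:
    """Push the CA into the system store, set the global proxy, reboot. Returns the
    filename used. Undo the proxy later with: adb shell settings put global http_proxy :0"""
    with open(cert_path, "rb") as f:
        cert_der = f.read()
    name = android_ca_filename(cert_der)
    local = os.path.join(tempfile.gettempdir(), name)
    with open(local, "w") as f:
        f.write(der_to_pem(cert_der))
    adb("root")
    adb("remount")           # needs -writable-system; newer images also need adb disable-verity + reboot first
    adb("push", local, f"{CACERTS_DIR}/{name}")
    adb("shell", "chmod", "644", f"{CACERTS_DIR}/{name}")
    adb("shell", "settings", "put", "global", "http_proxy", f"{HOST_FROM_AVD}:{port}")
    adb("reboot")
    return name

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("installed as", install_system_ca(sys.argv[1]))
    else:                    # offline demo on the constructed certificate
        print(android_ca_filename(build_fake_cert(make_name("PortSwigger CA"))))
```

Run it with the path to the DER file to perform the install; with no arguments it only prints the filename it would use for the built-in constructed certificate. Note that Android 14 moved the system CA store into the Conscrypt APEX module, so the push to /system does not apply on those images.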

Certificate Pinning

Certificate pinning (also called SSL pinning) is a security mechanism by which an application trusts only a predefined certificate or public key for a given server, usually a hash of it embedded in the app, instead of any certificate the device's trust store happens to accept. It is an extra defence against man-in-the-middle attacks, which is exactly what an intercepting proxy such as Burp Suite is. Because the check ignores the device trust store, installing Burp's certificate is not enough: the application will reject the proxy's certificate and you will not be able to intercept its HTTPS traffic until you bypass the pinning.

To intercept the traffic of a pinned app you must first bypass the pinning. How you do that varies from one application to another, but for the common implementations (the platform TrustManager, OkHttp's CertificatePinner, TrustKit and similar) generic hooks work, and both Frida and Objection provide them. Start frida-server on a rooted device or emulator (or inject the Frida gadget into the app with objection patchapk -s target.apk), attach with objection -g <package name> explore, and run android sslpinning disable in the Objection console. If the generic hooks do not work, the app is pinning in a way they do not cover (for example in native code or with a custom check), and you will have to locate that check in the decompiled app and hook it yourself with a Frida script.

Structure of an APK

Before attacking Android applications it is important to understand what they are made of. Android applications are distributed and installed as Android Package (APK) files. An APK is just a ZIP archive that contains the compiled code, the application manifest and the application resources. The AndroidManifest.xml file declares the application's package name, version, components and permissions (the access rights it requests and the ones it defines). Note that inside the APK the manifest is stored as compiled binary XML, so you need a tool such as apktool or aapt to read it. The manifest and the list of components of your target application give you a good overview of how it works and what attack surface it exposes.

There are four types of components: Activities, Services, BroadcastReceivers and ContentProviders. Activities are the screens the user interacts with. Services perform long-running operations in the background without a user interface. BroadcastReceivers let an app react to messages (intents) from the system and from other applications. ContentProviders provide a structured way to share data with other applications. Components that are exported (android:exported="true", or, for apps targeting Android versions before 12, any component that declares an intent filter) can be invoked by other apps, so they are the first place to look for attack surface.

The classes.dex file contains the application's compiled code in the Dalvik Executable (DEX) format; larger apps split it across classes.dex, classes2.dex and so on (multidex). The resources.arsc file contains the application's precompiled resources, such as strings, colors and styles. The lib folder contains native code: each subdirectory is named after a CPU architecture (ABI) such as arm64-v8a or x86_64 and holds the .so shared libraries built for it. The assets folder contains raw application assets (configuration files, web content, bundled data) that are often worth reading. The META-INF folder holds the v1 (JAR) signature: MANIFEST.MF lists every file in the APK with its digest, CERT.SF signs that list, and CERT.RSA (or .DSA/.EC) contains the signer's certificate and the signature itself. The newer v2 and v3 signatures are not files in the archive at all but live in an APK Signing Block placed just before the ZIP central directory.
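To make the layout concrete, here is an added example written for this page (not taken from the original post or from any Android tool) that inventories an APK with only the Python standard library. It checks the magic bytes that identify a compiled manifest (binary XML), a resources.arsc table and each classes*.dex file, lists the native ABIs under lib/, and distinguishes the old META-INF (v1) signature files from the APK Signing Block that v2/v3 signatures live in, which sits immediately before the ZIP central directory. The sample APK it builds is constructed in memory and is not a real application: the entry names and headers are right, the contents are placeholders, and the signing block it optionally inserts is an empty frame rather than a real signature.

```python
# Added example, not from the original post; the sample APK is constructed, not a real app.
import io
import json
import sys
import zipfile

DEX_MAGIC = b"dex\n"                       # followed by a 3-digit version and NUL, e.g. b"dex\n035\x00"
AXML_MAGIC = b"\x03\x00\x08\x00"           # compiled (binary XML) AndroidManifest.xml
ARSC_MAGIC = b"\x02\x00\x0c\x00"           # resources.arsc: RES_TABLE_TYPE with header size 12
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # last 16 bytes of the v2/v3 APK Signing Block

def central_directory_offset(apk: bytes) -> int:
    """Read the central-directory offset from the ZIP end-of-central-directory record."""
    eocd = apk.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("not a ZIP archive: no end-of-central-directory record")
    return int.from_bytes(apk[eocd + 16:eocd + 20], "little")

def has_apk_signing_block(apk: bytes) -> bool:
    """v2/v3 signatures sit in a block whose magic ends right before the central directory."""
    cd = central_directory_offset(apk)
    return cd >= 16 and apk[cd - 16:cd] == APK_SIG_BLOCK_MAGIC

def inventory(apk: bytes) -> dict:
    """Summarise the structural parts of an APK described in the text above."""
    zf = zipfile.ZipFile(io.BytesIO(apk))
    names = zf.namelist()

    def head(name: str, n: int = 8) -> bytes:
        return zf.read(name)[:n] if name in names else b""

    dex = {}
    for n in names:
        if n.startswith("classes") and n.endswith(".dex"):   # classes.dex, classes2.dex, ... (multidex)
            magic = head(n)
            dex[n] = magic[4:7].decode("ascii", "replace") if magic.startswith(DEX_MAGIC) else None
    meta = [n for n in names if n.startswith("META-INF/")]
    abis = {n.split("/")[1] for n in names if n.startswith("lib/") and n.count("/") >= 2}
    return {
        "manifest_compiled": head("AndroidManifest.xml", 4) == AXML_MAGIC,
        "resources_arsc": head("resources.arsc", 4) == ARSC_MAGIC,
        "dex": dex,                                            # name -> DEX format version
        "native_abis": sorted(abis),
        "assets": [n for n in names if n.startswith("assets/")],
        "v1_signature": "META-INF/MANIFEST.MF" in names
                        and any(n.endswith(".SF") for n in meta)
                        and any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta),
        "v2_signing_block": has_apk_signing_block(apk),
    }

def add_empty_signing_block(apk: bytes) -> bytes:
    """Insert an APK Signing Block with correct framing but no signer pairs (a constructed
    stand-in for a real v2 signature) before the central directory and fix the EOCD offset."""
    cd = central_directory_offset(apk)
    eocd = apk.rfind(b"PK\x05\x06")
    size = (8 + 16).to_bytes(8, "little")   # uint64 block size, excluding this leading field
    block = size + size + APK_SIG_BLOCK_MAGIC
    out = bytearray(apk[:cd] + block + apk[cd:])
    eocd += len(block)
    out[eocd + 16:eocd + 20] = (cd + len(block)).to_bytes(4, "little")
    return bytes(out)

def build_sample_apk(signed_v2: bool = False) -> bytes:
    """Constructed toy APK: real layout and headers, placeholder contents. Not installable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", AXML_MAGIC + b"\x00" * 28)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 104)
        zf.writestr("classes2.dex", b"dex\n039\x00" + b"\x00" * 104)
        zf.writestr("resources.arsc", ARSC_MAGIC + b"\x00" * 8)
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF placeholder")
        zf.writestr("lib/x86_64/libnative.so", b"\x7fELF placeholder")
        zf.writestr("assets/config.json", b'{"api": "https://api.example.com"}')
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"placeholder PKCS#7 signature blob")
    data = buf.getvalue()
    return add_empty_signing_block(data) if signed_v2 else data

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk(signed_v2=True)
    print(json.dumps(inventory(data), indent=2))
```

Point it at a real APK to get the same summary for your target; a None DEX version or a missing manifest magic is a quick sign that an entry is not what its name claims.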