Hunting for Vulnerabilities in Android Apps with Burp and APK Tools
For some, the world of mobile apps is a mystery: locked deep inside the smartphone, apps seem untouchable and do things we cannot look into. Or do they?
Luckily that is not true. All you need is Burp, a rooted Android phone and a few APK tools (adb, apktool and jadx).
Analyse App Traffic
- Set up a proxy listener in Burp, bound to all interfaces on a port of your choice.
- Export the Burp CA certificate (DER) and install it on the phone. Rename the file to .cer first; Android's certificate installer lives under Settings > Security, not under the Wi-Fi options. Note that apps targeting Android 7 or later do not trust user-installed CAs by default, so on a rooted phone you will usually want the certificate in the system store instead.
- Connect the phone to the same Wi-Fi network as the host running Burp.
- In the Wi-Fi network's advanced options set a manual HTTP proxy pointing at the Burp host and the listener port you chose.
Good guides for proxy and certificate installation on Android and iOS can be found here: https://support.portswigger.net/customer/portal/topics/754329-mobile-devices/articles
Once this is set up, you can use Burp to analyse the app's traffic just as you would for a normal web app.
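The steps above, scripted, as an added example that is not part of the original post: it fetches the Burp CA through the proxy itself, converts it to the file name Android's system certificate store expects, pushes it there (so apps that ignore user-installed CAs still trust Burp), and sets the device proxy over adb instead of through the Wi-Fi UI. It assumes adb, openssl and curl on the analyst host, a rooted device whose /system can be remounted, and Burp listening on BURP_HOST:BURP_PORT; the host and port values and the script name pull-ca-and-proxy.sh are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: adb, openssl and curl
# on PATH; a rooted device with a remountable /system; Burp on BURP_HOST:BURP_PORT.
# The defaults below are placeholders, override them in the environment.

BURP_HOST=${BURP_HOST:-192.168.1.10}
BURP_PORT=${BURP_PORT:-8080}

# Build the value Android expects for the global http_proxy setting, refusing
# nonsense ports so a typo does not silently leave the device unproxied.
proxy_value() {
    host=$1; port=$2
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    printf '%s:%s\n' "$host" "$port"
}

# Burp serves its CA (DER) at http://burp/cert to clients going through the proxy.
# Android's system store wants PEM, named <subject_hash_old>.0
fetch_burp_ca() {
    curl -sf -x "http://$BURP_HOST:$BURP_PORT" http://burp/cert -o burp-ca.der
    openssl x509 -inform DER -in burp-ca.der -out burp-ca.pem
    hash=$(openssl x509 -inform PEM -subject_hash_old -noout -in burp-ca.pem)
    cp burp-ca.pem "$hash.0"
    printf '%s\n' "$hash.0"
}

# Push the certificate into the system store. Needs root and a writable /system;
# on newer devices with verity/dynamic partitions "adb remount" may first need
# "adb disable-verity" and a reboot, or an overlay over the cacerts directory.
install_system_ca() {
    ca=$1
    adb root
    adb remount
    adb push "$ca" "/system/etc/security/cacerts/$ca"
    adb shell chmod 644 "/system/etc/security/cacerts/$ca"
    adb reboot
}

# Point the device at Burp without touching the Wi-Fi UI. "set_proxy :0" clears it.
set_proxy() {
    adb shell settings put global http_proxy "$1"
}

# Usage: sh pull-ca-and-proxy.sh install
if [ "${1:-}" = "install" ]; then
    ca=$(fetch_burp_ca)
    install_system_ca "$ca"
    set_proxy "$(proxy_value "$BURP_HOST" "$BURP_PORT")"
fi
```

Apps that pin their server certificate will still reject the connection even with the CA in the system store; that has to be handled separately and is outside what this post covers.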
Analyse Source Code for Secrets
Next we want to see whether any secrets such as passwords, internal hostnames or API keys are exposed in the app's code or resources in a way that lets us reach or abuse the backend API directly.
First, Pull the APK to the Analyst Host
./adb shell pm list packages | grep zimperium
# package:com.zimperium.zanti
./adb pull /data/app/com.zimperium.zanti-1
Extracting the source
An .apk is just a .zip file (mind blown, but still), so unzipping it is all we need to do here.
Result of ls…
AndroidManifest.xml assets classes.dex jcifs res META-INF base.apk com lib resources.arsc
First, we decompile the code: apktool decodes the manifest, resources and smali, and jadx turns classes.dex into readable Java source.
apktool d -f $APKFILE.apk -o smali
jadx -d out classes.dex
Now we can open our favourite text editor to explore…
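The pull, unzip and decompile steps above as one script, added here as an example and not taken from the original post. It assumes adb, unzip, apktool and jadx are on PATH and a device is connected; the package name is an argument, and the script name pull-and-decompile.sh is a placeholder. It goes a little beyond the post by asking the package manager for the exact APK paths, which also handles newer install locations and split APKs.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes adb, unzip, apktool and
# jadx on PATH and a connected device. Nothing here is specific to one app.

# Both "pm list packages" and "pm path" prefix every line with "package:", and
# adb output may carry a trailing CR that breaks later path handling.
strip_package_prefix() {
    tr -d '\r' | sed -n 's/^package://p'
}

# Find installed packages whose name matches a pattern (case-insensitive).
find_packages() {
    adb shell pm list packages | strip_package_prefix | grep -i -- "$1"
}

# Pull every APK belonging to a package. Newer Android installs live under
# /data/app/~~<random>==/<pkg>-<random>==/ and may be split into several APKs
# (base.apk plus split_config.*.apk), so always ask pm for the exact paths.
pull_apks() {
    pkg=$1; out=$2
    mkdir -p "$out"
    adb shell pm path "$pkg" | strip_package_prefix | while read -r p; do
        adb pull "$p" "$out/"
    done
}

# Three views of the same APK: the raw zip contents, apktool's decoded manifest,
# resources and smali, and jadx's Java reconstruction of the dex code (jadx
# accepts the .apk directly, no need to extract classes.dex first).
unpack_apk() {
    apk=$1; out=$2
    unzip -o -q "$apk" -d "$out/extracted"
    apktool d -f "$apk" -o "$out/smali"
    jadx -d "$out/jadx" "$apk"
}

# Usage: sh pull-and-decompile.sh com.example.demo work/
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    pull_apks "$1" "$2"
    for apk in "$2"/*.apk; do
        unpack_apk "$apk" "$2/$(basename "$apk" .apk)"
    done
fi
```

Run find_packages first if you only know part of the name; everything else keys off the exact package name it prints.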
Find Low Hanging Fruit
Grep to the rescue. Always start by looking for low-hanging fruit, like so (these searches are deliberately broad and noisy; the goal is to find where the networking, storage and authentication code lives):
grep -r shell .
grep -r api .
grep -r database .
grep -r query .
grep -r post .
grep -r get .
grep -r config .
grep -r auth .
Enumerate, Enumerate and Enumerate; that is how bugs are found.
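A slightly sharper version of the grep pass, added here as an example and not code from the original post: instead of single words it looks for credential formats that are recognisable on their own (AWS access key IDs, Google API keys, hard-coded URLs) plus keyword assignments (api key, secret, password, token) across a decompiled tree, and drops the XML namespace URLs that appear in every Android resource file. The sample tree it builds is constructed for the demonstration (the AWS key is the one from AWS's own documentation, the rest is made up); the script name scan-secrets.sh is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post. Runs over any directory
# (apktool or jadx output); the sample tree below is constructed for the demo.

# Credential formats that are recognisable regardless of variable name,
# plus any http(s) URL: AWS access key ID, Google API key.
FORMAT_RE="AKIA[0-9A-Z]{16}|AIza[0-9A-Za-z_-]{35}|https?://[^[:space:]\"'<>]+"
# Keyword assignments; matched case-insensitively. The trailing class catches
# Java/Kotlin (= or :), JSON (:) and resource XML (name="...password">).
KEYWORD_RE="(api[_-]?key|secret|passw(or)?d|token)[\"'[:space:]]*[=:>]"
# URLs present in every Android resource file; never interesting.
NOISE_RE='schemas\.android\.com|www\.w3\.org'

# Print file:line:content for every hit, deduplicated.
scan_secrets() {
    dir=$1
    {
        grep -rEn "$FORMAT_RE" "$dir" || true
        grep -rEin "$KEYWORD_RE" "$dir" || true
    } | grep -Ev "$NOISE_RE" | sort -u
}

count_findings() {
    scan_secrets "$1" | wc -l | tr -d ' '
}

# Constructed sample of what a decompiled tree looks like: a strings.xml with a
# backend URL and a leftover password, a Config class with hard-coded keys, and
# a benign class that must not show up.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/res/values" "$root/out/com/example/demo"
    printf '%s\n' \
        '<?xml version="1.0" encoding="utf-8"?>' \
        '<resources xmlns:android="http://schemas.android.com/apk/res/android">' \
        '    <string name="app_name">Demo</string>' \
        '    <string name="api_base_url">https://api.example.test/v1</string>' \
        '    <string name="legacy_admin_password">hunter2</string>' \
        '</resources>' > "$root/res/values/strings.xml"
    printf '%s\n' \
        'package com.example.demo;' \
        'public class Config {' \
        '    static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";' \
        '    static final String MAPS_KEY = "AIzaSyEXAMPLE_EXAMPLE_EXAMPLE_EXAMPLE01";' \
        '    static final String DEBUG_HOST = "http://10.0.2.2:8080/debug";' \
        '    static final String apiKey = "sk-live-abcdefgh";' \
        '}' > "$root/out/com/example/demo/Config.java"
    printf '%s\n' \
        'package com.example.demo;' \
        'public class MainActivity {' \
        '    void onCreate() { }' \
        '}' > "$root/out/com/example/demo/MainActivity.java"
    printf '%s\n' "$root"
}

# Usage: sh scan-secrets.sh <decompiled-tree>   or   sh scan-secrets.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_sample_tree)
    scan_secrets "$demo"
    printf 'findings: %s\n' "$(count_findings "$demo")"
    rm -rf "$demo"
elif [ -d "${1:-}" ]; then
    scan_secrets "$1"
fi
```

On the sample tree this reports six lines: the two URLs, the two key-format hits, the apiKey assignment and the password resource, while the namespace URL and the benign class are left out. On a real jadx tree expect plenty of noise from third-party SDKs; the hits worth chasing are the ones in the app's own package and in res/values.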