Hunting for Vulnerabilities in Android Apps with Burp and APK Tools

For some, the world of mobile apps is a mystery: locked deep inside the smartphone, they are untouchable and do things we can't look into. Or are they?

Luckily that's not true; all you need is Burp, a rooted Android phone and APK tools.

Analyse App Traffic

  1. Set up a proxy listener in Burp, bound to all interfaces and listening on any port you like.
  2. Download the Burp CA certificate and install it on the Android phone under the advanced WiFi options.
  3. Connect the phone to the same WiFi network as the Burp host.
  4. Set the HTTP proxy on that WiFi connection to point at the Burp host, using the port of the listener you set up.

Good guides for proxy and certificate install on Android and iOS can be found here:

After this is set up, you can use Burp to analyse app traffic as you would for normal web apps.

Analyse Source Code for Secrets

Next up we want to see whether any secrets, such as passwords, internal hostnames or API keys, are exposed in the source code in a way that would let an attacker reach the API or base host.

First, Pull the Code to the Analyst Host

# find the installed package name
./adb shell pm list packages | grep zimperium
# package:com.zimperium.zanti
# pull the app directory (it contains base.apk) from the rooted device
./adb pull /data/app/com.zimperium.zanti-1

Extracting the Source

APKs are just ZIP files (mind blown), so this is all we need to do:

unzip com.zimperium.zanti-1.apk

Result of ls

AndroidManifest.xml	assets			classes.dex		jcifs			res
META-INF		base.apk		com			lib			resources.arsc

Manual Inspection

First, we will decompile the code. I use apktool to decode the APK (resources plus smali disassembly of the dex bytecode); then we will recover Java source for the classes with jadx.

# apktool decodes resources and disassembles classes.dex into smali
apktool d -f $APKFILE.apk -o smali
# jadx decompiles the dex classes back to readable Java source
jadx -d out classes.dex

Now we can open our favourite text editor to explore…

Find Low Hanging Fruit

Grep to the rescue. Always start by looking for low-hanging fruit, like so:

grep -r shell .
grep -r api .
grep -r database .
grep -r query .
grep -r post .
grep -r get .
grep -r config .
grep -r auth .
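The grep list above is a good first pass, but terms like "get" and "post" match almost every file. As an added example (not code from this post or from apktool, jadx or Burp), here is a small Python scanner that generalises the idea for the secrets audit described above: it walks an apktool/jadx output tree, applies tightened patterns for URLs, database URIs, AWS-style access key IDs and key/password assignments, and flags long high-entropy string literals such as embedded keys in smali `const-string` lines. The directory layout, file contents and secret values are constructed samples; the regexes and the 4.0-bit entropy threshold are my own assumptions, tuned for this demo rather than a production rule set.

```python
"""Scan a decompiled APK tree (apktool/jadx output) for hardcoded secrets and endpoints."""
import math
import os
import re
import shutil
import tempfile

# Assumed patterns: tightened versions of the grep terms, so "get"/"post" noise is gone.
PATTERNS = {
    "url": re.compile(r"(?P<value>https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"'<>]*)?)"),
    "aws_access_key": re.compile(r"\b(?P<value>AKIA[0-9A-Z]{16})\b"),
    "db_uri": re.compile(r"\b(?P<value>(?:jdbc:[a-z]+|mongodb|postgres(?:ql)?|mysql)://[^\s\"'<>]+)"),
    "credential_assign": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password|passwd|token)\w*\s*=\s*\"(?P<value>[^\"]{6,})\""
    ),
}
# Long quoted literals made of key-like characters; scored by entropy below.
STRING_LITERAL = re.compile(r"\"([A-Za-z0-9+/=_\-]{20,})\"")
ENTROPY_THRESHOLD = 4.0  # assumed: bits/char above which a literal looks like key material
SCAN_EXT = {".java", ".kt", ".smali", ".xml", ".json", ".properties", ".txt"}


def shannon_entropy(s):
    """Bits per character of a string; random base64/hex material scores well above 4.0."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line):
    """Return a list of (kind, value) pairs found on one line of decompiled source."""
    hits, seen = [], set()
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(line):
            value = m.group("value")
            if value not in seen:
                seen.add(value)
                hits.append((kind, value))
    for m in STRING_LITERAL.finditer(line):
        literal = m.group(1)  # skip literals already reported by a named pattern
        if literal not in seen and shannon_entropy(literal) > ENTROPY_THRESHOLD:
            seen.add(literal)
            hits.append(("high_entropy_literal", literal))
    return hits


def scan_tree(root):
    """Walk the tree, skipping binaries (dex, .so, images), and collect findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in SCAN_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for kind, value in scan_line(line):
                        findings.append({"file": os.path.relpath(path, root),
                                         "line": lineno, "kind": kind, "value": value})
    return findings


# Constructed sample of what jadx ("out/") and apktool ("smali/", "res/") might produce.
SAMPLE_FILES = {
    "out/com/example/Config.java": (
        "package com.example;\n"
        "public class Config {\n"
        '    static final String BASE_URL = "https://api.example.test/v1";\n'
        '    static final String API_KEY = "sk_live_EXAMPLE0123456789abcdef";\n'
        '    static final String DB_URI = "jdbc:mysql://db.example.test:3306/app";\n'
        '    static final String PADDING = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";\n'
        "}\n"
    ),
    "smali/com/example/Auth.smali": (
        ".class public Lcom/example/Auth;\n"
        ".method public static token()Ljava/lang/String;\n"
        '    const-string v0, "AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"\n'
        "    return-object v0\n"
        ".end method\n"
    ),
    "res/values/strings.xml": (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<resources>\n"
        '    <string name="app_name">Demo</string>\n'
        '    <string name="support_url">https://support.example.test/help</string>\n'
        "</resources>\n"
    ),
    "classes.dex": b"dex\n035\x00" + b"\x00" * 8,  # binary, must be skipped
}


def build_sample_tree():
    """Write the constructed sample tree to a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="apk_scan_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb" if isinstance(content, bytes) else "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for f in scan_tree(root):
            print(f"{f['file']}:{f['line']} [{f['kind']}] {f['value']}")
    finally:
        shutil.rmtree(root)
```

Point `scan_tree()` at the `out` and `smali` directories produced by the jadx and apktool commands above; every finding is a line to review by hand, since a URL or a long literal is only a lead, not proof of a vulnerability.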

What Next?

Enumerate, Enumerate and Enumerate; that is how bugs are found.