Android Penetration Testing

Intro

Pentesting Android apps is an interesting challenge since it combines several aspects of web and binary applications. The following article is meant as an introduction to Android pentesting for anyone with basic to intermediate security and Linux skills. I used a Debian testing (bullseye at the time of writing) virtual machine with added Kali sources as base. But that's a personal preference; Kali or a specialized Android pentesting system like "Mobexler" https://mobexler.com should work as well.
When using a virtual machine it should have a reasonable amount of memory to speed up static analysis and emulation. Less than 8GB is probably not a good idea; more is of course better. Adding a few cores should also help emulation. Paravirtualization (VT-x/AMD-V) should also be enabled to use Genymotion.

My System Setup
cat /etc/apt/sources.list
#------------------------------------------------------------------------------#
#                   OFFICIAL DEBIAN REPOS                    
#------------------------------------------------------------------------------#

###### Debian Main Repos
deb http://deb.debian.org/debian/ testing main contrib non-free
deb-src http://deb.debian.org/debian/ testing main contrib non-free

deb http://deb.debian.org/debian/ testing-updates main contrib non-free
deb-src http://deb.debian.org/debian/ testing-updates main contrib non-free

deb http://deb.debian.org/debian-security testing-security main
deb-src http://deb.debian.org/debian-security testing-security main

#------------------------------------------------------------------------------#
#                      UNOFFICIAL  REPOS                       
#------------------------------------------------------------------------------#


###Sublime Text
deb https://download.sublimetext.com/ apt/stable/


###Vivaldi Browser
deb [arch=i386,amd64] http://repo.vivaldi.com/stable/deb/ stable main

###Virtualbox
deb [arch=amd64] https://download.virtualbox.org/virtualbox/debian groovy contrib

###Kali
deb http://http.kali.org/kali kali-rolling main contrib non-free
deb http://http.kali.org/kali kali-bleeding-edge main contrib non-free
cat /etc/apt/preferences.d/debiankali 
Package: *
Pin: release a=testing
Pin-Priority: 1000

Package: *
Pin: release n=kali
Pin-Priority: 850

Package: *
Pin: release n=kali-bleeding-edge
Pin-Priority: 800
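To make the effect of these three pins explicit, here is an added example (not part of the original article) that models apt's candidate selection for them: highest pin priority wins, ties go to the higher version, and only a priority of 1000 or more may install a downgrade. The package names and versions are constructed sample data.

```python
"""Simplified model of apt candidate selection for the three pins above.

Added example, not from the original article; package names and versions
are constructed sample data, not real package versions."""
import re

# The stanzas from /etc/apt/preferences.d/debiankali as shown in the article
PREFERENCES = """\
Package: *
Pin: release a=testing
Pin-Priority: 1000

Package: *
Pin: release n=kali
Pin-Priority: 850

Package: *
Pin: release n=kali-bleeding-edge
Pin-Priority: 800
"""

def parse_preferences(text):
    """Map release selector (e.g. 'a=testing') -> priority for 'Package: *' pins."""
    pins = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        if fields.get("Package") != "*":
            continue  # per-package pins are out of scope for this example
        pins[fields["Pin"].split(" ", 1)[1]] = int(fields["Pin-Priority"])
    return pins

def version_key(version):
    """Crude numeric ordering, sufficient for the constructed sample versions."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def candidate(pins, available, installed=None):
    """available: [(version, release_selector)]; returns the (version, selector) apt would pick."""
    ranked = [(pins.get(rel, 500), version_key(ver), ver, rel) for ver, rel in available]
    prio, _, version, release = max(ranked)  # 500 is apt's default for unpinned releases
    if installed and version_key(version) < version_key(installed) and prio < 1000:
        return (installed, "installed")  # apt keeps the installed version rather than downgrade
    return (version, release)

if __name__ == "__main__":
    pins = parse_preferences(PREFERENCES)
    # zsh exists in both: testing wins at 1000 even though Kali ships a newer build
    print(candidate(pins, [("5.8-1", "a=testing"), ("5.9-2", "n=kali")]))
    # a Kali-only tool: kali (850) beats kali-bleeding-edge (800) despite the older version
    print(candidate(pins, [("6.1-0kali1", "n=kali"), ("6.2-0kali1", "n=kali-bleeding-edge")]))
```

Running `apt-cache policy <package>` on the real system shows the same priorities and lets you confirm which release each candidate came from.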

MobSF Installation

To quote the GitHub page, MobSF, the Mobile Security Framework, "is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis": https://github.com/MobSF/Mobile-Security-Framework-MobSF

Using an automated framework for penetration testing is a double-edged sword and generally not a good idea for learning. But the output MobSF creates from its static analysis is a great way to understand how Android applications work, so I chose it as a starting point.

The installation was relatively simple on Debian bullseye. Starting from the official documentation I just had to adjust the Java version and replace one library:

# debian bullseye
apt install git python3.9 openjdk-11-jdk python3-dev python3-venv python3-pip build-essential libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg62-turbo-dev zlib1g-dev wkhtmltopdf

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
./setup.sh

MobSF is also available as a Docker image (Mobexler uses the Docker installation), but it is very annoying to set up the Docker version with dynamic analysis and much easier to install directly.

MobSF