Android application security
How to test Android application security?
Decompile APK file
- Get APK file
- Use dex to Java decompiler
- Navigate through sources
What to search?
- Embedded SQLite databases
- URL thanks to the following regex:
grep -REo '(http|https)://[^/"]+' . | grep -v 'Binary\|retrofit2\|android.com'
Use a rooted device or a simulator
What to search?
- Access to SQLite database
- Access to SharedPreferences
- Access to saved files
Capture HTTP traffic
What to search?
- URIs
- HTTP Message Body
A relevant tool: QARK
- decompile APK file
- spots several Android application vulnerabilities
- generates a final report
Android specific things
Code obfuscation: Proguard, DexGuard
Preferences: Hawk
SQLite databases: SQLCipher
new SqlCipherDatabaseSource(context, Models.DEFAULT, "db_name.sqlite", "db_password", DB_VERSION);
See also
URL storage
- Encrypt URL related things
- see AESCrypt-Android
For example, run the following code:
String password = "android_starter_alt";
String message = "https://api.github.com";
String encryptedMsg = AESCrypt.encrypt(password, message);
And the encryptedMsg
variable contains the value to store in source file and to decrypt at runtime.
Server-side
- More secure exchange format? protobuf?
- Useful tool to avoid spam? fail2Ban?
- Cipher URL segment path (no “/users/12” but a hash)? Need a retrofit interceptor to cipher
- Encrypt bodies with public-key cryptography?
Resources
Other
- [ ] Androwarn?
- [ ] devknox?
- [ ] Inspeckage?