There are a number of ways to set up a pentest environment for testing Android applications. It is possible to use a dedicated third-party virtual machine (VM) with pre-installed packages (e.g. Santoku) or you can create your own environment. The fastest and easiest way is probably using a dedicated VM with pre-installed packages. However, building your own environment will always give the additional benefit of full control over the environment, not to mention you will learn a lot during the process.
In this post, I will cover a step-by-step guide on how to build your own basic test environment on a Linux machine using a physical Android device.
- Linux operating system
- Java Runtime Environment (JDK is not mandatory but can be handy)
- Android SDK
- Basic tools: apktool, dex2jar, jadx, drozer
- Android device
Installing Java (JRE or JDK)
Since we are only going to be using Java to run some Java applications (not serious Java development), we don’t need to worry too much about which version of Java we install. Both OpenJDK and OracleJDK are totally fine. Based on personal experiences, I prefer to use Oracle JDK, but I’ll include the steps for both.
A. Installing OpenJDK from repository
Most of the Linux distributions’ repository contain the OpenJDK packages. The easiest way to install them is using one of the distro’s package managers.
On Debian based systems (Debian, Ubuntu):
sudo apt-get install openjdk-X-jre
On RPM-based systems (Fedora, Red Hat, Oracle Linux)
sudo yum install java-1.X.0-openjdk
Where there is an ‘X’ replace it with 8, 7 or 6 to choose the exact version of Java you want to install. I recommend installing multiple versions as there are some older tools that only work with older versions of Java.
B. Installing OracleJDK
You can download Oracle Java from the official Oracle homepage. Here you can choose the installation package (deb or rpm) for your Linux distribution or you can download a ‘tar.gz’ archive file and take care of the installation manually.
Since I usually use multiple instances of Java on my local machine, I don’t use the installer packages, I take care of maintaining them by myself. The down-side of this method is that you need to manually update the Java from time to time.
1. Download the Java version you need (latest available update possible).
For example, download the ‘jdk-8u162-linux-x64.tar.gz’ into the ‘/opt/Java/’ folder where you can keep the different versions of Java.
2. Extract the archive on your local drive.
tar -xvzf jdk-8u162-linux-x64.tar.gz
3. Optional: remove the tar.gz archive since you do not need it anymore.
4. Place Java executables into your PATH to let your operating system find them.
There are hundreds of ways to achieve this, depending on your taste. However, I am going to share my preferred approach as an example.
My different versions of Java JDKs are located under the ‘/opt/Java’ folder separately.
Create symlinks for the different Java versions under the ‘/usr/local’ folder.
sudo ln -fs /opt/Java/jdk1.8.0_xx /usr/local/java8
sudo ln -fs /opt/Java/jdk1.7.0_xx /usr/local/java7
sudo ln -fs /opt/Java/jdk1.6.0_xx /usr/local/java6
Create a symlink for the currently used Java environment
sudo ln -fs /usr/local/java8 /usr/local/java
Create symlinks for Java executables under the ‘/usr/bin’ folder (PATH contains this folder).
sudo ln -fs /usr/local/java/bin/java /usr/bin/java
sudo ln -fs /usr/local/java/bin/javac /usr/bin/javac
sudo ln -fs /usr/local/java/bin/javadoc /usr/bin/javadoc
sudo ln -fs /usr/local/java/bin/javah /usr/bin/javah
sudo ln -fs /usr/local/java/bin/javap /usr/bin/javap
sudo ln -fs /usr/local/java/bin/jar /usr/bin/jar
sudo ln -fs /usr/local/java/bin/jarsigner /usr/bin/jarsigner
With this approach, to switch between the different Java versions you only need to change the ‘/usr/local/java’ symlink to the one you want to use.
5. Optional: create helper scripts to switch between different Java versions.
I have my helper scripts to change quickly and easily between the Java versions. For example, below is a bash script that changes to Java 8 ‘switch_java8.sh’
echo “Switch Java to Oracle JDK8…”
sudo rm /usr/local/java
sudo ln -s /usr/local/java8 /usr/local/java
Installing Android SDK
If we want to test
Android applications with our Linux machine, we need to be able to communicate
with the Android device itself (even if it is emulated). To do so, we at least need
the Android Debug Bridge (adb) program (see https://developer.android.com/studio/command-line/adb.html).
However, as we will see later, a complete set of tools (Android SDK Tools,
which comes with ADB and Fastboot bundled) or even a whole Integrated
Development Environment (IDE) can sometimes be handy.
From my personal
experiences, it’s worthwhile installing an IDE (e.g. Eclipse or Android Studio)
that can be very helpful, for instance by API hooking when we need to develop a
custom hook application. Therefore, I recommend installing the Android SDK
through the Android
instructions can be found here: https://developer.android.com/studio/install.html.
Basically, you need to do the following 4 simple steps:
1. Download the latest available version of the Android Studio from the official page
2. Extract the zip archive
3. Install the required dependencies for 64-bit operating systems (32-bit libraries)
On Debian based systems (Debian, Ubuntu):
sudo apt-get install libc6:i386 libncurses5:i386 libstdc++6:i386 lib32z1 libbz2-1.0:i386
On RPM-based systems (Fedora, Red Hat, Oracle Linux)
sudo yum install zlib.i686 ncurses-libs.i686 bzip2-libs.i686
4. Launch the installer by navigating to the ‘android-studio/bin/’ directory and execute the ‘studio.sh’ bash script.
After this, navigate through the steps of the installation wizard. I recommend choosing the ‘custom’ installation type, selecting the components you need and the target folder where the AndroidSDK will be placed
Setting up Android Studio
After installing Android Studio, you need to take a moment to set up the environment.
1. Make the Android SDK executables available for the operating system
During the installation you selected the location of the Android SDK. Under this folder there are two sub-folders that contain the executables you need to make available. You can put these folders on your system PATH or you can create symlinks for the particular binaries under a folder that is already in the PATH.
To put the folders in the system PATH for example place the following lines into the ‘.bashrc’ file under your home folder:
2. Install additional SDK platforms and tools
Sometimes when you work with different Android devices, depending on what Android OS versions are running on them you may need to install additional SDK platforms. By default, only the latest API version (at the time of installation) is installed. If you want to work with a specific version of Android, you need to install the appropriate API level (e.g. Cydia Substrate works only until Android 4.3).
Launch the Android Studio, click on the ‘Configure’ and choose ‘SDK Manager’. Here you can select additional platforms and tools to be installed.
Here you can also install system images for emulated Android devices if you decide to test on your laptop without a physical device.
3. Optional: Create desktop entry (launcher) to start Android Studio
Initial Setup with an Android Device
At this point, we are ready to set up our Android test device and connect to it with our laptops.
1. Enable ‘Developer options’ on the device
This can be different from device to device. However, once you’ve found the ‘Build number’ section in the settings and tapped on it several times the developer options will been enabled.
On a stock Android device navigate to the ‘Settings’ -> ‘About phone’ menu item and tap several times on the ‘Build number’. After this a new menu item will appear under the Settings: ‘Developer options’
2. Turn on ‘USB debugging’
To connect to the device and gain shell access we need to turn on ‘USB debugging’ by navigating to the newly appeared menu ‘Developer options’ and turning on the Debugging:
3. Connect to the device via ADB
Connect the device with a USB cable to your machine, open a terminal and initiate the connection with the adb command.
When you connect for the very first time, the Android device will ask you to allow USB debugging. Tick the box with ‘Always allow from this computer’ and tap on the OK.
After this, you should have shell access to the Android device.
shell@mako:/ $ id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
Installing Basic Tools
There are a number of fundamental tasks that need to be taken care of during an Android application pentest. For your benefit, I’ve listed a few tools below that can help:
This tool is used for reverse engineering Android applications. Apktool extracts the APK application package, decodes the resources and disassembles the DEX files to smali code. This tool can be used to “re-pack” the application after patching (modifying) it.
The tool is a standalone jar and does not require installation. Download the latest available version from the link below:
The tool can be launched with the following command:
java -jar apktool.jar
JADX is a DEX to Java decompiler. The tool makes it is possible to obtain the nearly original Java source code from Android DEX files or complete APK packages.
This tool also does not require installation. Download the latest available version from the following URL:
Drozer is a leading framework for Android security assessments. The tool allows you to search for security vulnerabilities by assuming the role of an Android app and interacting with other app. Drozer also provides a platform for the sharing and reuse of exploits.
To install Drozer and learn more about the tool, follow the link below:
So, these are the steps needed to set up a Mobile Pentesting Environment on Linux. If you found this guide useful, feel free to download a copy here and stay tuned for a series of upcoming posts focused on Mobile Application Testing.