Mobile Application Testing Tool Suite

Mobile Penetration Testing

Overview

A compilation of commonly used Mobile Application Testing Tools, broken down by tool and denoted by Platform (Android or iOS).

MobSF – Platform: Android, iOS

MobSF is about as close as you’ll get to free, open-source vulnerability scanning for Android and iOS applications, and it is extremely intuitive to use. To scan an application, install MobSF and upload the respective .apk (Android) or .ipa (iOS) to its web application.

Resources:

Burpsuite – Platform: Android, iOS

Burpsuite will still be a very integral part of your toolkit. There are a few caveats to successfully intercepting traffic between a physical (or emulated) device and your machine, chiefly proxy and certificate configuration on the device, but there are plenty of resources available. Stay tuned and one will pop up here too!

Resources:

Apktool – Platform: Android

Apktool allows you to disassemble Android Package (.apk) files to near-original form, allowing closer analysis of the application’s code and resources (including resources.arsc, classes.dex and the XML files).

Resources:

Dex2jar (d2j) and jd-GUI – Platform: Android

Both d2j and jd-GUI are used in tandem to assist with your review of the application code. Dex2jar converts the Dalvik bytecode (classes.dex) inside an APK into a .jar of Java class files, while jd-GUI is the decompiler interface you’ll use to easily review and navigate the resulting Java source.

To convert .apk to .jar, run the script relevant to your OS (Windows or Linux), found in the resources below:

## Windows:
d2j-dex2jar.bat myapplication.apk

## Linux:
d2j-dex2jar.sh myapplication.apk

Once complete, open jd-GUI (downloadable from resources below) and select your .jar file.
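Before handing an APK to dex2jar it is worth confirming what is actually inside it. The following is an added example, not code from the post or from the dex2jar/jd-GUI projects: it treats the APK as the zip it is, lists the manifest and resources.arsc that Apktool decodes, and validates the fixed header (magic, adler32 checksum, file_size, header_size) of every classes*.dex so a truncated or tampered DEX is rejected rather than silently producing an empty .jar. The sample APK and DEX header are constructed in the script; only the Python standard library is used.

```python
import io
import struct
import zipfile
import zlib

DEX_MAGIC_PREFIX = b"dex\n"  # full magic is b"dex\n" + 3-digit version + NUL, e.g. b"dex\n035\x00"
DEX_HEADER_SIZE = 0x70       # the fixed DEX header is always 112 bytes

def check_dex(data: bytes) -> dict:
    """Parse the fixed DEX header and verify it before handing the file to dex2jar."""
    # Layout: magic[8], checksum u32, signature[20], file_size u32, header_size u32, ...
    # The adler32 checksum covers every byte after the first 12 (magic + checksum).
    if len(data) < DEX_HEADER_SIZE or data[:4] != DEX_MAGIC_PREFIX:
        return {"valid": False, "reason": "bad magic or truncated header"}
    version = data[4:7].decode("ascii", "replace")
    (checksum,) = struct.unpack_from("<I", data, 8)
    file_size, header_size = struct.unpack_from("<II", data, 32)
    ok = ((zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
          and file_size == len(data) and header_size == DEX_HEADER_SIZE)
    return {"valid": ok, "version": version, "file_size": file_size, "checksum": checksum}

def inventory_apk(apk_bytes: bytes) -> dict:
    """An APK is a zip: list the entries Apktool/dex2jar work on and check each classes*.dex."""
    report = {"dex": {}, "has_manifest": False, "has_resources": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name == "AndroidManifest.xml":
                report["has_manifest"] = True
            elif name == "resources.arsc":
                report["has_resources"] = True
            elif name.startswith("classes") and name.endswith(".dex") and "/" not in name:
                report["dex"][name] = check_dex(zf.read(name))
    return report

def build_dex_stub(version: bytes = b"035") -> bytes:
    """Constructed header-only DEX with a correct checksum (no code; offline demo only)."""
    body = bytearray(DEX_HEADER_SIZE)
    body[0:8] = DEX_MAGIC_PREFIX + version + b"\x00"
    struct.pack_into("<II", body, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE)  # file_size, header_size
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)

def build_sample_apk() -> bytes:
    """Constructed sample APK: one sound classes.dex and one classes2.dex with a bad checksum."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed/>")
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        zf.writestr("classes.dex", build_dex_stub())
        zf.writestr("classes2.dex", b"dex\n035\x00" + b"\x00" * 104)  # checksum and sizes zeroed
    return buf.getvalue()
```

Running `inventory_apk(build_sample_apk())` reports classes.dex as valid and classes2.dex as rejected; point `inventory_apk` at the bytes of a real .apk to triage it the same way before d2j-dex2jar.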

Resources:

Android Debug Bridge (ADB) – Platform: Android

ADB is the primary way of connecting to and working on your Android device. You’ll use this extremely often for a variety of purposes; some examples include:

  • Viewing local storage information
  • Viewing application logs (using logcat)
  • Uploading or downloading files to/from the device (push/pull)
  • Running Android-level intents (e.g., opening the file explorer or camera)
  • Working through the rooting process (recovery, fastboot)

ADB can be used across both Windows and Linux, so pick whichever you’re most comfortable with. I use Linux if I’m working with a physical USB-connected device, and Windows if I’m emulating.

Resources:

I’ll continue to add further tooling as regularly as I can. More coming soon!

Resources:

  • How to Install ADB on Windows, macOS, and Linux – XDA (xda-developers.com)
  • Android Debug Bridge (ADB) Cheat Sheet – Automate The Planet (www.automatetheplanet.com)
  • Most Complete ADB Cheat Sheet – Automate The Planet (www.automatetheplanet.com)
  • Java Decompiler (JD-GUI) (java-decompiler.github.io)
  • pxb1988/dex2jar: Tools to work with android .dex and java .class files – GitHub (github.com)
  • Decompile an Android Application with Dex2jar and Jd-GUI (www.yeahhub.com)
  • Apktool – Documentation – GitHub Pages (ibotpeaches.github.io)
  • Apktool – How to Install – GitHub Pages (ibotpeaches.github.io)
  • Configuring an iOS Device to Work With Burp – PortSwigger (portswigger.net)
  • Configuring an Android Device to Work With Burp – PortSwigger (portswigger.net)
  • Mobile Security Framework – MobSF Documentation (mobsf.github.io)
