Introduction on Testing Mobile Application (Android)

By
Hi guys,

Today I will share some of the tools used by me when testing Mobile Application for Android. These are the application that you might need when testing Mobile Application.

Currently I'm using physical device (Nexus 5x). The apps used and how to use them might differ depending on whether you are using physical device or emulator.

Below are the apps used:-


  1. Magisk Manager - to root phone or hide root from application
  2. Root Checker - to check root status
  3. RootCloak - to hide root status from application
  4. apk-signer - to sign apk after compile/decompile process
  5. SSLUnpinning - to bypass SSL pinning on application
  6. APK Editor - to edit the apk to bypass SSL pinning or root detection
  7. Xposed Framework - to add modules
  8. sqlite (Titanium Backup) - to read local database
  9. All-in-one "Frida" - multipurpose superb application that covers most of the above functions

Most of the time, we need rooted device to install all of the above application. So, you must learn how to root a phone or use emulator which can easily use root mode.

For bypassing root detection, you can use Magisk Hide or RootCloak. There are times that these application still cannot bypass the root detection. If you cannot bypass it, you can use Frida which also can bypass root detection.

For bypassing SSL pinning, you can use SSLUnpinning or APK Editor. SSLUnpinning is as simple as adding the application to bypass. APK Editor is used to edit Manifest.xml and downgrade the SDK version to bypass SSL pinning. If you cannot bypass it, you can use Frida which also has a lot of script available to bypass SSL pinning.

So, it is either installing those apps or just using Frida which covers all on your needs. Normally I would use those apps 1st then use Frida if none of it works because the apps simplify my works a lot.

Lastly, just go get your Frida and you are good to go. Haha. 

That's all for now. Till next time.


Cheers.

Comments

  1. Lucid OutsourcingDecember 15, 2022 at 8:20 PM

    Thanks for sharing the useful information about the Mobile Application Testing. If you are looking for Mobile App Development Company In India, then you can go with Lucid Outsourcing Solutions. They have team of experts who deliver the on-demand applications to the small to large scale business.

    ReplyDelete

Post a Comment

Popular posts from this blog

Petraware pTransformer ADC before 2.1.7.22827 allows SQL Injection via the User ID parameter to the login form.

By
Image
Hi All, Today I will share POC on vulnerability found during pentest. As per the title, I recently found SQL Injection vulnerability on a thick client.  To read more about thick client, click here :  https://techterms.com/definition/thickclient Thick clients, also called heavy clients, are full-featured computers that are connected to a network.  While a thick client is fully functional without a network connection, it is only a "client" when it is connected to a server. The server may provide the thick client with programs and files that are not stored on the local machine's hard drive.   Exploit Title:   Petraware pTransformer ADC before 2.1.7.22827 allows SQL Injection via the User ID parameter to the login form. Details & Description :   SQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL
Read more

Setting up MobSF in Ubuntu 18.04

By
Image
Hi guys, It's been a while since I last updated the blog. Been busy. So, for today I will be giving guide on how to setup MobSF in Ubuntu 18.04 . There is a lot of guide out there about how to setup MobSF. I'm here to give out step by step guide to set it up as per my own experience. The main reason of using Ubuntu 18.04 is because it has a built-in Python 3.6 and pip3 version 9.0.1 which is the requirements to setup MobSF. It's pretty much simplify the process of setting up MobSF. *Note that this is a guide to setup MobSF for static analysis. For dynamic analysis, you can refer to MobSF page in github. MobSF also known as Mobile Security Framework is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static analysis, dynamic analysis, malware analysis and web API testing. Can further read about MobSF here:  https://github.com/MobSF/Mobile-Security-Framework-MobSF For Ubuntu 18.04 can be downloaded
Read more

Setting up RMS in Ubuntu 18.04

By
Image
Hi peeps, It's been a while since my last post. Been busy. So, for today I would like to share on how to setup RMS (Runtime Security Mobile) in Ubuntu 18.04. RMS -  https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security "Runtime Mobile Security (RMS), powered by FRIDA, is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime." "You can easily dump all the loaded classes and relative methods, hook everything on the fly, trace methods args and return value, load custom scripts and many other useful stuff." This is a continuation of my post here  https://faudhzanrahman.blogspot.com/2019/09/setting-up-mobsf-in-ubuntu-1804.html  where I did a setup on MobSF.  I'm currently trying to set a box where it contains all sort of testing tools specifically for mobile . Now I have both MobSF and RMS setup in this box which is the Ubuntu 18.04. The same reason of setting RMS in this box is because the requirements fits Ubuntu 18.04. T
Read more