Steps to Penetration Test Android OS and Devices
- Obtain the IP address of the Android device(s).
- Run an Nmap scan to see which services are running on those devices.
- For suspicious devices (e.g., rooted devices), capture and analyze packets through Wireshark.
- If a device is deemed compromised, use utilities like busybox to explore device internals (which processes are running, etc.) and for forensics.
- Perform a static analysis of the source code of the libraries and OS. Specifically look for code contributed by vendors such as HTC. Code should be reviewed for the following types of issues: resource leaks, null pointer references, illegal access operations, and control flow issues, which can potentially bypass security checks.
- Review configuration files and code for plain text passwords and other sensitive data that is being stored without appropriate security considerations.
Things to consider while pen testing an Android application include attack surface, interactions with other components (internally and externally), communications, and storage.
Pen testing should benchmark the application against the following best practices:
- Timely patching libraries and applications as vulnerabilities are identified.
- Sensitive information (e.g., SSN) is not passed as a parameter through a URL. Information in a URL is sent with the GET request, and it can be logged in multiple places. A POST request solves this problem. However, although information sent through a POST request is not visible in a URL, a POST request can still reveal this information in the request header. For truly sensitive information, one should always use an HTTPS connection.
- Brute force attacks are not possible due to a limited number of attempts to authenticate.
- Secure Sockets Layer (SSL) is used pervasively to request resources.
- Session identifiers are not sent in URLs.
- Tokens are not easily guessable.
- Password complexity is enforced.
- Log files do not contain sensitive information and are protected appropriately.
- Files are encrypted on local and external storage.
- Proper data validation is performed to prevent XSS, SQLi, command injection, etc.
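
The following is an added example, not part of the original page, that checks captured request URLs against three of the practices above: no sensitive parameters in URLs, no session identifiers in URLs, and encrypted transport for every request. The parameter names, finding labels and sample log lines are constructed assumptions; adapt them to the application under test.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed parameter names; extend for the application being reviewed.
SESSION_NAMES = {"sid", "sessionid", "session_id", "jsessionid", "phpsessid"}
SENSITIVE_NAMES = {"ssn", "password", "passwd", "pwd", "token"}
# Heuristic: any value shaped like a US SSN (may flag other 9-digit values).
SSN_VALUE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
# Session ids appended to the path, e.g. /cart;jsessionid=ABC
PATH_SESSION = re.compile(r";(?:%s)=" % "|".join(SESSION_NAMES), re.I)

def audit_url(url):
    """Return a sorted list of findings for one requested URL."""
    findings = set()
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        findings.add("cleartext-transport")
    if PATH_SESSION.search(parts.path):
        findings.add("session-id-in-url")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_NAMES:
            findings.add("session-id-in-url")
        elif name.lower() in SENSITIVE_NAMES or SSN_VALUE.match(value):
            findings.add("sensitive-param-in-url")
    return sorted(findings)

# Constructed sample: "METHOD URL" lines as a proxy or server log might record.
SAMPLE_LOG = """\
GET http://api.example.test/profile?ssn=123-45-6789
GET https://api.example.test/feed?sid=9f8e7d6c&page=2
POST https://api.example.test/login
GET https://api.example.test/cart;jsessionid=A1B2C3?item=4
GET https://api.example.test/search?q=android
"""

def audit_log(text):
    """Map each offending request line to its findings; clean lines are omitted."""
    report = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) != 2:
            continue  # skip blank or malformed lines
        findings = audit_url(fields[1])
        if findings:
            report[line.strip()] = findings
    return report

if __name__ == "__main__":
    for request, findings in audit_log(SAMPLE_LOG).items():
        print(f"{request}\n    -> {', '.join(findings)}")
```
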