
First Recon - Understanding the Target

Task 1 Understanding the Target (Static Analysis)

Introduction

Static analysis is inspecting the app without running it. We'll take an APK file and pull out its secrets: what permissions it uses, what components it has, and even its source code.

Target App

For this room, we will use a deliberately vulnerable app, "Diva" (Damn Insecure and Vulnerable App) or "InsecureBankv2". You can download the APK for Diva from GitHub.

Practical Tasks

Task 1: Manual Unzipping

  1. Rename diva-beta.apk to diva-beta.zip.
  2. Extract the zip file.
  3. Explore the folders: res/, META-INF/. Try to open AndroidManifest.xml and classes.dex – they are not human-readable, because the manifest is stored as binary XML and classes.dex holds compiled Dalvik bytecode.

Task 2: Using apktool for Manifest & Resources

  1. Decode the APK:

    apktool d diva-beta.apk
    
  2. Navigate to the output directory (diva-beta/).

  3. Open AndroidManifest.xml in a text editor. It's now readable!

  4. Your Mission: Find the following in the AndroidManifest.xml:

    • The package name.
    • The android:debuggable flag (is it true or false?).
    • All <uses-permission> tags.
    • Any <activity> with android:exported="true".
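To check the same four items without reading the whole file by eye, here is an added helper (not part of the room) that parses an apktool-decoded AndroidManifest.xml. The manifest embedded below is a constructed sample in the shape apktool writes, not the real DIVA manifest; it also flags activities that are exported implicitly because they carry an intent-filter without an explicit android:exported attribute (the default before targetSdk 31).

```python
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample in the form apktool writes to diva-beta/AndroidManifest.xml (not the real file).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="jakhar.aseem.diva">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:debuggable="true">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".APICredsActivity" android:exported="true"/>
        <activity android:name=".SQLInjectionActivity" android:exported="false"/>
        <activity android:name=".HardcodeActivity"/>
    </application>
</manifest>
"""

def android_attr(elem, name):
    """Read an android:* attribute; ElementTree keys it by the full namespace URI."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def is_exported(component):
    """Explicit android:exported wins; otherwise (targetSdk < 31) a component with an
    <intent-filter> is exported by default and one without is private to the app."""
    explicit = android_attr(component, "exported")
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None

def analyze_manifest(xml_text):
    root = ET.fromstring(xml_text)
    app = root.find("application")
    activities = app.findall("activity") if app is not None else []
    return {
        "package": root.get("package"),
        "debuggable": app is not None and android_attr(app, "debuggable") == "true",
        "permissions": [android_attr(p, "name") for p in root.findall("uses-permission")],
        "exported_activities": [android_attr(a, "name") for a in activities if is_exported(a)],
    }

if __name__ == "__main__":
    # Usage: python manifest_check.py diva-beta/AndroidManifest.xml (falls back to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for key, value in analyze_manifest(text).items():
        print("%s: %s" % (key, value))
```

On the sample, .MainActivity is reported as exported even though it has no android:exported attribute, which is exactly the case a manual grep for exported="true" misses.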

Task 3: Using dex2jar & JD-GUI for Java Source

  1. Convert classes.dex to a .jar file:

    # Assuming dex2jar is in your PATH (use d2j-dex2jar.sh on Linux/macOS)
    d2j-dex2jar.bat diva-beta.apk
    # OR, point directly to the classes.dex from the zip you extracted in Task 1.
    # Note: the apktool output folder has no classes.dex, it was decoded into smali/.
    d2j-dex2jar.bat diva-beta/classes.dex
    
  2. This creates a file like diva-beta-dex2jar.jar.

  3. Open JD-GUI. Drag and drop the .jar file into it.

  4. Your Mission: Browse the package structure. Find the onClick method for the "Hardcoding Issues" exercise. Can you find the hardcoded password?

Task 4: Introduction to Smali

  • smali is the human-readable assembly language for Android's DEX format.
  • When apktool decodes an app, it creates a smali/ folder.
  • Navigate to diva-beta/smali/. You'll see .smali files.
  • Open one. It looks complex, but you'll see references to methods and strings. This is what advanced reverse engineers modify to crack apps.

Summary

  • apktool decodes resources and gives you smali code and a readable AndroidManifest.xml.
  • dex2jar + JD-GUI gives you near-original Java source code, perfect for understanding app logic.