Learn Penetration Testing And Ethical Hacking Online.


  • Facebook
  • Popular Posts

    Mobile Security Framework (MobSF) is an open source all-in-one mobile application (Android / iOS) capable of performing static and dynamic automated analysis. CuckooDroid is an extension of the Cuckoo Sandbox open source software analysis framework for automating the analysis of suspicious malware files. On the other hand, AppMon is an automated framework based on Frida for the tracking and manipulation of calls to the API of the native application system in MacOS, iOS and Android.

    Static code analysis, this is the audit of applications in Android. An application on Android is programmed in JAVA so you might think (wrongly) that in essence the code analysis is a traditional analysis of JAVA. This is not so since both Android architecture (Intents, Broadcast, States, etc.) and the SDK API for interaction with devices (GPS functions, SMS, 3G, SD Writing, etc) must be taken into account. That is, they change two fundamental aspects with respect to the traditional analysis of JAVA: the sinks and the dataflow. 
    Very few applications in the official Market are OpenSource, so the code is not available. However, if we can access the apk files, since they are copied to the devices in the path " / data / apk"


    APKtool, is a tool for the reverse engineering of Android application binaries. You can decode the resources in an almost original way and reconstruct them, after making some modifications, which makes it possible to debug smali code step by step. It also makes it easier to work with the application due to the structure of files in projects and with the automation of some repetitive tasks like the construction of apk. 

    Main features of Apktool:

    • Dismantling resources in an almost original way (including resources.arsc, classes.dex, 9.png. And XMLs).
    • Reconstruction of decoded resources back to binary APK / JAR.
    • Organization and management of APKs that depend on the resources of the Framework.
    • Smali Debugging (Eliminated in 2.1.0 in favor of IdeaSmali).
    • Help with repetitive tasks with task automation components.
    So we have access to the apk application, what's the use? the extension apk is a variant of jar, so we can extract it with the great tool apktool . For this we will follow the following steps:

    • 1. Obtaining the file AndroidManifest.xml
      To obtain this file through the apk we use the tool apktool with option b. 
      This file contains essential information about the application. For our task, the part that interests us is the one referring to the permits required, contained in the uses-permission section . For a complete understanding I recommend reading the extensive official documentation about it .
    • 2. Acquire the jar file
      For this we use the dex2jar tool The operation of this tool is as follows: translate the .dex file (dalvik byetcode executable) to a current jar file.
    • 3. Extract the jar file
      It is as simple as using a normal and current decompressor.
    • 4. Access to the source code
    By following step three we will have a directory with JAVA .class files, which can be translated into their corresponding .java files through tools such as JAD , or even directly visualized using tools such as JD-GUI . It should be noted that when doing the decompilation, a lot of information is lost, such as variable names, which makes it difficult to manually analyze the code. Normally, we usually start by identifying certain functions susceptible to misuse (sink functions) and follow the dataflow manually through development environments (Eclipse, NetBeans, etc). 

    Android applications use code and resources found in the Android operating system itself. These are known as Framework resources and Apktool relies on these to decode correctly and build apks. Each version of Apktool internally contains the most up-to-date AOSP framework. This allows you to decode and build most of the apk files without any problem. However, manufacturers add their own Framework files in addition to regular AOSPs. To use Apktool against these application manufacturers you must first install the manufacturer's framework files. 

    Mobile-Security-Framework (MobSF)

    It can be used for fast and effective security analysis of Android and iOS applications and is compatible with binaries (APK and IPA) and compressed source code. MobSF can also perform the Web API Security Tests with its Fuzzer API that can do information gathering, security header analysis, identify specific vulnerabilities of the mobile API such as XXE, FRSS, routing, IDOR, and others. Logical issues related to the session and the speed limitation API.

    Mobile Security Framework, is an open source tool to perform automated penetration test in Android and iOS applications, capable of performing static and dynamic analysis. This tool tries to minimize the time, that with a set of tools it would take to realize: the decoding, the purification, revision of code and the test of penetration. Mobile Security Framework can be used forfast and efficient security analysis , being compatible with binaries (APK and IPA) and compressed source code. Mobile Security Framework performs two types of analysis:

    • The static analyzer is capable of performing: automatic code review, detection of insecure settings and permissions, detecting insecure SSL code, SSL derivation, weak encryption, obfuscated codes, incorrect permissions, coded secrets, the misuse of dangerous APIs, leakage of sensitive information and the storage of insecure files.
    • The dynamic analyzer runs the application in a virtual machine or on a configured device and detects the problems at runtime. A more detailed analysis is performed on the network packets captured by decoding: HTTPS traffic, log reports, error reports, debugging information and stack tracking. About the assets of applications such as: configuration files, preferences and databases. 

    Mobile Security Framework is highly scalable, allows you to add custom rules with ease. It allows to generate reports at the end of the penetration test in a quick and concise way.

    More information and download of Mobile Security Framework: 

    AndroL4b is a virtual machine oriented to the security aspects in Android based on ubuntu-mate, which includes the collection of the latest framework, tutorials and labs, security, for reverse engineering and malware analysis in Android applications. 

    AndroL4b Tools

    • APKStudio Cross-platform Qt5 based IDE for reverse-engineering android applications
    • ByteCodeViewer Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger)
    • Mobile Security Framework (MobSF) (Android / iOS) Automated Pentesting Framework (Just Static Analysis in this VM)
    • Drozer Security Assessment Framework for Android Applications
    • APKtool Reverse Engineering Android Apks
    • AndroidStudio IDE For Android Application Development
    • ClassyShark Android executable browser
    • BurpSuite Assessing Application Security
    • Wireshark Network Protocol Analyzer
    • MARA Mobile Application Reverse Engineering and Analysis Framework
    • FindBugs-IDEA Static byte code analysis to look for bugs in Java code
    • AndroBugs Framework Android vulnerability scanner that helps developers or hackers find potential security vulnerabilities in Android applications

    APK analysis with AppMon

    This application makes use of a powerful multiplatform dynamic instrumentation environment, which we have spoken about on previous occasions: Frida. Based on this platform, AppMon includes a series of scripts that will allow analysts to spy on the events that the studied application generates in the system, whose results can then be visualized through a web interface with search and sort filters.

    In addition, AppMon includes scripts that allow an intrusion inside the application modifying its normal course of action, as shown in the following video. Of course, each analyst can also include their own scripts in the tool.

    It also allows applications to be implemented in both Android and iOS and, inheriting the flexibility of Frida, it can be executed in different platforms (Linux, Mac OS, and Windows with some changes to the code).

    The Android Manifest of the application tells us that the package name is com.baseapp. We will need this data to be able to indicate to AppMon which process to intercept.

    The prerequisites for running AppMon are obviously to install Frida and also some python modules, which can be done with the following command:

    sudo -H pip install argparse frida flask termcolor

    Then we can copy the project from the repository in Github or download the corresponding compressed file. If you are working on a Windows computer, you must also modify the absolute path defined in the variable merge_script_pathof the file appmon.py to point to the temporary folder in the Windows file system or another folder that the user wants. For example, it could be as follows:

    merge_script_path = ‘C:/Users//AppData/Local/Temp/merged.js’

    We will have to create our emulator with a version of Android 4.4.x since Frida has only been shown stable for these versions, to later transfer Frida's files and start the server, as we have done previously in the tutorial to implement apps .

     Now we must install the application we want to analyze. It is best to do it via adb since some emulators initialize the application when it is installed via drag and drop and if we are not ready to run the AppMon command, we may miss out on registering critical functionality.

    AppMon creates a simple server with python that by default is initialized in port 5000, where we can then access the filtering web interface, but only after we see the indication by console that something has been dump .

    It will open an event log in which we can see some operations that took place in the system in the short execution time.

    After using the application for a while we can see the results in the browser, among which we find the complete detail of the network packets that have been sent with the HTTP protocol.


    CuckooDroid is an extension of Cuckoo Sandbox open source software analysis framework for automating the analysis of suspicious malware files. It is an automated, multiplatform system for emulation and analysis based on the popular Cuckoo test zone and several other open source projects. Providing both static and dynamic APK inspection, as well as evading certain techniques such as: virtual environment detection, encryption key extraction, SSL inspection, API call trail, basic behavior signatures and many other features. The framework is highly customizable and extensible taking advantage of the power of the large Cuckoo community.

    Cuckoo Sandbox is an open source malware scanning system. This application allows you to analyze any suspicious file and in a matter of seconds, Cuckoo will provide detailed results that describe what would result when running within an isolated environment.

    Malware is the main tool of cybercriminals and the main cyber attacks in business organizations. In these times the detection and elimination of malware is not enough: it is vital to understand: how they work, what they would do in the systems when it is deployed, understand the context, the motivations and the objectives of the attack. In this way understand the facts and respond more effectively to protect yourself in the future. There are countless contexts in which a limited environment may need to be implemented, from analyzing an internal violation, collecting actionable data and analyzing possible threats. 
    Cuckoo generates a handful of different raw data, which include:

    • Native functions and Windows API called fingerprints.
    • Copies of files created and deleted from the file system.
    • Dump of the memory of the selected process.
    • Full memory dump of the analysis machine.
    • Screenshots of the desktop during the execution of malware analysis.
    • Network dump generated by the machine that is used for the analysis.
    In order for these results to be better interpreted by the end users, Cuckoo is able to process and generate different types of reports, which could include: 
    • JSON report.
    • HTML report.
    • MAEC report.
    • MongoDB interface.
    • HPFeeds interface.
    The most interesting thing is that thanks to the wide modular structure of the Cuckoo, it is possible to customize both the processing and the reporting phase. Cuckoo provides all the requirements to easily integrate an isolated environment with existing systems, with the data you want, in the way you want and with the format you want. 

    More information and download CuckooDroid: 
    More information and download Cuckoo Sandbox: 
    Documentation Cuckoo Sandbox: