[Recap] Setting up Android Penetration Testing and Reverse Engineering for Linux Environment

Hello everyone, welcome back to a new article. Today, we'll be recapping our recent learnings. In our previous sessions, we set up a lab environment for Android Mobile Penetration Testing and Reverse Engineering.

Inside this Article:

• Setting up an Android Virtual Device within a Virtual Machine
• Installing Scrcpy on Kali Linux
• Installing Android SDK Toolkit on Kali Linux
• Downgrade the Java to JDK-8

We covered the installation of Android Studio and setting up an Android Virtual Device (AVD). We also introduced tools like APKTool, Dex2jar, JD-GUI, and Dozer, which are valuable for future Android Penetration Testing and Reverse Engineering endeavors.

Setting Up a Lab for Penetration Testing

This guide provides instructions on how to set up a lab environment for penetration testing. A well-structured lab is essential for safely practicing and honing penetration testing skills on various systems and applications.

In those previous articles, I haven't covered the process of setting them up in a Linux environment, and I've also not discussed the common challenges that arise with Android Virtual Devices (AVDs) . Android Studio demands a dedicated graphics card for smooth AVD operation, implying the need for high-end hardware to ensure seamless performance.

However, the main emphasis of this article is directed toward crafting a lab environment that caters to the capabilities of low-end devices. This configuration holds significant importance for engaging in Android app penetration testing and reverse engineering activities.

To begin, we'll initiate the process of setting up an Android Virtual Device within a Virtual Machine. 

Setting up an Android Virtual Device within a Virtual Machine

While there are various Android ISO images available for manual installation, you won't need to follow those steps. You can conveniently download the required files from the link I've provided in my blog.

Click Here to Download: 

Here, on my screen, you'll notice an " Android.ova " file. 

This particular file can be directly configured and launched without encountering any complications. Once you've got it, fire up VirtualBox. 

Click " File," and select " Import Appliance ." 

Import the downloaded OVA file. Locate the file on your computer, then click " Next ." 

Review the settings or customize them as needed. Hit " Finish " to begin the import process.

After the import is done, you'll spot the "Android" virtual machine in the VirtualBox Manager. 

Choose it, click on "Settings,"

 And switch the network adapter to " Host-only adapter ."

With that done, we're ready to kick-start the VM. Android is up and running! 

You can now use the Android VM just like you would on an actual Android phone. It's a great alternative to the Android Emulator.

Access Android VM from Kali Linux

To access the Android VM, we'll be using Kali Linux. If you're not familiar with Kali Linux, take a look at my article on the blog.

Kali Linux Hands-On: Choosing the Right Version

This guide provides hands-on information on how to choose the right version of Kali Linux for your needs. Kali Linux is a powerful penetration testing platform, and selecting the appropriate version is crucial for effective security testing.

Alright, Kali Linux is good to go. First, we need the IP address of the Android VM. Run the following command: 

┌──(kali㉿kali)-[~]

└─$ sudo netdiscover -i eth1

 Currently scanning: 192.168.103.0/16   |   Screen View: Unique Hosts                     

 4 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 240  

 _____________________________________________________________________________

   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      

 -----------------------------------------------------------------------------

 192.168.95.101  08:00:27:0b:49:6e      2     120  PCS Systemtechnik GmbH 

 192.168.95.116  0a:00:27:00:00:0e      1      60  Unknown vendor 

 192.168.95.118  08:00:27:fc:ad:b9      1      60  PCS Systemtechnik GmbH 

The result will show the IP address, such as 192.168.95.118.

Now that we have the IP address, we need the Port ID to connect via adb. Let's scan the network using Nmap.

┌──(kali㉿kali)-[~]

└─$ nmap -A -p- 192.168.95.118

Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-16 15:25 EDT

Nmap scan report for 192.168.95.118

Host is up (0.00094s latency).

Not shown: 65534 closed tcp ports (conn-refused)

PORT     STATE SERVICE VERSION

5555/tcp open  adb     Android Debug Bridge device (name: android_x86_64; model: VirtualBox; device: x86_64; features: cmd,stat_v2,shell_v2)

Service Info: OS: Android; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 28.94 seconds

                                                                                                                                  

┌──(kali㉿kali)-[~]

└─$ 

Upon scanning, we'll spot an open Port that we need. This running server is adb, which facilitates communication between different network services over a network.

If you've read this article, you have a basic understanding of ADB installation on Windows. If not, make sure to catch up.

ADB: Android Debugging Bridge

This guide provides information about ADB (Android Debugging Bridge), a versatile command-line tool that facilitates communication with Android devices for debugging, installing apps, and other tasks. ADB is essential for Android developers and enthusiasts.

ADB doesn't come pre-installed on Kali Linux, so we have to install it. To install it, run the following command:

┌──(kali㉿kali)-[~]

└─$ sudo apt-get install adb

With the installation completed, we're all set to establish a connection with the Android Virtual Machine.

To connect to the Android Virtual Machine, employ the following command, making sure to input the IP of the Android VM, followed by specifying the open Port.

┌──(kali㉿kali)-[~]

└─$ adb connect 192.168.95.118:5555 

* daemon not running; starting now at tcp:5037

* daemon started successfully

connected to 192.168.95.118:5555

 

┌──(kali㉿kali)-[~]

└─$ 

Once connected, run adb devices, to list the devices connected to the workstation. 

┌──(kali㉿kali)-[~]

└─$ adb devices                    

List of devices attached

192.168.95.118:5555     device                                                             

┌──(kali㉿kali)-[~]

└─$ 

For a list of basic adb commands and their usage, check out my blog. 

Installing Scrcpy on Kali Linux

For showcasing the Android VM, we'll utilize Scrcpy. If you've followed along with this article, you're already familiar with how we've set up Scrcpy on Windows .

Scrcpy: Display and Control of Android Devices

This guide provides information about Scrcpy, a tool that allows you to display and control your Android device from your computer. Scrcpy offers a convenient way to interact with your Android device's screen for various purposes.

Similar to ADB, Scrcpy isn't included by default in Kali Linux. After conducting a Google search, I came across the official documentation provided by Genymotion. As I scrolled down, I discovered the installation steps tailored for Linux. 

Scrcpy Linux Documentation

This link directs you to the Linux documentation of Scrcpy, a tool that allows you to display and control your Android device from your computer. The documentation provides information about using Scrcpy on Linux operating systems.

Scrcpy is packaged in several distributions and package managers:

apt install scrcpy                                      # Debian/Ubuntu

pacman -S scrcpy                                              # Arch Linux

dnf copr enable zeno/scrcpy && dnf install scrcpy      # Fedora

emerge scrcpy                                                  # Gentoo

snap install scrcpy                                        # Snap

I attempted to execute the provided command but encountered an " unable to locate package " error, indicating that it didn't work as intended.

┌──(kali㉿kali)-[~]

└─$ sudo apt install scrcpy

[sudo] password for kali:

Reading package lists... Done

Building dependency tree... Done

Reading state information... Done

E: Unable to locate package scrcpy

┌──(kali㉿kali)-[~]

└─$ 

To overcome this, I decided to proceed with the manual installation steps . 

Referring to the installation instructions on Scrcpy's GitHub repository , I started by installing the necessary packages. Copy and paste it into the terminal, following which I responded with "y" to proceed.

┌──(kali㉿kali)-[~]

└─$ # for Debian/Ubuntu

sudo apt install ffmpeg libsdl2-2.0-0 adb wget \

                 gcc git pkg-config meson ninja-build libsdl2-dev \

                 libavcodec-dev libavdevice-dev libavformat-dev libavutil-dev \

                 libswresample-dev libusb-1.0-0 libusb-1.0-0-dev

Once the necessary packages are installed, copy the second command and paste it on the terminal. 

┌──(kali㉿kali)-[~]

└─$ git clone https://github.com/Genymobile/scrcpy

cd scrcpy

./install_release.sh

This command will clone the repository and execute the installation script automatically. This phase required some time to complete.

Upon a successful installation, we are now prepared to run Scrcpy, enabling to display and control of an Android virtual machine on the computer screen. To verify its functionality, execute the Scrcpy command and observe its behavior.

┌──(kali㉿kali)-[~]

└─$ scrcpy

Installing Android SDK Toolkit on Kali Linux

Certain essential applications are missing from the Kali Linux distribution, such as the Android SDK tools, which encompass the Android build tools. 

While adb is often associated with Platform tools, SDK tools play a crucial role in manual Android applications and DEX file creation. 

To install the Android SDK on Kali Linux, first, we have to update the repository using the command sudo apt-get update. 

┌──(kali㉿kali)-[~]

└─$ sudo apt-get update                  

[sudo] password for kali: 

Get:1 http://kali.download/kali kali-rolling InRelease [41.2 kB]

Get:2 http://kali.download/kali kali-rolling/main amd64 Packages [19.4 MB]

Get:3 http://kali.download/kali kali-rolling/main amd64 Contents (deb) [45.6 MB]                                                

Get:4 http://kali.download/kali kali-rolling/contrib amd64 Packages [115 kB]                                                    

Get:5 http://kali.download/kali kali-rolling/contrib amd64 Contents (deb) [220 kB]                                              

Get:6 http://kali.download/kali kali-rolling/non-free amd64 Packages [218 kB]                                                   

Get:7 http://kali.download/kali kali-rolling/non-free amd64 Contents (deb) [908 kB]                                             

Fetched 66.4 MB in 15min 42s (70.6 kB/s)                                                                                        

Reading package lists... Done

                                                                                                                                 

┌──(kali㉿kali)-[~]

└─$

After this, proceed to install the SDK manager. You can achieve this by running sudo apt-get install sdkmanager.

┌──(kali㉿kali)-[~]

└─$ sudo apt-get install sdkmanager

Once the SDK manager is successfully installed, the next step involves downloading Platform-tools and Build Tools onto Kali Linux. Execute the following command:

┌──(kali㉿kali)-[~]

└─$ sudo sdkmanager "platform-tools" "build-tools; 30.0.3" "platform; android-30"

This will facilitate the automatic download of platform tools and build tools, with the target platform set to version 30.

[sudo] password for kali:

Downloading https://dl.google.com/android/repository/platform-tools_r34.0.4-linux.zip into /root/.cache/sdkmanager/platformtools_r34.0.4-linux.zip

Unzipping to /tmp/.sdkmanager-jtmxk5cj

Installing into /opt/android-sdk/platform-tools

Downloading https://dl.google.com/android/repository/build-tools_r30.0.3-linux.zip into /root/.cache/sdkmanager/build-tools_r30.0.3-linux.zip

Unzipping to /tmp/.sdkmanager-p9cmbtb

Installing into /opt/android-sdk/build-tools/30.0.3

Downloading https://dl.google.com/android/repository/platform-30_r03.zip into /root/.cache/sdkmanager/platformtools_r34.0.4-linux.zip

Unzipping to /tmp/.sdkmanager-_143jsym

Installing into /opt/android-sdk/platforms/android-30

┌──(kali㉿kali)-[~]

└─$ 

You have the flexibility to adjust the targeted platform value according to your preferences. Once the installation is complete, you can easily identify the storage location of the build tools. 

To verify the successful installation of these build tools, simply check the designated installation directory. 

┌──(kali㉿kali)-[~]

└─$ cd /opt/android-sdk/build-tools/30.0.3

                                                                                                                                 

┌──(kali㉿kali)-[/opt/android-sdk/build-tools/30.0.3]

└─$ ls -al                                

total 18412

drwxr-xr-x 6 root root    4096 Aug 26 05:58 .

drwxr-xr-x 3 root root    4096 Aug 26 05:58 ..

-rwxr-xr-x 1 root root 1543856 Aug 26 05:58 aapt

-rwxr-xr-x 1 root root 5833176 Aug 26 05:58 aapt2

-rw-r--r-- 1 root root     343 Aug 26 05:58 aarch64-linux-android-ld

-rwxr-xr-x 1 root root 3599152 Aug 26 05:58 aidl

-rwxr-xr-x 1 root root    2959 Aug 26 05:58 apksigner

-rw-r--r-- 1 root root     343 Aug 26 05:58 arm-linux-androideabi-ld

-rwxr-xr-x 1 root root   39488 Aug 26 05:58 bcc_compat

-rw-r--r-- 1 root root   18159 Aug 26 05:58 core-lambda-stubs.jar

-rwxr-xr-x 1 root root    2598 Aug 26 05:58 d8

-rwxr-xr-x 1 root root 4097872 Aug 26 05:58 dexdump

-rwxr-xr-x 1 root root    2577 Aug 26 05:58 dx

-rw-r--r-- 1 root root     343 Aug 26 05:58 i686-linux-android-ld

drwxr-xr-x 2 root root    4096 Aug 26 05:58 lib

drwxr-xr-x 2 root root    4096 Aug 26 05:58 lib64

-rwxr-xr-x 1 root root     647 Aug 26 05:58 lld

drwxr-xr-x 2 root root    4096 Aug 26 05:58 lld-bin

-rwxr-xr-x 1 root root 1093784 Aug 26 05:58 llvm-rs-cc

-rwxr-xr-x 1 root root    4732 Aug 26 05:58 mainDexClasses

-rw-r--r-- 1 root root     310 Aug 26 05:58 mainDexClassesNoAapt.rules

-rw-r--r-- 1 root root     758 Aug 26 05:58 mainDexClasses.rules

-rw-r--r-- 1 root root     343 Aug 26 05:58 mipsel-linux-android-ld

-rw-r--r-- 1 root root  766452 Aug 26 05:58 NOTICE.txt

-rw-r--r-- 1 root root   17806 Aug 26 05:58 package.xml

drwxr-xr-x 5 root root    4096 Aug 26 05:58 renderscript

-rw-r--r-- 1 root root      17 Aug 26 05:58 runtime.properties

-rw-r--r-- 1 root root      63 Aug 26 05:58 source.properties

-rwxr-xr-x 1 root root 1502920 Aug 26 05:58 split-select

-rw-r--r-- 1 root root     343 Aug 26 05:58 x86_64-linux-android-ld

-rwxr-xr-x 1 root root  232120 Aug 26 05:58 zipalign

                                                                                                                                 

┌──(kali㉿kali)-[/opt/android-sdk/build-tools/30.0.3]

└─$ 

Within this directory, you'll discover a comprehensive assortment of invaluable tools that play a pivotal role throughout the entire Android APK building process.

Downgrade the Java to JDK-8

An important point to keep in mind is that Java plays a significant role in Android app reverse engineering. 

While Kali Linux does come with Java pre-installed, it's worth noting that the latest version of Java might not function optimally with various Android build applications. As a result, it becomes necessary to downgrade Java to an earlier version. 

In my case, I've chosen to work with JDK-8 for this purpose. During my attempt to install JDK-8 using the command, sudo apt-install openjdk-8-jdk, I encountered an error stating " Unable to locate package ." 

┌──(kali㉿kali)-[~]

└─$ sudo apt install openjdk-8-jdk

[sudo] password for kali: 

Reading package lists... Done

Building dependency tree... Done

Reading state information... Done

E: Unable to locate package openjdk-8-jdk

                                                                                                                               

┌──(kali㉿kali)-[~]

└─$

To address this issue, I'll guide you through the manual installation of JDK-8. You can apply similar steps to install other versions as well.

Open your preferred web browser, and navigate to this URL. 

Oracle Java 8 - Download

This link provides access to download Oracle Java 8. Java 8 is a widely used version of the Java programming language, known for its stability and compatibility with many applications.

This webpage will offer access to the installation and archive files for JDK-8. 

We'll specifically target the Linux version for installation. However, you'll notice various architecture options available. To determine your system's architecture, execute the command " uname -a " in your terminal. 

┌──(kali㉿kali)-[~]

└─$ uname -a

Linux kali 6.3.0-kali1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.3.7-1kali1 (2023-06-29) x86_64 GNU/Linux

                                                                                                                               

┌──(kali㉿kali)-[~]

└─$

Upon checking the result, I discovered that my system employs the x86_64 architecture. Consequently, I will download the x64 archive file. After completing the download, the next step is to prepare for the installation of JDK-8. 

Navigate to the directory where the download is located. 

Once there, extract the downloaded file. 

After extraction, rename the folder to, " jdk-8 ." 

To proceed, move this renamed folder to the /usr/lib/jvm directory. Open a new terminal, and navigate to the download directory and Execute the "mv" command to relocate the folder to its new destination.

┌──(kali㉿kali)-[~]

└─$ cd Downloads                  

                                                                                                                               

┌──(kali㉿kali)-[~/Downloads]

└─$ sudo mv jdk-8 /usr/lib/jvm 

                                                                                                                               

┌──(kali㉿kali)-[~/Downloads]

└─$ 

Now, let's execute the following command: 

┌──(kali㉿kali)-[~/Downloads]

└─$ sudo update-alternatives --install /usr/bin/java java /usr/lib/jvm/jdk-8/bin/java 1

This command instructs the system to add a new alternative for the Java executable. It designates the new alternative's location as ` /usr/lib/jvm/jdk-8/bin/java ` and assigns it a priority of 1. This means that if other alternatives for the `java` command exist, the system will give preference to the one specified in this command with a priority value of 1. This approach proves valuable for managing multiple versions of a program and seamlessly switching between them.

Similarly, we proceed to add new alternatives for other executables. Replace the word "java" with " javac " to add a new alternative for the Java compiler.

┌──(kali㉿kali)-[~/Downloads]

└─$ sudo update-alternatives --install /usr/bin/javac javac /usr/lib/jvm/jdk-8/bin/javac 1

                               

┌──(kali㉿kali)-[~/Downloads]

└─$

And then repeat the process for the "jar" command.

┌──(kali㉿kali)-[~/Downloads]

└─$ sudo update-alternatives --install /usr/bin/jar jar /usr/lib/jvm/jdk-8/bin/jar 1

                                                                                                                               

┌──(kali㉿kali)-[~/Downloads]

└─$

Having successfully installed Java 8, the next step is to configure it as the default Java runtime environment (JRE) interactively. This configuration is especially handy when dealing with multiple installed Java versions, and you wish to designate one as the default.

To achieve this, enter the command ` sudo update-alternatives --config java ` in the terminal. 

┌──(kali㉿kali)-[~/Downloads]

└─$ sudo update-alternatives --config java 

There are 2 choices for the alternative java (providing /usr/bin/java).

  Selection    Path                                         Priority   Status

------------------------------------------------------------

* 0            /usr/lib/jvm/java-17-openjdk-amd64/bin/java   1711      auto mode

  1            /usr/lib/jvm/java-17-openjdk-amd64/bin/java   1711      manual mode

  2            /usr/lib/jvm/jdk-8/bin/java                   1         manual mode

Press <enter> to keep the current choice[*], or type selection number:

This command prompts the system to present you with two alternative options for Java. You'll need to choose the number corresponding to the location of jdk-8 and press "Enter."

Press <enter> to keep the current choice[*], or type selection number: 2

update-alternatives: using /usr/lib/jvm/jdk-8/bin/java to provide /usr/bin/java (java) in manual mode

                                                                                                                                

┌──(kali㉿kali)-[~/Downloads]

└─$

By following this step, you'll effectively update Kali Linux to use Java 8. In case you wish to revert to the previous Java version, simply execute a similar command and select the desired alternative.

┌──(kali㉿kali)-[~/Downloads]

└─$ java -version                         

java version "1.8.0_381"

Java(TM) SE Runtime Environment (build 1.8.0_381-b09)

Java HotSpot(TM) 64-Bit Server VM (build 25.381-b09, mixed mode)

                                                                                                                                

┌──(kali㉿kali)-[~/Downloads]

└─$ 

These steps provide a robust mechanism for managing different Java versions of your system.

┌──(kali㉿kali)-[~]

└─$ javac -version

Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true

javac 17.0.8

                                                                                                                                

┌──(kali㉿kali)-[~]

└─$ 

However, the Java compiler has not yet been updated to version 8. To achieve this, run the same command as before, but replace "java" with "javac." Then select the alternative "javac" option when prompted.

┌──(kali㉿kali)-[~]

└─$ sudo update-alternatives --config javac

There are 2 choices for the alternative javac (providing /usr/bin/javac).

  Selection    Path                                          Priority   Status

------------------------------------------------------------

* 0            /usr/lib/jvm/java-17-openjdk-amd64/bin/javac   1711      auto mode

  1            /usr/lib/jvm/java-17-openjdk-amd64/bin/javac   1711      manual mode

  2            /usr/lib/jvm/jdk-8/bin/javac                   1         manual mode

Press <enter> to keep the current choice[*], or type selection number: 2

update-alternatives: using /usr/lib/jvm/jdk-8/bin/javac to provide /usr/bin/javac (javac) in manual mode

                                                                                                                                

┌──(kali㉿kali)-[~]

└─$ javac -version

javac 1.8.0_381

                                                                                                                                

┌──(kali㉿kali)-[~]

└─$ 

Likewise, proceed to update the path for the jar file. 

┌──(kali㉿kali)-[~]

└─$ sudo update-alternatives --config jar 

There are 2 choices for the alternative jar (providing /usr/bin/jar).

  Selection    Path                                        Priority   Status

------------------------------------------------------------

* 0            /usr/lib/jvm/java-17-openjdk-amd64/bin/jar   1711      auto mode

  1            /usr/lib/jvm/java-17-openjdk-amd64/bin/jar   1711      manual mode

  2            /usr/lib/jvm/jdk-8/bin/jar                   1         manual mode

Press <enter> to keep the current choice[*], or type selection number: 2

update-alternatives: using /usr/lib/jvm/jdk-8/bin/jar to provide /usr/bin/jar (jar) in manual mode

                                                                                                                                

┌──(kali㉿kali)-[~]

└─$ 

Once these changes are made, you can verify them by checking the version:

┌──(kali㉿kali)-[~/Downloads]

└─$ java -version                         

java version "1.8.0_381"

Java(TM) SE Runtime Environment (build 1.8.0_381-b09)

Java HotSpot(TM) 64-Bit Server VM (build 25.381-b09, mixed mode)

                                                                                                                                

┌──(kali㉿kali)-[~]

└─$ javac -version

javac 1.8.0_381

                                                                                                                                

┌──(kali㉿kali)-[~]

└─$ 

There is some additional information that I have provided you in this video that can prove valuable for testing Android applications during Penetration Testing and Reverse Engineering. If you have any uncertainties or questions, please feel free to leave them in the comment section below.