# Dynamic Analysis

Dynamic analysis is performed by running the program and observing its behaviour.

## How to install applications with adb?

`adb install apkfilename.apk`

## How to intercept traffic of the application?

**Burp Suite** is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

### [Configure the Burp Proxy listener](https://support.portswigger.net/customer/portal/articles/1841101-configuring-an-android-device-to-work-with-burp)

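```bash
# Print the certificate's subject hash; Android names system CA files <hash>.0
# (on OpenSSL 1.0 and later, -subject_hash_old prints the legacy hash Android uses)
openssl x509 -inform PEM -subject_hash -in BurpCA.pem | head -1

# Copy the PEM certificate to a file named after that hash (9a5ba580 in this example)
cat BurpCA.pem > 9a5ba580.0

# Append the human-readable certificate text
openssl x509 -inform PEM -text -in BurpCA.pem -out /dev/null >> 9a5ba580.0

# Restart adbd as root and remount /system read-write (rooted device or emulator)
adb root
adb remount

# Install the certificate into the system trust store and reboot
adb push 9a5ba580.0 /system/etc/security/cacerts/
adb shell "chmod 644 /system/etc/security/cacerts/9a5ba580.0"
adb shell "reboot"
```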

<figure><img src="https://2641436320-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZkW2HTL8VBVaNWfTE6Ra%2Fuploads%2FAGix21RG9e056pX0Os8h%2FScreen-Shot-2017-10-03-at-17.30.00.webp?alt=media&#x26;token=6b838f3d-3885-4530-bee0-979177b76d7d" alt=""><figcaption></figcaption></figure>

### [PID Cat](https://github.com/JakeWharton/pidcat)

A tool that shows log entries for a specific application package when debug=true is enabled in the app.

<figure><img src="https://2641436320-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZkW2HTL8VBVaNWfTE6Ra%2Fuploads%2F15eOgW1uDFyyEcowvIuN%2Fscreen.png?alt=media&#x26;token=b1e0471e-505e-433b-88fe-97f66573e37b" alt=""><figcaption></figcaption></figure>

### [Drozer](https://github.com/FSecureLABS/drozer)

drozer helps to provide confidence that Android apps and devices being developed by, or deployed across, your organisation do not pose an unacceptable level of risk, by allowing you to interact with the Dalvik VM, other apps’ IPC endpoints and the underlying OS.

drozer provides tools to help you use and share public exploits for Android. For remote exploits, it can generate shellcode to help you to deploy the drozer Agent as a remote administrator tool, with maximum leverage on the device.

drozer is a comprehensive security audit and attack framework for Android.

Basic example: abusing unprotected activities.

This requires drozer to be installed on your computer and the drozer agent to be installed on your emulator or device.

#### Commands:

* `adb forward tcp:31415 tcp:31415`
* `drozer console connect`

Now download and install the [APK](https://github.com/as0ler/Android-Examples/raw/master/sieve.apk) for this example.

<figure><img src="https://2641436320-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZkW2HTL8VBVaNWfTE6Ra%2Fuploads%2FWMr4W0KecfANmDQdnyB6%2Fdro1.png?alt=media&#x26;token=7b6f64f5-7211-40d7-a7ad-7f0e9b3e6278" alt=""><figcaption></figcaption></figure>

Retrieving package information:

`run app.package.list` lists all the installed packages.

<figure><img src="https://2641436320-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZkW2HTL8VBVaNWfTE6Ra%2Fuploads%2FcPe8v9eSsiOEdA4yak95%2Fdro2.png?alt=media&#x26;token=ba43da5f-cbef-4796-af0c-132670ffef0a" alt=""><figcaption></figcaption></figure>

`run app.package.info -a package_name` shows the package information.

<figure><img src="https://2641436320-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZkW2HTL8VBVaNWfTE6Ra%2Fuploads%2FrJIR4REm9YTH11mAZLrD%2Fdro3.png?alt=media&#x26;token=135c1c3a-f13f-40bb-b20a-d31c2ad4dc57" alt=""><figcaption></figcaption></figure>

Identifying the attack surface (unprotected activities and more):

`run app.package.attacksurface package_name`

<figure><img src="https://2641436320-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZkW2HTL8VBVaNWfTE6Ra%2Fuploads%2FyADdTdc4OpEy2h1QaBHJ%2Fdro4.png?alt=media&#x26;token=7c5a2c8c-5434-4727-8bec-42bcd03c55af" alt=""><figcaption></figcaption></figure>

View which activities can be exploited:

`run app.activity.info -f package_name`

<figure><img src="https://2641436320-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZkW2HTL8VBVaNWfTE6Ra%2Fuploads%2FLWhVXkWjqUn1UabBcrRD%2Fdro5.png?alt=media&#x26;token=3ddedef5-3273-496f-afd4-ced258bc1709" alt=""><figcaption></figcaption></figure>

Start unprotected activities:

`run app.activity.start --component package_name component_name`

<figure><img src="https://2641436320-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZkW2HTL8VBVaNWfTE6Ra%2Fuploads%2Fn1lHzJAEfTOGTPjuwrAF%2Fdro6.png?alt=media&#x26;token=80c023df-3dc3-49a5-994e-170738971378" alt=""><figcaption></figcaption></figure>

#### Drozer Cheatsheet

Exploiting Content Provider

```bash
run app.provider.info -a package_name

run scanner.provider.finduris -a package_name

run app.provider.query uri

run app.provider.update uri --selection conditions selection_arg column data

run scanner.provider.sqltables -a package_name

run scanner.provider.injection -a package_name

run scanner.provider.traversal -a package_name
```

Exploiting Service

```
run app.service.info -a package_name

run app.service.start --action action --component package_name component_name

run app.service.send package_name component_name --msg what arg1 arg2 --extra type key value --bundle-as-obj
```
