Android Penetration Tools Walkthrough Series: AppMon
AppMon is a suite of Python scripts that make gathering information on and penetration testing Android and iOS apps easier. AppMon integrates with the popular Frida dynamic instrumentation toolkit that provides access to information and capabilities similar to debugging an app.
With the Frida toolkit running as a service on an Android device, it can easily be accessed and intruded upon over ADB with AppMon. Frida opens the door. AppMon brings the tools to make the most of the opportunity.
For Android testing, AppMon can be run on any operating system equipped with ADB and Python, though the experience tends to be smoothest from Linux. This guide is based on a Debian-based Linux install, so adjust accordingly in your own testing.
What Can It Do?
AppMon has three primary tools for Android; Sniffer, Intruder, and Tracer. Each tool serves its own unique purpose and broadens the range of capabilities that you have when testing Android apps.
The Android Sniffer reads and logs API calls from a selected app. Those calls are logged to a database and displayed through a convenient web interface that AppMon spins up automatically.
AppMon also provides a utility to trace function calls within Android apps. The Android Tracer allows you to trace method calls by class within an Android app. The script displays those calls in the terminal in real time.
Once you’ve collected the data you need about your apps, you can use the Android Intruder to carry out an actual test. The Intruder executes custom scripts on the app of your choosing. You can use your scripts to execute actual Java within a running app to change its behavior or gather information.
What You Need
There are two basic components that you’ll need to test with AppMon. First, you’ll need a computer to act as the host. AppMon is mostly written Python, so Unix-like systems will always work best. It is possible to test with Windows, but this guide is going to focus on Linux since Google’s tools were designed for the platform.
Next, you’re going to need an Android device to test. This part is entirely up to you. An older physical device or a spare will usually be best. They’re generally more reliable, and they provide real-world test results. However, if you happen to be short on devices, an emulator will work as well.
In either case, you need to root the device. There is a non-rooted version of this procedure that requires you to build modified versions of each APK that you wish to test. The script to build those APKs is also included with AppMon.
Set Up the Linux Host
To begin working with the Linux host machine, you’re going to need to install a few packages to get set up and interact with the Android device. They’re all available from both the Debian and Ubuntu repositories, so there’s no need to track them down.
$ sudo apt install git virtualenv android-tools-adb android-tools-fastboot
Once you have your packages installed, pick a location to create a Python virtual environment. A virtual environment is a better option than installing Python packages system-wide because it allows you to compartmentalize and use different package versions for different tasks. It also enables you to work without elevating your privileges.
Choose a location and use the virtualenv package that you just installed to create a new virtual environment. AppMon is only compatible with Python 2. Remember to specify that.
$ virtualenv -p python2 appmon
It won’t take long for virtualenv to configure your directory. Change to it.
$ cd appmon
Now, you’re ready to clone AppMon from its Github repository. The process should take a few seconds, depending on your connection.
$ git clone https://github.com/dpnishant/appmon.git
Before you can finish the setup, you’re going to need to activate your virtual environment. Doing so will switch your path for Python to the local version within the environment directory. The prompt will change to indicate that you’re using the virtual environment.
When you’re done working within the virtual environment, you can use the “deactivate” command to return to normal. You’re going to need the environment enabled the entire time you’re working with AppMon.
$ source bin/activate
With your virtual environment activated, you can install the Frida client along with all AppMon’s other dependencies. Remember that these will only install locally within the context of the environment.
(appmon)$ pip install argparse frida flask termcolor dataset htmlentities –upgrade
Finally, enter your newly cloned AppMon directory.
(appmon)$ cd appmon
Set Up the Android Device
Android setup begins on the Linux host machine and continues onto Android over ADB. If you’re not too familiar with ADB, it’s a debugging bridge for Android devices that you can think of like SSH, allowing you to exchange files and execute commands from another machine. You already installed ADB in the last section, so you’re ready to begin using it.
Open up the browser on your Linux machine, and navigate to the Frida project’s release page. Download the latest version of the Frida server.
Navigate to the directory where the server downloaded and unpack it with tar.
$ cd ~/Downloads
$ tar xJpf frida-server-*.tar.xz
Rename the resulting file to make it easier to work with.
$ mv frida-server-XX frida-server
Once you have your “frida-server,” you’re ready to push it onto your Android device over ADB. Connect your device up to your computer and enable USB debugging in its settings. Use ADB’s “push” command to copy “frida-server” into the temporary directory on your Android device.
$ adb push frida-server /data/local/tmp/
Change the permissions of the file to make it executable.
$ adb shell “chmod 755 /data/local/tmp/frida-server”
Frida must be run as root on the Android device. Otherwise, the server will only be able to see itself, instead of being able to collect data about every app running on the system. You can escalate the privileges of the ADB shell and execute the Frida server as a service running in the background of the Android system.
$ adb shell su
To be sure that Frida is running as indented on your Android device, run the following command in a different terminal from Linux. Just make sure that you’re using your virtual environment, or you’ll just get an error. The command should successfully list out the apps running on Android.
(appmon)$ frida-ps -U
There are three basic tools for Android included with AppMon. The setup process that you just followed gives you access to all of them. Each one is a Python script, and most are in their own folders. Being part of the same suite, they all also follow the same basic syntax.
Before you carry out any kind of test, you’re going to need to gather information. AppMon’s primary tool for information gathering is the Sniffer. It traces API calls from within a selected app and logs that information in a .db file. It also displays that information in real time on a convenient locally hosted web interface which it spins up automatically when run.
Start by finding an app that you want to test. You listed them out before directly with Frida, but there’s a way to list them with AppMon too.
(appmon)$ python appmon.py -p android -ls 1
That will print out a list of all the running apps. The process names on Android follow a specific pattern. You’re looking for entries like, “org.mozilla.firefox.” That’s the format that AppMon recognizes too.
Pick an app that you want to analyze. Run the same script as before, but tell it which app to sniff out, and which scripts to use.
(appmon)$ python appmon.py -p android -s scripts/Android -a “org.mozilla.firefox”
AppMon will start running its analysis of the Firefox app. It won’t stop until you tell it to with “CTRL+C.” At this point, you can also open the web interface in your browser at localhost:5000.
The first page that you land on asks you to select the app that you want to display. Select it.
The calls are timestamped and listed chronologically. Each entry will also tell you which operation was performed, the method that was called, and which module the functionality is from. The final column, Artifact, contains the actual data from the call.
The web interface includes some great tools for finding and sorting the data that you’re gathering too. There is a search function to filter your data, and the sorting controls can help you isolate particular patterns that you wish to focus on.
AppMon’s Intruder script does exactly what its name suggests. It lets you break into Android apps and modify their behavior. It’s important to note here, that the script itself doesn’t have any real functionality in the way of modifying Android apps. It grants access and runs specified scripts. For better or worse, you need to provide the scripts. The functionality might not be turn-key, but it does allow you virtually infinite flexibility.
Intruder has its own folder. It’s in the directory that you’re already in, so change into it now.
(appmon)$ cd intruder
From there, you can run the appintruder.py script. It takes very similar options to the Sniffer script. You need to tell it which platform you’re testing, which scripts it needs to execute, and which app it’ll be intruding on.
(appmon)$ python appintruder.py -p android -a “org.mozilla.firefox” -s scripts/Android/yourFFScript.js
Notice that the script path is somewhat different. Intruder requires you to create your own scripts, and you will probably be using a specific script each time you run Intruder.
There is one demo script that comes with AppMon. It blocks a specified app from gaining root privileges or running the ‘su’ command altogether. To test it out, pick a root checker app, and install it on your device. Then, open the app.
Run AppMon’s command to list out the apps running on the device. Locate your root checker.
(appmon)$ python ../appmon.py -p android -ls 1
Once you have it, close the app, and rerun intruder.
(appmon)$ python appintruder.py -p android -s scripts/Android -a “com.joeykrim.rootcheck”
With Intruder running, open the app again. Check for root access. It will fail because the script running through Intruder will block it from running ‘su.’ Feel free to check out the script to see how it actually works. It’s probably your best resource in writing your own scripts going forward.
While this one sounds like it would make an interesting Overwatch skin, the Android Tracer is actually a powerful debugging and analysis tool that enables you to see into the inner workings of an Android app by tracing the path of method calls.
The Tracer directory is within the AppMon root directory. Change into it.
(appmon)$ cd tracer
Inside the Tracer directory, you’ll find the script itself, android_tracer.py. This script takes slightly different arguments. You still need to tell it which app to work with, but you also need to give this script a class and method to look out for.
AppMon assumes that you know a bit about Android programming. You’re going to need some form of reference for Android classes and methods that you can search for. Google provides a reference that you can use to dig up the classes and methods that you want to trace.
After you have the information you need, you can construct your command, and run the Tracer script.
(appmon)$ python android_tracer.py -a “org.mozilla.firefox” -c “SQLiteDatabase” -m “query”
Start using the app to begin the trace. You’ll start to see the terminal populate with results.
AppMon is a fantastic set of tools to perform complete tests on Android applications. By working in tandem with the Frida server, it provides access to crucial information that you can use to construct tests and ultimately attacks that can exploit an app’s behavior.
AppMon goes a step further by also providing the utilities necessary to easily construct and execute scripts that interact with and modify the behavior of apps in real time. It gets you to the exact point where you only need to worry about your scripts, not any of the setup.
If you’re looking to pentest on Android, you should make AppMon part of your toolkit.