Preface
If you work with Mobile Pentest or have performed occasional penetration tests, you have surely faced the situation of not having access to the application you need to test. And when that happens, it is common to receive the following message from the client: "But aren't you the hacker? So find a way to get the app!"
This situation is quite common, but it is important to remember that there are specific methods and techniques to ensure the integrity of the application during the acquisition process. Although it may be tempting to resort to sites that offer quick and easy APK or IPA downloads, these sites often add unwanted surprises to the apps. Therefore, in this post, we will address safe and reliable ways to obtain the application needed for a Mobile Pentest.
Methods of Acquisition
As mentioned in the preface, the main ways to acquire an application are:
Installing the application via the Google Play Store on a physical or emulated device:
- A reliable and secure process, but it requires the analyst to set aside a few minutes to prepare the environment and download the application.
Using third-party sites to download the application:
- An unreliable process that can result in the infection of the application and consequently the infection of the test environment.
Acquisition via Google Play Store
Since the first option is more reliable and secure, we will now show you step by step how to acquire an application through the Google Play Store using an emulated device.
Setting up the virtual environment
Before anything else, it is necessary to create a virtual device using an image that contains the Google Play Store. In the example below, we will use the Android 12.0 (Google Play) image, API Level 31, ABI x86_64.
After starting the virtual device, access the Google Play Store and install the desired application.
For this example, we selected WhatsApp Messenger.
After installation, access the Google Play Store website and search for the desired application.
Note that the package name is displayed in the URL as the value of the "id" parameter. Take note of this information, as we will use it later.
If you don't want to look up the package name on the Google Play Store, use the command
adb shell 'pm list packages' | sed 's/.*://g'
to list all packages installed.
All applications in the Android environment are saved in the path /data/app/package_name/. However, regular users do not have permission to list the information contained within this directory. Therefore, to extract the complete path of the application, execute the following command:
adb shell pm path com.whatsapp
Replace the string "com.whatsapp" with the package name identified in the Google Play Store URL.
Copy the resulting path from the above command and download the application to your local machine.
adb pull "/data/app/~~Y28-2Gnz_hlc4bdSHvLJOA==/com.whatsapp-u_k5sTjhJ-nREe6L_e8YzQ==/base.apk" teste.apk
From that point, we already have the application to carry out the tests. Just launch the rooted virtual device and go through the installation process as normal.
adb install teste.apk
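The pull step above, generalized as an added example (not code from the original post): it pulls every APK that pm path lists, since apps installed from Google Play are often split into base.apk plus split_config APKs, and records SHA-256 hashes of what was acquired. The script name pull_apks.sh, the output directory and the sample paths are constructed for illustration; it assumes adb and sha256sum are available on the host.

```shell
#!/bin/sh
# Added example (not from the original post): pull every APK that
# `pm path` reports for a package and record SHA-256 hashes.
# Assumptions: adb is on PATH with one device attached; sha256sum exists.

# Constructed sample of `adb shell pm path` output for a split install.
SAMPLE_PM_PATH='package:/data/app/~~AAAA==/com.example.app-BBBB==/base.apk
package:/data/app/~~AAAA==/com.example.app-BBBB==/split_config.x86_64.apk'

# Accept only letters, digits, "_" and "." so the name cannot carry
# shell metacharacters into the device-side command line.
valid_pkg() {
    case "$1" in
        ''|*[!A-Za-z0-9._]*) return 1 ;;
        *) return 0 ;;
    esac
}

# stdin: `pm path` output. stdout: one device path per line.
# Drops the "package:" prefix and any carriage returns adb adds.
parse_pm_path() {
    tr -d '\r' | sed -n 's/^package://p'
}

# Pull all APKs of package $1 into directory $2, then hash them.
pull_pkg() {
    pkg=$1; out=$2
    valid_pkg "$pkg" || { echo "invalid package name: $pkg" >&2; return 2; }
    paths=$(adb shell pm path "$pkg" | parse_pm_path)
    [ -n "$paths" ] || { echo "not installed: $pkg" >&2; return 1; }
    mkdir -p "$out" || return 1
    printf '%s\n' "$paths" | while IFS= read -r p; do
        # </dev/null keeps adb from consuming the loop's input
        adb pull "$p" "$out/$(basename "$p")" </dev/null || exit 1
    done || return 1
    ( cd "$out" && sha256sum ./*.apk > SHA256SUMS )
}

# Usage (hypothetical script name): sh pull_apks.sh com.whatsapp ./out
if [ "$#" -eq 2 ]; then
    pull_pkg "$1" "$2"
fi
```

When the output directory holds more than base.apk, install the set together with adb install-multiple rather than adb install.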
It is important to emphasize that Hacking Force does not support the execution of security tests in uncontrolled environments without prior permission and consent from the application owners. We believe that conducting security tests should be done in an ethical and responsible manner, in compliance with applicable policies and regulations.