Android lets you use several different tools and techniques to enumerate software and configurations and begin validating the software on your device. This cheat sheet is based on work performed on an Android TV device (we documented the steps in the article “Android TV Devices: Owned Supply Chain Security Threats”).
The information collected by the commands below does not automatically validate the supply chain, but it provides data that can be used for manual validation. Because Android has many versions and device configurations, the commands below may not work exactly as described here. Some of the data you can collect depends heavily on whether you can “root” your Android device.
adb (Android Debug Bridge) commands
$ adb connect 192.168.1.150
connected to 192.168.1.150:5555
$ adb devices -l
List of devices attached
192.168.1.150:5555 device product:walleye model:MBOX device:walleye transport_id:1
$ adb shell
walleye:/ $
$ adb root
restarting adbd as root
$ adb shell
walleye:/ #
$ adb shell pm list packages -f
package:/system/app/TvdVideo/TvdVideo.apk=com.softwinner.TvdVideo
package:/system/priv-app/CtsShimPrivPrebuilt/CtsShimPrivPrebuilt.apk=com.android.cts.priv.ctsshim
package:/system/priv-app/GoogleExtServices/GoogleExtServices.apk=com.google.android.ext.services
package:/data/app/com.google.android.katniss-cge_xXeW17WhrGeW3nufDg==/base.apk=com.google.android.katniss
package:/system/priv-app/TelephonyProvider/TelephonyProvider.apk=com.android.providers.telephony
package:/system/priv-app/DynamicSystemInstallationService/DynamicSystemInstallationService.apk=com.android.dynsystem
package:/system/priv-app/CalendarProvider/CalendarProvider.apk=com.android.providers.calendar
$ adb shell pm list packages                    # all packages
$ adb shell pm list packages -f                 # with the path of the associated APK
$ adb shell pm list packages -d                 # disabled packages only
$ adb shell pm list packages -e                 # enabled packages only
$ adb shell pm list packages -s                 # system packages only
$ adb shell pm list packages -3                 # third-party packages only
$ adb shell pm list packages -i                 # show the installer of each package
$ adb shell pm list packages -u                 # also include uninstalled packages
$ adb shell pm list packages --user <USER_ID>   # packages of one user (<USER_ID> is a placeholder)
Source: https://book.hacktricks.xyz/mobile-pentesting/android-app-pentesting/adb-commands
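An added example, not part of the original cheat sheet: a small parser that turns `pm list packages -f` output into an inventory grouped by where each APK lives, which is a useful starting point for manual validation. The origin labels, the function names and the `/vendor` sample line are assumptions of this example; note the split on the last `=`, because `/data/app` directory names can themselves end in `==`.

```python
from collections import defaultdict

# Sample input: the first three lines come from the listing above,
# the /vendor line is constructed for illustration.
SAMPLE = """\
package:/system/app/TvdVideo/TvdVideo.apk=com.softwinner.TvdVideo
package:/system/priv-app/GoogleExtServices/GoogleExtServices.apk=com.google.android.ext.services
package:/data/app/com.google.android.katniss-cge_xXeW17WhrGeW3nufDg==/base.apk=com.google.android.katniss
package:/vendor/app/Example/Example.apk=com.example.vendorapp
"""

# Path prefix -> origin label (an assumed grouping, most specific prefix first).
ORIGINS = [
    ("/system/priv-app/", "system-privileged"),
    ("/system/app/", "system"),
    ("/vendor/", "vendor"),
    ("/product/", "product"),
    ("/data/app/", "user-installed-or-updated"),
]

def parse_line(line):
    """Return (package_name, apk_path), or None if the line is not a package entry."""
    line = line.strip()
    if not line.startswith("package:"):
        return None
    # Split on the LAST '=': the APK path may contain '=' (base64 padding),
    # while a package name never does.
    path, sep, name = line[len("package:"):].rpartition("=")
    if not sep or not path or not name:
        return None
    return name, path

def classify(path):
    """Map an APK path to an origin label using the prefix table."""
    for prefix, label in ORIGINS:
        if path.startswith(prefix):
            return label
    return "other"

def inventory(text):
    """Group package names by the partition/directory their APK is installed in."""
    groups = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            name, path = parsed
            groups[classify(path)].append(name)
    return {label: sorted(names) for label, names in groups.items()}

if __name__ == "__main__":
    for label, names in sorted(inventory(SAMPLE).items()):
        print(f"{label}: {', '.join(names)}")
```

Feed it the saved output of `adb shell pm list packages -f`; anything in `system-privileged` that you cannot attribute to the vendor or to AOSP is a good first candidate for closer inspection.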
Dump flash over the network.
$ adb forward tcp:5555 tcp:5555
$ adb shell
$ sudo nc -l -p 5555 -e dd if=/dev/block/mmcblk0
Run the following commands in a new terminal:
$ mkdir ~/dump
$ cd ~/dump
$ nc 127.0.0.1 5555 | pv -i 0.5 > mydump.img
Mount the device disk image
Display partition list
$ sudo parted mydump.img print
Map all mountable partitions in the image. They will then be listed in the file explorer, and you can click a partition to mount it.
$ sudo kpartx -a -v mydump.img
Remove the device mappings; make sure all mounted partitions are unmounted first.
$ sudo kpartx -d -v mydump.img
Scan your network for Android debugging (adb) ports
$ nmap -sV -p 5555 --open 192.168.1.0/24
Nmap scan report for 192.168.1.148
Host is up (0.12s latency).
PORT     STATE SERVICE  VERSION
5555/tcp open  freeciv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5555-TCP:V=7.94%I=7%D=1/23%Time=65AFEA8D%P=x86_64-pc-linux-gnu%r(ad
SF:bConnect,2C,"AUTH\x01\0\0\0\0\0\0\0\x14\0\0\0\x9f\t\0\0\xbe\xaa\xab\xb7
SF:\x94\xde\x92\xbd\0\^\x14c\xc0UDkPB\xb9\xf7\x80\xe7\x12\x8a");
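Nmap labels the port `freeciv?`, but the bytes in the fingerprint above are an adb `AUTH` message. The following added example (not from the original post) decodes the 24-byte adb message header from that fingerprint and checks the protocol's magic field, so a scan result can be confirmed as adb and as requiring authentication; the function names are this example's own.

```python
import struct

# First 24 bytes of the service response in the Nmap fingerprint above
# (header only; the 20-byte payload that follows it is left out).
HEADER = (b"AUTH" b"\x01\x00\x00\x00" b"\x00\x00\x00\x00"
          b"\x14\x00\x00\x00" b"\x9f\x09\x00\x00" b"\xbe\xaa\xab\xb7")

# Command words defined by the adb wire protocol.
KNOWN = {b"CNXN", b"AUTH", b"STLS", b"OPEN", b"OKAY", b"CLSE", b"WRTE", b"SYNC"}

def parse_adb_header(data):
    """Parse a 24-byte adb message header; return a dict, or None if it is not adb."""
    if len(data) < 24:
        return None
    # Six little-endian 32-bit words: command, arg0, arg1, length, checksum, magic.
    command, arg0, arg1, length, checksum, magic = struct.unpack("<6I", data[:24])
    # adb sets magic to the bitwise complement of the command word.
    if magic != command ^ 0xFFFFFFFF:
        return None
    name = data[:4]
    if name not in KNOWN:
        return None
    return {"command": name.decode(), "arg0": arg0, "arg1": arg1,
            "payload_len": length, "payload_sum": checksum}

def describe(data):
    """Summarise what the first response of a service on port 5555 tells us."""
    hdr = parse_adb_header(data)
    if hdr is None:
        return "not adb"
    if hdr["command"] == "AUTH" and hdr["arg0"] == 1:  # arg0 == 1 means TOKEN
        return "adb, authentication required (token of %d bytes)" % hdr["payload_len"]
    if hdr["command"] == "CNXN":
        return "adb, connection accepted without authentication"
    return "adb, %s message" % hdr["command"]

if __name__ == "__main__":
    print(describe(HEADER))
```

A device that answers with `CNXN` instead of `AUTH` accepts adb connections from anyone who can reach the port and should be prioritised for remediation.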
Get device properties
Get all properties.
$ adb shell getprop
Get the Android release number.
$ adb shell getprop ro.build.version.release
Obtain the build fingerprint from the vendor.
$ adb shell getprop ro.vendor.build.fingerprint
Get the device model.
$ adb shell getprop ro.product.model
Get the device name.
$ adb shell getprop ro.product.device
Get running apps.
$ adb shell ps | grep u0_
Service list:
$ adb shell service list
List app permissions:
$ adb shell pm list permissions -g -f
Pull a log
$ adb logcat
$ adb logcat -d -f /sdcard/log.txt
$ adb pull /sdcard/log.txt
Tools and references
- Autopsy – The Android Analyzer module hasn’t been updated in a while, but it still supports parsing some items from Android devices. It also gives faster access to the file system directory tree than commercially available tools: most tools, unlike Autopsy, make you wait during analysis until the file system is visible. Its keyword search and carving are also top notch.
- Jadx – Android app decompiler
- Mobexler (commercial) – “Mobexler is a customized virtual machine designed to help with penetration testing of Android and iOS applications.”
- MobSF – Mobile App Static Analyzer
- androidqf – Automates and simplifies most of the commands presented here in one utility (creating backups, logging, downloading applications, etc.).
- apk.sh – “apk.sh is a Bash script that facilitates reverse engineering Android apps and automates repetitive tasks such as pulling, decoding, rebuilding, and patching APKs.”
- Missing signs: How some brands forgot to protect critical parts of Android
- Analyze installed Android applications for security risks with Termux
The post Android Supply Chain Validation Cheatsheet appeared first on Eclypsium | Supply chain security for modern enterprises.
*** This is a syndicated blog from the Security Bloggers Network brought to you by Eclypsium | “Supply Chain Security for the Modern Enterprise” by Chris Garland. Read the original post: https://eclypsium.com/blog/android-supply-chain-validation-cheat-sheet/