Enumerating Android devices for Fun and Profit

Saturday, March 18, 2017



I mess around with Android devices quite a bit, poking around their internals trying to figure out what services and processes are running, which apps are installed, what the binaries and libraries are responsible for, and maybe whether I can mess around with them.

Given that I have quite a handful of devices to play around with, going through them one by one became repetitive and boring. I also stumbled into the following challenges.

Problem statement

  • Device file system enumeration was a slow, repetitive and tedious process
  • I was unable to quickly pull the device info, files and binaries from a device.
  • I wanted to be able to pull the above info from any Android device without having to worry about the changes at each Android platform level.
  • I wanted as much info and data as I could get on a device to assist with some exploit development insight
The next question was: how did I want to solve this problem? I simply wanted to:
  • Make my work a bit easier with regards to reverse engineering apps, binaries and libraries.
  • Automate the slow, repetitive and tedious process
  • Head to the fridge and grab some food while the script runs :p
Disclaimer: I honestly don't like doing repetitive tasks the same way, over and over again. I'd rather automate it if I can. Yup! I get bored that quickly :-(

Googling

It was now time to attend a session at Google university. After a couple of minutes of googling, I found a couple of Linux enumeration scripts and blog posts but nothing much on Android. It's worthwhile to mention that I found a few really neat Linux enumeration scripts, namely LinEnum, linuxprivchecker and unix-privesc-check.

At this point I decided to try out the Linux tools I found, just to see how they work and get some insight. These scripts pulled quite a ton of useful info from the Linux machine I was testing them on. I also found g0tmi1k's excellent blog post on Basic Linux Privilege Escalation, which has some really good pointers on what to look out for when you intend to enumerate a Linux machine.

The light bulb moment

This is when I got the light bulb moment of porting such a script to Android, given that Linux and Android share a few similarities. I figured I could try to make something that I could easily use to sort out my problems, because I couldn't find any tool for Android specifically that could perform the tasks at hand.

So I decided to develop a tool to perform the device enumeration automatically, provided I have plugged the device into the computer via the Android Debug Bridge (adb). If you are unfamiliar with adb and what it is or does, you can read up on it over here.

Before even working on the tool, I had to review the Android internals on each of the devices I had access to, which were running Android 4.2, 4.3, 4.4, 5.x, 6.x and 7.x, and then validate whether the info I wanted could actually be extracted. From there, I could try to identify any issues I could potentially run into.

Some more challenges :( 

There are a couple of things that came up as I started going through the devices, mostly to do with the structure of the Android internals. I basically had to:
  • Run adb commands on multiple devices and compare the output
  • Map the platform hardening measures across the various Android versions
  • Compare the amount of info I can extract per Android version
  • Validate the approach I am using to collect data per platform. The regular app and app library directories differ between Android 4.2 - 4.4 and 5.x.
The main challenge being that Android versions 4.x to 7.x have subtle differences in where certain apps are located and what access is provided to their libraries.

This meant that the tool had to automatically figure out the Android version running on the device and enumerate accordingly. Not to mention that it has to focus on the data it can actually pull, as opposed to trying to extract everything from the device.

Getting down and dirty!!!

Now, having a lot of great insight on what needed to be done and what challenges I was working with, I got right into it, and after lots and lots of trial and error I finally managed to pull the device info, file system paths, files and binaries from each device, just the way I wanted and in the order I needed.

As I was pulling data from the device, I found out that shell output from Android 5.x and above came back with DOS/Windows newlines (CRLF). This was a huge problem for me because I was working from Kali Linux and I needed the shell output with Unix newlines (\n) so that my bash script could manipulate it accordingly. After quite a bit of googling, it took a few workarounds using both tr and sed to clean up the shell output.

It took a few days to get the script up and running as expected. All the hustle was finally a success. I present to you Twiga, an Android device enumeration tool. It currently supports Android 4.2 to Android 7.1.1. I have uploaded a video here, if you would like to check out Twiga in action.
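The two problems described above, the CRLF line endings on 5.x+ shell output and picking enumeration paths by platform version, as an added example written for this post (not Twiga's own code). The getprop output is a constructed sample, and the directory choices per API level are my assumptions, not values taken from the tool.

```shell
#!/bin/sh
# Constructed sample of `adb shell getprop` output from a 5.x+ device:
# every line ends in CRLF, so the stray \r survives command substitution.
SAMPLE_GETPROP=$(printf '[ro.build.version.release]: [6.0.1]\r\n[ro.build.version.sdk]: [23]\r\n')

# Drop carriage returns so the text behaves like normal Unix output.
# Equivalent alternative with sed: sed 's/\r$//'
strip_cr() {
    tr -d '\r'
}

# Extract one property from getprop output, which is shaped "[key]: [value]".
# Without strip_cr the trailing \r sits before the final ']' and the
# anchored pattern never matches, which is exactly the CRLF bug.
prop_value_naive() {
    sed -n "s/^\[$1\]: \[\(.*\)\]$/\1/p"
}

prop_value() {
    strip_cr | prop_value_naive "$1"
}

# Choose directories to enumerate by API level (assumed layout: 4.x kept
# extracted native libs under /data/app-lib, 5.0+ keeps them per app).
app_paths_for_sdk() {
    sdk="$1"
    if [ -z "$sdk" ]; then
        echo "could not determine SDK level" >&2
        return 1
    fi
    if [ "$sdk" -lt 21 ]; then
        echo "/data/app /system/app /data/app-lib"
    else
        echo "/data/app /system/app /system/priv-app"
    fi
}

# Given captured getprop output, decide which paths to enumerate.
plan_from_getprop() {
    sdk=$(printf '%s\n' "$1" | prop_value ro.build.version.sdk)
    app_paths_for_sdk "$sdk"
}

plan_from_getprop "$SAMPLE_GETPROP"
```

On a real device the sample would be replaced with `adb shell getprop`, and the same strip_cr filter should be applied to every other shell command whose output is parsed.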


There are a few more features that I still need to add to Twiga to make it more efficient and further improve its use case and value. These are:
  • Support for enumeration on a rooted device
  • Support for enumeration of multiple devices at a time
  • Generate a PDF report of the enumeration data

Conclusion

Working on this project really helped firm up my understanding of the Android internals right across the various versions from 4.x to 7.1.1. It gave me the opportunity to learn a lot about bash commands, not to mention figuring out how to convert DOS/Windows newlines (CRLF) to Unix newlines (\n) in Bash. Most importantly, I had both fun and frustrating moments while working on this project.

One very important lesson I learnt is that it's very important to clearly outline what you would like a tool to do beforehand and design a logical diagram before starting to code. Basically, just follow the Systems Development Life Cycle (SDLC). I ran into some scope creep and had to push some features to a future update, not to mention wasting some time simply because I hadn't really thought through some of the capabilities I wanted to develop and their limitations.

Anyway, I worked on this tool out of necessity to solve some of the problems I was facing, the best way I knew how. Maybe this tool could be useful to you and in your research, so I figured I might as well share it with the infosec community. Have fun enumerating Droids :-)

Credit

I would like to thank Chrispus, Ruby, Charles and Gav for their feedback on Twiga. The beta testing across the various device makes, models and Android versions really helped validate how well the tool works, alongside the necessary feedback that assisted in figuring out what to fix and improve on in future.
