Professional Documents
Culture Documents
MASPTv2.5 NotesList
MASPTv2.5 NotesList
NotesList LAB
LAB Topics
Dynamic Code Analysis
You are allowed to use all the tools in your toolkit to extract critical application information.
In addition, you are allowed to perform both static and dynamic code analysis activities.
Remember, any dynamic code analysis activities should be performed through ADB
commands only.
LAB OBJECTIVES
The objective of this lab is to highlight the importance of dynamic code analysis while
performing a mobile application penetration test. You can learn a lot through performing
dynamic code analysis, ranging from direct access to restricted application areas and
sensitive application data, to the ability the remotely execute system commands on a device.
In addition, a lot of critical information can be extracted through dynamic code analysis that
can be used to perform more elaborate attacks against the application.
LEARNING OBJECTIVES
The learning objective of this lab is to provide hands-on experience in performing dynamic
code analysis. Specifically, in this lab. you will get accustomed to performing dynamic source
code analysis using ADB commands and the Activity Manager.
RECOMMENDED CONFIGURATION
Setting up your testing environment for this lab
1. Windows 10 Machine:
Running:
2. Preferred device
TASKS
TASK 1. INSTALL THE SUPPLIED APK
Install the supplied APK in your device using any method you want.
apktool d NotesList.apk
From the manifest file above, you know that the activity named NotesList has the action
MAIN (the default intent that will be called if you tap the icon in the launcher). This is what
you would like to run via an ADB command, as a first example of interacting with the
application through ADB.
When analyzing the application’s manifest file in depth you will also come across the
following.
Before you interact with this activity, first try to understand what data you need to send to
it.
Note that the <data> element specifies the mimeType and the URI to use with the intent
filter. Also, note that the type is ‘vnd.android.cursor.item’ instead of dir.
For the second example of interacting with the application through ADB, try to start an
activity to edit a specific note using only ADB. Please note that you must already have a
note stored.
The –d option specifies the DATA_URI to send. Its structure is depicted below.