The process behind analyzing mobile applications, especially Android ones, is still in a maturing stage, requiring the penetration tester to run a series of long, laborious tasks, especially in a black-box test. In the absence of the application’s source code, learning the nuances of the application’s behavior at runtime is quite costly and requires knowledge of complex tools such as a debugger (e.g. JDB).
Inspeckage, an open source tool that aims to help the consultant understand what the application is doing at runtime, was developed to help mitigate such difficulties.
With simplicity in mind, Inspeckage was built with a friendly web interface and an embedded HTTP server that allow the consultant to interact with the application and observe its behavior. Through hooks, several library calls that could compromise the security of the app, such as cryptography, data storage, network and IPC calls, are intercepted, and sensitive information is collected. Such information is then displayed and updated almost in real time on the web interface.
Inspeckage also allows the consultant to interact with the app through calls to components (Activities and Providers), even the unexported ones! In the presentation, I will quickly address the concepts and methodologies adopted in a security analysis of Android applications, followed by a demonstration of how useful Inspeckage can be in such analysis and how to use it.