Supercharging Mobile Application Penetration Testing with Android Containers

Ali Jujara
7 min read · Oct 14, 2023


Have you ever used browser containers in a penetration test? If not, I'd like to shed some light on them. Containers (Firefox's Multi-Account Containers, for example) create separate sandboxes within the same browser, which comes in handy during a pentest when you need two accounts logged in at the same time, mostly for authorization test cases. Cookies and other site storage are partitioned per container, so the same browser can hold several sessions without them interfering with each other. This is fairly easy for a web application pentest, but things get more complicated when you need the same thing while testing a mobile application.

What if I told you that something similar is possible with mobile applications, so that you can be logged in with two separate accounts on the same Android device at the same time? This speeds up a penetration test whenever you need two accounts with different privileges logged in side by side. This article walks through my entire experience of taking this idea from concept to execution.

What is Island?

Island is an application that creates a sandboxed environment inside an Android device. It uses Android's managed profile feature (the mechanism behind "Android for Work" work profiles) to create an isolated sandbox for the applications installed in it.

With it you create a dedicated work profile on the device; applications can then be cloned into that profile with Island and run in parallel alongside the original application. After installing the app you will see a separate tab called "Work", which represents the isolated space Island created. Once setup completes there are two user spaces on the Android device:

Mainland — Contains all the applications already present on the Android device.

Island — A dedicated environment, provided by the application, in which apps are installed inside a sandbox. You choose which applications get installed into this isolated space.

Prerequisite: Shizuku must be installed and running on your device. This article does not cover installing Shizuku; please refer to its documentation or online tutorials for that.

The picture below shows a visual representation of the segregation of user space provided by the Island Application.

For the sake of this article I will use the words "Island", "Work Profile", and "Isolated Space" interchangeably; they mean the same thing here. To sum up: Island is an Android application we can use to create an "Isolated Space" or "Work Profile" within our Android device. Now let's proceed with configuring the application.

Setting up the Island:

1. Once you have successfully installed the application, you will see a screen like the one below. Tap the "Accept" button to proceed.

2. Once you tap "Accept & Continue", the application creates a work profile on your device.

3. This takes a little time and configures the separate isolated space, the "Island", on the device.

4. From here you can start cloning or installing applications into the new isolated space. Let's clone an existing application into the Island: select the application you want to clone and tap the icon in the bottom right corner, as shown below.

5. You can clone it via any of the shown options (Shizuku or Play Store).

6. Once the process completes, the cloned application appears in the Island.

Now that we have created the isolated space, let's open the certificate store on the device. You will see the certificates split into two tabs, one for the System store and one for the User store. On this device the PortSwigger (Burp Suite) CA is already installed in the User store. Switch to the work profile, however, and there are no user certificates at all: the work profile is a separate Android user with its own user certificate store, so CAs installed in the Mainland do not carry over to it.

Installing a user-supplied certificate into the work profile is not as straightforward, so we will clone the certificate already present in the Mainland profile via ADB. Before we dive into that, let's look at where Android stores user-installed certificates. The image above shows the user's directory before we created the Island.

The cacerts-added/ directory holds the user-installed CA certificates, each stored as a file named after the OpenSSL subject hash of the certificate with a .0 suffix (9a5ba575.0 for the PortSwigger CA).

Navigate to /data/misc/user/0/cacerts-added/ and you will see the installed certificate files. We will copy this file into the new user's directory.

The image below shows a new directory under /data/misc/user/. Here the `12` folder belongs to the isolated space (work profiles get a user ID of 10 or higher; `adb shell pm list users` shows which ID was assigned on your device), and we will copy our CA certificate into it.

Installing User Certificates into the Work Profile:

1. Open a shell on the device via adb (adb shell), switch to root (su), and change to the directory that holds the Mainland's user certificates:

cd /data/misc/user/0/cacerts-added

2. Create the same folder under the work profile's user directory (user 12 in this instance):

mkdir /data/misc/user/12/cacerts-added

3. Copy the certificate from user 0's directory to user 12's directory with cp.

Note — You need elevated privileges for this, so make sure you run these commands as root (su). If that does not work for some reason, you can also do it with any file explorer that has root access.

cp /data/misc/user/0/cacerts-added/<hash>.0 /data/misc/user/<user_id>/cacerts-added/

Keep the original file name, and make sure the new directory and file are readable by apps in the profile: compare ownership and mode with ls -l against the user 0 copy, which is owned by system and world-readable.

4. Open the certificate store again and check whether the certificate now shows up under the work profile.

Note — If you do not see the certificate under the work profile, go back to Step 1 of the certificate installation and repeat it, double-checking the user ID, the file name and the file permissions, then restart the app under test.
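The copy step above as a small Python helper, added here as an example; it is not part of the original article or of Island's tooling. It derives the file name Android expects for a user-installed CA from the certificate itself (OpenSSL's old-style subject hash plus ".0"), so you can confirm which file under /data/misc/user/0/cacerts-added is the PortSwigger CA before copying it, and it prints the root shell commands that stage that file into the work profile with ownership and permissions an app in that profile can read. It goes slightly beyond the article in accepting PEM as well as DER input. The user ID 12 and the ownership/mode values (system:system, 0755 for the directory, 0644 for the file, mirroring the user 0 copy) are assumptions to check against your device with ls -laZ; the sample certificate embedded in the script is a constructed, unsigned skeleton used only to exercise the parser.

```python
#!/usr/bin/env python3
"""Stage a user-installed CA (e.g. the Burp CA) into an Android work profile.

Added example for this article, not the author's or Island's tooling.
Assumptions (check with `ls -laZ` on your device): the work profile's user ID,
and that cacerts-added/ is owned by system:system with mode 0755 (dir) and
0644 (file) so that apps in the profile can read the certificate.
"""
import base64
import hashlib
import sys


def _tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def extract_subject_der(cert_der: bytes) -> bytes:
    """Return the DER-encoded subject Name (full TLV) of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
    serialNumber, signature, issuer, validity, subject, ... }, ... }
    """
    tag, pos, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    tag, pos, _ = _read_tlv(cert_der, pos)      # step into tbsCertificate
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                              # EXPLICIT [0] version is present
        pos = end
    for _ in range(4):                           # serialNumber, signature, issuer, validity
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)       # subject
    if tag != 0x30:
        raise ValueError("malformed subject")
    return cert_der[pos:end]


def subject_hash_old(subject_der: bytes) -> str:
    """OpenSSL X509_NAME_hash_old: first 4 bytes of MD5(subject DER), little-endian."""
    return "%08x" % int.from_bytes(hashlib.md5(subject_der).digest()[:4], "little")


def android_cert_filename(cert_der: bytes) -> str:
    """File name Android uses under /data/misc/user/<id>/cacerts-added/."""
    return subject_hash_old(extract_subject_der(cert_der)) + ".0"


def load_cert_der(data: bytes) -> bytes:
    """Accept PEM or DER input (http://burp/cert serves the Burp CA as DER)."""
    if b"-----BEGIN" in data:
        body = b"".join(ln for ln in data.splitlines() if not ln.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def install_commands(user_id: int, cert_name: str, src_user: int = 0) -> list:
    """Root shell commands that copy the CA file from src_user into user_id."""
    src = f"/data/misc/user/{src_user}/cacerts-added/{cert_name}"
    dst_dir = f"/data/misc/user/{user_id}/cacerts-added"
    return [
        f"mkdir -p {dst_dir}",
        f"cp {src} {dst_dir}/{cert_name}",
        f"chown -R system:system {dst_dir}",  # assumed: same owner as user 0's copy
        f"chmod 0755 {dst_dir}",              # apps run as other UIDs and must traverse it
        f"chmod 0644 {dst_dir}/{cert_name}",  # ... and read the file
        f"restorecon -R {dst_dir}",           # re-apply the SELinux label of the parent
        f"ls -laZ {dst_dir}",                 # eyeball the result
    ]


# Constructed, unsigned certificate skeleton: correct TBS layout, dummy key/signature.
SAMPLE_SUBJECT_DER = _tlv(0x30, _tlv(0x31, _tlv(
    0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, b"Burp Suite CA"))))  # CN=Burp Suite CA
_TBS = (_tlv(0xA0, _tlv(0x02, b"\x02"))                                   # version v3
        + _tlv(0x02, b"\x01")                                              # serialNumber
        + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
        + SAMPLE_SUBJECT_DER                                               # issuer
        + _tlv(0x30, _tlv(0x17, b"230101000000Z") + _tlv(0x17, b"330101000000Z"))
        + SAMPLE_SUBJECT_DER                                               # subject
        + _tlv(0x30, b""))                                                 # SPKI stub
SAMPLE_CERT_DER = _tlv(0x30, _tlv(0x30, _TBS) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


def main(argv: list) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} <ca.der|ca.pem> <work-profile-user-id>")
        return 1
    with open(argv[1], "rb") as fh:
        name = android_cert_filename(load_cert_der(fh.read()))
    print(f"# expected file name in cacerts-added/: {name}")
    print("adb shell su -c '" + " && ".join(install_commands(int(argv[2]), name)) + "'")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 stage_ca.py cacert.der 12` (the script name is arbitrary) and paste the printed `adb shell su -c '...'` line into a terminal with the device attached; find the profile's user ID with `adb shell pm list users`. The generated command assumes a rooted device with `su`; on a userdebug build, run `adb root` and drop the `su -c` wrapper instead.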

Now that the certificate is installed in our work profile, let's try it with a sample application that has been cloned into the profile. You can use any application you like; for this example we will use Chrome. The scenario in scope here is an application that does not implement certificate (SSL) pinning and trusts certificates from the User store.

At this point, the voice in your head may ask:

• What if the application I want to test only accepts certificates from the System store?
• What if SSL pinning is implemented?

To that, I promise a blog post devoted solely to the subject! For now, let's ask the inner voice to simmer down and join us on this whimsical journey through the simple scenario ahead.

Intercepting Traffic for Both Profiles

1. Launch the application from the Mainland and visit any URL.

2. We are able to intercept the request, since Chrome trusts the User certificate store.

3. To intercept the requests sent by the application installed in the work profile, launch the application from the Work tab and start sending requests.

4. If everything is configured properly, you should be able to intercept the requests from that application too.

This nifty trick can come to the rescue in those pentests where you need not one but two distinct accounts logged in on a single mobile device. I hope it proves useful in your next mobile application pentest.

Before we part ways, a teaser for the next blog post: more Island adventures, where we will explore how to make this tool play nice with applications that implement SSL pinning, plus some scenarios where isolation is your secret weapon. Stay tuned!
