An Introduction to the Xposed Framework for Android Penetration Testing

by Sumit Bhattacharya on July 30, 2018

When it comes to the Pen Testing of Android-based applications, the main focus and attention of the Pen Tester is to live in the mindset of the Cyber attacker literally. The Pen Tester must then carry out an attack to see how the software code can be manipulated, what the weak spots of the app are, if there are any backdoors in which private and confidential can be hijacked, or even if there this an unseen “hole” in the app to see if a Trojan Horse can be installed and launch a Botnet style attack.

A Pen Tester can conduct both static and dynamic analyses. With the former, one can try to reverse engineer the app with a tool called “smali,” and with the former, Android Hooking and runtime analyses can be conducted.

This is where the “XPOSED” framework comes into play and is further discussed in this article.

The Android Runtime

The overall Android Runtime architecture is illustrated in the diagram below:

Sponsorships Available

As one can see, when the Android device is first activated, it goes through a number of key iterations, summarized as follows:

The Boot Loader:

This launches the Android OS kernel and initiates the first process known as the “Init”
The Init Process:

This activates the various components which run behind the Android OS.
The Zygote Process:

Once the Init step has been executed, the Zygote Process is then launched, which is at the heart of the Android OS runtime functionality and invokes the required classes.
The Dalvik VM:

The Dalvik VM is the next process to be executed and is responsible for running the mobile apps on the Android device.
The BOOT_COMPLETED:

This is a broadcast-based message simply stating that the entire bootup process has been completed from within the Android device after it was first (Read more...)