
Android Supply Chain Validation Cheat Sheet
Several different tools and techniques are available for Android to enumerate software and configurations, allowing you to begin to validate the software on devices. This cheat sheet is based on the work performed on Android TV devices (we documented our steps in the post Android TV Devices: Pre-0wned Supply Chain Security Threats).
The information gathered with the commands below does not by itself validate the supply chain; it provides the data you need for manual validation. As there are many versions of Android and many device configurations, the commands may not work exactly as described here. How much of the data you can collect will depend heavily on whether or not you are able to "root" the Android device.
Adb (Android Debugger) Commands
$ adb connect 192.168.1.150
connected to 192.168.1.150:5555
$ adb devices -l
List of devices attached
192.168.1.150:5555 device product:walley model:MBOX device:walleye transport_id:1
$ adb shell
walleye:/ $
$ adb root
restarting adbd as root
$ adb shell
walleye:/ #
$ adb shell pm list packages -f
package:/system/app/TvdVideo/TvdVideo.apk=com.softwinner.TvdVideo
package:/system/priv-app/CtsShimPrivPrebuilt/CtsShimPrivPrebuilt.apk=com.android.cts.priv.ctsshim
package:/system/priv-app/GoogleExtServices/GoogleExtServices.apk=com.google.android.ext.services
package:/data/app/com.google.android.katniss-cge_xXeW17WhrGeW3nufDg==/base.apk=com.google.android.katniss
package:/system/priv-app/TelephonyProvider/TelephonyProvider.apk=com.android.providers.telephony
package:/system/priv-app/DynamicSystemInstallationService/DynamicSystemInstallationService.apk=com.android.dynsystem
package:/system/priv-app/CalendarProvider/CalendarProvider.apk=com.android.providers.calendar
$ adb shell pm list packages <FILTER-STR>
$ adb shell pm list packages -f <FILTER-STR> # See their associated file.
$ adb shell pm list packages -d <FILTER-STR> # Filter to only show disabled packages.
$ adb shell pm list packages -e <FILTER-STR> # Filter to only show enabled packages.
$ adb shell pm list packages -s <FILTER-STR> # Filter to only show system packages.
$ adb shell pm list packages -3 <FILTER-STR> # Filter to only show third party packages.
$ adb shell pm list packages -i <FILTER-STR> # See the installer for the packages.
$ adb shell pm list packages -u <FILTER-STR> # Also include uninstalled packages.
$ adb shell pm list packages --user <USER_ID> <FILTER-STR> # The user space to query.
Source: https://book.hacktricks.xyz/mobile-pentesting/android-app-pentesting/adb-commands
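The package listing is where most of the manual validation work starts, so here is an added Bash example (not from the original post or from Eclypsium's tooling) that parses the output of `adb shell pm list packages -f -i` and sorts each package by where its APK lives and who installed it. It flags the entries a reviewer should look at by hand: packages under /data with no recorded installer (installer=null, i.e. sideloaded or preloaded into user space at the factory) and packages installed by something other than the store you trust. The `TRUSTED_INSTALLER` default and the sample `pm` output are constructed; the package names and paths in the sample are placeholders.

```bash
#!/usr/bin/env bash
# Triage "pm list packages -f -i" output (added example; the sample below is constructed).
# Each input line looks like:
#   package:<apk path>=<package name>  installer=<installer package or null>
# Against a device:  adb shell pm list packages -f -i | triage_packages

# Installer considered trusted for user-space (/data) packages; adjust per fleet (assumption).
TRUSTED_INSTALLER="${TRUSTED_INSTALLER:-com.android.vending}"

triage_packages() {
  # Reads pm output on stdin; prints one tab-separated line per package:
  #   <verdict> <location> <installer> <package name> <apk path>
  local line rest path tail name installer loc verdict
  while IFS= read -r line; do
    case "$line" in package:*) ;; *) continue ;; esac   # skip warnings and blank lines
    rest=${line#package:}
    # Split on ".apk=" rather than the first "=": /data/app dirs contain base64 "==".
    if [ "${rest#*.apk=}" != "$rest" ]; then
      path=${rest%%.apk=*}.apk
      tail=${rest#*.apk=}          # "<name>  installer=<x>" (installer only with -i)
    else
      path=-; tail=$rest           # -f was not used; no path available
    fi
    name=${tail%% *}
    installer=${tail##*installer=}
    [ "$installer" = "$tail" ] && installer=unknown   # -i was not used
    case "$path" in
      /system/priv-app/*)                         loc=system-priv ;;
      /system/*)                                  loc=system ;;
      /vendor/*|/product/*|/odm/*|/system_ext/*)  loc=partner ;;
      /data/app/*)                                loc=data ;;
      -)                                          loc=unknown ;;
      *)                                          loc=other ;;
    esac
    verdict=ok
    if [ "$loc" = data ] && [ "$installer" = null ]; then
      verdict=REVIEW-no-installer   # sideloaded, or preloaded into /data at the factory
    elif [ "$loc" = data ] && [ "$installer" != "$TRUSTED_INSTALLER" ] && [ "$installer" != unknown ]; then
      verdict=REVIEW-installer      # installed by something other than the trusted store
    elif [ "$loc" = other ]; then
      verdict=REVIEW-location       # APK outside the usual partitions
    fi
    printf '%s\t%s\t%s\t%s\t%s\n' "$verdict" "$loc" "$installer" "$name" "$path"
  done
}

# Number of entries needing review; a one-line summary per device.
count_review() { triage_packages | grep -c '^REVIEW' || true; }

# Constructed sample of "pm list packages -f -i" output (placeholder names and paths).
SAMPLE_PM_OUTPUT='package:/system/priv-app/SetupWizard/SetupWizard.apk=com.example.setup  installer=null
package:/vendor/app/VendorSvc/VendorSvc.apk=com.example.vendorsvc  installer=null
package:/data/app/com.example.side-AbC123==/base.apk=com.example.side  installer=null
package:/data/app/com.example.store-XyZ789==/base.apk=com.example.store  installer=com.android.vending
package:/data/app/com.example.alt-Qq==/base.apk=com.example.alt  installer=com.example.otherstore'

printf '%s\n' "$SAMPLE_PM_OUTPUT" | triage_packages
```

Save the output per device and diff it against a known-good unit of the same model; a package that appears only on one unit, or whose APK path or installer differs, is the kind of thing the manual validation step should explain.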
Dumping the flash over the network:
$ adb forward tcp:5555 tcp:5555 # Forwards host port 5555 to the device. Pick a port adbd is not already listening on: it uses 5555 when adb-over-network is enabled, as in the connect step above.
$ adb shell
walleye:/ # nc -l -p 5555 -e dd if=/dev/block/mmcblk0 # Run on the device as root (adb root or su). nc must support -e (busybox does; toybox nc does not); mmcblk0 is the whole eMMC on this device.
In a new terminal, execute these commands:
$ mkdir ~/dump
$ cd ~/dump
$ nc 127.0.0.1 5555 | pv -i 0.5 > mydump.img
Mount Device Disk Images
View partition list
$ sudo parted mydump.img print
Map every partition in the image to its own device node (/dev/mapper/loop0p1, loop0p2, ...). A desktop file manager will list them so you can click a partition to mount it; otherwise mount them by hand, read-only:
$ sudo kpartx -a -v mydump.img
Delete device mappers, and make sure all mounted partitions have been unmounted:
$ sudo kpartx -d -v mydump.img
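A dump streamed over nc can be silently truncated or corrupted, so before trusting it you want to confirm that the image matches what is on the device. The added Bash example below (not from the original post) hashes each partition on the live device with the device's own `sha256sum`, hashes the kpartx-mapped partitions of the image, and compares the two lists. It assumes a rooted device whose partitions appear as /dev/block/mmcblk0pN (matching the image's pN numbering, since the image is a raw copy of mmcblk0), a toybox `sha256sum` on the device, and that `kpartx -a mydump.img` mapped the image as /dev/mapper/loop0pN; `IMAGE_LOOP` and the hash lists used in the test are constructed.

```bash
#!/usr/bin/env bash
# Verify a network flash dump against the live device (added example; not from the original post).
# Assumptions: rooted device, partitions at /dev/block/mmcblk0pN, sha256sum on the device, and the
# image mapped by kpartx as /dev/mapper/${IMAGE_LOOP}pN. Adjust IMAGE_LOOP to what kpartx -v printed.
IMAGE_LOOP="${IMAGE_LOOP:-loop0}"

# Hash every partition on the device; prints "<sha256>  pN" lines. Slow over adb, but exact.
hash_device_partitions() {
  adb shell 'for p in /dev/block/mmcblk0p*; do n=${p##*mmcblk0}; printf "%s  %s\n" "$(sha256sum "$p" | cut -d" " -f1)" "$n"; done' \
    | tr -d '\r'   # older adb versions emit CRLF
}

# Hash the kpartx-mapped partitions of the image; same "<sha256>  pN" format.
hash_image_partitions() {
  local dev base
  for dev in /dev/mapper/"$IMAGE_LOOP"p*; do
    [ -e "$dev" ] || continue                 # glob did not match: nothing mapped
    base=${dev##*/}                            # loop0p1
    printf '%s  %s\n' "$(sudo sha256sum "$dev" | cut -d' ' -f1)" "${base#"$IMAGE_LOOP"}"
  done
}

# Compare two hash lists ("<sha256>  <label>" per line) passed as strings.
# Prints MATCH / MISMATCH / MISSING-IN-IMAGE per device partition; returns 1 if anything is off.
compare_hash_lists() {
  local device="$1" image="$2" status=0 hash label other
  while read -r hash label; do
    [ -n "$label" ] || continue
    other=$(printf '%s\n' "$image" | awk -v l="$label" '$2==l {print $1; exit}')
    if [ -z "$other" ]; then
      echo "MISSING-IN-IMAGE $label"; status=1
    elif [ "$hash" = "$other" ]; then
      echo "MATCH $label"
    else
      echo "MISMATCH $label"; status=1
    fi
  done <<EOF
$device
EOF
  return $status
}

# End-to-end check; run after "kpartx -a -v mydump.img".
verify_dump() { compare_hash_lists "$(hash_device_partitions)" "$(hash_image_partitions)"; }
```

A mismatch on the last partition usually means the nc transfer was cut short (compare the image size to `parted print` on the device side); a mismatch on a mounted partition such as userdata can also be the device writing to it while the dump was running, which is why the dump is best taken with the device otherwise idle.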
Scan The Network For Android Debugging (adb) Ports
$ nmap -sV -p 5555 --open 192.168.1.0/24
Nmap scan report for 192.168.1.148
Host is up (0.12s latency).
PORT STATE SERVICE VERSION
5555/tcp open freeciv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5555-TCP:V=7.94%I=7%D=1/23%Time=65AFEA8D%P=x86_64-pc-linux-gnu%r(ad
SF:bConnect,2C,"AUTH\x01\0\0\0\0\0\0\0\x14\0\0\0\x9f\t\0\0\xbe\xaa\xab\xb7
SF:\x94\xde\x92\xbd\0\^\x14c\xc0UDkPB\xb9\xf7\x80\xe7\x12\x8a");
Get Device Properties
Get all properties:
$ adb shell getprop
Get the Android release number:
$ adb shell getprop ro.build.version.release
Get the build fingerprint from the vendor:
$ adb shell getprop ro.vendor.build.fingerprint
Get the device model:
$ adb shell getprop ro.product.model
Get the release name:
$ adb shell getprop ro.product.device
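The build fingerprint and a handful of other ro.* properties are the quickest way to spot a unit that is not running a retail-grade build. As an added Bash example (not from the original post), the function below reads `adb shell getprop` output and flags the conditions a reviewer cares about: a fingerprint whose tags contain test-keys (AOSP's public development signing keys), a userdebug or eng build type, ro.debuggable=1, ro.secure=0 (adbd starts as root), ro.adb.secure=0 (no adb key authentication) and a verified-boot state other than green. The property names are real Android properties; the getprop samples in the test are constructed and the build id in them is a placeholder.

```bash
#!/usr/bin/env bash
# Check build properties for supply-chain red flags (added example; not from the original post).
# Input: the output of `adb shell getprop`, one "[name]: [value]" per line.
# Against a device:  adb shell getprop | check_build_props

# getprop_value "<getprop output>" <property name>  -> prints the value, or nothing if absent.
getprop_value() {
  local esc
  esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')     # escape dots for the sed pattern
  printf '%s\n' "$1" | sed -n "s/^\[$esc\]: \[\(.*\)\]$/\1/p" | head -n 1
}

check_build_props() {
  local props fp type tags v n=0
  props=$(tr -d '\r')                               # read stdin once; strip CRLF from old adb
  fp=$(getprop_value "$props" ro.build.fingerprint)
  # Fingerprint layout: brand/product/device:release/id/incremental:type/tags
  if [ -z "$fp" ]; then
    echo "FLAG ro.build.fingerprint is missing"; n=$((n+1))
  else
    type=${fp##*:}; type=${type%%/*}
    tags=${fp##*/}
    case "$tags" in *test-keys*)
      echo "FLAG build is signed with test-keys (public AOSP dev keys): $fp"; n=$((n+1)) ;;
    esac
    case "$type" in userdebug|eng)
      echo "FLAG build type is $type, retail builds are 'user': $fp"; n=$((n+1)) ;;
    esac
  fi
  v=$(getprop_value "$props" ro.debuggable)
  if [ "$v" = 1 ]; then echo "FLAG ro.debuggable=1 (every app is debuggable)"; n=$((n+1)); fi
  v=$(getprop_value "$props" ro.secure)
  if [ "$v" = 0 ]; then echo "FLAG ro.secure=0 (adbd starts as root)"; n=$((n+1)); fi
  v=$(getprop_value "$props" ro.adb.secure)
  if [ "$v" = 0 ]; then echo "FLAG ro.adb.secure=0 (adb accepts any host without key auth)"; n=$((n+1)); fi
  v=$(getprop_value "$props" ro.boot.verifiedbootstate)
  if [ -n "$v" ] && [ "$v" != green ]; then
    echo "FLAG ro.boot.verifiedbootstate=$v (expected green)"; n=$((n+1))
  fi
  echo "FLAGS $n"
}
```

An empty verifiedbootstate is not flagged because devices without Android Verified Boot simply do not report it; treat that absence as its own finding when the device is recent enough that you would expect AVB.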
Get the running Apps:
$ adb shell ps -A | grep u0_ # -A is needed on Android 8 and later, where ps alone shows only the current shell's processes.
Service listing:
$ adb shell service list
List App permissions:
$ adb shell pm list permissions -g -f # All permissions known to the system, grouped, with full details.
Pull The Logs
$ adb logcat
$ adb logcat -d -f /sdcard/log.txt
$ adb pull /sdcard/log.txt
Tools and References
- Autopsy – The Android Analyzer module hasn’t been updated in a while, but it still supports parsing some items from Android devices. It also gives you access to the File System directory tree faster than any commercial tool out there. Most tools make you wait to see the file system during parsing – not Autopsy. Also, keyword searching and carvers are top-notch.
- Jadx – Android app decompiler
- Mobexler (Commercial) – “Mobexler is a customized virtual machine, designed to help in penetration testing of Android & iOS applications.”
- MobSF – Mobile App static analyzer
- Androidqf – Automates and simplifies most of the commands presented here in one utility (makes backups, downloads logs and applications, etc.)
- Apk sh – “apk.sh is a Bash script that makes reverse engineering Android apps easier, automating some repetitive tasks like pulling, decoding, rebuilding and patching an APK.”
- Missing signs: how several brands forgot to secure a key piece of Android
- Analyze installed Android applications for security risks in Termux
The post Android Supply Chain Validation Cheat Sheet appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise.
*** This is a Security Bloggers Network syndicated blog from Eclypsium | Supply Chain Security for the Modern Enterprise authored by Chris Garland. Read the original post at: https://eclypsium.com/blog/android-supply-chain-validation-cheat-sheet/