
International Journal of Applied Mathematics, Electronics and Computers
ISSN: 2147-8228 / 2147-6799   http://dergipark.gov.tr/ijamec   Original Research Paper

A Practical Approach to Android Mobile Application Security

Ahmet Caliskan 1, Sakir Tasdemir 2,*

Accepted: 18/11/2018   Published: 27/12/2018   DOI: 10.18100/ijamec.2018447400


Abstract: In parallel to the rapid developments in computer technology, the number of mobile applications developed for these devices also increases. Mobile applications make life easier, but they also bring some risks. These applications may contain weaknesses caused by mistakes made in the development or use phase. In this study, a sample security test was performed to raise awareness of mobile application security. This paper deals with phishing attacks on Android mobile users and with data storage security on Android devices. The sample mobile application was decompiled and malicious code was injected into it. After the code was injected into the sample banking application, the user interface was modified. In addition, when the application is opened, the user's credit card information is requested. After the user fills in the information, the credit card information is sent to a different phone number (the attacker's phone number) through an SMS. The mobile user is thus at risk of having sensitive information stolen. This study also shows that the data stored on the device can be accessed through Android Debug Bridge (ADB) shell commands. As a result, this paper shows that the application developer should be more careful during the development phase and the device user should be more careful during the use phase.

Keywords: Android, Spyware, Reverse Engineering, Vulnerability, Phishing, Security

1. Introduction

Depending on the advancement of technology, the use of smart devices such as phones and tablets is increasing rapidly. The digital marketing agency We Are Social provides detailed information about mobile device usage; its report states that more than five billion people in the world use mobile devices [1]. The usage rates of operating systems can be displayed interactively on the official website of Kantar Worldpanel [2]. As seen in these reports, the most used operating system is Android. Therefore, the Android mobile operating system was chosen for this study.

In the study "Android Applications and Security Breach" [3], some types of cyber attacks and mobile threats that attackers use to steal user information are described. In addition, the Remote Access Trojan known as Dendroid was analyzed.

In the study "Android Malware Detection & Protection: A Survey" [4], malware applications on Android are described.

The paper "An Enhanced Security Framework for Reliable Android Operating System" [5] mentions an increase in the number of malware applications installed on the Android operating system.

In the study "An Android-based Trojan Spyware to Study the NotificationListener Service Vulnerability" [6], a trojan application disguised as an SMS backup tool is developed to spy on the notifications of other applications.

The study "Mobil Kötücül Yazılımlar ve Güvenlik Çözümleri Üzerine Bir İnceleme" [7] surveys research on security solutions for mobile devices in order to present a comprehensive view.

The thesis "Android Security" [8] shows the security-relevant structures of Android's system and application architecture. In order to provide infrastructure-independent education, its exercises are based on Android Virtual Devices (AVDs).

The paper "Mobile Security Testing Approaches and Challenges" [9] presents four security testing approaches for mobile security.

The study "An effective behavior-based Android malware detection system" [10] proposes a behavior-based malware detection system.

The study "Keyboard or Keylogger?: a security analysis of third-party keyboards on Android" [11] shows that third-party keyboard applications can work as keyloggers.

In the study "Android Zararlı Yazılımlarını Tespit Etme, İmza Oluşturma ve Sınıflandırma" [12], a new malware detection infrastructure developed for the Android operating system, its signature algorithms, its correlation with other malware families and the evaluation of the proposed system are discussed.

In the studies "Mobil Yaşamda Siber Güvenlik Yaklaşımı" [13] and "Android Keylogging Threat" [14], mobile security risks and countermeasures are described.

In the study "Mobil Bankacılıkta Güvenlik Sorunlarının Analizi" [15], mobile application security methods are described and presented.

The studies "Android Kötücül Yazılım Tespit Sistemleri İncelemesi" [16], "An Android Malware Detection Method Based on AndroidManifest File" [17], "Permission-Based Android Malware Detection" [18] and "MAMA: Manifest Analysis for Malware Detection in Android" [19] show how important the AndroidManifest.xml file is for application security.

As seen in the literature, if there is not enough security on mobile devices, the personal information of users can be stolen, their privacy can be violated and their applications can be disabled.

In this study it is shown that malicious code can be injected into some applications using the sensitive information obtained by reviewing the AndroidManifest.xml file. Some mobile applications on a non-rooted device were reverse engineered. In addition, some applications were analyzed through ADB terminal commands, and it was shown that important information stored on the device can be accessed.

_______
1 Kuveyt Türk Participation Bank Research & Development Center, Kocaeli – 41420, TURKEY
2 Computer Engg., Selcuk University, Konya – 42002, TURKEY
* Corresponding Author: Email: [email protected]

International Journal of Applied Mathematics, Electronics and Computers IJAMEC, 2018, 6(4), 53–58 | 53
After injecting new code into the application in this study:
• Some UI changes were made (color changes, text changes etc.).
• A Toast message is displayed every time the application is opened.
• A dialog screen is displayed. After users fill in their credit card information and click the OK button, the credit card information is sent as an SMS to the attacker's phone.
As a result of these changes, there is no malfunction in the application.

Some risks arise as a result of carelessness during application development and use. In order to draw attention to these risks, this study was carried out entirely ethically. Also, in the figures in this study, any information that might identify an original application has been modified and censored. Very importantly, this study does not harm any application developer or company. The pentest (penetration test) was carried out entirely on the user's own device.

2. Materials and Method

A smartphone using the Android operating system was used in this paper.

Android is an open source operating system developed for mobile devices [20, 21]. Android is Linux based and developed by Google. Nowadays, Android has the largest share in mobile application stores because it is the most widely used mobile operating system.

The tools and system requirements used in the study are as follows:
• Android Studio
• JDK – SDK
• ADB
• Advanced APKTool
• dex2jar
• JD-GUI
• Genymotion
• Android (smart phone) device

3. Reverse Engineering

3.1. Code Injection

The Lenovo P2a42 (Android version 6.0.1) mobile device and Samsung Galaxy Tab A (Android version 5.1.1) were used for code injection. The operations performed on these devices can also be performed on the Genymotion virtual device. A sample mobile banking application on the device was reverse engineered. First, the application's APK (Android Package) name must be detected by using ADB shell commands. Then the APK file must be transferred to the computer.

A connection is established between the computer and the device. After the connection, the APK name of the application must be known; therefore, the list of all application packages on the connected device is displayed by using ADB commands. After the name of the application's APK file is found in the list, it is transferred to the computer. As shown in Figure 1, after the APK file has been decompiled, important files such as the AndroidManifest.xml file appear.

Fig. 1. After decompiling APK file.

The Android Smali Assembly Source Code (SMALI) files of the classes used in the application are located in the smali folder. The important files to be used for code injection are in this folder. The AndroidManifest.xml file was examined to detect the launcher Activity class of the application. As shown in Figure 2, the launcher Activity class was detected. In this way, a new Activity class with the same name is created and then embedded in the original application.

Fig. 2. AndroidManifest.xml file.

Another way to detect the launcher activity is to use the ADB logcat command. However, this method is difficult and laborious. After the activity class has been detected, a new project is created in Android Studio. The path of the new launcher Activity class in the new project must be the same as the path of the launcher Activity class in the original application. The malicious code that will run when the application is opened is written in this Activity class. In other words, a new Activity class is created in the new project with the same name as the launcher Activity class in the original application, and a new application is developed to inject code by using this method.

The new application's APK file is decompiled. After decompiling, the SMALI file of the new Activity class is copied to the location of the SMALI files of the original application. Recompilation is performed after making the necessary changes in the AndroidManifest.xml file of the original application. After recompiling, the application is installed on the device. Figure 3 shows the original screen of the application and the screen after code injection. In this study, the user interfaces of the application are censored.
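A defender-side counterpart to the manifest review described above, added here as an example (it is not the paper's code): it parses apktool-decoded AndroidManifest.xml files, locates the launcher Activity the same way the study does, and reports any permissions a recompiled build gained compared with the original, such as SEND_SMS. The manifests, package name and watch list of high-risk permissions are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree spells android:name this way

# Constructed sample: a minimal manifest of a banking app as apktool decodes it.
ORIGINAL_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank">
    <activity android:name="com.example.bank.LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="com.example.bank.AccountActivity"/>
  </application>
</manifest>
"""

# Constructed sample: the same manifest after a repackaging that added SEND_SMS.
REPACKAGED_MANIFEST = ORIGINAL_MANIFEST.replace(
    '<uses-permission android:name="android.permission.INTERNET"/>',
    '<uses-permission android:name="android.permission.INTERNET"/>\n'
    '  <uses-permission android:name="android.permission.SEND_SMS"/>',
)

# Permissions whose appearance in a build that never requested them is a red flag
# (assumed watch list; extend it to the data your own app handles).
HIGH_RISK = {
    "android.permission.SEND_SMS", "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO", "android.permission.SYSTEM_ALERT_WINDOW",
}


def permissions(manifest_xml: str) -> set:
    """All <uses-permission android:name="..."> entries of a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME) for el in root.iter("uses-permission")}


def launcher_activities(manifest_xml: str) -> list:
    """Activities with a MAIN + LAUNCHER intent filter: the class the study replaced."""
    root = ET.fromstring(manifest_xml)
    found = []
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            actions = {a.get(NAME) for a in flt.findall("action")}
            categories = {c.get(NAME) for c in flt.findall("category")}
            if "android.intent.action.MAIN" in actions and \
                    "android.intent.category.LAUNCHER" in categories:
                found.append(activity.get(NAME))
    return found


def manifest_diff(original_xml: str, candidate_xml: str) -> dict:
    """Report the candidate's launcher Activity and the permissions it gained."""
    added = permissions(candidate_xml) - permissions(original_xml)
    return {
        "launcher": launcher_activities(candidate_xml),
        "added_permissions": sorted(added),
        "high_risk_added": sorted(added & HIGH_RISK),
    }


if __name__ == "__main__":
    for key, value in manifest_diff(ORIGINAL_MANIFEST, REPACKAGED_MANIFEST).items():
        print(f"{key}: {value}")
```

Run against the manifest of a build you signed and the manifest decoded from an APK found on a device, a non-empty high_risk_added list is a quick sign that the package was repackaged.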

Fig. 3. Original screen and screen after code injection.

In this study, two different examples were made for mobile application security awareness. The injected code may vary depending on the intent and purpose of the attacker. For example, ADB logcat or the JD-GUI tool can be used to find other Activity classes. Important information on the device can be obtained by a Service that runs when the application is opened.

Also, a sample phishing attack was carried out in the same mobile application. The user interface of the mobile banking application is reused in the user interface of the newly developed application. In addition, a dialog screen appears asking for the user's credit card information. After completing the information, the user proceeds with the "OK" button. However, after the button is pressed, the information entered in the dialog screen is sent as an SMS to the number specified (the attacker's phone number) in the injected code.

For this code injection, it is necessary to access the hexadecimal (HEX) codes of the layout file within the SMALI files. The HEX code to be injected replaces the layout HEX code in the original SMALI file. The icon of the mobile application is used in the dialog screen shown to the user for the phishing attack. The AndroidManifest.xml file is also modified so that the application can send SMS.

Figure 4 shows the user interface of the original application and the user interface of the phishing attack application. As seen in the figure, the phishing attack was carried out with the same screen design.

Fig 4. Original application UI and Phishing application UI.

The interface of the phishing app is similar to the interface of the original application. The user will think that this UI belongs to the original application, so the mobile user is at risk of having sensitive information stolen. In the previous example, it was shown that the user interface can be modified by code injection. In the second example, malware is embedded in the original application to obtain the user's information.

Figure 5 shows the layout HEX codes in the SMALI file. The code shown in the marked field is replaced by the layout HEX code in the SMALI files of the Activity classes.

Fig. 5. HEX codes in SMALI file.

After the user's card information is entered, it is sent to the phone number embedded in the malware code. Figure 6 shows the dialog screen and a screenshot of the attacker's phone. As shown in these figures, the entered card information was sent to another device through an SMS. The user is switched to the user interface of the original application after pressing the "OK" button. No errors were encountered in the application; it continues to run successfully. There is no attack against the developer or application owner. All these operations take place on the device and affect only the owner of the device.

Fig. 6. User's credit card information and attacker's phone.

3.2. Data Storage Security in Android Mobile Application

This section shows that some application data stored on the device can be accessed. The purpose of this section is to show that application developers should be careful when storing data on the mobile device. In particular, important information such as passwords, IDs, etc. should be stored only after it is encrypted. First, a test was performed on the application in the Genymotion virtual device. The connection was established after the Internet Protocol (IP) address of the virtual device was detected by using the ADB shell command.

The /data/data/<appname> directory is accessed by using ADB commands. This directory contains SQLite database tables and a SharedPreferences storage file. There is a database in the databases directory under /data/data/<appname>. In Figure 7, the database name was detected by using ADB commands. The database contents are then accessed using sqlite3 commands.

Fig. 7. Database in Genymotion.

After learning the database names, the database table names are learned by using sqlite3 commands. After the table names are detected, a table can be examined with a Structured Query Language (SQL) "select" query. As shown in Figure 8, the data in the application database is stored unencrypted. Thus, sensitive data can be accessed.

Fig. 8. Sensitive data in database.

Extensible Markup Language (XML) files are available in the shared_prefs directory located in the application directory. If the application stores data by using SharedPreferences, it can be accessed. Figure 9 shows data stored by using SharedPreferences. The <map> tags contain application data stored using the "key-value" principle.

Fig. 9. Sensitive data in SharedPreferences.xml file.

Figure 10 and Figure 11 show that the data of a social media application installed on the virtual device can be accessed. Information such as the user's e-mail address and the user's name was accessed.

Fig. 10. Social media application data (Table and Column name) in database.

Fig. 11. Social media application data (e-mail) in database.

In this social media application, data stored by using SharedPreferences can also be accessed. Information such as username and ID was accessed. There are many records in this XML file. The file in which the user's name is stored is shown in Figure 12.
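A practitioner's counterpart to the ADB and sqlite3 inspection in this section, added here as an example and not the paper's code: given a local copy of an app's /data/data/<appname> directory (as pulled in the study), it walks the shared_prefs <map> XML files and every table of the SQLite databases and flags values that should not be stored in clear. The app directory, its keys and rows, and the sensitivity heuristics are constructed assumptions.

```python
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumed heuristics: key/column names that should never hold a plaintext value,
# and value shapes (e-mail address, card number) that are sensitive on their own.
SENSITIVE_KEY = re.compile(r"pass|pwd|pin|token|secret|card|cvv|email|user", re.I)
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
CARD_NUMBER = re.compile(r"^\d{13,19}$")

def looks_sensitive(key: str, value: str) -> bool:
    """True when the key name or the value itself suggests a secret stored in clear."""
    return bool(SENSITIVE_KEY.search(key) or EMAIL.match(value) or CARD_NUMBER.match(value))

def audit_shared_prefs(xml_path: Path) -> list:
    """Scan one SharedPreferences file: <map><string name="k">v</string>...</map>."""
    findings = []
    for el in ET.parse(xml_path).getroot():
        key = el.get("name", "")
        # <string> keeps its value as text; <int>, <boolean>, <long> use a value= attribute.
        value = (el.text or el.get("value") or "").strip()
        if looks_sensitive(key, value):
            findings.append((f"{xml_path.name}:{key}", value))
    return findings

def audit_sqlite(db_path: Path) -> list:
    """Scan every text cell of every table, as a sqlite3 'select' would reveal it."""
    findings = []
    con = sqlite3.connect(db_path)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            columns = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for row in con.execute(f'SELECT * FROM "{table}"'):
                for column, cell in zip(columns, row):
                    if isinstance(cell, str) and looks_sensitive(column, cell):
                        findings.append((f"{db_path.name}:{table}.{column}", cell))
    finally:
        con.close()
    return findings

def audit_app_dir(app_dir: Path) -> list:
    """app_dir mirrors /data/data/<appname> as pulled from the device."""
    findings = []
    for xml_file in sorted((app_dir / "shared_prefs").glob("*.xml")):
        findings += audit_shared_prefs(xml_file)
    for db_file in sorted((app_dir / "databases").glob("*.db")):
        findings += audit_sqlite(db_file)
    return findings

def build_sample_app_dir(root: Path) -> Path:
    """Constructed app data directory imitating the social media app in the study."""
    app = root / "com.example.social"
    (app / "shared_prefs").mkdir(parents=True)
    (app / "databases").mkdir()
    (app / "shared_prefs" / "session.xml").write_text(
        '<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
        '  <string name="username">alice</string>\n'
        '  <int name="user_id" value="4242" />\n'
        '  <string name="theme">dark</string>\n</map>\n')
    con = sqlite3.connect(app / "databases" / "app.db")
    con.execute("CREATE TABLE account (id INTEGER, email TEXT, password TEXT)")
    con.execute("INSERT INTO account VALUES (1, 'alice@example.com', 'hunter2')")
    con.commit()
    con.close()
    return app

def run_sample() -> list:
    """Build the constructed directory in a temp folder, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_app_dir(build_sample_app_dir(Path(tmp)))
```

Each finding names the file, table and key where a plaintext sensitive value sits, which is exactly the list a developer would need to move into encrypted storage before release.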

Fig. 12. Social media application data (ID, user name etc.) in SharedPreference.xml file.

4. Conclusion and Recommendations

This work was carried out for mobile application security awareness in the Android mobile operating system. In this study, the Android operating system was chosen because it has the largest share in the mobile application store.

As seen in the literature, studies are carried out for the detection of malware applications. The number of malware applications is increasing every day. There are many academic studies aimed at detecting malware applications, and there are also academic studies in which new approaches are presented. In the academic studies where malware is detected by a static analysis approach, the AndroidManifest.xml file is examined in detail. In addition to these approaches, malware detection has been realized by classification algorithms. Also in the literature, malware applications developed to demonstrate security risks have been tested on devices. Android malware applications can violate user privacy by using Android Service classes in order to obtain a great deal of important data on the device. A Service is the class that performs background operations in Android applications. It does not provide a UI, and a Service may not have any interaction with the user. In this way, an attacker can steal the user's important information without any interaction. For this reason, it is useful for users to periodically check the applications on the device and the services running in the background.

Another way to ensure security is to perform scans on the device with known, reliable antivirus programs.

In the application development phase, the application developer should consider that the APK can be decompiled by attackers.

In this study, a security test was performed on the sample mobile applications to show the risks that application developers and users may face. In addition, this study was carried out ethically. The security testing steps in this study may vary depending on the developer's knowledge and purpose. This study was carried out to show the basic concepts of reverse engineering and mobile security. In addition, this study was carried out to guide application developers and researchers who will work ethically in this regard.

At the end of this study, it is described how attackers can access the data stored on the device. It is also shown that the data stored using the SQLite database and SharedPreferences can be accessed. The developer must consider such risks when storing data on the device during the application development phase. For example, sensitive data can be encrypted.

The sample mobile application on the non-rooted device was reverse engineered. In this study, malicious code was embedded in the application. Two different examples were shown after embedding the code. In the first example, there are some design changes: in this malware application, the UI color was changed and a Toast message was shown. In the second example, a phishing attack was performed against the user.

The device user should be careful about Android permissions. In the application development phase, application developers in particular should develop applications by considering the weaknesses that attackers can use. A vulnerability in the application may cause a great risk for personal safety.

As a result, the application developer should be more careful during the development phase and the device user should be more careful during the use phase. Users should not install applications that require unnecessary permissions on the device. Otherwise, user privacy may be violated.

References

[1] WeAreSocial. 2018 [cited 02.12.2018]. Available from: https://wearesocial.com/blog/2018/01/global-digital-report-2018.
[2] KantarWorldPanel. 2018 [cited 02.012.2018]. Available from: https://www.kantarworldpanel.com/global/smartphone-os-market-share/.
[3] Benítez-Mejía DGN, Sánchez-Pérez G, and Toscano-Medina LK. Android Applications and Security Breach. In: 2016 Third International Conference on Digital Information Processing, Data Mining and Wireless Communications (DIPDMWC). 2016.
[4] Arshad S, et al. Android Malware Detection & Protection: A Survey. International Journal of Advanced Computer Science and Applications, 2016. 7(2): p. 463-475.
[5] Park JH, et al. An Enhanced Security Framework for Reliable Android Operating System. Security Comm. Networks, 2016. 9: p. 528-234.
[6] Abualola H, et al. An Android-based Trojan Spyware to Study the NotificationListener Service Vulnerability. Procedia Computer Science, 2016. 83: p. 465-471.
[7] Utku A and Doğru İA. Mobil Kötücül Yazılımlar ve Güvenlik Çözümleri Üzerine Bir İnceleme. Gazi University Journal of Science, 2016. 4(2): p. 49-64.
[8] Heinl M. Android Security. Department of Media and Information Technology, Offenburg University of Applied Sciences, Germany, 2015. p. 92.
[9] Wang Y and Alshboul Y. Mobile Security Testing Approaches and Challenges. In: First Conference On Mobile And Secure Services. 2015: Gainesville, Florida/USA.
[10] Zou S, Zhang J, and Lin X. An effective behavior-based Android malware detection system. Security and Communication Networks, 2015. 8(12): p. 2079-2089.
[11] Cho J, Cho G, and Kim H. Keyboard or Keylogger?: a security analysis of third-party keyboards on Android. In: 13th Annual Conference on Privacy, Security and Trust (PST). 2015. İzmir.
[12] Acar ÖF. Android Zararlı Yazılımlarını Tespit Etme, İmza Oluşturma ve Sınıflandırma. In: 7. Uluslararası Bilgi Güvenliği ve Kriptoloji Konferansı. 2014. İstanbul/Türkiye.
[13] Gökçe KG, Şahinaslan E, and Dincel S. Mobil Yaşamda Siber Güvenlik Yaklaşımı. In: 7. Uluslararası Bilgi Güvenliği ve Kriptoloji Konferansı. 2014: İstanbul/Türkiye. p. 214-221.
[14] Mohsen F and Shehab M. Android Keylogging Threat. In: 9th International Conference on Collaborative Computing: Networking, Applications and Worksharing (Collaboratecom). 2013.
[15] Kazancı T. Mobil Bankacılıkta Güvenlik Sorunlarının Analizi. İstanbul Üniversitesi Fen Bilimleri Enstitüsü, 2013, İstanbul Üniversitesi: İstanbul/Türkiye. p. 111.
[16] Kiraz Ö and Doğru İA. Android Kötücül Yazılım Tespit Sistemleri İncelemesi. Düzce Üniversitesi Bilim ve Teknoloji Dergisi, 2017. 5(1): p. 281-298.
[17] Li X, et al. An Android Malware Detection Method Based on AndroidManifest File. In: Proceedings of CCIS2016. 2016. China.
[18] Aung Z and Zaw W. Permission-Based Android Malware Detection. International Journal of Scientific & Technology Research, 2013. 2(3): p. 228-234.
[19] Sanz B, et al. MAMA: Manifest Analysis for Malware Detection in Android. Cybernetics and Systems, 2013. 44(6-7): p. 469-488.
[20] Narman AE. Android Programlama. 2013, İstanbul: Kodlab Yayın Dağıtım Yazılım ve Eğitim Hizmetleri San. ve Tic. Ltd. Şti.
[21] Android. 2018 [cited 05.12.2018]. Available from: https://www.android.com/everyone/.

