What is GoatDroid?
OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners as well as more advanced users. The project currently includes two applications: FourGoats, a location-based social network, and Herd Financial, a mobile banking application. There are also several features that greatly simplify usage within a training environment or for absolute beginners who want a good introduction to working with the Android platform.
GoatDroid is composed of the following components:
– GUI application used to present information, interact with the SDK and control the web services
– Android applications containing horrifically vulnerable code
– Embedded Jetty web server
– Embedded Derby database
Download the application here:
Extract the contents:
The GoatDroid package contains two vulnerable apps:
We will be installing these two apps in the AVD. Also, goatdroid-0.9.jar will launch the server for these two apps to communicate with.
Let us launch goatdroid-0.9.jar:
You can specify the location of the virtual device and the SDK path so that the application can find the virtual device it is going to work with.
Menu bar -> Configure -> Edit Configuration
Select your virtual device path and SDK path:
Within the GoatDroid GUI, select an app and then press the “Start Web Service” button.
Check devices connected with adb:
Push the app of your choice either by using the GoatDroid GUI option or by using the following command: `./adb install path-to-app/package.apk`
Launch the application:
Press the menu button and select Destination Info:
Enter the IP address of the host where the web service is listening, which should be your computer’s IP address. This is not 127.0.0.1. The default port is 9888 for HTTPS.
Optionally, configure the IP address for a proxy. If you wish to use an intercepting proxy to test the web services, you will want to use this.
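The steps above (check `adb devices`, install the APK, point the app at the host's real IP on port 9888) are easy to get wrong in one detail: entering 127.0.0.1 as the destination, which inside the virtual device refers to the device itself, not to the computer running the GoatDroid web service. The script below is an added example, not part of GoatDroid or of this post; it parses the output of `adb devices`, rejects loopback destinations before the app is pushed, and then runs the install. It assumes `adb` is on the PATH, that the APK path, host IP and port are passed as arguments, and that 9888 is the port the web service was started on (the default named above).

```shell
#!/bin/sh
# Added example (not part of the GoatDroid project): sanity-check the lab
# setup before pushing an app to the virtual device, then install it with adb.
# Assumptions: adb is on PATH; usage is  ./setup_check.sh APK HOST_IP PORT
# where PORT is normally GoatDroid's default HTTPS port, 9888.

# Count emulators/devices that adb reports as ready (state "device").
# Reads `adb devices` output on stdin so it can be checked with captured text;
# "offline" and "unauthorized" entries are not counted.
adb_ready_count() {
    # skip the "List of devices attached" header; keep only lines whose
    # second column is exactly "device"
    awk 'NR > 1 && NF == 2 && $2 == "device" { n++ } END { print n + 0 }'
}

# Reject destination addresses the virtual device cannot use to reach the
# host: 127.0.0.1 / localhost inside the device is the device itself, not
# the computer. Returns 0 when IP looks like a usable dotted-quad host
# address and PORT is in range, 1 otherwise.
validate_destination() {
    ip="$1"; port="$2"
    case "$ip" in
        127.*|localhost|0.0.0.0|"") return 1 ;;
    esac
    # four dotted decimal octets, each 0-255
    echo "$ip" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }' \
        || return 1
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Build the install command for one APK (-r reinstalls if already present).
# Printed rather than executed so the command line itself can be inspected.
install_cmd() {
    printf 'adb install -r %s\n' "$1"
}

# Main: only runs when invoked with the three arguments described above.
if [ "$#" -eq 3 ] && [ -f "$1" ]; then
    ready=$(adb devices | adb_ready_count)
    [ "$ready" -ge 1 ] || { echo "no ready device/emulator found by adb" >&2; exit 1; }
    validate_destination "$2" "$3" \
        || { echo "destination $2:$3 is not usable from the virtual device" >&2; exit 1; }
    echo "running: $(install_cmd "$1")"
    adb install -r "$1"
    echo "now enter $2 and port $3 under Destination Info in the app"
fi
```

The validation deliberately rejects 127.0.0.1 and 0.0.0.0 rather than only checking syntax, because that is the mistake the Destination Info step most often produces; the device count check catches the other common failure, an emulator that `adb` lists as offline or unauthorized, before `adb install` fails with a less helpful message.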
In this post, I use Burp Suite.
Config Burp Suite Proxy:
First, we will configure Burp Suite to listen on external interfaces. In Proxy → Options → Proxy Listeners → Edit → Binding select “Specific address” or you can also select it to listen on “All interfaces.” This will allow the virtual device to connect to Burp Suite.
To connect to Burp Suite inside the virtual device, go to Settings → Wireless and networks → more → VPN → Mobile networks → Access Point Names → Select the default APN of the device and Edit Access point. Set the proxy and port as the IP of the main system and the port on which Burp is running. Refer to the screenshot below:
This will allow Burp Suite to intercept all the requests generated by this virtual device. As you can see in the screenshot below, when we launched the browser, the request generated to Google was intercepted by the Burp Suite proxy in the middle, which confirms that our settings are correct and are working fine.
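If the browser request does not show up in Burp, the usual cause is the listener binding from the first step: a listener still bound to 127.0.0.1 on the host is unreachable from the virtual device no matter what the APN proxy says. The following is an added check, not part of Burp Suite or of this post; it reads the host's `ss -ltn` listening-socket table and reports whether any listener on the Burp port is bound to something other than loopback. It assumes a Linux host with `ss` available and that Burp is on port 8080 (its default) unless another port is given as the first argument.

```shell
#!/bin/sh
# Added example (not part of Burp Suite or GoatDroid): confirm that the Burp
# proxy listener is bound to an address the virtual device can reach, i.e.
# not only 127.0.0.1. Assumptions: Linux host with `ss`; Burp on port 8080
# by default, override with  ./burp_bind_check.sh PORT

# Read `ss -ltn` output on stdin and print the local address of every
# listener on PORT, with the ":port" suffix removed. Typical rows:
#   LISTEN 0 50 127.0.0.1:8080 0.0.0.0:*
#   LISTEN 0 50 [::]:8080      [::]:*
listener_addrs() {
    port="$1"
    awk -v p="$port" 'NR > 1 {
        # column 4 is Local Address:Port; the port is the last ":"-part
        n = split($4, a, ":")
        if (a[n] == p) { sub(/:[0-9]+$/, "", $4); print $4 }
    }'
}

# Returns 0 when at least one listener on PORT is not loopback-only
# (anything other than 127.x.x.x or ::1), 1 otherwise. Reads stdin.
burp_reachable() {
    listener_addrs "$1" | grep -Eqv '^(127\.|\[::1\])'
}

# Main: query the live socket table when run directly.
if [ -t 0 ]; then
    port="${1:-8080}"
    if ss -ltn | burp_reachable "$port"; then
        echo "port $port has a listener reachable from other hosts"
    else
        echo "port $port is loopback-only or not listening; fix Proxy > Options > Proxy Listeners > Binding" >&2
        exit 1
    fi
fi
```

Binding to "All interfaces" (0.0.0.0 or [::]) exposes the proxy to everything on the network, so on a shared LAN the "Specific address" option from the step above, with the address the virtual device actually uses, is the tighter choice; this check accepts either.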
Now, log into the application with the default credentials. In most GoatDroid apps, you may be able to register for new accounts as well.
Here I introduced the GoatDroid Lab to you. Please practice with the rest of the lab. Leave a comment if you have any difficulty during the practice.