Application security

Improving Mobile Security with Santoku

Hari Krishnan
September 12, 2012 by
Hari Krishnan

Mobile security has been gaining popularity in recent times. Many mobile-based attacks are being discovered as the mobile industry grows more complex and new technology is implemented. Recently the pattern unlock mechanism, designed by Google, has been cracked by hackers without even rooting the phone. Malicious users can access the phone using the ADB push method, thus bypassing the pattern unlock mechanism which appeared to be one of the secured mechanisms. Similarly, if you look into android-based malware, most of the android-based applications are packed with malicious payloads. According to the researchers, more than 35% of Android malware enclose platform-level exploits to escalate privileges.

The below image shows the stats of mobile-based malware according to McAfee.

So in this article, we will learn about an operating system named Santoku Community Edition, which is a pre-configured, bootable Linux environment. It's an .iso image which contains a variety of packages, drivers, and applications. Santoku is a free linux distribution mainly for mobile forensics, mobile malware analysis and assessment of mobile security.

Santoku comes with a number of open source tools which can make our job in mobile forensics, malware analysis, and security testing easy. The tools are categorized in the following lists.

Development Tools:

  • Android SDK Manager
  • AXMLPrinter2
  • Fastboot
  • Heimdall
  • SBF Flash

Device Forensics:

  • AFLogical Open Source Edition
  • Android Brute Force Encryption
  • lib-iMobile
  • Sleuth Kit

Wireless Analyzers:

  • DNS Chef
  • DNS Sniff
  • TCP Dump
  • Wireshark
  • Wireshark (As Root)

Penetration Testing:

  • Burp Suite
  • EttercapNmap
  • SSL Strip
  • ZAP
  • Zenmap (As Root)

Reverse Engineering:

  • Androguard
  • APK Tool
  • Baksmali
  • Dex2Jar
  • JD-GUI
  • Mercury
  • Smali

You can download the iso image from the following link:

The installation is similar to other VMware images we use. Once it has been installed, you will see the screen as shown below. You will find all the tools under the option Santoku. Let's see how to use one of the tools in this operating system. In devices that run Android 3.0 or newer, the standard Linux dm-crypt encryption is used. These devices make use of the same password to unlock/login to the device and for encrypting and decrypting data. It uses brute-force attack to achieve this.

Brute-force attack is theoretically a strategy than can break any data encryption method. When any other possible weakness in an encryption algorithm cannot be exploited, a brute-force attack may be put to use.

ViaExtract has the capability to bypass Pattern/PIN lock and decrypt Android data. It also offers guided data extraction and flexible reporting.

The initial release of viaExtract supports the Samsung Galaxy Nexus and Galaxy Nexus S and the device must have an unlocked bootloader running Android 4.0 or higher. It is not recommended to use viaExtract on a locked bootloader as a successful attempt may wipe the device.

You can download viaExtract from

Follow the below mentioned steps to crack Android encryption using brute-force attack:

1. Put the device into fastboot mode. Switch off the device, hold the volume down button and press and hold the power button to get the fastboot mode. In some devices, instead of holding the volume down button, pressing both the volume up and down buttons and then pressing and holding the power button only works.

2. Pass the device to the VM by selecting Device -> USB Devices -> "Fastboot Device".

3. Open a case; select 'New' -> 'Encryption Brute Force'

4. Now, with the device in fastboot mode, select "Automatically download footer and header from device". Click "Forward".

5. After the above window shows 'Complete', click "Forward". If successful, the pin will be displayed as follows:

In order to complete this manually and upload your own header and footer files, the following commands can be made use of:

For Nexus S:


adb shell dd if=/dev/block/mmcblk0p2 of=tmp_header bs=512 count=1

adb pull tmp_header


adb shell mount -t yaffs2 /dev/block/mtdblock6 /root

adb pull /root/userdata_footer tmp_footer


For Nexus:


adb shell dd if=/dev/block/mmcblk0p12 of=tmp_header bs=512 count=1

adb pull tmp_header


adb shell dd if=/dev/block/mmcblk0p13 of=tmp_footer

adb pull tmp_footer


After issuing these commands, return to the VM, select "Encryption Brute Force" and select "Decrypt from header and footer file". Select the location where the header and footer files are stored. Click "Forward" and follow the prompts to decrypt the passcode. Depending on the length and complexity of the passcode, it may take from a few minutes to a few hours to decrypt it. The completion level of the attack can be seen from the progress indicator. Now in the article, we have seen how to crack the android pattern-based lock. In future, we will discuss more about other tools and how to use them in detail.

11 courses, 8+ hours of training

11 courses, 8+ hours of training

Learn cybersecurity from Ted Harrington, the #1 best-selling author of "Hackable: How to Do Application Security Right."

11 courses, 8+ hours of training

11 courses, 8+ hours of training

Learn cybersecurity from Ted Harrington, the #1 best-selling author of "Hackable: How to Do Application Security Right."

Hari Krishnan
Hari Krishnan

Hari Krishnan works as a security and bug researcher for a private firm, as well as InfoSec Institute. His interests largely encompass web application security issues. Hari is also an organizer for Defcon Chennai (