Dynamic Analysis

A guide to Mobile Penetration Testing (Dynamic Analysis) including SSL Pinning Bypass, Frida and Objection.

Detect Android Device's Architecture

• From ADB Shell, run the following command to detect the architecture of the device:

getprop ro.product.cpu.abi

References:

• ARM: Architecture of CPU ARMv7 or armeabi

• ARM64: Architecture of CPU Aarch64, arm64 or arm64-v8a

• x86: Architecture of CPU x86 or x86abi

Frida

• Download the latest (or custom) version of Frida Server and Gadget with fridaDownloader.

# with pip install
pip3 install fridadownloader
# or with pipx install
pipx install fridadownloader

• I.e.: for Frida Server on x86 architecture in its latest version:

python3 fridaDownloader.py --target server --architecture x86

• Frida CodeShare: https://codeshare.frida.re/

• Frida Releases: https://github.com/frida/frida/releases/

SSL Pinning Bypass

Using Frida Server

1. Move frida-server into Android Device with ADB and give it proper permissions for execution:

adb push ~/Downloads/frida-server-16.6.6-android-x86 /data/local/tmp/frida-server
adb shell "su -c 'chmod 755 /data/local/tmp/frida-server'"

1. Now to get ready to use Frida Server, it's just required to run the binary frida-server as root:

adb shell "su -c '/data/local/tmp/frida-server &'"

1. Run Frida script to disable SSL Pinning, Root detection, and many other techniques with Frida:

# Example for SSL Pinning Bypass using Frida Codeshare (public community-shared scripts)
# "-U" for USB Android Device connection. 
# "-f" for the application package name
frida --codeshare akabe1/frida-universal-pinning-bypasser -f com.google.android.youtube -U

Using Frida Gadget in /lib/ folder

1. Decompile the APK with apktool:

apktool d -rs base -o base-rs

1. Download and copy frida Gadget files in /lib/ (libraries) folders:

• https://github.com/frida/frida/releases

• fridaDownloader

cp frida-gadget-16.4.10-android-arm.so base-rs/lib/armeabi-v7a/libfrida-gadget.so

1. Compile again the APK with Frida Gadget injected:

apktool b base-rs -o base_fridaPatched.apk

1. Sign the APK/APKs with Objection or Uber Apk Signer

• Uber Apk Signer:

java -jar ./uber-apk-signer-1.3.0.jar -a base_fridaPatched.apk

• Objection:

objection signapk base_fridaPatched.apk

1. Finally, Install the APK with adb shell:

adb install base_fridaPatched-aligned-debugSigned.apk
# or as well
adb install-multiple base.objection.apk split_config.arm64_v8a.objection.apk

Using Objection and frida-gadget

• Generic command:

objection patchapk -s base.apk

• Useful command when standard command not works:

objection patchapk -s base.apk --use-aapt2 --skip-resources --ignore-nativelibs

• Install the APK with ADB:

adb install base.objection.apk

Root Detection Bypass

Using Frida Scripts

1. Detect current apps in execution with:

frida-ps -U

1. Run Frida with scripts to bypass Root Detection:

# Example for Root Bypass using Frida Codeshare (public community-shared scrips)
# "-U" for USB Android Device connection. 
# "-f" for the application package name
frida --codeshare dzonerzy/fridantiroot -f com.google.android.youtube -U

Using Objection

1. Detect current apps in execution with:

frida-ps -U

1. Now run the follows with objection:

objection -g {app-name-of-'frida-ps -U'} explore

• Disable SSL Pinning and Root detection

$: objection: android sslpinning disable 
$: objection: android root disable

All-in-one Docker container for Android Pentest (by hackermater)

hackermater/mobile-pentesting-setup

Mobile Android Pentesting Setup

Description

All-in-one setup in Ubuntu which provides the optimal setup/environment for android pentesting, including common tools such as Frida and Objection.

Running these tools in Docker has a lot of benefits, especially ensuring that there will be not error of dependencies using the tools as well python/pip packages.

Also supports ADB connection via USB and Wireless.

Features

• Included by default tools such as Frida and Objection using a Python environment.

• Customizable Ubuntu container.

• Latest version of every tool included by default in the image.

Installation

• Pull the latest version

docker pull hackermater/mobile-pentesting-setup:latest

Examples

• Run the container assigning the name of spotify-bug-bounty

docker run --name spotify-bug-bounty -it hackermater/mobile-pentesting-setup:latest

• Copy the folder with APKs inside the container

docker cp ~/Bug-Bounty/Spotify/APKs spotify-bug-bounty:/root

• Using ADB with USB Debugging

docker run --name spotify-bug-bounty-usb --device /dev/usb/<YOUR-DEVICE-NAME> --net host -it hackermater/mobile-pentesting-setup:latest

(mobile-setup-ubuntu) ➜  ~ adb devices
List of devices attached
R58W1234567	device

NOTE: Ensure first that in your local machine is active adb-server and it works correctly with your devices plugged.

Intercept HTTP/HTTPS traffic with Burp Suite

SSL Pinning must to be bypass in order to intercept traffic on apps. This last step for Intercept HTTPS traffic is intendend to be the final part for Dynamic Analysis once SSL Pinning (and Root Detection if it is required) was successfully bypass.

1. Export certificate in .cer (or .der if doesn't work) format from Burp Suite.

2. Move certificate to Android Device Storage:

adb push cacert.cer /storage/self/primary/Documents

1. From Settings > Privacy and Security > More security settings > Install CA Certificate from device storage (depends on each device): Install cacert.cer certificate as authority certificate. (This allows Android ecosystem to recognize Burp Suite as legitim Proxy).

2. From Wi-FI Settings on the Android Device go to your current Wi-Fi AP connected and set Manual Proxy to your local machine IP Address in the port 8081 or any one you want.

3. From Burp Suite go to Proxy > Proxy Settings > Proxy Listeners > Add > Specific Address (like 192.168.100.30) > Port 8081

4. All done! If SSL Pinning was bypassed and the Android Device is configured to proxy all traffic to our Burp Suite listener proxy, we will be able to intercept and manipulate the application's requests and responses and interact in detail.

---