Dynamic Analysis
A guide to Mobile Penetration Testing (Dynamic Analysis) including SSL Pinning Bypass, Frida and Objection.
Detect Android Device's Architecture
From ADB Shell, run the following command to detect the architecture of the device:
getprop ro.product.cpu.abi
References (the ABI string reported by getprop and the matching Frida release build):
armeabi or armeabi-v7a: 32-bit ARM, use the android-arm build
arm64-v8a: 64-bit ARM (AArch64), use the android-arm64 build
x86 or x86_64: Intel/AMD (usually emulators), use the android-x86 or android-x86_64 build
Frida
Download the latest (or custom) version of Frida Server and Gadget with fridaDownloader.
# with pip install
pip3 install fridadownloader
# or with pipx install
pipx install fridadownloader
E.g., the latest Frida Server for the x86 architecture:
python3 fridaDownloader.py --target server --architecture x86
Frida CodeShare: https://codeshare.frida.re/
Frida Releases: https://github.com/frida/frida/releases/
SSL Pinning Bypass
Using Frida Server
Move frida-server into the Android device with ADB and make it executable (755 is enough: only the execute bit matters, and 777 would leave the binary world-writable, so any other user on the device could replace it):
adb push ~/Downloads/frida-server-16.6.6-android-x86 /data/local/tmp/frida-server
adb shell "su -c 'chmod 755 /data/local/tmp/frida-server'"
Now, to get Frida Server ready to use, run the frida-server binary as root (the redirections detach it from the adb session, which otherwise can hang waiting on its output); then confirm the client reaches it with frida-ps -U from the host:
adb shell "su -c '/data/local/tmp/frida-server >/dev/null 2>&1 &'"
Run a Frida script to disable SSL pinning, root detection and other protections (with -f Frida spawns the app; on Frida 16 and later the spawned app resumes automatically, older versions need --no-pause):
# Example for SSL Pinning Bypass using Frida Codeshare (public community-shared scripts)
# "-U" for USB Android Device connection.
# "-f" for the application package name
frida --codeshare akabe1/frida-universal-pinning-bypasser -f com.google.android.youtube -U
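The architecture detection and the push/start steps above, combined into one script. This is an added example, not code from the original guide or from the Frida project; it generalizes the mapping to all four Android ABIs. It assumes the frida-server build was downloaded to ~/Downloads under its release file name, that FRIDA_VERSION (16.6.6 by default here) matches the installed frida client, and that adb and frida-ps are on PATH.

```shell
#!/bin/sh
# Added example (not from the original guide): map the ABI reported by
# `getprop ro.product.cpu.abi` to the frida-server build name, push the
# binary, start it as root and check that the frida client can talk to it.
# FRIDA_VERSION and DOWNLOAD_DIR are hypothetical defaults; override via env.

FRIDA_VERSION="${FRIDA_VERSION:-16.6.6}"
DOWNLOAD_DIR="${DOWNLOAD_DIR:-$HOME/Downloads}"
REMOTE_PATH="/data/local/tmp/frida-server"

# Android ABI string -> architecture suffix used in Frida release file names.
# Unknown ABIs return non-zero so callers never push a binary for the wrong CPU.
frida_arch_for_abi() {
    case "$1" in
        armeabi|armeabi-v7a) echo "arm" ;;
        arm64-v8a)           echo "arm64" ;;
        x86)                 echo "x86" ;;
        x86_64)              echo "x86_64" ;;
        *) echo "unsupported ABI: $1" >&2; return 1 ;;
    esac
}

# Release file name for a given ABI, e.g. frida-server-16.6.6-android-arm64
frida_server_name() {
    arch=$(frida_arch_for_abi "$1") || return 1
    echo "frida-server-${FRIDA_VERSION}-android-${arch}"
}

# Push and start frida-server on the attached (rooted) device, then verify.
push_and_start_frida_server() {
    abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')
    name=$(frida_server_name "$abi") || return 1
    [ -f "$DOWNLOAD_DIR/$name" ] || { echo "missing $DOWNLOAD_DIR/$name" >&2; return 1; }
    adb push "$DOWNLOAD_DIR/$name" "$REMOTE_PATH"
    # 755: execute bit only; 777 would make the server binary world-writable.
    adb shell "su -c 'chmod 755 $REMOTE_PATH'"
    # Redirect output so the background process does not keep adb shell open.
    adb shell "su -c '$REMOTE_PATH >/dev/null 2>&1 &'"
    sleep 2
    # frida-ps fails if no server answers on the USB device.
    frida-ps -U >/dev/null
}

# Only touch the device when asked explicitly, so sourcing this file has no side effects.
if [ "${1:-}" = "run" ]; then
    push_and_start_frida_server
fi
```

Run it with `sh push-frida.sh run` (file name is yours to choose); the mapping functions can also be sourced and reused, for example to pick the right Gadget build later on.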
Using Frida Gadget in /lib/ folder
Decompile the APK with apktool (without -s: the smali is needed below to load the gadget):
apktool d -r base.apk -o base-rs
Download the Frida Gadget for the device architecture (its major version must match your frida client) and copy it into the matching /lib/ (libraries) folder as libfrida-gadget.so (armeabi-v7a for the android-arm build, arm64-v8a for android-arm64):
cp frida-gadget-16.4.10-android-arm.so base-rs/lib/armeabi-v7a/libfrida-gadget.so
The library is not loaded just because it sits in /lib/: the app has to call System.loadLibrary("frida-gadget"), so add that call (for example in a static constructor of the launch activity's smali) before rebuilding. Once the patched app starts, the gadget listens on 127.0.0.1:27042 and keeps the app paused until a client attaches (frida -U Gadget, or objection -g Gadget explore).
Compile again the APK with Frida Gadget injected:
apktool b base-rs -o base_fridaPatched.apk
Sign the APK/APKs with Objection or Uber Apk Signer
Uber Apk Signer:
java -jar ./uber-apk-signer-1.3.0.jar -a base_fridaPatched.apk
Objection:
objection signapk base_fridaPatched.apk
Finally, install the signed APK with adb:
adb install base_fridaPatched-aligned-debugSigned.apk
# or, for an app shipped as split APKs, install every split at once (all of them must be signed with the same key):
adb install-multiple base.objection.apk split_config.arm64_v8a.objection.apk
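The manual gadget procedure above as one script, including the step the copy alone does not cover: making the app load the library. This is an added example, not code from the original guide or from the Frida or objection projects (objection's patchapk does the same injection its own way). The gadget file name, the work directory, the ABI and the launch activity class are hypothetical placeholders; the launch activity is normally read from `aapt dump badging base.apk`.

```shell
#!/bin/sh
# Added example (not from the original guide): inject Frida Gadget by hand.
# Copying libfrida-gadget.so into lib/<abi>/ does nothing by itself; the app
# must call System.loadLibrary("frida-gadget"), so a static constructor is
# appended to the launch activity's smali (decode WITHOUT -s to get smali).
# All values below are hypothetical placeholders; override them via env.

GADGET="${GADGET:-frida-gadget-16.4.10-android-arm64.so}"   # build matching the device ABI
APK="${APK:-base.apk}"
WORK="${WORK:-base-rs}"
ABI="${ABI:-arm64-v8a}"                                     # lib/ folder name = ABI string
LAUNCH_CLASS="${LAUNCH_CLASS:-com.example.app.MainActivity}" # from: aapt dump badging base.apk

# Append a <clinit> that loads the gadget to a smali class file.
# Returns 1 and leaves the file untouched if the class already has a <clinit>:
# that case needs a hand merge, a blind append would produce a duplicate method.
inject_load_library() {
    smali="$1"
    if grep -q 'constructor <clinit>()V' "$smali"; then
        echo "$smali already has <clinit>; merge the loadLibrary call by hand" >&2
        return 1
    fi
    cat >> "$smali" <<'EOF'

.method static constructor <clinit>()V
    .locals 1

    const-string v0, "frida-gadget"

    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V

    return-void
.end method
EOF
}

# Smali file for a dotted class name. apktool spreads classes over smali/,
# smali_classes2/, ... so every smali* directory of the work tree is searched.
smali_path_for_class() {
    rel=$(echo "$2" | tr . /).smali
    find "$1" -maxdepth 1 -type d -name 'smali*' | while read -r d; do
        [ -f "$d/$rel" ] && echo "$d/$rel"
    done | head -n 1
}

# Gadget config (libfrida-gadget.config.so next to the library): listen on
# localhost:27042 and keep the app paused until a client attaches
# (frida -U Gadget, or objection -g Gadget explore). Use "resume" to not pause.
write_gadget_config() {
    cat > "$1" <<'EOF'
{
  "interaction": {
    "type": "listen",
    "address": "127.0.0.1",
    "port": 27042,
    "on_load": "wait"
  }
}
EOF
}

patch_apk() {
    apktool d -r "$APK" -o "$WORK"                 # -r: raw resources; no -s, keep smali
    mkdir -p "$WORK/lib/$ABI"
    cp "$GADGET" "$WORK/lib/$ABI/libfrida-gadget.so"
    write_gadget_config "$WORK/lib/$ABI/libfrida-gadget.config.so"
    target=$(smali_path_for_class "$WORK" "$LAUNCH_CLASS")
    [ -n "$target" ] || { echo "smali for $LAUNCH_CLASS not found under $WORK" >&2; return 1; }
    inject_load_library "$target"
    apktool b "$WORK" -o base_fridaPatched.apk
    objection signapk base_fridaPatched.apk        # or: java -jar uber-apk-signer.jar -a base_fridaPatched.apk
}

if [ "${1:-}" = "run" ]; then
    patch_apk
fi
```

If the app is distributed as split APKs, the gadget must go into the split that carries the native libraries for the device ABI, and every split has to be re-signed with the same key before adb install-multiple.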
Using Objection and frida-gadget
Generic command (objection decodes the APK, injects the gadget and the loadLibrary call, rebuilds and signs it as base.objection.apk):
objection patchapk -s base.apk
Useful when the standard command fails:
objection patchapk -s base.apk --use-aapt2 --skip-resources --ignore-nativelibs
Install the APK with ADB:
adb install base.objection.apk
Root Detection Bypass
Using Frida Scripts
List the processes running on the device (add -a to list installed applications with their package identifiers):
frida-ps -U
Run Frida with scripts to bypass Root Detection:
# Example for Root Bypass using Frida Codeshare (public community-shared scripts)
# "-U" for USB Android Device connection.
# "-f" for the application package name
frida --codeshare dzonerzy/fridantiroot -f com.google.android.youtube -U
Using Objection
Detect current apps in execution with:
frida-ps -U
Now run the following with objection, passing the package identifier (or process name) shown by frida-ps -U:
objection -g <package-identifier> explore
Disable SSL pinning and root detection from the objection prompt:
android sslpinning disable
android root disable
All-in-one Docker container for Android Pentest (by hackermater)
hackermater/mobile-pentesting-setup
Mobile Android Pentesting Setup
Description
All-in-one Ubuntu setup that provides an environment for Android pentesting, including common tools such as Frida and Objection.
Running these tools in Docker has a clear benefit: the dependencies of the tools (including the Python/pip packages) are isolated in the image, so version conflicts on the host do not break them.
ADB is supported over USB and wirelessly.
Features
Frida and Objection included by default, installed in a Python environment.
Customizable Ubuntu container.
Latest version of every tool included by default in the image.
Installation
Pull the latest version
docker pull hackermater/mobile-pentesting-setup:latest
Examples
Run the container, naming it spotify-bug-bounty:
docker run --name spotify-bug-bounty -it hackermater/mobile-pentesting-setup:latest
Copy the folder with APKs inside the container
docker cp ~/Bug-Bounty/Spotify/APKs spotify-bug-bounty:/root
Using ADB with USB Debugging
docker run --name spotify-bug-bounty-usb --device /dev/bus/usb/<BUS>/<DEVICE> --net host -it hackermater/mobile-pentesting-setup:latest
# <BUS>/<DEVICE> are the bus and device numbers shown by lsusb for the phone (e.g. /dev/bus/usb/001/004)
(mobile-setup-ubuntu) ➜ ~ adb devices
List of devices attached
R58W1234567 device
NOTE: with --net host the adb client inside the container talks to the adb server of the local machine, so make sure that server is running and already lists the plugged device (adb devices on the host) before starting the container.
Intercept HTTP/HTTPS traffic with Burp Suite
SSL pinning must be bypassed in order to intercept the app's traffic. This last step, intercepting HTTPS traffic, is intended as the final part of the dynamic analysis, once SSL pinning (and root detection, if required) has been bypassed successfully.
Export the CA certificate from Burp Suite (Proxy > Proxy settings, "Options" in older versions > Import / export CA certificate > Certificate in DER format) and save it as cacert.cer: Android's installer accepts the DER file under the .cer (or .crt) extension, so rename it rather than re-encode it. Move the certificate to the Android device storage:
adb push cacert.cer /storage/self/primary/Documents
From Settings > Privacy and Security > More security settings > Install CA Certificate from device storage (the path depends on the vendor and Android version), install cacert.cer as a CA certificate. This puts Burp's CA in the user trust store, so the device accepts the certificates Burp forges for each host. Caveat: since Android 7 (API 24) apps trust only the system store by default, so unless the app's network security config opts into user CAs, or the pinning-bypass script replaces the app's TrustManager, a user-installed CA is not enough; on a rooted device, install it into the system store instead.
Then, from the Wi-Fi settings of the Android device, open the currently connected AP and set a manual proxy to your local machine's IP address and the port of the Burp listener, 8081 here (or any port you prefer).
From Burp Suite go to
Proxy > Proxy Settings > Proxy Listeners > Add > Specific Address (like 192.168.100.30) > Port 8081
All done! If SSL Pinning was bypassed and the Android Device is configured to proxy all traffic to our Burp Suite listener proxy, we will be able to intercept and manipulate the application's requests and responses and interact in detail.
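The certificate and proxy steps above, done from adb on a rooted device, as an added example that is not code from the original guide or from Burp Suite. It installs Burp's CA into the system trust store (the store that apps targeting API 24 and later actually use) and sets the device-wide proxy with adb instead of the Wi-Fi settings screen. The proxy address and file names are hypothetical; openssl and adb are assumed on PATH.

```shell
#!/bin/sh
# Added example (not from the original guide): trust Burp's CA system-wide on
# a rooted device and point the device at the Burp listener from adb.
# Since Android 7 (API 24) apps only trust the system store by default, so a
# CA added through Settings (user store) is ignored by most apps.
# PROXY and the certificate file name are hypothetical placeholders.

PROXY="${PROXY:-192.168.100.30:8081}"        # Burp proxy listener, host IP:port
CACERTS="/system/etc/security/cacerts"       # system CA store up to Android 13

# Android names system CA files "<openssl old-style subject hash>.0".
# Accepts Burp's DER export or a PEM file and prints the file name, e.g. 9a5ba575.0
ca_filename_for_cert() {
    cert="$1"
    if grep -q 'BEGIN CERTIFICATE' "$cert"; then form=PEM; else form=DER; fi
    hash=$(openssl x509 -inform "$form" -in "$cert" -subject_hash_old -noout) || return 1
    echo "${hash}.0"
}

# Write the certificate as PEM under its hashed name (the form the store expects)
# into the current directory and print that name.
prepare_system_ca() {
    cert="$1"
    out=$(ca_filename_for_cert "$cert") || return 1
    if grep -q 'BEGIN CERTIFICATE' "$cert"; then
        cp "$cert" "$out"
    else
        openssl x509 -inform DER -in "$cert" -out "$out"
    fi
    echo "$out"
}

# Android 10+ keeps /system read-only, so instead of remounting, a tmpfs is
# mounted over the cacerts directory and refilled with the original store plus
# our CA. This does not survive a reboot. Android 14 moved the store to
# /apex/com.android.conscrypt/cacerts, where this path no longer applies.
install_system_ca() {
    f="$1"
    adb push "$f" "/data/local/tmp/$f"
    adb shell "su -c 'mkdir -p /data/local/tmp/cacerts && cp $CACERTS/* /data/local/tmp/cacerts/'"
    adb shell "su -c 'mount -t tmpfs tmpfs $CACERTS && cp /data/local/tmp/cacerts/* $CACERTS/'"
    adb shell "su -c 'cp /data/local/tmp/$f $CACERTS/ && chmod 644 $CACERTS/* && chcon u:object_r:system_file:s0 $CACERTS/*'"
}

# Device-wide HTTP proxy, the adb equivalent of the manual Wi-Fi proxy setting.
set_device_proxy()   { adb shell settings put global http_proxy "$1"; }
clear_device_proxy() { adb shell settings put global http_proxy :0; }

if [ "${1:-}" = "run" ]; then
    f=$(prepare_system_ca "${2:-cacert.der}")
    install_system_ca "$f"
    set_device_proxy "$PROXY"
fi
```

Run it as `sh burp-ca.sh run cacert.der` and remember `clear_device_proxy` when done, otherwise the device keeps sending all traffic to a listener that no longer exists. The Burp listener must be bound to the LAN address the device can reach, not to 127.0.0.1.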