# Dynamic Analysis

## Detect Android Device's Architecture

* From ADB Shell, run the following command to detect the architecture of the device:

```sh
getprop ro.product.cpu.abi
```

References:

* **ARM**: Architecture of CPU ARMv7 or armeabi
* **ARM64**: Architecture of CPU Aarch64, arm64 or arm64-v8a
* **x86**: Architecture of CPU x86 or x86abi

## Frida

* Download the latest (or custom) version of Frida Server and Gadget with [fridaDownloader](https://github.com/mateofumis/fridaDownloader).

```bash
# with pip install
pip3 install fridadownloader
# or with pipx install
pipx install fridadownloader
```

* I.e.: for Frida Server on x86 architecture in its latest version:

```bash
python3 fridaDownloader.py --target server --architecture x86
```

* Frida CodeShare: <https://codeshare.frida.re/>
* Frida Releases: <https://github.com/frida/frida/releases/>

## SSL Pinning Bypass

### Using Frida Server

1. Move `frida-server` into Android Device with **ADB** and give it proper permissions for execution:

```bash
adb push ~/Downloads/frida-server-16.6.6-android-x86 /data/local/tmp/frida-server
adb shell "su -c 'chmod 755 /data/local/tmp/frida-server'"
```

2. Now to get ready to use Frida Server, it's just required to run the binary `frida-server` as root:

```bash
adb shell "su -c '/data/local/tmp/frida-server &'"
```

3. Run Frida script to disable SSL Pinning, Root detection, and many other techniques with Frida:

```bash
# Example for SSL Pinning Bypass using Frida Codeshare (public community-shared scripts)
# "-U" for USB Android Device connection. 
# "-f" for the application package name
frida --codeshare akabe1/frida-universal-pinning-bypasser -f com.google.android.youtube -U
```

### Using Frida Gadget in `/lib/` folder

1. Decompile the APK with **apktool**:

```bash
apktool d -rs base -o base-rs
```

2. Download and copy frida Gadget files in `/lib/` *(libraries)* folders:

* [https://github.com/frida/frida/releases](https://github.com/frida/frida/release)
* [fridaDownloader](https://github.com/mateofumis/fridaDownloader)

```bash
cp frida-gadget-16.4.10-android-arm.so base-rs/lib/armeabi-v7a/libfrida-gadget.so
```

3. Compile again the **APK** with **Frida Gadget injected**:

```bash
apktool b base-rs -o base_fridaPatched.apk
```

4. Sign the APK/APKs with Objection or [Uber Apk Signer](https://github.com/patrickfav/uber-apk-signer)

* Uber Apk Signer:

```bash
java -jar ./uber-apk-signer-1.3.0.jar -a base_fridaPatched.apk
```

* Objection:

```bash
objection signapk base_fridaPatched.apk
```

5. Finally, Install the APK with adb shell:

```bash
adb install base_fridaPatched-aligned-debugSigned.apk
# or as well
adb install-multiple base.objection.apk split_config.arm64_v8a.objection.apk
```

### Using Objection and `frida-gadget`

* Generic command:

```bash
objection patchapk -s base.apk
```

* Useful command when standard command not works:

```bash
objection patchapk -s base.apk --use-aapt2 --skip-resources --ignore-nativelibs
```

* Install the APK with **ADB**:

```bash
adb install base.objection.apk
```

## Root Detection Bypass

### Using Frida Scripts

1. Detect current apps in execution with:

```bash
frida-ps -U
```

2. Run Frida with scripts to bypass Root Detection:

```bash
# Example for Root Bypass using Frida Codeshare (public community-shared scrips)
# "-U" for USB Android Device connection. 
# "-f" for the application package name
frida --codeshare dzonerzy/fridantiroot -f com.google.android.youtube -U
```

### Using Objection

1. Detect current apps in execution with:

```bash
frida-ps -U
```

2. Now run the follows with objection:

```bash
objection -g {app-name-of-'frida-ps -U'} explore
```

* Disable SSL Pinning and Root detection

```bash
$: objection: android sslpinning disable 
$: objection: android root disable
```

## All-in-one Docker container for Android Pentest (by hackermater)

[hackermater/mobile-pentesting-setup](https://hub.docker.com/r/hackermater/mobile-pentesting-setup)

### Mobile Android Pentesting Setup

#### Description

All-in-one setup in Ubuntu which provides the optimal setup/environment for android pentesting, including common tools such as Frida and Objection.

Running these tools in Docker has a lot of benefits, especially ensuring that there will be not error of dependencies using the tools as well python/pip packages.

Also supports ADB connection via USB and Wireless.

#### Features

* Included by default tools such as Frida and Objection using a Python environment.
* Customizable Ubuntu container.
* Latest version of every tool included by default in the image.

#### Installation

* Pull the latest version

```bash
docker pull hackermater/mobile-pentesting-setup:latest
```

#### Examples

* Run the container assigning the name of `spotify-bug-bounty`

```bash
docker run --name spotify-bug-bounty -it hackermater/mobile-pentesting-setup:latest
```

* Copy the folder with APKs inside the container

```bash
docker cp ~/Bug-Bounty/Spotify/APKs spotify-bug-bounty:/root
```

* Using ADB with USB Debugging

```bash
docker run --name spotify-bug-bounty-usb --device /dev/usb/<YOUR-DEVICE-NAME> --net host -it hackermater/mobile-pentesting-setup:latest
```

```bash
(mobile-setup-ubuntu) ➜  ~ adb devices
List of devices attached
R58W1234567	device
```

**NOTE**: Ensure first that in your local machine is active adb-server and it works correctly with your devices plugged.

## Intercept HTTP/HTTPS traffic with Burp Suite

> SSL Pinning must to be bypass in order to intercept traffic on apps. This last step for Intercept HTTPS traffic is intendend to be the final part for Dynamic Analysis once SSL Pinning (and Root Detection if it is required) was successfully bypass.

1. Export certificate in `.cer` (or `.der` if doesn't work) format from Burp Suite.
2. Move certificate to Android Device Storage:

```bash
adb push cacert.cer /storage/self/primary/Documents
```

3. From `Settings > Privacy and Security > More security settings > Install CA Certificate from device storage` (depends on each device): Install `cacert.cer` certificate as authority certificate. (This allows Android ecosystem to recognize Burp Suite as legitim Proxy).
4. From Wi-FI Settings on the Android Device go to your current Wi-Fi AP connected and set Manual Proxy to your local machine IP Address in the port 8081 or any one you want.
5. From Burp Suite go to `Proxy > Proxy Settings > Proxy Listeners > Add > Specific Address (like 192.168.100.30) > Port 8081`
6. All done! If **SSL Pinning** was bypassed and the Android Device is configured to **proxy all traffic** to our **Burp Suite** listener proxy, we will be able to **intercept and manipulate** the application's **requests and responses** and interact in detail.

***

[![Ko-Fi](https://storage.ko-fi.com/cdn/brandasset/kofi_button_stroke.png)](https://ko-fi.com/hackermater)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://hackermater.gitbook.io/pentesting-notes/mobile-pentesting/dynamic-analysis.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.