
Android Dynamic Analysis
Android Mobile Pentesting

Dynamic Analysis


It is about testing and evaluating a program while the software is running.

SSL pinning


A security technique that ensures the app's traffic isn't being intercepted (it prevents Man-in-the-Middle attacks).
Traffic is verified using a certificate.
Even if we can import a certificate into the phone, the app may not trust this certificate.

  • Proxies
    • Burp Suite (common)
    • Proxyman (used on macOS only)

Even when you configure the proxy and add the certificate, some apps may not work,
because the app won't be able to authenticate the server (which is Burp in this case).

There are many ways to bypass SSL pinning, for example with Frida or Objection.

Frida


In the smartphone there's a JVM (Java Virtual Machine) and all the app code is stored there.
Any class's code is loaded from the JVM when it's used.
Frida hooks into this JVM and manipulates the runtime data, so the code can be changed dynamically from there.

Frida consists of the FRIDA SERVER on the smartphone and the FRIDA CLIENT on our laptop.
We can communicate with these instances using JavaScript or Python.

The Frida server hooks into the JVM using JS, and can then modify the code in memory; we get access to the app's classes, methods, etc.

Installation of FRIDA


  • Frida client on our laptop
    • pip3 install frida-tools
  • Frida server on the mobile or emulator
    • install the server from here
    • decompress the frida-server file and move it to the emulator using adb push <path to frida server> /data/local/tmp
    • /data/local/tmp is the target path, and we chose it because it's where we can run executables
    • chmod +x the frida-server binary in the emulator (adb shell)
    • run the frida-server binary and now the server is running (needs root privileges)

Once you have the Frida server running, we can test the connection from the client using frida-ps, which lists the processes running on the smartphone and sends the output to the client.

hooking


It's the process of overriding a method, for example, and this is why Frida is so powerful.
First we will start with a basic example of hooking an activity and overriding the onResume() method to print something.

onResume() is the method called when we move the app to the background and return it to the foreground again.

We will use this script:

Java.perform(function() {                                  // run once the Java VM is ready
  const Activity = Java.use('android.app.Activity');       // get a wrapper for the class
  Activity.onResume.implementation = function () {         // replace the method body
    send('onResume() got called! Let\'s call the original implementation');
    this.onResume();                                       // call the original so the app keeps working
  };
});

We will break it down later, but up to now it manipulates the onResume() method by making it send a specific message.
So this message will be sent when we go to the background and start the app again in the foreground.
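As an added example (not from these notes), the same hooking pattern is generalised from onResume() into a reusable tracer that logs a hooked method's arguments and return value and then calls the original; the Frida section assumes the standard Java.use / .implementation API shown above, and the offline demo uses a constructed class name and a constructed stand-in for a Java instance.

```javascript
// Added example (not from the original notes): the onResume() hook generalised
// into a reusable tracer that logs arguments and return value of any hooked
// method, then calls the original. Names in the demo are constructed.

// Build a readable trace line; kept free of Frida APIs so it runs anywhere.
function traceLine(className, methodName, args, result) {
  const rendered = args.map(function (a) { return String(a); }).join(', ');
  return className + '.' + methodName + '(' + rendered + ') -> ' + String(result);
}

// Return the function to assign to `<Class>.<method>.implementation`. Inside it,
// `this` is the Java instance and this[methodName](...) runs the original body,
// exactly like this.onResume() in the basic script above.
function makeTracer(className, methodName, log) {
  return function () {
    const args = Array.prototype.slice.call(arguments);
    const result = this[methodName].apply(this, args); // keep the app working
    log(traceLine(className, methodName, args, result));
    return result;
  };
}

// Frida-only section: `Java` and `send` exist inside the Frida agent, not in Node.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    // Same hook as the basic script, now via the tracer.
    const Activity = Java.use('android.app.Activity');
    Activity.onResume.implementation = makeTracer('android.app.Activity', 'onResume', send);

    // A method with an argument: pick the String overload explicitly, because
    // loadUrl is overloaded and Frida needs to know which one to replace.
    const WebView = Java.use('android.webkit.WebView');
    WebView.loadUrl.overload('java.lang.String').implementation =
      makeTracer('android.webkit.WebView', 'loadUrl', send);
  });
}

// Offline demo with a constructed stand-in for a Java instance (no Frida needed).
function demo() {
  const lines = [];
  const tracer = makeTracer('com.example.Demo', 'double', function (l) { lines.push(l); });
  const fakeInstance = { double: function (x) { return x * 2; } };
  const value = tracer.call(fakeInstance, 21);   // original still runs, result is logged
  return { value: value, lines: lines };
}
```

On the laptop, load it into the target app with `frida -U -f <package> -l trace.js`; each traced call shows what the app did at runtime without altering its logic.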