SlideShare a Scribd company logo

Pwning mobile apps without root or jailbreak

Abraham Aranguren
Abraham Aranguren

With the big delays in the time it takes until an iOS jailbreak is public and stable, it is often not possible to test mobile apps in the latest iOS version. Occasionally customers might also provide builds that only work in iOS versions for which no jailbreak is available. On Android the situation is better, but there can also be problems to root certain phone models. These trends make security testing of mobile apps difficult. This talk will cover approaches to defeat common security mechanisms that must be bypassed in the absence of root/jailbreak.

Technology
1 of 69
Download to read offline
Pwning Mobile Apps Without Root or Jailbreak > Abraham Aranguren > abraham@7asecurity.com > @7asecurity > @7a_ + 7asecurity.com CureCon 2018, Berlin
Agenda • Motivation • Repackaging & Instrumentation examples • Android • iOS • Q&A
• Director at 7ASecurity, check out our public reports, presentations, etc: 7asecurity.com/#publications • Author of Practical Web Defense, a hands-on attack & defense course: www.elearnsecurity.com/PWD • Founder and leader of OWASP OWTF, an OWASP flagship project: owtf.org • Some presentations: www.slideshare.net/abrahamaranguren/presentations • Some sec certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE: Security, MCSA: Security, Security+ • Some dev certs: ZCE PHP 5, ZCE PHP 4, Oracle PL/SQL Developer Certified Associate, MySQL 5 CMDev, MCTS SQL Server 2005 Who am I
Motivation ● iOS jailbreaks are not always available: ○ The app requires iOS version X, without a public jailbreak available ● iOS/Android jailbreak/root detection might take too long to bypass ○ Example: root/jailbreak detection via obfuscated binary ● Test an app on a device you don’t want to root/jailbreak ● Avoid ptrace/debugging app checks due to tampered environment
Repackaging: Android - Problem: App filesystem access Problem: ● When using the Android emulator/Genymotion you have a root shell ● BUT sometimes the app will only work on a real phone ● A non-rooted phone won’t give you a root shell ● A non-rooted phone won’t give you access to application files in /data/data/… ● The app often has backups disabled too Repackaging Solution: ● Modify the APK, enable backups
Repackaging: Android - Problem: Debugging Problem: ● Some apps enable debugging features, such as Webview debugging or other useful information in logcat, etc., when the app has debugging enabled Repackaging Solution: ● Modify the APK, enable debugging
Step 1: Disassemble APK - apktool d some_app.apk -o some_app_disassembled Step 2: Edit AndroidManifest.xml Change: <application android:allowBackup="false" To: <application android:allowBackup="true" android:debuggable="true" Step 3: Repackage APK - apktool b some_app_disassembled -o some_app_debug.apk Step 4: Sign - jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore some_app_debug.apk alias_name Step 5: Install - adb install some_app_debug.apk Example: Backups + Debugging
Example: Backups + Debugging Now we have access to app files via adb backup: Step 1: Backup app files adb backup some.app.com Step 2: Make the backup useful ( printf "x1fx8bx08x00x00x00x00x00" ; tail -c +25 backup.ab ) | tar xfvz - Step 3: Review files :)
Yay file access!
Repackaging: Android - Problem: Pinning ● Often a problem at the start of the test as you try to MitM :) ● We can modify the APK to skip certificate pinning checks
Repackaging: Android - Problem: Pinning Examp Step 1: Disassemble - apktool d some_app.apk -o some_app_disassembled Step 2: Find file to modify - grep -Ir checkServerTrusted * Step 3: Modify the file .method public final checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;) V [...] return-void # Pinning bypass Steps 4-6: Repackage, Sign & Install :)
Wait, is it that easy?
Repackaging: Android - Problem: Root detection ● Sometimes apps refuse to run when your phone is rooted ● Repackaging often allows us to bypass these checks and enjoy root powers :D
Android repackaging - Root detection bypass example 1 Step 1: Disassemble - apktool d some.apk -o some_disassembled Step 2: Remove check from app Java Code: if (isRooted()) [...] Related Smali Code: if-eqz v0, :cond_0 Change Smali Code to: if-nez v0, :cond_0 NOTE: The if-nez opcode inverts the condition, hence bypassing the check Steps 3-5: Repackage, Sign & Install :)
Android repackaging - Root detection bypass example 2 Step 1: Disassemble - apktool d some.apk -o some_disassembled Step 2: Remove check from app, return “False” from isRooted .method public isRooted()Z const/4 v0, 0x0 # False return v0 # Return false [...] Steps 3-5: Repackage, Sign & Install :)
So this is awesome, right?
Limitations of apktool-style Android repackaging ● Limited to changes in smali code: ○ We can only modify Java code disassembled as smali ○ If the app loads and runs code from a binary we cannot modify that (at least not as easily :D) ● Changes are static ○ If you notice later that you need further changes you need to: ■ Disassemble ■ Modify ■ Repackage, Sign and Install ■ … For each modification! :P
Further reading Must-use tool for Android repackaging: https://ibotpeaches.github.io/Apktool/ Cool smali opcode references: http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html https://source.android.com/devices/tech/dalvik/dalvik-bytecode
What is Frida? - https://www.frida.re/ ● Dynamic Instrumentation Toolkit ● Allows hooking and observing/modifying any app function: ○ Crypto APIs ○ Proprietary functions ○ Even functionality in binaries ● Lets you inject snippets of JavaScript into native apps that run on Windows, Mac, Linux, iOS and Android In short: Frida Gadgets allow root-like access on apps from not-rooted/jailbroken devices
How to add Frida to an APK so we can run it without root? Step 1: Disassemble - apktool d some_app.apk -o some_app_disassembled Step 2: Add the frida-gadget binaries to the APK - For the correct architecture! :) https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-androi d-x86.so.xz https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-androi d-x86_64.so.xz https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-androi d-arm.so.xz https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-androi d-arm64.so.xz
How do I know the architecture? ADB Command: adb shell getprop ro.product.cpu.abi Example Output (Genymotion): x86
Step 2: Adding the Frida-Gadget to the APK - (ARM 32bits) Download: wget https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-a ndroid-arm.so.xz Uncompress: unxz frida-gadget-12.0.8-android-arm.so.xz Copy: cp frida-gadget-12.0.8-android-arm.so some_disassembled/lib/armeabi/libfrida-gadget.so
Step 3: Make the APK load the Gadget Find main activity: find . | grep -i main | grep smali$ Add the following smali code to the constructor: const-string v0, "frida-gadget" invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V Corresponding Java Code: System.loadLibrary("frida-gadget")
Step 4: Ensure network permissions in AndroidManifest.xml We will talk to Frida over the network so the app needs to use the internet, most apps do but worth double checking: File: AndroidManifest.xml Make sure it has: <uses-permission android:name="android.permission.INTERNET" />
Repackage, Sign & Install Step 5: Repackage APK - apktool b some_app_disassembled -o some_app_debug.apk Step 6: Sign - jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore some_app_debug.apk alias_name Step 7: Install - adb install some_app_debug.apk
Basic Frida usage Logcat - Frida: Listening on TCP port 27042 The PID will show Gadget instead of the original package name: Command: $ frida-ps –U Output: PID Name ----- ------ 16071 Gadget
Basic Frida usage – Interactive Instrumentation Shell Command: frida -U Gadget --no-pause Output: Commands: /_/ |_| help -> Displays the help system . . . . object? -> Display information about 'object' . . . . exit/quit -> Exit [USB::Android Emulator 5556::['com.android.chrome']]-> Java.androidVersion "7.1.1"
Basic Frida usage – Public script example: Root Bypass https://github.com/0xdea/frida-scripts/blob/master/android-snippets/raptor_frida _android_bypass.js Usage (Frida Server): frida -U -f com.xxx.yyy -l raptor_frida_android.js --no-pause Usage (Frida Gadget): frida -U Gadget -l raptor_frida_android.js --no-pause
Basic Frida usage – Public script example: Root Bypass setTimeout(function() { // avoid java.lang.ClassNotFoundException Java.perform(function() {// Root detection bypass example var hook = Java.use("com.target.utils.RootCheck"); hook.isRooted.overload().implementation = function() { console.log("info: entered target method"); var retval = this.isRooted.overload().call(this); //old retval console.log("old ret value: " + retval); var retnew = false; // set new retval console.log("new ret value: " + retnew); return retnew; } }); }, 0);
Basic Frida usage – Crypto Hooks https://gitlab.com/roxanagogonea/frida-scripts/blob/master/cryptography/crypt ography.js setImmediate(function() { Java.perform(function() { var keyGenerator = Java.use("javax.crypto.KeyGenerator"); keyGenerator.generateKey.implementation = function () { console.log("[*] Generate symmetric key called. "); return this.generateKey(); }; }); });
Basic Frida usage – Crypto Hooks setImmediate(function() { Java.perform(function() { var keyGenerator = Java.use("javax.crypto.KeyGenerator"); keyGenerator.getInstance.overload('java.lang.String').implementation = function (var0) { console.log("[*] KeyGenerator.getInstance called with algorithm: " + var0 + "n"); return this.getInstance(var0); }; }); });
Basic Frida usage – Crypto Hooks setImmediate(function() { Java.perform(function() { var keyGenerator = Java.use("javax.crypto.KeyGenerator"); keyGenerator.getInstance.overload('java.lang.String', 'java.lang.String').implementation = function (var0, var1) { console.log("[*] KeyGenerator.getInstance called with algorithm: " + var0 + " and provider: " + var1 + "n"); return this.getInstance(var0, var1); }; }); });
Basic Frida usage – Shared Preferences setImmediate(function() { Java.perform(function() { var contextWrapper = Java.use("android.content.ContextWrapper"); var sharedPreferencesEditor = Java.use("android.app.SharedPreferencesImpl$EditorImpl"); sharedPreferencesEditor.putString.overload('java.lang.String', 'java.lang.String').implementation = function(var0, var1) { console.log("[*] Added a new String value to SharedPreferences with key: " + var0 + " and value " + var1 + "n"); var editor = this.putString(var0, var1); return editor; }});});
Basic Frida usage – SQLite query hooks setImmediate(function() { Java.perform(function() { var sqliteDatabase = Java.use("android.database.sqlite.SQLiteDatabase"); sqliteDatabase.execSQL.overload('java.lang.String').implementation = function(var0) { console.log("[*] SQLiteDatabase.exeqSQL called with query: " + var0 + "n"); var execSQLRes = this.execSQL(var0); return execSQLRes; };});}); https://gitlab.com/roxanagogonea/frida-scripts/blob/master/data-storage/sqlite-d atabase.js
Further reading & Frida script examples https://www.frida.re/docs/gadget/ https://koz.io/using-frida-on-android-without-root/ https://www.codemetrix.net/hacking-android-apps-with-frida-1/ https://github.com/iddoeldor/frida-snippets https://github.com/poxyran/misc https://gitlab.com/roxanagogonea/frida-scripts/blob/master/
Can this be automated? Here are some attempts: https://github.com/dpnishant/appmon/tree/master/apk_builder
BUT BUT BUT … What about iOS????
iOS Reversing 101 Usual approach overview: ● Decrypt IPA with Clutch - https://github.com/KJCracks/Clutch ● Generate Objective-C headers with class-dump - https://github.com/nygard/class-dump ● Disassemble with Hopper - https://www.hopperapp.com/index.html Explained by filedescriptor ☺ https://blog.innerht.ml/page/2/
iOS Repackaging Guides https://labs.mwrinfosecurity.com/blog/repacking-and-resigning-ios-applications/ https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/octo ber/ios-instrumentation-without-jailbreak/ https://github.com/sensepost/objection/wiki/Patching-iOS-Applications
iOS Repackaging - Step 1: Add Apple ID to XCode Add an Apple ID to Xcode: Xcode / Preferences / Accounts / Add Apple ID
iOS Repackaging - Step 2: Manage Certificates
iOS Repackaging - Step 2: Manage Certificates – iOS Dev
iOS Repackaging - Step 2: Manage Certificates – Done
iOS Repackaging - Step 2: Verify Code Signing Certificate Command: security find-identity -p codesigning -v Output: 1) xxx[…] "iPhone Developer: abraham+1@cure53.de ([…]XX)" 1 valid identities found
iOS Repackaging - Step 3: Create mobileprovision file
iOS Repackaging - Step 3: Create mobileprovision file
iOS Repackaging - Step 3: Create mobileprovision file
iOS Repackaging - Step 3: Create mobileprovision file
iOS Repackaging - Step 3: Create mobileprovision file
iOS Repackaging - Step 3: Create mobileprovision file Just login :D
iOS Repackaging - Step 3: Create mobileprovision file ● Plug your iPhone ● Select the iPhone as the target device on Xcode ● Hit the “Play” button ● Verify the mobileprovision file has been created: find ~/Library/Developer/Xcode/DerivedData/ -name embedded.mobileprovision
iOS Repackaging - Step 3: Create mobileprovision file Do we have to do all this nonsense every time?
iOS Repackaging - Step 3: Create mobileprovision file From here, each time we will “only” need to: ● Create a blank app ● Deploy it to an iDevice This will create a new, valid provisioning file
iOS Repackaging - Step 4: IPA Patching Dependencies ● objection – from: https://github.com/sensepost/objection/wiki/Installation ● applesign - from: https://github.com/nowsecure/node-applesign ● insert_dylib - from: https://github.com/Tyilo/insert_dylib ● security, codesign, xcodebuild` - macOS/XCode commands ● zip & unzip - builtin, or just installed using homebrew ● 7z - installed using homebrew with brew install p7zip
iOS Repackaging - Step 4: IPA Patching Dependencies Objection Installation: pip3 install -U objection More details and options: https://github.com/sensepost/objection/wiki/Installation
iOS Repackaging - Step 4: IPA Patching Dependencies applesign Installation: npm install -g applesign. If npm is missing: brew install npm
iOS Repackaging - Step 4: IPA Patching Dependencies insert_dylib installation: Compile from source like so: git clone https://github.com/Tyilo/insert_dylib cd insert_dylib xcodebuild cp build/Release/insert_dylib /usr/local/bin/insert_dylib
iOS Repackaging - Step 4: IPA Patching Command: objection patchipa --source my-app.ipa --codesign-signature xxxx
iOS Repackaging - Step 5: Running the patched IPA More dependencies :D Install ios-deploy: npm install -g ios-deploy
iOS Repackaging - Step 5: Running the patched IPA Installing and running the app: unzip my-app.ipa # Creates a Payload/ directory. Unlock iDevice and plug via USB to your Mac Run ios-deploy: ios-deploy --bundle Payload/my-app.app -W -d More intel and Linux instructions: https://github.com/sensepost/objection/wiki/Running-Patched-iOS-Applications
iOS Repackaging - Step 6: Using Frida ☺ So now we can run Frida scripts: frida -U Gadget -l <frida_script> --no-pause Some nice examples for iOS inspiration: https://github.com/iddoeldor/frida-snippets https://github.com/0xdea/frida-scripts/tree/master/ios-snippets
Frida Examples – Filesystem access https://github.com/nowsecure/frida-fs const fs = require('frida-fs'); fs.createReadStream('/etc/hosts').pipe(networkStream);
Frida Examples – Grab iOS Screenshots https://github.com/nowsecure/frida-screenshot const screenshot = require('frida-screenshot'); const png = yield screenshot(); send({ name: '+screenshot', payload: { timestamp: Date.now() }}, png);
Frida Examples – iOS instance member values ObjC.choose(ObjC.classes[clazz], { onMatch: function (obj) { console.log('onMatch: ', obj); Object.keys(obj.$ivars).forEach(function(v) { console.log('t', v, '=', obj.$ivars[v]); }); }, onComplete: function () { console.log('onComplete', arguments.length); }}); https://github.com/iddoeldor/frida-snippets
Frida Examples – iOS extract cookies var cookieJar = []; var cookies = ObjC.classes.NSHTTPCookieStorage.sharedHTTPCookieStorage().cookies(); for (var i = 0, l = cookies.count(); i < l; i++) { var cookie = cookies['- objectAtIndex:'](i); cookieJar.push(cookie.Name() + '=' + cookie.Value()); } console.log(cookieJar.join("; ")); https://github.com/iddoeldor/frida-snippets
Frida Examples – iOS monitor file access Interceptor.attach(ObjC.classes.NSFileManager['- fileExistsAtPath:'].implementation, { onEnter: function (args) { console.log('open' , ObjC.Object(args[2]).toString()); } }); https://github.com/iddoeldor/frida-snippets
What is Objection? ● Wrapper around Frida ● Automates a lot of stuff via Frida hooks ● Works for iOS and Android https://github.com/sensepost/objection/wiki
Demos from the author of objection https://www.youtube.com/watch?v=zkxSFERFuBw https://www.youtube.com/watch?v=AqqPGXa4nO8 https://www.youtube.com/watch?v=t3nRDELo_fY https://www.youtube.com/watch?v=aL8Z2PctBFE https://www.youtube.com/watch?v=Mhf92DeRk8c
> abraham@7asecurity.com @7asecurity | + 7asecurity.com @7a_ OWASP OWTF: @owtfp | + owtf.org Q & A Thank you for your time

Recommended

Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013
Abraham Aranguren
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?
Sam Thomas
 
DBI-Assisted Android Application Reverse Engineering
DBI-Assisted Android Application Reverse EngineeringDBI-Assisted Android Application Reverse Engineering
DBI-Assisted Android Application Reverse Engineering
Sahil Dhar
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
 
Frida Android run time hooking - Bhargav Gajera & Vitthal Shinde
Frida Android run time hooking - Bhargav Gajera & Vitthal ShindeFrida Android run time hooking - Bhargav Gajera & Vitthal Shinde
Frida Android run time hooking - Bhargav Gajera & Vitthal Shinde
NSConclave
 
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parentingSmart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
Abraham Aranguren
 
Introduction to Frida
Introduction to FridaIntroduction to Frida
Introduction to Frida
AbhishekJaiswal270
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Romansh Yadav
 

Recommended

Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013
Abraham Aranguren
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?
Sam Thomas
 
DBI-Assisted Android Application Reverse Engineering
DBI-Assisted Android Application Reverse EngineeringDBI-Assisted Android Application Reverse Engineering
DBI-Assisted Android Application Reverse Engineering
Sahil Dhar
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
 
Frida Android run time hooking - Bhargav Gajera & Vitthal Shinde
Frida Android run time hooking - Bhargav Gajera & Vitthal ShindeFrida Android run time hooking - Bhargav Gajera & Vitthal Shinde
Frida Android run time hooking - Bhargav Gajera & Vitthal Shinde
NSConclave
 
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parentingSmart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
Abraham Aranguren
 
Introduction to Frida
Introduction to FridaIntroduction to Frida
Introduction to Frida
AbhishekJaiswal270
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Romansh Yadav
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
Mathias Karlsson
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
Building a REST Service in minutes with Spring Boot
Building a REST Service in minutes with Spring BootBuilding a REST Service in minutes with Spring Boot
Building a REST Service in minutes with Spring Boot
Omri Spector
 
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Christian Schneider
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
jasonhaddix
 
iOS Application Penetration Testing
iOS Application Penetration TestingiOS Application Penetration Testing
iOS Application Penetration Testing
n|u - The Open Security Community
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
CODE WHITE GmbH
 
Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)
Chandrapal Badshah
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation Test
JongWon Kim
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
Christopher Frohoff
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentesting
Minali Arora
 
Digital Forensics and Incident Response (DFIR) using Docker Containers
Digital Forensics and Incident Response (DFIR) using Docker ContainersDigital Forensics and Incident Response (DFIR) using Docker Containers
Digital Forensics and Incident Response (DFIR) using Docker Containers
Deep Shankar Yadav
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
Cláudio André
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
RyanISI
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
Christopher Frohoff
 
John the ripper & hydra password cracking tool
John the ripper & hydra password cracking toolJohn the ripper & hydra password cracking tool
John the ripper & hydra password cracking tool
Md. Raquibul Hoque
 
Exploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaExploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in Java
CODE WHITE GmbH
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
Mykhailo Antonishyn
 
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
joaomatosf_
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
Subho Halder
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
Tony Thomas
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android Apps
Ron Munitz
 

More Related Content

What's hot

Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Christian Schneider
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation Test
JongWon Kim
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
Christopher Frohoff
 

What's hot (20)

Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
 
Building a REST Service in minutes with Spring Boot
Building a REST Service in minutes with Spring BootBuilding a REST Service in minutes with Spring Boot
Building a REST Service in minutes with Spring Boot
 
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
 
iOS Application Penetration Testing
iOS Application Penetration TestingiOS Application Penetration Testing
iOS Application Penetration Testing
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
 
Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation Test
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentesting
 
Digital Forensics and Incident Response (DFIR) using Docker Containers
Digital Forensics and Incident Response (DFIR) using Docker ContainersDigital Forensics and Incident Response (DFIR) using Docker Containers
Digital Forensics and Incident Response (DFIR) using Docker Containers
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
 
John the ripper & hydra password cracking tool
John the ripper & hydra password cracking toolJohn the ripper & hydra password cracking tool
John the ripper & hydra password cracking tool
 
Exploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaExploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in Java
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
 
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 

Similar to Pwning mobile apps without root or jailbreak

Kandroid for nhn_deview_20131013_v5_final
Kandroid for nhn_deview_20131013_v5_finalKandroid for nhn_deview_20131013_v5_final
Kandroid for nhn_deview_20131013_v5_final
NAVER D2
 

Similar to Pwning mobile apps without root or jailbreak (20)

FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android Apps
 
Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testing
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
 
Modifying Android Apps Without Source Code with Microsoft Visual Studio Code
Modifying Android Apps Without Source Code with Microsoft Visual Studio CodeModifying Android Apps Without Source Code with Microsoft Visual Studio Code
Modifying Android Apps Without Source Code with Microsoft Visual Studio Code
 
Is Your App Hackable for droidcon Berlin 2015
Is Your App Hackable for droidcon Berlin 2015Is Your App Hackable for droidcon Berlin 2015
Is Your App Hackable for droidcon Berlin 2015
 
MOBILE PENTESTING Frida.pdf
MOBILE PENTESTING Frida.pdfMOBILE PENTESTING Frida.pdf
MOBILE PENTESTING Frida.pdf
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
 
Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration
 
How to Build & Use OpenCL on OpenCV & Android NDK
How to Build & Use OpenCL on OpenCV & Android NDKHow to Build & Use OpenCL on OpenCV & Android NDK
How to Build & Use OpenCL on OpenCV & Android NDK
 
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical Apps
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
 
Implementing generic JNI hardware control for Kotlin based app on AOSP
Implementing generic JNI hardware control for Kotlin based app on AOSPImplementing generic JNI hardware control for Kotlin based app on AOSP
Implementing generic JNI hardware control for Kotlin based app on AOSP
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
 
Kandroid for nhn_deview_20131013_v5_final
Kandroid for nhn_deview_20131013_v5_finalKandroid for nhn_deview_20131013_v5_final
Kandroid for nhn_deview_20131013_v5_final
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
 
apidays LIVE Paris 2021 - APIGEE, different ways for integrating with CI/CD p...
apidays LIVE Paris 2021 - APIGEE, different ways for integrating with CI/CD p...apidays LIVE Paris 2021 - APIGEE, different ways for integrating with CI/CD p...
apidays LIVE Paris 2021 - APIGEE, different ways for integrating with CI/CD p...
 
Appium- part 1
Appium- part 1Appium- part 1
Appium- part 1
 
Phonegap Development & Debugging
Phonegap Development & DebuggingPhonegap Development & Debugging
Phonegap Development & Debugging
 

More from Abraham Aranguren

More from Abraham Aranguren (8)

Why should you do a pentest?
Why should you do a pentest?Why should you do a pentest?
Why should you do a pentest?
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
 
VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
 
Legal and efficient web app testing without permission
Legal and efficient web app testing without permissionLegal and efficient web app testing without permission
Legal and efficient web app testing without permission
 
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011
 
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficBruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
 

Recently uploaded

Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
David Michel
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024
Stephen Perrenod
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
CzechDreamin
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
UXDXConf
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
UXDXConf
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
Srushith Repakula
 

Recently uploaded (20)

Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří Karpíšek
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 

Pwning mobile apps without root or jailbreak

  • 1. Pwning Mobile Apps Without Root or Jailbreak > Abraham Aranguren > abraham@7asecurity.com > @7asecurity > @7a_ + 7asecurity.com CureCon 2018, Berlin
  • 2. Agenda • Motivation • Repackaging & Instrumentation examples • Android • iOS • Q&A
  • 3. • Director at 7ASecurity, check out our public reports, presentations, etc: 7asecurity.com/#publications • Author of Practical Web Defense, a hands-on attack & defense course: www.elearnsecurity.com/PWD • Founder and leader of OWASP OWTF, an OWASP flagship project: owtf.org • Some presentations: www.slideshare.net/abrahamaranguren/presentations • Some sec certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE: Security, MCSA: Security, Security+ • Some dev certs: ZCE PHP 5, ZCE PHP 4, Oracle PL/SQL Developer Certified Associate, MySQL 5 CMDev, MCTS SQL Server 2005 Who am I
  • 4. Motivation ● iOS jailbreaks are not always available: ○ The app requires iOS version X, without a public jailbreak available ● iOS/Android jailbreak/root detection might take too long to bypass ○ Example: root/jailbreak detection via obfuscated binary ● Test an app on a device you don’t want to root/jailbreak ● Avoid ptrace/debugging app checks due to tampered environment
  • 5. Repackaging: Android - Problem: App filesystem access Problem: ● When using the Android emulator/Genymotion you have a root shell ● BUT sometimes the app will only work on a real phone ● A non-rooted phone won’t give you a root shell ● A non-rooted phone won’t give you access to application files in /data/data/… ● The app often has backups disabled too Repackaging Solution: ● Modify the APK, enable backups
  • 6. Repackaging: Android - Problem: Debugging Problem: ● Some apps enable debugging features, such as Webview debugging or other useful information in logcat, etc., when the app has debugging enabled Repackaging Solution: ● Modify the APK, enable debugging
  • 7. Step 1: Disassemble APK - apktool d some_app.apk -o some_app_disassembled Step 2: Edit AndroidManifest.xml Change: <application android:allowBackup="false" To: <application android:allowBackup="true" android:debuggable="true" Step 3: Repackage APK - apktool b some_app_disassembled -o some_app_debug.apk Step 4: Sign - jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore some_app_debug.apk alias_name Step 5: Install - adb install some_app_debug.apk Example: Backups + Debugging
  • 8. Example: Backups + Debugging Now we have access to app files via adb backup: Step 1: Backup app files adb backup some.app.com Step 2: Make the backup useful ( printf "x1fx8bx08x00x00x00x00x00" ; tail -c +25 backup.ab ) | tar xfvz - Step 3: Review files :)
  • 10. Repackaging: Android - Problem: Pinning ● Often a problem at the start of the test as you try to MitM :) ● We can modify the APK to skip certificate pinning checks
  • 11. Repackaging: Android - Problem: Pinning Examp Step 1: Disassemble - apktool d some_app.apk -o some_app_disassembled Step 2: Find file to modify - grep -Ir checkServerTrusted * Step 3: Modify the file .method public final checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;) V [...] return-void # Pinning bypass Steps 4-6: Repackage, Sign & Install :)
  • 12. Wait, is it that easy?
  • 13. Repackaging: Android - Problem: Root detection ● Sometimes apps refuse to run when your phone is rooted ● Repackaging often allows us to bypass these checks and enjoy root powers :D
  • 14. Android repackaging - Root detection bypass example 1 Step 1: Disassemble - apktool d some.apk -o some_disassembled Step 2: Remove check from app Java Code: if (isRooted()) [...] Related Smali Code: if-eqz v0, :cond_0 Change Smali Code to: if-nez v0, :cond_0 NOTE: The if-nez opcode inverts the condition, hence bypassing the check Steps 3-5: Repackage, Sign & Install :)
  • 15. Android repackaging - Root detection bypass example 2 Step 1: Disassemble - apktool d some.apk -o some_disassembled Step 2: Remove check from app, return “False” from isRooted .method public isRooted()Z const/4 v0, 0x0 # False return v0 # Return false [...] Steps 3-5: Repackage, Sign & Install :)
  • 16. So this is awesome, right?
  • 17. Limitations of apktool-style Android repackaging ● Limited to changes in smali code: ○ We can only modify Java code disassembled as smali ○ If the app loads and runs code from a binary we cannot modify that (at least not as easily :D) ● Changes are static ○ If you notice later that you need further changes you need to: ■ Disassemble ■ Modify ■ Repackage, Sign and Install ■ … For each modification! :P
  • 18. Further reading Must-use tool for Android repackaging: https://ibotpeaches.github.io/Apktool/ Cool smali opcode references: http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html https://source.android.com/devices/tech/dalvik/dalvik-bytecode
  • 19. What is Frida? - https://www.frida.re/ ● Dynamic Instrumentation Toolkit ● Allows hooking and observing/modifying any app function: ○ Crypto APIs ○ Proprietary functions ○ Even functionality in binaries ● Lets you inject snippets of JavaScript into native apps that run on Windows, Mac, Linux, iOS and Android In short: Frida Gadgets allow root-like access on apps from not-rooted/jailbroken devices
  • 20. How to add Frida to an APK so we can run it without root? Step 1: Disassemble - apktool d some_app.apk -o some_app_disassembled Step 2: Add the frida-gadget binaries to the APK - For the correct architecture! :) https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-androi d-x86.so.xz https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-androi d-x86_64.so.xz https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-androi d-arm.so.xz https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-androi d-arm64.so.xz
  • 21. How do I know the architecture? ADB Command: adb shell getprop ro.product.cpu.abi Example Output (Genymotion): x86
  • 22. Step 2: Adding the Frida-Gadget to the APK - (ARM 32bits) Download: wget https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-a ndroid-arm.so.xz Uncompress: unxz frida-gadget-12.0.8-android-arm.so.xz Copy: cp frida-gadget-12.0.8-android-arm.so some_disassembled/lib/armeabi/libfrida-gadget.so
  • 23. Step 3: Make the APK load the Gadget Find main activity: find . | grep -i main | grep smali$ Add the following smali code to the constructor: const-string v0, "frida-gadget" invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V Corresponding Java Code: System.loadLibrary("frida-gadget")
  • 24. Step 4: Ensure network permissions in AndroidManifest.xml We will talk to Frida over the network so the app needs to use the internet, most apps do but worth double checking: File: AndroidManifest.xml Make sure it has: <uses-permission android:name="android.permission.INTERNET" />
  • 25. Repackage, Sign & Install Step 5: Repackage APK - apktool b some_app_disassembled -o some_app_debug.apk Step 6: Sign - jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore some_app_debug.apk alias_name Step 7: Install - adb install some_app_debug.apk
  • 26. Basic Frida usage Logcat - Frida: Listening on TCP port 27042 The PID will show Gadget instead of the original package name: Command: $ frida-ps –U Output: PID Name ----- ------ 16071 Gadget
  • 27. Basic Frida usage – Interactive Instrumentation Shell Command: frida -U Gadget --no-pause Output: Commands: /_/ |_| help -> Displays the help system . . . . object? -> Display information about 'object' . . . . exit/quit -> Exit [USB::Android Emulator 5556::['com.android.chrome']]-> Java.androidVersion "7.1.1"
  • 28. Basic Frida usage – Public script example: Root Bypass https://github.com/0xdea/frida-scripts/blob/master/android-snippets/raptor_frida _android_bypass.js Usage (Frida Server): frida -U -f com.xxx.yyy -l raptor_frida_android.js --no-pause Usage (Frida Gadget): frida -U Gadget -l raptor_frida_android.js --no-pause
  • 29. Basic Frida usage – Public script example: Root Bypass setTimeout(function() { // avoid java.lang.ClassNotFoundException Java.perform(function() {// Root detection bypass example var hook = Java.use("com.target.utils.RootCheck"); hook.isRooted.overload().implementation = function() { console.log("info: entered target method"); var retval = this.isRooted.overload().call(this); //old retval console.log("old ret value: " + retval); var retnew = false; // set new retval console.log("new ret value: " + retnew); return retnew; } }); }, 0);
  • 30. Basic Frida usage – Crypto Hooks https://gitlab.com/roxanagogonea/frida-scripts/blob/master/cryptography/crypt ography.js setImmediate(function() { Java.perform(function() { var keyGenerator = Java.use("javax.crypto.KeyGenerator"); keyGenerator.generateKey.implementation = function () { console.log("[*] Generate symmetric key called. "); return this.generateKey(); }; }); });
  • 31. Basic Frida usage – Crypto Hooks setImmediate(function() { Java.perform(function() { var keyGenerator = Java.use("javax.crypto.KeyGenerator"); keyGenerator.getInstance.overload('java.lang.String').implementation = function (var0) { console.log("[*] KeyGenerator.getInstance called with algorithm: " + var0 + "n"); return this.getInstance(var0); }; }); });
  • 32. Basic Frida usage – Crypto Hooks setImmediate(function() { Java.perform(function() { var keyGenerator = Java.use("javax.crypto.KeyGenerator"); keyGenerator.getInstance.overload('java.lang.String', 'java.lang.String').implementation = function (var0, var1) { console.log("[*] KeyGenerator.getInstance called with algorithm: " + var0 + " and provider: " + var1 + "n"); return this.getInstance(var0, var1); }; }); });
  • 33. Basic Frida usage – Shared Preferences setImmediate(function() { Java.perform(function() { var contextWrapper = Java.use("android.content.ContextWrapper"); var sharedPreferencesEditor = Java.use("android.app.SharedPreferencesImpl$EditorImpl"); sharedPreferencesEditor.putString.overload('java.lang.String', 'java.lang.String').implementation = function(var0, var1) { console.log("[*] Added a new String value to SharedPreferences with key: " + var0 + " and value " + var1 + "n"); var editor = this.putString(var0, var1); return editor; }});});
  • 34. Basic Frida usage – SQLite query hooks setImmediate(function() { Java.perform(function() { var sqliteDatabase = Java.use("android.database.sqlite.SQLiteDatabase"); sqliteDatabase.execSQL.overload('java.lang.String').implementation = function(var0) { console.log("[*] SQLiteDatabase.exeqSQL called with query: " + var0 + "n"); var execSQLRes = this.execSQL(var0); return execSQLRes; };});}); https://gitlab.com/roxanagogonea/frida-scripts/blob/master/data-storage/sqlite-d atabase.js
  • 35. Further reading & Frida script examples https://www.frida.re/docs/gadget/ https://koz.io/using-frida-on-android-without-root/ https://www.codemetrix.net/hacking-android-apps-with-frida-1/ https://github.com/iddoeldor/frida-snippets https://github.com/poxyran/misc https://gitlab.com/roxanagogonea/frida-scripts/blob/master/
  • 36. Can this be automated? Here are some attempts: https://github.com/dpnishant/appmon/tree/master/apk_builder
  • 37. BUT BUT BUT … What about iOS????
  • 38. iOS Reversing 101 Usual approach overview: ● Decrypt IPA with Clutch - https://github.com/KJCracks/Clutch ● Generate Objective-C headers with class-dump - https://github.com/nygard/class-dump ● Disassemble with Hopper - https://www.hopperapp.com/index.html Explained by filedescriptor ☺ https://blog.innerht.ml/page/2/
  • 40. iOS Repackaging - Step 1: Add Apple ID to XCode Add an Apple ID to Xcode: Xcode / Preferences / Accounts / Add Apple ID
  • 41. iOS Repackaging - Step 2: Manage Certificates
  • 42. iOS Repackaging - Step 2: Manage Certificates – iOS Dev
  • 43. iOS Repackaging - Step 2: Manage Certificates – Done
  • 44. iOS Repackaging - Step 2: Verify Code Signing Certificate Command: security find-identity -p codesigning -v Output: 1) xxx[…] "iPhone Developer: abraham+1@cure53.de ([…]XX)" 1 valid identities found
  • 45. iOS Repackaging - Step 3: Create mobileprovision file
  • 46. iOS Repackaging - Step 3: Create mobileprovision file
  • 47. iOS Repackaging - Step 3: Create mobileprovision file
  • 48. iOS Repackaging - Step 3: Create mobileprovision file
  • 49. iOS Repackaging - Step 3: Create mobileprovision file
  • 50. iOS Repackaging - Step 3: Create mobileprovision file Just login :D
  • 51. iOS Repackaging - Step 3: Create mobileprovision file ● Plug your iPhone ● Select the iPhone as the target device on Xcode ● Hit the “Play” button ● Verify the mobileprovision file has been created: find ~/Library/Developer/Xcode/DerivedData/ -name embedded.mobileprovision
  • 52. iOS Repackaging - Step 3: Create mobileprovision file Do we have to do all this nonsense every time?
  • 53. iOS Repackaging - Step 3: Create mobileprovision file From here, each time we will “only” need to: ● Create a blank app ● Deploy it to an iDevice This will create a new, valid provisioning file
  • 54. iOS Repackaging - Step 4: IPA Patching Dependencies ● objection – from: https://github.com/sensepost/objection/wiki/Installation ● applesign - from: https://github.com/nowsecure/node-applesign ● insert_dylib - from: https://github.com/Tyilo/insert_dylib ● security, codesign, xcodebuild` - macOS/XCode commands ● zip & unzip - builtin, or just installed using homebrew ● 7z - installed using homebrew with brew install p7zip
  • 55. iOS Repackaging - Step 4: IPA Patching Dependencies Objection Installation: pip3 install -U objection More details and options: https://github.com/sensepost/objection/wiki/Installation
  • 56. iOS Repackaging - Step 4: IPA Patching Dependencies applesign Installation: npm install -g applesign. If npm is missing: brew install npm
  • 57. iOS Repackaging - Step 4: IPA Patching Dependencies insert_dylib installation: Compile from source like so: git clone https://github.com/Tyilo/insert_dylib cd insert_dylib xcodebuild cp build/Release/insert_dylib /usr/local/bin/insert_dylib
  • 58. iOS Repackaging - Step 4: IPA Patching Command: objection patchipa --source my-app.ipa --codesign-signature xxxx
  • 59. iOS Repackaging - Step 5: Running the patched IPA More dependencies :D Install ios-deploy: npm install -g ios-deploy
  • 60. iOS Repackaging - Step 5: Running the patched IPA Installing and running the app: unzip my-app.ipa # Creates a Payload/ directory. Unlock iDevice and plug via USB to your Mac Run ios-deploy: ios-deploy --bundle Payload/my-app.app -W -d More intel and Linux instructions: https://github.com/sensepost/objection/wiki/Running-Patched-iOS-Applications
  • 61. iOS Repackaging - Step 6: Using Frida ☺ So now we can run Frida scripts: frida -U Gadget -l <frida_script> --no-pause Some nice examples for iOS inspiration: https://github.com/iddoeldor/frida-snippets https://github.com/0xdea/frida-scripts/tree/master/ios-snippets
  • 62. Frida Examples – Filesystem access https://github.com/nowsecure/frida-fs const fs = require('frida-fs'); fs.createReadStream('/etc/hosts').pipe(networkStream);
  • 63. Frida Examples – Grab iOS Screenshots https://github.com/nowsecure/frida-screenshot const screenshot = require('frida-screenshot'); const png = yield screenshot(); send({ name: '+screenshot', payload: { timestamp: Date.now() }}, png);
  • 64. Frida Examples – iOS instance member values ObjC.choose(ObjC.classes[clazz], { onMatch: function (obj) { console.log('onMatch: ', obj); Object.keys(obj.$ivars).forEach(function(v) { console.log('t', v, '=', obj.$ivars[v]); }); }, onComplete: function () { console.log('onComplete', arguments.length); }}); https://github.com/iddoeldor/frida-snippets
  • 65. Frida Examples – iOS extract cookies var cookieJar = []; var cookies = ObjC.classes.NSHTTPCookieStorage.sharedHTTPCookieStorage().cookies(); for (var i = 0, l = cookies.count(); i < l; i++) { var cookie = cookies['- objectAtIndex:'](i); cookieJar.push(cookie.Name() + '=' + cookie.Value()); } console.log(cookieJar.join("; ")); https://github.com/iddoeldor/frida-snippets
  • 66. Frida Examples – iOS monitor file access Interceptor.attach(ObjC.classes.NSFileManager['- fileExistsAtPath:'].implementation, { onEnter: function (args) { console.log('open' , ObjC.Object(args[2]).toString()); } }); https://github.com/iddoeldor/frida-snippets
  • 67. What is Objection? ● Wrapper around Frida ● Automates a lot of stuff via Frida hooks ● Works for iOS and Android https://github.com/sensepost/objection/wiki
  • 68. Demos from the author of objection https://www.youtube.com/watch?v=zkxSFERFuBw https://www.youtube.com/watch?v=AqqPGXa4nO8 https://www.youtube.com/watch?v=t3nRDELo_fY https://www.youtube.com/watch?v=aL8Z2PctBFE https://www.youtube.com/watch?v=Mhf92DeRk8c
  • 69. > abraham@7asecurity.com @7asecurity | + 7asecurity.com @7a_ OWASP OWTF: @owtfp | + owtf.org Q & A Thank you for your time