Pentesting Android Apps using Frida (Beginners)

Pentesting Android Apps using Frida (Beginner level)

Some other titles:
- Instrumentation at the age of obfuscation
- Pentesting Android Apps using Dynamic Binary Instrumentation
- It’s a secure Android app! Let’s hook it up
Agenda
- Introduction to Frida
- Android app basics
- Android app defences
- Using Frida to bypass basic defences
- Demo
What is Frida?
Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
What is Dynamic Instrumentation?
The ability to monitor or measure a product's performance at runtime, to diagnose errors and to write trace information.
Includes code tracing, debugging, profiling, etc.
Finally, What is Frida?
Frida is a toolkit which can be used to monitor / debug a process (an app at runtime).
Frida
- More than an instrumentation framework.
- Injects scripts into processes. Only JavaScript.
- Portable. Multi-platform support.
  - Windows / Linux / Mac
  - Android / iOS
- Bindings in multiple languages
  - NodeJS
  - Python
  - Swift bindings
  - .NET bindings
  - C API
- Free. Complete code on GitHub.
How does it work?
The version of the server (frida-server on the device) and the client (the Frida tools on your host) should match. Select the server build for the correct device architecture.
Modes of Operation
- Injected
  - Spawn a program (create and execute a child process)
  - Attach / hook into an already running program
  - Hijack a process when it is spawned
  - Requires root / admin privileges
- Embedded
  - Useful on non-jailbroken iOS / non-rooted Android
- Preloaded
Frida Toolkit
- frida : CLI tool
- frida-discover : Tool to discover internal functions
- frida-kill : Tool to kill processes
- frida-ls-devices : Tool to list attached devices
- frida-ps : CLI tool to list processes (useful for remote systems)
- frida-trace : Tool for dynamically tracing function calls
Why do we need another debugger?
- It is more than a debugger
- Apart from setting breakpoints, it helps inject code
- From a security perspective, apps have been checking for the presence of debuggers for a long time, mainly GDB:
  “GDB in 2018 is prevented in 2018 different funny ways with different funny tricks”
- Best suited for Android apps due to the disadvantages of the previous instrumentation framework, Xposed (a restart was required for every code change)
Android App Basics
- Android apps were traditionally developed in Java; development is now moving to Kotlin
- Each app runs as its own user (user-level isolation)
- Activity
  - onCreate - initialization function
- The app is compiled into an APK, which must be signed before it can be installed
- Android used the Dalvik VM, but has moved to the Android Runtime (ART)
Java example
Output: Good Morning, Null Comrades
Frida for Android
Frida Useful commands
frida-ps -U                                   # list processes on the USB-connected device
frida -U com.target.app --no-pause            # attach to the already running app
frida -U -l ssl-pinning.js -f com.target.app --no-pause   # spawn the app and load a local script
frida -U -c pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f com.target.app --no-pause   # spawn the app and load a script from Frida CodeShare
DEMO #1
Frida Template for Android - JavaScript
// Runs inside the target process; prints every loaded class whose name contains "badshah"
Java.perform(function () {
    Java.enumerateLoadedClasses({
        "onMatch": function (className) {
            if (className.includes("badshah")) {
                console.log(className);
            }
        },
        "onComplete": function () {}
    });
});
Frida common API
Java.use("android.util.Log") - Gets a wrapper for that particular class
.implementation - Overrides the default implementation of a method
.overload - Selects one signature when a method is overloaded (polymorphism); really useful then
Android App Defences
There are multiple defences that Android developers use to protect their apps from attackers. They include:
- Security through Obscurity
- Anti Emulation / Anti-VM checks
- Anti-Debug checks
- Root check
- SSL Pinning
- Tamper detection
- Obfuscation
- Packers
Security Through Obscurity
- Plain hardcoded passwords are no longer very popular
- The trend is to store them Base64-encoded, or as a character / buffer array
- Some apps even store them in native .so (shared object) files
Scenario (diagram): the app calls pwd() to obtain the credential and passes it to FTPConnector(), which connects out over the Internet. Whatever the encoding at rest, pwd() has to return the plain value at runtime.
Code
DEMO #2
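As an added example (not code from the slides), the three pieces of the Frida common API above, Java.use, .implementation and .overload, applied to the pwd() scenario on this slide: the hook logs what pwd() returns without changing it, which is why Base64 encoding or a character array around a hardcoded credential adds no protection once the app is running. The class com.example.app.Secrets and its pwd() method are assumed names; android.util.Log.d is a real Android method. Because a Frida script only runs inside an instrumented process, the block also carries a constructed stand-in for Frida's Java bridge, written for this example, so the same installHooks() function can be exercised under Node; the stand-in models only the behaviour the hooks rely on.

```javascript
// Added example, not from the slides. Class/method names com.example.app.Secrets
// and pwd() are assumptions; android.util.Log.d is real. installHooks() is the
// part you would load with Frida; everything after it is a constructed stand-in.
function installHooks(Java, log) {
  Java.perform(function () {
    // Java.use: get a wrapper for the class
    var Secrets = Java.use("com.example.app.Secrets");

    // .implementation: replace the method. Inside the hook, this.pwd() runs the
    // original, so behaviour is unchanged and only the result is observed.
    Secrets.pwd.implementation = function () {
      var value = this.pwd();
      log("pwd() returned " + value);
      return value;
    };

    // .overload: Log.d has several signatures, so pick the (String, String) one.
    var Log = Java.use("android.util.Log");
    Log.d.overload("java.lang.String", "java.lang.String").implementation =
      function (tag, msg) {
        log("Log.d(" + tag + ", " + msg + ")");
        return this.d(tag, msg);
      };
  });
}

// Constructed stand-in for Frida's Java bridge so the hooks can run under Node
// without a device. It models only what the hooks need: Java.perform runs the
// callback, Java.use returns one cached wrapper per class, every method has a
// settable .implementation and an .overload(...types) selector, and
// this.<method>() inside a hook reaches the original code. Overloads are
// matched by argument count here; real Frida matches the argument types.
function makeFakeJavaBridge(classes) {
  var cache = {};
  function wrapClass(className) {
    var defs = classes[className];
    var self = {};     // what a hook sees as `this`: originals only
    var wrapper = {};  // what Java.use returns: hookable methods
    Object.keys(defs).forEach(function (name) {
      var entries = Object.keys(defs[name]).map(function (sig) {
        return { sig: sig, argc: sig ? sig.split(",").length : 0,
                 original: defs[name][sig], implementation: null };
      });
      function pick(argc) {
        return entries.filter(function (e) { return e.argc === argc; })[0];
      }
      self[name] = function () {
        return pick(arguments.length).original.apply(self, arguments);
      };
      var method = function () {
        var e = pick(arguments.length);
        return (e.implementation || e.original).apply(self, arguments);
      };
      Object.defineProperty(method, "implementation", {
        set: function (fn) {
          // Frida refuses a bare .implementation on an overloaded method
          if (entries.length !== 1) {
            throw new Error(name + " has " + entries.length + " overloads, use .overload()");
          }
          entries[0].implementation = fn;
        }
      });
      method.overload = function () {
        var sig = Array.prototype.join.call(arguments, ",");
        var e = entries.filter(function (x) { return x.sig === sig; })[0];
        if (!e) throw new Error("no overload " + name + "(" + sig + ")");
        return e;
      };
      wrapper[name] = method;
    });
    return wrapper;
  }
  return {
    perform: function (cb) { cb(); },
    use: function (className) {
      return cache[className] || (cache[className] = wrapClass(className));
    }
  };
}

// Constructed sample "app": the credential is stored Base64-encoded, as the
// Security Through Obscurity slide describes, and decoded on demand by pwd().
function runDemo() {
  var events = [];
  var Java = makeFakeJavaBridge({
    "com.example.app.Secrets": {
      pwd: { "": function () { return Buffer.from("cDRzc3cwcmQ=", "base64").toString("utf8"); } }
    },
    "android.util.Log": {
      d: {
        "java.lang.String,java.lang.String": function (tag, msg) { return tag.length + msg.length; },
        "java.lang.String,java.lang.String,java.lang.Throwable": function () { return -1; }
      }
    }
  });
  installHooks(Java, function (line) { events.push(line); });

  // The app's own code path: fetch the credential, log, hand it to the connector.
  var Secrets = Java.use("com.example.app.Secrets");
  var Log = Java.use("android.util.Log");
  var credential = Secrets.pwd();                                   // hooked, logged
  var twoArg = Log.d("ftp", "connecting");                          // hooked overload
  var threeArg = Log.d("ftp", "failed", new Error("constructed"));  // other overload, untouched
  return { credential: credential, twoArg: twoArg, threeArg: threeArg, events: events };
}
```

On a real device only the body of installHooks() is relevant: wrap it in Java.perform as the template slide shows, save it as hooks.js and load it with frida -U -l hooks.js -f <package>. The stand-in and runDemo() exist so the hook logic can be read and run offline; the lesson they make visible is that the decoded credential is available to anything instrumenting the process, so encoding it at rest is obscurity, not a control.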
Anti Emulation / Anti-VM checks
Find more at: https://github.com/CalebFenton/AndroidEmulatorDetect/blob/master/app/src/main/java/org/cf/emulatordetect/Detector.java
Scenario (diagram): StartAction() calls CheckVM(); if the result is NOT VM the app performs the Sensitive Action, if it is VM the app performs a Non-Sensitive Action instead.
Code
DEMO #3
Anti Debug Check
Change the command as per the root detection script on Frida CodeShare
Scenario (diagram): StartAction() calls CheckDebug(); if the result is NO DEBUG the app performs the Sensitive Action, if it is DEBUG the app performs a Non-Sensitive Action instead.
Code
DEMO #4
THE END