
Pentesting Android Apps using Frida (Beginners)

Frida is an instrumentation framework which is greatly helpful for dynamic analysis. This presentation was a part of my talk at @Nullblr - https://null.co.in/event_sessions/2039-getting-started-with-frida-on-android-apps



  1. Pentesting Android Apps using Frida (Beginner level)
  2. Some other titles:
     - Instrumentation at the age of obfuscation
     - Pentesting Android Apps using Dynamic Binary Instrumentation
     - It's a secure Android app! Let's hook it up
  3. Agenda:
     - Introduction to Frida
     - Android app basics
     - Android app defences
     - Using Frida to bypass basic defences
     - Demo
  4. What is Frida? Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
  6. What is Dynamic Instrumentation? The ability to monitor or measure the level of a product's performance, to diagnose errors and to write trace information. Includes code tracing, debugging, profiling, etc.
  8. Finally, what is Frida? Frida is a toolkit which can be used to monitor / debug a process (an app at runtime).
  9. Frida:
     - More than an instrumentation framework
     - Injects scripts into processes. JavaScript only
     - Portable. Multi-platform support: Windows / Linux / Mac, Android / iOS
     - Bindings in multiple languages: NodeJS, Python, Swift bindings, .NET bindings, C API
     - Free. Complete code on GitHub
  10. How does it work? The versions of the server (on the device) and the client should match. Select the correct architecture for the device.
  11. Modes of Operation:
     - Injected
       - Spawn an existing program (create and execute a child process)
       - Attach/hook to a running program
       - Hijack a process when it is spawned
       - Requires root/admin privileges
     - Embedded: useful on non-jailbroken iOS / non-rooted Android
     - Preloaded
  12. Frida Toolkit:
     - frida: CLI tool
     - frida-discover: tool to discover internal functions
     - frida-kill: tool to kill processes
     - frida-ls-devices: tool to list attached devices
     - frida-ps: CLI tool to list processes (useful for remote systems)
     - frida-trace: tool for dynamically tracing function calls
  13. Why do we need another debugger?
     - More than a debugger
     - Apart from setting breakpoints, it helps inject code
     - From a security perspective, apps have been checking for the presence of debuggers for a long time, mainly GDB: "GDB in 2018 is prevented in 2018 different funny ways with different funny tricks"
     - Best suited for Android apps due to the disadvantages of the previous instrumentation framework, Xposed (a restart is required for every code change)
  14. Android App Basics:
     - Android apps were traditionally developed using Java, now moving to Kotlin
     - Each app runs as its own user (user-level isolation)
     - Activity: onCreate is the initialization function
     - Compile it; the app is required to be signed
     - Android had been using the Dalvik VM, but now they are moving to the Android Runtime (ART)
  15. Java example
  16. Java example. Output: Good Morning, Null Comrades
  17. Frida for Android
  18. Frida useful commands:
     frida-ps -U
     frida -U com.target.app --no-pause
     frida -U -l ssl-pinning.js -f com.target.app --no-pause
     frida -U -c pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f com.target.app --no-pause
  19. DEMO #1
  20. Frida template for Android (JavaScript):
     Java.perform(function () {
       Java.enumerateLoadedClasses({
         onMatch: function (className) {
           if (className.includes("badshah")) {
             console.log(className);
           }
         },
         onComplete: function () {}
       });
     });
  21. Frida common API:
     - Java.use("android.util.Log"): uses that particular class
     - .implementation: overrides the default implementation
     - .overload: when polymorphism is used, this can be really useful
  22. Android App Defences. There are multiple defences that Android developers use to protect their apps from attackers. They include:
     - Security through obscurity
     - Anti-emulation / anti-VM checks
     - Anti-debug checks
     - Root check
     - SSL pinning
     - Tamper detection
     - Obfuscation
     - Packers
  24. Security Through Obscurity:
     - Hardcoded passwords are not very popular
     - The trend is Base64 encoded / character / buffer arrays
     - Even stored in .so (shared object) files
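The hooking primitives of slide 21 (Java.use, .overload, .implementation) applied to the Base64-obscured secrets of slide 24, as an added example that is not part of the slides or the talk's demo code. It assumes the app under test calls android.util.Base64.decode(String, int); the helper names toPrintable, observe and seen are mine.

```javascript
// Added example (not from the slides): watch android.util.Base64.decode with
// Java.use / .overload / .implementation, to show that a value "hidden" by Base64
// encoding is in the clear the moment the app decodes it. The pure helpers
// (toPrintable, observe) are separated out so the file also loads in plain Node.

// Java byte[] reaches Frida as an array of signed ints (-128..127), so mask with
// 0xff before treating each byte as a character; non-printables become ".".
function toPrintable(bytes) {
  let out = "";
  for (let i = 0; i < bytes.length; i++) {
    const b = bytes[i] & 0xff;
    out += (b >= 0x20 && b < 0x7f) ? String.fromCharCode(b) : ".";
  }
  return out;
}

// Record one decode call (encoded input, printable output) and return the text.
function observe(log, encoded, bytes) {
  const decoded = toPrintable(bytes);
  log.push({ encoded: encoded, decoded: decoded });
  return decoded;
}

const seen = []; // everything the app decoded while the script was attached

// `Java` only exists inside a process Frida has injected into; skipped under Node.
if (typeof Java !== "undefined") {
  Java.perform(function () {
    const Base64 = Java.use("android.util.Base64");           // slide 21: pick the class
    // decode() is polymorphic: (String, int), (byte[], int), (byte[], int, int, int).
    // Without .overload() Frida cannot tell which one to hook.
    const decodeStr = Base64.decode.overload("java.lang.String", "int");
    decodeStr.implementation = function (input, flags) {       // slide 21: replace it
      const result = decodeStr.call(this, input, flags);       // run the real decode first
      const text = observe(seen, input, result);
      console.log("[Base64.decode] " + input + " -> " + text);
      return result;                                           // app behaviour unchanged
    };
  });
  // Lets the host side (Python/Node bindings) fetch the list over rpc.
  if (typeof rpc !== "undefined") {
    rpc.exports = { seen: function () { return seen; } };
  }
}
```

Load it with the slide 18 pattern (`frida -U -l <script>.js -f com.target.app --no-pause`); every Base64 decode the app performs is then printed, which is the whole argument against treating encoding as protection.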
  25. Scenario (flow diagram): FTPConnector(pwd()) -> pwd() -> Internet
  26. Code
  27. DEMO #2
  28. Anti Emulation / Anti-VM checks. Find more at: https://github.com/CalebFenton/AndroidEmulatorDetect/blob/master/app/src/main/java/org/cf/emulatordetect/Detector.java
  29. Scenario (flow diagram): StartAction() calls CheckVM(); NOT VM -> Sensitive Action, VM -> Non-Sensitive Action
  30. Code
  31. DEMO #3
  32. Anti Debug Check. Change the command as per the root detection script in Frida codeshare
  33. Scenario (flow diagram): StartAction() calls CheckDebug(); NO DEBUG -> Sensitive Action, DEBUG -> Non-Sensitive Action
  34. Code
  35. DEMO #4
  36. THE END
