1.
Pentesting
Android Apps
using Frida
(Beginner level)

2.
Some other titles
Instrumentation at the age of obfuscation
Pentesting Android Apps using Dynamic Binary
Instrumentation
It’s a secure Android app ! Let’s hook it up

3.
Agenda
- Introduction to Frida
- Android app basics
- Android app defences
- Using Frida to bypass basic defences
- Demo

4.
What is Frida ?
Dynamic instrumentation toolkit for developers, reverse-
engineers, and security researchers.

5.
What is Frida ?
Dynamic instrumentation toolkit for developers, reverse-
engineers, and security researchers.

6.
What is Dynamic Instrumentation ?
Ability to monitor or measure the level of a product's
performance, to diagnose errors and to write trace
information.
Includes code tracing, debugging, profiling, etc

7.
What is Dynamic Instrumentation ?
Ability to monitor or measure the level of a product's
performance, to diagnose errors and to write trace
information.
Includes code tracing, debugging, profiling, etc

8.
Finally, What is Frida ?
Frida is a toolkit which can be used to monitor / debug a
process (app at runtime)

9.
Frida
- More than an instrumentation framework.
- Injects scripts into processes. Only JavaScript
- Portable. Multi-platform support.
- Windows / Linux / Mac
- Android / iOS
- Bindings in multiple languages
- NodeJS
- Python
- Swift bindings
- .NET bindings
- C API
- Free. Complete code on GitHub

10.
How does it work ?
Version of server and client should match. Select the correct architecture.

11.
Modes of Operation
- Injected
- Spawn an existing program (create and execute child process)
- Attach/Hooking to running program
- Hijack a process when its spawned
- Requires Root/Admin priv
- Embedded
- Useful in non-jailbroken iOS / non-root Android
- Preloaded

12.
Frida Toolkit
- frida : CLI tool
- frida-discover : Tool to discover internal functions
- frida-kill : Tool to kill processes
- frida-ls-devices : Tool to list attached devices
- frida-ps : CLI tool to list processes (useful for remote systems)
- frida-trace : Tool for dynamically tracing function calls

13.
Why do we need another debugger ?
- More than a debugger
- Apart from setting breakpoints, it helps injecting code
- From security perspective, apps have been checking for the presence of
debuggers since a long time. Mainly GDB
“GDB in 2018 is prevented in 2018 different funny ways with different funny
tricks”
- Best suited for Android apps due to disadvantages in previous
instrumentation framework - Xposed.
(Restart required for every code change)

14.
Android App Basics
- Android apps were traditionally developed using Java, now moving to
Kotlin
- Each app runs as a user (user level isolation)
- Activity
- onCreate - initialization function
- Compile it. Requires it to be signed.
- Android had been using Dalvik VM, but now they are moving to Android
RunTime (ART)

15.
Java example

16.
Java example
Output: Good Morning, Null Comrades

17.
Frida for Android

18.
Frida Useful commands
frida-ps -U
frida -U com.target.app --no-pause
frida -U -l ssl-pinning.js -f com.target.app --no-pause
frida -U -c pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f
com.target.app --no-pause

19.
DEMO #1

20.
Frida Template for Android - JavaScript
Java.perform(function() {
Java.enumerateLoadedClasses({
"onMatch":function(className){
if(className.includes("badshah")) {
console.log(className) }
},
"onComplete":function(){}
}
)})

21.
Frida common API
Java.use("android.util.Log") - Uses that particular class
.implementation - Overrides the default implementation
.overload - When polymorphism is used, this can be really useful

22.
Android App Defences
There are multiple defences that Android developers use to protect their apps
from attackers. They include:
- Security through Obscurity
- Anti Emulation / Anti-VM checks
- Anti-Debug checks
- Root check
- SSL Pinning
- Tamper detection
- Obfuscation
- Packers

23.
Android App Defences
There are multiple defences that Android developers use to protect their apps
from attackers. They include:
- Security through Obscurity
- Anti Emulation / Anti-VM checks
- Anti-Debug checks
- Root check
- SSL Pinning
- Tamper detection
- Obfuscation
- Packers

24.
Security Through Obscurity
- Hardcoded passwords are not very popular
- Trend is Base64 encoded / Character / Buffer array
- Even store in .so (shared object) files

25.
Scenario:
FTPConnector(pwd())
pwd()
Internet

26.
Code

27.
DEMO #2

28.
Anti Emulation / Anti-VM checks
Find more at: https://github.com/CalebFenton/AndroidEmulatorDetect/blob/master/app/src/main/java/org/cf/emulatordetect/Detector.java

29.
Scenario
Sensitive Action
Non-Sensitive
Action
StartAction()
CheckVM()
NOT VM VM

30.
Code

31.
DEMO #3

32.
Anti Debug Check
Change the command - as per root detection in Frida codeshare

33.
Scenario
Sensitive Action
Non-Sensitive
Action
StartAction()
CheckDebug()
NO DEBUG DEBUG

34.
Code

35.
DEMO #4

36.
THE END