Frida is an instrumentation framework which is greatly helpful for dynamic analysis. This presentation was a part of my talk at @Nullblr - https://null.co.in/event_sessions/2039-getting-started-with-frida-on-android-apps
2. Some other titles
- Instrumentation in the age of obfuscation
- Pentesting Android apps using Dynamic Binary Instrumentation
- It's a secure Android app! Let's hook it up
3. Agenda
- Introduction to Frida
- Android app basics
- Android app defences
- Using Frida to bypass basic defences
- Demo
4. What is Frida?
Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
6. What is Dynamic Instrumentation?
The ability to monitor or measure a product's performance, to diagnose errors, and to write trace information at runtime.
Includes code tracing, debugging, profiling, etc.
8. Finally, what is Frida?
Frida is a toolkit which can be used to monitor / debug a process (an app at runtime).
9. Frida
- More than an instrumentation framework.
- Injects scripts into processes; the scripts are written in JavaScript only.
- Portable, with multi-platform support:
  - Windows / Linux / Mac
  - Android / iOS
- Bindings in multiple languages:
  - Node.js
  - Python
  - Swift bindings
  - .NET bindings
  - C API
- Free; the complete source code is on GitHub.
10. How does it work?
The versions of frida-server (on the device) and the client (on the host) should match. Select the server build for the correct device architecture.
11. Modes of Operation
- Injected
  - Spawn an existing program (create and execute a child process)
  - Attach / hook into an already running program
  - Hijack a process when it is spawned
  - Requires root / admin privileges
- Embedded
  - Useful on non-jailbroken iOS / non-rooted Android
- Preloaded
12. Frida Toolkit
- frida: CLI tool
- frida-discover: tool to discover internal functions
- frida-kill: tool to kill processes
- frida-ls-devices: tool to list attached devices
- frida-ps: CLI tool to list processes (useful for remote systems)
- frida-trace: tool for dynamically tracing function calls
13. Why do we need another debugger?
- More than a debugger
- Apart from setting breakpoints, it helps inject code
- From a security perspective, apps have been checking for the presence of debuggers for a long time, mainly GDB:
“GDB in 2018 is prevented in 2018 different funny ways with different funny tricks”
- Best suited for Android apps because of the disadvantages of the previous instrumentation framework, Xposed (a restart was required for every code change)
14. Android App Basics
- Android apps were traditionally developed in Java; development is now moving to Kotlin
- Each app runs as a separate user (user-level isolation)
- Activity
  - onCreate: the initialization function
- The app is compiled into a package, which is required to be signed
- Android had been using the Dalvik VM, but is now moving to the Android Runtime (ART)
21. Frida common API
- Java.use("android.util.Log"): obtains a wrapper for that particular class
- .implementation: overrides the default implementation of a method
- .overload: when a method is polymorphic (overloaded), this selects the signature to hook, which can be really useful
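The three calls above put together, as an added example that is not code from the talk: a Frida script that observes android.util.Log.d without changing the app's behaviour. installLogHook, sink and the package name com.example.app are this example's own assumptions; `Java` is the bridge object Frida exposes as a global inside the attached process.

```javascript
// Added example (not from the talk): hooking android.util.Log.d with Frida.
// installLogHook takes the Frida `Java` bridge as a parameter so the hook
// logic can also be exercised outside Frida; the names are this example's own.
function installLogHook(Java, sink) {
  var seen = []; // every intercepted (tag, msg) pair, returned to the caller
  Java.perform(function () {
    // Java.use() returns a wrapper for the loaded class.
    var Log = Java.use("android.util.Log");
    // Log.d is polymorphic: d(String, String) and d(String, String, Throwable).
    // .overload() selects one signature so the replacement is unambiguous,
    // and assigning .implementation swaps in our function for that signature.
    Log.d.overload("java.lang.String", "java.lang.String").implementation =
      function (tag, msg) {
        seen.push({ tag: tag, msg: msg });
        if (sink) sink("[hook] Log.d(" + tag + ", " + msg + ")");
        // Calling this.d() from inside the replacement runs the original, so
        // the app keeps logging normally and only gains our observer.
        return this.d(tag, msg);
      };
  });
  return seen;
}

// When loaded by Frida (e.g. frida -U -l hook.js -f com.example.app, with
// com.example.app standing in for the real package), `Java` is defined.
if (typeof Java !== "undefined") {
  installLogHook(Java, console.log);
}
```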
22. Android App Defences
There are multiple defences that Android developers use to protect their apps
from attackers. They include:
- Security through Obscurity
- Anti Emulation / Anti-VM checks
- Anti-Debug checks
- Root check
- SSL Pinning
- Tamper detection
- Obfuscation
- Packers
24. Security Through Obscurity
- Hardcoded passwords are no longer very popular
- The trend is Base64-encoded strings or character / buffer arrays
- Some apps even store secrets in .so (shared object) files
28. Anti Emulation / Anti-VM checks
Find more at: https://github.com/CalebFenton/AndroidEmulatorDetect/blob/master/app/src/main/java/org/cf/emulatordetect/Detector.java