Frida is an instrumentation framework which is greatly helpful for dynamic analysis. This presentation was a part of my talk at @Nullblr - https://null.co.in/event_sessions/2039-getting-started-with-frida-on-android-apps
Transcript
1.
Pentesting
Android Apps
using Frida
(Beginner level)
2.
Some other titles
Instrumentation at the age of obfuscation
Pentesting Android Apps using Dynamic Binary
Instrumentation
It’s a secure Android app ! Let’s hook it up
3.
Agenda
- Introduction to Frida
- Android app basics
- Android app defences
- Using Frida to bypass basic defences
- Demo
4.
What is Frida ?
Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
6.
What is Dynamic Instrumentation ?
Ability to monitor or measure the level of a product's performance, to diagnose errors and to write trace information.
Includes code tracing, debugging, profiling, etc.
8.
Finally, What is Frida ?
Frida is a toolkit which can be used to monitor / debug a process (an app at runtime).
9.
Frida
- More than an instrumentation framework.
- Injects scripts into processes. Only JavaScript
- Portable. Multi-platform support.
- Windows / Linux / Mac
- Android / iOS
- Bindings in multiple languages
- NodeJS
- Python
- Swift bindings
- .NET bindings
- C API
- Free. Complete code on GitHub
10.
How does it work ?
Version of server and client should match. Select the correct architecture.
11.
Modes of Operation
- Injected
- Spawn an existing program (create and execute a child process)
- Attach/hook to a running program
- Hijack a process when it's spawned
- Requires root/admin privileges
- Embedded
- Useful in non-jailbroken iOS / non-root Android
- Preloaded
12.
Frida Toolkit
- frida : CLI tool
- frida-discover : Tool to discover internal functions
- frida-kill : Tool to kill processes
- frida-ls-devices : Tool to list attached devices
- frida-ps : CLI tool to list processes (useful for remote systems)
- frida-trace : Tool for dynamically tracing function calls
13.
Why do we need another debugger ?
- More than a debugger
- Apart from setting breakpoints, it helps with injecting code
- From a security perspective, apps have been checking for the presence of debuggers for a long time, mainly GDB
“GDB in 2018 is prevented in 2018 different funny ways with different funny tricks”
- Best suited for Android apps due to disadvantages in the previous instrumentation framework, Xposed (restart required for every code change)
14.
Android App Basics
- Android apps were traditionally developed using Java, now moving to Kotlin
- Each app runs as its own user (user-level isolation)
- Activity
- onCreate - initialization function
- Compiled apps must be signed
- Android had been using the Dalvik VM, but is now moving to the Android Runtime (ART)
21.
Frida common API
Java.use("android.util.Log") - Obtains a wrapper for that particular class
.implementation - Overrides the default implementation of a method
.overload - Selects a specific signature when a method is overloaded; really useful when polymorphism is used
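As an added example (not part of the original deck), a Frida script that combines Java.use, .overload and .implementation to trace every android.util.Log call an app makes, which is a quick way to check whether sensitive data ends up in logcat. It assumes the script is loaded into the target process with the Frida CLI; the helper names installLogHooks and formatLogCall are my own.

```javascript
// Added example (not from the original deck): trace android.util.Log calls
// with the three Frida APIs above. The `Java` bridge exists only inside the
// instrumented process, so the installer takes the bridge as a parameter and
// is invoked at the end only when the bridge is present.

// Format one intercepted call; long messages are truncated to keep output readable.
function formatLogCall(level, tag, msg, hasThrowable) {
  const text = msg === null || msg === undefined ? '<null>' : String(msg);
  const shown = text.length > 80 ? text.slice(0, 77) + '...' : text;
  return 'Log.' + level + '(' + tag + ') ' + shown + (hasThrowable ? ' [+throwable]' : '');
}

// Hook the (String, String) and (String, String, Throwable) overloads of
// Log.v/d/i/w/e. Each call is reported to `sink` and then forwarded to the
// original method so the app keeps behaving normally. Returns the hook count.
function installLogHooks(javaBridge, sink) {
  const Log = javaBridge.use('android.util.Log');          // Java.use: class wrapper
  let hooked = 0;
  for (const level of ['v', 'd', 'i', 'w', 'e']) {
    // .overload picks one signature: Log.d(String, String) vs Log.d(String, String, Throwable)
    const twoArg = Log[level].overload('java.lang.String', 'java.lang.String');
    const threeArg = Log[level].overload('java.lang.String', 'java.lang.String', 'java.lang.Throwable');
    // .implementation replaces the method body; calling the wrapper inside it reaches the original
    twoArg.implementation = function (tag, msg) {
      sink(formatLogCall(level, tag, msg, false));
      return twoArg.call(this, tag, msg);
    };
    threeArg.implementation = function (tag, msg, tr) {
      sink(formatLogCall(level, tag, msg, true));
      return threeArg.call(this, tag, msg, tr);
    };
    hooked += 2;
  }
  return hooked;
}

// Inside Frida, the Java bridge may only be touched from Java.perform().
if (typeof Java !== 'undefined') {
  Java.perform(() => {
    const n = installLogHooks(Java, line => console.log(line));
    console.log('[*] hooked ' + n + ' android.util.Log overloads');
  });
}
```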
22.
Android App Defences
There are multiple defences that Android developers use to protect their apps from attackers. They include:
- Security through Obscurity
- Anti Emulation / Anti-VM checks
- Anti-Debug checks
- Root check
- SSL Pinning
- Tamper detection
- Obfuscation
- Packers
24.
Security Through Obscurity
- Hardcoded plaintext passwords are not very popular any more
- The trend is Base64-encoded strings, character arrays or byte buffers
- Secrets are even stored in .so (shared object) files
28.
Anti Emulation / Anti-VM checks
Find more at: https://github.com/CalebFenton/AndroidEmulatorDetect/blob/master/app/src/main/java/org/cf/emulatordetect/Detector.java
29.
Scenario (flow diagram)
StartAction() calls CheckVM()
- NOT VM -> Sensitive Action
- VM -> Non-Sensitive Action