Pentesting Android Apps using Frida (Beginners)

Description

Frida is an instrumentation framework which is greatly helpful for dynamic analysis. This presentation was a part of my talk at @Nullblr - https://null.co.in/event_sessions/2039-getting-started-with-frida-on-android-apps

Transcript

  1. Pentesting Android Apps using Frida (Beginner level)
  2. Some other titles
     - Instrumentation at the age of obfuscation
     - Pentesting Android Apps using Dynamic Binary Instrumentation
     - It's a secure Android app! Let's hook it up
  3. Agenda
     - Introduction to Frida
     - Android app basics
     - Android app defences
     - Using Frida to bypass basic defences
     - Demo
  4-5. What is Frida? Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
  6-7. What is Dynamic Instrumentation? The ability to monitor or measure the level of a product's performance, to diagnose errors and to write trace information. It includes code tracing, debugging, profiling, etc.
  8. Finally, what is Frida? Frida is a toolkit which can be used to monitor / debug a process (an app at runtime).
  9. Frida
     - More than an instrumentation framework.
     - Injects scripts into processes. JavaScript only.
     - Portable, with multi-platform support: Windows / Linux / Mac, Android / iOS
     - Bindings in multiple languages: NodeJS, Python, Swift bindings, .NET bindings, C API
     - Free. Complete code on GitHub.
  10. How does it work? The server and client versions must match, and the server build must be selected for the correct architecture.
  11. Modes of Operation
     - Injected
       - Spawn an existing program (create and execute a child process)
       - Attach/hook to a running program
       - Hijack a process when it is spawned
       - Requires root/admin privileges
     - Embedded: useful on non-jailbroken iOS / non-rooted Android
     - Preloaded
  12. Frida Toolkit
     - frida: CLI tool
     - frida-discover: tool to discover internal functions
     - frida-kill: tool to kill processes
     - frida-ls-devices: tool to list attached devices
     - frida-ps: CLI tool to list processes (useful for remote systems)
     - frida-trace: tool for dynamically tracing function calls
  13. Why do we need another debugger?
     - More than a debugger: apart from setting breakpoints, it helps inject code.
     - From a security perspective, apps have been checking for the presence of debuggers for a long time, mainly GDB: "GDB in 2018 is prevented in 2018 different funny ways with different funny tricks"
     - Best suited for Android apps because of the disadvantages of the previous instrumentation framework, Xposed (a restart is required for every code change).
  14. Android App Basics
     - Android apps were traditionally developed using Java, now moving to Kotlin
     - Each app runs as its own user (user-level isolation)
     - Activity: onCreate is the initialization function
     - Compile it. The app is required to be signed.
     - Android had been using the Dalvik VM, but is now moving to the Android RunTime (ART)
  15. Java example
  16. Java example. Output: Good Morning, Null Comrades
  17. Frida for Android
  18. Frida useful commands
       frida-ps -U
       frida -U com.target.app --no-pause
       frida -U -l ssl-pinning.js -f com.target.app --no-pause
       frida -U -c pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f com.target.app --no-pause
  19. DEMO #1
  20. Frida Template for Android (JavaScript)
       Java.perform(function() {
           Java.enumerateLoadedClasses({
               "onMatch": function(className) {
                   if (className.includes("badshah")) {
                       console.log(className)
                   }
               },
               "onComplete": function() {}
           })
       })
  21. Frida common API
     - Java.use("android.util.Log"): uses that particular class
     - .implementation: overrides the default implementation
     - .overload: when polymorphism is used (several methods share one name), this can be really useful
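An added example (not code from the talk) that puts the slide 18-21 workflow into Frida's Python bindings: the injected script hooks the (String, String) overloads of android.util.Log with .overload/.implementation and reports each call with send(), while the Python side counts calls per tag and flags messages that look like credentials being written to logcat. Assumptions: frida-tools installed on the host, a frida-server of the same version running on the USB device, and the SENSITIVE patterns are constructed for illustration.

```python
"""Trace an app's android.util.Log calls with Frida (added example, not from the talk)."""
import re
import time

# JavaScript injected into the app, using the slide 21 API: Java.use / .overload / .implementation.
HOOK_SCRIPT = r"""
Java.perform(function () {
  var Log = Java.use("android.util.Log");
  ["v", "d", "i", "w", "e"].forEach(function (level) {
    // Each Log level has several overloads; select the (String tag, String msg) one explicitly.
    Log[level].overload("java.lang.String", "java.lang.String").implementation = function (tag, msg) {
      send({ level: level, tag: tag, msg: msg });  // report the call to the Python side
      return this[level](tag, msg);                // then run the original method
    };
  });
});
"""

# Constructed patterns for values an app should never write to logcat.
SENSITIVE = re.compile(r"\b(password|passwd|pwd|token|secret|authorization)\b\s*[:=]", re.I)


def classify(payload):
    """Return (tag, is_sensitive) for one {level, tag, msg} payload sent by the script."""
    tag = payload.get("tag", "")
    return tag, bool(SENSITIVE.search(tag + " " + payload.get("msg", "")))


class LogCollector:
    """Aggregates script messages: call count per tag, plus payloads that look like leaks."""
    def __init__(self):
        self.counts, self.findings = {}, []

    def on_message(self, message, data=None):
        if message.get("type") != "send":      # script errors arrive as type "error"; skip them
            return
        tag, sensitive = classify(message["payload"])
        self.counts[tag] = self.counts.get(tag, 0) + 1
        if sensitive:
            self.findings.append(message["payload"])


def trace(package, seconds=30):
    """Equivalent of `frida -U -l hook.js -f <package> --no-pause`, via the Python bindings."""
    import frida  # pip install frida-tools; frida-server of the same version must run on the device
    device = frida.get_usb_device()           # -U
    pid = device.spawn([package])             # -f: spawn the app, suspended
    session = device.attach(pid)
    collector = LogCollector()
    script = session.create_script(HOOK_SCRIPT)
    script.on("message", collector.on_message)
    script.load()
    device.resume(pid)                        # --no-pause
    time.sleep(seconds)
    session.detach()
    return collector
```

Run it with `trace("com.target.app")` and inspect `.counts` and `.findings` on the returned collector.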
  22-23. Android App Defences. There are multiple defences that Android developers use to protect their apps from attackers. They include:
     - Security through obscurity
     - Anti-emulation / anti-VM checks
     - Anti-debug checks
     - Root check
     - SSL pinning
     - Tamper detection
     - Obfuscation
     - Packers
  24. Security Through Obscurity
     - Hardcoded passwords are not very popular any more
     - The trend is Base64-encoded values / character or buffer arrays
     - Some are even stored in .so (shared object) files
  25. Scenario (diagram): FTPConnector(pwd()) -> pwd() -> Internet
  26. Code
  27. DEMO #2
  28. Anti-Emulation / Anti-VM checks. Find more at: https://github.com/CalebFenton/AndroidEmulatorDetect/blob/master/app/src/main/java/org/cf/emulatordetect/Detector.java
  29. Scenario (flowchart): StartAction() -> CheckVM(); NOT VM -> Sensitive Action; VM -> Non-Sensitive Action
  30. Code
  31. DEMO #3
  32. Anti-Debug Check. Change the command, as per the root detection script in Frida codeshare.
  33. Scenario (flowchart): StartAction() -> CheckDebug(); NO DEBUG -> Sensitive Action; DEBUG -> Non-Sensitive Action
  34. Code
  35. DEMO #4
  36. THE END
