SlideShare a Scribd company logo

idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat em.pdf

idsecconf
idsecconf

Pembahasan ini bertujuan untuk memberikan edukasi tentang mekanisme perlindungan yang diterapkan pada aplikasi android seperti root detection, ssl pinning, anti emulation, tamper detection dan bagaimana teknik yang digunakan untuk melakukan mekanisme bypass proteksi yang diimplementasikan dengan bantuan reverse engineering menggunakan tool seperti frida, ghidra, objection, magisk, dan sebagainya.

Mobile
1 of 95
Download to read offline
By Aan @petruknisme Hide `n seek with Android App Protections & Beat `em
HELLO! I’m… Aan Wahyu a.k.a petruknisme ● Lead Security Consultant @ Horangi ● Infosec Enthusiast & Part-time coder ● Passionate with OSINT, RE, and Red Team
Background Along with the rapid development of mobile application technology meeting various needs and providing convenience to their users. In this case, significant developments are also needed in the security aspect that guarantees privacy and security, especially user data. Therefore, a penetration testing or application audit process is needed to ensure that an application is suitable for use by the public. If this is not done properly, there is a high possibility of data leakage resulting in losses on the user side and on the company.
Background To prevent modification, manipulation or hacking, it is not uncommon for developers to apply protection to applications. This aims to minimize losses that could occur. As someone who works as a penetration tester, For applications can be tested properly, it is often necessary to bypass the implemented protection so that the required tools or processes can run according to the predetermined penetration testing workflow.
Table of contents Root Detection 01 03 02 04 SSL Pinning Anti Emulation Frida Detection
01 Root Detection
Root Detection To prevent modifications or manipulations that impact the application, root detection is implemented. Basically, the application will check files that are indicated to be part of the rooted device and when it finds this indication, the application will prevent access or perform an exit/crash so that the application cannot run on a rooted device.
Checking the BUILD tag for test-keys Checking SU binary and installed root package Root Detection Methods Checking common root cloaking apps Checking permission for system directory Checking dangerous props Many more
Sample Root Detection
Sample Root Detection
Reverse Engineering Apk Process Several processes are required in reverse engineering an APK. Start by unpacking the APK using an archive extractor such as WinRAR, WinZip, etc. After that, the dex file will be disassembled and decompiled into java source which is still a java class file.
01.1 Bypassing root detection using manual modification of smali Manual Modification
Extracting Apk To bypass root detection using the smali patch method, the first step that must be done is to extract the content in the apk using apktool
Searching the right function Then we can search for the word isRooted with the help of a code editor. In this example case, the isRooted function is in the Rootbeer.smali file As you can see, isRooted function are calling other function for checking: 1. Su Binary 2. RW Paths 3. Root via Native Checks 4. Magisk Specific checks 5. etc
Bypassing checkForSuBinary In the checkForSuBinary() function, change move-result v0 to const/4 v0, 0x0 with the aim of making the value of the variable v0 false instead of to taking a dynamic value from the result of the checkForBinary() function .method public checkForSuBinary()Z .locals 1 const-string v0, "su" .line 160 invoke-virtual {p0, v0}, Lcom/scottyab/rootbeer/RootBeer;->checkForBinary(Ljava/lang/String;)Z const/4 v0, 0x0 <-- Edited return v0
Bypassing checkSuExist In the checkSuExist() function, change value of v0 to 0x0 after if-eqz v2
Bypassing checkForRWPaths In the checkForRWPaths() function, add return v1 at the end of the function so that the function always returns false because the v1 variable is already false.
Bypassing checkForRootNative In the checkForRootNative() function, change the v1 value at the end of the function to 0x0 so that the returned value is false. .method public checkForRootNative()Z ---------------------SNIPPET------------- if-lez v0, :cond_2 const/4 v1, 0x0 <-- Edited :catch_0 :cond_2 return v1 .end method
Bypassing checkForMagiskBinary In the checkForMagiskBinary() function, change move-result v0 to const/4 v0, 0x0 with the aim of making the value of the variable v0 false instead of taking a dynamic value from the result of the checkForBinary() function
Rebuild, sign and install
Result We are successfully bypassing root detection with manual modification of smali files
01.2 Bypassing root detection using frida instrumentation Frida Instrumentation
Frida Instrumentation As we know, we need to bypass these protection to be able to run the app in rooted device: ● SU Binary ● RW Paths ● Root via Native Checks ● Magisk Specific Checks I assume that we already know how to write frida script. For the first step, we will try to hook one of the function to make sure that our script is working
Frida Instrumentation
Final frida Script For the rest of functions, we just need to copy and modify with the function name that we will hook. But, for keeping it simple(KISS) and follow DRY principle, I’ve modified the script to be more simple, short, and easy to understand.
Result
01.3 Bypassing root detection using objection Objection
What? objection is a runtime mobile exploration toolkit, powered by Frida, built to help you assess the security posture of your mobile applications, without needing a jailbreak. ● Supports both iOS and Android. ● Inspect and interact with container file systems. ● Bypass SSL pinning. ● Dump keychains. ● Perform memory related tasks, such as dumping & patching. ● Explore and manipulate objects on the heap. ● And much, much more… Installation Installation is simply a matter of pip3 install objection. This will give you the objection command. You can update an existing objection installation with pip3 install --upgrade objection.
What? https://github.com/sensepost/objection/wiki/Screenshots
No need script, only command line
No need script, only command line Partially success bypassing rootbeer checker with objection command “android root disable”
Hook & patch the right function Before patching the functions, we need to know the class first android hooking list class_methods com.example.app.class
Set return value After we know the right class_methods, we can set the return value android hooking set return_value com.app.example.class.method
01.4 Bypassing root detection using Magisk Zygisk Magisk Zygisk
Magisk In simple terms, Magisk is a tool to help users gain root access by patching the ROM. For further information regarding installation and configuration, please refer to https://github.com/topjohnwu/Magisk The easiest method is to rely on Zygisk Denylist in the Magisk application. To be able to enjoy Zygisk, Magisk version that must be installed is v24.1+.
Setup
Setup
Result
02 SSL Pinning
SSL Pinning SSL pinning is a technique that helps to prevent MiTM attacks by hardcoding the SSL/TLS certificate’s public key into the app or device. This means that when the app or device communicates with the server, it will compare the server’s SSL/TLS certificate’s public key with the one that is hardcoded into the app or device. https://www.indusface.com/learning/what-is-ssl-pinning-a-quick-walk-through/
02.1 Bypassing SSL Pinning using manual modification of smali Manual Modification
Manual In this discussion, I will start by explaining how we can bypass the SSL Pinning process by manually modifying smalis. The target that will be used in this case study is an android application that use Cordova Framework. When connecting to the server, the application refused the connection because the certificate on the device did not match, because I was intercept the traffic using Burp Suite. With the help of “adb logcat | logcat-color”, I can find out the error message given by the application when it refuses a connection to the server.
Manual As you can see, android certificate pinning is failing and complaining about mismatch certificate hash. Our peer certificate chain is for PortSwigger(BurpSuite), but the Pinned Certificate for a domain(masked) is defined in the android resource file.
Best Approach Decompile apk and search for the right string. In this case, the file containing the word is in resource/assets/www/pinning/ . After knowing which file is appropriate, the next step is to modify the string sha256/dGxxxxx to sha256/fKxxxxx referring to the previous error message.
Recompile
Result
02.2 Bypassing SSL Pinning using Objection Objection
Approach As in the discussion for bypassing root detection, we can also do the same thing with the help of objection. There are two methods that can be done, using the built-in objection feature or manual patching of the return_value from class_method. For the study case, we will use https://github.com/httptoolkit/android-s sl-pinning-demo/releases/download/v1. 3.1/pinning-demo.apk
Approach Error when intercepted with burpsuite
Objection
Debugging
Debugging
02.3 Bypassing SSL Pinning using Frida Frida
Frida For bypassing SSL Pinning with Frida, we can use frida codeshare or create our own script.
Frida-codeshare Bypassing previous ssl pinning protection that failed when using objection, we can use frida codeshare from https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/
Frida scripting For manual approach, we can search the right function, hook, replace the return value same as in the bypassing root detection
02.4 Bypassing Flutter SSL Pinning Bypassing Flutter
Flutter One of the reasons it is difficult to bypass SSL Pinning in Flutter is because Flutter compiles the code into native machine code. This makes common techniques such as method hooking or code injection in SSL Pinning bypass unable to be carried out, even the experiments that we have carried out previously. Flutter ignores proxy settings on the device so that applications cannot be intercepted. If in the previous case the application would error when passing through the proxy without the SSL pinning bypass process, this does not apply to Flutter because the application will only make a direct connection to the server without passing through the proxy even though it has been set on the device.
02.4.1 Bypassing Flutter SSL Pinning using reFlutter reFlutter
reFlutter This framework helps with Flutter apps reverse engineering using the patched version of the Flutter library which is already compiled and ready for app repacking. This library has snapshot deserialization process modified to allow you perform dynamic analysis in a convenient way. Key features: ● socket.cc is patched for traffic monitoring and interception; ● dart.cc is modified to print classes, functions and some fields; ● display absolute code offset for functions ● contains minor changes for successfull compilation; ● if you would like to implement your own patches, there is manual Flutter code change is supported using specially crafted Dockerfile
reFlutter
reFlutter
reFlutter
02.4.1 Bypassing Flutter SSL Pinning Ghidra & Frida pattern matching Frida Pattern Matching
Concepts Referring to the article https://blog.nviso.eu/2022/08/18/intercept-flutter-traffic-on-ios-and-android-http-h ttps-dio-pinning/, to bypass SSL pinning on Flutter , we can use the pattern matching method after knowing the pattern of the SSL pinning checking offset address. In simple terms, the steps taken are: ● Find references to the string “x509.cc” and compare them to x509.cc to find session_verify_cert_chain ● Find references to the method you identified in order to identify ssl_verify_peer_cert
Concepts https://blog.nviso.eu/2019/08/13/intercepting-traffic-from-android-flutter-applications/
Concepts
Concepts Alternatively, we can use Frida’s pattern matching engine to search for functions that look very similar to the function from the demo app. The first bytes of a function are typically very stable, as long as the number of local variables and function arguments don’t change. Still, different compilers may generate different assembly code (e.g. usage of different registers or optimisations) so we do need to have some wildcards in our pattern. https://blog.nviso.eu/2022/08/18/intercept-flutter-traffic-on-ios-and-android-http-https-dio-pinning/
reFlutter
03 Emulator Detection
Emulator Detection Emulators are usually used to make it easier for reverse engineers, hackers or pentesters to run applications without needing to have the original device. Because usually, emulators can be easily created and deleted when there are errors or different needs, whereas the original device cannot. It is not uncommon for malware developers to use this check to ensure that their application is able to obtain or control the victim's original data or device. For this case study, we will use https://github.com/reveny/Android-Emulator-Detection/ The app detect emulator with this checks: ● checkHardware(); ● checkMounts(); ● checkModules(); ● checkCPU(); ● checkFiles(); ● checkCPUArchitecture();
Emulator Detection
Concepts Different from the previous discussion, this time our target is using the Java Native Interface. So, we can't do hooking like we did before. This is because all checking processes occur in libraries that have been compiled into objects. In this example, all the checks are in the libemulatordetector.so file. The first thing we have to do is find out what JNI functions are available, you can use Frida's help or use nm demangle.
Bypass To bypass, the first thing to do is tracing with frida-trace. In this case, I will specifically look for the dlopen function because this function is usually used to load shared libraries. It can be seen that what is used is android_dlopen_ext to load the shared library file libemulatordetector.so. So with this info, we can create code to hook Frida.
When we run Frida with this code, we can see that libemulatordetector.so is loaded from the android_dlopen_ext function
03 Frida Detection
Concepts In some cases, developers create protection so that the application checks the existence of Frida on the device. This is to prevent pentesters/hackers from being able to run Binary Instruments using Frida as in the previous discussion. There are several mechanisms used to detect the presence of frida, including: ● Detection of named pipes used by Frida ● Detect frida specific thread names ● Detect the port used by Frida ● Etc For this discussion, I used a customized application to detect frida existence
Concepts In some cases, developers create protection so that the application checks the existence of Frida on the device. This is to prevent pentesters/hackers from being able to run Binary Instruments using Frida as in the previous discussion. There are several mechanisms used to detect the presence of frida, including: ● Detection of named pipes used by Frida ● Detect frida specific thread names ● Detect the port used by Frida ● Etc For this discussion, I used a customized application to detect frida existence
Sample app
Frida-server detection The mechanism used by the application to detect frida-server is to check whether there are files in /data/local/tmp/frida-se rver.
Frida-server detection
/proc detection The mechanism used is to check /proc/self/maps to detect the presence of frida-agent
/proc detection
Default frida port detection Another mechanism is to check the default Frida port, if the default port can be accessed then that indicates Frida is running
Default frida port detection To bypass this protection, we can change the default port used when running frida-server with the following command
Default frida port detection
Frida Thread Detection The application detects the Frida thread by checking /proc/self/task/<PID>/status and comparing its contents with FRIDA_THREAD_GUM_JS_LOOP and FRIDA_THREAD_GMAIN.
Frida Thread Detection To bypass this protection, we can easily manipulate the strstr function every time we find the specified words
CREDITS: This presentation template was created by Slidesgo, and includes icons by Flaticon, and infographics & images by Freepik Thanks! me@petruknisme t.me/@petruknisme linkedin.com/in/aancw Do you have any questions? Please keep this slide for attribution

Recommended

idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf
 
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
idsecconf
 
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
idsecconf
 
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Heap exploitation
Heap exploitationHeap exploitation
Heap exploitation
Angel Boy
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018
Christopher Korban
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
Katie Nickels
 

Recommended

idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf
 
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
idsecconf
 
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
idsecconf
 
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Heap exploitation
Heap exploitationHeap exploitation
Heap exploitation
Angel Boy
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018
Christopher Korban
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
Katie Nickels
 
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Florian Roth
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
n|u - The Open Security Community
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
IIJ
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
Michael Gough
 
Linux privilege escalation
Linux privilege escalationLinux privilege escalation
Linux privilege escalation
SongchaiDuangpan
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CK
MITRE ATT&CK
 
WEP/WPA attacks
WEP/WPA attacksWEP/WPA attacks
WEP/WPA attacks
Huda Seyam
 
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
CODE BLUE
 
Symmetric encryption and message confidentiality
Symmetric encryption and message confidentialitySymmetric encryption and message confidentiality
Symmetric encryption and message confidentiality
CAS
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE Activities
MITRE ATT&CK
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
Sergey Soldatov
 
Ceh v5 module 04 enumeration
Ceh v5 module 04 enumerationCeh v5 module 04 enumeration
Ceh v5 module 04 enumeration
Vi Tính Hoàng Nam
 
C2 Matrix A Comparison of Command and Control Frameworks
C2 Matrix A Comparison of Command and Control FrameworksC2 Matrix A Comparison of Command and Control Frameworks
C2 Matrix A Comparison of Command and Control Frameworks
Jorge Orchilles
 
Deep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons LearnedDeep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons Learned
Priti Desai
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
Sunny Neo
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)
Angel Boy
 
Purple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConPurple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMCon
Jorge Orchilles
 
Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...
Mazin Alwaaly
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of Linux
Julian Catrambone
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
Matthew Dunwoody
 
From Reversing to Exploitation: Android Application Security in Essence
From Reversing to Exploitation: Android Application Security in EssenceFrom Reversing to Exploitation: Android Application Security in Essence
From Reversing to Exploitation: Android Application Security in Essence
Satria Ady Pradana
 
From Reversing to Exploitation
From Reversing to ExploitationFrom Reversing to Exploitation
From Reversing to Exploitation
Satria Ady Pradana
 

More Related Content

What's hot

Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CK
MITRE ATT&CK
 
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
CODE BLUE
 
C2 Matrix A Comparison of Command and Control Frameworks
C2 Matrix A Comparison of Command and Control FrameworksC2 Matrix A Comparison of Command and Control Frameworks
C2 Matrix A Comparison of Command and Control Frameworks
Jorge Orchilles
 
Purple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConPurple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMCon
Jorge Orchilles
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of Linux
Julian Catrambone
 

What's hot (20)

Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
 
Linux privilege escalation
Linux privilege escalationLinux privilege escalation
Linux privilege escalation
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CK
 
WEP/WPA attacks
WEP/WPA attacksWEP/WPA attacks
WEP/WPA attacks
 
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
 
Symmetric encryption and message confidentiality
Symmetric encryption and message confidentialitySymmetric encryption and message confidentiality
Symmetric encryption and message confidentiality
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE Activities
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
Ceh v5 module 04 enumeration
Ceh v5 module 04 enumerationCeh v5 module 04 enumeration
Ceh v5 module 04 enumeration
 
C2 Matrix A Comparison of Command and Control Frameworks
C2 Matrix A Comparison of Command and Control FrameworksC2 Matrix A Comparison of Command and Control Frameworks
C2 Matrix A Comparison of Command and Control Frameworks
 
Deep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons LearnedDeep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons Learned
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)
 
Purple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConPurple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMCon
 
Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of Linux
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 

Similar to idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat em.pdf

Similar to idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat em.pdf (20)

From Reversing to Exploitation: Android Application Security in Essence
From Reversing to Exploitation: Android Application Security in EssenceFrom Reversing to Exploitation: Android Application Security in Essence
From Reversing to Exploitation: Android Application Security in Essence
 
From Reversing to Exploitation
From Reversing to ExploitationFrom Reversing to Exploitation
From Reversing to Exploitation
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android Apps
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
 
Droidcon mobile security
Droidcon mobile securityDroidcon mobile security
Droidcon mobile security
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
 
Mobile binary code - Attack Tree and Mitigation
Mobile binary code - Attack Tree and MitigationMobile binary code - Attack Tree and Mitigation
Mobile binary code - Attack Tree and Mitigation
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
 
ANTI-ANTI-CODE-MODIFICATION MiSSConf(SP5) 2019
ANTI-ANTI-CODE-MODIFICATION MiSSConf(SP5) 2019ANTI-ANTI-CODE-MODIFICATION MiSSConf(SP5) 2019
ANTI-ANTI-CODE-MODIFICATION MiSSConf(SP5) 2019
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
Pyramid tutorial
Pyramid tutorialPyramid tutorial
Pyramid tutorial
 
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeMobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the Code
 
Securing a Cloud Migration
Securing a Cloud MigrationSecuring a Cloud Migration
Securing a Cloud Migration
 
Securing a Cloud Migration
Securing a Cloud MigrationSecuring a Cloud Migration
Securing a Cloud Migration
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensics
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetup
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10
 
IRJET- Secure Android Application Development and Security Assessment
IRJET- Secure Android Application Development and Security AssessmentIRJET- Secure Android Application Development and Security Assessment
IRJET- Secure Android Application Development and Security Assessment
 

More from idsecconf

idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdfidsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
idsecconf
 
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf
 
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
idsecconf
 
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdfRama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
idsecconf
 
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
idsecconf
 
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
idsecconf
 
Utian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdfUtian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdf
idsecconf
 
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabellaHacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
idsecconf
 

More from idsecconf (20)

idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdfidsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
 
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
 
Ali - The Journey-Hack Electron App Desktop (MacOS).pdf
Ali - The Journey-Hack Electron App Desktop (MacOS).pdfAli - The Journey-Hack Electron App Desktop (MacOS).pdf
Ali - The Journey-Hack Electron App Desktop (MacOS).pdf
 
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
 
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdfRama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
 
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
 
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdfNosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
 
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
 
Utian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdfUtian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdf
 
Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...
 
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
Perkembangan infrastruktur kunci publik di indonesia - Andika TriwidadaPerkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
 
Pentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - AbdullahPentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - Abdullah
 
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabellaHacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
 
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi DwiantoDevsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
 
Stream crime
Stream crime Stream crime
Stream crime
 
(Paper) Mips botnet worm with open wrt sdk toolchains
(Paper) Mips botnet worm with open wrt sdk toolchains(Paper) Mips botnet worm with open wrt sdk toolchains
(Paper) Mips botnet worm with open wrt sdk toolchains
 
Mips router targeted worm botnet
Mips router targeted worm botnetMips router targeted worm botnet
Mips router targeted worm botnet
 
The achilles heel of GPN Card implementation
The achilles heel of GPN Card implementationThe achilles heel of GPN Card implementation
The achilles heel of GPN Card implementation
 
iot hacking, smartlockpick
iot hacking, smartlockpick iot hacking, smartlockpick
iot hacking, smartlockpick
 

Recently uploaded

Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...
Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...
Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...
nishasame66
 
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
Cara Menggugurkan Kandungan 087776558899
 

Recently uploaded (8)

Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...
Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...
Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...
 
Bromazolam CAS 71368-80-4 high quality opiates, Safe transportation, 99% pure
Bromazolam CAS 71368-80-4 high quality opiates, Safe transportation, 99% pureBromazolam CAS 71368-80-4 high quality opiates, Safe transportation, 99% pure
Bromazolam CAS 71368-80-4 high quality opiates, Safe transportation, 99% pure
 
Mobile Application Development-Components and Layouts
Mobile Application Development-Components and LayoutsMobile Application Development-Components and Layouts
Mobile Application Development-Components and Layouts
 
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
 
Mobile Application Development- Configuration and Android Installation
Mobile Application Development- Configuration and Android InstallationMobile Application Development- Configuration and Android Installation
Mobile Application Development- Configuration and Android Installation
 
Mobile Application Development-Android and It’s Tools
Mobile Application Development-Android and It’s ToolsMobile Application Development-Android and It’s Tools
Mobile Application Development-Android and It’s Tools
 
Mobile App Penetration Testing Bsides312
Mobile App Penetration Testing Bsides312Mobile App Penetration Testing Bsides312
Mobile App Penetration Testing Bsides312
 
Android Application Components with Implementation & Examples
Android Application Components with Implementation & ExamplesAndroid Application Components with Implementation & Examples
Android Application Components with Implementation & Examples
 

idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat em.pdf

  • 1. By Aan @petruknisme Hide `n seek with Android App Protections & Beat `em
  • 2. HELLO! I’m… Aan Wahyu a.k.a petruknisme ● Lead Security Consultant @ Horangi ● Infosec Enthusiast & Part-time coder ● Passionate with OSINT, RE, and Red Team
  • 3. Background Along with the rapid development of mobile application technology meeting various needs and providing convenience to their users. In this case, significant developments are also needed in the security aspect that guarantees privacy and security, especially user data. Therefore, a penetration testing or application audit process is needed to ensure that an application is suitable for use by the public. If this is not done properly, there is a high possibility of data leakage resulting in losses on the user side and on the company.
  • 4. Background To prevent modification, manipulation or hacking, it is not uncommon for developers to apply protection to applications. This aims to minimize losses that could occur. As someone who works as a penetration tester, For applications can be tested properly, it is often necessary to bypass the implemented protection so that the required tools or processes can run according to the predetermined penetration testing workflow.
  • 5. Table of contents Root Detection 01 03 02 04 SSL Pinning Anti Emulation Frida Detection
  • 7. Root Detection To prevent modifications or manipulations that impact the application, root detection is implemented. Basically, the application will check files that are indicated to be part of the rooted device and when it finds this indication, the application will prevent access or perform an exit/crash so that the application cannot run on a rooted device.
  • 8. Checking the BUILD tag for test-keys Checking SU binary and installed root package Root Detection Methods Checking common root cloaking apps Checking permission for system directory Checking dangerous props Many more
  • 11. Reverse Engineering Apk Process Several processes are required in reverse engineering an APK. Start by unpacking the APK using an archive extractor such as WinRAR, WinZip, etc. After that, the dex file will be disassembled and decompiled into java source which is still a java class file.
  • 12. 01.1 Bypassing root detection using manual modification of smali Manual Modification
  • 13. Extracting Apk To bypass root detection using the smali patch method, the first step that must be done is to extract the content in the apk using apktool
  • 14. Searching the right function Then we can search for the word isRooted with the help of a code editor. In this example case, the isRooted function is in the Rootbeer.smali file As you can see, isRooted function are calling other function for checking: 1. Su Binary 2. RW Paths 3. Root via Native Checks 4. Magisk Specific checks 5. etc
  • 15. Bypassing checkForSuBinary In the checkForSuBinary() function, change move-result v0 to const/4 v0, 0x0 with the aim of making the value of the variable v0 false instead of to taking a dynamic value from the result of the checkForBinary() function .method public checkForSuBinary()Z .locals 1 const-string v0, "su" .line 160 invoke-virtual {p0, v0}, Lcom/scottyab/rootbeer/RootBeer;->checkForBinary(Ljava/lang/String;)Z const/4 v0, 0x0 <-- Edited return v0
  • 16. Bypassing checkSuExist In the checkSuExist() function, change value of v0 to 0x0 after if-eqz v2
  • 17. Bypassing checkForRWPaths In the checkForRWPaths() function, add return v1 at the end of the function so that the function always returns false because the v1 variable is already false.
  • 18. Bypassing checkForRootNative In the checkForRootNative() function, change the v1 value at the end of the function to 0x0 so that the returned value is false. .method public checkForRootNative()Z ---------------------SNIPPET------------- if-lez v0, :cond_2 const/4 v1, 0x0 <-- Edited :catch_0 :cond_2 return v1 .end method
  • 19. Bypassing checkForMagiskBinary In the checkForMagiskBinary() function, change move-result v0 to const/4 v0, 0x0 with the aim of making the value of the variable v0 false instead of taking a dynamic value from the result of the checkForBinary() function
  • 20. Rebuild, sign and install
  • 21. Result We are successfully bypassing root detection with manual modification of smali files
  • 22. 01.2 Bypassing root detection using frida instrumentation Frida Instrumentation
  • 23. Frida Instrumentation As we know, we need to bypass these protection to be able to run the app in rooted device: ● SU Binary ● RW Paths ● Root via Native Checks ● Magisk Specific Checks I assume that we already know how to write frida script. For the first step, we will try to hook one of the function to make sure that our script is working
  • 25. Final frida Script For the rest of functions, we just need to copy and modify with the function name that we will hook. But, for keeping it simple(KISS) and follow DRY principle, I’ve modified the script to be more simple, short, and easy to understand.
  • 27. 01.3 Bypassing root detection using objection Objection
  • 28. What? objection is a runtime mobile exploration toolkit, powered by Frida, built to help you assess the security posture of your mobile applications, without needing a jailbreak. ● Supports both iOS and Android. ● Inspect and interact with container file systems. ● Bypass SSL pinning. ● Dump keychains. ● Perform memory related tasks, such as dumping & patching. ● Explore and manipulate objects on the heap. ● And much, much more… Installation Installation is simply a matter of pip3 install objection. This will give you the objection command. You can update an existing objection installation with pip3 install --upgrade objection.
  • 30. No need script, only command line
  • 31. No need script, only command line Partially success bypassing rootbeer checker with objection command “android root disable”
  • 32. Hook & patch the right function Before patching the functions, we need to know the class first android hooking list class_methods com.example.app.class
  • 33. Set return value After we know the right class_methods, we can set the return value android hooking set return_value com.app.example.class.method
  • 34. 01.4 Bypassing root detection using Magisk Zygisk Magisk Zygisk
  • 35. Magisk In simple terms, Magisk is a tool to help users gain root access by patching the ROM. For further information regarding installation and configuration, please refer to https://github.com/topjohnwu/Magisk The easiest method is to rely on Zygisk Denylist in the Magisk application. To be able to enjoy Zygisk, Magisk version that must be installed is v24.1+.
  • 36. Setup
  • 37. Setup
  • 40. SSL Pinning SSL pinning is a technique that helps to prevent MiTM attacks by hardcoding the SSL/TLS certificate’s public key into the app or device. This means that when the app or device communicates with the server, it will compare the server’s SSL/TLS certificate’s public key with the one that is hardcoded into the app or device. https://www.indusface.com/learning/what-is-ssl-pinning-a-quick-walk-through/
  • 41. 02.1 Bypassing SSL Pinning using manual modification of smali Manual Modification
  • 42. Manual In this discussion, I will start by explaining how we can bypass the SSL Pinning process by manually modifying smalis. The target that will be used in this case study is an android application that use Cordova Framework. When connecting to the server, the application refused the connection because the certificate on the device did not match, because I was intercept the traffic using Burp Suite. With the help of “adb logcat | logcat-color”, I can find out the error message given by the application when it refuses a connection to the server.
  • 43. Manual As you can see, android certificate pinning is failing and complaining about mismatch certificate hash. Our peer certificate chain is for PortSwigger(BurpSuite), but the Pinned Certificate for a domain(masked) is defined in the android resource file.
  • 44. Best Approach Decompile apk and search for the right string. In this case, the file containing the word is in resource/assets/www/pinning/ . After knowing which file is appropriate, the next step is to modify the string sha256/dGxxxxx to sha256/fKxxxxx referring to the previous error message.
  • 47. 02.2 Bypassing SSL Pinning using Objection Objection
  • 48. Approach As in the discussion for bypassing root detection, we can also do the same thing with the help of objection. There are two methods that can be done, using the built-in objection feature or manual patching of the return_value from class_method. For the study case, we will use https://github.com/httptoolkit/android-s sl-pinning-demo/releases/download/v1. 3.1/pinning-demo.apk
  • 53. 02.3 Bypassing SSL Pinning using Frida Frida
  • 54. Frida For bypassing SSL Pinning with Frida, we can use frida codeshare or create our own script.
  • 55. Frida-codeshare Bypassing previous ssl pinning protection that failed when using objection, we can use frida codeshare from https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/
  • 56. Frida scripting For manual approach, we can search the right function, hook, replace the return value same as in the bypassing root detection
  • 57. 02.4 Bypassing Flutter SSL Pinning Bypassing Flutter
  • 58. Flutter One of the reasons it is difficult to bypass SSL Pinning in Flutter is because Flutter compiles the code into native machine code. This makes common techniques such as method hooking or code injection in SSL Pinning bypass unable to be carried out, even the experiments that we have carried out previously. Flutter ignores proxy settings on the device so that applications cannot be intercepted. If in the previous case the application would error when passing through the proxy without the SSL pinning bypass process, this does not apply to Flutter because the application will only make a direct connection to the server without passing through the proxy even though it has been set on the device.
  • 59.
  • 60.
  • 61.
  • 62. 02.4.1 Bypassing Flutter SSL Pinning using reFlutter reFlutter
  • 63. reFlutter This framework helps with Flutter apps reverse engineering using the patched version of the Flutter library which is already compiled and ready for app repacking. This library has snapshot deserialization process modified to allow you perform dynamic analysis in a convenient way. Key features: ● socket.cc is patched for traffic monitoring and interception; ● dart.cc is modified to print classes, functions and some fields; ● display absolute code offset for functions ● contains minor changes for successfull compilation; ● if you would like to implement your own patches, there is manual Flutter code change is supported using specially crafted Dockerfile
  • 67. 02.4.1 Bypassing Flutter SSL Pinning Ghidra & Frida pattern matching Frida Pattern Matching
  • 68. Concepts Referring to the article https://blog.nviso.eu/2022/08/18/intercept-flutter-traffic-on-ios-and-android-http-h ttps-dio-pinning/, to bypass SSL pinning on Flutter , we can use the pattern matching method after knowing the pattern of the SSL pinning checking offset address. In simple terms, the steps taken are: ● Find references to the string “x509.cc” and compare them to x509.cc to find session_verify_cert_chain ● Find references to the method you identified in order to identify ssl_verify_peer_cert
  • 71. Concepts Alternatively, we can use Frida’s pattern matching engine to search for functions that look very similar to the function from the demo app. The first bytes of a function are typically very stable, as long as the number of local variables and function arguments don’t change. Still, different compilers may generate different assembly code (e.g. usage of different registers or optimisations) so we do need to have some wildcards in our pattern. https://blog.nviso.eu/2022/08/18/intercept-flutter-traffic-on-ios-and-android-http-https-dio-pinning/
  • 74. Emulator Detection Emulators are usually used to make it easier for reverse engineers, hackers or pentesters to run applications without needing to have the original device. Because usually, emulators can be easily created and deleted when there are errors or different needs, whereas the original device cannot. It is not uncommon for malware developers to use this check to ensure that their application is able to obtain or control the victim's original data or device. For this case study, we will use https://github.com/reveny/Android-Emulator-Detection/ The app detect emulator with this checks: ● checkHardware(); ● checkMounts(); ● checkModules(); ● checkCPU(); ● checkFiles(); ● checkCPUArchitecture();
  • 76. Concepts Different from the previous discussion, this time our target is using the Java Native Interface. So, we can't do hooking like we did before. This is because all checking processes occur in libraries that have been compiled into objects. In this example, all the checks are in the libemulatordetector.so file. The first thing we have to do is find out what JNI functions are available, you can use Frida's help or use nm demangle.
  • 77. Bypass To bypass, the first thing to do is tracing with frida-trace. In this case, I will specifically look for the dlopen function because this function is usually used to load shared libraries. It can be seen that what is used is android_dlopen_ext to load the shared library file libemulatordetector.so. So with this info, we can create code to hook Frida.
  • 78. When we run Frida with this code, we can see that libemulatordetector.so is loaded from the android_dlopen_ext function
  • 79.
  • 80.
  • 81.
  • 83. Concepts In some cases, developers create protection so that the application checks the existence of Frida on the device. This is to prevent pentesters/hackers from being able to run Binary Instruments using Frida as in the previous discussion. There are several mechanisms used to detect the presence of frida, including: ● Detection of named pipes used by Frida ● Detect frida specific thread names ● Detect the port used by Frida ● Etc For this discussion, I used a customized application to detect frida existence
  • 84. Concepts In some cases, developers create protection so that the application checks the existence of Frida on the device. This is to prevent pentesters/hackers from being able to run Binary Instruments using Frida as in the previous discussion. There are several mechanisms used to detect the presence of frida, including: ● Detection of named pipes used by Frida ● Detect frida specific thread names ● Detect the port used by Frida ● Etc For this discussion, I used a customized application to detect frida existence
  • 86. Frida-server detection The mechanism used by the application to detect frida-server is to check whether there are files in /data/local/tmp/frida-se rver.
  • 88. /proc detection The mechanism used is to check /proc/self/maps to detect the presence of frida-agent
  • 90. Default frida port detection Another mechanism is to check the default Frida port, if the default port can be accessed then that indicates Frida is running
  • 91. Default frida port detection To bypass this protection, we can change the default port used when running frida-server with the following command
  • 92. Default frida port detection
  • 93. Frida Thread Detection The application detects the Frida thread by checking /proc/self/task/<PID>/status and comparing its contents with FRIDA_THREAD_GUM_JS_LOOP and FRIDA_THREAD_GMAIN.
  • 94. Frida Thread Detection To bypass this protection, we can easily manipulate the strstr function every time we find the specified words
  • 95. CREDITS: This presentation template was created by Slidesgo, and includes icons by Flaticon, and infographics & images by Freepik Thanks! me@petruknisme t.me/@petruknisme linkedin.com/in/aancw Do you have any questions? Please keep this slide for attribution