This document discusses using Frida, a dynamic instrumentation toolkit, to bypass security defenses in Android apps. It provides an introduction to Frida and how it works, describes common Android app defenses like anti-debugging and anti-emulation checks, and demonstrates how to use Frida to bypass some of these defenses through code injection and interception. The document contains code examples and promises a demo of using Frida to monitor and intercept methods in an Android app in real-time.

1. Pentesting
Android Apps
using Frida
(Beginner level)

2. Some other titles
Instrumentation at the age of obfuscation
Pentesting Android Apps using Dynamic Binary
Instrumentation
It’s a secure Android app ! Let’s hook it up

3. Agenda
- Introduction to Frida
- Android app basics
- Android app defences
- Using Frida to bypass basic defences
- Demo

4. What is Frida ?
Dynamic instrumentation toolkit for developers, reverse-
engineers, and security researchers.

5. What is Frida ?
Dynamic instrumentation toolkit for developers, reverse-
engineers, and security researchers.

6. What is Dynamic Instrumentation ?
Ability to monitor or measure the level of a product's
performance, to diagnose errors and to write trace
information.
Includes code tracing, debugging, profiling, etc

7. What is Dynamic Instrumentation ?
Ability to monitor or measure the level of a product's
performance, to diagnose errors and to write trace
information.
Includes code tracing, debugging, profiling, etc

8. Finally, What is Frida ?
Frida is a toolkit which can be used to monitor / debug a
process (app at runtime)

9. Frida
- More than an instrumentation framework.
- Injects scripts into processes. Only JavaScript
- Portable. Multi-platform support.
- Windows / Linux / Mac
- Android / iOS
- Bindings in multiple languages
- NodeJS
- Python
- Swift bindings
- .NET bindings
- C API
- Free. Complete code on GitHub

10. How does it work ?
Version of server and client should match. Select the correct architecture.

11. Modes of Operation
- Injected
- Spawn an existing program (create and execute child process)
- Attach/Hooking to running program
- Hijack a process when its spawned
- Requires Root/Admin priv
- Embedded
- Useful in non-jailbroken iOS / non-root Android
- Preloaded

12. Frida Toolkit
- frida : CLI tool
- frida-discover : Tool to discover internal functions
- frida-kill : Tool to kill processes
- frida-ls-devices : Tool to list attached devices
- frida-ps : CLI tool to list processes (useful for remote systems)
- frida-trace : Tool for dynamically tracing function calls

13. Why do we need another debugger ?
- More than a debugger
- Apart from setting breakpoints, it helps injecting code
- From security perspective, apps have been checking for the presence of
debuggers since a long time. Mainly GDB
“GDB in 2018 is prevented in 2018 different funny ways with different funny
tricks”
- Best suited for Android apps due to disadvantages in previous
instrumentation framework - Xposed.
(Restart required for every code change)

14. Android App Basics
- Android apps were traditionally developed using Java, now moving to
Kotlin
- Each app runs as a user (user level isolation)
- Activity
- onCreate - initialization function
- Compile it. Requires it to be signed.
- Android had been using Dalvik VM, but now they are moving to Android
RunTime (ART)

15. Java example

16. Java example
Output: Good Morning, Null Comrades

17. Frida for Android

18. Frida Useful commands
frida-ps -U
frida -U com.target.app --no-pause
frida -U -l ssl-pinning.js -f com.target.app --no-pause
frida -U -c pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f
com.target.app --no-pause

19. DEMO #1

20. Frida Template for Android - JavaScript
Java.perform(function() {
Java.enumerateLoadedClasses({
"onMatch":function(className){
if(className.includes("badshah")) {
console.log(className) }
},
"onComplete":function(){}
}
)})

21. Frida common API
Java.use("android.util.Log") - Uses that particular class
.implementation - Overrides the default implementation
.overload - When polymorphism is used, this can be really useful

22. Android App Defences
There are multiple defences that Android developers use to protect their apps
from attackers. They include:
- Security through Obscurity
- Anti Emulation / Anti-VM checks
- Anti-Debug checks
- Root check
- SSL Pinning
- Tamper detection
- Obfuscation
- Packers

23. Android App Defences
There are multiple defences that Android developers use to protect their apps
from attackers. They include:
- Security through Obscurity
- Anti Emulation / Anti-VM checks
- Anti-Debug checks
- Root check
- SSL Pinning
- Tamper detection
- Obfuscation
- Packers

24. Security Through Obscurity
- Hardcoded passwords are not very popular
- Trend is Base64 encoded / Character / Buffer array
- Even store in .so (shared object) files

25. Scenario:
FTPConnector(pwd())
pwd()
Internet

26. Code

27. DEMO #2

28. Anti Emulation / Anti-VM checks
Find more at: https://github.com/CalebFenton/AndroidEmulatorDetect/blob/master/app/src/main/java/org/cf/emulatordetect/Detector.java

29. Scenario
Sensitive Action
Non-Sensitive
Action
StartAction()
CheckVM()
NOT VM VM

30. Code

31. DEMO #3

32. Anti Debug Check
Change the command - as per root detection in Frida codeshare

33. Scenario
Sensitive Action
Non-Sensitive
Action
StartAction()
CheckDebug()
NO DEBUG DEBUG

34. Code

35. DEMO #4

36. THE END