SlideShare a Scribd company logo
Pwning Mobile Apps
Without Root or Jailbreak
> Abraham Aranguren
> abraham@7asecurity.com
> @7asecurity
> @7a_
+ 7asecurity.com
CureCon 2018, Berlin
Agenda
• Motivation
• Repackaging & Instrumentation examples
• Android
• iOS
• Q&A
• Director at 7ASecurity, check out our public reports, presentations, etc:
7asecurity.com/#publications
• Author of Practical Web Defense, a hands-on attack & defense course:
www.elearnsecurity.com/PWD
• Founder and leader of OWASP OWTF, an OWASP flagship project:
owtf.org
• Some presentations: www.slideshare.net/abrahamaranguren/presentations
• Some sec certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE: Security,
MCSA: Security, Security+
• Some dev certs: ZCE PHP 5, ZCE PHP 4, Oracle PL/SQL Developer Certified
Associate, MySQL 5 CMDev, MCTS SQL Server 2005
Who am I
Motivation
● iOS jailbreaks are not always available:
○ The app requires iOS version X, without a public jailbreak available
● iOS/Android jailbreak/root detection might take too long to bypass
○ Example: root/jailbreak detection via obfuscated binary
● Test an app on a device you don’t want to root/jailbreak
● Avoid ptrace/debugging app checks due to tampered environment
Repackaging: Android - Problem: App filesystem access
Problem:
● When using the Android emulator/Genymotion you have a root shell
● BUT sometimes the app will only work on a real phone
● A non-rooted phone won’t give you a root shell
● A non-rooted phone won’t give you access to application files in
/data/data/…
● The app often has backups disabled too
Repackaging Solution:
● Modify the APK, enable backups
Repackaging: Android - Problem: Debugging
Problem:
● Some apps enable debugging features, such as Webview debugging or other
useful information in logcat, etc., when the app has debugging enabled
Repackaging Solution:
● Modify the APK, enable debugging
Step 1: Disassemble APK - apktool d some_app.apk -o some_app_disassembled
Step 2: Edit AndroidManifest.xml
Change: <application android:allowBackup="false"
To: <application android:allowBackup="true" android:debuggable="true"
Step 3: Repackage APK - apktool b some_app_disassembled -o
some_app_debug.apk
Step 4: Sign - jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore
my-release-key.keystore some_app_debug.apk alias_name
Step 5: Install - adb install some_app_debug.apk
Example: Backups + Debugging
Example: Backups + Debugging
Now we have access to app files via adb backup:
Step 1: Backup app files
adb backup some.app.com
Step 2: Make the backup useful
( printf "x1fx8bx08x00x00x00x00x00" ; tail -c +25 backup.ab ) | tar xfvz -
Step 3: Review files :)
Yay file access!
Repackaging: Android - Problem: Pinning
● Often a problem at the start of the test as you try to MitM :)
● We can modify the APK to skip certificate pinning checks
Repackaging: Android - Problem: Pinning Examp
Step 1: Disassemble - apktool d some_app.apk -o some_app_disassembled
Step 2: Find file to modify - grep -Ir checkServerTrusted *
Step 3: Modify the file
.method public final
checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)
V
[...] return-void # Pinning bypass
Steps 4-6: Repackage, Sign & Install :)
Wait, is it that easy?
Repackaging: Android - Problem: Root detection
● Sometimes apps refuse to run when your phone is rooted
● Repackaging often allows us to bypass these checks and enjoy root powers
:D
Android repackaging - Root detection bypass example 1
Step 1: Disassemble - apktool d some.apk -o some_disassembled
Step 2: Remove check from app
Java Code: if (isRooted()) [...]
Related Smali Code: if-eqz v0, :cond_0
Change Smali Code to: if-nez v0, :cond_0
NOTE: The if-nez opcode inverts the condition, hence bypassing the check
Steps 3-5: Repackage, Sign & Install :)
Android repackaging - Root detection bypass example 2
Step 1: Disassemble - apktool d some.apk -o some_disassembled
Step 2: Remove check from app, return “False” from isRooted
.method public isRooted()Z
const/4 v0, 0x0 # False
return v0 # Return false
[...]
Steps 3-5: Repackage, Sign & Install :)
So this is awesome, right?
Limitations of apktool-style Android repackaging
● Limited to changes in smali code:
○ We can only modify Java code disassembled as smali
○ If the app loads and runs code from a binary we cannot modify that (at
least not as easily :D)
● Changes are static
○ If you notice later that you need further changes you need to:
■ Disassemble
■ Modify
■ Repackage, Sign and Install
■ … For each modification! :P
Further reading
Must-use tool for Android repackaging:
https://ibotpeaches.github.io/Apktool/
Cool smali opcode references:
http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
https://source.android.com/devices/tech/dalvik/dalvik-bytecode
What is Frida? - https://www.frida.re/
● Dynamic Instrumentation Toolkit
● Allows hooking and observing/modifying any app function:
○ Crypto APIs
○ Proprietary functions
○ Even functionality in binaries
● Lets you inject snippets of JavaScript into native apps that run on Windows,
Mac, Linux, iOS and Android
In short:
Frida Gadgets allow root-like access on apps from not-rooted/jailbroken devices
How to add Frida to an APK so we can run it without root?
Step 1: Disassemble - apktool d some_app.apk -o some_app_disassembled
Step 2: Add the frida-gadget binaries to the APK - For the correct architecture! :)
https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-androi
d-x86.so.xz
https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-androi
d-x86_64.so.xz
https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-androi
d-arm.so.xz
https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-androi
d-arm64.so.xz
How do I know the architecture?
ADB Command:
adb shell getprop ro.product.cpu.abi
Example Output (Genymotion):
x86
Step 2: Adding the Frida-Gadget to the APK - (ARM 32bits)
Download:
wget
https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-a
ndroid-arm.so.xz
Uncompress: unxz frida-gadget-12.0.8-android-arm.so.xz
Copy:
cp frida-gadget-12.0.8-android-arm.so
some_disassembled/lib/armeabi/libfrida-gadget.so
Step 3: Make the APK load the Gadget
Find main activity:
find . | grep -i main | grep smali$
Add the following smali code to the constructor:
const-string v0, "frida-gadget"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
Corresponding Java Code:
System.loadLibrary("frida-gadget")
Step 4: Ensure network permissions in AndroidManifest.xml
We will talk to Frida over the network so the app needs to use the internet, most
apps do but worth double checking:
File:
AndroidManifest.xml
Make sure it has:
<uses-permission android:name="android.permission.INTERNET" />
Repackage, Sign & Install
Step 5: Repackage APK - apktool b some_app_disassembled -o
some_app_debug.apk
Step 6: Sign - jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore
my-release-key.keystore some_app_debug.apk alias_name
Step 7: Install - adb install some_app_debug.apk
Basic Frida usage
Logcat - Frida: Listening on TCP port 27042
The PID will show Gadget instead of the original package name:
Command:
$ frida-ps –U
Output:
PID Name
----- ------
16071 Gadget
Basic Frida usage – Interactive Instrumentation Shell
Command:
frida -U Gadget --no-pause
Output:
Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
[USB::Android Emulator 5556::['com.android.chrome']]-> Java.androidVersion
"7.1.1"
Basic Frida usage – Public script example: Root Bypass
https://github.com/0xdea/frida-scripts/blob/master/android-snippets/raptor_frida
_android_bypass.js
Usage (Frida Server): frida -U -f com.xxx.yyy -l raptor_frida_android.js
--no-pause
Usage (Frida Gadget): frida -U Gadget -l raptor_frida_android.js --no-pause
Basic Frida usage – Public script example: Root Bypass
setTimeout(function() { // avoid java.lang.ClassNotFoundException
Java.perform(function() {// Root detection bypass example
var hook = Java.use("com.target.utils.RootCheck");
hook.isRooted.overload().implementation = function() {
console.log("info: entered target method");
var retval = this.isRooted.overload().call(this); //old retval
console.log("old ret value: " + retval);
var retnew = false; // set new retval
console.log("new ret value: " + retnew);
return retnew;
}
});
}, 0);
Basic Frida usage – Crypto Hooks
https://gitlab.com/roxanagogonea/frida-scripts/blob/master/cryptography/crypt
ography.js
setImmediate(function() {
Java.perform(function() {
var keyGenerator = Java.use("javax.crypto.KeyGenerator");
keyGenerator.generateKey.implementation = function () {
console.log("[*] Generate symmetric key called. ");
return this.generateKey();
};
});
});
Basic Frida usage – Crypto Hooks
setImmediate(function() {
Java.perform(function() {
var keyGenerator = Java.use("javax.crypto.KeyGenerator");
keyGenerator.getInstance.overload('java.lang.String').implementation =
function (var0) {
console.log("[*] KeyGenerator.getInstance called with algorithm: " + var0 +
"n");
return this.getInstance(var0);
};
});
});
Basic Frida usage – Crypto Hooks
setImmediate(function() {
Java.perform(function() {
var keyGenerator = Java.use("javax.crypto.KeyGenerator");
keyGenerator.getInstance.overload('java.lang.String',
'java.lang.String').implementation = function (var0, var1) {
console.log("[*] KeyGenerator.getInstance called with algorithm: " + var0 + "
and provider: " + var1 + "n");
return this.getInstance(var0, var1);
};
});
});
Basic Frida usage – Shared Preferences
setImmediate(function() {
Java.perform(function() {
var contextWrapper = Java.use("android.content.ContextWrapper");
var sharedPreferencesEditor =
Java.use("android.app.SharedPreferencesImpl$EditorImpl");
sharedPreferencesEditor.putString.overload('java.lang.String',
'java.lang.String').implementation = function(var0, var1) {
console.log("[*] Added a new String value to SharedPreferences with key: " +
var0 + " and value " + var1 + "n");
var editor = this.putString(var0, var1);
return editor;
}});});
Basic Frida usage – SQLite query hooks
setImmediate(function() {
Java.perform(function() {
var sqliteDatabase = Java.use("android.database.sqlite.SQLiteDatabase");
sqliteDatabase.execSQL.overload('java.lang.String').implementation =
function(var0) {
console.log("[*] SQLiteDatabase.exeqSQL called with query: " + var0 + "n");
var execSQLRes = this.execSQL(var0);
return execSQLRes;
};});});
https://gitlab.com/roxanagogonea/frida-scripts/blob/master/data-storage/sqlite-d
atabase.js
Further reading & Frida script examples
https://www.frida.re/docs/gadget/
https://koz.io/using-frida-on-android-without-root/
https://www.codemetrix.net/hacking-android-apps-with-frida-1/
https://github.com/iddoeldor/frida-snippets
https://github.com/poxyran/misc
https://gitlab.com/roxanagogonea/frida-scripts/blob/master/
Can this be automated?
Here are some attempts:
https://github.com/dpnishant/appmon/tree/master/apk_builder
BUT BUT BUT … What about iOS????
iOS Reversing 101
Usual approach overview:
● Decrypt IPA with Clutch - https://github.com/KJCracks/Clutch
● Generate Objective-C headers with class-dump -
https://github.com/nygard/class-dump
● Disassemble with Hopper - https://www.hopperapp.com/index.html
Explained by filedescriptor ☺
https://blog.innerht.ml/page/2/
iOS Repackaging Guides
https://labs.mwrinfosecurity.com/blog/repacking-and-resigning-ios-applications/
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/octo
ber/ios-instrumentation-without-jailbreak/
https://github.com/sensepost/objection/wiki/Patching-iOS-Applications
iOS Repackaging - Step 1: Add Apple ID to XCode
Add an Apple ID to Xcode: Xcode / Preferences / Accounts / Add Apple ID
iOS Repackaging - Step 2: Manage Certificates
iOS Repackaging - Step 2: Manage Certificates – iOS Dev
iOS Repackaging - Step 2: Manage Certificates – Done
iOS Repackaging - Step 2: Verify Code Signing Certificate
Command:
security find-identity -p codesigning -v
Output:
1) xxx[…] "iPhone Developer: abraham+1@cure53.de ([…]XX)"
1 valid identities found
iOS Repackaging - Step 3: Create mobileprovision file
iOS Repackaging - Step 3: Create mobileprovision file
iOS Repackaging - Step 3: Create mobileprovision file
iOS Repackaging - Step 3: Create mobileprovision file
iOS Repackaging - Step 3: Create mobileprovision file
iOS Repackaging - Step 3: Create mobileprovision file
Just login :D
iOS Repackaging - Step 3: Create mobileprovision file
● Plug your iPhone
● Select the iPhone as the target device on Xcode
● Hit the “Play” button
● Verify the mobileprovision file has been created:
find ~/Library/Developer/Xcode/DerivedData/ -name
embedded.mobileprovision
iOS Repackaging - Step 3: Create mobileprovision file
Do we have to do all this nonsense every time?
iOS Repackaging - Step 3: Create mobileprovision file
From here, each time we will “only” need to:
● Create a blank app
● Deploy it to an iDevice
This will create a new, valid provisioning file
iOS Repackaging - Step 4: IPA Patching Dependencies
● objection – from: https://github.com/sensepost/objection/wiki/Installation
● applesign - from: https://github.com/nowsecure/node-applesign
● insert_dylib - from: https://github.com/Tyilo/insert_dylib
● security, codesign, xcodebuild` - macOS/XCode commands
● zip & unzip - builtin, or just installed using homebrew
● 7z - installed using homebrew with brew install p7zip
iOS Repackaging - Step 4: IPA Patching Dependencies
Objection Installation:
pip3 install -U objection
More details and options:
https://github.com/sensepost/objection/wiki/Installation
iOS Repackaging - Step 4: IPA Patching Dependencies
applesign Installation:
npm install -g applesign.
If npm is missing:
brew install npm
iOS Repackaging - Step 4: IPA Patching Dependencies
insert_dylib installation:
Compile from source like so:
git clone https://github.com/Tyilo/insert_dylib
cd insert_dylib
xcodebuild
cp build/Release/insert_dylib /usr/local/bin/insert_dylib
iOS Repackaging - Step 4: IPA Patching
Command:
objection patchipa --source my-app.ipa --codesign-signature xxxx
iOS Repackaging - Step 5: Running the patched IPA
More dependencies :D
Install ios-deploy:
npm install -g ios-deploy
iOS Repackaging - Step 5: Running the patched IPA
Installing and running the app:
unzip my-app.ipa # Creates a Payload/ directory.
Unlock iDevice and plug via USB to your Mac
Run ios-deploy:
ios-deploy --bundle Payload/my-app.app -W -d
More intel and Linux instructions:
https://github.com/sensepost/objection/wiki/Running-Patched-iOS-Applications
iOS Repackaging - Step 6: Using Frida ☺
So now we can run Frida scripts:
frida -U Gadget -l <frida_script> --no-pause
Some nice examples for iOS inspiration:
https://github.com/iddoeldor/frida-snippets
https://github.com/0xdea/frida-scripts/tree/master/ios-snippets
Frida Examples – Filesystem access
https://github.com/nowsecure/frida-fs
const fs = require('frida-fs');
fs.createReadStream('/etc/hosts').pipe(networkStream);
Frida Examples – Grab iOS Screenshots
https://github.com/nowsecure/frida-screenshot
const screenshot = require('frida-screenshot');
const png = yield screenshot();
send({
name: '+screenshot',
payload: {
timestamp: Date.now()
}}, png);
Frida Examples – iOS instance member values
ObjC.choose(ObjC.classes[clazz], {
onMatch: function (obj) {
console.log('onMatch: ', obj);
Object.keys(obj.$ivars).forEach(function(v) {
console.log('t', v, '=', obj.$ivars[v]);
}); },
onComplete: function () { console.log('onComplete', arguments.length); }});
https://github.com/iddoeldor/frida-snippets
Frida Examples – iOS extract cookies
var cookieJar = [];
var cookies =
ObjC.classes.NSHTTPCookieStorage.sharedHTTPCookieStorage().cookies();
for (var i = 0, l = cookies.count(); i < l; i++) {
var cookie = cookies['- objectAtIndex:'](i);
cookieJar.push(cookie.Name() + '=' + cookie.Value());
}
console.log(cookieJar.join("; "));
https://github.com/iddoeldor/frida-snippets
Frida Examples – iOS monitor file access
Interceptor.attach(ObjC.classes.NSFileManager['-
fileExistsAtPath:'].implementation, {
onEnter: function (args) {
console.log('open' , ObjC.Object(args[2]).toString());
}
});
https://github.com/iddoeldor/frida-snippets
What is Objection?
● Wrapper around Frida
● Automates a lot of stuff via Frida hooks
● Works for iOS and Android
https://github.com/sensepost/objection/wiki
Demos from the author of objection
https://www.youtube.com/watch?v=zkxSFERFuBw
https://www.youtube.com/watch?v=AqqPGXa4nO8
https://www.youtube.com/watch?v=t3nRDELo_fY
https://www.youtube.com/watch?v=aL8Z2PctBFE
https://www.youtube.com/watch?v=Mhf92DeRk8c
> abraham@7asecurity.com
@7asecurity | + 7asecurity.com
@7a_
OWASP OWTF:
@owtfp | + owtf.org
Q & A
Thank you for your time

More Related Content

What's hot

Dangling DNS records takeover at scale
Dangling DNS records takeover at scaleDangling DNS records takeover at scale
Dangling DNS records takeover at scale
Chandrapal Badshah
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspective
SecuRing
 
Hackfest presentation.pptx
Hackfest presentation.pptxHackfest presentation.pptx
Hackfest presentation.pptx
Peter Yaworski
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
Mikhail Egorov
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
Mikhail Egorov
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
Frans Rosén
 
Ready player 2 Multiplayer Red Teaming Against macOS
Ready player 2  Multiplayer Red Teaming Against macOSReady player 2  Multiplayer Red Teaming Against macOS
Ready player 2 Multiplayer Red Teaming Against macOS
Cody Thomas
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
Sergey Belov
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - Beginners
Himanshu Kumar Das
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
Mikhail Egorov
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
GarethHeyes
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
Jason Lang
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
Frans Rosén
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking them
Mikhail Egorov
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧
Orange Tsai
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applications
Satish b
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
RyanISI
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
Security BSides Ahmedabad
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & Inconsistency
GreenD0g
 

What's hot (20)

Dangling DNS records takeover at scale
Dangling DNS records takeover at scaleDangling DNS records takeover at scale
Dangling DNS records takeover at scale
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspective
 
Hackfest presentation.pptx
Hackfest presentation.pptxHackfest presentation.pptx
Hackfest presentation.pptx
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
 
Ready player 2 Multiplayer Red Teaming Against macOS
Ready player 2  Multiplayer Red Teaming Against macOSReady player 2  Multiplayer Red Teaming Against macOS
Ready player 2 Multiplayer Red Teaming Against macOS
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - Beginners
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking them
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applications
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & Inconsistency
 

Similar to Pwning mobile apps without root or jailbreak

FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
Tony Thomas
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android Apps
Ron Munitz
 
Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testing
Roshan Kumar Gami
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
Hafez Kamal
 
Modifying Android Apps Without Source Code with Microsoft Visual Studio Code
Modifying Android Apps Without Source Code with Microsoft Visual Studio CodeModifying Android Apps Without Source Code with Microsoft Visual Studio Code
Modifying Android Apps Without Source Code with Microsoft Visual Studio Code
Ronillo Ang
 
Is Your App Hackable for droidcon Berlin 2015
Is Your App Hackable for droidcon Berlin 2015Is Your App Hackable for droidcon Berlin 2015
Is Your App Hackable for droidcon Berlin 2015
Licel
 
MOBILE PENTESTING Frida.pdf
MOBILE PENTESTING Frida.pdfMOBILE PENTESTING Frida.pdf
MOBILE PENTESTING Frida.pdf
Adityamd4
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
Oleg Gryb
 
Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration
Amazon Web Services
 
How to Build & Use OpenCL on OpenCV & Android NDK
How to Build & Use OpenCL on OpenCV & Android NDKHow to Build & Use OpenCL on OpenCV & Android NDK
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Synopsys Software Integrity Group
 
Frida Android run time hooking - Bhargav Gajera & Vitthal Shinde
Frida  Android run time hooking - Bhargav Gajera & Vitthal ShindeFrida  Android run time hooking - Bhargav Gajera & Vitthal Shinde
Frida Android run time hooking - Bhargav Gajera & Vitthal Shinde
NSConclave
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
Egor Tolstoy
 
Implementing generic JNI hardware control for Kotlin based app on AOSP
Implementing generic JNI hardware control for Kotlin based app on AOSPImplementing generic JNI hardware control for Kotlin based app on AOSP
Implementing generic JNI hardware control for Kotlin based app on AOSP
Cheng Wig
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Romansh Yadav
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
Cláudio André
 
Kandroid for nhn_deview_20131013_v5_final
Kandroid for nhn_deview_20131013_v5_finalKandroid for nhn_deview_20131013_v5_final
Kandroid for nhn_deview_20131013_v5_final
NAVER D2
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
Oleg Gryb
 
Android Penetration testing - Day 2
 Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
Mohammed Adam
 
apidays LIVE Paris 2021 - APIGEE, different ways for integrating with CI/CD p...
apidays LIVE Paris 2021 - APIGEE, different ways for integrating with CI/CD p...apidays LIVE Paris 2021 - APIGEE, different ways for integrating with CI/CD p...
apidays LIVE Paris 2021 - APIGEE, different ways for integrating with CI/CD p...
apidays
 

Similar to Pwning mobile apps without root or jailbreak (20)

FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android Apps
 
Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testing
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
 
Modifying Android Apps Without Source Code with Microsoft Visual Studio Code
Modifying Android Apps Without Source Code with Microsoft Visual Studio CodeModifying Android Apps Without Source Code with Microsoft Visual Studio Code
Modifying Android Apps Without Source Code with Microsoft Visual Studio Code
 
Is Your App Hackable for droidcon Berlin 2015
Is Your App Hackable for droidcon Berlin 2015Is Your App Hackable for droidcon Berlin 2015
Is Your App Hackable for droidcon Berlin 2015
 
MOBILE PENTESTING Frida.pdf
MOBILE PENTESTING Frida.pdfMOBILE PENTESTING Frida.pdf
MOBILE PENTESTING Frida.pdf
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
 
Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration
 
How to Build & Use OpenCL on OpenCV & Android NDK
How to Build & Use OpenCL on OpenCV & Android NDKHow to Build & Use OpenCL on OpenCV & Android NDK
How to Build & Use OpenCL on OpenCV & Android NDK
 
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical Apps
 
Frida Android run time hooking - Bhargav Gajera & Vitthal Shinde
Frida  Android run time hooking - Bhargav Gajera & Vitthal ShindeFrida  Android run time hooking - Bhargav Gajera & Vitthal Shinde
Frida Android run time hooking - Bhargav Gajera & Vitthal Shinde
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
 
Implementing generic JNI hardware control for Kotlin based app on AOSP
Implementing generic JNI hardware control for Kotlin based app on AOSPImplementing generic JNI hardware control for Kotlin based app on AOSP
Implementing generic JNI hardware control for Kotlin based app on AOSP
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
 
Kandroid for nhn_deview_20131013_v5_final
Kandroid for nhn_deview_20131013_v5_finalKandroid for nhn_deview_20131013_v5_final
Kandroid for nhn_deview_20131013_v5_final
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
Android Penetration testing - Day 2
 Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
 
apidays LIVE Paris 2021 - APIGEE, different ways for integrating with CI/CD p...
apidays LIVE Paris 2021 - APIGEE, different ways for integrating with CI/CD p...apidays LIVE Paris 2021 - APIGEE, different ways for integrating with CI/CD p...
apidays LIVE Paris 2021 - APIGEE, different ways for integrating with CI/CD p...
 

More from Abraham Aranguren

Why should you do a pentest?
Why should you do a pentest?Why should you do a pentest?
Why should you do a pentest?
Abraham Aranguren
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
Abraham Aranguren
 
VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012
Abraham Aranguren
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
Abraham Aranguren
 
Legal and efficient web app testing without permission
Legal and efficient web app testing without permissionLegal and efficient web app testing without permission
Legal and efficient web app testing without permission
Abraham Aranguren
 
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Abraham Aranguren
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011
Abraham Aranguren
 
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficBruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
Abraham Aranguren
 

More from Abraham Aranguren (8)

Why should you do a pentest?
Why should you do a pentest?Why should you do a pentest?
Why should you do a pentest?
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
 
VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
 
Legal and efficient web app testing without permission
Legal and efficient web app testing without permissionLegal and efficient web app testing without permission
Legal and efficient web app testing without permission
 
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011
 
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficBruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
 

Recently uploaded

Overview of Enterprise-scale landing zones using Cloud Adoption Framework Rea...
Overview of Enterprise-scale landing zones using Cloud Adoption Framework Rea...Overview of Enterprise-scale landing zones using Cloud Adoption Framework Rea...
Overview of Enterprise-scale landing zones using Cloud Adoption Framework Rea...
MarceloMiranda38200
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Kunal Gupta
 
Quantum Communications Q&A with Gemini LLM
Quantum Communications Q&A with Gemini LLMQuantum Communications Q&A with Gemini LLM
Quantum Communications Q&A with Gemini LLM
Vijayananda Mohire
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc
 
ScrumGathering New Orleans 2024 Catherine Louis.pdf
ScrumGathering New Orleans 2024  Catherine Louis.pdfScrumGathering New Orleans 2024  Catherine Louis.pdf
ScrumGathering New Orleans 2024 Catherine Louis.pdf
Global Agile Consulting- CLL-Group, LLC
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Muhammad Ali
 
DealBook of Ukraine: 2024 edition
DealBook of Ukraine: 2024 editionDealBook of Ukraine: 2024 edition
DealBook of Ukraine: 2024 edition
Yevgen Sysoyev
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
Priyanka Aash
 
Applying Retrieval-Augmented Generation (RAG) to Combat Hallucinations in GenAI
Applying Retrieval-Augmented Generation (RAG) to Combat Hallucinations in GenAIApplying Retrieval-Augmented Generation (RAG) to Combat Hallucinations in GenAI
Applying Retrieval-Augmented Generation (RAG) to Combat Hallucinations in GenAI
ssuserd4e0d2
 
WPRiders Company Presentation Slide Deck
WPRiders Company Presentation Slide DeckWPRiders Company Presentation Slide Deck
WPRiders Company Presentation Slide Deck
Lidia A.
 
BEGINNER’S GUIDE TO AI AGENTS (1).pptx...
BEGINNER’S GUIDE TO AI AGENTS (1).pptx...BEGINNER’S GUIDE TO AI AGENTS (1).pptx...
BEGINNER’S GUIDE TO AI AGENTS (1).pptx...
WriteMe
 
How RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptxHow RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptx
SynapseIndia
 
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyyActive Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
RaminGhanbari2
 
論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...
論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...
論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...
Toru Tamaki
 
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
Edge AI and Vision Alliance
 
How to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptxHow to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptx
Adam Dunkels
 
Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
Safe Software
 
WhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdf
WhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdfWhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdf
WhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdf
ArgaBisma
 
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - MydbopsScaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Mydbops
 
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and OllamaTirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Zilliz
 

Recently uploaded (20)

Overview of Enterprise-scale landing zones using Cloud Adoption Framework Rea...
Overview of Enterprise-scale landing zones using Cloud Adoption Framework Rea...Overview of Enterprise-scale landing zones using Cloud Adoption Framework Rea...
Overview of Enterprise-scale landing zones using Cloud Adoption Framework Rea...
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
 
Quantum Communications Q&A with Gemini LLM
Quantum Communications Q&A with Gemini LLMQuantum Communications Q&A with Gemini LLM
Quantum Communications Q&A with Gemini LLM
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
 
ScrumGathering New Orleans 2024 Catherine Louis.pdf
ScrumGathering New Orleans 2024  Catherine Louis.pdfScrumGathering New Orleans 2024  Catherine Louis.pdf
ScrumGathering New Orleans 2024 Catherine Louis.pdf
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
 
DealBook of Ukraine: 2024 edition
DealBook of Ukraine: 2024 editionDealBook of Ukraine: 2024 edition
DealBook of Ukraine: 2024 edition
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
 
Applying Retrieval-Augmented Generation (RAG) to Combat Hallucinations in GenAI
Applying Retrieval-Augmented Generation (RAG) to Combat Hallucinations in GenAIApplying Retrieval-Augmented Generation (RAG) to Combat Hallucinations in GenAI
Applying Retrieval-Augmented Generation (RAG) to Combat Hallucinations in GenAI
 
WPRiders Company Presentation Slide Deck
WPRiders Company Presentation Slide DeckWPRiders Company Presentation Slide Deck
WPRiders Company Presentation Slide Deck
 
BEGINNER’S GUIDE TO AI AGENTS (1).pptx...
BEGINNER’S GUIDE TO AI AGENTS (1).pptx...BEGINNER’S GUIDE TO AI AGENTS (1).pptx...
BEGINNER’S GUIDE TO AI AGENTS (1).pptx...
 
How RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptxHow RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptx
 
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyyActive Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
 
論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...
論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...
論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...
 
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
 
How to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptxHow to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptx
 
Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
 
WhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdf
WhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdfWhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdf
WhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdf
 
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - MydbopsScaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
 
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and OllamaTirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
 

Pwning mobile apps without root or jailbreak

  • 1. Pwning Mobile Apps Without Root or Jailbreak > Abraham Aranguren > abraham@7asecurity.com > @7asecurity > @7a_ + 7asecurity.com CureCon 2018, Berlin
  • 2. Agenda • Motivation • Repackaging & Instrumentation examples • Android • iOS • Q&A
  • 3. • Director at 7ASecurity, check out our public reports, presentations, etc: 7asecurity.com/#publications • Author of Practical Web Defense, a hands-on attack & defense course: www.elearnsecurity.com/PWD • Founder and leader of OWASP OWTF, an OWASP flagship project: owtf.org • Some presentations: www.slideshare.net/abrahamaranguren/presentations • Some sec certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE: Security, MCSA: Security, Security+ • Some dev certs: ZCE PHP 5, ZCE PHP 4, Oracle PL/SQL Developer Certified Associate, MySQL 5 CMDev, MCTS SQL Server 2005 Who am I
  • 4. Motivation ● iOS jailbreaks are not always available: ○ The app requires iOS version X, without a public jailbreak available ● iOS/Android jailbreak/root detection might take too long to bypass ○ Example: root/jailbreak detection via obfuscated binary ● Test an app on a device you don’t want to root/jailbreak ● Avoid ptrace/debugging app checks due to tampered environment
  • 5. Repackaging: Android - Problem: App filesystem access Problem: ● When using the Android emulator/Genymotion you have a root shell ● BUT sometimes the app will only work on a real phone ● A non-rooted phone won’t give you a root shell ● A non-rooted phone won’t give you access to application files in /data/data/… ● The app often has backups disabled too Repackaging Solution: ● Modify the APK, enable backups
  • 6. Repackaging: Android - Problem: Debugging Problem: ● Some apps enable debugging features, such as Webview debugging or other useful information in logcat, etc., when the app has debugging enabled Repackaging Solution: ● Modify the APK, enable debugging
  • 7. Step 1: Disassemble APK - apktool d some_app.apk -o some_app_disassembled Step 2: Edit AndroidManifest.xml Change: <application android:allowBackup="false" To: <application android:allowBackup="true" android:debuggable="true" Step 3: Repackage APK - apktool b some_app_disassembled -o some_app_debug.apk Step 4: Sign - jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore some_app_debug.apk alias_name Step 5: Install - adb install some_app_debug.apk Example: Backups + Debugging
  • 8. Example: Backups + Debugging Now we have access to app files via adb backup: Step 1: Backup app files adb backup some.app.com Step 2: Make the backup useful ( printf "x1fx8bx08x00x00x00x00x00" ; tail -c +25 backup.ab ) | tar xfvz - Step 3: Review files :)
  • 10. Repackaging: Android - Problem: Pinning ● Often a problem at the start of the test as you try to MitM :) ● We can modify the APK to skip certificate pinning checks
  • 11. Repackaging: Android - Problem: Pinning Examp Step 1: Disassemble - apktool d some_app.apk -o some_app_disassembled Step 2: Find file to modify - grep -Ir checkServerTrusted * Step 3: Modify the file .method public final checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;) V [...] return-void # Pinning bypass Steps 4-6: Repackage, Sign & Install :)
  • 12. Wait, is it that easy?
  • 13. Repackaging: Android - Problem: Root detection ● Sometimes apps refuse to run when your phone is rooted ● Repackaging often allows us to bypass these checks and enjoy root powers :D
  • 14. Android repackaging - Root detection bypass example 1 Step 1: Disassemble - apktool d some.apk -o some_disassembled Step 2: Remove check from app Java Code: if (isRooted()) [...] Related Smali Code: if-eqz v0, :cond_0 Change Smali Code to: if-nez v0, :cond_0 NOTE: The if-nez opcode inverts the condition, hence bypassing the check Steps 3-5: Repackage, Sign & Install :)
  • 15. Android repackaging - Root detection bypass example 2 Step 1: Disassemble - apktool d some.apk -o some_disassembled Step 2: Remove check from app, return “False” from isRooted .method public isRooted()Z const/4 v0, 0x0 # False return v0 # Return false [...] Steps 3-5: Repackage, Sign & Install :)
  • 16. So this is awesome, right?
  • 17. Limitations of apktool-style Android repackaging ● Limited to changes in smali code: ○ We can only modify Java code disassembled as smali ○ If the app loads and runs code from a binary we cannot modify that (at least not as easily :D) ● Changes are static ○ If you notice later that you need further changes you need to: ■ Disassemble ■ Modify ■ Repackage, Sign and Install ■ … For each modification! :P
  • 18. Further reading Must-use tool for Android repackaging: https://ibotpeaches.github.io/Apktool/ Cool smali opcode references: http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html https://source.android.com/devices/tech/dalvik/dalvik-bytecode
  • 19. What is Frida? - https://www.frida.re/ ● Dynamic Instrumentation Toolkit ● Allows hooking and observing/modifying any app function: ○ Crypto APIs ○ Proprietary functions ○ Even functionality in binaries ● Lets you inject snippets of JavaScript into native apps that run on Windows, Mac, Linux, iOS and Android In short: Frida Gadgets allow root-like access on apps from not-rooted/jailbroken devices
  • 20. How to add Frida to an APK so we can run it without root? Step 1: Disassemble - apktool d some_app.apk -o some_app_disassembled Step 2: Add the frida-gadget binaries to the APK - For the correct architecture! :) https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-androi d-x86.so.xz https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-androi d-x86_64.so.xz https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-androi d-arm.so.xz https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-androi d-arm64.so.xz
  • 21. How do I know the architecture? ADB Command: adb shell getprop ro.product.cpu.abi Example Output (Genymotion): x86
  • 22. Step 2: Adding the Frida-Gadget to the APK - (ARM 32bits) Download: wget https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-a ndroid-arm.so.xz Uncompress: unxz frida-gadget-12.0.8-android-arm.so.xz Copy: cp frida-gadget-12.0.8-android-arm.so some_disassembled/lib/armeabi/libfrida-gadget.so
  • 23. Step 3: Make the APK load the Gadget Find main activity: find . | grep -i main | grep smali$ Add the following smali code to the constructor: const-string v0, "frida-gadget" invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V Corresponding Java Code: System.loadLibrary("frida-gadget")
  • 24. Step 4: Ensure network permissions in AndroidManifest.xml We will talk to Frida over the network so the app needs to use the internet, most apps do but worth double checking: File: AndroidManifest.xml Make sure it has: <uses-permission android:name="android.permission.INTERNET" />
  • 25. Repackage, Sign & Install Step 5: Repackage APK - apktool b some_app_disassembled -o some_app_debug.apk Step 6: Sign - jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore some_app_debug.apk alias_name Step 7: Install - adb install some_app_debug.apk
  • 26. Basic Frida usage Logcat - Frida: Listening on TCP port 27042 The PID will show Gadget instead of the original package name: Command: $ frida-ps –U Output: PID Name ----- ------ 16071 Gadget
  • 27. Basic Frida usage – Interactive Instrumentation Shell Command: frida -U Gadget --no-pause Output: Commands: /_/ |_| help -> Displays the help system . . . . object? -> Display information about 'object' . . . . exit/quit -> Exit [USB::Android Emulator 5556::['com.android.chrome']]-> Java.androidVersion "7.1.1"
  • 28. Basic Frida usage – Public script example: Root Bypass https://github.com/0xdea/frida-scripts/blob/master/android-snippets/raptor_frida _android_bypass.js Usage (Frida Server): frida -U -f com.xxx.yyy -l raptor_frida_android.js --no-pause Usage (Frida Gadget): frida -U Gadget -l raptor_frida_android.js --no-pause
  • 29. Basic Frida usage – Public script example: Root Bypass setTimeout(function() { // avoid java.lang.ClassNotFoundException Java.perform(function() {// Root detection bypass example var hook = Java.use("com.target.utils.RootCheck"); hook.isRooted.overload().implementation = function() { console.log("info: entered target method"); var retval = this.isRooted.overload().call(this); //old retval console.log("old ret value: " + retval); var retnew = false; // set new retval console.log("new ret value: " + retnew); return retnew; } }); }, 0);
  • 30. Basic Frida usage – Crypto Hooks https://gitlab.com/roxanagogonea/frida-scripts/blob/master/cryptography/crypt ography.js setImmediate(function() { Java.perform(function() { var keyGenerator = Java.use("javax.crypto.KeyGenerator"); keyGenerator.generateKey.implementation = function () { console.log("[*] Generate symmetric key called. "); return this.generateKey(); }; }); });
  • 31. Basic Frida usage – Crypto Hooks setImmediate(function() { Java.perform(function() { var keyGenerator = Java.use("javax.crypto.KeyGenerator"); keyGenerator.getInstance.overload('java.lang.String').implementation = function (var0) { console.log("[*] KeyGenerator.getInstance called with algorithm: " + var0 + "n"); return this.getInstance(var0); }; }); });
  • 32. Basic Frida usage – Crypto Hooks setImmediate(function() { Java.perform(function() { var keyGenerator = Java.use("javax.crypto.KeyGenerator"); keyGenerator.getInstance.overload('java.lang.String', 'java.lang.String').implementation = function (var0, var1) { console.log("[*] KeyGenerator.getInstance called with algorithm: " + var0 + " and provider: " + var1 + "n"); return this.getInstance(var0, var1); }; }); });
  • 33. Basic Frida usage – Shared Preferences setImmediate(function() { Java.perform(function() { var contextWrapper = Java.use("android.content.ContextWrapper"); var sharedPreferencesEditor = Java.use("android.app.SharedPreferencesImpl$EditorImpl"); sharedPreferencesEditor.putString.overload('java.lang.String', 'java.lang.String').implementation = function(var0, var1) { console.log("[*] Added a new String value to SharedPreferences with key: " + var0 + " and value " + var1 + "n"); var editor = this.putString(var0, var1); return editor; }});});
  • 34. Basic Frida usage – SQLite query hooks setImmediate(function() { Java.perform(function() { var sqliteDatabase = Java.use("android.database.sqlite.SQLiteDatabase"); sqliteDatabase.execSQL.overload('java.lang.String').implementation = function(var0) { console.log("[*] SQLiteDatabase.exeqSQL called with query: " + var0 + "n"); var execSQLRes = this.execSQL(var0); return execSQLRes; };});}); https://gitlab.com/roxanagogonea/frida-scripts/blob/master/data-storage/sqlite-d atabase.js
  • 35. Further reading & Frida script examples https://www.frida.re/docs/gadget/ https://koz.io/using-frida-on-android-without-root/ https://www.codemetrix.net/hacking-android-apps-with-frida-1/ https://github.com/iddoeldor/frida-snippets https://github.com/poxyran/misc https://gitlab.com/roxanagogonea/frida-scripts/blob/master/
  • 36. Can this be automated? Here are some attempts: https://github.com/dpnishant/appmon/tree/master/apk_builder
  • 37. BUT BUT BUT … What about iOS????
  • 38. iOS Reversing 101 Usual approach overview: ● Decrypt IPA with Clutch - https://github.com/KJCracks/Clutch ● Generate Objective-C headers with class-dump - https://github.com/nygard/class-dump ● Disassemble with Hopper - https://www.hopperapp.com/index.html Explained by filedescriptor ☺ https://blog.innerht.ml/page/2/
  • 40. iOS Repackaging - Step 1: Add Apple ID to XCode Add an Apple ID to Xcode: Xcode / Preferences / Accounts / Add Apple ID
  • 41. iOS Repackaging - Step 2: Manage Certificates
  • 42. iOS Repackaging - Step 2: Manage Certificates – iOS Dev
  • 43. iOS Repackaging - Step 2: Manage Certificates – Done
  • 44. iOS Repackaging - Step 2: Verify Code Signing Certificate Command: security find-identity -p codesigning -v Output: 1) xxx[…] "iPhone Developer: abraham+1@cure53.de ([…]XX)" 1 valid identities found
  • 45. iOS Repackaging - Step 3: Create mobileprovision file
  • 46. iOS Repackaging - Step 3: Create mobileprovision file
  • 47. iOS Repackaging - Step 3: Create mobileprovision file
  • 48. iOS Repackaging - Step 3: Create mobileprovision file
  • 49. iOS Repackaging - Step 3: Create mobileprovision file
  • 50. iOS Repackaging - Step 3: Create mobileprovision file Just login :D
  • 51. iOS Repackaging - Step 3: Create mobileprovision file ● Plug your iPhone ● Select the iPhone as the target device on Xcode ● Hit the “Play” button ● Verify the mobileprovision file has been created: find ~/Library/Developer/Xcode/DerivedData/ -name embedded.mobileprovision
  • 52. iOS Repackaging - Step 3: Create mobileprovision file Do we have to do all this nonsense every time?
  • 53. iOS Repackaging - Step 3: Create mobileprovision file From here, each time we will “only” need to: ● Create a blank app ● Deploy it to an iDevice This will create a new, valid provisioning file
  • 54. iOS Repackaging - Step 4: IPA Patching Dependencies ● objection – from: https://github.com/sensepost/objection/wiki/Installation ● applesign - from: https://github.com/nowsecure/node-applesign ● insert_dylib - from: https://github.com/Tyilo/insert_dylib ● security, codesign, xcodebuild` - macOS/XCode commands ● zip & unzip - builtin, or just installed using homebrew ● 7z - installed using homebrew with brew install p7zip
  • 55. iOS Repackaging - Step 4: IPA Patching Dependencies Objection Installation: pip3 install -U objection More details and options: https://github.com/sensepost/objection/wiki/Installation
  • 56. iOS Repackaging - Step 4: IPA Patching Dependencies applesign Installation: npm install -g applesign. If npm is missing: brew install npm
  • 57. iOS Repackaging - Step 4: IPA Patching Dependencies insert_dylib installation: Compile from source like so: git clone https://github.com/Tyilo/insert_dylib cd insert_dylib xcodebuild cp build/Release/insert_dylib /usr/local/bin/insert_dylib
  • 58. iOS Repackaging - Step 4: IPA Patching Command: objection patchipa --source my-app.ipa --codesign-signature xxxx
  • 59. iOS Repackaging - Step 5: Running the patched IPA More dependencies :D Install ios-deploy: npm install -g ios-deploy
  • 60. iOS Repackaging - Step 5: Running the patched IPA Installing and running the app: unzip my-app.ipa # Creates a Payload/ directory. Unlock iDevice and plug via USB to your Mac Run ios-deploy: ios-deploy --bundle Payload/my-app.app -W -d More intel and Linux instructions: https://github.com/sensepost/objection/wiki/Running-Patched-iOS-Applications
  • 61. iOS Repackaging - Step 6: Using Frida ☺ So now we can run Frida scripts: frida -U Gadget -l <frida_script> --no-pause Some nice examples for iOS inspiration: https://github.com/iddoeldor/frida-snippets https://github.com/0xdea/frida-scripts/tree/master/ios-snippets
  • 62. Frida Examples – Filesystem access https://github.com/nowsecure/frida-fs const fs = require('frida-fs'); fs.createReadStream('/etc/hosts').pipe(networkStream);
  • 63. Frida Examples – Grab iOS Screenshots https://github.com/nowsecure/frida-screenshot const screenshot = require('frida-screenshot'); const png = yield screenshot(); send({ name: '+screenshot', payload: { timestamp: Date.now() }}, png);
  • 64. Frida Examples – iOS instance member values ObjC.choose(ObjC.classes[clazz], { onMatch: function (obj) { console.log('onMatch: ', obj); Object.keys(obj.$ivars).forEach(function(v) { console.log('t', v, '=', obj.$ivars[v]); }); }, onComplete: function () { console.log('onComplete', arguments.length); }}); https://github.com/iddoeldor/frida-snippets
  • 65. Frida Examples – iOS extract cookies var cookieJar = []; var cookies = ObjC.classes.NSHTTPCookieStorage.sharedHTTPCookieStorage().cookies(); for (var i = 0, l = cookies.count(); i < l; i++) { var cookie = cookies['- objectAtIndex:'](i); cookieJar.push(cookie.Name() + '=' + cookie.Value()); } console.log(cookieJar.join("; ")); https://github.com/iddoeldor/frida-snippets
  • 66. Frida Examples – iOS monitor file access Interceptor.attach(ObjC.classes.NSFileManager['- fileExistsAtPath:'].implementation, { onEnter: function (args) { console.log('open' , ObjC.Object(args[2]).toString()); } }); https://github.com/iddoeldor/frida-snippets
  • 67. What is Objection? ● Wrapper around Frida ● Automates a lot of stuff via Frida hooks ● Works for iOS and Android https://github.com/sensepost/objection/wiki
  • 68. Demos from the author of objection https://www.youtube.com/watch?v=zkxSFERFuBw https://www.youtube.com/watch?v=AqqPGXa4nO8 https://www.youtube.com/watch?v=t3nRDELo_fY https://www.youtube.com/watch?v=aL8Z2PctBFE https://www.youtube.com/watch?v=Mhf92DeRk8c
  • 69. > abraham@7asecurity.com @7asecurity | + 7asecurity.com @7a_ OWASP OWTF: @owtfp | + owtf.org Q & A Thank you for your time