Prathan Phongthiproek
KPMG Thailand
The Hookshot: Runtime Exploitation
@zeq3ul
• Just a guy who is passionate about (offensive) security ~ 10 years+
• Dota2 SEA MMR ~ 3k+
• Rainbow Six Siege LVL ~ 100+
“Keep farming (Self-study)
and
Challenge the Roshan (Get certificate)”
tanprathan
pprathan
prathan
TL;DR
• Motivation
• Dynamic binary instrumentation
• FRIDA
• DBI without rooting / jailbreaking
• Unleash the power of Frida
• Case study for runtime exploitation
• Countermeasure
• References
Motivation
• Root / Jailbreak Detection
• SSL Pinning Implementation
• End-to-end encryption on top of TLS
• Cellular network (4G) restriction
Dynamic binary instrumentation
• A method of analyzing the behavior of a binary application at
runtime through the injection of instrumentation code.
• DBI can:
• Access process memory
• Overwrite functions while the application is running
• Call functions from imported classes
• Find object instances on the heap and use them
• Hook, trace and intercept functions etc.
FRIDA
• Dynamic code instrumentation toolkit that lets you hook into running
applications and inject your own JavaScript, with complete access to the
process's memory and functions.
• With Frida, we have the power to:
• Bypass Root / Jailbreak Detection
• Bypass SSL Pinning
• Modify the encrypted traffic over TLS
• Pwn the application without using a proxy
• Bypass local authentication
• Subvert business logic
• Increase game gems without purchasing
FRIDA
Client / server architecture (figure)
https://www.frida.re/docs/installation/
Tip: how to root / jailbreak a device
• Android
• https://www.xda-developers.com/root/
• iOS
• https://canijailbreak.com

Jailbreak type                        Processor  iOS version  Duration
Untethered jailbreak                  32 bit     7.0.0-7.1.2  September 18, 2013 - September 16, 2014
Untethered jailbreak                  32 bit     8.0-8.4      September 17, 2014 - August 12, 2015
Untethered jailbreak                  64 bit     9.0-9.1      September 16, 2015 - December 7, 2015
Semi-untethered jailbreak             32 bit     8.4.1        August 13, 2015 - September 15, 2015
Semi-untethered jailbreak             32 bit     9.1-9.3.5    October 21, 2015 - September 12, 2016
Semi-untethered jailbreak             64 bit     9.2-9.3.3    December 8, 2015 - August 3, 2016
Unstable (does not work on iPhone 7)  64 bit     10.0-10.2    September 13, 2016 - January 22, 2017
FRIDA
Bypass local authentication on Android
https://vimeo.com/235930373
FRIDA
Bypass Jailbreak Detection on iOS
https://vimeo.com/236043814
DBI without rooting / jailbreaking
Library Injection
• Re-route application control during library initialization
• Conduct runtime analysis without rooting or jailbreaking the device
• Bypass root / jailbreak detection
Library Injection on Android app
• Disassemble the app using apktool
• Insert the Frida native library ("frida-gadget", i.e. libfrida-gadget.so) into the APK's lib/<abi> folder
• Inject a System.loadLibrary("frida-gadget") call into the bytecode of the app
(main application activity)
• Add the Internet permission to the manifest, so that the Frida gadget can open a
socket
• Repackage the app, re-sign the updated APK using your own keys and
zipalign
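The steps above as an added Python example; this is not the talk's own code and not appmon's apk_builder. It performs the two in-tree edits (the smali patch and the manifest permission) on an apktool output directory and copies the gadget into lib/<abi>/; apktool, zipalign and apksigner are invoked separately. Assumptions, labelled in the code: the gadget file is libfrida-gadget.so for the device ABI, the launcher activity's onCreate declares registers with .locals (so v0 is free at method entry), and the sample smali and manifest are constructed for illustration, not taken from a real app.

```python
"""Patch an apktool-unpacked APK so it loads the Frida gadget at startup."""
import os
import re
import shutil

# Smali for System.loadLibrary("frida-gadget"); the loader resolves it to
# lib/<abi>/libfrida-gadget.so, which starts the gadget when dlopen'd.
LOAD_GADGET_SMALI = (
    '    const-string v0, "frida-gadget"\n'
    '    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V\n'
)
INTERNET_PERMISSION = '<uses-permission android:name="android.permission.INTERNET"/>'


def patch_smali(smali: str, method: str = "onCreate") -> str:
    """Insert the loadLibrary call as the first instruction of `method`.

    Assumption: locals are uninitialised at method entry, so v0 can be used
    without saving it; `.locals 0` is bumped to 1.  Parameters stay valid as
    p0..pN because smali numbers them after `.locals`.  A method written with
    `.registers` names parameters vN, where a bump would shift them, so refuse.
    """
    out, in_target, patched = [], False, False
    for line in smali.splitlines(keepends=True):
        s = line.strip()
        if s.startswith(".method ") and f" {method}(" in s:
            in_target = True
        if in_target and not patched:
            if s.startswith(".registers "):
                raise ValueError("method uses .registers; convert to .locals first")
            if s.startswith(".locals "):
                if int(s.split()[1]) < 1:
                    line = line.replace(".locals 0", ".locals 1")
                out.append(line)
                continue
            # First real instruction: not blank, not a directive, label or comment.
            if s and s[0] not in ".:#":
                out.append(LOAD_GADGET_SMALI)
                patched = True
        if s == ".end method":
            in_target = False
        out.append(line)
    if not patched:
        raise ValueError(f"no method {method} with a body found")
    return "".join(out)


def patch_manifest(manifest: str) -> str:
    """Add android.permission.INTERNET (idempotent) so the gadget can listen on a socket."""
    if "android.permission.INTERNET" in manifest:
        return manifest
    m = re.search(r"<manifest\b[^>]*>", manifest)
    if not m:
        raise ValueError("no <manifest> element")
    return manifest[: m.end()] + "\n    " + INTERNET_PERMISSION + manifest[m.end():]


def patch_unpacked_apk(apk_dir: str, activity_smali: str, gadget_so: str,
                       abi: str = "arm64-v8a") -> None:
    """Apply both patches to an `apktool d` tree and drop the gadget into lib/<abi>/."""
    smali_path = os.path.join(apk_dir, activity_smali)
    with open(smali_path, encoding="utf-8") as f:
        patched = patch_smali(f.read())
    with open(smali_path, "w", encoding="utf-8") as f:
        f.write(patched)
    manifest_path = os.path.join(apk_dir, "AndroidManifest.xml")
    with open(manifest_path, encoding="utf-8") as f:
        manifest = patch_manifest(f.read())
    with open(manifest_path, "w", encoding="utf-8") as f:
        f.write(manifest)
    lib_dir = os.path.join(apk_dir, "lib", abi)
    os.makedirs(lib_dir, exist_ok=True)
    shutil.copy(gadget_so, os.path.join(lib_dir, "libfrida-gadget.so"))


# Constructed sample inputs (not from a real app): a minimal launcher activity.
SAMPLE_SMALI = """\
.class public Lcom/example/app/MainActivity;
.super Landroid/app/Activity;

.method protected onCreate(Landroid/os/Bundle;)V
    .locals 0
    .param p1, "savedInstanceState"    # Landroid/os/Bundle;

    .prologue
    .line 12
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

    return-void
.end method
"""
SAMPLE_MANIFEST = """\
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <application android:label="Example">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    print(patch_smali(SAMPLE_SMALI))
    print(patch_manifest(SAMPLE_MANIFEST))
    # Outside Python: apktool d app.apk -o app_dir ; patch_unpacked_apk("app_dir", ...)
    # then apktool b app_dir -o out.apk ; zipalign -p 4 out.apk aligned.apk ;
    # apksigner sign --ks my.keystore aligned.apk
```

Order matters when re-signing: with apksigner, zipalign first and sign last (realigning a v2-signed APK invalidates the signature); with the older jarsigner, sign first and zipalign afterwards. On first launch the gadget, in its default listen mode, waits on 127.0.0.1:27042 and holds the process until a client attaches with `frida -U Gadget`, so an app that seems to hang at startup is working as intended.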
Library Injection on Android app
• An automated script for unpacking, patching (inserting the Frida
library into the binary), re-packaging, re-signing and deploying apps
on a non-rooted device.
• https://github.com/dpnishant/appmon/tree/master/apk_builder
Dynamic Library (DYLIB) Injection on iOS app
Mach-O file structure (figure)
• Create a developer profile, provisioning profile and certificate
• Insert the Frida library (FridaGadget.dylib) into the application container and add
a load command (LC_LOAD_DYLIB) for it to the load commands section of the binary
• Increment the load command count (ncmds) in the header and increase the
load commands size (sizeofcmds) in the header
• Re-package the application with the new provisioning profile and re-sign both the
main executable and FridaGadget.dylib with the certificate listed in the
profile
• Deploy the whole application container and run the application on the device in
debug mode
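The header edit in the steps above, as an added Python example that is not Fridpa's code: it appends an LC_LOAD_DYLIB command in the zero padding the linker leaves after the existing load commands, then bumps ncmds and sizeofcmds. The gadget path @executable_path/FridaGadget.dylib is an assumption (your tooling may place the dylib elsewhere in the container), and the sample binary is constructed in the block rather than taken from a real app. Re-signing afterwards is still required, since the stale LC_CODE_SIGNATURE no longer covers the modified header.

```python
"""Add an LC_LOAD_DYLIB for FridaGadget.dylib to a thin Mach-O executable."""
import struct

MH_MAGIC_64, MH_MAGIC = 0xFEEDFACF, 0xFEEDFACE
LC_SEGMENT_64 = 0x19
LC_LOAD_DYLIB = 0x0C
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2
GADGET_PATH = "@executable_path/FridaGadget.dylib"   # assumed location of the dylib


def header_layout(data: bytes):
    """Return (header size, load-command alignment) for a thin little-endian Mach-O."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        return 32, 8
    if magic == MH_MAGIC:
        return 28, 4
    raise ValueError("not a thin little-endian Mach-O (split fat binaries first)")


def header_counts(data: bytes):
    """ncmds and sizeofcmds sit at offsets 16 and 20 in both header variants."""
    return struct.unpack_from("<II", data, 16)


def build_load_dylib(path: str, align: int) -> bytes:
    """Encode a dylib_command: cmd, cmdsize, name offset (24), timestamp,
    current/compatibility version, then the NUL-terminated path."""
    raw = path.encode() + b"\x00"
    cmdsize = 24 + len(raw)
    cmdsize += (-cmdsize) % align          # cmdsize must be a multiple of the pointer size
    fixed = struct.pack("<IIIIII", LC_LOAD_DYLIB, cmdsize, 24, 2, 0x10000, 0x10000)
    return fixed + raw.ljust(cmdsize - 24, b"\x00")


def inject_load_dylib(data: bytes, path: str = GADGET_PATH) -> bytes:
    """Append the load command after the existing ones and fix up the header.

    The slack between the last load command and the first section's data is
    zero-filled by the linker; if the bytes we would overwrite are not all
    zero the binary has no room and the insertion is refused rather than
    corrupting code.
    """
    hdr_size, align = header_layout(data)
    ncmds, sizeofcmds = header_counts(data)
    cmd = build_load_dylib(path, align)
    start, end = hdr_size + sizeofcmds, hdr_size + sizeofcmds + len(cmd)
    if end > len(data) or any(data[start:end]):
        raise ValueError("no zero padding after the load commands; cannot insert")
    out = bytearray(data)
    out[start:end] = cmd
    struct.pack_into("<II", out, 16, ncmds + 1, sizeofcmds + len(cmd))
    return bytes(out)


def list_load_dylibs(data: bytes):
    """Walk the load commands and return the paths of all LC_LOAD_DYLIB entries."""
    hdr_size, _ = header_layout(data)
    ncmds, _ = header_counts(data)
    off, names = hdr_size, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_LOAD_DYLIB:
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            raw = data[off + name_off: off + cmdsize]
            names.append(raw.split(b"\x00", 1)[0].decode())
        off += cmdsize
    return names


def build_sample_macho64(padding: int = 256) -> bytes:
    """Constructed stand-in for a real executable: arm64 header, a single
    __PAGEZERO segment command (72 bytes) and `padding` bytes of zero slack."""
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 1, 72, 0, 0)
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__PAGEZERO",
                      0, 0x100000000, 0, 0, 0, 0, 0, 0)
    return hdr + seg + b"\x00" * padding


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_macho64()
    patched = inject_load_dylib(src)
    print("load dylibs:", list_load_dylibs(patched))
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(patched)
```

Run it as `python3 inject.py App.app/App App.app/App.patched` on the thin arm64 slice (use `lipo -thin arm64` on a fat binary first), copy FridaGadget.dylib next to the executable, then re-sign both files and the container as the steps above describe; `otool -l` on the result should list the new LC_LOAD_DYLIB last.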
Dynamic Library (DYLIB) Injection on iOS app
• An automated script for unpacking, patching (inserting the load
command into the binary), re-signing and deploying apps on a
non-jailbroken device.
https://github.com/tanprathan/Fridpa
Unleash the power of Frida
https://codeshare.frida.re
Unleash the power of Frida
• Objection uses Frida to inject objects into an application's runtime
and execute them within that application's security context to perform
various tasks.
https://github.com/sensepost/objection
• An automated framework for monitoring and tampering with system API
calls of native macOS, iOS and Android apps.
https://github.com/dpnishant/appmon
Unleash the power of Frida
Using FRIDA without Jailbreaking
https://vimeo.com/236055614
Case study for runtime exploitation
• Mobile banking application (Android, iOS) that:
• Had its source code reviewed with commercial tools
• Was able to detect root / jailbreak
• Implemented SSL pinning
• Implemented end-to-end encryption
tsprotector
TrustKiller
Case study for runtime exploitation
• Decrypted the app and performed reverse engineering
• Analyzed the app's classes and methods
• Found an interesting class name and method
• Created a script to intercept the class and method
• Customized the script to manipulate the argument
• Bypassed the business logic in the app because it was not validated server-side
NOOB SPOTTED !!
Countermeasures
Defense in depth and fix root causes
OWASP MSTG (Mobile Security Testing Guide) and MASVS (Mobile Application Security Verification Standard)
References
• http://www.ninoishere.com/frida-learn-by-example/
• https://www.slideshare.net/andreaskurtz/pentesting-i-os-apps-deepsec-2012-andreas-kurtz-15423426
• https://www.notsosecure.com/pentesting-android-apps-using-frida/
• http://blog.attify.com/2017/05/06/bypass-jailbreak-detection-frida-ios-applications/
• https://github.com/interference-security/frida-scripts/blob/master/iOS/frida_python_script.py
• https://koz.io/using-frida-on-android-without-root/
• https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/october/ios-instrumentation-without-jailbreak/
• https://www.vantagepoint.sg/blog/85-patching-and-re-signing-ios-apps