đ These study notes serve as a concise reference, capturing the essential insights, guidelines, and best practices for securing mobile applications, based on the OWASP MASTG (Mobile Application Security Testing) Standard - Techniques.
# USBadbdevices-ladbshelladb-s<device_ID>shellsu# WiFi (same network)# Set a listener on the device (via USB)adbtcpip5555# Disconnect USB and run from host pc (same network)adbconnect<device_IP>adbdevicesadbshell# SSH# On device > Setup Termux (default port 8022)sshd# On Host pcssh-p8022<device_IP># "SSH for Magisk" Module can be used too
Data transfer
using Android Studio device file explorer
using adb
adbpull<remote><local>adbpush<local><remote>
objection - runtime mobile exploration toolkit for security testing on non-rooted devices. Injects the Frida gadget into an application by repackaging it, disable SSL pinning methods, access app storage, execute custom Frida scripts, list activities/services/broadcast receivers, start activities, ecc
On rooted device with frida-server configured, Objection can connect directly to it without app repackage.
Interact with it via Objection REPL
The ability to perform advanced dynamic analysis on non-jailbroken devices is one of the features that makes Objection incredibly useful.
# Connect to a patched APKobjectionexplore# Connect to a specific appfrida-ps-Ua|grep-itelegramobjection--gadget="org.telegram.messenger"explorecd..lsfiledownload<file_name>
adbshellpmlistpackagesadbshellpmlistpackages-3-fadbshellpmpath<app_package_id># Get all installed apps on USB device & # List running appsfrida-ps-Uaiadbshellps
# On Android phonetcpdump# Remote sniff Android phone's network traffictcpdump-iwlan0-s0-w-|nc-l-p11111# On host, listen to traffic using Wiresharkadbforwardtcp:11111tcp:11111nclocalhost11111|wireshark-k-S-i-
Export cert from BurpSuite in DER format (or download the cert from the http://burpsuite page after setting the Proxy on the device)
opensslx509-informDER-inburp-ad-outburp.pemadbpushburp.pem/sdcard/# Install burp.pem in the user certificate store# Move User Certificates to rot store / System CAs (using Magisk module Movecert)
Set Proxy on device WiFi Network
Host with BurpSuite must be on the same WiFi network
This module will automatically add all user-installed CA certificates to the list of the system trusted CAs (reboot is necessary)
Manual
Not always working
adbshellmount-orw,remount/system# mount -o rw,remount -t ext4 /systemopensslx509-informDER-incacert.der-outcacert.pemopensslx509-informPEM-subject_hash_old-incacert.pem|head-1mvcacert.pem<hash>.0mv<hash>.0/system/etc/security/cacertschmod644<hash>.0
đ Starting with Android 7.0 (API level 24), the Android OS will no longer trust user CA certificates by default, unless specified in the application
Obstacles
Security controls such as root detection, certificate pinning
# Intercept traffic in WiFis with Client Isolation# Configure Android device proxy to point to 127.0.0.1:8080# Connect device via USB to host PC# Make a reverse port forwardingadbreversetcp:8080tcp:8080
Non-proxy-aware apps: e.g. Xamarin, or the app verifies if proxy is set and doesn't allow any traffic if it is set
# Enable "Support invisible proxying" in Burp Proxy request handling options# iptables - redirect Android traffic to interception proxyiptables-tnat-AOUTPUT-ptcp--dport80-jDNAT--to-destination<Your-Proxy-IP>:8080iptables-tnat-L# Reset iptablesiptables-tnat-F# bettercap - target and host on same networksudobettercap-eval"set arp.spoof.targets <ANDROID-IP>; arp.spoof on; set arp.spoof.internal true; set arp.spoof.fullduplex true;"
keytool-importcert-v-trustcacerts-fileproxy.cer-aliasaliascert-keystore"res/raw/truststore.bks"-providerorg.bouncycastle.jce.provider.BouncyCastleProvider-providerpath"providerpath/bcprov-jdk15on-164.jar"-storetypeBKS-storepasspassword# proxy.cer - proxy's certificate# aliascert - alias for proxy's cert# BouncyCastle Provider jar file# password - keystore pw, from decompiled app code# List BKS truststore certskeytool-list-keystore"res/raw/truststore.bks"-providerorg.bouncycastle.jce.provider.BouncyCastleProvider-providerpath"providerpath/bcprov-jdk15on-164.jar"-storetypeBKS-storepasspassword# Repackage the app and install it on device
Dynamic
More convenient and faster to perform.
Find the correct method to hook by searching for strings and licences files, identifying the used library. Examine the source code (SMALI code) to find methods suited for dynamic instrumentation.
# Search for all methods that take a string and a variable list of strings as args and return a complex objectgrep-rijava/lang/String;\[Ljava/lang/String;)L ./
Hook each method with Frida and print the arguments. Find the one that prints out a domain name and a cert hash. Modify the arguments to circumvent the implemented pinning.