5. Android Dynamic Analysis

SSL Pinning

SSL pinning enhances SSL/TLS security in mobile apps by associating a specific certificate or public key with a server. This mitigates man-in-the-middle risks by ensuring the app communicates only with servers presenting the expected, pinned certificate (or key), rather than any certificate the device's trust store happens to accept.

  • Even after a user or root CA certificate is imported on the Android device, an app with active SSL pinning refuses to trust it, so an intercepting proxy never sees that app's traffic.

A pentester needs to bypass certificate pinning to see the live application traffic.

SSL Bypassing - Neelam Soni (Medium)

Proxies

Android Interception Process

  1. Start the Proxy software and configure it

  2. Set proxy on the emulator/physical device network settings

  3. Intercept HTTP traffic

  4. Import the proxy's CA certificate on the device and trust it in the certificate store

  5. Intercept HTTPS traffic (fails for apps with active SSL pinning)

  6. Use Objection/Frida to bypass SSL pinning and intercept the remaining HTTPS traffic
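Step 6 as it is typically run, as an added example that is not part of the original page: either objection's built-in bypass, or a small custom Frida hook written to a file and loaded at spawn time. The hook targets the Android 7+ platform trust manager (com.android.org.conscrypt.TrustManagerImpl.verifyChain, which also covers pins declared in network_security_config) and OkHttp3's CertificatePinner.check; both signatures are assumptions about the target app, the package name b3nac.injuredandroid is taken from the MobSF screenshots below, and the script file name is arbitrary.

```shell
#!/bin/sh
# Interception process, step 6: bypass SSL pinning at runtime.
# Added example; assumes frida-tools and objection on the host and either
# frida-server or a gadget-patched app on the device.
set -eu

# write_pinning_bypass OUTFILE
# Writes a Frida hook that (1) makes the platform's own chain validation accept
# any chain and (2) turns OkHttp3's userland pin check into a no-op. Prints OUTFILE.
write_pinning_bypass() {
    cat > "$1" <<'EOF'
Java.perform(function () {
    // Android 7+: every HttpsURLConnection / OkHttp / WebView handshake ends up
    // in TrustManagerImpl.verifyChain, so one hook covers most apps.
    var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
    TrustManagerImpl.verifyChain.implementation = function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
        console.log('[pinning] verifyChain bypassed for ' + host);
        return untrustedChain;   // returning the chain means "valid": no CertificateException
    };
    // OkHttp3 checks pins itself before the platform does, so hook it as well.
    try {
        var CertificatePinner = Java.use('okhttp3.CertificatePinner');
        CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function (hostname, peerCertificates) {
            console.log('[pinning] okhttp3 CertificatePinner.check bypassed for ' + hostname);
        };
    } catch (e) {
        console.log('[pinning] okhttp3.CertificatePinner not present: ' + e.message);
    }
});
EOF
    echo "$1"
}

# run_bypass PACKAGE SCRIPT
# Spawns the app (-f) over USB/ADB (-U) with the hook loaded before any network
# code runs. Frida < 16 additionally needs --no-pause to resume the process.
run_bypass() {
    frida -U -f "$1" -l "$2"
}

# Alternative: objection ships an equivalent multi-library bypass.
run_objection_bypass() {
    objection -g "$1" explore --startup-command 'android sslpinning disable'
}

# Usage: sh pinning_bypass.sh b3nac.injuredandroid
if [ "$#" -eq 1 ]; then
    run_bypass "$1" "$(write_pinning_bypass pinning-bypass.js)"
fi
```

With the hook active, HTTPS requests from the app appear in the proxy exactly like the Chrome traffic from the Burp section; if they still fail, the app is pinning through a library the hook does not cover, and the Frida CodeShare scripts referenced below hook many more of them.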


MobSF Dynamic Analysis

🔗 MobSF Dynamic Analyzer

  • Supports x86, x86_64 architecture Android 4.1 - 11.0, up to API 30

🔗 Setting up MobSF dynamic analyzer for security testing of Android applications - Sarvesh Sharma

  • Start the Genymotion Android VM before starting MobSF (e.g. an API 29 image: MobSF drives it with Frida and it works out of the box)

    • Device identifier - 192.168.56.103:5555

  • If the MobSF Dynamic Analyzer does not detect the Android device, set ANALYZER_IDENTIFIER to the VM's device identifier (192.168.56.103:5555) in ~/docker/mobsf/config.py

  • Run MobSF via Docker

(Screenshot: MobSF Dynamic Analyzer)
  • Start Dynamic Analysis on the desired application

  • Try the various Dynamic Testers (Exported Activity, Activity, TLS/SSL) and check the outputs in the UI.

(Screenshots: TLS/SSL Security Tester on b3nac.injuredandroid, Exported Activity Tester, Activity Tester)
  • Check the Logcat Stream and Live API Monitor

  • Start Instrumentation with the selected Frida Scripts and check the Frida Logs

  • Generate Report with the Dynamic Analysis information

(Screenshots: Frida Logs, API Monitor, Dynamic Analyzer Report)

BurpSuite

🔗 Configuring an Android device to work with Burp Suite

Install BurpSuite and use it to intercept application traffic.

  • Add a new Proxy Listener bound to port 8082 on all interfaces

  • Configure the device / emulator to use the proxy

    • Settings > Network & internet > Wi-Fi > network details

    • In Advanced options set the proxy to the IP of the host running BurpSuite (the vboxnet LAN or bridged LAN IP) and port 8082

  • Open Chrome and navigate to google.com

  • HTTPS traffic cannot be intercepted yet, because the device does not trust the unknown certificate presented by the proxy (the PortSwigger CA)

  • Install the BurpSuite CA certificate on the Android device

    • Export the BurpSuite CA certificate in DER format, renaming it while saving to Burp_TCM.CER (Android's installer expects a .cer/.crt extension)

    • Copy the certificate to the device

    • Install the certificate (Sony: Settings > Lock screen & security > Advanced > Encryption & credentials > Install from device memory/SD card)

  • In BurpSuite turn Proxy Intercept on; on the device re-open Chrome and navigate to google.com

    • BurpSuite now receives the HTTPS traffic and the Google website works in Chrome

    • Chrome trusts user-installed CAs, but apps targeting API 24 or later do not trust the user store unless their network_security_config opts in, so their HTTPS traffic can still fail even without pinning
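For apps that ignore the user store, the Burp CA has to go into the system store of a rooted device or an emulator started with a writable /system. The following script is an added example, not PortSwigger's guide: it converts the exported DER file into the PEM file name Android's system store indexes on (the OpenSSL "old" subject hash plus ".0"), pushes it with adb, and sets the device's global proxy from the command line instead of the Wi-Fi dialog. The host address 192.168.56.1 and port 8082 in the usage line follow the page's lab layout and are assumptions.

```shell
#!/bin/sh
# Burp CA as an Android *system* certificate, plus proxy setup over adb.
# Added example; assumes openssl and adb on PATH and a rooted device or an
# emulator started with -writable-system.
set -eu

# burp_der_to_system_cert BURP_DER OUTDIR
# /system/etc/security/cacerts is indexed by OpenSSL's old-style subject hash:
# the file must be PEM and named <8 hex digits>.0. Prints the generated path.
burp_der_to_system_cert() {
    der=$1; outdir=$2
    openssl x509 -inform DER -in "$der" -out "$outdir/burp.pem"
    hash=$(openssl x509 -inform PEM -in "$outdir/burp.pem" -subject_hash_old -noout)
    cp "$outdir/burp.pem" "$outdir/$hash.0"
    echo "$outdir/$hash.0"
}

# install_system_ca CERT_FILE
install_system_ca() {
    adb root
    adb remount            # needs a writable /system (-writable-system, or disable-verity first)
    adb push "$1" /system/etc/security/cacerts/
    adb shell chmod 644 "/system/etc/security/cacerts/$(basename "$1")"
    adb reboot             # the system store is read at boot
}

# set_device_proxy HOST PORT / clear_device_proxy
# Same effect as the Wi-Fi "Advanced options" proxy fields, but scriptable and
# not tied to the currently joined network.
set_device_proxy()   { adb shell settings put global http_proxy "$1:$2"; }
clear_device_proxy() { adb shell settings put global http_proxy :0; }

# Usage: export Burp's CA in DER format (Proxy > Options > Import / export CA
# certificate), then:  sh burp_ca.sh cacert.der 192.168.56.1 8082
if [ "$#" -eq 3 ]; then
    cert=$(burp_der_to_system_cert "$1" .)
    install_system_ca "$cert"
    set_device_proxy "$2" "$3"
fi
```

Remember to call clear_device_proxy when the engagement is over; a device left pointing at a proxy that is no longer running has no network at all.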


Frida & Objection

🔗 Frida - Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers

🔗 Objection - a runtime mobile exploration toolkit, powered by Frida

🔗 Apktool

  • Install Frida first, then Objection (see the Android Lab page for the setup steps).

Patch the Android app with Objection's patchapk command, which automates the whole patching process (it drives aapt, adb, jarsigner and apktool under the hood).

  • The command determines the target architecture of your device using adb, extracts the source APK, inserts the INTERNET permission if it is not already present, patches in and embeds frida-gadget.so, and repackages and signs a new APK for you.

If the command fails with a "Can't Decode Resources" error, which is common with Kotlin apps, re-run it with apktool's resource decoding skipped so that only the dex/smali code and lib/ directory are touched.
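The automated route as a script, added here as an example rather than objection's own documentation. It assumes objection, apktool, adb and the Android SDK build tools are installed and exactly one device is connected; the flags used (-s/--source, -a/--architecture, --skip-resources) and the <name>.objection.apk output naming are objection's documented behaviour, and the package name b3nac.injuredandroid is the page's sample app.

```shell
#!/bin/sh
# Automated frida-gadget patching with objection (added example).
# Assumes objection, apktool, adb and the Android build tools on PATH and a
# single connected device or emulator.
set -eu

# abi_to_frida_arch ABI
# Maps the ABI reported by ro.product.cpu.abi to Frida's architecture name, the
# one used in gadget file names and by objection's -a/--architecture flag.
abi_to_frida_arch() {
    case "$1" in
        arm64-v8a)   echo arm64 ;;
        armeabi-v7a) echo arm ;;
        x86)         echo x86 ;;
        x86_64)      echo x86_64 ;;
        *) echo "unsupported ABI: $1" >&2; return 1 ;;
    esac
}

# patch_with_objection APK PACKAGE
# objection detects the architecture itself through adb; querying it explicitly
# makes the choice visible and reproducible when several devices are attached.
patch_with_objection() {
    apk=$1; pkg=$2
    arch=$(abi_to_frida_arch "$(adb shell getprop ro.product.cpu.abi | tr -d '\r')")
    # Kotlin/AGP builds often break apktool's resource decoder ("Can't Decode
    # Resources"): retry with resource decoding skipped (dex and lib/ only).
    objection patchapk -s "$apk" -a "$arch" ||
        objection patchapk -s "$apk" -a "$arch" --skip-resources
    patched=${apk%.apk}.objection.apk        # objection's output naming
    adb install -r "$patched"
    # launch the app (the gadget pauses it until a client connects), then attach
    adb shell monkey -p "$pkg" -c android.intent.category.LAUNCHER 1
    objection -g "$pkg" explore
}

# Usage: sh objection_patch.sh InjuredAndroid.apk b3nac.injuredandroid
if [ "$#" -eq 2 ]; then
    patch_with_objection "$1" "$2"
fi
```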

Frida Manual Patching

🔗 Using Frida on Android without root (Android App Patching)

Frida's Gadget is a shared library meant to be loaded by the program to be instrumented when the Injected mode of operation is not suitable (no root, no frida-server). The Gadget gets kickstarted as soon as the dynamic linker executes its constructor function, so loading it from an early Activity instruments the app from its first screen.

  • With split APKs (app bundles), use the patch-apk tool, an APK patcher for use with objection that supports Android app bundles/split APKs

  1. Decompile the APK without decoding its resources

apktool d -r InjuredAndroid.apk

  2. Download the Frida native library (frida-gadget) for the CPU architecture of the physical/emulator device from the Frida release page

  3. Add the frida-gadget to the APK's lib/ folder for the correct architecture, e.g. InjuredAndroid/lib/arm64-v8a/libfrida-gadget.so

  4. Load the gadget from the app's bytecode (smali) with a System.loadLibrary("frida-gadget") call in a known exported or otherwise reachable Activity (usually MainActivity.smali or OnboardingActivity.smali)

  5. Add the INTERNET permission to the manifest if it is not already there (Frida needs it to open its listening socket)

  6. Repackage the application

  7. Sign InjuredAndroid_repackaged.apk and zipalign it

  8. Install the signed and aligned APK

  9. Open the app and test Objection
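The nine steps above as one script, added here as an example; it is not the referenced article's or objection's code. It assumes apktool, zipalign, apksigner, aapt and adb are on PATH, that the frida-gadget .so matching the device ABI has already been downloaded, and that the Activity path, keystore and file names are placeholders for your target. Two deliberate deviations from the list: apksigner replaces jarsigner because a v1-only signature is rejected by Android 11+ for apps targeting API 30+, and the INTERNET permission is checked on the original APK with aapt since apktool -r leaves the manifest in binary form.

```shell
#!/bin/sh
# Manual frida-gadget patching, steps 1-9 as one script (added example).
# Assumes apktool, zipalign, apksigner, aapt and adb on PATH and a downloaded
# frida-gadget .so for the device ABI.
set -eu

# inject_gadget_smali SMALI_FILE
# Prepends System.loadLibrary("frida-gadget") to onCreate(Bundle) of the given
# Activity so the gadget loads before any app code runs. ".locals" is raised to
# at least 1 because the call needs one free register (v0).
inject_gadget_smali() {
    awk '
    /^\.method .*onCreate\(Landroid\/os\/Bundle;\)V/ { in_oncreate = 1 }
    /^\.end method/                                   { in_oncreate = 0 }
    in_oncreate && $1 == ".locals" {
        n = $2 + 0; if (n < 1) n = 1
        print "    .locals " n
        print ""
        print "    const-string v0, \"frida-gadget\""
        print "    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V"
        in_oncreate = 0
        next
    }
    { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# patch_apk APK GADGET_SO ABI ACTIVITY_SMALI KEYSTORE
#   ABI            lib/ directory name: arm64-v8a, armeabi-v7a, x86 or x86_64
#   ACTIVITY_SMALI path inside the decoded tree, e.g. smali/b3nac/injuredandroid/MainActivity.smali
patch_apk() {
    apk=$1; gadget=$2; abi=$3; activity=$4; keystore=$5
    work=${apk%.apk}_decoded
    out=${apk%.apk}_repackaged.apk
    aligned=${apk%.apk}_repackaged_aligned.apk

    apktool d -r -f -o "$work" "$apk"                  # 1. no resource decoding (-r)
    mkdir -p "$work/lib/$abi"                          # 2./3. gadget under the right ABI; the
    cp "$gadget" "$work/lib/$abi/libfrida-gadget.so"   #       name must match loadLibrary("frida-gadget")
    inject_gadget_smali "$work/$activity"              # 4. load it from an early Activity

    # 5. the gadget listens on a TCP socket, so INTERNET must be granted. With -r
    #    apktool does not decode the manifest, so check the original APK instead.
    if ! aapt dump permissions "$apk" | grep -q 'android.permission.INTERNET'; then
        echo "warning: no INTERNET permission; re-decode without -r and add it to the manifest" >&2
    fi

    apktool b -o "$out" "$work"                        # 6. repackage
    zipalign -p -f 4 "$out" "$aligned"                 # 7. align, then sign (v2/v3 scheme)
    apksigner sign --ks "$keystore" "$aligned"
    adb install -r "$aligned"                          # 8. install
    echo "$aligned"                                    # 9. open the app, then: objection -g <package> explore
}

# Usage: sh patch_gadget.sh InjuredAndroid.apk frida-gadget-<version>-android-arm64.so \
#            arm64-v8a smali/b3nac/injuredandroid/MainActivity.smali debug.keystore
if [ "$#" -eq 5 ]; then
    patch_apk "$@"
fi
```

Pick the Activity that is actually launched first (check the LAUNCHER intent filter in the manifest); with multidex apps the smali file may live under smali_classes2/ or later rather than smali/.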

Objection Usage

Frida Codeshare

🔗 Frida CodeShare

Find various Frida scripts in the Frida CodeShare projects.


Additional Dynamic Analysis

App file system

Always check the /data/data/<package> directory of the analyzed app: shared_prefs XML files, SQLite databases, files/ and cache/ frequently hold credentials, tokens or cached server responses in clear text.

Logcat - Pidcat

Look through the logcat logs.

  • Check system and application logs with logcat, or with pidcat (which filters logcat to a single package), for unintended data leakage such as credentials, session tokens, PII or full request/response bodies
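Both checks scripted, as an added example that is not part of the original page: the app's data directory is pulled off the device and the interesting files listed, and the live log is reduced to the lines that look like leaked secrets. It assumes adb on PATH and either root (su) or a debuggable app (run-as), that toybox tar is present on the device (Android 10+), and the log lines used in the test are constructed.

```shell
#!/bin/sh
# App data and log inspection (added example).
# Assumes adb on PATH and a rooted device or a debuggable app; Android 10+ for tar.
set -eu

# pull_app_data PACKAGE OUTDIR
# Copies /data/data/<pkg> off the device and lists the files worth opening first.
pull_app_data() {
    pkg=$1; out=$2
    mkdir -p "$out"
    # exec-out keeps the tar stream binary-clean; su for rooted devices,
    # run-as as the fallback for debuggable builds
    adb exec-out "su -c 'tar -cf - -C /data/data $pkg'" > "$out/$pkg.tar" 2>/dev/null ||
        adb exec-out "run-as $pkg tar -cf - ." > "$out/$pkg.tar"
    tar -xf "$out/$pkg.tar" -C "$out"
    find "$out" -path '*shared_prefs*' -o -name '*.db' -o -name '*.xml' | sort
}

# scan_log_for_leaks  (reads logcat lines on stdin)
# Prints lines carrying likely secrets: credential/API-key assignments, bearer
# tokens, session cookies, JWTs, card numbers. Exit status 0 if anything matched.
scan_log_for_leaks() {
    grep -iE \
        -e '(password|passwd|pwd|secret|api[_-]?key|token|auth)[" ]*[:=]' \
        -e 'Bearer [A-Za-z0-9._-]{16,}' \
        -e '(JSESSIONID|PHPSESSID|sessionid)=' \
        -e 'eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+' \
        -e '\b[0-9]{4}( ?[0-9]{4}){3}\b'
}

# live_log PACKAGE
# Only this app's log lines (what pidcat does), with the leak filter applied.
live_log() {
    adb logcat --pid="$(adb shell pidof -s "$1" | tr -d '\r')" | scan_log_for_leaks
}

# Usage: sh app_data.sh b3nac.injuredandroid ./loot
if [ "$#" -eq 2 ]; then
    pull_app_data "$1" "$2"
    live_log "$1"
fi
```

The regexes are a first pass, not a classifier: run the full log through them once, then read the matches in context, since a single "password=" line usually means the surrounding request was logged too.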

