5. Android Dynamic Analysis

Previous4. Android Static Analysis Next6. Android Bug Bounty

Last updated 1 year ago

Was this helpful?

5. Android Dynamic Analysis

SSL Pinning

SSL pinning enhances SSL/TLS security in mobile apps by associating a specific SSL certificate or public key with a server. This mitigates Man-in-the-middle risks by ensuring communication only with servers presenting the expected and pinned certificates.

Even with the import of an Android user or root certificate, the app refuses to recognize it when SSL Pinning is active, preventing any attempts to intercept network traffic.

A pentester need to to see live application traffic.

Proxyes

Android Interception Process

Start the Proxy software and configure it
Set proxy on the emulator/physical device network settings
Intercept HTTP traffic
Import CA Certificates and trust them in the Certificate Store
Intercept HTTPS Traffic (failing with active SSL Pinning)
Use Objection/Frida tools to bypass SSL Pinning and intercept HTTPS Traffic

MobSF Dynamic Analysis

Supports x86, x86_64 architecture Android 4.1 - 11.0, up to API 30

Start the Genymotion Android VM (e.g. API 29 - it uses Frida and works out of the box) before starting MobSF
- Device identifier - 192.168.56.103:5555
(If MobSF Dynamic Analyzer doesn’t detect the android device) Configure ANALYZER_IDENTIFIER as the VM's device identifier 192.168.56.103:5555 in the ~/docker/mobsf/config.py

ANALYZER_IDENTIFIER = '192.168.56.103:5555'

Run MobSF via Docker

docker run -it --rm --name mobsf -p 8000:8000 -v ~/docker/mobsf:/home/mobsf/.MobSF opensecurity/mobile-security-framework-mobsf:latest

Start Dynamic Analysis on the desired application

Try the various Dynamic Testers (Exported Activity, Activity, TLS/SSL) and check the outputs in the UI.

Check the Logcat Stream and Live API Monitor
Start Instrumentation with the selected Frida Scripts and check the Frida Logs
Generate Report with the Dynamic Analysis information

BurpSuite

Install BurpSuite and use it to intercept application traffic.

# Kali Linux Install
sudo apt update && sudo apt install -y burpsuite

Set a new Proxy Listener bind to port 8082 on All interfaces

Configure the device / emulator to use the proxy
- Settings > Network & internet > Wi-Fi Network details
- Modify the Advanced Options setting the Proxy to the host IP running BurpSuite (vboxnet LAN or Bridged LAN IP) and port 8082
Open Chrome and navigate to google.com
HTTPS Traffic cannot be intercepted because of the unknow certificate (PortSwigger CA)

- Export BurpSuite certificate in DER format but renaming during saving into Burp_TCM.CER
- Copy the certificate to the device
```
cd ~/tcm/mapt
adb push Burp_TCM.CER /sdcard/
```
- Install the certificate (Sony: Settings > Lock screen & security > Advanced > Encryption & credentials > Install from device memory/SD card)
In BurpSuite turn Proxy Intercept ON and on the device re-open Chrome and navigate to google.com
- BurpSuite is accepting HTTPS traffic and Google website is working in Chrome

Frida & Objection

This command will determine the target architecture of your device using adb, extract the source APK, insert the INTERNET permission if it does not already exist, patch and embed the frida-gadget.so and repackage and sign a new APK for you.

unset _JAVA_OPTIONS # may be necessary

objection patchapk --source InjuredAndroid.apk

# if no device connected, specify the target architecture using the --architecture flag.

# Uninstall the original app and install the patched one
adb uninstall b3nac.injuredandroid
adb install InjuredAndroid.objection.apk

In case of "Can't Decode Resources" error with Kotlin apps, use the command
objection patchapk --source InjuredAndroid.apk --use-aapt2

Frida Manual Patching

Frida’s Gadget is a shared library meant to be loaded by programs to be instrumented when the Injected mode of operation isn’t suitable. Gadget gets kickstarted as soon as the dynamic linker executes its constructor function.

Decompile the apk

cd ~/apks
apktool d -r InjuredAndroid.apk
# -r does not decompile resources

# Get CPU architecture
adb shell getprop ro.product.cpu.abi
	arm64-v8a
adb shell cat /proc/cpuinfo

Add the frida-gadget into the APK’s /lib folder for the correct architecture - e.g. InjuredAndroid/lib/arm64-v8a

cd ~/apks/InjuredAndroid/lib/arm64-v8a # depends on the CPU architecture

wget -qO - https://github.com/frida/frida/releases/download/16.1.10/frida-gadget-16.1.10-android-arm64.so.xz | xz -d -c > libfrida-gadget.so

Inject frida-gadget into the bytecode (SMALI code) of the app, in a known exported activity or otherwise accessible Activity (usually MainActivity.smali, or OnboardingActivity.smali)

nano ~/apks/InjuredAndroid/smali/b3nac/injuredandroid/MainActivity.smali

# add the following lines in the ".method public constructor"

const-string v0, "frida-gadget"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V

Add the Internet permission to the manifest if not already there (necessary for Frida to open a socket).
Repackage the application

apktool b -o InjuredAndroid_repackaged.apk InjuredAndroid/

Sign the InjuredAndroid_repackaged.apk and zipalign the app

# Create a Keystore
keytool -genkey -v -keystore demo.keystore -alias demokeys -keyalg RSA -keysize 2048 -validity 10000

# Sign the APK
jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore demo.keystore -storepass demopw InjuredAndroid_repackaged.apk demokeys

# Check the signing status
jarsigner -verify --verbose InjuredAndroid_repackaged.apk

# zipalign the APK
zipalign -v 4 InjuredAndroid_repackaged.apk InjuredAndroid_repackaged-final.apk

Install the signed and aligned app

adb uninstall b3nac.injuredandroid
adb install InjuredAndroid_repackaged-final.apk

Open the app and test Objection

frida-ps -Uai
objection -g b3nac.injuredandroid explore

Objection Usage

objection -g b3nac.injuredandroid explore

# Some objection commands
android sslpinning disable
android clipboard monitor
memory dump all /tmp/dumped
android keystore list
android keystore watch
android root disable
android root simulate

Frida Codeshare

Find various Frida scripts in the Frida CodeShare projects.

e.g.

# Run it with
frida -U --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f b3nac.injuredandroid

frida -U --codeshare dzonerzy/fridantiroot -f b3nac.injuredandroid

frida -U --codeshare dki/ios-app-info -f b3nac.injuredandroid

# Or copy the code into a .js file and use it with frida/objection
frida -U -f b3nac.injuredandroid -l fridantiroot.js

# Objection
objection -g b3nac.injuredandroid explore --startup-script fridantiroot.js

objection -g b3nac.injuredandroid explore -s "android root disable"

Additional Dynamic Analysis

App file system

Always check the /data/data/ directory of the analyzed app.

Logcat - Pidcat

Look through the logcat logs.

# Logcat
adb logcat | grep "$(adb shell ps | grep <package-name> | awk '{print $2}')"

adb logcat -d -b all -v long -e b3nac.injuredandroid

# Pidcat
sudo apt install pidcat

pidcat b3nac.injuredandroid

Previous4. Android Static Analysis Next6. Android Bug Bounty

Last updated 1 year ago

Was this helpful?