5. Android Dynamic Analysis
SSL pinning enhances SSL/TLS security in mobile apps by associating a specific SSL certificate or public key with a server. This mitigates man-in-the-middle risks by ensuring the app communicates only with servers presenting the expected, pinned certificates.
Even when an Android user or root CA certificate is imported, an app with active SSL pinning refuses to trust it, so attempts to intercept its network traffic fail.
A pentester needs to bypass certificate pinning to see live application traffic.
Proxyman (available only on macOS)
Android Interception Process
1. Start the proxy software and configure it
2. Set the proxy in the emulator/physical device network settings
3. Intercept HTTP traffic
4. Import the CA certificate and trust it in the certificate store
5. Intercept HTTPS traffic (fails while SSL pinning is active)
6. Use Objection/Frida tools to bypass SSL pinning and intercept HTTPS traffic
Supports x86 and x86_64 architectures, Android 4.1 - 11.0 (up to API 30)
🔗 Setting up MobSF dynamic analyzer for security testing of Android applications - Sarvesh Sharma
1. Start the Genymotion Android VM (e.g. API 29 - it uses Frida and works out of the box) before starting MobSF. Device identifier: 192.168.56.103:5555
2. (If the MobSF Dynamic Analyzer doesn't detect the Android device) configure ANALYZER_IDENTIFIER as the VM's device identifier 192.168.56.103:5555 in ~/docker/mobsf/config.py
3. Run MobSF via Docker
4. Navigate to http://0.0.0.0:8000/dynamic_analysis/ and click on MobSFy Android Runtime, then the MobSFy! button
5. Start Dynamic Analysis on the desired application
6. Try the various Dynamic Testers (Exported Activity, Activity, TLS/SSL) and check the outputs in the UI
7. Check the Logcat Stream and Live API Monitor
8. Start Instrumentation with the selected Frida scripts and check the Frida Logs
9. Generate Report with the Dynamic Analysis information
Install BurpSuite and use it to intercept application traffic.
1. Set a new Proxy Listener bound to port 8082 on all interfaces
2. Configure the device / emulator to use the proxy: Settings > Network & internet > Wi-Fi > Network details. Modify the Advanced Options, setting the proxy to the IP of the host running BurpSuite (vboxnet LAN or bridged LAN IP) and port 8082
3. Open Chrome and navigate to google.com. HTTPS traffic cannot be intercepted because of the unknown certificate (PortSwigger CA)
4. Install the BurpSuite certificate on the Android device: export the BurpSuite certificate in DER format, renaming it to Burp_TCM.CER while saving; copy the certificate to the device; install the certificate (Sony: Settings > Lock screen & security > Advanced > Encryption & credentials > Install from device memory/SD card)
5. In BurpSuite turn Proxy Intercept ON, then on the device re-open Chrome and navigate to google.com. BurpSuite now accepts the HTTPS traffic and the Google website works in Chrome
🔗 Frida - Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers
🔗 Objection - a runtime mobile exploration toolkit, powered by Frida
🔗 Apktool
Install Frida first, then Objection. Check the Android Lab for instructions.
Patch the Android app with Objection, which automates the patching process (using aapt, adb, jarsigner, apktool). This command determines the target architecture of your device using adb, extracts the source APK, inserts the INTERNET permission if it does not already exist, patches in and embeds frida-gadget.so, then repackages and signs a new APK for you.
In case of a "Can't Decode Resources" error with Kotlin apps, use the command
Frida’s Gadget is a shared library meant to be loaded by programs to be instrumented when the Injected mode of operation isn’t suitable. Gadget gets kickstarted as soon as the dynamic linker executes its constructor function.
With split APKs, use the patch-apk tool - an APK patcher, for use with Objection, that supports Android app bundles/split APKs.
1. Decompile the APK
2. Download the Frida native library (frida-gadget) for the CPU architecture of the physical/emulator device from the Frida release page
3. Add frida-gadget into the APK's /lib folder for the correct architecture - e.g. InjuredAndroid/lib/arm64-v8a
4. Inject frida-gadget into the bytecode (SMALI code) of the app, in a known exported activity or otherwise accessible Activity (usually MainActivity.smali or OnboardingActivity.smali)
5. Add the Internet permission to the manifest if not already there (necessary for Frida to open a socket)
6. Repackage the application
7. Sign the InjuredAndroid_repackaged.apk and zipalign the app
8. Install the signed and aligned app
9. Open the app and test Objection
Find various Frida scripts in the Frida CodeShare project.
Always check the /data/data/ directory of the analyzed app.
Look through the logcat logs.
Check system and application logs with logcat or pidcat for unintended data leakage.
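As an added example (not part of the original notes or of any tool named here), a small Python checker that applies the logcat/pidcat review above to captured log lines: it parses logcat's threadtime format, optionally keeps only the analyzed app's PID (the way pidcat narrows the log to one package), and flags messages that look like leaked credentials or PII. The sample log lines, the PID 4242 and the pattern set are constructed for illustration.

```python
import re

# logcat "threadtime" format: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
LOGCAT_RE = re.compile(
    r"^(?P<date>\d\d-\d\d)\s+(?P<time>[\d:.]+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)"
    r"\s+(?P<level>[VDIWEF])\s+(?P<tag>[^:]*?)\s*:\s(?P<msg>.*)$"
)

# Data that should never be written to logcat: it is readable by anyone with adb
# access and ends up in bug reports. Constructed starting set, not an exhaustive list.
LEAK_PATTERNS = {
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9\-._~+/]{16,}=*"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
    "password_field": re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*\S+"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "set_cookie": re.compile(r"(?i)set-cookie:\s*\S+"),
}

def parse_logcat(lines):
    """Yield one dict per line in threadtime format; non-matching lines are skipped."""
    for line in lines:
        m = LOGCAT_RE.match(line)
        if m:
            yield m.groupdict()

def find_leaks(lines, pid=None):
    """Return [(pid, tag, kind, matched_text), ...] for messages that look like leakage.
    With pid set, only that process is inspected (what pidcat does for a package name)."""
    hits = []
    for rec in parse_logcat(lines):
        if pid is not None and rec["pid"] != str(pid):
            continue
        for kind, pattern in LEAK_PATTERNS.items():
            m = pattern.search(rec["msg"])
            if m:
                hits.append((rec["pid"], rec["tag"], kind, m.group(0)))
    return hits

# Constructed sample in `adb logcat -v threadtime` form; PID 4242 is the app under test.
SAMPLE_LOGCAT = [
    "03-15 10:22:01.123  4242  4242 D LoginActivity: POST /api/login password=Hunter2! user=alice@example.com",
    "03-15 10:22:01.456  4242  4260 I OkHttp  : Authorization: Bearer abcDEF1234567890ghijKLMN",
    "03-15 10:22:02.001  4242  4260 I OkHttp  : --> GET https://api.example.com/profile",
    "03-15 10:22:02.100  1001  1001 D SystemServer: user alice@example.com logged in",
    "03-15 10:22:03.000  4242  4242 E Crash   : invalid token eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.sig_placeholder_xxxx",
]

if __name__ == "__main__":
    for pid, tag, kind, text in find_leaks(SAMPLE_LOGCAT, pid=4242):
        print(f"[{pid}] {tag}: {kind} -> {text}")
```

To run it against a real capture, feed it the lines of `adb logcat -v threadtime` and pass the app's PID (from `adb shell pidof <package>`); every hit is a finding to report as unintended data leakage.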