Cybersecurity Android Apps

LEVEL: ADVANCED

When we are performing a pentest on an Android app, sometimes is useful to get the parameters that the application is sending through a function or even hijack some specific function to return other values.

Let’s see in this article how we can intercept and even hijack any method from a given Android APK.

First, you can retrieve the package name with this command:

adb shell pm list packages

The method that you are interested to hijack, you can retrieve it doing reverse engineering, targeting for a specific common method or even getting it from adb logcat.

The following frida standalone script will intercept and dump any call to the internal function javax.crypto.Mac.doFinal. In this example, we only dump the parameters and after that redirect the program flow to the original function.

Usage:

Usage: %0 <package name> <method>
Example: %0 com.android...... javax.crypto.Mac.doFinal
#!/usr/bin/python3
# Intercepts and dumps all parameters of method given in the command line
# DEFENSAHACKER Academy

import frida, sys

CODE = r'''
Java.perform(() => {
    // We overload javax.crypto.Mac.doFinal()

    const method = Java.use('javax.crypto.Mac');
    method.doFinal.overloads.forEach(f => {
        f.implementation = function(...args) {
            var hexkey= "";
            console.log(`[*] [${new Date().toString()}] javax.crypto.Mac.doFinal() called! Args: ${args.join(', ')}`);
            console.log("[-] Number of args: " + args.length);
            console.log("[-] length(args[0])= " + args[0].length);
            for (var i = 0; i < args[0].length; i++) {
                hexkey = hexkey + String.fromCharCode(args[0][i]);
            }
            console.log("[-] input string= " + hexkey);
            console.log('');
            // We develop an original method.
            f.call(this, ...args);
        }
    })
})
'''

if __name__ == '__main__':
    if len(sys.argv) != 3:
        print ("Usage: %0 <package name> <method>" %sys.argv[0])
        print ("Example: %0 com.android...... javax.crypto.Mac.doFinal" %sys.argv[0])
        sys.exit(1)
    package= sys.argv[1]
    method=  sys.argv[2];
    device = frida.get_usb_device()
    print("[*] Spawing process %s\n" %package)
    pid = device.spawn([package])
    session = device.attach(pid)
    session.enable_jit()
    script = session.create_script(CODE)
    device.resume(pid)
    script.load()
    sys.stdin.read()

From the above code, feel free to change the call we are intercepting to any other you are researching.

How useful was this post?

Click on a star to rate it!

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Leave a Reply