In this guide I will explain the basics of setting up an Android mobile pentesting lab. iOS apps can be analysed in much the same way, but an Android lab is easier and cheaper to set up. I will probably write a guide on setting up an iOS mobile pentesting lab in the future. Anyway, let's start!!
In order to set up our lab we will need the following elements:
- A rooted smartphone or emulator
- A proxy, like Zap Proxy or Burp Suite
- A dynamic instrumentation toolkit, FRIDA
Rooted smartphone or emulator
One of the reasons it is easier to set up an Android pentesting lab is that there are freely available emulators. iOS has simulators too, but to perform security analysis of real apps you will need a jailbroken device.

Android has several free emulators; one of the most used is the one shipped with Android Studio, Android Virtual Device (AVD). I do not recommend AVD for this lab. AVD images are not rooted out of the box (adb root only works on the images without Google Play, and even then there is no su binary for apps), and a rooted emulator gives us far more capabilities. You can always root an AVD image, but it is easier to use an emulator that is already rooted.

Two of the most popular options for rooted emulators are Genymotion and Nox Player. In my case I am going to choose Nox Player, but you can use whichever you want.
After installing Nox Player, rooting the device is as easy as enabling the root option in its system settings.
(Screenshot: Nox configuration settings)
Root device
If you prefer a physical device you will need to root it. Take into account that rooting usually requires unlocking the bootloader, which wipes the phone (factory reset), so back up first. I recommend Magisk, but there is no generic way to root Android devices: there are a lot of models with different security measures, so the best approach is to look up a guide on XDA or Google for your specific model.

The most common process is to unlock the bootloader, flash a custom recovery (or patch the stock boot image with Magisk and flash that) and then use Magisk to provide root access. But again, every device is different.
Interact with your rooted device
Android has a command-line tool called Android Debug Bridge (adb) that lets us communicate with Android devices. adb can perform a lot of operations: give us a shell, install applications, copy files and more. But first we need to install it.

There are two ways to install adb: a minimal installation or the full Android Studio. The minimal installation consists of downloading Google's SDK Platform-Tools package, which contains the adb (and fastboot) binaries, to our computer. Either way, once adb is on your system I recommend adding the binary to your PATH for easier access.
If everything is working you could run some basics ADB commands without trouble:
adb devices
ADB and Nox emulator
Take into account that if you are using the Nox emulator or a physical Android device, first you will need to enable USB Debugging from the Developer options menu. Remember that to unlock this menu you need to tap seven times on your Build number in Settings > About phone.

If you are using Nox an extra step is needed: connect adb to the emulator's adb port (62001 by default). Note that Nox ships its own adb binary; if the host adb is a different version the two adb servers will keep killing each other, so stick to one of them.
adb connect 127.0.0.1:62001
After doing this your devices should appear after typing adb devices.
This means that adb is successfully connected to our Android device.
ADB Basic commands
One of the most useful commands is adb shell, which gives us a shell inside the device.
adb shell
Because the emulator is rooted we can interact with every folder of the system; the prompt is #, not $. On a physical device rooted with Magisk, adb shell still lands as the unprivileged shell user ($): run su inside it (and approve the Magisk prompt) to become root.
We can also launch commands without the need of using an interactive shell.
adb shell pm list packages
(Screenshot: listing the installed apps)
Or copy an installed APK to our computer: first ask the package manager where the APK lives, then pull that path. The output of pm path is prefixed with package: and the directory name differs per device and install; an app shipped as split APKs prints one line per file, and you need all of them, not only base.apk.
adb shell pm path com.whatsapp
adb pull /data/app/com.whatsapp-1/base.apk Documents
adb offers many more capabilities; check the documentation, as there are a lot of options and commands.
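Added example (Python, not code from the original post): a small wrapper around the two adb commands above that handles the split-APK case. The pm path output it parses is a constructed sample; the package name and the Documents destination are placeholders, and pull_package() needs adb on the PATH and a connected device.

```python
"""Pull every APK that belongs to an installed package (split APKs included).

Added example, not from the original post. It wraps the adb commands shown
above; SAMPLE_PM_PATH_OUTPUT is a constructed sample of `pm path` output and
the package name / destination directory are only illustrative.
"""
import os
import subprocess
import sys
from typing import List

# Constructed sample of what `adb shell pm path <pkg>` prints for an app that
# ships as a base APK plus split APKs. Real directory names differ per device.
SAMPLE_PM_PATH_OUTPUT = (
    "package:/data/app/~~abc123==/com.example.app-xyz==/base.apk\r\n"
    "package:/data/app/~~abc123==/com.example.app-xyz==/split_config.arm64_v8a.apk\r\n"
    "package:/data/app/~~abc123==/com.example.app-xyz==/split_config.xxhdpi.apk\r\n"
)


def parse_pm_path(output: str) -> List[str]:
    """Turn `pm path` output into a list of on-device APK paths.

    Every useful line is `package:<path>`; adb on Windows adds a trailing \r,
    so whitespace is stripped. Lines without the prefix (warnings, blanks)
    are ignored instead of being turned into bogus paths.
    """
    paths = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            paths.append(line[len("package:"):])
    return paths


def pull_commands(paths: List[str], dest_dir: str) -> List[List[str]]:
    """Build one `adb pull` argv per APK, keeping the on-device file name.

    The one-liner in the post pulls only base.apk; an app with split APKs
    needs all of them to be reinstalled or analysed as a whole.
    """
    return [["adb", "pull", p, os.path.join(dest_dir, os.path.basename(p))]
            for p in paths]


def pull_package(package: str, dest_dir: str) -> List[str]:
    """Run the real thing against the connected device (adb must be on PATH)."""
    out = subprocess.run(["adb", "shell", "pm", "path", package],
                         capture_output=True, text=True, check=True).stdout
    os.makedirs(dest_dir, exist_ok=True)
    pulled = []
    for argv in pull_commands(parse_pm_path(out), dest_dir):
        subprocess.run(argv, check=True)
        pulled.append(argv[-1])
    return pulled


if __name__ == "__main__":
    pkg = sys.argv[1] if len(sys.argv) > 1 else "com.whatsapp"  # placeholder
    for local in pull_package(pkg, "Documents"):
        print("pulled", local)
```

Running python pull_apks.py com.whatsapp reproduces the post's two commands for a single-APK app and does the right thing for apps installed as several APKs.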
Proxy
Once connected to our rooted device it is always interesting to put a proxy in the middle to inspect or modify the traffic. There are multiple possibilities, such as Burp Proxy, OWASP ZAP or mitmproxy. Regardless of which proxy we use, we will need to install its custom Certificate Authority (CA) on the device. This is what allows us to intercept SSL/TLS traffic, as we did in my other post about MitM in WiFi networks.

First we need the proxy to be reachable from the emulator. Burp's default listener binds to 127.0.0.1:8080, which the Android device cannot reach. The easy fix is to edit the listener (Proxy > Options) to bind to all interfaces, or to the specific host address the device can reach (for example your LAN IP). Bear in mind that binding to all interfaces exposes the proxy to everyone on your network, so keep it to a lab network.
Once the proxy is listening we configure it on the device: go to the network settings, modify the Wi-Fi network and add the proxy host and port under the advanced options (the same can be done from adb through the global http_proxy setting).
At this point our proxy is running, but SSL/TLS traffic will fail because our CA is not trusted by the device. You can export the certificate from Burp and push it with adb, or, with the proxy already configured, browse to http://burpsuite and download the CA certificate from there.

A cacert.der file is downloaded to the Android device, but we need to rename it to cacert.cer: Android's certificate installer recognises .cer/.crt files, not .der.

Then we install it: Settings > Security > Install from SD card, select cacert.cer and confirm. This puts the CA in the user trust store, which is enough for the browser. Since Android 7 (API 24), however, apps that target API 24 or newer do not trust user-installed CAs by default, so for most real apps the certificate has to go into the system store (/system/etc/security/cacerts), which is where having a rooted device pays off.
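Added example (Python, not code from the original post): the system-store variant of the install. Android names each file in /system/etc/security/cacerts after OpenSSL's subject_hash_old of the certificate subject (the first four MD5 bytes of the DER-encoded Name, read little-endian, as eight hex digits plus .0), so this script computes that name from Burp's cacert.der, writes the PEM and prints the adb commands. The DER walker only follows the X.509 structure far enough to reach the subject; build_sample_cert() is a constructed stand-in used for testing, not a real CA.

```python
"""Install a proxy CA (e.g. Burp's cacert.der) into Android's system trust store.

Added example, not from the original post. Computes the subject_hash_old file
name Android expects, converts DER to PEM and prints the adb steps. The
certificate produced by build_sample_cert() is a constructed sample with no
real key or signature, used only to exercise the parser.
"""
import base64
import hashlib
import sys
from typing import List, Tuple

SYSTEM_CA_DIR = "/system/etc/security/cacerts"


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Return (tag, value_start, value_end) of the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_subject_der(cert_der: bytes) -> bytes:
    """Walk Certificate -> tbsCertificate and return the subject Name TLV."""
    tag, start, _ = _read_tlv(cert_der, 0)        # Certificate SEQUENCE
    assert tag == 0x30, "not a DER certificate"
    tag, pos, _ = _read_tlv(cert_der, start)      # tbsCertificate SEQUENCE
    assert tag == 0x30, "missing tbsCertificate"
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                                # optional version [0]
        pos = end
    for _ in range(4):                             # serial, signature, issuer, validity
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)         # subject Name
    assert tag == 0x30, "subject is not a SEQUENCE"
    return cert_der[pos:end]                       # tag + length + value, as OpenSSL hashes it


def subject_hash_old(name_der: bytes) -> int:
    """OpenSSL X509_NAME_hash_old: first 4 MD5 bytes of the DER Name, little-endian."""
    return int.from_bytes(hashlib.md5(name_der).digest()[:4], "little")


def android_ca_filename(cert_der: bytes) -> str:
    """File name inside the system store, e.g. '9a5ba575.0'."""
    return "%08x.0" % subject_hash_old(extract_subject_der(cert_der))


def der_to_pem(cert_der: bytes) -> str:
    """PEM is what the system store files contain (64-column base64)."""
    b64 = base64.b64encode(cert_der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def install_commands(pem_path: str, filename: str) -> List[str]:
    """adb steps for an emulator whose /system can be remounted read-write."""
    target = f"{SYSTEM_CA_DIR}/{filename}"
    return ["adb root", "adb remount", f"adb push {pem_path} {target}",
            f"adb shell chmod 644 {target}", "adb reboot"]


# --- constructed sample certificate: correct DER structure, no real crypto ---
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_name(common_name: str) -> bytes:
    """Name ::= SEQUENCE OF (SET OF SEQUENCE { OID 2.5.4.3 (CN), UTF8String })."""
    atv = _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, common_name.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def build_sample_cert(common_name: str = "Sample Proxy CA") -> bytes:
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))
    serial = _tlv(0x02, b"\x01")
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSA
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z"))
    spki = _tlv(0x30, b"\x00" * 160)  # filler; makes the outer lengths use the long form
    tbs = _tlv(0x30, version + serial + alg + build_name(common_name)
               + validity + build_name(common_name) + spki)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 17))


if __name__ == "__main__":
    der = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_cert()
    name = android_ca_filename(der)
    with open(name, "w") as f:
        f.write(der_to_pem(der))
    print("\n".join(install_commands(name, name)))
```

Run it as python install_ca.py cacert.der and execute the printed commands. adb remount only works where /system is writable (an AVD needs to be started with -writable-system). On a Magisk-rooted phone /system stays read-only; there the usual trick is to mount a tmpfs over /system/etc/security/cacerts, copy the existing files back in and add yours, or use a Magisk module that does the same. Unpinning scripts like the ones in the next section often remove the need for this, but having the CA in the system store makes everything that honours the platform trust store just work.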
If we open the browser and visit any HTTPS site, we will now be able to intercept and modify the traffic.
But what about apps? The whole point of this setup is to examine mobile apps and their requests. If you open Twitter or most other mobile apps, chances are you will not see anything in Burp (or the app will simply fail to connect). Mmm, what? Is the proxy not working?

The proxy is working, but mobile apps usually implement SSL certificate pinning. In a nutshell, certificate pinning makes the application ignore the device's CA store and trust only specific certificates or public keys hard-coded into it. The technique was designed to defeat MitM attacks, and it is indeed working against us.
Frida
So, how do we bypass SSL certificate pinning? This is where Frida comes to the rescue. Frida is a dynamic instrumentation toolkit that lets us interact with running apps: we can hook functions, change their return values or inspect memory. In this case we are going to use Frida to inject SSL pinning bypass scripts into Android apps.

The first thing we need to do is install Frida on our host system. I am using conda with Python 3.9, but any recent Python 3.x installation is valid. Just type pip install frida-tools:
pip install frida-tools
Once Frida is installed on our computer we need to set up frida-server inside the Android device/emulator. There are frida-server builds for different architectures; I am using an x86 emulator so I need frida-server-14.2.2-android-x86.xz, but a physical phone needs the ARM build (arm64 for most modern phones; check with getprop ro.product.cpu.abi if unsure). Two things matter when picking the download from https://github.com/frida/frida/releases: the architecture must match the device, and the server version must match the frida version installed on the host (frida --version), or the client will refuse to talk to it. After downloading, uncompress it and push it to the device, for example with adb push.
adb push frida-server /data/local/tmp
Finally, after pushing the binary we need to make it executable and run it. Starting it with & through adb shell sometimes leaves the adb session hanging; frida-server also accepts -D to daemonize itself, which avoids that.
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "/data/local/tmp/frida-server &"
Now we have Frida running on the Android device and we can talk to it from the host. An easy test is to list the running processes with frida-ps (the -U flag selects the USB device, which is also how adb-connected emulators show up).
frida-ps -U
frida-ps shows every running process we can inject into, to modify its behaviour or analyse its data.
SSL-Bypass
There are a lot of possible uses for Frida, and many ready-made scripts are available at Frida CodeShare. Two of the most used scripts for bypassing SSL pinning are universal-android-ssl-pinning-bypass-with-frida and frida-multiple-unpinning. Depending on the app you are analysing, one of them, both or neither will work. Bear in mind that there are many ways to implement pinning in an application (the platform TrustManager, OkHttp's CertificatePinner, a custom TrustManager, native code), so each case has to be analysed individually.

To use any of these scripts we just need to download it to our host and launch it. With -f Frida spawns the app and injects the script before the app's own code runs, which is what catches pinning set up at startup; --no-pause lets the app continue immediately:
frida -U -f [APP_ID] -l frida_multiple_unpinning.js --no-pause
(Screenshot: bypassing Twitter SSL pinning)
After launching Frida the app process is spawned and we start seeing the app's requests in our proxy.
(Screenshot: Twitter app request intercepted by Burp Proxy)
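Added example (Python, not code from the original post or the Frida project): the same spawn-and-inject flow as the frida CLI line above, but driven from Frida's Python API with a custom hook for the case where the public CodeShare scripts do not work. The embedded JavaScript hooks two common pinning paths, Conscrypt's TrustManagerImpl.verifyChain (Android 7+) and OkHttp3's CertificatePinner.check(String, List); the APP_ID value and the message format are this example's own. It needs pip install frida and a frida-server running on the device.

```python
"""Spawn an app with a custom Frida unpinning script instead of the frida CLI.

Added example, not from the original post or the Frida project. The embedded
JavaScript hooks two common pinning implementations; APP_ID is a placeholder
and the log format is this example's own. Requires `pip install frida` and a
matching frida-server on the device.
"""
import sys
from typing import Any, Dict

APP_ID = "com.example.app"  # placeholder: replace with the package under test

UNPIN_JS = r"""
Java.perform(function () {
  // 1. Android 7+ platform trust manager (Conscrypt). verifyChain has a single
  //    overload, so it can be replaced directly; returning the untrusted chain
  //    as-is makes every certificate "valid".
  try {
    var TMI = Java.use('com.android.org.conscrypt.TrustManagerImpl');
    TMI.verifyChain.implementation = function (untrusted, anchors, host, clientAuth, ocsp, sct) {
      send({hook: 'TrustManagerImpl.verifyChain', host: host});
      return untrusted;
    };
  } catch (e) { send({hook: 'TrustManagerImpl', error: '' + e}); }

  // 2. OkHttp3 pins: the real check throws SSLPeerUnverifiedException on a
  //    mismatch; an empty body means "pin matched".
  try {
    var Pinner = Java.use('okhttp3.CertificatePinner');
    Pinner.check.overload('java.lang.String', 'java.util.List').implementation = function (host, certs) {
      send({hook: 'okhttp3.CertificatePinner.check', host: host});
    };
  } catch (e) { send({hook: 'okhttp3.CertificatePinner', error: '' + e}); }
});
"""


def format_message(message: Dict[str, Any]) -> str:
    """Render a Frida script message (send() payloads and script errors) as one log line."""
    if message.get("type") == "send":
        payload = message.get("payload")
        if isinstance(payload, dict) and "error" in payload:
            return f"[skip] {payload.get('hook')}: {payload['error']}"
        if isinstance(payload, dict):
            return f"[bypass] {payload.get('hook')} host={payload.get('host')}"
        return f"[script] {payload}"
    if message.get("type") == "error":
        return f"[error] {message.get('description')} (line {message.get('lineNumber')})"
    return f"[?] {message}"


def run(app_id: str = APP_ID, script_source: str = UNPIN_JS) -> None:
    """Equivalent of `frida -U -f <app> -l script.js --no-pause`."""
    import frida  # imported here so format_message() is usable without frida installed

    device = frida.get_usb_device(timeout=5)
    pid = device.spawn([app_id])           # start the app suspended, like -f
    session = device.attach(pid)
    script = session.create_script(script_source)
    script.on("message", lambda msg, data: print(format_message(msg)))
    script.load()                          # hooks are live before any app code runs
    device.resume(pid)                     # what --no-pause does
    print("hooked; press Ctrl+C to detach")
    try:
        sys.stdin.read()
    except KeyboardInterrupt:
        pass
    session.detach()


if __name__ == "__main__":
    run(sys.argv[1] if len(sys.argv) > 1 else APP_ID)
```

Run python unpin.py com.example.app with the proxy configured; every bypassed check is reported with the hostname it was made for, which is the quickest way to confirm the hook is actually being hit. If an app still refuses to connect, the pinning code it uses is the first thing to look for in a decompiler: custom TrustManagers, older Conscrypt entry points or native TLS stacks need their own hooks, and Pinner.check.overloads lists the available overloads when Frida complains about ambiguity.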
objection — Runtime Mobile Exploration
Frida can be used directly, as we just saw, but I really like a tool called objection. objection is a runtime mobile exploration toolkit, powered by Frida and developed by SensePost. It basically wraps the most common Frida operations in an interactive shell. Its installation is as easy as running pip install:
pip3 install objection
Then we can start using it. For example, to attach to an application (by package name, with --gadget) and get an interactive prompt:
objection --gadget "com.twitter.android" explore
You can disable SSL pinning using objection too:
android sslpinning disable
Or list the directories the application uses (the env command). There are other useful features, such as listing all the Activities the application declares:

android hooking list activities

Check the project's GitHub wiki for the full command reference.
Conclusions
All of these tools and this environment will let us perform live analysis of almost any application. There are always other possibilities, but I have listed my preferred and the most popular tools for mobile app pentesting.

I am aware that I am not covering reversing and static analysis; I will probably write another post about that. Static analysis of iOS apps is harder, but Android allows us to do a lot.

Hope you like my post ;) and let me know if you prefer other tools or techniques that I did not mention.