SlideShare una empresa de Scribd logo

Pentesting Android Apps using Frida (Beginners)

C
Chandrapal Badshah

This document discusses using Frida, a dynamic instrumentation toolkit, to bypass security defenses in Android apps. It provides an introduction to Frida and how it works, describes common Android app defenses like anti-debugging and anti-emulation checks, and demonstrates how to use Frida to bypass some of these defenses through code injection and interception. The document contains code examples and promises a demo of using Frida to monitor and intercept methods in an Android app in real-time.

Tecnología
1 de 36
Descargar para leer sin conexión
Pentesting Android Apps using Frida (Beginner level)
Some other titles Instrumentation at the age of obfuscation Pentesting Android Apps using Dynamic Binary Instrumentation It’s a secure Android app ! Let’s hook it up
Agenda - Introduction to Frida - Android app basics - Android app defences - Using Frida to bypass basic defences - Demo
What is Frida ? Dynamic instrumentation toolkit for developers, reverse- engineers, and security researchers.
What is Frida ? Dynamic instrumentation toolkit for developers, reverse- engineers, and security researchers.
What is Dynamic Instrumentation ? Ability to monitor or measure the level of a product's performance, to diagnose errors and to write trace information. Includes code tracing, debugging, profiling, etc
What is Dynamic Instrumentation ? Ability to monitor or measure the level of a product's performance, to diagnose errors and to write trace information. Includes code tracing, debugging, profiling, etc
Finally, What is Frida ? Frida is a toolkit which can be used to monitor / debug a process (app at runtime)
Frida - More than an instrumentation framework. - Injects scripts into processes. Only JavaScript - Portable. Multi-platform support. - Windows / Linux / Mac - Android / iOS - Bindings in multiple languages - NodeJS - Python - Swift bindings - .NET bindings - C API - Free. Complete code on GitHub
How does it work ? Version of server and client should match. Select the correct architecture.
Modes of Operation - Injected - Spawn an existing program (create and execute child process) - Attach/Hooking to running program - Hijack a process when its spawned - Requires Root/Admin priv - Embedded - Useful in non-jailbroken iOS / non-root Android - Preloaded
Frida Toolkit - frida : CLI tool - frida-discover : Tool to discover internal functions - frida-kill : Tool to kill processes - frida-ls-devices : Tool to list attached devices - frida-ps : CLI tool to list processes (useful for remote systems) - frida-trace : Tool for dynamically tracing function calls
Why do we need another debugger ? - More than a debugger - Apart from setting breakpoints, it helps injecting code - From security perspective, apps have been checking for the presence of debuggers since a long time. Mainly GDB “GDB in 2018 is prevented in 2018 different funny ways with different funny tricks” - Best suited for Android apps due to disadvantages in previous instrumentation framework - Xposed. (Restart required for every code change)
Android App Basics - Android apps were traditionally developed using Java, now moving to Kotlin - Each app runs as a user (user level isolation) - Activity - onCreate - initialization function - Compile it. Requires it to be signed. - Android had been using Dalvik VM, but now they are moving to Android RunTime (ART)
Java example
Java example Output: Good Morning, Null Comrades
Frida for Android
Frida Useful commands frida-ps -U frida -U com.target.app --no-pause frida -U -l ssl-pinning.js -f com.target.app --no-pause frida -U -c pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f com.target.app --no-pause
DEMO #1
Frida Template for Android - JavaScript Java.perform(function() { Java.enumerateLoadedClasses({ "onMatch":function(className){ if(className.includes("badshah")) { console.log(className) } }, "onComplete":function(){} } )})
Frida common API Java.use("android.util.Log") - Uses that particular class .implementation - Overrides the default implementation .overload - When polymorphism is used, this can be really useful
Android App Defences There are multiple defences that Android developers use to protect their apps from attackers. They include: - Security through Obscurity - Anti Emulation / Anti-VM checks - Anti-Debug checks - Root check - SSL Pinning - Tamper detection - Obfuscation - Packers
Android App Defences There are multiple defences that Android developers use to protect their apps from attackers. They include: - Security through Obscurity - Anti Emulation / Anti-VM checks - Anti-Debug checks - Root check - SSL Pinning - Tamper detection - Obfuscation - Packers
Security Through Obscurity - Hardcoded passwords are not very popular - Trend is Base64 encoded / Character / Buffer array - Even store in .so (shared object) files
Scenario: FTPConnector(pwd()) pwd() Internet
Code
DEMO #2
Anti Emulation / Anti-VM checks Find more at: https://github.com/CalebFenton/AndroidEmulatorDetect/blob/master/app/src/main/java/org/cf/emulatordetect/Detector.java
Scenario Sensitive Action Non-Sensitive Action StartAction() CheckVM() NOT VM VM
Code
DEMO #3
Anti Debug Check Change the command - as per root detection in Frida codeshare
Scenario Sensitive Action Non-Sensitive Action StartAction() CheckDebug() NO DEBUG DEBUG
Code
DEMO #4
THE END

Recomendados

FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 AndroidTony Thomas
 
Introduction to Frida
Introduction to FridaIntroduction to Frida
Introduction to FridaAbhishekJaiswal270
 
DBI-Assisted Android Application Reverse Engineering
DBI-Assisted Android Application Reverse EngineeringDBI-Assisted Android Application Reverse Engineering
DBI-Assisted Android Application Reverse EngineeringSahil Dhar
 
Frida Android run time hooking - Bhargav Gajera & Vitthal Shinde
Frida Android run time hooking - Bhargav Gajera & Vitthal ShindeFrida Android run time hooking - Bhargav Gajera & Vitthal Shinde
Frida Android run time hooking - Bhargav Gajera & Vitthal ShindeNSConclave
 
Hacking with frida
Hacking with fridaHacking with frida
Hacking with fridan|u - The Open Security Community
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usagen|u - The Open Security Community
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testingRoshan Kumar Gami
 

Recomendados

FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 AndroidTony Thomas
 
Introduction to Frida
Introduction to FridaIntroduction to Frida
Introduction to FridaAbhishekJaiswal270
 
DBI-Assisted Android Application Reverse Engineering
DBI-Assisted Android Application Reverse EngineeringDBI-Assisted Android Application Reverse Engineering
DBI-Assisted Android Application Reverse EngineeringSahil Dhar
 
Frida Android run time hooking - Bhargav Gajera & Vitthal Shinde
Frida Android run time hooking - Bhargav Gajera & Vitthal ShindeFrida Android run time hooking - Bhargav Gajera & Vitthal Shinde
Frida Android run time hooking - Bhargav Gajera & Vitthal ShindeNSConclave
 
Hacking with frida
Hacking with fridaHacking with frida
Hacking with fridan|u - The Open Security Community
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usagen|u - The Open Security Community
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testingRoshan Kumar Gami
 
Android 10
Android 10Android 10
Android 10kpraveen_slideshare
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android AppsAbdelhamid Limami
 
Android Treble: Blessing or Trouble?
Android Treble: Blessing or Trouble?Android Treble: Blessing or Trouble?
Android Treble: Blessing or Trouble?Opersys inc.
 
Android Storage - Vold
Android Storage - VoldAndroid Storage - Vold
Android Storage - VoldWilliam Lee
 
Inside Android's UI
Inside Android's UIInside Android's UI
Inside Android's UIOpersys inc.
 
Implementing generic JNI hardware control for Kotlin based app on AOSP
Implementing generic JNI hardware control for Kotlin based app on AOSPImplementing generic JNI hardware control for Kotlin based app on AOSP
Implementing generic JNI hardware control for Kotlin based app on AOSPCheng Wig
 
Android Internals
Android InternalsAndroid Internals
Android InternalsOpersys inc.
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Using the Android Native Development Kit (NDK)
Using the Android Native Development Kit (NDK)Using the Android Native Development Kit (NDK)
Using the Android Native Development Kit (NDK)Xavier Hallade
 
Android's HIDL: Treble in the HAL
Android's HIDL: Treble in the HALAndroid's HIDL: Treble in the HAL
Android's HIDL: Treble in the HALOpersys inc.
 
Learning AOSP - Android Booting Process
Learning AOSP - Android Booting ProcessLearning AOSP - Android Booting Process
Learning AOSP - Android Booting ProcessNanik Tolaram
 
Android internals By Rajesh Khetan
Android internals By Rajesh KhetanAndroid internals By Rajesh Khetan
Android internals By Rajesh KhetanRajesh Khetan
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
Android OS Porting: Introduction
Android OS Porting: IntroductionAndroid OS Porting: Introduction
Android OS Porting: IntroductionJollen Chen
 
Android+init+process
Android+init+processAndroid+init+process
Android+init+processHong Jae Kwon
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Ajin Abraham
 
Android audio system(audioflinger)
Android audio system(audioflinger)Android audio system(audioflinger)
Android audio system(audioflinger)fefe7270
 
Explore Android Internals
Explore Android InternalsExplore Android Internals
Explore Android InternalsNational Cheng Kung University
 
AndroidとSELinux
AndroidとSELinuxAndroidとSELinux
AndroidとSELinuxandroid sola
 
Android Binder: Deep Dive
Android Binder: Deep DiveAndroid Binder: Deep Dive
Android Binder: Deep DiveZafar Shahid, PhD
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingRomansh Yadav
 
Android's security architecture
Android's security architectureAndroid's security architecture
Android's security architectureOfer Rivlin, CISSP
 

Más contenido relacionado

La actualidad más candente

Android Treble: Blessing or Trouble?
Android Treble: Blessing or Trouble?Android Treble: Blessing or Trouble?
Android Treble: Blessing or Trouble?Opersys inc.
 
Android Storage - Vold
Android Storage - VoldAndroid Storage - Vold
Android Storage - VoldWilliam Lee
 
Inside Android's UI
Inside Android's UIInside Android's UI
Inside Android's UIOpersys inc.
 
Implementing generic JNI hardware control for Kotlin based app on AOSP
Implementing generic JNI hardware control for Kotlin based app on AOSPImplementing generic JNI hardware control for Kotlin based app on AOSP
Implementing generic JNI hardware control for Kotlin based app on AOSPCheng Wig
 
Using the Android Native Development Kit (NDK)
Using the Android Native Development Kit (NDK)Using the Android Native Development Kit (NDK)
Using the Android Native Development Kit (NDK)Xavier Hallade
 
Android's HIDL: Treble in the HAL
Android's HIDL: Treble in the HALAndroid's HIDL: Treble in the HAL
Android's HIDL: Treble in the HALOpersys inc.
 
Learning AOSP - Android Booting Process
Learning AOSP - Android Booting ProcessLearning AOSP - Android Booting Process
Learning AOSP - Android Booting ProcessNanik Tolaram
 
Android internals By Rajesh Khetan
Android internals By Rajesh KhetanAndroid internals By Rajesh Khetan
Android internals By Rajesh KhetanRajesh Khetan
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
Android OS Porting: Introduction
Android OS Porting: IntroductionAndroid OS Porting: Introduction
Android OS Porting: IntroductionJollen Chen
 
Android+init+process
Android+init+processAndroid+init+process
Android+init+processHong Jae Kwon
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Ajin Abraham
 
Android audio system(audioflinger)
Android audio system(audioflinger)Android audio system(audioflinger)
Android audio system(audioflinger)fefe7270
 

La actualidad más candente (20)

Android 10
Android 10Android 10
Android 10
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android Apps
 
Android Treble: Blessing or Trouble?
Android Treble: Blessing or Trouble?Android Treble: Blessing or Trouble?
Android Treble: Blessing or Trouble?
 
Android Storage - Vold
Android Storage - VoldAndroid Storage - Vold
Android Storage - Vold
 
Inside Android's UI
Inside Android's UIInside Android's UI
Inside Android's UI
 
Implementing generic JNI hardware control for Kotlin based app on AOSP
Implementing generic JNI hardware control for Kotlin based app on AOSPImplementing generic JNI hardware control for Kotlin based app on AOSP
Implementing generic JNI hardware control for Kotlin based app on AOSP
 
Android Internals
Android InternalsAndroid Internals
Android Internals
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
 
Using the Android Native Development Kit (NDK)
Using the Android Native Development Kit (NDK)Using the Android Native Development Kit (NDK)
Using the Android Native Development Kit (NDK)
 
Android's HIDL: Treble in the HAL
Android's HIDL: Treble in the HALAndroid's HIDL: Treble in the HAL
Android's HIDL: Treble in the HAL
 
Learning AOSP - Android Booting Process
Learning AOSP - Android Booting ProcessLearning AOSP - Android Booting Process
Learning AOSP - Android Booting Process
 
Android internals By Rajesh Khetan
Android internals By Rajesh KhetanAndroid internals By Rajesh Khetan
Android internals By Rajesh Khetan
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
Android OS Porting: Introduction
Android OS Porting: IntroductionAndroid OS Porting: Introduction
Android OS Porting: Introduction
 
Android+init+process
Android+init+processAndroid+init+process
Android+init+process
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
 
Android audio system(audioflinger)
Android audio system(audioflinger)Android audio system(audioflinger)
Android audio system(audioflinger)
 
Explore Android Internals
Explore Android InternalsExplore Android Internals
Explore Android Internals
 
AndroidとSELinux
AndroidとSELinuxAndroidとSELinux
AndroidとSELinux
 
Android Binder: Deep Dive
Android Binder: Deep DiveAndroid Binder: Deep Dive
Android Binder: Deep Dive
 

Similar a Pentesting Android Apps using Frida (Beginners)

Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingRomansh Yadav
 
Android's security architecture
Android's security architectureAndroid's security architecture
Android's security architectureOfer Rivlin, CISSP
 
MOBILE PENTESTING Frida.pdf
MOBILE PENTESTING Frida.pdfMOBILE PENTESTING Frida.pdf
MOBILE PENTESTING Frida.pdfAdityamd4
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsRon Munitz
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakAbraham Aranguren
 
Outsmarting smartphones
Outsmarting smartphonesOutsmarting smartphones
Outsmarting smartphonesSensePost
 
ARTist - A Novel Instrumentation Framework for Reversing and Analyzing Androi...
ARTist - A Novel Instrumentation Framework for Reversing and Analyzing Androi...ARTist - A Novel Instrumentation Framework for Reversing and Analyzing Androi...
ARTist - A Novel Instrumentation Framework for Reversing and Analyzing Androi...Priyanka Aash
 
Android Programming made easy
Android Programming made easyAndroid Programming made easy
Android Programming made easyLars Vogel
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
Getting started with android
Getting started with androidGetting started with android
Getting started with androidVandana Verma
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 
Introduction to Android Development Part 1
Introduction to Android Development Part 1Introduction to Android Development Part 1
Introduction to Android Development Part 1Kainda Kiniel Daka
 
Android Internals (This is not the droid you’re loking for...)
Android Internals (This is not the droid you’re loking for...)Android Internals (This is not the droid you’re loking for...)
Android Internals (This is not the droid you’re loking for...)Giacomo Bergami
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
Module-I_Introduction-to-Android.pptx
Module-I_Introduction-to-Android.pptxModule-I_Introduction-to-Android.pptx
Module-I_Introduction-to-Android.pptxlancelotlaytan1996
 
Building Android games using LibGDX
Building Android games using LibGDXBuilding Android games using LibGDX
Building Android games using LibGDXJussi Pohjolainen
 

Similar a Pentesting Android Apps using Frida (Beginners) (20)

Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
 
Android's security architecture
Android's security architectureAndroid's security architecture
Android's security architecture
 
MOBILE PENTESTING Frida.pdf
MOBILE PENTESTING Frida.pdfMOBILE PENTESTING Frida.pdf
MOBILE PENTESTING Frida.pdf
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android Apps
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreak
 
Outsmarting smartphones
Outsmarting smartphonesOutsmarting smartphones
Outsmarting smartphones
 
Hybrid HTML5 Apps
Hybrid HTML5 AppsHybrid HTML5 Apps
Hybrid HTML5 Apps
 
ARTist - A Novel Instrumentation Framework for Reversing and Analyzing Androi...
ARTist - A Novel Instrumentation Framework for Reversing and Analyzing Androi...ARTist - A Novel Instrumentation Framework for Reversing and Analyzing Androi...
ARTist - A Novel Instrumentation Framework for Reversing and Analyzing Androi...
 
Android Programming made easy
Android Programming made easyAndroid Programming made easy
Android Programming made easy
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
 
Getting started with android
Getting started with androidGetting started with android
Getting started with android
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentesting
 
Mind the gap
Mind the gapMind the gap
Mind the gap
 
Introduction to Android Development Part 1
Introduction to Android Development Part 1Introduction to Android Development Part 1
Introduction to Android Development Part 1
 
Android Internals (This is not the droid you’re loking for...)
Android Internals (This is not the droid you’re loking for...)Android Internals (This is not the droid you’re loking for...)
Android Internals (This is not the droid you’re loking for...)
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 
Module-I_Introduction-to-Android.pptx
Module-I_Introduction-to-Android.pptxModule-I_Introduction-to-Android.pptx
Module-I_Introduction-to-Android.pptx
 
Building Android games using LibGDX
Building Android games using LibGDXBuilding Android games using LibGDX
Building Android games using LibGDX
 

Más de Chandrapal Badshah

Dangling DNS records takeover at scale
Dangling DNS records takeover at scaleDangling DNS records takeover at scale
Dangling DNS records takeover at scaleChandrapal Badshah
 
Detecting secrets in code committed to gitlab (in real time)
Detecting secrets in code committed to gitlab (in real time)Detecting secrets in code committed to gitlab (in real time)
Detecting secrets in code committed to gitlab (in real time)Chandrapal Badshah
 
How to get started in InfoSec ?
How to get started in InfoSec ?How to get started in InfoSec ?
How to get started in InfoSec ?Chandrapal Badshah
 
OSINT mindset to protect your organization - Null monthly meet version
OSINT mindset to protect your organization - Null monthly meet versionOSINT mindset to protect your organization - Null monthly meet version
OSINT mindset to protect your organization - Null monthly meet versionChandrapal Badshah
 
OSINT Mindset to protect your Organization
OSINT Mindset to protect your OrganizationOSINT Mindset to protect your Organization
OSINT Mindset to protect your OrganizationChandrapal Badshah
 
Solving OWASP MSTG CrackMe using Frida
Solving OWASP MSTG CrackMe using FridaSolving OWASP MSTG CrackMe using Frida
Solving OWASP MSTG CrackMe using FridaChandrapal Badshah
 
Let’s hunt the target using OSINT
Let’s hunt the target using OSINTLet’s hunt the target using OSINT
Let’s hunt the target using OSINTChandrapal Badshah
 

Más de Chandrapal Badshah (11)

Dangling DNS records takeover at scale
Dangling DNS records takeover at scaleDangling DNS records takeover at scale
Dangling DNS records takeover at scale
 
Detecting secrets in code committed to gitlab (in real time)
Detecting secrets in code committed to gitlab (in real time)Detecting secrets in code committed to gitlab (in real time)
Detecting secrets in code committed to gitlab (in real time)
 
How to get started in InfoSec ?
How to get started in InfoSec ?How to get started in InfoSec ?
How to get started in InfoSec ?
 
OSINT mindset to protect your organization - Null monthly meet version
OSINT mindset to protect your organization - Null monthly meet versionOSINT mindset to protect your organization - Null monthly meet version
OSINT mindset to protect your organization - Null monthly meet version
 
OSINT Mindset to protect your Organization
OSINT Mindset to protect your OrganizationOSINT Mindset to protect your Organization
OSINT Mindset to protect your Organization
 
Solving OWASP MSTG CrackMe using Frida
Solving OWASP MSTG CrackMe using FridaSolving OWASP MSTG CrackMe using Frida
Solving OWASP MSTG CrackMe using Frida
 
OWASP Serverless Top 10
OWASP Serverless Top 10OWASP Serverless Top 10
OWASP Serverless Top 10
 
Let’s hunt the target using OSINT
Let’s hunt the target using OSINTLet’s hunt the target using OSINT
Let’s hunt the target using OSINT
 
pwnd.sh
pwnd.shpwnd.sh
pwnd.sh
 
Web Application Firewall
Web Application FirewallWeb Application Firewall
Web Application Firewall
 
Netcat - A Swiss Army Tool
Netcat - A Swiss Army ToolNetcat - A Swiss Army Tool
Netcat - A Swiss Army Tool
 

Último

Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentMahmoud Rabie
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 

Último (20)

Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 

Pentesting Android Apps using Frida (Beginners)

  • 2. Some other titles Instrumentation at the age of obfuscation Pentesting Android Apps using Dynamic Binary Instrumentation It’s a secure Android app ! Let’s hook it up
  • 3. Agenda - Introduction to Frida - Android app basics - Android app defences - Using Frida to bypass basic defences - Demo
  • 4. What is Frida ? Dynamic instrumentation toolkit for developers, reverse- engineers, and security researchers.
  • 5. What is Frida ? Dynamic instrumentation toolkit for developers, reverse- engineers, and security researchers.
  • 6. What is Dynamic Instrumentation ? Ability to monitor or measure the level of a product's performance, to diagnose errors and to write trace information. Includes code tracing, debugging, profiling, etc
  • 7. What is Dynamic Instrumentation ? Ability to monitor or measure the level of a product's performance, to diagnose errors and to write trace information. Includes code tracing, debugging, profiling, etc
  • 8. Finally, What is Frida ? Frida is a toolkit which can be used to monitor / debug a process (app at runtime)
  • 9. Frida - More than an instrumentation framework. - Injects scripts into processes. Only JavaScript - Portable. Multi-platform support. - Windows / Linux / Mac - Android / iOS - Bindings in multiple languages - NodeJS - Python - Swift bindings - .NET bindings - C API - Free. Complete code on GitHub
  • 10. How does it work ? Version of server and client should match. Select the correct architecture.
  • 11. Modes of Operation - Injected - Spawn an existing program (create and execute child process) - Attach/Hooking to running program - Hijack a process when its spawned - Requires Root/Admin priv - Embedded - Useful in non-jailbroken iOS / non-root Android - Preloaded
  • 12. Frida Toolkit - frida : CLI tool - frida-discover : Tool to discover internal functions - frida-kill : Tool to kill processes - frida-ls-devices : Tool to list attached devices - frida-ps : CLI tool to list processes (useful for remote systems) - frida-trace : Tool for dynamically tracing function calls
  • 13. Why do we need another debugger ? - More than a debugger - Apart from setting breakpoints, it helps injecting code - From security perspective, apps have been checking for the presence of debuggers since a long time. Mainly GDB “GDB in 2018 is prevented in 2018 different funny ways with different funny tricks” - Best suited for Android apps due to disadvantages in previous instrumentation framework - Xposed. (Restart required for every code change)
  • 14. Android App Basics - Android apps were traditionally developed using Java, now moving to Kotlin - Each app runs as a user (user level isolation) - Activity - onCreate - initialization function - Compile it. Requires it to be signed. - Android had been using Dalvik VM, but now they are moving to Android RunTime (ART)
  • 16. Java example Output: Good Morning, Null Comrades
  • 18. Frida Useful commands frida-ps -U frida -U com.target.app --no-pause frida -U -l ssl-pinning.js -f com.target.app --no-pause frida -U -c pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f com.target.app --no-pause
  • 20. Frida Template for Android - JavaScript Java.perform(function() { Java.enumerateLoadedClasses({ "onMatch":function(className){ if(className.includes("badshah")) { console.log(className) } }, "onComplete":function(){} } )})
  • 21. Frida common API Java.use("android.util.Log") - Uses that particular class .implementation - Overrides the default implementation .overload - When polymorphism is used, this can be really useful
  • 22. Android App Defences There are multiple defences that Android developers use to protect their apps from attackers. They include: - Security through Obscurity - Anti Emulation / Anti-VM checks - Anti-Debug checks - Root check - SSL Pinning - Tamper detection - Obfuscation - Packers
  • 23. Android App Defences There are multiple defences that Android developers use to protect their apps from attackers. They include: - Security through Obscurity - Anti Emulation / Anti-VM checks - Anti-Debug checks - Root check - SSL Pinning - Tamper detection - Obfuscation - Packers
  • 24. Security Through Obscurity - Hardcoded passwords are not very popular - Trend is Base64 encoded / Character / Buffer array - Even store in .so (shared object) files
  • 26. Code
  • 28. Anti Emulation / Anti-VM checks Find more at: https://github.com/CalebFenton/AndroidEmulatorDetect/blob/master/app/src/main/java/org/cf/emulatordetect/Detector.java
  • 30. Code
  • 32. Anti Debug Check Change the command - as per root detection in Frida codeshare
  • 34. Code