Android Dynamic Analysis
Lecture Notes
Analyzing Android using Dynamic Analysis and Instrumentation with frida
Download here
A simple application is featured in the slides. Get it here.
Practical Tasks
Exercise 1
The purpose of this exercise is to inspect the behavior of an application, by inspecting the traffic it exchanges with external servers. For this purpose we will be using an Android emulator and a proxy software, and both will need to be configured in an adequate way.
In a command line interface, go to the folder where the Android emulator resides (on Windows, it should be inside %USERPROFILE%\AppData\Local\Android\Sdk) and locate the emulator.exe file. You can also use the Android Studio interface to access the Android Virtual Devices.
Then list the available AVDs:
$ emulator -list-avds
Select the correct AVD and execute it with the -writable-system option. We will need an AVD without Google Play in order to enable root access.
$ emulator -avd "AVDNAME" -writable-system -selinux permissive
This will enable us to write to the system partition. Further steps are required in order to have full interception capabilities.
When the AVD boots, issue:
$ adb root
$ adb shell
$ mkdir /data/local/tmp/cacerts
$ cp /system/etc/security/cacerts/* /data/local/tmp/cacerts
$ mount -t tmpfs -o size=15M tmpfs /system/etc/security/cacerts
$ cp /data/local/tmp/cacerts/* /system/etc/security/cacerts/
$ exit
Then, we need to install a proxy software. In our case we use OWASP ZAP; Burp or mitmproxy are also adequate.
Go to ZAP -> Tools -> Options -> Dynamic SSL Certificates and download the Root CA certificate to your Desktop. Then issue the following commands:
$ cd ~
$ cd Desktop
$ openssl x509 -inform PEM -subject_hash_old -in owasp_zap_root_ca.cer | head -n 1
$ cp owasp_zap_root_ca.cer XXXXXX.0
Replace XXXXXX with the value provided by the openssl ... | head command. In my case I got 61b342ca.
Then we install the certificate as a trusted Root CA in the AVD. This will effectively allow OWASP ZAP to generate certificates for external servers and intercept communications.
$ adb push XXXXXX.0 /system/etc/security/cacerts
Go to the android emulator and configure a proxy to the address of your computer, port 8080. You can find this in the configurations for the network device.
Go to the application store and install the Aveiro Explorer application. Other applications may be adequate, as we are looking for applications which communicate with external servers. Almost any application will have ads and tracking. Install the application and check the output of the OWASP ZAP window. Do not tamper with the applications and endpoints. The objective is only to observe the capability for intercepting communications.
Inspect which URLs are accessed and if they are secure or not. If the application allows it, login, and see what other URLs are called.
Install the Instagram application, try to login, and check what happens. Decompile Instagram and check why the behavior is different.
Q: Can you revert this defense?
Exercise 2
The NahamCon 2021 CTF Ferris Wheel application is a mobile challenge where binary instrumentation may come in handy, and it deals with a JNI function. You can use instrumentation to intercept calls and get the flag.
We can identify where the code obtains the password, create a routine to intercept the relevant function and obtain the flag. For this purpose we will be using Frida. The software allows instrumenting the smartphone in great detail. The way we will be using it, we need super user capabilities, and so we are restricted to the AVD.
To install frida in your computer, issue this in a terminal:
$ pip install --user frida-tools
Then you need to install Frida in the smartphone/AVD: download frida-server from https://github.com/frida/frida/releases. Take care to use a version (frida --version) that matches the version of frida-tools. You will also need to obtain a file adequate to your architecture. In my case I got frida-server-15.1.17-android-x86.xz.
Uncompress the file, rename it to frida-server, push it to the device, and run it there.
$ xz -d frida-server-15.1.17-android-x86.xz
$ mv frida-server-15.1.17-android-x86 frida-server
$ adb root
$ adb push frida-server /data/local/tmp
$ adb shell
$ cd /data/local/tmp
$ chmod +x frida-server
$ frida-server
The terminal will hang while frida-server is running.
On your computer, you can test if everything is correct by issuing a command like frida-ps -U, which should provide information such as:
PID Name
---- ---------------------------------------------------------------------------
4327 Files
2687 Maps
3689 Settings
3565 abb
3338 adbd
1320 android.ext.services
221 android.hardware.atrace@1.0-service
303 android.hardware.audio.service.ranchu
304 android.hardware.authsecret@1.0-service
470 android.hardware.biometrics.face@1.0-service.example
473 android.hardware.biometrics.fingerprint@2.1-service
305 android.hardware.bluetooth@1.1-service.sim
306 android.hardware.camera.provider@2.4-service
307 android.hardware.camera.provider@2.6-service-google
...
Now head to the application, instrument it and get the flag!
The code loads the ferriswheel library, which contains the checkPassword function.
// Native method implemented in libferriswheel.so (JNI)
public final native boolean checkPassword(String str);

@Override
public void onCreate(Bundle bundle) {
    super.onCreate(bundle);
    setContentView(R.layout.activity_main);
    System.loadLibrary("ferriswheel");
}

// Button handler: passes the typed password to the native check
public final void checkHandler(View view) {
    Intrinsics.checkParameterIsNotNull(view, "view");
    View findViewById = findViewById(R.id.password_input);
    Intrinsics.checkExpressionValueIsNotNull(findViewById, "findViewById<EditText>(R.id.password_input)");
    if (checkPassword(((EditText) findViewById).getText().toString())) {
        startActivity(new Intent(this, ferriswheel.class));
    } else {
        Toast.makeText(this, "Incorrect!", 1).show();
    }
}
Override the checkPassword function to return true and get to the ferriswheel activity.
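A Frida script for this hook, added here as an example (it is not part of the original notes or of the challenge). The class name is a placeholder to be taken from jadx, and Frida's Java API object is passed in as a parameter so the hook logic can also be exercised off-device.

```javascript
// Added example (not from the original notes or the CTF): Frida hook for Exercise 2
// that forces checkPassword to return true. On the device Frida provides the global
// `Java` API; it is passed in as a parameter so the same logic can be loaded and
// checked outside Frida as well.
// ASSUMPTION: the class name is a placeholder; take the real fully qualified name
// of the class declaring `native boolean checkPassword(String)` from jadx.
const MAIN_ACTIVITY_CLASS = "REPLACE.WITH.PACKAGE.MainActivity";

// Builds the replacement for checkPassword. `callOriginal` invokes the real JNI
// function so the log still shows the native verdict; `log` is injectable.
function makeCheckPasswordHook(callOriginal, log) {
  return function (str) {
    let nativeVerdict;
    try {
      nativeVerdict = callOriginal(str);
    } catch (e) {
      nativeVerdict = "threw " + e;        // keep going even if the native side fails
    }
    log("checkPassword(" + JSON.stringify(str) + ") native=" + nativeVerdict + " -> returning true");
    return true;                           // take the success branch: startActivity(ferriswheel)
  };
}

// Installs the hook using whatever Java API object is supplied (Frida's `Java` on device).
function installHook(JavaApi, log) {
  JavaApi.perform(function () {
    const MainActivity = JavaApi.use(MAIN_ACTIVITY_CLASS);
    MainActivity.checkPassword.implementation = function (str) {
      const self = this;                   // the Java instance; self.checkPassword reaches the original
      return makeCheckPasswordHook((s) => self.checkPassword(s), log)(str);
    };
  });
}

if (typeof Java !== "undefined") {
  installHook(Java, console.log);          // e.g. frida -U -f <package> -l hook.js
}
```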
Exercise 3
In Exercise 1 you found that the application can be intercepted using a proxy for man-in-the-middle. However, Frida can also be used for that purpose if it intercepts methods related with communication.
Write a snippet that logs the data sent/received by the application to the remote servers. You can also find examples for TCP tracing in the Frida Codeshare.
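An added example for this exercise (not from the original notes or from Frida Codeshare) that hooks Android's java.net socket streams to log the bytes an app sends and receives. It assumes the app goes through java.net.SocketOutputStream / SocketInputStream and that Frida's Java API object is passed in as a parameter; at this layer TLS connections only show ciphertext, so for HTTPS plaintext you would hook the app's HTTP library instead.

```javascript
// Added example (not from the original notes): Frida hooks for Exercise 3 that log
// raw bytes written to / read from java.net sockets. Rendering and installation are
// plain functions, and Frida's `Java` is passed in, so they can be checked off-device.
// Caveat: TLS traffic is already encrypted at this layer, so HTTPS shows ciphertext;
// hook the app's HTTP library (as identified in jadx) to see plaintext.
const PREVIEW_LIMIT = 64;

// Render a byte sequence as ASCII, dots for non-printables, truncated with a count.
function preview(bytes, limit = PREVIEW_LIMIT) {
  let out = "";
  for (let i = 0; i < bytes.length && i < limit; i++) {
    const b = bytes[i] & 0xff;             // Java bytes are signed; normalise to 0..255
    out += b >= 0x20 && b < 0x7f ? String.fromCharCode(b) : ".";
  }
  return bytes.length > limit ? out + "...(" + bytes.length + " bytes)" : out;
}

// Copy a Java byte[] slice into a plain JS array (Frida exposes Java arrays with index access).
function slice(javaBytes, off, len) {
  const arr = [];
  for (let i = 0; i < len; i++) arr.push(javaBytes[off + i]);
  return arr;
}

// ASSUMPTION: the app uses Android's classic java.net socket stream classes.
function installSocketTrace(JavaApi, log) {
  JavaApi.perform(function () {
    const Out = JavaApi.use("java.net.SocketOutputStream");
    const In = JavaApi.use("java.net.SocketInputStream");
    Out.write.overload("[B", "int", "int").implementation = function (b, off, len) {
      log("send " + len + " bytes: " + preview(slice(b, off, len)));
      return this.write(b, off, len);      // forward to the original method
    };
    In.read.overload("[B", "int", "int").implementation = function (b, off, len) {
      const n = this.read(b, off, len);    // let the original fill the buffer first
      if (n > 0) log("recv " + n + " bytes: " + preview(slice(b, off, n)));
      return n;                            // -1 at end of stream is passed through unlogged
    };
  });
}

if (typeof Java !== "undefined") installSocketTrace(Java, console.log);
```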
Exercise 4
Repeat Exercise 1 but applying a snippet available at https://codeshare.frida.re with the aim of bypassing certificate pinning.
Exercise 5
The OWASP Mobile Security Testing Guide has several CrackMe applications for training purposes. These are well known vulnerable applications created explicitly for being reversed, and can be analysed with the tools we presented, especially when using binary instrumentation.
Can you try to address them? The solutions can be found online, but do not use them directly. Take notes as you go.
Tools
- Frida: https://frida.re/
- Frida Github: https://github.com/frida/frida/releases
- Frida Codeshare: https://codeshare.frida.re
- Android Studio: https://developer.android.com/studio
- ADB: https://developer.android.com/studio/command-line/adb
- OWASP ZAP: https://www.zaproxy.org/
- mitmproxy: https://mitmproxy.org/
- Ghidra: https://ghidra-sre.org/
- jni_all.gdt: https://github.com/Areizen/ghidra_utils/blob/master/JNIAnalyzer/src/main/resources/jni_all.gdt
- JNIAnalyzer: https://github.com/Areizen/ghidra_utils/tree/master/JNIAnalyzer
- jadx: https://github.com/skylot/jadx