Android Dynamic Analysis

Lecture Notes

Analyzing Android using Dynamic Analysis and Instrumentation with frida (slides available for download)

A simple application is featured in the slides and is also available for download.

Practical Tasks

Exercise 1

The purpose of this exercise is to inspect the behavior of an application by inspecting the traffic it exchanges with external servers. For this purpose we will be using an Android emulator and proxy software, and both will need to be configured adequately.

In a command line interface, go to the folder where the Android emulator resides (on Windows, it should be inside %USERPROFILE%\AppData\Local\Android\Sdk) and locate the emulator.exe file. You can also use the Android Studio interface to access the Android Virtual Devices.

Then list the available AVDs:

$ emulator -list-avds 

Select the correct AVD and execute it with the -writable-system option. We will need an AVD without Google Play in order to enable root access.

$ emulator -avd "AVDNAME" -writable-system -selinux permissive 

This will enable us to write to the system partition. Further steps are required in order to have full interception capabilities: the system certificate store must be made writable so that the proxy's root CA can be added to it.

When the AVD boots, issue:

$ adb root 
$ adb shell 
$ mkdir /data/local/tmp/cacerts 
$ cp /system/etc/security/cacerts/* /data/local/tmp/cacerts 
$ mount -t tmpfs -o size=15M tmpfs /system/etc/security/cacerts 
$ cp /data/local/tmp/cacerts/* /system/etc/security/cacerts/ 
$ exit 

Then we need to install proxy software. In our case we use OWASP ZAP; Burp or mitmproxy are also adequate.

Go to ZAP -> Tools -> Options -> Dynamic SSL Certificates and download the Root CA certificate to your Desktop. Then issue the following commands:

$ cd ~
$ cd Desktop
$ openssl x509 -inform PEM -subject_hash_old -in owasp_zap_root_ca.cer | head -n 1
$ cp owasp_zap_root_ca.cer XXXXXX.0 

Replace XXXXXX with the hash printed by the openssl ... | head command. In my case I got 61b342ca. Then we install the certificate as a trusted Root CA in the AVD. This will effectively allow OWASP ZAP to generate certificates for external servers and intercept communications.

$ adb push XXXXXX.0 /system/etc/security/cacerts 

Go to the Android emulator and configure a proxy pointing to the address of your computer, port 8080 (the ZAP default). You can find this in the settings for the network device.

Go to the application store and install the Aveiro Explorer application. Other applications may be adequate, as we are looking for applications that communicate with external servers; almost any application will have ads and tracking. Install the application and check the output of the OWASP ZAP window. Do not tamper with the applications and endpoints. The objective is only to observe the capability for intercepting communications.

Inspect which URLs are accessed and whether they are secure or not. If the application allows it, log in and see what other URLs are called.

Install the Instagram application, try to log in, and check what happens. Decompile Instagram and check why the behavior is different.

Q: Can you revert this defense?

Exercise 2

The NahamCon 2021 CTF Ferris Wheel application is a mobile challenge where binary instrumentation may come in handy; it deals with a JNI function. You can use instrumentation to intercept calls and get the flag.

We can identify where the code obtains the password, create a routine to intercept the relevant function, and obtain the flag. For this purpose we will be using Frida. The software allows instrumenting the smartphone in great detail. The way we will be using it requires superuser capabilities, and so we are restricted to the AVD.

To install frida on your computer, issue this in a terminal:

$ pip install --user frida-tools 

Then you need to install Frida in the smartphone/AVD:

Download frida-server from https://github.com/frida/frida/releases

Make sure the frida-server version matches the version of frida-tools (check it with frida --version). You will also need to obtain a file adequate to your architecture. In my case I got frida-server-15.1.17-android-x86.xz.

Uncompress the file, rename it to frida-server, push it to the device, and run it there.

$ xz -d frida-server-15.1.17-android-x86.xz
$ mv frida-server-15.1.17-android-x86 frida-server
$ adb root 
$ adb push frida-server /data/local/tmp 
$ adb shell 
$ cd /data/local/tmp 
$ chmod +x frida-server 
$ frida-server 

The terminal will hang while frida-server is running; leave it open and use a second terminal for the next steps.

On your computer, you can test that everything is correct by issuing a command like frida-ps -U, which should list the processes running on the device, for example:

 PID  Name
----  ---------------------------------------------------------------------------
4327  Files
2687  Maps
3689  Settings
3565  abb
3338  adbd
1320  android.ext.services
 221  android.hardware.atrace@1.0-service
 303  android.hardware.audio.service.ranchu
 304  android.hardware.authsecret@1.0-service
 470  android.hardware.biometrics.face@1.0-service.example
 473  android.hardware.biometrics.fingerprint@2.1-service
 305  android.hardware.bluetooth@1.1-service.sim
 306  android.hardware.camera.provider@2.4-service
 307  android.hardware.camera.provider@2.6-service-google
 ...

Now head to the application, instrument it and get the flag!

The code loads the ferriswheel library, which contains the checkPassword function.

    public final native boolean checkPassword(String str);

    @Override
    public void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        setContentView(R.layout.activity_main);
        System.loadLibrary("ferriswheel");
    }

    public final void checkHandler(View view) {
        Intrinsics.checkParameterIsNotNull(view, "view");
        View findViewById = findViewById(R.id.password_input);
        Intrinsics.checkExpressionValueIsNotNull(findViewById, "findViewById<EditText>(R.id.password_input)");
        if (checkPassword(((EditText) findViewById).getText().toString())) {
            startActivity(new Intent(this, ferriswheel.class));
        } else {
            Toast.makeText(this, "Incorrect!", 1).show();
        }
    }

Override the checkPassword function so that it returns true, and get to the ferriswheel activity.
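A Frida script for this step, as an added example rather than the challenge's own solution. The class name com.example.ferriswheel.MainActivity is an assumption (take the real one from the decompiled code), and the hook body is kept in a plain function so it can also be exercised outside Frida.

```javascript
// Added example: Frida hook for Exercise 2.
// Load it with: frida -U -f <package> -l hook.js  (resume the app if it starts paused)
// The class name below is an ASSUMPTION; read the real one from the decompiled MainActivity.
const TARGET_CLASS = "com.example.ferriswheel.MainActivity";

// Record of every checkPassword() call: the string typed in and the real JNI verdict.
const calls = [];

// Build the replacement implementation. `callOriginal` runs the native checkPassword
// so we still observe what the library would have answered, then we force `true`.
function makeCheckPasswordHook(callOriginal) {
  return function (str) {
    const verdict = callOriginal.call(this, str);
    calls.push({ input: String(str), original: Boolean(verdict) });
    console.log("[*] checkPassword(\"" + str + "\") -> native said " + verdict + ", returning true");
    return true;
  };
}

// Only register the hook inside the Frida agent, where the `Java` bridge is defined.
if (typeof Java !== "undefined") {
  Java.perform(function () {
    const MainActivity = Java.use(TARGET_CLASS);
    // Inside a replaced implementation, this.checkPassword(s) invokes the original method.
    MainActivity.checkPassword.implementation = makeCheckPasswordHook(function (s) {
      return this.checkPassword(s);
    });
    console.log("[*] checkPassword hooked on " + TARGET_CLASS);
  });
}
```

Once the hook is in place, any input typed into the password field starts the ferriswheel activity, and the console shows whether the native code would have accepted it.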

Exercise 3

In Exercise 1 you found that the application's traffic can be intercepted using a proxy as a man-in-the-middle. However, frida can also be used for that purpose if it intercepts the methods related to communication.

Write a snippet that logs the data sent to and received from the remote servers by the application. You can also find examples of TCP tracing in the Frida Codeshare.

Exercise 4

Repeat Exercise 1 but applying a snippet available at https://codeshare.frida.re with the aim of bypassing certificate pinning.

Exercise 5

The OWASP Mobile Security Testing Guide has several CrackMe applications for training purposes. These are well-known vulnerable applications created explicitly to be reversed, and they can be analysed with the tools we presented, especially with binary instrumentation.

Can you try to address them? The solutions can be found online, but do not use them directly. Take notes as you go.
