Lecture Notes
Analyzing Android using Dynamic Analysis and Instrumentation with frida
Download here
A simple application is featured in the slides. Get it here.
Practical Tasks
Exercise 1 - Passive Listening
For this exercise you will need an Android Emulator. For further information on this, check the previous laboratory guide. On the host, you will need the Wireshark application. This will enable you to inspect the traffic between the emulator and remote websites.
Go to the application store and install the Aveiro Explorer application. Other applications may be adequate, as we are looking for applications which communicate with external servers. Do not tamper with the applications and endpoints. The objective is only to observe the capability for listening to communications.
If you are using LDPlayer, enable Network Bridging in the Network Settings. You may set it to a real outside interface, or to a local bridge that you created.
Tasks:
- Start Wireshark on the host
- Start the application inside the emulator and listen for its traffic by selecting the adequate interface.
- It may help to filter for the IP address of the emulator. You can check it in the Android Wi-Fi properties inside the emulator.
Exercise 2 - Interception with a Proxy
The purpose of this exercise is to inspect the behavior of an application by intercepting the traffic it exchanges with external servers. For this purpose we will be using an Android emulator and a proxy software, and both will need to be configured in an adequate way. Specifically, we will require root access. If using LDPlayer9, the setting is available under Other Settings -> Root Permission.
You will also need OWASP ZAP, which will act as an HTTP proxy to intercept traffic. Access the Wi-Fi settings inside the emulator and set a proxy to the IP address of your host and port (8080).
Almost any application will have ads and tracking. Open the previous application, or start a new one, and check the output in the OWASP ZAP window.
You will get some traffic, but also errors with HTTPS traffic. This happens because OWASP ZAP generates new TLS certificates for the different hosts, but the Android system does not trust the Certification Authority used to sign them. Let's fix this!
If using the standard emulator, in a command line interface, go to the folder where the Android emulator resides (on Windows, it should be inside %USERPROFILE%\AppData\Local\Android\Sdk) and locate the emulator.exe file. You can also use the Android Studio interface to access the Android Virtual Devices.
Then list the available AVDs:
emulator -list-avds
Select the correct AVD and execute it with the -writable-system option. We will need an AVD without Google Play in order to enable root access (the Google Play images do not allow it).
emulator -avd "AVDNAME" -writable-system -selinux permissive
This will enable us to write to the system partition. Further steps are required in order to have full interception capabilities.
In both cases (standard emulator or LDPlayer), we need to add further certificates to the filesystem.
When the AVD boots, issue:
adb shell
su
# Make a writable copy of the system CA store and mount it over the read-only one
mkdir /data/local/tmp/cacerts
cp /system/etc/security/cacerts/* /data/local/tmp/cacerts
mount -t tmpfs -o size=15M tmpfs /system/etc/security/cacerts
cp /data/local/tmp/cacerts/* /system/etc/security/cacerts/
exit
Then, we need to install a proxy software. In our case we use OWASP ZAP; Burp or mitmproxy are also adequate.
Go to ZAP -> Tools -> Options -> Dynamic SSL Certificates and download the Root CA certificate to your Desktop. Then issue the following commands:
cd ~/Desktop
# Android looks up CA files by the (old, MD5-based) subject hash, hence -subject_hash_old
openssl x509 -inform PEM -subject_hash_old -in owasp_zap_root_ca.cer | head -n 1
cp owasp_zap_root_ca.cer XXXXXX.0
Replace XXXXXX with the value provided by the openssl ... head command. In my case I got 61b342ca.
Then we install the certificate as a trusted Root CA in the AVD. This will effectively allow OWASP ZAP to generate certificates for external servers and intercept communications.
adb push XXXXXX.0 /system/etc/security/cacerts
Note that the pushed file must be readable by every application (check it with ls -l and use chmod 644 if needed), and that the tmpfs mount above does not survive a reboot: after restarting the emulator, repeat the mount and push steps.
Go to the application store and install the Aveiro Explorer application. Other applications may be adequate, as we are looking for applications which communicate with external servers. Almost any application will have ads and tracking. Install the application and check the output of the OWASP ZAP window. Do not tamper with the applications and endpoints. The objective is only to observe the capability for intercepting communications.
Task:
- Inspect which URLs are accessed and whether they are secure or not. If the application allows it, log in and see what other URLs are called.
As an alternative, you can create a fake server with a specific remote IP address, where you have a simple web server. With this it becomes possible to mimic external hosts while keeping the application off the internet. Typical methods involve creating a Virtual Machine with the target remote IP address, or using systems such as fakenet-ng or even containerlab.
Exercise 3
To install frida on your computer, issue this in a terminal:
virtualenv venv
source venv/bin/activate
# no --user here: user installs are not allowed inside a virtualenv
pip install frida-tools
Then you need to install Frida in the smartphone/AVD:
Download frida-server from https://github.com/frida/frida/releases. Take care to use a version that matches the frida-tools version on your computer (check it with frida --version). You will also need to obtain a file adequate to your architecture. In my case I got frida-server-16.2.1-android-x86.xz.
Decompress the file, rename it to frida-server, push it to the device, and run it there. The following example applies to an Android running in LDPlayer9.
xz -d frida-server-16.6.6-android-x86_64.xz
mv frida-server-16.6.6-android-x86_64 frida-server
adb root
adb push frida-server /data/local/tmp
adb shell
cd /data/local/tmp
chmod +x frida-server
frida-server
The terminal will hang while frida-server is running.
On your computer, you can test if everything is correct by issuing a command like frida-ps -U, which should provide information such as:
PID Name
---- ---------------------------------------------------------------------------
4327 Files
2687 Maps
3689 Settings
3565 abb
3338 adbd
1320 android.ext.services
221 android.hardware.atrace@1.0-service
303 android.hardware.audio.service.ranchu
304 android.hardware.authsecret@1.0-service
470 android.hardware.biometrics.face@1.0-service.example
473 android.hardware.biometrics.fingerprint@2.1-service
305 android.hardware.bluetooth@1.1-service.sim
306 android.hardware.camera.provider@2.4-service
307 android.hardware.camera.provider@2.6-service-google
...
Exercise 4
In Exercise 2 you found that the application can be intercepted using a proxy as a man-in-the-middle. However, frida can also be used for that purpose if it hooks the methods related to communication.
Task:
- Write a snippet that logs the data sent and received by the application to the remote servers. You can find examples of TCP tracing in the Frida Codeshare. One example would be:
frida --codeshare mame82/android-tcp-trace -U -f app
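An added example of such a snippet (my own code, not from the lecture notes or the Codeshare script above): it hooks the libc socket calls that Android's Java socket streams end up in, keeps only TCP descriptors, and logs each payload with its peer address and whether it looks like plaintext HTTP or a TLS record. It assumes frida-tools 16.x and a script file name of tcp-log.js (both assumed).

```javascript
// Added example, not from the lecture notes or Frida Codeshare.
// Run with: frida -U -f <package> -l tcp-log.js   (assumes frida-tools 16.x)

// Pure helper: classify a payload so plaintext HTTP and TLS records are told apart.
function describeChunk(direction, peer, bytes) {
  let kind = 'binary';
  // TLS record header: content type 0x14..0x17 followed by major version 0x03
  if (bytes.length >= 5 && bytes[0] >= 0x14 && bytes[0] <= 0x17 && bytes[1] === 0x03) {
    kind = bytes[0] === 0x17 ? 'TLS application data' : 'TLS handshake/alert';
  } else {
    const head = String.fromCharCode.apply(null, Array.from(bytes.slice(0, 8)));
    if (/^(GET|POST|PUT|HEAD|HTTP\/)/.test(head)) kind = 'plaintext HTTP';
  }
  return `${direction} ${peer} ${bytes.length} bytes [${kind}]`;
}

// Frida-only part: skipped when the file is loaded outside Frida (e.g. under node).
if (typeof Interceptor !== 'undefined') {
  const peerOf = (fd) => {
    const type = Socket.type(fd);                       // null for files and pipes
    if (type !== 'tcp' && type !== 'tcp6') return null; // ignore UDP and unix sockets
    const addr = Socket.peerAddress(fd);
    return addr ? `${addr.ip}:${addr.port}` : 'unknown';
  };
  // [symbol, direction, index of the buffer argument]; the return value of each
  // call is the number of bytes actually transferred.
  const hooks = [['write', '->', 1], ['send', '->', 1], ['sendto', '->', 1],
                 ['read', '<-', 1], ['recv', '<-', 1], ['recvfrom', '<-', 1]];
  const libc = Process.getModuleByName('libc.so');
  for (const [name, dir, bufIdx] of hooks) {
    Interceptor.attach(libc.getExportByName(name), {
      onEnter(args) {
        this.peer = peerOf(args[0].toInt32());
        this.buf = args[bufIdx];
      },
      onLeave(retval) {
        const n = retval.toInt32();
        if (this.peer === null || n <= 0) return;       // not a TCP socket, or error/EOF
        const bytes = new Uint8Array(this.buf.readByteArray(n));
        console.log(describeChunk(dir, this.peer, bytes));
        console.log(hexdump(this.buf, { length: Math.min(n, 64), ansi: false }));
      }
    });
  }
}
```

For HTTPS connections this logs only ciphertext, which is exactly what the classification makes visible; the plaintext is only reachable through the proxy of Exercise 2 or a hook above the TLS layer.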
Exercise 5
Repeat Exercise 2, but applying a snippet available at https://codeshare.frida.re with the aim of bypassing certificate pinning, on a well-known application.
Exercise 6
We will use Frida with the CyberTruck Challenge 2019, which had an interesting set of Android challenges. The APK is here: https://github.com/nowsecure/cybertruckchallenge19/tree/master/apk
Install it to the emulator and go for the challenges. Use jadx and analyze the application structure, as some can be solved directly.
The challenges are the following:
- Challenge1 to unlock car1. “DES key: Completely Keyless. Completely safe”
  - 50pts: There is a secret used to create a DES key. Can you tell me which one?
  - 100pts: There is a token generated at runtime to unlock the carid=1. Can you get it? (flag must be submitted in hexa all lowercase)
- Challenge2 to unlock car2: “AES key: Your Cell Mobile Is Your Key”
  - 50pts: This challenge has been obfuscated with ProGuard, therefore you will not recover the AES key.
  - 100pts: There is a token generated at runtime to unlock the carid=2. Can you get it? (flag must be submitted in hexa all lowercase)
- Challenge3 to unlock car3. “Mr Truck: Unlock me Baby!”
  - 50pts: There is an interesting string in the native code. Can you catch it?
  - 100pts: Get the secret generated at runtime to unlock the carid=3. Security by obscurity is not a great design. Use real crypto! (hint: check the length when submitting the secret!)
The solutions are here: https://github.com/nowsecure/cybertruckchallenge19/tree/master/solutions
Apply each solution independently and check the result. The solutions will be written to the log (use adb logcat).
Document what is the challenge, what was the strategy to bypass it and the results obtained.
Exercise 7
The OWASP Mobile Security Testing Guide has several CrackMe applications for training purposes. These are well-known vulnerable applications created explicitly to be reversed, and can be analyzed with the tools we presented, especially binary instrumentation.
- Level 1: A secret string is hidden somewhere in this app. Find a way to extract it.
- Level 2: This app holds a secret inside. May include traces of native code.
- Level 3: The crackme from hell! A secret string is hidden somewhere in this app. Find a way to extract it.
Can you try to address them? The solutions can be found online, but do not use them directly. Take notes as you go.
Tools
- Frida: https://frida.re/
- Frida Github: https://github.com/frida/frida/releases
- Frida Codeshare: https://codeshare.frida.re
- Android Studio: https://developer.android.com/studio
- ADB: https://developer.android.com/studio/command-line/adb
- OWASP ZAP: https://www.zaproxy.org/
- mitmproxy: https://mitmproxy.org/
- Ghidra: https://ghidra-sre.org/
- jni_all.gdt: https://github.com/Areizen/ghidra_utils/blob/master/JNIAnalyzer/src/main/resources/jni_all.gdt
- JNIAnalyzer: https://github.com/Areizen/ghidra_utils/tree/master/JNIAnalyzer
- jadx: https://github.com/skylot/jadx