Android Dynamic Analysis

Lecture Notes

Analyzing Android using Dynamic Analysis and Instrumentation with frida

Download here

A simple application is featured in the slides. Get it here.

Practical Tasks

Exercise 1

The purpose of this exercise is to inspect the behavior of an application by observing the traffic it exchanges with external servers. We will use an Android emulator and an intercepting proxy, and both need to be configured adequately. In particular we need root access on the emulator. If using LDPlayer9 the setting is under Other Settings -> Root Permission.

If using the standard emulator, in a command line interface, go to the folder where the android emulator resides (On Windows, it should be inside %USERPROFILE%\AppData\Local\Android\Sdk) and locate the emulator.exe file. You can also use the Android Studio interface to access the Android Virtual Devices.

Then list the available AVDs:

emulator -list-avds 

Select the correct AVD and start it with the -writable-system option. The AVD must use a system image without Google Play (an AOSP or "Google APIs" image), because adb root is refused on Play images.

emulator -avd "AVDNAME" -writable-system -selinux permissive 

This makes the system partition writable. Further steps are required in order to have full interception capabilities.

In both cases (LDPlayer or the standard emulator) we need to add the proxy's CA certificate to the system trust store. Applications targeting Android 7 or later ignore user-installed CAs by default, so the certificate has to go into /system/etc/security/cacerts. The tmpfs mount below is temporary: it disappears on reboot, so repeat these steps after every restart.

When the AVD boots, issue:

adb root 
adb shell 
mkdir /data/local/tmp/cacerts 
cp /system/etc/security/cacerts/* /data/local/tmp/cacerts 
mount -t tmpfs -o size=15M tmpfs /system/etc/security/cacerts 
cp /data/local/tmp/cacerts/* /system/etc/security/cacerts/ 
exit 

Then we need a proxy. Here we use OWASP ZAP; Burp Suite or mitmproxy are equally adequate.

Go to ZAP -> Tools -> Options -> Dynamic SSL Certificates and download the Root CA certificate to your Desktop. Then issue the following commands:

cd ~/Desktop
openssl x509 -inform PEM -subject_hash_old -in owasp_zap_root_ca.cer | head -n 1
cp owasp_zap_root_ca.cer XXXXXX.0

Replace XXXXXX with the value printed by the openssl ... | head command (Android looks up system CAs by this subject hash, so the file name matters). In my case I got 61b342ca. Then we install the certificate as a trusted root CA in the AVD. This effectively allows OWASP ZAP to generate certificates for external servers and intercept their communications.

adb push XXXXXX.0 /system/etc/security/cacerts 

In the Android emulator, configure the network's proxy to point at your computer on port 8080 (ZAP's default listening port). The setting is in the configuration of the network device (Wi-Fi, modify network, advanced options). On the standard emulator the host machine is reachable from the guest as 10.0.2.2.

Go to the application store and install the Aveiro Explorer application. Other applications may be adequate, as we are looking for applications which communicate with external servers. Almost any application will have ads and tracking. Install the application and check the output of the OWASP ZAP window. Do not tamper with the applications and endpoints. The objective is only to observe the capability for intercepting communications.

Inspect which URLs are accessed and if they are secure or not. If the application allows it, login, and see what other URLs are called.

Install the Instagram application, try to log in, and check what happens in ZAP. Decompile Instagram (e.g. with jadx) and find out why its behavior differs from the previous application.

Q: Can you defeat this defense?

Exercise 2

We need to identify where the code obtains the password, write a routine that intercepts the relevant function, and obtain the flags. For this purpose we will use Frida, which can instrument processes on the device in great detail. In the way we will use it, it requires super-user (root) access on the device.

To install frida in your computer, issue this in a terminal:

pip install --user frida-tools 

Then you need to install Frida in the smartphone/AVD:

Download frida-server from https://github.com/frida/frida/releases

Make sure the frida-server version matches the version of the frida-tools you installed (check with frida --version); a mismatched client and server usually fail to connect. You also need the build for the device's CPU architecture (x86 or x86_64 for most emulators, arm64 for physical phones). In my case I got frida-server-16.2.1-android-x86.xz.

Decompress the file, rename it to frida-server, push it to the device, and run it there.

xz -d frida-server-16.2.1-android-x86.xz
mv frida-server-16.2.1-android-x86 frida-server
adb root 
adb push frida-server /data/local/tmp 
adb shell 
cd /data/local/tmp 
chmod +x frida-server 
frida-server 

The terminal will hang while frida-server is running.

On your computer, you can test if everything is correct by issuing a command like frida-ps -U, which should list the processes on the device:

 PID  Name
----  ---------------------------------------------------------------------------
4327  Files
2687  Maps
3689  Settings
3565  abb
3338  adbd
1320  android.ext.services
 221  android.hardware.atrace@1.0-service
 303  android.hardware.audio.service.ranchu
 304  android.hardware.authsecret@1.0-service
 470  android.hardware.biometrics.face@1.0-service.example
 473  android.hardware.biometrics.fingerprint@2.1-service
 305  android.hardware.bluetooth@1.1-service.sim
 306  android.hardware.camera.provider@2.4-service
 307  android.hardware.camera.provider@2.6-service-google
 ...

We will use Frida on the CyberTruck Challenge 2019, which had an interesting set of Android challenges. The APK is here: https://github.com/nowsecure/cybertruckchallenge19/tree/master/apk

Install it in the emulator and go for the challenges. Use jadx to analyze the application structure first, as some of them can be solved statically.

The challenges are the following:

  • Challenge1 to unlock car1. “DES key: Completely Keyless. Completely safe”

    • 50pts: There is a secret used to create a DES key. Can you tell me which one?
    • 100pts: There is a token generated at runtime to unlock the carid=1. Can you get it? (flag must be submitted in hexa all lowercase)
  • Challenge2 to unlock car2: “AES key: Your Cell Mobile Is Your Key”

    • 50pts: This challenge has been obfuscated with ProGuard, therefore you will not recover the AES key.
    • 100pts: There is a token generated at runtime to unlock the carid=2. Can you get it? (flag must be submitted in hexa all lowercase)
  • Challenge3 to unlock car3. “Mr Truck: Unlock me Baby!”

    • 50pts: There is an interesting string in the native code. Can you catch it?
    • 100pts: Get the secret generated at runtime to unlock the carid=3. Security by obscurity is not a great design. Use real crypto! (hint: check the length when submitting the secret!)

The solutions are here: https://github.com/nowsecure/cybertruckchallenge19/tree/master/solutions

Apply each solution independently and check the result. The solutions write their output to the log (use adb logcat). Document what each challenge is, what strategy was used to bypass it and the results obtained.
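Before reading the official solutions, it is worth writing your own hooks for the pattern the challenges share: a key is built from some secret, fed to a cipher, and the output is the token. The script below is an added example written for these notes; it is not part of the original page nor of the CyberTruck solutions. It uses the Frida 16 JavaScript API and hooks only standard classes (javax.crypto.spec.SecretKeySpec, javax.crypto.Cipher) plus libc's strcmp for the native challenge, so it works on any app; the package name in the usage line is a placeholder. The helper functions are plain JavaScript and run under Node as well as inside Frida.

```javascript
// Added example for Exercise 2 (not part of the page or of the CyberTruck
// solutions). Frida 16 JavaScript API. Usage (package name is a placeholder):
//   frida -U -f com.example.target -l crypto_hooks.js
// The helper functions are plain JavaScript so they also run under Node.

// Java byte[] values arrive in Frida as signed numbers (-128..127); mask each
// one to 0..255 or negative bytes print as "-1" instead of "ff".
function toHex(bytes) {
  let out = '';
  for (let i = 0; i < bytes.length; i++) {
    out += (bytes[i] & 0xff).toString(16).padStart(2, '0');
  }
  return out;
}

// Legal key sizes in bits for the algorithms the challenges use; other
// algorithms are still reported, just never flagged.
const KEY_SIZES = { DES: [64], AES: [128, 192, 256] };

// Summarise a SecretKeySpec: algorithm, key length and lowercase hex key.
function describeKey(algorithm, bytes) {
  const alg = String(algorithm).toUpperCase();
  const bits = bytes.length * 8;
  const sizes = KEY_SIZES[alg];
  return {
    algorithm: alg,
    bits: bits,
    plausible: sizes === undefined || sizes.indexOf(bits) !== -1,
    hex: toHex(bytes),
  };
}

// Everything below needs the Frida runtime; the Java global is absent in Node.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    // Key material: every key the app builds passes through this constructor.
    const SecretKeySpec = Java.use('javax.crypto.spec.SecretKeySpec');
    SecretKeySpec.$init.overload('[B', 'java.lang.String').implementation =
      function (key, algorithm) {
        const info = describeKey(algorithm, key);
        console.log('[SecretKeySpec] ' + info.algorithm + ' ' + info.bits +
          '-bit key ' + info.hex + (info.plausible ? '' : ' (unusual length)'));
        this.$init(key, algorithm);
      };

    // The transformation string reveals mode and padding (e.g. DES/ECB/PKCS5Padding).
    const Cipher = Java.use('javax.crypto.Cipher');
    Cipher.getInstance.overload('java.lang.String').implementation =
      function (transformation) {
        console.log('[Cipher.getInstance] ' + transformation);
        return this.getInstance(transformation);
      };

    // doFinal(byte[]) returns the ciphertext or plaintext; runtime tokens show
    // up here as the output, already in the lowercase hex the challenge wants.
    Cipher.doFinal.overload('[B').implementation = function (input) {
      const result = this.doFinal(input);
      console.log('[Cipher.doFinal] ' + this.getAlgorithm() +
        ' in=' + toHex(input) + ' out=' + toHex(result));
      return result;
    };
  });

  // Native side (challenge 3 style): a string compared in C code shows up as
  // the operands of strcmp. This is noisy, so enable it only when needed.
  const strcmp = Process.getModuleByName('libc.so').findExportByName('strcmp');
  if (strcmp !== null) {
    Interceptor.attach(strcmp, {
      onEnter: function (args) {
        console.log('[strcmp] "' + args[0].readUtf8String() +
          '" vs "' + args[1].readUtf8String() + '"');
      },
    });
  }
}
```

The `-f` flag spawns the app so the hooks are in place before the first key is created; with `-n` you attach to a running process and may miss keys built at startup. Hooking the generic JCA classes rather than the challenge's own methods is deliberate: ProGuard renames application classes (challenge 2), but it cannot rename javax.crypto.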

Exercise 3

In Exercise 1 you found that the application's traffic can be intercepted with a proxy acting as man-in-the-middle. Frida can serve the same purpose if it hooks the methods that perform the communication, and because it runs inside the process it also sees traffic that a proxy cannot decrypt.

Write a snippet that logs the data sent and received by the application to and from the remote servers. You can also find examples for TCP tracing in the Frida CodeShare (https://codeshare.frida.re).
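One way to do this, as an added example for these notes (not from the page or from any CodeShare script), is to trace at two layers: libc's send/recv, which after the TLS handshake only ever show encrypted records, and BoringSSL's SSL_write/SSL_read in the system libssl.so that Conscrypt (HttpsURLConnection, OkHttp) uses, which show the plaintext. The payload classifier makes the difference visible in the log. Assumptions: Frida 16 JavaScript API, and that the app uses the platform TLS stack; apps that ship their own TLS library are not covered by the second pair of hooks. The process name in the usage line is a placeholder.

```javascript
// Added example for Exercise 3 (not part of the page or of any CodeShare
// script). Frida 16 JavaScript API.
// Usage: frida -U -f <package name> -l net_trace.js

// Classify the first bytes of a payload so the trace shows at a glance whether
// the app sent plaintext HTTP or a TLS record. Accepts arrays or Uint8Array.
function classifyPayload(bytes) {
  if (bytes.length >= 3 && bytes[1] === 0x03) {          // TLS record version byte
    if (bytes[0] === 0x16) return 'tls-handshake';       // Handshake record
    if (bytes[0] === 0x14 || bytes[0] === 0x15 || bytes[0] === 0x17) return 'tls-record';
  }
  let head = '';
  for (let i = 0; i < Math.min(bytes.length, 8); i++) head += String.fromCharCode(bytes[i]);
  if (/^(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH|HTTP\/)/.test(head)) return 'http';
  return 'binary';
}

// Printable preview of the first `max` bytes, non-printables shown as '.'.
function asciiPreview(bytes, max) {
  let s = '';
  for (let i = 0; i < Math.min(bytes.length, max); i++) {
    const b = bytes[i] & 0xff;
    s += (b >= 0x20 && b < 0x7f) ? String.fromCharCode(b) : '.';
  }
  return s;
}

function logPayload(tag, handle, data) {
  console.log('[' + tag + ' fd/ssl=' + handle + ' len=' + data.length + ' ' +
    classifyPayload(data) + '] ' + asciiPreview(data, 64));
}

// Frida-only part: Interceptor is absent under Node.
if (typeof Interceptor !== 'undefined') {
  // Functions whose buffer is valid on entry (send, sendto, SSL_write):
  // (fd or SSL*, buf, len) are the first three arguments in all of them.
  const hookOutbound = function (mod, name) {
    const addr = mod.findExportByName(name);
    if (addr === null) return;
    Interceptor.attach(addr, {
      onEnter: function (args) {
        const len = args[2].toInt32();
        if (len <= 0 || len > 65536) return;
        logPayload(name, args[0].toString(), new Uint8Array(args[1].readByteArray(len)));
      },
    });
  };

  // Functions whose buffer is filled on return (recv, recvfrom, SSL_read):
  // the return value is the number of bytes actually received.
  const hookInbound = function (mod, name) {
    const addr = mod.findExportByName(name);
    if (addr === null) return;
    Interceptor.attach(addr, {
      onEnter: function (args) { this.handle = args[0].toString(); this.buf = args[1]; },
      onLeave: function (retval) {
        const len = retval.toInt32();
        if (len <= 0 || len > 65536) return;
        logPayload(name, this.handle, new Uint8Array(this.buf.readByteArray(len)));
      },
    });
  };

  const libc = Process.getModuleByName('libc.so');
  hookOutbound(libc, 'send');
  hookOutbound(libc, 'sendto');
  hookInbound(libc, 'recv');
  hookInbound(libc, 'recvfrom');

  // Plaintext layer: only present once the app has loaded the platform TLS stack.
  const libssl = Process.findModuleByName('libssl.so');
  if (libssl !== null) {
    hookOutbound(libssl, 'SSL_write');
    hookInbound(libssl, 'SSL_read');
  } else {
    console.log('libssl.so not loaded in this process; SSL_read/SSL_write not hooked');
  }
}
```

Compare the two layers in the output: the send/recv lines for a pinned app show only tls-handshake and tls-record payloads, which is exactly what the proxy in Exercise 1 was blocked from reading, while the SSL_write/SSL_read lines carry the HTTP requests and responses in the clear.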

Exercise 4

Repeat Exercise 1, but this time applying a snippet from https://codeshare.frida.re aimed at bypassing certificate pinning.
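To understand what such a snippet does before you run one, here is an added example written for these notes rather than taken from CodeShare. It first reports which known pinning implementations are loaded in the process (which answers the question from Exercise 1 of why Instagram behaved differently), then applies two layers of bypass: it swaps the trust managers passed to SSLContext.init for one that accepts every chain, and it neutralises the platform verifier (com.android.org.conscrypt.TrustManagerImpl.verifyChain) and OkHttp3's CertificatePinner.check where those classes exist. Assumptions: Frida 16 JavaScript API; the class name com.added.example.TrustAll is a placeholder of this example; apps that pin inside their own native TLS library are not covered.

```javascript
// Added example for Exercise 4 (not part of the page; written here rather than
// taken from codeshare.frida.re). Frida 16 JavaScript API.
// Usage: frida -U -f <package name> -l pinning_bypass.js

// Known pinning implementations, keyed by class name, with a short label.
const PINNING_TARGETS = {
  'com.android.org.conscrypt.TrustManagerImpl': 'platform TrustManagerImpl.verifyChain',
  'okhttp3.CertificatePinner': 'OkHttp3 CertificatePinner.check',
  'com.squareup.okhttp.CertificatePinner': 'OkHttp2 CertificatePinner.check',
};

// Given the loaded class names (Java.enumerateLoadedClassesSync() output),
// return the labels of the pinning implementations present in the process.
function selectPinningHooks(loadedClasses) {
  const found = [];
  Object.keys(PINNING_TARGETS).forEach(function (cls) {
    if (loadedClasses.indexOf(cls) !== -1) found.push(PINNING_TARGETS[cls]);
  });
  return found;
}

if (typeof Java !== 'undefined') {
  Java.perform(function () {
    console.log('pinning code present: ' +
      JSON.stringify(selectPinningHooks(Java.enumerateLoadedClassesSync())));

    // 1. A TrustManager that accepts every chain, injected into SSLContext.init
    //    so any HTTPS client built on the JCA trusts the proxy's certificate.
    const X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
    const TrustAll = Java.registerClass({
      name: 'com.added.example.TrustAll',   // placeholder name of this example
      implements: [X509TrustManager],
      methods: {
        checkClientTrusted: function (chain, authType) {},
        checkServerTrusted: function (chain, authType) {},
        getAcceptedIssuers: function () { return []; },
      },
    });
    const trustAll = [TrustAll.$new()];
    const SSLContext = Java.use('javax.net.ssl.SSLContext');
    SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;',
      '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom')
      .implementation = function (km, tm, random) {
        console.log('[SSLContext.init] trust managers replaced');
        this.init(km, trustAll, random);
      };

    // 2. Platform verifier: returning the untrusted chain marks it as trusted.
    try {
      const TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
      TrustManagerImpl.verifyChain.implementation =
        function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
          console.log('[TrustManagerImpl.verifyChain] ' + host + ' accepted');
          return untrustedChain;
        };
    } catch (e) { console.log('TrustManagerImpl not hooked: ' + e.message); }

    // 3. OkHttp3: check(hostname, peerCertificates) throws on a pin mismatch;
    //    turning it into a no-op disables the pin.
    try {
      const CertificatePinner = Java.use('okhttp3.CertificatePinner');
      CertificatePinner.check.overload('java.lang.String', 'java.util.List')
        .implementation = function (hostname, peerCertificates) {
          console.log('[okhttp3.CertificatePinner.check] ' + hostname + ' skipped');
        };
    } catch (e) { console.log('okhttp3.CertificatePinner not hooked: ' + e.message); }
  });
}
```

With the ZAP certificate from Exercise 1 still installed and the proxy configured, spawn the app with this script loaded and watch the ZAP history fill up. If the report at the top lists no known pinning class and the traffic still does not appear, the app pins in code the script does not know about (for example in native code), which is the situation to investigate with jadx and the tracing approach from Exercise 3.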

Exercise 5

The OWASP Mobile Security Testing Guide ships several CrackMe applications for training purposes. These are well-known vulnerable applications created explicitly to be reversed, and they can be analyzed with the tools presented here, especially with dynamic binary instrumentation.

Can you try to address them? The solutions can be found online, but do not use them directly. Take notes as you go.
