Android
Setup
Windows VM with Genymotion (register a personal-use account) & Android Studio
In Android Studio, install the command line tools under Tools -> SDK Manager (SDK Tools tab, "Android SDK Command-line Tools")
ADB
Handling APKs
Unpacking
Reverse
bytecode-viewer
Repacking
Signing
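Added example (not from the original notes): a POSIX shell wrapper for the unpack / repack / sign round trip described by the four headings above. It assumes apktool, unzip, keytool, zipalign and apksigner (Android SDK build-tools) are on PATH, uses a throwaway self-signed key (debug.keystore, alias pentest, password android, all assumed names), and with DRY_RUN=1 only prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: unpack, rebuild and re-sign an APK so a modified build installs again.
# Assumptions (not from the original notes): apktool, unzip, keytool, zipalign and
# apksigner on PATH; the keystore below is a throwaway self-signed key for testing only.
set -eu

KEYSTORE="${KEYSTORE:-debug.keystore}"
KEY_ALIAS="${KEY_ALIAS:-pentest}"
STOREPASS="${STOREPASS:-android}"

# run CMD...: execute the command, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# unpack_apk APK DIR: apktool decodes the binary manifest, resources and dex into smali (DIR);
# plain unzip keeps the raw zip entries (DIR.raw). The two trees differ, so keep both.
unpack_apk() {
    run apktool d -f "$1" -o "$2"
    run unzip -q -o "$1" -d "$2.raw"
}

# repack_apk DIR OUT: rebuild the (edited) apktool tree into an unsigned APK
repack_apk() {
    run apktool b "$1" -o "$2"
}

# make_keystore: generate the signing key once; any self-signed key is accepted for sideloading
make_keystore() {
    [ -f "$KEYSTORE" ] && return 0
    run keytool -genkeypair -keystore "$KEYSTORE" -alias "$KEY_ALIAS" -keyalg RSA \
        -keysize 2048 -validity 365 -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "CN=pentest"
}

# sign_apk UNSIGNED OUT: zipalign must run before signing (the v2 signature covers the whole
# file), then apksigner adds v1+v2 signatures and verify confirms the result is installable
sign_apk() {
    run zipalign -f -p 4 "$1" "$1.aligned"
    run apksigner sign --ks "$KEYSTORE" --ks-key-alias "$KEY_ALIAS" \
        --ks-pass "pass:$STOREPASS" --key-pass "pass:$STOREPASS" --out "$2" "$1.aligned"
    run apksigner verify --verbose "$2"
}

# build_and_install DIR OUT: repack, sign and push to the device in one go
build_and_install() {
    repack_apk "$1" "$2.unsigned"
    make_keystore
    sign_apk "$2.unsigned" "$2"
    run adb install -r "$2"
}

case "${1:-}" in
    unpack) unpack_apk "$2" "$3" ;;
    build)  build_and_install "$2" "$3" ;;
    "")     ;;   # no arguments: only define the functions (so the file can be sourced)
    *)      echo "usage: $0 unpack APP.apk DIR | build DIR OUT.apk" >&2; exit 2 ;;
esac
```

Typical use: `./apk.sh unpack target.apk work`, edit `work/smali/...` or `work/AndroidManifest.xml`, then `./apk.sh build work target-patched.apk`. The original app must be uninstalled first when its signing key differs from yours, since Android refuses an update signed with another key.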
Proxy
Set Proxy
AndroidWifi (long press) -> Modify network -> Proxy -> Manual: enter the host and port Burp listens on
Import Burp Certificate
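Added example (not from the original notes) that scripts this Proxy section: it sets the device's global HTTP proxy over adb and installs the Burp CA as a system certificate, which matters because apps targeting API 24+ ignore user-installed CAs. Assumptions: a rooted Genymotion device on adb with a writable /system, openssl on the host, the Burp CA exported as DER (Proxy -> Options -> Import / export CA certificate) to cacert.der, and 10.0.3.2 as the address under which Genymotion devices reach the host. DRY_RUN=1 prints the adb commands instead of executing them.

```shell
#!/bin/sh
# Added example: proxy a Genymotion device through Burp and make Android trust Burp's CA system-wide.
# Assumptions (not from the original notes): rooted device over adb, writable /system, openssl on
# the host, Burp CA exported in DER form. 10.0.3.2 is the host as seen from Genymotion's network.
set -eu

BURP_HOST="${BURP_HOST:-10.0.3.2}"
BURP_PORT="${BURP_PORT:-8080}"
CA_DER="${CA_DER:-cacert.der}"
CACERTS_DIR=/system/etc/security/cacerts

# run CMD...: execute the command, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# set_proxy: same result as AndroidWifi -> Modify -> Proxy, but scriptable and applied globally
set_proxy() {
    run adb shell settings put global http_proxy "$BURP_HOST:$BURP_PORT"
}

# clear_proxy: ":0" is what the Settings UI writes when the proxy is switched back to "None"
clear_proxy() {
    run adb shell settings put global http_proxy :0
}

# ca_filename DER: system CAs are named <subject_hash_old>.0 (MD5-based hash of the subject),
# so derive the file name from the certificate itself
ca_filename() {
    openssl x509 -inform DER -in "$1" -noout -subject_hash_old | head -n 1 | sed 's/$/.0/'
}

# install_ca DER: convert to PEM, rename, push into the system store and reboot so it is reloaded
install_ca() {
    name=$(ca_filename "$1")
    openssl x509 -inform DER -in "$1" -out "$name"
    run adb root
    run adb remount
    run adb push "$name" "$CACERTS_DIR/$name"
    run adb shell chmod 644 "$CACERTS_DIR/$name"
    run adb reboot
}

case "${1:-}" in
    proxy)   set_proxy ;;
    noproxy) clear_proxy ;;
    ca)      install_ca "$CA_DER" ;;
    "")      ;;   # no arguments: only define the functions
    *)       echo "usage: $0 proxy | noproxy | ca" >&2; exit 2 ;;
esac
```

Check afterwards: Settings -> Security -> Trusted credentials -> System should list "PortSwigger CA". If `adb remount` refuses, run `mount -o remount,rw /system` from an `adb shell` as root instead. Remember to run `noproxy` when done, otherwise the device has no network once Burp is closed.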
ARM in Genymotion
Frida
Bypassing SSL-Pinning
Use Genymotion and set up Burp + the proxy as usual (also save the Burp CA certificate locally; the bypass script needs it on the device).
Download the Frida server release matching the device architecture (x86 for the default Genymotion images) and the same Frida version as the host tools. Also download pcipolloni/universal-android-ssl-pinning-bypass-with-frida and store the script as fridascript.js, then:
Run ps (or frida-ps -U) and note the package name of the app you want to bypass pinning in:
Finally:
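Added example (not from the original notes) of the procedure above as one script: it pushes the Burp CA and frida-server to the device, lists running apps, and spawns the target with the bypass script injected. Assumptions: a rooted Genymotion device over adb, frida and frida-ps on the host (pip install frida-tools) at the same version as the downloaded frida-server binary (unpacked with xz -d and renamed to frida-server), the pcipolloni script saved as fridascript.js, and the Burp CA exported in DER form as cacert.der. The script reads the CA from /data/local/tmp/cert-der.crt, which is why it is pushed first. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: push the Burp CA and frida-server to the device, then run the universal
# SSL-pinning bypass against one package.
# Assumptions (not from the original notes): rooted Genymotion device over adb, frida and
# frida-ps on the host at the same version as the frida-server binary, the bypass script
# saved as fridascript.js and the Burp CA exported as DER.
set -eu

FRIDA_SERVER="${FRIDA_SERVER:-./frida-server}"   # the downloaded release binary, renamed
CA_DER="${CA_DER:-cacert.der}"
SCRIPT="${SCRIPT:-fridascript.js}"
DEV_CERT=/data/local/tmp/cert-der.crt            # path the pcipolloni script loads the CA from

# run CMD...: execute the command, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# push_cert: the script builds its own TrustManager from this file, so it must exist before injection
push_cert() {
    run adb push "$CA_DER" "$DEV_CERT"
}

# start_server: frida-server needs root; Genymotion images accept `adb root`, so no su dance is needed
start_server() {
    run adb root
    run adb push "$FRIDA_SERVER" /data/local/tmp/frida-server
    run adb shell chmod 755 /data/local/tmp/frida-server
    run adb shell "/data/local/tmp/frida-server &"
}

# list_apps: the "ps" step from the notes; -a lists running applications with their package identifiers
list_apps() {
    run frida-ps -U -a
}

# bypass_pinning PACKAGE: spawn the app with the script injected before any TLS connection is made
bypass_pinning() {
    # frida < 16 additionally needs --no-pause here; since 16 the process is resumed automatically
    run frida -U -f "$1" -l "$SCRIPT"
}

case "${1:-}" in
    setup)  push_cert; start_server ;;
    ps)     list_apps ;;
    bypass) bypass_pinning "$2" ;;
    "")     ;;   # no arguments: only define the functions
    *)      echo "usage: $0 setup | ps | bypass PACKAGE" >&2; exit 2 ;;
esac
```

Order of use: `setup`, then `ps` to find the package identifier, then `bypass com.example.app`. If frida reports a version mismatch, the host frida-tools and the device frida-server differ; they must match. The bypass only covers pinning done through the standard TrustManager / OkHttp paths the script hooks, so traffic that still fails in Burp after injection points at a custom pinning implementation that needs its own hook.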
Checklist
unzip -d and apktool d both (the two trees differ: apktool decodes the binary manifest and resources, unzip leaves them raw)
check /assets and /res/raw (API keys, encryption keys)
sensitive files on external storage (world readable & writable)
executables & log files on external storage
look at the manifest (WRITE_EXTERNAL_STORAGE); grep for "getExternal"
check for "vnd.android.package-archive" (the MIME type used in an intent to install an APK: the app wants to install something)
hidden directories (.folder)
API keys stored as byte arrays to obfuscate them
identify crypto & understand it (algorithm, mode, where the key comes from)
webSettings.setJavaScriptEnabled(true); means we might be able to XSS
interesting options: "setAllowContentAccess", "setAllowFileAccess", "setAllowFileAccessFromFileURLs", "setAllowUniversalAccessFromFileURLs", "setJavaScriptEnabled", "setPluginState", "setSavePassword"
overriding onReceivedSslError with handler.proceed(), i.e. ignoring SSL errors :facepalm:
XSS in a WebView that exposes an object via addJavascriptInterface might allow calling Runtime.getRuntime().exec() through reflection (CVE-2012-6636) when targetSdkVersion < 17
use mitmproxy (browse to mitm.it through the proxy to get its cert)
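Added example (not from the original notes): a shell scanner that runs the grep-able items of this checklist over an apktool output tree, plus a constructed sample tree so it can be tried without a real APK. It reports file:line hits per item and flags the CVE-2012-6636 case by combining an addJavascriptInterface hit with targetSdkVersion from the manifest or apktool.yml; the crypto and byte-array hits still have to be read by hand. The sample manifest and smali are made up for the demonstration; only the pattern names come from the checklist above.

```shell
#!/bin/sh
# Added example: run the grep-able checklist items over an `apktool d` output tree.
# Assumption (not from the original notes): DIR holds a decoded AndroidManifest.xml, apktool.yml
# and smali/ (and optionally decompiled .java files).
set -eu

# grep_hit LABEL ERE DIR: print file:line hits under a label; silent when nothing matches
grep_hit() {
    hits=$(grep -rnE --include='*.smali' --include='*.java' --include='*.xml' -e "$2" "$3" || true)
    [ -n "$hits" ] && printf '[%s]\n%s\n' "$1" "$hits"
    return 0
}

# target_sdk DIR: apktool moves <uses-sdk> into apktool.yml, so look in both places
target_sdk() {
    grep -ohE 'targetSdkVersion[^0-9]*[0-9]+' "$1/AndroidManifest.xml" "$1/apktool.yml" 2>/dev/null \
        | grep -oE '[0-9]+$' | head -n 1
}

# js_bridge_exploitable DIR: addJavascriptInterface is reachable via reflection (CVE-2012-6636)
# when the app targets API < 17, because the @JavascriptInterface restriction only applies from 17
js_bridge_exploitable() {
    sdk=$(target_sdk "$1")
    grep -rqE 'addJavascriptInterface' "$1" && [ -n "$sdk" ] && [ "$sdk" -lt 17 ]
}

# scan_apk_tree DIR: walk the checklist
scan_apk_tree() {
    d=$1
    printf '[bundled files in assets/ and res/raw/ (keys, configs)]\n'
    find "$d/assets" "$d/res/raw" -type f 2>/dev/null || true
    printf '[hidden directories]\n'
    find "$d" -mindepth 1 -type d -name '.*'
    grep_hit "external storage" 'WRITE_EXTERNAL_STORAGE|getExternal(Storage|Files|Cache)' "$d"
    grep_hit "installs other packages" 'vnd\.android\.package-archive' "$d"
    grep_hit "hard-coded byte arrays (obfuscated keys?)" 'new byte\[\]|\.array-data' "$d"
    grep_hit "crypto usage (read it: algorithm, mode, key origin)" 'javax[/.]crypto|Cipher\.getInstance|/ECB/' "$d"
    grep_hit "WebView settings" 'setJavaScriptEnabled|setAllowFileAccess|setAllowUniversalAccessFromFileURLs|setAllowContentAccess|setPluginState|setSavePassword' "$d"
    grep_hit "SSL errors ignored" 'onReceivedSslError|SslErrorHandler;->proceed|\.proceed\(\)' "$d"
    grep_hit "JavaScript bridge" 'addJavascriptInterface' "$d"
    if js_bridge_exploitable "$d"; then
        printf '[CVE-2012-6636: addJavascriptInterface with targetSdkVersion %s < 17]\n' "$(target_sdk "$d")"
    fi
}

# make_sample_tree: constructed apktool-style tree for trying the scanner offline (prints its path)
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/assets/.hidden" "$d/smali/com/example/app"
    printf '{"api_key": "CONSTRUCTED-SAMPLE-KEY"}\n' > "$d/assets/config.json"
    : > "$d/assets/.hidden/notes.txt"
    cat > "$d/AndroidManifest.xml" <<'EOF'
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>
EOF
    cat > "$d/smali/com/example/app/WebActivity.smali" <<'EOF'
.class public Lcom/example/app/WebActivity;
.method private setup(Landroid/webkit/WebView;)V
    invoke-virtual {p1}, Landroid/webkit/WebView;->getSettings()Landroid/webkit/WebSettings;
    move-result-object v0
    const/4 v1, 0x1
    invoke-virtual {v0, v1}, Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V
    invoke-virtual {v0, v1}, Landroid/webkit/WebSettings;->setAllowUniversalAccessFromFileURLs(Z)V
    invoke-virtual {p1, v0, v1}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
    invoke-virtual {p2}, Landroid/webkit/SslErrorHandler;->proceed()V
.end method
EOF
    cat > "$d/smali/com/example/app/Store.smali" <<'EOF'
.class public Lcom/example/app/Store;
.method private install(Ljava/io/File;)V
    invoke-static {}, Landroid/os/Environment;->getExternalStorageDirectory()Ljava/io/File;
    const-string v1, "application/vnd.android.package-archive"
    const-string v1, "AES/ECB/PKCS5Padding"
    invoke-static {v1}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
    fill-array-data v0, :array_0
    :array_0
    .array-data 1
        0x41t 0x42t 0x43t 0x44t
    .end array-data
.end method
EOF
    printf '%s\n' "$d"
}

if [ "$#" -gt 0 ]; then scan_apk_tree "$1"; fi
```

Run it as `./checklist.sh work` on the apktool output directory, or `scan_apk_tree "$(make_sample_tree)"` after sourcing the file to see every item fire on the constructed sample. Hits are pointers, not findings: a WebView with setJavaScriptEnabled only matters if attacker-controlled content can reach it, and an `.array-data` block is only interesting once you have traced where the bytes end up (SecretKeySpec, IvParameterSpec, HTTP headers).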