xct's notes

Mobile Android

Setup

Windows VM with Genymotion (create a personal-use account) and Android Studio.
In Android Studio, install the command line tools under Tools -> SDK Manager, then put platform-tools on the PATH so adb is reachable:

setx PATH "%PATH%;C:\Users\xct\AppData\Local\Android\Sdk\platform-tools"
C:\Users\xct\AppData\Local\Android\Sdk\platform-tools\adb.exe

ADB

adb connect <ip>
adb devices
adb shell (get a shell on the device)
adb push/pull <filename> <targetpath>
adb install <name of app>
adb shell am start -a android.intent.action.VIEW -d http://google.com (start an action via the activity manager)
adb shell ps
adb logcat | grep -i <pid from above>

Handling APKs

Unpacking

unzip <apk> -d <folder>
apktool d <apk>
dexdump to dump .dex files, or 010 Editor with templates

Reverse

  • bytecode-viewer

Repacking

apktool b <folder> -o name.apk

Signing

jarsigner -verbose -sigalg MD5withRSA -digestalg SHA1 -keystore my_release_key.keystore name.apk alias_name

Proxy

Set Proxy

Androidwifi (long press), Modify -> Proxy

Import Burp Certificate

Convert the exported Burp CA to PEM, name it after its old-style subject hash (the command prints 9a5ba575 for the Burp CA), then place it in the system CA store:

openssl x509 -inform DER -in cacert.der -out cacert.pem
openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1
mv cacert.pem <hash>.0
adb push <hash>.0 /sdcard/
adb remount
adb shell mv /sdcard/9a5ba575.0 /system/etc/security/cacerts/
adb shell chmod 644 /system/etc/security/cacerts/9a5ba575.0
adb reboot

ARM in Genymotion

Frida

adb push frida-server /data/local/tmp/frida-server
adb shell chmod 777 /data/local/tmp/frida-server
adb shell /data/local/tmp/frida-server &

Bypassing SSL-Pinning

Use Genymotion and set up Burp + proxy as usual (save the Burp CA cert locally as well).

pip install frida objection frida-tools

Download the appropriate frida-server release (probably x86). Also download this script: pcipolloni/universal-android-ssl-pinning-bypass-with-frida, store it as fridascript.js, then:

adb push frida-server /data/local/tmp
adb shell chmod 777 /data/local/tmp/frida-server
adb push cacert.der /data/local/tmp/cert-der.crt
adb push fridascript.js /data/local/tmp
adb shell /data/local/tmp/frida-server &

List the running processes and note the package name of the app you want to bypass pinning for:

frida-ps -U

Finally:

frida -U -f com.twitter.android --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida --no-pause

Checklist

  • unzip -d and apktool d both (the outputs differ at times)
  • check /assets and /res/raw (API keys, encryption keys)
  • sensitive files on external storage (world readable and writeable)
  • executables and log files on external storage
  • look at the manifest (WRITE_EXTERNAL_STORAGE), grep for "getExternal"
  • check for "vnd.android.package-archive" (the app wants to install a package)
  • hidden directories (.folder)
  • API keys saved as byte arrays to obfuscate them
  • identify the crypto and understand it
  • webSettings.setJavaScriptEnabled(true); means we might be able to XSS
  • interesting options: "setAllowContent", "setAllowFileAccess", "setAllowFileAccessFromFileURLs", "setAllowUniversalAccessFromFileURLs", "setJavaScriptEnabled", "setPluginState", "setSavePassword"
  • overriding SSL errors :facepalm:
  • XSS might allow calling Runtime.getRuntime().exec() (CVE-2012-6636) on API <= 17
  • use mitmproxy (mitm.it has the cert)
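The checklist above is easy to script over an apktool/unzip output tree. This is an added example, not part of the original notes or of any tool named here: it greps the unpacked tree for the WebSettings setters, external-storage use, SSL error overriding, package-archive installs, hidden directories and key-looking strings in assets, and reports hits per file and line. The sample tree it builds is constructed for the demonstration (no real app); the pattern set and category names are my own.

```python
import os
import re
import tempfile

WEB = ("JavaScriptEnabled|AllowFileAccess|AllowFileAccessFromFileURLs|"
       "AllowUniversalAccessFromFileURLs|AllowContentAccess|PluginState|SavePassword")
# One regex per checklist item; hits are grouped under the dict key. Java needs
# the literal "true"; smali passes the flag on an earlier line, so a smali hit
# only says the setter is called and the value must be read by hand.
CHECKS = {
    "websettings": re.compile(rf"(?:\.set(?:{WEB})\s*\(\s*true|->set(?:{WEB})\()"),
    "external_storage": re.compile(r"getExternal\w*\s*\(|WRITE_EXTERNAL_STORAGE"),
    "ssl_override": re.compile(r"onReceivedSslError|SslErrorHandler"),
    "package_install": re.compile(r"vnd\.android\.package-archive"),
    "key_material": re.compile(
        r"(?i)(api[_-]?key|secret|aes[_-]?key|private[_-]?key)\s*[=:]\s*\"?[A-Za-z0-9+/=_-]{16,}"),
}
TEXT_EXT = {".smali", ".java", ".xml", ".properties", ".json", ".txt", ".js"}

def triage(root):
    """Walk an unpacked APK tree; return {check: ["relpath:line", ...]} for hits only."""
    findings = {name: [] for name in CHECKS}
    findings["hidden_dirs"] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:                      # ".folder" style hidden directories
            if d.startswith("."):
                findings["hidden_dirs"].append(
                    os.path.relpath(os.path.join(dirpath, d), root).replace(os.sep, "/"))
        for fn in filenames:
            if os.path.splitext(fn)[1] not in TEXT_EXT:
                continue                        # skip binaries (dex, png, so, ...)
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="ignore") as fh:
                for lineno, line in enumerate(fh, 1):
                    for name, rx in CHECKS.items():
                        if rx.search(line):
                            findings[name].append(f"{rel}:{lineno}")
    return {k: v for k, v in findings.items() if v}

def build_sample():
    """Constructed sample tree shaped like apktool output (not a real app)."""
    root = tempfile.mkdtemp(prefix="apk_triage_")
    files = {
        "AndroidManifest.xml": '<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>\n',
        "smali/com/example/Web.smali": "invoke-virtual {v0, v1}, Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V\n",
        "src/com/example/Web.java": "settings.setJavaScriptEnabled(true);\n"
                                    "settings.setAllowFileAccessFromFileURLs(true);\n"
                                    "File f = ctx.getExternalFilesDir(null);\n"
                                    "public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) { h.proceed(); }\n",
        "assets/config.properties": "api_key=AKIAEXAMPLECONSTRUCTED0000\n",
        ".hidden/notes.txt": "constructed placeholder\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Run `triage(build_sample())` to see the report shape, or point `triage()` at a real apktool output directory.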