Android Pentesting 101 — Part 3

By TheBountyBox, published in InfoSec Write-ups, Oct 30, 2022 (5 min read)

Welcome to Part 3 of Android Pentesting. This series is about how you can test Android applications and find vulnerabilities in them using various methods. If you haven't read Parts 1 and 2, I highly recommend reading them before jumping into this one. You can find them over here.

In this third and final part, we cover the dynamic analysis phase of Android pentesting, along with the tools used for it. Are you ready?

Dynamic analysis in Android pentesting is largely about intercepting and manipulating the requests and responses that the application exchanges with its back-end server. But here is the catch! Two things usually stand in the way before you can capture the first request:

  1. Root Detection Bypass
  2. SSL Pinning Bypass

Let us talk about them individually.

Root Detection Bypass: Rooting is the process of allowing users of the Android mobile operating system to attain privileged control (known as root access) over various Android subsystems. Because a rooted device lets anyone instrument the app at runtime, security-sensitive applications (banking, payments) often refuse to run, or restrict functionality, when they detect root. Our test device has to be rooted for Frida to work, so we bypass the detection using Frida and Objection. Keep in mind that root detection is client-side logic: it raises the bar for an attacker, but it is not a security boundary, which is exactly why it can be hooked away.

SSL Pinning Bypass: SSL (certificate) pinning is a technique many application owners implement so that the app only trusts a specific certificate or public key for its back end, which means its requests cannot be intercepted simply by installing a proxy CA on the device. Pinning is an important defence-in-depth measure, but because the check lives in client-side code, it can usually be bypassed by hooking the TLS trust or pinning classes at runtime. Again, Frida and Objection are the best tools to help us here.

So how do you start with dynamic analysis? The first requirement is a rooted Android phone. You can root most Android phones with Magisk (the most common and reliable approach) or with other methods found here. Alternatively, you can use the Genymotion emulator, but be aware that some apps behave differently on an emulator (emulator detection, x86-only images), so the results do not always match a physical device.

Alright, let's start by taking a live target; we will call the application <Redacted>. <Redacted> has root detection implemented, as can be seen in the screenshot below.

Bypassing it is straightforward:

  1. Download and install Frida & Objection by following the Hail Frida guide. The frida-server binary you push to the device must match the version of the Frida tools installed on your machine, or the client will refuse to connect.
  2. Connect Burp Suite and your phone by following this article.
  3. Make the server executable (chmod 755 /data/local/tmp/frida-server) and start it as root on the device: adb shell "su -c /data/local/tmp/frida-server &"
  4. Open the application once and keep it running in the background.
  5. Find the application's package name using: frida-ps -Ua (lists running apps with their package identifiers)
  6. Now you need to find the right script. This time we are going to run a root bypass script, which can be found here. If this Frida script does not work, you can find more online. Other Frida scripts can be found here.
  7. The final step is to spawn the app with the script loaded, so the hooks are in place before the first root check runs:
frida -U -f com.package.android -l D:\frida\fridascript-root.js --no-pause
(Note: from Frida 16 onward --no-pause was removed and resuming the spawned app is the default, so drop the flag there; older versions need it, otherwise the app stays suspended until you type %resume.)

Alternatively, you can use Objection to bypass root detection. That can be done quickly with the following commands:

  1. objection -g "com.package.android" explore
  2. android root disable

(android root simulate does the opposite: it makes a non-rooted device look rooted, which is useful for confirming that the app's detection actually triggers, but it is not what you want when bypassing.)

Perfect! Now that we have bypassed the root detection, we can move forward. There is still one step left before we can capture the requests: bypassing SSL pinning.

Alright, to bypass SSL pinning we again use Frida with the SSL Pinning Bypass script, which can be found here. You may read that you cannot run two Frida scripts at the same time, but that is not the case: the frida CLI accepts -l more than once (frida -U -f com.package.android -l root.js -l pinning.js), and you can equally paste the SSL pinning bypass script below the root detection bypass script in one file and re-run Frida. Either way, both sets of hooks are installed at spawn time, and you will see the magic.

With pinning bypassed, Burp now sees all the requests! Alternatively, you can use Objection to bypass SSL pinning. That can be done quickly with the following commands:

  1. objection -g "com.package.android" explore
  2. android sslpinning disable

Objection's generic hooks cover the platform trust manager and the common HTTP stacks. If the app still fails its TLS handshake after this, it is pinning in a way the generic hooks do not reach (a custom TrustManager, a third-party library, or native code), and you will need a targeted Frida script for it.
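Putting the root detection bypass and the SSL pinning bypass into a single Frida script, as suggested above, looks like the following. This is an added example written for this page, not the article's own script or any linked project's code. It assumes the placeholder package name com.package.android; the lists of root paths, binaries and root-manager packages are constructed from indicators that root checks commonly probe, and the classes it hooks (java.io.File, java.lang.Runtime, android.app.ApplicationPackageManager, android.os.Build, Conscrypt's TrustManagerImpl and okhttp3.CertificatePinner) are the usual targets, so an app with a custom check will need its own hooks added in the same style.

```javascript
// combined_bypass.js: root-detection + SSL-pinning bypass in one Frida script.
// Added example for this page, not the article's own script.
// Usage (package name is a placeholder):
//   frida -U -f com.package.android -l combined_bypass.js
// The decision helpers contain no Frida APIs, so they can be exercised under
// plain Node; the hooks are only installed when Frida's Java bridge is present.

// Constructed lists of indicators that root-detection code commonly probes.
const ROOT_PATHS = [
  '/system/bin/su', '/system/xbin/su', '/sbin/su', '/su/bin/su',
  '/system/xbin/daemonsu', '/system/xbin/busybox', '/system/app/Superuser.apk',
  '/sbin/.magisk', '/data/adb/magisk',
];
const ROOT_BINARIES = ['su', 'busybox', 'magisk'];
const ROOT_PACKAGES = [
  'com.topjohnwu.magisk', 'eu.chainfire.supersu',
  'com.koushikdutta.superuser', 'com.noshufou.android.su',
];

// True if File.exists() is being asked about a root artefact.
function isRootIndicator(path) {
  const lower = String(path).toLowerCase();
  return ROOT_PATHS.some(p => p.toLowerCase() === lower) ||
    lower.endsWith('/su') || lower.includes('magisk') || lower.includes('supersu');
}

// True if Runtime.exec() is being used to probe for root ("which su", "su -c id", ...).
function isRootCommand(cmd) {
  return String(cmd).trim().split(/\s+/).some(tok =>
    ROOT_BINARIES.includes(tok) || tok.endsWith('/su'));
}

// True if PackageManager is being asked about a root-manager app.
function isRootPackage(pkg) {
  return ROOT_PACKAGES.includes(String(pkg));
}

function installHooks() {
  Java.perform(function () {
    // --- Root detection -------------------------------------------------
    const File = Java.use('java.io.File');
    File.exists.implementation = function () {
      const path = this.getAbsolutePath();
      if (isRootIndicator(path)) {
        console.log('[root] hiding ' + path);
        return false;
      }
      return this.exists();
    };

    const Runtime = Java.use('java.lang.Runtime');
    Runtime.exec.overload('java.lang.String').implementation = function (cmd) {
      if (isRootCommand(cmd)) {
        console.log('[root] refusing exec: ' + cmd);
        // Throwing a Java exception from the hook mimics "binary not found".
        throw Java.use('java.io.IOException').$new('Cannot run program "' + cmd + '"');
      }
      return this.exec.overload('java.lang.String').call(this, cmd);
    };

    const PM = Java.use('android.app.ApplicationPackageManager');
    PM.getPackageInfo.overload('java.lang.String', 'int').implementation = function (pkg, flags) {
      if (isRootPackage(pkg)) {
        console.log('[root] hiding package ' + pkg);
        throw Java.use('android.content.pm.PackageManager$NameNotFoundException').$new(pkg);
      }
      return this.getPackageInfo.overload('java.lang.String', 'int').call(this, pkg, flags);
    };

    // Build.TAGS == "test-keys" is another classic indicator; rewrite the static field.
    Java.use('android.os.Build').TAGS.value = 'release-keys';

    // --- SSL pinning ----------------------------------------------------
    // Platform trust manager (Conscrypt, Android 7+): returning the untrusted
    // chain unchanged skips validation, so the proxy's CA is accepted.
    try {
      const TMI = Java.use('com.android.org.conscrypt.TrustManagerImpl');
      TMI.verifyChain.implementation = function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
        console.log('[pin] accepting chain for ' + host);
        return untrustedChain;
      };
    } catch (e) { console.log('[pin] TrustManagerImpl not hooked: ' + e); }

    // OkHttp3 CertificatePinner (Retrofit and friends): make check() a no-op.
    try {
      const Pinner = Java.use('okhttp3.CertificatePinner');
      Pinner.check.overload('java.lang.String', 'java.util.List').implementation = function (host, certs) {
        console.log('[pin] okhttp3 pin check skipped for ' + host);
      };
    } catch (e) { console.log('[pin] okhttp3 not present: ' + e); }
  });
}

if (typeof Java !== 'undefined' && Java.available) {
  installHooks();
} else {
  console.log('Not inside Frida: hooks not installed, helpers only.');
}
```

The hooks are installed at spawn time (frida -U -f ...), which matters because many apps run their root check in Application.onCreate before any activity appears. Each pinning hook is wrapped in try/catch because the class may simply not exist in a given app, and Java.use throws in that case.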

Oh, wait! The application also uses the fingerprint to authenticate the user. Let's bypass this as well. The fingerprint bypass script can be found here. Simply add it below the root detection and SSL pinning scripts (or pass it as a third -l), and re-run Frida.

Great! We were able to bypass the fingerprint check as well. What next? Capture all the requests and test them just as you would while testing a web application: tamper with parameters, replay requests, and check authorization on every endpoint.

We have collected all the Frida scripts we find useful over here. Please feel free to use them. We also created a mind map, which you can find below.

That's all, folks, for this article! We hope you enjoyed the entire series. We will be back with another such series, and this time it will be iOS pentesting, where we will show you the methodology for dynamic analysis on iOS.

Happy Hunting!

Welcome to TheBountyBox by Vaibhav Lakhani - Your Gateway to Ethical Hacking and Pentesting! Join us as we explore the fascinating world of cybersecurity