SlideShare une entreprise Scribd logo

Pwning mobile apps without root or jailbreak

Abraham Aranguren
Abraham Aranguren

With the big delays in the time it takes until an iOS jailbreak is public and stable, it is often not possible to test mobile apps in the latest iOS version. Occasionally customers might also provide builds that only work in iOS versions for which no jailbreak is available. On Android the situation is better, but there can also be problems to root certain phone models. These trends make security testing of mobile apps difficult. This talk will cover approaches to defeat common security mechanisms that must be bypassed in the absence of root/jailbreak.

Technologie
1  sur  69
Télécharger pour lire hors ligne
Pwning Mobile Apps Without Root or Jailbreak > Abraham Aranguren > abraham@7asecurity.com > @7asecurity > @7a_ + 7asecurity.com CureCon 2018, Berlin
Agenda • Motivation • Repackaging & Instrumentation examples • Android • iOS • Q&A
• Director at 7ASecurity, check out our public reports, presentations, etc: 7asecurity.com/#publications • Author of Practical Web Defense, a hands-on attack & defense course: www.elearnsecurity.com/PWD • Founder and leader of OWASP OWTF, an OWASP flagship project: owtf.org • Some presentations: www.slideshare.net/abrahamaranguren/presentations • Some sec certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE: Security, MCSA: Security, Security+ • Some dev certs: ZCE PHP 5, ZCE PHP 4, Oracle PL/SQL Developer Certified Associate, MySQL 5 CMDev, MCTS SQL Server 2005 Who am I
Motivation ● iOS jailbreaks are not always available: ○ The app requires iOS version X, without a public jailbreak available ● iOS/Android jailbreak/root detection might take too long to bypass ○ Example: root/jailbreak detection via obfuscated binary ● Test an app on a device you don’t want to root/jailbreak ● Avoid ptrace/debugging app checks due to tampered environment
Repackaging: Android - Problem: App filesystem access Problem: ● When using the Android emulator/Genymotion you have a root shell ● BUT sometimes the app will only work on a real phone ● A non-rooted phone won’t give you a root shell ● A non-rooted phone won’t give you access to application files in /data/data/… ● The app often has backups disabled too Repackaging Solution: ● Modify the APK, enable backups
Repackaging: Android - Problem: Debugging Problem: ● Some apps enable debugging features, such as Webview debugging or other useful information in logcat, etc., when the app has debugging enabled Repackaging Solution: ● Modify the APK, enable debugging
Step 1: Disassemble APK - apktool d some_app.apk -o some_app_disassembled Step 2: Edit AndroidManifest.xml Change: <application android:allowBackup="false" To: <application android:allowBackup="true" android:debuggable="true" Step 3: Repackage APK - apktool b some_app_disassembled -o some_app_debug.apk Step 4: Sign - jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore some_app_debug.apk alias_name Step 5: Install - adb install some_app_debug.apk Example: Backups + Debugging
Example: Backups + Debugging Now we have access to app files via adb backup: Step 1: Backup app files adb backup some.app.com Step 2: Make the backup useful ( printf "x1fx8bx08x00x00x00x00x00" ; tail -c +25 backup.ab ) | tar xfvz - Step 3: Review files :)
Yay file access!
Repackaging: Android - Problem: Pinning ● Often a problem at the start of the test as you try to MitM :) ● We can modify the APK to skip certificate pinning checks
Repackaging: Android - Problem: Pinning Examp Step 1: Disassemble - apktool d some_app.apk -o some_app_disassembled Step 2: Find file to modify - grep -Ir checkServerTrusted * Step 3: Modify the file .method public final checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;) V [...] return-void # Pinning bypass Steps 4-6: Repackage, Sign & Install :)
Wait, is it that easy?
Repackaging: Android - Problem: Root detection ● Sometimes apps refuse to run when your phone is rooted ● Repackaging often allows us to bypass these checks and enjoy root powers :D
Android repackaging - Root detection bypass example 1 Step 1: Disassemble - apktool d some.apk -o some_disassembled Step 2: Remove check from app Java Code: if (isRooted()) [...] Related Smali Code: if-eqz v0, :cond_0 Change Smali Code to: if-nez v0, :cond_0 NOTE: The if-nez opcode inverts the condition, hence bypassing the check Steps 3-5: Repackage, Sign & Install :)
Android repackaging - Root detection bypass example 2 Step 1: Disassemble - apktool d some.apk -o some_disassembled Step 2: Remove check from app, return “False” from isRooted .method public isRooted()Z const/4 v0, 0x0 # False return v0 # Return false [...] Steps 3-5: Repackage, Sign & Install :)
So this is awesome, right?
Limitations of apktool-style Android repackaging ● Limited to changes in smali code: ○ We can only modify Java code disassembled as smali ○ If the app loads and runs code from a binary we cannot modify that (at least not as easily :D) ● Changes are static ○ If you notice later that you need further changes you need to: ■ Disassemble ■ Modify ■ Repackage, Sign and Install ■ … For each modification! :P
Further reading Must-use tool for Android repackaging: https://ibotpeaches.github.io/Apktool/ Cool smali opcode references: http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html https://source.android.com/devices/tech/dalvik/dalvik-bytecode
What is Frida? - https://www.frida.re/ ● Dynamic Instrumentation Toolkit ● Allows hooking and observing/modifying any app function: ○ Crypto APIs ○ Proprietary functions ○ Even functionality in binaries ● Lets you inject snippets of JavaScript into native apps that run on Windows, Mac, Linux, iOS and Android In short: Frida Gadgets allow root-like access on apps from not-rooted/jailbroken devices
How to add Frida to an APK so we can run it without root? Step 1: Disassemble - apktool d some_app.apk -o some_app_disassembled Step 2: Add the frida-gadget binaries to the APK - For the correct architecture! :) https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-androi d-x86.so.xz https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-androi d-x86_64.so.xz https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-androi d-arm.so.xz https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-androi d-arm64.so.xz
How do I know the architecture? ADB Command: adb shell getprop ro.product.cpu.abi Example Output (Genymotion): x86
Step 2: Adding the Frida-Gadget to the APK - (ARM 32bits) Download: wget https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-a ndroid-arm.so.xz Uncompress: unxz frida-gadget-12.0.8-android-arm.so.xz Copy: cp frida-gadget-12.0.8-android-arm.so some_disassembled/lib/armeabi/libfrida-gadget.so
Step 3: Make the APK load the Gadget Find main activity: find . | grep -i main | grep smali$ Add the following smali code to the constructor: const-string v0, "frida-gadget" invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V Corresponding Java Code: System.loadLibrary("frida-gadget")
Step 4: Ensure network permissions in AndroidManifest.xml We will talk to Frida over the network so the app needs to use the internet, most apps do but worth double checking: File: AndroidManifest.xml Make sure it has: <uses-permission android:name="android.permission.INTERNET" />
Repackage, Sign & Install Step 5: Repackage APK - apktool b some_app_disassembled -o some_app_debug.apk Step 6: Sign - jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore some_app_debug.apk alias_name Step 7: Install - adb install some_app_debug.apk
Basic Frida usage Logcat - Frida: Listening on TCP port 27042 The PID will show Gadget instead of the original package name: Command: $ frida-ps –U Output: PID Name ----- ------ 16071 Gadget
Basic Frida usage – Interactive Instrumentation Shell Command: frida -U Gadget --no-pause Output: Commands: /_/ |_| help -> Displays the help system . . . . object? -> Display information about 'object' . . . . exit/quit -> Exit [USB::Android Emulator 5556::['com.android.chrome']]-> Java.androidVersion "7.1.1"
Basic Frida usage – Public script example: Root Bypass https://github.com/0xdea/frida-scripts/blob/master/android-snippets/raptor_frida _android_bypass.js Usage (Frida Server): frida -U -f com.xxx.yyy -l raptor_frida_android.js --no-pause Usage (Frida Gadget): frida -U Gadget -l raptor_frida_android.js --no-pause
Basic Frida usage – Public script example: Root Bypass setTimeout(function() { // avoid java.lang.ClassNotFoundException Java.perform(function() {// Root detection bypass example var hook = Java.use("com.target.utils.RootCheck"); hook.isRooted.overload().implementation = function() { console.log("info: entered target method"); var retval = this.isRooted.overload().call(this); //old retval console.log("old ret value: " + retval); var retnew = false; // set new retval console.log("new ret value: " + retnew); return retnew; } }); }, 0);
Basic Frida usage – Crypto Hooks https://gitlab.com/roxanagogonea/frida-scripts/blob/master/cryptography/crypt ography.js setImmediate(function() { Java.perform(function() { var keyGenerator = Java.use("javax.crypto.KeyGenerator"); keyGenerator.generateKey.implementation = function () { console.log("[*] Generate symmetric key called. "); return this.generateKey(); }; }); });
Basic Frida usage – Crypto Hooks setImmediate(function() { Java.perform(function() { var keyGenerator = Java.use("javax.crypto.KeyGenerator"); keyGenerator.getInstance.overload('java.lang.String').implementation = function (var0) { console.log("[*] KeyGenerator.getInstance called with algorithm: " + var0 + "n"); return this.getInstance(var0); }; }); });
Basic Frida usage – Crypto Hooks setImmediate(function() { Java.perform(function() { var keyGenerator = Java.use("javax.crypto.KeyGenerator"); keyGenerator.getInstance.overload('java.lang.String', 'java.lang.String').implementation = function (var0, var1) { console.log("[*] KeyGenerator.getInstance called with algorithm: " + var0 + " and provider: " + var1 + "n"); return this.getInstance(var0, var1); }; }); });
Basic Frida usage – Shared Preferences setImmediate(function() { Java.perform(function() { var contextWrapper = Java.use("android.content.ContextWrapper"); var sharedPreferencesEditor = Java.use("android.app.SharedPreferencesImpl$EditorImpl"); sharedPreferencesEditor.putString.overload('java.lang.String', 'java.lang.String').implementation = function(var0, var1) { console.log("[*] Added a new String value to SharedPreferences with key: " + var0 + " and value " + var1 + "n"); var editor = this.putString(var0, var1); return editor; }});});
Basic Frida usage – SQLite query hooks setImmediate(function() { Java.perform(function() { var sqliteDatabase = Java.use("android.database.sqlite.SQLiteDatabase"); sqliteDatabase.execSQL.overload('java.lang.String').implementation = function(var0) { console.log("[*] SQLiteDatabase.exeqSQL called with query: " + var0 + "n"); var execSQLRes = this.execSQL(var0); return execSQLRes; };});}); https://gitlab.com/roxanagogonea/frida-scripts/blob/master/data-storage/sqlite-d atabase.js
Further reading & Frida script examples https://www.frida.re/docs/gadget/ https://koz.io/using-frida-on-android-without-root/ https://www.codemetrix.net/hacking-android-apps-with-frida-1/ https://github.com/iddoeldor/frida-snippets https://github.com/poxyran/misc https://gitlab.com/roxanagogonea/frida-scripts/blob/master/
Can this be automated? Here are some attempts: https://github.com/dpnishant/appmon/tree/master/apk_builder
BUT BUT BUT … What about iOS????
iOS Reversing 101 Usual approach overview: ● Decrypt IPA with Clutch - https://github.com/KJCracks/Clutch ● Generate Objective-C headers with class-dump - https://github.com/nygard/class-dump ● Disassemble with Hopper - https://www.hopperapp.com/index.html Explained by filedescriptor ☺ https://blog.innerht.ml/page/2/
iOS Repackaging Guides https://labs.mwrinfosecurity.com/blog/repacking-and-resigning-ios-applications/ https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/octo ber/ios-instrumentation-without-jailbreak/ https://github.com/sensepost/objection/wiki/Patching-iOS-Applications
iOS Repackaging - Step 1: Add Apple ID to XCode Add an Apple ID to Xcode: Xcode / Preferences / Accounts / Add Apple ID
iOS Repackaging - Step 2: Manage Certificates
iOS Repackaging - Step 2: Manage Certificates – iOS Dev
iOS Repackaging - Step 2: Manage Certificates – Done
iOS Repackaging - Step 2: Verify Code Signing Certificate Command: security find-identity -p codesigning -v Output: 1) xxx[…] "iPhone Developer: abraham+1@cure53.de ([…]XX)" 1 valid identities found
iOS Repackaging - Step 3: Create mobileprovision file
iOS Repackaging - Step 3: Create mobileprovision file
iOS Repackaging - Step 3: Create mobileprovision file
iOS Repackaging - Step 3: Create mobileprovision file
iOS Repackaging - Step 3: Create mobileprovision file
iOS Repackaging - Step 3: Create mobileprovision file Just login :D
iOS Repackaging - Step 3: Create mobileprovision file ● Plug your iPhone ● Select the iPhone as the target device on Xcode ● Hit the “Play” button ● Verify the mobileprovision file has been created: find ~/Library/Developer/Xcode/DerivedData/ -name embedded.mobileprovision
iOS Repackaging - Step 3: Create mobileprovision file Do we have to do all this nonsense every time?
iOS Repackaging - Step 3: Create mobileprovision file From here, each time we will “only” need to: ● Create a blank app ● Deploy it to an iDevice This will create a new, valid provisioning file
iOS Repackaging - Step 4: IPA Patching Dependencies ● objection – from: https://github.com/sensepost/objection/wiki/Installation ● applesign - from: https://github.com/nowsecure/node-applesign ● insert_dylib - from: https://github.com/Tyilo/insert_dylib ● security, codesign, xcodebuild` - macOS/XCode commands ● zip & unzip - builtin, or just installed using homebrew ● 7z - installed using homebrew with brew install p7zip
iOS Repackaging - Step 4: IPA Patching Dependencies Objection Installation: pip3 install -U objection More details and options: https://github.com/sensepost/objection/wiki/Installation
iOS Repackaging - Step 4: IPA Patching Dependencies applesign Installation: npm install -g applesign. If npm is missing: brew install npm
iOS Repackaging - Step 4: IPA Patching Dependencies insert_dylib installation: Compile from source like so: git clone https://github.com/Tyilo/insert_dylib cd insert_dylib xcodebuild cp build/Release/insert_dylib /usr/local/bin/insert_dylib
iOS Repackaging - Step 4: IPA Patching Command: objection patchipa --source my-app.ipa --codesign-signature xxxx
iOS Repackaging - Step 5: Running the patched IPA More dependencies :D Install ios-deploy: npm install -g ios-deploy
iOS Repackaging - Step 5: Running the patched IPA Installing and running the app: unzip my-app.ipa # Creates a Payload/ directory. Unlock iDevice and plug via USB to your Mac Run ios-deploy: ios-deploy --bundle Payload/my-app.app -W -d More intel and Linux instructions: https://github.com/sensepost/objection/wiki/Running-Patched-iOS-Applications
iOS Repackaging - Step 6: Using Frida ☺ So now we can run Frida scripts: frida -U Gadget -l <frida_script> --no-pause Some nice examples for iOS inspiration: https://github.com/iddoeldor/frida-snippets https://github.com/0xdea/frida-scripts/tree/master/ios-snippets
Frida Examples – Filesystem access https://github.com/nowsecure/frida-fs const fs = require('frida-fs'); fs.createReadStream('/etc/hosts').pipe(networkStream);
Frida Examples – Grab iOS Screenshots https://github.com/nowsecure/frida-screenshot const screenshot = require('frida-screenshot'); const png = yield screenshot(); send({ name: '+screenshot', payload: { timestamp: Date.now() }}, png);
Frida Examples – iOS instance member values ObjC.choose(ObjC.classes[clazz], { onMatch: function (obj) { console.log('onMatch: ', obj); Object.keys(obj.$ivars).forEach(function(v) { console.log('t', v, '=', obj.$ivars[v]); }); }, onComplete: function () { console.log('onComplete', arguments.length); }}); https://github.com/iddoeldor/frida-snippets
Frida Examples – iOS extract cookies var cookieJar = []; var cookies = ObjC.classes.NSHTTPCookieStorage.sharedHTTPCookieStorage().cookies(); for (var i = 0, l = cookies.count(); i < l; i++) { var cookie = cookies['- objectAtIndex:'](i); cookieJar.push(cookie.Name() + '=' + cookie.Value()); } console.log(cookieJar.join("; ")); https://github.com/iddoeldor/frida-snippets
Frida Examples – iOS monitor file access Interceptor.attach(ObjC.classes.NSFileManager['- fileExistsAtPath:'].implementation, { onEnter: function (args) { console.log('open' , ObjC.Object(args[2]).toString()); } }); https://github.com/iddoeldor/frida-snippets
What is Objection? ● Wrapper around Frida ● Automates a lot of stuff via Frida hooks ● Works for iOS and Android https://github.com/sensepost/objection/wiki
Demos from the author of objection https://www.youtube.com/watch?v=zkxSFERFuBw https://www.youtube.com/watch?v=AqqPGXa4nO8 https://www.youtube.com/watch?v=t3nRDELo_fY https://www.youtube.com/watch?v=aL8Z2PctBFE https://www.youtube.com/watch?v=Mhf92DeRk8c
> abraham@7asecurity.com @7asecurity | + 7asecurity.com @7a_ OWASP OWTF: @owtfp | + owtf.org Q & A Thank you for your time

Recommandé

Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Abraham Aranguren
 
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parentingSmart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parentingAbraham Aranguren
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersRyanISI
 

Recommandé

Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Abraham Aranguren
 
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parentingSmart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parentingAbraham Aranguren
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersRyanISI
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applicationsSatish b
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application SecurityEgor Tolstoy
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Practical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's PerspectivePractical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's PerspectiveRajniHatti
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking themMikhail Egorov
 
Android reverse engineering: understanding third-party applications. OWASP EU...
Android reverse engineering: understanding third-party applications. OWASP EU...Android reverse engineering: understanding third-party applications. OWASP EU...
Android reverse engineering: understanding third-party applications. OWASP EU...Internet Security Auditors
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 
Mobile App Security Testing -2
Mobile App Security Testing -2Mobile App Security Testing -2
Mobile App Security Testing -2Krisshhna Daasaarii
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android AppsAbdelhamid Limami
 
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappsMikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappshacktivity
 
How to use_000webhost
How to use_000webhostHow to use_000webhost
How to use_000webhostIIUM
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
iOS Application Penetration Testing
iOS Application Penetration TestingiOS Application Penetration Testing
iOS Application Penetration Testingn|u - The Open Security Community
 
Android & iOS Automation Using Appium
Android & iOS Automation Using AppiumAndroid & iOS Automation Using Appium
Android & iOS Automation Using AppiumMindfire Solutions
 
Android Hacking + Pentesting
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting Sina Manavi
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 AndroidTony Thomas
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsRon Munitz
 

Contenu connexe

Tendances

Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applicationsSatish b
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application SecurityEgor Tolstoy
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Practical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's PerspectivePractical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's PerspectiveRajniHatti
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking themMikhail Egorov
 
Android reverse engineering: understanding third-party applications. OWASP EU...
Android reverse engineering: understanding third-party applications. OWASP EU...Android reverse engineering: understanding third-party applications. OWASP EU...
Android reverse engineering: understanding third-party applications. OWASP EU...Internet Security Auditors
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappsMikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappshacktivity
 
How to use_000webhost
How to use_000webhostHow to use_000webhost
How to use_000webhostIIUM
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
Android & iOS Automation Using Appium
Android & iOS Automation Using AppiumAndroid & iOS Automation Using Appium
Android & iOS Automation Using AppiumMindfire Solutions
 
Android Hacking + Pentesting
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting Sina Manavi
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 

Tendances (20)

Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applications
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
 
Practical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's PerspectivePractical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's Perspective
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking them
 
Android reverse engineering: understanding third-party applications. OWASP EU...
Android reverse engineering: understanding third-party applications. OWASP EU...Android reverse engineering: understanding third-party applications. OWASP EU...
Android reverse engineering: understanding third-party applications. OWASP EU...
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
 
Mobile App Security Testing -2
Mobile App Security Testing -2Mobile App Security Testing -2
Mobile App Security Testing -2
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android Apps
 
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappsMikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
 
How to use_000webhost
How to use_000webhostHow to use_000webhost
How to use_000webhost
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
 
iOS Application Penetration Testing
iOS Application Penetration TestingiOS Application Penetration Testing
iOS Application Penetration Testing
 
Android & iOS Automation Using Appium
Android & iOS Automation Using AppiumAndroid & iOS Automation Using Appium
Android & iOS Automation Using Appium
 
Android Hacking + Pentesting
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
 

Similaire à Pwning mobile apps without root or jailbreak

FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 AndroidTony Thomas
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsRon Munitz
 
Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testingRoshan Kumar Gami
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...Hafez Kamal
 
Modifying Android Apps Without Source Code with Microsoft Visual Studio Code
Modifying Android Apps Without Source Code with Microsoft Visual Studio CodeModifying Android Apps Without Source Code with Microsoft Visual Studio Code
Modifying Android Apps Without Source Code with Microsoft Visual Studio CodeRonillo Ang
 
Is Your App Hackable for droidcon Berlin 2015
Is Your App Hackable for droidcon Berlin 2015Is Your App Hackable for droidcon Berlin 2015
Is Your App Hackable for droidcon Berlin 2015Licel
 
MOBILE PENTESTING Frida.pdf
MOBILE PENTESTING Frida.pdfMOBILE PENTESTING Frida.pdf
MOBILE PENTESTING Frida.pdfAdityamd4
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileOleg Gryb
 
Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Amazon Web Services
 
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsSynopsys Software Integrity Group
 
Frida Android run time hooking - Bhargav Gajera & Vitthal Shinde
Frida Android run time hooking - Bhargav Gajera & Vitthal ShindeFrida Android run time hooking - Bhargav Gajera & Vitthal Shinde
Frida Android run time hooking - Bhargav Gajera & Vitthal ShindeNSConclave
 
Implementing generic JNI hardware control for Kotlin based app on AOSP
Implementing generic JNI hardware control for Kotlin based app on AOSPImplementing generic JNI hardware control for Kotlin based app on AOSP
Implementing generic JNI hardware control for Kotlin based app on AOSPCheng Wig
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingRomansh Yadav
 
Kandroid for nhn_deview_20131013_v5_final
Kandroid for nhn_deview_20131013_v5_finalKandroid for nhn_deview_20131013_v5_final
Kandroid for nhn_deview_20131013_v5_finalNAVER D2
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2Mohammed Adam
 
apidays LIVE Paris 2021 - APIGEE, different ways for integrating with CI/CD p...
apidays LIVE Paris 2021 - APIGEE, different ways for integrating with CI/CD p...apidays LIVE Paris 2021 - APIGEE, different ways for integrating with CI/CD p...
apidays LIVE Paris 2021 - APIGEE, different ways for integrating with CI/CD p...apidays
 
Phonegap Development & Debugging
Phonegap Development & DebuggingPhonegap Development & Debugging
Phonegap Development & DebuggingIvano Malavolta
 

Similaire à Pwning mobile apps without root or jailbreak (20)

FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android Apps
 
Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testing
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
 
Modifying Android Apps Without Source Code with Microsoft Visual Studio Code
Modifying Android Apps Without Source Code with Microsoft Visual Studio CodeModifying Android Apps Without Source Code with Microsoft Visual Studio Code
Modifying Android Apps Without Source Code with Microsoft Visual Studio Code
 
Is Your App Hackable for droidcon Berlin 2015
Is Your App Hackable for droidcon Berlin 2015Is Your App Hackable for droidcon Berlin 2015
Is Your App Hackable for droidcon Berlin 2015
 
MOBILE PENTESTING Frida.pdf
MOBILE PENTESTING Frida.pdfMOBILE PENTESTING Frida.pdf
MOBILE PENTESTING Frida.pdf
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
 
Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration
 
How to Build & Use OpenCL on OpenCV & Android NDK
How to Build & Use OpenCL on OpenCV & Android NDKHow to Build & Use OpenCL on OpenCV & Android NDK
How to Build & Use OpenCL on OpenCV & Android NDK
 
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical Apps
 
Frida Android run time hooking - Bhargav Gajera & Vitthal Shinde
Frida Android run time hooking - Bhargav Gajera & Vitthal ShindeFrida Android run time hooking - Bhargav Gajera & Vitthal Shinde
Frida Android run time hooking - Bhargav Gajera & Vitthal Shinde
 
Implementing generic JNI hardware control for Kotlin based app on AOSP
Implementing generic JNI hardware control for Kotlin based app on AOSPImplementing generic JNI hardware control for Kotlin based app on AOSP
Implementing generic JNI hardware control for Kotlin based app on AOSP
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
 
Kandroid for nhn_deview_20131013_v5_final
Kandroid for nhn_deview_20131013_v5_finalKandroid for nhn_deview_20131013_v5_final
Kandroid for nhn_deview_20131013_v5_final
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
 
apidays LIVE Paris 2021 - APIGEE, different ways for integrating with CI/CD p...
apidays LIVE Paris 2021 - APIGEE, different ways for integrating with CI/CD p...apidays LIVE Paris 2021 - APIGEE, different ways for integrating with CI/CD p...
apidays LIVE Paris 2021 - APIGEE, different ways for integrating with CI/CD p...
 
Appium- part 1
Appium- part 1Appium- part 1
Appium- part 1
 
Phonegap Development & Debugging
Phonegap Development & DebuggingPhonegap Development & Debugging
Phonegap Development & Debugging
 

Plus de Abraham Aranguren

Why should you do a pentest?
Why should you do a pentest?Why should you do a pentest?
Why should you do a pentest?Abraham Aranguren
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013Abraham Aranguren
 
VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012Abraham Aranguren
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Abraham Aranguren
 
Legal and efficient web app testing without permission
Legal and efficient web app testing without permissionLegal and efficient web app testing without permission
Legal and efficient web app testing without permissionAbraham Aranguren
 
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Abraham Aranguren
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Abraham Aranguren
 
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficBruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficAbraham Aranguren
 

Plus de Abraham Aranguren (8)

Why should you do a pentest?
Why should you do a pentest?Why should you do a pentest?
Why should you do a pentest?
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
 
VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
 
Legal and efficient web app testing without permission
Legal and efficient web app testing without permissionLegal and efficient web app testing without permission
Legal and efficient web app testing without permission
 
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011
 
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficBruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
 

Dernier

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 

Dernier (20)

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 

Pwning mobile apps without root or jailbreak

  • 1. Pwning Mobile Apps Without Root or Jailbreak > Abraham Aranguren > abraham@7asecurity.com > @7asecurity > @7a_ + 7asecurity.com CureCon 2018, Berlin
  • 2. Agenda • Motivation • Repackaging & Instrumentation examples • Android • iOS • Q&A
  • 3. • Director at 7ASecurity, check out our public reports, presentations, etc: 7asecurity.com/#publications • Author of Practical Web Defense, a hands-on attack & defense course: www.elearnsecurity.com/PWD • Founder and leader of OWASP OWTF, an OWASP flagship project: owtf.org • Some presentations: www.slideshare.net/abrahamaranguren/presentations • Some sec certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE: Security, MCSA: Security, Security+ • Some dev certs: ZCE PHP 5, ZCE PHP 4, Oracle PL/SQL Developer Certified Associate, MySQL 5 CMDev, MCTS SQL Server 2005 Who am I
  • 4. Motivation ● iOS jailbreaks are not always available: ○ The app requires iOS version X, without a public jailbreak available ● iOS/Android jailbreak/root detection might take too long to bypass ○ Example: root/jailbreak detection via obfuscated binary ● Test an app on a device you don’t want to root/jailbreak ● Avoid ptrace/debugging app checks due to tampered environment
  • 5. Repackaging: Android - Problem: App filesystem access Problem: ● When using the Android emulator/Genymotion you have a root shell ● BUT sometimes the app will only work on a real phone ● A non-rooted phone won’t give you a root shell ● A non-rooted phone won’t give you access to application files in /data/data/… ● The app often has backups disabled too Repackaging Solution: ● Modify the APK, enable backups
  • 6. Repackaging: Android - Problem: Debugging Problem: ● Some apps enable debugging features, such as Webview debugging or other useful information in logcat, etc., when the app has debugging enabled Repackaging Solution: ● Modify the APK, enable debugging
  • 7. Step 1: Disassemble APK - apktool d some_app.apk -o some_app_disassembled Step 2: Edit AndroidManifest.xml Change: <application android:allowBackup="false" To: <application android:allowBackup="true" android:debuggable="true" Step 3: Repackage APK - apktool b some_app_disassembled -o some_app_debug.apk Step 4: Sign - jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore some_app_debug.apk alias_name Step 5: Install - adb install some_app_debug.apk Example: Backups + Debugging
  • 8. Example: Backups + Debugging Now we have access to app files via adb backup: Step 1: Backup app files adb backup some.app.com Step 2: Make the backup useful ( printf "x1fx8bx08x00x00x00x00x00" ; tail -c +25 backup.ab ) | tar xfvz - Step 3: Review files :)
  • 10. Repackaging: Android - Problem: Pinning ● Often a problem at the start of the test as you try to MitM :) ● We can modify the APK to skip certificate pinning checks
  • 11. Repackaging: Android - Problem: Pinning Examp Step 1: Disassemble - apktool d some_app.apk -o some_app_disassembled Step 2: Find file to modify - grep -Ir checkServerTrusted * Step 3: Modify the file .method public final checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;) V [...] return-void # Pinning bypass Steps 4-6: Repackage, Sign & Install :)
  • 12. Wait, is it that easy?
  • 13. Repackaging: Android - Problem: Root detection ● Sometimes apps refuse to run when your phone is rooted ● Repackaging often allows us to bypass these checks and enjoy root powers :D
  • 14. Android repackaging - Root detection bypass example 1 Step 1: Disassemble - apktool d some.apk -o some_disassembled Step 2: Remove check from app Java Code: if (isRooted()) [...] Related Smali Code: if-eqz v0, :cond_0 Change Smali Code to: if-nez v0, :cond_0 NOTE: The if-nez opcode inverts the condition, hence bypassing the check Steps 3-5: Repackage, Sign & Install :)
  • 15. Android repackaging - Root detection bypass example 2 Step 1: Disassemble - apktool d some.apk -o some_disassembled Step 2: Remove check from app, return “False” from isRooted .method public isRooted()Z const/4 v0, 0x0 # False return v0 # Return false [...] Steps 3-5: Repackage, Sign & Install :)
  • 16. So this is awesome, right?
  • 17. Limitations of apktool-style Android repackaging ● Limited to changes in smali code: ○ We can only modify Java code disassembled as smali ○ If the app loads and runs code from a binary we cannot modify that (at least not as easily :D) ● Changes are static ○ If you notice later that you need further changes you need to: ■ Disassemble ■ Modify ■ Repackage, Sign and Install ■ … For each modification! :P
  • 18. Further reading Must-use tool for Android repackaging: https://ibotpeaches.github.io/Apktool/ Cool smali opcode references: http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html https://source.android.com/devices/tech/dalvik/dalvik-bytecode
  • 19. What is Frida? - https://www.frida.re/ ● Dynamic Instrumentation Toolkit ● Allows hooking and observing/modifying any app function: ○ Crypto APIs ○ Proprietary functions ○ Even functionality in binaries ● Lets you inject snippets of JavaScript into native apps that run on Windows, Mac, Linux, iOS and Android In short: Frida Gadgets allow root-like access on apps from not-rooted/jailbroken devices
  • 20. How to add Frida to an APK so we can run it without root? Step 1: Disassemble - apktool d some_app.apk -o some_app_disassembled Step 2: Add the frida-gadget binaries to the APK - For the correct architecture! :) https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-androi d-x86.so.xz https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-androi d-x86_64.so.xz https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-androi d-arm.so.xz https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-androi d-arm64.so.xz
  • 21. How do I know the architecture? ADB Command: adb shell getprop ro.product.cpu.abi Example Output (Genymotion): x86
  • 22. Step 2: Adding the Frida-Gadget to the APK - (ARM 32bits) Download: wget https://github.com/frida/frida/releases/download/12.0.8/frida-gadget-12.0.8-a ndroid-arm.so.xz Uncompress: unxz frida-gadget-12.0.8-android-arm.so.xz Copy: cp frida-gadget-12.0.8-android-arm.so some_disassembled/lib/armeabi/libfrida-gadget.so
  • 23. Step 3: Make the APK load the Gadget Find main activity: find . | grep -i main | grep smali$ Add the following smali code to the constructor: const-string v0, "frida-gadget" invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V Corresponding Java Code: System.loadLibrary("frida-gadget")
  • 24. Step 4: Ensure network permissions in AndroidManifest.xml We will talk to Frida over the network so the app needs to use the internet, most apps do but worth double checking: File: AndroidManifest.xml Make sure it has: <uses-permission android:name="android.permission.INTERNET" />
  • 25. Repackage, Sign & Install Step 5: Repackage APK - apktool b some_app_disassembled -o some_app_debug.apk Step 6: Sign - jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore some_app_debug.apk alias_name Step 7: Install - adb install some_app_debug.apk
  • 26. Basic Frida usage Logcat - Frida: Listening on TCP port 27042 The PID will show Gadget instead of the original package name: Command: $ frida-ps –U Output: PID Name ----- ------ 16071 Gadget
  • 27. Basic Frida usage – Interactive Instrumentation Shell Command: frida -U Gadget --no-pause Output: Commands: /_/ |_| help -> Displays the help system . . . . object? -> Display information about 'object' . . . . exit/quit -> Exit [USB::Android Emulator 5556::['com.android.chrome']]-> Java.androidVersion "7.1.1"
  • 28. Basic Frida usage – Public script example: Root Bypass https://github.com/0xdea/frida-scripts/blob/master/android-snippets/raptor_frida _android_bypass.js Usage (Frida Server): frida -U -f com.xxx.yyy -l raptor_frida_android.js --no-pause Usage (Frida Gadget): frida -U Gadget -l raptor_frida_android.js --no-pause
  • 29. Basic Frida usage – Public script example: Root Bypass setTimeout(function() { // avoid java.lang.ClassNotFoundException Java.perform(function() {// Root detection bypass example var hook = Java.use("com.target.utils.RootCheck"); hook.isRooted.overload().implementation = function() { console.log("info: entered target method"); var retval = this.isRooted.overload().call(this); //old retval console.log("old ret value: " + retval); var retnew = false; // set new retval console.log("new ret value: " + retnew); return retnew; } }); }, 0);
  • 30. Basic Frida usage – Crypto Hooks https://gitlab.com/roxanagogonea/frida-scripts/blob/master/cryptography/crypt ography.js setImmediate(function() { Java.perform(function() { var keyGenerator = Java.use("javax.crypto.KeyGenerator"); keyGenerator.generateKey.implementation = function () { console.log("[*] Generate symmetric key called. "); return this.generateKey(); }; }); });
  • 31. Basic Frida usage – Crypto Hooks setImmediate(function() { Java.perform(function() { var keyGenerator = Java.use("javax.crypto.KeyGenerator"); keyGenerator.getInstance.overload('java.lang.String').implementation = function (var0) { console.log("[*] KeyGenerator.getInstance called with algorithm: " + var0 + "n"); return this.getInstance(var0); }; }); });
  • 32. Basic Frida usage – Crypto Hooks setImmediate(function() { Java.perform(function() { var keyGenerator = Java.use("javax.crypto.KeyGenerator"); keyGenerator.getInstance.overload('java.lang.String', 'java.lang.String').implementation = function (var0, var1) { console.log("[*] KeyGenerator.getInstance called with algorithm: " + var0 + " and provider: " + var1 + "n"); return this.getInstance(var0, var1); }; }); });
  • 33. Basic Frida usage – Shared Preferences setImmediate(function() { Java.perform(function() { var contextWrapper = Java.use("android.content.ContextWrapper"); var sharedPreferencesEditor = Java.use("android.app.SharedPreferencesImpl$EditorImpl"); sharedPreferencesEditor.putString.overload('java.lang.String', 'java.lang.String').implementation = function(var0, var1) { console.log("[*] Added a new String value to SharedPreferences with key: " + var0 + " and value " + var1 + "n"); var editor = this.putString(var0, var1); return editor; }});});
  • 34. Basic Frida usage – SQLite query hooks setImmediate(function() { Java.perform(function() { var sqliteDatabase = Java.use("android.database.sqlite.SQLiteDatabase"); sqliteDatabase.execSQL.overload('java.lang.String').implementation = function(var0) { console.log("[*] SQLiteDatabase.exeqSQL called with query: " + var0 + "n"); var execSQLRes = this.execSQL(var0); return execSQLRes; };});}); https://gitlab.com/roxanagogonea/frida-scripts/blob/master/data-storage/sqlite-d atabase.js
  • 35. Further reading & Frida script examples https://www.frida.re/docs/gadget/ https://koz.io/using-frida-on-android-without-root/ https://www.codemetrix.net/hacking-android-apps-with-frida-1/ https://github.com/iddoeldor/frida-snippets https://github.com/poxyran/misc https://gitlab.com/roxanagogonea/frida-scripts/blob/master/
  • 36. Can this be automated? Here are some attempts: https://github.com/dpnishant/appmon/tree/master/apk_builder
  • 37. BUT BUT BUT … What about iOS????
  • 38. iOS Reversing 101 Usual approach overview: ● Decrypt IPA with Clutch - https://github.com/KJCracks/Clutch ● Generate Objective-C headers with class-dump - https://github.com/nygard/class-dump ● Disassemble with Hopper - https://www.hopperapp.com/index.html Explained by filedescriptor ☺ https://blog.innerht.ml/page/2/
  • 40. iOS Repackaging - Step 1: Add Apple ID to XCode Add an Apple ID to Xcode: Xcode / Preferences / Accounts / Add Apple ID
  • 41. iOS Repackaging - Step 2: Manage Certificates
  • 42. iOS Repackaging - Step 2: Manage Certificates – iOS Dev
  • 43. iOS Repackaging - Step 2: Manage Certificates – Done
  • 44. iOS Repackaging - Step 2: Verify Code Signing Certificate Command: security find-identity -p codesigning -v Output: 1) xxx[…] "iPhone Developer: abraham+1@cure53.de ([…]XX)" 1 valid identities found
  • 45. iOS Repackaging - Step 3: Create mobileprovision file
  • 46. iOS Repackaging - Step 3: Create mobileprovision file
  • 47. iOS Repackaging - Step 3: Create mobileprovision file
  • 48. iOS Repackaging - Step 3: Create mobileprovision file
  • 49. iOS Repackaging - Step 3: Create mobileprovision file
  • 50. iOS Repackaging - Step 3: Create mobileprovision file Just login :D
  • 51. iOS Repackaging - Step 3: Create mobileprovision file ● Plug your iPhone ● Select the iPhone as the target device on Xcode ● Hit the “Play” button ● Verify the mobileprovision file has been created: find ~/Library/Developer/Xcode/DerivedData/ -name embedded.mobileprovision
  • 52. iOS Repackaging - Step 3: Create mobileprovision file Do we have to do all this nonsense every time?
  • 53. iOS Repackaging - Step 3: Create mobileprovision file From here, each time we will “only” need to: ● Create a blank app ● Deploy it to an iDevice This will create a new, valid provisioning file
  • 54. iOS Repackaging - Step 4: IPA Patching Dependencies ● objection – from: https://github.com/sensepost/objection/wiki/Installation ● applesign - from: https://github.com/nowsecure/node-applesign ● insert_dylib - from: https://github.com/Tyilo/insert_dylib ● security, codesign, xcodebuild` - macOS/XCode commands ● zip & unzip - builtin, or just installed using homebrew ● 7z - installed using homebrew with brew install p7zip
  • 55. iOS Repackaging - Step 4: IPA Patching Dependencies Objection Installation: pip3 install -U objection More details and options: https://github.com/sensepost/objection/wiki/Installation
  • 56. iOS Repackaging - Step 4: IPA Patching Dependencies applesign Installation: npm install -g applesign. If npm is missing: brew install npm
  • 57. iOS Repackaging - Step 4: IPA Patching Dependencies insert_dylib installation: Compile from source like so: git clone https://github.com/Tyilo/insert_dylib cd insert_dylib xcodebuild cp build/Release/insert_dylib /usr/local/bin/insert_dylib
  • 58. iOS Repackaging - Step 4: IPA Patching Command: objection patchipa --source my-app.ipa --codesign-signature xxxx
  • 59. iOS Repackaging - Step 5: Running the patched IPA More dependencies :D Install ios-deploy: npm install -g ios-deploy
  • 60. iOS Repackaging - Step 5: Running the patched IPA Installing and running the app: unzip my-app.ipa # Creates a Payload/ directory. Unlock iDevice and plug via USB to your Mac Run ios-deploy: ios-deploy --bundle Payload/my-app.app -W -d More intel and Linux instructions: https://github.com/sensepost/objection/wiki/Running-Patched-iOS-Applications
  • 61. iOS Repackaging - Step 6: Using Frida ☺ So now we can run Frida scripts: frida -U Gadget -l <frida_script> --no-pause Some nice examples for iOS inspiration: https://github.com/iddoeldor/frida-snippets https://github.com/0xdea/frida-scripts/tree/master/ios-snippets
  • 62. Frida Examples – Filesystem access https://github.com/nowsecure/frida-fs const fs = require('frida-fs'); fs.createReadStream('/etc/hosts').pipe(networkStream);
  • 63. Frida Examples – Grab iOS Screenshots https://github.com/nowsecure/frida-screenshot const screenshot = require('frida-screenshot'); const png = yield screenshot(); send({ name: '+screenshot', payload: { timestamp: Date.now() }}, png);
  • 64. Frida Examples – iOS instance member values ObjC.choose(ObjC.classes[clazz], { onMatch: function (obj) { console.log('onMatch: ', obj); Object.keys(obj.$ivars).forEach(function(v) { console.log('t', v, '=', obj.$ivars[v]); }); }, onComplete: function () { console.log('onComplete', arguments.length); }}); https://github.com/iddoeldor/frida-snippets
  • 65. Frida Examples – iOS extract cookies var cookieJar = []; var cookies = ObjC.classes.NSHTTPCookieStorage.sharedHTTPCookieStorage().cookies(); for (var i = 0, l = cookies.count(); i < l; i++) { var cookie = cookies['- objectAtIndex:'](i); cookieJar.push(cookie.Name() + '=' + cookie.Value()); } console.log(cookieJar.join("; ")); https://github.com/iddoeldor/frida-snippets
  • 66. Frida Examples – iOS monitor file access Interceptor.attach(ObjC.classes.NSFileManager['- fileExistsAtPath:'].implementation, { onEnter: function (args) { console.log('open' , ObjC.Object(args[2]).toString()); } }); https://github.com/iddoeldor/frida-snippets
  • 67. What is Objection? ● Wrapper around Frida ● Automates a lot of stuff via Frida hooks ● Works for iOS and Android https://github.com/sensepost/objection/wiki
  • 68. Demos from the author of objection https://www.youtube.com/watch?v=zkxSFERFuBw https://www.youtube.com/watch?v=AqqPGXa4nO8 https://www.youtube.com/watch?v=t3nRDELo_fY https://www.youtube.com/watch?v=aL8Z2PctBFE https://www.youtube.com/watch?v=Mhf92DeRk8c
  • 69. > abraham@7asecurity.com @7asecurity | + 7asecurity.com @7a_ OWASP OWTF: @owtfp | + owtf.org Q & A Thank you for your time