Diving Deep: A Comprehensive Guide to Android Penetration Testing — Part 5

Android Insights Revealed: Navigating Data Networks and Mastering Hooking Strategies

Hacker's Dump
10 min read · Nov 24, 2023

Welcome to Part 5! Building on our decoding journey in Part 4, “Android Insights Revealed” takes us further. Now we delve into data networks and decode how Android devices communicate digitally. Picture connecting digital dots! Alongside, we master hooking strategies and refine our penetration toolkit. At the end of the journey I have added a checklist and a mind map. Let’s dive into this thrilling chapter of our Android Penetration Testing adventure! 🚀💻🌐

Ways to analyze Android traffic

There are two ways to capture and analyse network traffic, and both apply to the Android environment. Below we look at each and at how to perform it in a real-world scenario. The two types are passive and active analysis:

Passive analysis: This is a way of traffic analysis in which there is no active interception of the application sending the network data. Instead, we capture all the network packets and later open them in a network analyzer such as Wireshark, then look for vulnerabilities or weak security practices in the application.

First, obtain a tcpdump binary built for the ARM architecture. It is available from https://www.androidtcpdump.com/android-tcpdump/downloads.

Then, install the tcpdump executable on your device:

Finally, open a shell on the device and confirm the binary runs by typing tcpdump -D, which lists the interfaces available for capture.

Then start the capture, writing the output to /sdcard/demo.pcap.

From now on, whatever we do on the Android device, all of its traffic is captured and saved into the demo.pcap file.
Next, pull demo.pcap from the sdcard storage to your machine.

Open that pcap file in Wireshark.
We can see the HTTP protocol traffic.
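The manual Wireshark step above scales poorly once a capture grows, so here is an added example (not part of the original post) of doing the same triage in code: a small Python parser that walks a classic pcap as tcpdump -w produces it and reports every cleartext HTTP request with its Host header, flagging headers or bodies that look like credentials or session material. The capture is constructed inline with the frame builders included; 93.184.216.34, api.example.test and the form fields are assumed sample values, not data from the post.

```python
"""Passive analysis helper: scan a tcpdump-style pcap for cleartext HTTP requests.

Constructed sample data only; no Wireshark, scapy or network access needed.
"""
import struct
from typing import Dict, List, Optional

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"PATCH ")
# Substrings that usually mean credentials or session material travel in the clear.
SENSITIVE_KEYS = ("password", "passwd", "token", "session", "authorization")


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build one Ethernet/IPv4/TCP frame around payload (checksums left at 0; parsing ignores them)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", 0x0800)   # dst MAC, src MAC, EtherType IPv4
    ip_src = bytes(int(o) for o in src_ip.split("."))
    ip_dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0, 64, 6, 0, ip_src, ip_dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)  # 20-byte header, PSH|ACK
    return eth + ip + tcp + payload


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap frames in a little-endian classic pcap (link type 1 = Ethernet), as tcpdump -w writes it."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def inspect_frame(frame: bytes) -> Optional[Dict[str, object]]:
    """Return a finding for a cleartext HTTP request in this frame, else None."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                                   # not IPv4
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:
        return None                                   # not TCP
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]
    # Cleartext HTTP is recognised by content, not by port: an app may talk plain HTTP on 8080.
    if not payload.startswith(HTTP_METHODS) or b" HTTP/1." not in payload:
        return None
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("latin-1")
    lowered = (head + b"\r\n" + body).lower()
    sensitive = [k for k in SENSITIVE_KEYS if k.encode() in lowered]
    return {"src": src, "dst": f"{dst}:{dport}", "host": host,
            "request": lines[0].decode("latin-1"), "sensitive": sensitive}


def scan_pcap(data: bytes) -> List[Dict[str, object]]:
    """Walk every record in the pcap and collect cleartext HTTP findings."""
    (magic,) = struct.unpack("<I", data[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled")
    findings, pos = [], 24
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        finding = inspect_frame(frame)
        if finding:
            findings.append(finding)
    return findings


# Constructed capture: a login over plain HTTP, a TLS ClientHello fragment, and a plain HTTP GET on 8080.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "93.184.216.34", 40001, 80,
                b"POST /login HTTP/1.1\r\nHost: api.example.test\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                b"username=alice&password=hunter2"),
    build_frame("10.0.0.5", "93.184.216.34", 40002, 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    build_frame("10.0.0.5", "93.184.216.34", 40003, 8080,
                b"GET /status HTTP/1.1\r\nHost: api.example.test\r\nUser-Agent: demo-app/1.0\r\n\r\n"),
])

if __name__ == "__main__":
    for f in scan_pcap(SAMPLE_PCAP):
        flag = " <- sensitive: " + ", ".join(f["sensitive"]) if f["sensitive"] else ""
        print(f"{f['src']} -> {f['dst']} {f['request']} (Host: {f['host']}){flag}")
```

Point scan_pcap at the bytes of the pulled demo.pcap to run it on a real capture; the TLS frame on 443 is deliberately not reported, because only what is readable in the clear is a finding at this stage.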

Active analysis: In active analysis, the penetration tester actively intercepts all network communications and can analyze, assess, and modify the data on the fly. The tester sets up a proxy, and all network calls made and received by the application/device pass through that proxy.

Preparing Burp Suite to Intercept HTTP Requests: A Step-by-Step Guide
First edit the proxy listener settings in Burp Suite (you can bind the listener to all interfaces).
Then open the Wi-Fi settings on Android -> Advanced settings -> Proxy -> Manual -> set the IP address of the system running Burp and the listener port.

Once the proxy is set, install the Burp CA certificate on Android. Open the browser at http://burp and download the certificate, then rename the extension from .der to .crt.

Open Settings -> Install certificate -> browse to the cacert.crt file, give the certificate a name, and install it.

Now check for the PortSwigger certificate under Settings -> Security -> Trusted credentials -> System.

If you don’t see the certificate there, follow this reference: https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/#install-burp-ca-as-a-system-level-trusted-ca

Check Burp Suite: we can now intercept the request.

But hold on — what about when the application runs on HTTPS (SSL)? How can we intercept requests in such cases?

What is SSL ?
SSL stands for Secure Socket Layer, and it’s a standard security technology for establishing an encrypted link between a web server and a browser. This encryption ensures that all data exchanged between the server and the browser remains private and secure. SSL is commonly used to secure sensitive information such as login credentials, personal details, and credit card numbers transmitted over the internet. It’s often represented by the “https://” in a website’s URL, indicating a secure connection. The more modern equivalent of SSL is Transport Layer Security (TLS), and the terms are often used interchangeably.

What is SSL Pinning and why is it important?
SSL pinning in Android involves associating a specific SSL certificate with a server, enhancing security by trusting only that certificate. This practice mitigates potential man-in-the-middle attacks, preventing unauthorized interception and manipulation of communication between the app and server. By pinning the certificate, Android apps add an extra layer of defense against threats like DNS spoofing and rogue CA certificates. SSL pinning is vital for preserving data integrity, ensuring the app communicates only with the intended and trusted server, even in the event of a compromised CA. In summary, SSL pinning is crucial for bolstering the security of Android apps by establishing a trust relationship with a specific SSL certificate.

Types of SSL Pinning

Static Pinning: In static SSL pinning, the app is configured to trust a specific SSL/TLS certificate or public key during the development phase. This means the app will only accept the predefined certificate or key when establishing secure connections with a server.
Dynamic SSL Pinning: The application doesn’t embed the certificate or public key directly. Instead, it fetches these credentials from the server during the initial handshake and stores them locally for subsequent connections. This approach enables the app to identify any alterations in the server’s certificate or key and respond accordingly. While dynamic SSL pinning offers greater adaptability than its static counterpart, it does demand additional resources for implementation.

How to check whether an application is SSL pinned or not?
If there is a mismatch between the server’s certificate and the local copy pinned in the app, the connection is simply dropped and no further user data is sent to that server. This is why a pinned app produces no requests in the proxy even with the Burp CA installed. The enforcement ensures that user devices communicate only with the dedicated, trusted servers.
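To make the pinning behaviour above concrete, here is an added example (not from the original post) that reads a pin-set in the format of Android’s Network Security Config and checks a presented certificate chain against it the way the platform does: a genuine chain containing the pinned intermediate passes, a chain minted by an intercepting proxy is refused even if the proxy CA sits in the trust store, a host outside the pinned domain falls back to the trust store, and an expired pin-set is no longer enforced. The SPKI blobs, hostnames and dates are constructed placeholders, and the code models only the pin check, which the platform performs on top of ordinary chain validation.

```python
"""Static certificate pinning, as Android's Network Security Config declares it, checked offline.

The SPKI blobs below are constructed placeholders, not real DER-encoded keys.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import date
from typing import List, Optional, Set, Tuple


def spki_pin(spki_der: bytes) -> str:
    """A pin is base64(SHA-256(SubjectPublicKeyInfo DER)), the value a <pin digest="SHA-256"> carries."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Constructed stand-ins for the SubjectPublicKeyInfo of each certificate in play.
SERVER_LEAF_SPKI = b"constructed-spki:server-leaf"
SERVER_CA_SPKI = b"constructed-spki:server-intermediate-ca"
BACKUP_SPKI = b"constructed-spki:offline-backup-key"
PROXY_LEAF_SPKI = b"constructed-spki:proxy-generated-leaf"
PROXY_CA_SPKI = b"constructed-spki:proxy-root-ca"

TODAY = date(2024, 6, 1)           # constructed "now"
AFTER_EXPIRY = date(2031, 1, 1)    # constructed date past the pin-set expiration below

# Constructed network_security_config.xml: pin the server's intermediate CA plus an offline backup key.
NSC_XML = f"""<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.test</domain>
    <pin-set expiration="2030-12-31">
      <pin digest="SHA-256">{spki_pin(SERVER_CA_SPKI)}</pin>
      <pin digest="SHA-256">{spki_pin(BACKUP_SPKI)}</pin>
    </pin-set>
  </domain-config>
</network-security-config>
"""


def find_pin_set(config_xml: str, hostname: str) -> Optional[Tuple[Set[str], Optional[date]]]:
    """Return (pins, expiration) of the first <domain-config> whose <domain> covers hostname."""
    hostname = hostname.lower()
    for dc in ET.fromstring(config_xml).iter("domain-config"):
        for dom in dc.findall("domain"):
            name = (dom.text or "").strip().lower()
            subdomains = dom.get("includeSubdomains", "false").lower() == "true"
            if hostname == name or (subdomains and hostname.endswith("." + name)):
                pin_set = dc.find("pin-set")
                if pin_set is None:
                    return None
                pins = {p.text.strip() for p in pin_set.findall("pin")
                        if p.get("digest") == "SHA-256" and p.text}
                exp = pin_set.get("expiration")
                return pins, (date.fromisoformat(exp) if exp else None)
    return None


def verify_chain(config_xml: str, hostname: str, chain_spkis: List[bytes], today: date) -> Tuple[bool, str]:
    """Apply the pin rules to a chain that has already passed normal trust-store validation:
    no pin-set -> only the trust store applies; expired pin-set -> pins are not enforced;
    otherwise at least one certificate in the chain must match a pinned key."""
    found = find_pin_set(config_xml, hostname)
    if found is None:
        return True, "no pin-set for host; only the platform trust store applies"
    pins, expiration = found
    if expiration is not None and today > expiration:
        return True, "pin-set expired; pinning not enforced for this host"
    if any(spki_pin(spki) in pins for spki in chain_spkis):
        return True, "pin matched"
    return False, "no certificate in the chain matches a pinned key; connection refused"


if __name__ == "__main__":
    # Genuine server chain: the intermediate CA is pinned, so the leaf may rotate freely.
    print(verify_chain(NSC_XML, "api.example.test", [SERVER_LEAF_SPKI, SERVER_CA_SPKI], TODAY))
    # Chain minted by an intercepting proxy: possibly in the system store, but never pinned.
    print(verify_chain(NSC_XML, "login.api.example.test", [PROXY_LEAF_SPKI, PROXY_CA_SPKI], TODAY))
    # Host outside the pinned domain falls back to ordinary trust-store validation.
    print(verify_chain(NSC_XML, "cdn.example.test", [PROXY_LEAF_SPKI, PROXY_CA_SPKI], TODAY))
```

The second call is the situation the proxy setup above runs into: installing the Burp CA satisfies the trust store, but no key in the proxy’s chain matches a pin, so the app refuses the connection and nothing reaches Burp. Pinning the intermediate (with a backup pin) rather than the leaf is what lets the server rotate certificates without breaking the app.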

Before diving into tools for bypassing these security measures, let’s first explore the fundamental technique of hooking. Understanding hooking lays the groundwork for navigating and mastering more advanced methods in bypassing such security logic.

Hooking :

In Android, “hooking” refers to a technique where an application or a piece of code intercepts and modifies the behavior of functions or methods at runtime. This can be used for various purposes, including monitoring or altering the behavior of other apps, adding custom functionality, or even for malicious activities.
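As an added illustration of the mechanism (not code from the post, and not Frida’s own code), the following Python mirrors what a Frida Interceptor hook does, one level up: it swaps a method for a wrapper that can inspect or rewrite the arguments on entry, replace the return value on exit, and put the original back afterwards. TelemetryClient and its endpoint are constructed stand-ins; the two hooks show the monitoring use (seeing and redacting what an app is about to send) and the altering use (faking a backend failure to exercise the app’s error handling).

```python
"""Runtime hooking in miniature: intercept a method, observe its arguments, alter its result, restore it.

TelemetryClient is a constructed stand-in for an app component; the Hook class is the technique.
"""
import functools
from typing import Any, Callable, Dict, List, Optional


class TelemetryClient:
    """Constructed example target: something in the app that ships data off the device."""

    def __init__(self, endpoint: str) -> None:
        self.endpoint = endpoint
        self.sent: List[tuple] = []

    def send(self, event: str, payload: Dict[str, Any]) -> int:
        self.sent.append((event, dict(payload)))   # stands in for the real network call
        return 200


class Hook:
    """Replace a method in its class with a wrapper, the way Frida's Interceptor wraps a native or
    Java function: on_enter sees (and may rewrite) the arguments, on_leave sees (and may replace)
    the return value, and remove() restores the original."""

    def __init__(self, target: type, method: str,
                 on_enter: Optional[Callable[[Dict[str, Any]], None]] = None,
                 on_leave: Optional[Callable[[Dict[str, Any], Any], Any]] = None) -> None:
        self.target, self.method = target, method
        self.on_enter, self.on_leave = on_enter, on_leave
        self.original = getattr(target, method)
        self.calls: List[Dict[str, Any]] = []

    def install(self) -> "Hook":
        original = self.original

        @functools.wraps(original)
        def wrapper(instance, *args, **kwargs):
            record: Dict[str, Any] = {"args": list(args), "kwargs": dict(kwargs)}
            if self.on_enter:
                self.on_enter(record)                         # may edit record["args"]
            result = original(instance, *record["args"], **record["kwargs"])
            if self.on_leave:
                result = self.on_leave(record, result)        # may substitute the result
            record["result"] = result
            self.calls.append(record)
            return result

        setattr(self.target, self.method, wrapper)
        return self

    def remove(self) -> None:
        setattr(self.target, self.method, self.original)


def demo() -> Dict[str, Any]:
    client = TelemetryClient("https://telemetry.example.test")  # constructed endpoint

    def redact(record: Dict[str, Any]) -> None:
        """on_enter: see what the app is about to send and strip identifiers before it leaves."""
        event, payload = record["args"]
        record["args"] = [event, {k: ("<redacted>" if k in ("imei", "location") else v)
                                  for k, v in payload.items()}]

    def fail_backend(record: Dict[str, Any], result: int) -> int:
        """on_leave: pretend the server answered 503 to exercise the app's error handling."""
        return 503

    hook = Hook(TelemetryClient, "send", on_enter=redact, on_leave=fail_backend).install()
    status_hooked = client.send("app_open", {"imei": "constructed-000", "screen": "home"})
    hook.remove()
    status_plain = client.send("app_close", {"imei": "constructed-000"})
    return {"calls": hook.calls, "sent": client.sent,
            "status_hooked": status_hooked, "status_plain": status_plain}


if __name__ == "__main__":
    out = demo()
    for rec in out["calls"]:
        print("hooked call:", rec["args"], "->", rec["result"])
    print("what actually went out:", out["sent"])
```

Only the first send() passes through the hook; after remove() the second call runs the untouched original, which is the same install/detach lifecycle you get when a Frida script is loaded into and unloaded from a process.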

Frida and Objection: If you’re not familiar with Frida and setting it up on both Windows and mobile devices, refer back to Part 2 for a comprehensive guide.

What happens when an Android application runs on a rooted device

When an Android app operates on a rooted device:

  1. Elevated Access: The app gains elevated access privileges, enabling it to perform actions beyond the usual constraints of a non-rooted environment.
  2. System-Level Modifications: Apps granted root can modify system files and settings, allowing for extensive customization and potential alterations at the core of the operating system.
  3. Security Implications: While root access grants more control, it introduces security vulnerabilities. Malicious apps with root permissions can pose risks, compromising the device’s security and user data.
  4. Bypassing Constraints: Rooted devices can bypass certain security constraints imposed by the Android system, potentially facilitating the installation of unofficial or altered applications.

First, let’s employ Hooking Techniques to bypass the Root Detection Logic.

Let’s Hook Root detection Logic with Frida

Step 1: Open the application. It detects the rooted device, refuses to run, and shows an error.

Step 2: Run the Frida server on the mobile device.

Step 3: Open a new terminal and list the packages installed on the device to find the target application’s package name.

Step 4: With the package name in hand we can run a Frida script. Scripts that bypass root detection are available from Frida CodeShare.

Step 5: Copy the command shown on the CodeShare page and paste it into the terminal.
Replace “YOUR_BINARY” with the package name, add the -U flag, and run the command.

After running the Frida script command we no longer get the root detection error.
We have successfully bypassed root detection.

If you want to run your own script instead of a CodeShare one, pass your script file to Frida in place of the CodeShare command.

Let’s Hook Root detection Logic with Objection
Run frida-server on the Android device.

Check the package name of the application, then run Objection’s root detection bypass command against that package; the application’s root check is bypassed.

Are there alternative methods to bypass Root detection, aside from using hooking?

Zygisk DenyList in the Magisk Application

In Magisk app version 23.0 and above there is a feature called “Zygisk DenyList” that serves as an alternative to MagiskHide. When activated, it allows users to circumvent root detection in many applications, offering better compatibility.

Before the change, the application shows the root detection error.

Step 1: Open the Magisk application -> Settings -> Magisk menu. Among the three options shown, enable Zygisk and Enforce DenyList.

After enabling them, go to Configure DenyList and select the application from which root should be hidden.

Now check the application: the root detection message no longer appears.

There are further methods to bypass root detection. For detailed information, see the references below:

https://8ksec.io/advanced-root-detection-bypass-techniques/
https://redfoxsec.com/blog/android-root-detection-bypass-using-frida/
https://medium.com/@cintainfinita/android-how-to-bypass-root-check-and-certificate-pinning-36f74842d3be

Now, let’s employ Hooking Techniques to bypass the SSL Pinning Logic.

Let’s Hook SSL Pinning Logic with Frida

Step 1: Set up Android with Burp Suite to intercept requests, as described above.
Once the configuration is complete we are still unable to receive any request from the application: the pinned app refuses the proxy’s certificate.

Step 2: Run the Frida server on the mobile device.

Step 3: Open a new terminal and list the packages installed on the device to find the target application’s package name.

Step 4: With the package name in hand we can run a Frida script. Just as for the root bypass above, Frida CodeShare has scripts for SSL pinning bypass.

Step 5: For this demonstration, however, we created a custom script.

Run Frida with the custom script.

Once our script is executing, check Burp Suite.

Let’s Hook SSL Pinning Logic with Objection.
Enter Objection’s SSL pinning bypass command.

We can now see the request being intercepted in Burp Suite.

Are there alternative methods to bypass SSL pinning, aside from using hooking?

APK-MITM

Inspecting a mobile app’s HTTPS traffic using a proxy is probably the easiest way to figure out how it works. However, with the Network Security Configuration introduced in Android 7 and app developers trying to prevent MITM attacks using certificate pinning, getting an app to work with an HTTPS proxy has become quite tedious.
Step 1: Install apk-mitm.

Step 2: Run apk-mitm against the target APK.

You can now install the example-patched.apk file on your Android device and use a proxy like Burpsuite to look at the app’s traffic.

There are further methods to bypass SSL pinning. For detailed information, see the references below:

https://medium.com/@cintainfinita/android-how-to-bypass-root-check-and-certificate-pinning-36f74842d3be
https://www.netspi.com/blog/technical/mobile-application-penetration-testing/four-ways-bypass-android-ssl-verification-certificate-pinning/

Unlock an extra level with the Android Penetration Testing Checklist! 🚀 Explore the bonus content, your key to mastering the art of securing Android systems. Unveil the checklist’s secrets and arm yourself with insights for a cybersecurity adventure like never before. 🛡️🔍 https://xmind.app/m/GkgaYH/

Penetration Testing Checklist According to OWASP Top 10 — https://docs.google.com/spreadsheets/d/1ylOZvEbEEVPC4QSt__7hfECzTi6wCFIYDncmUB5RhTM/edit#gid=0

As we conclude this comprehensive guide, ‘Diving Deep: A Comprehensive Guide to Android Penetration Testing’, our journey through the intricacies of Android security reaches a milestone. From navigating the abyss of Android architecture to decoding apps, exploring network data, and mastering hooking strategies, this expedition has been a testament to continuous learning. Armed with newfound insights, tools, and techniques, we’ve fortified our understanding of Android Penetration Testing. Yet the adventure doesn’t end here. Stay tuned for more chapters, more challenges, and more revelations as we continue to explore the dynamic landscape of Android security. Happy exploring!

Feel free to connect with me on LinkedIn for more discussions and insights related to Android Penetration Testing.
You can find me on LinkedIn at @Omkar Gaikwad
