[DevCTF2022 ] Android Network

Pranjal Aggarwal
Published in DevCTF-2022 · 3 min read · May 18, 2022

Problem Statement

Apk Link: https://anonfiles.com/v6e481h4y8/malware_apk

Setting Up

The name of the problem suggests we have to do something with networks. We will be intercepting the network traffic from our Android device and trying to find the flag in the requests. For this we are going to use Frida and HTTP Toolkit, or some other similar tool such as Burp Suite. But first we need to decompile the APK, for which I am going to use the APKLab extension in VS Code.

First Things First

  1. Install the APK and open the app. It shows nothing but "failed" 😢.
  2. Now decompile the APK using APKLab and open the project folder.
  3. Go through the AndroidManifest.xml file. The main activity class is com.example.hellojni.MainActivity2.
  4. Go through the source code of MainActivity2.java. We see that a request is being made with a code, but the request has certificate pinning enabled. This means the app only trusts a specific server certificate, so an intercepting proxy presenting its own certificate cannot read the request body and only sees encrypted traffic. You can read more about it here.

Main App Screen

SSL Unpinning

In order to read the contents we will have to remove this pinning. While one option is to recompile the APK and log the request body itself, in this problem the intended solution was to remove the SSL pinning completely from the app. This technique is especially useful for apps with larger code bases, since browsing their code is much more difficult. To achieve this you need a rooted Android device. Instead of a physical device, an Android emulator can also be used. Windows users can also take advantage of WSA (Windows Subsystem for Android); a rooted version can be found here.

Frida

Phone Set Up

  1. Connect your phone through adb. Make sure it is listed in the output of adb devices.
  2. Download the frida-server build for your device's architecture from here, then extract the binary.
  3. Now run adb push ./local_frida_server_binary /data/local/tmp/frida-server.
  4. Now enter an adb shell as superuser using adb shell su.
  5. Now run the frida-server using /data/local/tmp/frida-server.

Computer Set Up

  1. Run pip install frida-tools.
  2. Now simply run frida --no-pause -U -l ./frida-script.js -f com.example.hellojni. That's it! SSL pinning is disabled in the app now. Next we need to intercept the network requests.
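The phone and computer set-up above can be scripted. The following is an added example, not part of the original write-up: it picks the frida-server release matching the device ABI, pushes it, fixes the executable bit that adb push drops, starts the server as root, and then launches the client command from step 2. It assumes adb, curl and xz are on PATH, the device is rooted, and you pass the frida-tools version you installed (frida-server and frida-tools must match).

```shell
#!/bin/sh
# Added example (not the write-up's own script). Assumes: adb/curl/xz on PATH,
# rooted device, and FRIDA_VERSION equal to the output of `frida --version`.
set -eu

# Map the ABI Android reports to the arch token used in frida-server
# release file names (frida-server-<ver>-android-<arch>.xz).
abi_to_frida_arch() {
  case "$1" in
    arm64-v8a)   echo android-arm64 ;;
    armeabi-v7a) echo android-arm ;;
    x86_64)      echo android-x86_64 ;;
    x86)         echo android-x86 ;;
    *) echo "unsupported ABI: $1" >&2; return 1 ;;
  esac
}

# Release asset name for an ABI and version, e.g.
# frida_server_asset arm64-v8a 16.0.19 -> frida-server-16.0.19-android-arm64.xz
frida_server_asset() {
  printf 'frida-server-%s-%s.xz\n' "$2" "$(abi_to_frida_arch "$1")"
}

# Phone side: detect ABI, fetch the matching server, push it, make it
# executable (adb push does not preserve the exec bit), run it as root.
deploy_frida_server() {
  ver="${1:?frida version required}"
  abi="$(adb shell getprop ro.product.cpu.abi | tr -d '\r')"
  asset="$(frida_server_asset "$abi" "$ver")"
  curl -fsSL -o "$asset" \
    "https://github.com/frida/frida/releases/download/${ver}/${asset}"
  xz -dk "$asset"                       # leaves the uncompressed binary beside it
  adb push "${asset%.xz}" /data/local/tmp/frida-server
  adb shell su -c 'chmod 755 /data/local/tmp/frida-server'
  adb shell su -c '/data/local/tmp/frida-server -D'   # -D: run daemonized
}

# Computer side: exactly the command from the write-up (frida-tools of that
# era); check `frida --help` on newer releases before relying on --no-pause.
start_client() {
  frida --no-pause -U -l ./frida-script.js -f com.example.hellojni
}

# Usage: sh setup.sh deploy <frida-version>   then   sh setup.sh client
case "${1:-}" in
  deploy) deploy_frida_server "${2:?frida version required}" ;;
  client) start_client ;;
esac
```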

Interceptor

For this part, I have used HTTP Toolkit instead of Burp Suite, because it is easy to set up, beginner friendly and suffices for the problem. To start the interceptor, simply launch the software and click on "Android Device via adb".

It will now intercept all the traffic that leaves your phone. Open the malware app, and you will see a request being made to the flag endpoint in HTTP Toolkit. Look at the request body and voila! We have found the flag:

ctf{y0u_f0Und_th3_m@lic10uS_d0m@in}

HTTP Toolkit request to flag endpoint
