mirror of
				https://github.com/HackTricks-wiki/hacktricks.git
				synced 2025-10-10 18:36:50 +00:00 
			
		
		
		
	Translated ['', 'src/mobile-pentesting/android-app-pentesting/android-an
This commit is contained in:
		
							parent
							
								
									96bea84864
								
							
						
					
					
						commit
						1b37b8e33e
					
				| @ -2,7 +2,7 @@ | ||||
| 
 | ||||
| {{#include ../../banners/hacktricks-training.md}} | ||||
| 
 | ||||
| This page provides a practical workflow to regain dynamic analysis against Android apps that detect/root‑block instrumentation or enforce TLS pinning. It focuses on fast triage, common detections, and copy‑pasteable hooks/tactics to bypass them without repacking when possible. | ||||
| Hierdie bladsy verskaf 'n praktiese werkvloei om dinamiese analise teen Android-apps te hervat wat instrumentation opspoor/root‑blokkeer of TLS pinning afdwing. Dit fokus op vinnige triage, algemene opsporingsmetodes, en copy‑pastebare hooks/taktieke om hulle te omseil sonder om te repak indien moontlik. | ||||
| 
 | ||||
| ## Detection Surface (what apps check) | ||||
| 
 | ||||
| @ -14,18 +14,18 @@ This page provides a practical workflow to regain dynamic analysis against Andro | ||||
| 
 | ||||
| ## Step 1 — Quick win: hide root with Magisk DenyList | ||||
| 
 | ||||
| - Enable Zygisk in Magisk | ||||
| - Enable DenyList, add the target package | ||||
| - Reboot and retest | ||||
| - Skakel Zygisk in Magisk in | ||||
| - Skakel DenyList in, voeg die teikenpakket by | ||||
| - Herbegin en toets weer | ||||
| 
 | ||||
| Many apps only look for obvious indicators (su/Magisk paths/getprop). DenyList often neutralizes naive checks. | ||||
| Baie apps kyk net na duidelike aanduiders (su/Magisk paths/getprop). DenyList neutraliseer dikwels naiewe kontroles. | ||||
| 
 | ||||
| References: | ||||
| - Magisk (Zygisk & DenyList): https://github.com/topjohnwu/Magisk | ||||
| 
 | ||||
| ## Step 2 — 30‑second Frida Codeshare tests | ||||
| 
 | ||||
| Try common drop‑in scripts before deep diving: | ||||
| Probeer algemene drop‑in-skripte voordat jy dieper delf: | ||||
| 
 | ||||
| - anti-root-bypass.js | ||||
| - anti-frida-detection.js | ||||
| @ -35,11 +35,11 @@ Example: | ||||
| ```bash | ||||
| frida -U -f com.example.app -l anti-frida-detection.js | ||||
| ``` | ||||
| Hierdie stubs rig gewoonlik op Java root/debug checks, process/service scans en native ptrace(). Nuttig op lig beskermde apps; geharde teikens mag pasgemaakte hooks benodig. | ||||
| Hierdie vervang gewoonlik Java root/debug checks, process/service scans en native ptrace() met stubs. Nuttig vir liggies beskermde apps; geharde teikens mag pasgemaakte hooks benodig. | ||||
| 
 | ||||
| - Codeshare: https://codeshare.frida.re/ | ||||
| 
 | ||||
| ## Automate with Medusa (Frida framework) | ||||
| ## Outomatiseer met Medusa (Frida framework) | ||||
| 
 | ||||
| Medusa bied 90+ kant-en-klare modules vir SSL unpinning, root/emulator detection bypass, HTTP comms logging, crypto key interception, en meer. | ||||
| ```bash | ||||
| @ -54,20 +54,20 @@ use http_communications/multiple_unpinner | ||||
| use root_detection/universal_root_detection_bypass | ||||
| run com.target.app | ||||
| ``` | ||||
| Wenk: Medusa is uitstekend vir vinnige oorwinnings voordat jy aangepaste hooks skryf. Jy kan ook modules selekteer en dit met jou eie scripts kombineer. | ||||
| Wenk: Medusa is uitstekend vir vinnige oorwinnings voordat jy custom hooks skryf. Jy kan ook cherry-pick modules en dit met jou eie scripts kombineer. | ||||
| 
 | ||||
| ## Stap 3 — Om init-tyd detektore te omseil deur laat aan te koppel | ||||
| ## Stap 3 — Omseil init-time detectors deur laat aan te heg | ||||
| 
 | ||||
| Baie opsporings loop slegs tydens process spawn/onCreate(). Spawn‑time injection (-f) of gadgets word gevang; aanhegting nadat die UI gelaai is kan verbyglip. | ||||
| Baie deteksies loop slegs tydens process spawn/onCreate(). Spawn‑time injection (-f) of gadgets word gevang; aanheg nadat die UI gelaai is, kan deurglip. | ||||
| ```bash | ||||
| # Launch the app normally (launcher/adb), wait for UI, then attach | ||||
| frida -U -n com.example.app | ||||
| # Or with Objection to attach to running process | ||||
| aobjection --gadget com.example.app explore  # if using gadget | ||||
| ``` | ||||
| As dit werk, hou die sessie stabiel en gaan voort met kaartlegging en stub-kontroles. | ||||
| As dit werk, hou die sessie stabiel en gaan voort om map and stub checks uit te voer. | ||||
| 
 | ||||
| ## Stap 4 — Kaart die deteksielogika via Jadx en string hunting | ||||
| ## Stap 4 — Map detection logic via Jadx and string hunting | ||||
| 
 | ||||
| Statiese triage sleutelwoorde in Jadx: | ||||
| - "frida", "gum", "root", "magisk", "ptrace", "su", "getprop", "debugger" | ||||
| @ -82,12 +82,12 @@ Algemene APIs om te hersien/hook: | ||||
| - android.os.Debug.isDebuggerConnected | ||||
| - android.app.ActivityManager.getRunningAppProcesses / getRunningServices | ||||
| - java.lang.System.loadLibrary / System.load (native bridge) | ||||
| - java.lang.Runtime.exec / ProcessBuilder (probeer-kommando's) | ||||
| - android.os.SystemProperties.get (root/emulator-heuristieke) | ||||
| - java.lang.Runtime.exec / ProcessBuilder (probing commands) | ||||
| - android.os.SystemProperties.get (root/emulator heuristics) | ||||
| 
 | ||||
| ## Stap 5 — Runtime stubbing met Frida (Java) | ||||
| 
 | ||||
| Oorskryf pasgemaakte guards om veilige waardes terug te gee sonder om te herpak: | ||||
| Oorskryf pasgemaakte guards om veilige waardes terug te gee sonder repacking: | ||||
| ```js | ||||
| Java.perform(() => { | ||||
| const Checks = Java.use('com.example.security.Checks'); | ||||
| @ -102,7 +102,7 @@ const AM = Java.use('android.app.ActivityManager'); | ||||
| AM.getRunningAppProcesses.implementation = function () { return java.util.Collections.emptyList(); }; | ||||
| }); | ||||
| ``` | ||||
| Triaging vroeë crashes? Dump classes net voordat dit doodgaan om waarskynlike detection namespaces op te spoor: | ||||
| Triaging vroeë crashes? Dump classes net voordat dit sterf om waarskynlike detection namespaces op te spoor: | ||||
| ```js | ||||
| Java.perform(() => { | ||||
| Java.enumerateLoadedClasses({ | ||||
| @ -129,9 +129,9 @@ return false; | ||||
| }; | ||||
| }); | ||||
| ``` | ||||
| ## Bypass emulator/VM detection (Java stubs) | ||||
| ## Omseil emulator/VM-deteksie (Java stubs) | ||||
| 
 | ||||
| Algemene heuristieke: Build.FINGERPRINT/MODEL/MANUFACTURER/HARDWARE waarin generic/goldfish/ranchu/sdk voorkom; QEMU-artefakte soos /dev/qemu_pipe, /dev/socket/qemud; standaard MAC 02:00:00:00:00:00; 10.0.2.x NAT; ontbrekende telephony/sensors. | ||||
| Algemene heuristieke: Build.FINGERPRINT/MODEL/MANUFACTURER/HARDWARE wat generic/goldfish/ranchu/sdk bevat; QEMU-artefakte soos /dev/qemu_pipe, /dev/socket/qemud; standaard MAC 02:00:00:00:00:00; 10.0.2.x NAT; ontbrekende telephony/sensors. | ||||
| 
 | ||||
| Vinnige spoof van Build-velde: | ||||
| ```js | ||||
| @ -143,11 +143,11 @@ Build.BRAND.value = 'google'; | ||||
| Build.FINGERPRINT.value = 'google/panther/panther:14/UP1A.231105.003/1234567:user/release-keys'; | ||||
| }); | ||||
| ``` | ||||
| Aanvul met stubbe vir lêer-bestaan-kontroles en identifiseerders (TelephonyManager.getDeviceId/SubscriberId, WifiInfo.getMacAddress, SensorManager.getSensorList) om realistiese waardes terug te gee. | ||||
| Vul dit aan met stubs vir lêer-bestaanskontroles en identifiseerders (TelephonyManager.getDeviceId/SubscriberId, WifiInfo.getMacAddress, SensorManager.getSensorList) om realistiese waardes terug te gee. | ||||
| 
 | ||||
| ## SSL pinning bypass quick hook (Java) | ||||
| 
 | ||||
| Neutraliseer aangepaste TrustManagers en dwing permissiewe SSL contexts af: | ||||
| Neutraliseer pasgemaakte TrustManagers en dwing permissiewe SSL contexts af: | ||||
| ```js | ||||
| Java.perform(function(){ | ||||
| var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager'); | ||||
| @ -166,12 +166,12 @@ return SSLContextInit.call(this, km, TrustManagers, sr); | ||||
| }); | ||||
| ``` | ||||
| Aantekeninge | ||||
| - Brei uit vir OkHttp: hook okhttp3.CertificatePinner en HostnameVerifier soos nodig, of gebruik 'n universele unpinning script van CodeShare. | ||||
| - Brei uit vir OkHttp: hook okhttp3.CertificatePinner en HostnameVerifier soos nodig, of gebruik 'n universal unpinning script' van CodeShare. | ||||
| - Voer voorbeeld uit: `frida -U -f com.target.app -l ssl-bypass.js --no-pause` | ||||
| 
 | ||||
| ## Stap 6 — Volg die JNI/native spoor wanneer Java hooks misluk | ||||
| ## Stap 6 — Volg die JNI/native-spoor wanneer Java hooks faal | ||||
| 
 | ||||
| Volg JNI entry points om native loaders en detection init te vind: | ||||
| Spoor JNI entry points op om native loaders en detection init te vind: | ||||
| ```bash | ||||
| frida-trace -n com.example.app -i "JNI_OnLoad" | ||||
| ``` | ||||
| @ -186,7 +186,7 @@ Interaktiewe/native reversing: | ||||
| - Ghidra: https://ghidra-sre.org/ | ||||
| - r2frida: https://github.com/nowsecure/r2frida | ||||
| 
 | ||||
| Voorbeeld: neutraliseer ptrace om eenvoudige anti‑debug in libc te omseil: | ||||
| Voorbeeld: neutriseer ptrace om eenvoudige anti‑debug in libc te omseil: | ||||
| ```js | ||||
| const ptrace = Module.findExportByName(null, 'ptrace'); | ||||
| if (ptrace) { | ||||
| @ -202,28 +202,28 @@ reversing-native-libraries.md | ||||
| 
 | ||||
| ## Stap 7 — Objection patching (embed gadget / strip basics) | ||||
| 
 | ||||
| As jy repacking bo runtime hooks verkies, probeer: | ||||
| Wanneer jy repacking bo runtime hooks verkies, probeer: | ||||
| ```bash | ||||
| objection patchapk --source app.apk | ||||
| ``` | ||||
| Aantekeninge: | ||||
| - Vereis apktool; maak seker van 'n onlangse weergawe volgens die amptelike gids om bouprobleme te vermy: https://apktool.org/docs/install | ||||
| - Gadget injection maak instrumentation sonder root moontlik, maar kan steeds deur sterker init‑time kontroles opgespoor word. | ||||
| - Vereis apktool; maak seker van 'n huidige weergawe vanaf die amptelike gids om bouprobleme te vermy: https://apktool.org/docs/install | ||||
| - Gadget injection stel instrumentation sonder root in staat, maar kan steeds deur sterker init‑time kontroles opgevang word. | ||||
| 
 | ||||
| Opsioneel, voeg LSPosed modules en Shamiko by vir sterker root-verberging in Zygisk omgewings, en stel DenyList saam om onderliggende prosesse te dek. | ||||
| Opsioneel, voeg LSPosed modules en Shamiko by vir sterker root hiding in Zygisk omgewings, en stel die DenyList saam om child processes te dek. | ||||
| 
 | ||||
| Verwysings: | ||||
| - Objection: https://github.com/sensepost/objection | ||||
| 
 | ||||
| ## Stap 8 — Terugval: Patcheer TLS pinning vir netwerk‑sigbaarheid | ||||
| ## Stap 8 — Fallback: Patch TLS pinning vir netwerk-sigbaarheid | ||||
| 
 | ||||
| As instrumentation geblokkeer is, kan jy steeds netwerkverkeer inspekteer deur pinning staties te verwyder: | ||||
| As instrumentation geblokkeer is, kan jy steeds verkeer inspekteer deur pinning staties te verwyder: | ||||
| ```bash | ||||
| apk-mitm app.apk | ||||
| # Then install the patched APK and proxy via Burp/mitmproxy | ||||
| ``` | ||||
| - Gereedskap: https://github.com/shroudedcode/apk-mitm | ||||
| - Vir netwerkkonfigurasie CA‑trust-truuks (en Android 7+ user CA trust), sien: | ||||
| - Vir netwerkconfiguratie CA‑trust truuks (en Android 7+ user CA trust), sien: | ||||
| 
 | ||||
| {{#ref}} | ||||
| make-apk-accept-ca-certificate.md | ||||
| @ -251,12 +251,30 @@ objection --gadget com.example.app explore | ||||
| # Static TLS pinning removal | ||||
| apk-mitm app.apk | ||||
| ``` | ||||
| ## Wenke & waarskuwings | ||||
| ## Universele proxyafdwinging + TLS unpinning (HTTP Toolkit Frida hooks) | ||||
| 
 | ||||
| - Gebruik by voorkeur attaching laat bo spawning wanneer apps by opstart crash | ||||
| - Sommige detections word weer uitgevoer in critical flows (bv. payment, auth) — hou hooks aktief tydens navigation | ||||
| - Meng static en dynamic: string hunt in Jadx om klasse te shortlist; hook methods om by runtime te verify | ||||
| - Beveiligde apps kan packers en native TLS pinning gebruik — verwag om native code te reverse | ||||
| Moderne apps ignoreer dikwels stelselproxies en dwing verskeie lae van pinning af (Java + native), wat verkeersvaslegging moeilik maak selfs met user/system CAs geïnstalleer. 'n Praktiese benadering is om universele TLS unpinning te kombineer met proxyafdwinging via kant-en-klare Frida hooks, en alles deur mitmproxy/Burp te roete. | ||||
| 
 | ||||
| Workflow | ||||
| - Voer mitmproxy op jou host uit (of Burp). Verseker dat die toestel die host IP/poort kan bereik. | ||||
| - Laai HTTP Toolkit se saamgestelde Frida hooks om sowel TLS te unpin as proxygebruik af te dwing oor algemene stacks (OkHttp/OkHttp3, HttpsURLConnection, Conscrypt, WebView, ens.). Dit omseil CertificatePinner/TrustManager kontroles en oorskryf proxy selectors, sodat verkeer altyd via jou proxy gestuur word, selfs as die app proxies uitdruklik deaktiveer. | ||||
| - Begin die teikentoepassing met Frida en die hook-script, en vang versoeke in mitmproxy op. | ||||
| 
 | ||||
| Voorbeeld | ||||
| ```bash | ||||
| # Device connected via ADB or over network (-U) | ||||
| # See the repo for the exact script names & options | ||||
| frida -U -f com.vendor.app \ | ||||
| -l ./android-unpinning-with-proxy.js \ | ||||
| --no-pause | ||||
| 
 | ||||
| # mitmproxy listening locally | ||||
| mitmproxy -p 8080 | ||||
| ``` | ||||
| Aantekeninge | ||||
| - Kombineer dit met 'n stelselwye proxy via `adb shell settings put global http_proxy <host>:<port>` waar moontlik. Die Frida hooks sal proxygebruik afdwing selfs wanneer apps globale instellings omseil. | ||||
| - Hierdie tegniek is ideaal wanneer jy 'n MITM op mobile-to-IoT onboarding-strome nodig het, waar pinning/proxy-vermijding algemeen is. | ||||
| - Hooks: https://github.com/httptoolkit/frida-interception-and-unpinning | ||||
| 
 | ||||
| ## Verwysings | ||||
| 
 | ||||
|  | ||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user