mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Translated ['', 'src/mobile-pentesting/android-app-pentesting/android-an
This commit is contained in:
Translator
parent
c6e405beb5
commit
4e5e92f066
@ -2,7 +2,7 @@
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
Ukurasa huu unaorodhesha mtiririko wa vitendo ili kurejesha dynamic analysis dhidi ya programu za Android zinazogundua/kuzuia instrumentation kwa root au kutekeleza TLS pinning. Unalenga triage ya haraka, ugunduzi wa kawaida, na hooks/tactics za nakili-na-wekewa (copy‑pasteable) ili kuzipita bila kujaribu repacking inapowezekana.
|
||||
Ukurasa huu unaelezea mtiririko wa vitendo ili kupata tena dynamic analysis dhidi ya Android apps zinazogundua/root‑block instrumentation au zinazotekeleza TLS pinning. Unalenga fast triage, detections za kawaida, na copy‑pasteable hooks/tactics za kuzipitisha bila repacking inapowezekana.
|
||||
|
||||
## Detection Surface (what apps check)
|
||||
|
||||
@ -18,14 +18,14 @@ Ukurasa huu unaorodhesha mtiririko wa vitendo ili kurejesha dynamic analysis dhi
|
||||
- Enable DenyList, add the target package
|
||||
- Reboot and retest
|
||||
|
||||
Programu nyingi huangalia tu viashiria vinavyoonekana (su/Magisk paths/getprop). DenyList mara nyingi huondoa ukaguzi wa aina hiyo.
|
||||
Many apps only look for obvious indicators (su/Magisk paths/getprop). DenyList often neutralizes naive checks.
|
||||
|
||||
References:
|
||||
- Magisk (Zygisk & DenyList): https://github.com/topjohnwu/Magisk
|
||||
|
||||
## Step 2 — 30‑second Frida Codeshare tests
|
||||
|
||||
Jaribu scripts za kawaida za drop‑in kabla ya kuchimba kwa undani:
|
||||
Try common drop‑in scripts before deep diving:
|
||||
|
||||
- anti-root-bypass.js
|
||||
- anti-frida-detection.js
|
||||
@ -35,13 +35,13 @@ Example:
|
||||
```bash
|
||||
frida -U -f com.example.app -l anti-frida-detection.js
|
||||
```
|
||||
Hizi kwa kawaida stub Java root/debug checks, process/service scans, na native ptrace(). Zinasaidia kwenye apps zilizo na ulinzi mdogo; hardened targets zinaweza kuhitaji tailored hooks.
|
||||
Haya kwa kawaida hu-stub Java root/debug checks, process/service scans, na native ptrace(). Inafaa kwa apps zilizo na ulinzi mdogo; hardened targets may need tailored hooks.
|
||||
|
||||
- Codeshare: https://codeshare.frida.re/
|
||||
|
||||
## Otomatisha kwa Medusa (Frida framework)
|
||||
## Otomatisha na Medusa (Frida framework)
|
||||
|
||||
Medusa inatoa 90+ modules zilizo tayari kwa ajili ya SSL unpinning, root/emulator detection bypass, HTTP comms logging, crypto key interception, na mengine mengi.
|
||||
Medusa hutoa moduli 90+ zilizotengenezwa tayari kwa SSL unpinning, root/emulator detection bypass, HTTP comms logging, crypto key interception, na mengine.
|
||||
```bash
|
||||
git clone https://github.com/Ch0pin/medusa
|
||||
cd medusa
|
||||
@ -54,40 +54,40 @@ use http_communications/multiple_unpinner
|
||||
use root_detection/universal_root_detection_bypass
|
||||
run com.target.app
|
||||
```
|
||||
Vidokezo: Medusa ni nzuri kwa kupata ushindi wa haraka kabla ya kuandika hooks maalum. Unaweza pia kuchagua modules kwa makini na kuzichanganya na scripts zako.
|
||||
Tip: Medusa ni nzuri kwa ushindi wa haraka kabla ya kuandika custom hooks. Unaweza pia kuchagua modules na kuzichanganya na scripts zako.
|
||||
|
||||
## Hatua ya 3 — Pita kando detekta za wakati wa kuanzisha kwa kuambatisha baadaye
|
||||
## Hatua 3 — Pitia vichunguzi vya wakati wa init kwa kuambatisha kwa kuchelewa
|
||||
|
||||
Deteksheni nyingi hufanya kazi tu wakati wa process spawn/onCreate(). Spawn‑time injection (-f) au gadgets hukamatwa; kuambatisha baada ya UI kupakia kunaweza kupita bila kugunduliwa.
|
||||
Uchunguzi mwingi hufanya kazi tu wakati wa process spawn/onCreate(). Spawn‑time injection (-f) au gadgets hushikwa; kuambatisha baada UI inapopakuliwa kunaweza kupita bila kugunduliwa.
|
||||
```bash
|
||||
# Launch the app normally (launcher/adb), wait for UI, then attach
|
||||
frida -U -n com.example.app
|
||||
# Or with Objection to attach to running process
|
||||
aobjection --gadget com.example.app explore # if using gadget
|
||||
```
|
||||
Ikiwa hili litafanya kazi, hakikisha kikao kinabaki thabiti na endelea na kazi za kuunda ramani na ukaguzi wa stub.
|
||||
Ikiwa hii itafanya kazi, hakikisha kikao kimekaa thabiti kisha endelea na kuunda ramani na ukaguzi wa stub.
|
||||
|
||||
## Hatua 4 — Ramani mantiki ya utambuzi kupitia Jadx na utafutaji wa strings
|
||||
## Step 4 — Ramani ya mantiki ya utambuzi kupitia Jadx na kutafuta strings
|
||||
|
||||
Maneno muhimu ya static triage katika Jadx:
|
||||
Maneno muhimu kwa triage ya static katika Jadx:
|
||||
- "frida", "gum", "root", "magisk", "ptrace", "su", "getprop", "debugger"
|
||||
|
||||
Mifano ya kawaida ya Java:
|
||||
Mifumo ya kawaida ya Java:
|
||||
```java
|
||||
public boolean isFridaDetected() {
|
||||
return getRunningServices().contains("frida");
|
||||
}
|
||||
```
|
||||
API za kawaida za kukagua/hook:
|
||||
APIs za kawaida za kukagua/hook:
|
||||
- android.os.Debug.isDebuggerConnected
|
||||
- android.app.ActivityManager.getRunningAppProcesses / getRunningServices
|
||||
- java.lang.System.loadLibrary / System.load (native bridge)
|
||||
- java.lang.Runtime.exec / ProcessBuilder (maamri ya kuchunguza)
|
||||
- android.os.SystemProperties.get (heuristics za root/emulator)
|
||||
- java.lang.Runtime.exec / ProcessBuilder (probing commands)
|
||||
- android.os.SystemProperties.get (root/emulator heuristics)
|
||||
|
||||
## Hatua ya 5 — Runtime stubbing na Frida (Java)
|
||||
## Hatua 5 — Runtime stubbing na Frida (Java)
|
||||
|
||||
Override custom guards ili zirudishe thamani salama bila repacking:
|
||||
Fanya override ya custom guards ili zirudishe thamani salama bila repacking:
|
||||
```js
|
||||
Java.perform(() => {
|
||||
const Checks = Java.use('com.example.security.Checks');
|
||||
@ -102,7 +102,7 @@ const AM = Java.use('android.app.ActivityManager');
|
||||
AM.getRunningAppProcesses.implementation = function () { return java.util.Collections.emptyList(); };
|
||||
});
|
||||
```
|
||||
Triaging early crashes? Dump classes tu kabla inavyokufa ili kutambua detection namespaces zinazowezekana:
|
||||
Unachambua crashes za mapema? Dump classes tu kabla inavyokufa ili kugundua detection namespaces zinazowezekana:
|
||||
```js
|
||||
Java.perform(() => {
|
||||
Java.enumerateLoadedClasses({
|
||||
@ -119,7 +119,7 @@ RootChecker.isDeviceRooted.implementation = function () { return false; };
|
||||
} catch (e) {}
|
||||
});
|
||||
|
||||
Rekodi na kuzima mbinu zinazoshukiwa ili kuthibitisha mtiririko wa utekelezaji:
|
||||
Log na kuwafanya methods zinazoshukiwa zisifanye kazi ili kuthibitisha mtiririko wa utekelezaji:
|
||||
```js
|
||||
Java.perform(() => {
|
||||
const Det = Java.use('com.example.security.DetectionManager');
|
||||
@ -131,9 +131,9 @@ return false;
|
||||
```
|
||||
## Bypass emulator/VM detection (Java stubs)
|
||||
|
||||
Vidokezo vya kawaida: Build.FINGERPRINT/MODEL/MANUFACTURER/HARDWARE zikiwa zinajumuisha generic/goldfish/ranchu/sdk; QEMU artifacts kama /dev/qemu_pipe, /dev/socket/qemud; default MAC 02:00:00:00:00:00; 10.0.2.x NAT; kukosekana kwa telephony/sensors.
|
||||
Vidokezo vya kawaida: Build.FINGERPRINT/MODEL/MANUFACTURER/HARDWARE zinazojumuisha generic/goldfish/ranchu/sdk; QEMU artifacts kama /dev/qemu_pipe, /dev/socket/qemud; MAC ya chaguo-msingi 02:00:00:00:00:00; NAT 10.0.2.x; ukosefu wa huduma za simu/sensa.
|
||||
|
||||
Spoof ya haraka ya Build fields:
|
||||
Udanganyifu wa haraka wa sehemu za Build:
|
||||
```js
|
||||
Java.perform(function(){
|
||||
var Build = Java.use('android.os.Build');
|
||||
@ -143,11 +143,11 @@ Build.BRAND.value = 'google';
|
||||
Build.FINGERPRINT.value = 'google/panther/panther:14/UP1A.231105.003/1234567:user/release-keys';
|
||||
});
|
||||
```
|
||||
Ongeza stubs kwa ukaguzi wa kuwepo kwa faili na vitambulisho (TelephonyManager.getDeviceId/SubscriberId, WifiInfo.getMacAddress, SensorManager.getSensorList) ili zirudishe thamani za kweli.
|
||||
Ongeza stubs kwa ajili ya ukaguzi wa uwepo wa faili na vitambulisho (TelephonyManager.getDeviceId/SubscriberId, WifiInfo.getMacAddress, SensorManager.getSensorList) ili zirudishe thamani za kweli.
|
||||
|
||||
## SSL pinning bypass quick hook (Java)
|
||||
|
||||
Batilisha TrustManagers maalum na kulazimisha SSL contexts zinazoruhusu:
|
||||
Fanya TrustManagers zilizobinafsishwa zisizofanya kazi na ulazimishe SSL contexts zenye kuruhusu:
|
||||
```js
|
||||
Java.perform(function(){
|
||||
var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
|
||||
@ -165,17 +165,17 @@ return SSLContextInit.call(this, km, TrustManagers, sr);
|
||||
};
|
||||
});
|
||||
```
|
||||
Vidokezo
|
||||
- Panua kwa OkHttp: hook okhttp3.CertificatePinner na HostnameVerifier kama inavyohitajika, au tumia universal unpinning script kutoka CodeShare.
|
||||
Notes
|
||||
- Panua kwa OkHttp: hook okhttp3.CertificatePinner na HostnameVerifier inapohitajika, au tumia universal unpinning script kutoka CodeShare.
|
||||
- Mfano wa kuendesha: `frida -U -f com.target.app -l ssl-bypass.js --no-pause`
|
||||
|
||||
## Hatua 6 — Fuata njia ya JNI/native wakati Java hooks zinashindwa
|
||||
## Hatua 6 — Fuata njia ya JNI/native wakati Java hooks zinaposhindwa
|
||||
|
||||
Fuatilia JNI entry points ili kupata native loaders na detection init:
|
||||
Chunguza entry points za JNI ili kutambua native loaders na detection init:
|
||||
```bash
|
||||
frida-trace -n com.example.app -i "JNI_OnLoad"
|
||||
```
|
||||
Tathmini ya haraka ya native ya mafaili .so yaliyoambatanishwa:
|
||||
Tathmini ya haraka ya native ya faili za .so zilizojumuishwa:
|
||||
```bash
|
||||
# List exported symbols & JNI
|
||||
nm -D libfoo.so | head
|
||||
@ -186,7 +186,7 @@ Interactive/native reversing:
|
||||
- Ghidra: https://ghidra-sre.org/
|
||||
- r2frida: https://github.com/nowsecure/r2frida
|
||||
|
||||
Mfano: kufanya ptrace isitumike ili kushinda anti‑debug rahisi katika libc:
|
||||
Mfano: kuzuia ptrace ili kushinda anti‑debug rahisi katika libc:
|
||||
```js
|
||||
const ptrace = Module.findExportByName(null, 'ptrace');
|
||||
if (ptrace) {
|
||||
@ -195,35 +195,35 @@ return -1; // pretend failure
|
||||
}, 'int', ['int', 'int', 'pointer', 'pointer']));
|
||||
}
|
||||
```
|
||||
Angalia pia:
|
||||
Tazama pia:
|
||||
{{#ref}}
|
||||
reversing-native-libraries.md
|
||||
{{#endref}}
|
||||
|
||||
## Hatua 7 — Objection patching (embed gadget / strip basics)
|
||||
## Hatua ya 7 — Objection patching (embed gadget / strip basics)
|
||||
|
||||
Ikiwa unapendelea repacking badala ya runtime hooks, jaribu:
|
||||
```bash
|
||||
objection patchapk --source app.apk
|
||||
```
|
||||
Vidokezo:
|
||||
- Requires apktool; ensure a current version from the official guide to avoid build issues: https://apktool.org/docs/install
|
||||
- Gadget injection enables instrumentation without root but can still be caught by stronger init‑time checks.
|
||||
Notes:
|
||||
- Inahitaji apktool; hakikisha toleo la hivi karibuni kutoka kwenye mwongozo rasmi ili kuepuka matatizo ya ujenzi: https://apktool.org/docs/install
|
||||
- Gadget injection inaruhusu instrumentation bila root lakini inaweza kugunduliwa na init‑time checks kali.
|
||||
|
||||
Hiari, ongezea moduli za LSPosed na Shamiko kwa stronger root hiding katika Zygisk environments, na panga DenyList ili kufunika child processes.
|
||||
Hiari, ongeza LSPosed modules na Shamiko kwa kuficha root kwa nguvu zaidi katika mazingira ya Zygisk, na tengeneza DenyList ili kufunika child processes.
|
||||
|
||||
Marejeo:
|
||||
References:
|
||||
- Objection: https://github.com/sensepost/objection
|
||||
|
||||
## Hatua 8 — Mbadala: Rekebisha TLS pinning kwa uwazi wa mtandao
|
||||
## Step 8 — Njia mbadala: Rekebisha TLS pinning kwa uonekano wa mtandao
|
||||
|
||||
Ikiwa instrumentation imezuiwa, bado unaweza kuchunguza trafiki kwa kuondoa TLS pinning kwa njia ya statiki:
|
||||
Iwapo instrumentation imezuiwa, unaweza bado kuchambua traffic kwa kuondoa pinning kistatikali:
|
||||
```bash
|
||||
apk-mitm app.apk
|
||||
# Then install the patched APK and proxy via Burp/mitmproxy
|
||||
```
|
||||
- Zana: https://github.com/shroudedcode/apk-mitm
|
||||
- Kwa mbinu za CA‑trust katika usanidi wa network (na user CA trust ya Android 7+), angalia:
|
||||
- Kwa mbinu za CA‑trust za usanidi wa mtandao (na Android 7+ user CA trust), angalia:
|
||||
|
||||
{{#ref}}
|
||||
make-apk-accept-ca-certificate.md
|
||||
@ -251,25 +251,43 @@ objection --gadget com.example.app explore
|
||||
# Static TLS pinning removal
|
||||
apk-mitm app.apk
|
||||
```
|
||||
## Vidokezo na tahadhari
|
||||
## Kulazimisha proxy universal + TLS unpinning (HTTP Toolkit Frida hooks)
|
||||
|
||||
- Pendelea ku-attach mwishowe kuliko spawning wakati apps zinaporomoka wakati wa uzinduzi
|
||||
- Baadhi ya utambuzi zinafanywa tena katika mizunguko muhimu (mf., payment, auth) — weka hooks zikiwa active wakati wa navigation
|
||||
- Changanya static na dynamic: string hunt katika Jadx ili kupunguza orodha ya classes; kisha hook methods ili kuthibitisha wakati wa runtime
|
||||
- Apps zilizo hardened zinaweza kutumia packers na native TLS pinning — tarajia ku-reverse native code
|
||||
Programu za kisasa mara nyingi huupuza system proxies na kutekeleza tabaka nyingi za pinning (Java + native), na kufanya kukamata trafiki kuwa ngumu hata kama CAs za user/system zimesakinishwa. Njia ya vitendo ni kuchanganya universal TLS unpinning na kulazimisha proxy kupitia Frida hooks tayari, na kupitisha kila kitu kupitia mitmproxy/Burp.
|
||||
|
||||
## References
|
||||
Workflow
|
||||
- Run mitmproxy on your host (or Burp). Ensure the device can reach the host IP/port.
|
||||
- Load HTTP Toolkit’s consolidated Frida hooks to both unpin TLS and force proxy usage across common stacks (OkHttp/OkHttp3, HttpsURLConnection, Conscrypt, WebView, etc.). This bypasses CertificatePinner/TrustManager checks and overrides proxy selectors, so traffic is always sent via your proxy even if the app explicitly disables proxies.
|
||||
- Start the target app with Frida and the hook script, and capture requests in mitmproxy.
|
||||
|
||||
- [Reversing Android Apps: Bypassing Detection Like a Pro](https://www.kayssel.com/newsletter/issue-12/)
|
||||
Mfano
|
||||
```bash
|
||||
# Device connected via ADB or over network (-U)
|
||||
# See the repo for the exact script names & options
|
||||
frida -U -f com.vendor.app \
|
||||
-l ./android-unpinning-with-proxy.js \
|
||||
--no-pause
|
||||
|
||||
# mitmproxy listening locally
|
||||
mitmproxy -p 8080
|
||||
```
|
||||
Vidokezo
|
||||
- Unganisha na proxy ya mfumo mzima kupitia `adb shell settings put global http_proxy <host>:<port>` inapowezekana. Frida hooks yatafanya proxy itumike hata wakati apps zinapiepuka mipangilio ya mfumo.
|
||||
- Mbinu hii inafaa unapohitaji kufanya MITM kwenye taratibu za onboarding kutoka mobile kwenda IoT ambapo kuepukana na pinning/proxy ni jambo la kawaida.
|
||||
- Hooks: https://github.com/httptoolkit/frida-interception-and-unpinning
|
||||
|
||||
## Marejeo
|
||||
|
||||
- [Reversing Android Apps: Kuepuka Ugunduzi Kama Mtaalamu](https://www.kayssel.com/newsletter/issue-12/)
|
||||
- [Frida Codeshare](https://codeshare.frida.re/)
|
||||
- [Objection](https://github.com/sensepost/objection)
|
||||
- [apk-mitm](https://github.com/shroudedcode/apk-mitm)
|
||||
- [Jadx](https://github.com/skylot/jadx)
|
||||
- [Ghidra](https://ghidra-sre.org/)
|
||||
- [r2frida](https://github.com/nowsecure/r2frida)
|
||||
- [Apktool install guide](https://apktool.org/docs/install)
|
||||
- [Mwongozo wa ufungaji wa Apktool](https://apktool.org/docs/install)
|
||||
- [Magisk](https://github.com/topjohnwu/Magisk)
|
||||
- [Medusa (Android Frida framework)](https://github.com/Ch0pin/medusa)
|
||||
- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
|
||||
- [Jenga Maabara ya Android ya Bug Bounty Inayoweza Kurudiwa: Emulator vs Magisk, Burp, Frida, na Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user