From fbaf46c559a284af355c29751c24341de88744a8 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 5 Sep 2025 12:43:23 +0000 Subject: [PATCH] Add content from: Build a Repeatable Android Bug Bounty Lab: Emulator vs Magis... - Remove searchindex.js (auto-generated file) --- .../android-app-pentesting/README.md | 9 +++ ...-instrumentation-and-ssl-pinning-bypass.md | 73 +++++++++++++++++++ .../avd-android-virtual-device.md | 59 +++++++++++++++ .../frida-tutorial/README.md | 64 ++++++++++++++++ .../install-burp-certificate.md | 27 +++++-- 5 files changed, 224 insertions(+), 8 deletions(-) diff --git a/src/mobile-pentesting/android-app-pentesting/README.md b/src/mobile-pentesting/android-app-pentesting/README.md index e16a92d1b..70e4a75ef 100644 --- a/src/mobile-pentesting/android-app-pentesting/README.md +++ b/src/mobile-pentesting/android-app-pentesting/README.md @@ -291,6 +291,14 @@ You need to activate the **debugging** options and it will be cool if you can ** > Once you have installed the application, the first thing you should do is to try it and investigate what does it do, how does it work and get comfortable with it.\ > I will suggest to **perform this initial dynamic analysis using MobSF dynamic analysis + pidcat**, so we will be able to **learn how the application works** while MobSF **captures** a lot of **interesting** **data** you can review later on. +Magisk/Zygisk quick notes (recommended on Pixel devices) +- Patch boot.img with the Magisk app and flash via fastboot to get systemless root +- Enable Zygisk + DenyList for root hiding; consider LSPosed/Shamiko when stronger hiding is required +- Keep original boot.img to recover from OTA updates; re-patch after each OTA +- For screen mirroring, use scrcpy on the host + + + ### Unintended Data Leakage **Logging** 
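Review bot: the Magisk/Zygisk quick notes in the README.md hunk (`@@ -291,6 +299,14 @@`) are inserted as a bare paragraph plus bullet list between the blockquote and `### Unintended Data Leakage`, followed by two stray blank lines; the neighbouring sections use `###` headings, so give this block one (e.g. `### Magisk/Zygisk quick notes`) and drop the extra blank lines. The bullet "Keep original boot.img to recover from OTA updates; re-patch after each OTA" also reads clearer as two separate steps: keep a copy of the stock boot.img for recovery, and re-patch the new boot.img after every OTA before rebooting.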
@@ -858,6 +866,7 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th - [SSLPinDetect: Advanced SSL Pinning Detection for Android Security Analysis](https://petruknisme.medium.com/sslpindetect-advanced-ssl-pinning-detection-for-android-security-analysis-1390e9eca097) - [SSLPinDetect GitHub](https://github.com/aancw/SSLPinDetect) - [smali-sslpin-patterns](https://github.com/aancw/smali-sslpin-patterns) +- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools) ## Yet to try diff --git a/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md b/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md index c92a7c8f1..14c96f751 100644 --- a/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md +++ b/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md 
@@ -41,6 +41,25 @@ These typically stub Java root/debug checks, process/service scans, and native p - Codeshare: https://codeshare.frida.re/ +## Automate with Medusa (Frida framework) + +Medusa provides 90+ ready-made modules for SSL unpinning, root/emulator detection bypass, HTTP comms logging, crypto key interception, and more. + +```bash +git clone https://github.com/Ch0pin/medusa +cd medusa +pip install -r requirements.txt +python medusa.py + +# Example interactive workflow +show categories +use http_communications/multiple_unpinner +use root_detection/universal_root_detection_bypass +run com.target.app +``` + +Tip: Medusa is great for quick wins before writing custom hooks. You can also cherry-pick modules and combine them with your own scripts. + ## Step 3 — Bypass init-time detectors by attaching late Many detections only run during process spawn/onCreate(). Spawn‑time injection (-f) or gadgets get caught; attaching after UI loads can slip past. @@ -104,6 +123,14 @@ Java.perform(() => { }); ``` +// Quick root detection stub example (adapt to target package/class names) +Java.perform(() => { + try { + const RootChecker = Java.use('com.target.security.RootCheck'); + RootChecker.isDeviceRooted.implementation = function () { return false; }; + } catch (e) {} +}); + Log and neuter suspicious methods to confirm execution flow: ```js 
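Review bot: in the Medusa hunk (`@@ -41,6 +41,25 @@` of android-anti-instrumentation-and-ssl-pinning-bypass.md) the `show categories` / `use ...` / `run com.target.app` lines are Medusa console commands, not shell commands, yet they share the ```bash fence with the `git clone` / `pip install` steps; move them into a second fenced block (or prefix them with the Medusa prompt) so readers do not paste them into a shell. The "90+ ready-made modules" count has no source in the hunk; either cite the Medusa README or the YesWeHack article this commit adds as a reference, or drop the number. Also mark `com.target.app` as a placeholder and say that the module paths under `use` must be checked against the current Medusa module tree, since names move between releases.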
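Review bot: the root-detection stub added in `@@ -104,6 +123,14 @@` (`// Quick root detection stub example ...` through its closing `});`) sits outside any code fence: it comes after the ``` that closes the previous block and before the prose line "Log and neuter suspicious methods to confirm execution flow:", so it renders as plain markdown and the `//` comment, arrow function and braces will be mangled. Wrap those seven lines in their own ```js fence with a one-line lead sentence, state explicitly that `com.target.security.RootCheck` and `isDeviceRooted` are placeholder names to replace with the target's classes, and have the empty `catch (e) {}` at least `console.log(e)` so a wrong class name is not silently swallowed.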
@@ -116,6 +143,48 @@ Java.perform(() => { }); ``` +## Bypass emulator/VM detection (Java stubs) + +Common heuristics: Build.FINGERPRINT/MODEL/MANUFACTURER/HARDWARE containing generic/goldfish/ranchu/sdk; QEMU artifacts like /dev/qemu_pipe, /dev/socket/qemud; default MAC 02:00:00:00:00:00; 10.0.2.x NAT; missing telephony/sensors. + +Quick spoof of Build fields: +```js +Java.perform(function(){ + var Build = Java.use('android.os.Build'); + Build.MODEL.value = 'Pixel 7 Pro'; + Build.MANUFACTURER.value = 'Google'; + Build.BRAND.value = 'google'; + Build.FINGERPRINT.value = 'google/panther/panther:14/UP1A.231105.003/1234567:user/release-keys'; +}); +``` + +Complement with stubs for file existence checks and identifiers (TelephonyManager.getDeviceId/SubscriberId, WifiInfo.getMacAddress, SensorManager.getSensorList) to return realistic values. + +## SSL pinning bypass quick hook (Java) + +Neutralize custom TrustManagers and force permissive SSL contexts: +```js +Java.perform(function(){ + var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager'); + var SSLContext = Java.use('javax.net.ssl.SSLContext'); + + // No-op validations + X509TrustManager.checkClientTrusted.implementation = function(){ }; + X509TrustManager.checkServerTrusted.implementation = function(){ }; + + // Force permissive TrustManagers + var TrustManagers = [ X509TrustManager.$new() ]; + var SSLContextInit = SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;','[Ljavax.net.ssl.TrustManager;','java.security.SecureRandom'); + SSLContextInit.implementation = function(km, tm, sr){ + return SSLContextInit.call(this, km, TrustManagers, sr); + }; +}); +``` + +Notes +- Extend for OkHttp: hook okhttp3.CertificatePinner and HostnameVerifier as needed, or use a universal unpinning script from CodeShare. +- Run example: `frida -U -f com.target.app -l ssl-bypass.js --no-pause` + ## Step 6 — Follow the JNI/native trail when Java hooks fail Trace JNI entry points to locate native loaders and detection init: 
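Review bot: the SSL pinning hook in `@@ -116,6 +143,48 @@` will not work as written: `javax.net.ssl.X509TrustManager` is an interface, so assigning `.implementation` to `checkClientTrusted` / `checkServerTrusted` on the interface wrapper does not affect the concrete TrustManager classes the app instantiates, and `X509TrustManager.$new()` throws because an interface cannot be instantiated. The pattern used by the CodeShare universal unpinning scripts the hunk itself points to is to build a concrete class with `Java.registerClass({ name: '...', implements: [X509TrustManager], methods: { checkClientTrusted() {}, checkServerTrusted() {}, getAcceptedIssuers() { return []; } } })` and pass an instance of it in the `SSLContext.init` hook. Two smaller points: `Build.MODEL` / `Build.FINGERPRINT` etc. are static fields Frida can overwrite via `.value`, but only code that reads them after the hook runs sees the spoofed values, so this needs spawn-time injection rather than the late attach recommended in Step 3, which is worth saying in the section; and the run example `frida -U -f com.target.app -l ssl-bypass.js --no-pause` uses a flag that Frida 16+ CLI removed (a spawned app now resumes by default and `--pause` is the opt-in), so either drop `--no-pause` or note the version difference.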
@@ -165,6 +234,8 @@ Notes: - Requires apktool; ensure a current version from the official guide to avoid build issues: https://apktool.org/docs/install - Gadget injection enables instrumentation without root but can still be caught by stronger init‑time checks. +Optionally, add LSPosed modules and Shamiko for stronger root hiding in Zygisk environments, and curate DenyList to cover child processes. + References: - Objection: https://github.com/sensepost/objection @@ -226,5 +297,7 @@ apk-mitm app.apk - [r2frida](https://github.com/nowsecure/r2frida) - [Apktool install guide](https://apktool.org/docs/install) - [Magisk](https://github.com/topjohnwu/Magisk) +- [Medusa (Android Frida framework)](https://github.com/Ch0pin/medusa) +- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md b/src/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md index 8be7f0e87..b641e102b 100644 --- a/src/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md +++ b/src/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md 
@@ -208,6 +208,59 @@ However there are **a lot of different command line useful options** that you ca - `-screen {touch(default)|multi-touch|o-touch}` : Set emulated touch screen mode. - **`-writable-system`** : Use this option to have a writable system image during your emulation session. You will need also to run `adb root; adb remount`. This is very useful to install a new certificate in the system. +## Linux CLI setup (SDK/AVD quickstart) + +The official CLI tools make it easy to create fast, debuggable emulators without Android Studio. + +```bash +# Directory layout +mkdir -p ~/Android/cmdline-tools/latest + +# Download commandline tools (Linux) +wget https://dl.google.com/android/repository/commandlinetools-linux-13114758_latest.zip -O /tmp/cmdline-tools.zip +unzip /tmp/cmdline-tools.zip -d ~/Android/cmdline-tools/latest +rm /tmp/cmdline-tools.zip + +# Env vars (add to ~/.bashrc or ~/.zshrc) +export ANDROID_HOME=$HOME/Android +export PATH=$ANDROID_HOME/cmdline-tools/latest/bin:$ANDROID_HOME/platform-tools:$ANDROID_HOME/emulator:$PATH + +# Install core SDK components +sdkmanager --install "platform-tools" "emulator" + +# Install a debuggable x86_64 system image (Android 11 / API 30) +sdkmanager --install "system-images;android-30;google_apis;x86_64" + +# Create an AVD and run it with a writable /system & snapshot name +avdmanager create avd -n PixelRootX86 -k "system-images;android-30;google_apis;x86_64" -d "pixel" +emulator -avd PixelRootX86 -writable-system -snapshot PixelRootX86_snap + +# Verify root (debuggable images allow `adb root`) +adb root +adb shell whoami # expect: root +``` + +Notes +- System image flavors: google_apis (debuggable, allows adb root), google_apis_playstore (not rootable), aosp/default (lightweight). +- Build types: userdebug often allows `adb root` on debug-capable images. Play Store images are production builds and block root. +- On x86_64 hosts, full-system ARM64 emulation is unsupported from API 28+. 
For Android 11+ use Google APIs/Play images that include per-app ARM-to-x86 translation to run many ARM-only apps quickly. + +### Snapshots from CLI + +```bash +# Save a clean snapshot from the running emulator +adb -s emulator-5554 emu avd snapshot save my_clean_setup + +# Boot from a named snapshot (if it exists) +emulator -avd PixelRootX86 -writable-system -snapshot my_clean_setup +``` + +## ARM→x86 binary translation (Android 11+) + +Google APIs and Play Store images on Android 11+ can translate ARM app binaries per process while keeping the rest of the system native x86/x86_64. This is often fast enough to test many ARM-only apps on desktop. + +> Tip: Prefer Google APIs x86/x86_64 images during pentests. Play images are convenient but block `adb root`; use them only when you specifically require Play services and accept the lack of root. + ## Rooting a Play Store device If you downloaded a device with Play Store you are not going to be able to get root directly, and you will get this error message @@ -236,6 +289,12 @@ You can **use the GUI** to take a snapshot of the VM at any time: ![](<../../images/image (234).png>) +## References + +- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools) +- [Android Emulator command line](https://developer.android.com/studio/run/emulator-commandline) +- [Run ARM apps on the Android Emulator (x86 translation)](https://android-developers.googleblog.com/2020/03/run-arm-apps-on-android-emulator.html) + {{#include ../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md index 533715b89..730c8ab23 100644 --- a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md +++ b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md 
@@ -26,6 +26,64 @@ frida-ps -U #List packages and processes frida-ps -U | grep -i #Get all the package name ``` +## Frida server vs. Gadget (root vs. no-root) + +Two common ways to instrument Android apps with Frida: + +- Frida server (rooted devices): Push and run a native daemon that lets you attach to any process. +- Frida Gadget (no root): Bundle Frida as a shared library inside the APK and auto-load it within the target process. + +Frida server (rooted) + +```bash +# Download the matching frida-server binary for your device's arch +# https://github.com/frida/frida/releases +adb root +adb push frida-server--android- /data/local/tmp/frida-server +adb shell chmod 755 /data/local/tmp/frida-server +adb shell /data/local/tmp/frida-server & # run at boot via init/magisk if desired + +# From host, list processes and attach +frida-ps -Uai +frida -U -n com.example.app +``` + +Frida Gadget (no-root) + +1) Unpack the APK, add the gadget .so and config: +- Place libfrida-gadget.so into lib// (e.g., lib/arm64-v8a/) +- Create assets/frida-gadget.config with your script loading settings + +Example frida-gadget.config +```json +{ + "interaction": { "type": "script", "path": "/sdcard/ssl-bypass.js" }, + "runtime": { "logFile": "/sdcard/frida-gadget.log" } +} +``` + +2) Reference/load the gadget so it’s initialized early: +- Easiest: Add a small Java stub to System.loadLibrary("frida-gadget") in Application.onCreate(), or use native lib loading already present. + +3) Repack and sign the APK, then install: +```bash +apktool d app.apk -o app_m +# ... add gadget .so and config ... +apktool b app_m -o app_gadget.apk +uber-apk-signer -a app_gadget.apk -o out_signed +adb install -r out_signed/app_gadget-aligned-debugSigned.apk +``` + +4) Attach from host to the gadget process: +```bash +frida-ps -Uai +frida -U -n com.example.app +``` + +Notes +- Gadget is detected by some protections; keep names/paths stealthy and load late/conditionally if needed. 
+- On hardened apps, prefer rooted testing with server + late attach, or combine with Magisk/Zygisk hiding. + ## Tutorials ### [Tutorial 1](frida-tutorial-1.md) @@ -202,6 +260,12 @@ Java.choose("com.example.a11x256.frida_test.my_activity", { - [Part 1 of Advanced Frida Usage blog series: IOS Encryption Libraries](https://8ksec.io/advanced-frida-usage-part-1-ios-encryption-libraries-8ksec-blogs/) +## References + +- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools) +- [Frida Gadget documentation](https://frida.re/docs/gadget/) +- [Frida releases (server binaries)](https://github.com/frida/frida/releases) + {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/android-app-pentesting/install-burp-certificate.md b/src/mobile-pentesting/android-app-pentesting/install-burp-certificate.md index 4bb402b05..bacc6db51 100644 --- a/src/mobile-pentesting/android-app-pentesting/install-burp-certificate.md +++ b/src/mobile-pentesting/android-app-pentesting/install-burp-certificate.md @@ -3,6 +3,20 @@ {{#include ../../banners/hacktricks-training.md}} +## System-wide proxy via ADB + +Configure a global HTTP proxy so all apps route traffic through your interceptor (Burp/mitmproxy): + +```bash +# Set proxy (device/emulator must reach your host IP) +adb shell settings put global http_proxy 192.168.1.2:8080 + +# Clear proxy +adb shell settings put global http_proxy :0 +``` + +Tip: In Burp, bind your listener to 0.0.0.0 so devices on the LAN can connect (Proxy -> Options -> Proxy Listeners). + ## On a Virtual Machine First of all you need to download the Der certificate from Burp. You can do this in _**Proxy**_ --> _**Options**_ --> _**Import / Export CA certificate**_ 
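Review bot: the `adb shell settings put global http_proxy` section in `@@ -3,6 +3,20 @@` of install-burp-certificate.md should state what the global proxy does not cover: it is honoured by clients that respect Android's system proxy settings (the platform HTTP stack, WebView, most OkHttp configurations), but apps that open raw sockets, use their own proxy-ignoring HTTP stack, or pin certificates will bypass it or fail, which is exactly why the system-CA steps on the rest of this page are still needed; one sentence to that effect avoids readers concluding traffic is "missing" from Burp. `192.168.1.2:8080` should be labelled as an example host IP, the Burp menu path (`Proxy -> Options`) is `Proxy -> Proxy settings` in current Burp releases, and since the tip binds the listener to `0.0.0.0` it should add that this exposes an open proxy to every host on that network, so do it only on an isolated lab segment.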
@@ -37,7 +51,7 @@ If you **rooted your device with Magisc** (maybe an emulator), and you **can't f Explained in [**this video**](https://www.youtube.com/watch?v=qQicUW0svB8) you need to: -1. **Install a CA certificate**: Just **drag\&drop** the DER Burp certificate **changing the extension** to `.crt` in the mobile so it's stored in the Downloads folder and go to `Install a certificate` -> `CA certificate` +1. **Install a CA certificate**: Just **drag&drop** the DER Burp certificate **changing the extension** to `.crt` in the mobile so it's stored in the Downloads folder and go to `Install a certificate` -> `CA certificate`
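Review bot: `@@ -37,7 +51,7 @@` only unescapes `\&` to `&` in step 1 (mdBook renders both identically, so the change is cosmetic) but leaves the misspelling "Magisc" in the hunk's own context line (`If you **rooted your device with Magisc**`); since the commit already touches this block, fix it to "Magisk", and do the same for "Magisc module" and "Magics app" in step 2 of the following hunk.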
@@ -45,7 +59,7 @@ Explained in [**this video**](https://www.youtube.com/watch?v=qQicUW0svB8) you n
-2. **Make it System trusted**: Download the Magisc module [MagiskTrustUserCerts](https://github.com/NVISOsecurity/MagiskTrustUserCerts) (a .zip file), **drag\&drop it** in the phone, go to the **Magics app** in the phone to the **`Modules`** section, click on **`Install from storage`**, select the `.zip` module and once installed **reboot** the phone: +2. **Make it System trusted**: Download the Magisc module [MagiskTrustUserCerts](https://github.com/NVISOsecurity/MagiskTrustUserCerts) (a .zip file), **drag&drop it** in the phone, go to the **Magics app** in the phone to the **`Modules`** section, click on **`Install from storage`**, select the `.zip` module and once installed **reboot** the phone:
@@ -152,10 +166,7 @@ nsenter --mount=/proc/$APP_PID/ns/mnt -- /bin/mount --bind /system/etc/security/ ## References -- [https://httptoolkit.com/blog/android-14-install-system-ca-certificate/](https://httptoolkit.com/blog/android-14-install-system-ca-certificate/) - - -{{#include ../../banners/hacktricks-training.md}} - - +- [Android 14: Install a system CA certificate on a rooted device](https://httptoolkit.com/blog/android-14-install-system-ca-certificate/) +- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools) +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file
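Review bot: in the AVD quickstart (`@@ -208,6 +208,59 @@` of avd-android-virtual-device.md) the unzip step does not produce the layout the `PATH` line expects: the commandlinetools zip contains a top-level `cmdline-tools/` directory, so `unzip ... -d ~/Android/cmdline-tools/latest` yields `~/Android/cmdline-tools/latest/cmdline-tools/bin/sdkmanager`, and `sdkmanager` is not found on `$ANDROID_HOME/cmdline-tools/latest/bin`. Unzip to a temporary directory and move the inner `cmdline-tools/*` into `latest/` (or unzip into `~/Android/cmdline-tools` and rename the extracted `cmdline-tools` to `latest`). Two smaller points: the pinned `commandlinetools-linux-13114758_latest.zip` URL will go stale, so link the download page and mark the build number as current at time of writing; and `-snapshot PixelRootX86_snap` on the first `emulator` run cold-boots and auto-saves that snapshot on exit, which is worth stating so the later "Boot from a named snapshot (if it exists)" step makes sense.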
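Review bot: the frida-tutorial hunk (`@@ -26,6 +26,64 @@` of frida-tutorial/README.md) has three problems. First, the angle-bracket placeholders were lost: `adb push frida-server--android- ...` and `Place libfrida-gadget.so into lib// (e.g., lib/arm64-v8a/)` should read `frida-server-<version>-android-<arch>` and `lib/<abi>/`, written inside backticks so markdown keeps the brackets. Second, the gadget config location is wrong: Frida Gadget reads its config from the file next to the library with the same base name and a `.config` extension, which on Android means `lib/<abi>/libfrida-gadget.config.so` (only `.so` files under `lib/` are extracted at install time, so `assets/frida-gadget.config` is never read); and `runtime` in the gadget config is a string selecting the JS runtime (`"qjs"` / `"v8"`), not an object, so the `{ "logFile": ... }` value should be removed. Third, the config uses `"interaction": { "type": "script" ... }`, in which the gadget runs the script autonomously and exposes no listening endpoint, so step 4 "Attach from host to the gadget process" with `frida -U -n com.example.app` finds nothing; either switch to `"type": "listen"` and attach with `frida -U Gadget`, or drop step 4 and read results from the script's own logging.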
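Review bot: the last hunk (`@@ -152,10 +166,7 @@` of install-burp-certificate.md) strips the trailing newline after the final `{{#include ...}}` line (`\ No newline at end of file`); keep a terminating newline so the next edit to this file does not show a spurious change on the include line. Renaming the bare httptoolkit URL to a descriptive title is fine and matches the reference style on the other pages in this commit.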