Translated ['', 'src/mobile-pentesting/android-app-pentesting/install-bu

This commit is contained in:
Translator 2025-09-08 01:58:33 +00:00
parent 398d8deb02
commit e87a9a854f
5 changed files with 613 additions and 408 deletions


@ -1,10 +1,10 @@
# Android Applications Pentesting
# Kupima Usalama wa Programu za Android Pentesting
{{#include ../../banners/hacktricks-training.md}}
## Android Applications Basics
## Misingi ya Programu za Android
Inashauriwa sana kuanza kusoma ukurasa huu ili kujua kuhusu **sehemu muhimu zaidi zinazohusiana na usalama wa Android na vipengele hatari zaidi katika programu ya Android**:
It's highly recommended to start reading this page to know about the **most important parts related to Android security and the most dangerous components in an Android application**:
{{#ref}}
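Review bot: the new heading `# Kupima Usalama wa Programu za Android Pentesting` says the same thing twice, since "Kupima Usalama wa Programu" already renders "application security testing"; drop the trailing `Pentesting` or keep it as the untranslated English term only. The `{{#include ...}}` and `{{#ref}}` directives are correctly left untouched.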
@ -13,15 +13,15 @@ android-applications-basics.md
## ADB (Android Debug Bridge)
Hii ni zana kuu unayohitaji kuunganishwa na kifaa cha Android (emulated au halisi).\
**ADB** inaruhusu kudhibiti vifaa kwa njia ya **USB** au **Network** kutoka kwenye kompyuta. Kifaa hiki kinawezesha **kunakili** mafaili pande zote mbili, **kusakinisha** na **kuondoa** apps, **kutekeleza** amri za shell, **kufanya backup** ya data, **kusoma** logi, pamoja na kazi nyingine.
This is the main tool you need to connect to an android device (emulated or physical).\
**ADB** allows to control devices either over **USB** or **Network** from a computer. This utility enables the **copying** of files in both directions, **installation** and **uninstallation** of apps, **execution** of shell commands, **backing up** of data, **reading** of logs, among other functions.
Angalia orodha ifuatayo ya [**ADB Commands**](adb-commands.md) ili kujifunza jinsi ya kutumia adb.
Take a look to the following list of [**ADB Commands**](adb-commands.md) to learn how to use adb.
## Smali
Wakati mwingine ni muhimu **kubadilisha msimbo wa programu** ili kupata **taarifa zilizofichwa** (labda nywila zilizofichwa vizuri au flagi). Kwa hivyo, inaweza kuwa muhimu ku-decompile APK, kubadilisha msimbo na kuirecompile.\
[**In this tutorial** you can **learn how to decompile and APK, modify Smali code and recompile the APK** with the new functionality](smali-changes.md). Hii inaweza kuwa msaada mkubwa kama **mbadala kwa vipimo kadhaa wakati wa dynamic analysis** vitakavyoonyeshwa. Kwa hivyo, **kumbuka daima uwezekano huu**.
Sometimes it is interesting to **modify the application code** to access **hidden information** (maybe well obfuscated passwords or flags). Then, it could be interesting to decompile the apk, modify the code and recompile it.\
[**In this tutorial** you can **learn how to decompile and APK, modify Smali code and recompile the APK** with the new functionality](smali-changes.md). This could be very useful as an **alternative for several tests during the dynamic analysis** that are going to presented. Then, **keep always in mid this possibility**.
## Other interesting tricks
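Review bot: the new Smali paragraph keeps the English source sentence `[**In this tutorial** you can **learn how to decompile and APK, modify Smali code and recompile the APK** ...]` untranslated and carries its typos ("decompile and APK" should be "decompile an APK", "keep always in mid" should be "in mind"); translate the link text like the rest of the paragraph and fix the typos in the process.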
@ -49,7 +49,7 @@ java -jar ../APKEditor.jar m -i splits/ -o merged.apk
# after merging, you will need to align and sign the apk, personally, I like to use the uberapksigner
java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed
```
## Case Studies & Vulnerabilities
## Masomo ya Kesi & Vulnerabilities
{{#ref}}
@ -63,39 +63,39 @@ java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed
## Static Analysis
Kwanza kabisa, kwa kuchambua APK unapaswa **kuangalia msimbo wa Java** kwa kutumia decompiler.\
Tafadhali, [**soma hapa kupata taarifa kuhusu decompilers tofauti zinazopatikana**](apk-decompilers.md).
Kwanza kabisa, kwa kuchambua APK unapaswa **take a look to the to the Java code** using a decompiler.\
Please, [**read here to find information about different available decompilers**](apk-decompilers.md).
### Looking for interesting Info
### Kutafuta Taarifa Zinazovutia
Kwa kuangalia tu **strings** za APK unaweza kutafuta **passwords**, **URLs** ([https://github.com/ndelphit/apkurlgrep](https://github.com/ndelphit/apkurlgrep)), **api** keys, **encryption**, **bluetooth uuids**, **tokens** na chochote kinachovutia... angalia hata kwa code execution **backdoors** au authentication backdoors (hardcoded admin credentials kwenye app).
Kwa kuangalia tu **strings** za APK unaweza kutafuta **passwords**, **URLs** ([https://github.com/ndelphit/apkurlgrep](https://github.com/ndelphit/apkurlgrep)), **api** keys, **encryption**, **bluetooth uuids**, **tokens** na chochote kinachovutia... angalia hata kwa code execution **backdoors** au authentication backdoors (hardcoded admin credentials to the app).
**Firebase**
Lipa umakini maalum kwa **firebase URLs** na angalia kama imewekwa vibaya. [Taarifa zaidi kuhusu ni nini Firebase na jinsi ya kuitumia hapa.](../../network-services-pentesting/pentesting-web/buckets/firebase-database.md)
Lipa umakini maalum kwa **firebase URLs** na angalia kama zimesanidiwa vibaya. [More information about whats is FIrebase and how to exploit it here.](../../network-services-pentesting/pentesting-web/buckets/firebase-database.md)
### Basic understanding of the application - Manifest.xml, strings.xml
Uchunguzi wa faili za programu za _Manifest.xml_ na **_strings.xml_** unaweza kufichua udhaifu wa usalama. Faili hizi zinaweza kufikiwa kwa kutumia decompilers au kwa kubadilisha extension ya faili ya APK kuwa .zip kisha kuizikamua.
Uchunguzi wa faili za programu _Manifest.xml_ na _strings.xml_ unaweza kufichua potential security vulnerabilities. Faili hizi zinaweza kupatikana ukitumia decompilers au kwa kubadilisha extension ya faili ya APK kuwa .zip na kisha kuzifungua.
**Vulnerabilities** zilizotambulika kutoka kwa **Manifest.xml** ni pamoja na:
Vulnerabilities zilizobainika kutoka Manifest.xml ni pamoja na:
- **Debuggable Applications**: Programu zilizowekwa kama debuggable (`debuggable="true"`) katika _Manifest.xml_ zina hatari kwa sababu zinaruhusu muunganisho ambao unaweza kusababisha exploitation. Kwa uelewa zaidi juu ya jinsi ya kutumia programu debuggable, rejea mafunzo juu ya kutafuta na kushambulia debuggable applications kwenye kifaa.
- **Backup Settings**: Sifa `android:allowBackup="false"` inapaswa kuwekwa wazi kwa programu zinazoshughulikia taarifa nyeti ili kuzuia backups zisizoidhinishwa kupitia adb, hasa wakati usb debugging imewezeshwa.
- **Network Security**: Custom network security configurations (`android:networkSecurityConfig="@xml/network_security_config"`) katika _res/xml/_ zinaweza kueleza undani wa usalama kama certificate pins na mipangilio ya HTTP traffic. Mfano ni kuruhusu HTTP traffic kwa domains maalum.
- **Exported Activities and Services**: Kutambua exported activities na services katika manifest kunaweza kuonyesha vipengele vinavyoweza kutumiwa vibaya. Uchambuzi zaidi wakati wa dynamic testing unaweza kufichua jinsi ya kushambulia vipengele hivi.
- **Content Providers and FileProviders**: Content providers zilizo wazi zinaweza kuruhusu ufikiaji usioidhinishwa au urekebishaji wa data. Usanidi wa FileProviders pia unapaswa kuchunguzwa kwa makini.
- **Broadcast Receivers and URL Schemes**: Vipengele hivi vinaweza kutumiwa kwa exploitation, na umakini maalum unapaswa kuwekwa jinsi URL schemes zinavyosimamiwa kwa ajili ya input vulnerabilities.
- **SDK Versions**: `minSdkVersion`, `targetSDKVersion`, na `maxSdkVersion` zinaonyesha matoleo ya Android yanayounga mkono, yakionyesha umuhimu wa kutoendelea kuunga mkono matoleo ya zamani na yenye udhaifu kwa sababu za usalama.
- **Debuggable Applications**: Applications zilizowekwa kama debuggable (`debuggable="true"`) katika faili ya _Manifest.xml_ zina hatari kwa kuwa zinaruhusu connections ambazo zinaweza kusababisha exploitation. Kwa ufahamu zaidi juu ya jinsi ya ku-exploit debuggable applications, rejea tutorial kuhusu kupata na ku-exploit debuggable applications kwenye kifaa.
- **Backup Settings**: Kigezo `android:allowBackup="false"` kinapaswa kuwekwa wazi kwa applications zinazoendesha taarifa nyeti ili kuzuia unauthorized data backups kupitia adb, hasa wakati usb debugging iko enabled.
- **Network Security**: Custom network security configurations (`android:networkSecurityConfig="@xml/network_security_config"`) katika _res/xml/_ zinaweza kubainisha maelezo ya usalama kama certificate pins na mipangilio ya HTTP traffic. Mfano ni kuruhusu HTTP traffic kwa domains maalum.
- **Exported Activities and Services**: Kutambua exported activities na services katika manifest kunaweza kuonyesha components ambazo zinaweza kutumika vibaya. Uchambuzi zaidi wakati wa dynamic testing unaweza kufichua jinsi ya ku-exploit components hizi.
- **Content Providers and FileProviders**: Content providers zilizo wazi zinaweza kuruhusu access au modification ya data bila idhini. Sanidiwa nzuri ya FileProviders inapaswa pia kuchunguzwa.
- **Broadcast Receivers and URL Schemes**: Components hizi zinaweza kutumika kwa exploitation, ukizingatia jinsi URL schemes zinavyosimamiwa kwa matatizo ya input.
- **SDK Versions**: Atributi `minSdkVersion`, `targetSDKVersion`, na `maxSdkVersion` zinaonyesha toleo la Android linaloungwa mkono, zikibainisha umuhimu wa kuto-support matoleo ya zamani na yalio na vulnerabilities kwa sababu za usalama.
Kutoka kwa faili ya **strings.xml**, taarifa nyeti kama API keys, custom schemas, na maelezo mengine ya developer zinaweza kugunduliwa, ikisisitiza umuhimu wa ukaguzi wa makini wa rasilimali hizi.
Kutoka kwenye faili ya **strings.xml**, taarifa nyeti kama API keys, custom schemas, na maelezo mengine ya developer zinaweza kugunduliwa, ikisisitiza umuhimu wa kupitia kwa uangalifu rasilimali hizi.
### Tapjacking
**Tapjacking** ni shambulio ambapo **malicious** **application** inazinduliwa na **kujipangia juu ya application ya mwathiriwa**. Mara inapoificha app ya mwathiriwa, kiolesura chake kimeundwa kwa njia inayodanganya mtumiaji kuingiliana nayo, wakati kiingiliano hicho kinapitishwa kwa app ya mwathiriwa.\
Kwa ufanisi, inamficha mtumiaji ili asijue kuwa kwa kweli anafanya vitendo kwenye app ya mwathiriwa.
**Tapjacking** ni shambulio ambapo **malicious application** inaanzishwa na **positions itself on top of a victim application**. Mara inapoifunika kwa mtazamo app ya mhusika, user interface yake imeundwa kwa njia ya kumdanganya mtumiaji aingilie nayo, wakati inapotumia ile interaction kumtumia app ya mhusika.\
Kwa ufanisi, inamficha mtumiaji kuona kwamba kweli anafanya vitendo kwenye app ya mhusika.
Pata habari zaidi katika:
Pata taarifa zaidi katika:
{{#ref}}
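Review bot: the new Static Analysis opener `Kwanza kabisa, kwa kuchambua APK unapaswa **take a look to the to the Java code**` regresses a previously complete translation into a mixed sentence with a duplicated "to the"; the old `**kuangalia msimbo wa Java**` should be kept. The same regression appears in the Firebase line (`[More information about whats is FIrebase ...]`, with two typos) and in the Tapjacking paragraph (`positions itself on top of a victim application`). In the SDK Versions bullet, `yalio na vulnerabilities` should read `yaliyo na vulnerabilities`.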
@ -104,7 +104,7 @@ tapjacking.md
### Task Hijacking
Activity yenye **`launchMode`** imewekwa kwa **`singleTask` bila `taskAffinity`** yoyote iliyobainishwa ni nyeti kwa task Hijacking. Hii ina maana kwamba, application inaweza kusakinishwa na ikiwa itaendeshwa kabla ya application halisi inaweza **hijack task ya application halisi** (hivyo mtumiaji atakuwa akishirikiana na **malicious application akidhani anatumia ile halisi**).
An **activity** yenye **`launchMode`** imewekwa kwa **`singleTask` without any `taskAffinity`** iliyotajwa inaweza kuwa nyeti kwa task Hijacking. Hii ina maana kwamba, **application** inaweza kusakinishwa na ikiwa itaanzishwa kabla ya application halisi inaweza **hijack the task of the real application** (hivyo mtumiaji atakuwa akiingiliana na **malicious application thinking he is using the real one**).
Taarifa zaidi katika:
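Review bot: `An **activity** yenye ...` puts an English article in front of a Swahili sentence; the old `Activity yenye` is the right form. The bolded fragments `singleTask without any taskAffinity`, `hijack the task of the real application` and `malicious application thinking he is using the real one` were translated in the old version and have been reverted to English here.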
@ -117,69 +117,69 @@ android-task-hijacking.md
**Internal Storage**
Katika Android, faili zilizohifadhiwa katika **internal** storage zimetengenezwa kuwa zinapatikana mahsusi kwa **app** iliyozianzisha. Hatua hii ya usalama inatekelezwa na mfumo wa uendeshaji wa Android na kwa kawaida inatosheleza mahitaji ya usalama ya programu nyingi. Hata hivyo, waendelezaji wakati mwingine hutumia modes kama `MODE_WORLD_READABLE` na `MODE_WORLD_WRITABLE` kuruhusu faili kushirikiwa kati ya applications mbalimbali. Modes hizi hata hivyo **hazizuizi ufikiaji** wa faili hizi na applications nyingine, ikiwa ni pamoja na zile zinazoweza kuwa zenye malice.
Katika Android, files **stored** katika **internal** storage zimeundwa kupatikana tu na **app** iliyozitengeneza. Kipimo hiki cha usalama kinatekelezwa na operating system ya Android na kawaida kinafaa kwa mahitaji ya usalama ya applications nyingi. Hata hivyo, developers baadhi ya wakati hutumia modes kama `MODE_WORLD_READABLE` na `MODE_WORLD_WRITABLE` kuruhusu files kushirikiwa kati ya applications tofauti. Modes hizi hazizuizi access kwa files hizi na applications nyingine, zikiwemo zile zinazoweza kuwa malicious.
1. **Static Analysis:**
- **Hakikisha** matumizi ya `MODE_WORLD_READABLE` na `MODE_WORLD_WRITABLE` yanachunguzwa kwa makini. Modes hizi **zinaweza kuonyesha** faili kwa ufikiaji usiokusudiwa au usioidhinishwa.
- **Ensure** kwamba matumizi ya `MODE_WORLD_READABLE` na `MODE_WORLD_WRITABLE` yamechunguzwa kwa umakini. Modes hizi zinaweza ku-expose files kwa access isiyotarajiwa au isiyoidhinishwa.
2. **Dynamic Analysis:**
- **Thibitisha** ruhusa zilizowekwa kwenye faili zilizotengenezwa na app. Haswa, **angalia** kama faili yoyote imewekwa kuwa readable au writable kwa wote. Hii inaweza kuwa hatari kubwa ya usalama, kwani itaruhusu **programu yoyote** iliyosakinishwa kwenye kifaa, bila kujali asili au nia yake, kusoma au kurekebisha faili hizi.
- **Verify** permissions zilizowekwa kwenye files zilizotengenezwa na app. Hasa, **check** kama kuna files zilizowekwa kuwa readable au writable worldwide. Hii inaweza kuwa hatari kubwa kwa usalama, kwani itaruhusu **any application** iliyosakinishwa kwenye kifaa, bila kujali asili au nia yake, ku-read au ku-modify files hizi.
**External Storage**
Unapotumia faili kwenye **external storage**, kama SD Cards, tahadhari zifuatazo zinapaswa kuchukuliwa:
Unaposhughulikia files kwenye external storage, kama SD Cards, tahadhari fulani zinapaswa kuchukuliwa:
1. **Accessibility**:
- Faili kwenye external storage ni **globally readable and writable**. Hii inamaanisha programu yoyote au mtumiaji anaweza kufikia faili hizi.
- Files kwenye external storage ni globally readable na writable. Hii ina maana application au mtumiaji yeyote anaweza kuweza kupata files hizi.
2. **Security Concerns**:
- Kutokana na urahisi wa ufikiaji, inadokezwa **kuto hifadhi taarifa nyeti** kwenye external storage.
- External storage inaweza kuondolewa au kufikiwa na programu yoyote, ikifanya isiwe salama.
- Kutokana na urahisi wa access, inapendekezwa kutohifadhi taarifa nyeti kwenye external storage.
- External storage inaweza kuondolewa au kupatikana na application yoyote, ikifanya kuwa isiyo salama.
3. **Handling Data from External Storage**:
- Daima **fanya input validation** kwenye data inayorekebishwa kutoka external storage. Hii ni muhimu kwa sababu data ni kutoka chanzo kisichoaminika.
- Kuingiza executables au class files kwenye external storage kwa ajili ya dynamic loading inachukuliwa kuwa hatari na haipendekezwi.
- Ikiwa application yako lazima ipate faili za executable kutoka external storage, hakikisha faili hizi zimesainiwa na kuthibitishwa kwa cryptographic kabla ya kupakiwa kwa dynamic. Hatua hii ni muhimu kwa kudumisha uadilifu wa usalama wa application yako.
- Daima fanya input validation kwenye data inayorekebishwa kutoka external storage. Hii ni muhimu kwa sababu data inatoka kwenye chanzo kisichoaminika.
- Kuhifadhi executables au class files kwenye external storage kwa ajili ya dynamic loading haipendekezwi.
- Ikiwa application yako lazima irejelee executable files kutoka external storage, hakikisha files hizi zimesigned na cryptographically verified kabla ya kuzopakiwa kwa dynamic loading. Hatua hii ni muhimu kwa kudumisha integrity ya usalama wa application yako.
External storage inaweza kufikiwa katika `/storage/emulated/0` , `/sdcard` , `/mnt/sdcard`
External storage inaweza kupatikana katika `/storage/emulated/0` , `/sdcard` , `/mnt/sdcard`
> [!TIP]
> Kuanzia na Android 4.4 (**API 17**), SD card ina muundo wa directories ambao **unapunguza ufikiaji kutoka kwa app hadi directory ambayo ni maalum kwa app hiyo**. Hii inazuia application hasidi kupata ufikiaji wa kusoma au kuandika kwa faili za app nyingine.
> Kuanzia Android 4.4 (**API 17**), SD card ina muundo wa directories unaopunguza access kutoka app hadi directory ambayo ni maalum kwa app hiyo. Hii inazuia malicious application kupata read au write access kwa files za app nyingine.
**Sensitive data stored in clear-text**
- **Shared preferences**: Android inaruhusu kila application kuhifadhi faili za xml kwa urahisi katika path `/data/data/<packagename>/shared_prefs/` na wakati mwingine inawezekana kupata taarifa nyeti kwa clear-text katika folda hiyo.
- **Databases**: Android inaruhusu kila application kuhifadhi sqlite databases kwa urahisi katika path `/data/data/<packagename>/databases/` na wakati mwingine inawezekana kupata taarifa nyeti kwa clear-text katika folda hiyo.
- **Shared preferences**: Android inamruhusu kila application kuhifadhi kwa urahisi xml files katika path `/data/data/<packagename>/shared_prefs/` na wakati mwingine inawezekana kupata taarifa nyeti katika clear-text katika folder hiyo.
- **Databases**: Android inamruhusu kila application kuhifadhi kwa urahisi sqlite databases katika path `/data/data/<packagename>/databases/` na wakati mwingine inawezekana kupata taarifa nyeti katika clear-text katika folder hiyo.
### Broken TLS
**Accept All Certificates**
Kwa sababu fulani wakati mwingine developers wanakubali certificates zote hata kama kwa mfano hostname haifai na mistari ya msimbo kama ifuatayo:
Kwa sababu fulani wakati mwingine developers wanakubali certificates zote hata kama kwa mfano hostname haifananai na mistari ya code kama ifuatayo:
```java
SSLSocketFactory sf = new cc(trustStore);
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
```
Njia nzuri ya kujaribu hii ni kujaribu kunasa trafiki kwa kutumia proxy kama Burp bila kuthibitisha Burp CA ndani ya kifaa. Pia, unaweza kuz生成 certificate na Burp kwa hostname tofauti na kuitumia.
Njia nzuri ya kujaribu hili ni kujaribu capture trafiki kwa kutumia proxy kama Burp bila kuidhinisha Burp CA ndani ya kifaa. Pia, unaweza kutengeneza kwa Burp cheti kwa hostname tofauti na kukitumia.
### Kriptografia Iliyovunjika
### Broken Cryptography
**Mchakato Duni wa Usimamizi wa Funguo**
**Mchakato duni wa Usimamizi wa Vifunguo**
Baadhi ya developers huhifadhi data nyeti kwenye storage ya ndani na kuikryptisha na ufunguo uliowekwa ndani/unaoweza kutabirika kwenye code. Hii haipaswi kufanywa kwa sababu reversing inaweza kuruhusu attackers kutoa taarifa za siri.
Baadhi ya developers huhifadhi data nyeti kwenye local storage na kui-encrypt kwa key iliyowekwa/takikana kwenye code. Hili halipaswi kufanywa kwa kuwa reversing inaweza kumruhusu attackers kutoa taarifa za siri.
**Matumizi ya Algorithimu zisizo salama na/au Zilizotumika kwa Muda Mrefu**
**Use of Insecure and/or Deprecated Algorithms**
Developers hawapaswi kutumia **deprecated algorithms** kufanya authorization **checks**, **store** au **send** data. Baadhi ya algorithm hizi ni: RC4, MD4, MD5, SHA1... Ikiwa **hashes** zinatumiwa kuhifadhi nywila kwa mfano, hash ambazo ni **brute-force resistant** zinapaswa kutumika pamoja na salt.
Developers hawapaswi kutumia **deprecated algorithms** kufanya uthibitisho (**checks**), **store** au **send** data. Baadhi ya algorithms hizi ni: RC4, MD4, MD5, SHA1... Ikiwa **hashes** zinatumiwa kuhifadhi passwords kwa mfano, zinasuasua dhidi ya brute-force na zinapaswa kutumika pamoja na salt.
### Mambo mengine ya kukagua
### Ukaguzi mwingine
- Inapendekezwa **ku-obfuscate the APK** ili kufanya kazi ya reverse engineer kuwa ngumu kwa attackers.
- Ikiwa app ni nyeti (kama bank apps), inapaswa kufanya **checks zake kuona kama simu ime-rooted** na kuchukua hatua ipasavyo.
- Ikiwa app ni nyeti (kama bank apps), inapaswa kuangalia kama **emulator** inatumiwa.
- Ikiwa app ni nyeti (kama bank apps), inapaswa **kuangalia integriti yake kabla ya kuitekeleza** ili kuhakikisha haijabadilishwa.
- Tumia [**APKiD**](https://github.com/rednaga/APKiD) kuona compiler/packer/obfuscator gani ilitumiwa kujenga APK
- Inashauriwa **obfuscate the APK** ili kufanya kazi ya reverse engineer kuwa ngumu kwa attackers.
- Ikiwa app ni nyeti (kama apps za benki), inapaswa kufanya ukaguzi wake ili kuona kama mobile ime-rooted na kuchukua hatua ipasavyo.
- Ikiwa app ni nyeti (kama apps za benki), inapaswa kuchunguza kama **emulator** inatumika.
- Ikiwa app ni nyeti (kama apps za benki), inapaswa **check it's own integrity before executing** ili kuona kama imebadilishwa.
- Tumia [**APKiD**](https://github.com/rednaga/APKiD) kuangalia compiler/packer/obfuscator gani ilitumika kujenga APK
### React Native Application
Soma ukurasa ufuatao ili kujifunza jinsi ya kupata javascript code za React applications kwa urahisi:
Soma ukurasa ufuatao ili ujifunze jinsi ya kufikia kwa urahisi javascript code ya React applications:
{{#ref}}
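Review bot: the new hashing sentence in Broken Cryptography inverts the recommendation: `zinasuasua dhidi ya brute-force na zinapaswa kutumika pamoja na salt` says the hashes are weak against brute force, while the source says brute-force-resistant hashes should be used with a salt; restore the old `hash ambazo ni brute-force resistant zinapaswa kutumika pamoja na salt`. Also in this hunk: `key iliyowekwa/takikana` in Key Management is garbled, the old `unaoweza kutabirika` (predictable) is what is meant; `hostname haifananai` should be `haifanani`; the integrity bullet leaves `check it's own integrity before executing` in English (and `it's` should be `its`); and the TIP line carries over `Android 4.4 (**API 17**)` from the source, which does not match (Android 4.4 is API level 19, API 17 is 4.2), so that is worth fixing upstream as well.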
@ -188,7 +188,7 @@ react-native-application.md
### Xamarin Applications
Soma ukurasa ufuatao ili kujifunza jinsi ya kupata C# code za xamarin applications kwa urahisi:
Soma ukurasa ufuatao ili ujifunze jinsi ya kufikia kwa urahisi C# code ya xamarin applications:
{{#ref}}
@ -197,17 +197,17 @@ Soma ukurasa ufuatao ili kujifunza jinsi ya kupata C# code za xamarin applicatio
### Superpacked Applications
Kulingana na [**blog post**](https://clearbluejar.github.io/posts/desuperpacking-meta-superpacked-apks-with-github-actions/) superpacked ni Meta algorithm inayobana (compress) yaliyomo ya application ndani ya faili moja. Blogu inazungumzia uwezekano wa kuunda app inayoweza ku-decompress aina hizi za apps... na njia ya haraka zaidi ambayo inahusisha **ku-execute application na kukusanya files zilizo-decompressed kutoka filesystem.**
Kulingana na hii [**blog post**](https://clearbluejar.github.io/posts/desuperpacking-meta-superpacked-apks-with-github-actions/) superpacked ni Meta algorithm inayocompress content ya application ndani ya faili moja. Blogu inazungumzia uwezekano wa kuunda app inayofungua aina hizi za apps... na njia ya haraka zaidi inayohusisha kuendesha application na kukusanya faili zilizofunguliwa kutoka filesystem.
### Automated Static Code Analysis
Tool ya [**mariana-trench**](https://github.com/facebook/mariana-trench) inaweza kupatikana kwa kutafuta **vulnerabilities** kwa **scanning** **code** ya application. Tool hii ina mfululizo wa **known sources** (inayoonyesha sehemu kwa tool ambapo **input** iko **controlled by the user**), **sinks** (inayoonyesha sehemu **dangerous** ambapo input ya mtumiaji mbaya inaweza kusababisha uharibifu) na **rules**. Kanuni hizi zinaeleza **mchanganyiko** wa **sources-sinks** unaoashiria udhaifu.
Tool [**mariana-trench**](https://github.com/facebook/mariana-trench) inaweza kupata **vulnerabilities** kwa **scanning** **code** ya application. Tool hii ina mfululizo wa **known sources** (ambazo zinaonyesha sehemu ambapo **input** inadhibitiwa na user), **sinks** (zinazoonyesha sehemu hatari ambapo input ya mharifu inaweza kusababisha uharibifu) na **rules**. Rules hizi zinaelezea **combination** ya **sources-sinks** inayosema kuna vulnerability.
Kwa maarifa haya, **mariana-trench itapitia code na kupata udhaifu unaowezekana ndani yake**.
Kwa maarifa haya, **mariana-trench will review the code and find possible vulnerabilities on it**.
### Secrets leaked
Application inaweza kuwa na siri (API keys, passwords, hidden urls, subdomains...) ndani yake ambazo unaweza kugundua. Unaweza kutumia zana kama [https://github.com/dwisiswant0/apkleaks](https://github.com/dwisiswant0/apkleaks)
Application inaweza kuwa na secrets (API keys, passwords, hidden urls, subdomains...) ndani yake ambazo unaweza kugundua. Unaweza kutumia tool kama [https://github.com/dwisiswant0/apkleaks](https://github.com/dwisiswant0/apkleaks)
### Bypass Biometric Authentication
@ -216,14 +216,14 @@ Application inaweza kuwa na siri (API keys, passwords, hidden urls, subdomains..
bypass-biometric-authentication-android.md
{{#endref}}
### Mengineyo ya kazi za kuvutia
### Vifunction vingine vinavyovutia
- **Utekelezaji wa Msimbo**: `Runtime.exec(), ProcessBuilder(), native code:system()`
- **Kutuma SMSs**: `sendTextMessage, sendMultipartTestMessage`
- **Funsi za native** zilizo elezwa kama `native`: `public native, System.loadLibrary, System.load`
- **Code execution**: `Runtime.exec(), ProcessBuilder(), native code:system()`
- **Send SMSs**: `sendTextMessage, sendMultipartTestMessage`
- **Native functions** declared as `native`: `public native, System.loadLibrary, System.load`
- [Read this to learn **how to reverse native functions**](reversing-native-libraries.md)
### **Mab trick mengine**
### **Mbinu nyingine**
{{#ref}}
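Review bot: `sendMultipartTestMessage` in the "Send SMSs" bullet (both old and new line) is a typo for the real `SmsManager` method `sendMultipartTextMessage`; since the line is being rewritten anyway, fix it so readers grepping decompiled code find the right identifier. The new heading `### Vifunction vingine vinavyovutia` coins a word; `### Kazi nyingine za kuvutia` or simply keeping the English `Other interesting functions` reads better.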
@ -234,15 +234,15 @@ content-protocol.md
---
## Uchambuzi wa Muda
## Dynamic Analysis
> Kwanza kabisa, unahitaji mazingira ambapo unaweza kusakinisha application na mazingira yote (Burp CA cert, Drozer na Frida hasa). Kwa hivyo, kifaa chenye root (emulated au siyo) kinashauriwa sana.
> Kwanza kabisa, unahitaji mazingira ambapo unaweza kuinstall application na mazingira yote (Burp CA cert, Drozer and Frida hasa). Kwa hivyo, kifaa kilicho-rooted (emulated au la) kinapendekezwa sana.
### Online Dynamic analysis
Unaweza kuunda **free account** katika: [https://appetize.io/](https://appetize.io). Jukwaa hili linakuwezesha **upload** na **execute** APKs, hivyo ni muhimu kuona jinsi apk inavyo behave.
Unaweza kuunda akaunti ya **free account** kwenye: [https://appetize.io/](https://appetize.io/). Jukwaa hili linakuwezesha **upload** na **execute** APKs, hivyo ni muhimu kuona jinsi apk inavyo behave.
Hata unaweza **kuona logs za application yako** kwenye wavuti na kuungana kupitia **adb**.
Unaweza hata **kuona logs za application yako** kwenye wavuti na kuungana kupitia **adb**.
![](<../../images/image (831).png>)
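Review bot: heading convention is inconsistent across this commit: here `## Uchambuzi wa Muda` is changed back to the English `## Dynamic Analysis`, while the first hunk translates `## Android Applications Basics` into Swahili; pick one direction for section headings so the table of contents is uniform.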
@ -252,85 +252,91 @@ Shukrani kwa muunganisho wa ADB unaweza kutumia **Drozer** na **Frida** ndani ya
#### Using an emulator
- [**Android Studio**](https://developer.android.com/studio) (Unaweza kuunda **x86** na **arm** devices, na kulingana na [**hii** ](https://android-developers.googleblog.com/2020/03/run-arm-apps-on-android-emulator.html)**latest x86** versions **support ARM libraries** bila kuhitaji slow arm emulator).
- Jifunze jinsi ya kuiweka hapa:
- [**Android Studio**](https://developer.android.com/studio) (Unaweza kuunda **x86** na **arm** devices, na kulingana na [**this** ](https://android-developers.googleblog.com/2020/03/run-arm-apps-on-android-emulator.html)**latest x86** versions **support ARM libraries** bila kuhitaji emulator ya arm ya polepole).
- Jifunze kuisanidi kwenye ukurasa huu:
{{#ref}}
avd-android-virtual-device.md
{{#endref}}
- [**Genymotion**](https://www.genymotion.com/fun-zone/) **(Free version:** Personal Edition, unahitaji kuunda account. _It's recommend to **download** the version **WITH**_ _**VirtualBox** ili kuepuka makosa ya uwezekano._)
- [**Nox**](https://es.bignox.com) (Free, lakini haitsupport Frida au Drozer).
- [**Genymotion**](https://www.genymotion.com/fun-zone/) **(Toleo la bure:** Personal Edition, unahitaji kuunda account. _Inashauriwa kupakua toleo **WITH**_ _**VirtualBox** ili kuepuka makosa yanayoweza kutokea._)
- [**Nox**](https://es.bignox.com) (Free, lakini haijiunga na Frida au Drozer).
> [!TIP]
> Unapotengeneza emulator mpya kwenye jukwaa lolote kumbuka kuwa skrini kubwa inafanya emulator kukimbia polepole. Hivyo chagua skrini ndogo iwezekanavyo.
> Unapotengeneza emulator mpya kwenye platform yoyote kumbuka kuwa skrini kubwa inafanya emulator kukimbia polepole. Hivyo chagua skrini ndogo pale inapowezekana.
Ili **kusakinisha google services** (kama AppStore) kwenye Genymotion unahitaji kubofya kitufe kilichowekwa kwa rangi nyekundu kwenye picha ifuatayo:
Ili **install google services** (kama AppStore) katika Genymotion unahitaji kubofya kitufe kilichowekwa kwa rangi nyekundu kwenye picha ifuatayo:
![](<../../images/image (277).png>)
Pia, fahamu kuwa katika **configuration ya Android VM katika Genymotion** unaweza kuchagua **Bridge Network mode** (hii itakuwa muhimu ikiwa utaungana kwenye Android VM kutoka VM tofauti yenye tools).
Pia, zingatia kwamba katika **configuration of the Android VM in Genymotion** unaweza kuchagua **Bridge Network mode** (hii itakuwa muhimu ukijiunga na Android VM kutoka VM tofauti yenye tools).
#### Use a physical device
Unahitaji kuwezesha chaguzi za **debugging** na itakuwa vizuri ikiwa unaweza kuendelea kui-**root**:
Unahitaji kuwasha chaguo za **debugging** na itakuwa nzuri ikiwa unaweza kui-**root**:
1. **Settings**.
2. (FromAndroid 8.0) Select **System**.
3. Select **About phone**.
4. Press **Build number** 7 times.
5. Go back and you will find the **Developer options**.
2. (FromAndroid 8.0) Chagua **System**.
3. Chagua **About phone**.
4. Bonyeza **Build number** mara 7.
5. Rudi nyuma na utapata **Developer options**.
> Mara baada ya kusakinisha application, jambo la kwanza unalopaswa kufanya ni kuijaribu na kuchunguza inafanya nini, inafanya kazi vipi na kuzoea kuifanya.\
> Napendekeza **kufanya uchambuzi huu wa awali wa dynamic kwa kutumia MobSF dynamic analysis + pidcat**, hivyo tutaweza **kujifunza jinsi application inavyofanya kazi** wakati MobSF inakayaza data nyingi **zazovutia** ambazo unaweza kuzitathmini baadaye.
> Mara tu utakapo-install application, jambo la kwanza unalopaswa kufanya ni kuijaribu na kuchunguza inafanya nini, jinsi inavyofanya kazi na kuzoea kuitumia.\
> Ninapendekeza kufanya uchambuzi huu wa mwanzo wa dynamic ukitumia MobSF dynamic analysis + pidcat, hivyo tunaweza kujifunza jinsi application inavyofanya kazi wakati MobSF inachukua data nyingi za kuvutia ambazo unaweza kukagua baadaye.
Magisk/Zygisk quick notes (recommended on Pixel devices)
- Patch boot.img with the Magisk app and flash via fastboot to get systemless root
- Enable Zygisk + DenyList for root hiding; consider LSPosed/Shamiko when stronger hiding is required
- Keep original boot.img to recover from OTA updates; re-patch after each OTA
- For screen mirroring, use scrcpy on the host
### Unintended Data Leakage
**Logging**
Developers wanapaswa kuwa waangalifu kutoonyesha **debugging information** hadharani, kwa maana inaweza kusababisha sensitive data leaks. Tools [**pidcat**](https://github.com/JakeWharton/pidcat) na `adb logcat` zinapendekezwa kwa kufuatilia application logs ili kubaini na kulinda taarifa nyeti. **Pidcat** inapendelewa kwa urahisi wa matumizi na readability.
Developers wanapaswa kuwa mwangalifu kuhusu kufichua **debugging information** hadharani, kwa kuwa inaweza kusababisha data nyeti ku-leak. Tools [**pidcat**](https://github.com/JakeWharton/pidcat) na `adb logcat` zinapendekezwa kwa kusimamia application logs ili kubaini na kulinda taarifa nyeti. **Pidcat** inapendelewa kwa urahisi wake wa matumizi na kusomeka kwake.
> [!WARNING]
> Kumbuka kuwa kutoka **later newer than Android 4.0**, **applications are only able to access their own logs**. Hivyo applications haziwezi kupata logs za apps nyingine.\
> Hata hivyo, bado inashauriwa **kutoi-log taarifa nyeti**.
> Kumbuka kuwa tangu toleo za baadaye zaidi za Android kuliko 4.0, **applications zinaweza kufikia tu logs zao wenyewe**. Hivyo applications haiwezi kufikia logs za apps nyingine.\
> Hata hivyo, bado inashauriwa **kuto-log taarifa nyeti**.
**Copy/Paste Buffer Caching**
Mfumo wa Android unaotegemea **clipboard** unaruhusu ufanyaji wa copy-paste katika apps, lakini una hatari ya kuwa **applications nyingine** zinaweza **access** clipboard, kwa hivyo zinaweza kufunua data nyeti. Ni muhimu **kuzima kazi za copy/paste** kwa sehemu nyeti za application, kama maelezo ya kadi ya mkopo, ili kuzuia data leaks.
Mfumo wa **clipboard-based** wa Android unawezesha utendakazi wa copy-paste ndani ya apps, lakini una hatari kwa kuwa **applications nyingine** zinaweza **access** clipboard, na hivyo kuweza ku-expose data nyeti. Ni muhimu kuzima kazi za copy/paste kwa sehemu za app zenye data nyeti, kama taarifa za kadi za malipo, ili kuzuia data ku-leak.
**Crash Logs**
Ikiwa application inavunjika (crashes) na **inahifadhi logs**, logs hizi zinaweza kumsaidia attacker, hasa wakati application haiwezi kureverse-engineered. Ili kupunguza hatari hii, epuka kuandika logs wakati wa crash, na ikiwa logs lazima zitumwa kwenye network, hakikisha zinatumwa kwa njia ya SSL kwa usalama.
Kama application ina **crash** na **inahifadhi logs**, logs hizi zinaweza kumsaidia attacker, hasa pale app haiwezi kureverse-engineered. Ili kupunguza hatari hii, epuka ku-log wakati wa crash, na ikiwa logs lazima zitumwe mtandaoni, hakikisha zinatumwa kupitia channel ya SSL kwa usalama.
Kama pentester, **jaribu kuangalia logs hizi**.
Kama pentester, **jaribu kuangalia_logs hizi**.
**Analytics Data Sent To 3rd Parties**
Applications mara nyingi hujumuisha huduma kama Google Adsense, ambazo zinaweza kwa bahati mbaya **leak sensitive data** kutokana na utekelezaji usio sahihi na developers. Ili kubaini potential data leaks, inashauriwa **ku-intercept traffic ya application** na kuangalia kama taarifa nyeti zinatumwa kwa huduma za watu wa tatu.
Applications mara nyingi hujumuisha huduma kama Google Adsense, ambazo zinaweza kwa bahati mbaya ku-leak data nyeti kutokana na utekelezaji mbovu na developers. Ili kubaini uwezekano wa data ku-leak, inashauriwa ku-intercept trafiki ya application na kuangalia kama kuna taarifa nyeti zinazotumwa kwa huduma za third-party.
### SQLite DBs
Wengi wa applications zitatafuta kutumia **internal SQLite databases** kuhifadhi taarifa. Wakati wa pentest angalia **databases** zilizoundwa, majina ya **tables** na **columns** na data zote zilizohifadhiwa kwa sababu unaweza kupata habari nyeti (ambayo inaweza kuwa vulnerability).\
Databases zinapaswa kuwa ziko kwenye `/data/data/the.package.name/databases` kama `/data/data/com.mwr.example.sieve/databases`
Mengi ya applications zitaitumia **internal SQLite databases** kuhifadhi taarifa. Wakati wa pentest angalia **databases** zilizoundwa, majina ya **tables** na **columns** na data zote zilizohifadhiwa kwa kuwa unaweza kupata taarifa nyeti (ambazo zitakuwa vulnerability).\
Databases zinapaswa kuwa ziko katika `/data/data/the.package.name/databases` kama `/data/data/com.mwr.example.sieve/databases`
Ikiwa database inahifadhi taarifa za siri na ime **encrypted** lakini unaweza **find** **password** ndani ya application bado ni **vulnerability**.
Kama database inahifadhi taarifa za siri na ime-**encrypted** lakini unaweza **find** **password** ndani ya application, bado ni **vulnerability**.
Taja meza (tables) kwa kutumia `.tables` na orodhesha columns za meza kwa kutumia `.schema <table_name>`
Orodhesha tables kwa kutumia `.tables` na orodhesha columns za table kwa kufanya `.schema <table_name>`
### Drozer (Exploit Activities, Content Providers and Services)
From [Drozer Docs](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf): **Drozer** allows you to **assume the role of an Android app** and interact with other apps. It can do **anything that an installed application can do**, such as make use of Androids Inter-Process Communication (IPC) mechanism and interact with the underlying operating system. .\
Drozer ni tool muhimu ya **exploit exported activities, exported services and Content Providers** kama utakavyojifunza katika sehemu zifuatazo.
From [Drozer Docs](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf): **Drozer** inakuwezesha kuchukua nafasi ya Android app na kuingiliana na apps nyingine. Inaweza kufanya chochote ambacho installed application inaweza kufanya, kama kutumia mfumo wa Androids Inter-Process Communication (IPC) na kuingiliana na operating system ya msingi. .\
Drozer ni tool muhimu kwa **exploit exported activities, exported services and Content Providers** kama utakavyojifunza katika sehemu zifuatazo.
### Exploiting exported Activities
[**Read this if you want to refresh what is an Android Activity.**](android-applications-basics.md#launcher-activity-and-other-activities)\
Kumbuka pia kwamba code ya activity inaanzia katika method ya **`onCreate`**.
Pia kumbuka kuwa code ya activity inaanza katika method ya **`onCreate`**.
**Authorisation bypass**
Wakati Activity ime-exported unaweza kuitia kwenye screen kutoka kwa app ya nje. Kwa hivyo, ikiwa activity yenye **taarifa nyeti** ime **exported** unaweza **bypass** mekanisme za **authentication** ili kuipata.
Wakati Activity ime-exported unaweza kuituma screen yake kutoka app ya nje. Hivyo, kama activity yenye **sensitive information** ime-**exported** unaweza **bypass** mechanisms za **authentication** ili kuipata.
[**Learn how to exploit exported activities with Drozer.**](drozer-tutorial/index.html#activities)
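Review bot: the rewritten pentester hint introduces a typo where the removed line was correct: `Kama pentester, **jaribu kuangalia_logs hizi**.` joins two words with an underscore; it should stay `kuangalia logs hizi`. In the retranslated Drozer paragraph, `Androids Inter-Process Communication` still lacks the possessive apostrophe and the sentence still ends in a stray ` .\`; since the line is being rewritten anyway, clean both up (`Android's Inter-Process Communication (IPC) mechanism ... operating system.\`).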
@ -341,50 +347,50 @@ Unaweza pia kuanzisha exported activity kutoka adb:
```bash
adb shell am start -n com.example.demo/com.example.test.MainActivity
```
**TAARIFA**: MobSF itaona kama hatari matumizi ya _**singleTask/singleInstance**_ kama `android:launchMode` katika activity, lakini kutokana na [this](https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/750), inaonekana hii ni hatari tu kwenye toleo za zamani (API versions < 21).
**NOTE**: MobSF itatambua kama hatari matumizi ya _**singleTask/singleInstance**_ kama `android:launchMode` katika activity, lakini kutokana na [hii](https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/750), inaonekana hili ni hatari tu kwenye toleo za zamani (API versions < 21).
> [!TIP]
> Kumbuka kwamba authorisation bypass si kila mara ni vulnerability; yote yatategemea jinsi bypass inavyofanya kazi na ni taarifa gani zinazoonyeshwa.
> Kumbuka kwamba an authorisation bypass si kila mara ni udhaifu; itategemea jinsi bypass inavyofanya kazi na ni taarifa gani zilizo wazi.
**Sensitive information leakage**
**Uvuaji wa taarifa nyeti**
**Activities can also return results**. Ikiwa unaweza kupata activity iliyotumwa (exported) na isiyolindwa ikiyaita method ya **`setResult`** na **kurudisha sensitive information**, kuna sensitive information leakage.
**Activities zinaweza pia kurudisha matokeo**. Ikiwa utafanikiwa kupata activity iliyotolewa (exported) na isiyolindwa ikiyaita method ya **`setResult`** na **kurudisha taarifa nyeti**, kuna uvuaji wa taarifa nyeti.
#### Tapjacking
Kama tapjacking haizingwi, unaweza kutumia activity iliyotumwa (exported) kumuambia mtumiaji afanye vitendo visivyotarajiwa. Kwa maelezo zaidi kuhusu [**what is Tapjacking follow the link**](#tapjacking).
Ikiwa tapjacking haizuiliwi, unaweza kutumia vibaya activity iliyotolewa ili kumfanya **mtumiaji afanye vitendo visivyotarajiwa**. Kwa maelezo zaidi kuhusu [**nini Tapjacking — fuata kiungo**](#tapjacking).
### Exploiting Content Providers - Accessing and manipulating sensitive information
### Exploiting Content Providers - Kupata na kushughulikia taarifa nyeti
[**Read this if you want to refresh what is a Content Provider.**](android-applications-basics.md#content-provider)\
Content providers kwa msingi hutumika **kushiriki data**. Ikiwa app ina content providers zinazopatikana, huenda ukaweza **kutoa sensitive** data kutoka kwazo. Ni muhimu pia kujaribu uwezekano wa **SQL injections** na **Path Traversals** kwani zinaweza kuwa vunerable.
[**Soma hii ikiwa unataka kukumbusha ni nini Content Provider.**](android-applications-basics.md#content-provider)\
Content providers kawaida hutumika kwa **kushiriki data**. Ikiwa app ina content providers zinazopatikana unaweza kuwa na uwezo wa **kutoa taarifa nyeti** kutoka kwazo. Pia ni vema kujaribu uwezekano wa **SQL injections** na **Path Traversals** kwani zinaweza kuwa zilizo hatarini.
[**Learn how to exploit Content Providers with Drozer.**](drozer-tutorial/index.html#content-providers)
[**Jifunze jinsi ya kufaida Content Providers kwa kutumia Drozer.**](drozer-tutorial/index.html#content-providers)
### **Exploiting Services**
[**Read this if you want to refresh what is a Service.**](android-applications-basics.md#services)\
Kumbuka kwamba vitendo vya Service huanza katika method `onStartCommand`.
[**Soma hii ikiwa unataka kukumbusha ni nini Service.**](android-applications-basics.md#services)\
Kumbuka kwamba matendo ya Service huanza katika method `onStartCommand`.
Service kwa msingi ni kitu ambacho **kinaweza kupokea data**, **kuchakata** na **kurudisha** (au la) majibu. Hivyo, ikiwa application inatoa services, inapaswa **kagua** **code** ili kuelewa inafanya nini na **jaribu** kivitendo (**dynamically**) kupata taarifa za siri, kuzuia authentication measures...\
[**Learn how to exploit Services with Drozer.**](drozer-tutorial/index.html#services)
Service kwa msingi ni kitu ambacho **kinapokea data**, **kuisindika** na **kurudisha** (au sio) jibu. Kwa hivyo, ikiwa application ina kutoa services, unapaswa **kagua** **code** ili kuelewa inafanya nini na **ijaribu** kivitendo (dynamically) ili kutoa taarifa za siri, bypassing hatua za uthibitisho...\
[**Jifunze jinsi ya kufaida Services kwa kutumia Drozer.**](drozer-tutorial/index.html#services)
### **Exploiting Broadcast Receivers**
[**Read this if you want to refresh what is a Broadcast Receiver.**](android-applications-basics.md#broadcast-receivers)\
Kumbuka kwamba vitendo vya Broadcast Receiver huanza katika method `onReceive`.
[**Soma hii ikiwa unataka kukumbusha ni nini Broadcast Receiver.**](android-applications-basics.md#broadcast-receivers)\
Kumbuka kwamba matendo ya Broadcast Receiver huanza katika method `onReceive`.
Broadcast receiver itakuwa ikisubiri aina fulani ya ujumbe. Kulingana na jinsi receiver inavyoshughulikia ujumbe, inaweza kuwa vunerable.\
[**Learn how to exploit Broadcast Receivers with Drozer.**](#exploiting-broadcast-receivers)
Broadcast receiver itakuwa ikisubiri aina fulani ya ujumbe. Kulingana na jinsi receiver inavyoshughulikia ujumbe, inaweza kuwa katika hatari.\
[**Jifunze jinsi ya kufaida Broadcast Receivers kwa kutumia Drozer.**](#exploiting-broadcast-receivers)
### **Exploiting Schemes / Deep links**
Unaweza kutafuta deep links kwa mikono, ukitumia zana kama MobSF au scripts kama [this one](https://github.com/ashleykinguk/FBLinkBuilder/blob/master/FBLinkBuilder.py).\
Unaweza kutafuta deep links kwa mkono, ukitumia zana kama MobSF au scripts kama [hii](https://github.com/ashleykinguk/FBLinkBuilder/blob/master/FBLinkBuilder.py).\
Unaweza **fungua** scheme iliyotangazwa kwa kutumia **adb** au **kivinjari**:
```bash
adb shell am start -a android.intent.action.VIEW -d "scheme://hostname/path?param=value" [your.package.name]
```
_Kumbuka kwamba unaweza **omit the package name** na kifaa cha mkononi kitaiteisha moja kwa moja app inayofaa kufungua link hiyo._
_Kumbuka kwamba unaweza **omit the package name** na simu itaita moja kwa moja app itakayofungua kiungo hicho._
```html
<!-- Browser regular link -->
<a href="scheme://hostname/path?param=value">Click me</a>
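Review bot: "leakage" is mistranslated in this hunk: `**Uvuaji wa taarifa nyeti**` and `kuna uvuaji wa taarifa nyeti` use "uvuaji" (fishing, undressing) where the intended word is "uvujaji". The tip box keeps an English article inside a Swahili sentence (`an authorisation bypass si kila mara ni udhaifu`; drop "an"), and the Tapjacking link text introduces an em-dash (`nini Tapjacking — fuata kiungo`) that the rest of the page does not use; `nini Tapjacking, fuata kiungo` matches the existing style.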
@ -393,56 +399,56 @@ _Kumbuka kwamba unaweza **omit the package name** na kifaa cha mkononi kitaiteis
```
**Msimbo unaotekelezwa**
Ili kupata **msimbo utakaoendeshwa katika App**, nenda kwenye activity inayoitwa na deeplink na tafuta function **`onNewIntent`**.
Ili kupata **msimbo utakao tekelezwa katika App**, nenda kwenye activity inayoitwa na deeplink na tafuta function **`onNewIntent`**.
![](<../../images/image (436) (1) (1) (1).png>)
**Taarifa nyeti**
Kila unapopata deep link hakikisha kwamba **haipokei data nyeti (kama passwords) kupitia vigezo vya URL**, kwa sababu programu nyingine yoyote inaweza **kuiga deep link na kuiba data hiyo!**
Kila wakati unapokutana na deep link hakikisha haipokei data nyeti (kama passwords) kupitia URL parameters, kwa sababu programu nyingine yoyote inaweza kujifanya deep link na kuiba data hiyo!
**Vigezo katika path**
**Parameters in path**
Unapaswa **pia kukagua ikiwa deep link yoyote inatumia parameter ndani ya path** ya URL kama: `https://api.example.com/v1/users/{username}`, katika kesi hiyo unaweza kulazimisha path traversal kwa kuingia kitu kama: `example://app/users?username=../../unwanted-endpoint%3fparam=value`.\
Kumbuka kwamba ukipata endpoints sahihi ndani ya application unaweza kusababisha **Open Redirect** (ikiwa sehemu ya path inatumika kama domain name), **account takeover** (ikiwa unaweza kubadilisha maelezo ya users bila CSRF token na endpoint dhaifu ilitumia method sahihi) na aina nyingine yoyote ya vuln. Maelezo zaidi [hapa](http://dphoeniixx.com/2020/12/13-2/).
Lazima pia ukague ikiwa deep link yoyote inatumia parameter ndani ya path ya URL kama: `https://api.example.com/v1/users/{username}` , katika kesi hiyo unaweza kulazimisha path traversal kwa kufikia kitu kama: `example://app/users?username=../../unwanted-endpoint%3fparam=value` .\
Note that if you find the correct endpoints inside the application you may be able to cause a **Open Redirect** (if part of the path is used as domain name), **account takeover** (if you can modify users details without CSRF token and the vuln endpoint used the correct method) and any other vuln. More [info about this here](http://dphoeniixx.com/2020/12/13-2/).
**More examples**
**Mifano zaidi**
Ripoti ya [bug bounty ya kuvutia](https://hackerone.com/reports/855618) kuhusu links (_/.well-known/assetlinks.json_).
Ripoti ya bug bounty yenye kuvutia: [interesting bug bounty report](https://hackerone.com/reports/855618) kuhusu links (_/.well-known/assetlinks.json_).
### Ukaguzi wa Transport Layer na Kushindwa kwa Uthibitishaji
### Uchunguzi wa Transport Layer na Kushindwa kwa Uthibitishaji
- **Certificates hazichunguzwi kila mara ipasavyo** na applications za Android. Ni kawaida kwa applications hizi kupuuza onyo na kukubali self-signed certificates au, katika baadhi ya matukio, kurudi kutumia HTTP connections.
- **Mazungumzo wakati wa SSL/TLS handshake wakati mwingine ni dhaifu**, yakitumia insecure cipher suites. Uraha huo unafanya koneksheni kuwa nyeti kwa man-in-the-middle (MITM) attacks, na kuruhusu watakanya ku-decrypt data.
- **Leakage of private information** ni hatari wakati applications zina-authenticate kwa kutumia secure channels lakini kisha kuwasiliana kwa channels zisizo-secure kwa miamala mingine. Njia hii hairuhusu ulinzi wa data nyeti, kama session cookies au user details, dhidi ya interception na wahalifu.
- **Certificates are not always inspected properly** na applications za Android. Mara nyingi hizi applications hupuuza onyo na kukubali self-signed certificates au, katika matukio mengine, kurudi kutumia muunganisho wa HTTP.
- **Negotiations during the SSL/TLS handshake are sometimes weak**, zikitumia insecure cipher suites. Utaifu huu hufanya muunganisho uwe nyeti kwa man-in-the-middle (MITM) attacks, ukiruhusu mshambuliaji ku-decrypt data.
- **Leakage of private information** ni hatari wakati applications zinathibitisha watumiaji kwa kutumia channel salama lakini kisha kuwasiliana kwa channels zisizo salama kwa miamala mingine. Mbinu hii hailindi data nyeti, kama session cookies au maelezo ya mtumiaji, dhidi ya interception na wahalifu.
#### Certificate Verification
Tutazingatia **certificate verification**. Uadilifu wa server's certificate lazima uathibitishwe ili kuboresha usalama. Hii ni muhimu kwa sababu misanidi ya TLS isiyo salama na upeleka wa data nyeti kupitia channels zisizo-encrypted vinaweza kusababisha hatari kubwa. Kwa hatua za kina juu ya kuthibitisha server certificates na kushughulikia vulnerabilities, rasilimali hii [**this resource**](https://manifestsecurity.com/android-application-security-part-10/) inatoa mwongozo kamili.
Tutalenga kwenye **certificate verification**. Uadilifu wa certificate ya server lazima uthibitishwe ili kuongeza usalama. Hii ni muhimu kwa sababu usanidi wa TLS usio salama na kusafirisha data nyeti kupitia channels zisizo-simbwa kunaweza kusababisha hatari kubwa. Kwa hatua za kina juu ya kuthibitisha certificates za server na kushughulikia udhaifu, [**this resource**](https://manifestsecurity.com/android-application-security-part-10/) inatoa mwongozo kamili.
#### SSL Pinning
SSL Pinning ni hatua ya usalama ambapo application inathibitisha server's certificate dhidi ya nakala inayojulikana iliyohifadhiwa ndani ya application yenyewe. Mbinu hii ni muhimu kuzuia MITM attacks. Kutekeleza SSL Pinning kunapendekezwa kwa nguvu kwa applications zinazoshughulikia taarifa nyeti.
SSL Pinning ni hatua ya usalama ambapo application inathibitisha certificate ya server dhidi ya nakala inayojulikana iliyohifadhiwa ndani ya application yenyewe. Njia hii ni muhimu kuzuia MITM attacks. Kutekeleza SSL Pinning kunapendekezwa kwa nguvu kwa applications zinazoshughulikia taarifa nyeti.
#### Traffic Inspection
Ili kuchunguza HTTP traffic, ni muhimu **kufunga certificate ya proxy tool** (km: Burp). Bila kufunga certificate hii, traffic iliyosimbwa huenda ikasionelezeka kupitia proxy. Kwa mwongozo wa jinsi ya kufunga custom CA certificate, [**click here**](avd-android-virtual-device.md#install-burp-certificate-on-a-virtual-machine).
Ili kuchunguza trafiki ya HTTP, ni muhimu **kusakinisha certificate ya proxy tool** (mfano, Burp). Bila kusakinisha certificate hii, trafiki iliyosimbwa huenda isiweze kuonekana kupitia proxy. Kwa mwongozo wa kusakinisha custom CA certificate, [**click here**](avd-android-virtual-device.md#install-burp-certificate-on-a-virtual-machine).
Applications zinazolenga **API Level 24 and above** zinahitaji mabadiliko kwenye Network Security Config ili kukubali proxy's CA certificate. Hatua hii ni muhimu kwa kuchunguza traffic iliyosimbwa. Kwa maelekezo ya kubadilisha Network Security Config, [**refer to this tutorial**](make-apk-accept-ca-certificate.md).
Applications zinazolenga **API Level 24 and above** zinahitaji mabadiliko kwenye Network Security Config ili kukubali proxy's CA certificate. Hatua hii ni muhimu kwa kuchunguza trafiki iliyosimbwa. Kwa maelekezo juu ya kubadilisha Network Security Config, [**refer to this tutorial**](make-apk-accept-ca-certificate.md).
Ikiwa **Flutter** inatumika, lazima ufuate maelekezo katika [**this page**](flutter.md). Hii ni kwa sababu, kuongeza tu certificate kwenye store haitafanya kazi kwani Flutter ina orodha yake ya CA zinazokubalika.
If **Flutter** is being used you need to to follow the instructions in [**this page**](flutter.md). This is becasue, just adding the certificate into the store won't work as Flutter has its own list of valid CAs.
#### Static detection of SSL/TLS pinning
Kabla ya kujaribu runtime bypasses, panga haraka mahali pinning inatekelezwa ndani ya APK. Ugunduzi wa static utakusaidia kupanga hooks/patches na kuzingatia code paths sahihi.
Kabla ya kujaribu runtime bypasses, ramani kwa haraka sehemu ambako pinning inatekelezwa katika APK. Ugunduzi wa static utakusaidia kupanga hooks/patches na kuzingatia code paths sahihi.
Tool: SSLPinDetect
- Open-source static-analysis utility that decompiles the APK to Smali (via apktool) and scans for curated regex patterns of SSL/TLS pinning implementations.
- Reports exact file path, line number, and a code snippet for each match.
- Covers common frameworks and custom code paths: OkHttp CertificatePinner, custom javax.net.ssl.X509TrustManager.checkServerTrusted, SSLContext.init with custom TrustManagers/KeyManagers, and Network Security Config XML pins.
Install
- Prereqs: Python >= 3.8, Java on PATH, apktool
Sakinisha
- Mahitaji ya awali: Python >= 3.8, Java on PATH, apktool
```bash
git clone https://github.com/aancw/SSLPinDetect
cd SSLPinDetect
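Review bot: several new lines in this hunk revert already-translated Swahili back to the English original, which works against the purpose of a translation commit: `Note that if you find the correct endpoints inside the application you may be able to cause a **Open Redirect**` replaces a translated line, and `If **Flutter** is being used you need to to follow the instructions` replaces a translated line while adding the typos "to to" and "becasue". In the transport-layer bullets `Utaifu huu hufanya muunganisho uwe nyeti` should read `Udhaifu huu` ("utaifu" means nationalism). The path-traversal line gains spurious spaces before punctuation (`{username}` , katika` and `%3fparam=value` .\`), and the bug bounty line now says the same thing twice (`Ripoti ya bug bounty yenye kuvutia: [interesting bug bounty report]`); keep one form.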
@ -457,7 +463,7 @@ python sslpindetect.py -f app.apk -a apktool.jar
python sslpindetect.py -a apktool_2.11.0.jar -f sample/app-release.apk -v
```
Mifano ya kanuni za pattern (JSON)
Tumia au ongeza signatures ili kugundua proprietary/custom pinning styles. Unaweza kupakia JSON yako mwenyewe na kufanya scan kwa kiwango kikubwa.
Tumia au ongeza signatures ili kutambua proprietary/custom pinning styles. Unaweza kupakia JSON yako mwenyewe na scan kwa kiwango kikubwa.
```json
{
"OkHttp Certificate Pinning": [
@ -471,43 +477,41 @@ Tumia au ongeza signatures ili kugundua proprietary/custom pinning styles. Unawe
]
}
```
Notes and tips
- Skanning ya haraka kwenye apps kubwa kwa kutumia multi-threading na memory-mapped I/O; regex zilizotanguliwa hupunguza mzigo/false positives.
- Pattern collection: https://github.com/aancw/smali-sslpin-patterns
- Lengo za kawaida za kugundua za kutathmini kisha:
- OkHttp: CertificatePinner usage, setCertificatePinner, okhttp3/okhttp package references
- Custom TrustManagers: javax.net.ssl.X509TrustManager, checkServerTrusted overrides
Vidokezo na ushauri
- Kukagua kwa haraka kwenye apps kubwa kupitia multi-threading na memory-mapped I/O; pre-compiled regex hupunguza overhead/false positives.
- Mkusanyiko wa pattern: https://github.com/aancw/smali-sslpin-patterns
- Malengo ya kawaida ya utambuzi ya kuchunguza baadae:
- OkHttp: matumizi ya CertificatePinner, setCertificatePinner, okhttp3/okhttp package references
- TrustManagers maalum: javax.net.ssl.X509TrustManager, checkServerTrusted overrides
- Custom SSL contexts: SSLContext.getInstance + SSLContext.init with custom managers
- Declarative pins in res/xml network security config and manifest references
- Tumia maeneo yaliyolingana kupanga Frida hooks, static patches, au ukaguzi wa config kabla ya majaribio ya dynamic.
- Declarative pins katika res/xml network security config na manifest references
- Tumia maeneo yaliyolingana kupanga Frida hooks, static patches, au config reviews kabla ya dynamic testing.
#### Kupitisha SSL Pinning
Wakati SSL Pinning imewekwa, kuipita kunakuwa muhimu ili kuchunguza trafiki ya HTTPS. Mbinu mbalimbali zinapatikana kwa madhumuni haya:
#### Bypassing SSL Pinning
- Kiotomatiki **badilisha** the **apk** ili **kupitisha** SSLPinning kwa kutumia [**apk-mitm**](https://github.com/shroudedcode/apk-mitm). Faida kubwa ya chaguo hili ni kwamba hautahitaji root kupitisha SSL Pinning, lakini utalazimika kufuta application na kuisakinisha upya, na hii haitafanya kazi kila mara.
- Unaweza kutumia **Frida** (discussed below) kupitisha ulinzi huu. Hapa kuna mwongozo wa kutumia Burp+Frida+Genymotion: [https://spenkk.github.io/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/](https://spenkk.github.io/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/)
- Unaweza pia kujaribu **kuipita kiotomatiki SSL Pinning** kutumia [**objection**](frida-tutorial/objection-tutorial.md)**:** `objection --gadget com.package.app explore --startup-command "android sslpinning disable"`
- Unaweza pia kujaribu **kuipita kiotomatiki SSL Pinning** kwa kutumia **MobSF dynamic analysis** (explained below)
- Ikiwa bado unaona kuna trafiki ambayo hauiangalii unaweza kujaribu **kupeleka trafiki kwa burp kwa kutumia iptables**. Soma blogu hii: [https://infosecwriteups.com/bypass-ssl-pinning-with-ip-forwarding-iptables-568171b52b62](https://infosecwriteups.com/bypass-ssl-pinning-with-ip-forwarding-iptables-568171b52b62)
When SSL Pinning is implemented, bypassing it becomes necessary to inspect HTTPS traffic. Mbinu mbalimbali zinapatikana kwa madhumuni haya:
#### Kutafuta udhaifu wa wavuti wa kawaida
- Automatically **modify** the **apk** to **bypass** SSLPinning with [**apk-mitm**](https://github.com/shroudedcode/apk-mitm). The best pro of this option, is that you won't need root to bypass the SSL Pinning, but you will need to delete the application and reinstall the new one, and this won't always work.
- You could use **Frida** (discussed below) to bypass this protection. Here you have a guide to use Burp+Frida+Genymotion: [https://spenkk.github.io/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/](https://spenkk.github.io/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/)
- You can also try to **automatically bypass SSL Pinning** using [**objection**](frida-tutorial/objection-tutorial.md)**:** `objection --gadget com.package.app explore --startup-command "android sslpinning disable"`
- You can also try to **automatically bypass SSL Pinning** using **MobSF dynamic analysis** (explained below)
- If you still think that there is some traffic that you aren't capturing you can try to **forward the traffic to burp using iptables**. Read this blog: [https://infosecwriteups.com/bypass-ssl-pinning-with-ip-forwarding-iptables-568171b52b62](https://infosecwriteups.com/bypass-ssl-pinning-with-ip-forwarding-iptables-568171b52b62)
#### Looking for Common Web Vulnerabilities
Ni muhimu pia kutafuta udhaifu wa kawaida wa web ndani ya application. Maelezo ya kina juu ya kutambua na kupunguza udhaifu haya yapo mahali pengine na hayajumuishwi hapa.
Ni muhimu pia kutafuta udhaifu wa wavuti wa kawaida ndani ya application. Maelezo ya kina juu ya kutambua na kupunguza udhaifu haya yapita upeo wa muhtasari huu lakini yameelezewa kwa undani mahali pengine.
### Frida
[Frida](https://www.frida.re) ni dynamic instrumentation toolkit kwa developers, reverse-engineers, na watafiti wa usalama.\
**Unaweza kufikia application inayokimbia na kuhook methods wakati wa run time ili kubadilisha tabia, kubadilisha thamani, kutoa thamani, kuendesha code tofauti...**\
Kama unataka pentest Android applications unahitaji kujua jinsi ya kutumia Frida.
[Frida](https://www.frida.re) ni dynamic instrumentation toolkit kwa developers, reverse-engineers, na security researchers.\
**Unaweza kupata running application na ku-hook methods wakati wa runtime kubadilisha tabia, badilisha values, extract values, run different code...**\
Ikiwa unataka pentest Android applications lazima ujue jinsi ya kutumia Frida.
- Learn how to use Frida: [**Frida tutorial**](frida-tutorial/index.html)
- Some "GUI" for actions with Frida: [**https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security**](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security)
- Ojection is great to automate the use of Frida: [**https://github.com/sensepost/objection**](https://github.com/sensepost/objection) **,** [**https://github.com/dpnishant/appmon**](https://github.com/dpnishant/appmon)
- You can find some Awesome Frida scripts here: [**https://codeshare.frida.re/**](https://codeshare.frida.re)
- Try to bypass anti-debugging / anti-frida mechanisms loading Frida as in indicated in [https://erfur.github.io/blog/dev/code-injection-without-ptrace](https://erfur.github.io/blog/dev/code-injection-without-ptrace) (tool [linjector](https://github.com/erfur/linjector-rs))
- Jifunze jinsi ya kutumia Frida: [**Frida tutorial**](frida-tutorial/index.html)
- Baadhi ya "GUI" kwa vitendo na Frida: [**https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security**](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security)
- Ojection ni nzuri ku-automate matumizi ya Frida: [**https://github.com/sensepost/objection**](https://github.com/sensepost/objection) **,** [**https://github.com/dpnishant/appmon**](https://github.com/dpnishant/appmon)
- Unaweza kupata baadhi ya Awesome Frida scripts hapa: [**https://codeshare.frida.re/**](https://codeshare.frida.re)
- Jaribu kupitisha anti-debugging / anti-frida mechanisms kwa kupakia Frida kama inavyoelezwa katika [https://erfur.github.io/blog/dev/code-injection-without-ptrace](https://erfur.github.io/blog/dev/code-injection-without-ptrace) (tool [linjector](https://github.com/erfur/linjector-rs))
#### Anti-instrumentation & SSL pinning bypass workflow
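Review bot: the whole SSL-pinning bypass list and its two headings (`#### Bypassing SSL Pinning`, `#### Looking for Common Web Vulnerabilities`) are reverted from Swahili to English in this hunk, while the removed lines carried a complete translation; keep the translated versions. The intro sentence is left half-translated: `When SSL Pinning is implemented, bypassing it becomes necessary to inspect HTTPS traffic. Mbinu mbalimbali zinapatikana kwa madhumuni haya:`. While this block is being touched, `Ojection ni nzuri ku-automate matumizi ya Frida` carries over the pre-existing "Ojection" typo for objection.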
@ -517,9 +521,9 @@ android-anti-instrumentation-and-ssl-pinning-bypass.md
### **Dump Memory - Fridump**
Kagua kama application inahifadhi taarifa nyeti ndani ya memory ambazo haipaswi kuhifadhi, kama passwords au mnemonics.
Angalia kama application inahifadhi taarifa nyeti ndani ya memory ambazo haipaswi kuhifadhi, kama vile passwords au mnemonics.
Using [**Fridump3**](https://github.com/rootbsd/fridump3) you can dump the memory of the app with:
Kutumia [**Fridump3**](https://github.com/rootbsd/fridump3) unaweza dump memory ya app kwa:
```bash
# With PID
python3 fridump3.py -u <PID>
@ -528,63 +532,63 @@ python3 fridump3.py -u <PID>
frida-ps -Uai
python3 fridump3.py -u "<Name>"
```
Hii itadump memory kwenye folda ./dump, na hapo unaweza grep kwa kitu kama:
Hii itadump memory katika folda ./dump, na ndani yake unaweza kufanya grep kwa kitu kama:
```bash
strings * | grep -E "^[a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+$"
```
### **Data nyeti katika Keystore**
Katika Android, Keystore ni mahali bora pa kuhifadhi data nyeti, hata hivyo, kwa ruhusa za kutosha bado ni **inawezekana kuifikia**. Kwa kuwa applications huwa zinaweka hapa **sensitive data in clear text**, pentests zinapaswa kukagua hili kwa kutumia root user, kwani mtu mwenye ufikiaji wa kimwili kwa kifaa anaweza kuiba data hii.
Katika Android Keystore ni mahali bora zaidi pa kuhifadhi data nyeti, hata hivyo, kwa vibali vya kutosha bado ni **inawezekana kuipata**. Kwa kuwa apps huenda zikahifadhi hapa **sensitive data in clear text**, pentests zinapaswa kuangalia hili kama root user au mtu mwenye ufikiaji wa kimwili wa kifaa anaweza kuiba data hii.
Hata kama app iliweka data katika Keystore, data inapaswa kusimbwa.
Hata kama app imehifadhi data katika keystore, data hiyo inapaswa kuwa imefungwa kwa usimbaji.
Ili kufikia data ndani ya keystore unaweza kutumia Frida script: [https://github.com/WithSecureLabs/android-keystore-audit/blob/master/frida-scripts/tracer-cipher.js](https://github.com/WithSecureLabs/android-keystore-audit/blob/master/frida-scripts/tracer-cipher.js)
Ili kufikia data ndani ya keystore unaweza kutumia Frida script hii: [https://github.com/WithSecureLabs/android-keystore-audit/blob/master/frida-scripts/tracer-cipher.js](https://github.com/WithSecureLabs/android-keystore-audit/blob/master/frida-scripts/tracer-cipher.js)
```bash
frida -U -f com.example.app -l frida-scripts/tracer-cipher.js
```
### **Fingerprint/Biometrics Bypass**
Kutumia script ifuatayo ya Frida kunaweza kumwezesha **bypass fingerprint authentication** ambayo Android applications zinaweza kutumia ili **kulinda maeneo fulani nyeti:**
Kwa kutumia Frida script ifuatayo inaweza kuwa inawezekana **bypass fingerprint authentication** ambayo Android applications zinaweza kutumia ili **kulinda maeneo maalum nyeti:**
```bash
frida --codeshare krapgras/android-biometric-bypass-update-android-11 -U -f <app.package>
```
### **Picha za Usuli**
### **Picha za Mandharinyuma**
Unapoweka programu kwenye usuli, Android huhifadhi **snapshot ya programu** ili inaporekebishwa kurudi kwenye mbele (foreground) inaanza kupakia picha kabla ya programu, hivyo inaonekana kama programu ilipakiwa kwa haraka.
Unapoweka application katika mandharinyuma, Android huhifadhi **snapshot ya application** ili inaporejeshwa mbele (foreground) inaanza kupakia picha kabla ya application ili ionekane kama application ilipakiwa haraka zaidi.
Hata hivyo, ikiwa snapshot hii ina **taarifa nyeti**, mtu mwenye ufikiaji wa snapshot anaweza **kuiba taarifa hiyo** (kumbuka unahitaji root ili kuifikia).
Hata hivyo, ikiwa snapshot hii ina **taarifa nyeti**, mtu mwenye ufikiaji wa snapshot anaweza **kuiba taarifa hiyo** (tazama kwamba unahitaji root ili kuifikia).
Snapshots hizi kwa kawaida huhifadhiwa hapa: **`/data/system_ce/0/snapshots`**
Snapshots kawaida huhifadhiwa katika: **`/data/system_ce/0/snapshots`**
Android inatoa njia ya **kuzuia kunyakuliwa picha za skrini kwa kuweka parametro ya layout FLAG_SECURE**. Kwa kutumia flag hii, yaliyomo kwenye dirisha yanachukuliwa kuwa salama, na kuzuia kuonekana kwenye picha za skrini au kuonyeshwa kwenye skrini zisizo salama.
Android inatoa njia ya **kuzuia kunyakua screenshot kwa kuweka parameta ya layout FLAG_SECURE**. Kwa kutumia flag hii, yaliyomo kwenye dirisha yanatendewa kama salama, kizuia kuonekana kwenye screenshots au kuonyeshwa kwenye displays zisizo salama.
```bash
getWindow().setFlags(LayoutParams.FLAG_SECURE, LayoutParams.FLAG_SECURE);
```
### **Mchambuzi wa Programu za Android**
### **Android Application Analyzer**
Zana hii inaweza kukusaidia kusimamia zana tofauti wakati wa dynamic analysis: [https://github.com/NotSoSecure/android_application_analyzer](https://github.com/NotSoSecure/android_application_analyzer)
Zana hii inaweza kukusaidia kusimamia zana mbalimbali wakati wa dynamic analysis: [https://github.com/NotSoSecure/android_application_analyzer](https://github.com/NotSoSecure/android_application_analyzer)
### Intent Injection
Waendelezaji mara nyingi huunda proxy components kama activities, services, na broadcast receivers ambazo zinashughulikia Intent hizi na kuzipeleka kwa methods kama `startActivity(...)` au `sendBroadcast(...)`, ambazo zinaweza kuwa hatarishi.
Waundaji mara nyingi huunda proxy components kama activities, services, na broadcast receivers ambazo zinashughulikia Intent hizi na kuzipitisha kwa methods kama `startActivity(...)` au `sendBroadcast(...)`, jambo ambalo linaweza kuwa hatari.
Hatari iko katika kuruhusu washambuliaji kuanzisha components za app zisizokuwa exported au kupata content providers nyeti kwa kubeleza Intent hizi. Mfano unaojulikana ni component ya `WebView` kubadilisha URLs kuwa vitu vya `Intent` kupitia `Intent.parseUri(...)` kisha kuvitekeleza, jambo ambalo linaweza kusababisha intent zenye madhara.
Hatari iko katika kuwaruhusu watapeli kuanzisha non-exported app components au kupata content providers nyeti kwa kupeleka Intent hizi kwa njia isiyo sahihi. Mfano muhimu ni component ya `WebView` kubadilisha URLs kuwa vitu vya `Intent` kwa kutumia `Intent.parseUri(...)` kisha kuzitekeleza, jambo ambalo linaweza kusababisha malicious Intent injections.
### Essential Takeaways
### Vidokezo Muhimu
- **Intent Injection** ni sawa na tatizo la Open Redirect la web.
- Maenendo yanahusisha kupitisha `Intent` objects kama extras, ambayo yanaweza kuelekezwa tena ili kutekeleza operesheni zisizo salama.
- Inaweza kufichua components zisizokuwa exported na content providers kwa washambuliaji.
- Ubadilishaji wa URL kuwa `Intent` katika `WebView` unaweza kurahisisha vitendo visivyokusudiwa.
- **Intent Injection** ni sawa na suala la wavuti la Open Redirect.
- Exploits zinahusisha kupitisha `Intent` objects kama extras, ambazo zinaweza kuelekezwa ili kutekeleza operesheni zisizo salama.
- Inaweza kufichua non-exported components na content providers kwa watapeli.
- Ubadilishaji wa URL kwenda `Intent` wa `WebView` unaweza kuwezesha vitendo visivyokusudiwa.
### Android Client Side Injections and others
Huenda unajua kuhusu aina hizi za vulnerabilities kutoka kwa Web. Lazima uwe mwangalifu hasa na vulnerabilities hizi katika application ya Android:
Pengine unajua kuhusu aina hii ya vulnerabilities kutoka Web. Lazima uwe mwangalifu hasa na vulnerabilities hizi katika Android application:
- **SQL Injection:** Unaposhughulika na dynamic queries au Content-Providers hakikisha unatumia parameterized queries.
- **JavaScript Injection (XSS):** Thibitisha kwamba support ya JavaScript na Plugin imezimwa kwa WebViews zote (imezimwa kwa default). [More info here](webview-attacks.md#javascript-enabled).
- **Local File Inclusion:** WebViews zinapaswa kuwa na ufikiaji wa file system uzimw (umewezeshwa kwa default) - `(webview.getSettings().setAllowFileAccess(false);)`. [More info here](webview-attacks.md#javascript-enabled).
- **Eternal cookies**: Katika kesi kadhaa, wakati application ya Android inapo maliza session cookie haifutwi au inaweza hata kuhifadhiwa kwenye disk
- **JavaScript Injection (XSS):** Thibitisha kwamba msaada wa JavaScript na Plugin umezimwa kwa WebViews yoyote (imezimwa kwa default). [More info here](webview-attacks.md#javascript-enabled).
- **Local File Inclusion:** WebViews zinapaswa kuwa na ufikiaji wa file system umezimwa (umewezeshwa kwa default) - `(webview.getSettings().setAllowFileAccess(false);)`. [More info here](webview-attacks.md#javascript-enabled).
- **Eternal cookies**: Katika visa kadhaa, wakati Android application inamaliza session, cookie hairevokiwi au inaweza hata kuokolewa kwenye disk
- [**Secure Flag** in cookies](../../pentesting-web/hacking-with-cookies/index.html#cookies-flags)
---
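Review bot: the new lines "Hatari iko katika kuwaruhusu watapeli ..." and "Inaweza kufichua non-exported components na content providers kwa watapeli" swap the old "washambuliaji" (attackers) for "watapeli" (scammers, fraudsters), which changes the meaning of both sentences; keep "washambuliaji". In the FLAG_SECURE paragraph, "kizuia kuonekana kwenye screenshots" should read "kuzuia", and in the Intent Injection paragraph "Waundaji" replaces the standard "Waendelezaji" (developers) for no gain.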
@ -593,55 +597,55 @@ Huenda unajua kuhusu aina hizi za vulnerabilities kutoka kwa Web. Lazima uwe mwa
### [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF)
**Static analysis**
**Uchambuzi wa static**
![](<../../images/image (866).png>)
**Tathmini ya udhaifu ya application** ikitumia frontend nzuri inayotegemea web. Unaweza pia kufanya dynamic analysis (lakini unahitaji kuandaa mazingira).
**Tathmini ya vulnerabilities ya application** kwa kutumia frontend nzuri ya web. Unaweza pia kufanya dynamic analysis (lakini unahitaji kuandaa mazingira).
```bash
docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
```
Notice that MobSF can analyse **Android**(apk)**, IOS**(ipa) **and Windows**(apx) applications (_Windows applications must be analyzed from a MobSF installed in a Windows host_).\
Also, if you create a **ZIP** file with the source code if an **Android** or an **IOS** app (go to the root folder of the application, select everything and create a ZIPfile), it will be able to analyse it also.
Kumbuka kwamba MobSF inaweza kuchambua **Android**(apk)**, IOS**(ipa) **and Windows**(apx) programu (_Programu za Windows lazima zichunguzwe kutoka kwenye MobSF iliyosakinishwa kwenye mwenyeji wa Windows_).\
Pia, ikiwa utaunda faili ya **ZIP** yenye msimbo wa chanzo wa app ya **Android** au **IOS** (nenda kwenye folda ya mizizi ya program, chagua kila kitu na tengeneza faili ya ZIP), MobSF itaweza kuichambua pia.
MobSF pia inaruhusu kufanya **diff/Compare** ya analysis na kuunganisha **VirusTotal** (utahitaji kuweka API key yako katika _MobSF/settings.py_ na kuiwezesha: `VT_ENABLED = TRUE` `VT_API_KEY = <Your API key>` `VT_UPLOAD = TRUE`). Unaweza pia kuweka `VT_UPLOAD` kuwa `False`, basi the **hash** itakuwa **upload** badala ya faili.
MobSF pia inakuwezesha kufanya **diff/Compare** ya uchambuzi na kuingiza **VirusTotal** (utahitaji kuweka API key yako katika _MobSF/settings.py_ na kuiwezesha: `VT_ENABLED = TRUE` `VT_API_KEY = <Your API key>` `VT_UPLOAD = TRUE`). Unaweza pia kuweka `VT_UPLOAD` kuwa `False`, kisha **hash** itapakiwa badala ya faili.
### Uchambuzi wa Dynamic uliosaidiwa na MobSF
### Iliyosaidiwa Dynamic analysis na MobSF
**MobSF** inaweza pia kuwa msaada mkubwa kwa ajili ya **dynamic analysis** katika **Android**, lakini katika kesi hiyo utahitaji kusanidi MobSF na **genymotion** kwenye host yako (VM au Docker hazitafanya kazi). _Note: You need to **start first a VM in genymotion** and **then MobSF.**_\
The **MobSF dynamic analyser** inaweza:
**MobSF** pia inaweza kuwa msaada mkubwa kwa **dynamic analysis** kwenye **Android**, lakini katika kesi hiyo utahitaji kusakinisha MobSF na **genymotion** kwenye host yako (VM au Docker haitafanya kazi). _Note: You need to **start first a VM in genymotion** and **then MobSF.**_\
The **MobSF dynamic analyser** can:
- **Dump application data** (URLs, logs, clipboard, screenshots made by you, screenshots made by "**Exported Activity Tester**", emails, SQLite databases, XML files, and other created files). Yote haya hufanywa kwa otomatiki isipokuwa kwa screenshots, unahitaji kubofya unapotaka screenshot au unahitaji kubofya "**Exported Activity Tester**" kupata screenshots za exported activities zote.
- **Dump application data** (URLs, logs, clipboard, screenshots made by you, screenshots made by "**Exported Activity Tester**", emails, SQLite databases, XML files, and other created files). Yote haya hufanywa kiotomatiki isipokuwa kwa screenshots — unahitaji kubofya unapotaka screenshot au kubofya "**Exported Activity Tester**" ili kupata screenshots za exported activities zote.
- Capture **HTTPS traffic**
- Use **Frida** to obtain **runtime** **information**
- Tumia **Frida** kupata **runtime** **information**
Kuanzia android **versions > 5**, itaanza **Frida** kwa **automatic** na itaweka global **proxy** settings ili **capture** trafiki. Itakamata trafiki tu kutoka kwa application inayojaribiwa.
Kuanzia toleo la **Android** > 5, itaanza **Frida** kiotomatiki na itaweka mipangilio ya **global proxy** kunasa trafiki. Itakanasa trafiki kutoka kwa application inayojaribiwa pekee.
**Frida**
Kwa default, itatumia pia baadhi ya Frida Scripts ili **bypass SSL pinning**, **root detection** na **debugger detection** na pia **monitor interesting APIs**.\
MobSF pia inaweza **invoke exported activities**, kuchukua **screenshots** za hizo activities na **save** kwa ajili ya report.
Kwa default, pia itatumia baadhi ya Frida Scripts ili **bypass SSL pinning**, **root detection** na **debugger detection** na ili **monitor interesting APIs**.\
MobSF pia inaweza **invoke exported activities**, kukamata **screenshots** zao na kuzihifadhi kwa ajili ya ripoti.
Ili kuanza dynamic testing bonyeza kitufe kijani: "**Start Instrumentation**". Bonyeza "**Frida Live Logs**" ili kuona logs zinazozalishwa na Frida scripts na "**Live API Monitor**" kuona mikao yote ya invocation kwa hooked methods, arguments zilizopita na values zilizorejeshwa (hii itaonekana baada ya kubofya "Start Instrumentation").\
MobSF pia inakuwezesha kupakia **Frida scripts** zako mwenyewe (to send the results of your Friday scripts to MobSF use the function `send()`). Ina pia **several pre-written scripts** unaweza kupakia (unaweza kuongeza zaidi katika `MobSF/DynamicAnalyzer/tools/frida_scripts/others/`), chagua tu, bonyeza "**Load**" na kisha bonyeza "**Start Instrumentation**" (utaweza kuona logs za scripts hizo ndani ya "**Frida Live Logs**").
Ili **start** mtihani wa dynamic bonyeza kitufe cha kijani: "**Start Instrumentation**". Bonyeza "**Frida Live Logs**" kuona logs zinazozalishwa na Frida scripts na "**Live API Monitor**" kuona miito yote kwa methods zilizopigwa hook, arguments zilizopita na values zilizorejeshwa (hii itaonekana baada ya kubonyeza "Start Instrumentation").\
MobSF pia inakuwezesha kupakia **Frida scripts** zako mwenyewe (kutuma matokeo ya Frida scripts zako kwa MobSF tumia function `send()`). Pia ina **several pre-written scripts** unaweza kupakia (unaweza kuongeza zaidi katika `MobSF/DynamicAnalyzer/tools/frida_scripts/others/`), chagua tu, bonyeza "**Load**" na kisha "**Start Instrumentation**" (utaweza kuona logs za scripts hizo ndani ya "**Frida Live Logs**").
![](<../../images/image (419).png>)
Zaidi ya hayo, una baadhi ya functionalities za ziada za Frida:
- **Enumerate Loaded Classes**: Itaonyesha madarasa yote yaliyo loaded
- **Capture Strings**: Itaonyesha strings zote zinazokamatwa wakati wa kutumia application (inazalisha kelele nyingi)
- **Capture String Comparisons**: Inaweza kuwa muhimu sana. Itaonyesha **strings 2 zinazolinganishwa** na kama matokeo yalikuwa True au False.
- **Enumerate Class Methods**: Weka jina la class (kama "java.io.File") na itaonyesha methods zote za class hiyo.
- **Enumerate Loaded Classes**: Itachapisha classes zote zilizopakiwa
- **Capture Strings**: Itachapisha strings zote zinazokamatwa wakati wa kutumia application (ina “noise” nyingi)
- **Capture String Comparisons**: Inaweza kuwa muhimu sana. Ita **show the 2 strings being compared** na kama matokeo yalikuwa True au False.
- **Enumerate Class Methods**: Weka jina la class (kama "java.io.File") na itachapisha methods zote za class.
- **Search Class Pattern**: Tafuta classes kwa pattern
- **Trace Class Methods**: **Trace** class nzima (ona inputs na outputs za methods zote za class). Kumbuka kwamba kwa default MobSF hufuatilia methods kadhaa zenye umuhimu za Android Api.
- **Trace Class Methods**: **Trace** class nzima (ona inputs na outputs za methods zote za class). Kumbuka kwamba kwa default MobSF inatTrace several interesting Android Api methods.
Mara tu unapochagua module ya ziada unayotaka kutumia unahitaji kubofya "**Start Intrumentation**" na utaona outputs zote katika "**Frida Live Logs**".
Mara baada ya kuchagua module ya ziada unayotaka kutumia unahitaji kubonyeza "**Start Intrumentation**" na utaona matokeo yote katika "**Frida Live Logs**".
**Shell**
Mobsf pia inakuleta shell yenye amri za **adb**, **MobSF commands**, na amri za kawaida za **shell** chini ya ukurasa wa dynamic analysis. Baadhi ya amri zinazovutia:
MobSF pia inakuja na shell yenye baadhi ya amri za **adb**, **MobSF commands**, na amri za kawaida za **shell** chini ya ukurasa wa dynamic analysis. Baadhi ya amri zinazovutia:
```bash
help
shell ls
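Review bot: the new "Trace Class Methods" bullet ends in "MobSF inatTrace several interesting Android Api methods", a half-translated fragment with a typo, where the old "MobSF hufuatilia methods kadhaa zenye umuhimu za Android Api" was complete and correct; restore it. The same hunk replaces the partly translated "The **MobSF dynamic analyser** inaweza:" with the fully English "The **MobSF dynamic analyser** can:", which moves that line backwards for a translation commit, and "kusakinisha MobSF na genymotion" (install) replaces the old "kusanidi" (configure) without reason.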
@ -650,34 +654,34 @@ exported_activities
services
receivers
```
**HTTP tools**
**Zana za HTTP**
Wakati trafiki ya HTTP inapokamatwa unaweza kuona muonekano mbaya wa trafiki iliyokamatwa kwenye kitufe "**HTTP(S) Traffic**" au muonekano mzuri kwenye kitufe kijani "**Start HTTPTools**". Kutoka chaguo la pili, unaweza **send** the **captured requests** to **proxies** kama Burp au Owasp ZAP.\
Ili kufanya hivyo, _power on Burp -->_ _turn off Intercept --> in MobSB HTTPTools select the request_ --> bonyeza "**Send to Fuzzer**" --> _select the proxy address_ ([http://127.0.0.1:8080\\](http://127.0.0.1:8080)).
When http traffic is capture you can see an ugly view of the captured traffic on "**HTTP(S) Traffic**" bottom or a nicer view in "**Start HTTPTools**" green bottom. From the second option, you can **send** the **captured requests** to **proxies** like Burp or Owasp ZAP.\
To do so, _power on Burp -->_ _turn off Intercept --> in MobSB HTTPTools select the request_ --> press "**Send to Fuzzer**" --> _select the proxy address_ ([http://127.0.0.1:8080\\](http://127.0.0.1:8080)).
Mara baada ya kumaliza the dynamic analysis na MobSF unaweza kubonyeza "**Start Web API Fuzzer**" ili **fuzz http requests** na kutafuta udhaifu.
Once you finish the dynamic analysis with MobSF you can press on "**Start Web API Fuzzer**" to **fuzz http requests** an look for vulnerabilities.
> [!TIP]
> Baada ya kufanya the dynamic analysis na MobSF mipangilio ya proxy inaweza kuwa imepangwa vibaya na huwezi kuirekebisha kutoka GUI. Unaweza kurekebisha mipangilio ya proxy kwa kufanya:
> After performing a dynamic analysis with MobSF the proxy settings me be misconfigured and you won't be able to fix them from the GUI. You can fix the proxy settings by doing:
>
> ```
> adb shell settings put global http_proxy :0
> ```
### Uchambuzi wa Dynamic uliosaidiwa na Inspeckage
### Assisted Dynamic Analysis with Inspeckage
Unaweza kupata zana kutoka [**Inspeckage**](https://github.com/ac-pm/Inspeckage).\
Zana hii itatumia baadhi ya **Hooks** kukujulisha **kinachotokea katika application** wakati unafanya a **dynamic analysis**.
You can get the tool from [**Inspeckage**](https://github.com/ac-pm/Inspeckage).\
This tool with use some **Hooks** to let you know **what is happening in the application** while you perform a **dynamic analysis**.
### [Yaazhini](https://www.vegabird.com/yaazhini/)
Hii ni **zana nzuri ya kufanya static analysis kwa GUI**
Hii ni zana nzuri ya kufanya **static analysis kwa GUI**
![](<../../images/image (741).png>)
### [Qark](https://github.com/linkedin/qark)
Zana hii imeundwa kutafuta udhaifu mbalimbali zinazohusiana na usalama za Android application, iwe katika **source code** au **packaged APKs**. Zana pia ina uwezo wa kuunda "Proof-of-Concept" deployable APK na **ADB commands**, ili kutumia baadhi ya udhaifu uliopatikana (Exposed activities, intents, tapjacking...). Kama ilivyo kwa Drozer, hakuna haja ya ku-root kifaa cha mtihani.
Zana hii imeundwa kutafuta kadhaa za **security related Android application vulnerabilities**, ama katika **source code** au **packaged APKs**. Zana pia ina uwezo wa kuunda **"Proof-of-Concept" deployable APK** na **ADB commands**, ili ku-exploit baadhi ya vulnerabilities zilizopatikana (Exposed activities, intents, tapjacking...). Kama ilivyo kwa Drozer, hakuna haja ya root test device.
```bash
pip3 install --user qark # --user is only needed if not using a virtualenv
qark --apk path/to/my.apk
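Review bot: this hunk reverts the whole HTTP tools, TIP and Inspeckage section from Swahili to English: "When http traffic is capture you can see ...", "Once you finish the dynamic analysis ...", the TIP body, the heading "### Assisted Dynamic Analysis with Inspeckage" and both Inspeckage sentences drop the existing Swahili ("Wakati trafiki ya HTTP inapokamatwa ...", "### Uchambuzi wa Dynamic uliosaidiwa na Inspeckage", ...), which is a regression for a translation commit; restore the Swahili lines. The English also carries the source typos "is capture", "me be misconfigured" and "an look", and both versions say "MobSB HTTPTools", presumably "MobSF". In the Qark paragraph, "kutafuta kadhaa za security related Android application vulnerabilities" and "hakuna haja ya root test device" read as half-translated; the old "udhaifu mbalimbali zinazohusiana na usalama za Android application" and "hakuna haja ya ku-root kifaa cha mtihani" were cleaner.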
@ -686,10 +690,10 @@ qark --java path/to/specific/java/file.java
```
### [**ReverseAPK**](https://github.com/1N3/ReverseAPK.git)
- Inaonyesha faili zote zilizotolewa kwa marejeo rahisi
- Hu-decompile faili za APK moja kwa moja hadi muundo wa Java na Smali
- Huchambua AndroidManifest.xml kwa ajili ya udhaifu na tabia za kawaida
- Uchambuzi wa static wa source code kwa ajili ya udhaifu na tabia za kawaida
- Inaonyesha faili zote zilizotolewa kwa rejea rahisi
- Inafanya decompile faili za APK kwenda muundo wa Java na Smali kwa otomatiki
- Inachambua AndroidManifest.xml kwa udhaifu wa kawaida na tabia
- Uchambuzi wa msimbo wa chanzo (static) kwa udhaifu wa kawaida na tabia
- Taarifa za kifaa
- na zaidi
```bash
@ -697,11 +701,11 @@ reverse-apk relative/path/to/APP.apk
```
### [SUPER Android Analyzer](https://github.com/SUPERAndroidAnalyzer/super)
SUPER ni programu ya command-line inayoweza kutumika kwenye Windows, MacOS X na Linux, inayochambua faili za _.apk_ kwa kutafuta vulnerabilities. Inafanya hivyo kwa kuzifungua APKs na kutumia mfululizo wa sheria kugundua vulnerabilities hizo.
SUPER ni command-line application inayoweza kutumika kwenye Windows, MacOS X na Linux, inayochambua faili za _.apk_ ili kutafuta vulnerabilities. Hii inafanywa kwa kuzipanua APKs na kutekeleza mfululizo wa sheria ili kugundua vulnerabilities hizo.
Sheria zote ziko katika faili ya `rules.json`, na kila kampuni au mtapimaji anaweza kuunda sheria zake za kuchambua wanazohitaji.
Sheria zote zimetengwa katika faili ya `rules.json`, na kila kampuni au mtapimaji anaweza kuunda sheria zake kuchambua wanazohitaji.
Pakua binaries za hivi karibuni kutoka kwenye [download page](https://superanalyzer.rocks/download.html)
Pakua latest binaries kutoka kwenye [download page](https://superanalyzer.rocks/download.html)
```
super-analyzer {apk_file}
```
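Review bot: "Pakua latest binaries kutoka kwenye" leaves "latest binaries" untranslated where the old "binaries za hivi karibuni" was fine, and "kuzipanua APKs" (expanding) replaces "kuzifungua" (unpacking); keep the old wording for both.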
@ -709,9 +713,9 @@ super-analyzer {apk_file}
![](<../../images/image (297).png>)
StaCoAn ni zana ya **crossplatform** inayowawezesha waendelezaji, bugbounty hunters na ethical hackers kufanya [static code analysis](https://en.wikipedia.org/wiki/Static_program_analysis) kwenye programu za rununu.
StaCoAn ni zana ya **crossplatform** inayowasaidia developers, bugbounty hunters na ethical hackers kufanya [static code analysis](https://en.wikipedia.org/wiki/Static_program_analysis) kwenye mobile applications.
Dhana ni kwamba unaburuta na kuachia faili ya programu yako ya rununu (faili .apk au .ipa) kwenye application ya StaCoAn na itatengeneza ripoti ya kuona na inayoweza kubebwa kwako. Unaweza kubadilisha mipangilio na wordlists ili kupata uzoefu uliyobinafsishwa.
Dhana ni kwamba unavuta na kuacha faili ya mobile application yako (.apk au .ipa) kwenye application ya StaCoAn na itaunda ripoti ya kuona na inayobebeka kwako. Unaweza kubinafsisha settings na wordlists ili kupata uzoefu uliobinafsishwa.
Pakua[ latest release](https://github.com/vincentcox/StaCoAn/releases):
```
@ -719,7 +723,7 @@ Pakua[ latest release](https://github.com/vincentcox/StaCoAn/releases):
```
### [AndroBugs](https://github.com/AndroBugs/AndroBugs_Framework)
AndroBugs Framework ni mfumo wa uchambuzi wa udhaifu wa Android unaosaidia waendelezaji au hackers kugundua udhaifu za usalama zinazowezekana katika programu za Android.\
AndroBugs Framework ni mfumo wa uchambuzi wa udhaifu wa Android unaosaidia waendelezaji au hackers kupata udhaifu wa usalama unaowezekana katika programu za Android.\
[Windows releases](https://github.com/AndroBugs/AndroBugs_Framework/releases)
```
python androbugs.py -f [APK file]
@ -727,11 +731,11 @@ androbugs.exe -f [APK file]
```
### [Androwarn](https://github.com/maaaaz/androwarn)
**Androwarn** ni zana ambayo lengo lake kuu ni kugundua na kuwaonya mtumiaji kuhusu tabia hatari zinazoweza kufanywa na Android application.
**Androwarn** ni zana ambayo lengo lake kuu ni kugundua na kuwaonya mtumiaji kuhusu tabia zinazoweza kuwa za hatari zinazotengenezwa na programu ya Android.
Ugundaji hufanywa kwa **static analysis** ya application's Dalvik bytecode, inayowakilishwa kama **Smali**, kwa kutumia maktaba [`androguard`](https://github.com/androguard/androguard).
Ugunduzi hufanywa kwa kutumia **static analysis** ya Dalvik bytecode ya programu, inayowakilishwa kama **Smali**, kwa kutumia maktaba ya [`androguard`](https://github.com/androguard/androguard).
Zana hii inatafuta **common behavior of "bad" applications** like: Telephony identifiers exfiltration, Audio/video flow interception, PIM data modification, Arbitrary code execution...
Zana hii inatafuta **common behavior of "bad" applications** kama: Telephony identifiers exfiltration, Audio/video flow interception, PIM data modification, Arbitrary code execution...
```
python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3
```
@ -739,36 +743,36 @@ python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3
![](<../../images/image (595).png>)
**MARA** is a **M**obile **A**pplication **R**everse engineering and **A**nalysis Framework. Ni chombo kinachoongeza pamoja zana zinazotumika mara kwa mara za mobile application reverse engineering na analysis, kusaidia katika kujaribu mobile applications dhidi ya vitisho vya OWASP mobile security. Lengo lake ni kufanya kazi hii iwe rahisi na rafiki kwa watengenezaji wa mobile application na wataalamu wa usalama.
**MARA** ni Mobile Application Reverse engineering and Analysis Framework. Ni chombo kinachokusanya zana zinazotumika mara kwa mara za mobile application reverse engineering na analysis, kusaidia katika testing mobile applications dhidi ya OWASP mobile security threats. Lengo lake ni kufanya kazi hii iwe rahisi na rafiki kwa mobile application developers na security professionals.
Ina uwezo wa:
Inaweza:
- Kutoa msimbo wa Java na Smali kwa kutumia zana mbalimbali
- Kuchambua APKs using: [smalisca](https://github.com/dorneanu/smalisca), [ClassyShark](https://github.com/google/android-classyshark), [androbugs](https://github.com/AndroBugs/AndroBugs_Framework), [androwarn](https://github.com/maaaaz/androwarn), [APKiD](https://github.com/rednaga/APKiD)
- Kutoa taarifa za kibinafsi kutoka kwenye APK kwa kutumia regexps.
- Kuchambua Manifest.
- Kuchambua domain zilizopatikana using: [pyssltest](https://github.com/moheshmohan/pyssltest), [testssl](https://github.com/drwetter/testssl.sh) and [whatweb](https://github.com/urbanadventurer/WhatWeb)
- Kuondoa obfuscation ya APK kupitia [apk-deguard.com]
- Extract Java and Smali code using different tools
- Analyze APKs using: [smalisca](https://github.com/dorneanu/smalisca), [ClassyShark](https://github.com/google/android-classyshark), [androbugs](https://github.com/AndroBugs/AndroBugs_Framework), [androwarn](https://github.com/maaaaz/androwarn), [APKiD](https://github.com/rednaga/APKiD)
- Extract private information from the APK using regexps.
- Analyze the Manifest.
- Analyze found domains using: [pyssltest](https://github.com/moheshmohan/pyssltest), [testssl](https://github.com/drwetter/testssl.sh) and [whatweb](https://github.com/urbanadventurer/WhatWeb)
- Deobfuscate APK via [apk-deguard.com](http://www.apk-deguard.com)
### Koodous
Inafaa kugundua malware: [https://koodous.com/](https://koodous.com/)
Useful to detect malware: [https://koodous.com/](https://koodous.com)
## Kuficha/Kuondoa kuficha msimbo
## Obfuscating/Deobfuscating code
Kumbuka kwamba, kulingana na huduma na usanidi unayotumia kuficha msimbo, siri zinaweza kufichwa au zisifichwe.
Kumbuka kwamba, kutegemea huduma na usanidi unaotumia kuobfuscate code, Secrets huenda zikabaki obfuscated au la.
### [ProGuard](<https://en.wikipedia.org/wiki/ProGuard_(software)>)
From [Wikipedia](<https://en.wikipedia.org/wiki/ProGuard_(software)>): **ProGuard** ni zana ya open source ya command-line inayopunguza, kuboresha na kuficha Java code. Ina uwezo wa kuboresha bytecode pamoja na kugundua na kuondoa maagizo yasiyotumika. ProGuard ni programu huria na inasambazwa chini ya GNU General Public License, version 2.
From [Wikipedia](<https://en.wikipedia.org/wiki/ProGuard_(software)>): **ProGuard** is an open source command-line tool that shrinks, optimizes and obfuscates Java code. It is able to optimize bytecode as well as detect and remove unused instructions. ProGuard is free software and is distributed under the GNU General Public License, version 2.
ProGuard inatolewa kama sehemu ya Android SDK na inafanya kazi wakati wa kujenga application katika release mode.
ProGuard is distributed as part of the Android SDK and runs when building the application in release mode.
### [DexGuard](https://www.guardsquare.com/dexguard)
Pata mwongozo hatua kwa hatua wa ku-deobfuscate apk katika [https://blog.lexfo.fr/dexguard.html](https://blog.lexfo.fr/dexguard.html)
Find a step-by-step guide to deobfuscate the apk in [https://blog.lexfo.fr/dexguard.html](https://blog.lexfo.fr/dexguard.html)
(From that guide) Mara ya mwisho tulipoangalia, mode ya uendeshaji wa Dexguard ilikuwa:
(Kutoka katika mwongozo huo) Mara ya mwisho tulipoangalia, Dexguard mode of operation ilikuwa:
- load a resource as an InputStream;
- feed the result to a class inheriting from FilterInputStream to decrypt it;
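Review bot: the MARA capability list, the Koodous line, the "## Obfuscating/Deobfuscating code" heading, both ProGuard paragraphs and the DexGuard line all revert from Swahili to English ("Extract Java and Smali code using different tools" replaces "Kutoa msimbo wa Java na Smali kwa kutumia zana mbalimbali", and so on); only the link fix "[apk-deguard.com](http://www.apk-deguard.com)" for the bare "[apk-deguard.com]" should be kept, applied to the Swahili bullet. The new "kutegemea huduma na usanidi unaotumia kuobfuscate code, Secrets huenda zikabaki obfuscated au la" also capitalises "Secrets" mid-sentence and reads worse than the old "siri zinaweza kufichwa au zisifichwe".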
@ -780,31 +784,31 @@ Pata mwongozo hatua kwa hatua wa ku-deobfuscate apk katika [https://blog.lexfo.f
**DeGuard reverses the process of obfuscation performed by Android obfuscation tools. This enables numerous security analyses, including code inspection and predicting libraries.**
Unaweza kupakia APK iliyofichwa kwenda kwenye platform yao.
You can upload an obfuscated APK to their platform.
### [Deobfuscate android App]https://github.com/In3tinct/deobfuscate-android-app
Hii ni zana ya LLM ya kutafuta udhaifu wowote wa usalama katika android apps na ku-deobfuscate android app code. Inatumia Google's Gemini public API.
This is a LLM tool to find any potential security vulnerabilities in android apps and deobfuscate android app code. Uses Google's Gemini public API.
### [Simplify](https://github.com/CalebFenton/simplify)
Ni generic android deobfuscator. Simplify virtually executes an app ili kuelewa mienendo yake kisha inajaribu optimize the code ili iitende sawa lakini iwe rahisi kwa binadamu kuelewa. Kila aina ya optimization ni rahisi na generic, hivyo haijalishi aina maalum ya obfuscation inayotumiwa.
It is a **generic android deobfuscator.** Simplify **virtually executes an app** to understand its behavior and then **tries to optimize the code** so it behaves identically but is easier for a human to understand. Each optimization type is simple and generic, so it doesn't matter what the specific type of obfuscation is used.
### [APKiD](https://github.com/rednaga/APKiD)
APKiD inakupa taarifa kuhusu **how an APK was made**. Inatambua many **compilers**, **packers**, **obfuscators**, na mambo mengine ya ajabu. Ni [_PEiD_](https://www.aldeid.com/wiki/PEiD) kwa Android.
APKiD gives you information about **how an APK was made**. It identifies many **compilers**, **packers**, **obfuscators**, and other weird stuff. It's [_PEiD_](https://www.aldeid.com/wiki/PEiD) for Android.
### Manual
[Read this tutorial to learn some tricks on **how to reverse custom obfuscation**](manual-deobfuscation.md)
## Maabara
## Labs
### [Androl4b](https://github.com/sh4hin/Androl4b)
AndroL4b ni Android security virtual machine inayotokana na ubuntu-mate inayojumuisha mkusanyiko wa latest framework, tutorials na labs kutoka kwa security geeks na researchers mbalimbali kwa reverse engineering na malware analysis.
AndroL4b ni Android security virtual machine based on ubuntu-mate, inajumuisha mkusanyiko wa latest framework, tutorials na labs kutoka kwa different security geeks na researchers kwa reverse engineering na malware analysis.
## Marejeo
## References
- [https://owasp.org/www-project-mobile-app-security/](https://owasp.org/www-project-mobile-app-security/)
- [https://appsecwiki.com/#/](https://appsecwiki.com/#/) Ni orodha nzuri ya rasilimali
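Review bot: same un-translation pattern here: "You can upload an obfuscated APK to their platform.", "This is a LLM tool ...", the Simplify and APKiD paragraphs, "## Labs" and "## References" replace existing Swahili lines ("Unaweza kupakia APK iliyofichwa ...", "## Maabara", "## Marejeo"); restore them. While here, the unchanged heading "### [Deobfuscate android App]https://github.com/In3tinct/deobfuscate-android-app" is a broken markdown link (the URL is not wrapped in parentheses) and could be fixed in this commit.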
@ -815,8 +819,9 @@ AndroL4b ni Android security virtual machine inayotokana na ubuntu-mate inayojum
- [SSLPinDetect: Advanced SSL Pinning Detection for Android Security Analysis](https://petruknisme.medium.com/sslpindetect-advanced-ssl-pinning-detection-for-android-security-analysis-1390e9eca097)
- [SSLPinDetect GitHub](https://github.com/aancw/SSLPinDetect)
- [smali-sslpin-patterns](https://github.com/aancw/smali-sslpin-patterns)
- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
## Bado kujaribu
## Yet to try
- [https://www.vegabird.com/yaazhini/](https://www.vegabird.com/yaazhini/)
- [https://github.com/abhi-r3v0/Adhrit](https://github.com/abhi-r3v0/Adhrit)
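Review bot: "## Yet to try" replaces the Swahili "## Bado kujaribu" and should be reverted; the only change that belongs in this hunk is the added reference line "Build a Repeatable Android Bug Bounty Lab ...".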
View File
@ -2,14 +2,14 @@
{{#include ../../banners/hacktricks-training.md}}
Ukurasa huu unaonyesha mtiririko wa vitendo wa kurudisha uwezo wa dynamic analysis dhidi ya Android apps zinazogundua/rootblock instrumentation au kutekeleza TLS pinning. Unalenga triage ya haraka, ugunduzi wa kawaida, na hooks/tactics zinazoweza kunakilinakubandika ili kuzivuka bila repacking inapowezekana.
Ukurasa huu unatoa mtiririko wa vitendo ili kupata tena dynamic analysis dhidi ya apps za Android zinazotambua au kuzuia instrumentation kwa sababu ya root, au kushikilia TLS pinning. Unalenga triage ya haraka, utambuzi wa kawaida, na copypasteable hooks/tactics za kuzipitisha bila ku-repack inapowezekana.
## Detection Surface (what apps check)
## Detection Surface (ambacho apps zinakagua)
- Root checks: su binary, Magisk paths, getprop values, common root packages
- Frida/debugger checks (Java): Debug.isDebuggerConnected(), ActivityManager.getRunningAppProcesses(), getRunningServices(), scanning /proc, classpath, loaded libs
- Native antidebug: ptrace(), syscalls, antiattach, breakpoints, inline hooks
- Early init checks: Application.onCreate() or process start hooks that crash if instrumentation is present
- Ukaguzi wa root: su binary, Magisk paths, getprop values, common root packages
- Uhakiki wa Frida/debugger (Java): Debug.isDebuggerConnected(), ActivityManager.getRunningAppProcesses(), getRunningServices(), scanning /proc, classpath, loaded libs
- Antidebug ya native: ptrace(), syscalls, antiattach, breakpoints, inline hooks
- Ukaguzi wa init mapema: Application.onCreate() or process start hooks ambazo hu-crash ikiwa instrumentation ipo
- TLS pinning: custom TrustManager/HostnameVerifier, OkHttp CertificatePinner, Conscrypt pinning, native pins
## Step 1 — Quick win: hide root with Magisk DenyList
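Review bot: the rewritten intro "apps za Android zinazotambua au kuzuia instrumentation kwa sababu ya root, au kushikilia TLS pinning" changes the meaning: "kuzuia instrumentation kwa sababu ya root" reads as "block instrumentation because of root" and "kushikilia TLS pinning" as "hold TLS pinning", whereas the old "zinazogundua/rootblock instrumentation au kutekeleza TLS pinning" kept "enforce"; suggest "zinazogundua au kuzuia instrumentation kwa root, au zinazotekeleza TLS pinning". In the bullet list, "Application.onCreate() or process start hooks ambazo hu-crash" leaves "or" untranslated ("au").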
@ -18,14 +18,14 @@ Ukurasa huu unaonyesha mtiririko wa vitendo wa kurudisha uwezo wa dynamic analys
- Enable DenyList, add the target package
- Reboot and retest
Programu nyingi zinatafuta tu viashiria vya wazi (su/Magisk paths/getprop). DenyList mara nyingi huondoa ukaguzi wa aina hiyo.
Apps nyingi hutafuta tu viashiria vinavyoonekana (su/Magisk paths/getprop). DenyList mara nyingi hu-neutralize ukaguzi wa kijana.
References:
- Magisk (Zygisk & DenyList): https://github.com/topjohnwu/Magisk
## Step 2 — 30second Frida Codeshare tests
Try common dropin scripts before deep diving:
Jaribu scripts za dropin za kawaida kabla ya kuchimba kwa undani:
- anti-root-bypass.js
- anti-frida-detection.js
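Review bot: "DenyList mara nyingi hu-neutralize ukaguzi wa kijana" is a mistranslation: "kijana" means a young person, so the line reads "neutralizes the youth's checks"; the old "DenyList mara nyingi huondoa ukaguzi wa aina hiyo" (removes checks of that kind) matched the preceding sentence about su/Magisk paths/getprop indicators. "viashiria vinavyoonekana" (visible indicators) also weakens the old "viashiria vya wazi" (obvious indicators).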
@ -35,42 +35,59 @@ Example:
```bash
frida -U -f com.example.app -l anti-frida-detection.js
```
Hizi kwa kawaida hufanya stub Java root/debug checks, process/service scans, na native ptrace(). Zinasaidia kwenye apps zenye ulinzi mdogo; hardened targets zinaweza kuhitaji tailored hooks.
Hizi kwa kawaida huwa stub Java root/debug checks, process/service scans, na native ptrace(). Zinatumika kwenye apps zenye ulinzi mdogo; malengo yaliyoimarishwa yanaweza kuhitaji hooks maalum.
- Codeshare: https://codeshare.frida.re/
## Otomatisha na Medusa (Frida framework)
Medusa inatoa moduli 90+ tayari kwa ajili ya SSL unpinning, root/emulator detection bypass, HTTP comms logging, crypto key interception, na zaidi.
```bash
git clone https://github.com/Ch0pin/medusa
cd medusa
pip install -r requirements.txt
python medusa.py
# Example interactive workflow
show categories
use http_communications/multiple_unpinner
use root_detection/universal_root_detection_bypass
run com.target.app
```
Vidokezo: Medusa ni nzuri kwa kupata faida za haraka kabla ya kuandika custom hooks. Unaweza pia cherry-pick modules na kuzichanganya na scripts zako.
## Hatua 3 — Bypass init-time detectors by attaching late
Ugundaji mwingi hufanywa tu wakati wa process spawn/onCreate(). Spawntime injection (-f) au gadgets hupatikana; kuambatisha baada UI inapopakua kunaweza kupita bila kugunduliwa.
Ugunduzi mwingi hufanyika tu wakati wa process spawn/onCreate(). Spawntime injection (-f) au gadgets hugunduliwa; kuambatisha baada UI inapopakia kunaweza kupita bila kugunduliwa.
```bash
# Launch the app normally (launcher/adb), wait for UI, then attach
frida -U -n com.example.app
# Or with Objection to attach to running process
aobjection --gadget com.example.app explore # if using gadget
```
Ikiwa hii itafanya kazi, weka kikao thabiti na endelea na kukagua ramani na stub.
Ikiwa hili litafanya kazi, weka session kuwa thabiti na endelea na map and stub checks.
## Hatua 4 — Ramani mantiki ya utambuzi kupitia Jadx na kutafuta strings
## Hatua 4 — Ramani mantiki ya utambuzi kupitia Jadx na string hunting
Static triage keywords in Jadx:
- "frida", "gum", "root", "magisk", "ptrace", "su", "getprop", "debugger"
Typical Java patterns:
Mifano ya kawaida ya Java:
```java
public boolean isFridaDetected() {
return getRunningServices().contains("frida");
}
```
API za kawaida za kukagua/hook:
APIs za kawaida za kukagua/hook:
- android.os.Debug.isDebuggerConnected
- android.app.ActivityManager.getRunningAppProcesses / getRunningServices
- java.lang.System.loadLibrary / System.load (daraja la asili)
- java.lang.Runtime.exec / ProcessBuilder (amri za kuchunguza)
- android.os.SystemProperties.get (heuristics za root/emulator)
- java.lang.System.loadLibrary / System.load (native bridge)
- java.lang.Runtime.exec / ProcessBuilder (probing commands)
- android.os.SystemProperties.get (root/emulator heuristics)
## Hatua 5 — Runtime stubbing na Frida (Java)
## Hatua 5 — Uundaji wa stub wakati wa runtime na Frida (Java)
Rekebisha custom guards ili zirudishe thamani salama bila repacking:
Badilisha vidhibiti maalum ili kurudisha thamani salama bila repacking:
```js
Java.perform(() => {
const Checks = Java.use('com.example.security.Checks');
@ -85,7 +102,7 @@ const AM = Java.use('android.app.ActivityManager');
AM.getRunningAppProcesses.implementation = function () { return java.util.Collections.emptyList(); };
});
```
Triaging early crashes? Dump classes tu kabla inakufa ili kugundua detection namespaces zinazowezekana:
Unapochambua crashes mapema? Dump classes tu kabla inavyokufa ili kugundua namespaces zinazoweza kuwa za utambuzi:
```js
Java.perform(() => {
Java.enumerateLoadedClasses({
@ -94,7 +111,15 @@ onComplete: () => console.log('Done')
});
});
```
Log na kulemaza mbinu zenye shaka ili kuthibitisha mtiririko wa utekelezaji:
// Quick root detection stub example (adapt to target package/class names)
Java.perform(() => {
try {
const RootChecker = Java.use('com.target.security.RootCheck');
RootChecker.isDeviceRooted.implementation = function () { return false; };
} catch (e) {}
});
Log na fanya methods zinazoshukiwa zisifanye kazi ili kuthibitisha mtiririko wa utekelezaji:
```js
Java.perform(() => {
const Det = Java.use('com.example.security.DetectionManager');
@ -104,13 +129,53 @@ return false;
};
});
```
## Hatua 6 — Fuata nyayo za JNI/native wakati Java hooks zinashindwa
## Bypass emulator/VM detection (Java stubs)
Rambua JNI entry points ili kupata native loaders na detection init:
Kanuni za kawaida: Build.FINGERPRINT/MODEL/MANUFACTURER/HARDWARE zikiwa na generic/goldfish/ranchu/sdk; alama za QEMU kama /dev/qemu_pipe, /dev/socket/qemud; MAC ya default 02:00:00:00:00:00; 10.0.2.x NAT; ukosefu wa telephony/sensors.
Spoof ya haraka ya Build fields:
```js
Java.perform(function(){
var Build = Java.use('android.os.Build');
Build.MODEL.value = 'Pixel 7 Pro';
Build.MANUFACTURER.value = 'Google';
Build.BRAND.value = 'google';
Build.FINGERPRINT.value = 'google/panther/panther:14/UP1A.231105.003/1234567:user/release-keys';
});
```
Ongeza stubs kwa ukaguzi wa kuwepo kwa faili na vitambulisho (TelephonyManager.getDeviceId/SubscriberId, WifiInfo.getMacAddress, SensorManager.getSensorList) ili kurudisha thamani za kweli.
## SSL pinning bypass quick hook (Java)
Tawanya TrustManagers maalum na kulazimisha SSL contexts zinazoruhusu:
```js
Java.perform(function(){
var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
var SSLContext = Java.use('javax.net.ssl.SSLContext');
// No-op validations
X509TrustManager.checkClientTrusted.implementation = function(){ };
X509TrustManager.checkServerTrusted.implementation = function(){ };
// Force permissive TrustManagers
var TrustManagers = [ X509TrustManager.$new() ];
var SSLContextInit = SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;','[Ljavax.net.ssl.TrustManager;','java.security.SecureRandom');
SSLContextInit.implementation = function(km, tm, sr){
return SSLContextInit.call(this, km, TrustManagers, sr);
};
});
```
Vidokezo
- Panua kwa OkHttp: hook okhttp3.CertificatePinner na HostnameVerifier kama inahitajika, au tumia script ya unpinning kutoka CodeShare.
- Mfano wa kuendesha: `frida -U -f com.target.app -l ssl-bypass.js --no-pause`
## Hatua 6 — Fuata mnyororo wa JNI/native wakati Java hooks zinaposhindwa
Fuata entry points za JNI ili kubaini native loaders na detection init:
```bash
frida-trace -n com.example.app -i "JNI_OnLoad"
```
Triage ya haraka ya native ya faili za .so zilizoambatanishwa:
Tathmini ya haraka ya native ya faili za .so zilizojumuishwa:
```bash
# List exported symbols & JNI
nm -D libfoo.so | head
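Review bot: the `## SSL pinning bypass quick hook (Java)` block added in this hunk does not run as written: `javax.net.ssl.X509TrustManager` is an interface, so `X509TrustManager.$new()` throws (an interface cannot be instantiated), and assigning `.implementation` on its abstract `checkClientTrusted` / `checkServerTrusted` methods does not replace the concrete implementations the app actually uses. Either implement the interface with `Java.registerClass(...)` and pass that instance to `SSLContext.init`, hook a concrete TrustManager class, or simply point readers at the CodeShare unpinning script the notes under the block already mention. Two smaller things in the same hunk: the `// Quick root detection stub example ...` snippet between the two `Log na ...` sentences is not inside a ```js fence, so it renders as plain text; and the command `aobjection --gadget com.example.app explore` has a stray leading `a` (it should be `objection`).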
@ -121,7 +186,7 @@ Interactive/native reversing:
- Ghidra: https://ghidra-sre.org/
- r2frida: https://github.com/nowsecure/r2frida
Mfano: kudhoofisha ptrace ili kushinda antidebug rahisi katika libc:
Mfano: kuondoa ptrace ili kuishinda antidebug rahisi katika libc:
```js
const ptrace = Module.findExportByName(null, 'ptrace');
if (ptrace) {
@ -135,28 +200,30 @@ Angalia pia:
reversing-native-libraries.md
{{#endref}}
## Step 7 — Objection patching (embed gadget / strip basics)
## Hatua 7 — Objection patching (embed gadget / strip basics)
Unapopendelea repacking kuliko runtime hooks, jaribu:
Ikiwa unapendelea repacking kuliko runtime hooks, jaribu:
```bash
objection patchapk --source app.apk
```
Vidokezo:
- Inahitaji apktool; hakikisha toleo la hivi karibuni kutoka kwenye mwongozo rasmi ili kuepuka matatizo ya kujenga: https://apktool.org/docs/install
- Inahitaji apktool; hakikisha toleo la sasa kutoka kwenye mwongozo rasmi ili kuepuka matatizo ya ujenzi: https://apktool.org/docs/install
- Gadget injection inaruhusu instrumentation bila root lakini bado inaweza kugunduliwa na stronger inittime checks.
Marejeo:
Hiari, ongeza LSPosed modules na Shamiko kwa stronger root hiding katika mazingira ya Zygisk, na andaa DenyList ili kufunika child processes.
Marejeleo:
- Objection: https://github.com/sensepost/objection
## Hatua 8 — Njia mbadala: Rekebisha TLS pinning kwa uonekano wa mtandao
## Hatua 8 — Njia mbadala: Rekebisha TLS pinning kwa muonekano wa mtandao
Ikiwa instrumentation imezuiwa, bado unaweza kuchunguza trafiki kwa kuondoa pinning kwa njia ya static:
```bash
apk-mitm app.apk
# Then install the patched APK and proxy via Burp/mitmproxy
```
- Chombo: https://github.com/shroudedcode/apk-mitm
- Kwa usanidi wa mtandao na mbinu za CAtrust (na Android 7+ user CA trust), angalia:
- Zana: https://github.com/shroudedcode/apk-mitm
- Kwa ujanja wa CAtrust katika usanidi wa mtandao (na user CA trust ya Android 7+), angalia:
{{#ref}}
make-apk-accept-ca-certificate.md
@ -166,7 +233,7 @@ make-apk-accept-ca-certificate.md
install-burp-certificate.md
{{#endref}}
## Orodha ya haraka ya amri muhimu
## Mwongozo mfupi wa amri muhimu
```bash
# List processes and attach
frida-ps -Uai
@ -184,14 +251,14 @@ objection --gadget com.example.app explore
# Static TLS pinning removal
apk-mitm app.apk
```
## Vidokezo na Tahadhari
## Vidokezo na tahadhari
- Pendelea attaching baadaye badala ya spawning wakati apps zinapo crash at launch
- Baadhi ya detections zinafanya rerun katika critical flows (mfano, payment, auth) — weka hooks zikifanya kazi wakati wa navigation
- Changanya static na dynamic: string hunt katika Jadx ili kupunguza classes; kisha hook methods kuthibitisha at runtime
- Pendelea attaching baadaye badala ya spawning wakati apps zinapo-crash wakati wa launch
- Baadhi ya detections zinafanyika tena katika critical flows (e.g., payment, auth) — keep hooks active during navigation
- Changanya static na dynamic: string hunt katika Jadx ili kupunguza classes kwenye shortlist; kisha hook methods ili kuthibitisha wakati wa runtime
- Hardened apps zinaweza kutumia packers na native TLS pinning — tarajia ku-reverse native code
## Marejeo
## References
- [Reversing Android Apps: Bypassing Detection Like a Pro](https://www.kayssel.com/newsletter/issue-12/)
- [Frida Codeshare](https://codeshare.frida.re/)
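Review bot: the heading `## Marejeo` is replaced by `## References` here, while earlier in this same file `Marejeo:` is changed to `Marejeleo:`; pick one Swahili form (`Marejeleo`) for both rather than reverting one of them to English. The bullet `Baadhi ya detections zinafanyika tena katika critical flows (e.g., payment, auth) ... keep hooks active during navigation` also leaves its second half untranslated.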
@ -202,5 +269,7 @@ apk-mitm app.apk
- [r2frida](https://github.com/nowsecure/r2frida)
- [Apktool install guide](https://apktool.org/docs/install)
- [Magisk](https://github.com/topjohnwu/Magisk)
- [Medusa (Android Frida framework)](https://github.com/Ch0pin/medusa)
- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
{{#include ../../banners/hacktricks-training.md}}

View File

@ -2,23 +2,23 @@
{{#include ../../banners/hacktricks-training.md}}
Asante sana kwa [**@offsecjay**](https://twitter.com/offsecjay) kwa msaada wake wakati wa kuunda maudhui haya.
Asante sana kwa [**@offsecjay**](https://twitter.com/offsecjay) kwa msaada wake wakati wa kuunda yaliyomo haya.
## Nini ni
## Nini
Android Studio inaruhusu **kufanya kazi na mashine za virtual za Android ambazo unaweza kutumia kujaribu APKs**. Ili kuzitumia utahitaji:
Android Studio inaruhusu **kuendesha mashine pepe za Android ambazo unaweza kuzitumia kujaribu APKs**. Ili kuzitumia utahitaji:
- **Zana za Android SDK** - [Pakua hapa](https://developer.android.com/studio/releases/sdk-tools).
- Au **Android Studio** (pamoja na zana za Android SDK) - [Pakua hapa](https://developer.android.com/studio).
- The **Android SDK tools** - [Download here](https://developer.android.com/studio/releases/sdk-tools).
- Au **Android Studio** (with Android SDK tools) - [Download here](https://developer.android.com/studio).
Katika Windows (katika kesi yangu) **baada ya kufunga Android Studio** nilikuwa na **Zana za SDK zilizofungwa katika**: `C:\Users\<UserName>\AppData\Local\Android\Sdk\tools`
Katika Windows (kwangu) **baada ya kusakinisha Android Studio** nilikuwa na **SDK Tools zimesakinishwa katika**: `C:\Users\<UserName>\AppData\Local\Android\Sdk\tools`
Katika mac unaweza **kupakua zana za SDK** na kuwa nazo katika PATH ukifanya:
Kwenye mac unaweza **download the SDK tools** na kuwa nazo kwenye PATH kwa kukimbia:
```bash
brew tap homebrew/cask
brew install --cask android-sdk
```
Au kutoka **Android Studio GUI** kama ilivyoonyeshwa katika [https://stackoverflow.com/questions/46402772/failed-to-install-android-sdk-java-lang-noclassdeffounderror-javax-xml-bind-a](https://stackoverflow.com/questions/46402772/failed-to-install-android-sdk-java-lang-noclassdeffounderror-javax-xml-bind-a) ambayo itawaweka katika `~/Library/Android/sdk/cmdline-tools/latest/bin/` na `~/Library/Android/sdk/platform-tools/` na `~/Library/Android/sdk/emulator/`
Au kutoka kwa **Android Studio GUI** kama ilivyoonyeshwa katika [https://stackoverflow.com/questions/46402772/failed-to-install-android-sdk-java-lang-noclassdeffounderror-javax-xml-bind-a](https://stackoverflow.com/questions/46402772/failed-to-install-android-sdk-java-lang-noclassdeffounderror-javax-xml-bind-a) ambayo itaweka hizo katika `~/Library/Android/sdk/cmdline-tools/latest/bin/` na `~/Library/Android/sdk/platform-tools/` na `~/Library/Android/sdk/emulator/`
Kwa matatizo ya Java:
```java
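Review bot: `## Nini` as the translation of the replaced `## Nini ni` heading ("What is") drops the verb and reads as a bare "What"; `## Ni nini` is the natural form. In `kuwa nazo kwenye PATH kwa kukimbia:`, `kukimbia` is physical running; the rest of this file uses `kuendesha` / `endesha` for running a command, so use that here too. The two list items `- The **Android SDK tools** ...` and `- Au **Android Studio** (with Android SDK tools) ...` swap previously translated text back to English. Unrelated to the translation but visible in the context: the fence around `export JAVA_HOME=...` is tagged ```java although the content is shell; `bash` would match the other blocks in this file.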
@ -26,9 +26,9 @@ export JAVA_HOME=/Applications/Android\ Studio.app/Contents/jbr/Contents/Home
```
## GUI
### Andaa Mashine Halisi
### Andaa Virtual Machine
Ikiwa umeinstall Android Studio, unaweza tu kufungua mtazamo wa mradi mkuu na kufikia: _**Tools**_ --> _**AVD Manager.**_
Ikiwa umeweka Android Studio, unaweza kufungua tu muonekano mkuu wa mradi na kufikia: _**Tools**_ --> _**AVD Manager.**_
<div align="center" data-full-width="false">
@ -43,31 +43,31 @@ Kisha, bonyeza _**Create Virtual Device**_
_**chagua** simu unayotaka kutumia_ na bonyeza _**Next.**_
> [!WARNING]
> Ikiwa unahitaji simu yenye Play Store imewekwa chagua moja yenye ikoni ya Play Store!
> Ikiwa unahitaji simu yenye Play Store imewekwa chagua ile yenye ikoni ya Play Store!
>
> <img src="../../images/image (1144).png" alt="" data-size="original">
Katika mtazamo wa sasa utaweza **kuchagua na kupakua picha ya Android** ambayo simu itakimbia:
Katika muonekano wa sasa utaweza **kuchagua na kupakua Android image** ambayo simu itaendesha:
<figure><img src="../../images/image (1145).png" alt="" width="375"><figcaption></figcaption></figure>
Hivyo, chagua na ikiwa haijapakuliwa bonyeza alama ya _**Download**_ iliyo karibu na jina (**sasa subiri hadi picha ipakuliwe).**\
Mara picha inapopakuliwa, chagua tu **`Next`** na **`Finish`**.
Hivyo, chagua hiyo na kama haijapakuliwa bonyeza alama ya _**Download**_ kando ya jina (**sasa subiri hadi image inapakuliwa).**\
Mara image inapopakuliwa, chagua tu **`Next`** na **`Finish`**.
Mashine halisi itaundwa. Sasa **kila wakati unapoingia AVD manager itakuwa ipo**.
Mashine pepe itaundwa. Sasa **kila mara unapoingia AVD Manager itakuwa pale**.
### Endesha Mashine Halisi
### Endesha Virtual Machine
Ili **kuendesha** bonyeza tu _**Start button**_.
![](<../../images/image (518).png>)
## Zana ya Mstari wa Amri
## Zana ya Command Line
> [!WARNING]
> Kwa macOS unaweza kupata zana ya `avdmanager` katika `/Users/<username>/Library/Android/sdk/tools/bin/avdmanager` na `emulator` katika `/Users/<username>/Library/Android/sdk/emulator/emulator` ikiwa umeziinstall.
> Kwa macOS unaweza kupata chombo `avdmanager` katika `/Users/<username>/Library/Android/sdk/tools/bin/avdmanager` na `emulator` katika `/Users/<username>/Library/Android/sdk/emulator/emulator` ikiwa umeziweka.
Kwanza kabisa unahitaji **kuamua ni simu ipi unayotaka kutumia**, ili kuona orodha ya simu zinazowezekana tekeleza:
Kwanza kabisa unahitaji **kuamua ni simu gani unayotaka kutumia**, ili kuona orodha ya simu zinazowezekana endesha:
```
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat list device
@ -95,8 +95,8 @@ Name: Nexus 10
OEM : Google
[...]
```
Mara tu umeamua jina la kifaa unachotaka kutumia, unahitaji **kuamua picha ipi ya Android unayotaka kuendesha katika kifaa hiki.**\
Unaweza kuorodhesha chaguzi zote kwa kutumia `sdkmanager`:
Mara tu unapochagua jina la kifaa unayotaka kutumia, unahitaji **kuamua ni Android image gani unayotaka kuendesha kwenye kifaa hiki.**\
Unaweza kuorodhesha chaguzi zote ukitumia `sdkmanager`:
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\sdkmanager.bat --list
```
@ -104,7 +104,7 @@ Na **pakua** ile (au zote) unayotaka kutumia na:
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\sdkmanager.bat "platforms;android-28" "system-images;android-28;google_apis;x86_64"
```
Mara tu umepakua picha ya Android unayotaka kutumia unaweza **kuorodhesha picha zote za Android zilizopakuliwa** kwa:
Mara baada ya kupakua image ya Android unayotaka kutumia, unaweza **kuorodhesha picha zote za Android ulizopakua** kwa:
```
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat list target
----------
@ -120,12 +120,12 @@ Type: Platform
API level: 29
Revision: 4
```
Katika wakati huu umekamua kifaa unachotaka kutumia na umepakua picha ya Android, hivyo **unaweza kuunda mashine ya virtual kwa kutumia**:
Kwa wakati huu umeamua kifaa unachotaka kutumia na umepakua picha ya Android, hivyo **unaweza kuunda mashine pepe ukitumia**:
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat -v create avd -k "system-images;android-28;google_apis;x86_64" -n "AVD9" -d "Nexus 5X"
```
Katika amri ya mwisho **niliumba VM inayoitwa** "_AVD9_" kwa kutumia **kifaa** "_Nexus 5X_" na **picha ya Android** "_system-images;android-28;google_apis;x86_64_".\
Sasa unaweza **orodhesha mashine za virtual** ulizoziumba kwa:
Katika amri iliyopita **nilitengeneza VM iliyoitwa** "_AVD9_" kwa kutumia **kifaa** "_Nexus 5X_" na **Android image** "_system-images;android-28;google_apis;x86_64_".\
Sasa unaweza **kuorodhesha virtual machines** ulizozitengeneza kwa:
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat list avd
@ -140,75 +140,131 @@ Name: Pixel_2_API_27
Path: C:\Users\cpolo\.android\avd\Pixel_2_API_27_1.avd
Error: Google pixel_2 no longer exists as a device
```
### Run Virtual Machine
### Endesha Virtual Machine
> [!WARNING]
> Kwa macOS unaweza kupata zana ya `avdmanager` katika `/Users/<username>/Library/Android/sdk/tools/bin/avdmanager` na `emulator` katika `/Users/<username>/Library/Android/sdk/emulator/emulator` ikiwa umeziweka.
> Kwa macOS unaweza kupata zana `avdmanager` katika `/Users/<username>/Library/Android/sdk/tools/bin/avdmanager` na `emulator` katika `/Users/<username>/Library/Android/sdk/emulator/emulator` ikiwa umeisakinisha.
Tayari tumeona jinsi unavyoweza kuorodhesha mashine za virtual zilizoundwa, lakini **unaweza pia kuziorodhesha ukitumia**:
Tayari tumeona jinsi unavyoweza kuorodhesha virtual machines zilizoundwa, lakini **pia unaweza kuorodhesha kwa kutumia**:
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -list-avds
AVD9
Pixel_2_API_27
```
Unaweza kwa urahisi **kufanya kazi na mashine yoyote ya virtual iliyoundwa** kwa kutumia:
Unaweza kwa urahisi **kuendesha virtual machine yoyote uliyotengeneza** ukitumia:
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -avd "VirtualMachineName"
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9"
```
Au kwa kutumia chaguzi za juu zaidi unaweza kuendesha mashine ya virtual kama:
Au kwa kutumia chaguo zilizoendelea zaidi unaweza kuendesha mashine pepe kama:
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9" -http-proxy 192.168.1.12:8080 -writable-system
```
### Command line options
### Chaguzi za mstari wa amri
Hata hivyo kuna **chaguzi nyingi tofauti za mstari wa amri zinazofaa** ambazo unaweza kutumia kuanzisha mashine ya virtual. Hapa chini unaweza kupata baadhi ya chaguzi za kuvutia lakini unaweza [**kupata orodha kamili hapa**](https://developer.android.com/studio/run/emulator-commandline)
Hata hivyo kuna **chaguzi nyingi tofauti za mstari wa amri zinazofaa** ambazo unaweza kutumia kuanzisha mashine pepe. Hapa chini unaweza kupata baadhi ya chaguzi za kuvutia lakini unaweza [**find a complete list here**](https://developer.android.com/studio/run/emulator-commandline)
**Boot**
**Uanzishaji**
- `-snapshot name` : Anza VM snapshot
- `-snapshot name` : Anzisha snapshot ya VM
- `-snapshot-list -snapstorage ~/.android/avd/Nexus_5X_API_23.avd/snapshots-test.img` : Orodhesha snapshots zote zilizorekodiwa
**Network**
**Mtandao**
- `-dns-server 192.0.2.0, 192.0.2.255` : Ruhusu kuashiria seva za DNS kwa VM kwa kutumia alama ya koma.
- **`-http-proxy 192.168.1.12:8080`** : Ruhusu kuashiria proxy ya HTTP kutumia (inatumika sana kukamata trafiki kwa kutumia Burp)
- Ikiwa mipangilio ya proxy haifanyi kazi kwa sababu fulani, jaribu kuziunda ndani au kutumia programu kama "Super Proxy" au "ProxyDroid".
- `-netdelay 200` : Weka ucheleweshaji wa mtandao katika milisekunde.
- `-port 5556` : Weka nambari ya bandari ya TCP inayotumika kwa console na adb.
- `-ports 5556,5559` : Weka bandari za TCP zinazotumika kwa console na adb.
- **`-tcpdump /path/dumpfile.cap`** : Kamata trafiki yote katika faili
- `-dns-server 192.0.2.0, 192.0.2.255` : Inaruhusu kuonyesha servers za DNS tofauti zilizotenganishwa kwa koma kwa VM.
- **`-http-proxy 192.168.1.12:8080`** : Inaruhusu kuweka HTTP proxy ya kutumia (inayofaa sana kwa kunasa trafiki kwa kutumia Burp)
- If the proxy settings aren't working for some reason, try to configure them internally or using an pplication like "Super Proxy" or "ProxyDroid".
- `-netdelay 200` : Weka uigaji wa ucheleweshaji wa mtandao kwa millisekunde.
- `-port 5556` : Weka nambari ya port ya TCP inayotumika kwa console na adb.
- `-ports 5556,5559` : Weka ports za TCP zinazotumika kwa console na adb.
- **`-tcpdump /path/dumpfile.cap`** : Inakamata trafiki yote kwenye faili
**System**
**Mfumo**
- `-selinux {disabled|permissive}` : Weka moduli ya usalama ya Security-Enhanced Linux kuwa katika hali ya kuzuiwa au ya ruhusa kwenye mfumo wa uendeshaji wa Linux.
- `-timezone Europe/Paris` : Weka eneo la muda kwa kifaa cha virtual
- `-screen {touch(default)|multi-touch|o-touch}` : Weka hali ya skrini ya kugusa iliyosimuliwa.
- **`-writable-system`** : Tumia chaguo hili kuwa na picha ya mfumo inayoweza kuandikwa wakati wa kikao chako cha emulation. Utahitaji pia kukimbia `adb root; adb remount`. Hii ni muhimu sana kufunga cheti kipya katika mfumo.
- `-selinux {disabled|permissive}` : Weka module ya usalama Security-Enhanced Linux katika mode imezimwa au permissive kwenye mfumo wa uendeshaji Linux.
- `-timezone Europe/Paris` : Weka timezone kwa kifaa pepe
- `-screen {touch(default)|multi-touch|o-touch}` : Weka mode ya skrini ya kugusa inayoiga.
- **`-writable-system`** : Tumia chaguo hili kupata image ya mfumo inayoweza kuandikwa wakati wa kikao chako cha emulation. Pia utahitaji kukimbia `adb root; adb remount`. Hili ni muhimu sana kwa kufunga cheti jipya kwenye mfumo.
## Rooting a Play Store device
## Usanidi wa CLI ya Linux (SDK/AVD quickstart)
Ikiwa umepakua kifaa chenye Play Store huwezi kupata root moja kwa moja, na utapata ujumbe huu wa kosa
Vifaa rasmi vya CLI vinafanya iwe rahisi kuunda emulators za haraka na zinazoweza kudebugiwa bila Android Studio.
```bash
# Directory layout
mkdir -p ~/Android/cmdline-tools/latest
# Download commandline tools (Linux)
wget https://dl.google.com/android/repository/commandlinetools-linux-13114758_latest.zip -O /tmp/cmdline-tools.zip
unzip /tmp/cmdline-tools.zip -d ~/Android/cmdline-tools/latest
rm /tmp/cmdline-tools.zip
# Env vars (add to ~/.bashrc or ~/.zshrc)
export ANDROID_HOME=$HOME/Android
export PATH=$ANDROID_HOME/cmdline-tools/latest/bin:$ANDROID_HOME/platform-tools:$ANDROID_HOME/emulator:$PATH
# Install core SDK components
sdkmanager --install "platform-tools" "emulator"
# Install a debuggable x86_64 system image (Android 11 / API 30)
sdkmanager --install "system-images;android-30;google_apis;x86_64"
# Create an AVD and run it with a writable /system & snapshot name
avdmanager create avd -n PixelRootX86 -k "system-images;android-30;google_apis;x86_64" -d "pixel"
emulator -avd PixelRootX86 -writable-system -snapshot PixelRootX86_snap
# Verify root (debuggable images allow `adb root`)
adb root
adb shell whoami # expect: root
```
Vidokezo
- Aina za system image: google_apis (inaweza kudebugiwa, inaruhusu adb root), google_apis_playstore (haiwezi ku-root), aosp/default (nyepesi).
- Aina za build: userdebug mara nyingi huruhusu `adb root` kwenye image zilizo na uwezo wa kudebug. Play Store images ni production builds na huzuia root.
- Kwenye hosts za x86_64, emulation kamili ya ARM64 haitegemelewi kuanzia API 28+. Kwa Android 11+ tumia Google APIs/Play images zinazojumuisha tafsiri ya ARM-to-x86 kwa kila-app ili kuendesha kwa haraka apps nyingi za ARM pekee.
### Snapshots from CLI
```bash
# Save a clean snapshot from the running emulator
adb -s emulator-5554 emu avd snapshot save my_clean_setup
# Boot from a named snapshot (if it exists)
emulator -avd PixelRootX86 -writable-system -snapshot my_clean_setup
```
## Tafsiri ya binary ya ARM→x86 (Android 11+)
Google APIs na Play Store images kwenye Android 11+ zinaweza kutafsiri binaries za app za ARM kwa kila process huku zikihifadhi sehemu nyingine za mfumo kuwa native x86/x86_64. Hii mara nyingi ni ya kutosha kujaribu apps nyingi za ARM-tu kwenye desktop.
Kidokezo: Tumia Google APIs x86/x86_64 images wakati wa pentests. Play images ni rahisi lakini zinazuia `adb root`; zitumie tu unapohitaji Play services na ukubali kukosa root.
## Rooting kifaa cha Play Store
Ikiwa umepakua kifaa chenye Play Store hautaweza kupata root moja kwa moja, na utapata ujumbe huu wa kosa
```
$ adb root
adbd cannot run as root in production builds
```
Kukitumia [rootAVD](https://github.com/newbit1/rootAVD) pamoja na [Magisk](https://github.com/topjohnwu/Magisk) niliweza ku-root. Fuata kwa mfano [**hii video**](https://www.youtube.com/watch?v=Wk0ixxmkzAI) **au** [**hii nyingine**](https://www.youtube.com/watch?v=qQicUW0svB8).
Nikitumia [rootAVD](https://github.com/newbit1/rootAVD) pamoja na [Magisk](https://github.com/topjohnwu/Magisk) niliweza ku-root (fuata kwa mfano [**this video**](https://www.youtube.com/watch?v=Wk0ixxmkzAI) **au** [**this one**](https://www.youtube.com/watch?v=qQicUW0svB8)).
## Sakinisha Cheti cha Burp
## Install Burp Certificate
Angalia ukurasa ufuatao kujifunza jinsi ya kusakinisha cheti maalum cha CA:
Angalia ukurasa ufuatao kujifunza jinsi ya kusakinisha cheti cha CA cha kawaida:
{{#ref}}
install-burp-certificate.md
{{#endref}}
## Chaguzi Nzuri za AVD
## Nice AVD Options
### Chukua Picha
### Take a Snapshot
Unaweza **kutumia GUI** kuchukua picha ya VM wakati wowote:
Unaweza **kutumia GUI** kuchukua snapshot ya VM wakati wowote:
![](<../../images/image (234).png>)
## References
- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
- [Android Emulator command line](https://developer.android.com/studio/run/emulator-commandline)
- [Run ARM apps on the Android Emulator (x86 translation)](https://android-developers.googleblog.com/2020/03/run-arm-apps-on-android-emulator.html)
{{#include ../../banners/hacktricks-training.md}}
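Review bot: in the added `## Usanidi wa CLI ya Linux (SDK/AVD quickstart)` block, `unzip /tmp/cmdline-tools.zip -d ~/Android/cmdline-tools/latest` leaves the tools at `~/Android/cmdline-tools/latest/cmdline-tools/bin`, because the zip contains a top-level `cmdline-tools/` directory, so the exported `PATH=$ANDROID_HOME/cmdline-tools/latest/bin` entry points at a directory that does not exist and `sdkmanager` is not found. Unzip into a temporary directory and move the contents of the extracted `cmdline-tools/` into `latest/`, which is the layout `sdkmanager` expects. Also in this hunk: `using an pplication like "Super Proxy"` has a typo and that bullet is left in English; `kukimbia` before `adb root; adb remount` should be `kuendesha` as elsewhere in the file; and `## Install Burp Certificate`, `## Nice AVD Options` and `### Take a Snapshot` revert translated headings to English.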

View File

@ -1,54 +1,107 @@
# Frida Tutorial
# Mafunzo ya Frida
{{#include ../../../banners/hacktricks-training.md}}
## Installation
## Ufungaji
Sakinisha **frida tools**:
```bash
pip install frida-tools
pip install frida
```
**Pakua na usakinishe** kwenye android **frida server** ([Download the latest release](https://github.com/frida/frida/releases)).\
Mstari mmoja wa kuanzisha adb katika hali ya mizizi, kuungana nayo, kupakia frida-server, kutoa ruhusa za utekelezaji na kuikimbia katika hali ya nyuma:
**Pakua na sakinisha** kwenye Android **frida server** ([Download the latest release](https://github.com/frida/frida/releases)).\
Mstari mmoja wa kuanzisha adb tena kwa root mode, kujiunga nayo, kupakia frida-server, kumpa ruhusa za utekelezaji na kuiendesha kwa background:
```bash
adb root; adb connect localhost:6000; sleep 1; adb push frida-server /data/local/tmp/; adb shell "chmod 755 /data/local/tmp/frida-server"; adb shell "/data/local/tmp/frida-server &"
```
**Angalia** ikiwa inafanya **kazi**:
**Angalia** ikiwa **inafanya kazi**:
```bash
frida-ps -U #List packages and processes
frida-ps -U | grep -i <part_of_the_package_name> #Get all the package name
```
## Frida server vs. Gadget (root vs. no-root)
Njia mbili za kawaida za ku-instrument programu za Android kwa kutumia Frida:
- Frida server (rooted devices): Tuma na endesha daemon asilia inayokuruhusu kuambatisha kwenye mchakato wowote.
- Frida Gadget (no root): Weka Frida kama shared library ndani ya APK na ipakie kiotomatiki ndani ya mchakato lengwa.
Frida server (rooted)
```bash
# Download the matching frida-server binary for your device's arch
# https://github.com/frida/frida/releases
adb root
adb push frida-server-<ver>-android-<arch> /data/local/tmp/frida-server
adb shell chmod 755 /data/local/tmp/frida-server
adb shell /data/local/tmp/frida-server & # run at boot via init/magisk if desired
# From host, list processes and attach
frida-ps -Uai
frida -U -n com.example.app
```
Frida Gadget (no-root)
1) Tenganisha APK, ongeza gadget .so na config:
- Weka libfrida-gadget.so ndani ya lib/<abi>/ (kwa mfano, lib/arm64-v8a/)
- Unda assets/frida-gadget.config na mipangilio yako ya upakiaji wa script
Mfano wa frida-gadget.config
```json
{
"interaction": { "type": "script", "path": "/sdcard/ssl-bypass.js" },
"runtime": { "logFile": "/sdcard/frida-gadget.log" }
}
```
2) Taja/pakia gadget ili ianzishwe mapema:
- Rahisi zaidi: Ongeza stub ndogo ya Java kwa System.loadLibrary("frida-gadget") katika Application.onCreate(), au tumia upakiaji wa maktaba za native uliopo tayari.
3) Repack na saini APK, kisha sakinisha:
```bash
apktool d app.apk -o app_m
# ... add gadget .so and config ...
apktool b app_m -o app_gadget.apk
uber-apk-signer -a app_gadget.apk -o out_signed
adb install -r out_signed/app_gadget-aligned-debugSigned.apk
```
4) Unganisha kutoka host hadi gadget process:
```bash
frida-ps -Uai
frida -U -n com.example.app
```
Vidokezo
- Gadget inatambuliwa na baadhi ya kinga; tunza majina/paths kwa utulivu na zipakwe mwishoni/kwa masharti ikiwa inahitajika.
- Kwa apps zilizo hardened, pendelea rooted testing na server + late attach, au unganisha na Magisk/Zygisk hiding.
## Mafunzo
### [Mafunzo 1](frida-tutorial-1.md)
**Kutoka**: [https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1](https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1)\
**From**: [https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1](https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1)\
**APK**: [https://github.com/t0thkr1s/frida-demo/releases](https://github.com/t0thkr1s/frida-demo/releases)\
**Msimbo wa Chanzo**: [https://github.com/t0thkr1s/frida-demo](https://github.com/t0thkr1s/frida-demo)
**Source Code**: [https://github.com/t0thkr1s/frida-demo](https://github.com/t0thkr1s/frida-demo)
**Fuata [kiungo kusoma](frida-tutorial-1.md).**
**Fuata [kiungo ili kusoma](frida-tutorial-1.md).**
### [Mafunzo 2](frida-tutorial-2.md)
### [Tutorial 2](frida-tutorial-2.md)
**Kutoka**: [https://11x256.github.io/Frida-hooking-android-part-2/](https://11x256.github.io/Frida-hooking-android-part-2/) (Sehemu 2, 3 & 4)\
**APKs na Msimbo wa Chanzo**: [https://github.com/11x256/frida-android-examples](https://github.com/11x256/frida-android-examples)
**From**: [https://11x256.github.io/Frida-hooking-android-part-2/](https://11x256.github.io/Frida-hooking-android-part-2/) (Parts 2, 3 & 4)\
**APKs and Source code**: [https://github.com/11x256/frida-android-examples](https://github.com/11x256/frida-android-examples)
**Fuata [kiungo kusoma.](frida-tutorial-2.md)**
**Fuata [kiungo ili kusoma.](frida-tutorial-2.md)**
### [Mafunzo 3](owaspuncrackable-1.md)
### [Tutorial 3](owaspuncrackable-1.md)
**Kutoka**: [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)\
**From**: [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)\
**APK**: [https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level_01/UnCrackable-Level1.apk](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level_01/UnCrackable-Level1.apk)
**Fuata [kiungo kusoma](owaspuncrackable-1.md).**
**Fuata [kiungo ili kusoma](owaspuncrackable-1.md).**
**Unaweza kupata scripts za Frida za ajabu zaidi hapa:** [**https://codeshare.frida.re/**](https://codeshare.frida.re)
**You can find more Awesome Frida scripts here:** [**https://codeshare.frida.re/**](https://codeshare.frida.re)
## Mifano ya Haraka
## Quick Examples
### Kuita Frida kutoka kwa mstari wa amri
### Kuitisha Frida kutoka command line
```bash
frida-ps -U
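Review bot: the `frida-gadget.config` example added in this hunk uses `"runtime": { "logFile": ... }`, but in the Frida Gadget configuration the `runtime` key is a string selecting the JS runtime (`"default"`, `"qjs"` or `"v8"`), and I cannot find a `logFile` key in the gadget docs; as written the config is at best ignored and at worst rejected when the gadget loads. Keep `interaction` and drop or correct `runtime`. Also in this hunk: `### Kuitisha Frida kutoka command line` replaces `Kuita` (to call, invoke) with `Kuitisha` (to summon, demand), which is a regression from the old heading; and `**Kutoka**`, `**Msimbo wa Chanzo**` and `## Mifano ya Haraka` are reverted to English in the new lines.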
@ -61,7 +114,7 @@ frida -U --no-pause -l disableRoot.js -f owasp.mstg.uncrackable1
#frozen so that the instrumentation can occur, and the automatically
#continue execution with our modified code.
```
### Msingi wa Skripti ya Python
### Skripti ya Msingi ya Python
```python
import frida, sys
@ -72,9 +125,9 @@ print('[ * ] Running Frida Demo application')
script.load()
sys.stdin.read()
```
### Kuingiza kazi bila vigezo
### Hooking functions without parameters
Kuingiza kazi `a()` ya darasa `sg.vantagepoint.a.c`
Hook the function `a()` ya class `sg.vantagepoint.a.c`
```javascript
Java.perform(function () {
; rootcheck1.a.overload().implementation = function() {
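Review bot: `Hook the function `a()` ya class `sg.vantagepoint.a.c`` mixes English and Swahili in one sentence, as does the heading pair `### Kuingiza kazi bila vigezo` / `### Hooking functions without parameters`; pick one register (the earlier full-Swahili `Kuingiza kazi `a()` ya darasa ...` reads fine) rather than half-translating. The snippet line `; rootcheck1.a.overload().implementation = function() {` also opens with a stray `;` that looks like a formatting artifact and could be dropped.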
@ -91,7 +144,7 @@ sysexit.exit.overload("int").implementation = function (var_0) {
send("java.lang.System.exit(I)V // We avoid exiting the application :)")
}
```
Hook MainActivity `.onStart()` & `.onCreate()`
Hook MainActivity `.onStart()` na `.onCreate()`
```javascript
var mainactivity = Java.use("sg.vantagepoint.uncrackable1.MainActivity")
mainactivity.onStart.overload().implementation = function () {
@ -115,9 +168,9 @@ send("Activity HIT!!!")
var ret = this.onCreate.overload("android.os.Bundle").call(this, var_0)
}
```
### Kuingiza kazi na vigezo na kupata thamani
### Hooking functions na vigezo na kupata thamani
Kuingiza kazi ya kufungua. Chapisha ingizo, itisha kazi ya asili kufungua ingizo na hatimaye, chapisha data safi:
Hooking function ya decryption. Chapisha ingizo, ita function ya asili ili ku-decrypt ingizo na hatimaye, chapisha data ya wazi:
```javascript
function getString(data) {
var ret = ""
@ -142,9 +195,9 @@ send("Decrypted flag: " + flag)
return ret //[B
}
```
### Kuingiza kazi na kuziita kwa pembejeo zetu
### Hooking functions na kuwaita na pembejeo zetu
Kuingiza kazi inayopokea mfuatano wa herufi na kuziita kwa mfuatano mwingine wa herufi (kutoka [hapa](https://11x256.github.io/Frida-hooking-android-part-2/))
Hook function inayopokea string na uite kwa string tofauti (kutoka [here](https://11x256.github.io/Frida-hooking-android-part-2/))
```javascript
var string_class = Java.use("java.lang.String") // get a JS wrapper for java's String class
@ -157,11 +210,11 @@ console.log("Return value: " + ret)
return ret
}
```
### Kupata kitu kilichoundwa tayari cha darasa
### Kupata object iliyoundwa tayari ya darasa
Ikiwa unataka kutoa sifa fulani ya kitu kilichoundwa unaweza kutumia hii.
Ikiwa unataka kutoa sifa fulani ya object iliyoundwa unaweza kutumia hii.
Katika mfano huu utaona jinsi ya kupata kitu cha darasa my_activity na jinsi ya kuita kazi .secret() ambayo itachapisha sifa ya faragha ya kitu hicho:
Katika mfano huu utaona jinsi ya kupata object ya darasa my_activity na jinsi ya kuita function .secret() ambayo itachapisha sifa binafsi ya object:
```javascript
Java.choose("com.example.a11x256.frida_test.my_activity", {
onMatch: function (instance) {
@ -172,10 +225,16 @@ console.log("Result of secret func: " + instance.secret())
onComplete: function () {},
})
```
## Mafunzo Mengineyo ya Frida
## Mafunzo mengine ya Frida
- [https://github.com/DERE-ad2001/Frida-Labs](https://github.com/DERE-ad2001/Frida-Labs)
- [Sehemu ya 1 ya mfululizo wa blogu za Matumizi ya Juu ya Frida: Maktaba za Usimbuaji za IOS](https://8ksec.io/advanced-frida-usage-part-1-ios-encryption-libraries-8ksec-blogs/)
- [Part 1 of Advanced Frida Usage blog series: IOS Encryption Libraries](https://8ksec.io/advanced-frida-usage-part-1-ios-encryption-libraries-8ksec-blogs/)
## Marejeleo
- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
- [Frida Gadget documentation](https://frida.re/docs/gadget/)
- [Frida releases (server binaries)](https://github.com/frida/frida/releases)
{{#include ../../../banners/hacktricks-training.md}}
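Review bot: the list item `Part 1 of Advanced Frida Usage blog series: IOS Encryption Libraries` replaces the Swahili title `Sehemu ya 1 ya mfululizo wa blogu za Matumizi ya Juu ya Frida: Maktaba za Usimbuaji za IOS`; keep the Swahili title, or at least the same convention as the new `## Marejeleo` entries, so the page does not switch language mid-section. The added references (Frida Gadget documentation, Frida releases) are fine; `## Marejeleo` here should match the spelling chosen in the second file of this commit, which uses `## Marejeo`.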

View File

@ -1,20 +1,32 @@
# Install Burp Certificate
# Sakinisha Cheti cha Burp
{{#include ../../banners/hacktricks-training.md}}
## On a Virtual Machine
## Proxy ya mfumo mzima kupitia ADB
Kwanza kabisa unahitaji kupakua cheti cha Der kutoka Burp. Unaweza kufanya hivyo katika _**Proxy**_ --> _**Options**_ --> _**Import / Export CA certificate**_
Sanidi proxy ya HTTP ya mfumo mzima ili programu zote zipitie trafiki kupitia interceptor yako (Burp/mitmproxy):
```bash
# Set proxy (device/emulator must reach your host IP)
adb shell settings put global http_proxy 192.168.1.2:8080
# Clear proxy
adb shell settings put global http_proxy :0
```
Kidokezo: Katika Burp, elekeza listener yako kwa 0.0.0.0 ili vifaa kwenye LAN viweze kuungana (Proxy -> Options -> Proxy Listeners).
## Kwenye Mashine ya Virtuali
Kwanza kabisa unahitaji kupakua cheti la Der kutoka Burp. Unaweza kufanya hivyo katika _**Proxy**_ --> _**Options**_ --> _**Import / Export CA certificate**_
![](<../../images/image (367).png>)
**Export cheti katika muundo wa Der** na hebu **badilisha** kuwa fomu ambayo **Android** itaweza **kuelewa.** Kumbuka kwamba **ili kuunda cheti cha burp kwenye mashine ya Android katika AVD** unahitaji **kuendesha** mashine hii **ikiwa** na chaguo la **`-writable-system`**.\
Kwa mfano unaweza kuendesha kama:
**Hamisha cheti kwa muundo wa Der** na kisha **tubadilishe** hadi iwe katika fomu ambayo **Android** itaweza **kuelewa.** Kumbuka kwamba **ili kusanidi cheti cha burp kwenye mashine ya Android katika AVD** unahitaji **kuendesha** mashine hii **kwa** chaguo **`-writable-system`**.\
Kwa mfano unaweza kuiendesha hivi:
```bash
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9" -http-proxy 192.168.1.12:8080 -writable-system
```
Kisha, ili **konfigura cheti cha burp fanya**:
Kisha, ili **configure burps certificate**, fanya:
```bash
openssl x509 -inform DER -in burp_cacert.der -out burp_cacert.pem
CERTHASHNAME="`openssl x509 -inform PEM -subject_hash_old -in burp_cacert.pem | head -1`.0"
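Review bot: the new ADB proxy block hard-codes `192.168.1.2:8080` while the emulator command just below uses `-http-proxy 192.168.1.12:8080`; use one placeholder host IP (or a `<HOST_IP>` marker) in both so the reader does not copy mismatched addresses. The grammar in `cheti la Der` regresses from the previous `cheti cha Der` (`cheti` takes `cha`), and `Sakinisha` / `Kwenye Mashine ya Virtuali` should use the same noun-class agreement throughout. On `Kidokezo: ... elekeza listener yako kwa 0.0.0.0`, add the caveat that a listener bound to all interfaces is reachable by any host on that LAN, so it should only be done on an isolated lab network and unbound afterwards; likewise note that `settings put global http_proxy` redirects traffic from every app on the device, and the `:0` reset line should be run when the test is over.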
@ -25,39 +37,43 @@ adb shell mv /sdcard/$CERTHASHNAME /system/etc/security/cacerts/ #Move to correc
adb shell chmod 644 /system/etc/security/cacerts/$CERTHASHNAME #Assign privileges
adb reboot #Now, reboot the machine
```
Mara tu **mashine itakapokamilisha kuanzisha tena**, cheti cha burp kitakuwa kinatumika!
Mara tu **mashine imekamilisha kuanzisha upya**, cheti cha Burp kitakuwa kinatumika na mfumo!
## Kutumia Magisc
Ikiwa umepata **root** kwenye kifaa chako kwa kutumia Magisc (labda emulators), na huwezi kufuata **hatua** za awali za kufunga cheti cha Burp kwa sababu **faili ya mfumo ni ya kusoma tu** na huwezi kuirejesha kuwa ya kuandika, kuna njia nyingine.
Ikiwa **ulikata root kifaa chako kwa Magisc** (labda emulator), na **huwezi kufuata** **hatua** zilizotangulia kusanidi Burp cert kwa sababu **filesystem ni read-only** na huwezi kuiremonta kuwa writable, kuna njia nyingine.
Imeelezwa katika [**hii video**](https://www.youtube.com/watch?v=qQicUW0svB8) unahitaji:
Iliyefafanuliwa katika [**this video**](https://www.youtube.com/watch?v=qQicUW0svB8) unahitaji:
1. **Kufunga cheti cha CA**: Tu **vuta na uachie** cheti cha DER Burp **ukibadilisha kiendelezi** kuwa `.crt` kwenye simu ili kuhifadhiwa kwenye folda ya Downloads na nenda kwenye `Install a certificate` -> `CA certificate`
1. **Install a CA certificate**: Just **drag&drop** the DER Burp certificate **changing the extension** to `.crt` in the mobile so it's stored in the Downloads folder and go to `Install a certificate` -> `CA certificate`
<figure><img src="../../images/image (53).png" alt="" width="164"><figcaption></figcaption></figure>
- Hakikisha cheti kimehifadhiwa vizuri kwa kwenda kwenye `Trusted credentials` -> `USER`
- Angalia cheti kilihifadhiwa vizuri kwa kwenda `Trusted credentials` -> `USER`
<figure><img src="../../images/image (54).png" alt="" width="334"><figcaption></figcaption></figure>
2. **Fanya iwe ya kuaminika kwa Mfumo**: Pakua moduli ya Magisc [MagiskTrustUserCerts](https://github.com/NVISOsecurity/MagiskTrustUserCerts) (faili .zip), **vuta na uachie** kwenye simu, nenda kwenye **app ya Magics** kwenye simu kwenye sehemu ya **`Modules`**, bonyeza **`Install from storage`**, chagua moduli ya `.zip` na mara itakapokamilika **anzisha tena** simu:
2. **Make it System trusted**: Download the Magisc module [MagiskTrustUserCerts](https://github.com/NVISOsecurity/MagiskTrustUserCerts) (a .zip file), **drag&drop it** in the phone, go to the **Magics app** in the phone to the **`Modules`** section, click on **`Install from storage`**, select the `.zip` module and once installed **reboot** the phone:
<figure><img src="../../images/image (55).png" alt="" width="345"><figcaption></figcaption></figure>
- Baada ya kuanzisha tena, nenda kwenye `Trusted credentials` -> `SYSTEM` na hakikisha cheti cha Postswigger kiko hapo
- Baada ya kuanzisha upya, nenda `Trusted credentials` -> `SYSTEM` na uhakikishe Postswigger cert iko hapo
<figure><img src="../../images/image (56).png" alt="" width="314"><figcaption></figcaption></figure>
### Jifunze jinsi ya kuunda module ya Magisc
Angalia [https://medium.com/@justmobilesec/magisk-for-mobile-pentesting-rooting-android-devices-and-building-custom-modules-part-ii-22badc498437](https://medium.com/@justmobilesec/magisk-for-mobile-pentesting-rooting-android-devices-and-building-custom-modules-part-ii-22badc498437)
## Baada ya Android 14
Katika toleo jipya la Android 14, mabadiliko makubwa yameonekana katika usimamizi wa cheti cha Mamlaka ya Cheti (CA) kinachokubalika na mfumo. Awali, vyeti hivi vilihifadhiwa katika **`/system/etc/security/cacerts/`**, vinavyoweza kufikiwa na kubadilishwa na watumiaji wenye ruhusa za root, ambayo iliruhusu matumizi ya haraka katika mfumo mzima. Hata hivyo, na Android 14, mahali pa kuhifadhiwa kumehamishwa kwenda **`/apex/com.android.conscrypt/cacerts`**, saraka ndani ya njia ya **`/apex`**, ambayo ni isiyoweza kubadilishwa kwa asili.
Katika toleo la hivi karibuni la Android 14, kumetokea mabadiliko makubwa katika jinsi Certificate Authority (CA) certificates zinazothibitishwa na mfumo zinavyoshughulikiwa. Hapo awali, cheti hizi zilihifadhiwa katika **`/system/etc/security/cacerts/`**, zikipatikana na zinabadilika kwa watumiaji wenye root, na hivyo kutumika mara moja kote kwenye mfumo. Hata hivyo, na Android 14, eneo la uhifadhi limehamishwa kwenda **`/apex/com.android.conscrypt/cacerts`**, saraka ndani ya `\`/apex\``, ambayo ni immutable kwa asili.
Jaribio la kurejesha **APEX cacerts path** kuwa ya kuandika linakutana na kushindwa, kwani mfumo haukuruhusu operesheni kama hizo. Hata jaribio la kuondoa au kuweka saraka hiyo na mfumo wa muda (tmpfs) halipuuzi isiyoweza kubadilishwa; programu zinaendelea kufikia data ya cheti asilia bila kujali mabadiliko katika kiwango cha mfumo wa faili. Uthabiti huu unatokana na **`/apex`** kuunganishwa na kueneza PRIVATE, kuhakikisha kwamba mabadiliko yoyote ndani ya saraka ya **`/apex`** hayaathiri michakato mingine.
Jaribio la kuremonta APEX cacerts path kuwa writable yatashindwa, kwani mfumo hautaruhusu operesheni hizo. Hata jaribio la kuunmount au ku-overlay saraka kwa tmpfs halitachukua muda; programu zitabaki kutumia data za cheti asilia licha ya mabadiliko kwenye ngazi ya filesystem. Ustahimilivu huu unatokana na mount ya **`/apex`** kuwa na PRIVATE propagation, kuhakikisha kwamba mabadiliko ndani ya saraka ya **`/apex`** hayagusi michakato mingine.
Kuanza kwa Android kunahusisha mchakato wa `init`, ambao, unapozindua mfumo wa uendeshaji, pia huanzisha mchakato wa Zygote. Mchakato huu unawajibika kwa kuzindua michakato ya programu na jina jipya la kuunganishwa ambalo linajumuisha kuunganishwa binafsi la **`/apex`**, hivyo kuzuia mabadiliko katika saraka hii kutoka kwa michakato mingine.
Uanzishaji wa Android unahusisha mchakato wa `init`, ambao, anapoanza mfumo wa uendeshaji, pia huanzisha mchakato wa Zygote. Mchakato huu unawajibika kuwasha michakato ya programu ndani ya mount namespace mpya inayojumuisha mount ya kibinafsi ya **`/apex`**, hivyo kutenganisha mabadiliko ya saraka hii kutoka kwa michakato mingine.
Hata hivyo, kuna njia mbadala kwa wale wanaohitaji kubadilisha vyeti vya CA vinavyokubalika na mfumo ndani ya saraka ya **`/apex`**. Hii inahusisha kurejesha kwa mikono **`/apex`** ili kuondoa kueneza PRIVATE, hivyo kuifanya iwe ya kuandika. Mchakato huu unajumuisha nakala ya maudhui ya **`/apex/com.android.conscrypt`** kwenda mahali pengine, kuondoa saraka ya **`/apex/com.android.conscrypt`** ili kuondoa kizuizi cha kusoma tu, na kisha kurejesha maudhui kwenye mahali pake pa asili ndani ya **`/apex`**. Njia hii inahitaji hatua za haraka ili kuepuka kuanguka kwa mfumo. Ili kuhakikisha matumizi ya mabadiliko haya katika mfumo mzima, inapendekezwa kuanzisha tena `system_server`, ambayo kwa ufanisi inaanzisha tena programu zote na kuleta mfumo katika hali thabiti.
Hata hivyo, kuna njia mbadala kwa wale wanaohitaji kubadilisha CA certificates zinazothibitishwa na mfumo ndani ya saraka ya **`/apex`**. Hii inahusisha kuremonta kwa mkono **`/apex`** ili kuondoa PRIVATE propagation, hivyo kuifanya iwe writable. Mchakato unajumuisha kunakili yaliyomo ya **`/apex/com.android.conscrypt`** mahali pengine, kuunmount saraka ya **`/apex/com.android.conscrypt`** ili kuondoa ukandamizaji wa read-only, na kisha kurejesha yaliyomo kwenye eneo lao la asili ndani ya **`/apex`**. Njia hii inahitaji hatua ya haraka ili kuepuka kukatika kwa mfumo. Ili kuhakikisha mabadiliko haya yanatumika kwenye mfumo mzima, inapendekezwa kuanzisha upya `system_server`, ambayo kwa ufanisi inaanzisha tena programu zote na kuleta mfumo katika hali thabiti.
```bash
# Create a separate temp directory, to hold the current certificates
# Otherwise, when we add the mount we can't read the current certs anymore.
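Review bot: the sentence `Hata jaribio la kuunmount au ku-overlay saraka kwa tmpfs halitachukua muda` changes the meaning of the previous `halipuuzi isiyoweza kubadilishwa`: `halitachukua muda` reads as "will not take time", whereas the point is that the tmpfs overlay does not take effect / does not bypass the immutability, so apps keep seeing the original certificate data; reword to something like `halitakuwa na athari` or restore the earlier phrasing. In the same paragraph `saraka ndani ya `\`/apex\``` has escaped backticks that will render as literal backslashes; the earlier `**`/apex`**` form should be kept. The Magisk steps 1 and 2 remain untranslated English, and the spellings `Magisc`, `Magics app` and `Postswigger` should be `Magisk` and `PortSwigger` (the linked module is `MagiskTrustUserCerts`). `ukandamizaji wa read-only` is also off (`ukandamizaji` means oppression); `kizuizi cha read-only`, as in the previous text, is the right word for the restriction.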
@ -117,26 +133,26 @@ echo "System certificate injected"
```
### Bind-mounting through NSEnter
1. **Kuweka Saraka Inayoweza Kuandikwa**: Kwanza, saraka inayoweza kuandikwa inaanzishwa kwa kufunga `tmpfs` juu ya saraka ya cheti ya mfumo isiyo ya APEX iliyopo. Hii inafanywa kwa amri ifuatayo:
1. **Kuweka saraka inayoweza kuandikwa**: Awali, saraka inayoweza kuandikwa inaanzishwa kwa ku-mount `tmpfs` juu ya saraka ya vyeti ya mfumo non-APEX iliyopo. Hii inafikiwa kwa amri ifuatayo:
```bash
mount -t tmpfs tmpfs /system/etc/security/cacerts
```
2. **Kuandaa Vyeti vya CA**: Baada ya kuweka saraka inayoweza kuandikwa, vyeti vya CA ambavyo mtu anakusudia kutumia vinapaswa kunakiliwa kwenye saraka hii. Hii inaweza kujumuisha kunakili vyeti vya kawaida kutoka `/apex/com.android.conscrypt/cacerts/`. Ni muhimu kurekebisha ruhusa na lebo za SELinux za vyeti hivi ipasavyo.
3. **Kufunga Mount kwa Zygote**: Kutumia `nsenter`, mtu anaingia kwenye eneo la mount la Zygote. Zygote, ikiwa ni mchakato unaohusika na kuzindua programu za Android, inahitaji hatua hii ili kuhakikisha kwamba programu zote zinazozinduliwa kuanzia sasa zinatumia vyeti vya CA vilivyowekwa upya. Amri inayotumika ni:
2. **Kuandaa Vyeti vya CA**: Baada ya kuweka saraka inayoweza kuandikwa, vyeti vya CA ambavyo mtu anakusudia kutumia vinapaswa kunakiliwa katika saraka hii. Hii inaweza kuhusisha kunakili vyeti za default kutoka `/apex/com.android.conscrypt/cacerts/`. Ni muhimu kurekebisha ruhusa na lebo za SELinux za vyeti hivi ipasavyo.
3. **Bind Mounting for Zygote**: Kwa kutumia nsenter, mtu anaingia katika mount namespace ya Zygote. Zygote, kama mchakato unaehusika na kuanzisha programu za Android, anahitaji hatua hii ili kuhakikisha kwamba programu zote zinazozinduliwa kuanzia sasa zitumie vyeti vya CA vilivyosanidiwa upya. Amri inayotumika ni:
```bash
nsenter --mount=/proc/$ZYGOTE_PID/ns/mnt -- /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts
```
Hii inahakikisha kwamba kila programu mpya inayozinduliwa itafuata mipangilio ya CA certificates iliyosasishwa.
Hii inahakikisha kwamba kila app mpya itakayozinduliwa itazingatia usanidi wa CA certificates uliosasishwa.
4. **Kuweka Mabadiliko kwa Programu Zinazoendesha**: Ili kuweka mabadiliko kwa programu ambazo tayari zinaendesha, `nsenter` inatumika tena kuingia kwenye namespace ya kila programu moja baada ya nyingine na kufanya mtego wa kufunga sawa. Amri inayohitajika ni:
4. **Kutekeleza Mabadiliko kwa Programu Zinazoendeshwa**: Ili kutekeleza mabadiliko kwa programu ambazo tayari zinaendeshwa, `nsenter` hutumika tena kuingia katika namespace ya kila app kibinafsi na kufanya bind mount sawa. Amri inayohitajika ni:
```bash
nsenter --mount=/proc/$APP_PID/ns/mnt -- /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts
```
5. **Njia Mbadala - Soft Reboot**: Njia mbadala inahusisha kufanya bind mount kwenye mchakato wa `init` (PID 1) ikifuatiwa na soft reboot ya mfumo wa uendeshaji kwa kutumia amri za `stop && start`. Njia hii itasambaza mabadiliko katika majimbo yote, ikiepuka haja ya kushughulikia kila programu inayofanya kazi kwa separately. Hata hivyo, njia hii kwa ujumla haitafutwa sana kutokana na usumbufu wa kuanzisha upya.
5. **Alternative Approach - Soft Reboot**: Njia mbadala inahusisha kufanya bind mount kwenye mchakato wa `init` (PID 1) ikifuatiwa na soft reboot ya mfumo wa uendeshaji kwa amri za `stop && start`. Njia hii itasambaza mabadiliko katika namespaces zote, ikiepuka haja ya kushughulikia kila app inayokimbia kimoja kwa kimoja. Hata hivyo, njia hii kwa ujumla haipendekeziwi kutokana na usumbufu wa kufanya reboot.
## Marejeleo
- [https://httptoolkit.com/blog/android-14-install-system-ca-certificate/](https://httptoolkit.com/blog/android-14-install-system-ca-certificate/)
## Marejeo
- [Android 14: Install a system CA certificate on a rooted device](https://httptoolkit.com/blog/android-14-install-system-ca-certificate/)
- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
{{#include ../../banners/hacktricks-training.md}}
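Review bot: the `nsenter --mount=/proc/$ZYGOTE_PID/ns/mnt` and `/proc/$APP_PID/ns/mnt` commands reference `$ZYGOTE_PID` and `$APP_PID`, which are never defined in this hunk; if the script in the elided hunk above sets them, say so, otherwise tell the reader how to obtain them (for example with `pidof`), since a bind mount into the wrong namespace silently does nothing. Step 3 also drops the backticks around `nsenter` that step 4 and the previous text keep, and the heading `5. **Alternative Approach - Soft Reboot**` is left in English where the previous `Njia Mbadala - Soft Reboot` was already translated. `kimoja kwa kimoja` is not idiomatic; `moja baada ya nyingine` from the earlier version is clearer. Finally `## Marejeo` here versus `## Marejeleo` in the Frida tutorial file of the same commit should be made consistent.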