SlideShare a Scribd company logo

idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat em.pdf

idsecconf
idsecconf

Pembahasan ini bertujuan untuk memberikan edukasi tentang mekanisme perlindungan yang diterapkan pada aplikasi android seperti root detection, ssl pinning, anti emulation, tamper detection dan bagaimana teknik yang digunakan untuk melakukan mekanisme bypass proteksi yang diimplementasikan dengan bantuan reverse engineering menggunakan tool seperti frida, ghidra, objection, magisk, dan sebagainya.

Related slideshows

Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE Activities
 
ATT&CKcon Intro
ATT&CKcon IntroATT&CKcon Intro
ATT&CKcon Intro
 
Kaynak Kod Analiz Süreci
Kaynak Kod Analiz SüreciKaynak Kod Analiz Süreci
Kaynak Kod Analiz Süreci
 
1 of 95
Download to read offline
By Aan @petruknisme Hide `n seek with Android App Protections & Beat `em
HELLO! I’m… Aan Wahyu a.k.a petruknisme ● Lead Security Consultant @ Horangi ● Infosec Enthusiast & Part-time coder ● Passionate with OSINT, RE, and Red Team
Background Along with the rapid development of mobile application technology meeting various needs and providing convenience to their users. In this case, significant developments are also needed in the security aspect that guarantees privacy and security, especially user data. Therefore, a penetration testing or application audit process is needed to ensure that an application is suitable for use by the public. If this is not done properly, there is a high possibility of data leakage resulting in losses on the user side and on the company.
Background To prevent modification, manipulation or hacking, it is not uncommon for developers to apply protection to applications. This aims to minimize losses that could occur. As someone who works as a penetration tester, For applications can be tested properly, it is often necessary to bypass the implemented protection so that the required tools or processes can run according to the predetermined penetration testing workflow.
Table of contents Root Detection 01 03 02 04 SSL Pinning Anti Emulation Frida Detection
01 Root Detection
Root Detection To prevent modifications or manipulations that impact the application, root detection is implemented. Basically, the application will check files that are indicated to be part of the rooted device and when it finds this indication, the application will prevent access or perform an exit/crash so that the application cannot run on a rooted device.
Checking the BUILD tag for test-keys Checking SU binary and installed root package Root Detection Methods Checking common root cloaking apps Checking permission for system directory Checking dangerous props Many more
Sample Root Detection
Sample Root Detection
Reverse Engineering Apk Process Several processes are required in reverse engineering an APK. Start by unpacking the APK using an archive extractor such as WinRAR, WinZip, etc. After that, the dex file will be disassembled and decompiled into java source which is still a java class file.
01.1 Bypassing root detection using manual modification of smali Manual Modification
Extracting Apk To bypass root detection using the smali patch method, the first step that must be done is to extract the content in the apk using apktool
Searching the right function Then we can search for the word isRooted with the help of a code editor. In this example case, the isRooted function is in the Rootbeer.smali file As you can see, isRooted function are calling other function for checking: 1. Su Binary 2. RW Paths 3. Root via Native Checks 4. Magisk Specific checks 5. etc
Bypassing checkForSuBinary In the checkForSuBinary() function, change move-result v0 to const/4 v0, 0x0 with the aim of making the value of the variable v0 false instead of to taking a dynamic value from the result of the checkForBinary() function .method public checkForSuBinary()Z .locals 1 const-string v0, "su" .line 160 invoke-virtual {p0, v0}, Lcom/scottyab/rootbeer/RootBeer;->checkForBinary(Ljava/lang/String;)Z const/4 v0, 0x0 <-- Edited return v0
Bypassing checkSuExist In the checkSuExist() function, change value of v0 to 0x0 after if-eqz v2
Bypassing checkForRWPaths In the checkForRWPaths() function, add return v1 at the end of the function so that the function always returns false because the v1 variable is already false.
Bypassing checkForRootNative In the checkForRootNative() function, change the v1 value at the end of the function to 0x0 so that the returned value is false. .method public checkForRootNative()Z ---------------------SNIPPET------------- if-lez v0, :cond_2 const/4 v1, 0x0 <-- Edited :catch_0 :cond_2 return v1 .end method
Bypassing checkForMagiskBinary In the checkForMagiskBinary() function, change move-result v0 to const/4 v0, 0x0 with the aim of making the value of the variable v0 false instead of taking a dynamic value from the result of the checkForBinary() function
Rebuild, sign and install
Result We are successfully bypassing root detection with manual modification of smali files
01.2 Bypassing root detection using frida instrumentation Frida Instrumentation
Frida Instrumentation As we know, we need to bypass these protection to be able to run the app in rooted device: ● SU Binary ● RW Paths ● Root via Native Checks ● Magisk Specific Checks I assume that we already know how to write frida script. For the first step, we will try to hook one of the function to make sure that our script is working
Frida Instrumentation
Final frida Script For the rest of functions, we just need to copy and modify with the function name that we will hook. But, for keeping it simple(KISS) and follow DRY principle, I’ve modified the script to be more simple, short, and easy to understand.
Result
01.3 Bypassing root detection using objection Objection
What? objection is a runtime mobile exploration toolkit, powered by Frida, built to help you assess the security posture of your mobile applications, without needing a jailbreak. ● Supports both iOS and Android. ● Inspect and interact with container file systems. ● Bypass SSL pinning. ● Dump keychains. ● Perform memory related tasks, such as dumping & patching. ● Explore and manipulate objects on the heap. ● And much, much more… Installation Installation is simply a matter of pip3 install objection. This will give you the objection command. You can update an existing objection installation with pip3 install --upgrade objection.
What? https://github.com/sensepost/objection/wiki/Screenshots
No need script, only command line
No need script, only command line Partially success bypassing rootbeer checker with objection command “android root disable”
Hook & patch the right function Before patching the functions, we need to know the class first android hooking list class_methods com.example.app.class
Set return value After we know the right class_methods, we can set the return value android hooking set return_value com.app.example.class.method
01.4 Bypassing root detection using Magisk Zygisk Magisk Zygisk
Magisk In simple terms, Magisk is a tool to help users gain root access by patching the ROM. For further information regarding installation and configuration, please refer to https://github.com/topjohnwu/Magisk The easiest method is to rely on Zygisk Denylist in the Magisk application. To be able to enjoy Zygisk, Magisk version that must be installed is v24.1+.
Setup
Setup
Result
02 SSL Pinning
SSL Pinning SSL pinning is a technique that helps to prevent MiTM attacks by hardcoding the SSL/TLS certificate’s public key into the app or device. This means that when the app or device communicates with the server, it will compare the server’s SSL/TLS certificate’s public key with the one that is hardcoded into the app or device. https://www.indusface.com/learning/what-is-ssl-pinning-a-quick-walk-through/
02.1 Bypassing SSL Pinning using manual modification of smali Manual Modification
Manual In this discussion, I will start by explaining how we can bypass the SSL Pinning process by manually modifying smalis. The target that will be used in this case study is an android application that use Cordova Framework. When connecting to the server, the application refused the connection because the certificate on the device did not match, because I was intercept the traffic using Burp Suite. With the help of “adb logcat | logcat-color”, I can find out the error message given by the application when it refuses a connection to the server.
Manual As you can see, android certificate pinning is failing and complaining about mismatch certificate hash. Our peer certificate chain is for PortSwigger(BurpSuite), but the Pinned Certificate for a domain(masked) is defined in the android resource file.
Best Approach Decompile apk and search for the right string. In this case, the file containing the word is in resource/assets/www/pinning/ . After knowing which file is appropriate, the next step is to modify the string sha256/dGxxxxx to sha256/fKxxxxx referring to the previous error message.
Recompile
Result
02.2 Bypassing SSL Pinning using Objection Objection
Approach As in the discussion for bypassing root detection, we can also do the same thing with the help of objection. There are two methods that can be done, using the built-in objection feature or manual patching of the return_value from class_method. For the study case, we will use https://github.com/httptoolkit/android-s sl-pinning-demo/releases/download/v1. 3.1/pinning-demo.apk
Approach Error when intercepted with burpsuite
Objection
Debugging
Debugging
02.3 Bypassing SSL Pinning using Frida Frida
Frida For bypassing SSL Pinning with Frida, we can use frida codeshare or create our own script.
Frida-codeshare Bypassing previous ssl pinning protection that failed when using objection, we can use frida codeshare from https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/
Frida scripting For manual approach, we can search the right function, hook, replace the return value same as in the bypassing root detection
02.4 Bypassing Flutter SSL Pinning Bypassing Flutter
Flutter One of the reasons it is difficult to bypass SSL Pinning in Flutter is because Flutter compiles the code into native machine code. This makes common techniques such as method hooking or code injection in SSL Pinning bypass unable to be carried out, even the experiments that we have carried out previously. Flutter ignores proxy settings on the device so that applications cannot be intercepted. If in the previous case the application would error when passing through the proxy without the SSL pinning bypass process, this does not apply to Flutter because the application will only make a direct connection to the server without passing through the proxy even though it has been set on the device.
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat em.pdf
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat em.pdf
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat em.pdf
02.4.1 Bypassing Flutter SSL Pinning using reFlutter reFlutter
reFlutter This framework helps with Flutter apps reverse engineering using the patched version of the Flutter library which is already compiled and ready for app repacking. This library has snapshot deserialization process modified to allow you perform dynamic analysis in a convenient way. Key features: ● socket.cc is patched for traffic monitoring and interception; ● dart.cc is modified to print classes, functions and some fields; ● display absolute code offset for functions ● contains minor changes for successfull compilation; ● if you would like to implement your own patches, there is manual Flutter code change is supported using specially crafted Dockerfile
reFlutter
reFlutter
reFlutter
02.4.1 Bypassing Flutter SSL Pinning Ghidra & Frida pattern matching Frida Pattern Matching
Concepts Referring to the article https://blog.nviso.eu/2022/08/18/intercept-flutter-traffic-on-ios-and-android-http-h ttps-dio-pinning/, to bypass SSL pinning on Flutter , we can use the pattern matching method after knowing the pattern of the SSL pinning checking offset address. In simple terms, the steps taken are: ● Find references to the string “x509.cc” and compare them to x509.cc to find session_verify_cert_chain ● Find references to the method you identified in order to identify ssl_verify_peer_cert
Concepts https://blog.nviso.eu/2019/08/13/intercepting-traffic-from-android-flutter-applications/
Concepts
Concepts Alternatively, we can use Frida’s pattern matching engine to search for functions that look very similar to the function from the demo app. The first bytes of a function are typically very stable, as long as the number of local variables and function arguments don’t change. Still, different compilers may generate different assembly code (e.g. usage of different registers or optimisations) so we do need to have some wildcards in our pattern. https://blog.nviso.eu/2022/08/18/intercept-flutter-traffic-on-ios-and-android-http-https-dio-pinning/
reFlutter
03 Emulator Detection
Emulator Detection Emulators are usually used to make it easier for reverse engineers, hackers or pentesters to run applications without needing to have the original device. Because usually, emulators can be easily created and deleted when there are errors or different needs, whereas the original device cannot. It is not uncommon for malware developers to use this check to ensure that their application is able to obtain or control the victim's original data or device. For this case study, we will use https://github.com/reveny/Android-Emulator-Detection/ The app detect emulator with this checks: ● checkHardware(); ● checkMounts(); ● checkModules(); ● checkCPU(); ● checkFiles(); ● checkCPUArchitecture();
Emulator Detection
Concepts Different from the previous discussion, this time our target is using the Java Native Interface. So, we can't do hooking like we did before. This is because all checking processes occur in libraries that have been compiled into objects. In this example, all the checks are in the libemulatordetector.so file. The first thing we have to do is find out what JNI functions are available, you can use Frida's help or use nm demangle.
Bypass To bypass, the first thing to do is tracing with frida-trace. In this case, I will specifically look for the dlopen function because this function is usually used to load shared libraries. It can be seen that what is used is android_dlopen_ext to load the shared library file libemulatordetector.so. So with this info, we can create code to hook Frida.
When we run Frida with this code, we can see that libemulatordetector.so is loaded from the android_dlopen_ext function
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat em.pdf
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat em.pdf
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat em.pdf
03 Frida Detection
Concepts In some cases, developers create protection so that the application checks the existence of Frida on the device. This is to prevent pentesters/hackers from being able to run Binary Instruments using Frida as in the previous discussion. There are several mechanisms used to detect the presence of frida, including: ● Detection of named pipes used by Frida ● Detect frida specific thread names ● Detect the port used by Frida ● Etc For this discussion, I used a customized application to detect frida existence
Concepts In some cases, developers create protection so that the application checks the existence of Frida on the device. This is to prevent pentesters/hackers from being able to run Binary Instruments using Frida as in the previous discussion. There are several mechanisms used to detect the presence of frida, including: ● Detection of named pipes used by Frida ● Detect frida specific thread names ● Detect the port used by Frida ● Etc For this discussion, I used a customized application to detect frida existence
Sample app
Frida-server detection The mechanism used by the application to detect frida-server is to check whether there are files in /data/local/tmp/frida-se rver.
Frida-server detection
/proc detection The mechanism used is to check /proc/self/maps to detect the presence of frida-agent
/proc detection
Default frida port detection Another mechanism is to check the default Frida port, if the default port can be accessed then that indicates Frida is running
Default frida port detection To bypass this protection, we can change the default port used when running frida-server with the following command
Default frida port detection
Frida Thread Detection The application detects the Frida thread by checking /proc/self/task/<PID>/status and comparing its contents with FRIDA_THREAD_GUM_JS_LOOP and FRIDA_THREAD_GMAIN.
Frida Thread Detection To bypass this protection, we can easily manipulate the strstr function every time we find the specified words
CREDITS: This presentation template was created by Slidesgo, and includes icons by Flaticon, and infographics & images by Freepik Thanks! me@petruknisme t.me/@petruknisme linkedin.com/in/aancw Do you have any questions? Please keep this slide for attribution

More Related Content

What's hot

Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE Activities
MITRE ATT&CK
 
ATT&CKcon Intro
ATT&CKcon IntroATT&CKcon Intro
ATT&CKcon Intro
MITRE ATT&CK
 
Kaynak Kod Analiz Süreci
Kaynak Kod Analiz SüreciKaynak Kod Analiz Süreci
Kaynak Kod Analiz Süreci
PRISMA CSI
 
Pentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - AbdullahPentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - Abdullah
idsecconf
 
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Digit Oktavianto
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamWhat is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
MITRE ATT&CK
 
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
MITRE - ATT&CKcon
 
Etkin Siber Savunma i̇çin Tehdit Avcılığı
Etkin Siber Savunma i̇çin Tehdit Avcılığı Etkin Siber Savunma i̇çin Tehdit Avcılığı
Etkin Siber Savunma i̇çin Tehdit Avcılığı
BGA Cyber Security
 
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014
Kelly Grizzle
 
Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...
idsecconf
 
Ali - The Journey-Hack Electron App Desktop (MacOS).pdf
Ali - The Journey-Hack Electron App Desktop (MacOS).pdfAli - The Journey-Hack Electron App Desktop (MacOS).pdf
Ali - The Journey-Hack Electron App Desktop (MacOS).pdf
idsecconf
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Jorge Orchilles
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
Christopher Frohoff
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
👀 Joe Gray
 
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsUsing ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
MITRE - ATT&CKcon
 
Threat Modelling - It's not just for developers
Threat Modelling - It's not just for developersThreat Modelling - It's not just for developers
Threat Modelling - It's not just for developers
MITRE ATT&CK
 
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdfRama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
idsecconf
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?
Mikhail Egorov
 
[JJUG CCC 2021 Spring]Eclipse ユーザのための VSCode のススメ
[JJUG CCC 2021 Spring]Eclipse ユーザのための VSCode のススメ[JJUG CCC 2021 Spring]Eclipse ユーザのための VSCode のススメ
[JJUG CCC 2021 Spring]Eclipse ユーザのための VSCode のススメ
Satoshi Takami
 
ATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CK
MITRE ATT&CK
 

What's hot (20)

Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE Activities
 
ATT&CKcon Intro
ATT&CKcon IntroATT&CKcon Intro
ATT&CKcon Intro
 
Kaynak Kod Analiz Süreci
Kaynak Kod Analiz SüreciKaynak Kod Analiz Süreci
Kaynak Kod Analiz Süreci
 
Pentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - AbdullahPentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - Abdullah
 
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamWhat is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
 
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
 
Etkin Siber Savunma i̇çin Tehdit Avcılığı
Etkin Siber Savunma i̇çin Tehdit Avcılığı Etkin Siber Savunma i̇çin Tehdit Avcılığı
Etkin Siber Savunma i̇çin Tehdit Avcılığı
 
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014
 
Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...
 
Ali - The Journey-Hack Electron App Desktop (MacOS).pdf
Ali - The Journey-Hack Electron App Desktop (MacOS).pdfAli - The Journey-Hack Electron App Desktop (MacOS).pdf
Ali - The Journey-Hack Electron App Desktop (MacOS).pdf
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
 
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsUsing ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
 
Threat Modelling - It's not just for developers
Threat Modelling - It's not just for developersThreat Modelling - It's not just for developers
Threat Modelling - It's not just for developers
 
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdfRama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?
 
[JJUG CCC 2021 Spring]Eclipse ユーザのための VSCode のススメ
[JJUG CCC 2021 Spring]Eclipse ユーザのための VSCode のススメ[JJUG CCC 2021 Spring]Eclipse ユーザのための VSCode のススメ
[JJUG CCC 2021 Spring]Eclipse ユーザのための VSCode のススメ
 
ATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CK
 

Similar to idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat em.pdf

From Reversing to Exploitation: Android Application Security in Essence
From Reversing to Exploitation: Android Application Security in EssenceFrom Reversing to Exploitation: Android Application Security in Essence
From Reversing to Exploitation: Android Application Security in Essence
Satria Ady Pradana
 
From Reversing to Exploitation
From Reversing to ExploitationFrom Reversing to Exploitation
From Reversing to Exploitation
Satria Ady Pradana
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android Apps
Ron Munitz
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
Tony Thomas
 
Droidcon mobile security
Droidcon mobile securityDroidcon mobile security
Droidcon mobile security
Judy Ngure
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Romansh Yadav
 
Mobile binary code - Attack Tree and Mitigation
Mobile binary code - Attack Tree and MitigationMobile binary code - Attack Tree and Mitigation
Mobile binary code - Attack Tree and Mitigation
Sunil Paudel
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
Oleg Gryb
 
ANTI-ANTI-CODE-MODIFICATION MiSSConf(SP5) 2019
ANTI-ANTI-CODE-MODIFICATION MiSSConf(SP5) 2019ANTI-ANTI-CODE-MODIFICATION MiSSConf(SP5) 2019
ANTI-ANTI-CODE-MODIFICATION MiSSConf(SP5) 2019
Boonpoj Thongakaraniroj
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
Oleg Gryb
 
Pyramid tutorial
Pyramid tutorialPyramid tutorial
Pyramid tutorial
Carlos de la Guardia
 
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeMobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the Code
NowSecure
 
Securing a Cloud Migration
Securing a Cloud MigrationSecuring a Cloud Migration
Securing a Cloud Migration
Carlos Andrés García
 
Securing a Cloud Migration
Securing a Cloud MigrationSecuring a Cloud Migration
Securing a Cloud Migration
VMware Tanzu
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
Hafez Kamal
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensics
viaForensics
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetup
kunwaratul hax0r
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
Yogesh Ojha
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10
Pawel Rzepa
 
IRJET- Secure Android Application Development and Security Assessment
IRJET- Secure Android Application Development and Security AssessmentIRJET- Secure Android Application Development and Security Assessment
IRJET- Secure Android Application Development and Security Assessment
IRJET Journal
 

Similar to idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat em.pdf (20)

From Reversing to Exploitation: Android Application Security in Essence
From Reversing to Exploitation: Android Application Security in EssenceFrom Reversing to Exploitation: Android Application Security in Essence
From Reversing to Exploitation: Android Application Security in Essence
 
From Reversing to Exploitation
From Reversing to ExploitationFrom Reversing to Exploitation
From Reversing to Exploitation
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android Apps
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
 
Droidcon mobile security
Droidcon mobile securityDroidcon mobile security
Droidcon mobile security
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
 
Mobile binary code - Attack Tree and Mitigation
Mobile binary code - Attack Tree and MitigationMobile binary code - Attack Tree and Mitigation
Mobile binary code - Attack Tree and Mitigation
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
 
ANTI-ANTI-CODE-MODIFICATION MiSSConf(SP5) 2019
ANTI-ANTI-CODE-MODIFICATION MiSSConf(SP5) 2019ANTI-ANTI-CODE-MODIFICATION MiSSConf(SP5) 2019
ANTI-ANTI-CODE-MODIFICATION MiSSConf(SP5) 2019
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
Pyramid tutorial
Pyramid tutorialPyramid tutorial
Pyramid tutorial
 
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeMobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the Code
 
Securing a Cloud Migration
Securing a Cloud MigrationSecuring a Cloud Migration
Securing a Cloud Migration
 
Securing a Cloud Migration
Securing a Cloud MigrationSecuring a Cloud Migration
Securing a Cloud Migration
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensics
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetup
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10
 
IRJET- Secure Android Application Development and Security Assessment
IRJET- Secure Android Application Development and Security AssessmentIRJET- Secure Android Application Development and Security Assessment
IRJET- Secure Android Application Development and Security Assessment
 

More from idsecconf

idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf
 
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf
 
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
idsecconf
 
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
idsecconf
 
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdfNosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
idsecconf
 
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
idsecconf
 
Utian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdfUtian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdf
idsecconf
 
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
Perkembangan infrastruktur kunci publik di indonesia - Andika TriwidadaPerkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
idsecconf
 
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabellaHacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
idsecconf
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
idsecconf
 
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi DwiantoDevsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
idsecconf
 
Stream crime
Stream crime Stream crime
Stream crime
idsecconf
 
(Paper) Mips botnet worm with open wrt sdk toolchains
(Paper) Mips botnet worm with open wrt sdk toolchains(Paper) Mips botnet worm with open wrt sdk toolchains
(Paper) Mips botnet worm with open wrt sdk toolchains
idsecconf
 
Mips router targeted worm botnet
Mips router targeted worm botnetMips router targeted worm botnet
Mips router targeted worm botnet
idsecconf
 
The achilles heel of GPN Card implementation
The achilles heel of GPN Card implementationThe achilles heel of GPN Card implementation
The achilles heel of GPN Card implementation
idsecconf
 
iot hacking, smartlockpick
iot hacking, smartlockpick iot hacking, smartlockpick
iot hacking, smartlockpick
idsecconf
 
Paper - semi-automated information gathering tools for subdomain enumeration ...
Paper - semi-automated information gathering tools for subdomain enumeration ...Paper - semi-automated information gathering tools for subdomain enumeration ...
Paper - semi-automated information gathering tools for subdomain enumeration ...
idsecconf
 
Reconnaissance not always about resources
Reconnaissance not always about resourcesReconnaissance not always about resources
Reconnaissance not always about resources
idsecconf
 
Case Study on supply chain attack-how an rce in jenkins leads to data breache...
Case Study on supply chain attack-how an rce in jenkins leads to data breache...Case Study on supply chain attack-how an rce in jenkins leads to data breache...
Case Study on supply chain attack-how an rce in jenkins leads to data breache...
idsecconf
 
A tale story of building and maturing threat hunting program
A tale story of building and maturing threat hunting programA tale story of building and maturing threat hunting program
A tale story of building and maturing threat hunting program
idsecconf
 

More from idsecconf (20)

idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
 
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
 
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
 
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
 
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdfNosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
 
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
 
Utian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdfUtian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdf
 
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
Perkembangan infrastruktur kunci publik di indonesia - Andika TriwidadaPerkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
 
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabellaHacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
 
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi DwiantoDevsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
 
Stream crime
Stream crime Stream crime
Stream crime
 
(Paper) Mips botnet worm with open wrt sdk toolchains
(Paper) Mips botnet worm with open wrt sdk toolchains(Paper) Mips botnet worm with open wrt sdk toolchains
(Paper) Mips botnet worm with open wrt sdk toolchains
 
Mips router targeted worm botnet
Mips router targeted worm botnetMips router targeted worm botnet
Mips router targeted worm botnet
 
The achilles heel of GPN Card implementation
The achilles heel of GPN Card implementationThe achilles heel of GPN Card implementation
The achilles heel of GPN Card implementation
 
iot hacking, smartlockpick
iot hacking, smartlockpick iot hacking, smartlockpick
iot hacking, smartlockpick
 
Paper - semi-automated information gathering tools for subdomain enumeration ...
Paper - semi-automated information gathering tools for subdomain enumeration ...Paper - semi-automated information gathering tools for subdomain enumeration ...
Paper - semi-automated information gathering tools for subdomain enumeration ...
 
Reconnaissance not always about resources
Reconnaissance not always about resourcesReconnaissance not always about resources
Reconnaissance not always about resources
 
Case Study on supply chain attack-how an rce in jenkins leads to data breache...
Case Study on supply chain attack-how an rce in jenkins leads to data breache...Case Study on supply chain attack-how an rce in jenkins leads to data breache...
Case Study on supply chain attack-how an rce in jenkins leads to data breache...
 
A tale story of building and maturing threat hunting program
A tale story of building and maturing threat hunting programA tale story of building and maturing threat hunting program
A tale story of building and maturing threat hunting program
 

Recently uploaded

一比一原版(爱大毕业证书)爱荷华大学毕业证如何办理
一比一原版(爱大毕业证书)爱荷华大学毕业证如何办理一比一原版(爱大毕业证书)爱荷华大学毕业证如何办理
一比一原版(爱大毕业证书)爱荷华大学毕业证如何办理
ygdi1tl
 
一比一原版(ui毕业证书)爱达荷大学毕业证如何办理
一比一原版(ui毕业证书)爱达荷大学毕业证如何办理一比一原版(ui毕业证书)爱达荷大学毕业证如何办理
一比一原版(ui毕业证书)爱达荷大学毕业证如何办理
ygdi1tl
 
一比一原版(dpu毕业证书)德保罗大学毕业证如何办理
一比一原版(dpu毕业证书)德保罗大学毕业证如何办理一比一原版(dpu毕业证书)德保罗大学毕业证如何办理
一比一原版(dpu毕业证书)德保罗大学毕业证如何办理
ygdi1tl
 
一比一原版(uiuc毕业证书)伊利诺伊大学香槟分校毕业证如何办理
一比一原版(uiuc毕业证书)伊利诺伊大学香槟分校毕业证如何办理一比一原版(uiuc毕业证书)伊利诺伊大学香槟分校毕业证如何办理
一比一原版(uiuc毕业证书)伊利诺伊大学香槟分校毕业证如何办理
ygdi1tl
 
Promt software engineer rEngineering.pdf
Promt software engineer rEngineering.pdfPromt software engineer rEngineering.pdf
Promt software engineer rEngineering.pdf
philipjuuu
 
MUWP SOLUTION by MUWPAY Bridging the current defi world to the future with
MUWP SOLUTION by MUWPAY Bridging the current defi world to the future withMUWP SOLUTION by MUWPAY Bridging the current defi world to the future with
MUWP SOLUTION by MUWPAY Bridging the current defi world to the future with
YvesTshefu1
 

Recently uploaded (6)

一比一原版(爱大毕业证书)爱荷华大学毕业证如何办理
一比一原版(爱大毕业证书)爱荷华大学毕业证如何办理一比一原版(爱大毕业证书)爱荷华大学毕业证如何办理
一比一原版(爱大毕业证书)爱荷华大学毕业证如何办理
 
一比一原版(ui毕业证书)爱达荷大学毕业证如何办理
一比一原版(ui毕业证书)爱达荷大学毕业证如何办理一比一原版(ui毕业证书)爱达荷大学毕业证如何办理
一比一原版(ui毕业证书)爱达荷大学毕业证如何办理
 
一比一原版(dpu毕业证书)德保罗大学毕业证如何办理
一比一原版(dpu毕业证书)德保罗大学毕业证如何办理一比一原版(dpu毕业证书)德保罗大学毕业证如何办理
一比一原版(dpu毕业证书)德保罗大学毕业证如何办理
 
一比一原版(uiuc毕业证书)伊利诺伊大学香槟分校毕业证如何办理
一比一原版(uiuc毕业证书)伊利诺伊大学香槟分校毕业证如何办理一比一原版(uiuc毕业证书)伊利诺伊大学香槟分校毕业证如何办理
一比一原版(uiuc毕业证书)伊利诺伊大学香槟分校毕业证如何办理
 
Promt software engineer rEngineering.pdf
Promt software engineer rEngineering.pdfPromt software engineer rEngineering.pdf
Promt software engineer rEngineering.pdf
 
MUWP SOLUTION by MUWPAY Bridging the current defi world to the future with
MUWP SOLUTION by MUWPAY Bridging the current defi world to the future withMUWP SOLUTION by MUWPAY Bridging the current defi world to the future with
MUWP SOLUTION by MUWPAY Bridging the current defi world to the future with
 

idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat em.pdf

  • 1. By Aan @petruknisme Hide `n seek with Android App Protections & Beat `em
  • 2. HELLO! I’m… Aan Wahyu a.k.a petruknisme ● Lead Security Consultant @ Horangi ● Infosec Enthusiast & Part-time coder ● Passionate with OSINT, RE, and Red Team
  • 3. Background Along with the rapid development of mobile application technology meeting various needs and providing convenience to their users. In this case, significant developments are also needed in the security aspect that guarantees privacy and security, especially user data. Therefore, a penetration testing or application audit process is needed to ensure that an application is suitable for use by the public. If this is not done properly, there is a high possibility of data leakage resulting in losses on the user side and on the company.
  • 4. Background To prevent modification, manipulation or hacking, it is not uncommon for developers to apply protection to applications. This aims to minimize losses that could occur. As someone who works as a penetration tester, For applications can be tested properly, it is often necessary to bypass the implemented protection so that the required tools or processes can run according to the predetermined penetration testing workflow.
  • 5. Table of contents Root Detection 01 03 02 04 SSL Pinning Anti Emulation Frida Detection
  • 7. Root Detection To prevent modifications or manipulations that impact the application, root detection is implemented. Basically, the application will check files that are indicated to be part of the rooted device and when it finds this indication, the application will prevent access or perform an exit/crash so that the application cannot run on a rooted device.
  • 8. Checking the BUILD tag for test-keys Checking SU binary and installed root package Root Detection Methods Checking common root cloaking apps Checking permission for system directory Checking dangerous props Many more
  • 11. Reverse Engineering Apk Process Several processes are required in reverse engineering an APK. Start by unpacking the APK using an archive extractor such as WinRAR, WinZip, etc. After that, the dex file will be disassembled and decompiled into java source which is still a java class file.
  • 12. 01.1 Bypassing root detection using manual modification of smali Manual Modification
  • 13. Extracting Apk To bypass root detection using the smali patch method, the first step that must be done is to extract the content in the apk using apktool
  • 14. Searching the right function Then we can search for the word isRooted with the help of a code editor. In this example case, the isRooted function is in the Rootbeer.smali file As you can see, isRooted function are calling other function for checking: 1. Su Binary 2. RW Paths 3. Root via Native Checks 4. Magisk Specific checks 5. etc
  • 15. Bypassing checkForSuBinary In the checkForSuBinary() function, change move-result v0 to const/4 v0, 0x0 with the aim of making the value of the variable v0 false instead of to taking a dynamic value from the result of the checkForBinary() function .method public checkForSuBinary()Z .locals 1 const-string v0, "su" .line 160 invoke-virtual {p0, v0}, Lcom/scottyab/rootbeer/RootBeer;->checkForBinary(Ljava/lang/String;)Z const/4 v0, 0x0 <-- Edited return v0
  • 16. Bypassing checkSuExist In the checkSuExist() function, change value of v0 to 0x0 after if-eqz v2
  • 17. Bypassing checkForRWPaths In the checkForRWPaths() function, add return v1 at the end of the function so that the function always returns false because the v1 variable is already false.
  • 18. Bypassing checkForRootNative In the checkForRootNative() function, change the v1 value at the end of the function to 0x0 so that the returned value is false. .method public checkForRootNative()Z ---------------------SNIPPET------------- if-lez v0, :cond_2 const/4 v1, 0x0 <-- Edited :catch_0 :cond_2 return v1 .end method
  • 19. Bypassing checkForMagiskBinary In the checkForMagiskBinary() function, change move-result v0 to const/4 v0, 0x0 with the aim of making the value of the variable v0 false instead of taking a dynamic value from the result of the checkForBinary() function
  • 20. Rebuild, sign and install
  • 21. Result We are successfully bypassing root detection with manual modification of smali files
  • 22. 01.2 Bypassing root detection using frida instrumentation Frida Instrumentation
  • 23. Frida Instrumentation As we know, we need to bypass these protection to be able to run the app in rooted device: ● SU Binary ● RW Paths ● Root via Native Checks ● Magisk Specific Checks I assume that we already know how to write frida script. For the first step, we will try to hook one of the function to make sure that our script is working
  • 25. Final frida Script For the rest of functions, we just need to copy and modify with the function name that we will hook. But, for keeping it simple(KISS) and follow DRY principle, I’ve modified the script to be more simple, short, and easy to understand.
  • 27. 01.3 Bypassing root detection using objection Objection
  • 28. What? objection is a runtime mobile exploration toolkit, powered by Frida, built to help you assess the security posture of your mobile applications, without needing a jailbreak. ● Supports both iOS and Android. ● Inspect and interact with container file systems. ● Bypass SSL pinning. ● Dump keychains. ● Perform memory related tasks, such as dumping & patching. ● Explore and manipulate objects on the heap. ● And much, much more… Installation Installation is simply a matter of pip3 install objection. This will give you the objection command. You can update an existing objection installation with pip3 install --upgrade objection.
  • 30. No need script, only command line
  • 31. No need script, only command line Partially success bypassing rootbeer checker with objection command “android root disable”
  • 32. Hook & patch the right function Before patching the functions, we need to know the class first android hooking list class_methods com.example.app.class
  • 33. Set return value After we know the right class_methods, we can set the return value android hooking set return_value com.app.example.class.method
  • 34. 01.4 Bypassing root detection using Magisk Zygisk Magisk Zygisk
  • 35. Magisk In simple terms, Magisk is a tool to help users gain root access by patching the ROM. For further information regarding installation and configuration, please refer to https://github.com/topjohnwu/Magisk The easiest method is to rely on Zygisk Denylist in the Magisk application. To be able to enjoy Zygisk, Magisk version that must be installed is v24.1+.
  • 36. Setup
  • 37. Setup
  • 40. SSL Pinning SSL pinning is a technique that helps to prevent MiTM attacks by hardcoding the SSL/TLS certificate’s public key into the app or device. This means that when the app or device communicates with the server, it will compare the server’s SSL/TLS certificate’s public key with the one that is hardcoded into the app or device. https://www.indusface.com/learning/what-is-ssl-pinning-a-quick-walk-through/
  • 41. 02.1 Bypassing SSL Pinning using manual modification of smali Manual Modification
  • 42. Manual In this discussion, I will start by explaining how we can bypass the SSL Pinning process by manually modifying smalis. The target that will be used in this case study is an android application that use Cordova Framework. When connecting to the server, the application refused the connection because the certificate on the device did not match, because I was intercept the traffic using Burp Suite. With the help of “adb logcat | logcat-color”, I can find out the error message given by the application when it refuses a connection to the server.
  • 43. Manual As you can see, android certificate pinning is failing and complaining about mismatch certificate hash. Our peer certificate chain is for PortSwigger(BurpSuite), but the Pinned Certificate for a domain(masked) is defined in the android resource file.
  • 44. Best Approach Decompile apk and search for the right string. In this case, the file containing the word is in resource/assets/www/pinning/ . After knowing which file is appropriate, the next step is to modify the string sha256/dGxxxxx to sha256/fKxxxxx referring to the previous error message.
  • 47. 02.2 Bypassing SSL Pinning using Objection Objection
  • 48. Approach As in the discussion for bypassing root detection, we can also do the same thing with the help of objection. There are two methods that can be done, using the built-in objection feature or manual patching of the return_value from class_method. For the study case, we will use https://github.com/httptoolkit/android-s sl-pinning-demo/releases/download/v1. 3.1/pinning-demo.apk
  • 53. 02.3 Bypassing SSL Pinning using Frida Frida
  • 54. Frida For bypassing SSL Pinning with Frida, we can use frida codeshare or create our own script.
  • 55. Frida-codeshare Bypassing previous ssl pinning protection that failed when using objection, we can use frida codeshare from https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/
  • 56. Frida scripting For manual approach, we can search the right function, hook, replace the return value same as in the bypassing root detection
  • 57. 02.4 Bypassing Flutter SSL Pinning Bypassing Flutter
  • 58. Flutter One of the reasons it is difficult to bypass SSL Pinning in Flutter is because Flutter compiles the code into native machine code. This makes common techniques such as method hooking or code injection in SSL Pinning bypass unable to be carried out, even the experiments that we have carried out previously. Flutter ignores proxy settings on the device so that applications cannot be intercepted. If in the previous case the application would error when passing through the proxy without the SSL pinning bypass process, this does not apply to Flutter because the application will only make a direct connection to the server without passing through the proxy even though it has been set on the device.
  • 62. 02.4.1 Bypassing Flutter SSL Pinning using reFlutter reFlutter
  • 63. reFlutter This framework helps with Flutter apps reverse engineering using the patched version of the Flutter library which is already compiled and ready for app repacking. This library has snapshot deserialization process modified to allow you perform dynamic analysis in a convenient way. Key features: ● socket.cc is patched for traffic monitoring and interception; ● dart.cc is modified to print classes, functions and some fields; ● display absolute code offset for functions ● contains minor changes for successfull compilation; ● if you would like to implement your own patches, there is manual Flutter code change is supported using specially crafted Dockerfile
  • 67. 02.4.1 Bypassing Flutter SSL Pinning Ghidra & Frida pattern matching Frida Pattern Matching
  • 68. Concepts Referring to the article https://blog.nviso.eu/2022/08/18/intercept-flutter-traffic-on-ios-and-android-http-h ttps-dio-pinning/, to bypass SSL pinning on Flutter , we can use the pattern matching method after knowing the pattern of the SSL pinning checking offset address. In simple terms, the steps taken are: ● Find references to the string “x509.cc” and compare them to x509.cc to find session_verify_cert_chain ● Find references to the method you identified in order to identify ssl_verify_peer_cert
  • 71. Concepts Alternatively, we can use Frida’s pattern matching engine to search for functions that look very similar to the function from the demo app. The first bytes of a function are typically very stable, as long as the number of local variables and function arguments don’t change. Still, different compilers may generate different assembly code (e.g. usage of different registers or optimisations) so we do need to have some wildcards in our pattern. https://blog.nviso.eu/2022/08/18/intercept-flutter-traffic-on-ios-and-android-http-https-dio-pinning/
  • 74. Emulator Detection Emulators are usually used to make it easier for reverse engineers, hackers or pentesters to run applications without needing to have the original device. Because usually, emulators can be easily created and deleted when there are errors or different needs, whereas the original device cannot. It is not uncommon for malware developers to use this check to ensure that their application is able to obtain or control the victim's original data or device. For this case study, we will use https://github.com/reveny/Android-Emulator-Detection/ The app detect emulator with this checks: ● checkHardware(); ● checkMounts(); ● checkModules(); ● checkCPU(); ● checkFiles(); ● checkCPUArchitecture();
  • 76. Concepts Different from the previous discussion, this time our target is using the Java Native Interface. So, we can't do hooking like we did before. This is because all checking processes occur in libraries that have been compiled into objects. In this example, all the checks are in the libemulatordetector.so file. The first thing we have to do is find out what JNI functions are available, you can use Frida's help or use nm demangle.
  • 77. Bypass To bypass, the first thing to do is tracing with frida-trace. In this case, I will specifically look for the dlopen function because this function is usually used to load shared libraries. It can be seen that what is used is android_dlopen_ext to load the shared library file libemulatordetector.so. So with this info, we can create code to hook Frida.
  • 78. When we run Frida with this code, we can see that libemulatordetector.so is loaded from the android_dlopen_ext function
  • 83. Concepts In some cases, developers create protection so that the application checks the existence of Frida on the device. This is to prevent pentesters/hackers from being able to run Binary Instruments using Frida as in the previous discussion. There are several mechanisms used to detect the presence of frida, including: ● Detection of named pipes used by Frida ● Detect frida specific thread names ● Detect the port used by Frida ● Etc For this discussion, I used a customized application to detect frida existence
  • 84. Concepts In some cases, developers create protection so that the application checks the existence of Frida on the device. This is to prevent pentesters/hackers from being able to run Binary Instruments using Frida as in the previous discussion. There are several mechanisms used to detect the presence of frida, including: ● Detection of named pipes used by Frida ● Detect frida specific thread names ● Detect the port used by Frida ● Etc For this discussion, I used a customized application to detect frida existence
  • 86. Frida-server detection The mechanism used by the application to detect frida-server is to check whether there are files in /data/local/tmp/frida-se rver.
  • 88. /proc detection The mechanism used is to check /proc/self/maps to detect the presence of frida-agent
  • 90. Default frida port detection Another mechanism is to check the default Frida port, if the default port can be accessed then that indicates Frida is running
  • 91. Default frida port detection To bypass this protection, we can change the default port used when running frida-server with the following command
  • 92. Default frida port detection
  • 93. Frida Thread Detection The application detects the Frida thread by checking /proc/self/task/<PID>/status and comparing its contents with FRIDA_THREAD_GUM_JS_LOOP and FRIDA_THREAD_GMAIN.
  • 94. Frida Thread Detection To bypass this protection, we can easily manipulate the strstr function every time we find the specified words
  • 95. CREDITS: This presentation template was created by Slidesgo, and includes icons by Flaticon, and infographics & images by Freepik Thanks! me@petruknisme t.me/@petruknisme linkedin.com/in/aancw Do you have any questions? Please keep this slide for attribution