Dynamic Analysis
A guide to Mobile Penetration Testing (Dynamic Analysis) including SSL Pinning Bypass, Frida and Objection.
Last updated
Was this helpful?
A guide to Mobile Penetration Testing (Dynamic Analysis) including SSL Pinning Bypass, Frida and Objection.
Last updated
Was this helpful?
From ADB Shell, run the following command to detect the architecture of the device:
References:
ARM: Architecture of CPU ARMv7 or armeabi
ARM64: Architecture of CPU Aarch64, arm64 or arm64-v8a
x86: Architecture of CPU x86 or x86abi
Download the latest (or custom) version of Frida Server and Gadget with .
I.e.: for Frida Server on x86 architecture in its latest version:
Frida CodeShare:
Frida Releases:
Move frida-server into Android Device with ADB and give it proper permissions for execution:
Now to get ready to use Frida Server, it's just required to run the binary frida-server as root:
Run Frida script to disable SSL Pinning, Root detection, and many other techniques with Frida:
/lib/ folderDecompile the APK with apktool:
Download and copy frida Gadget files in /lib/ (libraries) folders:
Compile again the APK with Frida Gadget injected:
Uber Apk Signer:
Objection:
Finally, Install the APK with adb shell:
frida-gadgetGeneric command:
Useful command when standard command not works:
Install the APK with ADB:
Detect current apps in execution with:
Run Frida with scripts to bypass Root Detection:
Detect current apps in execution with:
Now run the follows with objection:
Disable SSL Pinning and Root detection
All-in-one setup in Ubuntu which provides the optimal setup/environment for android pentesting, including common tools such as Frida and Objection.
Running these tools in Docker has a lot of benefits, especially ensuring that there will be not error of dependencies using the tools as well python/pip packages.
Also supports ADB connection via USB and Wireless.
Included by default tools such as Frida and Objection using a Python environment.
Customizable Ubuntu container.
Latest version of every tool included by default in the image.
Pull the latest version
Run the container assigning the name of spotify-bug-bounty
Copy the folder with APKs inside the container
Using ADB with USB Debugging
NOTE: Ensure first that in your local machine is active adb-server and it works correctly with your devices plugged.
SSL Pinning must to be bypass in order to intercept traffic on apps. This last step for Intercept HTTPS traffic is intendend to be the final part for Dynamic Analysis once SSL Pinning (and Root Detection if it is required) was successfully bypass.
Export certificate in .cer (or .der if doesn't work) format from Burp Suite.
Move certificate to Android Device Storage:
From Settings > Privacy and Security > More security settings > Install CA Certificate from device storage (depends on each device): Install cacert.cer certificate as authority certificate. (This allows Android ecosystem to recognize Burp Suite as legitim Proxy).
From Wi-FI Settings on the Android Device go to your current Wi-Fi AP connected and set Manual Proxy to your local machine IP Address in the port 8081 or any one you want.
From Burp Suite go to Proxy > Proxy Settings > Proxy Listeners > Add > Specific Address (like 192.168.100.30) > Port 8081
All done! If SSL Pinning was bypassed and the Android Device is configured to proxy all traffic to our Burp Suite listener proxy, we will be able to intercept and manipulate the application's requests and responses and interact in detail.
Sign the APK/APKs with Objection or
