Install ADB and JADX. Use Android Studio (AVD), Genymotion or Nox for an emulator.
Burp
In Burp, add a proxy listener on all interfaces on port 8082 (or any other unused port) and export the CA certificate as cacert.der.
Long-press the Wi-Fi network on the phone and configure the proxy (localhost:8082 in this setup).
Install the exported .der certificate as a .cer file: rename it, copy it to the device and import it from the security settings.
Note that on Android 7 and later an app trusts a user-installed CA only if its network security config allows it, so the certificate may need to go into the system store (or the app's config be patched) before interception works.
Enable USB Debugging
Tap "Build Number" seven times.
Go to Developer Options and enable USB Debugging.
Install ADB
sudo apt install adb
ADB Connect
Switch on Wi-Fi and obtain the IP address of the device.
Start an ADB server locally and connect to the device over TCP (port 5555):
adb connect 192.168.232.2:5555
Check for connected devices
adb devices
Pull APK from physical/emulator phone
# List installed packages and find the app
adb shell pm list packages | grep "appname"
# Get the installation path of the package (split APKs return one line per APK)
adb shell pm path <package_name>
# Pull the APK from the path(s) returned above
adb pull <installation_path> appname_pulled.apk
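The three pull steps above wrapped in a small script, added here as an example (it is not part of the original notes; `adb` is the real tool, the function names are this example's own). The point it adds is the split-APK case: an app installed from an app bundle has a base.apk plus split_*.apk files, and `pm path` lists all of them, so every line has to be pulled or the app cannot be reinstalled from the pulled files. The `pm path` output below is constructed.

```python
"""Pull an installed app's APK(s) from a device with adb.

Added example, not from the original notes. Assumes `adb` is on PATH and
exactly one device is connected.
"""
from __future__ import annotations

import subprocess
import sys
from pathlib import PurePosixPath

ADB = "adb"  # assumption: adb on PATH, one connected device

# Constructed sample of `adb shell pm path <pkg>` for an app installed as split APKs.
SAMPLE_PM_PATH_OUTPUT = (
    "package:/data/app/~~Qx1==/com.example.app-Ab2==/base.apk\n"
    "package:/data/app/~~Qx1==/com.example.app-Ab2==/split_config.arm64_v8a.apk\n"
)


def parse_pm_path(output: str) -> list[str]:
    """Parse `pm path` output: one `package:<path>` line per APK.

    A single-APK install yields one path; a split install yields base.apk plus
    one split_*.apk per config. Anything else (e.g. an error line) is ignored.
    """
    paths = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            paths.append(line[len("package:"):])
    return paths


def pull_commands(paths: list[str], prefix: str) -> list[list[str]]:
    """Build one `adb pull` argv per APK; the local name keeps the on-device file name."""
    cmds = []
    for path in paths:
        name = PurePosixPath(path).name  # base.apk, split_config.arm64_v8a.apk, ...
        cmds.append([ADB, "pull", path, f"{prefix}_{name}"])
    return cmds


def pull_package(package: str, prefix: str) -> list[str]:
    """Resolve the install path(s) of `package` and pull every APK. Returns local names."""
    proc = subprocess.run([ADB, "shell", "pm", "path", package],
                          capture_output=True, text=True, check=True)
    paths = parse_pm_path(proc.stdout)
    if not paths:
        raise RuntimeError(f"{package}: pm path returned no APK (not installed?)")
    pulled = []
    for cmd in pull_commands(paths, prefix):
        subprocess.run(cmd, check=True)
        pulled.append(cmd[-1])
    return pulled


if __name__ == "__main__":
    # usage: python pull_apk.py com.example.app
    pkg = sys.argv[1] if len(sys.argv) > 1 else "com.example.app"
    print("\n".join(pull_package(pkg, pkg.rsplit(".", 1)[-1])))
```

Re-installing a split app later means `adb install-multiple` with all pulled files, not a plain `adb install` of base.apk.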
adb shell
# Start Activity
am start b3mac.appname/.b123Activity
APK Tool
# Decompile APK (resources and smali)
apktool d appname.apk
# Without decoding resources
apktool d -r appname.apk
AWS & Firebase Enumeration
# AWS (search by keyword)
cloud_enum -k company
# Firebase
# Search for a keyword
python3 firebaseEnum.py -k company
Patching APK using Objection
Objection and Frida
The order of installation matters: install frida-tools first, then objection.
pip3 install frida-tools
pip3 install objection
To patch the application, go to the directory containing the APK and run objection:
objection patchapk --source app.apk
# If the above command gives an error "No module named pkg_resources"
pip install --force-reinstall -U setuptools
# If you get an error "Unable to find aapt..", add the build-tools directory to PATH, e.g.
# C:\Users\sid\AppData\Local\Android\Sdk\build-tools\35.0.0
Install the generated .objection.apk on the device (uninstall the original app first).
To inject the Frida gadget by hand instead, go to the "lib" folder of the decompiled APK.
First find the architecture of the device and put the gadget in the matching directory (e.g. x86_64 or x86 for emulators, armeabi-v7a or arm64-v8a for phones).
Download the Frida gadget for that architecture and Frida version and copy it into the lib directory.
# download frida gadget - for 32bit ARM in this case
$ wget https://github.com/frida/frida/releases/download/9.1.26/frida-gadget-9.1.26-android-arm.so.xz
# extract the compressed archive
$ unxz frida-gadget-9.1.26-android-arm.so.xz
$ ls
frida-gadget-9.1.26-android-arm.so
# copy the frida gadget library into the armeabi directory under lib
# note that the gadget is renamed to "libfrida-gadget.so" so it can be loaded as "frida-gadget"
$ cp frida_libs/armeabi/frida-gadget-9.1.26-android-arm.so out_dir/lib/armeabi/libfrida-gadget.so
Inject a System.loadLibrary("frida-gadget") call into the bytecode of the app, ideally before any other bytecode executes or any native code is loaded. A suitable place is typically the static initializer of the entry point classes of the app, e.g. the main application Activity, found via the manifest.
An easy way to do this is to add a smali call to System.loadLibrary("frida-gadget") in a suitable method.
Go to the smali/ directory and find the activity that is launched when the application starts (the launcher activity in the manifest).
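A script that performs the loadLibrary injection described above, added here as an example (it is not part of the original notes or of the Frida project). It embeds the two-instruction smali snippet (`const-string` plus `invoke-static ... System;->loadLibrary`) and puts it at the top of the class's static initializer, handling the two cases that trip people up by hand: a `<clinit>` whose `.locals` is 0 (the snippet needs register v0, so the count must be raised), and a class that has no `<clinit>` at all (one is appended). The sample activity at the bottom is constructed; the function names are this example's own.

```python
"""Insert a System.loadLibrary("frida-gadget") call into a smali class.

Added example, not from the original notes or the Frida project. Input is a
.smali file as written by `apktool d`; the gadget must already be in
lib/<abi>/libfrida-gadget.so for the call to succeed at runtime.
"""
from __future__ import annotations

import re
import sys

CLINIT_HEADER = ".method static constructor <clinit>()V"
# `.locals N` / `.registers N` declares how many registers a method may use
REGISTER_DIRECTIVE = re.compile(r"^(\s*)\.(locals|registers)\s+(\d+)\s*$")


def load_library_snippet(lib: str) -> list[str]:
    """smali equivalent of `System.loadLibrary(lib)`; it needs register v0."""
    return [
        f'    const-string v0, "{lib}"',
        "",
        "    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V",
    ]


def inject_load_library(smali: str, lib: str = "frida-gadget") -> str:
    """Return `smali` with the loadLibrary call at the top of <clinit>.

    * class already loads `lib`  -> returned unchanged (safe to run twice)
    * <clinit> exists            -> call inserted right after .locals/.registers,
                                    raised to 1 when it is 0 so that v0 exists
    * no <clinit>                -> a minimal static initializer is appended
    """
    lines = smali.splitlines()
    if any(f'"{lib}"' in l for l in lines) and any("loadLibrary" in l for l in lines):
        return smali

    start = next((i for i, l in enumerate(lines) if l.strip() == CLINIT_HEADER), None)
    if start is None:
        new_method = ["", CLINIT_HEADER, "    .locals 1", "",
                      *load_library_snippet(lib), "", "    return-void", ".end method"]
        return "\n".join(lines + new_method) + "\n"

    for i in range(start + 1, len(lines)):
        m = REGISTER_DIRECTIVE.match(lines[i])
        if m:
            if int(m.group(3)) < 1:
                lines[i] = f"{m.group(1)}.{m.group(2)} 1"
            # insert before any existing code, so v0 is not yet in use
            lines[i + 1:i + 1] = [""] + load_library_snippet(lib)
            return "\n".join(lines) + "\n"
        if lines[i].strip() == ".end method":
            break
    raise ValueError("<clinit> has no .locals/.registers directive")


# Constructed sample: a launcher Activity whose <clinit> declares no registers.
SAMPLE_ACTIVITY = """\
.class public Lcom/example/MainActivity;
.super Landroid/app/Activity;

.method static constructor <clinit>()V
    .locals 0

    return-void
.end method

.method public constructor <init>()V
    .locals 0

    invoke-direct {p0}, Landroid/app/Activity;-><init>()V

    return-void
.end method
"""

if __name__ == "__main__":
    # usage: python inject_gadget.py smali/com/example/MainActivity.smali
    if len(sys.argv) == 2:
        with open(sys.argv[1], "r+", encoding="utf-8") as f:
            patched = inject_load_library(f.read())
            f.seek(0)
            f.truncate()
            f.write(patched)
    else:
        print(inject_load_library(SAMPLE_ACTIVITY))
```

Rebuild with `apktool b` afterwards; the library name passed to loadLibrary is "frida-gadget" because Android maps it to lib<name>.so, which is why the gadget file is renamed to libfrida-gadget.so.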
Sign the updated APK with your own key and zipalign it.
Note that jarsigner only produces a v1 (JAR) signature; apps targeting Android 11 (API 30) or higher must carry a v2 or newer signature, so for those use apksigner from the build-tools, and run it after zipalign (its signature covers the whole file and is invalidated by re-aligning).
# if you don't have a keystore already, here's how to create one
$ keytool -genkey -v -keystore custom.keystore -alias mykeyaliasname -keyalg RSA -keysize 2048 -validity 10000
# sign the APK
$ jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore custom.keystore -storepass mystorepass repackaged.apk mykeyaliasname
# verify the signature you just created
$ jarsigner -verify repackaged.apk
# zipalign the APK
$ zipalign 4 repackaged.apk repackaged-final.apk
Install the updated APK to a device.
Using frida gadget
When you next start the application you will see an empty screen: the injected libfrida-gadget.so library has opened a TCP socket and waits for a connection from Frida before letting the app continue.
You should see a message similar to the following in logcat:
Frida: Listening on TCP port 27042
Running netstat on the device confirms the listening socket:
shell@flo:/ $ netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:27042 0.0.0.0:*
As you might expect, the next step is connecting to the listening socket. Most Frida tools work as expected, although there are a few issues that could be handled better, e.g. connecting to the library after initialization rather than only during loading.
There is just one thing to keep in mind: the process name to use in the Frida tooling is "Gadget" instead of the normal package name.
$ frida-ps -U
Waiting for USB device to appear...
PID Name
----- ------
16071 Gadget
$ frida-trace -U -i open Gadget
Instrumenting functions...
open: Auto-generated handler at "/tmp/test/__handlers__/libc.so/open.js"
Started tracing 1 function. Press Ctrl+C to stop.
/* TID 0x2df7 */
4870 ms open(pathname=0xa280b100, flags=0x241)
4873 ms open(pathname=0xb6d69df3, flags=0x2)
/* TID 0x33d2 */
115198 ms open(pathname=0xb6d69df3, flags=0x2)
115227 ms open(pathname=0xb6d69df3, flags=0x2)
A blank screen may appear when opening the app; that means the gadget is loaded and waiting. To resume the app, attach with objection.
objection explore
We can now disable SSL pinning.
android sslpinning disable
We could also monitor the clipboard, dump memory, check for root detection, run commands, etc.
help
list
The `run app.*` modules that follow are drozer console commands (objection has its own `android` commands, such as the SSL pinning one above).
# Debuggable Packages
run app.package.debuggable
# Obtain package name of app
run app.package.list -f app_name
# Get info about the app
run app.package.info -a sid.thoviti.app
# View Manifest file
run app.package.manifest sid.thoviti.app
# Identify App's Attack Surface
run app.package.attacksurface sid.thoviti.app
# View the Exported Activities
run app.activity.info -a sid.thoviti.app
# Exploit and Invoke an activity
run app.activity.start --component sid.thoviti.app sid.thoviti.app.ActivityName
# List Services running via Package
run app.service.info -a <package_name>
# Start a service via app
run app.service.start --action <nameoftheservice> --component <nameofthepackage> <nameoftheservice>
# List Broadcast Receivers
run app.broadcast.info -a <packagename>
# Exploit Broadcast Receivers (Example of SMS)
run app.broadcast.send --action <nameofthebroadcast> --component <nameofthepackage> <nameofthebroadcastreceiver> --extra string phonenumber <phonenumber> --extra string message <anymessage>
# List Content Providers