Unlocking Barriers: Bypassing Security Checks & SDK Protection

Frida & Objection: Exploration Toolkits

Frida

• Dynamic instrumentation toolkit
• Debug live processes
• Scriptable
• Execute your own debug scripts

inside another process

• Cross-platform
• Open Source

Objection

• Runtime mobile exploration toolkit
• Powered by Frida
• Explore and manipulate applications at runtime
• Dynamic & static application data inspection
• Cross-platform
• Open Source

​

$ pip install frida-tools

$ pip install objection

Android App Defences

There are multiple defences that Android developers use to protect their apps from attackers.

They include:

• Root check
• Anti Emulation / Anti-VM checks
• Checksum Controls
• Anti-Debug checks
• SSL Pinning
• Obfuscation

Root detection

Emulator detection

Checksum Controls�

Anti-Debug checks

Anti-Debug checks

SSL Pinning

Obfuscation

Case 1.

Case 2.

Case 2.

Case 3.

• Method 1: Inject a libfrida-gadget.so as a dependency to a native library inside of APK
• Method 2: Injecting into bytecode

Case 3.

Case 3.

wget https://github.com/frida/frida/releases/download/12.8.8/frida-gadget-12.8.8-android-arm64.so.xz �unxz -d frida-gadget-12.8.8-android-arm64.so.xz

apktool d -rs target.apk

cp frida-gadget-12.8.8-android-arm64.so target/lib/arm64-v8a/libfrida-gadget.so

#!/usr/bin/env python3 �import lief libnative = lief.parse("target/lib/arm64-v8a/libfromapk.so") �libnative.add_library("libfrida-gadget.so") # Injection! �libnative.write("target/lib/arm64-v8a/libfromapk.so")

https://github.com/lief-project/LIEF

python3 inject-gadget.py

apktool b target

java -jar uber-apk-signer-1.1.0.jar -a ./target/dist/target.apk

Case 3.

# direct methods �.method constructor <init>(Lcom/some/packet/activity/MainActivity;)V� .locals 0 � ....� const-string v0, "frida-gadget“� invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V � return-void� .end method

wget https://github.com/frida/frida/releases/download/12.8.8/frida-gadget-12.8.8-android-arm64.so.xz �unxz -d frida-gadget-12.8.8-android-arm64.so.xz

cp frida-gadget-12.8.8-android-arm64.so target/lib/arm64-v8a/libfrida-gadget.so

java -jar uber-apk-signer-1.1.0.jar -a ./target/dist/target.apk

apktool b target

References

https://fadeevab.com/frida-gadget-injection-on-android-no-root-2-methods/

https://github.com/open-obfuscator/o-mvll

https://enovella.github.io/android/reverse/2017/05/20/android-owasp-crackmes-level-3.html

​

https://owasp.org/www-project-mobile-top-10/2014-risks/m10-lack-of-binary-protections

https://github.com/MobSF/Mobile-Security-Framework-MobSF

https://securitygrind.com/ssl-pinning-bypass-with-frida-gadget-gadget-injector-py/

https://beta.pithus.org/

https://github.com/AndnixSH/APKToolGUI