1 of 18

Unlocking Barriers: Bypassing Security Checks & SDK Protection

2 of 18

Frida & Objection: Exploration Toolkits

Frida

  • Dynamic instrumentation toolkit
    • Debug live processes
  • Scriptable
    • Execute your own debug scripts inside another process

  • Cross-platform
  • Open Source

Objection

  • Runtime mobile exploration toolkit
    • Powered by Frida
    • Explore and manipulate applications at runtime
  • Dynamic & static application data inspection
  • Cross-platform
  • Open Source

$ pip install frida-tools

$ pip install objection

3 of 18

Android App Defences

There are multiple defences that Android developers use to protect their apps from attackers.

They include:

    • Root check
    • Anti Emulation / Anti-VM checks
    • Checksum Controls
    • Anti-Debug checks
    • SSL Pinning
    • Obfuscation

4 of 18

Root detection

5 of 18

Emulator detection

6 of 18

Checksum Controls

7 of 18

Anti-Debug checks

8 of 18

Anti-Debug checks

9 of 18

SSL Pinning

10 of 18

Obfuscation

11 of 18

Case 1.

12 of 18

Case 2.

13 of 18

Case 2.

14 of 18

Case 3.

    • Method 1: Inject a libfrida-gadget.so as a dependency to a native library inside of APK
    • Method 2: Injecting into bytecode

15 of 18

Case 3.

16 of 18

Case 3.

wget https://github.com/frida/frida/releases/download/12.8.8/frida-gadget-12.8.8-android-arm64.so.xz

unxz -d frida-gadget-12.8.8-android-arm64.so.xz

apktool d -rs target.apk

cp frida-gadget-12.8.8-android-arm64.so target/lib/arm64-v8a/libfrida-gadget.so

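#!/usr/bin/env python3
# inject-gadget.py
import lief

# Parse the native library shipped inside the decoded APK
libnative = lief.parse("target/lib/arm64-v8a/libfromapk.so")
# Add a DT_NEEDED entry so the loader pulls in the gadget with this library
libnative.add_library("libfrida-gadget.so")  # Injection!
# Overwrite the original library with the modified one
libnative.write("target/lib/arm64-v8a/libfromapk.so")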

python3 inject-gadget.py

apktool b target

java -jar uber-apk-signer-1.1.0.jar -a ./target/dist/target.apk

17 of 18

Case 3.

# direct methods
.method constructor <init>(Lcom/some/packet/activity/MainActivity;)V
    .locals 0
    ....
    const-string v0, "frida-gadget"
    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
    return-void
.end method

wget https://github.com/frida/frida/releases/download/12.8.8/frida-gadget-12.8.8-android-arm64.so.xz

unxz -d frida-gadget-12.8.8-android-arm64.so.xz

cp frida-gadget-12.8.8-android-arm64.so target/lib/arm64-v8a/libfrida-gadget.so

apktool b target

java -jar uber-apk-signer-1.1.0.jar -a ./target/dist/target.apk
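Both Case 3 methods change files that a checksum control can compare against the release build: Method 1 rewrites a native library and adds a new one, and Method 2 rewrites the bytecode. The following is an added example, not code from the original slides; it diffs the native libraries and DEX files of a candidate APK against a known-good release, using constructed in-memory APKs with placeholder bytes (function names and sample contents are assumptions).

```python
import hashlib
import io
import re
import zipfile

# Entries that carry executable code: native libraries and DEX bytecode
CODE_ENTRY = re.compile(r"^(lib/[^/]+/[^/]+\.so|classes\d*\.dex)$")

def code_hashes(apk_bytes):
    """Map every native library and DEX entry in an APK to its SHA-256."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return {
            name: hashlib.sha256(apk.read(name)).hexdigest()
            for name in apk.namelist()
            if CODE_ENTRY.match(name)
        }

def diff_code(release_apk, candidate_apk):
    """Report code entries added, removed or modified relative to the release."""
    good, seen = code_hashes(release_apk), code_hashes(candidate_apk)
    return {
        "added": sorted(set(seen) - set(good)),
        "removed": sorted(set(good) - set(seen)),
        "modified": sorted(n for n in good.keys() & seen.keys() if good[n] != seen[n]),
    }

def build_apk(entries):
    """Constructed sample: build a tiny in-memory APK (zip) from name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed data: placeholder bytes standing in for real ELF and DEX content
RELEASE = build_apk({
    "classes.dex": b"dex original",
    "lib/arm64-v8a/libfromapk.so": b"\x7fELF original",
})
REPACKED = build_apk({
    "classes.dex": b"dex original + loadLibrary call",
    "lib/arm64-v8a/libfromapk.so": b"\x7fELF original + extra DT_NEEDED",
    "lib/arm64-v8a/libfrida-gadget.so": b"\x7fELF gadget",
})

if __name__ == "__main__":
    print(diff_code(RELEASE, REPACKED))
```

A repackaged APK is also signed with a different certificate than the release, so a signing-certificate comparison complements this file-level check.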

18 of 18

References