
Frida - Dynamic instrumentation toolkit for developers

Frida is a free and open-source dynamic instrumentation toolkit that allows developers, reverse engineers, and security researchers to monitor and debug running processes. It also lets programmers and software and security professionals inject their own JavaScript into other processes running on Windows, Linux, Android, iOS, or macOS.

Jackson F. de A. Mafra

January 10, 2023

Transcript

  1. Getting Started with Frida
    So what exactly is Frida? Frida is a dynamic instrumentation toolkit. It is mainly created for testers, developers, and reverse-engineering enthusiasts. For mobile app security testers, Frida is like a Swiss army knife. Using Frida, we can inject our JavaScript into apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX. In recent times, the InfoSec field has been buzzing about Frida and tools built on the Frida API.

  2. IDA
    IDA is a commercial reverse-engineering tool. The pun "FRIDA" came up both as in "Free IDA" and as in the Norwegian female names Ida and Frida, where Frida could be Ida's sister: IDA is a static analysis tool and Frida is a dynamic analysis toolkit.

  3. Ghidra: Software Reverse Engineering Framework
    Ghidra is a Software Reverse Engineering (SRE) Framework developed by the National Security Agency Research Directorate for NSA's cybersecurity mission. It was created with the aim of helping pentesters and cybersecurity professionals with reverse engineering, analyzing malware and virus code, understanding potential vulnerabilities in systems and networks, etc.

  4. Manticore: Symbolic Execution Tool
    Manticore is a prototyping tool for dynamic binary analysis, with support for symbolic execution, taint analysis, and binary instrumentation. It comes with an easy-to-use command-line tool that allows you to quickly generate new program test cases with symbolic execution.

  5. Droidefense: Advanced Android Malware Analysis Framework
    Droidefense (originally named atom: analysis through observation machine) is an open source Android app scanner written in Java. It attempts to bypass every anti-analysis routine that malware may have in order to get to the code (techniques can be: VM detection, emulator detection, self certificate checking, pipe detection, TracerPid check, etc.).

  6. Some theoretical background on how Frida works
    Frida writes code directly into process memory. When you attach Frida to a running application, Frida uses ptrace in the background to hijack a thread.

  7. Some theoretical background on how Frida works
    A bootstrapper populates this thread and starts a new one, connecting to the frida-server that is running on the device and loading a dynamically generated library that contains the Frida agent along with our instrumentation code.

  8. Some theoretical background on how Frida works
    This last part is where all the magic happens. The hijacked thread is restored to its original state and resumes, and the process then continues normally.

  9. TLDR
    Frida allows:
    • Injection of your own scripts into black box processes.
    • Hooking any function.
    • Spying on crypto APIs or tracing private application code.
    • Disabling SSL pinning and root checkers.
    Frida is one of the best tools to use during application penetration testing.

  10. TLDR
    Frida toolkit:
    • Frida CLI: REPL interface that aims to emulate a lot of the nice features of IPython (or Cycript), which tries to get you closer to your code for rapid prototyping and easy debugging.
    • frida-ps: command-line tool for listing processes (very useful when interacting with a remote system).
    • frida-trace: tool for dynamically tracing function calls.
    • frida-discover: tool for discovering internal functions in a program, which can then be traced by using frida-trace.
    • frida-ls-devices: command-line tool for listing attached devices (very useful when interacting with multiple devices).
    • frida-kill: command-line tool for killing processes.

  11. Protection, protection, protection
    Some Android apps go to astounding lengths to ensure that even the owner of a device can never see the content of the app's HTTPS requests. This is problematic for security research, privacy analysis and debugging, and for control over your own device in general. It's not a purely theoretical problem either: protections like this attempt to directly block HTTPS inspection tools like HTTP Toolkit, which allow you to automatically intercept HTTPS from Android devices for inspection, testing and mocking.

  12. Protection, protection, protection
    This depends on the target application(s) trusting the debugging proxy's certificate for HTTPS traffic. These HTTP interception and mocking techniques are super useful for testing and understanding most apps, but they have issues with the small set of hyper-vigilant apps that add extra protections aiming to lock down their HTTPS traffic and block this kind of inspection.

  13. What's certificate pinning?
    By default, when an Android app makes an HTTPS connection, it makes sure that it's talking to a trusted server by comparing the issuer of the server's certificate to Android's built-in list of trusted system certificate authorities.

  14. What's certificate pinning?
    99% of apps stick with that default. You can't change the system certificate authorities on normal devices, so this list is fairly reliable and secure. You can change it on rooted devices and most emulators, though, so it's quite possible to intercept and inspect HTTPS traffic from these apps by using a debugging proxy for HTTPS interception in those environments.

  15. What's certificate pinning?
    Unfortunately, however, the last 1% which don't stick with the default configuration are more complicated. These apps include their own custom certificate validation to specify the exact HTTPS certificate issuers they're prepared to trust, instead of trusting all of the device's trusted certificate authorities. This ensures they will never trust a new certificate from a certificate authority that they don't explicitly recognize, and so won't accidentally expose HTTPS traffic to anybody other than the real server.

  16. What's certificate pinning?
    Because this blocks all except a specific list of certificate authorities, it also blocks the private certificate authorities used by HTTPS debugging proxies, and so we hit our problem.

  17. What's certificate pinning?
    Certificate pinning used to be a much more popular technique, back before Android Nougat, when Android's own certificate validation was more lax and users could easily be tricked into installing new trusted certificates on their devices.

  18. What's certificate pinning?
    It's still used on Android in some corners, particularly by very high-profile apps (e.g. Twitter) and very security-sensitive apps (e.g. banking apps, like N26 or BBVA), all of which are extremely protective of the details of how their APIs are used, and would prefer that prying eyes can't look too closely.

  19. And Frida?
    Frida lets you do things like log every time an app calls a specific method, change constants within built applications, record how values within an application change, or replace methods to disable functionality entirely.

  20. And Frida?
    This is very neat! But it's also quite intimidating if you're not familiar with low-level reverse engineering, since the internals and much of the documentation are very involved in the finer details of how applications work on each of the various target platforms.

  21. Caveats
    In theory, Frida is capable of defeating absolutely any certificate pinning you could possibly implement: if you can write some code to check a certificate, Frida can remove that code. That said, this all depends on whether the script you use is aware of the specific certificate pinning code or APIs that are used. Whether this technique works depends entirely on the combination of target app and Frida script.
  22. Frida Detection Examples
    Some random ideas for detecting Frida instrumentation from within a process:
    • Scan all local TCP ports, sending a D-Bus message to each port to identify frida-server.
    • Scan text sections for a string found inside frida-gadget*.so / frida-agent*.so. File operations are implemented in assembly to prevent easy bypassing with libc function hooks.
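As an added example (not code from the deck), the second detection idea above in a simplified, app-side form in C: instead of scanning text-section contents, it looks for Frida library names in the process memory map (/proc/self/maps on Android/Linux). The marker strings, the re.frida.server path and the sample maps lines are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>
/* Path fragments identifying Frida components on Android/Linux (assumed list; tune it). */
static const char *const FRIDA_MARKERS[] = { "frida-agent", "frida-gadget", "libfrida", "re.frida.server" };

/* Scan one maps line; returns 1 if it names a Frida mapping, else 0. */
static int line_is_frida(const char *line, size_t len) {
    char buf[512];
    if (len >= sizeof buf) len = sizeof buf - 1;  /* truncate oversized lines */
    memcpy(buf, line, len);
    buf[len] = '\0';
    for (size_t i = 0; i < sizeof FRIDA_MARKERS / sizeof FRIDA_MARKERS[0]; i++)
        if (strstr(buf, FRIDA_MARKERS[i]))
            return 1;
    return 0;
}

/* Walk a /proc/<pid>/maps dump line by line; 1 if any mapping is Frida's, else 0. */
int maps_contains_frida(const char *maps_text) {
    const char *p = maps_text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (line_is_frida(p, len)) return 1;
        if (!nl) break;
        p = nl + 1;
    }
    return 0;
}

/* Check the live map of this process: 1 found, 0 clean, -1 if /proc is unavailable.
 * fopen/fgets go through libc, which an injected agent can hook; that is why the
 * deck recommends doing these file operations via raw syscalls in assembly. */
int self_is_instrumented(void) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512];
    int found = 0;
    while (!found && fgets(line, sizeof line, f))
        found = line_is_frida(line, strlen(line));
    fclose(f);
    return found;
}

/* Constructed sample dumps (not captured from a real device). */
static const char SAMPLE_INJECTED[] = "7f1a2c000000-7f1a2c0a0000 r-xp 00000000 fd:00 1001  /system/lib64/libc.so\n"
    "7f1a2d000000-7f1a2dc00000 r-xp 00000000 fd:00 2002  /data/local/tmp/re.frida.server/frida-agent-64.so\n";
static const char SAMPLE_CLEAN[] = "7f1a2c000000-7f1a2c0a0000 r-xp 00000000 fd:00 1001  /system/lib64/libc.so\n"
    "7f1a2e000000-7f1a2e400000 r-xp 00000000 fd:00 3003  /apex/com.android.art/lib64/libart.so";
```

A name-based check like this is only a first layer: an agent that renames or unlinks its mapping, or hooks the libc calls used here, will slip past it, which is the point of the deck's assembly-level file access.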
  23. The Best Frida Flavors for Mobile App Security
    Most of the infosec community uses Frida-based tools because of the benefits and ease of use they provide. Infosec researchers have taken Frida and built many tools for different purposes. There are a lot of tools out there, but I am going to list some that are really helpful for your assessment.
    • Objection: has lots of features, is regularly updated, and is very useful for assessments.
    • RMS-Runtime-Mobile-Security: similar to Objection, but it has a web interface and currently supports Android only.
    • Grapefruit: iOS app black-box assessment tool.
    • r2frida: if you are already using Radare, r2frida makes them better together.
  24. References
    Advance Android Malware Analysis Framework – Droidefense: https://www.cyberpunk.rs/advance-android-malware-analysis-framework-droidefense
    Symbolic Execution Tool – Manticore: https://www.cyberpunk.rs/symbolic-execution-tool-manticor
    Ghidra: Software Reverse Engineering Framework: https://www.cyberpunk.rs/ghidra-software-reverse-engineering-framework
    IDA - A powerful disassembler and a versatile debugger: https://www.hex-rays.com/ida-pro/
    LevelUp 0x04 - Fun with Frida on Mobile: https://www.youtube.com/watch?v=dqA38-1UMxI

  25. Tools and References
    objection - Runtime Mobile Exploration: https://github.com/sensepost/objection (screenshots: https://github.com/sensepost/objection/wiki/Screenshots)
    Don't Hack Apps, Hackers Do: Securing Android Apps Against Frida: https://www.preemptive.com/securing-android-apps-against-frida/
    Dynamic Instrumentation Toolkit – Frida: https://www.cyberpunk.rs/dynamic-instrumentation-toolkit-frida
    The Jiu-Jitsu of Detecting Frida: https://web.archive.org/web/20200310081321/https://www.vantagepoint.sg/blog/90-the-jiu-jitsu-of-detecting-frida

  26. References
    How to hook Android Native methods with Frida (Noob Friendly): https://erev0s.com/blog/how-hook-android-native-methods-frida-noob-friendly/#setting-up-our-testing-environment
    Frida Cheatsheet and Code Snippets for Android: https://erev0s.com/blog/frida-code-snippets-for-android/
    Defeating Android Certificate Pinning with Frida: https://httptoolkit.com/blog/frida-certificate-pinning/
    Mobile App Tampering and Reverse Engineering: https://github.com/OWASP/owasp-mastg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md
    How to Block Frida Instrumentation Exploits in Android & iOS apps: https://www.appdome.com/how-to/mobile-malware-prevention/frida-instrumentation-attacks/block-frida-instrumentation-exploits-in-android-ios-apps/

  27. References
    Frida on non-rooted Android devices: https://jlajara.gitlab.io/Frida-non-rooted
    Android pentesting using Frida: https://www.varutra.com/android-pentesting-using-frida/
    Frida: The Best General Scripts for Tracing and Debugging: https://medium.com/codex/frida-the-best-general-scripts-for-tracing-and-debugging-c848ab25b0b6
    Frida Tutorials: https://book.hacktricks.xyz/mobile-pentesting/android-app-pentesting/frida-tutorial

  28. References
    Introduction to Frida: https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1
    Getting started with Frida on Android Apps: https://payatu.com/blog/amit/Getting%20_started_with_Frida
    FRIDA 101 Android: https://www.slideshare.net/TonyThomas45/frida-101-android
  29. Credits
    This presentation template was created by Slidesgo, and includes icons by Flaticon, and infographics & images by Freepik. Thanks! Do you have any questions? [email protected]
    Please keep this slide for attribution.