Slide 1

Slide 1 text

Bypassing .APK Protections DAIANE SANTOS

Slide 2

Slide 2 text

Disclaimer: The content presented here is my responsibility alone and has nothing to do with the opinions of my employer.

Slide 3

Slide 3 text

Disclaimer 2: The content presented here is created for educational purposes only.

Slide 4

Slide 4 text

It's okay not to know all the answers. It's better to admit our ignorance than to believe answers that might be wrong. Pretending to know everything closes the door to finding out what's really there. Neil deGrasse Tyson

Slide 5

Slide 5 text

Agenda: what we have for today
01 whoami
02 mobile timeline
03 OWASP Mobile Top 10
04 protections
05 bypasses
06 contact

Slide 6

Slide 6 text

whoami
Daiane Santos
Mobile Security Engineer @ Nubank
CTF Player and Captain @ RATF
Autist AH/SD
Enthusiast of Neuroscience
I like chess

Slide 7

Slide 7 text

Timeline
1987: Mobira Cityman 900. Calls.
1992: Nokia 2110. First GSM (2G) phone. Calls, SMS.
1996: Motorola StarTAC. Vibrate mode, GSM, SMS, calls.
2000: Nokia 3310. FM radio, Opera Mini web browser, camera, voice recorder, vibrate mode, GSM (3G), SMS, calls.
2007: iPhone 2G. First iPhone, apps, a lot of new features.

Slide 10

Slide 10 text

Reverse Engineering

Slide 11

Slide 11 text

Rename the .apk to .zip and you will be able to see all the folders, AndroidManifest.xml, etc. An easy "hack". Note that the AndroidManifest.xml inside the archive is binary XML and the code is Dalvik bytecode, so to read the manifest and get editable smali you decode the package with apktool rather than just unzipping it.

Slide 12

Slide 12 text

AndroidManifest.xml

Slide 13

Slide 13 text

What are we looking for?
- API calls or endpoints
- Understanding the way some security controls are implemented (root detection -> SuperUser)
- Hardcoded sensitive information inside the code: backdoor accounts, API keys and secrets, passwords...
- Interesting strings
- Points of encryption and obfuscation, so we can decrypt and de-obfuscate

Slide 14

Slide 14 text

shhgit: find secrets and sensitive files across GitHub (including Gists), GitLab and BitBucket.
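The same hunt for hardcoded keys, passwords and backdoor accounts can be run offline over the decoded app itself (res/values/strings.xml, smali, or decompiled Java). The script below is an added example and is not from the slides or from shhgit: it applies a few well-known key formats plus generic credential-assignment patterns and reports each hit with its Shannon entropy, so likely real keys rank above placeholders. The sample files are constructed for this example and every key value in them is fake.

```python
"""Hunt for hardcoded secrets in decompiled app sources.

Added example, not from the slides: runs a few well-known key formats and
generic credential-assignment patterns over text (decoded strings.xml,
smali, Java/Kotlin) and reports each hit with its Shannon entropy so the
reviewer can rank likely real keys above placeholders. The sample input
below is constructed for this example; the key values are fake.
"""
import math
import re

# (kind, compiled pattern, group holding the secret value)
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 1),
    ("google_api_key", re.compile(r"\b(AIza[0-9A-Za-z_\-]{35})\b"), 1),
    ("private_key_block", re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)"), 1),
    # foo_api_key = "..."; password: '...'  (Java, Kotlin, JSON, properties)
    ("hardcoded_credential",
     re.compile(r"(?i)\b[\w.]*(?:api[_-]?key|secret|password|passwd|token)[\w.]*"
                r"\s*[=:]\s*[\"']([^\"']{6,})[\"']"), 1),
    # <string name="backend_password">...</string> in res/values/strings.xml
    ("hardcoded_credential",
     re.compile(r"(?i)<string\s+name=\"[^\"]*(?:key|secret|password|token)[^\"]*\">"
                r"([^<]{6,})</string>"), 1),
]

def shannon_entropy(value):
    """Bits per character; random-looking API keys score well above 3."""
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan(text, path="<input>"):
    """Return one finding per (line, pattern) hit, with the matched value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern, group in PATTERNS:
            for m in pattern.finditer(line):
                value = m.group(group)
                findings.append({
                    "path": path, "line": lineno, "kind": kind,
                    "value": value, "entropy": round(shannon_entropy(value), 2),
                })
    return findings

# Constructed sample inputs (fake values) standing in for decoded app files.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Example Bank</string>
    <string name="backend_password">Hunter2-Staging!</string>
    <string name="maps_key">AIzaSyD-EXAMPLE000000000000000000000000</string>
</resources>
"""
SAMPLE_SMALI = """.method static constructor <clinit>()V
    const-string v0, "AKIAIOSFODNN7EXAMPLE"
    sput-object v0, Lcom/example/bank/Config;->AWS_KEY:Ljava/lang/String;
    return-void
.end method
"""
SAMPLE_JAVA = """public final class Config {
    static final String BACKDOOR_PASSWORD = "letmein-support-2019";
    static final String APP_VERSION = "4.2.0";
}
"""

if __name__ == "__main__":
    for path, text in (("res/values/strings.xml", SAMPLE_STRINGS_XML),
                       ("smali/com/example/bank/Config.smali", SAMPLE_SMALI),
                       ("Config.java", SAMPLE_JAVA)):
        for f in scan(text, path):
            print("%s:%d %s entropy=%.2f %s" % (
                f["path"], f["line"], f["kind"], f["entropy"], f["value"]))
```

Point it at the output directory of apktool (or of a Java decompiler) and read the findings with the entropy column in mind: a value like `AKIA...` from a known format is a hit regardless of entropy, while a generic `password = "..."` match with very low entropy is often a placeholder. The smali line shows why the known-format patterns matter: a `const-string` carries no key name, so only the value's shape gives it away.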

Slide 15

Slide 15 text

What are we looking for?
- Activities: components that provide a screen with which users can interact.
- Broadcast receivers: components that receive and respond to broadcast messages from other apps or from the operating system.
- Services: components that perform operations in the background.

Slide 16

Slide 16 text

Attacks on activities: if an application exports an activity, any other application on the device can invoke it, including a malicious application running alongside it, so whatever that screen does becomes reachable without going through the app's own flow.

Slide 17

Slide 17 text

Attacks on broadcast receivers: when a receiver that sends SMS on behalf of the app is exported, any application on the device will be able to trigger it and send arbitrary, uncontrolled SMSs.
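Finding these exposed components is a manifest review. The script below is an added example (not from the slides or from MobSF): it parses a decoded AndroidManifest.xml, applies the export rule (explicit android:exported, or an intent-filter when the attribute is absent on a pre-API-31 target), and lists every activity, receiver and service that any app on the device can reach without holding a permission, together with the adb command that reaches it. The manifest, package name and component names are constructed for this example.

```python
"""Flag Android components reachable from other apps.

Added example (not from the slides): parses a decoded AndroidManifest.xml
(as produced by `apktool d`, since the copy inside the .apk is binary XML)
and reports every activity, receiver and service that is exported without
an android:permission, with the adb command that would reach it.
The manifest below is constructed for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DebugActivity" android:exported="true"/>
    <activity android:name=".TransferActivity" android:exported="false"/>
    <receiver android:name=".SendSmsReceiver" android:exported="true">
      <intent-filter>
        <action android:name="com.example.bank.SEND_SMS"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.bank.permission.SYNC"/>
  </application>
</manifest>
"""

def _attr(el, name):
    """Read an android:-namespaced attribute."""
    return el.get("{%s}%s" % (ANDROID_NS, name))

def is_exported(component):
    exported = _attr(component, "exported")
    if exported is not None:
        return exported == "true"
    # Attribute absent: before targetSdk 31 a component with an
    # intent-filter is exported by default (API 31+ requires it explicit).
    return component.find("intent-filter") is not None

def full_name(package, name):
    return package + name if name.startswith(".") else name

def reach_command(kind, package, name, actions):
    """adb one-liner a tester (or a malicious app, via the same intent) uses."""
    comp = package + "/" + full_name(package, name)
    if kind == "activity":
        return "adb shell am start -n " + comp
    if kind == "receiver":
        action = actions[0] if actions else "<action>"
        return "adb shell am broadcast -a %s -n %s" % (action, comp)
    return "adb shell am startservice -n " + comp

def find_exposed_components(manifest_xml):
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    findings = []
    for kind in ("activity", "receiver", "service"):
        for comp in root.iter(kind):
            if not is_exported(comp):
                continue
            if _attr(comp, "permission"):
                continue  # exported but gated by a permission: not open to any app
            name = _attr(comp, "name")
            actions = [_attr(a, "name") for a in comp.iter("action")]
            launcher = "android.intent.category.LAUNCHER" in [
                _attr(c, "name") for c in comp.iter("category")]
            findings.append({
                "kind": kind,
                "name": full_name(package, name),
                "reason": "launcher entry point" if launcher
                          else "exported without android:permission",
                "reach": reach_command(kind, package, name, actions),
            })
    return findings

if __name__ == "__main__":
    for f in find_exposed_components(SAMPLE_MANIFEST):
        print("%-8s %-40s %s\n         %s" % (f["kind"], f["name"], f["reason"], f["reach"]))
```

The launcher activity is reported too, since it is exported by design; the interesting lines are DebugActivity and SendSmsReceiver, which any app can start or broadcast to. SyncService is exported but protected by a custom permission, so it is left out: a caller must hold that permission, which the app can keep to itself with a signature protection level.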

Slide 18

Slide 18 text

MobSF (Mobile Security Framework): automated static and dynamic analysis of the .apk, including the manifest and hardcoded-secret checks above.

Slide 19

Slide 19 text

Tampering Smali: we can see there is an "if" condition that is the decision-making element deciding whether the application treats the device as rooted or non-rooted.

Slide 20

Slide 20 text

Tampering Smali
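Once the decision point is located, the patch is mechanical. The script below is an added example and not from the slides: it takes a smali root-check method (constructed here, modelled on a /system/bin/su probe; the class and method names are assumptions) and applies either of the two usual edits, flipping the branch, or replacing the method body so it always returns false.

```python
"""Patch a smali root check so it always reports "not rooted".

Added example, not from the slides: after `apktool d app.apk`, the Java
method that decides root status is one `if` in smali. Either flip that
branch, or (cleaner) replace the whole method body with "return false".
The method below, modelled on a typical /system/bin/su probe, is
constructed for this example; the class and method names are assumed.
"""
import re

SAMPLE_SMALI = """.class public final Lcom/example/bank/RootCheck;
.super Ljava/lang/Object;

.method public static isRooted()Z
    .locals 2

    new-instance v0, Ljava/io/File;

    const-string v1, "/system/bin/su"

    invoke-direct {v0, v1}, Ljava/io/File;-><init>(Ljava/lang/String;)V

    invoke-virtual {v0}, Ljava/io/File;->exists()Z

    move-result v0

    if-eqz v0, :cond_0

    const/4 v0, 0x1

    return v0

    :cond_0
    const/4 v0, 0x0

    return v0
.end method
"""

# One smali method: header line with name, argument list and return type,
# then the body up to the matching .end method.
METHOD_RE = re.compile(
    r"(?ms)^(?P<head>\.method [^\n]*\b(?P<name>\w+)\((?P<args>[^)]*)\)(?P<ret>\S+)\n)"
    r"(?P<body>.*?)^\.end method")

def flip_root_branch(smali, method_name):
    """Strategy 1: swap if-eqz/if-nez inside the method so the decision
    inverts. Quick, but a non-rooted device is then reported as rooted."""
    def patch(m):
        if m.group("name") != method_name:
            return m.group(0)
        body = re.sub(r"\bif-(eqz|nez)\b",
                      lambda b: "if-nez" if b.group(1) == "eqz" else "if-eqz",
                      m.group("body"))
        return m.group("head") + body + ".end method"
    return METHOD_RE.sub(patch, smali)

def force_boolean_return(smali, method_name, value):
    """Strategy 2: keep the signature and .locals, drop everything else and
    return the constant. Only applied to methods returning Z (boolean).
    Returns (patched_text, number_of_methods_patched)."""
    count = 0
    def patch(m):
        nonlocal count
        if m.group("name") != method_name or m.group("ret") != "Z":
            return m.group(0)
        locals_line = re.search(r"^\s*\.locals \d+\n", m.group("body"), re.M)
        count += 1
        return (m.group("head")
                + (locals_line.group(0) if locals_line else "    .locals 1\n")
                + "\n    const/4 v0, 0x%d\n\n    return v0\n.end method" % int(value))
    return METHOD_RE.sub(patch, smali), count

if __name__ == "__main__":
    patched, n = force_boolean_return(SAMPLE_SMALI, "isRooted", False)
    print("patched %d method(s)\n%s" % (n, patched))
```

Rebuild with `apktool b`, then sign the result with apksigner (a debug keystore is enough for testing) before installing; the rebuilt APK carries a new signature, so any signature or integrity check the app performs on itself has to be dealt with in the same way.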

Slide 21

Slide 21 text

SSL Pinning and Proxy

Slide 22

Slide 22 text

Frida

Slide 24

Slide 24 text

frida-unpinning
$ frida --codeshare akabe1/frida-multiple-unpinning -f YOUR_BINARY
(add -U to target the USB-connected device, and replace YOUR_BINARY with the app's package name)

Slide 25

Slide 25 text

anti-frida-bypass
$ frida --codeshare enovella/anti-frida-bypass -f YOUR_BINARY
(add -U to target the USB-connected device, and replace YOUR_BINARY with the app's package name)

Slide 27

Slide 27 text

Root

Slide 28

Slide 28 text

Magisk

Slide 29

Slide 29 text

What can we do?
- MagiskSU: provide root access for applications
- Magisk Modules: modify read-only partitions by installing modules
- MagiskBoot: the most complete tool for unpacking and repacking Android boot images
- Zygisk: run code in every Android application's process

Slide 30

Slide 30 text

What can we do?

Slide 31

Slide 31 text

Questions
Contact me: @Wh0isdxk