Slide 1

ARC Android Developer Meeting Frida - Dynamic instrumentation toolkit for developers

Slide 2

Getting Started with Frida
So what exactly is Frida? Frida is a dynamic instrumentation toolkit, built mainly for testers, developers and reverse-engineering enthusiasts. For mobile app security testers it is a Swiss army knife: it lets you inject your own JavaScript into running applications on Windows, macOS, GNU/Linux, iOS, Android and QNX. In recent times the InfoSec field has been buzzing about Frida and about the tools built on top of the Frida API.

Slide 3

IDA
IDA is a commercial reverse-engineering tool (a disassembler and debugger). The name "Frida" is a pun: partly "Free IDA", partly a nod to the Norwegian female names Ida and Frida, where Frida could be Ida's sister, since IDA is a static-analysis tool and Frida is a dynamic-analysis toolkit.

Slide 4

Ghidra: Software Reverse Engineering Framework
Ghidra is a software reverse engineering (SRE) framework developed by the National Security Agency Research Directorate for the NSA's cybersecurity mission. It was created to help pentesters and cybersecurity professionals with reverse engineering: analysing malware, understanding potential vulnerabilities in systems and networks, and so on.

Slide 5

Manticore: Symbolic Execution Tool
Manticore is a prototyping tool for dynamic binary analysis, with support for symbolic execution, taint analysis and binary instrumentation. It comes with an easy-to-use command-line interface that lets you quickly generate new test cases for a program through symbolic execution.

Slide 6

Droidefense: Advanced Android Malware Analysis Framework
Droidefense (originally named atom: analysis through observation machine) is an open-source Android app scanner written in Java. It attempts to bypass every anti-analysis routine that malware may use in order to reach the actual code (VM detection, emulator detection, self-certificate checking, pipe detection, TracerPid checks, etc.).

Slide 7

What does it mean?

Slide 8

Some theoretical background on how Frida works
Frida writes code directly into the memory of the target process. When you attach Frida to a running application, frida-server uses ptrace in the background to attach to the process and hijack one of its threads.

Slide 9

Some theoretical background on how Frida works
A bootstrapper is written into the hijacked thread and starts a new thread, which connects to the frida-server running on the device and loads a dynamically generated shared library containing the Frida agent along with our instrumentation code.

Slide 10

Some theoretical background on how Frida works
This last part is where all the magic happens. The hijacked thread is then restored to its original state and resumed, and the process continues normally, now with the agent running inside it.

Slide 11

TLDR
Frida allows:
● Injection of your own scripts into black-box processes.
● Hooking any function.
● Spying on crypto APIs or tracing private application code.
● Disabling SSL pinning and root checks.
Frida is one of the best tools to use during an application penetration test.

Slide 12

TLDR
Frida toolkit:
● Frida CLI: a REPL interface that aims to emulate many of the nice features of IPython (or Cycript), getting you closer to your code for rapid prototyping and easy debugging.
● frida-ps: command-line tool for listing processes (very useful when working with a remote system).
● frida-trace: tool for dynamically tracing function calls.
● frida-discover: tool for discovering internal functions in a program, which can then be traced with frida-trace.
● frida-ls-devices: command-line tool for listing attached devices (very useful when working with multiple devices).
● frida-kill: command-line tool for killing processes.

Slide 13

Protection, protection, protection
Some Android apps go to astounding lengths to ensure that even the owner of the device can never see the content of the app's HTTPS requests. This is a problem for security research, privacy analysis and debugging, and for control over your own device in general. It's not a purely theoretical problem either: protections like this directly block HTTPS inspection tools such as HTTP Toolkit, which let you intercept HTTPS traffic from Android devices for inspection, testing and mocking.

Slide 14

Protection, protection, protection
This kind of interception depends on the target application trusting the debugging proxy's certificate for HTTPS traffic. HTTP interception and mocking techniques are extremely useful for testing and understanding most apps, but they run into trouble with the small set of hyper-vigilant apps that add extra protections aimed at locking down their HTTPS traffic and blocking this kind of inspection.

Slide 15

What's certificate pinning?
By default, when an Android app makes an HTTPS connection, it makes sure it's talking to a trusted server by checking that the server's certificate chains up to one of the certificate authorities in Android's built-in list of trusted system CAs.

Slide 16

What's certificate pinning?
99% of apps stick with that default. You can't change the system certificate authorities on a normal device, so this list is fairly reliable and secure. (Since Android 7, apps also ignore user-installed CAs by default, so simply adding a proxy's certificate through the Settings app isn't enough.) You can change the system list on rooted devices and most emulators, though, so in those environments it's quite possible to intercept and inspect HTTPS traffic from these apps with a debugging proxy.

Slide 17

What's certificate pinning?
Unfortunately, the remaining 1% which don't stick with the default configuration are more complicated. These apps include their own custom certificate validation, specifying the exact certificate issuers (or public keys) they're prepared to trust instead of trusting all of the device's certificate authorities. This ensures they will never trust a certificate from a CA they don't explicitly recognise, and so won't accidentally expose HTTPS traffic to anybody other than the real server.

Slide 18

This is generally known as "public key pinning", "certificate pinning", or "SSL pinning".

Slide 19

What's certificate pinning?
Because this blocks every certificate authority except a specific list, it also blocks the private certificate authority used by an HTTPS debugging proxy, and so we hit our problem.

Slide 20

What's certificate pinning?
Certificate pinning used to be a much more popular technique, back before Android Nougat (7.0), when Android's own certificate validation was more lax: apps trusted user-installed CAs by default, so users could easily be tricked into installing new trusted certificates on their devices.

Slide 21

What's certificate pinning?
It's still used on Android in some corners, particularly by very high-profile apps (e.g. Twitter) and very security-sensitive apps (e.g. banking apps like N26 or BBVA), all of which are extremely protective of the details of how their APIs are used and would prefer that prying eyes can't look too closely.

Slide 22

And Frida?
Frida lets you do things like logging every time an app calls a specific method, changing constants inside a built application, recording how values within the application change over time, or replacing methods outright to disable functionality entirely.

Slide 23

And Frida?
This is very neat! But it's also quite intimidating if you're not familiar with low-level reverse engineering, since the internals and much of the documentation go deep into the finer details of how applications work on each of the various target platforms.

Slide 24

Caveats
In theory, Frida is capable of defeating absolutely any certificate pinning you could implement: if the app contains code that checks a certificate, Frida can replace that code. In practice, though, it all depends on whether the script you use knows about the specific pinning code or APIs the app uses: a script that hooks the system trust manager does nothing for an app that ships its own TLS library and pin checks. Whether the technique works therefore depends entirely on the combination of target app and Frida script.
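As an added example, not part of the original slides and not the HTTP Toolkit script the deck references, here is a minimal Frida script that neutralises two common Android pinning paths: the system trust manager used by Android 7+ apps (com.android.org.conscrypt.TrustManagerImpl.verifyChain) and OkHttp's okhttp3.CertificatePinner.check. The package name com.example.app in the usage comment is a placeholder. The hook plan is kept as plain data and installHooks() is the only function that touches Frida's Java API, so the rest can be exercised outside Frida.

```javascript
// Added example (not from the original slides): a Frida script that
// disables two common Android certificate-pinning code paths.
// Usage (package name is a placeholder):
//   frida -U -f com.example.app -l unpin.js
//
// Each entry names a Java class, a method, and the body that replaces every
// overload of that method. Keeping the plan as plain data means it can be
// inspected and unit-tested outside Frida.
const HOOKS = [
  {
    cls: 'com.android.org.conscrypt.TrustManagerImpl',
    method: 'verifyChain',
    // Android 7+ system trust manager. Each overload takes the untrusted
    // chain as its first argument and returns the chain it verified, so
    // handing that argument back untouched tells the caller "all good".
    replace: function () { return arguments[0]; },
  },
  {
    cls: 'okhttp3.CertificatePinner',
    method: 'check',
    // OkHttp's pin check is void and throws SSLPeerUnverifiedException on a
    // mismatch; a body that simply returns means the pins "matched".
    replace: function () {},
  },
];

// javaUse is Java.use under Frida: class name -> wrapper whose methods expose
// an `overloads` array, each overload with a settable `implementation`.
// A missing class (e.g. the app does not ship OkHttp) or method is reported
// rather than aborting the whole script.
function installHooks(plan, javaUse) {
  const result = { installed: [], missing: [] };
  plan.forEach(function (h) {
    let klass;
    try {
      klass = javaUse(h.cls);
    } catch (e) {
      result.missing.push(h.cls);
      return;
    }
    const method = klass[h.method];
    if (!method || !method.overloads) {
      result.missing.push(h.cls + '.' + h.method);
      return;
    }
    // Replace every overload, so a signature change between library
    // versions does not leave one untouched variant for the app to call.
    method.overloads.forEach(function (overload) {
      overload.implementation = h.replace;
    });
    result.installed.push(
      h.cls + '.' + h.method + ' (' + method.overloads.length + ' overloads)'
    );
  });
  return result;
}

// Only touch the Java bridge when running inside Frida's JavaScript runtime.
if (typeof Java !== 'undefined' && Java.available) {
  Java.perform(function () {
    const r = installHooks(HOOKS, function (name) { return Java.use(name); });
    console.log('[unpin] hooked: ' + (r.installed.join(', ') || 'nothing'));
    if (r.missing.length) {
      console.log('[unpin] not found: ' + r.missing.join(', '));
    }
  });
}
```

Older Frida releases also need --no-pause so that the spawned app resumes after the script is loaded. An app that uses a different HTTP stack, bundles its own copy of Conscrypt, or pins inside a native TLS library needs its own entries in the plan, which is exactly the caveat above.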

Slide 25

Detection?

Slide 26

Frida Detection Examples
Some ideas for detecting Frida instrumentation from within a process:
● Scan all local TCP ports, sending a D-Bus message to each port to identify frida-server (it listens on TCP 27042 by default, but the port is configurable, hence the full scan).
● Scan loaded text sections for strings found inside frida-gadget*.so / frida-agent*.so. The file operations are implemented in assembly to prevent easy bypassing through libc function hooks.

Slide 27

The Best Frida Flavors for Mobile App Security
Most of the infosec community uses Frida-based tools because of the benefits and ease of use they provide. Researchers have taken Frida and built many tools on top of it for different purposes. There are plenty out there, but here are some that are really helpful for an assessment:
● Objection - has lots of features, is updated regularly and is very useful for assessments.
● RMS-Runtime-Mobile-Security - similar to Objection but with a web interface; currently supports Android only.
● Grapefruit - iOS app black-box assessment tool.
● r2frida - if you are already using radare2, r2frida makes the two better together.

Slide 28

References

Slide 29

Advance Android Malware Analysis Framework – Droidefense: https://www.cyberpunk.rs/advance-android-malware-analysis-framework-droidefense
Symbolic Execution Tool – Manticore: https://www.cyberpunk.rs/symbolic-execution-tool-manticor
Ghidra: Software Reverse Engineering Framework: https://www.cyberpunk.rs/ghidra-software-reverse-engineering-framework
IDA - A powerful disassembler and a versatile debugger: https://www.hex-rays.com/ida-pro/
LevelUp 0x04 - Fun with Frida on Mobile: https://www.youtube.com/watch?v=dqA38-1UMxI

Slide 30

objection - Runtime Mobile Exploration: https://github.com/sensepost/objection and https://github.com/sensepost/objection/wiki/Screenshots
Tools Don't Hack Apps, Hackers Do: Securing Android Apps Against Frida: https://www.preemptive.com/securing-android-apps-against-frida/
Dynamic Instrumentation Toolkit – Frida: https://www.cyberpunk.rs/dynamic-instrumentation-toolkit-frida
The Jiu-Jitsu of Detecting Frida: https://web.archive.org/web/20200310081321/https://www.vantagepoint.sg/blog/90-the-jiu-jitsu-of-detecting-frida

Slide 31

How to hook Android Native methods with Frida (Noob Friendly): https://erev0s.com/blog/how-hook-android-native-methods-frida-noob-friendly/#setting-up-our-testing-environment
Frida Cheatsheet and Code Snippets for Android: https://erev0s.com/blog/frida-code-snippets-for-android/
Defeating Android Certificate Pinning with Frida: https://httptoolkit.com/blog/frida-certificate-pinning/
Mobile App Tampering and Reverse Engineering: https://github.com/OWASP/owasp-mastg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md
How to Block Frida Instrumentation Exploits in Android & iOS apps: https://www.appdome.com/how-to/mobile-malware-prevention/frida-instrumentation-attacks/block-frida-instrumentation-exploits-in-android-ios-apps/

Slide 32

Frida on non-rooted Android devices: https://jlajara.gitlab.io/Frida-non-rooted
Android pentesting using frida: https://www.varutra.com/android-pentesting-using-frida/
Frida: The Best General Scripts for Tracing and Debugging: https://medium.com/codex/frida-the-best-general-scripts-for-tracing-and-debugging-c848ab25b0b6
Frida Tutorials: https://book.hacktricks.xyz/mobile-pentesting/android-app-pentesting/frida-tutorial

Slide 33

Introduction to Frida: https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1
Getting started with Frida on Android Apps: https://payatu.com/blog/amit/Getting%20_started_with_Frida
FRIDA 101 Android: https://www.slideshare.net/TonyThomas45/frida-101-android

Slide 34

CREDITS: This presentation template was created by Slidesgo, and includes icons by Flaticon and infographics & images by Freepik.
Thanks! Do you have any questions? [email protected]
Please keep this slide for attribution.