when they are running on a jailbroken iOS or rooted Android device. This has become a baseline security mechanism for most apps (opinion). Apps use a variety of libraries or methods to implement this, such as RootBeer and IOSSecuritySuite.
Using Frida we can start experimenting and hooking into interesting places and syscalls using early instrumentation:
- /proc/*/
- popen and fopen
- getenv
- stat
- __system_property_find

frida --codeshare FrenchYeti/android-arm64-strace -U -f YOUR_BINARY
Early instrumentation on Java

    // Force the ART runtime to interpret everything so that every method can be hooked
    Java.deoptimizeEverything();
    Java.perform(() => {
        Java.use(…); // insert logic here
    });
Early instrumentation on SO

    var ourlib = "librarycustom.so";
    var do_dlopen = null;
    var call_ctor = null;
    var ModBase = null;

    // Resolve the dynamic linker's internal do_dlopen and call_constructor symbols
    Process.findModuleByName('linker64').enumerateSymbols().forEach(function (sym) {
        if (sym.name.indexOf('do_dlopen') >= 0) {
            do_dlopen = sym.address;
        } else if (sym.name.indexOf('call_constructor') >= 0) {
            call_ctor = sym.address;
        }
    });

    // Wait for the library of interest to be loaded, then hook before its constructors run
    Interceptor.attach(do_dlopen, function () {
        var library = this.context['x0'].readUtf8String(); // first argument on arm64: the path
        if (library != null) {
            if (library.indexOf(ourlib) >= 0) {
                Interceptor.attach(call_ctor, function () {
                    // The library is mapped now; offsets can be computed relative to ModBase
                    ModBase = Process.findModuleByName(ourlib).base;
                    // insert hooks into ourlib here
                });
            }
        }
    });
A private bug bounty program with a mobile app in scope
- We had an early advantage as we got invited after 1 month of launch
- We noticed that almost no one reported bugs on the mobile application
- We used APKiD to identify the protector which was used in the Android app
- Bypassed the root detection using Frida hooking
- Multiple APIs were vulnerable to trivial issues like SQL injection
- Reported and got it fixed
allows accepting only authorized ("pinned") certificates for authentication of client-server connections. This mechanism is devised as a means of thwarting MITM. This essentially means we will not be able to use our interception proxies to manipulate API traffic.
Identify the ways in which the application communicates with the server. Identify the network stack which the application uses. Identify whether the application relies on the OS-provided SSL libraries or comes with custom ones.
- OS provided: libssl.so. To hook: SSL_read and SSL_write
- Custom ones: BoringSSL, WolfSSL, etc.
traffic to ensure attackers don't get visibility into it. In this case, as an attacker you won't be able to manipulate traffic even after bypassing root detection, SSL pinning, etc.
Burp Suite extension that, working as a bridge between Burp Suite and Frida, lets you use and manipulate applications' own methods while tampering with the traffic exchanged between the applications and their back-end services/servers.