Bypassing APK Protections

Daiane Santos
December 23, 2022
Go Hacking for Change 2022

Transcript

  1. Disclaimer: The content presented here is my responsibility and has nothing to do with the opinions of my employer.
  2. "It's okay not to know all the answers. It's better to admit our ignorance than to believe answers that might be wrong. Pretending to know everything closes the door to finding out what's really there." Neil deGrasse Tyson
  3. Agenda: what we have for today
     01 whoami
     02 mobile timeline
     03 OWASP Mobile Top 10
     04 protections
     05 bypasses
     06 contact
  4. whoami: Daiane Santos
     - Mobile Security Engineer @ Nubank
     - CTF Player and Captain @ RATF
     - Autist AH/SD
     - Enthusiast of Neuroscience
     - I like chess
  5. Timeline
     - 1987: Mobira Cityman 900: calls
     - 1992: Nokia 2110, first GSM (2G) phone: calls, SMS
     - 1996: Motorola StarTAC: calls, SMS, GSM, vibrate mode
     - 2000: Nokia 3310: calls, SMS, GSM (3G), vibrate mode, FM radio, Opera Mini web browser, camera, voice recorder
     - 2007: iPhone 2G, the first iPhone: apps and a lot of new features
  6. Easy "hack": change .apk to .zip and you'll be able to see all the folders, the AndroidManifest, etc.
  7. What are we looking for?
     - API calls or endpoints
     - Understanding the way some security controls are implemented (root detection -> SuperUser)
     - Hardcoded sensitive information inside the code: backdoor accounts, API keys and secrets, passwords...
     - Interesting strings
     - Points of encryption and obfuscation, so we can decrypt and de-obfuscate
  8. What are we looking for?
     - Activities: components that provide a screen with which users can interact.
     - Broadcast receivers: components that receive and respond to broadcast messages from other apps or from the operating system.
     - Services: components that perform operations in the background.
  9. Attacks on activities: If an application has an activity that is exported, other applications can also invoke it.
     <activity android:label="@string/profile" android:name=".activities.ViewProfile" android:exported="true" />
     This can be invoked by other malicious applications that are running on the device.
  10. Attacks on broadcast receivers: That means any application will be able to send arbitrary, uncontrolled SMSs.
  11. Tampering with Smali: We can see there is an "if" condition that is the decision-making element deciding whether the application is running on a rooted or a non-rooted device.
  12. What can we do?
     - MagiskSU: provide root access for applications
     - Magisk Modules: modify read-only partitions by installing modules
     - MagiskBoot: the most complete tool for unpacking and repacking Android boot images
     - Zygisk: run code in every Android application's processes