Bypass binary protections

Identify compilers, packers, obfuscators

# https://github.com/rednaga/APKiD

apkid --scan-depth 0 -r target.apk

SSL pinning

• Missing SSL pinning

• Bypass with objection

  objection --gadget <com.package.app> explore --startup-command "android sslpinning disable"

  ─❯ frida-ps -Uai
  5682  TestApp     com.testapp.plus
  [...]
  
  ─❯ objection -g 5682 explore # Attach to the app
  com.testapp.plus on (Android: 11) [usb] # android sslpinning disable

• Bypass with frida

  frida -U --codeshare akabe1/frida-multiple-unpinning -f <com.package.app>
  frida -U --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f <com.package.app>

• Replacing hard-Coded Sha256 hash

  # Detection
  # 1. Decompile apk
  # 2. Open jadx-gui
  # 3. Search "sha256/"
  
  # Replace Burp Suite certificate hash
  # 4. Export Certificate in DER format from Burp
  # 5. Convert DER to PEM certificate
  openssl x509 -inform DER -in cacert.cer -out cacert.crt
  # 6. Get Hash
  openssl x509 -in cacert.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

• Intercept network traffic using remote debugging

This allow you to intercept the traffic in the webview.

See Webview debug

Tip: If you can’t use remote debugging, recompile the app and enable it.

Root detection

• Missing root detection

• Bypass with generic frida script

  frida --codeshare dzonerzy/fridantiroot -f <com.package.app> -U

• Identify RASP

  • Analyze source code
  • apkid --scan-depth 0 -r target.apk

• Bypass protection analyzing the code and/or with frida

  • If the app return an error message (e.g. “Your device appears to be rooted”), search this string inside the code

Emulator detection

• Missing emulator detection
• Bypass protection analyzing the code and/or with frida