Bypass binary protections

Identify compilers, packers, obfuscators

# https://github.com/rednaga/APKiD

apkid --scan-depth 0 -r target.apk

SSL Pinning

  • Missing SSL pinning

  • Bypass with objection

    objection --gadget <com.package.app> explore --startup-command "android sslpinning disable"
    
    ─❯ frida-ps -Uai
    5682  TestApp     com.testapp.plus
    [...]
    
    ─❯ objection -g 5682 explore # Attach to the app
    com.testapp.plus on (Android: 11) [usb] # android sslpinning disable
    
  • Bypass with frida

    frida -U --codeshare akabe1/frida-multiple-unpinning -f <com.package.app>
    frida -U --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f <com.package.app>
    
  • Replacing a hard-coded SHA256 hash

    # Detection
    # 1. Decompile apk
    # 2. Open jadx-gui
    # 3. Search "sha256/"
    
    # Replace Burp Suite certificate hash
    # 4. Export Certificate in DER format from Burp
    # 5. Convert DER to PEM certificate
    openssl x509 -inform DER -in cacert.cer -out cacert.crt
    # 6. Get Hash
    openssl x509 -in cacert.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
    
  • Intercept network traffic using remote debugging

This allows you to intercept the traffic inside the WebView.

See Webview debug

Tip

If you can’t use remote debugging, recompile the app and enable it.

Root Detection

  • Missing root detection

  • Bypass with frida

    frida --codeshare dzonerzy/fridantiroot -f <com.package.app> -U
    
  • Identify RASP

    • Analyze the source code
    • apkid --scan-depth 0 -r target.apk

  • Bypass protection by analyzing the code and/or with frida

    • If the app returns an error message (e.g. “Your device appears to be rooted”), search for this string inside the code

Emulator Detection

  • Missing emulator detection
  • Bypass protection by analyzing the code and/or with frida