
...any problem. So the title of the talk is having fun with mobile applications. What I'm going to try to cover, because this is going to be a brief presentation, is the different tools that you can use to analyze Android and mainly iOS applications, and I'm going to focus mostly on Frida. I don't know if you know about the Frida framework, but in my opinion it is the most powerful at the time to analyze any kind of mobile application, so we are going to focus on that at the end.

This is my presentation. My name is Alvaro; currently I work at NCC Group. I do a lot of the things I enjoy, for example doing code review, vulnerability research, pentesting, I do mobile applications, and also I'm part of the radare2 core team, so we are going to see a little bit of that today. And there you have my Twitter in case you want to ask anything, so just go there. We have just finished our number three, and there is the group in case you want to ask anything related to the talk or whatever, so just go there.

So let's get started. So why the importance of mobile applications? I mean, basically we do everything from a mobile, from booking a taxi to checking your bank account details, everything. So whether we like it or not, I feel mobile applications are running our lives in every detail, and every time I think it's getting bigger, and it's something that companies are paying more attention to, and they are investing more in order to secure the mobile applications rather than the web applications. And it's something that, I presume, for instance at NCC Group we do a lot of assessments on mobile applications; probably five years ago it was mostly web applications instead of mobile. Okay.

So what are the different platforms? I think nowadays the only two platforms that matter are iOS and Android. You might find for example some Windows Phone, I don't know if anyone here has that platform, but I think that 100% here is iOS or Android. So we're going to make a little overview of those platforms and the different tools available. Mainly I'm going to focus on open source tools, because I kind of like to use open source instead of commercial ones.

So let's go to Android first. The philosophy of Android is more open than, for example, iOS: you have the kernel, the whole ecosystem is open, you can even unlock the bootloader, you can compile your kernel. On top of that, the applications are not running natively; they're running on a Java virtual machine that has been tailored for mobile devices, its name is Dalvik. I think that all of that makes analyzing an application much easier than on iOS, because I think there is more documentation, there are more tools available to do Android application assessments, and that's why I think it's easier. Okay.

So which are the tools that we have for Android mobile applications? I made a division between static analysis and dynamic analysis. I'm going to start first with dynamic analysis: Frida, we are going to see at the end the capabilities of Frida. r2frida is a plugin of radare2 for Frida that integrates radare2 with Frida and allows you to, for example, search the memory. So if you have found, for example, that your application is storing some password, it should be something sensitive, it might be stored in the keychain or something that is encrypted; you can use r2frida in order to find out the string quite easily, it is very straightforward. Xposed is like the same as Frida, but it's written in Java. There are a ton of different modules written for Xposed, but the one that I recommend is Inspeckage. You install it in the Android device and you select the application that you are interested in, and it's going to log all the activity from that application, so it's going to give you a lot of information about what the application is doing, and sometimes it throws important info for your report. And the last one I'm going to talk about is drozer. drozer is good because it interacts with the application as any application in your device would do, through the different exported APIs, the exported pieces of your application. So it's not like you need a rooted device: it is interacting with the different activities or broadcast receivers that your application is exposing, and you can use drozer for that. Okay.

So for the static analysis you have apktool. Normally the workflow with apktool is to decompile the application so you can change everything from there, recompile again, sign the application, you need to align it in order to be run, and you can deploy the application. The scenario in this case is a simple application that, at the time of establishing a secure connection, is checking against a specific certificate. In order for you to analyze the application you need to bypass this, because otherwise you might not see the traffic the application is exchanging with the server. So you use apktool, decompile, change that certificate, you change something in the logic of the application, and then you can deploy the application and everything works underneath. Okay. Then we have radare2, which supports Android applications, but the disassembly that you're going to get is smali. smali is the low-level representation of the bytecode that's running in the Java virtual machine, and it's not quite nice, as you can see here. So if you are not familiar with smali it might be a challenge. This is why you have this application where you throw in the Android application and you get the Java code of the application, the decompiled version, so it must be easier; at the end you are going to deal with Java code. Okay, and that is pretty much the tools I use when I do an Android application. All of that is described there, so you can try it, go for it.

So let's go to iOS. For me, iOS, in contrast with Android, is more closed, and everything is not that well documented in my opinion, and the applications run natively. So you need a bit of knowledge of ARM in order to understand a bit when you are reverse engineering the application. Also the applications in iOS are written in Objective-C, and the new language is Swift, so you have to be familiar with the runtime of Objective-C, because when you are reversing an application you need to understand how things work underneath, how things get referenced, and it might be tricky if you are not familiar with Objective-C at first. Okay, so I'm going to show you later a script that I made for radare2 that is going to allow you to find those references quite easily, and you don't need to know every detail of the Objective-C runtime.

So which are the tools? Again static analysis and dynamic analysis. Frida is the same as I said before. Then you have Cycript; it's like the same as Frida but it's a different framework, but I don't know if it is still maintained. Cycript was created by saurik, sorry, the guy who made Cydia; if you have a jailbroken iOS device you probably know that application. For the static analysis, again here we have radare2, which is free, it's open source obviously, and then you have different options, licensed ones like Hopper or IDA Pro. And if you don't like radare2, for whatever reason, I would recommend Hopper, because Hopper is very specific for iOS applications and it has an interface; people normally, you know, get scared of the command line at first. So Hopper has a nice interface and it supports iOS applications as well, so I recommend Hopper over IDA Pro for iOS applications. Well, this slide is more for reference for the different commands that I'm going to use in the demo later. Okay.

Let's talk about Frida very quickly. Frida above all is a powerful framework that is going to allow you to write JavaScript scripts that you inject into processes, so you can hook different functions and methods, you can change return values, basically you can interact with applications very easily. Okay. And another advantage that I see of Frida is that you don't need to have a jailbroken device; you can embed a library, its name is Frida Gadget, and you can instrument the application without the need of having a jailbroken device. So in the URL below there is a blog post that a coworker of mine wrote about the process that you have to follow to embed this library within the application. So it is very useful when, for example, you have to test an application on an iOS version that doesn't have any jailbreak; you just follow that process and you can instrument the application on a device from the store.

One of the tools that I'm going to present, that I made, started as an internal project, but I'm starting to improve it over time. And as I said before, Frida, apart from a tool, is also a framework, which means that you can use it for your own tools. And after a while I decided, okay, I'm using a lot of Frida scripts, so I need to have something that centralizes everything: I can reuse the scripts, I want to be able to log all the interactions of the application, and that is why I made this tool that I'm going to present now in a demo.

So let me introduce you. Okay, so for example you go to this application we are going to showcase. I don't know if you know this application, whoops, let's close it. This application is Damn Vulnerable iOS App, so if you want to play with iOS applications I recommend it, because you have all the different challenges that you need to bypass, so you can use different methods, Frida, static analysis, to bypass all these challenges. So okay, we are going to try to bypass this check, the "application is pirated" check. So yeah, at first let's go to the static analysis part. So this is the iOS application; at the end it is nothing more than a zip file, so let's unzip it. The interesting part is in Payload, the .app, and this is the binary. Okay, radare2 has rabin2, this command that allows you to unpack the binary, because Apple has a file format, its name is fat Mach-O, that embeds different binaries inside. So if we run this it creates two files, one for armv7 and one for arm64. Okay, so let's go to that folder and let's open the arm64 version, and this is why it's ARM. So you would start reverse engineering the application trying to understand the different method names, but for example I'm going to show you, if you go to the slides I showed you before, we are going to use these commands right now. Okay, so let's go to this part. radare2 has, let me enable this one, you're going to see at the top left the different commands that I'm going to type right now. Okay, so if we press underscore we enter the HUD mode and now we can type to search for something like "pirated", and you can see there is a method; if I press enter I go to the address. Okay.

Another command radare2 has that is quite useful: if you press lowercase v while you are in visual mode you have various stuff, you have flags, classes. So we're interested in seeing the different classes of this application, so we press here and it's going to list the different classes. Okay, this is parsing the binary file and getting all the information. So, as you recall, the isPirated method belongs to this class, so we are interested, let's go to that class, it's this one. If you press enter you're going to get the different methods of the application, and if you press enter again it's going to seek to that address. So that way radare2 allows you to easily locate the different methods of the classes and you can start understanding more of the application. If you run this script using r2pipe, which is a way to interact with radare2, oops, this script will be released, I don't know, in the following weeks, so you can use it for iOS applications; basically this script is just parsing information through r2pipe to find references. Okay, oops, and it's found all these references. So if for example we go to "is the device jailbroken", it's found a reference, and if you now press lowercase x you're going to see where it's being called, and that way you start digging into the application, just the beginning to understand. Okay.

So yeah, let's move to the Frida part, the dynamic analysis. Okay, Frida has something that is a very important tool, frida-trace, that allows you to trace everything, from methods to functions; it's quite useful. So let's use it to track if the method that we saw in radare2 actually gets called. Okay, so we are going to grab the PID of this process, it is this one, with the uppercase U we are telling Frida we're going to use the device that is plugged in over USB, we specify the process ID, and we are going to tell Frida we are interested in tracing from these classes, I want to trace the isPirated method. That's it, and it found one function. Okay, so if I press right now this button you see it's printing that it gets called. Okay, press again, you can see, obviously the method that I'm tracing right now is the one responsible for this. So if you write a script for Frida that looks like this, to save a little time: Frida provides you a handle for the Objective-C runtime, so you can get a handle for the class, for the different methods. Here I'm just attaching to that method and just changing the return value to return zero. Okay, so let's execute this one. So this script has been loaded using Frida; if I press now the check, the application is not pirated. So we bypassed the check quite easily, and I'm kind of... fine, maybe it's not that refined, but it's okay.

So for me all this process was a little tiresome, so that's why I decided to create a tool on top of Frida. Let me go, okay. It allows me, for example, to check the different devices that I have plugged in, so I can use for example the iOS device, so I can list the different processes. How do I want to bypass this check? Let's search for the process, DVIA is this one, I want to attach to it, and now we are in the process. Okay, so from now on I can load different scripts to bypass pinning, jailbreak detection, whatever you can create with Frida. So we go for example to iOS, jailbreak, we have the same script that I showed you before and you can just load it, just great, and you can see the script has been loaded. So if you now... I bypassed the check. Also you can, for example, unload it and the script is gone. Yeah, if we move to the jailbreak detection: is the device jailbroken? You have for example this script: the device is not jailbroken, that easily. Okay.

It also allows you, for example, to attach to other devices. Now we are in the Android device that I have here; if I list processes it's going to list the processes from the Android device. Sorry, let me for example find YouTube, here we are, attach to this one, and now we are in the YouTube application on an Android device. But I can work with both devices from the same application: you have different sessions, and now from the Android device I can change, for example, to the iPhone, I can load another script, because it's quite common that when you are analyzing an application the same company has an application for iOS and Android and you probably have to assess the applications at the same time, so this allows me to do it very quickly, very easily.

Another cool thing about Frida is that it allows you to spawn apps. So for example, if I found this application is detecting that the device is jailbroken, and imagine that after I press OK the application closes, so how am I supposed to test that if it's detecting the jailbreak? So there is an option in the tool, let's see, devices, let me change the device because we are now in iOS, I want to load the jailbreak scripts, now let me find the application that I'm interested in, it's good to go, I want to spawn that application, and it has spawned the application, injected the script, and now we have bypassed the root detection. Okay.

Another thing that I introduced recently is that, as you can see here, among the different scripts that are injected into the applications there is one, it is the agent, and this one is supporting remote procedure calls, so you can say enable this mode, set enable. If I do ls it's like I'm in the device, in the iPhone. If I do data it's taking me to the data from the application, I can move around, okay, sorry I missed it, that Library, Cookies, and the good thing is that I can get those files with get; it saved it in this directory. Okay, let's see, we have Cookies.binarycookies, so now you can analyze it from the laptop, and all of this is just a script run by Frida. I think that Frida is, I would say, the most powerful framework for mobile applications; if you didn't try it I would go for it.

And I would say that this is pretty much the presentation, the demo that I wanted to show. The scripts for radare2 will be released as open source, obviously. For this tool it's something that I'm thinking about, because I think that in summer there was a tool, its name is objection, that I kind of fell in love with, with the functionality that it has. So I didn't know whether to open source this tool or just introduce improvements to the objection tool. So it's something that I need to think about, but independently, one way or another, it will be open source so you can use it, the scripts and the tool. That's it. So if you have any questions or something?

Hey, thank you for your presentation. I realized you didn't show many utilities with Android, but you use it also with Android. Do you have something to help with obfuscation? I mean not just ProGuard but real hard obfuscation.

Obfuscation: you need more time than average. I mean it's tricky; when you have an Android application obfuscated it is time-consuming, because you need to figure out everything. Maybe smali can help. When you have an obfuscated application, not much help.

Okay, thank you very much one more time.
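The demo unpacks the fat Mach-O from the .app into one file per architecture; the following Python, added here and not code from the talk or from radare2 (rabin2 -x does the same job on a real binary), parses the big-endian fat header itself, bounds-checks every slice so a hostile header cannot read outside the file, and rejects Java class files, which share the 0xCAFEBABE magic. The input is a two-slice fat file constructed in the script, so it runs offline.

```python
"""Split an Apple fat (universal) Mach-O into per-architecture slices.

Added example, not part of the talk. The sample binary is constructed
below by hand (two fake slices) so the script runs without an .app.
"""
import struct

FAT_MAGIC = 0xCAFEBABE                     # fat header is always big-endian
THIN_MAGICS = {0xFEEDFACE, 0xFEEDFACF,     # MH_MAGIC / MH_MAGIC_64 as stored
               0xCEFAEDFE, 0xCFFAEDFE}     # ... by a little-endian writer
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_ARM = 12
CPU_NAMES = {CPU_TYPE_ARM: "armv7", CPU_TYPE_ARM | CPU_ARCH_ABI64: "arm64"}
MAX_ARCHES = 32   # sanity limit: a Java .class also starts with CAFEBABE, and its
                  # version field would be read here as an implausible arch count


def split_fat(data):
    """Return {arch_name: slice_bytes}; a thin Mach-O comes back as one slice."""
    if len(data) < 8:
        raise ValueError("file too small to be Mach-O")
    magic = struct.unpack(">I", data[:4])[0]
    if magic in THIN_MAGICS:
        return {"thin": data}
    if magic != FAT_MAGIC:
        raise ValueError("not a Mach-O file: magic 0x%08x" % magic)
    nfat = struct.unpack(">I", data[4:8])[0]
    if nfat == 0 or nfat > MAX_ARCHES:
        raise ValueError("implausible arch count %d (Java class file?)" % nfat)
    table_end = 8 + 20 * nfat              # struct fat_arch is 5 x uint32
    if len(data) < table_end:
        raise ValueError("truncated fat_arch table")
    slices = {}
    for i in range(nfat):
        off = 8 + 20 * i
        cputype, cpusub, offset, size, _align = struct.unpack(">iiIII", data[off:off + 20])
        # Bounds check: offsets come from the file, never trust them blindly.
        if offset < table_end or offset + size > len(data):
            raise ValueError("slice %d lies outside the file" % i)
        name = CPU_NAMES.get(cputype, "cpu_%d_%d" % (cputype, cpusub))
        slices[name] = data[offset:offset + size]
    return slices


def build_sample():
    """Constructed fat file: a fake armv7 slice followed by a fake arm64 slice."""
    armv7 = struct.pack("<I", 0xFEEDFACE) + b"ARMV7-PAYLOAD"
    arm64 = struct.pack("<I", 0xFEEDFACF) + b"ARM64-PAYLOAD!!!"
    off7 = 8 + 20 * 2                       # slices start right after the table
    off64 = off7 + len(armv7)               # (real files page-align them; align=0 here)
    header = struct.pack(">II", FAT_MAGIC, 2)
    header += struct.pack(">iiIII", CPU_TYPE_ARM, 9, off7, len(armv7), 0)
    header += struct.pack(">iiIII", CPU_TYPE_ARM | CPU_ARCH_ABI64, 0, off64, len(arm64), 0)
    return header + armv7 + arm64


if __name__ == "__main__":
    for arch, blob in split_fat(build_sample()).items():
        print(arch, len(blob), "bytes, slice magic 0x%08x" % struct.unpack("<I", blob[:4])[0])
```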