
Hacking Mobile Apps with Frida

BSides Charleston · 2018 · 35:28 · 350 views · Published 2018-11
Category: Technical
Style: Talk
About this talk
Security BSides 2018, College of Charleston, SC, November 10, 2018, @BSidesCHS. Title: "Hacking Mobile Apps with Frida". Speaker: David Coursey (@dacoursey)
Transcript [en]

We can go ahead and get started. I'm gonna move a little bit quick because I'm gonna try and get us back on track for the timing. If you have any questions please feel free to stop me, just shout it out, whatever, we'll deal with it. This is an introductory level class, right, so if you already do any kind of mobile reverse engineering you're gonna be a little bit bored, so just deal with it. Welcome to Hacking Mobile Apps with Frida, also known as hacking mobile apps with Frida and all the other tools that are based on Frida, which don't always tell you. So as we go through this you'll see why I'm calling it that, because basically Frida is like the magical framework at the very bottom. It is not turtles all the way down; Frida is what makes the magic happen.

So sometimes people want to know a little bit about me, so this is my general career path to get into being a pen tester. Right now I am the pen test lead for Allstate Insurance. I've been doing pen testing for maybe five years, something like that, but before that I did blue team engineering and then just a lot of random stuff to get here. And so half the people are always wondering about the speaker and half of the other people are like, what the hell are we doing here? So what makes me the person to present, to talk about reverse engineering mobile apps? First of all, I am NOT a wizard. I struggled through these over the past year and learned a few tricks, and I feel the thing that I can really impart to people who are just picking this up is where I failed miserably and beat my head on the keyboard for weeks on end trying to get through very small problems, and watching people online that are just like, oh yeah, you just do this and run that command, and it doesn't work. Right? Yeah, I'm like lippy. So now everybody else is thinking, that's great, what are we doing here?

So everybody generally gets into mobile app hacking through the same sort of path. People always start with traffic analysis: first thing you want to do is hook it up to Burp Suite, that's the only proxy that we accept around here. So the apps, most of them, unless you're doing some really basic stuff, are gonna make API calls out to the Internet. They've got to call home to do almost everything, and even the ones that are doing basic stuff are calling out for ads and malware and whatever else you run on your dirty phones. So this is where everybody really starts. You can get into modifying the API calls, changing parameters, basically the same thing as you would with like a normal web pentest, with a mobile phone. A lot of the apps that we see are just web views anyway, so it's basically just a browser running on your phone and they called it an app.

The next natural place most people go is configuration analysis, but this is something that's done typically for professional pen testers and people who are trying to secure an app as much as possible. You're gonna look for the check boxes, the configuration, the BuildConfig, the secure data storage, things like that, all the Apple NSURL garbage. You're going to go through there and give a report to some developer; maybe they'll do something, maybe they won't. So configuration analysis is pretty dry and there's not much to do. There's a couple good tools I'll show later to speed that up, but that's not why we're here.

If you're doing this professionally, the next place you naturally go is static analysis. If you work for a company that makes mobile apps then you can get the source code that they wrote it with. If you don't, and you're just trying to learn this on your own at home with Clash of Clans, then you're going to be decompiling that and trying to find either the assembly, or maybe you're rich and you can get IDA Pro and get like the ARM decompiler. Anyone in here ever use IDA Pro? A little bit. It helps a lot. So typically for a professional pen tester, frequently for people who are just learning, that's where most people stop. That's kind of the end and you're just like, okay, I'm done, so I can give my report to the dev team and move on to the next app on Monday.

So everybody in this room knows that there's more to that, right? Like the apps are doing a lot that is not covered by these three things, and the real juicy vulnerabilities and the real juicy bug bounties are in modifying the behavior of the app itself. So this is where Frida comes in. Frida is a framework for what they call instrumentation of running code, and so it's a very complex, low-level kind of conglomeration of other projects that are put together so that you can actually talk to the running app in memory, and so we can do all kinds of stuff with it.

The first one that everybody normally bumps their head against is SSL certificate pinning. This is something that is huge on both Android and iOS right now, and it is one of the best protections, if you're on the blue development side, against the first two kind of attack paths in mobile apps. So certificate pinning tells that app, I'm only ever going to use this specific certificate that I gave them, that's for the server that I'm talking to for my API. So when you try to add the Burp Suite CA so that you can do your traffic analysis, it just ignores it and you get all these SSL errors in Burp Suite and you're not seeing the traffic. So if this is something that you've been stuck on, now Frida can definitely help with this. So there's a lot of other things that we can do in there: changing methods and changing configuration items, trying to get AES keys, things like that out. All of this is possible.

So how does it work? Frida has two primary modes of operation, and you kind of have to be aware of these when you're doing whatever task you're working on: Interceptor and Stalker. So Interceptor actually takes the live assembly code that's running in memory and puts in a trampoline. Who knows what an assembly trampoline is? So it will inject new assembly into memory to tell the program execution to go to a different path, right, so it's going to a new code location in memory that we can control, we can monitor, and we can do whatever we want with, assembly essentially. So this is very noisy. When you have things like jailbreak detection and when you have things like game anti-cheat detection, Interceptor is easier to detect. It's also fun to watch. So the more stealthy version is Stalker. What Stalker does is it takes a copy of the running assembly in memory, plops it over to a new section, and then it can follow the path and watch what it's doing sort of passively without affecting the live running application. So using this you can watch the methods that are being called as the app executes, so you'll get printouts of what method just got called with what parameters and what the response was. And this is part of the reverse engineering process when you're just kind of trying to figure out what the heck is going on inside this stupid app, because I want to get free cheats on Clash of Clans. So you need to find the names of the methods, because you can't alter them until you know what it's called or you know where it's running in memory. So Stalker's a lot of fun to work with. It's a little bit more experimental and it has problems, because obviously live running assembly takes multiple directions, right, it's not just a straight path from beginning to end of the running app. So once you get to a junction point in the code, Stalker has to kind of stop, redo things, usually bursts into flames, and you start all over. So it's a little bit experimental, but it's a lot of fun to play with.

So to sum that up: we can do a lot. We can change almost any running feature of an app on Android or iOS. It takes a little bit of effort to get to that point, because you have to do the RE and maybe do some static code analysis to find the names of methods, but you can do a lot.

So to get to that point, it's a little bit of a bear to set up, especially if you're doing this for the first time on some mobile devices. So you've got to have a workstation, a laptop, and it requires Python. So they just upgraded to Python 3; however, many of the tools that are built on Frida are still using Python 2. So if you learn one thing in this talk, it's virtual environments. A virtual environment sets a sandbox aside with whatever name you give it, so that when you install the dependencies for that tool it's in the sandbox, and when you install the dependencies for a different tool it's in a different sandbox, so they don't crosstalk. You won't have dependency problems, and when you do have problems and things blow up, you can blow away the sandbox and not have to uninstall Python and all the dependencies from your workstation. Once you get past that point, pip. The Frida command-line tools are separate now, so you have to do it on two different projects, but you know, that's just five minutes. Android Studio and Xcode are required depending on what mobile device you want to work with. So if you don't do a lot of mobile development and you just want to do hacking, these are interesting. Android Studio is much more friendly than Xcode, and Xcode command-line tools is now a separate download that you have to go out to Apple's site to discover on your own. So you can target almost any, or, I'm sorry, you can run it from any platform through the magic of Python, and you can target binaries from any of these. So Frida is not just good for mobile; you can use it for x86, x64, there's now a MIPS port, ARM, it's everywhere. Who can tell me what QNX is? Who runs it, though? Where would you see it live in the real world? Maybe, I don't know. Is it BlackBerries? That's what I was gonna say, BlackBerry is like the main user of QNX.

So since we're here for mobile stuff, I'm gonna start covering Android. It's a little bit more friendly on Android. You just go out to GitHub and find the specific frida-server binary for your architecture. Now you have to pay attention to your architecture. Everything is basically going to ARM64, but it's not there yet, and if you get a newer phone, on both iOS and Android, you might not be able to do the jailbreaks and the roots that you want to do, so, like I do, you're gonna drop back and get a $50 phone off eBay and it might be ARM 32. So just pay attention to that. Once you get to that point you can use ADB, which is the little utility that's installed with Android Studio, and it's like Android Debug Bridge, I think, and you just push it up to a friendly location where you can chmod it to being executable and run it, and the frida-server binary is now running and listening on some TCP port. And so whether you're connecting over USB or whether you're connecting over TCP, you can talk to the server that is making all the magic happen. All right, oh there you go, executing it. If you don't know Unix, the ampersand just means run it in the background so I don't have to watch the output. You're not gonna get a ton of debug output even when things are blowing up, just because of the nature of the way it runs. You can do like adb logcat and that will show you all the logs that are happening on the device, and it's a lot, so you just kind of have to go back and forth.

On a jailbroken iPhone most people are gonna have Cydia, and so then you just install it through Cydia. You have to add the package repository and go in and get the latest one. Now, because you're relying on someone else to upload the latest package to the Cydia repo, it can be a little bit delayed. Even just developing this talk over the span of two months, they went through six or eight revisions of the Frida binary, so you have to wait a few days. Now he's really fast and I think it's mostly automated, but you might have to wait a day to get a new version, and I did run into problems where the version that I had was not running on my version of phone. If you're a little bit more advanced you can just run it from straight apt on iOS and you want to install the latest.

So you can do this on a non-jailbroken, non-rooted device as well. It is not a trivial task. If you've never done app compilation on mobile devices before, it's even worse to try and recompile somebody else's app. So with Apple you have to have a developer account. You can get a free developer account or you can pay $99 for the professional version. With the free version, the caveat is the trusted profiles, the certificates that you're using for your recompiled app, are only good for like seven or ten days, and so you're redoing that every 10 days. For me, the $99 was cheap enough that I could just avoid the hassle of having to, you know, like I do it a week later and nothing's running and I can't figure out why, and I'm like, oh, my stupid app certificate expired. So then you have to set up deployment profiles and do, you know, all the recompilation process. So it's not difficult; the first time you do it, it's time consuming and non-trivial, but it is possible if you cannot get a jailbroken phone, which is tough right now. Like I have a jailbroken iPhone 6 running 11.3.1, which is very old now, but I waited with that version, that phone doing nothing, for three or four months because I knew there was a jailbreak coming for that version. So I just shut it off and left it on my desk for three months and then prayed that it still worked when the jailbreak got there, and then, you know, it's like wizardry, however they do that. Once you can recompile the app with the Frida Gadget in it, then you're talking directly to the Gadget inside of the app instead of the frida-server, and so it can still do the things that it needs to do, just a little bit more legwork on your part.

So now you've got to the point where you've got this thing running on your mobile device and you've got this thing running on your laptop and you want to start doing stuff. All right, we're all here to do stuff. So just some basic smoke tests to make sure things are set up and running properly. Just make sure your devices are present, and this will actually show you the UID of those devices, whatever is plugged in through USB. I always do it over USB; the TCP version is just not as stable. So you can see what devices are there, and if you have more than one hooked up then you just have to add that UID on all the commands you use from the command line. But then it'll show you the running processes on the system, to refer you to frida-ps, -U for USB, so you're gonna see that on everything. And then frida-trace will show you that app running right now in memory and everything it's doing. So when you put that asterisk in there, that's saying show me all of the methods that are getting called internal to this app, so it shows you not just the public exports but it shows you absolutely everything, and it's just a waterfall of text on the screen, and when you hit Control-C it takes 8 minutes to stop. So you can actually start using other internal methods that are common, like the file system operations. So like if you're trying to look for it opening certificates or private keys, or, you know, anything on the file system, any kind of thing that might be in the secure storage that you want to be able to get access to, you can use open. send and recv are for network transmissions, and you can actually change, one of the examples is you can change the transmissions prior to like HTTP encryption. So if you can't do your certificate pinning and you want to modify the behavior, you can do it pre-encryption and kind of get the same effect. It's not nearly as easy as just watching it go through Burp and, you know, modifying parameters in there, but you can do it.

So at this point in most reverse engineering talks, this is where we get to, right? Like it's extremely difficult in an hour to give a full reverse engineering course. Okay, so we're kind of, it's step 1.1 right now. So I'm gonna try to show some less basic operations that can just get you started. We unfortunately don't have a lot of time for real demos, but we'll see where we get. So this is the second most important thing to take note of in this talk: the --no-pause. So it's operating sort of like a debugger. When you start Frida up and it either attaches to a running app or spawns an app to run, it's gonna sit there and wait and blank at you until you do something. Okay, what this is doing is, this is giving Frida time, if you're loading a script (and we'll get to scripting later), it's giving Frida time to load that script into memory and start doing the pre-spawning operations that you want to do. If you do --no-pause, then it doesn't do that wait, and it starts up and then you can just start actually typing and interacting with the running app, and you'll see a pop up on your phone, and if you're doing SSL pinning this is where it'll work or it will fail. So the process is literally, the process is running on the device, so you can start enumerating all of the methods, all of the symbols that are exported, and you can start getting names of things. And when you do this, let's see if this works, when you do this you're getting actual live running memory locations. So if we're talking about spawning apps and getting live memory locations, somebody yell out, what about ASLR? So does ASLR affect where we're trying to find the apps that are now running in memory? So if it's compiled in the app, which doesn't happen very often, ASLR does not come into play, because we're spawning it natively or we're injecting into it already running in memory. So we don't need to try and guess where it's gonna be running, like a Windows exploit that we're sending someone, because it's already there. We're just looking inside of it, because we already have, you know, root permissions or whatever we need.

Is that tiny? That is tiny. So ve activate is just a wrapper script I have around virtual environments, so I can say ve activate Frida and it drops me into that sandbox that I was talking about. Yeah, that's not gonna work. Let's go back over here. So we can start enumerating things that are in the running process. So when this happens, how many of you have ever done any kind of mobile development? A little bit. So how many of you have ever done any kind of development? When you sit down to write any kind of app, do you write every line of code on your own, or do you use frameworks and libraries and things that exist? So when you do these enumerations you get a list of like a billion modules that are all in the libraries that come from Apple or Google, and you've got to find the ones you're looking for, because in this list of several thousand modules in there, there might be like three for the app that you're attacking. And so I'll just copy that out into Sublime or something and scroll through there and literally just, you know, the app, what they call the modules, don't always match what the running app is called, because that's just a display name. They don't actually call it Clash of Clans in the code. So you just poke and find and scratch through there until you think you find something, and then you can go in there and start trying to find the base address, and this will give you the actual running memory location so that you can start modifying things. So like in the scripts we'll come to later you'll see memory pointers, and then you have to deal with offsets, and so this is where we start getting into trying to do that owl. Like it's hard to talk about pointers and offsets in a one-hour class, but just understand that once you have the base address for the running application, everything is built off that. So maybe if you do have IDA Pro or you got good, like, you can find that this function is at base plus whatever, and then you can start messing around in there.

So everything in Frida is scriptable, and they have bindings for, I think, C#, Node and JavaScript and C, maybe not C#: C, JavaScript and Node. So any of those three languages and Python, you know, those four languages can be scripted in order to call Frida directly and make direct API calls to do the exact same things that you probably would never really do on the command line. I always start with the command line as I'm just starting to poke around and see what's inside this app, but then you're gonna pull it out and do some scripts. So all you're doing there is you're saying that wizard guy that was in the beginning, he wrote a script and I want to load that. And so they can be super simple. Like this one right here is doing that: it's changing the send method that I was showing earlier in the trace, so we can send different messages with just this size of script. Now obviously this is super basic and you're not going to do this on a real app, but it doesn't have to be super complicated, and the documentation for the Frida API is huge and it's all online, so if you get stuck on one point it's pretty easy to find. The other thing is the Frida CodeShare has tons of other scripts out there, and so like if you don't really want to try and write your own SSL pinning bypass script, you can just go out to the CodeShare and find one of the eight that are already out there and find one that works for you. I do that a lot, just because, you know, as you're going through this, like some tools may or may not work depending on which version of iOS, which version of Frida, which architecture you're on, and how old the code is that is in that script. And so you poke through there and I'll just copy pieces out and, you know, kind of edit my own. And there's always GitHub. I have a bunch of links at the end of these slides, but there's a billion projects out there on GitHub that all make use of Frida for doing the types of things you want to do to hack apps.

So yes, yes, yeah, you can actually directly inject into the running application methods and modify, so like swizzle in, for lack of a better word, modify that one single specific method. So like say if it's, um, a common one, and I always come back to this because it's such a pain, is certificate pinning. There are some very commonly known certificate pinning libraries or like certificate pinning methods on iOS, but the developers don't have to use those ones. They can name it something else to get around us, and if you go in there and you discover the name of that method, then you can change that specific method to say true instead of false when it returns after the certificate check.

So it's not like a debugger where you would go register-specific; it's abstracted one layer. So you can do direct pointer math, and I think the answer is yes, because you can actually go through, especially with the C bindings, they're a lot lower level, so you can go through and do direct pointer math. I'm not sure if you can change like the execution register to get outside of your memory space or anything. So it's a little bit different of a mindset, where you wouldn't change a register to skip the method; you would just blank that method out, and so it doesn't exist anymore, or it does something that you wanted to do. You could just tell it return, you know, or redirect, yeah, something like that.

So now we're at the point where we're starting to build our owl, and that was up there for a long time. So once you get to this point (how am I on time?), once you get to this point you're starting to change the way that the application behaves for real. So not only certificate pinning, and not only, you know, bypassing other types of authorization and authentication checks, but you can go in there and start changing everything else. So like I like to mess around with games. I want to cheat on games, so you can start finding things where you can get free money, and I don't necessarily go for like dollar money because I don't like prison, but you can find, you know, the in-game money and stuff like that so that you can just cheat on games. There we go. Is that coming back? So if you're doing this professionally, you're probably not going to be doing Frida at the command line. I specifically, I get a week per app, and so a week is not enough to do these types of operations. I have no idea what just happened to the view here. A week is not enough to go through these types of reverse engineering to get the information that you need in order to find vulnerabilities. This is something that if you have an app that you hate, then you can sit and pick it apart, or maybe on some bug bounties, then it's much more realistic that you can sit there for a month and work on one app.

It totally just blew up.

Here we go. So there are some apps that I like to use. Now Android is always a little bit more of the Wild Wild West. Like iPhone is very nice and controlled and everything works very well as long as you pay attention to the specific versions of phone and iOS and whatever jailbreak you may be running. FiOS is one of the best tools I've ever used for mobile testing; it's literally just plug and play and you get all that information about certificate bypass and configuration analysis, and you get all that super easy, but it doesn't work right now on my 11.3.1. So I've been testing literally all of these tools and they're all based on Frida. So brick is a little bit different. It's a little bit closer to the debugger world, so it looks kind of like radare. So when you start it up it's expecting you to start giving commands to, you know, to analyze and decompile the app and do things like that, but it's lower level and super powerful. It's just a little bit higher of a learning curve. r2frida, I really want to get better at r2, but it's the highest learning curve of them all. So there's a Frida module, so if you're good with radare then you can just get in and use the r2frida module to talk directly to the phones. Objection is another good one, and objection is the one I probably use the most these days, because they stay most up to date because it's an actual company. It's put out by SensePost, so they actually have people who get paid to keep this stuff working because they use it internally, I guess. So, you know, it's fairly good, and when I have a question about the way some script is running, or more commonly not running, I'll go out and look at the objection source, because it's all on GitHub, and see what I need to do. Demo is not working, just get... So the creator of Frida is this guy, and I can't pronounce his name, though we are all... I just, you know, I have to throw that out because we're all standing on the shoulders of giants.

So Frida on Telegram is a pretty good resource for kind of learning, but it's like IRC in the '90s, and so when you ask questions you need to have done some homework first, because there are a lot of people who just go in there and, you know, tell me how to hack my Facebook app, and it's not pretty. Frida on freenode is basically just a mirror of Telegram. The secret Slack is pretty good; the guy who runs it actually does hacking on Clash of Clans and like has developed cheats and stuff like that, so I like hanging out there. And I device pone is for jailbreaking. Those last two are really low volume, so if you're not into the whole hanging out online all night long thing, they're not so bad. So any questions? I know we moved kind of fast and didn't really get a really nice owl, but somebody ask me some questions.

Yeah, go for it. Yes, I... you don't have to, but I did.

I think it does, and honestly I've just never cared, because it just works. Like now, everything in the mobile stuff here is always caveated. So I left the company that I was working at before, so I had to give up my perfectly working mobile devices, send them back home, and I bought two new ones on eBay. So I bought an iPhone 6 and I bought a Pixel 1. The iPhone 6 is jailbroken now and the Pixel 1 is rooted, but the bootloader is locked forever, and that's not a carrier-specific thing; that comes from Google like that on some Pixels. So if you get a Pixel from like Vietnam you can root it all day long, but if you buy a Pixel in America the bootloader is locked, and so I can't do some of the things I need to do, like upload certificates to the certificate store to do pinning bypass. So I'm going back to eBay again to find another older, like, I had really good luck with the Nexus 6. Yeah, the Nexus 6 is very rootable and you can pick them up on eBay for, I don't know, like 50 bucks or something. Now there's no point in holding it up; it's just a black rectangle. [Laughter] So any other questions about anything, getting set up, hacking the apps? No? All right, well, thanks everybody. Sorry I didn't have a good working demo, but such is life. [Applause]
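The spawn-paused, load-script, then resume sequence the speaker describes under --no-pause, combined with the open() hook he mentions for catching an app reading certificate or key files, as an added example written against the frida Python bindings (not code from the talk or from the Frida project). It assumes frida-server is running on a rooted or jailbroken device reachable over USB, the `frida` package is installed, and the app's package or bundle id is passed as the first argument; the paths and messages in SAMPLE_MESSAGES are constructed, not captured from a real app.

```python
"""Added example (not from the talk): libc open() tracer on the frida Python bindings."""
import fnmatch
import sys
from collections import Counter

# JavaScript agent that runs inside the target process. Every open() call
# reports its path and the returned fd back to Python through send().
HOOK_JS = r"""
'use strict';
// null module: first export named "open" in any loaded module (libc here)
const openImpl = Module.findExportByName(null, 'open');
Interceptor.attach(openImpl, {
  onEnter(args) {
    this.path = args[0].readUtf8String();
  },
  onLeave(retval) {
    send({event: 'open', path: this.path, fd: retval.toInt32()});
  }
});
"""

# Extensions that usually hold key material or certificates; an app opening
# one of these from its sandbox or shared storage is worth a storage review.
SENSITIVE_GLOBS = ("*.pem", "*.p12", "*.pfx", "*.key", "*.crt",
                   "*.cer", "*.der", "*.jks", "*.bks")

def is_sensitive_path(path):
    """True when the file name matches a known certificate/key extension."""
    name = path.rsplit("/", 1)[-1].lower()
    return any(fnmatch.fnmatch(name, pattern) for pattern in SENSITIVE_GLOBS)

class OpenTracer:
    """Receives the agent's send() messages and keeps a summary."""

    def __init__(self):
        self.counts = Counter()   # path -> number of open() calls seen
        self.sensitive = []       # distinct paths matching SENSITIVE_GLOBS

    def on_message(self, message, data=None):
        # frida delivers send() payloads as {'type': 'send', 'payload': ...}
        # and agent exceptions as {'type': 'error', 'description': ...}.
        if message.get("type") != "send":
            print("agent error:", message.get("description"), file=sys.stderr)
            return
        event = message["payload"]
        if event.get("event") != "open":
            return
        path = event["path"]
        self.counts[path] += 1
        if is_sensitive_path(path) and path not in self.sensitive:
            self.sensitive.append(path)

def trace_app(target, tracer):
    """Spawn `target` suspended, install the hook, resume, run until Ctrl-C."""
    import frida  # imported here so the parsing side runs without frida
    device = frida.get_usb_device()
    pid = device.spawn([target])        # process exists but has not run yet
    session = device.attach(pid)
    script = session.create_script(HOOK_JS)
    script.on("message", tracer.on_message)
    script.load()                       # hook installed while still paused
    device.resume(pid)                  # the equivalent of frida's pause ending
    try:
        sys.stdin.read()                # block until Ctrl-C
    except KeyboardInterrupt:
        pass
    session.detach()
    return tracer

# Constructed sample messages in the exact shape frida hands to on_message,
# so the summary logic can be exercised offline (not captured from an app).
SAMPLE_MESSAGES = [
    {"type": "send", "payload": {"event": "open", "fd": 41, "path": "/data/data/com.example.app/files/client.p12"}},
    {"type": "send", "payload": {"event": "open", "fd": 42, "path": "/data/data/com.example.app/files/client.p12"}},
    {"type": "send", "payload": {"event": "open", "fd": 43, "path": "/proc/self/maps"}},
]

def replay(messages):
    tracer = OpenTracer()
    for message in messages:
        tracer.on_message(message)
    return tracer

if __name__ == "__main__":
    result = (trace_app(sys.argv[1], OpenTracer()) if len(sys.argv) > 1
              else replay(SAMPLE_MESSAGES))
    for path in result.sensitive:
        print(f"key/cert material opened: {path} ({result.counts[path]}x)")
```

Run with no arguments to see the summary over the constructed messages; with a package id it attaches to the real device and prints the same summary on Ctrl-C.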