
Hacking Mobile Apps With Frida

BSides Belfast · 2018 · 44:43 · 256 views · Published 2018-10
About this talk
An introductory guide to using Frida, an open-source dynamic instrumentation framework, to reverse-engineer and test mobile applications. The talk covers setup on both Android and iOS devices, basic Frida operations like process tracing and method hooking, and demonstrates practical techniques for analyzing app behavior without requiring deep reverse-engineering expertise.
Transcript [en]

All right, well, thanks everybody. First of all let me just very briefly say that it is incredibly humbling to be accepted to come speak internationally, slightly terrifying as well, so if I mess this up it's going to be a long flight home. Thank you for coming to Hacking Mobile Apps with Frida; the alternate title was Hacking Mobile Apps with Frida and the Other Tools That Are Based on Frida, Which Don't Always Tell You About It or Advertise It. Very briefly about me: I was, or right now I am currently, the application pen test lead for Allstate Insurance. As you might imagine we're a very large company, we have a lot of applications, so I see a lot of corporate

style applications. Before that I was an application security consultant for a small consulting firm, going through many, many different customers, many different types of applications, so I've worked on everything from the latest modern Golang back to Access 2000 databases. Before that I was a DoD security engineer doing kind of blue team type stuff, and kind of cut my teeth as a programmer, went through the programming world and sort of what we now call DevOps, so writing the code, deploying it to the servers, hardening the servers and whatnot. So why am I the person to talk today about hacking mobile apps with Frida? Because one thing I'm not is some kind of

reverse engineering wizard. I struggle through things, and this is an introductory level class, so if you have experience already doing reverse engineering with Frida you're probably going to be a little bit bored, but tough, sit it out. So I like to teach the new people that I work with the stumbling blocks that I went through, the things that I broke and where I failed, so you can avoid those as you kind of start your journey with reverse engineering this way. So half of you right now are thinking this. So what does this come down to? Hands up if you have a flip phone. None? None. All right, hands up if you have one of those

little tiny prison phones that we've all been hearing about. I'm not a cop. No one, okay. So we have apps, right? Hands up if you have zero apps on your phone. No one. So we want to see what they do, we want to test them. Sometimes it's for work, sometimes it's for fun, sometimes you just want to learn so that maybe you can get some work later, sometimes you're just bored. So everybody always kind of naturally flows towards the same first area, because it's something that we're a little bit more comfortable with: traffic analysis. So obviously the most popular interception proxy is Burp, at least where I come from; you guys have some weird stuff going on over here,

so everybody goes towards Burp because you can test the APIs, you can test the calls and see what the application is doing outside of the device, and that's where most of the app is going to get its functionality and UI. For normal apps that are business apps and games and things like that, they all have to call back to servers; almost no apps survive on their own anymore, even if it's just used for tracking and advertising, and you know there was a great talk earlier about privacy invasion, even those apps send everything out over the device, I mean over the Internet. The next thing that usually follows, especially if

you're doing this for like a mobile application pentesting job, is configuration analysis, and this is really just ticking all the boxes and making sure that the build properties are set, making sure that the environment properties were set, and kind of going through the motions to get some of the basic security things like backgrounding images so you don't leak privacy information. Very straightforward. And then the next of the big three that everybody flows to is static analysis, all right, and so this almost always means that you're doing this for your job and probably have source code. There are very few people that take the time to go through downloading and extracting the application and reverse engineering

it, because that takes an incredibly long time and is incredibly expensive in man-hours and labor hours, so most people stop there and you're dunzo, so walk away. But everybody in this room understands that there is a lot of dirty stuff going on inside a lot of these applications, and whether it's only mildly dirty like tracking you for advertising purposes, or whether it's privacy violations like we saw in the talk earlier, or whether it can be, you know, Android malware, iOS malware we don't really see, it's allegedly out there. So this is where a reverse engineering approach like Frida can come in really handy. What exactly is Frida? It is by definition an open source dynamic

instrumentation framework, so it's not really a debugger, it's not really dynamic analysis, it's kind of both of those, a little bit from each side rolled into one. So what you're actually doing is injecting into the running process and hooking methods and hooking the, you know, the native calls, and altering the way that the code runs in memory, and so it's very ephemeral: you don't save anything back to the binary. You can patch it should you decide to go that route, but that's not what I think most people do. It's extremely cross-platform, and some of the typical things that we do with it, right, back to extracting the applications: like what is

the number one blocker for doing static analysis on an iOS application that you don't own? It's encrypted until it's running on the device, right, and so you have to have a method of performing the decryption, which is usually signed with not your certificate, and bring that off and decompiling it using Binary Ninja or something like that, and maybe IDA if you're rich or you're doing this for work. And another big thing that we can do is bypassing SSL certificate pinning, and this is something that I'm starting to see a lot as a pen tester; people are finally getting caught up with SSL pinning and understanding that it can be a significant

advantage for people who are doing surface level attacks against your apps and your APIs. It's not going to stop anyone dedicated, it's not going to stop the APTs, but defense-in-depth. So how does Frida work? It's got a client and a server. The server runs on the target device, and I'll cover the different types of target devices in just a minute, but so it runs as a service and opens up a TCP port, which is just a weird high port, 27042, and sits there and listens for commands. And so it's got a couple different modes of operation depending on your objectives, depending on how stealthy you want to be. If you're doing hardcore reverse

engineering of a very popular game or an app that makes a lot of money, then they're going to have reverse engineering obfuscation, they're gonna have lots of different techniques, different crypto techniques to try and stop people from doing exactly what we want to do. So the first method is called Interceptor, and so what this does is it injects a trampoline into the assembly to send the execution flow over somewhere else, right, over to somewhere where we control, and so once we can get to this location in memory that we can control, we can obviously do whatever we want. Now some of you are thinking, but what about ASLR? So this is the post-ASLR process; once

the application is already running, Frida can just jump in and find the base address, and then we can find offsets from there and work towards finding the modules and the methods and classes that we want to attack. So Interceptor is very sturdy, it works very well, it's not stealthy, and it's harder to hide if they've done a good job of obfuscation and reverse engineering protection. So the other method is called Stalker. So what this does is it takes a copy of the assembly running in memory and makes one that's not quite the same, right? You can look at it and you're just like... and so it can really only

get to a certain point in memory, or a certain point in the assembly, before it gets to a jump or some kind of instruction that it's just not gonna work if it copies, so it can only work in smaller blocks. So this is much more stealthy. We can follow methods that are running, and there are methods of going and seeing what gets called next, what gets called next, and so you can work your way down the call stack. So it's sort of like a smarter Java stack trace, if you're used to seeing something like that; you can work in forwards time and get the method calls. And so it's also much more fragile, right,

copying assembly and trying to execute it alongside other assembly that's running is hard, to say the least. So we're gonna run through what it's like to get a workstation up and running to do the testing. So the first part is the Frida client side. So you have some kind of workstation, and it really doesn't matter what operating system you're running on. First thing you need is Python, and if you take away one thing from this talk, the most critical thing to learn is that you have to have virtual environment running. If you don't have virtual environment running you're going to hate life after about three hours, because all of the different

tools use different versions of dependencies, they use different libraries, and Frida is constantly putting out new versions, the jailbreaks have new versions, the Android roots have new versions, and all of these end up with spaghetti code that breaks very quickly, and so it's much easier to just blow away your virtual environment and start over. So once you have that up and running you can just pip install frida and frida-tools. The frida-tools give you the command-line tools, Frida itself gives you the core, so if you want to do the command-line tools that I'll show in a little bit you want to do those separately. And if you're doing Android you have to have Android Studio, because

that gives you the ADB bridge, right, and that gives you a lot of commands that you can use to control the device. And if you're going to do iOS you have to have Xcode, and they separated the CLI tools now, so you have to actually go out to their developer site and download the CLI tools separately, because that's courage. So the target device can be any one of these, and I know I hadn't heard of QNX in a long time; BlackBerry bought them, yes, BlackBerry, and so now they're partnering with QNX and doing something, but Frida runs on it. So any of those devices can run the Frida server side, right, and so a lot of demos you'll find

on YouTube and stuff like that, people always fall back to debugging like a Linux application that they wrote in C real quick, because it's simple to show the source code and then simple to show how Frida can do the modification, and so it's very powerful on any OS. So to get an Android phone set up, I'm going to assume that you're using a rooted phone, because the Android environment is a little bit more friendly as far as getting devices that are rooted; if you need recommendations I can give you an Amazon site that sells unlocked Pixels. And you basically just go out to GitHub and find the frida-server for your architecture, so you got

a, you know, there's a Droid Info app, you run that and it'll tell you what instruction set you're running for your CPU, if you're using ARM, ARM64 or some kind of weird x86, so you got to have the right architecture. And then you use adb push to push that binary up into a location that you can control, and once you have everything set up you can just do a chmod and adb shell to run it. But personally I like to just adb shell into the device, and it's just like you're on the terminal there; you can just su and cd to that directory, and then I'll run it locally so that I can see if there's

any crashes or any log output, stuff like that, because there are many, many times where something is just not working and you figure out that, oh, my phone rebooted so I forgot to restart the server, or it just crashed, you know, lots of different things. This is very rapid testing depending on the versions: if different versions are working for you, you delete it, download the other, the older version maybe, and try again with a different version. iOS, it's a little trickier. On a jailbroken iOS device you're probably using Cydia, I think that's how it's pronounced; apt is another option but fewer people are using that, and then you just add the

package source and install whatever is the latest. Now the guy who creates Frida is very quick with uploading the new version to the Cydia package source, but it's not as fast as the GitHub repo, so you know, just in the month prior to creating this talk I probably went through eight different versions of Frida, and they're minor revisions, but they're bug fixes, and maybe that bug fix is the thing that I'm trying to do right now, so of course I'm gonna test it, I'm gonna try it out, and I've got to wait a little while to do it on my iPhones. Now a lot of people ask about not-jailbroken iPhones, because to be completely honest

jailbreaking iPhones right now is miserable. I held on to my 6 for six months before the jailbreak was released, just watching Twitter, and the jailbreak community is extremely toxic, so I don't recommend it right now. So with a non-jailbroken iOS all is not lost: we can still recompile the app and deploy the Gadget, which is super easy. All you have to do is set up a developer account, set up your signing certificate, set your deployment profile, create a project in Xcode, deploy that as an app to your iPhone so that you can accept the signing or the deployment profile onto your iPhone, and then recompile the app to include the Frida Gadget, and then

Frida will understand that this app can be used, right, and it's basically the same functionality. I haven't noticed any functionality difference, it's just a pain difference, right: it takes a long time to go through these. First time I did it, I mean it took me days just to get all these things right, because, you know, first of all you got to pay $100, I'm not sure how many pounds that is, to get your developer account for Apple, you know, and going through all these things, and when you search for them on Google it's from, you know, like 2014, so it takes a little more effort. So now we come to the part where you're

ready to do stuff, right? You have your workstation set up and you have your target device set up, so I'm just gonna run you through some very basic operations to do basically a smoke test to make sure everything is working. frida-ls-devices is just a wrapper around the adb ls devices, so that you can see if anything's talking, and it'll give you just a nice printed list of all the devices including your workstation. frida-ps is just like Unix ps, so you can get the running processes; -U is for USB and -a is for all, and then you can do -Uai to do all that were installed. I

find myself doing these too many, many, many times, so that's why I wanted to include them, just to make sure things are working and the server's talking. The next basic thing is to test out the Stalker, and so frida-trace executes the Stalker on your app, and so the -i, I can't remember what that stands for right now, but the -i is looking for the method that you want to capture. So right now you're just saying frida-trace and show me everything that functions in my app, and so let's see if I can show that... I'll come back to it so that I don't interrupt the flow. So that's just tracing all of the running activity in

that process. So if you've ever seen a Java stack trace, think of that like water falling as fast as possible down your screen; it's not helpful, but you know something's working. But then you can start to change that -i into well-known functions, you know, open, send and receive: open is for files on the file system, send and receive obviously for network communications. So if you're just starting to do reversing on some app and you want to start looking at what kind of network traffic it might have, and you haven't yet made the jump to putting it through Burp, you can just see what's being sent and received. And then generally you get to the point in every

reverse engineering talk where they're just like, okay, now just reverse the rest of it. So unfortunately it's very difficult to show reverse engineering in a 45-minute talk, but I'm going to try and do as much as we can from a beginner standpoint. Some not-so-basic operations, once you're ready to really start feeling out the inside of an application, and I'm highlighting Android right now just because I see a lot more activity on that, sitting on the message boards I'm gonna show later, it's way more Android activity. So --no-pause is important, because when you start Frida up and it spawns an app, it's gonna sit there and wait for 10 seconds for you to

do something, and I'm still sipping coffee, so then it quits and I don't understand why. So you have to put the --no-pause in unless you're loading a script right off the bat, so I do --no-pause on everything, and you just give it the target app, and it's in the, you know, the weird reverse notation, we'll come back to that in a second, but that's just like every Java package ever. So at this point we turn Frida on and it has its own little terminal; it prints out the version number and you're sitting at a blinking terminal, right? And so I typically go here first, because this will tell me what modules are loaded in

that app, and so you're gonna get a bunch of the Java and Google stuff that are in every app just to run, and then you're gonna look through there and find the one that you guess is gonna be for the app that you're actually trying to target, and it gives you a big XML-style list. So I typically just select all, copy that out into Sublime and start deleting things that I know I don't want to work through, because it's a giant list. Once you find the name of a module you just stick that in there, and that will tell you the running memory base address for that application right now. So that's what I said, where

it's bypassed ASLR and you can start working from there. So you spend a lot of time working with memory addresses and pointers when you're doing the reverse engineering through Frida, so write that down once it prints, and I'll show that in a little bit, assuming the demos work. So the next thing that you generally want to get into is scripting with Frida, and this is where it really starts to get powerful. There are many public scripts that people have made that are useful, and they're super easy to run, so you can either have a JavaScript file, or it also has bindings for C# and Node and I think even C, so you can call the Frida API directly

from your code to do all of the functionality that Frida would do just by normally banging on the terminal. And so Frida has a CodeShare, it's codeshare.frida.re, and all the links are at the end, so don't need to write that down. So people have pre-written a lot of scripts to help you, like SSL pinning bypass, you know, extracting the iOS app from a running device, all these things exist. Now, caveat is, again we're back to different versions, different iOS versions, different Python versions; Frida only recently made the jump to Python 3, so I generally keep my own little repo of scripts that I have edited and I know are working on my

system. But by now, once you get some of these scripts running, you're getting to the point where you're actually drawing the owl, right? It's starting to be built out into something where you can look into the inside of these applications and see the methods and activities that are happening. And so this is good for exploration and kind of feeling things out and just learning, right; it's best to start this just at the terminal, because there's really a lot that goes on once you start looking at these scripts, and I'm gonna show one now, whether this likes it or not.

Once you start working with the scripts it gets pretty busy pretty quickly, right, and I for one don't love JavaScript. So this is an example of a script that is tiny, right, so 125 lines of JavaScript, and this is the same functionality that the Stalker can do with following who is next in the call stack. Now the difference is this is using Interceptor, and so it is a little bit more effective; it's just not quite as plug-and-play, because you have to go through and make sure that, you know, the architecture is proper, make sure that the base address and the processor are actually functioning. And so this is

about as small of a script as I could find, around 100 lines, and they get gigantic, and obviously if you're working on an application that is a big money maker and they're trying to hide things, then you have to worry about multiple competing rounds of crypto that are trying to hide, you know, different running methods, and just a lot of reverse engineering obfuscation. And I'm not even really talking about code obfuscation; this is just doing things in a way to block game cheating, right? One of the guys on the Slack I'll show is really big into hacking Clash of Clans, right, but they make a lot of money, they have a lot of money to hide this

stuff, and so he releases scripts that are not really public; you know, he'll show parts of what he does, but obviously people spend so much time doing this that not everybody wants to release the stuff publicly, so it can be fun trying to figure it out. So this is the Frida terminal, right, so we're looking at Candy Crush, okay. So when I do this it actually spawns on the device, right, so this is live, not more, you know, why? Because the phone died on the walk up here. So watch this: so adb shell, that puts me into a shell on the device over the USB; su is root, so once we root an Android

device you have to use SuperSU, it's a little app, and that grants you permissions to take over root, so even though the phone might have been unlocked and rooted, you're not actively running as root until you SuperSU it, and then...

So now I know the server's running. It's very low on verbosity, so there's not a lot of output. I've talked to, I can never pronounce his name, but I've talked to the guy who created it, and you can go in there and edit the code to increase the logging levels; I might do a PR for that to add a switch, because right now it's a little bit painful when you're trying to learn it. So frida-server is running now. So ve activate is just a little bash function that gets me into my virtual environment sandbox, right, so... tell me if I spell anything wrong, you're supposed to tell me. Now it's gone, and

it's live, right, and so that was kind of a lot to get to this point when you're doing it for the first time, right; it does get a little bit frustrating, but once you get here it can be pretty fun once you see things that are actually running. Oh my gosh, chief is back over here,

and I'm just cutting and pasting right now because it's easy, so easy. There we go, all right. So Frida's got this nice command completion on the terminal, right, so you know you can just go down here and basically just play with all of these to try and figure out what they do. So enumerateModulesSync is a function; most of these are functions, so you have to go out and look at the API notes and the spec and see what types of parameters it's expecting, right. And so this gives you this big nasty XML list; you go through here, and there you go, and because it's a string you code it

Oh, cousin, tell me again, yay. So after all that we have the base address of the running application on the mobile device, so pretty laborious to get to this point. Now as a pen tester, or as anyone who wants to do this professionally, you kind of have to go through all the basics just to get to here, but there are other people who have gone before you that have done all of this work, and maybe I can show you. I'm just gonna leave that up there for a while. All right, so how do we speed this up? Okay, we don't want to have to redo that every time we look at a new app, right, so there are multiple

apps and scripts out there right now for speeding up your testing, right. One of my favorites is FiOS for iOS; the only problem is, like many open-source projects, this guy did it as a college thesis project and then disappeared off the planet. Frick is the guy who does the Clash of Clans reverse engineering, right, so he has put a ton of time into tying Frida into an actual debugging framework, and so if you want to debug while you're doing the reverse engineering, so you have a little bit more intrusive but a little bit more active results when you're doing the testing, Frick is great and it's very quick to set up. So you install these apps and everything comes

preset for you; they're all on GitHub, all the links are included. r2frida: radare is the reverse engineering tool that's extremely powerful, and of all of these I would say r2frida is probably the most powerful, but the highest learning curve. objection, I have another quick demo to show after this; objection is similar to Frick and FiOS except it's all command line. FiOS is very pretty, it's a GUI and it's nice to look at, but it doesn't work on my iPhone anymore because I upgraded, so I'm just out of luck. AppMon is another one like FiOS where it's very powerful, and if you have an iPhone 6 or 5 it's probably

gonna work, actually probably not a 6, because if you've upgraded your 6 to iOS, like the latest one, then it's not going to work. I'm on 11.3.1, so if you're using the Electra jailbreak with the 6 it won't work; you got to have a 5 and Alderon 10.2, and there's all these stupid rules. So I'm going to mirror my screen so that I can see this better while I show this off; I think that's gonna make everybody's life a little better.

So the notation's a little bit different here, and objection can do the same thing with Android apps, and it's highlighted a little bit more with the Android as far as using it on a non-rooted device, right, and so you can go out and recompile the app, and they have their taxi which they call their gadget, and so that lets you use non-rooted, non-jailbroken devices. This one you have to make sure that the app is already running, right, and so again we get a nice pretty command completion, and this is very simple and much faster just to start poking around through the application and seeing what you want to see. If you don't know, the activities are

kind of all the screens that will run in the mobile app, and then you can just start looking through here, you know, classes are going to be the actual source classes that are resident in memory, so again most of them are gonna be the Java Google stuff that's required for every Android app, depending on what that app is using, but you can go through this and slowly, there we go, find the stuff that you're looking for, all right. And again I just highlight this, copy and paste it out to Sublime and start hitting them one at a time until I see what I'm actually looking for. And so I know from doing this that this class exists, right, and so I don't want to list it though, I want to watch it, right. And so one of the things that objection will do for us is nothing... one of the things that objection will do for us is it will actually set up jobs so they can run concurrently, so I can set multiple class methods, multiple functions that I want to watch. So what this awesome demo is supposed to do is I'll set up a watcher on the touch events, right, so Candy Crush, you're sitting there swiping over and over again, flicking, and so I'll set up a watcher for the touch events so that I know to start following things. I can get

that output... oh, I know why. No, that's not why. So yeah, so that's terrible.

Just getting my slide set back up here.

That's right.

So sad on the demo. Obviously I didn't create any of this; I wouldn't be here without, as they say, standing on the shoulders of giants. So some of the resources that I really need to highlight: this guy, I can't pronounce his name, is the creator of Frida and he does a ton of coding work all the time, he's absolutely brilliant. There are several resources you can go to, and I encourage you to go out and start getting into this. Frida on Telegram is sort of helpful, I'm not a big Telegram user, but it's okay. Frida on freenode is basically the same thing. So the secret Slack has a lot of people on there, they're kind of going

through the same process, and a few people who are the real reverse engineering wizards, including the Clash of Clans guy, so I spent some time in there and I encourage you to go out. And iDevice pone is more for jailbreaking, and it's low volume, but I typically will see things about jailbreaking in there before I see it on Twitter, so it's very fast. This is an actual interaction I've had, so obviously it's kind of like IRC in the 90s, your mileage may vary, you know, so feel free to come out and say hello. And please ask me some questions, if you get past that terrible demo.

Maybe a crash, I'm not sure honestly, but you're right, typically I have to have the whole, kind of all the plates spinning at the same time, and then I can spawn it. That's been my biggest problem over the past month, is apps spawning and then dying. So yes, my Slack, that one, yeah, that one's already there, yeah, you have to go to that website for an invite, but there's tons of tutorials out there. Oh, my slides, yes, yep, so I'm trying a new slide app called Reveal which gives me nice transitions, but I have to export a PDF, and it's all written in JavaScript, just, yeah, it's not a good choice. See, I have a

bunch of interesting links in there. Like I said, the biggest thing to remember to take away is virtual environment, and then there's a hundred different repos on GitHub that have lots of little scripts for testing through this. And thank you.
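The steps the speaker walks through by hand at the Frida REPL (list the loaded modules, pick the one that belongs to the app, note its base address, then trace well-known functions such as open) can be collected into one Frida script. The script below is an added example written for this page, not code from the talk or from the Frida project; it assumes a placeholder package name and module name fragment, the libc.so open() export as the hooked function, and a constructed module list so the helpers can be exercised without a device attached.

```javascript
// Frida script, assumed to be loaded with (placeholder package name):
//   frida -U -f com.example.target --no-pause -l hooks.js
// Under plain Node the Frida globals (Process, Module, Interceptor) are absent,
// so only the pure helpers and the constructed sample data are exercised.

// Constructed sample module list (not captured from a real device) so the helpers
// can be exercised offline. Fields mirror what Process.enumerateModulesSync() returns.
const SAMPLE_MODULES = [
  { name: "libc.so", base: "0x7000000000", size: 0x100000 },
  { name: "libart.so", base: "0x7100000000", size: 0x200000 },
  { name: "libcandy.so", base: "0x7200000000", size: 0x300000 }, // placeholder app lib
];

// Drop the platform libraries the speaker deletes by hand in Sublime, leaving the
// modules that are actually worth looking at for this app.
function pruneModules(modules, ignoredPrefixes) {
  return modules.filter((m) => !ignoredPrefixes.some((p) => m.name.startsWith(p)));
}

// Pick the first module whose name contains the fragment you guessed for the app
// (the "find the one that you guess is for the app" step). Returns null if none.
function findTargetModule(modules, fragment) {
  const needle = fragment.toLowerCase();
  return modules.find((m) => m.name.toLowerCase().includes(needle)) || null;
}

// Translate an address from a static disassembly into the live process. ASLR moves
// the whole module, so runtime = liveBase + (staticAddr - staticBase). BigInt keeps
// 64-bit addresses exact; hex strings such as "0x7200000000" are accepted.
function rebase(staticAddr, staticBase, liveBase) {
  return BigInt(liveBase) + (BigInt(staticAddr) - BigInt(staticBase));
}

// Frida-only part: runs only when the script is loaded by frida on a device.
if (typeof Process !== "undefined" && typeof Interceptor !== "undefined") {
  const mods = Process.enumerateModulesSync();
  const interesting = pruneModules(mods, ["libc.", "libm.", "libart.", "libandroid", "libbinder"]);
  console.log("non-platform modules: " + interesting.map((m) => m.name).join(", "));

  // "libcandy" is a placeholder fragment; replace with a fragment of the app's own library.
  const app = findTargetModule(mods, "libcandy");
  if (app !== null) {
    console.log(app.name + " base=" + app.base + " size=" + app.size);
  }

  // Same information frida-trace -i open gives: every file the app opens, with the
  // returned descriptor, logged to the Frida console.
  const openPtr = Module.findExportByName("libc.so", "open");
  if (openPtr !== null) {
    Interceptor.attach(openPtr, {
      onEnter(args) {
        this.path = args[0].readUtf8String();
      },
      onLeave(retval) {
        console.log('open("' + this.path + '") -> fd ' + retval.toInt32());
      },
    });
  }
}
```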