
Good afternoon everyone, how are you all? So, I am going to talk about mobile applications: how to reverse them, hook the application and swizzle it. So, let's have an introduction about me. So, as he said, my name is Akansha Keshirwani and I have expertise in web application pen testing and mobile application pen testing.
So the agenda over here is to know how we are going to reverse the application to get to know the logic behind the development, what kind of logic the developers are using when they are developing the application, reading the functions and their methods, and then hooking the application to get an agenda fulfilled. For example, if there is a root detection, we will hook the application to bypass this root detection.
So my first question over here: how many of you use smartphones? I guess almost everyone, right? So what is the difference between a smartphone and a basic phone? Can anyone tell me?
Right, so here comes the reason why we use smartphones: it's because of the applications. So last week I was going through a news site, The Hacker News, where I learned about a WhatsApp vulnerability. You might have heard about it recently. Has anyone heard about the GIF vulnerability of WhatsApp? Yeah, what is it?
Okay, so how was the attacker exploiting that vulnerability?
Okay, so as you stated, the WhatsApp vulnerability allowed the attacker to get what he was desiring, and he was even able to get access to some sensitive data of the user. So as we see, we are all using smartphones. Currently there are 2.7 billion smartphones being used, and can you guess how many mobile apps are being used? In 2018 it was 205.4 billion, and it's supposed to increase in 2022 to 258.2 billion. So since we are having many vulnerabilities in the applications (I talked only about the WhatsApp application; there are nearly 200 billion applications), they might be having vulnerabilities, and because of this it has become a very necessary step to know what mobile application pen testing is. It's very necessary for us to check how to hack the application and even how the user's data is being violated and used. So, in mobile application pen testing, whenever the pen tester is testing any application, what happens is that some of the applications already have security measures built in,
like root detection or jailbreak detection, SSL pinning, or you can see that some applications' traffic is being encrypted before being sent to the server. So in order to bypass that, what we need is to reverse engineer the application and check how they are doing this stuff at the client side, how they are doing the root detection check, and whatever functions and logic they are using, how they are using them. So for that we do reversing.
Can anyone tell me what reverse engineering is?
So why do we need it? Anyone? Okay.
So most of the applications are susceptible to reverse engineering. Their code is either Java, C# or .NET. What happens in reverse engineering is: there is a product. You can say you have a pizza. Now you have to reverse engineer it, so what you are going to separate is the bread and the stuffing in the pizza. So that is what reverse engineering is. What are the business impacts? It depends upon how adverse the effect is. In some cases, when we are doing the reverse engineering, in the code we find some logic; maybe there is hard-coded sensitive data which is used for cryptography, which is used to encrypt any of the data. In that case it becomes a very high risk. In other cases it's nothing: the code does not have more than a low severity, it has some logic like for loops and that's it, and only the login screen and all, which does not have any severity. In that case it's not that much.

Let's begin reverse engineering an Android application. For reversing the Android application we are going to use dex2jar and JD-GUI. d2j-dex2jar is a file; what it will do is convert the dex (smali) code to jar code, and then the code which we obtain we load into JD-GUI to get the classes in Java format.
Here is a sample over here. This is a class, the PostLogin class. It has some functions like doesSUExist. I can see whatever code is written in this function. Over here it is checking for any string matching /system/bin/which su. So it is checking "which su". If it gets an answer for that, it says yes, there is a superuser on my Android mobile. In this case, what will happen is that if it finds an issue, then my application is going to show me that it is running on a rooted device and the application is not going to work. An example I can give you is any of the bank applications. So if I have a rooted device and I'm testing any bank application, some of the bank applications have the filter that they are not going to work on a rooted device. So we need the reverse engineering to get to know what methods are in it and how they are checking that my device is a rooted device.
After reverse engineering, we even get to know what the permissions are. You might have heard about the Android manifest file. Has anyone heard about the Android manifest file?
So here it comes; it tells us what the permissions are. So this file will tell, if suppose we have an application, the WhatsApp application, what permissions it is going to use on our mobile device. If the WhatsApp application is installed on our phone, it is going to use the photos, access the galleries, and the voice and call methods, messages and storage; all these are the permissions it is going to use.

This is one more example over here: this string function is decrypting a password. So over here, if I have a password which is already stored in my shared preferences or on my local device when I log in to an application, and the application is storing my password but in an encrypted form, now what to do? We need to check if the application is decrypting the password. Oh yes, it is decrypting it, so this is the function which is decrypting it. What we can do is hook the application and, whatever it is encrypting, we can get the decrypted password over there.
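The manifest review described above, as an added example that is not part of the talk and not code from any of the tools it mentions. The APK stores AndroidManifest.xml as binary XML, so this assumes it has already been decoded (apktool does that); the sample manifest, the package name and the list of "dangerous" permissions below are constructed for the example (the list is a subset, not Android's full set). Besides the requested permissions it also flags android:debuggable, which is the other manifest flag a tester reads at this stage.

```python
"""Pull the requested permissions out of a decoded AndroidManifest.xml.

Added example for the manifest discussion in the talk; it is not code from
the talk or from dex2jar/JD-GUI. Assumes the manifest was decoded first
(e.g. with apktool), since the APK ships it as binary XML.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of permissions Android classes as "dangerous" (runtime-prompted).
DANGEROUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CALL_LOG",
    "android.permission.CALL_PHONE",
}

# Constructed sample manifest; com.example.demo is not a real application.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="com.example.demo.CUSTOM"/>
    <application android:debuggable="true">
        <activity android:name=".LoginActivity" android:exported="true"/>
    </application>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the <uses-permission android:name> values in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name")
            for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")]


def classify_permissions(manifest_xml):
    """Bucket requested permissions into dangerous / normal / custom.

    'custom' is anything outside android.permission.*, i.e. declared by the
    app itself or by another vendor package.
    """
    buckets = {"dangerous": [], "normal": [], "custom": []}
    for perm in requested_permissions(manifest_xml):
        if perm in DANGEROUS:
            buckets["dangerous"].append(perm)
        elif perm.startswith("android.permission."):
            buckets["normal"].append(perm)
        else:
            buckets["custom"].append(perm)
    return buckets


def is_debuggable(manifest_xml):
    """True if <application android:debuggable="true"> is set."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    return app is not None and app.get(ANDROID_NS + "debuggable") == "true"


if __name__ == "__main__":
    for bucket, perms in classify_permissions(SAMPLE_MANIFEST).items():
        print("%-10s %s" % (bucket + ":", perms))
    print("debuggable:", is_debuggable(SAMPLE_MANIFEST))
```

Point the functions at the decoded manifest of the APK under test instead of SAMPLE_MANIFEST; the dangerous bucket is the list to compare against what the app visibly needs, and a debuggable build is worth noting on its own.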
So this is JD-GUI and I am using it to read one of the reverse engineered applications. So here this is a class. Here in the login section it has multiple methods. One of the methods is doesSUExist. What this method does is check for root detection. There are more methods like this over here: does the superuser APK exist or not? What these methods are returning is a boolean. Okay, pretty good for us: if it is returning a boolean, that is, if it is returning true or false, I can definitely hook it and just return false.
The second function I told you about is in this cryptographic class. Over here it has functions not only to decrypt but also showing how they are encrypting in the application, how they are encrypting any of the keys or any of the data which is stored in the application. These are some of the functions like this: this one returns a string, this one returns bytes.
There is a House application also. Like I told you about JD-GUI, there is also an application known as House which can help us to get to know what functions and classes are being used in the application. So we can use this application to hook our mobile application at runtime.
So I have selected a device over here, an Android device, and this is the package name which we are going to hook. Now I want to know how many classes there are in this application. I'm just going to load the classes: load the script,
and while I get my classes, okay, let me search for PostLogin.
Yes, here it is. This is the class which I need. Okay. Now I'm going to check what methods are in this class. To get the methods in the class I'll just go to class methods, copy the class, generate the script and then load it.
There are many methods, 11 methods. So which one do I need? This one seems a bit fishy, even this one. Change password? No, I don't want to change the password. Check/show root status? Yeah, that is also something good. I can check what my root status is: is my device rooted or not?
So I told you how House functions. This is the same, how to get the class methods. Okay. Now enough about Android. The iOS device, iOS applications: to reverse engineer an iOS application we need one tool which is known as Hopper. So what are we going to do with Hopper? Before using Hopper, what we need to do is connect the iOS device to any Windows or Mac machine, whatever you have, or you can SSH to your device. When you go to the directory where your application is running, you will get an executable file. You have to just fetch that file and copy it to your PC. Now you are going to use the Hopper application. This is a disassembler application which is generally used to reverse engineer and read the code in the form of, you can say, 0s and 1s.
Hopper is going to look something like this. When we open Hopper we are going to read the disassembled code, and over here there is a search box. So you can just search for any text you like; if you are checking for jailbreak, you just go and search for "jailbreak". If there are any functions related to that and the word jailbreak is listed over there, it is going to pop up over here. Now what you need to do is click on the function over there and then generate the pseudo code. If the pseudo code is generated over there you can get... okay, sorry for the disturbance, okay. When the pseudo code is generated you are going to easily read the code and it will be in a very readable format. Let me check; I guess my Hopper is being hacked.
So this is a demo version I'm using. So over here I went to "read executable to disassemble". Now I just need to fetch my application binary. Here it is.
Next. Okay.
There are many functions over here, many class methods. Now how can I get it? I know some of the functions; let's check for that.
Okay, something that looks like cryptography. Okay, here I want to generate the pseudo code of this function. I got the pseudo code; let's just study the pseudo code. So what is this pseudo code doing? Okay, here it is getting some directories, it is appending, creating a file named secret data. Okay, pretty well.
Going down, okay, it is decrypting something with the password. What is it decrypting? Secret key; what is the secret key? Okay, maybe this is the hard-coded data. So this application is a demo application, the Damn Vulnerable iOS Application, okay. So in this application they are using the secret key as a salt and they are using this key to encrypt their password and store it in the database. We got the secret key. We know what they are using to encrypt the data. We even have a function for decrypting the data in the application itself. Yes, I can use this function to decrypt any of the passwords which they have encrypted.
One more tool is Passionfruit. It's almost the same as House. House we are using for Android, and Passionfruit we use for iOS devices. So to start Passionfruit I just need to go to my terminal and type passionfruit, and now I'll just navigate over here. I have my devices connected; I have to pick the iOS device. Okay, this is the application which I am testing, okay.
Here we can get the list of all the classes by name which are being used and which are there in this application. So since in iOS we are working on the jailbreak, let's search for "jailbreak". Yes, we have a name, JailbreakDetectionVC. Okay, what are the functions in this? Okay, isJailbroken? Yes. jailbreakTest1Tapped, no, not interested. jailbreakTest2Tapped, no, not that much. This is the function which seems interesting. Okay, in the further process we are going to hook this application to know what it is returning and what arguments it is taking.
So for a long time I have been talking about hooking, hooking, hooking. Can anyone tell me what hooking is? Is it this? Is this called hooking?
This is not hooking; can anyone tell me what hooking is?
Yes, we are trying to spy on the application at runtime; that is hooking. Intercepting any method, function or event at runtime is called hooking.
Till now I have told you about House and Passionfruit; now we are going to learn one more tool which is known as objection. How many of you have heard about Frida? Okay, what does it do?
Alright, you were telling about, okay. So, Frida is a server which helps us to reverse engineer the application at runtime, and it helps us to hook the application. Not only mobile applications: Frida is even used for applications like when you are running any exes or any Windows related applications. Frida helps us to debug the applications. Now, Frida, as I told you, is an application to reverse engineer. But with Frida we almost always need to write many lines of code. But using objection, for us it is very easy, because we need to write only one line of syntax. That's it. After that, objection is going to do half of our work. So these are some syntax for objection. How are we going to run objection? objection -g, then whatever process ID or application name we are hooking, and then explore. After this we are going to enter the shell of objection. Now for Android or iOS we can search strings, list the classes, list the methods, hook a class or even change the return value. Now let's see how we are going to hook a class.
This is objection over here. I have an Android application running on my device. Sorry, over here my mobile is not being cast. I guess my laptop and the mobile are on different networks, so it's not connected.
Sorry guys, my demo is not working because my mobile is not on the same network as my laptop. But yes, I have my pictures. Okay, so using objection, as I showed you, we are going to hook the application over here: android hooking search classes PostLogin. Okay, so over here I know there is a class named PostLogin. I'm going to search for this class. So these are the classes in the application with the name PostLogin: 1, 2 and 3. Okay, I'm going to use the first class to check if there are any methods I am interested in. Yes, I'm going to list whatever the class methods are over here. I listed them; I got doesSUExist, doesSuperuserApkExist, PostLogin, checkIfDeviceIsEmulator. No, my device is not an emulator, so I'm not interested in that one, but these two functions, yes, definitely I'm interested in those.
The same thing: we can hook the application using House.
So here we got the applications, sorry, here we got the methods,
and which is the method I am interested in? Yeah, this one seems interesting: doesSUExist. Yes, so I can open it over here; I can just copy the name of whatever my method is. I just copied it; now this is the name of my class.
Next is my method name. Yes. So it is doesSUExist. Okay. I'm going to add it. Since it's already added, I'm deleting it over here. Now I'm going to generate the script and then load the script. So using this method it is going to hook whatever this application does whenever the method is being called, and I am travelling through my mobile application. Since my demo is not working, I have the pics which I can show you.
So here you can see, when I hooked this method doesSUExist, it is returning me a true value. Okay, I have successfully hooked the application, voila. Okay. Remember there was an AES decrypt function which I mentioned when we were dealing with the reverse engineering? Yes. So this is the function, and this was the encrypted value which was being stored in my shared preferences. Okay. I hooked that application using House and what I got is the return value in string format, which is the decrypted value of my password for this application.
Okay. What will you do if you see any traffic which is being encrypted? If the request body is encrypted, how are you going to test the application?
You cannot, right? But yes, if you reverse engineer, since it is being encrypted at the client side there might be some code which is encrypting it, right? So we can reverse engineer and check if there is some code which is encrypting it, okay? We got one piece of code, "encrypt solved"; it is returning in string format, yes, and it is taking some parameters; maybe these parameters are the response, which is in string format and plain text. Yes, let's hook that. Let's hook it. I used House and yes, I got these arguments, and this argument is the response in plain text; it has the phone number and the password. This is from the login request. As you can see, this was a login request and this was the body. So here we got our request body decrypted. Now I can hook the application and even swizzle the application using House and further.
My Android demo was not working. I hope my iOS demo is going to work. So as I told you about Android, there is the same process for hooking the application with objection for iOS.
Okay, let me check what the PID of my application is. Okay, 2007.
Now I'm going to use objection.
Sometimes it takes time. Okay. Does anyone have any queries while it is starting?
Can you repeat the question? Can you be a bit louder? Yes.
Right. Okay, so if we reverse engineer the application on Android, what will happen is that we are doing it at the client side. So, as for the web, where we can hook the application: for the JavaScript we can edit it, we can do Ctrl+F and just edit whatever the JavaScript is in the web application, right? But it is not going to affect the server. So if you get the code of my mobile application you can make some changes at your side, but it is just going to create a replica of that application. You can say it is a fake application, but the changes you are making in this application are not going to be reflected on the server side.
Okay, I'll show the demo at the end; in the meantime I'll proceed with it. So as I told you about Android, for iOS the process is the same for finding the classes. So over here I'm writing ios, okay, search the classes. So what classes do we want to search? I am checking for the jailbreak detection, okay, let me check if there is any class named jail. Okay, yes there is. Okay, what are the methods in this class: isJailbroken, readArticleTapped, jailbreakTest1Tapped, okay, jailbreakTest2Tapped, okay, and so on. So isJailbroken, this seems to be checking whether the device is jailbroken. Pretty much, okay.
Returning to Passionfruit. Here also I can hook the application. So here I'm going to hook that method isJailbroken and let's see what it is going to return.
So, again, it takes time to load.
Finally, it's loaded.
So I searched for the class name "jail"; okay, there is a class. Now I'm going to check what methods are in it.
isJailbroken. Now let me hook this method and let's see what it is going to return.
So I want the arguments, I want the return value, and if I want a backtrace, I'm going to add the backtrace. So now it is hooking the function. Over here, in my mobile application, I'm just opening the jailbreak detection and tapping the check. So here it is showing me that my device is jailbroken, and this is telling me it is returning 0x1. So it means this is the function which I need to swizzle.
Using Passionfruit we are going to do the same thing. Now swizzling. Done with the hooking; swizzling is the thing where, when we know that this is the function which is the root detection method and is checking for the jailbreak, I want this method to return that my device is not jailbroken or is not rooted. So we are going to swizzle it.
We can hook the application. The method I was telling you about was doesSUExist; yes, when we hook this method it returns true. The value it is returning to the application is true, that yes, the device is rooted. But if we use this statement, android hooking set return_value with the method and false, then whenever we open the application it is going to change the return value to false. So when we open the application it is going to show us that the device is not rooted. The same goes for iOS. Now over here this is returning 0x1. Let's change the value and see what is going to happen. It was 0x1, so 0x1 is true. So maybe 0x0 would be false. Let me try with 0x0. Okay, I have set it. Then again I opened that same function, and now it has been overridden from 0x1 to 0x0 and my device is showing "device is not jailbroken". This was a way we can swizzle an iOS application, and the same goes for an Android application. The steps for using objection for Android and iOS are pretty similar. The only difference is that for Android we are going to use the keyword android, and for iOS, ios. There is a slight difference in the syntax of both of them, but not that much.
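The hooks described above (Android doesSUExist and the AES decrypt dump via House/objection, and the iOS isJailbroken 0x1 to 0x0 override via Passionfruit), as an added example that is not part of the talk and not code from objection, House or Passionfruit. It generates the Frida JavaScript those tools' one-liners boil down to and loads it through the frida Python bindings (pip install frida), which needs a USB-connected device running frida-server; the generator and message-parsing functions run offline. Class and method names are the ones read out in the talk; the InsecureBank package name, the exact spelling/case of its methods, the CryptoClass.aesDecrypt name and the DVIA-v2 process name are assumptions and should be copied from the JD-GUI or Hopper output.

```python
"""Frida hooks behind the objection / House / Passionfruit steps in the talk.

Added example, not code from the talk or from those tools. Generates the
JavaScript that "android hooking set return_value ... false" and the
Passionfruit 0x1 -> 0x0 override correspond to, then loads it with the
frida Python bindings. Needs a USB device with frida-server for run();
android_hook / ios_hook / parse_message work offline.
"""
import json
import sys

# Android: hook every overload of a Java method, log args/return and
# optionally force the return value (objection's set return_value).
ANDROID_TEMPLATE = """
Java.perform(function () {
  var cls = Java.use(%(cls)s);
  cls[%(method)s].overloads.forEach(function (ov) {
    ov.implementation = function () {
      var ret = ov.apply(this, arguments);   // run the original first
      send({kind: "hook", method: %(method)s,
            args: Array.prototype.slice.call(arguments).map(String),
            ret: String(ret)});
      %(force)s
      return ret;
    };
  });
});
"""

# iOS: attach to the ObjC method implementation and rewrite retval on exit
# (the swizzle Passionfruit applies to -[JailbreakDetectionVC isJailbroken]).
IOS_TEMPLATE = """
var impl = ObjC.classes[%(cls)s][%(sel)s].implementation;
Interceptor.attach(impl, {
  onLeave: function (retval) {
    send({kind: "hook", method: %(sel)s, ret: retval.toInt32()});
    %(force)s
  }
});
"""


def android_hook(cls, method, force_return=None):
    """JS hooking cls.method; force_return (e.g. False) overrides the result."""
    force = "" if force_return is None else "ret = %s;" % json.dumps(force_return)
    return ANDROID_TEMPLATE % {"cls": json.dumps(cls),
                               "method": json.dumps(method), "force": force}


def ios_hook(cls, selector, force_return=None):
    """JS hooking an ObjC selector like "- isJailbroken"; force_return is an int."""
    force = "" if force_return is None else "retval.replace(ptr(%d));" % force_return
    return IOS_TEMPLATE % {"cls": json.dumps(cls),
                           "sel": json.dumps(selector), "force": force}


def parse_message(message):
    """Return (method, ret) from a hook event; None for errors/other messages."""
    if message.get("type") != "send":
        return None
    payload = message["payload"]
    return payload["method"], payload["ret"]


def on_message(message, data):
    """frida message callback: print hook events and script errors."""
    parsed = parse_message(message)
    if parsed is None:
        print("[script error]", message.get("description", message))
    else:
        print("[hook] %s -> %s" % parsed)


def run(target, script_js, spawn=False):
    """Attach to (or spawn) the app over USB and keep the hooks loaded."""
    import frida  # only needed when a device is attached
    device = frida.get_usb_device()
    pid = device.spawn([target]) if spawn else target  # PID or process name
    session = device.attach(pid)
    script = session.create_script(script_js)
    script.on("message", on_message)
    script.load()
    if spawn:
        device.resume(pid)
    sys.stdin.read()  # Ctrl-D detaches


if __name__ == "__main__":
    # Assumed package / method spelling: take the real ones from JD-GUI.
    pkg = "com.android.insecurebankv2"
    android_js = "\n".join([
        android_hook(pkg + ".PostLogin", "doesSUExist", False),
        android_hook(pkg + ".PostLogin", "doesSuperuserApkExist", False),
        android_hook(pkg + ".CryptoClass", "aesDecrypt"),  # log decrypted value only
    ])
    if "--ios" in sys.argv:
        run("DVIA-v2", ios_hook("JailbreakDetectionVC", "- isJailbroken", 0))
    else:
        run(pkg, android_js, spawn=True)
```

Spawning the Android package (rather than attaching) matters for root detection, because the check usually runs once at launch before you could attach; the iOS side attaches to the already running process by name. Each hook logs the original return value before forcing it, which is how the 0x1 seen in the talk shows up before the override takes effect.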
I showed you the demo already. Any questions? Yes? So, if I wanted to start reverse engineering apps that currently use one, what's that? Like American, you know, things, where do you get them? Especially for iOS. Okay. So, in that case, I'm going to show you this. Okay. So, for iOS, the devices I already have; my devices are jailbroken, and the testing device is not my personal device. Okay. So for iOS this is the application which has multiple vulnerabilities. This is a deliberately vulnerable application, I am going to say.
This is not from OWASP. Yeah, it is developed by Prateek Gianchandani.
There are many applications like this. This is one of the applications for iOS. For Android I have used InsecureBank. There is one more application: for iOS it is DVIA, and for Android it is DIVA, the Damn Insecure and Vulnerable App. Any more questions?
Thank you.