Mobile Pentest Like a Pro

Penetration testing applications for both iOS and Android platforms serve as invaluable tools for security professionals and ethical hackers to assess the security posture of mobile applications. These applications typically offer a range of features including dynamic analysis, static analysis, reverse engineering capabilities, network traffic interception, and vulnerability scanning. By simulating real-world attack scenarios, penetration testing applications help identify vulnerabilities such as insecure data storage, improper authentication mechanisms, insecure communication channels, and other security weaknesses that could be exploited by malicious actors. Additionally, they provide insights into potential risks and help organizations prioritize security measures to protect sensitive data and maintain the integrity of their mobile applications in an ever-evolving threat landscape.

iOS Jailbreak Methods

Jailbreaking an iOS device involves removing the software restrictions imposed by Apple, giving the user root access to the iOS file system. This makes it possible to install apps, themes, and tweaks that are not available through the official App Store. Below are some common jailbreaking methods, including commands and codes, along with their advantages and disadvantages.

| ID | Jailbreak Tool | Method | Ease of Use |
|----|----------------|--------|-------------|
| 1 | Checkra1n | Download from official website; use Terminal commands; follow on-screen DFU mode instructions | Medium |
| 2 | Unc0ver | Download IPA file; install via AltStore; open app and tap "Jailbreak" | Easy |
| 3 | Taurine | Download IPA file; install via AltStore; open app and tap "Jailbreak" | Easy |
| 4 | Electra | Download IPA file; install via Cydia Impactor; open app and tap "Jailbreak" | Medium |
| 5 | 3uTools | Download and install 3uTools on Windows; connect device and open 3uTools; navigate to "Flash & JB" tab and select "Jailbreak" | Very Easy |
| 6 | Dopamine | Download IPA file; install via AltStore; open app and tap "Jailbreak" | Easy |

Common iOS Jailbreaking Methods

  1. Checkra1n

  2. Unc0ver

  3. Taurine

  4. Electra

  5. 3uTools

  6. Dopamine

1. Checkra1n

Overview: Checkra1n is based on the checkm8 bootrom exploit and supports iOS devices from iPhone 5s to iPhone X running iOS 12.0 to iOS 14.5.

Commands and Codes:

  1. Download Checkra1n:

    • Download the latest version from the official website.

    • Transfer the file to your Mac or Linux computer.

  2. Running Checkra1n on macOS:

# Open Terminal
cd /path/to/checkra1n
sudo ./checkra1n

  3. Running Checkra1n on Linux:

# Open Terminal
cd /path/to/checkra1n
sudo ./checkra1n

  4. Follow On-Screen Instructions:

    • Connect your iOS device via USB.

    • Follow the instructions to put your device in DFU mode.

    • The jailbreaking process will begin.

2. Unc0ver

Overview: Unc0ver supports a wider range of iOS versions, from iOS 11.0 to iOS 14.3, and works on newer devices compared to Checkra1n.

Commands and Codes:

  1. Download Unc0ver:

    • Get the IPA file from the official website.
  2. Install Unc0ver via AltStore:

    • Download and install AltStore on your computer.

    • Connect your device and install AltServer.

    • Use AltStore on your device to install the Unc0ver IPA.

  3. Jailbreaking:

    • Open the Unc0ver app on your device.

    • Tap "Jailbreak" and wait for the process to complete.

3. Taurine

Overview: Taurine, developed by the Odyssey Team, supports iOS 14.0 to iOS 14.3 and is known for its speed and reliability.

Commands and Codes:

  1. Download Taurine:

    • Get the IPA file from the official website.
  2. Install Taurine via AltStore:

    • Follow the same steps as with Unc0ver to use AltStore for installation.
  3. Jailbreaking:

    • Open the Taurine app on your device.

    • Tap "Jailbreak" and follow the on-screen instructions.

4. Electra

Overview: Electra is an older tool, suitable for jailbreaking iOS 11.0 to iOS 11.4.1.

Commands and Codes:

  1. Download Electra:

    • Obtain the IPA file from the official website.
  2. Install Electra via Cydia Impactor:

    • Download Cydia Impactor and connect your device.

    • Drag the Electra IPA into Cydia Impactor and follow the installation steps.

  3. Jailbreaking:

    • Open the Electra app on your device.

    • Tap "Jailbreak" and let the process complete.

5. 3uTools

Overview: 3uTools is a comprehensive tool for iOS devices, providing features for flashing firmware, managing files, and jailbreaking. It's a user-friendly tool that integrates several jailbreaking methods, making it easier for users to perform various tasks without needing multiple tools.

Method:

  1. Download and Install 3uTools:

    • Download the latest version of 3uTools from the official website.

    • Install 3uTools on your Windows computer.

  2. Launch 3uTools and Connect Your Device:

    • Open 3uTools and connect your iOS device using a USB cable.
  3. Jailbreaking with 3uTools:

    • Navigate to the "Flash & JB" tab.

    • Select "Jailbreak."

    • 3uTools will automatically detect the iOS version and provide the appropriate jailbreak tool (e.g., Checkra1n, Unc0ver).

  4. Follow On-Screen Instructions:

    • Follow the prompts to enter DFU mode (if required).

    • The jailbreaking process will begin and complete automatically.

Commands and Codes:

  • Entering DFU Mode:

    • Follow the on-screen steps to put your device in DFU mode, which generally involves holding down the Power and Home/Volume buttons.

6. Dopamine

Overview: Dopamine is a modern jailbreak tool for iOS, primarily supporting newer iOS versions and devices. It's designed for ease of use and reliability.

Method:

  1. Download Dopamine:

    • Obtain the latest Dopamine IPA from the official website.
  2. Install Dopamine via AltStore:

    • Download and install AltStore on your computer (available for both macOS and Windows).

    • Connect your iOS device and open AltServer.

    • Use AltStore on your device to install the Dopamine IPA.

  3. Jailbreaking:

    • Open the Dopamine app on your device.

    • Tap "Jailbreak" and follow the on-screen instructions.

Commands and Codes:

  • Installing AltStore:

    • macOS:

brew install --cask altserver

      • Open AltServer and follow the instructions to install AltStore on your device.

    • Windows:

      • Download the AltServer installer from the official website and follow the installation steps.

  • Using AltStore:

    • Connect your device via USB.

    • Open AltStore on your device and select "Install AltStore."

    • Select the Dopamine IPA file and follow the prompts to install it.

Android Root Methods

| ID | Root Tool | Method | Ease of Use |
|----|-----------|--------|-------------|
| 1 | KingoRoot | Download KingoRoot APK; install and run the APK; tap "One Click Root" | Very Easy |
| 2 | One Click Root | Download One Click Root software; install on PC; connect device via USB; follow on-screen instructions | Very Easy |
| 3 | Magisk | Install Magisk Manager; flash Magisk zip via custom recovery (e.g., TWRP); reboot and manage root with Magisk Manager | Easy |
| 4 | SuperSU | Download SuperSU zip; flash SuperSU zip via custom recovery (e.g., TWRP); reboot device | Easy |
| 5 | Odin (for Samsung) | Download Odin and CF-Auto-Root; boot device into Download Mode; connect to PC; use Odin to flash CF-Auto-Root | Medium |
| 6 | Xposed or EdXposed | Install Magisk; install Riru module; install EdXposed module; reboot device; manage modules with EdXposed Manager | Medium |
| 7 | DFT Pro | Install DFT Pro on PC; connect device via USB; use DFT Pro software to root device | Medium |
| 8 | Chimera | Install Chimera Tool; connect device to PC; use Chimera Tool to root device | Medium |
| 9 | Global Unlocker Pro | Install Global Unlocker Pro; connect device to PC; use software to root device | Medium |
| 10 | Pandora Box | Install Pandora Box; connect device to PC; use Pandora Box to root device | Medium |
| 11 | Infinity CM2 Dongle | Install Infinity CM2 Dongle software; connect device to PC; use software to root device | Medium |

Rooting an Android device involves gaining administrative or superuser access to the operating system, allowing users to bypass manufacturer restrictions. This enables the installation of custom ROMs, advanced system tweaks, and specialized apps. Here are some common Android rooting methods, including commands and codes, along with their advantages and disadvantages.

Common Android Rooting Methods

  1. Magisk

  2. SuperSU

  3. KingoRoot

  4. One Click Root

  5. Odin (for Samsung devices)

  6. Xposed or EdXposed

  7. DFT Pro

  8. Chimera

  9. Global Unlocker Pro

  10. Pandora Box

  11. Infinity CM2 Dongle

1. Magisk

Overview: Magisk is a popular tool that allows you to root your device systemlessly, meaning it doesn't modify the system partition. This makes it easier to hide the root status from apps that detect it, like banking apps.

Commands and Codes:

  1. Download Magisk:

    • Download the latest Magisk zip and Magisk Manager APK from the official website.
  2. Install Magisk:

    • Boot your device into custom recovery (e.g., TWRP).

    • In TWRP, select "Install" and choose the Magisk zip file.

    • Swipe to confirm the flash.

  3. Install Magisk Manager:

    • After rebooting, install the Magisk Manager APK.

2. SuperSU

Overview: SuperSU was one of the first widespread rooting solutions, modifying the system partition to grant root access.

Commands and Codes:

  1. Download SuperSU:

    • Download the SuperSU zip file from the official website.
  2. Install SuperSU:

    • Boot your device into custom recovery (e.g., TWRP).

    • In TWRP, select "Install" and choose the SuperSU zip file.

    • Swipe to confirm the flash.

3. KingoRoot

Overview: KingoRoot offers a one-click root solution, available for both PC and APK versions.

Commands and Codes:

  1. Download KingoRoot:

    • Download KingoRoot APK from the official website.

    • Alternatively, download the KingoRoot PC application.

  2. Root with KingoRoot APK:

    • Install the APK on your device.

    • Open KingoRoot and tap "One Click Root."

  3. Root with KingoRoot PC:

    • Install KingoRoot on your PC.

    • Connect your device via USB and enable USB debugging.

    • Open KingoRoot and click "Root."

4. One Click Root

Overview: One Click Root is a commercial rooting service that provides easy rooting with guaranteed support.

Commands and Codes:

  1. Download One Click Root:

    • Download the One Click Root software from the official website.
  2. Root with One Click Root:

    • Install the software on your PC.

    • Connect your device via USB and enable USB debugging.

    • Open One Click Root and follow the on-screen instructions.

5. Odin (for Samsung Devices)

Overview: Odin is a Samsung-specific tool used for flashing firmware, including rooting files like CF-Auto-Root.

Commands and Codes:

  1. Download Odin and CF-Auto-Root:

    • Download Odin and the CF-Auto-Root file for your device.
  2. Prepare Your Device:

    • Enable USB debugging and OEM unlock in developer options.

    • Boot your device into Download Mode (Power + Volume Down + Home/Bixby).

  3. Root with Odin:

    • Open Odin on your PC.

    • Connect your device via USB.

    • Load the CF-Auto-Root file into Odin.

    • Click "Start" to begin the flashing process.

6. Xposed Framework / EdXposed

Xposed Framework: The Xposed Framework is a versatile tool that allows users to modify the behavior of their Android device's OS and apps without changing the APKs or flashing custom ROMs. It operates by loading modules that can alter system and app functionalities at runtime.

EdXposed: EdXposed is an evolution of the Xposed Framework, designed to work with newer Android versions and to be compatible with the Magisk systemless root solution. It uses the Riru module to inject itself into the Android runtime environment.

Installation and Usage

Xposed Framework Installation:

  1. Download Xposed Installer:

    • Download the Xposed Installer APK from the official Xposed website or trusted sources.
  2. Install Xposed Installer:

    • Install the APK on your device.
  3. Install Xposed Framework:

    • Open the Xposed Installer app and go to the "Framework" section.

    • Tap "Install/Update" to install the Xposed framework.

    • Reboot your device.

EdXposed Installation:

  1. Install Magisk:

    • Follow the Magisk installation steps to ensure your device is rooted systemlessly.
  2. Install Riru:

    • Open the Magisk Manager app, go to the "Downloads" section, and install the Riru module.
  3. Install EdXposed:

    • From the Magisk Manager app, install the EdXposed module (either YAHFA or SandHook version).

    • Reboot your device.

  4. Install EdXposed Manager:

    • Download and install the EdXposed Manager APK to manage and configure EdXposed modules.

Commands and Codes

Checking Root Status:

su

Using Magisk for Installation:

# Install Riru via Magisk
magisk --install-module riru.zip

# Install EdXposed via Magisk
magisk --install-module edxposed-yahfa.zip
# or
magisk --install-module edxposed-sandhook.zip

7. DFT Pro

DFT Pro (Digital Forensics Tool Pro): DFT Pro is a powerful forensic tool used for extracting and analyzing data from mobile devices, primarily used in legal and investigative contexts. It supports a wide range of devices, including Android and iOS, and can retrieve deleted data, call logs, messages, app data, and more.

Usage and Features

  1. Install DFT Pro:

    • Obtain the DFT Pro software from the official website or authorized distributors.

    • Install the software on your computer.

  2. Connect Device:

    • Connect the target mobile device to the computer using a USB cable.

    • Ensure USB debugging is enabled on Android devices and necessary permissions are granted on iOS devices.

  3. Data Extraction:

    • Launch DFT Pro and select the connected device.

    • Choose the type of data you want to extract (e.g., messages, call logs, app data).

    • Initiate the extraction process.

  4. Data Analysis:

    • Use the built-in tools to analyze the extracted data.

    • Generate reports and export findings for further review.

Important Folders & Files

| ID | Title | Path | Type of File |
|----|-------|------|--------------|
| 1 | Application Databases | /data/data/app_name/databases/*.sqlite, .db | SQLite Database Files |
| 2 | Shared Preferences | /data/data/app_name/shared_prefs | XML Files |
| 3 | SMS and MMS Database | /data/com.android.providers.telephony/databases/mmssms.db | SQLite Database Files |
| 4 | MMS Attachments | /data/user_de/0/com.android.providers.telephony/app_parts | Media Files |
| 5 | Samsung Messaging Database | /data/com.samsung.android.messaging/databases/messages_content.db | SQLite Database Files |
| 6 | iOS Application Databases | /Applications/.../Library/Database | SQLite Database Files |
| 7 | iOS Application Preferences | /Applications/.../Library/Preferences | Property List (.plist) Files |

Below are the important files and folders in iOS and Android systems, focusing on common directories and databases that store critical application and system data, including paths, file types, and key tables within databases.

Important Files and Folders in Android

Application Data

  • Path: /data/data/app_name/databases/*.sqlite, .db

    • Description: Stores SQLite database files used by apps.

    • Example Files:

      • app_name.db

      • user_data.sqlite

Shared Preferences

  • Path: /data/data/app_name/shared_prefs

    • Description: Stores XML files for app-specific shared preferences.

    • Example Files:

      • settings.xml

      • user_preferences.xml

SQLite Database

  • Command:

    • sqlite3 command-line tool for interacting with SQLite databases.

    • Useful Commands:

      • .headers on: Show column headers in query results.

      • .tables: List all tables in the database.

SMS and MMS Data

  • Path: /data/com.android.providers.telephony/databases/mmssms.db

    • Description: Database for SMS and MMS messages.

    • Tables of Interest:

      • addr: Stores addresses related to messages.

      • sms: Contains SMS message data.

      • mms: Contains MMS message data.

      • part: Stores parts of MMS messages, like text and attachments.

      • pdu: Stores protocol data units of MMS messages.

      • threads: Contains threads of conversations.

      • canonical_addresses: Maps phone numbers to IDs.

Attachments and Parts

  • Path: /data/user_de/0/com.android.providers.telephony/app_parts

    • Description: Stores parts of MMS messages, such as images and other attachments.

Samsung Messaging

  • Path: /data/com.samsung.android.messaging/databases/messages_content.db

    • Description: Database specific to Samsung's messaging app.

    • Tables of Interest: Similar to mmssms.db but specific to Samsung's implementation.

Important Files and Folders in iOS

Application Data

  • Path: /Applications/.../Library/Database

    • Description: Stores SQLite databases for iOS applications.

    • Example Files:

      • app_data.sqlite

      • user_info.db

Example Detailed Paths and Files:

Android

  • App Data:

    • /data/data/com.example.myapp/databases/app_data.db

    • /data/data/com.example.myapp/shared_prefs/settings.xml

  • Telephony Data:

    • /data/com.android.providers.telephony/databases/mmssms.db

    • /data/user_de/0/com.android.providers.telephony/app_parts/attachment.jpg

  • Samsung Messaging:

    • /data/com.samsung.android.messaging/databases/messages_content.db

iOS

  • App Data:

    • /Applications/com.example.myapp/Library/Database/app_data.sqlite

    • /Applications/com.example.myapp/Library/Preferences/settings.plist

Example Database Tables and Their Significance:

Android

  • mmssms.db:

    • addr: Stores message addresses.

    • sms: Stores text messages.

    • mms: Stores multimedia messages.

    • part: Stores individual parts of MMS messages.

    • pdu: Stores protocol data units for MMS.

    • threads: Manages conversation threads.

    • canonical_addresses: Maps contact numbers to internal IDs.

iOS

  • Example Database (app_data.sqlite):

    • users: Stores user information.

    • messages: Stores messages data.

    • settings: Stores application settings.

Commands for SQLite Database Management:

Android

adb shell
sqlite3 /data/data/com.example.myapp/databases/app_data.db

Useful SQLite Commands:

.headers on
.tables
SELECT * FROM table_name;

iOS

Accessing SQLite Databases on a Jailbroken Device:

ssh root@<device-ip>
sqlite3 /Applications/com.example.myapp/Library/Database/app_data.sqlite
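The paths and tables listed above are what an assessor checks for plaintext secrets once a device or backup is accessible. The following Python script is an added example, not part of the original page: it constructs a sample app data directory in the layout above (a shared_prefs XML file and a SQLite database under a com.example.myapp directory, all values constructed), then audits both for keys and columns with credential-like names and for values shaped like JWTs or long tokens.

```python
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Key/column names that should never hold plaintext values in shared_prefs or a database.
SENSITIVE_NAMES = re.compile(r"(pass(word)?|secret|token|api[_-]?key|session|auth)", re.I)
# Value shapes that indicate credentials regardless of the key name.
JWT = re.compile(r"^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}$")
LONG_TOKEN = re.compile(r"^[A-Za-z0-9+/=_-]{32,}$")


def classify_value(name, value):
    """Return a finding label for a name/value pair, or None if it looks benign."""
    if not isinstance(value, str) or not value:
        return None
    if JWT.match(value):
        return "jwt"
    if SENSITIVE_NAMES.search(name):
        return "sensitive-key"
    if LONG_TOKEN.match(value):
        return "token-like"
    return None


def audit_shared_prefs(path):
    """Parse one shared_prefs XML file: <map><string name="k">v</string><boolean name="k" value="v"/></map>."""
    findings = []
    root = ET.parse(path).getroot()
    for elem in root:
        name = elem.get("name", "")
        value = elem.text if elem.tag == "string" else elem.get("value", "")
        label = classify_value(name, value or "")
        if label:
            findings.append((os.path.basename(path), name, label))
    return findings


def audit_sqlite(path):
    """Walk every table and column of a SQLite database, flagging suspicious text cells."""
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in con.execute('PRAGMA table_info("%s")' % table)]
            for row in con.execute('SELECT * FROM "%s"' % table):
                for col, cell in zip(cols, row):
                    label = classify_value(col, cell)
                    if label:
                        findings.append((os.path.basename(path) + ":" + table, col, label))
    finally:
        con.close()
    return findings


def audit_app_dir(app_dir):
    """Audit <app_dir>/shared_prefs and <app_dir>/databases, i.e. /data/data/<pkg>/ pulled off a device."""
    findings = []
    prefs_dir = os.path.join(app_dir, "shared_prefs")
    db_dir = os.path.join(app_dir, "databases")
    for d, fn in ((prefs_dir, audit_shared_prefs), (db_dir, audit_sqlite)):
        if os.path.isdir(d):
            for f in sorted(os.listdir(d)):
                if d == db_dir and not f.endswith((".db", ".sqlite")):
                    continue
                findings.extend(fn(os.path.join(d, f)))
    return findings


def build_sample_app_dir():
    """Construct a sample app data directory (constructed test data, not a real app)."""
    app_dir = tempfile.mkdtemp(prefix="com.example.myapp_")
    os.makedirs(os.path.join(app_dir, "shared_prefs"))
    os.makedirs(os.path.join(app_dir, "databases"))
    with open(os.path.join(app_dir, "shared_prefs", "settings.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
                '    <string name="theme">dark</string>\n'
                '    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJlLXNhbXBsZQ</string>\n'
                '    <boolean name="first_run" value="false" />\n'
                '</map>\n')
    con = sqlite3.connect(os.path.join(app_dir, "databases", "app_data.db"))
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice', 'hunter2')")
    con.execute("CREATE TABLE settings (k TEXT, v TEXT)")
    con.execute("INSERT INTO settings VALUES ('lang', 'en')")
    con.commit()
    con.close()
    return app_dir


if __name__ == "__main__":
    for location, name, label in audit_app_dir(build_sample_app_dir()):
        print("%-24s %-12s %s" % (location, name, label))
```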

Static Analytics

Static analysis of iOS and Android applications involves examining the code and resources of an app without executing it. Important elements to analyze include the Global Offset Table (GOT), which holds addresses of functions and variables used in the application. Here's an overview of static analytics for both platforms, including methods and relevant commands:

iOS Static Analytics

Method:

  1. Decompile the App:

    • Use tools like Hopper, IDA Pro, or Ghidra to decompile the iOS application binary (Mach-O file).
  2. Analyze the Global Offset Table (GOT):

    • Locate the GOT in the disassembled code.

    • Identify important addresses, such as function calls, library references, and variable access points.

  3. Extract Strings and Resources:

    • Extract strings and resources from the binary for further analysis.

    • Look for sensitive information, API endpoints, and hardcoded values.

Command and Codes (Using Hopper Disassembler):

  1. Decompile Binary:

hopper disassemble -64 -o <output_directory> <app_binary_path>

  2. Analyze GOT:

    • Use Hopper's GUI to navigate to the Global Offset Table section and examine the addresses.
  3. Extract Strings:

    • Hopper provides a built-in feature to extract strings from the disassembled code.

Android Static Analytics

Method:

  1. Decompile the APK:

    • Use tools like JADX, apktool, or JADX-GUI to decompile the Android APK file.
  2. Inspect Smali Code:

    • Explore the smali code to understand the application's structure and functionality.

    • Locate the Global Offset Table (GOT) equivalent in Android, which contains method and class references.

  3. Extract Resources:

    • Extract resources, such as XML files, layouts, and strings, for analysis.

Command and Codes (Using JADX):

  1. Decompile APK:

jadx -d <output_directory> <apk_file>

  2. Inspect Smali Code:

    • Navigate to the smali directory in the output directory to explore the decompiled smali files.

    • Search for relevant sections related to the GOT.

  3. Extract Resources:

    • Use JADX's built-in feature to extract XML files, layouts, and strings for further analysis.

Important Global Offset Table Addresses

  • iOS:

    • In iOS, the Global Offset Table (GOT) is part of the Mach-O binary format.

    • Addresses in the GOT typically point to external functions and variables.

    • Example: 0x10001000 - Address pointing to a function in a shared library.

  • Android:

    • In Android, the GOT equivalent is represented in the smali code.

    • Addresses point to method and class references used by the application.

    • Example: Lcom/example/MainActivity;->onCreate(Landroid/os/Bundle;)V - Reference to the onCreate method of the MainActivity class.
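Step 3 of the static method above (extract strings, look for endpoints and hardcoded values) needs no disassembler. The following Python script is an added example, not from the original page or from Hopper or JADX: it implements a strings(1)-style scan over raw bytes and triages each string as an endpoint, an assigned credential, or a high-entropy token, using a constructed byte blob (SAMPLE_BINARY) in place of a real Mach-O binary or Android native library.

```python
import math
import re
from collections import Counter

MIN_LEN = 8
# Printable ASCII runs of MIN_LEN or more bytes, the same heuristic strings(1) uses.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

URL = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Assignment-style constants such as api_key=..., "secret": "..."
KEY_ASSIGN = re.compile(r"(api[_-]?key|secret|token|password)\s*[:=]\s*[\"']?([A-Za-z0-9+/=_-]{8,})", re.I)
TOKEN_LIKE = re.compile(r"^[A-Za-z0-9+/=_-]{24,}$")


def shannon_entropy(s):
    """Bits per character: random base64/hex keys score well above 4, natural words well below."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_strings(data, min_len=MIN_LEN):
    """Return printable ASCII runs of at least min_len bytes from a binary blob."""
    pattern = PRINTABLE_RUN if min_len == MIN_LEN else re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def triage(s):
    """Classify one extracted string. Returns (label, detail) or None if uninteresting."""
    m = URL.search(s)
    if m:
        return ("endpoint", m.group())
    m = KEY_ASSIGN.search(s)
    if m:
        return ("hardcoded-credential", m.group(1) + "=" + m.group(2))
    if TOKEN_LIKE.match(s) and shannon_entropy(s) > 4.0:
        return ("high-entropy-token", s)
    return None


def scan_binary(data):
    """Run extraction and triage over a binary; returns a list of (label, detail)."""
    findings = []
    for s in extract_strings(data):
        hit = triage(s)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample: a few interesting strings padded with non-printable bytes, standing in
# for a Mach-O binary or an Android .so (constructed here, not taken from any real app).
SAMPLE_BINARY = (
    b"\x00\x01\x02__TEXT\x00\x00"
    b"https://api.example.com/v1/login\x00\x00"
    b"api_key=EXAMPLEKEY0123456789abcdef\x00"
    b"Hello, world! This is a normal UI string.\x00"
    b"\x7fELF\x00"
    b"c2VjcmV0LWtleS1zYW1wbGUtdmFsdWUtMTIz\x00"
    b"/usr/lib/libSystem.B.dylib\x00"
)

if __name__ == "__main__":
    for label, detail in scan_binary(SAMPLE_BINARY):
        print("%-22s %s" % (label, detail))
```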

Hooking

Dynamic analysis of iOS and Android applications involves inspecting and manipulating the behavior of the app during runtime. Hooking important functions and using Frida and objection scripts are common techniques for dynamic analytics. Here's an overview, including methods, important scripts, and their applications:

iOS Dynamic Analytics

Hooking Important Functions:

  1. Using Cydia Substrate or Substitute:

    • Hook into important functions using Substrate or Substitute, allowing you to intercept and modify behavior.

    • Common hooks include method swizzling, function interception, and dynamic class modification.

  2. Frida Scripting:

    • Use Frida to dynamically hook into iOS applications, enabling real-time function interception and manipulation.

Important Frida and Objection Scripts:

  1. Frida Script to Bypass Jailbreak Detection:

// JavaScript code to bypass jailbreak detection by hiding a jailbreak artefact path from open()
var jailbreakPath = "/private/var/lib/apt/";
Interceptor.attach(Module.findExportByName(null, "open"), {
    onEnter: function(args) {
        var path = args[0].readUtf8String();
        if (path !== null && path.indexOf(jailbreakPath) === 0) {
            console.log("Bypassing jailbreak detection: " + path);
            // Keep the replacement buffer referenced on `this` so it is not garbage-collected mid-call
            this.fakePath = Memory.allocUtf8String("/nonexistent/path");
            args[0] = this.fakePath;
        }
    }
});

  2. Frida Script to Trace Objective-C Method Calls:

// JavaScript code to trace Objective-C method calls
function traceObjC(className) {
    var cls = ObjC.classes[className];
    if (cls === undefined) {
        console.error("Class not found: " + className);
        return;
    }
    // $ownMethods is an array of selectors such as "- viewDidLoad" or "+ sharedInstance"
    cls.$ownMethods.forEach(function(methodName) {
        console.log("Tracing: " + className + " " + methodName);
        try {
            // Attach to the method's native implementation; args[0] is self, args[1] the selector
            Interceptor.attach(cls[methodName].implementation, {
                onEnter: function(args) {
                    console.log(className + " " + methodName + " called on " + new ObjC.Object(args[0]));
                },
                onLeave: function(retval) {
                    console.log(className + " " + methodName + " returned " + retval);
                }
            });
        } catch (e) {
            console.error("Error tracing " + className + " " + methodName + ": " + e);
        }
    });
}

Android Dynamic Analytics

Hooking Important Functions:

  1. Using Xposed Framework:

    • Create Xposed modules to hook into Android applications and modify their behavior.

    • Hooks can intercept method calls, access private variables, and manipulate UI elements.

  2. Frida Scripting:

    • Utilize Frida to dynamically hook into Android applications, providing real-time function interception and manipulation.

Important Frida and Objection Scripts:

  1. Frida Script to Bypass SSL Pinning:
// JavaScript code to bypass SSL pinning
Java.perform(function() {
    var CertificatePinner = Java.use("okhttp3.CertificatePinner");
    CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function() {
        console.log("[*] Bypassing SSL pinning");
    };
});

  2. Frida Script to Trace Java Method Calls:

// JavaScript code to trace Java method calls
Java.perform(function() {
    var targetClass = Java.use("com.example.MainActivity");
    // onCreate(Bundle) must be forwarded to the original with its argument intact
    targetClass.onCreate.overload('android.os.Bundle').implementation = function(savedInstanceState) {
        console.log("onCreate() called");
        this.onCreate(savedInstanceState);
    };
});

SSL Pin

| ID | Function/Library Name | Popularity |
|----|-----------------------|------------|
| 1 | okhttp3.CertificatePinner.check (Android) | High |
| 2 | javax.net.ssl.X509TrustManager.checkServerTrusted (Android) | High |
| 3 | javax.net.ssl.SSLContext.init (Android) | High |
| 4 | android.webkit.WebViewClient.onReceivedSslError (Android) | High |
| 5 | javax.net.ssl.HttpsURLConnection.setSSLSocketFactory (Android) | High |
| 6 | NSURLSessionDelegate.URLSession:didReceiveChallenge:completionHandler: (iOS) | High |
| 7 | NSURLConnectionDelegate.connection:didReceiveAuthenticationChallenge: (iOS) | High |
| 8 | CFReadStreamSetProperty (iOS) | High |
| 9 | NSURLRequest.allowsAnyHTTPSCertificateForHost (iOS) | High |
| 10 | SecTrustEvaluateWithError (iOS) | High |
| 11 | org.apache.http.impl.client.DefaultHttpClient (Android) | Medium |
| 12 | CFNetwork (iOS) | Medium |
| 13 | javax.net.ssl.HostnameVerifier.verify (Android) | Medium |
| 14 | okhttp3.OkHttpClient.Builder.sslSocketFactory (Android) | Medium |
| 15 | java.net.URL.openConnection (Android) | Medium |
| 16 | NSURLRequest.allowEgress (iOS) | Medium |
| 17 | SSLContext.getInstance (Android) | Medium |
| 18 | NSURLProtectionSpace.authenticationMethod (iOS) | Low |
| 19 | SSLContext.getInstance("TLS") (Android) | Low |
| 20 | NSURLSession:canAuthenticateAgainstProtectionSpace: (iOS) | Low |

Commonly hooked functions and libraries used to bypass SSL pinning in both Android and iOS applications with Frida and objection:

Top 10 Functions and Libraries for SSL Pinning Bypass

Android:

  1. OkHttp (Android):

    • Library: okhttp3

    • Functions to Hook:

      • CertificatePinner.check

      • SSLContext.getInstance

  2. TrustManager (Android):

    • Library: javax.net.ssl

    • Functions to Hook:

      • X509TrustManager.checkServerTrusted
  3. HttpClient (Android):

    • Library: org.apache.http.impl.client.DefaultHttpClient

    • Functions to Hook:

      • SSLContext.init
  4. WebView (Android):

    • Library: android.webkit

    • Functions to Hook:

      • WebViewClient.onReceivedSslError
  5. HttpsURLConnection (Android):

    • Library: javax.net.ssl

    • Functions to Hook:

      • HttpsURLConnection.setSSLSocketFactory

iOS:

  1. NSURLSession (iOS):

    • Library: Foundation

    • Functions to Hook:

      • -[NSURLSessionDelegate URLSession:didReceiveChallenge:completionHandler:]
  2. NSURLConnection (iOS):

    • Library: Foundation

    • Functions to Hook:

      • -[NSURLConnectionDelegate connection:didReceiveAuthenticationChallenge:]
  3. CFNetwork (iOS):

    • Library: CFNetwork

    • Functions to Hook:

      • CFReadStreamSetProperty
  4. NSURLRequest (iOS):

    • Library: Foundation

    • Functions to Hook:

      • -[NSURLRequest allowsAnyHTTPSCertificateForHost:]
  5. SecTrustEvaluate (iOS):

    • Library: Security

    • Functions to Hook:

      • SecTrustEvaluateWithError

Frida and Objection scripts to hook the CertificatePinner.check method in the OkHttp library, commonly used for SSL pinning in Android applications:

// Android SSL Pinning Bypass with Frida

// Define the target class and method to hook
var className = "okhttp3.CertificatePinner";
var methodName = "check";

// Hook into the CertificatePinner.check method. It is a Java method, so it is reached
// through Frida's Java bridge rather than through a native export.
Java.perform(function() {
    var CertificatePinner = Java.use(className);
    // check(String hostname, List<Certificate> peerCertificates) is the overload OkHttp calls per connection
    CertificatePinner[methodName].overload('java.lang.String', 'java.util.List').implementation = function(hostname, peerCertificates) {
        console.log("[*] CertificatePinner.check() hooked!");
        // Log the arguments passed to the method
        console.log("[+] Hostname: " + hostname);
        console.log("[+] Certificates presented: " + peerCertificates.size());
        // Modify the behavior if needed; forwarding to the original keeps pinning enforced
        return this[methodName](hostname, peerCertificates);
    };
});

Sample Objection Command:

# Start objection against the app and load a Frida script at startup
objection --gadget "com.example.app" explore --startup-script "path/to/frida_script.js"

Root Detection

| ID | Function/Library Name | Popularity |
|----|-----------------------|------------|
| 1 | java.lang.Runtime.exec (Android - Magisk Detection) | High |
| 2 | java.io.File.exists (Android - Superuser.apk Detection) | High |
| 3 | com.scottyab.rootbeer.RootBeer.isRooted (Android - RootBeer Library) | High |
| 4 | java.io.File.canExecute (Android - Su Binary Detection) | High |
| 5 | java.io.File.exists (Android - BusyBox Detection) | High |
| 6 | Foundation.fileExistsAtPath (iOS - Jailbreak Detection) | High |
| 7 | Foundation.fileExistsAtPath (iOS - Cydia Detection) | High |
| 8 | Foundation.fileExistsAtPath (iOS - SSH Daemon Detection) | High |
| 9 | Foundation.fileExistsAtPath (iOS - MobileSubstrate Detection) | High |
| 10 | Foundation.sandboxed (iOS - App Sandbox Integrity Check) | High |
| 11 | java.lang.System.getenv (Android - Environment Variable Detection) | Medium |
| 12 | android.os.Build.PRODUCT (Android - Build Properties Detection) | Medium |
| 13 | java.lang.Class.forName (Android - Class Loading Detection) | Medium |
| 14 | com.scottyab.rootbeer.RootBeer.checkForDangerousProps (Android - RootBeer Library) | Medium |
| 15 | android.os.Debug.isDebuggerConnected (Android - Debugger Detection) | Medium |
| 16 | java.io.File.listRoots (Android - Root Filesystem Detection) | Medium |
| 17 | Foundation.fileExistsAtPath (iOS - Symbolic Link Detection) | Medium |
| 18 | System.loadLibrary (Android - Native Library Loading Detection) | Medium |
| 19 | com.scottyab.rootbeer.RootBeer.checkForSuBinary (Android - RootBeer Library) | Low |
| 20 | com.scottyab.rootbeer.RootBeer.detectTestKeys (Android - RootBeer Library) | Low |

Top 10 libraries and function names commonly hooked to bypass root detection using Frida and objection in both Android and iOS applications:

Top 10 Libraries and Functions for Root Detection Bypass

Android:

  1. Magisk Detection (Android):

    • Library: java.lang.Runtime

    • Function: exec

  2. Superuser.apk Detection (Android):

    • Library: java.io.File

    • Function: exists

  3. RootBeer Library (Android):

    • Library: com.scottyab.rootbeer.RootBeer

    • Function: isRooted

  4. Su Binary Detection (Android):

    • Library: java.io.File

    • Function: canExecute

  5. BusyBox Detection (Android):

    • Library: java.io.File

    • Function: exists

iOS:

  1. Jailbreak Detection (iOS):

    • Library: Foundation

    • Function: fileExistsAtPath

  2. Cydia Detection (iOS):

    • Library: Foundation

    • Function: fileExistsAtPath

  3. SSH Daemon Detection (iOS):

    • Library: Foundation

    • Function: fileExistsAtPath

  4. MobileSubstrate Detection (iOS):

    • Library: Foundation

    • Function: fileExistsAtPath

  5. App Sandbox Integrity Check (iOS):

    • Library: Foundation

    • Function: sandboxed

Insecure Logging

Commands and code relevant to insecure logging in Android and iOS applications, covering both native and third-party logging frameworks:

Android:

  1. Logcat (Native Android Logging):

    • Command: adb logcat

  2. Filtering by Priority Level:

    • Command: Filter logs by priority level (V, D, I, W, E, F, S).

    • Example: Show logs with priority level higher than or equal to W (Warning) and tag MyApp

adb logcat *:W MyApp:*

  3. Filtering by Keyword:

    • Command: Filter logs by a specific keyword in the message.

    • Example: Show logs containing the keyword error

adb logcat | grep -i error

  4. Filtering by Application Name:

    • Command: Filter logs by the name of the application package.

    • Example: Show logs for the application with package name com.example.app

adb logcat | grep com.example.app

  5. Continuous Logging:

    • Command: Continuously stream logs, updating in real-time.

    • Example: Continuously stream logs

adb logcat -v time

  6. Filtering by Process ID (PID):

    • Command: Filter logs by a specific process ID.

    • Example: Show logs for process ID 12345

adb logcat --pid=12345

iOS:

  1. NSLog (Native iOS Logging):

    • Command: Not applicable (logging output visible in Xcode Console or retrieved from the device)
  2. NSLog (Native iOS Logging):

    • Command: Not applicable (logging output visible in Xcode Console or retrieved from the device)
NSLog(@"Message: %@", variable);
  1. OSLog (Native iOS Logging):
  • Command: Not applicable (logging output visible in Xcode Console or retrieved from the device)
os_log(OS_LOG_DEFAULT, "Message: %@", variable);
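Detection logic to run over a saved logcat capture, as an added example written for this page (not part of the original page or of any project). It assumes the threadtime format that adb logcat -v threadtime produces and a short, assumed list of secret patterns; the sample lines at the bottom are constructed for the demonstration.

```javascript
// Scans logcat output for values that should never be logged. Added example
// for this page; the leak patterns and the sample capture are constructed
// assumptions, not output from a real device.

// threadtime format: "MM-DD HH:MM:SS.mmm  PID  TID P Tag   : message"
const THREADTIME_RE = /^(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+(.*?)\s*:\s(.*)$/;

// Luhn check keeps card-number hits down to plausible PANs (request IDs,
// timestamps and similar digit runs fail it).
function luhnValid(candidate) {
  const digits = candidate.replace(/[ -]/g, '');
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

const LEAK_PATTERNS = [
  { name: 'jwt',        re: /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/ },
  { name: 'bearer',     re: /\bBearer\s+[A-Za-z0-9._~+/=-]{16,}/i },
  { name: 'credential', re: /\b(password|passwd|pwd|secret|api[_-]?key)\s*[=:]\s*\S+/i },
  { name: 'pan',        re: /\b(?:\d[ -]?){13,16}\b/, verify: luhnValid },
];

// Lines that are not in threadtime format (e.g. idevicesyslog output) are
// scanned as a raw message with no tag or PID.
function parseLine(line) {
  const m = THREADTIME_RE.exec(line);
  if (!m) return { time: null, pid: null, tid: null, priority: null, tag: null, message: line };
  return { time: m[1], pid: m[2], tid: m[3], priority: m[4], tag: m[5], message: m[6] };
}

function scanLogcat(text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    if (!line.trim()) return;
    const entry = parseLine(line);
    for (const p of LEAK_PATTERNS) {
      const hit = p.re.exec(entry.message);
      if (!hit) continue;
      if (p.verify && !p.verify(hit[0])) continue;
      findings.push({
        line: idx + 1, tag: entry.tag, pid: entry.pid, priority: entry.priority,
        kind: p.name, excerpt: hit[0].slice(0, 24),   // truncated so the report itself does not leak
      });
    }
  });
  return findings;
}

// Constructed sample capture (not from a real device).
const SAMPLE_LOGCAT = [
  '03-14 10:22:01.120  4321  4321 D MyApp   : login ok for user=alice',
  '03-14 10:22:01.122  4321  4380 V OkHttp  : Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dGVzdHNpZ25hdHVyZQ',
  '03-14 10:22:02.004  4321  4321 I MyApp   : saving card 4111 1111 1111 1111 for later',
  '03-14 10:22:02.010  4321  4321 W MyApp   : request id 1234567890123 timed out',
  '03-14 10:22:03.500  1177  1177 I ActivityManager: Displayed com.example.app/.MainActivity',
].join('\n');

console.log(JSON.stringify(scanLogcat(SAMPLE_LOGCAT), null, 2));
```

Capture with adb logcat -v threadtime -d > capture.txt, read the file and pass its contents to scanLogcat; the tag and PID in each finding point at the component that logged the value, which is what the report needs.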

Insecure Storage

Insecure storage in Android and iOS applications, including both native APIs and common third-party libraries. The recurring problem is the same in every case: data is written in cleartext to a location whose protection depends entirely on the OS sandbox, so it is exposed on a rooted or jailbroken device, in backups, and (for external storage) to every other app.

Android:

  1. Insecure SharedPreferences (Native Android):

    • Command: Not applicable (accessed programmatically)

    • Code: Reading a secret from SharedPreferences stored in cleartext. The XML file lives under /data/data/<package>/shared_prefs/ and is readable with adb on a rooted device, or from an adb backup if allowBackup is not disabled. EncryptedSharedPreferences (androidx.security) or a key held in the Android Keystore is the fix.

SharedPreferences prefs = getSharedPreferences("my_prefs", Context.MODE_PRIVATE);
String secret = prefs.getString("secret_key", "");

  2. Insecure SQLite Database (Native Android):

    • Command: Not applicable (accessed programmatically)

    • Code: Opening an SQLite database that is not encrypted; the .db file under /data/data/<package>/databases/ can be pulled and opened with any SQLite client.

SQLiteDatabase db = dbHelper.getWritableDatabase();

  3. Insecure File Storage (Native Android):

    • Command: Not applicable (accessed programmatically)

    • Code: Writing sensitive data to external storage, which is readable by other apps (world-readable, or readable by any app holding READ_EXTERNAL_STORAGE, depending on the Android version) and survives uninstall.

File file = new File(Environment.getExternalStorageDirectory(), "data.txt");
FileOutputStream fos = new FileOutputStream(file);

iOS:

  1. Insecure UserDefaults (Native iOS):

    • Command: Not applicable (accessed programmatically)

    • Code: Reading a secret from UserDefaults, which is a cleartext plist in Library/Preferences inside the app container and is included in backups.

let defaults = UserDefaults.standard
let secret = defaults.string(forKey: "secret_key") ?? ""

  2. Insecure Keychain (Native iOS):

    • Command: Not applicable (accessed programmatically)

    • Code: Storing a password through a KeychainAccess-style wrapper without choosing an accessibility class. The item takes the library default (kSecAttrAccessibleAfterFirstUnlock), so it is readable while the device is locked after the first unlock and migrates to other devices through backups; sensitive items should use .whenUnlockedThisDeviceOnly or .whenPasscodeSetThisDeviceOnly.

let keychain = Keychain(service: "com.example.myapp")
try keychain.set("password", key: "user_password")

  3. Insecure File Storage (Native iOS):

    • Command: Not applicable (accessed programmatically)

    • Code: Writing sensitive data to the local file system without a data-protection option. The file gets the default class (NSFileProtectionCompleteUntilFirstUserAuthentication), so it is readable whenever the device has been unlocked once since boot, and it is readable from a jailbroken device at any time.

let data = "sensitive_data".data(using: .utf8)!
try data.write(to: URL(fileURLWithPath: "/path/to/file.txt"))
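A Frida tracer for the storage APIs above, as an added example written for this page (not code from the original page or from any project). It reports where the app writes and rates how exposed that location is. The Android path prefixes, the iOS container prefix and the short keychain accessibility codes are assumptions stated in the comments; the Frida-specific hooks run only inside a session, while the rating functions are plain JavaScript.

```javascript
// Frida tracer for the storage APIs above: reports where data is written and
// how exposed that location is. Added example for this page, not code from the
// original page or from any project. The Android path prefixes and the
// keychain accessibility codes are assumptions stated below. Load with:
//   frida -U -f com.example.app -l storage.js

// Android: rate a destination path by who can read it (assumed prefixes).
function androidPathRisk(path) {
  if (/^\/(sdcard|storage|mnt\/sdcard)(\/|$)/.test(path)) {
    return 'external: readable by other apps, survives uninstall';
  }
  if (/^\/data\/(data|user\/\d+)\/[^/]+\//.test(path)) {
    return 'private: cleartext, readable on a rooted device and via adb backup';
  }
  return 'other';
}

// iOS: the short codes are the values the Security framework stores for the
// kSecAttrAccessible* constants; kSecAttrAccessible itself is the key "pdmn".
const KEYCHAIN_ACCESSIBILITY = {
  dk:   'always (deprecated): readable before first unlock, migrates in backups',
  dku:  'always, this device only (deprecated)',
  ck:   'after first unlock: readable while locked, migrates in backups',
  cku:  'after first unlock, this device only',
  ak:   'when unlocked, migrates in backups',
  aku:  'when unlocked, this device only',
  akpu: 'when passcode set, this device only',
};

// SecItemAdd without kSecAttrAccessible defaults to kSecAttrAccessibleWhenUnlocked ("ak").
// "weak" flags anything always accessible or able to migrate to another device.
function keychainAccessibilityRisk(code) {
  const effective = code || 'ak';
  const label = KEYCHAIN_ACCESSIBILITY[effective] || 'unknown code ' + effective;
  const weak = effective.startsWith('d') || !effective.endsWith('u');
  return { code: effective, label, weak };
}

if (typeof Java !== 'undefined') {
  Java.perform(function () {
    // Every FileOutputStream(String)/(File) constructor chains to (File, boolean).
    const FOS = Java.use('java.io.FileOutputStream');
    FOS.$init.overload('java.io.File', 'boolean').implementation = function (file, append) {
      const p = file ? file.getAbsolutePath() : '(null)';
      console.log('[storage] FileOutputStream ' + p + ' -> ' + androidPathRisk(p));
      return this.$init.overload('java.io.File', 'boolean').call(this, file, append);
    };
    // SharedPreferences writes land in shared_prefs/<name>.xml in cleartext.
    const Editor = Java.use('android.app.SharedPreferencesImpl$EditorImpl');
    Editor.putString.implementation = function (key, value) {
      console.log('[storage] SharedPreferences.putString(' + key + ') length=' + (value ? value.length() : 0));
      return this.putString(key, value);
    };
  });
}

if (typeof ObjC !== 'undefined' && ObjC.available) {
  // -[NSUserDefaults setObject:forKey:]: args[2] is the value, args[3] the key.
  Interceptor.attach(ObjC.classes.NSUserDefaults['- setObject:forKey:'].implementation, {
    onEnter(args) {
      const key = new ObjC.Object(args[3]).toString();
      console.log('[storage] NSUserDefaults[' + key + '] written in cleartext to Library/Preferences');
    },
  });
  // SecItemAdd(CFDictionaryRef attrs, CFTypeRef *result): read the accessibility attribute.
  try {
    const secItemAdd = Process.getModuleByName('Security').findExportByName('SecItemAdd');
    Interceptor.attach(secItemAdd, {
      onEnter(args) {
        const attrs = new ObjC.Object(args[0]);      // CFDictionaryRef is toll-free bridged
        const acc = attrs.objectForKey_('pdmn');
        const code = (acc && !acc.isNull()) ? acc.toString() : null;
        const r = keychainAccessibilityRisk(code);
        console.log('[storage] SecItemAdd accessibility=' + r.code + ' (' + r.label + ')' + (r.weak ? ' WEAK' : ''));
      },
    });
  } catch (e) { console.log('[storage] SecItemAdd hook skipped: ' + e.message); }
}
```

The SharedPreferences hook logs the key and the value length rather than the value, so the trace itself does not become a second copy of the secret; switch to logging the value only when confirming a specific finding.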

Content Provider

Android Content Providers expose structured data to other apps through a content:// URI; when one is exported without a permission, or builds SQL from caller-supplied strings, any app on the device can read or modify the data. iOS has no equivalent component, so the closest analogue is the system data stores (Contacts, Photos, Calendar) that an app reaches through a framework API gated by an Info.plist usage description and a runtime permission prompt. Representative cases for both platforms:

Android:

SQL Injection Attack (Query Injection) (Native Android):

  • Command: Pass attacker-controlled text as the selection clause. A provider that concatenates it into its SQL returns every row; the fix is to bind values through selectionArgs and validate column names against an allow-list.

Uri uri = Uri.parse("content://com.example.provider/items");
String maliciousSelection = "1 OR 1=1";
Cursor cursor = getContentResolver().query(uri, projection, maliciousSelection, selectionArgs, sortOrder);

Unauthorized Data Access (Native Android):

  • Command: Query a Content Provider from another app that holds no permission for it. This only fails if the provider declares android:permission or android:readPermission.

Cursor cursor = getContentResolver().query(uri, projection, selection, selectionArgs, sortOrder);

Excessive Data Leakage (Native Android):

  • Command: Query with a null projection and null selection, which returns every column of every row.

Cursor cursor = getContentResolver().query(uri, null, null, null, null);

Exported Content Provider (AndroidManifest.xml) (Native Android):

  • Command: Check whether the Content Provider is exported and unprotected. android:exported="true" with no android:permission, android:readPermission or android:writePermission means any app can call it. When the attribute is absent, providers default to exported for targetSdkVersion below 17 and to not exported from 17 on.

<provider
    android:name=".MyContentProvider"
    android:authorities="com.example.provider"
    android:exported="true"/>

SQL Injection Attack (Projection Injection) (Native Android):

  • Command: Inject into the projection. Column names cannot be bound as parameters, so a provider that passes the projection straight into its SELECT (for example through SQLiteQueryBuilder without a projection map) is injectable even when the selection is parameterised; the payload below turns the query into a dump of the schema table.

String[] maliciousProjection = {"* FROM sqlite_master--"};
Cursor cursor = getContentResolver().query(uri, maliciousProjection, selection, selectionArgs, sortOrder);

iOS:

Unauthorized Data Access (Native iOS):

  • Command: Read contacts through CNContactStore. The call fails until the user has granted Contacts access, so the test is whether the app requests Contacts at all, whether it asks before it needs them, and what it does with the data afterwards.

import Contacts

let store = CNContactStore()
let keysToFetch = [CNContactGivenNameKey as CNKeyDescriptor]
let predicate = CNContact.predicateForContacts(matchingName: "John")
do {
    let contacts = try store.unifiedContacts(matching: predicate, keysToFetch: keysToFetch)
    print("matched \(contacts.count) contacts")
} catch {
    print("Error accessing contacts: \(error)")
}

Excessive Data Leakage (Native iOS):

  • Command: Enumerate every contact instead of querying for the ones needed. A CNContactFetchRequest is consumed with enumerateContacts(with:usingBlock:), not with unifiedContacts(matching:keysToFetch:).

let store = CNContactStore()
let keysToFetch = [CNContactGivenNameKey as CNKeyDescriptor]
let request = CNContactFetchRequest(keysToFetch: keysToFetch)
var allContacts: [CNContact] = []
do {
    try store.enumerateContacts(with: request) { contact, _ in
        allContacts.append(contact)
    }
} catch {
    print("Error accessing contacts: \(error)")
}

Contacts Usage Description (Info.plist) (Native iOS):

  • Command: Check that the NSContactsUsageDescription entry exists and states a specific purpose. Without it the app crashes on first access; a vague string like the one below is a review finding rather than a vulnerability.

<key>NSContactsUsageDescription</key>
<string>We need access to contacts for better user experience</string>

Data Modification (Native iOS):

  • Command: Create or modify contacts. A new CNMutableContact is added with add(_:toContainerWithIdentifier:); update(_:) is for the mutable copy of an existing contact. Write access is covered by the same Contacts permission as read access, so an app that only needs to read still gains the ability to write.

let store = CNContactStore()
let contact = CNMutableContact()
contact.givenName = "Jane"
let saveRequest = CNSaveRequest()
saveRequest.add(contact, toContainerWithIdentifier: nil)
do {
    try store.execute(saveRequest)
} catch {
    print("Error updating contact: \(error)")
}
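Triage of the <provider> entries in a decoded AndroidManifest.xml, followed by the adb probes to run against the ones that look reachable, as an added example written for this page (not code from the original page or from any project). The manifest snippet and authority names are constructed; the attribute parsing is a regex that assumes a decoded (apktool or aapt2 dump) manifest, and the "items" path appended to each authority is an assumption that a real test replaces with the paths recovered from the provider's code.

```javascript
// Triage <provider> entries in an AndroidManifest.xml and generate adb probes
// for the exposed ones. Added example for this page, not code from the original
// page or any project. The manifest snippet, authority names and the "items"
// path are constructed assumptions; the regex parser assumes a decoded manifest.

const PROVIDER_RE = /<provider\b([^>]*?)\/?>/g;
const ATTR_RE = /android:(\w+)="([^"]*)"/g;

function parseProviders(manifestXml) {
  const providers = [];
  for (const m of manifestXml.matchAll(PROVIDER_RE)) {
    const attrs = {};
    for (const a of m[1].matchAll(ATTR_RE)) attrs[a[1]] = a[2];
    providers.push(attrs);
  }
  return providers;
}

// Absent <uses-sdk> means the oldest defaults apply.
function targetSdk(manifestXml) {
  const m = /android:targetSdkVersion="(\d+)"/.exec(manifestXml);
  return m ? Number(m[1]) : 1;
}

// Exposure verdict for one provider: when android:exported is absent, the
// platform defaults it to true only for targetSdkVersion < 17.
function classifyProvider(p, sdk) {
  const exported = 'exported' in p ? p.exported === 'true' : sdk < 17;
  const gate = p.permission || p.readPermission || p.writePermission || null;
  let verdict;
  if (!exported) verdict = 'not exported';
  else if (!gate) verdict = 'exported and unprotected';
  else verdict = 'exported, gated by ' + gate;
  if (exported && p.grantUriPermissions === 'true') {
    verdict += ' (grantUriPermissions=true: check path-permission handling)';
  }
  return { name: p.name, authority: p.authorities, exported, guarded: Boolean(gate), verdict };
}

// adb probes for an exposed authority: plain dump, selection-injection probe,
// and a projection-injection probe that lists the tables (only works when the
// provider builds its SELECT from the raw projection).
function adbProbes(authority, path) {
  const uri = 'content://' + authority + (path ? '/' + path : '');
  return [
    'adb shell content query --uri ' + uri,
    'adb shell content query --uri ' + uri + ' --where "1=1"',
    'adb shell content query --uri ' + uri + ' --projection "* FROM sqlite_master--"',
  ];
}

function triage(manifestXml) {
  const sdk = targetSdk(manifestXml);
  return parseProviders(manifestXml).map(p => {
    const c = classifyProvider(p, sdk);
    c.probes = c.exported && !c.guarded ? adbProbes(p.authorities, 'items') : [];
    return c;
  });
}

// Constructed manifest for the demonstration.
const SAMPLE_MANIFEST = `
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="33"/>
  <application>
    <provider android:name=".MyContentProvider"
              android:authorities="com.example.provider"
              android:exported="true"/>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.notes"
              android:exported="true"
              android:readPermission="com.example.permission.READ_NOTES"/>
    <provider android:name=".CacheProvider"
              android:authorities="com.example.cache"/>
  </application>
</manifest>`;

console.log(JSON.stringify(triage(SAMPLE_MANIFEST), null, 2));
```

A provider with android:authorities listing several authorities separated by semicolons gets probes only for the string as written; split it before calling adbProbes when that occurs. A gated provider is still worth a look if the gating permission has a protectionLevel of normal, since any app can request it.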

Inadequate Supply Chain Security

Inadequate supply chain security lets an attacker put code into the application without touching its source: through a dependency the build pulls from a public registry, through an SDK the team integrates on purpose, or through the build scripts and CI machines that produce the release. The examples below show what each of these looks like in the Android (Gradle) and iOS (CocoaPods) build files; review them for unpinned versions, unknown coordinates and shell execution.

Android:

Dependency Hijacking (Android):

  • Command: A dependency coordinate resolved from a public repository can be replaced or shadowed, for example by publishing an internal group ID to Maven Central, or by a dynamic "+" version that picks up whatever is newest. A pinned version plus Gradle dependency verification (gradle/verification-metadata.xml) is the control.

implementation 'com.example:malicious-library:1.0.0'

Malicious SDK Integration (Android):

  • Command: An SDK integrated on purpose runs in the app's process with every permission the app holds, so a malicious or compromised SDK inherits all of them.

implementation 'com.example:malicious-sdk:1.0.0'

Compromised Build Systems (Android):

  • Command: Appending to build.gradle on a compromised CI runner or developer machine. Anything appended is Groovy that Gradle evaluates at configuration time, before any task runs.

echo "exec { commandLine 'bash', '-c', 'malicious_command' }" >> build.gradle

Code Injection via Build Scripts (Android):

  • Command: The same payload as it appears inside the build script: a top-level exec block runs on every Gradle invocation, including IDE syncs.

exec {
    commandLine 'bash', '-c', 'malicious_command'
}

iOS:

Dependency Hijacking (iOS):

  • Command: A pod declared without a version resolves to the newest version available from the CocoaPods trunk, so a compromised or typosquatted pod is pulled in silently. Pin the version and commit Podfile.lock.

pod 'MaliciousLibrary'

Malicious Framework Integration (iOS):

  • Command: A framework integrated into a specific target; it ships inside the app bundle and runs with the app's entitlements.

target 'MyApp' do
    pod 'MaliciousFramework'
end

Compromised Build Systems (iOS):

  • Command: Appending to the Podfile on a compromised machine. The Podfile is Ruby evaluated by pod install, so the appended line runs on the next install.

echo "system 'malicious_command'" >> Podfile

Code Injection via Build Scripts (iOS):

  • Command: The same payload as a post_install hook, which runs after every pod install or pod update.

post_install do |installer|
    system 'malicious_command'
end
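A static audit of the Gradle and CocoaPods build files for the weaknesses above, as an added example written for this page (not code from the original page or from any project). The trusted group prefixes and the two sample files are constructed assumptions, and the regexes assume the Groovy dependency DSL and the usual Podfile forms; a Kotlin DSL build file needs a different dependency regex.

```javascript
// Audit of build.gradle and Podfile text for unpinned or dynamic versions,
// unexpected dependency groups and shell execution inside the build script.
// Added example for this page, not code from the original page or any project.
// TRUSTED_GROUPS and the sample files below are constructed assumptions.

const TRUSTED_GROUPS = ['androidx.', 'com.google.', 'org.jetbrains.', 'com.squareup.'];

const GRADLE_DEP_RE = /^\s*(implementation|api|compileOnly|runtimeOnly|classpath)\s*\(?\s*['"]([^'"]+)['"]/;
const GRADLE_EXEC_RE = /\b(exec\s*\{|commandLine\s|Runtime\.getRuntime\(\)\.exec|\.execute\(\))/;
const POD_RE = /^\s*pod\s+['"]([^'"]+)['"](?:\s*,\s*['"]([^'"]+)['"])?/;
const POD_SHELL_RE = /\b(system\s*\(|system\s+['"]|%x\(|exec\s*\()|`[^`]+`/;

function auditGradle(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    const n = i + 1;
    const dep = GRADLE_DEP_RE.exec(line);
    if (dep) {
      const parts = dep[2].split(':');         // group:artifact:version
      const group = parts[0];
      const version = parts[2];
      if (!version) findings.push({ line: n, kind: 'unpinned', detail: dep[2] });
      else if (/[+\[\]()]|latest|SNAPSHOT/.test(version)) findings.push({ line: n, kind: 'dynamic-version', detail: dep[2] });
      if (!TRUSTED_GROUPS.some(g => group.startsWith(g))) findings.push({ line: n, kind: 'untrusted-group', detail: group });
    }
    if (GRADLE_EXEC_RE.test(line)) findings.push({ line: n, kind: 'build-script-exec', detail: line.trim() });
  });
  return findings;
}

function auditPodfile(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    const n = i + 1;
    const pod = POD_RE.exec(line);
    if (pod) {
      // No version string: trunk resolves to the newest release (or a :git source without a tag).
      if (!pod[2]) findings.push({ line: n, kind: 'unpinned', detail: pod[1] });
      else if (/^[~>=<]/.test(pod[2])) findings.push({ line: n, kind: 'range-version', detail: pod[1] + ' ' + pod[2] });
    }
    if (POD_SHELL_RE.test(line)) findings.push({ line: n, kind: 'build-script-exec', detail: line.trim() });
  });
  return findings;
}

// Constructed sample files for the demonstration.
const SAMPLE_GRADLE = `
dependencies {
    implementation 'androidx.core:core-ktx:1.12.0'
    implementation 'com.squareup.okhttp3:okhttp:4.+'
    implementation 'com.example:malicious-sdk:1.0.0'
    implementation 'com.google.android.material:material'
}
exec {
    commandLine 'bash', '-c', 'malicious_command'
}`;

const SAMPLE_PODFILE = `
platform :ios, '15.0'
target 'MyApp' do
  pod 'Alamofire', '5.8.1'
  pod 'MaliciousFramework'
  pod 'SwiftyJSON', '~> 5.0'
end
post_install do |installer|
  system 'malicious_command'
end`;

console.log(JSON.stringify({ gradle: auditGradle(SAMPLE_GRADLE), podfile: auditPodfile(SAMPLE_PODFILE) }, null, 2));
```

An "untrusted-group" finding is a prompt to confirm where that coordinate is published and who owns it, not a verdict; keep the list short and specific to the project so the output stays reviewable. Pair the audit with a check that Podfile.lock and gradle/verification-metadata.xml are committed and enforced in CI, since a pinned version in the build file alone does not stop a replaced artifact.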

Static Scanner

| ID | Tool | Usage Features | Popularity |
| --- | --- | --- | --- |
| 1 | MobSF (Mobile Security Framework) | Static and dynamic analysis, API testing, SSL/TLS verification, data storage security checks, and more. | High |
| 2 | QARK (Quick Android Review Kit) | Static analysis for Android applications: vulnerability detection, insecure logging, cryptography issues, and more. | High |
| 3 | AndroBugs Framework | Static analysis tool for Android applications, identifying security vulnerabilities such as SQL injection, insecure data storage, and more. | Medium |
| 4 | Appknox | Automated security testing for Android and iOS apps, identifying vulnerabilities like the OWASP Top 10, insecure data storage, and more. | Medium |
| 5 | Checkmarx | Static application security testing (SAST), identifying security vulnerabilities in code, including the OWASP Top 10, insecure data storage, and more. | High |
| 6 | Veracode Mobile Security Testing | Automated security testing for Android and iOS applications, including static and dynamic analysis. | High |
| 7 | NowSecure Lab | Automated mobile app security testing, identifying vulnerabilities, insecure data storage, SSL/TLS issues, and more. | Medium |
| 8 | Fortify Static Code Analyzer | Static analysis tool for identifying security vulnerabilities in code, including the OWASP Top 10, insecure data storage, and more. | High |
| 9 | Kryptowire (now Quokka) | Automated security testing for Android and iOS applications, including static and dynamic analysis. | Medium |
| 10 | ZAP (Zed Attack Proxy) | Dynamic application security testing (DAST) of the app's backend through an intercepting proxy: API vulnerabilities, SSL/TLS issues, and more. Not a static scanner; it complements the tools above rather than replacing them. | High |

MobSF, QARK, AndroBugs and ZAP are open source and run locally; the others are commercial services. None of them replaces the manual checks in the sections above, since a scanner reports the pattern (an exported provider, a cleartext write) and not whether the data behind it matters.

Resources