Forked from approovm/00-android-bypass-certificate-pinning-and-mitm-attack-setup.md
Created June 19, 2024 11:37
Revisions
approovblog revised this gist
Oct 7, 2021. 1 changed file with 10 additions and 10 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -3,7 +3,7 @@ ## Install the Frida Server in the Android Emulator Get the Android architecture: ```bash adb shell getprop ro.product.cpu.abi ``` @@ -12,23 +12,23 @@ The output should look like: x86 ``` Now that we know the architecture is `x86` we can use it to download the Frida server: ```bash version=$(frida --version) && curl -Lo frida-server.xz https://github.com/frida/frida/releases/download/$version/frida-server-$version-android-x86.xz ``` After the download it’s finish we need to decompress it with: ```bash xz -d frida-server.xz ``` Next, we will push the frida-server into the Android device with: ```bash adb push frida-server /data/local/tmp ``` Give it executable permissions: ```bash adb shell "chmod +x /data/local/tmp/frida-server" ``` @@ -37,17 +37,17 @@ adb shell "chmod +x /data/local/tmp/frida-server" Now, open another shell in your computer to start the frida-server inside the Android device or emulator. Switch adb to the root user with: ```bash adb root ``` Start the Frida server in the background with: ```bash adb shell "/data/local/tmp/frida-server&" & ``` Now, check the frida-server is running on the device: ```bash frida-ps -U ```  - 
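Review bot: in the download hunk, `version=$(frida --version) && curl -Lo frida-server.xz https://github.com/frida/frida/releases/download/$version/frida-server-$version-android-x86.xz` now takes the version from the host client but still hardcodes the `x86` architecture, even though the step just above reads it with `adb shell getprop ro.product.cpu.abi`; derive it from that output as well (the Frida release assets are named `android-x86`, `android-x86_64`, `android-arm` and `android-arm64`, so `armeabi-v7a` and `arm64-v8a` need mapping) or state plainly that the URL must be edited for any other ABI. A second point on the same hunk: the server binary is downloaded, pushed and started as root on the device without any integrity check; record the SHA-256 of the release asset you reviewed and compare it with `sha256sum` before `adb push frida-server /data/local/tmp`.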
approovblog revised this gist
Oct 6, 2021. 1 changed file with 19 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -17,6 +17,25 @@ If you have installed Android Studio as a Snap package then it will be located a export JAVA_HOME=/snap/android-studio/current/android-studio/jre ``` ### Adb Path Check that `adb` is in the path: ```bash adb ``` If it says that the command is not found then add it to the path with: ```bash export PATH=~/Android/Sdk/platform-tools:$PATH ``` Try it out with: ``` adb help ``` ### Avd Manager Path Check that the `avdmanager` is in the path:  - 
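Review bot: the new Adb Path hunk checks availability by running a bare `adb`; when adb is installed this prints the whole usage text, which a first-time user may mistake for an error message, so `adb version` (one line, exit status 0) is a clearer check and pairs better with the `adb help` try-out that follows. Also the `adb help` block uses a plain ``` fence while every other block in this revision is tagged ```bash; make it consistent.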
approovblog revised this gist
Oct 6, 2021. 1 changed file with 20 additions and 20 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -7,30 +7,30 @@ To use some of the tools bundled with Android studio we need to add them to the ### Java Home Var If your $JAVA_HOME is not set then you need to set it to the path on your machine. In this example I will use the path for the Java installation packaged inside Android Studio, that you may have installed in `/opt` or at `/usr/local`: ```bash # export JAVA_HOME=/usr/local/android-studio/jre/jre export JAVA_HOME=/opt/android-studio/jre/jre ``` If you have installed Android Studio as a Snap package then it will be located at `/snap/android-studio`: ```bash export JAVA_HOME=/snap/android-studio/current/android-studio/jre ``` ### Avd Manager Path Check that the `avdmanager` is in the path: ```bash avdmanager ``` If it says that the command is not found then add it to the path with: ```bash export PATH=~/Android/Sdk/tools/bin:$PATH ``` Try it out by listing the available targets: ```bash avdmanager list target ``` @@ -41,7 +41,7 @@ Exception in thread "main" java.lang.NoClassDefFoundError: javax/xml/bind/annota ``` This error can be fixed by installing the [Android Command Line Tools](https://developer.android.com/studio/command-line): ```bash # At the time of this download the latest version was `7583922` but at the time you read this a newer one may already exist. # Please check their download page at https://developer.android.com/studio#command-tools curl -o tools.zip https://dl.google.com/android/repository/commandlinetools-linux-7583922_latest.zip 
@@ -61,17 +61,17 @@ export PATH=~/Android/Sdk/cmdline-tools/latest/bin:$PATH ### Emulator Path Check the command is installed: ```bash emulator ``` If it says that the command is not found then add it to the path with: ```bash export PATH=~/Android/Sdk/emulator:$PATH ``` Test it by listing your current emulators: ```bash emulator -list-avds ``` @@ -80,29 +80,29 @@ emulator -list-avds If not already present in your Android installation, you need to add it. Start by installing the platform tools with: ```bash sdkmanager "platform-tools" "platforms;android-29" ``` Next, install the system image with: ```bash sdkmanager "system-images;android-29;google_apis;x86" ``` Finally, accept all package licenses with: ```bash sdkmanager --licenses ``` ## Create the Emulator AVD for Android API 29 Let’s create a Pixel AVD for Android API 29 with: ```bash avdmanager create avd --name pixel-android-api-29 --package "system-images;android-29;google_apis;x86" --device "pixel" ``` Add the physical keyboard support: ```bash echo "hw.keyboard=yes" >> ~/.android/avd/pixel-android-api-29.avd/config.ini ``` @@ -115,13 +115,13 @@ First, disconnect any mobile device you may have connected to your computer. Next, close any running instance of any emulator you may have running. Now, let’s start the emulator for Android 29 in writable mode: ```bash emulator -avd pixel-android-api-29 -writable-system &> /dev/null & ``` > NOTE: the bit `&> /dev/null` will discard all output, including errors, and `&` will run the command in the background so that we get the shell back. If the emulator doesn’t start or otherwise misbehaves try to remove `&> /dev/null` to see the errors being reported. Wait for the emulator to complete the boot process and then restart `adb` as root: ```bash adb wait-for-device && adb root ``` 
@@ -131,7 +131,7 @@ restarting adbd as root ``` In Android 29 we need to disable verification of the filesystem before we remount it as writable: ```bash adb shell avbctl disable-verification ``` @@ -141,12 +141,12 @@ Successfully disabled verification. Reboot the device for changes to take effect ``` Reboot for changes to take effect: ```bash adb reboot && adb wait-for-device ``` After the device have completed the reboot we need to change again adb to `root`: ```bash adb root ```  - 
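Review bot: the Avd Manager Path hunk still adds the legacy `~/Android/Sdk/tools/bin` location to `PATH`, while the next hunk in the same file introduces the `java.lang.NoClassDefFoundError: javax/xml/bind/annotation/XmlSchema` failure and fixes it by installing the command line tools under `~/Android/Sdk/cmdline-tools/latest/bin`; the old `tools/bin` launchers are the ones that need the JAXB classes newer JDKs no longer ship, so point the reader at `cmdline-tools/latest/bin` from the start and keep the error section as a fallback. Smaller point in the AVD hunk: `echo "hw.keyboard=yes" >> ~/.android/avd/pixel-android-api-29.avd/config.ini` appends unconditionally, so running the setup twice leaves duplicate keys; guard it with `grep -q '^hw.keyboard=' "$cfg" || echo "hw.keyboard=yes" >> "$cfg"`.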
approovblog revised this gist
Oct 6, 2021. 2 changed files with 11 additions and 7 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -36,12 +36,12 @@ ip address | grep -i wlp - You should see something like this: ``` 3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 inet 192.168.0.08/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp3s0 ``` The IP address `192.168.0.08` will be necessary to start the mitmproxy and the emulator, thus you should replace it with your own one in any subsequent command you find it being used. To Run mitmproxy listening on the WiFi network open a new terminal window or tab and execute: ``` sudo docker run --rm -it -v ~/.mitmproxy:/home/mitmproxy/.mitmproxy -p 192.168.0.08:8080:8080 mitmproxy/mitmproxy:6.0.2 mitmproxy --showhost --view-filter "approov" ``` This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -6,13 +6,13 @@ To use some of the tools bundled with Android studio we need to add them to the ### Java Home Var If your $JAVA_HOME is not set then you need to set it to the path on your machine. In this example I will use the path for the Java installation packaged inside Android Studio, that you may have installed in `/opt` or at `/usr/local`: ``` # export JAVA_HOME=/usr/local/android-studio/jre/jre export JAVA_HOME=/opt/android-studio/jre/jre ``` If you have installed Android Studio as a Snap package then it will be locate at `/snap/android-studio`: ``` export JAVA_HOME=/snap/android-studio/current/android-studio/jre ``` 
@@ -42,15 +42,19 @@ Exception in thread "main" java.lang.NoClassDefFoundError: javax/xml/bind/annota This error can be fixed by installing the [Android Command Line Tools](https://developer.android.com/studio/command-line): ``` # At the time of this download the latest version was `7583922` but at the time you read this a newer one may already exist. # Please check their download page at https://developer.android.com/studio#command-tools curl -o tools.zip https://dl.google.com/android/repository/commandlinetools-linux-7583922_latest.zip # Installation steps mkdir -p ~/Android/Sdk/cmdline-tools/ unzip tools.zip -d ~/Android/Sdk/cmdline-tools rm -rf tools.zip mv ~/Android/Sdk/cmdline-tools/cmdline-tools ~/Android/Sdk/cmdline-tools/latest # To make it permanent you want to add this line to your shell file `~/.bashrc`, `~/.zshrc`, etc. # If you add it to your shell file then you need to reload your current shell session with `. ~/.bashrc`. # For this tutorial you just need to execute it in your termainal export PATH=~/Android/Sdk/cmdline-tools/latest/bin:$PATH ```  - 
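Review bot: in the mitmproxy hunk the sample address `192.168.0.08` cannot come from `ip address` (iproute2 never zero-pads an octet), and a leading-zero octet is rejected or read as octal by common address parsers, so a reader who copies the pattern can get a bind failure; use something like `192.168.0.8` both in the example output and in `-p 192.168.0.08:8080:8080`. The surrounding text should also say that publishing the proxy on the WiFi address makes it an unauthenticated open proxy for everyone on that network while it runs, so this belongs on a network you control. In the command line tools hunk, `curl -o tools.zip https://dl.google.com/android/repository/commandlinetools-linux-7583922_latest.zip` is unpacked without verifying the SHA-256 that the download page lists next to each archive; add a `sha256sum` comparison before `unzip`.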
approovblog revised this gist
Oct 6, 2021. 2 changed files with 28 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -36,7 +36,7 @@ ip address | grep -i wlp - You should see something like this: ``` 3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 inet **192.168.0.08**/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp3s0 ``` The IP address in bold will be necessary to start the mitmproxy and the emulator, thus you should replace it with your own one in any subsequent command you find it being used and highlighted in bold. Run mitmproxy listening on the WiFi network This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -6,11 +6,17 @@ To use some of the tools bundled with Android studio we need to add them to the ### Java Home Var If your $JAVA_HOME is not set then you need to set it to the path on your machine. In this example I will use the path for the Java packaged inside Android Studio, that you may have installed in `/opt` or at `usr/local`: ``` # export JAVA_HOME=/usr/local/android-studio/jre/jre export JAVA_HOME=/opt/android-studio/jre/jre ``` If you have installed Android Studio as a snap package then it will be locate at `/snap/android-studio`: ``` export JAVA_HOME=/snap/android-studio/current/android-studio/jre ``` ### Avd Manager Path Check that the `avdmanager` is in the path: 
@@ -28,6 +34,26 @@ Try it out by listing the available targets: avdmanager list target ``` If you are in a recent version of Android Studio you may get an error: ``` Exception in thread "main" java.lang.NoClassDefFoundError: javax/xml/bind/annotation/XmlSchema ... ``` This error can be fixed by installing the [Android Command Line Tools](https://developer.android.com/studio/command-line): ``` # At the time of this download the latest version was `7583922` but at the time you read this a newer one may already exist. Please check their download page at https://developer.android.com/studio#command-tools curl -o tools.zip https://dl.google.com/android/repository/commandlinetools-linux-7583922_latest.zip mkdir -p ~/Android/Sdk/cmdline-tools/ unzip tools.zip -d ~/Android/Sdk/cmdline-tools rm -rf tools.zip mv ~/Android/Sdk/cmdline-tools/cmdline-tools ~/Android/Sdk/cmdline-tools/latest # you may want to add this line to your shell file `~/.bashrc`, `~/.zshrc`, etc. export PATH=~/Android/Sdk/cmdline-tools/latest/bin:$PATH ``` ### Emulator Path Check the command is installed:  - 
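Review bot: in the Java Home Var hunk the prose says `usr/local` without the leading slash (the command below it correctly uses `/usr/local/android-studio/jre/jre`). In the command line tools hunk, `mv ~/Android/Sdk/cmdline-tools/cmdline-tools ~/Android/Sdk/cmdline-tools/latest` is the step readers most often get wrong and it is unexplained: `sdkmanager` and `avdmanager` locate the SDK root relative to their own directory, which is why the unpacked tree must live at `cmdline-tools/latest` and not one level higher or lower; add a sentence saying so. Also, the two comment sentences before `curl -o tools.zip ...` are run together on one `#` line, and `rm -rf tools.zip` should be a plain `rm tools.zip`, since the recursive force flag does nothing useful on a single file and hides typos in the path.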
approovblog revised this gist
Apr 30, 2021. 1 changed file with 2 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -43,8 +43,8 @@ The IP address in bold will be necessary to start the mitmproxy and the emulator Open a new terminal window or tab and execute: ``` sudo docker run --rm -it -v ~/.mitmproxy:/home/mitmproxy/.mitmproxy -p 192.168.0.08:8080:8080 mitmproxy/mitmproxy:6.0.2 mitmproxy --showhost --view-filter "approov" ``` > **NOTE:** We use the --showhost option to be able to see the domain instead of just the IP address for each http request in the mitmproxy console output. The --view-filter options are to limit the output to requests containing the word approov in the URL, otherwise the output will be very noisy, due to all the other HTTP requests being done by the Android OS and other apps installed. The proxy is now listening on port 8080 for the IP address of your WiFi network.  - 
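Review bot: the switch to a single `--view-filter "approov"` deserves a sentence in the NOTE, because the command it replaces passed `--view-filter` twice and mitmproxy's `view_filter` is a single string option, so only the last value was applied; if more than one backend needs to be shown, combine terms with the filter language's OR, e.g. `--view-filter "approov | auth0"`. The NOTE should also make clear that a view filter only hides flows from the console: every other request from the emulator is still proxied and can be inspected or saved, so it is a display setting, not a restriction on what is intercepted.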
approovblog revised this gist
Apr 30, 2021. 1 changed file with 10 additions and 5 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -80,12 +80,17 @@ echo "hw.keyboard=yes" >> ~/.android/avd/pixel-android-api-29.avd/config.ini To be able to add the mitmproxy certificate as a trusted certificate in the emulator we need to first make its file system writable. First, disconnect any mobile device you may have connected to your computer. Next, close any running instance of any emulator you may have running. Now, let’s start the emulator for Android 29 in writable mode: ``` emulator -avd pixel-android-api-29 -writable-system &> /dev/null & ``` > NOTE: the bit `&> /dev/null` will discard all output, including errors, and `&` will run the command in the background so that we get the shell back. If the emulator doesn’t start or otherwise misbehaves try to remove `&> /dev/null` to see the errors being reported. Wait for the emulator to complete the boot process and then restart `adb` as root: ``` adb wait-for-device && adb root ``` @@ -110,12 +115,12 @@ Reboot for changes to take effect: adb reboot && adb wait-for-device ``` After the device have completed the reboot we need to change again adb to `root`: ``` adb root ``` Now we need to enable the writable file system in the emulator: ``` adb remount ```  - 
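Review bot: the hunk tells the reader to disconnect any phone and close other emulators before `adb wait-for-device && adb root`, but the only reason is that the `adb` commands in this file name no target, and adb aborts with `error: more than one device/emulator` when several are attached; `adb -s emulator-5554 ...` (or `export ANDROID_SERIAL=emulator-5554` once) makes every step work alongside a connected phone and, more importantly, guarantees that `adb root` and the later `adb remount` never hit a real device by mistake. The new NOTE is also the right place to say that `&> /dev/null` in `emulator -avd pixel-android-api-29 -writable-system &> /dev/null &` is bash syntax; under `sh` or `dash` it is parsed as a background operator followed by a redirection, so use `> /dev/null 2>&1` there.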
approovblog revised this gist
Apr 30, 2021. 6 changed files with 17 additions and 27 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -2,5 +2,5 @@ This is a gist used in the following blog posts: * [How to MitM Attack the API of an Android App](https://blog.approov.io/how-to-mitm-attack-the-api-of-an-android-app) * [How to Bypass Certificate Pinning with Frida on an Android App](https://blog.approov.io/how-to-bypass-certificate-pinning-with-frida-on-an-android-app) This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -24,11 +24,9 @@ Platform: Linux-5.4.0-71-generic-x86_64-with ## Start the mitmproxy Before we add the mitmproxy certificate to the emulator’s system trusted store we need to first start mitmproxy, so that its certificate is created at ~/.mitmproxy. To start mitmproxy we also need to provide the IP address where it will be listening to, and we will use our WiFI IP address because it will be later easy to proxy the emulator through it. Find the WiFi IP Address The emulator will need to reach the proxy via the wifi network where mitimproxy will be listening on port 8080. To find the wifi ip address: ``` 
@@ -41,13 +39,12 @@ You should see something like this: inet 192.168.0.08/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp3s0 ``` The IP address in bold will be necessary to start the mitmproxy and the emulator, thus you should replace it with your own one in any subsequent command you find it being used and highlighted in bold. Run mitmproxy listening on the WiFi network Open a new terminal window or tab and execute: ``` sudo docker run --rm -it -v ~/.mitmproxy:/home/mitmproxy/.mitmproxy -p 192.168.0.08:8080:8080 mitmproxy/mitmproxy:6.0.2 mitmproxy --showhost --view-filter "shipfast" --view-filter "auth0" ``` > **NOTE:** We use the --showhost option to be able to see the domain instead of just the IP address for each http request in the mitmproxy console output. The --view-filter options are to limit the output to requests containing the word shipfast or auth0 in the URL, because they are the only API backends the app communicates with, otherwise the output will be very noisy, due to all the other HTTP requests being done by the Android OS and other apps installed. The proxy is now listening on port 8080 for the IP address of your WiFi network. This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -15,7 +15,7 @@ Activate the virtual env: source frida-venv/bin/activate ``` Now that we are inside the virtual env, it is time to update it: ``` pip3 install -U setuptools 
@@ -27,7 +27,7 @@ Next, install the the Frida tools package with: pip3 install frida-tools ``` Finally, test that Frida is correctly installed: ``` frida --version This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -6,10 +6,11 @@ To use some of the tools bundled with Android studio we need to add them to the ### Java Home Var If your $JAVA_HOME is not set then you need to set it: ``` export JAVA_HOME=/opt/android-studio/jre/jre ``` ### Avd Manager Path Check that the `avdmanager` is in the path: @@ -26,6 +27,7 @@ Try it out by listing the available targets: ``` avdmanager list target ``` ### Emulator Path Check the command is installed: This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -2,7 +2,7 @@ For mitmproxy to be able to intercept the traffic coming from the Android emulator is necessary that we add it’s certificate to the trusted store, and we will follow their docs instructions. Create a hash of the certificate to use as the filename: ``` FILENAME=$(openssl x509 -inform PEM -subject_hash_old -in ~/.mitmproxy/mitmproxy-ca-cert.cer | head -1).0 ``` 
@@ -26,4 +26,5 @@ Reboot the emulator for changes to take effect: ``` adb reboot && adb wait-for-device ``` After the boot is completed you can move to the next step. This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -3,65 +3,55 @@ ## Install the Frida Server in the Android Emulator Get the Android architecture: ``` adb shell getprop ro.product.cpu.abi ``` The output should look like: ``` x86 ``` Now that we know the architecture is x86 we can use it to download the Frida server: ``` curl -Lo frida-server.xz https://github.com/frida/frida/releases/download/14.2.9/frida-server-14.2.9-android-x86.xz ``` After the download it’s finish we need to decompress it with: ``` xz -d frida-server.xz ``` Next, we will push the frida-server into the Android device with: ``` adb push frida-server /data/local/tmp ``` Give it executable permissions: ``` adb shell "chmod +x /data/local/tmp/frida-server" ``` ## Start the Frida Server in the Android Emulator Now, open another shell in your computer to start the frida-server inside the Android device or emulator. Switch adb to the root user with: ``` adb root ``` Start the Frida server in the background with: ``` adb shell "/data/local/tmp/frida-server&" & ``` Now, check the frida-server is running on the device: ``` frida-ps -U ``` The output should be a process list: ``` PID Name ---- ---------------------------------------------------  - 
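Review bot: in the certificate hunk, `adb shell "chmod 664 /system/etc/security/cacerts/$FILENAME"` gives group write on a system trust anchor, whereas the files already in that directory are `0644`; use `chmod 644` to match them. In the Frida server hunk the server is pinned to `14.2.9` (`frida-server-14.2.9-android-x86.xz`) while the host side runs whatever `pip3 install frida-tools` resolves at the time; Frida expects the host `frida` package and `frida-server` to be the same version and `frida-ps -U` fails on a mismatch, so either pin `frida-tools` to the matching release or build the URL from `frida --version`. One documentation point in the same certificate hunk: say why `openssl x509 -subject_hash_old` is used (Android's system store is indexed by the pre-1.0 OpenSSL subject hash) so that nobody "corrects" it to `-subject_hash`, which would produce a file the platform never looks up.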
approovblog revised this gist
Apr 19, 2021. 7 changed files with 320 additions and 212 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,6 @@ # Android Bypass Certificate Pinning and MitM Attack Setup This is a gist used in the following blog posts: * [MitM Attack the API of an Android Mobile App](https://blog.approov.io/mitm-attack-the-api-of-an-android-app) * [Bypass Certificate Pinning with Frida on an Android Mobile App](https://blog.approov.io/bypass-certificate-pinning-with-frida-on-an-android-mobile-app) This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
@@ -0,0 +1,53 @@ # MitMProxy Setup ## Install mitmproxy In order to intercept the traffic we will need a proxy interceptor tool, and in this tutorial we will use the mitmproxy CLI interface from within a docker container, but feel free to install it by using any other method listed in their docs. Download the mitmproxy docker image: ``` sudo docker pull mitmproxy/mitmproxy:6.0.2 ``` Test it works with: ``` sudo docker run --rm -it mitmproxy/mitmproxy:6.0.2 mitmproxy --version ``` The output should look like this: ``` Mitmproxy: 6.0.2 Python: 3.8.5 OpenSSL: OpenSSL 1.1.1i 8 Dec 2020 Platform: Linux-5.4.0-71-generic-x86_64-with ``` ## Start the mitmproxy Before we add the mitmproxy certificate to the emulator system trusted store we need to first start mitmproxy, so that it's certificate is created at `~/.mitmproxy`. To start mitmproxy we also need to provide the IP address where it will be listening too, and we will use our WiFI IP address because it will be later easy to proxy the emulator through it. Find the WiFi IP Address The emulator will need to reach the proxy via the wifi network where mitimproxy will be listening on port 8080. To find the wifi ip address: ``` ip address | grep -i wlp - ``` You should see something like this: ``` 3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 inet 192.168.0.08/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp3s0 ``` The IP address in bold will be necessary to start the mitmproxy and the emulator, thus you should replace it with your own one in any subsequent command you find it being used and highlighted in bold. 
Run mitmproxy listening on the WiFi network Open a new terminal window or tab and execute: ``` sudo docker run --rm -it -v ~/.mitmproxy:/home/mitmproxy/.mitmproxy -p 192.168.0.08:8080:8080 mitmproxy/mitmproxy:6.0.2 mitmproxy --showhost --view-filter "shipfast" --view-filter "auth0" ``` > NOTE: We use the `--showhost` option to be able to see the domain instead of just the IP address for each http request in the mitmproxy console output. The `--view-filter` options are to limit the output to requests containing the word `shipfast` or `auth0` in the URL, because they are the only API backends the app communicates with, otherwise the output will be very noisy, due to all the other HTTP requests being done by the Android OS and other apps installed. The proxy is now listening on port 8080 for the IP address of your WiFi network. This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,34 @@ # Frida Setup ## Install Frida with Python Create the Python virtual env with: ``` python3 -m venv frida-venv ``` Activate the virtual env: ``` source frida-venv/bin/activate ``` Now that we are inside the virtual env is time to update it: ``` pip3 install -U setuptools ``` Next, install the the Frida tools package with: ``` pip3 install frida-tools ``` Finnaly, test that Frida is correctly installed: ``` frida --version ``` This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
@@ -0,0 +1,126 @@ # Android 29 Emulator Setup ## Environment To use some of the tools bundled with Android studio we need to add them to the $PATH environment variable and set the $JAVA_HOME variable. ### Java Home Var If your `$JAVA_HOME` is not set then you need to set it: ``` export JAVA_HOME=/opt/android-studio/jre/jre ``` ### Avd Manager Path Check that the `avdmanager` is in the path: ``` avdmanager ``` If it says that the command is not found then add it to the path with: ``` export PATH=~/Android/Sdk/tools/bin:$PATH ``` Try it out by listing the available targets: ``` avdmanager list target ``` ### Emulator Path Check the command is installed: ``` emulator ``` If it says that the command is not found then add it to the path with: ``` export PATH=~/Android/Sdk/emulator:$PATH ``` Test it by listing your current emulators: ``` emulator -list-avds ``` ## Install Android API 29 If not already present in your Android installation, you need to add it. Start by installing the platform tools with: ``` sdkmanager "platform-tools" "platforms;android-29" ``` Next, install the system image with: ``` sdkmanager "system-images;android-29;google_apis;x86" ``` Finally, accept all package licenses with: ``` sdkmanager --licenses ``` ## Create the Emulator AVD for Android API 29 Let’s create a Pixel AVD for Android API 29 with: ``` avdmanager create avd --name pixel-android-api-29 --package "system-images;android-29;google_apis;x86" --device "pixel" ``` Add the physical keyboard support: ``` echo "hw.keyboard=yes" >> ~/.android/avd/pixel-android-api-29.avd/config.ini ``` ## Start the Emulator with a Writable File System To be able to add the mitmproxy certificate as a trusted certificate in the emulator we need to first make its file system writable. 
Let’s start the emulator in writable mode: ``` emulator -avd pixel-android-api-29 -writable-system &> /dev/null & ``` Restart `adb` as root: ``` adb wait-for-device && adb root ``` The output should look like: ``` restarting adbd as root ``` In Android 29 we need to disable verification of the filesystem before we remount it as writable: ``` adb shell avbctl disable-verification ``` The output should look like this: ``` Successfully disabled verification. Reboot the device for changes to take effect. ``` Reboot for changes to take effect: ``` adb reboot && adb wait-for-device ``` After the device have completed is reboot: ``` adb root ``` Remount `adb`: ``` adb remount ``` output should look like: ``` # ... some omitted output remount succeeded ``` This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
@@ -0,0 +1,29 @@ # Add the mitmproxy Certificate to the Android Emulator For mitmproxy to be able to intercept the traffic coming from the Android emulator is necessary that we add it’s certificate to the trusted store, and we will follow their docs instructions. Create an hash of the certificate to use as the filename: ``` FILENAME=$(openssl x509 -inform PEM -subject_hash_old -in ~/.mitmproxy/mitmproxy-ca-cert.cer | head -1).0 ``` Copy the certificate to a new file that uses the hash filename computed in the previous step: ``` cp ~/.mitmproxy/mitmproxy-ca-cert.cer $FILENAME ``` Push the certificate to the system trusted store of the emulator: ``` adb push $FILENAME /system/etc/security/cacerts ``` Give the certificate the correct permissions: ``` adb shell "chmod 664 /system/etc/security/cacerts/$FILENAME" ``` Reboot the emulator for changes to take effect: ``` adb reboot && adb wait-for-device ``` After the boot is completed you can move to the next step. This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
@@ -0,0 +1,72 @@ # Android Frida Server Setup ## Install the Frida Server in the Android Emulator Get the Android architecture: ``` adb shell getprop ro.product.cpu.abi ``` The output should look like: ``` x86 ``` Now that we know the architecture is `x86` we can use it to download the Frida server: ``` curl -Lo frida-server.xz https://github.com/frida/frida/releases/download/14.2.9/frida-server-14.2.9-android-x86.xz ``` After the download it’s finish we need to decompress it with: ``` xz -d frida-server.xz ``` Next, we will push the `frida-server` into the Android device with: ``` adb push frida-server /data/local/tmp ``` Give it executable permissions: ``` adb shell "chmod +x /data/local/tmp/frida-server" ``` ## Start the Frida Server in the Android Emulator Now, open another shell in your computer to start the `frida-server` inside the Android device or emulator. Switch adb to the root user with: ``` adb root ``` Start the Frida server in the background with: ``` adb shell "/data/local/tmp/frida-server&" & ``` Now, check the `frida-server` is running on the device: ``` frida-ps -U ``` The output should be a process list: ``` PID Name ---- --------------------------------------------------- 5310 adbd 1687 [email protected] 1790 [email protected] ... ``` This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,212 +0,0 @@  - 
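Review bot: in the Start the mitmproxy hunk, `mitmproxy --showhost --view-filter "shipfast" --view-filter "auth0"` passes `--view-filter` twice, and since `view_filter` is a single string option only `auth0` takes effect, so `shipfast` flows are hidden contrary to what the NOTE says; the filter language has an OR, so `--view-filter "shipfast | auth0"` is what the NOTE describes. In the emulator setup hunk, `adb shell avbctl disable-verification` followed by `adb remount` turns off verified boot on the AVD so the system partition can be written; the text should state that this is an emulator-only lab step and that a production device's verified boot exists precisely to stop this kind of trust-store injection. Also `adb shell "/data/local/tmp/frida-server&" &` backgrounds the server on both sides but gives no way to stop it; a cleanup line such as `adb shell killall frida-server` would help.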
        
approovblog created this gist
Apr 16, 2021.
@@ -0,0 +1,212 @@ # Certificate Pinning Setup ## MitMProxy Setup ### Install mitmproxy In order to intercept the traffic we will need a proxy interceptor tool, and in this tutorial we will use the mitmproxy CLI interface from within a docker container, but feel free to install it by using any other method listed in their docs. Download the mitmproxy docker image: ``` sudo docker pull mitmproxy/mitmproxy:6.0.2 ``` Test it works with: ``` sudo docker run --rm -it mitmproxy/mitmproxy:6.0.2 mitmproxy --version ``` The output should look like this: ``` Mitmproxy: 6.0.2 Python: 3.8.5 OpenSSL: OpenSSL 1.1.1i 8 Dec 2020 Platform: Linux-5.4.0-71-generic-x86_64-with ``` ### Start the mitmproxy Before we add the mitmproxy certificate to the emulator system trusted store we need to first start mitmproxy, so that it's certificate is created at `~/.mitmproxy`. To start mitmproxy we also need to provide the IP address where it will be listening too, and we will use our WiFI IP address because it will be later easy to proxy the emulator through it. Find the WiFi IP Address The emulator will need to reach the proxy via the wifi network where mitimproxy will be listening on port 8080. To find the wifi ip address: ``` ip address | grep -i wlp - ``` You should see something like this: ``` 3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 inet 192.168.0.08/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp3s0 ``` The IP address in bold will be necessary to start the mitmproxy and the emulator, thus you should replace it with your own one in any subsequent command you find it being used and highlighted in bold. 
Run mitmproxy listening on the WiFi network Open a new terminal window or tab and execute: ``` sudo docker run --rm -it -v ~/.mitmproxy:/home/mitmproxy/.mitmproxy -p 192.168.0.08:8080:8080 mitmproxy/mitmproxy:6.0.2 mitmproxy --showhost --view-filter "shipfast" --view-filter "auth0" ``` > NOTE: We use the `--showhost` option to be able to see the domain instead of just the IP address for each http request in the mitmproxy console output. The `--view-filter` options are to limit the output to requests containing the word `shipfast` or `auth0` in the URL, because they are the only API backends the app communicates with, otherwise the output will be very noisy, due to all the other HTTP requests being done by the Android OS and other apps installed. The proxy is now listening on port 8080 for the IP address of your WiFi network. ## Android Emulator Setup ### Environment To use some of the tools bundled with Android studio we need to add them to the $PATH environment variable and set the $JAVA_HOME variable. #### Java Home Var If your `$JAVA_HOME` is not set then you need to set it: ``` export JAVA_HOME=/opt/android-studio/jre/jre ``` #### Avd Manager Path Check that the `avdmanager` is in the path: ``` avdmanager ``` If it says that the command is not found then add it to the path with: ``` export PATH=~/Android/Sdk/tools/bin:$PATH ``` Try it out by listing the available targets: ``` avdmanager list target ``` #### Emulator Path Check the command is installed: ``` emulator ``` If it says that the command is not found then add it to the path with: ``` export PATH=~/Android/Sdk/emulator:$PATH ``` Test it by listing your current emulators: ``` emulator -list-avds ``` ### Install Android API 29 If not already present in your Android installation, you need to add it. 
Start by installing the platform tools with: ``` sdkmanager "platform-tools" "platforms;android-29" ``` Next, install the system image with: ``` sdkmanager "system-images;android-29;google_apis;x86" ``` Finally, accept all package licenses with: ``` sdkmanager --licenses ``` ### Create the Emulator AVD for Android API 29 Let’s create a Pixel AVD for Android API 29 with: ``` avdmanager create avd --name pixel-android-api-29 --package "system-images;android-29;google_apis;x86" --device "pixel" ``` Add the physical keyboard support: ``` echo "hw.keyboard=yes" >> ~/.android/avd/pixel-android-api-29.avd/config.ini ``` ### Start the Emulator with a Writable File System To be able to add the mitmproxy certificate as a trusted certificate in the emulator we need to first make its file system writable. Let’s start the emulator in writable mode: ``` emulator -avd pixel-android-api-29 -writable-system &> /dev/null & ``` Restart `adb` as root: ``` adb wait-for-device && adb root ``` The output should look like: ``` restarting adbd as root ``` In Android 29 we need to disable verification of the filesystem before we remount it as writable: ``` adb shell avbctl disable-verification ``` The output should look like this: ``` Successfully disabled verification. Reboot the device for changes to take effect. ``` Reboot for changes to take effect: ``` adb reboot && adb wait-for-device ``` After the device have completed is reboot: ``` adb root ``` Remount `adb`: ``` adb remount ``` output should look like: ``` # ... some omitted output remount succeeded ``` ### Add the mitmproxy certificate to the Android emulator device For mitmproxy to be able to intercept the traffic coming from the Android emulator is necessary that we add it’s certificate to the trusted store, and we will follow their docs instructions. 
Create an hash of the certificate to use as the filename: ``` FILENAME=$(openssl x509 -inform PEM -subject_hash_old -in ~/.mitmproxy/mitmproxy-ca-cert.cer | head -1).0 ``` Copy the certificate to a new file that uses the hash filename computed in the previous step: ``` cp ~/.mitmproxy/mitmproxy-ca-cert.cer $FILENAME ``` Push the certificate to the system trusted store of the emulator: ``` adb push $FILENAME /system/etc/security/cacerts ``` Give the certificate the correct permissions: ``` adb shell "chmod 664 /system/etc/security/cacerts/$FILENAME" ``` Reboot the emulator for changes to take effect: ``` adb reboot && adb wait-for-device ``` After the boot is completed you can move to the next step.
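Review bot: the WiFi address placeholder `192.168.0.08` has a leading zero in the last octet; `ip address` never prints addresses that way, and tools that parse them with `inet_aton` semantics treat a zero-prefixed octet as octal while stricter parsers reject it outright, so the `-p 192.168.0.08:8080:8080` docker argument may be refused or bind somewhere the reader does not expect. Use a placeholder such as `192.168.0.8` (or an explicit `<WIFI_IP>` marker) and, since the bold highlighting that "The IP address in bold" refers to did not survive in this file, mark the address in the text itself. Two smaller points: `ip address | grep -i wlp -` has a stray trailing `-` (it means "read stdin", which grep already does in a pipe) and only matches interfaces named `wlp*`, so `ip -4 address` followed by choosing the interface by hand is more portable; and passing `--view-filter` twice relies on how mitmproxy merges a repeated option, whereas the stated intent is one expression, `--view-filter "shipfast | auth0"`.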