In this blog, we were going to see what Frida is and how to set it up in our systems. We will also perform android pentesting using Frida.

 

What is Frida?

Frida is a dynamic code instrumentation toolkit that permits you to inject snippets of JavaScript or your library into the native application on your operating systems like Windows, iOS, Android, and more. It is used to hook into the running process of the application and modify the code on the fly without any requirement for re-launching or re-packaging. You can find more details about Frida here – Frida.

 

Installation Procedure:

Installing Frida tools is pretty much simple but to ensure the seamless installment procedure, you need to fulfill the below requirement of tools for Frida.

  • The latest 3x version of Python is highly recommended.
  • Windows, macOS, or GNU/Linux supported OS.

Using the PIP command as recommended on the official website, install Frida on your operating system.

#pip install Frida-tools

Installing frida tools

Fig 1: Installing frida-tools

Once Frida is successfully installed in the system, you will have to open up your command prompt and identify the version by using the below command:

#frida –version

Latest frida version

Fig 2: Latest frida version

To install the server, you need to browse for the new releases on GitHub and download the file depending upon your mobile device’s platform and of the version shown above.

Frida server files to installed in android device

Fig 3: Frida server files to installed in android device

Download the file and then extract it. Then, you will have to move it to your mobile preferably /data/local/tmp as shown below.

Push to folder or data or local or tmp

Fig 4: Push to folder /data/local/tmp

With the command mentioned below, modify the permissions for the Frida-server binary and run it.#chmod 755 frida-server

Giving executable permission

Fig 5: Giving executable permission

Now, open your desktop, enter the command mentioned below to test the connection with your Frida-server

#frida-ps –aU

Android application process

Fig 6: Android application process

Our setup is now complete. So, let’s begin using Frida for assessment.

 

Test Case 1: Root Detection Bypass Using Frida

What is root bypass?

While developing an application, the developers integrate the root mechanism to stop the user from using it. When a user tries to install some application, it throws an error message and doesn’t allow the application to install on a rooted device. We make changes in the code while performing the root bypass. This is done to restrict the app from shutting down as it further leads to application installation on the rooted android device.

Let’s look into a practical demonstration of a root detection bypass in the testing app. Open the testing app on your android phone and it says this device is rooted. You can’t use this app.

Device is rooted

Fig 7: Device is rooted

Below is the root detection protection source-code screenshot

Root detection implemented in code

Fig 8: Root detection implemented in code

Using the code mentioned below, we bypass the root detection logic. The code is available here.

Javascript code for root detection bypass

Fig 9: Javascript code for root detection bypass

Let’s run this script with this command #frida –U –f com.example.app rootbypass.js script –no-paus. It has successfully bypassed the root detection of the android app as shown in the below screenshot.

Root detection bypassed

Fig 10: Root detection bypassed

 

Test Case 2: SSL Pinning Bypass Using Frida

What is SSL Pinning?

SSL pinning only acknowledges the predefined or valid public key or certificate for any application. It is an additional security layer that is used by the developer for secure app traffic. The application trusts the custom certificate and the app to interrupt the traffic. During the implementation of SSL pinning, the app does not validate the custom certificates and does not authorize the proxy tools to intercept the traffic.

SSL pinning bypass we have to push two things into the android device:

  • BurpSuite Certificate

Pushing burpsuite certificate

Fig 11: Pushing burpsuite certificate

  • SSL Pinning Bypassed JavaScript (Frida script we can find here)

pushing frida script

Fig 12: pushing frida script

Now let’s try to bypass the SSL Pinning of an android application. Firstly, we need to find out the id of our target application. Then, we will list all running services on devices including your application process.

Now, run this command in your terminal — #frida-ps –aU

Twitter PID and package name identifier

Fig 13: Twitter PID and package name identifier

After that hook fridascript.js and certificate file into android device and run this command –

//frida -U -f <your_application_package_name> -l <path_to_fridascript.js_on_your_computer> –no-paus

SSL pinning bypassed

Fig 14: SSL pinning bypassed

We have successfully bypassed the SSL Pinning and intercepted the traffic in Burp Suite.

Password window

All request traffic in Burp Suite

Fig 15: All request traffic in Burp Suite

 

Conclusion

In this blog, you read about carrying out the android pentesting using Frida. There is penetration method like android penetration testing with drozerAWS pentesting, and much more that you can read in our blog section.

 

References:

https://codeshare.frida.re/

https://httptoolkit.tech/blog/frida-certificate-pinning/

https://arben.sh/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/

https://www.youtube.com/watch?v=dqA38-1UMxI

 

Author,

Rituraj Vishwakarma

Associate Security Consultant,

Attack & Pentest Team,

Varutra Consulting Pvt Ltd.