![](\"https:\/\/varutra-1a3b6.kxcdn.com\/wp-content\/uploads\/2022\/01\/Android-Pentesting-Using-FRIDA-1024x535.png\" "\\"Android")
\nIn this blog, we were going to see what Frida is and how to set it up in our systems. We will also perform android pentesting using Frida.<\/p>\n
\nIn this blog, we were going to see what Frida is and how to set it up in our systems. We will also perform android pentesting using Frida.<\/p>\n
<\/p>\n
Frida is a dynamic code instrumentation toolkit that permits you to inject snippets of JavaScript or your library into the native application on your operating systems like Windows, iOS, Android, and more. It is used to hook into the running process of the application and modify the code on the fly without any requirement for re-launching or re-packaging. You can find more details about Frida here –\u00a0Frida<\/a>.<\/p>\n <\/p>\n Installing Frida tools is pretty much simple but to ensure the seamless installment procedure, you need to fulfill the below requirement of tools for Frida.<\/p>\n Using the PIP command as recommended on the official website, install Frida on your operating system.<\/p>\n #pip install Frida-tools<\/p>\n Fig 1: Installing frida-tools<\/strong><\/p>\n Once Frida is successfully installed in the system, you will have to open up your command prompt and identify the version by using the below command:<\/p>\n #frida \u2013version<\/p>\n Fig 2: Latest frida version <\/strong><\/p>\n To install the server, you need to browse for the new\u00a0releases<\/a>\u00a0on GitHub and download the file depending upon your mobile device’s platform and of the version shown above.<\/p>\n Fig 3: Frida server files to installed in android device<\/strong><\/p>\n Download the file and then extract it. Then, you will have to move it to your mobile preferably \/data\/local\/tmp as shown below.<\/p>\n Fig 4: Push to folder \/data\/local\/tmp<\/strong><\/p>\n With the command mentioned below, modify the permissions for the Frida-server binary and run it.#chmod 755 frida-server<\/p>\n Fig 5: Giving executable permission<\/strong><\/p>\n Now, open your desktop, enter the command mentioned below to test the connection with your Frida-server<\/p>\n #frida-ps \u2013aU<\/p>\n Fig 6: Android application process<\/strong><\/p>\n Our setup is now complete. So, let\u2019s begin using Frida for assessment.<\/p>\n <\/p>\n While developing an application, the developers integrate the root mechanism to stop the user from using it. When a user tries to install some application, it throws an error message and doesn\u2019t allow the application to install on a rooted device. We make changes in the code while performing the root bypass. This is done to restrict the app from shutting down as it further leads to application installation on the rooted android device.<\/p>\n Let\u2019s look into a practical demonstration of a root detection bypass in the testing app. Open the testing app on your android phone and it says this device is rooted. You can\u2019t use this app.<\/p>\n Fig 7: Device is rooted<\/strong><\/p>\n Below is the root detection protection source-code screenshot<\/p>\n Fig 8: Root detection implemented in code<\/strong><\/p>\n Using the code mentioned below, we bypass the root detection logic. The code is available here<\/a>.<\/p>\n Fig 9: Javascript code for root detection bypass<\/strong><\/p>\n Let\u2019s run this script with this command #frida \u2013U \u2013f com.example.app rootbypass.js script \u2013no-paus. It has successfully bypassed the root detection of the android app as shown in the below screenshot.<\/p>\n Fig 10: Root detection bypassed<\/strong><\/p>\n <\/p>\n SSL pinning<\/strong>\u00a0only acknowledges the predefined or valid public key or certificate for any application. It is an additional security layer that is used by the developer for secure app traffic. The application trusts the custom certificate and the app to interrupt the traffic. During the implementation of SSL pinning, the app does not validate the custom certificates and does not authorize the proxy tools to intercept the traffic.<\/p>\n SSL pinning bypass we have to push two things into the android device:<\/p>\n Fig 11: Pushing burpsuite certificate <\/strong><\/p>\n Fig 12: pushing frida script <\/strong><\/p>\n Now let\u2019s try to bypass the SSL Pinning of an android application. Firstly, we need to find out the id of our target application. Then, we will list all running services on devices including your application process.<\/p>\n Now, run this command in your terminal — #frida-ps \u2013aU<\/p>\n Fig 13: Twitter PID and package name identifier<\/strong><\/p>\n After that hook fridascript.js and certificate file into android device and run this command –<\/p>\n \/\/frida -U -f <your_application_package_name> -l <path_to_fridascript.js_on_your_computer> –no-paus<\/p>\n Fig 14: SSL pinning bypassed<\/strong><\/p>\n We have successfully bypassed the SSL Pinning and intercepted the traffic in Burp Suite.<\/p>\n Fig 15: All request traffic in Burp Suite<\/strong><\/p>\n <\/p>\n In this blog, you read about carrying out the android pentesting using Frida. There is penetration method like\u00a0android penetration testing with drozer<\/a>,\u00a0AWS pentesting<\/a>, and much more that you can read in our\u00a0blog<\/a>\u00a0section.<\/p>\n <\/p>\n https:\/\/codeshare.frida.re\/<\/strong><\/a><\/p>\n https:\/\/httptoolkit.tech\/blog\/frida-certificate-pinning\/<\/strong><\/a><\/p>\nInstallation Procedure:<\/strong><\/h3>\n
\n
![\"Installing](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2022\/01\/Installing-frida-tools.png\")
<\/p>\n![\"Latest](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2022\/01\/Latest-frida-version.png\")
<\/p>\n![\"Frida](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2022\/01\/Frida-server-files-to-installed-in-android-device.png\")
<\/p>\n![\"Push](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2022\/01\/Push-to-folder-or-data-or-local-or-tmp.png\")
<\/p>\n![\"Giving](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2022\/01\/Giving-executable-permission.png\")
<\/p>\n![\"Android](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2022\/01\/Android-application-process.png\")
<\/p>\nTest Case 1: Root Detection Bypass Using Frida<\/strong><\/h3>\n
What is root bypass?<\/strong><\/h4>\n
![\"Device](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2022\/01\/Device-is-rooted.png\")
<\/p>\n![\"Root](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2022\/01\/Root-detection-implemented-in-code.png\")
<\/p>\n![\"Javascript](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2022\/01\/Javascript-code-for-root-detection-bypass.png\")
<\/p>\n![\"Root](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2022\/01\/Root-detection-bypassed.png\")
<\/p>\nTest Case 2: SSL Pinning Bypass Using Frida<\/strong><\/h3>\n
What is SSL Pinning?<\/strong><\/h4>\n
\n
![\"Pushing](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2022\/01\/Pushing-burpsuite-certificate.png\")
<\/p>\n\n
![\"pushing](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2022\/01\/pushing-frida-script.png\")
<\/p>\n![\"Twitter](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2022\/01\/Twitter-PID-and-package-name-identifier.png\")
<\/p>\n![\"SSL](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2022\/01\/SSL-pinning-bypassed.png\")
<\/p>\n![\"Password](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2022\/01\/Password-window.png\")
<\/p>\n![\"All](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2022\/01\/All-request-traffic-in-Burp-Suite.png\")
<\/p>\nConclusion<\/strong><\/h3>\n
References:<\/strong><\/h3>\n