The Mobile Hacking CheatSheet is an attempt to summarise a few interesting basics info regarding tools and commands needed to assess the security of Android and iOS mobile applications.
PDF versions:
- Review the codebase
- Run the app
- Dynamic instrumentation
- Analyze network communications
https://github.com/OWASP/owasp-mstg
https://github.com/OWASP/owasp-masvs
https://github.com/OWASP/owasp-mstg/tree/master/Checklists
- META-INF: Files related to the signature scheme (v1 scheme only)
- lib: Folder containing native libraries (ARM, MIPS, x86, x64)
- assets: Folder containing application specific files
- res: Folder containing all the resources files (layouts, strings, etc.) of the application
- classes.dex [classes2.dex] ...: Dalvik bytecode of the application
- AndroidManifest.xml: Manifest file describing essential information about the app (permissions, components, etc.)
The package name represents the app’s unique identifier (e.g. for YouTube):
com.google.android.youtube
User applications
/data/data/<package-name>/Shared Preferences Files
/data/data/<package-name>/shared_prefs/SQLite Databases
/data/data/<package-name>/databases/Internal Storage
/data/data/<package-name>/files/Connect throug USB
adb -d shellConnect through TCP/IP
adb -e shellGet a shell or execute the specified command
adb shell [cmd]List processes
adb shell psList Android devices connected to your machine
adb devicesDump the log messages from Android system
adb logcatCopy local file to Android device
adb push <local> <device>Copy file from the Android device
adb pull <remote> <local>Install APK file on the Android device
adb install <APK_file>Install an App Bundle
adb install-multiple <APK_file1> <APK_file2> <APK_file3> ...Set-up port forwarding using TCP protocol from host to Android device
adb forward tcp:<local_port> tcp:remote_portList all packages on the device
adb shell pm list packagesFind the path where the APK is stored for the selected package name
adb shell pm path <package-name>List only installed apps (not system apps) and the associated path
adb shell pm list packages -f -3List packages names matching the specified pattern
adb shell pm list packages -f -3 [pattern]For signing your APK file, you have 2 options
-
jarsigner: Only supports v1 signature scheme (JAR signature)
jarsigner -verbose -keystore <keystore_name> -storepass <keystore_password> <APK_file> <alias_name> -
apksigner: Official tool from Android SDK (since version 24.0.3), which supports all the signature schemes (from v1 to v4)
apksigner sign --ks <keystore_name> --ks-pass pass:<keystore_password> <APK_file>
To create your own keystore, the following one-liner can be used:
keytool -genkeypair -dname "cn=John Doe, ou=Security, o=Randorisec, c=FR" -alias <alias_name>
-keystore <keystore_name> -storepass <keystore_password> -validity <days> -keyalg RSA -keysize 2048 -sigalg SHA1withRSATo tamper an APK file, the foolowing steps should be performed:
-
Disassemble the app with
apktooland save the smali code into output directoryapktool d <APK_file> -o <directory_output>
-
Modify the smali code of your app (or the resource files if needed)
-
Build the modified APK with
apktoolapktool b <directory_output> -o <new_APK_file>
-
Sign the APK (see Application Signing)
-
(Optional) Use
zipalignto provide optimization to the APK filezipalign -fv 4 <input_APK> <output_APK>
Install Frida and Python bindings on your system using pip
pip install frida frida-toolsDownload the Frida server binary matching the targeted architecture and your Frida version
VER=`frida --version`
ABI=`adb shell getprop ro.product.cpu.abi`
wget https://github.com/frida/frida/releases/download/$VER/frida-server-$VER-android-$ABI.xz
xz -d frida-server-$VER-android-$ABI.xzUpload and execute the Frida server binary on your Android device (root privileges are needed)
VER=`frida --version`
ABI=`adb shell getprop ro.product.cpu.abi`
adb root
adb push frida-server-$VER-android-$ABI /data/local/tmp/frida
adb shell "chmod 755 /data/local/tmp/frida"
adb shell "/data/local/tmp/frida"List running processes (emulators or devices connected through USB)
frida-ps -U List only installed applications
frida-ps -U -iAttach Frida client to the specified application (emulator or device connected through USB)
frida -U <package_name>Spawn the specified application (emulator or device connected through USB)
frida -U -f <package_name> Spawn the specified application without any pause at the beginning (emulator or device connected through USB)
frida -U -f <package_name> --no-pauseLoad a Frida script when attaching to the specified application
frida -U -l <script_file> <package_name>Inject Frida Gadget library inside an APK file by specifying the targeted architecture (if emulator not running or device not connected)
objection patchapk --source <APK_file> -V <frida_version> --architecture <arch>Inject Frida Gadget library inside an APK file using lastest Frida version available on Github (if emulator running or device connected to the device)
objection patchapk --source <APK_file>- Launch
BurpSuiteand modify Proxy settings in order to listen on "All interfaces" (or a specific interface) - Edit the Wireless network settings in your device or the emulator proxy settings (Android Studio)
- Export the CA certificate from Burp and save it with ".cer" extension
- Push the exported certificate on the device with adb (into the SD card)
- Go to "Settings->Security" and select "Install from device storage"
- Select for "Credentials use" select "VPN and apps"
References:
- Configuring an Android device to work with Burp
- Installing BurpSuite's CA certificate in an Android device
From Android 7, the Android system no longer trusts the user supplied CA certificates. To be able to intercept SSL/TLS communication, you have 3 options:
- Use an older version of Android
- Use a rooted device and install the BurpSuite CA certificate inside the sytem store certificate
- Tamper the targeted application in order to re-enable the user store certificate
In order to tamper the targeted Android application, we are going to add or modify the network security configuration file. This file on recent Android versions allows to force the application to trust the user supplied CA certificates. The following steps should be performed:
-
Install the Burpsuite's CA certificate on your Android device (see Before Android 7)
-
Disassemble the targeted app (APK file) with
apktool -
Add or modify the
network_security_config.xmlfile (usually onres/xml/folder). The content of the file should be:<?xml version="1.0" encoding="utf-8"?> <network-security-config> <base-config> <trust-anchors> <certificates src="system" /> <certificates src="user" /> </trust-anchors> </base-config> </network-security-config>
-
If the
network_security_config.xmlfile is not present on your app, theAndroidManifest.xmlalso need to be modified by adding thenetworkSecurityConfigtag as follow:<application android:name="AppName" android:networkSecurityConfig="@xml/network_security_config">
-
Build the modified app with
apktooland then sign the newly created APK file (see Application Signing)
Query a Content Provider
adb shell content query --uri content://<provider_authority_name>/<table_name>Insert an element on a Content Provider
adb shell content insert --uri content://<provider_authority_name>/<table_name>
--bind <param_name>:<param_type>:<param_value>Delete a row on a Content Provider
adb shell content delete --uri content://<provider_authority_name>/<table_name>
--where "<param_name>='<param_value>'"Start an Activity with the specified Intent
adb shell am start -n <package_name/activity_name> -a <intent_action>Start an Activity with the specified Intent and extra parameters
adb shell am start -n <package_name/activity_name> -a <intent_action> --es <param_name> <string_value> --ez <param_name> <boolean_value> --ei <param_name> <int_value> …App list database
/User/Library/FrontBoard/applicationState.db Binary directory: include all the static resources of the app
/private/var/containers/Bundle/Application/UUID/App.app Path of the binary (executable)
/private/var/containers/Bundle/Application/UUID/App.app/AppApp metadata: configuration of the app (icon to display, supported document types, etc.)
/private/var/containers/Bundle/Application/UUID/App.app/Info.plistData directory
/private/var/mobile/Containers/Data/Application/Data-UUIDUUID (Universally Unique Identifier): random 36 alphanumeric characters string unique to the app Data-UUID: random 36 alphanumeric characters string unique to the app
By default the root password on your jailbroken iOS device is alpine
If you've changed it and want to reset it:
- Open
/etc/passwdor/private/etc/master.passwdwith a file manager app (e.g. iFile/Fileza) - Change the hash to:
/smx7MYTQIi2M - root password will be
alpine
The bundle ID (aka package name) represents the app’s unique identifier (e.g. for YouTube)
com.google.ios.youtube
Grep is the not-so-quick ‘n dirty way to find where are the data and binary directories of your app
iPhone:~ root# grep -r <App_name> /private/var/*By launching Frida with the ios-app-info script
frida -U <App_name> -c dki/ios-app-infoAnd then
[iPhone::App]-> appInfo()Or manually by opening the app list database
iPhone:~ root# sqlite3 /User/Library/FrontBoard/applicationState.dbAnd displaying the key_tab table to get the binary directories
sqlite> select * from key_tab;Or displaying the application_identifier_tab table to get the bundle IDs
sqlite> select * from application_identifier_tab;- Add https://level3tjg.xyz/repo/ src to Cydia and install bfdecrypt tool
- Go to bfdecrypt pref pane in Settings and set the app to decrypt
- Launch the app to decrypt: decrypted IPA is stored in the Documents folder of the app
List running processes
frida-ps –UAnalyse the calls to a method by launching Frida with the objc-method-observer script
frida -U <App_name> –c mrmacete/objc-method-observerAnd then using the command observeSomething
[iPhone::App]-> observeSomething('*[* *<Method_name>*]’);Hook the calls to the method <Method_name>
frida-trace -U <App_name> -m "-[* <Method_name>*]"Then open the JavaScript handler file to edit the onEnter or onLeave functions to manipulate the behavior of the app
Inject objection
objection -g "<App_name>" exploreList the classes (output will contain thousands of lines)
ios hooking list classesList the methods of a class
ios hooking list class_methods <Class_name>Search for classes|methods names containing
ios hooking search classes|methods <String>Analyse the calls to the method <Method_name>
ios hooking watch method "-[<Class_name> <Method_name>]"Hook the <Method_name> and return true to each call
ios hooking set return_value "-[<Class_name> <Method_name>]" trueImpactor (http://www.cydiaimpactor.com) let you display the NSLog (syslog) on command line
./Impactor idevicesyslog -u <UDID>- Launch Burp and modify proxy settings in order to listen on “All interfaces”
- Browse to the IP/port of your Burp proxy using Safari
- Tap on the “CA Certificate” at the top right of the screen
- Tap on “Allow” on the pop-up asking to download a configuration profile
- Go to “Settings->Profile Downloaded” and select the “PortSwigger CA” profile
- Tap on “Install” then “Install” again and then “Install” one last time
- Edit the wireless network settings on your device to set a proxy (“Settings->Wi-Fi” then tap on the blue “i”, slide to the bottom of the screen and tap on “Configure Proxy”)
- Tap on ”Manual”, set the IP/port of your Burp proxy, tap on “Save”
- Go to “Settings->General->About->Certificate Trust Settings” & toggle on the PortSwiggerCA
Download and install SSL Kill Switch 2 tweak
wget https://github.com/nabla-c0d3/ssl-kill-switch2/releases/download/0.14/com.nablac0d3.sslkillswitch2_0.14.deb
dpkg -i com.nablac0d3.sslkillswitch2_0.14.deb
killall -HUP SpringBoard Go to “Settings->SSL Kill Switch 2” to ”Disable Certificate Validation”
UDID is a string that is used to identify a device. Needed for some operations like signature, app installation, network monitoring.
- Get the UDID with MacOS
idevice_id –lor
ioreg -p IOUSB -l | grep "USB Serial"or by launching Impactor without parameters
- Get the UDID with Linux
usbfluxctl list or
lsusb -s :`lsusb | grep iPhone | cut -d ' ' -f 4 | sed 's/://'` -v | grep iSerial | awk '{print $3}'or by launching Impactor without parameters
- With MacOS (install Xcode and additional tools and connect the device with USB)
rvictl -s <UDID>
tcpdump or tshark or wireshark –i rvi0- With Linux or Windows (get https://github.com/gh2o/rvi_capture and connect the device with USB)
./rvi_capture.py --udid <UDID> iPhone.pcapSideloading an app including an instrumentation library like Frida let you interact with the app even if it’s installed on a non jailbroken device.
Here’s the process to do it with IPAPatch: Clone the IPAPatch project
git clone https://github.com/Naituw/IPAPatchMove the IPA of the app you want to sideload to the Assets directory
mv <IPAfile> IPAPatch/Assets/Download the FridaGadget library (in Assets/Dylibs/FridaGadget.dylib)
curl -O https://build.frida.re/frida/ios/lib/FridaGadget.dylibSelect the identity to sign the app
security find-identity -p codesigning –vSign FridaGadget library
codesign -f -s <IDENTITY> FridaGadget.dylibThen open IPAPatch Xcode project, Build and Run.
Here’s the process to do it with Objection (detailed steps on https://github.com/sensepost/objection/wiki/Patching-iOS-Applications)
security find-identity -p codesigning –v
objection patchipa --source <IPAfile> --codesign-signature <IDENTITY>
unzip <patchedIPAfile>
ios-deploy --bundle Payload/my-app.app -W –d
objection exploreFour levels are provided by iOS to encrypt automatically files on the device:
NSProtectionComplete: file is only accessible when device is unlocked (files are encrypted with a key derived from the user PIN code & an AES key generated by the device)NSProtectionCompleteUntilFirstUserAuthentication: (defaut class) same except as before, but the decryption key is not deleted when the device is lockedProtectedUnlessOpen: file is accessible until openNoProtection: file is accessible even if device is locked
By launching Frida with the ios-dataprotection script
frida -U <App_name> -c ay-kay/ios-dataprotectionThe Mobile Hacking CheatSheet is an open source project released under the CC-BY-SA 4.0 licence.