🛠 FRIDA: a must for Mobile AST
Greetings,
Today we'll look at a tool that becomes extremely useful for testing mobile clients from the very first steps. I recommend looking in its direction right away, because it will help you build a correct understanding of mobile application security analysis.
Frida is a dynamic instrumentation toolkit: it injects a runtime into a process and lets you intercept its calls. The client (CLI/Python/Node.js) and the runtime injected into the target application process work together. Frida Gadget is the same runtime packaged as a library that can be embedded into the app itself.
Helps with:
• intercept and modify function calls with hooks
• change arguments and return values
• influence process memory in runtime
• bypass client checks (root/jailbreak detect, SSL pinning, licensing)
• do live dynamic analysis without source codes and recompilation
Commands
$ frida-ps -U # processes on the USB device
$ frida-ps -Uai # all installed applications on the USB device
$ frida-trace -U -f com.example.app -j "com.example.app.auth.LoginManager!validateCredentials" # trace an Android Java method (-j CLASS!METHOD) without writing JS
$ frida-trace -i "SSL_*" -f /usr/bin/curl # trace all SSL_* functions in the native binary
$ frida-trace -i "fopen" -p <PID> # trace all fopen calls in the current process
Example
$ frida -U -f com.example.app -l script.js # spawn the app by package name via USB and load the JS script
Java.perform(function () {
    var LoginManager = Java.use("com.example.app.auth.LoginManager");
    // Intercept the validateCredentials(String user, String pass) method
    LoginManager.validateCredentials.implementation = function (user, pass) {
        console.log("[*] validateCredentials called");
        console.log("    user:", user);
        console.log("    pass:", pass);
        // You can change the parameters before calling the original
        // user = "test@example.com";
        // pass = "P@ssw0rd!";
        var result = this.validateCredentials(user, pass);
        console.log("    result:", result);
        return result;
    };
});
QA automation
import frida, sys

JS_CODE = """
Java.perform(function () {
    var Cls = Java.use("com.example.app.auth.LoginManager");
    Cls.validateCredentials.implementation = function (user, pass) {
        send("validateCredentials: " + user + " / " + pass);
        return this.validateCredentials(user, pass);
    };
});
"""

def on_message(message, data):
    print("[*] Message:", message)

device = frida.get_usb_device()
pid = device.spawn(["com.example.app"])
session = device.attach(pid)
script = session.create_script(JS_CODE)
script.on("message", on_message)
script.load()
device.resume(pid)
sys.stdin.read()
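As an added example (not from the original post), the same harness generalized for QA work: one generated hook per target method, all overloads covered, structured send() payloads instead of free text, and a call log that redacts argument positions marked as secret. The package, class and method names are assumed for illustration; `frida` is imported only inside `run()` so the rest can be exercised without a device.

```python
# Added example (not from the post): frida-python QA harness with generated hooks.
import sys

# One hook per target; this[m].apply lets Frida dispatch to the right overload.
# Package, class and method names used here are assumed for illustration.
HOOK = """
  Java.use("%(cls)s").%(m)s.overloads.forEach(function (ov) {
    ov.implementation = function () {
      var args = Array.prototype.slice.call(arguments).map(String);
      var ret = this.%(m)s.apply(this, arguments);
      send({ method: "%(cls)s.%(m)s", args: args, ret: String(ret) });
      return ret;
    };
  });"""

def build_hooks(targets):
    """targets: 'pkg.Class.method' strings -> one Frida script hooking them all."""
    body = "".join(HOOK % dict(zip(("cls", "m"), t.rsplit(".", 1))) for t in targets)
    return "Java.perform(function () {" + body + "\n});\n"

class CallLog:
    """Collects structured send() payloads; redacts argument positions marked secret
    (e.g. {"pkg.Class.method": {1}}) so credentials never reach the QA log."""
    def __init__(self, secret_args):
        self.secret_args, self.calls, self.errors = secret_args, [], []

    def on_message(self, message, data):
        if message["type"] == "error":          # exception raised inside a hook
            self.errors.append(message.get("description", str(message)))
            return
        p = message["payload"]
        hidden = self.secret_args.get(p["method"], set())
        args = ["<redacted>" if i in hidden else a for i, a in enumerate(p["args"])]
        self.calls.append((p["method"], args, p["ret"]))

    def count(self, method):
        return sum(1 for m, _, _ in self.calls if m == method)

def run(package, targets, log):
    """Spawn the app over USB, load the generated hooks and stream messages."""
    import frida  # imported here so build_hooks/CallLog work with no device attached
    device = frida.get_usb_device()
    pid = device.spawn([package])
    session = device.attach(pid)
    script = session.create_script(build_hooks(targets))
    script.on("message", log.on_message)
    script.load()
    device.resume(pid)
    sys.stdin.read()

if __name__ == "__main__":
    targets = ["com.example.app.auth.LoginManager.validateCredentials",
               "com.example.app.auth.SessionStore.saveToken"]
    run("com.example.app", targets, CallLog({targets[0]: {1}}))
```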
Summary:
• Allows you to dynamically observe and change the behavior of applications without source code or recompilation
• Ideal for AppSec tasks at the level of mobile/desktop clients, crypto logic, protocols, anti-fraud and anti-tamper mechanisms
• Requires accuracy and understanding of internal APIs and platform features
• Almost indispensable in pentests of mobile applications, when you need to bypass protections and “look inside” runtime
#toolchain #sast #appsec #reco #dast #mast
