Bypass Binary Protections

Identify compilers, packers, obfuscators

# https://github.com/rednaga/APKiD

apkid --scan-depth 0 -r target.apk

SSL Pinning

  • Missing SSL pinning

  • Bypass with objection

objection --gadget <com.package.app> explore --startup-command "android sslpinning disable"

# Or attach to the already running process by PID
─❯ frida-ps -Uai
5682  TestApp     com.testapp.plus
[...]

─❯ objection -g 5682 explore # Attach to the app
com.testapp.plus on (Android: 11) [usb] # android sslpinning disable

  • Bypass with frida

frida -U --codeshare akabe1/frida-multiple-unpinning -f <com.package.app>
frida -U --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f <com.package.app>

  • Replacing the hard-coded SHA-256 hash

# Detection
# 1. Decompile apk
# 2. Open jadx-gui
# 3. Search "sha256/"

# Replace the hash with the one of the Burp Suite CA certificate
# 4. Export the certificate in DER format from Burp
# 5. Convert the DER certificate to PEM
openssl x509 -inform DER -in cacert.cer -out cacert.crt
# 6. Get the hash (SHA-256 of the SubjectPublicKeyInfo, base64-encoded: the value that follows "sha256/")
openssl x509 -in cacert.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
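
An added example for the pin format above, not part of the original notes: a POSIX shell script that derives the `sha256/...` SPKI pin from a PEM or DER certificate and checks which of a set of known certificates (current server cert, backup cert) a pin found in the app belongs to, which is also how a developer verifies the pin set in a Network Security Config or OkHttp CertificatePinner before release. It relies only on openssl; the function names are mine and the two self-signed certificates it generates are constructed test data.

```shell
#!/bin/sh
# Added example, not from the original notes: compute and check OkHttp /
# Network Security Config style pins ("sha256/<base64>") with only openssl.

# spki_pin FILE [PEM|DER]: SHA-256 over the DER SubjectPublicKeyInfo, base64,
# prefixed with "sha256/" (the exact string format searched for in jadx).
spki_pin() {
  file="$1"; form="${2:-PEM}"
  openssl x509 -inform "$form" -in "$file" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl enc -base64 \
    | sed 's|^|sha256/|'
}

# match_pin PIN FILE...: print the first certificate whose SPKI pin equals PIN;
# exit status 1 if none matches (e.g. a backup pin whose cert is not deployed yet).
match_pin() {
  pin="$1"; shift
  for cert in "$@"; do
    if [ "$(spki_pin "$cert")" = "$pin" ]; then
      echo "$cert"
      return 0
    fi
  done
  return 1
}

# make_demo_certs DIR: constructed test data, two throwaway self-signed certs
# (a.pem/a.key and b.pem/b.key) standing in for the server and a backup cert.
make_demo_certs() {
  for n in a b; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$n.example" \
      -keyout "$1/$n.key" -out "$1/$n.pem" 2>/dev/null
  done
}

# Demo: take the pin of a.pem as the value "found in the app" and see which
# known certificate it belongs to.
demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
app_pin=$(spki_pin "$demo_dir/a.pem")
echo "pin found in app: $app_pin"
if matched=$(match_pin "$app_pin" "$demo_dir/b.pem" "$demo_dir/a.pem"); then
  echo "matches certificate: $matched"
else
  echo "matches none of the known certificates"
fi
```

A pin that matches none of the certificates you control is worth a second look: it is either a backup key, a pin for a third-party host, or a pin that was tampered with.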
  • Intercept network traffic using remote debugging

This allows you to intercept the traffic of the app's WebView. It's especially useful in Cordova-based apps.

Tip: if you can't use remote debugging, recompile the app with it enabled.

Root Detection

  • Missing root detection

  • Bypass with frida

frida --codeshare dzonerzy/fridantiroot -f <com.package.app> -U

  • Identify RASP

    • Analyze source code

    • apkid --scan-depth 0 -r target.apk

  • Bypass protection analyzing the code and/or with frida

    • If the app returns an error message (e.g. "Your device appears to be rooted"), search for this string in the decompiled code

Emulator Detection

  • Missing emulator detection

  • Bypass protection analyzing the code and/or with frida
