forked from beau/relab
2.2 KiB
2.2 KiB
relab
Lab for reverse engineering APKs
RE environment for dynamic and static analysis of APKs
Includes:
- mitmproxy
- Frida
- Genymotion
- Jadx
- apktool
Note: Setup scripts built and tested on Ubuntu 20
Prereqs:
- Python3:
sudo apt install python3
- pip3:
sudo apt install python3-pip
- dev-tools:
apt install build-essential
)
Install Dynamic Analysis Tools
- Run install script for mitmproxy and genymotion emulator:
./install_all.sh
- Create and start Android emulated device in Genymotion OR attach physical rooted test Android device over USB.
- Make sure test device is accessible over adb with root access:
adb shell
->su
- Run script to copy mitmproxy cert to be system cert on device:
cd setup_scripts; ./make_root_ca.sh
- Install frida:
cd frida; ./install_frida.sh
- Get frida-server binary then push to test Android device:
./get_frida_server.sh
- Start frida-server on Android:
adb shell
->su
->/data/local/tmp/frida-server &
- Verify frida is attaching to device over adb:
frida-ps -U
Note: May need to mount Android filesystem as writable after step 3: adb shell; su; mount -o rw,remount /system
Capturing Live HTTPS from app
- Start mitmproxy on desktop:
cd mitmprox; ./mitmweb
- Make sure test Android is connected to proxy:
Settings
->Network
->Wi-Fi
->Click then hold down connected network
->Modify network
->(click) Advanced options drop down
->Set Proxy to "Manual"
->hostname = IP of desktop
->proxy port = 8080
- View decrypted traffic panel in
mitmweb
browser on desktop at:localhost:8081
- Visit any site in browser on Android to verify decryption is working
Use Frida to bypass SSL pinning and capture files accessed
- Make sure frida server is started on Android and verify connection:
frida-ps -U
- Find name of app package to target with frida:
adb shell pm list packages
- Bypass SSL for targeted app:
frida -l frida_scripts/multiple_unpinning.js -U -f <package_id> --no-pause
- Trace files being opened by app on device:
frida-trace -U -i open -f <package_id>
Note: Most Android apps do not need SSL pinning bypass for mitmproxy to work