RE env for inspecting APKs
# relab
Lab for reverse engineering APKs

### RE environment for dynamic and static analysis of APKs
Includes:
1. mitmproxy
2. Frida
3. Genymotion
4. Jadx
5. apktool

_**Note:** Setup scripts built and tested on Ubuntu 20_

#### Prereqs:
1. Python3: `sudo apt install python3`
2. pip3: `sudo apt install python3-pip`
3. dev-tools: `apt install build-essential`

#### Install Dynamic Analysis Tools
1. Run the install script for mitmproxy and the Genymotion emulator: `./install_all.sh`
2. Create and start an emulated Android device in Genymotion, OR attach a physical rooted test Android device over USB.
3. Make sure the test device is reachable over adb with root access: `adb shell` -> `su`
4. Run the script that installs the mitmproxy CA certificate as a system certificate on the device: `cd setup_scripts; ./make_root_ca.sh`
5. Install Frida: `cd frida; ./install_frida.sh`
6. Fetch the frida-server binary and push it to the test Android device: `./get_frida_server.sh`
7. Start frida-server on Android: `adb shell` -> `su` -> `/data/local/tmp/frida-server &`
8. Verify that Frida can attach to the device over adb: `frida-ps -U`

_**Note:** You may need to remount the Android system partition as writable after step 3: `adb shell; su; mount -o rw,remount /system`_

#### Capturing Live HTTPS from app
1. Start mitmproxy on the desktop: `cd mitmprox; ./mitmweb`
2. Make sure the test Android device is routed through the proxy: `Settings` -> `Network` -> `Wi-Fi` -> `Click and hold the connected network` -> `Modify network` -> `(click) Advanced options drop down` -> `Set Proxy to "Manual"` -> `hostname = IP of desktop` -> `proxy port = 8080`
3. View the decrypted traffic in the `mitmweb` UI in a browser on the desktop at `localhost:8081`
4. Visit any site in a browser on the Android device to verify that decryption is working

#### Use Frida to bypass SSL pinning and capture files accessed
1. Make sure frida-server is running on Android and verify the connection: `frida-ps -U`
2. Find the package name of the app to target with Frida: `adb shell pm list packages`
3. Bypass SSL pinning for the targeted app: `frida -l frida_scripts/multiple_unpinning.js -U -f <package_id> --no-pause`
4. Trace the files the app opens on the device: `frida-trace -U -i open -f <package_id>`

_**Note:** Most Android apps do not need an SSL pinning bypass for mitmproxy to work_
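A preflight script that confirms the device-side state the steps above assume is actually in place (adb root from step 3, frida-server from step 7, the system CA from step 4, and the Wi-Fi proxy from the HTTPS capture section). This is an added example, not part of the relab repo; it assumes the mitmproxy CA sits at the default `~/.mitmproxy/mitmproxy-ca-cert.pem` and that `settings get global http_proxy` reflects the manual Wi-Fi proxy.

```shell
#!/bin/sh
# relab_preflight.sh (added example, not part of the relab repo): checks the
# device-side state the README steps assume. Helpers take their input as $1 so
# they can be run against captured output without a device attached.

# `adb devices` output: exactly one device, and in state "device" (not offline/unauthorized).
adb_single_device() {
  n=$(printf '%s\n' "$1" | awk 'NR > 1 && $2 == "device" { n++ } END { print n + 0 }')
  [ "$n" -eq 1 ]
}

# Output of `adb shell su -c id`: step 3 requires uid 0 after `su`.
shell_is_root() {
  case "$1" in
    "uid=0("*) return 0 ;;
    *) return 1 ;;
  esac
}

# Output of `adb shell ps -A`: step 7 leaves frida-server running from /data/local/tmp.
frida_server_running() {
  printf '%s\n' "$1" | grep -q '/data/local/tmp/frida-server'
}

# Value of `adb shell settings get global http_proxy` (assumed to mirror the manual
# Wi-Fi proxy): must read <desktop IPv4>:8080, mitmproxy's default listen port.
proxy_points_to_desktop() {
  printf '%s' "$1" | tr -d '\r' | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}:8080$'
}

# Listing of /system/etc/security/cacerts ($1) and the CA's subject hash ($2, as
# printed by `openssl x509 -subject_hash_old -noout -in mitmproxy-ca-cert.pem`):
# Android names system CA files <hash>.0, so that file must exist after step 4.
system_ca_installed() {
  printf '%s\n' "$1" | tr -d '\r' | grep -qxF "$2.0"
}

# Live check against the attached device; needs adb and openssl on PATH.
run_preflight() {
  adb_single_device "$(adb devices)" || { echo "FAIL: need exactly one adb device"; return 1; }
  shell_is_root "$(adb shell su -c id)" || { echo "FAIL: su did not give root (step 3)"; return 1; }
  frida_server_running "$(adb shell ps -A)" || echo "WARN: frida-server not running (step 7)"
  proxy_points_to_desktop "$(adb shell settings get global http_proxy)" || echo "WARN: Wi-Fi proxy not set to <desktop IP>:8080"
  hash=$(openssl x509 -subject_hash_old -noout -in "$HOME/.mitmproxy/mitmproxy-ca-cert.pem")
  system_ca_installed "$(adb shell ls /system/etc/security/cacerts)" "$hash" || echo "WARN: mitmproxy CA not in system store (step 4)"
  echo "preflight finished"
}

if [ "${1:-}" = "run" ]; then run_preflight; fi
```

Run it as `sh relab_preflight.sh run` after step 8 and again after configuring the proxy; a WARN line points at the README step to redo.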