OpenSource Name: randorisec/MobileHackingCheatSheet
OpenSource Url: https://github.com/randorisec/MobileHackingCheatSheet

# The Mobile Hacking CheatSheet

The Mobile Hacking CheatSheet is an attempt to summarise a few interesting basic facts about the tools and commands needed to assess the security of Android and iOS mobile applications.

You can get the PDF versions:

And the PNG versions:

## Main Steps
## OWASP Mobile Security Testing Project

- Mobile Security Testing Guide: https://github.com/OWASP/owasp-mstg
- Mobile Application Security Verification Standard: https://github.com/OWASP/owasp-masvs
- Mobile Security Checklist: https://github.com/OWASP/owasp-mstg/tree/master/Checklists

## Android CheatSheet

### APK Structure
### Package Name

The package name is the app's unique identifier (e.g. for YouTube):
### Data Storage

| Description | Path |
| --- | --- |
| User applications | `/data/data/<package-name>/` |
| Shared Preferences files | `/data/data/<package-name>/shared_prefs/` |
| SQLite databases | `/data/data/<package-name>/databases/` |
| Internal storage | `/data/data/<package-name>/files/` |

### adb

| Description | Command |
| --- | --- |
| Connect through USB (`-d` selects the only USB-attached device) | `adb -d shell` |
| Connect through TCP/IP (`-e` selects the only emulator/TCP device) | `adb -e shell` |
| Get a shell or execute the specified command | `adb shell [cmd]` |
| List processes | `adb shell ps` |
| List Android devices connected to your machine | `adb devices` |
| Dump the log messages from the Android system | `adb logcat` |
| Copy a local file to the Android device | `adb push <local> <device>` |
| Copy a file from the Android device | `adb pull <remote> <local>` |
| Install an APK file on the Android device | `adb install <APK_file>` |
| Install an App Bundle (split APKs) | `adb install-multiple <APK_file1> <APK_file2> <APK_file3> ...` |
| Set up TCP port forwarding from the host to the Android device | `adb forward tcp:<local_port> tcp:<remote_port>` |
| List all packages on the device | `adb shell pm list packages` |
| Find the path where the APK is stored for the selected package name | `adb shell pm path <package-name>` |
| List only installed (non-system) apps with their associated path | `adb shell pm list packages -f -3` |
| List package names matching the specified pattern | `adb shell pm list packages -f -3 [pattern]` |

### Application Signing

For signing your APK file, you have 2 options:
To create your own keystore, the following one-liner can be used:

```shell
keytool -genkeypair -dname "cn=John Doe, ou=Security, o=Randorisec, c=FR" -alias <alias_name> \
  -keystore <keystore_name> -storepass <keystore_password> -validity <days> -keyalg RSA -keysize 2048 -sigalg SHA1withRSA
```

SHA1withRSA is kept here only for compatibility with old tooling; current JDKs warn about it, and SHA256withRSA (keytool's default for RSA keys on current JDKs) should be preferred for a new keystore.

### Code Tampering

To tamper with an APK file, the following steps should be performed:
### Frida

#### Installation

Install Frida and the Python bindings on your system:

```shell
pip install frida frida-tools
```

Download the Frida server binary matching the target architecture and your Frida version:

```shell
VER=`frida --version`
ABI=`adb shell getprop ro.product.cpu.abi`
wget https://github.com/frida/frida/releases/download/$VER/frida-server-$VER-android-$ABI.xz
xz -d frida-server-$VER-android-$ABI.xz
```

Upload and execute the Frida server binary on your Android device (root privileges are needed):

```shell
VER=`frida --version`
ABI=`adb shell getprop ro.product.cpu.abi`
adb root
adb push frida-server-$VER-android-$ABI /data/local/tmp/frida
adb shell "chmod 755 /data/local/tmp/frida"
adb shell "/data/local/tmp/frida"
```

If the download fails with a "not found" error, check that `$ABI` does not carry a trailing carriage return (older adb versions emit CRLF line endings; strip it with `tr -d '\r'`).

#### Tools

| Description | Command |
| --- | --- |
| List running processes (emulator or device connected through USB) | `frida-ps -U` |
| List only installed applications | `frida-ps -U -i` |
| Attach the Frida client to the specified application (emulator or device connected through USB) | `frida -U <package_name>` |
| Spawn the specified application (emulator or device connected through USB) | `frida -U -f <package_name>` |
| Spawn the specified application without pausing it at startup (Frida < 16; since Frida 16 this is the default and `--pause` does the opposite) | `frida -U -f <package_name> --no-pause` |
| Load a Frida script when attaching to the specified application | `frida -U -l <script_file> <package_name>` |

#### Objection

| Description | Command |
| --- | --- |
| Inject the Frida Gadget library into an APK file, specifying the target architecture (if no emulator is running or no device is connected) | `objection patchapk --source <APK_file> -V <frida_version> --architecture <arch>` |
| Inject the Frida Gadget library into an APK file using the latest Frida version available on GitHub (if an emulator is running or a device is connected) | `objection patchapk --source <APK_file>` |

### SSL/TLS Interception with BurpSuite

#### Before Android 7
References:
#### After Android 7

Since Android 7 (API level 24), apps targeting API level 24 or higher no longer trust user-supplied CA certificates by default. To be able to intercept SSL/TLS communication, you have 3 options:
In order to tamper with the target Android application, we are going to add or modify its network security configuration file (an XML resource under `res/xml/`, referenced from the `<application>` element of `AndroidManifest.xml` through the `android:networkSecurityConfig` attribute). On recent Android versions this file allows the application to be forced to trust user-supplied CA certificates. The following steps should be performed:
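The script below is an added example, not part of the cheat sheet, that carries the Code Tampering steps (decode, modify, rebuild, sign, install) through with the network security configuration change described above as the modification. It assumes apktool, zipalign, apksigner and adb are on the PATH and that a keystore was created with the keytool one-liner from the Application Signing section; the file name `network_security_config` is only used when the app has no configuration yet, otherwise the app's own file is overwritten so the manifest reference stays valid. The original app is uninstalled before installing the patched one, because a re-signed APK cannot be installed over an app signed with a different key.

```shell
#!/bin/sh
# Added example (not from the cheat sheet): patch an APK so that it trusts
# user-installed CA certificates on Android 7+. Assumed tools: apktool,
# zipalign, apksigner, adb, plus a keystore made with the keytool one-liner.
set -eu

# Network security config trusting both the system and the user CA stores.
# Only the trust anchors are set; cleartext settings are left untouched.
NSC_CONTENT='<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>'

# Print the package name declared on the <manifest> element.
package_name_in_manifest() {
    sed -n 's/.*package="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the config name referenced by android:networkSecurityConfig="@xml/NAME",
# or nothing if the manifest has no such attribute.
nsc_name_in_manifest() {
    sed -n 's/.*android:networkSecurityConfig="@xml\/\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Make sure the manifest references a config: reuse the existing name (so the
# app's own file gets overwritten) or add the attribute to <application>.
# Prints the config name to use.
ensure_nsc_reference() {
    manifest="$1"
    name="$(nsc_name_in_manifest "$manifest")"
    if [ -z "$name" ]; then
        name="network_security_config"
        awk -v attr="android:networkSecurityConfig=\"@xml/$name\"" '
            !done && /<application/ { sub(/<application/, "<application " attr); done = 1 }
            { print }' "$manifest" > "$manifest.tmp"
        mv "$manifest.tmp" "$manifest"
    fi
    printf '%s\n' "$name"
}

# Write the config file into the decoded APK tree under res/xml/.
write_nsc_file() {
    mkdir -p "$1/res/xml"
    printf '%s\n' "$NSC_CONTENT" > "$1/res/xml/$2.xml"
}

# Full pipeline: decode, patch, rebuild, align, sign, verify, reinstall.
patch_apk() {
    in_apk="$1"; out_apk="$2"; keystore="$3"; key_alias="$4"
    work="$(mktemp -d)"
    apktool d -f -o "$work/src" "$in_apk"
    name="$(ensure_nsc_reference "$work/src/AndroidManifest.xml")"
    write_nsc_file "$work/src" "$name"
    apktool b -o "$work/unsigned.apk" "$work/src"
    # zipalign must run before apksigner; apksigner keeps the alignment.
    zipalign -f -p 4 "$work/unsigned.apk" "$work/aligned.apk"
    apksigner sign --ks "$keystore" --ks-key-alias "$key_alias" --out "$out_apk" "$work/aligned.apk"
    apksigner verify "$out_apk"   # fails loudly if the signature is broken
    # The original app is signed with another key, so it must go first.
    adb uninstall "$(package_name_in_manifest "$work/src/AndroidManifest.xml")" || true
    adb install "$out_apk"
    rm -rf "$work"
}

# Usage: sh patch_nsc.sh patch app.apk app-patched.apk my.keystore <alias_name>
if [ "${1:-}" = "patch" ]; then
    shift
    patch_apk "$@"
fi
```

After installing the patched APK, import the Burp CA certificate into the user store (Settings, Security, Install a certificate) and the app's TLS connections can be intercepted; certificate pinning inside the app is a separate problem that this change does not address.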
### Content Provider

| Description | Command |
| --- | --- |
| Query a Content Provider | `adb shell content query --uri content://<provider_authority_name>/<table_name>` |
| Insert a row into a Content Provider | `adb shell content insert --uri content://<provider_authority_name>/<table_name> --bind <param_name>:<param_type>:<param_value>` |
| Delete a row from a Content Provider | `adb shell content delete --uri content://<provider_authority_name>/<table_name> --where "<param_name>='<param_value>'"` |

### Activity Manager

| Description | Command |
| --- | --- |
| Start an Activity with the specified Intent | `adb shell am start -n <package_name/activity_name> -a <intent_action>` |
| Start an Activity with the specified Intent and extra parameters | `adb shell am start -n <package_name/activity_name> -a <intent_action> --es <param_name> <string_value> --ez <param_name> <boolean_value> --ei <param_name> <int_value> …` |

## iOS CheatSheet

### Filesystem

| Description | Path |
| --- | --- |
| App list database | `/User/Library/FrontBoard/applicationState.db` |
| Binary directory: contains all the static resources of the app | `/private/var/containers/Bundle/Application/<UUID>/App.app` |
| Path of the binary (executable) | `/private/var/containers/Bundle/Application/<UUID>/App.app/App` |
| App metadata: configuration of the app (icon to display, supported document types, etc.) | `/private/var/containers/Bundle/Application/<UUID>/App.app/Info.plist` |
| Data directory | `/private/var/mobile/Containers/Data/Application/<Data-UUID>` |

UUID (Universally Unique Identifier): random 36-character string (hexadecimal digits and hyphens) unique to the app's bundle directory.
Data-UUID: random 36-character string of the same form unique to the app's data directory; it is different from the bundle UUID.

### Default password

By default the root password on your jailbroken iOS device is:

If you've changed it and want to reset it:
### Bundle ID

The bundle ID (aka package name) is the app's unique identifier (e.g. for YouTube):

### How to find the data and binary directories

Grep is the not-so-quick 'n' dirty way to find the data and binary directories of your app:

```shell
iPhone:~ root# grep -r <App_name> /private/var/*
```

### How to find the data and binary directories and the Bundle ID

By launching Frida with the ios-app-info script:

```shell
frida -U <App_name> -c dki/ios-app-info
```

And then, in the Frida REPL:

```
[iPhone::App]-> appInfo()
```

Or manually, by opening the app list database:

```shell
iPhone:~ root# sqlite3 /User/Library/FrontBoard/applicationState.db
```

And displaying the key_tab table to get the binary directories:

```sql
sqlite> select * from key_tab;
```

Or displaying the application_identifier_tab table to get the bundle IDs:

```sql
sqlite> select * from application_identifier_tab;
```

### App decryption
### Dynamic analysis with Frida

| Description | Command |
| --- | --- |
| List running processes | `frida-ps -U` |
| Analyse the calls to a method by launching Frida with the objc-method-observer script | `frida -U <App_name> -c mrmacete/objc-method-observer` |
| And then, in the Frida REPL | `observeSomething('*[* *<Method_name>*]');` |
| Hook the calls to the method `<Method_name>` | `frida-trace -U <App_name> -m "-[* <Method_name>*]"` |

Then open the JavaScript handler file to edit the

### Dynamic analysis with Objection

| Description | Command |
| --- | --- |
| Inject objection | `objection -g "<App_name>" explore` |
| List the classes (the output will contain thousands of lines) | `ios hooking list classes` |
| List the methods of a class | `ios hooking list class_methods <Class_name>` |
| Search for class or method names containing a string | `ios hooking search classes <String>` / `ios hooking search methods <String>` |
| Analyse the calls to the method `<Method_name>` | `ios hooking watch method "-[<Class_name> <Method_name>]"` |
| Hook `<Method_name>` and return true for each call | `ios hooking set return_value "-[<Class_name> <Method_name>]" true` |

### Get the NSLog (syslog)

Impactor (http://www.cydiaimpactor.com) lets you display the NSLog (syslog) on the command line:

```shell
./Impactor idevicesyslog -u <UDID>
```

### SSL Interception with BurpSuite
### Bypass SSL Pinning using SSL Kill Switch 2

Download and install the SSL Kill Switch 2 tweak on the jailbroken device:

```shell
wget https://github.com/nabla-c0d3/ssl-kill-switch2/releases/download/0.14/com.nablac0d3.sslkillswitch2_0.14.deb
dpkg -i com.nablac0d3.sslkillswitch2_0.14.deb
killall -HUP SpringBoard
```

Go to "Settings -> SSL Kill Switch 2" and enable "Disable Certificate Validation".

### UDID (Unique Device Identifier)

The UDID is a string used to identify a device. It is needed for some operations such as signing, app installation and network monitoring.
On macOS (`idevice_id` is part of libimobiledevice and works on Linux as well):

```shell
idevice_id -l
```

or

```shell
ioreg -p IOUSB -l | grep "USB Serial"
```

or by launching Impactor without parameters.

On Linux:

```shell
usbfluxctl list
```

or

```shell
lsusb -s :`lsusb | grep iPhone | cut -d ' ' -f 4 | sed 's/://'` -v | grep iSerial | awk '{print $3}'
```

or by launching Impactor without parameters.

### Network capture (works also on non-jailbroken devices)
On macOS, create a Remote Virtual Interface for the device and capture on it:

```shell
rvictl -s <UDID>
tcpdump -i rvi0
```

`tshark -i rvi0` or Wireshark on the `rvi0` interface work as well. Remove the virtual interface when done with `rvictl -x <UDID>`.

On Linux, using rvi_capture (https://github.com/gh2o/rvi_capture):

```shell
./rvi_capture.py --udid <UDID> iPhone.pcap
```

### Sideloading an app

Sideloading an app that includes an instrumentation library like Frida lets you interact with the app even if it is installed on a non-jailbroken device.
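The following script is an added example, not part of the cheat sheet, that ties the macOS UDID and network capture commands above together: it validates the UDID, starts the Remote Virtual Interface, reads the interface name back from rvictl's status line, captures to a pcap file and removes the interface again on exit. It assumes macOS with the Xcode command line tools (`rvictl`), libimobiledevice (`idevice_id`), root privileges for `tcpdump` and a single attached device; the rvictl output line it parses is a constructed sample of the "Starting device ... [SUCCEEDED] with interface rvi0" format.

```shell
#!/bin/sh
# Added example (not from the cheat sheet): capture an iOS device's traffic
# on macOS through a Remote Virtual Interface and always tear it down again.
# Assumptions: macOS with rvictl, libimobiledevice (idevice_id), tcpdump run
# as root, a single device attached.
set -eu

# Accept both UDID formats: 40 hexadecimal characters (devices up to the
# iPhone X) or 8 hex + "-" + 16 hex (iPhone XS and later).
is_valid_udid() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{40}|[0-9a-f]{8}-[0-9a-f]{16})$'
}

# Extract the interface name from rvictl's status line, e.g.
# "Starting device <UDID> [SUCCEEDED] with interface rvi0" -> "rvi0".
# Prints nothing when rvictl reported a failure.
rvi_interface_from_output() {
    printf '%s\n' "$1" | sed -n 's/.*\[SUCCEEDED\] with interface \([a-z0-9]*\).*/\1/p' | head -n 1
}

capture() {
    udid="${1:-$(idevice_id -l | head -n 1)}"
    out="${2:-iphone-$(date +%Y%m%d-%H%M%S).pcap}"
    if ! is_valid_udid "$udid"; then
        echo "not a UDID: '$udid'" >&2
        return 1
    fi
    iface="$(rvi_interface_from_output "$(rvictl -s "$udid")")"
    if [ -z "$iface" ]; then
        echo "rvictl could not start an interface for $udid" >&2
        return 1
    fi
    # Detach the virtual interface on exit or Ctrl-C so stale rviN
    # interfaces do not pile up between runs.
    trap 'rvictl -x "$udid" >/dev/null 2>&1 || true' EXIT INT TERM
    echo "capturing $iface to $out (Ctrl-C to stop)" >&2
    # -s 0: full packets; -w: raw pcap to open later in Wireshark or tshark
    tcpdump -i "$iface" -s 0 -w "$out"
}

# Usage: sudo sh ios_capture.sh capture [UDID] [output.pcap]
if [ "${1:-}" = "capture" ]; then
    shift
    capture "$@"
fi
```

Because the capture happens on the host side of the USB link, it sees all of the device's traffic regardless of jailbreak state, but TLS payloads stay encrypted; pair it with the Burp interception and SSL Kill Switch 2 sections above when you need plaintext.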