Bug Bounties 2021 - Hacking Android and iOS with Frida

July 03, 2021

Bug Bounties in 2021 - Use your Skills

I have recently started moving to the mobile side of Bug Bounties. I have been finding the Web side of Bug Bounties to be mostly explored; most targets appear to be reasonably hardened by the time I arrive. As a latecomer to the Bug Bounty scene in 2020, and with bounties being easier to exploit than ever due to the amount of knowledge and tools out there, I have to take the time to learn where my skillsets are and where they are not. It is especially important to find what makes you unique from the thousands of others out there so you can find your stride. So far, I have found that my diverse knowledge of many different areas allows me to move between technologies quickly. I will be exploring the Bug Bounty scene and mobile hacking in mid 2021, and I plan to share my findings here; I hope I cover something that will help. Feel free to reach out to me on Twitter if you have anything you'd like to share or discuss, or even just a 'Hi!' would be awesome!

Transitioning to Mobile and Android Hacking, what about iOS?

I am exploring Android hacking first because it is easily emulated compared to iOS. I'll be covering iOS as soon as I get around to jailbreaking my iPhone.

Android Hacking Tools

The tools I have found useful for hacking Android are listed here.

  1. Burp Suite is by far the most popular tool for bug bounties in 2021, for web, mobile, and IoT. A proxy is a must-have to intercept the requests from the mobile device to its backend server, allowing you to inspect the traffic once an SSL pinning bypass is achieved.
  2. Genymotion - the go-to emulator for many bug bounty hunters, mostly because it 'just works'.
  3. Frida is a dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. It's scriptable, portable, and free. It injects QuickJS into the target process, where your JS gets executed with (and this part should be stressed) full access to memory, hooking functions and even calling native functions inside the process.

Resources

I started reading the MSTG - Mobile Security Testing Guide, made by the OWASP group. It's available for free over at PacktPub. Obviously, please support them rather than getting it for free if it's within your means.

Now, starting off for this guide I am using a Windows 10 machine with a Kali Linux WSL2 virtual machine. I also use a MacBook and will try to point out when commands or instructions differ. I have created a variety of personal GitHub Gists here, with a particularly important one for this post, my tools, here. I will be keeping that up to date as I move along.

SSL Pinning with Frida and Friends

Frida is used to perform what is known as an SSL pinning bypass. It has been covered in many blog posts and video tutorials. The ones I've found particularly useful are at arben.sh, Infosec Writeups, and the now free course by the XSSRat.

They go into installing and setting up Genymotion on top of VirtualBox, Frida, adb and pyenv. I also use Chocolatey as a Windows package manager. The goal is to run this SSL pinning bypass script, which is just JavaScript, and which allows you to intercept the traffic from the Android phone with a proxy such as Burp.

They explain how to accomplish this in depth and as well as I could, so I won't repeat that. I will offer some tips that hopefully will make the process smoother.

Tips for Hacking Android for Profit

If on Windows, use the latest version of VirtualBox. This means that when you install Genymotion, you probably shouldn't use the bundled package that contains VirtualBox.

A good reference is here by Microsoft. If you use the wrong version like I did, WSL2 and VirtualBox will fight for control over your hypervisor. The struggle was real for me, and it took me carefully uninstalling all my apps with BCUninstaller and turning Windows Features on and off for days to realize that.

Make sure you install the certificate for your proxy correctly on your Genymotion Android or rooted Android device. The steps for this using Burp and Genymotion, as well as the symptoms of this problem, follow.

The symptom of doing this wrong is that the proxy will not be able to connect the mobile device to the requested host. With Burp, it repeatedly returned an SSL certificate error.

The instructions for installing it are here, as well as in the other references I posted.

  1. Download the certificate from Burp. Make sure you rename it with a .cer extension. I save mine to ~/projects/frida/burpcert.cer
  2. Push the certificate to the Android phone. This is done by following the instructions in my Tools GitHub Gist or by running

adb push ./burpcert.cer /sdcard/Download/

  3. On the mobile device, go to Security > Install a Certificate, navigate to your Downloads and select it. When prompted, select "Apps and Wifi" for the scope. When you are done, verify that you installed the cert: go to Security > Installed Certificates and you should see it there.
  4. If all goes well, you can check Burp and you should now see the traffic showing up.
  5. I never got this approach working, but you can in theory skip all of that and run

adb shell settings put global http_proxy 192.168.15.106:8082
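The steps above put the Burp CA into the Android user certificate store. When an app still refuses the proxy after that, the next thing to check is the system store, where Android expects each CA under /system/etc/security/cacerts/ in a file named <hash>.0, with <hash> being OpenSSL's `-subject_hash_old` of the certificate subject (MD5 of the DER-encoded subject name, first four bytes read little-endian). The following is an added example and not code from this post or from Burp or Frida: it computes that filename from a DER .cer using only the Python standard library, so the naming step can be checked before anything is pushed to a device. The embedded certificate is constructed for the test and is not a real CA; the name ExampleProxyCA and every field value in it are made up.

```python
import hashlib
import struct


def read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value starting at pos.
    Returns (tag, value_start, value_end); the whole TLV spans buf[pos:value_end]."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_subject_der(cert_der: bytes) -> bytes:
    """Return the full DER encoding (tag + length + value) of the certificate's Subject Name."""
    tag, start, _ = read_tlv(cert_der, 0)               # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; is this PEM rather than a .cer (DER) file?")
    tag, pos, _ = read_tlv(cert_der, start)             # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed tbsCertificate")
    # tbsCertificate field order: [0] version (optional), serialNumber, signature,
    # issuer, validity, subject, ...
    tag, _, vend = read_tlv(cert_der, pos)
    if tag == 0xA0:                                     # explicit [0] version present (v2/v3)
        pos = vend
    for _ in range(4):                                  # skip serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)               # subject ::= Name (SEQUENCE OF RDN)
    if tag != 0x30:
        raise ValueError("expected subject SEQUENCE")
    return cert_der[pos:end]


def subject_hash_old(subject_der: bytes) -> str:
    """OpenSSL X509_NAME_hash_old: first 4 MD5 bytes of the DER Name as a little-endian uint32."""
    digest = hashlib.md5(subject_der).digest()
    return "%08x" % struct.unpack("<I", digest[:4])[0]


def system_store_filename(cert_der: bytes) -> str:
    """Filename Android expects under /system/etc/security/cacerts/ for this CA."""
    return subject_hash_old(extract_subject_der(cert_der)) + ".0"


# --- constructed sample input (NOT a real certificate; key and signature are placeholders) ---

def der_tlv(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder (definite lengths up to 65535), used only to build the sample."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + value


def rdn(oid: bytes, text: str) -> bytes:
    """SET { SEQUENCE { OID, PrintableString } }: one relative distinguished name."""
    return der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x13, text.encode("ascii"))))


SAMPLE_SUBJECT = der_tlv(0x30, rdn(b"\x55\x04\x06", "US")              # countryName (2.5.4.6)
                         + rdn(b"\x55\x04\x03", "ExampleProxyCA"))     # commonName (2.5.4.3), made up


def build_sample_cert(include_version: bool = True) -> bytes:
    """Certificate skeleton with the real tbsCertificate field order (v3 or v1 layout)."""
    sha256_rsa = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der_tlv(0x05, b""))
    validity = der_tlv(0x30, der_tlv(0x17, b"210101000000Z") + der_tlv(0x17, b"310101000000Z"))
    tbs = b""
    if include_version:
        tbs += der_tlv(0xA0, der_tlv(0x02, b"\x02"))   # [0] EXPLICIT version v3
    tbs += der_tlv(0x02, b"\x01")                      # serialNumber
    tbs += sha256_rsa                                  # signature algorithm identifier
    tbs += SAMPLE_SUBJECT                              # issuer (self-signed: same Name as subject)
    tbs += validity
    tbs += SAMPLE_SUBJECT                              # subject
    tbs += der_tlv(0x30, b"")                          # subjectPublicKeyInfo placeholder
    return der_tlv(0x30, der_tlv(0x30, tbs) + sha256_rsa + der_tlv(0x03, b"\x00"))


if __name__ == "__main__":
    import sys
    # Usage: python cacert_name.py burpcert.cer   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_cert()
    print(system_store_filename(data))
```

Run it against the real burpcert.cer and compare the output with `openssl x509 -inform DER -in burpcert.cer -subject_hash_old -noout`; the two must agree, and that value plus ".0" is the name the PEM copy of the CA needs in the system store. The parser deliberately checks only the tags it needs to walk to the subject, which is enough to catch the most common mistake here: feeding it (or Android) a PEM file that still has a .cer extension.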

Learn the difference between NAT and Bridged network settings in VirtualBox.

The difference between them is not complex, but getting the IPs right is important. If you choose to set up your device in NAT mode, just remember it will act as if it is simply its own device, and connect to your router as such. The machines for the most part will be completely unaware it is going through your device at all. When connecting the HTTP proxy to your PC, use its local network address, something like 192.157.16.106:8082

Bridged mode is more "virtual machiney". It gets the same IP address as your computer, and your computer then creates a little network within itself with some internal IP addresses. When connecting to the HTTP proxy in Bridged mode, use the assigned internal address, something like 53.0.0.7:8082

Windows stores a copy of the last 5000 commands in the directory C:\Users\Username\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine, in a file called ConsoleHost_history.

When you get all of that done, the final command to run Frida will look like this. This command means you don't have to upload the Frida script to the phone: -U selects the USB device, -f spawns the package, --no-pause resumes it straight away, and --codeshare fetches the script from Frida CodeShare.

frida -U -f com.hacker101.level11 --no-pause --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida

If all goes well, an instance of Frida's JavaScript engine (QuickJS, as described above) has been injected into the runtime process on the Android machine with - and I stress - full access to the memory and applications. You can then proceed to do all kinds of cool things with Frida.

Next I would recommend installing and using Objection and MobSF. I will cover those in a future Tutorial as well as my Methodology.

Other tools are at https://mobile-security.gitbook.io/mobile-security-testing-guide/appendix/0x08-testing-tools; if you want to suggest any I should cover, please contact me on Twitter.

A great intro to hacking with Android is HackerOne's CTF and the Android level called H1 Thermostat. Give it a shot and I'll cover it in a future post.

Happy Hacking!

Feel free to check out Presearch, Brave Browser, and Pi.