Frida is a powerful dynamic instrumentation toolkit for pen testers, developers, reverse engineers, and security researchers. It is scriptable, implying you can write custom scripts to autonomously perform functions autonomously such as:
- Hook into functions. Take a peek into the code of private apps
- Inject code to modify the output
- Bypass root
- SSL pinning bypass
- Fingerprint bypass
- Bypassing different software-side security locks. It has an array of tools that span a wide range of test environments. And did I mention it’s free!!
Okay, enough blabbing. Let’s get straight into how to set up Frida and run a basic first Android testing project.
Requirements
- Frida
- Genymotion
- Virtual-box
- Android platform tools
- Burpsuite
Install Frida
$pip install frida $pip install frida-tools
- Go to Frida releases to download the Frida version for our little test.
- Search for the frida-server-15.1.17-android-x86.xz tool.
This is important because we will be running the tool on an emulated environment on our Ubuntu desktop with an x86 architecture.
If you were using a real mobile device for the test, you might want to download the ARM version of frida tools.
- On a new terminal, navigate to where you downloaded the file and extract it.
$xz -d frida-server-15.1.17-android-x86.xz
Rename it however you want (or don’t), I’ll name mine “frida-server”
$mv frida-server-15.1.17-android-x86 frida-server
- Go to your ADB path
$cd /opt/genymobile/genymotion/tools/
- Push the file to the device
$./adb push /home/ash/tools/frida-server /data/local/tmp
- Change the permission of the file:
$./adb shell "chmod 755 /data/local/tmp/frida-server"
- Open a new adb shell
$./adb shell "/data/local/tmp/frida-server &"
Output should be as indicated below
- Now on a new terminal in the /opt/genymobile/genymotion/tools/ path, run the following command to run frida:
To check if we have access to the files in the emulated device, enter the following command.
$frida-ps -U
Generating the CA certificate
- Go to Burpsuite > proxy > options.
- Import/export certificates
- Export Burp CA- Select the Certificate in DER
- Choose a save location name it and and download. i.e.
cacert - Navigate to your download location and rename the certificate to have a
.derextension. i.e. cacert.der
Operations on Genymotion Converting the Burp certificate from DER to PEM
- Open a new terminal
- Navigate to the location in which you saved the
cacert.derfile. - Enter the following commands:
$openssl x509 -inform DER -in cacert.der -out cacert.pem; ls cacert.pem
The output should be: cacert.pem
- Run this command next.
$openssl x509 -inform PEM -subject_hash_old -in cacert.pem |head -1 |\
xargs -I $ sh -c 'mv cacert.pem $.0; ls $.0'
The output should be: 9a5ba575.0
- Next step is to move the certificate to the device.
- But first, we need to install Android Debugging Bridge:
$sudo apt install adb
- Run adb as root:
$adb root
You might get the following error.
**insert image**
If so, navigate to /opt/genymobile/genymotion/tools/ If you cant access the Genymotion directory that way, check where adb is installed:
$which adb (not that this is the one we installed)
But we want to use the one that came with Genymobile (at least for those who got the error above) Just make sure you are on the genymotion path when running the $adb root command.
Now retry running as root as follows:
$./adb root
Remount adb:
$./adb remount
Push the certificate file to the phone:
$./adb push ~/Downloads/9a5ba575.0 /sdcard/
Move the file from the sdcard to the directory as follows:
$mv /sdcard/9a5ba575.0 /system/etc/security/cacerts
Change the permissions:
$chmod 644 systemetc/security/cacerts/9a5ba575.0
Exit.
Back to Genymotion
Go to Settings> security> trusted credentials>PortSwigger
Everything should be working fine. Happy testing!!
No Responses