Xamarin Apps
Reading time: 4 minutes
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
Xamarin is an open-source platform designed for developers to build apps for iOS, Android, and Windows using the .NET and C# frameworks. This platform offers access to numerous tools and extensions to create modern applications efficiently.
Xamarin's Architecture
- For Android, Xamarin integrates with Android and Java namespaces through .NET bindings, operating within the Mono execution environment alongside the Android Runtime (ART). Managed Callable Wrappers (MCW) and Android Callable Wrappers (ACW) facilitate communication between Mono and ART, both of which are built on the Linux kernel.
- For iOS, applications run under the Mono runtime, utilizing full Ahead of Time (AOT) compilation to convert C# .NET code into ARM assembly language. This process runs alongside the Objective-C Runtime on a UNIX-like kernel.
.NET Runtime and Mono Framework
The .NET framework includes assemblies, classes, and namespaces for application development, with the .NET Runtime managing code execution. It offers platform independence and backward compatibility. The Mono Framework is an open-source version of the .NET framework, initiated in 2005 to extend .NET to Linux, now supported by Microsoft and led by Xamarin.
Reverse Engineering Xamarin Apps
Decompilation of Xamarin Assemblies
Decompilation transforms compiled code back into source code. In Windows, the Modules window in Visual Studio can identify modules for decompilation, allowing for direct access to third-party code and extraction of source code for analysis.
JIT vs AOT Compilation
- Android supports Just-In-Time (JIT) and Ahead-Of-Time (AOT) compilation, with a Hybrid AOT mode for optimal execution speed. Full AOT is exclusive to Enterprise licenses.
- iOS solely employs AOT compilation due to Apple's restrictions on dynamic code execution.
Extracting dll Files from APK/IPA
To access the assemblies in an APK/IPA, unzip the file and explore the assemblies directory. For Android, tools like XamAsmUnZ and xamarin-decompress can uncompress dll files.
python3 xamarin-decompress.py -o /path/to/decompressed/apk
In cases where after decompiling the APK it's possible to see the unknown/assemblies/ folder with the .dll
files inside it, so it's posible to use dnSpy directly over the .dlls
to analyze them.
However, sometimes, it's found the assemblies.blob
and assemblies.manifest
files inside the unknown/assemblies/ folder. The tool pyxamstore can be used for unpacking the assemblies.blob
file in Xamarin apps, allowing access to the .NET assemblies for further analysis:
pyxamstore unpack -d /path/to/decompressed/apk/assemblies/
iOS dll files are readily accessible for decompilation, revealing significant portions of the application code, which often shares a common base across different platforms.
Static Analysis
Once the .dll
s are obtained it's possible to analyze the .Net code statically using tools such as dnSpy or ILSpy that will allow to modify the code of the app. This can be super useful to tamper the application to bypass protections for example.
Note that after modifying the app you will need to pack it back again and sign it again.
Dynamic Analysis
Dynamic analysis involves checking for SSL pinning and using tools like Fridax for runtime modifications of the .NET binary in Xamarin apps. Frida scripts are available to bypass root detection or SSL pinning, enhancing analysis capabilities.
Other interesting Frida scripts:
Resigning
The tool Uber APK Signer simplifies signing multiple APKs with the same key, and can be used to resign an app after changes have been performed to it.
Further information
- https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers
- https://thecobraden.com/posts/unpacking_xamarin_assembly_stores/
- https://medium.com/@justmobilesec/introduction-to-the-exploitation-of-xamarin-apps-fde4619a51bf
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.