Android Applications Pentesting


Android Applications Basics

It is highly recommended to start by reading this page to learn about the most important parts related to Android security and the most dangerous components in an Android application:

Android Applications Basics

ADB (Android Debug Bridge)

This is the main tool you need to connect to an Android device (emulated or physical).
ADB allows you to control devices either over USB or over the network from a computer. This utility enables copying files in both directions, installing and uninstalling apps, executing shell commands, backing up data, reading logs, among other functions.

Take a look at the following list of ADB Commands to learn how to use adb.

Smali

Sometimes it is useful to modify the application code to access hidden information (maybe well-obfuscated passwords or flags). Then, it can be interesting to decompile the APK, modify the code and recompile it.
In this tutorial you can learn how to decompile an APK, modify Smali code and recompile the APK with the new functionality. This can be very useful as an alternative for several tests during the dynamic analysis that are going to be presented. So, always keep this possibility in mind.

Other interesting tricks

bash
adb shell pm list packages
com.android.insecurebankv2

adb shell pm path com.android.insecurebankv2
package:/data/app/com.android.insecurebankv2-Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk

adb pull /data/app/com.android.insecurebankv2-Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk
  • Merge all the splits and the base APK with APKEditor:
bash
mkdir splits
adb shell pm path com.android.insecurebankv2 | cut -d ':' -f 2 | xargs -n1 -i adb pull {} splits
java -jar ../APKEditor.jar m -i splits/ -o merged.apk

# after merging, the APK must be zipaligned and re-signed before it can be installed; uber-apk-signer does both in one step
java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed

Case Studies & Vulnerabilities

Air Keyboard Remote Input Injection

Android Rooting Frameworks Manager Auth Bypass Syscall Hook

Static Analysis

First of all, when analysing an APK you should take a look at the Java code using a decompiler.
Please, read here to find information about different available decompilers.

Looking for interesting Info

Just by taking a look at the strings of the APK you can search for passwords, URLs (https://github.com/ndelphit/apkurlgrep), API keys, encryption, Bluetooth UUIDs, tokens and anything interesting... look even for code execution backdoors or authentication backdoors (hardcoded admin credentials in the app).

Firebase

Pay special attention to Firebase URLs and check if they are badly configured. More information about what Firebase is and how to exploit it here.

Basic understanding of the application - Manifest.xml, strings.xml

Examining an application's Manifest.xml and strings.xml files can reveal potential security vulnerabilities. These files can be accessed using decompilers or by renaming the APK file extension to .zip and then unzipping it (note that the manifest inside the ZIP is binary AXML; apktool or a decompiler turns it into readable XML).

Vulnerabilities identified from the Manifest.xml include:

  • Debuggable Applications: Applications set as debuggable (debuggable="true") in the Manifest.xml pose a risk since they allow a debugger (JDWP) to attach to the running process, which can lead to exploitation. For further understanding on how to exploit debuggable applications, refer to a tutorial on finding and exploiting debuggable applications on a device.
  • Backup Settings: The android:allowBackup="false" attribute should be explicitly set for applications dealing with sensitive information to prevent unauthorized data backups via adb, especially when USB debugging is enabled. (For apps targeting Android 12 and later, adb backup no longer includes app data by default, but the attribute still matters for older targets.)
  • Network Security: Custom network security configurations (android:networkSecurityConfig="@xml/network_security_config") in res/xml/ can specify security details like certificate pins and HTTP traffic settings. An example is allowing cleartext HTTP traffic for specific domains.
  • Exported Activities and Services: Identifying exported activities and services in the manifest can highlight components that might be misused. Remember that a component with an <intent-filter> is exported by default unless android:exported="false" is set. Further analysis during dynamic testing can reveal how to exploit these components.
  • Content Providers and FileProviders: Exposed content providers could allow unauthorized access or modification of data. The configuration of FileProviders should also be scrutinized.
  • Broadcast Receivers and URL Schemes: These components could be leveraged for exploitation, with particular attention to how URL schemes are managed for input vulnerabilities.
  • SDK Versions: The minSdkVersion, targetSdkVersion, and maxSdkVersion attributes indicate the supported Android versions, highlighting the importance of not supporting outdated, vulnerable Android versions for security reasons.

From the strings.xml file, sensitive information such as API keys, custom schemas, and other developer notes can be discovered, underscoring the need for careful review of these resources.
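The checks listed above can be scripted against a decoded manifest. The following is an added example written for this page (not HackTricks' or any tool's code): it reads an apktool-decoded AndroidManifest.xml and reports the debuggable/backup/network-config settings, the minSdkVersion, and every effectively exported component that is not protected by a permission (applying the intent-filter default rule and the pre-API-17 provider default). The sample manifest and its package name com.example.demo are constructed for the example.

```python
# Added example (not code from the original page): audit a decoded
# AndroidManifest.xml for the risky settings described above. Assumes the
# manifest was decoded by apktool, i.e. plain XML rather than binary AXML.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(el, name, default=None):
    """Return the android:<name> attribute of an element, or default."""
    return el.get("{%s}%s" % (ANDROID_NS, name), default)


def audit_manifest(xml_text):
    """Return a list of human-readable findings for a decoded manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    uses_sdk = root.find("uses-sdk")
    min_sdk = int(attr(uses_sdk, "minSdkVersion", "1")) if uses_sdk is not None else 1
    findings = []

    if attr(app, "debuggable") == "true":
        findings.append("debuggable=true: a debugger can be attached to the running app")
    if attr(app, "allowBackup", "true") == "true":
        findings.append("allowBackup not set to false: app data may be extractable via adb backup")
    if attr(app, "networkSecurityConfig") is None:
        findings.append("no networkSecurityConfig: review cleartext and trust-anchor defaults")
    findings.append("minSdkVersion=%d: every Android release from this API level is supported" % min_sdk)

    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.iter(tag):
            name = attr(comp, "name")
            exported = attr(comp, "exported")
            if tag == "provider":
                # Providers default to exported only when minSdkVersion < 17.
                is_exported = exported == "true" or (exported is None and min_sdk < 17)
            else:
                # A component with an <intent-filter> is exported unless exported="false".
                has_filter = comp.find("intent-filter") is not None
                is_exported = exported == "true" or (exported is None and has_filter)
            if is_exported and attr(comp, "permission") is None:
                findings.append("exported %s without a permission: %s" % (tag, name))
    return findings


# Constructed sample manifest; package and component names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="33"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="example" android:host="app"/>
      </intent-filter>
    </activity>
    <activity android:name=".SecretActivity" android:exported="true" android:permission="com.example.demo.PERM"/>
    <service android:name=".SyncService" android:exported="false"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.provider"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("[!]", finding)
```

Run it against `apktool d app.apk` output with `audit_manifest(open("app/AndroidManifest.xml").read())`; the exported components it lists are the ones to hand to Drozer or `adb shell am start` in the dynamic phase.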

Tapjacking

Tapjacking is an attack where a malicious application is launched and positions itself on top of a victim application. Once it visibly obscures the victim app, its user interface is designed in such a way as to trick the user into interacting with it, while it passes the touches along to the victim app.
In effect, it blinds the user from knowing they are actually performing actions on the victim app.

Find more information in:

Tapjacking

Task Hijacking

An activity with the launchMode set to singleTask without any taskAffinity defined is vulnerable to task hijacking. This means that an application can be installed and, if launched before the real application, it could hijack the task of the real application (so the user will be interacting with the malicious application thinking they are using the real one).

More info in:

Android Task Hijacking

Insecure data storage

Internal Storage

In Android, files stored in internal storage are designed to be accessible exclusively by the app that created them. This security measure is enforced by the Android operating system and is generally adequate for the security needs of most applications. However, developers sometimes use modes such as MODE_WORLD_READABLE and MODE_WORLD_WRITABLE to allow files to be shared between different applications. Yet, these modes do not restrict access to these files by other applications, including potentially malicious ones. (Both modes have been deprecated since API 17 and throw a SecurityException on API 24 and later, so their presence also tells you something about the minSdkVersion the app still supports.)

  1. Static Analysis:
  • Ensure that the usage of MODE_WORLD_READABLE and MODE_WORLD_WRITABLE is carefully scrutinized. These modes can potentially expose files to unintended or unauthorized access.
  2. Dynamic Analysis:
  • Verify the permissions set on files created by the app. Specifically, check if any files are set to be readable or writable world-wide. This can pose a significant security risk, as it would allow any application installed on the device, regardless of its origin or intent, to read or modify these files.
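For the dynamic check, the output of `adb shell ls -lR /data/data/<package>` (as root) can be parsed rather than read by eye. The script below is an added example for this page, not code from HackTricks or any tool: it walks the `ls -lR` listing, keeps only regular files and reports any whose "others" bits grant read or write. The listing and package name com.example.demo are constructed for the example.

```python
# Added example (not from the original page): parse `adb shell ls -lR <dir>`
# output and flag files readable or writable by any other app on the device.
import re

# perms links owner group size date time name  (toybox/busybox `ls -l` layout)
LS_LINE = re.compile(r"^([-dl][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+(.+)$")


def world_access_findings(ls_output):
    """Return (path, perms, issue) for every world-readable/writable file."""
    findings = []
    current_dir = ""
    for line in ls_output.splitlines():
        line = line.rstrip()
        if line.endswith(":"):            # `ls -R` directory header
            current_dir = line[:-1]
            continue
        m = LS_LINE.match(line)
        if not m:                         # "total N", blank lines, etc.
            continue
        perms, owner, group, name = m.groups()
        if perms[0] == "d":
            continue
        other = perms[7:10]               # rwx bits for "others"
        issues = []
        if "r" in other:
            issues.append("world-readable")
        if "w" in other:
            issues.append("world-writable")
        if issues:
            findings.append((current_dir + "/" + name, perms, ", ".join(issues)))
    return findings


# Constructed listing: session.xml was written with MODE_WORLD_WRITEABLE,
# users.db with MODE_WORLD_READABLE; the rest use the private default.
SAMPLE_LS = """/data/data/com.example.demo:
drwx------ 2 u0_a123 u0_a123 4096 2024-01-05 10:22 cache
drwxrwx--x 2 u0_a123 u0_a123 4096 2024-01-05 10:22 shared_prefs

/data/data/com.example.demo/shared_prefs:
-rw-rw-rw- 1 u0_a123 u0_a123  312 2024-01-05 10:22 session.xml
-rw------- 1 u0_a123 u0_a123  120 2024-01-05 10:22 settings.xml

/data/data/com.example.demo/databases:
-rw-r--r-- 1 u0_a123 u0_a123 16384 2024-01-05 10:22 users.db
-rw-rw---- 1 u0_a123 u0_a123  8720 2024-01-05 10:22 users.db-journal
"""

if __name__ == "__main__":
    # Real target: listing = subprocess.check_output(["adb", "shell", "su -c 'ls -lR /data/data/com.example.demo'"], text=True)
    for path, perms, issue in world_access_findings(SAMPLE_LS):
        print(perms, path, "->", issue)
```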

External Storage

When dealing with files on external storage, like SD cards, certain precautions should be taken:

  1. Accessibility:
  • Files on external storage are globally readable and writable. This means any application or user can access these files.
  2. Security Concerns:
  • Given the ease of access, it's advised not to store sensitive information on external storage.
  • External storage can be removed or accessed by any application, making it less secure.
  3. Handling Data from External Storage:
  • Always perform input validation on data retrieved from external storage. This is crucial because the data is from an untrusted source.
  • Storing executables or class files on external storage for dynamic loading is strongly discouraged.
  • If your application must retrieve executable files from external storage, ensure these files are signed and cryptographically verified before they are dynamically loaded. This step is vital for maintaining the security integrity of your application.

External storage can be accessed in /storage/emulated/0, /sdcard, /mnt/sdcard

tip

Starting with Android 4.4 (API 19), the SD card has a directory structure which limits access from an app to the directory which is specifically for that app. This prevents a malicious application from gaining read or write access to another app's files.

Sensitive data stored in clear-text

  • Shared preferences: Android allows each application to easily save XML files in the path /data/data/<packagename>/shared_prefs/ and sometimes it's possible to find sensitive information in clear-text in that folder.
  • Databases: Android allows each application to easily save SQLite databases in the path /data/data/<packagename>/databases/ and sometimes it's possible to find sensitive information in clear-text in that folder.

Broken TLS

Accept All Certificates

For some reason sometimes developers accept all the certificates even if, for example, the hostname does not match, with lines of code like the following (decompiled code; `cc` is an obfuscated class name wrapping Apache HttpClient's SSLSocketFactory):

java
SSLSocketFactory sf = new cc(trustStore);
// Disables hostname verification: a certificate valid for any other host is accepted
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);

A good way to test this is to try to capture the traffic using a proxy like Burp without authorising the Burp CA inside the device. Also, you can generate with Burp a certificate for a different hostname and use it; if the app still talks to the proxy, hostname verification is broken.

Kriptografia Iliyovunjika

Poor Key Management Processes

Some developers save sensitive data in the local storage and encrypt it with a key hardcoded/predictable in the code. This shouldn't be done as some reversing could allow attackers to extract the confidential information.

Use of Insecure and/or Deprecated Algorithms

Developers shouldn't use deprecated algorithms to perform authorisation checks, store or send data. Some of these algorithms are: RC4, MD4, MD5, SHA1... If hashes are used to store passwords for example, hashes resistant to brute-force should be used along with a salt (a slow password hash such as PBKDF2, bcrypt, scrypt or Argon2).

Ukaguzi Mengine

  • It's recommended to obfuscate the APK to make the reverse engineering work harder for attackers.
  • If the app is sensitive (like bank apps), it should perform its own checks to see if the mobile is rooted and act accordingly.
  • If the app is sensitive (like bank apps), it should check if an emulator is being used.
  • If the app is sensitive (like bank apps), it should check its own integrity before executing to check if it was modified.
  • Use APKiD to check which compiler/packer/obfuscator was used to build the APK

React Native Application

Read the following page to learn how to easily access the JavaScript code of React applications:

React Native Application

Xamarin Applications

Read the following page to learn how to easily access the C# code of Xamarin applications:

Xamarin Apps

Superpacked Applications

According to this blog post superpacked is a Meta algorithm that compresses the content of an application into a single file. The blog talks about the possibility of creating an app that decompresses these kinds of apps... and a faster way which involves executing the application and gathering the decompressed files from the filesystem.

Automated Static Code Analysis

The tool mariana-trench is capable of finding vulnerabilities by scanning the code of the application. This tool contains a series of known sources (that indicate the places where the input is controlled by the user), sinks (that indicate dangerous places where malicious user input could cause damage) and rules. These rules indicate the combination of sources-sinks that indicates a vulnerability.

With this knowledge, mariana-trench will review the code and find possible vulnerabilities on it.

Secrets leaked

An application may contain secrets (API keys, passwords, hidden URLs, subdomains...) inside of it that you might be able to discover. You could use a tool such as https://github.com/dwisiswant0/apkleaks
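The string hunting from "Looking for interesting Info", the weak-algorithm and hardcoded-key checks from "Broken Cryptography", and the secret search above are all one pass over the decompiled sources. The script below is an added example written for this page (not apkleaks, MobSF or HackTricks code): it runs a small set of regex rules over a Java file produced by jadx and reports each hit with its line number. The sample class, its key and token values are constructed and made up for the example; the rule list is a starting point to extend, not a complete signature set.

```python
# Added example (not from the original page): grep-style scan of decompiled
# Java sources for weak crypto, hardcoded key material and interesting strings.
import re

RULES = [
    # MessageDigest.getInstance("MD5") / ("SHA-1") / ("SHA1") ...
    ("weak-hash",     re.compile(r'MessageDigest\.getInstance\(\s*"(MD2|MD4|MD5|SHA-?1)"')),
    # DES/RC4/Blowfish, and "AES" on its own, which the JCE resolves to AES/ECB.
    ("weak-cipher",   re.compile(r'Cipher\.getInstance\(\s*"((?:DES|DESede|RC4|ARCFOUR|Blowfish)[^"]*|AES(?:/ECB[^"]*)?)"')),
    # Identifier containing key/secret/password/token assigned a string literal.
    ("hardcoded-key", re.compile(r'(?i)\w*(?:key|secret|password|passwd|token)\w*\s*=\s*"([^"]{8,})"')),
    ("url",           re.compile(r'https?://[^\s"\']+')),
    # Long base64/hex-looking literals: API keys, embedded keys, JWTs.
    ("high-entropy",  re.compile(r'"([A-Za-z0-9+/=_-]{32,})"')),
]


def scan_source(text, path="<input>"):
    """Return (path, line_no, rule, matched_text) for every rule hit."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES:
            for m in rx.finditer(line):
                hits.append((path, no, rule, m.group(0)))
    return hits


# Constructed sample of what jadx might emit; all values are fake.
SAMPLE_JAVA = """package com.example.demo;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.security.MessageDigest;

public class CryptoUtil {
    private static final String KEY = "0123456789abcdef";
    static final String API_BASE = "https://api.example.com/v1/";
    static final String API_TOKEN = "ZmFrZS10b2tlbi1mb3ItdGhlLWV4YW1wbGUtb25seQ==";

    static byte[] encrypt(byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY.getBytes(), "AES"));
        return c.doFinal(data);
    }

    static byte[] hashPassword(String pw) throws Exception {
        return MessageDigest.getInstance("MD5").digest(pw.getBytes());
    }
}"""

if __name__ == "__main__":
    # Real target: walk the jadx output directory and call scan_source on each .java file.
    for path, no, rule, text in scan_source(SAMPLE_JAVA, "CryptoUtil.java"):
        print("%s:%d [%s] %s" % (path, no, rule, text))
```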

Bypass Biometric Authentication

Bypass Biometric Authentication (Android)

Other interesting things

  • Code execution: Runtime.exec(), ProcessBuilder(), native code: system()
  • Send SMSs: sendTextMessage, sendMultipartTextMessage
  • Native functions declared as native: public native, System.loadLibrary, System.load
  • Read this to learn how to reverse native functions
  • In-memory native code execution via JNI (downloaded shellcode → mmap/mprotect → call):

In Memory Jni Shellcode Execution

Other tricks

content:// protocol



Dynamic Analysis

First of all, you need an environment where you can install the application and all the tooling around it (Burp CA cert, Drozer and Frida mainly). Therefore, a rooted device (emulated or not) is extremely recommended.

Online Dynamic analysis

You can create a free account in: https://appetize.io/. This platform allows you to upload and execute APKs, so it is useful to see how an apk behaves.

You can even see the logs of your application in the web and connect through adb.

Thanks to the ADB connection you can use Drozer and Frida inside the emulators.

Local Dynamic Analysis

Using an emulator

  • Android Studio (You can create x86 and arm devices, and according to this the latest x86 versions support ARM libraries without needing a slow arm emulator).
  • Learn to set it up in this page:

AVD - Android Virtual Device

  • Genymotion (Free version: Personal Edition, you need to create an account. It's recommended to download the version WITH VirtualBox to avoid potential errors.)
  • Nox (Free, but it doesn't support Frida or Drozer).

tip

When creating a new emulator on any platform remember that the bigger the screen is, the slower the emulator will run. So select small screens if possible.

To install Google services (like the Play Store) in Genymotion you need to click on the red-marked button of the following image:

Also, notice that in the configuration of the Android VM in Genymotion you can select Bridge Network mode (this will be useful if you will be connecting to the Android VM from a different VM with the tools).

Use a physical device

You need to activate the debugging options and it will be helpful if you can root it:

  1. Settings.
  2. (From Android 8.0) Select System.
  3. Select About phone.
  4. Press Build number 7 times.
  5. Go back and you will find the Developer options.

Once you have installed the application, the first thing you should do is to try it and investigate what it does, how it works and get comfortable with it.
I suggest performing this initial dynamic analysis using MobSF dynamic analysis + pidcat, so we will be able to learn how the application works while MobSF captures a lot of interesting data you can review later on.

Magisk/Zygisk quick notes (recommended on Pixel devices)

  • Patch boot.img with the Magisk app and flash it via fastboot to get systemless root
  • Enable Zygisk + DenyList for root hiding; consider LSPosed/Shamiko when stronger hiding is needed
  • Keep the original boot.img to restore after OTA updates; re-patch after every OTA
  • For screen mirroring, use scrcpy on the host

Unintended Data Leakage

Logging

Developers should be cautious of exposing debugging information publicly, as it can lead to sensitive data leaks. The tools pidcat and adb logcat are recommended for monitoring application logs to identify and protect sensitive information. Pidcat is favoured for its ease of use and readability.

warning

Note that from versions newer than Android 4.0 (i.e. 4.1, API 16, onwards), applications are only able to access their own logs. So applications cannot access the logs of other apps.
Anyway, it's still recommended not to log sensitive information.
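When pidcat output is long, a filter that keeps one PID and flags credential-looking lines saves time. The script below is an added example for this page (not pidcat's or HackTricks' code): it parses `adb logcat -v threadtime` lines, restricts them to the target PID and applies a few leak patterns (key=value credentials, JWTs, bearer headers, card-number-like digit runs). The log lines, PIDs and tags are constructed for the example.

```python
# Added example (not from the original page): filter `adb logcat -v threadtime`
# output to one PID and flag lines that look like they leak credentials.
import re

# "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG     : message"
LOGCAT_LINE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>.*?)\s*: (?P<msg>.*)$"
)

SENSITIVE = [
    ("credential", re.compile(r'(?i)\b(password|passwd|pwd|secret|token)\b["\']?\s*[:=]\s*["\']?([^"\'\s,}]+)')),
    ("jwt",        re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")),
    ("bearer",     re.compile(r"(?i)authorization:\s*bearer\s+\S+")),
    ("card",       re.compile(r"\b(?:\d[ -]?){13,19}\b")),
]


def parse_logcat(text):
    """Yield one dict per well-formed threadtime line."""
    for line in text.splitlines():
        m = LOGCAT_LINE.match(line)
        if m:
            yield m.groupdict()


def find_leaks(text, pid=None):
    """Return (pid, tag, kind, evidence) for every sensitive-looking log line."""
    leaks = []
    for rec in parse_logcat(text):
        if pid is not None and rec["pid"] != str(pid):
            continue
        for kind, rx in SENSITIVE:
            m = rx.search(rec["msg"])
            if m:
                leaks.append((int(rec["pid"]), rec["tag"], kind, m.group(0)))
    return leaks


# Constructed log excerpt: PID 1234 is the app under test, 2222 is another app.
SAMPLE_LOG = """01-05 10:22:31.123  1234  1234 D AuthManager: login ok user=alice token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl
01-05 10:22:31.200  1234  1250 I OkHttp  : --> POST https://api.example.com/v1/login
01-05 10:22:31.201  1234  1250 I OkHttp  : {"username":"alice","password":"hunter2"}
01-05 10:22:32.010  1234  1234 V Lifecycle: onResume MainActivity
01-05 10:22:33.000  2222  2222 D OtherApp: password=notours
"""

if __name__ == "__main__":
    # Real target: pid = int(subprocess.check_output(["adb", "shell", "pidof", "com.example.demo"]))
    for pid, tag, kind, evidence in find_leaks(SAMPLE_LOG, pid=1234):
        print("pid=%d tag=%s kind=%s -> %s" % (pid, tag, kind, evidence))
```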

Copy/Paste Buffer Caching

Android's clipboard-based framework enables copy-paste functionality in apps, yet poses a risk as other apps can access the clipboard, potentially exposing sensitive data. It's crucial to disable copy/paste functions for sensitive sections of an application, like credit card details, to prevent data leaks. (Since Android 10 only the app in the foreground and the default input method can read the clipboard, which limits but does not remove the risk.)

Crash Logs

If an application crashes and saves logs, these logs can aid attackers, particularly when the application cannot be reverse-engineered. To mitigate this risk, avoid logging on crashes, and if logs must be transmitted over the network, ensure they are sent via a TLS channel for security.

As a pentester, try to take a look at these logs.

Analytics Data Sent To 3rd Parties

Applications often integrate services like Google AdSense, which can inadvertently leak sensitive data due to improper implementation by developers. To identify potential data leaks, it's advisable to intercept the application's traffic and check for any sensitive information being sent to third-party services.

SQLite DBs

Most applications will use internal SQLite databases to save information. During the pentest take a look at the databases created, the names of tables and columns and all the data saved because you could find sensitive information (which would be a vulnerability).
Databases should be located in /data/data/the.package.name/databases like /data/data/com.mwr.example.sieve/databases

If the database is saving confidential information and is encrypted but you can find the password inside the application, it's still a vulnerability.

Enumerate the tables using .tables and enumerate the columns of the tables doing .schema <table_name>
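The same enumeration can be done from Python once the database has been pulled with `adb pull`, which also makes it easy to flag column names that usually hold secrets. The following is an added example written for this page (not HackTricks' or sqlite3's own code): it lists every table, its columns (the equivalent of .tables / .schema), the columns whose names look sensitive, and a few sample rows. The database it builds in memory is constructed for the example; against a real target replace `build_sample_db()` with `sqlite3.connect("users.db")`.

```python
# Added example (not from the original page): enumerate a pulled SQLite DB
# and flag columns whose names suggest secrets.
import re
import sqlite3

SENSITIVE_COLUMN = re.compile(r"(?i)pass|pwd|pin|secret|token|session|card|cvv|ssn|api_?key")


def build_sample_db():
    """Construct an in-memory DB that mimics a careless app's users.db."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, pin TEXT);
        CREATE TABLE settings (name TEXT, value TEXT);
        INSERT INTO users VALUES (1, 'alice', 'hunter2', '1234');
        INSERT INTO settings VALUES ('theme', 'dark');
    """)
    return conn


def enumerate_db(conn, sample_rows=3):
    """Return {table: {"columns": [...], "suspicious": [...], "rows": [...]}}."""
    report = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # Table names come from the DB itself, so quote them as identifiers.
        quoted = '"' + table.replace('"', '""') + '"'
        columns = [r[1] for r in conn.execute("PRAGMA table_info(%s)" % quoted)]
        rows = conn.execute("SELECT * FROM %s LIMIT %d" % (quoted, sample_rows)).fetchall()
        report[table] = {
            "columns": columns,
            "suspicious": [c for c in columns if SENSITIVE_COLUMN.search(c)],
            "rows": rows,
        }
    return report


if __name__ == "__main__":
    # Real target: adb pull /data/data/<pkg>/databases/users.db . ; conn = sqlite3.connect("users.db")
    for table, info in enumerate_db(build_sample_db()).items():
        print(table, info["columns"], "suspicious:", info["suspicious"])
        for row in info["rows"]:
            print("   ", row)
```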

Drozer (Exploit Activities, Content Providers and Services)

From Drozer Docs: Drozer allows you to assume the role of an Android app and interact with other apps. It can do anything that an installed application can do, such as make use of Android's Inter-Process Communication (IPC) mechanism and interact with the underlying operating system.
Drozer is a useful tool to exploit exported activities, exported services and Content Providers as you will learn in the following sections.

Exploiting exported Activities

Read this if you want to refresh what an Android Activity is.
Also remember that the code of an activity starts in the onCreate method.

Authorisation bypass

When an Activity is exported you can invoke its screen from an external app. Therefore, if an activity with sensitive information is exported you could bypass the authentication mechanisms to access it.

Learn how to exploit exported activities with Drozer.

You can also start an exported activity from adb:

  • PackageName is com.example.demo
  • Exported ActivityName is com.example.test.MainActivity
bash
adb shell am start -n com.example.demo/com.example.test.MainActivity

NOTE: MobSF will flag as malicious the use of singleTask/singleInstance as android:launchMode in an activity, but due to this, apparently this is only dangerous on old versions (API versions < 21).

tip

Note that an authorisation bypass is not always a vulnerability; it depends on how the bypass works and which information is exposed.

Sensitive information leakage

Activities can also return results. If you find an exported and unprotected activity calling the setResult method and returning sensitive information, there is a sensitive information leakage.

Tapjacking

If tapjacking isn't prevented, you could abuse the exported activity to make the user perform unexpected actions. For more info about what Tapjacking is follow the link.

Exploiting Content Providers - Accessing and manipulating sensitive information

Read this if you want to refresh what a Content Provider is.
Content providers are basically used to share data. If an app has available content providers you may be able to extract sensitive data from them. It is also interesting to test possible SQL injections and Path Traversals as they could be vulnerable.

Learn how to exploit Content Providers with Drozer.

Exploiting Services

Read this if you want to refresh what a Service is.
Remember that the actions of a Service start in the onStartCommand method.

A service is basically something that can receive data, process it and return (or not) a response. So, if an application is exporting some services you should check the code to understand what it's doing and test it dynamically to extract confidential info, bypass authentication measures...
Learn how to exploit Services with Drozer.

Exploiting Broadcast Receivers

Read this if you want to refresh what a Broadcast Receiver is.
Remember that the actions of a Broadcast Receiver start in the onReceive method.

A Broadcast receiver will be waiting for a type of message. Depending on how the receiver handles the message it could be vulnerable.
Learn how to exploit Broadcast Receivers with Drozer.

Deep links (URL schemes declared in the manifest) are another exported entry point. You can look for them manually, using tools like MobSF or scripts like this one.
You can open a declared scheme using adb or a browser:

bash
adb shell am start -a android.intent.action.VIEW -d "scheme://hostname/path?param=value" [your.package.name]

Note that you can omit the package name and the device will automatically pick the app that should open that link.

html
<!-- Browser regular link -->
<a href="scheme://hostname/path?param=value">Click me</a>
<!-- fallback in your url you could try the intent url -->
<a href="intent://hostname#Intent;scheme=scheme;package=your.package.name;S.browser_fallback_url=http%3A%2F%2Fwww.example.com;end">with alternative</a>

Code executed

In order to find the code that will be executed in the App, go to the activity called by the deeplink and search the function onNewIntent (and onCreate, which receives the intent when the activity is not already running).

Sensitive info

Every time you find a deep link check that it's not receiving sensitive data (like passwords) via URL parameters, because any other application could impersonate the deep link and steal that data!

Parameters in path

You must also check if any deep link is using a parameter inside the path of the URL like: https://api.example.com/v1/users/{username} , in that case you can force a path traversal accessing something like: example://app/users?username=../../unwanted-endpoint%3fparam=value .
Note that if you find the correct endpoints inside the application you may be able to cause an Open Redirect (if part of the path is used as domain name), account takeover (if you can modify user details without a CSRF token and the vulnerable endpoint used the correct method) and any other vulnerability. More info about this here.
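The traversal above is easier to reason about when the chain from deep link to outgoing request is written out. The following is an added example for this page (not HackTricks' or any app's code): it extracts the `username` parameter the way an Activity would via `Uri.getQueryParameter()` (which percent-decodes, so `%3f` becomes `?`), concatenates it into the API URL the way the vulnerable app does, and resolves the dot segments as an HTTP client does before sending; a hardened builder that encodes the value as a single path segment is shown beside it. API_BASE and the `example://app` scheme are hypothetical.

```python
# Added example (not from the original page): deep-link parameter -> naive
# URL concatenation -> path traversal, beside a safe encoding of the value.
import posixpath
from urllib.parse import parse_qs, quote, urlsplit

API_BASE = "https://api.example.com/v1/users/"   # hypothetical endpoint


def username_from_deeplink(link):
    """Extract ?username= like Uri.getQueryParameter(): the value is %-decoded."""
    query = parse_qs(urlsplit(link).query)
    return query.get("username", [""])[0]


def vulnerable_build(username):
    """String concatenation: '/', '..' and '?' in the value keep their meaning."""
    return API_BASE + username


def hardened_build(username):
    """Encode the value as one path segment; traversal characters are neutralised."""
    return API_BASE + quote(username, safe="")


def final_request_url(url):
    """Resolve dot segments the way an HTTP client does before sending the request."""
    p = urlsplit(url)
    path = posixpath.normpath(p.path)
    return "%s://%s%s%s" % (p.scheme, p.netloc, path, "?" + p.query if p.query else "")


if __name__ == "__main__":
    link = "example://app/users?username=../../unwanted-endpoint%3fparam=value"
    user = username_from_deeplink(link)
    print("param     :", user)
    print("vulnerable:", final_request_url(vulnerable_build(user)))
    print("hardened  :", final_request_url(hardened_build(user)))
```

With the vulnerable builder the request leaves `/v1/users/` entirely and carries the attacker's query string; with the hardened one the whole value stays a single segment under `/v1/users/`.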

More examples

An interesting bug bounty report about links (/.well-known/assetlinks.json).

Transport Layer Inspection and Verification Failures

  • Certificates are not always inspected properly by Android applications. It's common for these applications to overlook warnings and accept self-signed certificates or, in some instances, revert to using HTTP connections.
  • Negotiations during the SSL/TLS handshake are sometimes weak, employing insecure cipher suites. This vulnerability makes the connection susceptible to man-in-the-middle (MITM) attacks, allowing attackers to decrypt the data.
  • Leakage of private information is a risk when applications authenticate using secure channels but then communicate over non-secure channels for other transactions. This approach fails to protect sensitive data, such as session cookies or user details, from interception by malicious entities.

Certificate Verification

We will focus on certificate verification. The integrity of the server's certificate must be verified to enhance security. This is crucial because insecure TLS configurations and the transmission of sensitive data over unencrypted channels can pose significant risks. For detailed steps on verifying server certificates and addressing vulnerabilities, this resource provides comprehensive guidance.

SSL Pinning

SSL Pinning is a security measure where the application verifies the server's certificate against a known copy stored within the application itself. This method is essential for preventing MITM attacks. Implementing SSL Pinning is strongly recommended for applications handling sensitive information.

Traffic Inspection

To inspect HTTP traffic, it's necessary to install the proxy tool's certificate (e.g., Burp). Without installing this certificate, encrypted traffic might not be visible through the proxy. For a guide on installing a custom CA certificate, click here.

Applications targeting API Level 24 and above require modifications to the Network Security Config to accept the proxy's CA certificate, because user-installed CAs are no longer trusted by default. This step is critical for inspecting encrypted traffic. For instructions on modifying the Network Security Config, refer to this tutorial.

If Flutter is being used you need to follow the instructions in this page. This is because just adding the certificate to the store won't work as Flutter has its own list of valid CAs.

Static detection of SSL/TLS pinning

Before attempting runtime bypasses, quickly map where pinning is enforced in the APK. Static detection helps plan hooks/patches and focus on the exact code paths.

Tool: SSLPinDetect

  • Open-source static-analysis utility that decompiles an APK to Smali (via apktool) and scans for curated regex patterns of SSL/TLS pinning implementations.
  • Reports exact file path, line number, and code snippet for each match.
  • Covers common frameworks and custom code paths: OkHttp CertificatePinner, custom javax.net.ssl.X509TrustManager.checkServerTrusted, SSLContext.init with custom TrustManagers/KeyManagers, and Network Security Config XML pins.

Install

  • Prereqs: Python >= 3.8, Java on PATH, apktool
bash
git clone https://github.com/aancw/SSLPinDetect
cd SSLPinDetect
pip install -r requirements.txt

Usage

bash
# Basic
python sslpindetect.py -f app.apk -a apktool.jar

# Verbose (timings + per-match path:line + snippet)
python sslpindetect.py -a apktool_2.11.0.jar -f sample/app-release.apk -v

Example pattern rules (JSON). Use or extend the signatures to detect proprietary/custom pinning styles. You can load your own JSON and scan at scale.

json
{
"OkHttp Certificate Pinning": [
"Lcom/squareup/okhttp/CertificatePinner;",
"Lokhttp3/CertificatePinner;",
"setCertificatePinner"
],
"TrustManager Override": [
"Ljavax/net/ssl/X509TrustManager;",
"checkServerTrusted"
]
}

Notes and tips

  • Fast scanning on large apps via multi-threading and memory-mapped I/O; pre-compiled regexes reduce overhead/false positives.
  • Pattern collection: https://github.com/aancw/smali-sslpin-patterns
  • Typical detection targets to triage afterwards:
  • OkHttp: CertificatePinner usage, setCertificatePinner, okhttp3/okhttp package references
  • Custom TrustManagers: javax.net.ssl.X509TrustManager, checkServerTrusted overrides
  • Custom SSL contexts: SSLContext.getInstance + SSLContext.init with custom managers
  • Declarative pins in res/xml network security config and manifest references
  • Use the matched locations to plan Frida hooks, static patches, or config reviews before dynamic testing.

Bypassing SSL Pinning

When SSL Pinning is implemented, bypassing it becomes necessary to inspect HTTPS traffic. Various methods are available for this purpose:

Looking for Common Web Vulnerabilities

It's important to also search for common web vulnerabilities within the application. Detailed information on identifying and mitigating these vulnerabilities is beyond the scope of this summary but is extensively covered elsewhere.

Frida

Frida is a dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
You can access the running application and hook methods at run time to change the behaviour, change values, extract values, run different code...
If you want to pentest Android applications you need to know how to use Frida.

Anti-instrumentation & SSL pinning bypass workflow

Android Anti Instrumentation And Ssl Pinning Bypass

Dump Memory - Fridump

Check if the application is storing sensitive information inside the memory that it shouldn't be storing, like passwords or mnemonics.

Using Fridump3 you can dump the memory of the app with:

bash
# With PID
python3 fridump3.py -u <PID>

# With name
frida-ps -Uai
python3 fridump3.py -u "<Name>"

This will dump the memory into the folder ./dump, and in there you could grep for, e.g., a 12-word mnemonic with something like:

bash
strings * | grep -E "^[a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+$"

Sensitive data in Keystore

In Android the Keystore is the best place to store sensitive data, however, with enough privileges it's still possible to access it. As applications tend to store sensitive data here in clear text, the pentest should check for it as root user, since someone with physical access to the device could be able to steal this data.

Even if an app stores data in the Keystore, the data should be encrypted.

To access the data inside the Keystore you could use this Frida script: https://github.com/WithSecureLabs/android-keystore-audit/blob/master/frida-scripts/tracer-cipher.js

bash
frida -U -f com.example.app -l frida-scripts/tracer-cipher.js

Fingerprint/Biometrics Bypass

Using the following Frida script it could be possible to bypass the fingerprint authentication Android applications might be performing in order to protect certain sensitive areas:

bash
frida --codeshare krapgras/android-biometric-bypass-update-android-11 -U -f <app.package>

Background Images

When you put an application in the background, Android stores a snapshot of the application so when it's brought back to the foreground it starts loading the image before the app, making it look like the app loaded faster.

However, if this snapshot contains sensitive information, someone with access to the snapshot might steal that info (note that you need root to access it).

The snapshots are usually stored around: /data/system_ce/0/snapshots

Android provides a way to prevent screenshot capture by setting the FLAG_SECURE layout parameter. By using this flag, the window contents are treated as secure, preventing them from appearing in screenshots (and in the recents snapshot) or from being viewed on non-secure displays.

java
getWindow().setFlags(LayoutParams.FLAG_SECURE, LayoutParams.FLAG_SECURE);

Android Application Analyzer

This tool can help you manage different tools during the dynamic analysis: https://github.com/NotSoSecure/android_application_analyzer

Intent Injection

Developers often create proxy components like activities, services, and broadcast receivers that handle these Intents and pass them to methods such as startActivity(...) or sendBroadcast(...), which can be risky.

The danger lies in allowing attackers to trigger non-exported app components or access sensitive content providers by misdirecting these Intents. A notable example is the WebView component converting URLs to Intent objects via Intent.parseUri(...) and then executing them, potentially leading to malicious Intent injections.

Essential Takeaways

  • Intent Injection is similar to web's Open Redirect issue.
  • Exploits involve passing Intent objects as extras, which can be redirected to execute unsafe operations.
  • It can expose non-exported components and content providers to attackers.
  • WebView’s URL to Intent conversion can facilitate unintended actions.

Android Client Side Injections and others

Probably you know about this kind of vulnerabilities from the Web. You have to be especially careful with these vulnerabilities in an Android application:

  • SQL Injection: When dealing with dynamic queries or Content-Providers ensure you are using parameterized queries.
  • JavaScript Injection (XSS): Verify that JavaScript and Plugin support is disabled for any WebViews (disabled by default). More info here.
  • Local File Inclusion: WebViews should have access to the file system disabled (enabled by default) - (webview.getSettings().setAllowFileAccess(false);). More info here.
  • Eternal cookies: In several cases when the android application finish the session the cookie isn't revoked or it could be even saved to disk
  • Secure Flag in cookies
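The app-side fixes for the list above, as an added example that is not code from the original page: a ContentProvider-style query that binds caller input instead of concatenating it (using SQLiteQueryBuilder in strict mode), a WebView configuration with JavaScript and file/content access switched off, and session teardown that actually revokes the WebView cookies. The table name `notes`, its columns and the cookie values are constructed for the example.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.webkit.CookieManager;
import android.webkit.WebSettings;
import android.webkit.WebView;

import java.util.HashMap;
import java.util.Map;

public final class ClientSideHardening {
    private ClientSideHardening() {}

    // --- SQL injection: what a ContentProvider.query() should do with caller-supplied input ---
    // Constructed table and columns. selection/selectionArgs come from the (possibly hostile)
    // caller; they are bound, and setStrict(true) makes SQLiteQueryBuilder validate the
    // selection and reject columns outside the projection map.
    private static final String TABLE = "notes";
    private static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        PROJECTION_MAP.put("_id", "_id");
        PROJECTION_MAP.put("title", "title");
        PROJECTION_MAP.put("body", "body");
    }

    public static Cursor queryNotes(SQLiteDatabase db, String[] projection,
                                    String selection, String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        qb.setProjectionMap(PROJECTION_MAP);
        qb.setStrict(true);
        // ORDER BY is not a bindable parameter, so it is allow-listed rather than passed through.
        String safeSort = "title".equals(sortOrder) ? "title ASC" : "_id ASC";
        return qb.query(db, projection, selection, selectionArgs, null, null, safeSort);
    }

    // --- XSS / local file inclusion: lock the WebView down before loading any content ---
    public static void hardenWebView(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);              // injected script in a page cannot execute
        s.setAllowFileAccess(false);                // no file:// loads (default was true before API 30)
        s.setAllowContentAccess(false);             // no content:// loads through the WebView
        s.setAllowFileAccessFromFileURLs(false);    // a file:// page cannot read other local files
        s.setAllowUniversalAccessFromFileURLs(false); // a file:// page cannot reach other origins
        CookieManager.getInstance().setAcceptThirdPartyCookies(webView, false);
    }

    // --- Cookie flags: if the app itself seeds a session cookie, mark it Secure and HttpOnly ---
    public static void setSessionCookie(String origin, String sessionValue) {
        // origin is assumed to be an https:// URL; the Secure attribute keeps the cookie off
        // plaintext connections and HttpOnly keeps it away from page script.
        CookieManager.getInstance().setCookie(origin,
                "session=" + sessionValue + "; Secure; HttpOnly; Path=/");
    }

    // --- Eternal cookies: revoke the WebView session on logout instead of leaving it on disk ---
    public static void endSession(WebView webView) {
        CookieManager cm = CookieManager.getInstance();
        cm.removeAllCookies(null);   // asynchronous on API 21+; null callback is accepted
        cm.flush();                  // write the removal to the persistent cookie store now
        webView.clearCache(true);    // drop cached responses that may still carry session data
        webView.clearHistory();
    }
}
```

Note that the server still has to invalidate the session token; clearing cookies only removes the client's copy, which is why "the cookie isn't revoked" in the list above is a server-side check as well as a client-side one.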

Automatic Analysis

MobSF

Static analysis

Vulnerability assessment of the application using a nice web-based frontend. You can also perform dynamic analysis (but you need to prepare the environment).

```bash
docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
```

Note that MobSF can analyse Android (apk), iOS (ipa) and Windows (apx) applications (Windows applications must be analysed from a MobSF installed on a Windows host).
Also, if you create a ZIP file with the source code of an Android or iOS app (go to the root folder of the application, select everything and create a ZIP file), it will be able to analyse it too.

MobSF also allows you to diff/compare analyses and to integrate VirusTotal (you will need to set your API key in MobSF/settings.py and enable it: VT_ENABLED = TRUE VT_API_KEY = <Your API key> VT_UPLOAD = TRUE). You can also set VT_UPLOAD to False; the hash will then be uploaded instead of the file.

Assisted Dynamic Analysis with MobSF

MobSF can also be very helpful for dynamic analysis on Android, but in that case you will need to install MobSF and genymotion on your host (a VM or Docker won't work). Note: you need to start the VM in genymotion first and then MobSF.
The MobSF dynamic analyser can:

  • Dump application data (URLs, logs, clipboard, screenshots made by you, screenshots made by "Exported Activity Tester", emails, SQLite databases, XML files, and other created files). All of this is done automatically except for the screenshots; you need to press when you want a screenshot, or you can press "Exported Activity Tester" to obtain screenshots of all the exported activities.
  • Capture HTTPS traffic
  • Use Frida to obtain runtime information

On Android versions > 5, it will automatically start Frida and set global proxy settings to capture traffic. It will only capture traffic from the tested application.

Frida

By default, it will use some Frida scripts to bypass SSL pinning, root detection and debugger detection, and to monitor interesting APIs.
MobSF can also invoke exported activities, grab screenshots of them and save them for the report.

To start the dynamic testing press the green button: "Start Instrumentation". Press "Frida Live Logs" to see the logs generated by the Frida scripts and "Live API Monitor" to see all the invocations of hooked methods, the arguments passed and the values returned (this will appear after pressing "Start Instrumentation").
MobSF also allows you to load your own Frida scripts (to send the results of your Frida scripts to MobSF use the function send()). It also has several pre-written scripts you can load (you can add more in MobSF/DynamicAnalyzer/tools/frida_scripts/others/); just select them, press "Load" and then press "Start Instrumentation" (you will be able to see the logs of those scripts inside "Frida Live Logs").

Moreover, you have some auxiliary Frida functionalities:

  • Enumerate Loaded Classes: It will print all the loaded classes
  • Capture Strings: It will print all the captured strings while using the application (very noisy)
  • Capture String Comparisons: Can be very useful. It will show the 2 strings being compared and whether the result was True or False.
  • Enumerate Class Methods: Put the class name (like "java.io.File") and it will print all the methods of the class.
  • Search Class Pattern: Search classes by pattern
  • Trace Class Methods: Trace a whole class (see inputs and outputs of all the methods of the class). Remember that by default MobSF traces several interesting Android API methods.

Once you have selected the auxiliary module you want to use you need to press "Start Instrumentation" and you will see all the outputs in "Frida Live Logs".

Shell

MobSF also brings you a shell with some adb commands, MobSF commands, and common shell commands at the bottom of the dynamic analysis page. Some interesting commands:

```bash
help
shell ls
activities
exported_activities
services
receivers
```

HTTP tools

When the HTTP traffic is captured you can see an ugly view of the captured traffic on the "HTTP(S) Traffic" button or a nicer view on the green "Start HTTPTools" button. From the second option, you can send the captured requests to proxies like Burp or OWASP ZAP.
To do so, power on Burp --> turn off Intercept --> in MobSF HTTPTools select the request --> press "Send to Fuzzer" --> select the proxy address (http://127.0.0.1:8080).

Once you finish the dynamic analysis with MobSF you can press "Start Web API Fuzzer" to fuzz the HTTP requests and look for vulnerabilities.

tip

After performing a dynamic analysis with MobSF the proxy settings may be misconfigured and you won't be able to fix them from the GUI. You can fix the proxy settings by running:

```bash
adb shell settings put global http_proxy :0
```

Assisted Dynamic Analysis with Inspeckage

You can get the tool from Inspeckage.
This tool will use some Hooks to let you know what is happening in the application while you perform a dynamic analysis.

Yaazhini

This is a nice tool to perform static analysis with a GUI

Qark

This tool is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs. The tool is also capable of creating a "Proof-of-Concept" deployable APK and ADB commands to exploit some of the found vulnerabilities (exposed activities, intents, tapjacking...). As with Drozer, there is no need to root the test device.

```bash
pip3 install --user qark  # --user is only needed if not using a virtualenv
qark --apk path/to/my.apk
qark --java path/to/parent/java/folder
qark --java path/to/specific/java/file.java
```

ReverseAPK

  • Displays all extracted files for easy reference
  • Automatically decompiles APK files to Java and Smali format
  • Analyses AndroidManifest.xml for common vulnerabilities and behaviour
  • Static source code analysis for common vulnerabilities and behaviour
  • Device info
  • and more

```bash
reverse-apk relative/path/to/APP.apk
```

SUPER Android Analyzer

SUPER is a command-line application that can be used in Windows, MacOS X and Linux, and that analyses .apk files in search of vulnerabilities. It does this by decompressing APKs and applying a series of rules to detect those vulnerabilities.

All the rules are centred in a rules.json file, and each company or tester could create their own rules to analyse what they need.

Download the latest binaries from the download page

```bash
super-analyzer {apk_file}
```

StaCoAn

StaCoAn is a cross-platform tool which aids developers, bug bounty hunters and ethical hackers performing static code analysis on mobile applications.

The concept is that you drag and drop your mobile application file (an .apk or .ipa file) on the StaCoAn application and it will generate a visual and portable report for you. You can tweak the settings and wordlists to get a customised experience.

Download the latest release:

```bash
./stacoan
```

AndroBugs

AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications.
Windows releases

```bash
python androbugs.py -f [APK file]
androbugs.exe -f [APK file]
```

Androwarn

Androwarn is a tool whose main aim is to detect and warn the user about potential malicious behaviours developed by an Android application.

The detection is performed with the static analysis of the application's Dalvik bytecode, represented as Smali, with the androguard library.

This tool looks for common behaviour of "bad" applications such as: telephony identifier exfiltration, audio/video flow interception, PIM data modification, arbitrary code execution...

```bash
python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3
```

MARA Framework

MARA is a Mobile Application Reverse engineering and Analysis Framework. It is a tool that puts together commonly used mobile application reverse engineering and analysis tools, to assist in testing mobile applications against the OWASP mobile security threats. Its objective is to make this task easier and friendlier to mobile application developers and security professionals.

It is able to:

Koodous

Useful to detect malware: https://koodous.com/

Obfuscating/Deobfuscating code

Note that depending on the service and configuration you use to obfuscate the code, secrets may or may not end up obfuscated.

ProGuard

From Wikipedia: ProGuard is an open source command-line tool that shrinks, optimises and obfuscates Java code. It is able to optimise bytecode as well as detect and remove unused instructions. ProGuard is free software and is distributed under the GNU General Public License, version 2.

ProGuard is distributed as part of the Android SDK and runs when building the application in release mode.

DexGuard

Find a step-by-step guide to deobfuscate the apk at https://blog.lexfo.fr/dexguard.html

(From that guide) Last time we checked, the Dexguard mode of operation was:

  • load a resource as an InputStream;
  • feed the result to a class inheriting from FilterInputStream to decrypt it;
  • do some useless obfuscation to waste a few minutes of time from a reverser;
  • feed the decrypted result to a ZipInputStream to get a DEX file;
  • finally load the resulting DEX as a Resource using the loadDex method.

DeGuard

DeGuard reverses the process of obfuscation performed by Android obfuscation tools. This enables numerous security analyses, including code inspection and predicting libraries.

You can upload an obfuscated APK to their platform.

Deobfuscate android App (https://github.com/In3tinct/deobfuscate-android-app)

This is an LLM tool to find any potential security vulnerabilities in android apps and deobfuscate android app code. It uses Google's Gemini public API.

Simplify

It is a generic android deobfuscator. Simplify virtually executes an app to understand its behaviour and then tries to optimise the code so that it behaves identically but is easier for a human to understand. Each optimisation type is simple and generic, so it doesn't matter what specific type of obfuscation is used.

APKiD

APKiD gives you information about how an APK was made. It identifies many compilers, packers, obfuscators, and other weird stuff. It's PEiD for Android.

Manual

Read this tutorial to learn some tricks on how to reverse custom obfuscation

Maabara

Androl4b

AndroL4b is an Android security virtual machine based on ubuntu-mate that includes a collection of the latest frameworks, tutorials and labs from different security geeks and researchers for reverse engineering and malware analysis.

References
