Meticulously Modern Mobile Manipulations

welcome to my talk meticulously modern mobile manipulations that's a little bit of a mouthful you can just that orbit returns go mm-hmm all right my name is John Jacobs I'm a security researcher at since first and a little bit about me I've been hacking stuff for about ten years being fortunate to spend time with quite a large ISP had some banks and currently as I mentioned that since first and most specifically when it happens that I have to do a mobile assessments I kind of cringe very quickly because it's not a fun experience for most people now with this talk I hope to change some of that and we're going to look at these brand new iPhones and see what we could

do to make this hacking seen for us a little bit easier and better to work with but more importantly actually we want to cover sort of three disciplines and look a few look at a few techniques that could be used for those types of people's one of those would be a typical pen tester or a hacker that wants to look at a mobile application and find vulnerabilities or some bug that you could use the second scenario would be one where you're a malware reverser and maybe you want to understand how this mobile application actually works thirdly you might be responsible for some development with this mobile app that you're interested in and we'll look at some opportunities where you could

use some hacking tools or hacking techniques in your actual development pipeline but before we can get to the cool stuff I think first we need to have an honest conversation with ourselves about the state of mobile application hacking it's not the however old mobile apps have been around you know security has significantly improves for both mobile ecosystems and more specifically mobile applications and we can't just rampantly walk around and do what we want with the apps now that could be the fruits of the work that we've been doing you know some in this room could be maybe to blame that it's order today to do but that's not necessarily a bad thing but if we consider that from

hacking perspective you know the harder the ecosystem becomes the more difficult is it first you understand what our mobile apps might be doing in fact it might actually get even more complicated because I think many of us would simply say well I don't have a jailbreak for my device or I don't have root access for my device therefore I cannot perform this assessment or I cannot hack it this application or at the very least I can't effectively do that tasks that I want to do now it is a little bit different today very specifically today with things like check-rein being around wear a boot chain exploit exists for iOS devices I think it's up to the iPhone X

where we can get root access to a device you know and perform these assessments probably how we're used to if you had a iOS 12.4 device and you've heard of uncover before there was a case where Apple accidentally backports at a patch and you could actually have a signed version of iOS jailbroken at that very time now that very specific state is an incredibly rare scenario to be in you don't often have the opportunity to jailbreak at least with the public jailbreak I'm an assigned iOS version what's also quite funny about it is around about that time Apple announced at blackhat that they will be giving out researcher devices little that many of us know they're actually going to give

us a jailbreak in a new iOS device they obviously didn't intend that but nonetheless more importantly though as of today though is it might know a utility called Cydia impactor is actually broken for free development accounts meaning you can't just siloed arbitrary apps using Cydia impactor you sort of have to jump over a bunch of Hoops now really what I'm trying to say is a bunch of negative stuff about the state of mobile hacking we have this incredible reliance on having root and if we don't have that we say we won't be able to test these apps now for maybe the more tinfoil hats it in the room you know you might know about flashlight

apps many years ago that you would download don't know why you need a flashlight app but okay but it would not just be a flashlight app right this these apps are doing a whole bunch of other things and there was no way really to understand what they're doing in fact I might have actually chorus of God again I'd ask why I need a flashlight app but you know is our data that's being sent all of these devices being monetized in some way is it being used against us you know you a high profile person that has an interest in being secured not knowing that some stuff is leaving your device unintentionally now for me and my

personal capacity the boring rhetoric of not having the correct devices to perform an actual mobile pen test is actually something that's been incredibly frustrating for me like pretty badly but I was until I came across a framework or a utility or you know I don't even really know what you should call this called Frieda now most importantly I can't believe freed us free to start off with and the amount of stuff that you can do with it is actually incredible today we're going to be looking at some of the mobile applications or its application in the mobile world but honestly there's a whole bunch of other stuff that you can do with this it could probably blow your

mind in a different scenario I've been hacking some doom games and it's quite a lot of fun but okay maybe for those that have not seen free W we're at a security console need a lame analogy so I'm going to go with the castle and in this case imagine your castle is a mobile application here now the first scenario we have you have root on your device and if you look at this cause of that perspective you can come and go as you wish you can open any door you can inspect any room you know nothing is really off-limits from a mobile app perspective but when you don't have a jailbreak you probably can't see what's going on

in the castle next to you you're confined and that one that you are and in this case an application and it's sort of have to trust what they're up to you is what they say they're doing now to change that if we add frida to the mix you can sort of see this as someone that's been allowed into that castle and has a little torch and he can now look around and see what's going on and next to him he doesn't have a lot of tooling available to him there's not you know fancy horse that he came driving in for another bad analogy but um at this point there's some capability that exists to see what's going on on the inside yet

still confined to that very specific castle now bad analogies aside we can look at the very first thing we need to understand is the operating mode Frieda would be in and there's really two operating modes that's important the first being a server mode and the second being a gadget mode both of these modes expose a JavaScript API that you could use to interact with a mobile application at runtime and we're going to talk about a lot of runtime stuff now the server mode is applicable to retail and jailbroken devices so everything you're going to see today will work there in server mode but I'm currently making the claim that that's probably not the most maintainable way to go

forward so we'll focus on the gadget mode and how that works to understand gadget mode though the only thing that's really a requirement is the target app that you need to work with you need to be able to modify that application it's a lot easier in Android world where you can patch a little bit of the small e code or however the app is built and put together and at some entry points where logic would execute early load the gadget mode which comes in the form of a shared library and get your free to access into the app in the RS world it's a little bit more complicated but essentially you also need to get a

decrypted application and patch a gadget in and that's sort of the requirement to get started with this now I refer to a very scientific resource to try and figure out what people are using frida for now if you've heard of Google ponens before you can start typing stuff like I don't know why my and then read what the suggestions are and the similar methods are used here to go frida iOS and maybe see what people are trying to Google for for free to iOS similarly for Android what you should see though is SSL pinning bypasses jailbreak or route detection bypasses are really very common applications for frida itself now I believe that that should not be where it stops and I hope

to encourage you here that that would be the case but we could very quickly have a look at what these hypotheses really look like like fundamentally what does it mean when we say we perform an SSL pinning bypass now all of this code here is effectively what one of those hypotheses might look like obviously stripped out a whole bunch of stuff but what you need to see is there will be a class for example called pinning and there might be a method called check right now the part that's not commented out with the dot implementation property means with Freda we get access to that actual methods invocation in fact when we run a script like this we can see the

entry point and modify the entry of that method we can change the logic of the method and more importantly we can change the return value of that method that means in this applications normal operating mode as the app is running we can modify these parameters which includes the return value and make the application perform and behave in a different way in this case the signature for our method returns a boolean so maybe to bypass the pending check would be simply to return true meaning the check was successful it's a really major example other ones behave a little bit differently but that's you sort of give you the idea now I'm in no way discrediting that and I think it's super

useful to be able to do that stuff but I also think we can do a lot more with run some instrumentation in fact if we continue reading some more Freda docs or you wake up thinking what else could I do with this stuff you might learn about some more API store exposed to us in this case over here we're looking at just two lines of code that would be applicable to a Java Runtime on Android or an objective-c runtime on iOS and what we're really doing here is saying please instantiate in the case of the first line a fresh instance of the Java dot IO class right that means not one that already exists in the app one that

we have from the outside instantiate it I was really cool about that is we can now call methods on that class and we can start manipulating things using that Claus really what I'm saying is this is external code that got introduced not as intended by the application but by me to be able to do different things to this application at the bottom so at the top you initialize one at the bottom is really just allocation and initialization in objective-c so as the analogy goes I have a hammer and it's time to find that nail that I want to hit with this thing at this point while playing with the stuff I'm not really sure what that meant yet but I figured

that being able to do things different within the context of that app that could be quite a interesting thing to work with so for us where this actually started going a bit forward is an assessment comes along we don't have jailbroken or rooted device again a pretty boring scenario to be in but a very frustrating one and we've identified we needed access to a very specific database within an apps container I remember two apps don't necessarily freely talk to each other mobile operating systems because there a lot of effort to segregate those some apps from each other so I could install an app and pull stuff from another container you know a different approach is needed and this is where frida came

along in fact I hacked a bunch of shitty scripts together which actually eventually got a nice Python UI it took me longer to build the console stuff than actually writing most of these scripts but the bottom line was we had this freedom powered file manager available to us but we would connect to an application that we've patched we can start downloading files out of the container remember this is not a rooted device or anything this is just that application got modified and we're now able to you know execute this code cool now I don't trust the demo gods so I have recorded one but I want to show you what some of that stuff might look like now what

you'll see over here is a trusty old terminal on the left hand side was an objection session that's already been started and in the background here which I'm probably standing in front of is the YouTube application on an iPad and it's just streaming to my laptop during the screen recording now one bit to say extra on this when you on iOS flip between your applications the moment you sort of background it a picture would get taken and that will get used as the state that you would see in the app switcher right that picture actually lives inside the container of the application so we have this freed up our file manager we can actually browse

using a mostly familiar interface to the directory where these pictures might live and then you know have a look at those things in this case over here we go to the final directory and if we had to Alice here we would see some PNG files the extention wrapping there that we could download and we can have a look at what these pictures are that get saved now again like I've mentioned in its infancy objection was a file manager proud by Frieda so we would just go there and download the file but we can probably do some other cool things with this as well in fact what if we change this and say instead of downloading it

via the command line we start up an HTTP server that lets us browse that directory and see what those files look like in this case what you've seen here is an HTTP server getting started but I think what's not immediately of easier is that HTTP server starts as in the YouTube process on the actual iPad so if I open my browser and browse to the IP address and that port of the iPad not my laptop I can browse the contents of that directory that got served out of the apt container right so now I'm viewing these pictures those snapshots directly from the iPad not from my application the part that should really make your head

explode over here is I can tell you YouTube doesn't have an arbitrary HTTP server embedded as part of its normal production build but we've got an introduced this arbitrary logic which is quite cool in actually P server and extended it's for whatever we might want to use it for all right now please work thank you there at this point in time you know I think it was quite exciting and crazy for us because now we realize we can introduce uberta code so tools that we might be used to in a rooted environment could actually be ported to work within a contained environment right now you know we started writing some stuff the community contributed a

whole bunch of things and to take one example would be a keychain dumper in the rooted world we would read a sequel id be on iOS and simply pause the entries out of that but in a jailed world you know we can't just access that sequel IDB we need to access it from the context of the what the app is running us so just like a developer would write something to dump all the entries for its app group in iOS we could rise exactly the same thing wrap it up in the frida api and have a keychain dumper work for that application now if you're looking at an app and that apps context that's actually quite interesting because you

could see what's being done for that app you don't necessarily care what other applications as they are now hopefully the most technical slide you would see took me longer to find the picture than to actually build the rest but the process of building these tools all of that really means is we hinge off the JavaScript API that we have on the side and from Frida's perspective it has this concept of glue so you can call it that or bindings into your runtimes like objective-c and a runtime like Java or even a native runtime we can call code native code in that context wrapped in java scripts and interact with those api's as normal and really it I think that's a super

powerful technique to have but ok let's change gears a little bit and we could talk about application heaps now what I'm saying when we talk about a peeps is you might have an instance of Java that i/o file and you initialize that class or you could run the constructor or whatever your runtime is and an instance of that object lives on the heap somewhere right and depending on the runtime and what the rules for garbage collection could be methods would get called on that class values would get changed as necessary and in some form that controls some state right what we can do is actually enumerate those instances of those classes and work with them as they are right now so this is a

bit different from where we're saying there's a pelagic it runs and we change it no we're saying there's a live instance of that object and we want to modify properties or call methods on it not as the actual apps flow is calling methods now some classes it might be interesting to sort of get your ideas going you know it could be anything from classes at manage cryptography why would that be interesting well maybe there's some complicated logic that builds up a key for us and if we can read a value out of that class we can just copy the key out right we don't really care about how we got to that part maybe there are

classes that handle socket connections some form of configuration in the Android world it might be a class loader introducing even more logic into your application or really anything that manages States would be an interesting class for us to poke at and see where we're going effectively if we have these live classes means if we call a method on them arbitrarily not via the actual application or if we change values on those classes where ultimately altering the states of what that app looks like and behaves like and assumes it's the correct context right now from a freedom perspective there are too creamy complicated api's to use called Java duchies or Objective C virtues and the underlying implementations of these are

fascinating to read from a source code perspective but really calling that line we'd go and find you those instances of a type of selector or a class name that you want and you can start doing this type of magic on top of it but okay the theory is absolutely mind-numbing sometimes so let's look at what this might look like in action I'm going to start with this demo here and there's this not very popular app called tik-tok that i have running on the right hand side and i have my trusty old terminal on the left hand side right so we let that run in a little bit and we're going to start up objection and start playing

around with actual instances of classes now what I have to say I did reverse this app beforehand a little bit to ID which subclasses would be interesting right you would probably find you're in this sea of stuff to do and you need to do some work to find out what would ultimately be interesting in my case though there was a class called awwe video player controller objective-c class and that looked like the type of thing that's actually managing the video that's playing right now now what you can do in this case I'm running that the command you see there it's really just sugar over the objective-c Torchy's method but their output of that should be live instances of a w/e player

controller that are instantiated that are being used right now that we can start playing with the results or three of those of which we'll get the pointer to where it lives as well as a little bit of information about how many variables are in that class and how many methods are there and you can see 141 methods is quite a beefy class to work with cool now to get an idea of what the states of this class might be we might actually want to go and say show me the instance variables on that class right now an instance variable here you know it's property on a cloth could give us an idea of what the state

is right now some of those things are really simple values trues and falses and small bits but other ones are these handle ones that you would see over here that you can in turn also recursively try and enumerate ultimately doing some information gathering on the class now for me that absolutely sucked I don't want to do that very often so there's this extra flag that you could add onto the command called to utf-8 and that's going to try and actually print you a string representation of that class probably won't give you all the properties but give you a pretty good idea of what the values of them are so if we go ahead and run that now we could

see that some of these values are actually like URLs so current item is probably the tic-tock URL of where that video lives and yeah it gives us a pretty good idea of what's happening but it doesn't yet tell us is this actual class that we want to work with so probably the best way to know if I'm actually working with the right class running that video is to start running some methods on it now there are two maybe obvious methods for when it comes to a video player one being a play I'm jumping this ahead a little bit and another one being pause right and if we did a method list we can sort of see all

of the hundred forty one that we have which is a bit of a pain to go through but they are the play and pause methods so what we can go and do and make sure that we have the right instance is run that method on that specific instance I'm not saying run play on a instance of a wev video player no we specify the pointer of that instance and ask it to pause now as you can see that video is actually not paused so we definitely have the correct instance that we're working with here as you can imagine we can run the play Meister again and this dude continues jumping off that bridge all right now playing pause or simple

methods they don't take any arguments right it's just a sort of a gaiter stereo type thing but we can also call methods that do take arguments one could be save content URL string which if you know some objective-c takes one argument that argument though could be arbitrary it could be many things in this case it's a string which is simple to use but the cheers you know you can't really predict that all of these things might be ahead so what I went into it is implemented evaluate come on we should really just give you a small editor where you can run this arbitrary JavaScript over whoops over in that specific instance that because there's a super-bright you can

see there is a variable called PTR and that PTR is actually to that instance of that clause inside of this editor it's a bit tear up your head around but don't worry about it so in my editor the first thing I did was specify the URL this is a YouTube URL that I want to call once I have that URL set I'm just going to call set contains URL string it takes one argument denoted by an underscore so and then I'm gonna pass in that URL as the new content that I wanted to display cool now again if you've reversed this a little bit you would see we need to call another method called prepare to play or

what I would really do is just download this thing in the background and prepare it to play right and in case I forget I added a note there so I don't go a contra member what that does and then finally we I just print some console output just to make sure that that stuff actually worked because we hackers our error handling is great so print statement is how we debug cool so now we can see the moment we ran that I'm you'd exit the editor with escape and enter the screen is gone blank I paused the video but you would see the app is definitely still running the next thing that we probably wants to do with this

video is to play it right so now we can just go back and say execute on that instance the play method that we've just changed the stream URL for and watch our new education over here I leave it on a little bit cuz I know so most of you close this immediately all right but I think the key outcome from that is we found a class we've changed that state without interacting with the application and could you know make it do cool stuff that's just a video but again you could be cryptic classes that are more interesting to you we can get more interesting values obviously IRS is not the only platform that we can do this on this is possible

and Java based apps as well and one closet might be interesting to look at would be a next class loader or post class loader or whatever cluster is available for your application I did a similar thing as I just did with tik-tok to the YouTube app for Android and I said show me the instances of the next class loader that's our live right now what's quite cool about Java as many classes have this two string method I think it's amazing because I can just read that and don't code a lot of stuff to see things but one of the classes that YouTube app is loading is called apk you have to believe me that I did

not name it that they literally call it the apk now as you can imagine the apk seems like alright cool thankfully we've already built our super complicated file manager so because we could get the pause for where that lives we can download it and you can analyze it locally but it's all I should give you the idea that I'd run time things are interesting and you can change stuff get information if you actually statically analyze and analyze the YouTube app it's not immediately obvious that the apk is not actually the one you're working with now it's something that they're doing some weird stuff with which sort of leads us to this thing about we can actually use this stuff for

like malware analysis right what if you don't really know what this app is doing the reality is once an app is already running and things have been going along that'll be the final state that opposite but when you look at this from a static analysis perspective chances are good there's a whole bunch of obfuscation that's being applied or there's you know a bunch of things that ultimately try and hide what the true intents of that application is I searched for that photo for a very long time you don't really know what they really are up to and you want to try and figure out what that might be now I've mentioned you know they could

use some form of Packer or obfuscated in some way and make it difficult for you at a static analysis perspective to know what's really going on but Java has this really cool thing called reflection again the moment for that amazing picture where they could do some creative ways in which they could dynamically invoke methods again making it difficult for a static analysis process not impossible but making it difficult but at runtime getting the app logic in center what's really cool about this though is if they actually are using reflection using an invoke method we can hook that invoke method and see exactly what it is that's going on and again as an example runtime analysis actually

allowing this stuff to be a lot easier malware guy thinks he's hiding but will hook the same ways that they're using ok but this change over a little bit so what about like existing tools up until now we're saying you know we can hook stuff and we can see what's happening right now we've got control over the logic of some functions which we can change for example to bypass spinning or we can start building or tooling embed HTTP servers into apps maybe build keychain dampers all of these things but I think we're making ourselves look silly sometimes if we don't look at the existing tools that are already there especially the type of tools that

developers might want to use for them while they're writing apps you know they also need to debug not us as hackers so that stuff might already be super useful for us now some tools might come in the format of shared libraries and freida allows this complicated API called module load and what that actually does is do the hard work for you depending on what OS you're on what architecture in perform the correct calls to actually load the shared library you know it'll be different on Mac OS and Linux but in the end you'll have the shade library loaded and you can start calling the methods exposed by it similarly in the Java world you maybe

have an arbitrary jar you can also use a post-loss loader and finally actually load that class and call methods on top of it now two examples of tools that already exist that's pretty cool one of them is flex by the folks at Flipboard for iOS another one called stay so from Facebook it is being superseded by a project called flipper now which is like cool plus plus for stay though but in this case yeah I'll just show you those two and there's another extra one that will go with off to it so this look at a demo of what that might look like please work thank you okay the first example would be the IRS flex

app again trusty old terminal YouTube app on my iPad and will start an objection session but this time specifying a slash PFLAG to a plugins folder this plugins folder is nothing really other than just some convenience methods to run a frito script that contains a plug-in it exposes some extra commands now called plugin flex and then load to actually go and load that plug-in and what this would actually do is check is the dialog that contains the plug-in in this case Lib flex available on the iPads file system if it's not upload that and then once it's finished actually initialize it now what you should see is this little bar open up at the top that I've

just move down a little bit and that's flex itself they just got side loaded with freedom being running in the app already with the toolkit Raptor out you get the idea like there's a whole bunch of little of stuff that made this finally happen but yeah ok now you can start using flex itself browse classes browse the file system which is something that you might want to do and you should also check out its network Activity Monitor it's pretty amazing but yeah you know just like a developer would go and use this tools we can do it exactly the same way now at this point you might go ok that's cool you've added all this complexity when I

could have loaded flex exactly the same way you loaded Frieda so which I will admittedly agree however if you had to accidentally close flex then you probably need to restart the app and get that whole thing to go in this case with our plugin we can just load it again and flex is available to reuse as it is trust me the YouTube app does not come in beta to flex this is something that we've added arbitrarily cool so what about an Android case now here we again have an Android app just streaming to my computer trusty old terminal and at the bottom we have Chrome open but this time with the inspector and you can see I

have a super expensive Samsung device connected to it that I want to debug with now what I'm going to do is simply just start rate it up and use it as normal so I'll pop that open there connect the objection session to it again specifying the plugins that I want to learn we should see here that the state of plug-in specifically was being used now what I will do is browse to my favorite subreddit occasional purposes and try and learn something about what how to program better and finally when I'm bored of that I might go and say cool let's look at what this application looks like underneath you know and really it's a hard question

to answer why do I want to look at but you know you can sort of browse around and poke at things now from a runtime perspective you know static analysis tools can give you this but we can say hey which activities exist within this Android app an activity is something we're interested in out because we can orbit rarely start them if you had to go through this list you know one that might catch your eye is called data logging activity and I would immediately ask like what does it's a logging activity mean okay cool well let's start that activity again at run time yes you can do this stuff with ADB and a whole bunch of other tools

exist for it but it's convenient to do it from here where we could now once it's launched look at the Android app to see what that actually is I don't really want to say a whole bunch of stuff you're getting in trouble here but I have questions about a lot of the fields that are inside of this data logging activity I also don't know how to get to this activity legitimately like if there is a five button somewhere that you do to see what that looks like but okay now keep in mind a curiosity about what this data is I figured maybe I want to interact with the dates or a different way now remember the steps of plug-in

and I mentioned the beginning or we can go ahead and actually load that because tester provides the ability to interact with that data through Chrome so what you see here is the Java file gets uploaded I tries to search for it in a class loader finally when it finds it calls its initialization methods but now what you should see is the ridded app has popped up in the inspector and I can hit the inspect button which pops up in a new window for us to interact with the actual data in that container now again this is not to lie roads like this is a thing that developers can use today to help them debug stuff and we're simply

just using exactly the same stuff to see it what data is interesting for us now at the moment you're seeing the if that's not playing all the data that's statically there or we can look at the databases that exist one database of interest could be this pure EBV that has a logs table and this information looks very similar to that stuff we just saw on that data logging activity what's really cool about some stairs those we can actually run Ross Eagle queries on those databases and get sort of live output of what's in that table right now more importantly though what I hope your mind goes to is what if you're playing a game and they

say you have 100 coins currently and you connect that game to this and you now have a thousand coins or more right you can change state even from this perspective not just fancy heap interactions but maybe updating a value in a column now dev tools are cool and all but what our hacker tools does anyone use Metasploit before probably silly question yeah now in this case over here a terminal that's divided into two at the bottom I'm going to start up Metasploit really no fancy syntax exactly what you would expect and at the top I would start objection this is connected or this station is actually on my phone like not right now but I

recorded this demo running a latest iOS with the app that I've written but it's not a jailbroken phone as you can see there 13 2 3 being the latest version and the metal plugging available I first go and configure Metasploit to accept the connection for an interpreter I specify the 64-bit meterpreter reverse TCP it's a staged payload already set a low strand cool and then from an objection perspective with that ready I first go and load metal now remember the logic here is if the metal dollop doesn't exist I realized I should explain metal before we carry on with this has anyone heard of metal before no ok so metal is a project by rapid7

that's intended to be a low resource meterpreter written in native c right so not a thing that gets staged remotely by Metasploit so I mean that you could deploy an IOT device for example and connect back to Metasploit what's really cool is it has a the project you can download you literally go make target what your target is architecture wise and it would compile all of these shared libraries or dialogues for any architecture that you really want once that shared library we have available to us all of the logic that we've been using to load developer tools can be used to load a Metasploit session right so this case here I've gone and loaded metal and finally you know I would

encourage you there's a bit of a blog post about how actually managed to get that to run but the point is we end up getting this command where we can now connect that metal session back to an iPhone which is listening over there so I'll hit enter I get a shell it's not calc sheep or you don't believe me but it's a it's a real shell that came from it so from here onwards you know you could run something like this info you can see I have a meterpreter shell running on my iPhone now I don't have root yeah so you're not going to just do what you want if you were to explore the

post exploitation modules available for iPhones in Metasploit you're gonna see there's some old stuff to read images and read text reality is none of that stuff is going to work in this case right I'm running this in an app I'm constrained to that applications context of course at this stage if there's a sandbox escape you know that could be available to you if you know if you rate some of the Google project zero stuff that's come out you know maybe there are some attack avenues available to you but from a pejorative perspective you know we have a shell and we can use that in that context of that app we could also just like with objection manage or list

the file file system interact with it in this case I actually need to change the directory within the sandbox for this app so I would do that here and you should see that the dialog exists on that file system via meterpreter one attack that does work quite nicely with this set up as you can actually configure port forwards so if you do manage in some way to compromise the device and get this running imagine the case with the devices may be connected to a VPN you can connect back to it and maybe have access to that corporate network so you know let your imagination go wild I didn't tell you to do that you should follow parents advice and not go

to jail but okay cool the last sort of major topic I quickly want to go through I might run out of time a bit is to speak about integration options so so far you know we can build tools we can integrate sorry cabal tools we can instrument at runtime but what about actually making this part of a development pipe the more important part of why I was thinking about this is the apps that we would get to test at the end is that final build artifact that would end up on a target device right irrespective of what the price is at the end that thing that you have running there is the true form of what that

application is if you have some debug flags and stuff that's probably not included and it might make it difficult to test for that stuff but if we can test at run time the final artifact that gets deployed you know that might be a good place to be at now the building blocks with this mostly existed or Radia as well we have a mobile device it's got Frieda running on it via an application and there's this objection tooling that's already a Python environment and it took quite a long time so you can API going because it was just three lines of code to get app to work when I speak of an API it's really just a JSON serialized interface

that you can call with an HTTP client to run arbitrary frida scripts in fact as part of objection they're already a whole bunch of methods that you could call natively for example iOS binary info but you could also send this arbitrary frida scripts to also evaluate so if you have a special case of something you need to do run that script and get the output and make a decision from a testing perspective if it pauses or it does not so if we look at one more demo D I need a new laptop many folks probably heard of Jenkins before in this case I have a instance of Jenkins running that has a build an instrument

project and if we very quickly look at the configuration for this we'll see that all my project is really doing is building my application with when I get there building the app once that's done connect to a Mac that's running on a VM and run all the simulator commands to install the bolt app once the simulator is up and running I would start objection exposing the API right once I have the API ready I can finally do some testing and in my case I want to make sure that a whole bunch of binary protections are actually enabled too right at the end oh yes I know you could check this in the projects configuration but

we can confirm that that's truly the case once this apt finally running at the end that wishes a bunch of clean up stuff cause my harddrive Ernie has 20 Meg's of harddrive space at least that's what feels like sometimes and we can go ahead and build our project so let's speed this up a little bit but you should see that entire process completing and I want to emphasize the fact that this test although in a simulator is really the final build artifact that you have you know if you have edges opening for example enabled in some way you could probably instrument that and make sure is it really working when we strip this off to

a customer in this case here we see those call requests which finally goes through once the API is up in my case I care about two or three of these things that I wanted to test when that's done the build should be considered successful and you know whatever the next step in your pipeline is you can continue cool so to summarize I hope I remember this I think runtime analysis can be way more than just hooking things we don't have to just use it to bypass this opening or to bypass some route checks we can build new capabilities both in the form of tooling but also some arbitrary integrations that you might found useful I want to emphasize that we don't need

routine to the stuff if someone tells you that I don't have really to Kwan do anything for you that's absolutely a lie we can do stuff it might be limited in things that are confined to that sandbox for the app but you know we can continue on this Avenue and more importantly I think it's a more sustainable Avenue going forward not depending on what today's states of jailbreaking might be do we have one do you I have one don't we have one there my English is now finished cool and finally everyone can use this if you're interested source codes available on github there's charts about it I'm excited about this stuff thank you [Applause] I want to take a sip of water any

questions

sorry do I have it

right so question is can you use this to bypass the certificate pinning for the more recent versions of Android very good question because of the network security config stuff yes you can I think you need to remember that whatever the code flow is for that application to make decisions at runtime you can manipulate that now for me what I've noticed most commonly a pending check would be either a true and false being returned from a method which if you can in hook on that you can return that true in a false another implementation sometimes goes if the pending checks fails it actually throws an exception and in that case you simply don't run the logic that would

throw that exception you just return the method and the pen in check would bypass now that being said some of these implementations are in native code so it's not as simple as just doing the true and false you know you have to do a little bit of work to get to that point but we can relatively generically bypass that stuff but many of them does require some extra work to get posted cool anything else my favorite color is also blue