[APP Crawler-Packet Capture] Cleverly use tools and techniques to bypass Android APP packet capture protection

[Author's homepage]: Wu Qiulin
[Author introduction]: A high-quality creator in the Python field, an Alibaba Cloud blog expert and a Huawei Cloud sharing expert, long committed to research and development in the Python and crawler fields.
[Recommended by the author]: Friends interested in JS reverse engineering can follow "Crawler JS Reverse Practice"; friends interested in distributed crawler platforms can follow "Distributed Crawler Platform Construction and Development Practice". Series articles on verification code penetration, APP reverse engineering, the Python field and more will be continuously updated in the future.

1. Foreword

Android APP packet capture is a must-have skill for security, crawler, testing and other personnel. The protection methods used by Android applications on the market are becoming more and more complete, and the packet capture step alone often stops many people in their tracks.

Insert image description here

As shown in the picture above, the following content introduces the various APP protection bypass techniques, together with a series of practical tools and methods, following the structure of that overview.

2. Proxy detection bypass

In APP packet capture, proxy detection is a security mechanism that checks whether the application is making its network requests through a proxy server, in order to prevent malicious or unauthorized users from obtaining application data with packet capture tools.

2.1. Postern

1. First install the Postern global proxy tool, open it and click Configure proxy:

Insert image description here

2. Save the configuration information after modifying it:

Insert image description here

3. Modify the configuration rules and save:

Insert image description here

4. Finally, use BurpSuite or Charles to capture APP application data packets. You can refer to my previous article: Using Python to crawl Kuaishou videos and comments (App and Web-side analysis)

2.2. Drony

1. Open Drony and swipe right to reach the Settings interface:

Insert image description here

2. Click on the wifi below:

Insert image description here

3. Select the Wi-Fi network that your packet capture tool is on. Since I am using an emulator here, there is only this one:

Insert image description here

4. Configure the following items in order. The IP and port here are the LAN IP of the PC running the packet capture tool and the port the tool listens on. I am using Fiddler here, and the port is 8889:

Insert image description here

5. Then scroll down, set Filter default value to Allow all, and click Rules:

Insert image description here

6. Configure a filtering rule and click the plus sign on the right to create a new one:

Insert image description here

7. Select Local proxy chain for Action, then select the target app for Application. The prerequisite is that the target app is installed in the virtual machine, opens normally and can request data. Finally, remember to save:

Insert image description here

8. The configuration is now complete. Go all the way back to Settings, slide left to LOG, click OFF at the bottom and change it to ON. You can now start capturing packets:

Insert image description here

2.3. ProxyDroid

1. Using ProxyDroid, the operation is similar to Postern:

Insert image description here

2.4. HttpCanary

1. Open HttpCanary, click Settings to select the application to capture packets:

Insert image description here

Insert image description here

2. Find the application you want to capture. First run the target software, then run HttpCanary and click the lower right corner to start capturing packets:

Insert image description here

3. Modify the packet through static injection:

Insert image description here

3. Client certificate binding bypass

In APP packet capture, the purpose of client certificate binding (certificate pinning) is to ensure that the communication between the application and the server is encrypted and bidirectionally authenticated. This mechanism uses certificates to verify the identity of the application and the server to each other and to secure data in transit.

3.1. JustTrustMe

1. Find JustTrustMe in the Xposed/EdXposed module and check it, then restart to take effect:

Insert image description here

2. Click JustTrustMe to set the scope:

Insert image description here

3. Select the application to capture packets in the scope:

Insert image description here

3.2. JustTrustMePlus

1. Find JustTrustMePlus in the Xposed/EdXposed module and check it, then restart to take effect:

Insert image description here

2. Click JustTrustMePlus to select and open:

Insert image description here

3. Select the application you want to hook:

Insert image description here

3.3. JustTrustMe++

1. Find JustTrustMe++ in the Xposed/EdXposed module and check it, then restart to take effect:

Insert image description here

2. Click JustTrustMe++ to set the scope:

Insert image description here

3. Select the application to capture packets in the scope:

Insert image description here

3.4. Frida script

1. Use the open source ssl-sslping script:

Insert image description here

2. Run frida_server on the test device:

Insert image description here

3. Use the ssl-sslping script to hook the test application:

Insert image description here

You can also analyze the apk yourself and write a script to bypass the detection.

3.5. Objection

1. Run frida_server on the test device:

Insert image description here

2. Start Objection:

Insert image description here

3. Use the command to inject into the application:

Insert image description here

4. Bidirectional certificate binding bypass

Two-way certificate binding (also known as client certificate binding) is a security mechanism that ensures the connection established between an application and the server is secure and trusted. With two-way certificate binding, not only does the server verify the client's identity, but the client also verifies the server's identity. This mechanism guards against malicious users, man-in-the-middle attacks and data tampering.

4.1. Bypassing the client

1. To bypass on the client side, use the steps above to bypass certificate binding.

4.2. Bypassing the server

1. Unzip the apk and look through the installation package for files with suffixes such as .p12, .cer, .crt, .pfx, PKCS12 and keyStore:

Insert image description here

2. Drag the application into jadx to decompile it, then globally search for keywords such as .p12, .cer, .crt, .pfx, PKCS12 and keyStore:

Insert image description here

3. Go to the code location to view the details (certificate installation password, other passwords, etc.). You can see that, in this local test, installing the pfx certificate requires a password:

Insert image description here

4. Once you have the key, the rest is easy. Merge the crt certificate and the key file into a ".p12" certificate file. When merging, remember to encrypt the certificate (that is, set a certificate password); Burp Suite cannot import a p12 file without a password.
Merge certificate command: openssl pkcs12 -export -inkey client.key -in client.crt -out client.p12

Insert image description here

5. Finally, import the certificate into Burp Suite:

Insert image description here

6. The certificate is now imported successfully and can be enabled:

Insert image description here
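The steps above work because the client certificate, its key container and the password are all shipped inside the APK. As an added example (not code from the article), here is a Python release-time check that flags the same artifacts those steps look for: archive entries with certificate or keystore suffixes, and keyword hits inside classes*.dex, which is a cheap stand-in for the jadx global search. The sample APK is constructed in memory; the suffix and keyword lists are assumptions based on the article's list.

```python
import io
import re
import zipfile

# Suffixes the article searches for (section 4.2), split by what they usually hold.
PRIVATE_KEY_SUFFIXES = (".p12", ".pfx", ".jks", ".bks", ".keystore")  # key containers
CERT_SUFFIXES = (".cer", ".crt", ".pem", ".der")                       # usually public certs
# String constants that betray keystore loading code (assumed list, not exhaustive).
DEX_KEYWORDS = (b"PKCS12", b"KeyStore", b".pfx", b".p12", b"BEGIN PRIVATE KEY")


def scan_apk_for_key_material(apk_bytes: bytes) -> dict:
    """Report bundled key material in an APK given as raw bytes.

    private_key_files: entries that look like key containers (the real risk);
    certificate_files: entries that look like certificates (pinning material, usually fine);
    dex_keyword_hits:  counts of DEX_KEYWORDS found in the raw bytes of classes*.dex.
    A dex string table keeps ASCII constants intact, so a byte search is enough here.
    """
    report = {"private_key_files": [], "certificate_files": [], "dex_keyword_hits": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            lower = name.lower()
            if lower.endswith(PRIVATE_KEY_SUFFIXES):
                report["private_key_files"].append(name)
            elif lower.endswith(CERT_SUFFIXES):
                report["certificate_files"].append(name)
            if re.fullmatch(r"classes\d*\.dex", name):
                data = apk.read(name)
                for kw in DEX_KEYWORDS:
                    hits = data.count(kw)
                    if hits:
                        key = kw.decode()
                        report["dex_keyword_hits"][key] = report["dex_keyword_hits"].get(key, 0) + hits
    return report


def build_sample_apk(with_key_material: bool = True) -> bytes:
    """Constructed sample: a minimal zip shaped like an APK (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        if with_key_material:
            z.writestr("assets/client.pfx", b"\x30\x82 constructed, not a real PKCS#12 blob")
            z.writestr("classes.dex", b'dex\n035\x00 KeyStore.getInstance("PKCS12") assets/client.pfx')
            z.writestr("res/raw/server.crt", b"-----BEGIN CERTIFICATE-----\nconstructed\n")
        else:
            z.writestr("classes.dex", b"dex\n035\x00 nothing interesting here")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_apk_for_key_material(build_sample_apk()))
```

A non-empty private_key_files list, or keyword hits next to a hard-coded password, is the signal that the "server-side" bypass in this section will work against the build.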

5. Root detection bypass

Root detection in an APP determines whether the user's device has been rooted (or jailbroken, for iOS devices). When an application detects that the device is rooted or jailbroken, it may take measures such as refusing to run, restricting functions or tightening its security policy, to prevent application data from being tampered with or stolen.

5.1. Magisk

1. Use Magisk to bypass root detection: open Magisk, then open Magisk Hide, and click Settings:

Insert image description here

2. Turn on hide root:

Insert image description here

3. Then select the application whose root detection you want to block:

Insert image description here

5.2. Frida

1. Reverse analyze the APP to find the root detection method and then bypass it: decompile the client, analyze it and locate the root detection method:

Insert image description here

2. Hook the root detection method and change its return value to false:

Java.perform(function () {
    // Class and method names are the ones used in the article's test application.
    var PostLogin = Java.use("com.android.insecurebank2.PostLogin");
    // Replace the root check so it always reports that no su binary exists.
    PostLogin.doesSUexist.implementation = function () {
        console.log("\n Inside the ShowRootStatus function");
        return false;
    };
    console.log("\n root detection bypassed");
});

3. Use frida to inject the script:

Insert image description here

5.3. Objection

1. Run Frida on the test device:

Insert image description here

2. Start Objection:

Insert image description here

3. Use the command to block root detection:

Insert image description here

5.4. Non-Root detection

1. When none of the above methods can bypass it, you can test in a non-root environment. The hooking problem can then be solved with other tools.

Insert image description here

6. Frida detection bypass

6.1. Use frida to inject in advance

1. For simple client-side anti-injection, you can use frida -U -f appname --no-pause to inject before the app starts and bypass it:

Insert image description here

6.2. Use a modified Frida

1. Use Strong Frida for injection. This version of Frida has modified most of Frida's characteristic values and can bypass some anti-Frida injection detection: StrongFrida

2. Then upload it to the Android system and run it:

Insert image description here

3. Then inject the target:

Insert image description here

6.3. Magisk + Riru + riru-gadget injection

1. Install the Magisk + Riru + riru-gadget module to inject the Frida gadget. Module installation address: Riru-FridaGadget

Insert image description here

2. How to use:

Insert image description here

6.4. Virtualapp for injection

1. Install the VirtualApp I rewrote, which automatically injects the Frida gadget in a non-root environment and can inject into some hardened applications. When using it, first add the application that needs to be injected:

Insert image description here

2. Then run the application and attach to the gadget in the target application with frida -U gadget:

Insert image description here

7. Framework packet capture

7.1. Flutter

1. Applications built on the Flutter framework cannot be proxied through the system's proxy function, so ProxyDroid is needed for a global traffic proxy:

Insert image description here

2. Use Frida to bypass Flutter certificate verification by injecting the Frida script from SDIC UBS with the command:
frida -U -f package name/application name -l andriod-flutter-ssl-ad.js --no-pause
The script is as follows:

Insert image description here

8. Hook the packet-sending function

1. Reverse analyze the APP, find the application's packet-sending function, hook it to Burp (toBurp) and then modify the traffic there. You need to be proficient with xserver or the HTTP Decrypt tool.
HTTP Decrypt provides the Find Hooks module, which quickly finds the encryption and decryption algorithms used by the APP without reversing or unpacking. The toBurp module lets you call the APP's own encryption and decryption directly, without writing the code yourself. For whole-POST encryption, automatic encryption and decryption functions are provided, enabling one-stop automatic encryption and decryption in Burp, Burp Scanner and Intruder.

Insert image description here

Case: a bank app developed with Alibaba's Weex framework could not have its data packets intercepted through a proxy by any of the methods above. In this case, you can analyze the application's packet-sending function, hook it and forward the traffic to Burp for modification:

Insert image description here

Finally, I share a universal and ultimate method: analyze it yourself, research it yourself, and hook it yourself.

Origin blog.csdn.net/qiulin_wu/article/details/135382303