Android APK Reverse Engineering 2

An updated guide of reverse engineering and app modification using frida and objection

Tags: android, reverse-engineering, security, frida, nix, objection

What's Changed?

Since last year, a lot has changed, frida has updated and I’m now permanently running NixOS.

Frida now requires you to run your script through frida-compile before loading it with the frida-gadget, which as far as I can tell isn't documented anywhere obvious (and there is no error message or log to help you discover this!).

Tools

The tools I use haven’t changed from the last guide, but I don’t end up using all of them for this app.

Guide

Preparing the app (identical to last guide)

Using AntiSplit-M:

  1. Download and install AntiSplit-M from GitHub
  2. Click ‘Select from Installed Apps’
  3. Select the app from the list
  4. Save to default location (/sdcard)
  5. Connect device to adb
  6. Run:
    adb pull /sdcard/apkname_antisplit.apk

Direct from Android package manager:

  1. List packages:
    adb shell pm list packages
  2. Identify the package name
  3. Get path:
    adb shell pm path com.example.packagenamehere
  4. Pull APKs:
    adb pull (path)
  5. If split APK, merge with AntiSplit-M

Downloading from the internet:

  1. Search for the APK
  2. Choose reliable source (APKMirror, APKPure, F-Droid)
  3. Download APK/APKS/XAPK
  4. If split, merge with AntiSplit-M

Investigation / Research

For an easy demonstration, we will be attempting to locally change the role of our user to unlock premium features (remember to be ethical and only carry out research where you have permission to do so).

  1. Opening the app in jadx-gui
  2. Searching for relevant strings

If the app is unobfuscated, simple string searches may provide a lot of value as variable names will be readable. If not, it may be necessary to rely on behaviour analysis by tracing back the uses of printable strings.

Try searching for easy finds such as:

  • role
  • premium
  • subscriber
  • admin
  • permission
  • user
  • account

In this case, there were lots of useful results.

For Role, we have discovered an enum:

For account, we have discovered an interface and implementation:

We are going to target the isRoleOf method, as it will allow us to easily change the role of the user.

Using frida to patch the app

Now, we will need to create a frida script to hijack the method.

This script imports the frida-java-bridge so we can perform reflection, and then gets the service implementation and the Role enum.

  1. Writing the script

Tip: By pressing F or right clicking the method name and pressing Copy as frida snippet you can easily get a snippet

The method's implementation is replaced with one that always returns true when the queried role is SUBSCRIBER; for REGISTERED (and any other role) we fall through to the real method.

Note: you must now include the frida-java-bridge import explicitly; the bridge is no longer available as a global.

ourscript.js
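As an added example (not the post's own ourscript.js), here is a frida-compile agent that does what the step above describes: it overrides isRoleOf so a SUBSCRIBER check always passes and every other role still goes through the real method. The class name is a placeholder you replace with the implementation jadx showed you; it is assumed that isRoleOf takes the Role enum the post found, and that frida-compile bundles the require() call (the documented form is an ESM `import Java from 'frida-java-bridge'` at the top of the file; the runtime check is only there so the decision logic can be unit-tested under plain Node, where no Frida globals exist).

```javascript
// Added example, not the post's own script: a frida-compile agent that
// overrides AccountService.isRoleOf(Role) so SUBSCRIBER checks always pass
// and every other role is still answered by the real method.
//
// Assumptions: TARGET_CLASS is a placeholder (use the class name from jadx,
// e.g. via "Copy as frida snippet"); Role is the enum found in the post,
// with SUBSCRIBER and REGISTERED members.
const TARGET_CLASS = 'com.example.app.AccountServiceImpl'; // placeholder, not from the post
const FORCED_ROLE = 'SUBSCRIBER';

// Pure decision logic, kept separate so it can be tested outside Frida.
// realCheck is a thunk: the original Java method is only invoked when needed.
function decideRole(roleName, realCheck) {
  if (roleName === FORCED_ROLE) {
    return true;
  }
  return realCheck();
}

// Builds the replacement for isRoleOf(Role). Inside a frida-java-bridge
// implementation, `this` is the Java instance, and this.isRoleOf(role)
// reaches the original method rather than the replacement.
function makeIsRoleOf() {
  return function (role) {
    // role is a wrapped Java enum constant; name() yields e.g. "SUBSCRIBER"
    return decideRole(role.name(), () => this.isRoleOf(role));
  };
}

// Installs the hook. Java is the object exported by frida-java-bridge.
function installHook(Java, className) {
  Java.perform(() => {
    const Service = Java.use(className);
    // If isRoleOf is overloaded, select the variant first, e.g.
    // Service.isRoleOf.overload('com.example.app.Role').implementation = ...
    Service.isRoleOf.implementation = makeIsRoleOf();
    console.log(`[+] isRoleOf hooked on ${className}`);
  });
}

// Frida defines a global `Process`; plain Node does not. The bridge is only
// loaded inside Frida, so the functions above remain testable under Node.
if (typeof Process !== 'undefined') {
  const bridge = require('frida-java-bridge');
  const Java = bridge.default ?? bridge; // default export under ESM, module itself under CJS
  installHook(Java, TARGET_CLASS);
}
```

Compile it with frida-compile as in the next step; the gadget then loads the resulting _agent.js and the console.log line shows up in logcat when the hook is installed.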
  2. Setting up frida-compile / frida agent

Now we must set up frida-compile so the gadget will be able to execute our script.

  3. Compile our script

We compile our script into _agent.js, stripping source maps (-S) and compressing the output (-c).

  4. Create gadget config
frida-gadget.config
  5. Patch apk with objection

Ensure the target device is connected so objection can detect the target architecture, or specify it with -a.

  6. Install app to device