MobSF: Root Detection & Certificate Pinning Bypass

From Embedded Lab Vienna for IoT & Security
Revision as of 16:11, 23 September 2024 by NKirnbauer (talk | contribs) (expired link changed with link from wayback machine)

Summary

This documentation provides step-by-step instructions for setting up and using MobSF (Mobile Security Framework) for dynamic analysis on Kali Linux. It covers the setup process, bypassing root detection using default and custom scripts, and bypassing SSL pinning. Detailed commands and screenshots are included to ensure successful implementation.

Requirements

  • Operating System: Kali Linux
  • Installed Android Studio (Guide)
  • Android Studio emulator with a non-production Android image (Guide)
  • Installed Apps on the emulator device

Setup

Use the following commands in the terminal:

Install Git

sudo apt-get install git

Install Python 3.8

sudo apt-get install python3.8

Install the latest version of JDK

Oracle Downloads

Install the required dependencies

sudo apt install python3-dev python3-venv python3-pip build-essential libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg62-turbo-dev zlib1g-dev wkhtmltopdf

Clone the MobSF repository

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git

Change working directory to MobSF

cd Mobile-Security-Framework-MobSF/

Setup MobSF

./setup.sh

Run MobSF

./run.sh 127.0.0.1:8000

Access the MobSF web interface at the following URL: http://127.0.0.1:8000

Root Detection Bypass using MobSF

Root Detection Bypass using Default Scripts

Follow the steps exactly in the shown order!

1. Start your emulator

emulator -avd Pixel_6_Pro_API_28 -writable-system -no-snapshot

2. Wait for the successful boot of the device

The error "Unable to connect to adb daemon on port:5037" has no impact on a successful boot.

3. Start MobSF

./run.sh 127.0.0.1:8000

4. Wait for MobSF to boot successfully. The CLI should look like this:

[Screenshot: Mobsf sucessfulboot.png]

5. Open MobSF in the Browser (http://127.0.0.1:8000/)

6. Click on Dynamic Analyzer -> Android Dynamic Analyzer -> select the app you want to test -> click on "Start Dynamic Analysis"

7. The CLI output of MobSF should look like this:

[Screenshot: Mobsf dynamicanalysis start.png]

8. Now select "Root Detection Bypass" under the Default heading

9. Press Spawn & Inject, wait for the application to start up, and leave it open as it is

At this point root detection still works, so you should see a notification: MobSF first spawns the app and only then injects the script. You therefore need to restart the application as shown in step 10.

10. As the application is still open, press "StartActivity" to start the application with the root detection bypass

If you followed the steps in this order, you have successfully bypassed root detection and your MobSF CLI should look like this:

[Screenshot: Mobsf successful rootbypass.png]

Root Detection Bypass using Custom Scripts

Follow the steps exactly in the shown order!

1. Start your emulator

emulator -avd Pixel_6_Pro_API_28 -writable-system -no-snapshot

2. Wait for the successful boot of the device

The error "Unable to connect to adb daemon on port:5037" has no impact on a successful boot.

3. Start MobSF

./run.sh 127.0.0.1:8000

4. Open MobSF in the browser (http://127.0.0.1:8000/)

5. Click on Dynamic Analyzer -> Android Dynamic Analyzer -> select the app you want to test -> click on "Start Dynamic Analysis"

6. Now copy and paste the fridaantiroot script into the window on the right in MobSF (the script window)

7. Press Spawn & Inject, wait for the application to start up, and leave it open as it is

At this point root detection still works, so you should see a notification: MobSF first spawns the app and only then injects the script. You therefore need to restart the application as shown in step 8.

8. As the application is still open, press "StartActivity" to start the application with the root detection bypass

SSL Pinning Bypass using MobSF

1. Start emulator

emulator -avd Pixel_6_Pro_API_28 -writable-system -no-snapshot

2. Start MobSF

./run.sh 127.0.0.1:8000

3. Start dynamic analysis of your app: select your app and press "Start Dynamic Analysis"

4. Choose Configurations

  • Select SSL Pinning Bypass
  • Check if Root CA is installed
  • Check if HTTP(S) Proxy is set

[Screenshot: Mobsf dynamicanalysis config1.png]

5. Spawn & Inject

6. Test the app and perform your activities

7. Press "Generate Report"; creating the report can take a while.

[Screenshot: Mobsf dynamicanalysis generatereport.png]

8. You can then view the logs

[Screenshot: Mobsf dynamicanalysis logs.png]

  • Start HTTPTools: Launches a tool to analyze HTTP(S) traffic between the mobile application and the server.
  • Frida Logs: Displays logs generated by Frida, a dynamic instrumentation toolkit used for runtime manipulation of applications.
  • HTTP(S) Traffic: Shows the captured HTTP and HTTPS traffic logs.
  • Logcat Logs: Provides logs from Logcat, a system-wide logging utility for Android.
  • Dumpsys Logs: Displays logs generated by the dumpsys tool, which provides detailed information about the system and application state.
  • Application Data: Downloads the application's data stored on the device.
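
The "wait for the successful boot of the device" step and the "Check if HTTP(S) Proxy is set" item can also be verified from the terminal before pressing Spawn & Inject. The following script is an added example, not part of the original guide or of MobSF; the file name preflight.sh is hypothetical, the sample values are constructed, and adb is assumed to be on the PATH for the live run.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the MobSF dynamic-analysis steps.
# Parsing is kept apart from the adb calls so it can be tried offline.

# $1 = output of `adb shell getprop sys.boot_completed`; "1" means booted.
boot_completed() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# $1 = output of `adb shell settings get global http_proxy`.
# Android reports "null" (never set) or ":0" (cleared) when no proxy is active.
proxy_is_set() {
  _v=$(printf '%s' "$1" | tr -d '[:space:]')
  case "$_v" in ''|null|:0) return 1 ;; esac
  _host=${_v%:*}; _port=${_v##*:}
  # Require a non-empty host and a colon separator.
  [ -n "$_host" ] && [ "$_host" != "$_v" ] || return 1
  case "$_port" in ''|*[!0-9]*) return 1 ;; esac
  [ "$_port" -ge 1 ] && [ "$_port" -le 65535 ]
}

# Live run against the emulator (hypothetical file name): ./preflight.sh --live
live_check() {
  adb wait-for-device
  until boot_completed "$(adb shell getprop sys.boot_completed)"; do
    sleep 2
  done
  echo "emulator booted"
  if proxy_is_set "$(adb shell settings get global http_proxy)"; then
    echo "global HTTP(S) proxy is set"
  else
    echo "no global proxy set: app traffic will not reach the MobSF proxy" >&2
    return 1
  fi
}

if [ "${1:-}" = "--live" ]; then
  live_check
else
  # Constructed sample values, not captured from a real device.
  for sample in "10.0.2.2:1337" "null" ":0" "10.0.2.2"; do
    if proxy_is_set "$sample"; then echo "$sample -> set"
    else echo "$sample -> not set"; fi
  done
fi
```

Without arguments the script only classifies the constructed samples; with --live it blocks until the emulator reports a completed boot and then checks the device's global proxy setting.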

HTTPTools

In HTTPTools you can analyze HTTP(S) traffic. You also have the option to replay your captured traffic to a fuzzer (Burp Suite).

[Screenshot: Mobsf dynamicanalysis httptools.png]
