MobSF: Root Detection & Certificate Pinning Bypass
Summary
This documentation provides step-by-step instructions for setting up and using MobSF (Mobile Security Framework) for dynamic analysis on Kali Linux. It covers the setup process, bypassing root detection using default and custom scripts, and bypassing SSL pinning. Detailed commands and screenshots are included to ensure successful implementation.
Requirements
- Operating System: Kali Linux
- Installed Android Studio (Guide)
- Android Studio emulator with a non-production Android image (Guide)
- Apps to be tested installed on the emulator device
Setup
Use the following commands in the terminal:
Install Git
sudo apt-get install git
Install Python 3.8
sudo apt-get install python3.8
Install the latest version of JDK
Install the required dependencies
sudo apt install python3-dev python3-venv python3-pip build-essential libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg62-turbo-dev zlib1g-dev wkhtmltopdf
Clone the MobSF repository
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
Change working directory to MobSF
cd Mobile-Security-Framework-MobSF/
Setup MobSF
./setup.sh
Run MobSF
./run.sh 127.0.0.1:8000
Access the MobSF web interface at http://127.0.0.1:8000
Root Detection Bypass using MobSF
Root Detection Bypass using Default Scripts
Follow the steps exactly in the shown order!
1. Start your emulator
emulator -avd Pixel_6_Pro_API_28 -writable-system -no-snapshot
2. Wait for the device to boot successfully
The error "Unable to connect to adb daemon on port:5037" does not affect the boot.
3. Start MobSF
./run.sh 127.0.0.1:8000
4. Wait for MobSF to finish starting; the CLI should look like this
5. Open MobSF in the Browser (http://127.0.0.1:8000/)
6. Click on Dynamic Analyzer -> Android Dynamic Analyzer -> select the app you want to test -> click on "Start Dynamic Analysis"
7. The CLI output of MobSF should look like this
8. Now select "Root Detection Bypass" under the "Default" headline
9. Press "Spawn & Inject", wait for the application to start up, and leave it open as it is
At this point root detection still works, so you should see a notification: MobSF first spawns the application and only then injects the script, so you need to restart the application as shown in step 10.
10. With the application still open, press "StartActivity" to start the application with the root detection bypass active
If you followed the steps in this order, your MobSF CLI should look like this, as you have successfully bypassed root detection.
Root Detection Bypass using Custom Scripts
Follow the steps exactly in the shown order!
1. Start your emulator
emulator -avd Pixel_6_Pro_API_28 -writable-system -no-snapshot
2. Wait for the device to boot successfully
The error "Unable to connect to adb daemon on port:5037" does not affect the boot.
3. Start MobSF
./run.sh 127.0.0.1:8000
4. Open MobSF in Browser (http://127.0.0.1:8000/)
5. Click on Dynamic Analyzer -> Android Dynamic Analyzer -> select the app you want to test -> click on "Start Dynamic Analysis"
6. Now copy and paste the fridaantiroot script into the script window on the right-hand side of MobSF
7. Press "Spawn & Inject", wait for the application to start up, and leave it open as it is
At this point root detection still works, so you should see a notification: MobSF first spawns the application and only then injects the script, so you need to restart the application as shown in step 8.
8. With the application still open, press "StartActivity" to start the application with the root detection bypass active
SSL Pinning Bypass using MobSF
1. Start emulator
emulator -avd Pixel_6_Pro_API_28 -writable-system -no-snapshot
2. Start MobSF
./run.sh 127.0.0.1:8000
3. Start dynamic analysis of your app: select your app and press "Start Dynamic Analysis"
4. Choose the configuration
- Select SSL Pinning Bypass
- Check if Root CA is installed
- Check if HTTP(S) Proxy is set
5. Spawn & Inject
6. Test the app and perform your activities
7. Press "Generate Report"; report creation can take a while.
8. You are then able to view the logs:
- Start HTTPTools: Launches tool to analyze HTTP(S) traffic between the mobile application and the server.
- Frida Logs: Displays logs generated by Frida, a dynamic instrumentation toolkit used for runtime manipulation of applications.
- HTTP(S) Traffic: Shows the captured HTTP and HTTPS traffic logs.
- Logcat Logs: Provides logs from Logcat, a system-wide logging utility for Android.
- Dumpsys Logs: Displays logs generated by the dumpsys tool, which provides detailed information about the system and application state.
- Application Data: Downloads the application's data stored on the device.
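The two checks in step 4 ("Root CA installed" and "HTTP(S) proxy set") are easy to forget and, when missed, the captured HTTP(S) traffic stays empty or the app fails its TLS handshake. The script below is an added example, not part of MobSF or of this guide, that verifies both settings on the running emulator over adb and confirms that MobSF answers on the address used throughout this guide. The proxy and CA checks are written as functions that take command output as arguments, so they can be exercised without a device. The certificate filename is a placeholder: Android names system CAs after the subject hash of the certificate, which you can compute with openssl from the MobSF CA file you installed.

```shell
#!/usr/bin/env sh
# Added example (not MobSF project code): pre-flight checks for the
# "Choose the configuration" step of the SSL pinning bypass walkthrough.
set -u

MOBSF_URL="http://127.0.0.1:8000"   # address used in this guide
# PLACEHOLDER: replace with the subject hash of the installed MobSF CA, e.g.
#   openssl x509 -inform PEM -subject_hash_old -in <mobsf-ca.pem> | head -1
MOBSF_CA_FILE="${MOBSF_CA_FILE:-PLACEHOLDER_HASH.0}"

# Return 0 when the output of `adb shell settings get global http_proxy`
# names a host:port proxy. Android reports "null" or ":0" when none is set.
proxy_is_set() {
  case "$1" in
    ""|null|:0) return 1 ;;
    *:[0-9]*)   return 0 ;;
    *)          return 1 ;;
  esac
}

# Return 0 when a listing of the system CA store (one filename per line,
# as printed by `adb shell ls /system/etc/security/cacerts`) contains the
# expected <subject_hash>.0 file.
root_ca_installed() {
  printf '%s\n' "$1" | grep -qxF "$2"
}

# Return 0 when the MobSF web interface answers on the given base URL.
mobsf_is_up() {
  curl -fsS --max-time 3 -o /dev/null "$1/"
}

# Query the emulator and MobSF and print one line per check.
main() {
  command -v adb >/dev/null 2>&1 || { echo "adb not found in PATH"; return 2; }

  proxy=$(adb shell settings get global http_proxy | tr -d '\r')
  if proxy_is_set "$proxy"; then
    echo "OK      HTTP(S) proxy is set: $proxy"
  else
    echo "MISSING HTTP(S) proxy (got '$proxy'); set it in Android settings"
  fi

  listing=$(adb shell ls /system/etc/security/cacerts | tr -d '\r')
  if root_ca_installed "$listing" "$MOBSF_CA_FILE"; then
    echo "OK      root CA $MOBSF_CA_FILE present in system store"
  else
    echo "MISSING root CA $MOBSF_CA_FILE not in /system/etc/security/cacerts"
  fi

  if mobsf_is_up "$MOBSF_URL"; then
    echo "OK      MobSF reachable at $MOBSF_URL"
  else
    echo "MISSING MobSF not reachable at $MOBSF_URL (run ./run.sh 127.0.0.1:8000)"
  fi
}

# Only talk to the device when explicitly asked, so the functions can be
# sourced or tested without an emulator: RUN_CHECKS=1 sh preflight.sh
if [ "${RUN_CHECKS:-0}" = "1" ]; then
  main
fi
```

Run it with `RUN_CHECKS=1 MOBSF_CA_FILE=<hash>.0 sh preflight.sh` while the emulator from step 1 is booted with `-writable-system`; that flag is what allows the CA to live in the system store in the first place. A CA that was only added to the user store will not appear in the listing checked here, and apps targeting recent Android versions do not trust user-store CAs by default, which is why the check looks at the system directory.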
HTTPTools
In HTTPTools you can analyze the captured HTTP(S) traffic. You also have the option to replay your captured traffic to a fuzzer (Burp Suite).