The Security Assessment process aims to find vulnerabilities in software that allow an attacker to carry out operations that were not foreseen by the programmer. Depending on the vulnerability, the user's privacy can be completely compromised.
The search for vulnerabilities can be very complex. Software reverse engineering can help the security analyst to understand how a piece of software works in order to find bugs, but this task can be made more difficult when the programmer has executed a code obfuscator. Other times it is necessary to start from hypotheses to try to find a flaw, and these hypotheses can only be tested by changing part of the original code and recompiling the software, which is often not possible, as is the case with applications that undergo signature checking.
It is these difficulties that have encouraged many people to develop tools to help with this type of task. Frida, for example, was born with the aim of making the task of reverse engineering more productive and interactive.
The aim of this post is to present Badada, a tool created to help with the Security Assessmentprocess, bothin applications and in the Android framework itself. As this is an initial post about Badada, we'll exemplify its use by circumventing an existing security check in a simple application.
Frida(https://www.frida.re) is a toolkit for dynamic code instrumentation. This tool allows you to inject code into applications that are already running in order to modify their original behavior. With this in mind, a number of security enthusiasts have begun to study this tool and use it in security assessments in search of bugs. Frida's power is not only limited to instrumenting methods, but it is also possible to enumerate all the instantiated classes of a process, as well as each method present in each class. Frida has several modes of operation which are described in detail here. In this article we'll talk about 1 of the 3 modes of operation using frida-gadget.
The Frida installation process is described in the following link:
https://www.frida.re/docs/installation/
Although Frida offers all these features, we couldn't find an interface that made these resources easily available to the end user. With this in mind, we started developing an interactive client for Frida that we call Badada(https://github.com/badadaf/badada). It communicates directly with the frida-server using the Python module made by the Frida development team.
The only prerequisites for Badada to work are: Python 2.7, Frida and Android Debug Bridge (ADB). The official ADB documentation can be found at the following link:
https://developer.android.com/studio/command-line/adb.html?hl=pt-br
To install Badada, we first need to clone the repository. To do this, run the command below:
git clone https://github.com/badadaf/badada
Now all you have to do is put the Badada directory in your path. To do this on Linux, let's edit the file located at ~/.bashrc with your favorite text editor so that it contains the following line:
export PATH=$PATH:/home/username/Tools/badada
Note that what comes after "$PATH:" is the directory where Badada was cloned.
Finally, to load the changes made to .bashrc, just run the following command:
source ~/.bashrc
You should now be able to run Badada in your terminal. To test, type:
badada -help
This command should return a help text about Badada.
Below we'll show you some of Badada's features and how this tool can make the task of analyzing Android applications a little easier. To do this, we have developed a simple application. Our aim is to bypass a security check carried out by the application in order to gain access to an originally unauthorized feature.
The application apk used in this post can be downloaded here and its source is available at https://github.com/badadaf/BadadaPatos.
After downloading the apk, the first step is to install it on our Android device. To do this, run the following command:
adb install BadadaPatos.apk
After installation, the application should be available in the Android menu under the name "BadadaPatos". When you open the application, you will be presented with a screen. It displays a message that says "Do you like rubber duckies?" and a button that says "Click Here". When you click on the button, you are presented with the message "You are not allowed to see the rubber duck!"
To understand what's going on, let's look at the application's source code(https://github.com/badadaf/BadadaPatos/blob/master/app/src/main/java/com/badadaf/badadapatos/MainActivity.java#L24)
When you click on the button, a permission check is carried out and, if the "hasPermission" method returns the value "True", the visibility of the duckView is set to "Visible".
In the original code, the "hasPermission" method always returns false.
This way, if we don't change something in the original code, we'll never be able to see the duckView. This is where Frida will help us. The bridge between the client and the application will be made using the frida-gadget. The frida-gadget is a dynamic library that is inserted into the constructor of the entrypoint class of the application we want to instrument, and its purpose is to expose an interface to a Frida client. It's an interesting alternative when you can't use frida-server. In cases where you don't have root access to the device (which is the scenario proposed in this post), frida-gadget is our best option. You can find more information about how Frida works at this link. This gadget can be inserted using the apkpatcher tool, which is available at https://github.com/badadaf/apkpatcher.
The first step after downloading apkpatcher is to update the list of gadgets. The gadgets will be downloaded according to the version of Frida installed on your computer. To update the list of gadgets, run the following command:
apkpatcher -update
Now, to insert the gadget into our application, connect your smartphone to your computer with USB debugging mode active. This way, apkpatcher will be able to recognize the architecture of the smartphone so that it can select the correct gadget. After connecting the smartphone, run the following command:
apkpatcher -a BadadaPatos.apk
apkpatcher will extract the apk, insert the frida-gadget and "repackage" the files into a new apk.
To install the application, run the command below:
adb install BadadaPatos_patched.apk
Remember that if you run the apkpatcher on an application that has been distributed by another publisher, the apk signature will be different from the original.
Our application is now ready to be instrumented with Frida and installed on our smartphone. When it runs, it will initially be "paused" waiting for a client connection. When the client connects, the application will continue running as normal.
Now we're going to start the instrumentation with Frida, and to do this we're going to use Badada to help with some tasks. First, let's start the BadadaPatos application installed on our smartphone. If all goes well, you'll see a white screen, as if the application was "stuck". This is actually the frida-gadget waiting for us to connect. Now let's connect to the application using Badada. To do this, run the following command:
badada Gadget
This will make Badada (using the Frida module) connect to the application that has the gadget.
If you want to list which commands are available, you can use the help command, as well as information on a specific command, for example help getclasses. The interactive shell also provides system commands. To execute them, put an exclamation mark at the beginning of the command, e.g. !ls /tmp will list the contents of the /tmp directory.
First, let's list the existing classes in our application to start getting information about the process. To do this, let's first find out the name of the BadadaPatos package using the command below.
!aapt dump badging BadadaPatos.apk | grep package
This will run the aapt program through your Linux shell and return the package name of BadadaPatos.apk. In our case, com.badadaf.badadapatos.
We can use Badada'sgetclassescommand to search for the classes that exist in this package.
getclasses com.badadaf.badadapatos
Let's now list the existing methods in the com.badadaf.badadapatos.MainActivityclass .
getmethods com.badadaf.badadapatos.MainActivity
As you can see, the hasPermission() method has been listed. Originally, this method always returned False. Our goal is to rewrite the implementation of this method so that it returns True. To do this, we'll open a new tab in the terminal and write a script, which we'll call hook.js, which will be responsible for rewriting the hasPermission method and making it return True.
To load the script, we'll use the load hook.js command.
Now that the script has been loaded, let's go back to the application and click on the button again. If all goes well, the image of a duckling should be displayed.
AHA! What a nice rubber ducky!
https://www.frida.re/docs/hacking/
https://www.frida.re/docs/modes/
https://www.frida.re/docs/presentations/osdc-2015-the-engineering-behind-the-reverse-engineering.pdfhttps://www.youtube.com/watch?v=uc1mbN9EJKQ
https://en.wikipedia.org/wiki/Reverse_engineering#Reverse_engineering_of_software
https://en.wikipedia.org/wiki/Code_signing
https://github.com/badadaf/badada
https://developer.android.com/studio/command-line/adb.html?hl=pt-br
https://github.com/badadaf/BadadaPatos
https://github.com/badadaf/apkpatcher