Hooking in Android
We are going to use Frida to bypass root detection and SSL pinning in Android.
First run the application as-is to check whether it detects root and whether it uses SSL pinning to prevent MITM interception of its HTTPS traffic.
To run Frida, we need two things:
1. frida-server running on the rooted device
2. The Frida client on the machine, ready to connect to that server
Here I have used the Frida app from the Play Store to host my frida-server. The Magisk built-in module can also be used, or the server binary can be pushed and started manually.
Make sure the Frida server and client are on the same version (ideally the latest) before starting; if the major versions differ, the client refuses to talk to the server.
Use an anti-root-detection script. Here I am using a script I wrote that bypasses most of the root detection techniques seen to date.
To list the applications running on the Android device, run frida-ps -Ua (-U selects the USB device, -a lists only running applications; the Identifier column gives the package name).
Once we have the package name, run the Frida client to inject the bypass script into the target process. This is known as hooking:
frida -U -f <package-name> -l <script.js>
Note that -f spawns the application rather than attaching to an already running process, so the hooks are installed before the app's own initialization code runs its checks.
I have written a single script that bypasses root detection and SSL pinning at the same time, and will be using that here.
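As an added example of what such a combined script looks like (my own illustration, not the author's script), the Frida script below hooks the Java APIs that most root checks and pinning implementations go through: java.io.File.exists, Runtime.exec, android.os.Build.TAGS, javax.net.ssl.SSLContext.init and OkHttp's CertificatePinner.check. The list of root-indicator paths, the TrustAll class name and the file name bypass.js are assumptions of this example; the decision helpers are kept separate from the hooks so they can be tested outside Frida.

```javascript
// Added example (not the original author's script): Frida hooks for Android
// root detection and certificate pinning. Run with:
//   frida -U -f <package-name> -l bypass.js
// The path list and the TrustAll class name are this example's own choices.

// Paths that root-detection code typically probes with File.exists() (assumed list).
const ROOT_INDICATOR_PATHS = [
  '/system/bin/su', '/system/xbin/su', '/sbin/su', '/su/bin/su',
  '/system/app/Superuser.apk', '/system/app/SuperSU.apk',
  '/data/adb/magisk', '/system/xbin/busybox',
];

// Pure helpers: no Frida APIs, so the decision logic can be unit-tested on its own.
function isRootIndicatorPath(path) {
  return ROOT_INDICATOR_PATHS.includes(path) || path.endsWith('/su');
}

function isRootCommand(cmd) {
  // Covers exec("su"), exec("which su") and exec(["/system/xbin/su", "-c", "id"]).
  const argv = typeof cmd === 'string' ? cmd.trim().split(/\s+/) : Array.from(cmd);
  return argv.some((a) => a === 'su' || a.endsWith('/su'));
}

function installRootBypass() {
  const File = Java.use('java.io.File');
  File.exists.implementation = function () {
    if (isRootIndicatorPath(this.getAbsolutePath())) return false;
    return this.exists();
  };

  // Root checks that shell out to "su" expect an IOException on a clean device.
  const Runtime = Java.use('java.lang.Runtime');
  const IOException = Java.use('java.io.IOException');
  Runtime.exec.overload('java.lang.String').implementation = function (cmd) {
    if (isRootCommand(cmd)) throw IOException.$new('Cannot run program "su"');
    return this.exec(cmd);
  };
  Runtime.exec.overload('[Ljava.lang.String;').implementation = function (argv) {
    if (isRootCommand(argv)) throw IOException.$new('Cannot run program "su"');
    return this.exec(argv);
  };

  // Build.TAGS == "test-keys" is another common indicator; report a production build.
  Java.use('android.os.Build').TAGS.value = 'release-keys';
}

function installPinningBypass() {
  const X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
  const SSLContext = Java.use('javax.net.ssl.SSLContext');

  // A TrustManager that accepts every chain (class name is hypothetical).
  const TrustAll = Java.registerClass({
    name: 'com.example.TrustAll',
    implements: [X509TrustManager],
    methods: {
      checkClientTrusted(chain, authType) {},
      checkServerTrusted(chain, authType) {},
      getAcceptedIssuers() { return []; },
    },
  });

  // Any SSLContext the app builds gets our TrustManager instead of its pinned one.
  SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;',
    'java.security.SecureRandom').implementation = function (km, tm, sr) {
    this.init(km, [TrustAll.$new()], sr);
  };

  // OkHttp's CertificatePinner.check() throws on a pin mismatch; make it a no-op.
  try {
    const CertificatePinner = Java.use('okhttp3.CertificatePinner');
    CertificatePinner.check.overload('java.lang.String', 'java.util.List')
      .implementation = function () {};
  } catch (e) {
    console.log('[-] okhttp3.CertificatePinner not loaded, skipping');
  }
}

// Only run the hooks inside Frida, where the Java bridge exists.
if (typeof Java !== 'undefined') {
  Java.perform(() => {
    installRootBypass();
    installPinningBypass();
    console.log('[*] root-detection and SSL-pinning hooks installed');
  });
}
```

These are Java-level hooks only: root checks or pinning done in native (JNI) code are not affected and need a native hook or Magisk's own root hiding. For the pinning half to be useful, the device's proxy still has to point at Burp; the script only stops the app from rejecting Burp's certificate.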
After running the script, the root detection is bypassed: the application reports that the device is not rooted, despite running on a rooted device.
Instead of struggling to write code for every new detection, Magisk has come up with Zygisk, which runs Magisk inside the Zygote process and can hide root from selected apps; it can be used alongside Frida to run such apps on rooted devices.
The same can be done for SSL pinning, to capture HTTPS traffic in Burp Suite even when the application has mechanisms to prevent it.
Plain HTTP traffic is captured without any bypass.
Running the same script, we see the certificate pinning implemented in the application bypassed as well, and the HTTPS requests appear in Burp.
This is how hooking can be used to bypass a few checks and get past an application's basic security measures.