Por: Fábio Sartorato e Vinícius Henrique Marangoni
For the Portuguese version, click here.
The process of security assessment intends to find vulnerabilities in a software that would let an attacker perform operations that were not predicted by the programmer. Depending on the vulnerability the privacy of an end user may be completely compromised.
Finding these vulnerabilities can be hard. Reverse engineering may help understanding how a software works, but this task can also demand much more from the security analyst, as there are many ways a programmer can obfuscate a code. In a different approach, one can try to come up with hypotheses of vulnerabilities that could easily be tested if changing the original source code and recompiling it, which, many times, cannot be done due to signature checks.
These are the difficulties that encourage many researchers to develop tools to assist in these security assessment tasks. FRIDA, for instance, was born to make reverse engineering more productive and interactive.
In this post we will present Badada, a tool created to help in the process of security assessment of not only Android applications, but also its own framework code. As an initial post of this tool we will show its usage bypassing a security checking from a very simple application created for this purpose.
Frida
Frida (https://www.frida.re) is a toolkit to instrument code at runtime. This tool let you inject code into an application that is running in order to change its original behavior. Many security enthusiasts started to study this tool and use it while security assessing components. Frida's power is not limited to only instrumenting code, it may also enumerate all instantiated classes from a process, as well as methods from each class. Frida has many modes of operation that are detailed here. In this post we will talk about one of the 3 modes of operation: the one that uses frida-gadge.
To install Frida you can follow the guide in this link:
https://www.frida.re/docs/installation/
To install Frida you can follow the guide in this link:
https://www.frida.re/docs/installation/
Badada
Although Frida has all these features, we could not find, until now, an interface that offers all these resources to the end user in a simple manner. Due to this need we started developing an interactive client for Frida that we called Badada (https://github.com/badadaf/badada). This client communicates directly with frida-server using a Python module created by Frida's development team.
The requirements to use Badada are: Python 2.7, Frida and Android Debug Bridge (ADB). The official documentation of ADB can be found here.
Badada repository needs to be cloned by, e.g. the following command:
Now add Badada directory to your path. In order to do this in Linux lets edit the file found in ~/.bashrc with your favorite text editor, adding the following line:
Notice that what comes after "$PATH:" is exactly the path where Badada was cloned.
Finally load the modifications we did to .bashrc file by running the following command:
The requirements to use Badada are: Python 2.7, Frida and Android Debug Bridge (ADB). The official documentation of ADB can be found here.
Badada repository needs to be cloned by, e.g. the following command:
git clone https://github.com/badadaf/badada
Now add Badada directory to your path. In order to do this in Linux lets edit the file found in ~/.bashrc with your favorite text editor, adding the following line:
export PATH=$PATH:/home/username/Tools/badada
Notice that what comes after "$PATH:" is exactly the path where Badada was cloned.
Finally load the modifications we did to .bashrc file by running the following command:
source ~/.bashrc
OK. Badada is ready to run. Run the following command to test it:
badada --help
This command should return the help text about Badada.
Hands On
Now that we are all set with Badada, we will show some of its features and how this tool can make the process of analyzing Android a little bit easier. We created a simple application that shows an image if the user has permission to see it. Our aim is to bypass this check and see this picture without having official permission.
The apk of this app can be downloaded here and the source code is published on GitHub.
The apk of this app can be downloaded here and the source code is published on GitHub.
First things first. We need to install the application on our phone. After connecting it to an USB port, run the following command:
adb install BadadaPatos.apk
After the installation process is completed, the app should be available on Android launch screen with the name "BadadaPatos". When opened you will be able to see the following screen:
 |
| Image 1 - Main Activity |
The text asks if you like rubber ducks with a button that says "Click me". Try clicking it and you will see that you do not have permission to see the rubber duck, as shown below:
 |
| Image 2 - Permission not granted |
To understand what is happening when the button is clicked lets read the source code here.
The click triggers a permission check and, if the method hasPermission returns True, then the visibility of the duckView is set to Visible, as the code below:
In the original code the method hasPermission always returns false:
OK. So there is no way to see the rubber duck. =[
This is where Frida can help us. The bridge between client and application will be done using frida-gadget. This component is a dynamic library that is inserted on the entry point class constructor that we want to instrument and has the purpose of exposing an interface to the Frida client. This is an interesting option when you can't use frida-server. In cases you do not have access to a rooted device (this is the scenario proposed in this post), frida-gadget is the best option. The gadget can be inserted into the apk using the tool apkpatcher, that is published here.
The first thing to do after downloading apkpatcher is update the list of gadgets. The gadgets are associated with the current Frida version installed on the user computer. To update this list run the command:
This is where Frida can help us. The bridge between client and application will be done using frida-gadget. This component is a dynamic library that is inserted on the entry point class constructor that we want to instrument and has the purpose of exposing an interface to the Frida client. This is an interesting option when you can't use frida-server. In cases you do not have access to a rooted device (this is the scenario proposed in this post), frida-gadget is the best option. The gadget can be inserted into the apk using the tool apkpatcher, that is published here.
The first thing to do after downloading apkpatcher is update the list of gadgets. The gadgets are associated with the current Frida version installed on the user computer. To update this list run the command:
apkpatcher --update
The output should be as the image shows:
 |
| Image 3 - Updating apkpatcher |
To insert the gadget into our app, connect your smartphone into your computer with debugger mode turned on. With this, apkpatcher will retrieve the architecture of the device and then choose the correct gadget. To finally insert the gadget into the apk, run the command:
apkpatcher -a BadadaPatos.apk
The tool will extract the apk, insert frida-gadget and then remount the files of the new patched apk.
 |
| Image 4 - apkpatcher in action |
Now you can install the new patched app.
adb install BadadaPatos_patched.apk
Remember that apkpatcher re-signs the apk, so the signature of the patched apk will be different from the original one.
Now we can finally use Frida to instrument our application. When we run it, initially it will be paused, waiting connection to our client. When this connection is finished the execution flow will resume.
First, start BadadaPatos. If everything runs smoothly, a white screen will appear, as if the application has frozen. In fact this is frida-gadget waiting for our connection. Now lets connect to the application using Badada. Run the command below to start our client.
First, start BadadaPatos. If everything runs smoothly, a white screen will appear, as if the application has frozen. In fact this is frida-gadget waiting for our connection. Now lets connect to the application using Badada. Run the command below to start our client.
badada Gadget
This will connect Badada (that is running Frida's module) to the application that has the gadget.
 |
| Image 5 - Badada's initial screen |
If you want to list the available commands you can invoke help, as well as information of a specific command, for instance, help getclasses. Besides that, the interactive shell also offers system commands that can be run with an exclamation point in the beginning, for example !ls /tmp will list the contents of /tmp directory.
First, let's list all existing classes of our application to gain some kind of information about the running process To do this, first we need the name of the package of BadadaPatos. Using aapt to get this information is a way to find the name:
First, let's list all existing classes of our application to gain some kind of information about the running process To do this, first we need the name of the package of BadadaPatos. Using aapt to get this information is a way to find the name:
!aapt dump badging BadadaPatos.apk | grep package
This will run, through your Linux shell, the program aapt. In this case, we have that the name is com.badadaf.badadapatos.
 |
| Image 6 - Finding package name |
As said before, we can use the command getclasses to look though all classes in this package.
getclasses com.badadaf.badadapatos
 |
| Image 7 - Enumerating available classes |
We found there is a class named MainActivity. This should be an entry point, so it is a good idea to list its methods.
getmethods com.badadaf.badadapatos.MainActivity
 |
| Image 8 - Enumerating methods from class MainActivity |
Now we can see all methods from MainActivity class, with their return type and arguments. We can see a method called hasPermission() we talked about before. Remember it always returns False, so let's instrument it so it returns True.
To do so, we need to write a JavaScript code (we named ours hook.js):
To do so, we need to write a JavaScript code (we named ours hook.js):
And to load it, we just need to use the load command from Badada.
 |
| Image 9 - Loading script that instruments hasPermission() method |
Now that the script is loaded we can try to see the rubber duck picture again clicking on the same button as before.
 |
| Figura 10 - Verification bypassed |
AHA! Now that is a nice rubber duck!
https://www.frida.re/docs/hacking/
https://www.frida.re/docs/modes/
https://www.frida.re/docs/javascript-api/
https://www.frida.re/docs/presentations/osdc-2015-the-engineering-behind-the-reverse-engineering.pdf
https://www.youtube.com/watch?v=uc1mbN9EJKQ
https://en.wikipedia.org/wiki/Reverse_engineering#Reverse_engineering_of_software
https://en.wikipedia.org/wiki/Code_signing
https://github.com/badadaf/badada
https://developer.android.com/studio/command-line/adb.html?hl=pt-br
https://github.com/badadaf/BadadaPatos
https://github.com/badadaf/apkpatcher
References:
https://www.frida.re/docs/modes/
https://www.frida.re/docs/javascript-api/
https://www.frida.re/docs/presentations/osdc-2015-the-engineering-behind-the-reverse-engineering.pdf
https://www.youtube.com/watch?v=uc1mbN9EJKQ
https://en.wikipedia.org/wiki/Reverse_engineering#Reverse_engineering_of_software
https://en.wikipedia.org/wiki/Code_signing
https://github.com/badadaf/badada
https://developer.android.com/studio/command-line/adb.html?hl=pt-br
https://github.com/badadaf/BadadaPatos
https://github.com/badadaf/apkpatcher
