Removing anti emulator detection - General Questions and Answers

How can I get around apps that crash when using emulators?
How much of a task would it be to patch the apk or is there something simpler I could do?

Look inside here:
Defeating Android Emulator Detection - Virtue Security
At some point while performing vulnerability assessments on android applications you will encounter apps that don’t want to be run within an emulator. We can’t blame application owners for wanting to ensure that the user interaction they see comes from genuine devices, but it doesn’t help us do...
www.virtuesecurity.com

Related

Android as an OS for non-phone devices

Hello,
First off, apologies if I have posted this in the incorrect forum.
The company I work for is looking to update one of its product lines and has been toying with the idea of using Android as a development platform. Up until now the philosophy has always been to develop simple, bespoke embedded software that provides only the functionality that is needed at the time. The device itself will be a medical device, and as such will have no telephony requirements (and associated things like contacts, calendar and the large majority of the pre-installed Android apps).
I have read, and understand, that it is possible to re-compile Android from source and remove all of this non-required functionality. My question is really whether that is worth doing, i.e. stripping out all un-needed applications that get built into a stock ROM. Or would it be more efficient to use some form of OTS embedded Linux platform?
Something in Android 4.0 that does seem to be useful is the support for Bluetooth HDP.
Kind Regards,
Simon
Well there are other devices that aren't phones that use Android. Take the motoactv for example. It's a fitness watch that runs a stripped version of Android, but it's still Android and applications can still be programmed and installed to it.

XPrivacy port for WP7?

When are we getting an XPrivacy port or equivalent? I thought the homebrew scene would have been the first to make something like this, considering how far HaRET and Root Tools went as far as accessing functionality.
We only know how to do a handful of those things right now. The same hacks that Heathcliff74 used for Root Tools policy editing could be used for other policy editing, such as removing specific permissions from apps, but you'd have to either reverse engineer the policy database yourself or get him to write the tool or document the reverse engineering he did. For homebrew apps, permissions could be edited out of the manifest pre-installation - I seriously considered coding this into my XapHandler app - but decided the likelihood of crashes made it not worthwhile.
Unfortunately, that approach would likely just cause a lot of apps to crash. To instead actually modify the way the apps work (i.e. hook their call to the location services and return a bogus address) should be possible with enough work - a normal app couldn't do it because the .NET runtime on the phones doesn't allow modifying system functionality that way, but a custom ROM or high-privilege app could work around that - but it would not be easy.
I suspect the true answer is that nobody has bothered yet.
The simple genius in achieving privacy through data spoofing is something I was mulling a way back, long before the recent scandals. My method, of course, extended way beyond the device and could render all digital information useless, technically speaking. I'm gonna nominate this app for one of these awards that keep popping up, even if I'm not using Android.

Is there any way to simulate touch input on a virtual android device?

I currently have some virtual android devices running with NOX emulator. Every 4 hours, I need to start up the devices and click a button to earn in-game rewards. I would like this to be scalable so that I can spin up as many bots as I need to run and have them just go one after another.
The systems set up by NOX are rooted and from what I've read, there is a way to simulate touch input on rooted devices. If someone could provide a basic example/tutorial on how to do this, that would be excellent. I'm thinking that I'll get this running (hopefully with some sort of command line tool) and then I can schedule something with cron or whatever tools Windows has.
My other option for this is to figure out what is being sent to their API server and see if I can somehow replicate the API call being made when collecting coins. Please let me know if there are any tools that can monitor the HTTP requests sent out by android devices.

Android Security Testing

Dear Folks,
I am trying to pentest my Android device in order to dive into the depths of the operating system and analyze services. This is to make sure whether there is any malicious app having access to the microphone, camera and other services in my phone. Do you know what the best way to do that is? Can anyone show me an exact guide to it? Or does anyone know other methods to detect malicious apps in Android?
Look inside here:
A detection method for android application security based on TF-IDF and machine learning
Android is the most widely used mobile operating system (OS). A large number of third-party Android application (app) markets have emerged. The absence of third-party market regulation has prompted research institutions to propose different malware detection techniques. However, due to...
journals.plos.org

How to Watch HTTPS Traffic from Android: Emulator vs phone? Charles vs mitmproxy?

What is the best way to watch HTTPS traffic from apps now? I will collect what I have found so far, but I'm hoping someone more knowledgeable will add some points. Feel free to correct or point out other ways of accomplishing this. It feels like regardless of the options, the root of the problem is how to get around certificate pinning.
Emulator vs Phone
This is the first question and probably the most dependent on what you want to achieve. Working on a real device gives more space between your device and the proxy, which makes things easier. The extra space is costly in other ways. For example, I would prefer to have a single instance running on the computer to collect information; using a phone is easier but has the physical requirement of a device connected to the network.
Phone
Physical separation allows for clearer testing. Fully functional device means your input and output work as expected.
Emulator - Waydroid
An emulator running on the same computer causes more complicated networking to ensure you don't block your own traffic. Troubleshooting is trickier as it's more difficult to easily access parts of the emulator that a phone makes easy to access. For example, I spent much more time than I would have ever expected moving a VPN configuration file from my computer to the virtual machine emulator. Adding the same configuration to the phone was a simple QR code scan.
Emulator running in a virtual machine allows for a future use case of running the whole thing in the cloud without a physical device.
Proxies
As far as I know, the only way to capture the HTTPS traffic is to use a proxy. This is in the form of an application running on a separate (virtual or physical as mentioned above) device. The hardest part here is the Certificate Authority which signs the HTTPS traffic when it leaves the app. More sophisticated apps, to prevent fraud, do a variety of actions to prevent the user or 3rd parties from capturing the data in each HTTPS request.
mitmproxy
open source, link
I tried this first as it comes with a Python library which would make capturing data for later analysis much easier. Mitmproxy has a few different modes, and ultimately I found that `mitmproxy --mode wireguard`, which runs via VPN, captured a good amount of traffic, but still had target SDK traffic unable to be opened. Mitmproxy has a built-in tool to help with installing the certificate in Android as a user certificate. This will capture some HTTPS traffic, but for some apps and many SDKs this does not capture their traffic. Traffic can be captured in several ways: CLI tool for analysis of live traffic in memory, CLI dump to file, and in-memory live in the browser of your choice.
Charles Proxy
free for 30 days, shareware, link
I first used Charles nearly 10 years ago, and it doesn't feel like it's changed much, but it is actively maintained. When I first started using Charles it was a breeze to use; the CA was less of a problem. But as Android changed it also now has the problem of the CA needing to be installed, and it helps the user by providing its own signed certificate which can be installed as a user certificate. Charles is a standalone program that you run, and as such it does have a fair amount of issues on my Linux environment related to its display sizes.
Burp Suite - Community Edition
paid/free, link
Community edition that is free to use. Runs in the browser and comes with its own CA tool.
Android Certificate Authority
These are the certificates used to sign HTTPS traffic to keep it secure. In Android there are three levels: User, System (root) and App Pinned Certificates. In Android settings you can add a CA which will be considered "user". Apps can choose whether to ignore this certificate. System CAs can only be set by a root user. While a user can install user CAs, apps do not have to use these. CAs can be set by users as root certificates. I believe this must be set regardless of device or VM. The majority of the certificates provided by the proxies don't seem to open a lot of HTTPS traffic. This is likely because Android N (API level 24) certificate pinning was introduced in 2016 and at this point most SDKs and Apps use this for transferring traffic.
JustTrustMe
open source, link
This is installed on a device or emulator. An Xposed addon that can be installed to force apps to use root authorities and prevent them from pinning their own CA.
apk-mitm
open source, link
This can be installed in a separate Linux environment and is used to modify an app's APK before it is installed into a VM emulator or phone. It attempts to get around the app's certificate pinning by patching the APK to disable certificate pinning.
This is just my notes on what I'm looking into. I figured I'd post here to see if anyone has some advice or pointers. Please feel free to correct / add to this! Meanwhile I'll also keep my notes here if it helps anyone.
To anyone later who is interested in this topic, I was able to finally get a working solution using Magisk + LSPosed and two certificate modules which unpinned certificates and set my user certificate to system. I wrote my detailed steps here if anyone needs the help.
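For anyone building or reviewing an app rather than proxying someone else's, the "user vs system CA" and "app pinned certificate" levels described in this thread are all controlled by one file, the Android Network Security Config. The file below is an added example, not from the original thread or any of the tools it names; the domain and the two pin values are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml with
     android:networkSecurityConfig="@xml/network_security_config" on <application>. -->
<network-security-config>
    <!-- Release behaviour: trust only the system store. This has been the default for
         apps targeting API 24+, which is why a user-installed proxy CA alone no longer
         opens most app traffic. The weak variant is adding <certificates src="user" />
         here, which makes every build trust any CA installed through Settings. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Debug builds only (android:debuggable="true"): additionally trust user CAs so a
         tester's mitmproxy/Charles/Burp certificate works without touching the APK.
         This section is ignored in release builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

    <!-- Pinning for the app's own backend (assumed domain). Each pin is the base64 SHA-256
         of the certificate's SubjectPublicKeyInfo; the values below are placeholders.
         Ship a backup pin for key rotation, and set an expiration so a stale pin set
         fails open to normal CA validation instead of locking users out. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-12-31">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

Pinning is a client-side hardening measure only: as the last reply shows, a rooted device with a hooking framework can still override trust at runtime, so the server must not treat a pinned client as proof that requests are genuine.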
