[A]ndroid [A]pplication [P]entest [G]uide
  • AAPG
  • 1. MANUAL STATIC ANALYSIS
    • 1.1 Decompile APK
    • 1.2 Check certificate
    • 1.3 Analyze AndroidManifest.xml
    • 1.4 Source Code Analysis
  • 2. AUTOMATED STATIC ANALYSIS
  • 3. MANUAL DYNAMIC ANALYSIS
    • 3.1 Install application & use it
    • 3.2 Bypass detections
    • 3.3 Analyze local storage
    • 3.4 Attack surface
      • 3.4.1 Activities
      • 3.4.2 ContentProvider
      • 3.4.3 Services
    • 3.5 Log analysis
    • 3.6 More HOW and WHAT! (still work in progress)
  • 4. APK TAMPERING
    • 4.1 DIY - Simple Reverse Meterpreter (Non-Xamarin)
    • 4.2 Quick Proof-of-Concept (Meterpreter)
Powered by GitBook
On this page
  • 3.2.1 SSL PINNING
  • 3.2.2 ROOT DETECTION
  • 3.2.3 EMULATOR DETECTION
  • Identify any detection
  • Know your own environmental values
  • INFO
  • THINGS TO REPORT
  • MORE DETAILS

Was this helpful?

  1. 3. MANUAL DYNAMIC ANALYSIS

3.2 Bypass detections

3.2.1 SSL PINNING

TBD soon

3.2.2 ROOT DETECTION

TBD soon

3.2.3 EMULATOR DETECTION

Identify any detection

grep -Ei "isEmulator" -Ei "root" -Ei "carrierNameFromTelephonyManager" -Ei "smellsLikeAnEmulator" -Ei "SystemProperties" -R . 
grep -Ei "build.fingerprint" -Ei "build.hardware" -Ei "product.kernel" -Ei "product.brand" -Ei "product.name" -Ei "product.model" -Ei "product.manufacturer" -Ei "product.device" -Ei "Emulator" -Ei "qemu.hw.mainkeys" -Ei "bootloader" -Ei "bootmode" -Ei "secure" -Ei "build.version.sdk" -R .
grep -Ei "generic" -Ei "unknown" -Ei "google_sdk" -Ei "Android SDK built for x86" -Ei "Genymotion" -Ei "google_sdk" -Ei "goldfish" -R .

A lot of applications try detecting an emulator by querying known system values.

Know your own environmental values

adb shell getprop ro.product.name
adb shell getprop ro.product.device
adb shell getprop ro.product.model
adb shell getprop ro.kernel.qemu
adb shell getprop ro.hardware
adb shell getprop qemu.hw.mainkeys
adb shell getprop ro.bootloader
adb shell getprop ro.bootmode
adb shell getprop ro.secure
adb shell getprop ro.build.fingerprint
adb shell getprop ro.build.version.sdk

In order to bypass it:

  1. Know your values (have a look above)

  2. Modify the code accordingly, so YOUR device's values pass the validation

  3. Recompile project

  4. Sign apk

  5. Install and give it a try

Recompile:

apktool b ./modified_app_project_dir

Sign apk (key-creation + signing):

 keytool -genkey -v -keystore my-release-key.keystore -alias myalias  -keyalg RSA -keysize 2048 -validity 10000
/home/<user>/Android/Sdk/build-tools/<27.0.3_OR_CHECK_YOUR_USED_VERSION>/apksigner sign --ks my-release-key.keystore ./modified_app_project_dir/dist/modified_app.apk

Install apk:

adb install /path/to/modified_app.apk

INFO

  • No 100% success guaranteed

    • There might be fancy solutions out there (appreciate any input here)

    • If it is heavily obfuscated -> good luck with that

    • Emulator detection usually comes w/ root detection as well (give it a try, before you cry)

  • The grep commands above do search for known method-names or values which might get executed/checked on app-startup

THINGS TO REPORT

If bypassing the emulator detection by simple code-tampering is possible!

MORE DETAILS

  • Bypassing Android Emulator Part I

  • Bypassing Android Emulator Part II

  • Bypassing Android Emulator Part III

Previous3.1 Install application & use itNext3.3 Analyze local storage

Last updated 5 years ago

Was this helpful?