Many years ago I was performing a security assessment on an Android application that had SSL pinning enabled. If you don’t already know, SSL pinning essentially allows an application to only trust valid certificates. If you want to learn more about SSL pinning, you can check out my previous blog entry. In that blog entry, I describe how SSL pinning can be bypassed using Frida. However, using Frida in the way that I described in that blog entry requires a rooted device, and this application had root detection enabled. There are ways to bypass root detection with Frida as well, but I wanted to figure out a way to bypass SSL pinning with a non-rooted device. I ended up figuring out a way to do it using a tool called Objection, but I ran into several roadblocks that I had to troubleshoot along the way.
Installing Objection
During my research attempting to find a way to bypass SSL pinning without a rooted device, I came across a tool called Objection. Objection is a runtime mobile exploitation toolkit powered by Frida, so it can do a lot of the things that are often done with Frida. However, Objection has an additional feature that allows you to patch the application binary with the Frida gadget without having to install and run the Frida server on the mobile device. This means that root is not necessary, which means this is exactly what I needed to accomplish my goal!
There is plenty of documentation on the Objection wiki about patching an APK and bypassing SSL pinning, so I began to follow those instructions. More detailed documentation can be found on the wiki, but to briefly summarize the process:
1. Install Objection, including all dependencies (https://github.com/sensepost/objection/wiki/Patching-Android-Applications#patching---dependencies)
   - Run `pip3 install objection` in a terminal
2. Connect the Android device to your computer via USB and allow ADB access to the device
   - You can also use an emulator if you do not have a physical device. I have another blog post about setting up an emulator here
3. After the device is connected and authorized (this is required so that Objection can determine the proper architecture that should be used), run `objection patchapk -s <target.apk>` in a terminal
This step is where my problems began to arise…
Troubleshooting
I made it to step 3 of the instructions that I summarized above before I started getting errors. When Objection tried to rebuild the APK, I was presented with a wall of scary red error messages (shown in the screenshot below), and those error messages suggested that Apktool might be the source of the problem.

Apktool is a tool that is used for reverse engineering and rebuilding Android applications, and Objection uses this tool to handle the process of repacking the APK. Naturally, I googled these error messages, but I didn’t have much luck figuring out what the problem was. However, I eventually looked at the version of Apktool that was installed on my system, and that was when I noticed that the installed version was listed as 2.3.4-dirty. After even more searching to figure out what “dirty” meant, I eventually found a comment from iBotPeaches, who is the developer for Apktool, that shed some light on the issue. According to a comment that I found, “dirty means the application was built without git support, so it couldn’t pull snapshot information.” For some reason the version of Apktool that was available from the Ubuntu repository was a dirty build, so I removed that build (apt-get remove apktool) and installed the latest build by following the official installation instructions (https://apktool.org/docs/install/).
After installing the new version of Apktool, I attempted to complete step 3 again…
This time I did not get the massive wall of errors that I was seeing previously, but I did still get a couple of error messages that mentioned No resource identifier found.

After googling this error message, I found a message board post on GitHub that talked about the exact same error that I was seeing (https://github.com/iBotPeaches/Apktool/issues/1842). This post gave a solution that reportedly solved the issue for multiple people. The solution was to run apktool empty-framework-dir --force, which empties out the framework files that are included with Apktool. Initially, I thought I would have to edit the Objection source code or something more complex in order to implement this solution during the execution of the Objection command. Fortunately, I realized with some trial and error that I could just run apktool empty-framework-dir --force once before running the Objection command, and that would actually fix my issue. I could then use Objection as many times as I would like, and I would no longer get those No resource identifier found errors.
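The two Apktool problems described above, along with the device authorization requirement, can be checked before patching. The script below is an added example, not part of the original post or of the Objection project; the function names are hypothetical, and the commands are the ones used in this post.

```shell
#!/bin/sh
# Added example: pre-flight checks before `objection patchapk`.
# Function names are hypothetical; the commands are the ones used in this post.

# 0 = clean release build, 1 = "-dirty" build, 2 = no version reported.
apktool_build_is_clean() {
    case "$1" in
        "")       return 2 ;;
        *-dirty*) return 1 ;;
        *)        return 0 ;;
    esac
}

# Reads `adb devices` output on stdin and prints the state of the first
# listed device ("device" means authorized), or "none" if nothing is attached.
adb_first_device_state() {
    awk 'seen && NF >= 2 { print $2; found = 1; exit }
         /^List of devices attached/ { seen = 1 }
         END { if (!found) print "none" }'
}

preflight_patchapk() {
    apk="$1"
    [ -f "$apk" ] || { echo "APK not found: $apk" >&2; return 1; }

    version="$(apktool --version 2>/dev/null | head -n 1)"
    if ! apktool_build_is_clean "$version"; then
        echo "Apktool '$version' is missing or a -dirty build" >&2
        return 1
    fi

    state="$(adb devices | adb_first_device_state)"
    if [ "$state" != "device" ]; then
        echo "No authorized device (adb state: $state)" >&2
        return 1
    fi

    # Run once to clear stale framework files; this is the fix for the
    # "No resource identifier found" errors.
    apktool empty-framework-dir --force || return 1
    objection patchapk -s "$apk"
}
```

Source the file and call `preflight_patchapk <target.apk>`; it stops with a message at the first failed check instead of leaving you to read Apktool's rebuild errors.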
Finally Moving on to Step 4
After spending several hours of research and trial and error, step 3 of the original process was finally complete, and I could move on to step 4. The remaining steps for using a patched APK with Objection on a non-rooted device are outlined below:
4. Install the newly repackaged APK onto the Android device (the new APK should have the same name as the original APK, except the name should now end with .objection.apk instead of just .apk)
   - Run `adb install <target.objection.apk>`
5. Open the application on the Android device
   - After installing the APK, launch the application on the device
   - The app should begin to open, but it should hang on a blank screen before fully launching
6. While the app is on that blank screen, open a terminal window and run the command `objection explore`
   - The application should finish launching and you should see the message `Agent injected and responds ok!` in the terminal
   - You should also see a prompt in the terminal with the package name of the application
7. At this new prompt, there are many useful commands that can be run, including a command to disable SSL pinning
   - SSL Pinning can be disabled by simply running `android sslpinning disable`, but there are many other useful commands that can be run within Objection
   - A list of useful Objection commands can be found here
This process can also be done with an iOS application by patching an IPA file, and Objection can also be used by simply running the Frida server on the mobile device.

