Has the smartphone in your pocket become the driver of your daily life? Have you ever wondered which data the installed apps leak in the background?
We are on a mission to reveal the hidden secrets in the (sometimes) nasty bytecode of Android apps from professional developers. However, inspecting their traffic has become a non-trivial task: almost every app now talks HTTPS, and many additionally ship protections (such as certificate pinning) that keep an interception proxy from decrypting the traffic, even when the proxy's CA certificate has been installed on the device.
A few problems you’ll be confronted with:
There exist tools that can remove such protections on the fly during execution [1][2], or statically by manipulating the compiled app code [3]. However, static manipulation suffers from inherent limitations: the patched APK has to be re-signed, and without the developer's private key it can only carry a different signature. That is enough to install it on a test device, but it breaks installation as an update over the original app, and any signature check the app performs on itself will detect the change.
We found that no single tool provides a "does it all" solution.
In this seminar project, we want to explore how these HTTPS protections can be bypassed so that the traffic of an app can be inspected, and, if possible, implement strategies against such protections.
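As an added example (not code from this page, from Frida or from Objection), the following Frida script shows the runtime approach of [1] applied to the two places where an Android app typically rejects an interception proxy's certificate: OkHttp's CertificatePinner and the platform trust check in Conscrypt's TrustManagerImpl. Unlike a blanket "disable all pinning" hook, it lifts the checks only for hosts on an allow-list, so connections to every other host are still verified. The package name com.example.app and the host list are placeholders for this example.

```javascript
// Added example: Frida script that removes certificate pinning at runtime,
// but only for a chosen set of hosts. Not part of the seminar page.
// Run with:  frida -U -f com.example.app -l pinning-bypass.js
// (com.example.app is a placeholder package name.)
'use strict';

// Hosts whose TLS checks are lifted so an interception proxy can decrypt their
// traffic. Constructed for this example; the patterns follow OkHttp's pin
// convention: "*.x" matches exactly one extra label, "**.x" any number
// of labels (including none).
const BYPASS_HOSTS = ['api.example.com', '*.cdn.example.com', '**.example.net'];

function hostMatchesPattern(hostname, pattern) {
  hostname = hostname.toLowerCase();
  pattern = pattern.toLowerCase();
  if (pattern.startsWith('**.')) {
    const suffix = pattern.slice(3);
    return hostname === suffix || hostname.endsWith('.' + suffix);
  }
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(2);
    if (!hostname.endsWith('.' + suffix)) return false;
    const rest = hostname.slice(0, hostname.length - suffix.length - 1);
    return rest.length > 0 && !rest.includes('.');
  }
  return hostname === pattern;
}

function shouldBypass(hostname) {
  return BYPASS_HOSTS.some((p) => hostMatchesPattern(hostname, p));
}

function installHooks() {
  // 1. OkHttp3: CertificatePinner.check(String, List<Certificate>) throws
  //    SSLPeerUnverifiedException on a pin mismatch. Returning early skips the
  //    comparison for allow-listed hosts; all other hosts keep their pins.
  try {
    const Pinner = Java.use('okhttp3.CertificatePinner');
    Pinner.check.overload('java.lang.String', 'java.util.List').implementation =
      function (hostname, peerCertificates) {
        if (shouldBypass(hostname)) {
          console.log('[pin-bypass] okhttp3 pin skipped for ' + hostname);
          return;
        }
        return this.check(hostname, peerCertificates);
      };
  } catch (e) {
    console.log('[pin-bypass] okhttp3.CertificatePinner not present: ' + e);
  }

  // 2. Platform trust store (Android 7+): TrustManagerImpl.verifyChain validates
  //    the server chain against the trust anchors; this is where a proxy CA that
  //    the app's Network Security Config does not trust gets rejected. Returning
  //    the untrusted chain unchanged accepts it for allow-listed hosts only.
  try {
    const TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
    TrustManagerImpl.verifyChain.implementation = function (
      untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
      if (shouldBypass(host)) {
        console.log('[pin-bypass] trust check skipped for ' + host);
        return untrustedChain;
      }
      return this.verifyChain(untrustedChain, trustAnchorChain, host,
                              clientAuth, ocspData, tlsSctData);
    };
  } catch (e) {
    console.log('[pin-bypass] TrustManagerImpl not present: ' + e);
  }
}

// The Java bridge only exists inside the Frida runtime; loading this file
// anywhere else merely defines the helpers above.
if (typeof Java !== 'undefined') {
  Java.perform(installHooks);
}
```

The script is loaded with frida -U -f <package> -l pinning-bypass.js against a device running frida-server. Apps that ship an obfuscated copy of OkHttp have renamed class names, so the first hook then only logs that the class is absent and the TrustManagerImpl hook is what remains; that is the case where a per-app hooking strategy has to be developed. Objection's android sslpinning disable command [2] installs hooks of the same kind, but for every host at once.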
Your task will consist of:
[1] Frida, a dynamic instrumentation toolkit that hooks code in running processes, widely used for mobile app investigation
[2] Objection, a runtime mobile exploration toolkit built on Frida that, among other things, disables HTTPS protection measures such as certificate pinning
[3] Explanation of how Android apps can be repackaged to execute arbitrary commands