Xposed Framework Plugins For Android Pentesting

January 15, 2020

The workflow of Xposed framework Plugins for Android Pentesting

Xposed framework plugins help with various Android pentesting tasks. Looking closely at Android, several steps take place between switching on a device and successfully running an app:

  • Bootloader: when an Android device is switched on, the bootloader boots up the kernel, and the first process, init, is initialized.
  • Init process: init loads the various daemons and components of the Android OS, taking its configuration from the init.rc file.
  • Zygote process: after running the init process, the Android runtime starts its child process, Zygote. It is the special process in Android that handles the forking of each new application process; it can be described as the template process for each app and service that is started on the device. This process is initialized with /system/bin/app_process, which loads the required classes and invokes the initialization methods. This is where Xposed comes into the picture.
  • Xposed Framework: when Xposed is installed, an extended app_process executable is copied to /system/bin. This extended startup process adds an additional jar to the classpath and calls methods from there at certain places.
  • Dalvik VM: here the Dalvik virtual environment gets ready to load and run Android applications.
  • Boot_Completed Broadcast: after the Dalvik VM is loaded, the Android OS broadcasts the boot-completed message to all components and apps, which receive it via a broadcast receiver.

Remember: Xposed is initiated between the init and Zygote.
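The additional jar that the extended app_process puts on the classpath (XposedBridge.jar) is the artifact that shows whether a given process was started with the framework active. The shell example below is added here and is not code from the original article or the Xposed project; the maps listings it reads are constructed samples and the function names are illustrative.

```shell
#!/bin/sh
# Added example: look for the jar Xposed puts on the classpath in a
# /proc/<pid>/maps listing. All sample data below is constructed.

# Constructed maps listing of an app process forked from a hooked Zygote.
sample_maps() {
cat <<'EOF'
12c00000-12e01000 rw-p 00000000 00:04 7031   /dev/ashmem/dalvik-main space (deleted)
70e2b000-71a5c000 r--p 00000000 103:09 1402  /system/framework/arm/boot.oat
9f1c4000-9f1f2000 r--p 00000000 103:09 1611  /system/framework/XposedBridge.jar
9f200000-9f2a1000 r--p 00000000 103:0a 8123  /data/dalvik-cache/arm/system@framework@XposedBridge.jar@classes.dex
a3400000-a3412000 r-xp 00000000 103:09 977   /system/lib/libssl.so
EOF
}

# Constructed maps listing of the same app on a device without the framework.
sample_maps_clean() {
cat <<'EOF'
12c00000-12e01000 rw-p 00000000 00:04 7031   /dev/ashmem/dalvik-main space (deleted)
70e2b000-71a5c000 r--p 00000000 103:09 1402  /system/framework/arm/boot.oat
a3400000-a3412000 r-xp 00000000 103:09 977   /system/lib/libssl.so
EOF
}

# Read a maps listing on stdin and print each distinct mapped path that
# references XposedBridge (the jar itself or its compiled dex copy).
xposed_mappings() {
    awk 'NF >= 6 {
        path = $6
        for (i = 7; i <= NF; i++) path = path " " $i   # paths may contain spaces
        if (tolower(path) ~ /xposedbridge/) print path
    }' | sort -u
}

# Print a verdict plus evidence; exit status 0 = framework mapped, 1 = not.
check_process() {
    hits=$(xposed_mappings)
    if [ -n "$hits" ]; then
        printf 'HOOKED\n%s\n' "$hits"
        return 0
    fi
    printf 'CLEAN\n'
    return 1
}

sample_maps | check_process
```

On a rooted test device the real input is the content of /proc/<pid>/maps for the app's process, read as root.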

Xposed framework setup on the mobile device:

Nothing could be easier than installing an APK on the device, so just download the compatible version of the Xposed APK from the website here on your mobile device.

Note: it works on rooted devices only. Always install the APK that matches your device to avoid time spent troubleshooting; I am using Android version 6.0.1 Marshmallow, with the Marshmallow-compatible version downloaded from here.

How to download the APK and install it on the device:

Step 1: Connect your Android device to the host system and open a CLI in the directory where the APK was downloaded.

Step 2: Run “adb install Xposed.apk”.

Getting started with Xposed Framework

Step 1: Once Xposed is installed, open the Xposed app on the device and select Framework.

Xposed Installer

Step 2: It will show a popup; click OK.


Xposed Framework alert

Step 3: It will take you to another screen with a message. Click Install/Update, make sure to grant root access to the process when it asks, and it is ready to use.

Xposed installer update/active

Bypassing SSL pinning using Xposed

Analyzing the network traffic of an Android application is very important from a penetration tester's point of view, in order to find vulnerable endpoints and functionality.

Xposed framework “JustTrustMe” module: to bypass the pinning, the Xposed framework “JustTrustMe” module is used. It helps by disabling SSL certificate checking.

Step 1: Download the JustTrustMe APK here.

Step 2: Go to the folder where the APK was downloaded and open a CLI.

Run “adb install JustTrustMe.apk” and accept the allow prompt on the mobile device at the same time.

Step 3: Open Xposed, go to modules and checkmark “JustTrustMe”

JustTrustMe Module enabled

Step 4: Reboot your device.
Now you will be able to capture the application traffic using the proxy.

Root Detection bypass

Some Android applications do not allow installation and use on a rooted device, so to pentest such an application on a rooted device, where root privilege is available, a root detection bypass is required.

Rooted Device Alert

Instructions

Step 1: Make sure you have Xposed

Step 2: Install RootCloak as you can see in the screenshot

Installing RootCloak

Step 3: Enable RootCloak in the Xposed app


RootCloak Module

Step 4: Reboot your mobile device.

Step 5: Go to the RootCloak app and add/remove apps (this is where it hides root from apps). Click “+” in the upper-right corner and add the package name of the app.

For example: here I am using the app ecardandkeys, whose package name is com.ecardsandkeys, so I added it.

Adding App to root cloak

Step 6: Make sure to exit the RootCloak app, and if the app you just added is already running, close it, or reboot your phone.

Step 7: Run the app to check that the root detection bypass was successful.

bypassed root check

Dynamic Analysis of Apps:

Inspeckage: it is used for dynamic analysis of Android applications and helps in understanding what an app is doing at runtime. Inspeckage is an Android package inspector; it hooks some of the Android APIs so that we can better understand the runtime behaviour of an application.

It allows you to interact with some of the elements of the app, such as activities and providers.

Prerequisites:

1. Xposed Framework

2. Download Inspeckage from here

How does it work?

Inspeckage has an internal HTTP server that provides an interactive web interface.
The below image shows the available features of Inspeckage.

Inspeckage

You can access the Inspeckage dashboard at http://192.168.0.101:8008; it shows the available options for analyzing the app from the host system.

Inspeckage
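Because the dashboard is served over plain HTTP on the device's network address, it is worth confirming which interface port 8008 is bound to before testing on a shared network. The shell example below is added here and is not code from the original article or from Inspeckage; it parses constructed socket-table lines in the /proc/net/tcp and /proc/net/tcp6 layout, and the function names and uid value are illustrative.

```shell
#!/bin/sh
# Added example: report which interface the Inspeckage dashboard port is
# bound to, from /proc/net/tcp and /proc/net/tcp6 style input.

PORT_HEX=1F48   # 8008, the dashboard port in the article, as procfs prints it

# Constructed socket table: a loopback service, the dashboard listening on
# every interface, and one established connection from the LAN address.
sample_sockets() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9012
   1: 00000000000000000000000000000000:1F48 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10093        0 44871
   2: 6500A8C0:9C40 0A00A8C0:01BB 01 00000000:00000000 00:00000000 00000000 10093        0 45102
EOF
}

# Constructed socket table: dashboard bound to IPv4-mapped 127.0.0.1 only.
sample_sockets_loopback() {
cat <<'EOF'
   0: 0000000000000000FFFF00000100007F:1F48 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10093        0 44871
EOF
}

# Print "<scope> uid=<uid>" for every socket in LISTEN state (0A) on the port.
# procfs prints addresses as little-endian hex words; the loopback forms
# listed are 127.0.0.1, ::ffff:127.0.0.1 and ::1.
dashboard_listeners() {
    awk -v port="$PORT_HEX" '
    BEGIN { loop = " 0100007F 0000000000000000FFFF00000100007F 00000000000000000000000001000000 " }
    $4 == "0A" {
        if (split($2, a, ":") != 2 || toupper(a[2]) != port) next
        addr = toupper(a[1])
        if (addr ~ /^0+$/) { scope = "all-interfaces" }
        else if (index(loop, " " addr " ")) { scope = "loopback" }
        else { scope = "single-address" }
        print scope, "uid=" $8
    }'
}

# Exit 0 when a listener is reachable from the network, 1 when the port is
# loopback-only or not listening at all.
dashboard_exposed() {
    dashboard_listeners | grep -qv '^loopback '
}

sample_sockets | dashboard_listeners
```

On the device the real input is /proc/net/tcp and /proc/net/tcp6 concatenated; any scope other than loopback means the dashboard is reachable from other hosts on the same network.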

It allows you to download the APK to the host system from the dashboard.


apk download from the dashboard

Tree view of the data directories


tree view

analyze apps directory structure

Shared preferences


shared prefs

App File system


file system of the app

Shows IPC


Show IPC

Device Footprinting


Device Footprinting

You can run the specific activities of the app


Start Activities

Advantages

  • No need to modify the APK, which means the whole process of reverse engineering and modifying the code can be avoided.
  • The required modules are simple to use.

Check out: https://enciphers.com/awesome-android-application-security/

References

https://repo.xposed.info/

https://repo.xposed.info/module/de.robv.android.xposed.installer

https://resources.infosecinstitute.com/an-introduction-to-the-xposed-framework-for-android-penetration-testing/#gref

https://repo.xposed.info/module/com.devadvance.rootcloak2

https://github.com/Fuzion24/JustTrustMe

https://github.com/ac-pm/Inspeckage