The workflow of Xposed framework Plugins for Android Pentesting
Xposed framework plugins help with a range of Android pentesting tasks. To see where Xposed fits in, look at the steps Android goes through from switching on the device to successfully running an app:
- Bootloader: when an Android device is switched on, the bootloader boots the kernel, which starts the first process, init.
- Init process: init loads the various daemons and components of the Android OS, taking its configuration from the init.rc file.
- Zygote process: after init has run, the Android runtime starts its child process, Zygote. Zygote is the special process in Android that handles the forking of every new application process; it can be thought of as the template process for each app and service started on the device. It is initialized by /system/bin/app_process, which loads the required classes and invokes the initialization methods. This is where Xposed comes into the picture.
- Xposed framework: when Xposed is installed, an extended app_process executable is copied to /system/bin. This extended startup process adds an additional jar to the classpath and calls methods from that jar at certain places.
- Dalvik VM: the Dalvik virtual machine gets ready to load and run Android applications.
- BOOT_COMPLETED broadcast: after the Dalvik VM is loaded, the Android OS broadcasts the boot-completed message to all components and apps, which receive it via a broadcast receiver.
Remember: Xposed is initiated between the init and Zygote.
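Because the extended app_process puts an extra jar on the classpath and calls into it before any app code runs, an Xposed install leaves traces inside every app process. The following Java class is an added example for this article (not code from the Xposed project) showing the start-up checks an app developer can use to notice those traces; it is the defensive counterpart of the SSL-pinning and root-detection bypasses described later, which only work while Xposed is loaded in the target process. The class name `XposedIndicators`, the file paths in `SUSPECT_FILES` and the Android version range they apply to are assumptions for classic Xposed builds; the package prefix `de.robv.android.xposed.` is the real one used by the Xposed bridge.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;

/**
 * Start-up checks an app can run to notice that it is executing inside an
 * Xposed-patched process. Added example for this article, not Xposed code.
 * It relies on the mechanism described above: the extended app_process adds
 * XposedBridge.jar to the classpath and calls into it before the app runs, so
 * the bridge class is loadable, its frames sit on the main thread's stack and
 * its files exist on /system. The paths below are assumptions for classic
 * (Android 4.x to 6.x) Xposed builds; verify them against the build you test.
 */
public final class XposedIndicators {

    /** Files the classic Xposed installer drops on /system (assumed paths). */
    private static final String[] SUSPECT_FILES = {
        "/system/framework/XposedBridge.jar",
        "/system/bin/app_process32_xposed",
        "/system/bin/app_process64_xposed",
        "/system/xposed.prop",
    };

    /** Package prefix of the Xposed bridge classes (real identifier). */
    private static final String XPOSED_PKG = "de.robv.android.xposed.";

    /** Xposed's app_process adds its jar to the CLASSPATH environment variable. */
    static String checkClasspathEnv() {
        String cp = System.getenv("CLASSPATH");
        if (cp != null && cp.contains("XposedBridge")) {
            return "XposedBridge on CLASSPATH: " + cp;
        }
        return null;
    }

    /** The bridge jar is on the system classpath, so its main class resolves from any app. */
    static String checkBridgeClassLoadable() {
        try {
            Class.forName(XPOSED_PKG + "XposedBridge");
            return XPOSED_PKG + "XposedBridge is loadable";
        } catch (ClassNotFoundException e) {
            return null;
        }
    }

    /**
     * XposedBridge.main() starts the runtime and then hands over to Zygote, so when
     * this runs on the main thread its frame is still on the stack; inside a hooked
     * method, XposedBridge.handleHookedMethod additionally appears above the callee.
     */
    static String checkStackTrace() {
        for (StackTraceElement frame : new Throwable().getStackTrace()) {
            if (frame.getClassName().startsWith(XPOSED_PKG)) {
                return "Xposed frame on stack: " + frame.getClassName() + "." + frame.getMethodName();
            }
        }
        return null;
    }

    /** Plain existence checks; a hooking framework can also lie about these. */
    static String checkFiles() {
        for (String path : SUSPECT_FILES) {
            if (new File(path).exists()) {
                return "Xposed artefact present: " + path;
            }
        }
        return null;
    }

    /** Runs every check and returns the indicators found (empty list means none seen). */
    public static List<String> collect() {
        List<String> found = new ArrayList<>();
        String[] results = { checkClasspathEnv(), checkBridgeClassLoadable(), checkStackTrace(), checkFiles() };
        for (String r : results) {
            if (r != null) {
                found.add(r);
            }
        }
        return found;
    }

    public static void main(String[] args) {
        List<String> hits = collect();
        if (hits.isEmpty()) {
            System.out.println("No Xposed indicators found in this process.");
        } else {
            for (String hit : hits) {
                System.out.println(hit);
            }
        }
    }
}
```

Call `collect()` early in `Application.onCreate()` and from the main thread, so the stack-trace check sees the frames left by the Zygote start-up. Treat every hit as a signal rather than proof: a module running in the same process can hook `File.exists()`, `System.getenv()` or `Class.forName()` just as easily as it hooks a TrustManager, so a client-side check should be backed by server-side verification of what the client is allowed to do.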
Xposed framework setup on the mobile device:
Nothing is easier than installing an apk on the device 🙂, so just download the compatible version of the Xposed apk from the website here onto your mobile device.
Note: it works on rooted devices only, and always install the apk that matches your device. I am using Android 6.0.1 (Marshmallow) to avoid troubleshooting time; the Marshmallow-compatible version was downloaded from here.
How to download the apk and install it on the device:
Step 1: Connect your Android device to the host system and open a CLI in the directory containing the downloaded apk.
Step 2: adb install Xposed.apk
Getting started with Xposed Framework
Step 1: Once Xposed is installed, open the Xposed app on the device and select Framework.
Step 2: It will show a popup; click OK.
Step 3: It will take you to another screen with a message. Click Install/Update, make sure to grant root access to the process when it asks, and it is ready to use.
Bypassing SSL pinning using Xposed
Analyzing the network traffic of an Android application is very important from a penetration tester's point of view, in order to find vulnerable endpoints and functionality.
Xposed framework “JustTrustMe” module: the JustTrustMe module is used to bypass SSL pinning; it disables the SSL certificate checking.
Step 1: Download the JustTrustMe apk here
Step 2: Go to the folder with the downloaded apk and open a CLI.
Run “adb install JustTrustMe.apk” and accept the allow prompt on the mobile device at the same time.
Step 3: Open Xposed, go to Modules and check “JustTrustMe”.
Step 4: Reboot your device.
Now you will be able to capture the application's traffic using the proxy.
Root Detection bypass
Some Android applications refuse to install or run on a rooted device. To pentest such an application on a rooted device while keeping root privileges, a root detection bypass is required.
Step 1: Make sure you have Xposed installed.
Step 2: Install RootCloak, as shown in the screenshot.
Step 3: Enable RootCloak in the Xposed app.
Step 4: Reboot your mobile.
Step 5: Go to the RootCloak app and choose Add/Remove Apps (this is where it hides root from apps). Click on “+” in the upper right corner and add the package name of the app.
For example: here I am using the app ecardandkeys, whose package name is com.ecardsandkeys, so I added it.
Step 6: Make sure to exit the RootCloak app, and if the app you just added is already running, close it or reboot your phone.
Step 7: Run the app to check that the root detection bypass succeeded.
Dynamic analysis of apps:
Inspeckage: it is used for dynamic analysis of Android applications and helps in understanding what an app is doing at runtime. Inspeckage is an Android package inspector; it hooks some of the Android APIs so that we can better understand the runtime behaviour of an application.
It allows you to interact with some elements of the app, like activities and providers.
Download Inspeckage from here
How does it work?
Inspeckage has an internal HTTP server that provides an interactive web interface.
The image below shows the available features of Inspeckage.
You can access the Inspeckage dashboard at http://192.168.0.101:8008; it shows the available options for analyzing the app from the host system.
From the dashboard you can:
- download the apk to the host system,
- view a tree of the app's data directories,
- browse the app file system,
- run specific activities of the app.
Advantages of this approach:
- No need to modify the apk, which means the whole reverse-engineering and code-modification process can be avoided.
- Simple to use; only the required modules are needed.