initialization
1. Install objection following the instructions at https://github.com/sensepost/objection
2. Patch your APK: https://github.com/sensepost/objection/wiki/Patching-Android-Applications
3. `adb install -t your.apk`
4. Once you launch the app, it shows a blank white screen and waits for `objection explore`
5. `memory search xxxx`
hook
useful command lines

frida -U -f com.dbs.mbanking.tw -l android-keystore-audit/frida-scripts/fingerprint-bypass.js
adb shell pm path <package name>
adb pull /data/app/~~6ohSJjUoGZa22X_AhKiKxA==/com.dbs.mbanking.tw-W2_ViQB4emAQjMRXvDkcSg==/base.apk
objection patchapk --source base.apk
adb install -t base.objection.apk
There's an easier way to find the password in memory:
1. Dump an hprof file from the running app.
2. `grep "keyword" xxx.hprof`
You can dump the hprof file via Profiler or from the command line, for example with this script:
https://github.com/hydrated/Android-Utilities/blob/master/DumpMemory/log_memory.sh
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#overview-2
Starting 2021, the MSTG checks for sensitive data in memory, in both the JVM and iOS environments. An immutable String lives in the heap and is hard to get collected, so what you can do is avoid carrying the secret in a String until it is end-to-end encrypted. That means either salting your password inside the String instance or always passing it around as a char array. Here is an example of salting:
https://github.com/hydrated/Android-Utilities/blob/master/ReverseSpannableStringBuilder.java
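As an added example (not the ReverseSpannableStringBuilder linked above, and not code from the blog), here is the char-array approach from the previous paragraph in plain Java: the credential is held in a char[], encoded to bytes without ever going through a String, and zeroed as soon as it has been handed to the transport layer. The class name SecretBuffer and the fake transport call are assumptions for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/**
 * Added example: holds a credential in a mutable char[] so it can be wiped.
 * A String is immutable and stays in the heap until the GC reclaims it, which
 * is why `grep "keyword" app.hprof` finds it; a zeroed char[] leaves nothing.
 */
public final class SecretBuffer implements AutoCloseable {
    private final char[] chars;
    private boolean wiped;

    /** Takes ownership of the array; the caller must not keep its own copy. */
    public SecretBuffer(char[] chars) {
        this.chars = chars;
    }

    /**
     * Encode to UTF-8 bytes for the encrypted transport. CharBuffer/ByteBuffer
     * are used instead of new String(chars).getBytes() so no String is created.
     * The caller owns the returned array and must wipe it after use.
     */
    public byte[] toUtf8() {
        if (wiped) throw new IllegalStateException("secret already wiped");
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] out = new byte[encoded.remaining()];
        encoded.get(out);
        // the encoder's own backing array is a second copy; zero it too
        if (encoded.hasArray()) Arrays.fill(encoded.array(), (byte) 0);
        return out;
    }

    /** Zero a byte copy once it has been consumed (e.g. after encryption). */
    public static void wipe(byte[] b) {
        Arrays.fill(b, (byte) 0);
    }

    /** Zero the characters; every read after this fails loudly. */
    @Override
    public void close() {
        Arrays.fill(chars, '\0');
        wiped = true;
    }

    /** Never expose the secret through logging or string concatenation. */
    @Override
    public String toString() {
        return "SecretBuffer[wiped=" + wiped + "]";
    }

    // --- demo -------------------------------------------------------------

    /** Stand-in for the e2ee/transport layer (assumption: not a real API). */
    static void sendEncrypted(byte[] payload) {
        // encrypt and transmit here; the demo only reports the length
        System.out.println("sent " + payload.length + " bytes");
    }

    public static void main(String[] args) {
        // Constructed sample input. On Android you would copy the characters
        // out of the input widget's CharSequence with getChars(...) rather than
        // calling toString() on it, so that no String copy is ever created.
        char[] typed = "hunter2-sample".toCharArray();

        try (SecretBuffer secret = new SecretBuffer(typed)) {
            byte[] bytes = secret.toUtf8();
            try {
                sendEncrypted(bytes);
            } finally {
                wipe(bytes);
            }
            System.out.println(secret);            // SecretBuffer[wiped=false]
        }
        // try-with-resources has called close(): the array is now all '\0'
        System.out.println(Arrays.toString(typed));
    }
}
```

The String literal in main exists only to build the demo input; in production the characters should be copied from the UI widget directly into a char[], otherwise the String copy is the very thing the hprof grep will find.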