Recently tweeted on a bypass for Snapchat's cert pinning. It required monitoring 'android_dlopen_ext' to instrument the native target library directly after load.
Absence of 'android_dlopen_ext' on older Android SDKs raised some questions, so I'll share a partial solution.
1/n
The appended screenshot shows an alternative approach to monitor loading of dynamic modules for JNI based on 'JavaVMExt::LoadNativeLibrary'.
Below it is showcased with @fridadotre frida-trace (upper terminal) and a modified script for the frida-trace hook (lower terminal).
2/n
As pointed out in the comments, you have to deal with C++ mangled function names and the std::string implementation of the respective C++ library to do it this way (less clean than the 'android_dlopen_ext' approach).
3/n
No matter which approach you use, once you are sure the native library is loaded, you could hook it as needed before returning execution to the instrumented thread (in the case of Snapchat, the target would be 'libclient<.>so', for example).
4/n
Also, one might think monitoring 'dlopen' directly could do the trick, but this would miss a decent number of hot-loaded JNI modules. I also often faced crashes when using Frida's Interceptor.attach on 'dlopen', which could be partially mitigated by using ...
5/n
... Interceptor.replace with a proxy function instead (see screenshot for an example).
That's it ... happy hooking friends!
6/6
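An added example (not the author's screenshot or script) of the loader hook described in this thread, written as a Frida agent in JavaScript: it watches 'android_dlopen_ext' with Interceptor.attach and, where that symbol is absent, wraps 'dlopen' with Interceptor.replace and a NativeCallback proxy, then reports once the target library is mapped. It assumes the pre-17 Frida API ('Module.findExportByName') and uses 'libclient.so' from the thread as the assumed target name; the path-matching helper is plain JavaScript so it can run outside Frida.

```javascript
// Added example, not from the original thread. Frida agent (JavaScript), pre-17 Frida API assumed.
const TARGET_LIBS = ['libclient.so']; // assumed target name, taken from the thread's Snapchat example

// Plain JavaScript: does a dlopen()-style path (full path or bare file name) refer to one of our targets?
function isTargetLibrary(path, targets) {
  if (typeof path !== 'string' || path.length === 0) return false;
  const name = path.slice(path.lastIndexOf('/') + 1);
  return targets.includes(name);
}

// Runs while the loader call is still on the stack, i.e. before execution returns to the app thread.
function onTargetLoaded(path) {
  const name = path.slice(path.lastIndexOf('/') + 1);
  const mod = Process.findModuleByName(name);
  if (mod !== null) {
    console.log(`[+] ${name} loaded at ${mod.base} (size ${mod.size})`);
    // Further Interceptor.attach calls on the library's own functions would go here.
  }
}

// Variant A (newer SDKs): observe android_dlopen_ext with Interceptor.attach.
function hookAndroidDlopenExt() {
  const sym = Module.findExportByName('libdl.so', 'android_dlopen_ext');
  if (sym === null) return false; // absent on older SDKs, as the thread notes
  Interceptor.attach(sym, {
    onEnter(args) { this.path = args[0].isNull() ? null : args[0].readUtf8String(); },
    onLeave(retval) {
      if (!retval.isNull() && isTargetLibrary(this.path, TARGET_LIBS)) onTargetLoaded(this.path);
    }
  });
  return true;
}

// Variant B: wrap dlopen with Interceptor.replace and a proxy (the crash workaround from the thread).
function hookDlopen() {
  const sym = Module.findExportByName('libdl.so', 'dlopen');
  if (sym === null) return false;
  const dlopen = new NativeFunction(sym, 'pointer', ['pointer', 'int']);
  Interceptor.replace(sym, new NativeCallback(function (pathPtr, flags) {
    const handle = dlopen(pathPtr, flags); // let the real loader map the library first
    const path = pathPtr.isNull() ? null : pathPtr.readUtf8String();
    if (!handle.isNull() && isTargetLibrary(path, TARGET_LIBS)) onTargetLoaded(path);
    return handle;
  }, 'pointer', ['pointer', 'int']));
  return true;
}

if (typeof Interceptor !== 'undefined') { // only install hooks inside a Frida runtime
  if (!hookAndroidDlopenExt()) hookDlopen();
}
```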
You want to know what the Facebook app sends home?
Let's look into 1 out of many GraphQL requests ("LocationUpdateMutation" serves as example)
The excerpt of the full request is hard to read, so let's get into some details...
1/n
1) Top-level message object, contains device identifiers and stats.
Pay attention to the empty "scan_result" and "connected" arrays under "cell_info" ... these would likely be filled if my test device had a mobile connection (operator info is included anyway).
2/n
And here are the scan results with proper BSSIDs and RSSI values for all WiFi networks in range.
Helps to determine your precise position; also great for creating WiFi maps if GPS data were included.
I still had questions about 3rd-party data sharing, so I took another look.
Before registration, apparently only the "usual" data is sent to 3rd-party services, but...
...that is because the data exchanged with AppsFlyer is encrypted once more. If you open it up, the whole thing looks as follows (2nd image: sample data of ONE AppsFlyer event from Scoolio)
PS: the Facebook Attr ID already appeared in the last tweet
...
Still without registering, I create a timetable. It is not stored in a database of their own, but at "Google Firebase".
Thx @oleavr for the tip to run @fridadotre one-time Android system-level tasks inside 'system_server'.
Example: collect per-app AndroidIDs
1) Agent (TypeScript) 2) App excerpt (calls a function of the compiled agent in 'system_server' once the device connects, then detaches) 3) App output
For this use-case alone, it is a big time-saver.
Previous approach:
Monitor 'Binder' (native) or 'android.provider.Settings$Secure' (Java) for AndroidID retrieval **for each process of relevance** (lots of processing overhead).
Some additional info on "Android IDs".
While the Android ID could be assumed to be a persistent identifier (unless a device is re-installed), it differs per Android user (usually only one) and package signer.
For Android SDK <26, Android IDs do not differ on a single device.
To clarify whether/how the #LucaApp warns users, I spoofed a query of a location visit by the "Gesundheitsamt Saalfeld-Rudolstadt" (health authority):
1) Popup notification 2) !!generic!! query notification 3) Info on which health authority queried which location (pixelated)
There is no specific warning about infection-relevant contacts, nor an event-specific message from the health authority INSIDE the #LucaApp (since no back channel to the user exists).
Everything else (if necessary) must be done MANUALLY through direct communication with the health authority.
How @kreis_rostock managed to send a customized warning message via #LucaApp in order to "address affected persons directly" remains unclear.
I tested the latest Android version of the app, v1.11.1.