Category: Mobile

Androguard usage

Androguard is a python tool for analyzing Android applications. It can decompile and analyze APK files.   Install Androguard Androguard is written in python 2.7. The first step in installing Androguard is determining the path to python 2.7 and creating a virtual environment. The virtual environment is a container and has its own installation directories…


OWASP Uncrackable – Android Level3

This is the solution of the OWASP Uncrackable Android Level3. The binary can be found under https://github.com/OWASP/owasp-mstg/tree/master/Crackmes. In my previous post I detailed: how to patch an apk file with apktool how to patch a binary with IdaPro how to debug an android binary with gdb I will not detail these steps here. This challenge…


OWASP Uncrackable – Android Level2

This is the solution of the OWASP Uncrackable Android Level2. The binary can be found under https://github.com/OWASP/owasp-mstg/tree/master/Crackmes.   I started the analysis with loading the apk file into Jadx-GUI. I opened the MainActivity first. The system loads a native library called foo. The native function init is called in the onInit of the MainActivity. The…


How to install Appmon and Frida on a Mac

Appmon is a framework which makes it easier to deploy iOS application with frida. It inserts a Frida gadget dylib into the iOS application, resigns it and install it onto a connected device. I found it helpful, because it is not necessary to use a jailbroken device for mobile application testing. However the installation is…


OWASP Uncrackable – Android Level1

This is the solution of the OWASP Uncrackable Android Level1. The binary can be found under https://github.com/OWASP/owasp-mstg/tree/master/Crackmes.   I started the analysis with loading the apk file into Jadx-GUI. I opened the MainActivity first. This is a very simple application. The onCreate contains two checks. The first one tests if the device is rooted, the…


Certificate pinning

Recently I tried to test the bypassing of certificate pinning on an Android device. I used the SSLPinningExample.apk, which can be downloaded from here. This sample program downloads the https://github.com HTML page and opens it. It uses the certificate of the github.com site to create the SSL. Unfortunately the original program did not work for me,…