
Android Pentesting - WorkProfile

Agenda

  • We sometimes do not receive an APK file or a Play Store link to perform an Android pentest. Instead, it may be necessary to install the app using an invitation link supplied to a work email.
  • To install it from the invitation, we first need to sign in with the work email on our device. This creates a separate work profile on the device, which means a separate user ID on the device.
  • The way we normally use tools like adb, drozer and frida does not work in this profile.
  • The notes below explain how to pentest an app when it is installed in a work profile.

Work Account Addition

  • Navigate to Chrome or to the Accounts section of your Settings.
  • Add a Google account.
  • While the account is being set up, it shows something like the screenshot below. You might need approval from an administrator while setting up the account.

  • After the work profile has been created, install the necessary applications, such as Chrome, in that profile. It looks like the screenshot below.

The problem

  • Let us suppose we have installed the Twitter application through an invitation link.

List Package through ADB

    adb shell pm list packages | grep -i twitter

  • No package will be listed. We will also not be able to install packages into the work profile this way.

Hook Application with Frida

➜ frida -U -f com.twitter.android
     ____
    / _  |   Frida 16.0.7 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to 220333QBI (id=8e0e55a9)
Failed to spawn: unable to find application with identifier 'com.twitter.android'
  • This causes a problem during an assessment, since we would not be able to pull the app's internal storage, pull the APK, or hook the application's classes and methods.
  • This is because tools like ADB and Frida use the default user ID (which is 0) on the device, i.e. the owner profile.

The Solution

  • Since there are now several profiles, we can list the installed profiles/users using ADB.

    ➜ adb shell pm list users
    Users:
      UserInfo{0:Owner:c13} running
      UserInfo{10:Work profile:1030} running
      UserInfo{999:XSpace:801030} running

  • Here we find user ID 10 for the Work Profile, and we need to pass that specific user ID to the command with --user.

    ➜ adb shell pm list packages --user 10 | grep -i twi
    package:com.twitter.android
    
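The lookup above is easy to script so that every later pm/am call targets the right profile automatically. The following is an added example (not code from the original post): it parses the "pm list users" output format shown above to recover the work profile's user ID, then builds the --user scoped command lines the rest of the post uses. It assumes adb is on PATH with a single device attached; SAMPLE_USERS is a constructed copy of the output format, and the demo branch runs against that sample so the script works without a device.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes: adb on PATH, one device.
# SAMPLE_USERS is constructed from the `pm list users` format shown in the post.

SAMPLE_USERS='Users:
  UserInfo{0:Owner:c13} running
  UserInfo{10:Work profile:1030} running
  UserInfo{999:XSpace:801030} running'

# user_id_for_name NAME: read `pm list users` output on stdin and print the
# numeric ID of the first user whose display name is exactly NAME.
# CR characters that adb may leave on each line are stripped so the regex matches.
user_id_for_name() {
  tr -d '\r' | sed -n "s/^[[:space:]]*UserInfo{\([0-9][0-9]*\):$1:.*/\1/p" | head -n 1
}

# work_profile_id: query the attached device for the "Work profile" user ID.
work_profile_id() {
  adb shell pm list users | user_id_for_name "Work profile"
}

# pm_user_cmd UID SUBCOMMAND [ARGS...]: print the `adb shell pm` command line
# with --user inserted after the subcommand (list packages, path, install, ...).
pm_user_cmd() {
  uid=$1; sub=$2; shift 2
  if [ $# -gt 0 ]; then
    printf 'adb shell pm %s --user %s %s\n' "$sub" "$uid" "$*"
  else
    printf 'adb shell pm %s --user %s\n' "$sub" "$uid"
  fi
}

# am_start_user_cmd UID COMPONENT: print the command that launches an activity
# inside the given profile; the same --user flag applies to broadcasts/services.
am_start_user_cmd() {
  printf 'adb shell am start --user %s -n "%s"\n' "$1" "$2"
}

# Demo on the constructed sample, so the script runs without a device attached.
if [ "${1:-}" = "--demo" ]; then
  uid=$(printf '%s\n' "$SAMPLE_USERS" | user_id_for_name "Work profile")
  echo "work profile user id: $uid"
  pm_user_cmd "$uid" "list packages"
  pm_user_cmd "$uid" install -t /data/local/tmp/test.apk
  pm_user_cmd "$uid" path com.twitter.android
  am_start_user_cmd "$uid" "com.twitter.android/com.twitter.android.MainActivity"
fi
```

Run it with --demo to see the commands built from the sample; on a real device, replace the sample with "$(work_profile_id)" and pipe the printed lines to sh, or call adb directly. Matching the user name exactly matters because a device can carry several secondary users (the XSpace clone profile above is one), and only the one named "Work profile" is the managed profile the invitation created.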

Install APK to work profile with ADB

  • For this, we first need to push the APK file into the device's internal storage.

    ➜ adb push test.apk /data/local/tmp/

  • After that, install the APK into the work profile by passing its user ID.

    ➜ adb shell pm install -t --user 10 /data/local/tmp/test.apk
    

Pull files/APK from work profile with ADB

  • Locate the APK directory for the package in the work profile.

    ➜ adb shell pm path --user 10 com.twitter.android

  • Pull the APK. Here we do not need to specify a user, since the full path is already specific to the installation in that profile.

    ➜ adb pull /data/app/~~LIZadsddbhnwGmi8rQ==/com.twitter.android-oCM-tTVHsdddc8IxZ66A==/base.apk
    
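One caveat a tester runs into here: for apps shipped as an App Bundle, "pm path" prints several "package:" lines (base.apk plus split_config.*.apk files), and all of them are needed to reinstall or fully decompile the app. The following added example (not from the original post) parses that output and pulls every listed APK. It assumes adb on PATH and a single device; SAMPLE_PM_PATH is constructed, and the hashed path segments in it are placeholders rather than real device paths.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes: adb on PATH, one device.
# SAMPLE_PM_PATH is constructed; PLACEHOLDER segments stand in for the random
# directory names Android generates under /data/app.

SAMPLE_PM_PATH='package:/data/app/~~PLACEHOLDER1==/com.example.app-PLACEHOLDER2==/base.apk
package:/data/app/~~PLACEHOLDER1==/com.example.app-PLACEHOLDER2==/split_config.arm64_v8a.apk
package:/data/app/~~PLACEHOLDER1==/com.example.app-PLACEHOLDER2==/split_config.en.apk'

# apk_paths: read `pm path` output on stdin, drop CR characters adb may add and
# the "package:" prefix, and print one absolute APK path per line.
apk_paths() {
  tr -d '\r' | sed -n 's/^package://p'
}

# count_apks: number of APKs (base + splits) in the stdin `pm path` output.
count_apks() {
  apk_paths | wc -l | tr -d ' '
}

# pull_cmds OUTDIR: for each path on stdin, print the `adb pull` command that
# copies it into OUTDIR. No --user is needed: the path already belongs to the
# installation inside the chosen profile.
pull_cmds() {
  outdir=$1
  apk_paths | while IFS= read -r p; do
    printf 'adb pull "%s" "%s/"\n' "$p" "$outdir"
  done
}

# pull_package UID PKG OUTDIR: the live version, run against an attached device.
pull_package() {
  mkdir -p "$3"
  adb shell pm path --user "$1" "$2" | apk_paths | while IFS= read -r p; do
    adb pull "$p" "$3/"
  done
}

# Demo on the constructed sample, so the script runs without a device attached.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_PM_PATH" | pull_cmds ./out
fi
```

Against a device, "pull_package 10 com.twitter.android ./twitter" does the whole job; if count_apks reports more than one file, keep the splits together with base.apk, because reinstalling only base.apk with pm install will fail or produce a broken app.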

Start an android activity with ADB

    ➜ adb shell am start --user 10 -n "com.twitter.android/com.twitter.android.MainActivity"

  • The same --user flag applies to broadcast receivers, services and content providers as well.

Work Profile and Drozer

  • You need to install the drozer agent APK into the work profile (with --user 10, as above) and you are good to go.

Work Profile and Frida

  • Download the latest frida-server for the device's architecture, then push and start it on the Android device.

    ➜ adb root # might be required
    ➜ adb push frida-server /data/local/tmp/
    ➜ adb shell "chmod 755 /data/local/tmp/frida-server"
    ➜ adb shell "/data/local/tmp/frida-server &"

  • By default, frida-server spawns applications as the default user ID (which is 0).
  • Therefore, when hooking an application, it cannot find the application installed in the work profile.
  • One workaround is to add the custom code below to the source of frida-server and compile it for the device. Here the user ID is hard-coded to 10, i.e. the work profile. This causes a problem when you need to hook an application installed under the default user ID: you have to change the file back to user ID 0 and rebuild. Reference
    // Patch to Frida's Android spawn helper (not standalone: pkg, intent, context
    // and performLaunchOperation come from the surrounding Frida source).
    var userSpecific = true;  // set to false to restore the default user-0 behaviour
    if (!userSpecific) {
      performLaunchOperation(pkg, function () {
        context.startActivity(intent);
      });
    } else {
      performLaunchOperation(pkg, function () {
        var userid = 10;  // hard-coded work profile user ID
        var ContextWrapper = Java.use('android.content.ContextWrapper');
        var UserHandle = Java.use('android.os.UserHandle');
        var userHandle = UserHandle.of(userid);
        context = ContextWrapper.$new(context);
        // launch the activity as the work profile user instead of user 0
        context.startActivityAsUser(intent, userHandle);
      });
    }
    
  • After some research, I found that Frida has added an option for auxiliary parameters (--aux), which passes platform-specific spawn options on the command line.

  • Digging into it, we can see that it first checks whether the user ID is 0, and when it is not, it looks up the package installed under the supplied user ID/profile, i.e. user ID 10 in my case.

  • This means we can hook the application with --aux "uid=(int)10":
    ➜ frida -U -f com.twitter.android --aux "uid=(int)10"
       ____
      / _  |   Frida 16.0.7 - A world-class dynamic instrumentation toolkit
     | (_| |
      > _  |   Commands:
     /_/ |_|       help      -> Displays the help system
     . . . .       object?   -> Display information about 'object'
     . . . .       exit/quit -> Exit
     . . . .
     . . . .   More info at https://frida.re/docs/home/
     . . . .
     . . . .   Connected to 220333QBI (id=8e0e55a9)
    Spawned `com.twitter.android`. Resuming main thread!
    [220333QBI::com.twitter.android ]->
    

Random Thoughts

  • By injecting a frida/objection snippet, we might also be able to hook into an application that is installed in the work profile. Since the application executes in the work environment, this could trigger the frida server to use the work profile. But I need to give it a shot, maybe after a while.

Regards

  • https://github.com/frida/frida-tools/pull/36
This post is licensed under CC BY 4.0 by the author.