Download frida-tools (pipx install frida-tools). See https://frida.re/
Download frida-server for your device (arm(64)/x86/x64):
Protip: No idea which arch? Download all of them!
wget $(curl https://api.github.com/repos/frida/frida/releases/latest | jq -r '.assets | .[] | select(.name | test("server-.+-android")) | .browser_download_url')
unxz frida-server-*-android-*.xz
adb push frida-server-*-android-* /data/local/tmp/
adb shell
cd /data/local/tmp/
chmod 755 frida-server-*
ls
./frida-server-* # <-- need to specify arch
Check frida-tools can see frida-server:
frida-ls-devices
Running frida
frida --usb -f dk.rejsekort.checkudvej --runtime=v8 -l script.js
# Or use premade MITM unpinning script:
frida --usb -f dk.rejsekort.checkudvej --runtime=v8 --codeshare akabe1/frida-multiple-unpinning
List ‘dk.example.*’ apps:
adb shell pm list packages | cut -d':' -f2 | grep "dk\.example\."
If no non-default apps are found, you can use this:
wget https://xn--sb-lka.org/checkudvej.apk
# Install 'checkudvej.apk':
adb push checkudvej.apk /data/local/tmp/app.apk
adb shell pm install -i "com.android.vending" -r /data/local/tmp/app.apk
adb shell rm /data/local/tmp/app.apk
Pull the APK of an installed app, e.g. dk.someapp:
adb shell pm path "dk.someapp" | sed 's/^package://'
adb pull "/full/path/base.apk"
Split APKs need extra steps, see https://raccoon.onyxbits.de/blog/install-split-apk-adb/
Mirror the device screen:
scrcpy --show-touches --always-on-top
Decompile the app: download the app to your computer and install “jadx”.
jadx --show-bad-code --no-debug-info --deobf --deobf-min 2 --deobf-use-sourcename --use-kotlin-methods-for-var-names=apply-and-hide someapp.apk
# Check for interesting strings/urls
cat base/resources/res/values/strings.xml
Xamarin apps: file *.dll returns “Sony PlayStation Audio”. If your extracted *.dll files start with the magic bytes XALZ, then decompress them using https://github.com/x41sec/tools/blob/master/Mobile/Xamarin/Xamarin_XALZ_decompress.py
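An added example, not code from these notes and not the x41sec script linked above: a pure-Python XALZ unpacker that reads the 12-byte header (magic, descriptor index, uncompressed length) and decodes the LZ4 block payload itself, so the lz4 package is not needed; the sample blob is constructed.

```python
import struct

XALZ_MAGIC = b"XALZ"
HEADER_LEN = 12  # magic (4) + descriptor index (4) + uncompressed length (4), little-endian

def _read_length(src, i, length):  # LZ4: nibble 15 means "add bytes until one is < 255"
    while True:
        b = src[i]
        i += 1
        length += b
        if b != 255:
            return length, i

def lz4_block_decompress(src: bytes, expected_len: int) -> bytes:
    """Minimal LZ4 block decoder: sequence = token, literals, 2-byte offset, match."""
    out = bytearray()
    i, n = 0, len(src)
    while i < n:
        token = src[i]
        i += 1
        lit_len = token >> 4
        if lit_len == 15:
            lit_len, i = _read_length(src, i, lit_len)
        out += src[i:i + lit_len]
        i += lit_len
        if i >= n:  # the final sequence carries literals only
            break
        offset = src[i] | (src[i + 1] << 8)
        i += 2
        if offset == 0 or offset > len(out):
            raise ValueError("invalid LZ4 match offset")
        match_len = (token & 0x0F) + 4
        if (token & 0x0F) == 15:
            match_len, i = _read_length(src, i, match_len)
        start = len(out) - offset
        for k in range(match_len):  # byte-wise copy so overlapping (run-length) matches work
            out.append(out[start + k])
    if len(out) != expected_len:
        raise ValueError(f"decoded {len(out)} bytes, header promised {expected_len}")
    return bytes(out)

def unpack_xalz(blob: bytes) -> bytes:
    """Return the plain .NET assembly; a blob without the XALZ magic is returned unchanged."""
    if not blob.startswith(XALZ_MAGIC):
        return blob
    _magic, _descriptor_index, uncompressed_len = struct.unpack_from("<4sII", blob, 0)
    return lz4_block_decompress(blob[HEADER_LEN:], uncompressed_len)

SAMPLE_PLAIN = b"abcabcabcabc12345"  # constructed: one LZ4 match plus a literal-only tail
SAMPLE_XALZ = XALZ_MAGIC + struct.pack("<II", 0, len(SAMPLE_PLAIN)) + b"\x35abc\x03\x00\x5012345"
```

Run unpack_xalz() over each extracted .dll and write the result out; a file that already starts with MZ passes through untouched.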
Batch process a bunch of DLLs:
mkdir decoded/
find . -iname '*.dll' -exec python3 /path/to/Xamarin_XALZ_decompress.py {} decoded/{} \;
(With find starting at ".", the output lands at decoded/./name.dll; for DLLs in subdirectories, create the matching directories under decoded/ first.)
Problem: The frida REPL is somewhat limited (e.g. tedious to wrap everything in Java.perform(() => { ... }))
Solution: Start frida with the argument --debug, then open Chromium and go to chrome://inspect => Open dedicated DevTools for Node. Now you have a “proper” REPL where auto-complete works and there is no need to wrap Java bindings in Java.perform().
Route device HTTP traffic to a proxy listening on port 8080 on your computer:
adb shell settings put global http_proxy localhost:8080
adb shell settings put global captive_portal_mode 0
adb reverse tcp:8080 tcp:8080
Undo the proxy settings:
adb shell settings delete global global_http_proxy_host
adb shell settings delete global global_http_proxy_port
adb shell settings delete global http_proxy
adb shell reboot
Example frida script: hook String.toString() and print a stack trace when the “TLS error” message is built:
Java.perform(() => {
  let printStackTrace = () => console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
  let strCls = Java.use("java.lang.String");
  strCls.toString.overload().implementation = function () {
    let result = this.toString();
    // Danish: "An error occurred in the communication with the system"
    if (result.includes("Der opstod en fejl i kommunikationen med systemet"))
      printStackTrace();
    return result;
  }
  //Java.use("java.net.URL").toString.overload().implementation = function () {
  //  var result = this.toString();
  //  console.log(result);
  //  return result;
  //}
});
Getting this error after enabling Google Advanced Protection Program?
INSTALL_FAILED_VERIFICATION_FAILURE: Install not allowed for file:///data/app/[…].tmp
Trick, enable ADB and …
adb push "/path/to/app.apk" /data/local/tmp/app.apk
adb shell pm install -i "org.fdroid.fdroid" -r /data/local/tmp/app.apk
adb shell rm /data/local/tmp/app.apk