
Hooking and Patching Android Apps Using Cydia Substrate Extensions 2023

In this article we will learn about Hooking and Patching Android Apps Using Cydia Substrate Extensions.

Introduction to Hooking and Patching Android Apps:

In one of the previous articles, we discussed how to exploit debuggable apps on Android. You can find it here. There are some limitations to using JDB against debuggable applications: the application's debuggable flag must be set to true for this to work on a real device, and JDB is driven from the command line, where we have to set breakpoints and steer the flow by hand. Although that technique is useful in analyzing applications, we need a solution that lets us control the flow of the application at runtime, while it is running. This is where tools like Cydia Substrate, Xposed Framework and Frida come into play. Although we will use Xposed and Frida later in this series, writing Cydia Substrate extensions for application flow control is what we will discuss in this article.

To be clear before you start, the following is required to practically follow this article.

Rooted Android device with Cydia Substrate installed. Cydia Substrate can be found here.
A new Android app project (this will be the Cydia Substrate extension) created in your favorite IDE, with the substrate-api.jar library added to your libs folder. substrate-api.jar can be found here.
Target application – you can download it here.

Now let's start writing the Substrate extension. Like every other article of mine, we will have a vulnerable app, and we will take advantage of it with this Cydia Substrate extension. The following is the first activity of our target application: a login screen that asks for a username and password.

When the user enters invalid credentials, an error message ("Invalid username or password") is shown, as in the figure below.

Our goal is to bypass this login by writing a Cydia Substrate extension. Obviously, we need to understand the application logic first before proceeding with the Substrate extension.

We can decompile the APK and get the Java code version to understand the logic. To keep it simple, I’m showing the original source because the idea is to understand how to write a Cydia Substrate extension, assuming we have access to the app’s logic.

Following is the code snippet for Login.java

Login.java

package com.androidpentesting.targetapp;

import android.app.Activity;
import android.content.Intent;
import android.content.SharedPreferences;
import android.widget.Toast;

public class Login extends Activity {

    // Holds the stored username/password the app compares against
    SharedPreferences pref;

    // The page only shows the if/else block below; it runs inside the Login button's
    // click handler. The handler name and signature here are assumed.
    public void onLoginClicked(String username, String password) {
        if (isValidLogin(username, password)) {
            Intent in = new Intent(getApplicationContext(), Welcome.class);
            startActivity(in);
        } else {
            Toast.makeText(getApplicationContext(), "Invalid username or password", Toast.LENGTH_LONG).show();
        }
    }

    // Purely client-side check: the decision is made on the device, which is why it can be hooked
    public boolean isValidLogin(String username, String password) {
        String uname = pref.getString("username", null);
        String pass = pref.getString("password", null);
        if (username.contentEquals(uname) && password.contentEquals(pass)) {
            return true;
        } else {
            return false;
        }
    }
}

As you can see in the code snippet above, the application gets the username and password from the user and then compares them with the values ​​stored in SharedPreferences. If the credentials entered by the user match, the application returns a boolean value of true and then redirects the user to the private activity. This is the perfect testbed for us to write a Cydia extension so that the app always returns true regardless of user input.

Details we gleaned from the above excerpt:

Class Name: com.androidpentesting.targetapp.Login

Method name: isValidLogin

Let’s begin.

As mentioned in the Cydia Substrate documentation here, we first set up our AndroidManifest.xml file.

We need to add two entries to AndroidManifest.xml: the cydia.permission.SUBSTRATE permission and a com.saurik.substrate.main meta-data element, both shown in the manifest below.

<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.androidpentesting.cydia"
    android:versionCode="1"
    android:versionName="1.0" >

    <!-- 1. Required so that Substrate loads this package as an extension -->
    <uses-permission android:name="cydia.permission.SUBSTRATE" />

    <uses-sdk
        android:minSdkVersion="8"
        android:targetSdkVersion="21" />

    <application
        android:allowBackup="true"
        android:icon="@drawable/ic_launcher"
        android:label="@string/app_name"
        android:theme="@style/AppTheme" >

        <!-- 2. Names the class whose initialize() method Substrate calls on load -->
        <meta-data android:name="com.saurik.substrate.main"
            android:value=".BypassLogin" />
    </application>

</manifest>

First, we need to request the cydia.permission.SUBSTRATE permission.
Second, we need to add a meta-data element inside the application element; its value (.BypassLogin, relative to our package) names the class whose initialize() method Substrate runs when the extension is loaded.
Now for the fun part. We need to write the actual implementation that hooks the target method responsible for validating the user's credentials and then alters its behavior.

We will use two important functions to achieve this goal.

MS.hookClassLoad

MS.hookMethod

MS.hookClassLoad can be used to detect the classes of our interest on load.

MS.hookMethod can be used to make the desired changes to our target method.

More details on what these methods do and how they work can be found here and here.

Now we will create a new class called BypassLogin, the class named in the manifest's meta-data entry. When Substrate loads this extension, the class's static initialize() method is executed first.

Below is the skeleton we need to write in the BypassLogin class.

public class BypassLogin {

    public static void initialize() {
        // code that runs when the extension is loaded
    }

}

Now we’ll write code that detects when the com.androidpentesting.targetapp.Login class is loaded. As mentioned, we can do this using MS.hookClassLoad.

MS.hookClassLoad("com.androidpentesting.targetapp.Login", new MS.ClassLoadHook() {

    public void classLoaded(Class<?> resources) {
        // ... code to modify the class on load
    }

});

When this class is loaded, we do the following.

We are going to write a piece of code to check if our target method exists.
If the method does not exist, log the entry to logcat
If the method exists, change its definition using MS.hookMethod.
That is all.

Following is a piece of code to implement the above steps.

Method methodToHook;

try {
    methodToHook = resources.getMethod("isValidLogin", String.class, String.class);
} catch (NoSuchMethodException e) {
    methodToHook = null;
}

if (methodToHook == null) {
    Log.v("cydia", "Method not found");
} else {
    MS.hookMethod(resources, methodToHook, new MS.MethodAlteration<Object, Boolean>() {
        public Boolean invoked(Object _this, Object... args) throws Throwable {
            // Ignore the original implementation and the supplied credentials:
            // every login attempt is reported as valid
            return true;
        }
    });
}

Note the arguments passed to resources.getMethod(). We know from the source code that the target application's isValidLogin method takes two String arguments, so we specify String.class twice along with the method name; getMethod() only resolves a public method whose parameter types match exactly.

Once the method is found, our replacement simply returns true, regardless of the original implementation and of whatever credentials were supplied.

Following is the complete code we wrote.

package com.androidpentesting.cydia;

import java.lang.reflect.Method;

import android.util.Log;

import com.saurik.substrate.MS;

public class BypassLogin {

    // Entry point: named by the com.saurik.substrate.main meta-data in the manifest
    public static void initialize() {

        // Wait for the target's Login class to be loaded into the app's process
        MS.hookClassLoad("com.androidpentesting.targetapp.Login", new MS.ClassLoadHook() {

            public void classLoaded(Class<?> resources) {
                Method methodToHook;

                // isValidLogin(String, String) must be public for getMethod() to find it
                try {
                    methodToHook = resources.getMethod("isValidLogin", String.class, String.class);
                } catch (NoSuchMethodException e) {
                    methodToHook = null;
                }

                if (methodToHook == null) {
                    Log.v("cydia", "Method not found");
                } else {
                    // Replace the method body: always report the credentials as valid
                    MS.hookMethod(resources, methodToHook, new MS.MethodAlteration<Object, Boolean>() {
                        public Boolean invoked(Object _this, Object... args) throws Throwable {
                            return true;
                        }
                    });
                }
            }

        });

    }

}

Now install this extension just like a normal app and reboot the device once so that Substrate activates it. Then start the target application. When you click the Login button with any credentials, you are taken straight to the Welcome activity, bypassing the authentication check. If nothing changes, check logcat for the "Method not found" message, which means the class was loaded but getMethod() did not resolve isValidLogin with the expected signature.

Nice! We bypassed authentication. Cydia Substrate extensions are useful whenever you need to defeat client-side controls on the fly; root detection and SSL pinning checks are common examples. The lesson for developers is the same in every case: any decision made on the device, like the isValidLogin() comparison above, can be rewritten by whoever controls that device, so authentication must be enforced on the server rather than trusted from the client.
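As an added example (not part of the original article), here is a second extension that goes beyond a bare return true. It still hooks the article's com.androidpentesting.targetapp.Login.isValidLogin(String, String), but the alteration first calls the app's original implementation through MS.MethodAlteration.invoke(), logs the supplied credentials and the original verdict to logcat, and only then forces the result. The class name AuditLogin, the helper method name and the log tag are my own choices; to use it, point the com.saurik.substrate.main meta-data at .AuditLogin instead of .BypassLogin.

```java
package com.androidpentesting.cydia;

import java.lang.reflect.Method;

import android.util.Log;

import com.saurik.substrate.MS;

// Added example, not the article's own code. Hooks the same target method as BypassLogin,
// but records what the app was given and what it decided before overriding the result.
public class AuditLogin {

    private static final String TAG = "cydia";   // same logcat tag the article uses
    private static final String TARGET_CLASS = "com.androidpentesting.targetapp.Login";

    // Substrate calls this when the extension is loaded (via the manifest meta-data)
    public static void initialize() {
        MS.hookClassLoad(TARGET_CLASS, new MS.ClassLoadHook() {
            public void classLoaded(Class<?> resources) {
                hookIsValidLogin(resources);
            }
        });
    }

    // Helper (name assumed): resolve isValidLogin reflectively and install the alteration
    private static void hookIsValidLogin(Class<?> loginClass) {
        Method target;
        try {
            target = loginClass.getMethod("isValidLogin", String.class, String.class);
        } catch (NoSuchMethodException e) {
            Log.v(TAG, "isValidLogin(String, String) not found in " + loginClass.getName());
            return;
        }

        MS.hookMethod(loginClass, target, new MS.MethodAlteration<Object, Boolean>() {
            @Override
            public Boolean invoked(Object _this, Object... args) throws Throwable {
                // args[] carries the method's parameters in order: (username, password)
                String username = (String) args[0];
                String password = (String) args[1];

                // invoke() runs the app's original isValidLogin, so we see its real verdict
                Boolean original = invoke(_this, args);
                Log.v(TAG, "isValidLogin(" + username + ", " + password + ") originally returned " + original);

                // Force success regardless of what the app decided
                return Boolean.TRUE;
            }
        });
    }
}
```

Calling invoke() rather than the hooked method is what lets you observe the original behavior without recursing into your own hook; dropping the final override and returning `original` turns the same extension into a pure credential-logging hook. Logging plaintext passwords to logcat is acceptable only on a lab device you own, since any app with log access on older Android versions could read them.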

http://www.cydiasubstrate.com/id/20cf4700-6379-4a14-9bc2-853fde8cc9d1/
