Over the last few months, I have had quite some luck finding IDOR vulnerabilities in the mobile APIs of Android applications. Nowadays most apps are obfuscated and use certificate pinning to prevent MiTM.
If you are late to the game or want to shift your bug bounty hunting to Android apps, there are awesome tools that can help you catch up fairly quickly 🙂
I myself use an older rooted phone with Burp Suite and the tools mentioned below.
- smartphone with rooted Android 7+ (I’m using Nexus 5x with latest LineageOS; Android 8.1.0)
- computer with Linux (latest Ubuntu is just fine)
- Burp Suite (community edition is fine)
- ADB (sudo apt-get install adb OR sudo yum install android-tools)
- Frida (pip install frida-tools)
- Objection (pip3 install objection)
Intercepting HTTPS traffic
Since Android Nougat 7.0 (API >= 24), it is no longer possible to simply install the Burp Suite CA certificate as a user certificate, because apps no longer trust user- or admin-added CAs for secure connections by default.
Protection of all application data is a key goal of the Android application sandbox. Android Nougat changes how applications interact with user- and admin-supplied CAs. By default, apps that target API level 24 will—by design—not honor such CAs unless the app explicitly opts in. This safe-by-default setting reduces application attack surface and encourages consistent handling of network and file-based application data.
Source: https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html
For a guide on how to install the Burp certificate as a system certificate with root permissions, the best description I came across was from @ropnop, so please look at his article Configuring Burp Suite with Android Nougat.
Next, you need to install Frida framework to your PC. The best way to install Frida’s CLI tools is via PyPI:
$ pip3 install frida-tools
Frida's server component also needs to run on the phone, so enable USB debugging and connect to your device. To install ADB & Fastboot on Ubuntu systems, execute the following command from the terminal:
$ sudo apt-get install android-tools-adb android-tools-fastboot
I prefer connecting over the network because sometimes I don't have a USB-C cable lying around, and this is a workaround most of the time.
On the phone, allow debugging in Settings/System/Developer options and turn on `ADB over network`. You should be able to connect like this:
$ adb connect 10.10.10.10:5555
* daemon not running; starting now at tcp:5037
* daemon started successfully
connected to 10.10.10.10:5555
$ adb root
restarting adbd as root
$ adb connect 10.10.10.10:5555
connected to 10.10.10.10:5555
$ adb shell
On the PC, download the frida-server build that matches your phone's architecture and the version of frida-tools you installed, then push it to the phone and start it:
$ wget https://github.com/frida/frida/releases/download/12.7.0/frida-server-12.7.0-android-arm64.xz
$ unxz frida-server-12.7.0-android-arm64.xz
$ mv frida-server-12.7.0-android-arm64 frida-server
$ adb push frida-server /data/local/tmp/
$ adb shell "chmod 755 /data/local/tmp/frida-server"
$ adb shell "/data/local/tmp/frida-server &"
Don’t forget that root permissions on the phone are required. Next, start the installation of Objection using pip3 with:
$ pip3 install objection
At this point, frida-server is running on the phone, you are connected over adb from the PC, and you have installed all prerequisites.
To be able to use the smartphone with Burp Suite, you need to change the proxy listener's bind address from Loopback only to All interfaces (or the PC's LAN address) in Burp Suite > Proxy > Options, and modify the Wi-Fi settings on the phone. In the advanced options of the Wi-Fi network you can change the proxy settings: choose Manual and enter the local IP and port of the Burp Suite listener.
Finally, it's time to select any installed Android application, try to bypass certificate pinning, and see the requests in Burp Suite. With Frida, you list the applications on the phone like this:
$ frida-ps -Ua
Or, if you already know the identifier of the application, for example com.*******.kln, hook it with Objection like this:
$ objection -g c**********n explore -q
And the best part is that after running, inside the Objection prompt:
# android sslpinning disable
you should be able to see all requests from the mobile application in Burp Suite, with certificate pinning successfully bypassed.
Sometimes, if you experience issues, for example with Facebook authentication or similar, it's best to configure "SSL Pass Through" in Burp Suite > Proxy > Options and check "Automatically add entries on client SSL negotiation failure".
Back to the Burp proxy: I once did this entire setup and the first thing that I saw in HTTP history was this request:
GET /api/2.0/user/64296783669/messages HTTP/1.1
X-SessionId: d98d861ef5fd
X-Token: ak1tUXhPRFl5WkdZeU1qa3pOakZrT0RJMFpUazVaV1E1Wmc=
User-Agent: App|Android|126.96.36.199|2.3
Connection: close
Host: redacted
Accept-Encoding: gzip, deflate
and just by modifying the user ID I was able to see another user's messages 🙂 That was a lucky day.
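What makes the request above an IDOR is that the server validates the session but then trusts the user ID taken from the URL path. The following is an added example (not code from the original post or from the application described) showing the vulnerable handler beside the hardened one, with a small parser for requests in the shape shown above. The session table, message store and the second user ID are constructed for this example; the real API's back end is unknown.

```python
"""Added example: object-level authorization for /api/2.0/user/{id}/messages.

Assumptions (constructed for this example): X-SessionId maps to the user who
logged in, and the handler must return the messages of the user in the path.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample data: two users, each with their own messages.
MESSAGES: Dict[str, List[str]] = {
    "64296783669": ["hi from user A"],
    "64296783670": ["private note of user B"],
}

# Constructed session table: X-SessionId -> id of the user who logged in.
SESSIONS: Dict[str, str] = {"d98d861ef5fd": "64296783669"}

# Constructed request in the shape seen in the post, but with the path
# pointing at the *other* user's messages (the IDOR attempt).
RAW_REQUEST = (
    "GET /api/2.0/user/64296783670/messages HTTP/1.1\r\n"
    "X-SessionId: d98d861ef5fd\r\n"
    "X-Token: ak1tUXhPRFl5WkdZeU1qa3pOakZrT0RJMFpUazVaV1E1Wmc=\r\n"
    "Host: redacted\r\n"
    "\r\n"
)

PATH_RE = re.compile(r"^/api/2\.0/user/(\d+)/messages$")


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request head into (method, path, headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def vulnerable_handler(raw: str) -> Tuple[int, Optional[List[str]]]:
    """Checks that the session exists, then trusts the id from the path."""
    _method, path, headers = parse_request(raw)
    if headers.get("x-sessionid") not in SESSIONS:
        return 401, None
    match = PATH_RE.match(path)
    if not match:
        return 404, None
    # Authentication happened, authorization did not: any valid session can
    # read any user's messages by changing the number in the path.
    return 200, MESSAGES.get(match.group(1), [])


def hardened_handler(raw: str) -> Tuple[int, Optional[List[str]]]:
    """Resolves the caller from the session and refuses other users' data."""
    _method, path, headers = parse_request(raw)
    caller = SESSIONS.get(headers.get("x-sessionid", ""))
    if caller is None:
        return 401, None
    match = PATH_RE.match(path)
    if not match:
        return 404, None
    requested = match.group(1)
    if requested != caller:
        # Object-level authorization: the id in the path is client-controlled
        # and must be compared with the authenticated identity, not merely
        # checked for existence.
        return 403, None
    return 200, MESSAGES.get(requested, [])


if __name__ == "__main__":
    print("vulnerable:", vulnerable_handler(RAW_REQUEST))  # 200 and user B's data
    print("hardened:  ", hardened_handler(RAW_REQUEST))    # 403
```

The hardened version is also what to look for when reviewing a fix: the check must compare the requested object's owner with the identity derived from the session server-side, not with anything the client sends (the path, a form field or a header such as X-Token are all under the caller's control).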