An Introduction to the Xposed Framework for Android Penetration Testing
When it comes to the Pen Testing of Android-based applications, the main focus and attention of the Pen Tester is to live in the mindset of the Cyber attacker literally. The Pen Tester must then carry out an attack to see how the software code can be manipulated, what the weak spots of the app are, if there are any backdoors in which private and confidential can be hijacked, or even if there this an unseen “hole” in the app to see if a Trojan Horse can be installed and launch a Botnet style attack.
A Pen Tester can conduct both static and dynamic analyses. With the former, one can try to reverse engineer the app with a tool called “smali,” and with the former, Android Hooking and runtime analyses can be conducted.
This is where the “XPOSED” framework comes into play and is further discussed in this article.
The Android Runtime & and the Xposed Framework
The Android Runtime
The overall Android Runtime architecture is illustrated in the diagram below:
As one can see, when the Android device is first activated, it goes through a number of key iterations, summarized as follows:
The Boot Loader:
This launches the Android OS kernel and initiates the first process known as the “Init”
The Init Process:
This activates the various components which run behind the Android OS.
The Zygote Process:
Once the Init step has been executed, the Zygote Process is then launched, which is at the heart of the Android OS runtime functionality and invokes the required classes.
The Dalvik VM:
The Dalvik VM is the next process to be executed and is responsible for running the mobile apps on the Android device.
This is a broadcast-based message simply stating that the entire bootup process has been completed from within the Android device after it was first activated.
The Xposed Framework
As can also be seen in the above diagram, the Xposed framework is initiated in between the Init process and the Zygote process. Further, this has been specifically written by an XDA member known as “rovo89”. Also, the Xposed framework has various API calls that interact with the Android runtime functionalities. These APIs are illustrated in the diagram below:
The above diagram depicts the actual flow of the API calls, and it can be summarized as follows:
This is a functionality that notifies the system when a package has been loaded. The Xposed framework then located this package.
This prevents the API call from being formatted back into its original state via a series of various manipulations, via the Xposed Framework.
The afterHooked Method:
This is where various actions are taken on the API call, based upon what transpired in the original method. This is where the Android mobile app is most at risk because this is where covert modifications can be made.
Xposed Framework Installation
This section outlines the required steps in to install and deploy the Xposed Framework:
Step1: The Xposed installer can be downloaded from the here. It is important to note that this only works with root access on the Android versions 4.0.3 up to Android 4.4. It is not compatible with the Android versions of Lollipop, Nougat, and O.
Step2: Install the apk on the rooted phone/ emulator by typing the following command:
“adb install package name“
In the illustration below, I have already installed the Xposed, and it shows error on the terminal:
Step3: Once the Xposed installer has been installed:
- Click on the framework;
- Then click on Install/Update.
It will then ask for a reboot once the installation is complete, as illustrated in the screenshots below:
Step4: Xposed is now up and running.
Installing and Creating Modules of Xposed
The Xposed Framework modules are nothing, but custom created android .apk files to modify the runtime of an android mobile app that is being Pen Tested. To develop Xposed modules, rovo89 provides a simple and easy tutorial here at this link. The Infosec Institute also has some tutorials on the same topic here.
We now provide an example of installing an Xposed module by circumventing the SSL pining of an Android mobile app.
In the diagrams illustrated below, we have a Paytm Android mobile app which does not allow the interception of network traffic going through the burp proxy.
The following sequence of steps permits the installation of an Xposed Framework Module:
Step1: Download the JustTrustMe apk (Xposed Module) from here
“JustTrustMe” is an Xposed module that disables the SSL certificate with a process known as “Cert Pinning.”
Step2: To install the
JustTrustMe module, drag and drop the apk if you are using an emulator or type the following command “adb install ./JustTrustMe.apk
“to install it in an Android device. Once the Xposed module is installed, it then displays the Xposed framework screen. This is illustrated in the diagrams below:
To activate the Xposed module, navigate to the module section and from there, enable it. To launch the module, reboot your Android device.
After installing the Xposed module, the interception of traffic of Paytm app through burp proxy. This is illustrated in the screenshots below:
The Xposed framework can be leveraged to Pen Test any Android mobile app in various fashions. However, the main disadvantage of it is that this framework is that after the installation of it, of any of the installed modules requires multiple Android device bootups.