毅种循环

App Security Testing - Emulator Pitfall Memo



Emulator Selection

1. NoxPlayer (abandoned)
// Reason: once the environment is set up, it keeps prompting you to "repair the environment".
2. LDPlayer (currently used)
// One issue with LDPlayer 4.0: the Wi-Fi proxy setting has no effect. Set the proxy over ADB instead, or run a proxy-forwarding tool on the host.

Version Selection

1. Many apps no longer run on systems below Android 7.0, so install an emulator image with Android 7.0 or higher.
2. Installing the Xposed (XP) framework on 7.0 is more involved, because you have to find the package that matches your image; a one-click Xposed installer is recommended.

Certificate Configuration

According to older articles online, the usual method is to export the Burp/Charles certificate, adb push it to the emulator, rename it with a .crt extension and install it directly from Settings. That works on Android 6 and earlier. Starting with Android 7.0 (API 24), Android changed the default trust for user-installed certificates: an app that targets API 24 or higher trusts only system CAs unless its network security configuration says otherwise. So after installing the certificate as a user CA, HTTPS requests sent through the Burp or Charles proxy still fail, and the client reports that the certificate is not from a trusted authority.

Because of this security mechanism, on 7.0 and above the Burp certificate has to be added to the system trust store. The steps are as follows. First export the Burp CA certificate in DER format from Burp's proxy options.
After exporting the Burp certificate, convert it from DER to PEM with openssl:

openssl x509 -inform DER -in cacert.der -out cacert.pem

Compute the certificate's subject hash and note it. Android names system CA files after OpenSSL's "old" (MD5-based) subject hash, so -subject_hash_old is required here, not -subject_hash:

openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1

Rename the PEM certificate to "<hash value>.0" (9a5ba575 is the hash of the PortSwigger CA subject in this example):

mv cacert.pem 9a5ba575.0

Then use adb to push the .0 file into /system/etc/security/cacerts/ on the emulator and set its permissions to 644:

adb push 9a5ba575.0 /system/etc/security/cacerts
adb shell chmod 644 /system/etc/security/cacerts/9a5ba575.0

If the push or chmod fails because /system is read-only, run adb remount (preceded by adb root if adbd is not already running as root; on LDPlayer it is) to make the partition writable, then import again.

Finally, reboot the emulator and check Settings > Security > Trusted credentials > System: the Burp CA should now be listed as a system certificate. Note that this direct write only works while /system is a separately mounted, remountable partition; on Android 10 and later /system is part of the read-only root image and a different approach (such as a Magisk module) is needed.
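The whole procedure above (DER to PEM, subject hash, rename, push, fix permissions, reboot) as a single script. This is an added example, not code from the original post; it assumes openssl and adb are on the host PATH, that the emulator's adbd runs as root (true for LDPlayer, otherwise adb root takes care of it), and that /system can be remounted writable. The function and file names are my own.

```shell
#!/bin/sh
# Convert a Burp/Charles CA export (DER) into an Android system CA file and
# install it into /system/etc/security/cacerts on a rooted emulator.
set -eu

# Turn cacert.der into <subject_hash_old>.0 in the current directory and
# print the resulting file name. Android looks system CAs up by OpenSSL's
# old (MD5-based) subject hash, hence -subject_hash_old, not -subject_hash.
android_ca_file() {
  der="$1"
  pem="${der%.*}.pem"
  openssl x509 -inform DER -in "$der" -out "$pem"
  subject_hash=$(openssl x509 -inform PEM -noout -subject_hash_old -in "$pem")
  # sanity check: must be exactly 8 lowercase hex digits
  case "$subject_hash" in
    [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
    *) echo "unexpected hash output: $subject_hash" >&2; return 1 ;;
  esac
  mv "$pem" "$subject_hash.0"
  echo "$subject_hash.0"
}

# Push the .0 file into the system CA store, set ownership/permissions like
# the stock certificates (root:root 0644), show the result, then reboot so
# the trust store is reloaded.
install_system_ca() {
  f="$1"
  adb root >/dev/null 2>&1 || true   # no-op on LDPlayer, where adbd is already root
  adb remount                        # make /system writable
  adb push "$f" /system/etc/security/cacerts/
  adb shell chmod 644 "/system/etc/security/cacerts/$f"
  adb shell chown root:root "/system/etc/security/cacerts/$f"
  adb shell ls -l "/system/etc/security/cacerts/$f"   # verify before rebooting
  adb reboot
}

# Usage: ./install_burp_ca.sh cacert.der
if [ "${1:-}" != "" ]; then
  ca_file=$(android_ca_file "$1")
  install_system_ca "$ca_file"
fi
```

After the reboot, the certificate should appear under Trusted credentials > System; if the chown step fails on a particular image it is usually fine to leave the file owned by whoever pushed it, as long as it is world-readable.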

Installing Xposed Framework

As mentioned above, installation can be troublesome, so based on others' experience a one-click installer is recommended:
Xposed_Android_7x64.exe

This file is for 64-bit emulators running Android 7.0. It does not work with NoxPlayer, so do not use it there.

Run the file from the emulator's root directory and wait for the emulator to restart.

Bypassing Certificate Verification (SSL Pinning)

Sometimes the app itself verifies the server certificate, and then the Burp CA we installed above is not enough: the app detects that the certificate is not the one it expects and refuses to send the request. From that error, together with the fact that no packets can be captured, we can conclude that the app performs one-way verification, i.e. SSL pinning. (Two-way verification, where the server also demands a client certificate, is a separate case that this memo does not cover.) To deal with pinning, use JustTrustMe under the Xposed framework: tick the JustTrustMe module in the Xposed installer and reboot. It hooks the common certificate-checking APIs (the platform TrustManager and popular HTTP client libraries) so that the app's own verification is bypassed.

Adding a Proxy to LDPlayer

As mentioned above, either use proxy forwarding or set the proxy over ADB. Here is the ADB configuration. Replace 192.168.2.84:8080 with the host IP and port Burp is listening on; the emulator must be able to reach that address, so bind Burp to an interface the emulator can see, not only to 127.0.0.1.

Add proxy:

adb shell settings put global http_proxy 192.168.2.84:8080

Remove proxy (the original runs these three commands on one line joined with & in a Windows cmd prompt):

adb shell settings delete global http_proxy
adb shell settings delete global global_http_proxy_host
adb shell settings delete global global_http_proxy_port

Or, if the delete command is not available on the image, point the proxy at an empty host and port 0, which Android treats as "no proxy":

adb shell settings put global http_proxy :0
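The set/verify/clear sequence above wrapped in shell functions, as an added example that is not part of the original post. It assumes adb is on the PATH (the ADB variable lets you point at a different binary), validates the HOST:PORT argument before touching the device, reads the setting back to confirm it applied, and falls back to the :0 form when settings delete is unavailable. The function names are my own.

```shell
#!/bin/sh
# Set, verify and clear the Android global HTTP proxy over ADB.
set -e

# Override with a full path if adb is not on PATH.
ADB="${ADB:-adb}"

# Set the global proxy to HOST:PORT and read it back to confirm it stuck.
ld_set_proxy() {
  target="$1"
  case "$target" in
    ?*:[0-9]*) ;;                     # require host:port
    *) echo "usage: ld_set_proxy HOST:PORT" >&2; return 2 ;;
  esac
  "$ADB" shell settings put global http_proxy "$target" || return 1
  # adb shell output may carry CRLF line endings; strip the CR before comparing
  current=$("$ADB" shell settings get global http_proxy | tr -d '\r')
  if [ "$current" != "$target" ]; then
    echo "proxy not applied: device reports '$current'" >&2
    return 1
  fi
}

# Remove the global proxy. Prefer 'settings delete'; if the build lacks it,
# fall back to ':0', which Android treats as "no proxy".
ld_clear_proxy() {
  if "$ADB" shell settings delete global http_proxy >/dev/null 2>&1; then
    "$ADB" shell settings delete global global_http_proxy_host >/dev/null 2>&1 || true
    "$ADB" shell settings delete global global_http_proxy_port >/dev/null 2>&1 || true
  else
    "$ADB" shell settings put global http_proxy :0
  fi
}

# Print the current setting ("null" when unset).
ld_show_proxy() {
  "$ADB" shell settings get global http_proxy | tr -d '\r'
}
```

Typical use is `ld_set_proxy 192.168.2.84:8080` before a test session and `ld_clear_proxy` afterwards; the read-back in ld_set_proxy is what tells you the Wi-Fi-proxy problem in LDPlayer 4.0 is not also affecting the global setting.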

That's all for now.
