Author: admin

Android Reverse Engineering Lab: Deep Dive into Native ARM64 Hooks with Frida

Introduction to Native ARM64 Hooking with Frida

Frida, a dynamic instrumentation toolkit, is an indispensable asset for reverse engineers. While often lauded for its ease of use in hooking Java methods on Android, its true power extends to the native realm, allowing deep inspection and manipulation of ARM64 machine code. This guide will walk you through setting up a dedicated lab and performing advanced native ARM64 hooking on Android using Frida, enabling you to intercept, modify, and understand low-level behaviors within shared libraries.

Setting Up Your Android Reverse Engineering Lab

Before diving into the intricacies of ARM64 hooks, ensure your environment is correctly configured. You’ll need an Android device or emulator with root access, ADB installed on your host machine, and the Frida toolkit.

Requirements:

Rooted Android Device or Emulator (e.g., AVD, Genymotion, physical phone)
Android Debug Bridge (ADB) installed and configured on your host
Python 3 and `pip` for Frida tools
A basic understanding of ARM64 assembly (beneficial but not strictly required for this tutorial)

Installation Steps:

Install Frida Tools on Host:
```
pip install frida-tools
```
Download Frida Server for Android:Visit Frida’s GitHub releases page and download the `frida-server` binary matching your device’s architecture (typically `arm64`).

Push Frida Server to Device:

adb push /path/to/frida-server /data/local/tmp/frida-server

Set Permissions and Run Frida Server:
```
adb shellsu -c "chmod 755 /data/local/tmp/frida-server"su -c "/data/local/tmp/frida-server &"
```
Verify Frida server is running using `adb logcat | grep frida` or `frida-ps -U`. You should see processes listed.

Understanding Native Hooking on ARM64

Unlike Java methods, which are high-level abstractions, native functions directly interact with the CPU and memory. When hooking native ARM64 functions, you’re dealing with raw machine code instructions, register states, and stack frames. Frida’s `Interceptor` API provides a powerful way to insert your code before (`onEnter`) and after (`onLeave`) a target function executes, allowing you to inspect and modify its arguments, registers, and return value.

ARM64 Calling Conventions (Brief Overview)

For functions with up to 8 arguments, ARM64 typically uses registers `x0` to `x7` to pass integer or pointer arguments. The return value is usually placed in `x0`. For more arguments, the stack is used. Floating-point arguments use `v0` to `v7`. Understanding this helps when inspecting `this.context` in Frida hooks.

Identifying Target Functions

To hook a native function, you first need to identify its symbol within a shared library (`.so` file). You can often find these using `nm` or `readelf` on the library file. Let’s create a simple native library `libnativehookme.so` to demonstrate.

Dummy Native Library (`nativehookme.cpp`):

#include <string>#include <vector>#include <iostream>extern "C" __attribute__((visibility("default")))int calculate_xor_checksum(const char* data, size_t len) {    if (!data || len == 0) {        return 0;    }    int checksum = 0;    for (size_t i = 0; i < len; ++i) {        checksum ^= data[i];    }    return checksum;}extern "C" __attribute__((visibility("default")))void log_sensitive_data(const char* tag, const char* message, int level) {    std::cout << "[NATIVE_LOG] [" << tag << "] [Level: " << level << "] " << message << std::endl;}

Compile this into `libnativehookme.so` for your ARM64 target (e.g., using Android NDK toolchain). Then, push it to your device (e.g., `/data/local/tmp/libnativehookme.so`).

Finding Symbols with `nm`:

adb shellnm -D /data/local/tmp/libnativehookme.so | grep calculate_xor_checksum

You should see something like: `0000000000001234 T calculate_xor_checksum`. The `T` indicates a Text (code) symbol, and the address `0x1234` is its offset within the library.

Basic Native Function Hooking with Frida

Let’s create a simple Frida script to attach to `calculate_xor_checksum`.

`native_hook_checksum.js`:

Java.perform(function () {    var targetLibrary = Module.findExportByName(null, "calculate_xor_checksum"); // Initial attempt, might need library name    if (!targetLibrary) {        // Try finding it within a specific module if the above fails        targetLibrary = Module.findExportByName("libnativehookme.so", "calculate_xor_checksum");    }    if (targetLibrary) {        console.log("[*] Found calculate_xor_checksum at: " + targetLibrary);        Interceptor.attach(targetLibrary, {            onEnter: function (args) {                console.log("[*] Entering calculate_xor_checksum");                console.log("    data (ptr): " + args[0]);                console.log("    data (str): " + args[0].readCString());                console.log("    len: " + args[1].toInt32());            },            onLeave: function (retval) {                console.log("[*] Leaving calculate_xor_checksum, original return: " + retval);            }        });        console.log("[*] Hooked calculate_xor_checksum");    } else {        console.log("[-] Could not find calculate_xor_checksum");    }});

Run this script using `frida -U -l native_hook_checksum.js –no-pause -f com.your.app.package` (replace `com.your.app.package` with the target app). When your app calls `calculate_xor_checksum`, you’ll see the logs.

Advanced Hooking: Argument and Return Value Manipulation

Frida allows you to not only observe but also modify the execution flow. Let’s modify the input `data` and the `checksum` return value.

`advanced_native_hook.js`:

Java.perform(function () {    var targetLibrary = Module.findExportByName("libnativehookme.so", "calculate_xor_checksum");    if (targetLibrary) {        console.log("[*] Found calculate_xor_checksum at: " + targetLibrary);        Interceptor.attach(targetLibrary, {            onEnter: function (args) {                this.log_tag = "XOR_HOOK";                this.original_data_ptr = args[0];                this.original_data_len = args[1].toInt32();                this.original_data_str = this.original_data_ptr.readCString();                console.log("[" + this.log_tag + "] Entering calculate_xor_checksum");                console.log("    Original data: " + this.original_data_str);                console.log("    Original length: " + this.original_data_len);                // Modify the input data                var newString = "HOOKED_DATA_BY_FRIDA!";                var newLength = newString.length;                // Allocate new memory and write the modified string                var newBuffer = Memory.allocUtf8String(newString);                args[0] = newBuffer; // Replace the pointer to the data                args[1] = new NativePointer(newLength); // Replace the length                console.log("[" + this.log_tag + "] Modified input to: " + newString + " (len: " + newLength + ")");            },            onLeave: function (retval) {                console.log("[" + this.log_tag + "] Leaving calculate_xor_checksum");                console.log("    Original return value: " + retval);                // Modify the return value                var modifiedRetval = 0xDEADBEEF; // Custom value                retval.replace(new NativePointer(modifiedRetval));                console.log("    Modified return value to: " + retval);            }        });        console.log("[*] Hooked calculate_xor_checksum for modification");    } else {        console.log("[-] Could not find calculate_xor_checksum in libnativehookme.so");    }    // Hooking another function for demonstration: log_sensitive_data    var logSensitiveDataPtr = Module.findExportByName("libnativehookme.so", "log_sensitive_data");    if (logSensitiveDataPtr) {        console.log("[*] Found log_sensitive_data at: " + logSensitiveDataPtr);        Interceptor.attach(logSensitiveDataPtr, {            onEnter: function (args) {                console.log("[LOG_HOOK] Intercepted log_sensitive_data:");                console.log("    Tag: " + args[0].readCString());                console.log("    Message: " + args[1].readCString());                console.log("    Level: " + args[2].toInt32());                // Change the log level to a less severe one                args[2] = new NativePointer(1); // Set level to 1 (e.g., INFO)            }        });        console.log("[*] Hooked log_sensitive_data");    } else {        console.log("[-] Could not find log_sensitive_data in libnativehookme.so");    }});

This script demonstrates:

Reading `NativePointer` arguments as C strings (`readCString()`).
Allocating new memory (`Memory.allocUtf8String`) and replacing argument pointers.
Casting arguments to integers (`toInt32()`).
Modifying the return value using `retval.replace()`.
Hooking multiple functions within the same script.

When the application calls `calculate_xor_checksum`, Frida will intercept it, modify the input data to

May 29, 2026

Runtime Patching Masterclass: Modifying Android App Logic On-the-Fly with Frida
Introduction: The Power of Dynamic Instrumentation with Frida

In the intricate world of Android application security, reverse engineering, and penetration testing, the ability to modify an app’s logic during runtime is an invaluable skill. This is precisely where Frida, a dynamic instrumentation toolkit, shines. Frida allows developers and security researchers to inject their own scripts into black-box processes, hook into any function (whether Java or native C/C++), and manipulate its behavior. This masterclass will guide you through setting up Frida, understanding its core concepts, and demonstrating practical runtime patching techniques on Android applications, transforming how you analyze and interact with mobile software.

Frida operates by injecting a JavaScript engine (V8) into target processes. This enables unparalleled flexibility, allowing you to not only observe but also actively alter the application’s flow, modify arguments, change return values, and even call unexported functions. For Android, this means you can bypass security checks, debug complex interactions, and gain insights into application internals without needing to recompile or decompile the APK.

Setting Up Your Frida Environment for Android

Prerequisites

Before diving into runtime patching, ensure you have the following:
- A Rooted Android Device or Emulator: Frida requires elevated privileges to inject into arbitrary processes.
- ADB (Android Debug Bridge) Installed: Essential for communicating with your Android device.
- Python 3.x Installed: Frida’s host-side tools are Python-based.
Installing Frida Tools on Your Host Machine

Frida’s command-line tools can be easily installed via pip:
```
pip install frida-tools
```
Verify the installation by running `frida –version`.

Deploying Frida Server on Your Android Device

The Frida server is the component that runs on the Android device, listening for commands from your host machine. You’ll need to download the correct server binary for your device’s architecture (ARM or ARM64 typically). Visit the Frida GitHub releases page and download `frida-server-*-android-ARCH` (e.g., `frida-server-16.1.4-android-arm64`).

Once downloaded, push it to your device and start it:
```
# Push the server to a temporary location
adb push frida-server-*-android-ARCH /data/local/tmp/

# Make it executable
adb shell "chmod 755 /data/local/tmp/frida-server"

# Start the server in the background
adb shell "/data/local/tmp/frida-server &"
```
To confirm the server is running and accessible, execute `frida-ps -U` on your host. You should see a list of running processes on your Android device.

Basic Hooking: Modifying Java Logic On-the-Fly

Let’s illustrate with a common scenario: bypassing a license or premium check in an application. Imagine an Android app `com.example.premiumapp` with a `LicenseChecker` class that has a method `isPremium()` returning a boolean value.

Target Application Scenario

Consider a simplified Java class within an Android application:
```
package com.example.premiumapp;

public class LicenseChecker {
    public boolean checkLicense(String userToken) {
        // In a real app, this would validate with a server
        if (userToken != null && userToken.equals("VALID_TOKEN_123")) {
            return true; // Valid license
        }
        return false; // Invalid license
    }

    public String getFeatureStatus() {
        if (checkLicense("DUMMY_TOKEN")) { // This is where we want to patch
            return "Premium Features Enabled!";
        }
        return "Basic Features Only.";
    }
}
```
Our goal is to always make `checkLicense` return `true` regardless of the input token when called by `getFeatureStatus`.

Writing Your First Frida Script (Java Hooking)

Create a file named `patch_license.js` with the following content:
```
Java.perform(function () {
    console.log("[*] Frida script loaded successfully.");

    // Get a reference to the target class
    var LicenseChecker = Java.use('com.example.premiumapp.LicenseChecker');

    // Hook the checkLicense method
    LicenseChecker.checkLicense.implementation = function (userToken) {
        console.log("[*] Original checkLicense called with token: " + userToken);
        // Always return true, effectively bypassing the license check
        return true;
    };

    console.log("[*] LicenseChecker.checkLicense method hooked.");

    // You can also hook getFeatureStatus to confirm the effect
    LicenseChecker.getFeatureStatus.implementation = function () {
        var originalStatus = this.getFeatureStatus(); // Call original to show comparison
        console.log("[*] Original getFeatureStatus returned: " + originalStatus);
        
        // We expect this to now return premium because checkLicense is hooked
        var patchedStatus = this.getFeatureStatus(); 
        console.log("[*] Patched getFeatureStatus would return: " + patchedStatus);
        return patchedStatus; // Or simply "Premium Features Enabled!"
    };
    console.log("[*] LicenseChecker.getFeatureStatus method hooked.");
});
```
Executing the Patch

To inject and run this script, use the `frida` command-line tool. The `-U` flag targets a USB-connected device, `-f` spawns and attaches to the given package, and `-l` loads our script. `–no-paus` tells Frida to immediately resume the app after injection without waiting for explicit input.
```
frida -U -l patch_license.js -f com.example.premiumapp --no-paus
```
When `com.example.premiumapp` runs and calls `checkLicense`, Frida will intercept it, and your script’s `implementation` will execute, causing `checkLicense` to always return `true`. You’ll see the console logs confirming the hook and the modified return value.

Advanced Techniques: Argument Manipulation and Native Hooks

Modifying Method Arguments

Frida isn’t limited to just changing return values. You can also inspect and modify arguments passed to a method. Let’s say you have a method `calculateSum(int a, int b)`. You could modify `b`:
```
Java.perform(function () {
    var Calculator = Java.use('com.example.myapp.Calculator');

    Calculator.calculateSum.implementation = function (a, b) {
        console.log(`[*] Original calculateSum called with a=${a}, b=${b}`);
        // Modify 'b' before calling the original implementation
        var modified_b = b * 2;
        console.log(`[*] Modifying b to ${modified_b}`);
        var result = this.calculateSum(a, modified_b); // Call original with modified arg
        console.log(`[*] calculateSum returned: ${result}`);
        return result;
    };
});
```
Hooking Native Functions (JNI / C/C++)

Many performance-critical or security-sensitive operations in Android apps are implemented in native code (C/C++), exposed via JNI (Java Native Interface). Frida can hook these too.

First, identify the native library and function. For example, a function `native_calculate_hash` in `libnative.so`.
```
Interceptor.attach(Module.findExportByName('libnative.so', 'native_calculate_hash'), {
    onEnter: function (args) {
        console.log("[+] Entering native_calculate_hash");
        // args[0] is the first argument, args[1] the second, etc.
        // You can read and modify them, e.g., args[0].writeUtf8String("new_input");
        this.original_arg0 = args[0].readUtf8String();
        console.log("[*] Original input: " + this.original_arg0);
        
        // Optionally modify an argument
        // args[0].writeUtf8String("modified_input");
    },
    onLeave: function (retval) {
        console.log("[+] Leaving native_calculate_hash");
        console.log("[*] Original return value: " + retval.readUtf8String());
        // Modify the return value
        // retval.writeUtf8String("hooked_hash_value");
    }
});
```
This script uses `Interceptor.attach` to hook the native function. `onEnter` is called before the function executes, allowing argument inspection/modification. `onLeave` is called after execution, enabling return value manipulation. Ensure you replace `libnative.so` and `native_calculate_hash` with your target library and function names.

Practical Use Cases in Android Security and Reverse Engineering

Frida’s capabilities extend far beyond simple license bypasses:
- Bypassing Root Detection: Hooking methods like `isRooted()` or checks for root-related files and always returning `false`.
- Disabling SSL Pinning: Intercepting certificate validation logic to allow proxying HTTPS traffic.
- Modifying API Requests/Responses: Debugging network interactions by changing data sent or received from the server.
- Reverse Engineering Obfuscated Logic: Tracing function calls and inspecting variables to understand complex, obfuscated code paths.
- Dynamic Analysis of Malware: Observing malware behavior, decrypting strings, and understanding command-and-control communication.
- Exploring Hidden Functionality: Uncovering developer backdoors or undocumented features.
Conclusion

Frida is an indispensable tool for anyone involved in Android security, reverse engineering, or even advanced debugging. Its dynamic instrumentation capabilities open up a world of possibilities for interacting with and manipulating applications at runtime. By mastering the techniques discussed – from basic Java method hooking to advanced native code manipulation – you gain unprecedented control over Android applications, allowing for deeper analysis, more effective security research, and sophisticated exploit development. Remember to use these powerful capabilities ethically and responsibly.
May 29, 2026
Real-World SELinux Bypass: Analyzing Recent Android Vulnerabilities and Exploits
Introduction: The Imperative of SELinux in Android Security

In the evolving landscape of mobile security, Android’s intricate security mechanisms stand as formidable barriers against malicious actors. Among these, SELinux (Security-Enhanced Linux) is paramount, enforcing Mandatory Access Control (MAC) policies that restrict even privileged processes to a predefined set of actions. While kernel vulnerabilities often capture headlines, a successful exploit on Android typically requires a subsequent SELinux bypass to achieve full system compromise or persistence. This article delves into real-world SELinux bypass techniques, examining how attackers leverage policy misconfigurations, trusted domain abuse, and kernel vulnerabilities to circumvent granular access controls and elevate privileges on Android devices.

Understanding SELinux Fundamentals

Mandatory Access Control (MAC) vs. Discretionary Access Control (DAC)

Traditional Linux systems primarily use Discretionary Access Control (DAC), where file owners dictate access permissions. In contrast, SELinux implements MAC, where a centralized policy dictates all interactions, regardless of traditional Unix permissions. Every process, file, and IPC mechanism is assigned a security context, and the SELinux policy defines what interactions are permitted between these contexts.

SELinux in Android: Contexts, Types, and Domains

In Android, SELinux contexts are composed of user, role, type, and sensitivity (e.g., u:r:untrusted_app:s0). The ‘type’ is the most critical component, defining the domain for processes and the type for objects (files, sockets, etc.). Domains are types assigned to processes, and the SELinux policy specifies how domains can interact with object types and other domains. Bypassing SELinux often involves manipulating these contexts or finding policy gaps.

You can inspect SELinux status and contexts on an Android device using adb shell commands:
```
adb shell getenforce # Check SELinux enforcement status (Enforcing/Permissive)adb shell id -Z # Show current process's SELinux contextadb shell ls -Z /data/app # List app directories with their SELinux contextadb shell ps -Z # List running processes with their SELinux context
```
Common SELinux Bypass Vector Categories

Attackers primarily target SELinux through several categories of vulnerabilities:

Policy Misconfigurations and Omissions

The most straightforward bypasses arise from flaws in the SELinux policy itself. These can include:
- Overly Permissive Rules: Policies that grant more permissions than necessary to a specific domain or object type. For example, allowing an application to write to a system-critical directory.
- Incorrect Labeling: Mislabeling files, directories, or services can lead to unintended access. If a sensitive file is incorrectly labeled with a type accessible by a lower-privileged domain, a bypass is possible.
- Missing Rules: New services or functionalities might be introduced without adequately defined SELinux rules, falling back to default, potentially insecure contexts.
A hypothetical, simplified example of an overly permissive rule might look like this in a policy language:
```
# Potentially dangerous policy snippet:allow untrusted_app system_data_file:file { read write open };
```
This rule, if present, would allow any application running in the untrusted_app domain to read, write, and open files labeled as system_data_file, which is a significant policy flaw.

Kernel Vulnerabilities Exploited Pre-SELinux

While not a direct SELinux bypass, exploiting a kernel vulnerability (e.g., Use-After-Free, Out-of-Bounds Write) can often give an attacker arbitrary read/write primitives in kernel space. With such power, an attacker can directly modify in-kernel SELinux data structures, disable SELinux enforcement entirely, or load a custom policy, effectively bypassing it at its core. These are generally the most powerful, yet complex, bypasses.

Trusted Domain Abuse via IPC

Many Android services run in highly privileged SELinux domains (e.g., system_server, init, various HAL services). If a less privileged domain can trick a more privileged service (via Binder IPC or other inter-process communication mechanisms) into performing an action on its behalf that it normally wouldn’t be allowed, a privilege escalation and effective SELinux bypass can occur. This is a common pattern in Android vulnerability research.

Case Study: Analyzing a Hypothetical SELinux Weakness

Scenario: Abusing an Overly Permissive Binder Service

Consider a hypothetical Binder service, my_privileged_service, running in a domain, say my_privileged_service_domain, which has legitimate permissions to write to certain system configuration files (e.g., system_config_file type). A vulnerability exists where this service exposes a Binder API to update a configuration file specified by an arbitrary path, without sufficient validation. An untrusted_app, typically confined to its own data and specific system interactions, could exploit this.

If the SELinux policy allows untrusted_app to communicate with my_privileged_service_domain:
```
allow untrusted_app my_privileged_service_domain:binder { call transfer };
```
And the service’s implementation is flawed, an attacker could instruct the privileged service to write to a file labeled as system_config_file that is actually controlled by the attacker or is part of a sensitive area. For example, if the service writes to /data/misc/system_configs/attacker_controlled_config after being triggered by the untrusted app, and this file is incorrectly labeled, or the service can be tricked into writing to /data/system/packages.xml (highly sensitive).

An attacker might trigger this via `service call` (though typically more complex code would be used):
```
adb shell su 0 service call my_privileged_service 1 s16
```
May 29, 2026


		
		
			
			Frida SSL Pinning Bypass: Intercepting HTTPS Traffic on Any Android App (How-To Guide)
			Introduction to SSL Pinning and Why it Matters
SSL Pinning, or Certificate Pinning, is a security mechanism employed by applications to prevent Man-in-the-Middle (MITM) attacks. Instead of relying on the device’s trust store to validate server certificates, applications with SSL pinning explicitly ‘pin’ or hardcode specific certificates or public keys. This means the app will only trust a predefined certificate, rejecting any other certificate, even if it’s signed by a trusted Certificate Authority (CA) on the device. While enhancing security by preventing attackers from intercepting encrypted traffic via rogue CAs, it significantly complicates security testing, penetration testing, and reverse engineering efforts.
For security researchers and developers, intercepting an app’s HTTPS traffic is crucial for understanding its communication, identifying vulnerabilities, and debugging. When an app implements SSL pinning, traditional proxying methods (like setting up Burp Suite or OWASP ZAP with a trusted CA) fail, as the app actively rejects the proxy’s certificate. This is where dynamic instrumentation tools like Frida become indispensable.
Frida: Dynamic Instrumentation for Android
Frida is a powerful toolkit for dynamic instrumentation, allowing you to inject custom scripts into running processes on Windows, macOS, Linux, iOS, Android, and QNX. It enables you to hook into native functions, inspect memory, modify code, and, crucially for our purpose, bypass security mechanisms like SSL pinning by runtime modification of the app’s behavior. Frida works by injecting the V8 JavaScript engine into the target process, allowing you to write JavaScript code that interacts directly with the application’s runtime.
Prerequisites and Lab Setup
Before we dive into bypassing SSL pinning, ensure you have the following setup:

Rooted Android Device or Emulator: A rooted device is necessary to run the Frida server and access necessary permissions. Emulators like Android Studio’s AVD or Genymotion work well.
ADB (Android Debug Bridge): Essential for interacting with your Android device. Ensure it’s installed and configured on your host machine.
Frida-tools: Install Frida on your host machine:
pip install frida-tools

Frida-server: Download the correct Frida server binary for your device’s architecture (e.g., arm, arm64, x86) from Frida Releases. Push it to your device, make it executable, and run it.
Proxy Tool: Burp Suite Professional or Community Edition is highly recommended. Configure it to listen on all interfaces and set up your device’s Wi-Fi proxy to point to your host machine’s IP address and Burp’s listening port.
Proxy’s CA Certificate: Install your proxy’s CA certificate on your Android device. For Burp Suite, visit http://burp/cert in the device browser to download cacert.der, then install it as a user- or system-trusted certificate. For Android 7.0+ (Nougat) and above, apps by default only trust system CAs. You might need to root and move the Burp certificate to the system trust store (e.g., /system/etc/security/cacerts/) or target older Android versions.

Setting up Frida Server on Android:

Download the appropriate frida-server binary for your device’s architecture from Frida Releases.
Push it to your device:
adb push /path/to/frida-server /data/local/tmp/

Make it executable and run it:
adb shell"chmod 755 /data/local/tmp/frida-server && /data/local/tmp/frida-server &"


The Frida SSL Pinning Bypass Script
SSL pinning implementations vary widely across applications, from custom checks to popular libraries like OkHttp. A robust bypass script needs to address multiple common pinning techniques. The following comprehensive Frida script aims to hook various Android API calls related to certificate validation, effectively disabling pinning for most scenarios.
frida_ssl_bypass.js
Java.perform(function() {    console.log("[*] Frida Loaded: Attempting to bypass SSL Pinning...");    // Common SSL Pinning Bypass Methods    // 1. TrustManager bypass (most common)    try {        var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');        TrustManagerImpl.checkServerTrusted.implementation = function(chain, authType, host) {            console.log('[+] TrustManagerImpl.checkServerTrusted hooked for ' + host);            return; // Simply return, bypassing the check        };        console.log('[+] Hooked TrustManagerImpl.checkServerTrusted');    } catch (e) {        console.log('[-] TrustManagerImpl.checkServerTrusted hook failed: ' + e.message);    }    // 2. OkHttp3.x bypass    try {        var OkHttpClient = Java.use('okhttp3.OkHttpClient');        OkHttpClient.build.overload().implementation = function() {            console.log('[+] OkHttpClient.build hooked');            var okHttpClientBuilder = this.build();            okHttpClientBuilder.sslSocketFactory = Java.use('javax.net.ssl.SSLContext').getInstance('TLS').getSocketFactory();            okHttpClientBuilder.hostnameVerifier = Java.use('javax.net.ssl.HostnameVerifier').$new({                verify: function(hostname, session) {                    return true;                }            });            return okHttpClientBuilder;        };        console.log('[+] Hooked OkHttpClient.build');    } catch (e) {        console.log('[-] OkHttpClient.build hook failed: ' + e.message);    }    // 3. Apache HttpClient (legacy)    try {        var DefaultHttpClient = Java.use('org.apache.http.impl.client.DefaultHttpClient');        DefaultHttpClient.$init.overload('org.apache.http.conn.ClientConnectionManager', 'org.apache.http.params.HttpParams').implementation = function(ccm, params) {            console.log('[+] DefaultHttpClient hooked');            this.$init(ccm, params);            var SSLContext = Java.use('javax.net.ssl.SSLContext');            var TrustManager = Java.use('[Ljavax.net.ssl.TrustManager;');            var trustAllCerts = Java.array(TrustManager, [                Java.use('javax.net.ssl.X509TrustManager').$new({                    checkClientTrusted: function(chain, authType) {},                    checkServerTrusted: function(chain, authType) {},                    getAcceptedIssuers: function() {                        return Java.array('java.security.cert.X509Certificate', []);                    }                })            ]);            var sslcontext = SSLContext.getInstance('TLS');            sslcontext.init(null, trustAllCerts, null);            var SSLSocketFactory = Java.use('org.apache.http.conn.ssl.SSLSocketFactory');            var socketFactory = SSLSocketFactory.getSocketFactory();            socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);            this.setSSLSocketFactory(sslcontext.getSocketFactory());            return this;        };        console.log('[+] Hooked DefaultHttpClient');    } catch (e) {        console.log('[-] DefaultHttpClient hook failed: ' + e.message);    }    // 4. WebView Client Bypass    try {        var WebViewClient = Java.use('android.webkit.WebViewClient');        WebViewClient.onReceivedSslError.overload('android.webkit.WebView', 'android.webkit.SslErrorHandler', 'android.net.http.SslError').implementation = function(view, handler, error) {            console.log('[+] WebViewClient.onReceivedSslError hooked');            handler.proceed(); // Ignore SSL errors            return;        };        WebViewClient.onReceivedHttpError.overload('android.webkit.WebView', 'android.webkit.WebResourceRequest', 'android.webkit.WebResourceResponse').implementation = function(view, request, errorResponse) {            console.log('[+] WebViewClient.onReceivedHttpError hooked');            return;        };        console.log('[+] Hooked WebViewClient.onReceivedSslError and onReceivedHttpError');    } catch (e) {        console.log('[-] WebViewClient hook failed: ' + e.message);    }    // 5. Trustkit bypass (if app uses it)    try {        var Trustkit = Java.use('com.datatheorem.android.trustkit.TrustKit');        Trustkit.is  DeveloperOverrideActive.overload().implementation = function() {            console.log('[+] TrustKit.isDeveloperOverrideActive hooked');            return true;        };        Trustkit.verifyServerHostname.overload('java.lang.String', 'java.lang.String', 'java.security.cert.X509Certificate[]').implementation = function(hostname, pinValidationResult, chain) {            console.log('[+] TrustKit.verifyServerHostname hooked');            return;        };        console.log('[+] Hooked TrustKit');    } catch (e) {        console.log('[-] TrustKit hook failed: ' + e.message);    }    console.log('[*] SSL Pinning bypass script loaded successfully.');});
Step-by-Step Guide to Bypassing SSL Pinning


Ensure Frida Server is Running: Confirm that the Frida server is running on your Android device (as detailed in the

			May 29, 2026

SELinux Policy Enforcement: Practical Strategies for Evading Android’s Security Sandbox Introduction to SELinux on Android Android’s security model is a multi-layered defense system, with SELinux (Security-Enhanced Linux) serving as a critical component for Mandatory Access Control (MAC). Introduced in Android 4.3, SELinux ensures that even if a process gains root privileges, its actions are still constrained by policy rules. This prevents applications and system components from performing operations they are not explicitly allowed to, effectively confining them within a “security sandbox.” For security researchers, exploit developers, and system integrators, understanding how to analyze and potentially bypass these policies is paramount for uncovering vulnerabilities or hardening systems. This article delves into practical strategies for identifying and exploiting weaknesses in SELinux policies, providing an expert-level guide to navigating Android’s robust security architecture. Understanding SELinux Fundamentals on Android SELinux operates on the principle of least privilege, where every resource (files, processes, sockets, etc.) and every action is labeled with a security context. The SELinux policy, a set of rules defined by Google and device manufacturers, dictates what interactions are allowed between these labeled entities. Key concepts include: Security Contexts: Labels applied to processes and files, e.g., u:r:untrusted_app:s0 for an unprivileged application. Types (Domains): The most common attribute used in Android’s TE (Type Enforcement) model, defining a set of permissions for processes (domains) and files (types). Policy Rules: Directives like allow, dontaudit, type_transition, and neverallow that define permissible interactions. On Android, the SELinux policy is compiled into a binary format and loaded at boot. Any attempt to violate this policy results in an Access Vector Cache (AVC) denial, which is typically logged to the kernel ring buffer. Monitoring these denials is crucial for policy analysis. You can check the current SELinux enforcement status and review denials using adb shell: adb shell getenforce # Should output "Enforcing" on production devicesadb shell su -c "dmesg | grep avc" # View Access Vector Cache denials Initial Reconnaissance: Identifying Policy Weaknesses The first step in evading SELinux is thorough reconnaissance of the active policy. This involves extracting and analyzing the policy rules to identify potential misconfigurations or overly broad permissions. 1. Extracting the Policy The active SELinux policy can usually be found at /sys/fs/selinux/policy or /vendor/etc/selinux/precompiled_sepolicy (and similar paths for individual `.te` files). Pulling the binary policy is essential for static analysis: adb pull /sys/fs/selinux/policy sepolicy.bin 2. Policy Analysis Tools Once you have the binary policy, tools like AOSP’s sepolicy-analyze, audit2allow, and sesearch are invaluable. For instance, to search for specific permissions granted to a domain: # Example using sesearch from libsepol/sepolicy-tools# Search for 'create' permissions for 'untrusted_app_t' on 'system_file'sesearch -A -s untrusted_app_t -t system_file -c file -p create sepolicy.bin# List all type transitions from 'untrusted_app_t'sesearch -T -s untrusted_app_t sepolicy.bin Practical Strategies for SELinux Policy Evation Evading SELinux policies often involves identifying rules that, while seemingly benign, can be chained to elevate privileges or bypass restrictions within specific contexts. 1. Type Transition Exploits Type transitions are powerful rules that allow a process creating a new object (e.g., file, directory) in a specific location to automatically assign it a different, potentially more privileged, security type. If an unprivileged domain can trigger a transition to a type with broader permissions, it opens an avenue for attack. Scenario: Abusing file_type_transition Consider a rule like: type_transition untrusted_app_t /data/data/com.example.app/files/ my_app_data_t; This means if untrusted_app_t creates a file in /data/data/com.example.app/files/, that file automatically gets the my_app_data_t context. If my_app_data_t is configured to be readable by a privileged service (e.g., a system daemon in system_server_t domain) which it shouldn’t normally be able to interact with through untrusted_app_t directly, this could be a bypass. The key is to find shared locations where an unprivileged domain can create files that transition to a type with specific, exploitable permissions. 2. Domain Transition / Executable Exploits Similar to type transitions, domain transitions allow a process to switch to a new security domain when executing a specific program. If an unprivileged domain can execute a binary that is configured to transition to a more privileged domain, it can gain elevated permissions. Scenario: Exploiting exec_transition An attacker might look for rules like: domain_auto_trans(untrusted_app, myservice_exec, myservice_t); This rule dictates that if a process in the untrusted_app domain executes a file labeled myservice_exec_t, the executing process will transition to the myservice_t domain. If myservice_t has more permissions than untrusted_app_t (e.g., access to sensitive system properties or files), and the attacker can write to or hijack the myservice_exec_t binary, or even just execute an existing one with vulnerabilities, it presents a significant bypass opportunity. 3. Policy Misconfigurations and Overly Permissive Rules Sometimes, the policy itself contains overly broad `allow` rules or simply forgets to restrict certain interactions. These are often easier to identify through static analysis. Example: Broad File System Access An entry like: allow appdomain { rootfs dev_t } dir { search }; While search might seem innocent, if combined with other permissions, it could enable information disclosure or path traversal attacks. More critical would be `allow untrusted_app_t { system_file } { file } { write };` which would be an egregious error. Look for rules that grant permissions to broad sets of types or classes, or that use very general attributes (e.g., `allow domain type:class { permission };` where `type` is very broad). 4. Abusing Privileged IPC Channels (Binder) While not a direct SELinux bypass, abusing inter-process communication (IPC) channels like Binder can indirectly lead to privilege escalation by leveraging privileged services. If a service running in a highly privileged domain (e.g., system_server_t) performs sensitive operations based on insufficiently validated input from a less privileged domain, SELinux might allow the service to perform the action, effectively bypassing the restriction on the lower-privileged app. This technique relies on finding logical flaws in service implementations rather than policy flaws directly, but SELinux policy analysis helps identify which services might be exploitable by revealing what permissions they hold. Developing an Exploit Strategy: A Conceptual Walkthrough Let’s consider a hypothetical scenario where we want to gain write access to a protected system file, /data/vendor_configs/config.txt, from an untrusted_app. Identify Target File Context: First, determine the SELinux context of the target file.adb shell ls -Z /data/vendor_configs/config.txt # Output: u:object_r:vendor_config_file:s0 config.txtSo, the target context is vendor_config_file_t. Analyze Policy for untrusted_app_t: Use sesearch to find what permissions untrusted_app_t has on vendor_config_file_t. We’d likely find no write permissions. Look for Intermediate Privileged Domains: We need to find a domain that can write to vendor_config_file_t and which untrusted_app_t can potentially transition into or communicate with. Let’s say we identify a custom service, my_custom_service, running in my_custom_service_t domain, which has allow my_custom_service_t vendor_config_file_t:file { write };. Search for Type/Domain Transitions or IPC Vulnerabilities: Type Transition: Is there a writable directory for untrusted_app_t where creating a file triggers a transition to a type that my_custom_service_t will read and act upon, or perhaps even transition to my_custom_service_t? Domain Transition: Can untrusted_app_t execute a binary (e.g., a CLI tool for my_custom_service) that causes it to transition to my_custom_service_t? IPC Abuse: Does my_custom_service expose a Binder interface that takes a filename as input and writes data to it without proper path validation or ownership checks? If so, the untrusted_app could call this Binder method, instructing the privileged service to write to /data/vendor_configs/config.txt on its behalf. Craft the Exploit: If an IPC vulnerability is found, the exploit might involve a simple Android application making a Binder call: // Example (pseudo-code) in Java for an Android appimport android.os.IBinder;import android.os.Parcel;import android.os.ServiceManager;public class Exploit { public static void main(String[] args) { try { IBinder binder = ServiceManager.getService("my_custom_service"); if (binder != null) { Parcel data = Parcel.obtain(); Parcel reply = Parcel.obtain(); data.writeString("/data/vendor_configs/config.txt"); data.writeString("new_config_value"); binder.transact(0xDEADBEEF, data, reply, 0); // Assuming 0xDEADBEEF is the writeToFile code reply.readException(); System.out.println("File write attempted."); data.recycle(); reply.recycle(); } } catch (Exception e) { e.printStackTrace(); } }} This example demonstrates how an `untrusted_app` could indirectly achieve privileged file modification by exploiting a vulnerability in a more privileged service’s Binder interface, with SELinux allowing the service itself to perform the action. Conclusion SELinux is a formidable security barrier on Android, designed to contain malicious actors even in the presence of kernel or root exploits. However, the complexity of these policies often leads to misconfigurations or unintended permission grants that can be leveraged for privilege escalation or sandbox escapes. By meticulously analyzing policy files, monitoring AVC denials, and understanding the nuances of type and domain transitions, security researchers can uncover the cracks in this otherwise robust security model. Ethical hacking and thorough policy review are critical for maintaining the integrity of the Android ecosystem. May 29, 2026
Binder IPC & SELinux: Exploiting Inter-Process Communication for Policy Evasion Introduction to Android Security and IPC Android’s security model is a multi-layered fortress, with SELinux (Security-Enhanced Linux) serving as a crucial Mandatory Access Control (MAC) mechanism. Complementing the traditional Discretionary Access Control (DAC) via UIDs/GIDs, SELinux policies dictate what processes can access what resources based on their security contexts. At the heart of inter-process communication (IPC) in Android lies the Binder framework, a powerful and efficient mechanism that allows different components to communicate across process boundaries. While Binder itself provides a robust RPC-like interface, its interaction with SELinux policy enforcement can sometimes create subtle vulnerabilities, leading to policy evasion. This article delves into how SELinux enforces security on Binder transactions and explores specific techniques attackers might use to bypass these policies, primarily focusing on exploiting insecure delegation within privileged services. Understanding these concepts is vital for both defensive hardening and offensive security research in the Android ecosystem. Binder IPC Fundamentals Binder is the primary IPC mechanism in Android, allowing application components and system services to communicate. It’s a client-server architecture built on a single Linux kernel driver. Key components include: Binder Driver: The kernel module responsible for managing Binder transactions and memory. Service Manager: A special Binder service (`servicemanager`) that helps clients discover and obtain references to other Binder services. IBinder Interface: The base interface for Binder objects. Proxies and Stubs: Client-side proxies implement the service interface and marshal data into a `Parcel` for the Binder driver. Server-side stubs unmarshal the data and call the actual service implementation. Parcels: Light-weight, flattenable data containers used for serialization and deserialization of data transferred over Binder. When an application wants to use a system service, it queries the Service Manager for a reference to that service. Once it has the `IBinder` object, it can perform method calls on it as if it were a local object, with the Binder driver handling the cross-process communication. SELinux on Android: A Brief Overview SELinux enforces MAC by assigning a security context (e.g., `u:r:untrusted_app:s0`) to every process and resource (files, directories, sockets, etc.). Policies are defined as rules that specify what actions a source context can perform on a target context for a given object class. For example, a rule might permit the `system_app` domain to read a file of type `app_data_file`. SELinux policies for Android are stored in `sepolicy` files, which are compiled into a binary policy at boot time. Key elements include: Domains: Represent processes (e.g., `untrusted_app`, `system_server`). Types: Represent resources (e.g., `app_data_file`, `system_file`). Classes: Represent types of objects (e.g., `file`, `directory`, `binder`). Permissions: Specific actions (e.g., `read`, `write`, `call`, `transfer`). When a Binder transaction occurs, SELinux mediates not only the process’s access to files but also its ability to communicate with other processes via Binder. This is typically done through the `binder` object class and associated permissions like `call`, `transfer`, `set_context`, and `impersonate`. SELinux and Binder Enforcement SELinux policy rules govern which domains can `call` a Binder service running in another domain. For example, a rule like `allow untrusted_app system_server:binder call;` permits applications in the `untrusted_app` domain to invoke Binder methods on the `system_server`. However, this rule only allows the *invocation* of the service; the actions performed *by* the service are then subject to the *server’s* own SELinux permissions. This distinction is crucial for understanding policy evasion. SELinux will prevent an `untrusted_app` from directly writing to a sensitive system file (e.g., `/data/misc/wifi/wpa_supplicant.conf`), because `untrusted_app` lacks `wifi_data_file` write permissions. However, if a privileged service (e.g., `wifi_server`) *does* have permission to write to `wifi_data_file`, and it exposes a Binder interface that takes a file path as an argument, a vulnerability might arise. Example SELinux Policy Snippets: # Allow untrusted apps to call system_server Binder services. This is very general. allow untrusted_app system_server:binder call; # Allow a privileged service (priv_service) to access wifi configuration files. # This rule is valid for the priv_service domain. allow priv_service wifi_data_file:file { read write open getattr }; allow priv_service wifi_data_file:dir { search add_name remove_name }; # Deny untrusted_app direct access to wifi configuration files. (Implicit by absence of allow rule) # type wifi_data_file, file_type, data_file_type; Exploiting Insecure Delegation for Policy Evasion The core of a Binder-based SELinux policy evasion often lies in exploiting insecure delegation. This occurs when a highly privileged Binder service (running in a domain with broad permissions) exposes an API that allows a less privileged client to trigger actions that the client itself would normally be forbidden from performing directly. The bypass isn’t about circumventing SELinux itself, but rather about leveraging a legitimate permission held by the privileged service. SELinux *still* enforces its policy on the server process, but if the server is allowed to perform the action and doesn’t adequately validate the client’s request, the client effectively proxies its restricted action through the privileged service. Vulnerability Scenario: File Manager Service Consider a hypothetical `FileManagerService` running under the `priv_service` SELinux domain. This service might be responsible for managing specific configuration files or logs in a restricted directory like `/data/vendor/secure_files/`. Its SELinux policy correctly grants it write access to files within this secure directory and other sensitive system files (e.g., `wifi_data_file`). A simplified AIDL interface for such a service might look like this: // com/example/service/IFileManagerService.aidl package com.example.service; interface IFileManagerService { void writeFile(String path, String content); String readFile(String path); } Now, let’s look at a vulnerable server implementation: // com/example/service/FileManagerService.java (running in priv_service domain) public class FileManagerService extends IFileManagerService.Stub { // This BASE_DIR is relevant for its *intended* usage private static final String BASE_DIR = "/data/vendor/secure_files/"; @Override public void writeFile(String path, String content) { // VULNERABLE: Does not adequately sanitize or validate 'path'. // An attacker could provide a path like "../../../../data/misc/wifi/wpa_supplicant.conf" // or even an absolute path if the service is not careful with Path.normalize() or new File(). File targetFile = new File(path); // Or new File(BASE_DIR, path) without proper canonicalization Log.d("FMS", "Attempting to write to: " + targetFile.getAbsolutePath()); try (FileOutputStream fos = new FileOutputStream(targetFile)) { fos.write(content.getBytes()); Log.i("FMS", "Successfully wrote to " + targetFile.getAbsolutePath()); } catch (IOException e) { Log.e("FMS", "Failed to write file: " + e.getMessage()); } } @Override public String readFile(String path) { // Similar vulnerability possible for reading sensitive files // ... return ""; } } An `untrusted_app` wants to modify `/data/misc/wifi/wpa_supplicant.conf`, but its SELinux policy prevents direct access. However, the `priv_service` process *does* have permission to write to `wifi_data_file`. If the `FileManagerService`’s `writeFile` method is vulnerable to path traversal or simply accepts an absolute path without proper validation, the `untrusted_app` can execute the following client-side code: // From an untrusted_app process // Assume fileManagerService is an IFileManagerService proxy obtained via ServiceManager try { String targetPath = "/data/misc/wifi/wpa_supplicant.conf"; String maliciousConfig = "network={n ssid="backdoor_wifi"n psk="password123"n}n"; fileManagerService.writeFile(targetPath, maliciousConfig); Log.d("UntrustedApp", "Attempted to write to " + targetPath + " via privileged service."); } catch (RemoteException e) { Log.e("UntrustedApp", "Binder call failed: " + e.getMessage()); } When this code runs: The `untrusted_app` calls `fileManagerService.writeFile()`. SELinux checks if `untrusted_app` is allowed to `call` `priv_service`’s Binder interface. This is typically allowed: `allow untrusted_app priv_service:binder call;`. The Binder transaction proceeds to the `priv_service`. The `priv_service` executes its `writeFile` method. Inside `writeFile`, a file operation is attempted on `/data/misc/wifi/wpa_supplicant.conf`. SELinux checks if `priv_service` is allowed to write to `wifi_data_file` (the type of `/data/misc/wifi/wpa_supplicant.conf`). This *is* allowed by its policy: `allow priv_service wifi_data_file:file { write };`. The write operation succeeds. Crucially, no SELinux denial occurs because the *acting process* (`priv_service`) is *permitted* to perform the action. The bypass occurs because the `untrusted_app` effectively coerced a privileged actor to perform an action on its behalf, circumventing its own restrictions. Identifying Such Vulnerabilities Policy Analysis: Reviewing `sepolicy` rules for privileged domains to identify what resources they can access that untrusted apps cannot. Binder Interface Enumeration: Identifying Binder services exposed by privileged domains (e.g., using `dumpsys` or reversing system apps) and understanding their exposed methods. Input Validation Review: Scrutinizing the input handling logic of privileged Binder methods, especially those taking file paths, URLs, or other resource identifiers, for path traversal (`../`) or absolute path issues. Fuzzing: Systematically providing malformed or unexpected inputs to Binder interfaces to discover unexpected behavior. Mitigations and Best Practices Preventing such policy evasions requires careful design and implementation: Strict Input Validation: All Binder methods that accept paths or resource identifiers from potentially untrusted callers must rigorously validate these inputs. This includes canonicalizing paths, checking for path traversal sequences (`../`), and ensuring the path falls within an intended, confined directory. Least Privilege Principle: Services should only be granted the absolute minimum SELinux permissions necessary to perform their intended function. Over-privileged services increase the attack surface. Caller Identity Verification: For critical operations, services should verify the identity of the calling process using `Binder.getCallingUid()` and `Binder.getCallingPid()` to apply additional DAC checks or custom security logic beyond SELinux. Confined API Design: Design Binder APIs such that they expose high-level operations rather than low-level file system access. Instead of `writeFile(String path, String content)`, consider `updateConfiguration(int configId, String data)` where `configId` maps to an internally managed, hardcoded file path. Regular Policy Review: Periodically audit SELinux policies, especially when introducing new services or features, to ensure no unintended permissions are granted. Conclusion SELinux and Binder are foundational to Android’s security, but their interaction can create complex attack surfaces. Exploiting insecure delegation through Binder IPC allows lower-privileged applications to circumvent SELinux policies by leveraging the legitimate permissions of a vulnerable, higher-privileged service. By understanding these mechanisms, developers and security researchers can better identify, prevent, and mitigate such policy evasion techniques, enhancing the overall security posture of the Android platform. May 29, 2026
Deep Dive: Understanding and Exploiting ‘neverallow’ Rules in Android SELinux Policies Introduction: The Unyielding Guard of Android SELinux Android’s security model relies heavily on SELinux (Security-Enhanced Linux), a mandatory access control (MAC) system that enforces granular permissions beyond traditional Linux discretionary access control (DAC). At its core, SELinux prevents processes from performing actions not explicitly permitted by the policy. Among the most stringent directives in SELinux policy are neverallow rules. These rules are compile-time assertions designed to guarantee that certain critical security invariants are maintained, acting as a safeguard against accidental policy relaxations or subtle logic errors that could lead to privilege escalation. For security researchers and penetration testers, understanding and potentially circumventing neverallow rules is crucial for discovering novel attack paths. Understanding ‘neverallow’ Rules in SELinux A neverallow rule is a powerful declarative statement within an SELinux policy that forbids a specific interaction between a source domain, a target type, and a set of permissions. Unlike regular allow rules, which grant permissions, neverallow rules explicitly deny them, and this denial is enforced during policy compilation. If any combination of allow rules in the policy would, even indirectly, grant a permission forbidden by a neverallow rule, the policy compilation will fail. The primary purpose of neverallow rules is multifaceted: Preventing Policy Bugs: They act as a sanity check, catching errors where developers might inadvertently grant overly broad permissions. Enforcing Security Critical Invariants: For example, ensuring that untrusted applications can never directly access highly sensitive system resources or perform actions that would compromise the system’s integrity. Simplifying Policy Audits: By explicitly stating what *should never* happen, it makes policy review clearer and helps maintain a robust security posture over time, even as the policy evolves. A typical neverallow rule might look like this: neverallow untrusted_app { system_file_type } { read write execute }; This rule explicitly states that the untrusted_app domain can never have read, write, or execute permissions on any resource labeled with system_file_type. If an allow rule, or a chain of allow rules, were to implicitly grant such access, the policy compiler would flag it as an error and refuse to build the policy. Identifying ‘neverallow’ Violations During development, neverallow violations are often caught by tools like sepolicy-analyze or during the policy compilation process itself. When a violation occurs, the compilation typically fails with a detailed error message indicating the specific neverallow rule that was broken and the offending allow rule(s). For example, using sepolicy-analyze with a compiled policy: sepolicy-analyze -P /path/to/sepolicy neverallow This command can help identify existing neverallow rules. To detect potential violations, developers usually rely on the build system’s integrated checks. The Challenge and Art of Bypassing ‘neverallow’ Rules Directly May 29, 2026
From Permissive to Enforcing: Architecting Advanced SELinux Kernel Bypasses on Android Introduction: The Enforcing Wall SELinux (Security-Enhanced Linux) is a mandatory access control (MAC) system that forms a critical line of defense in modern Android security. While many exploits achieve root privileges, transitioning an Android device from a "permissive" SELinux state (where violations are logged but not blocked) to "enforcing" (where violations are blocked) presents a far greater challenge. This article delves into expert-level techniques for architecting SELinux kernel bypasses, moving beyond simple policy violations to directly subvert the system’s core access control mechanisms, even when a device is in enforcing mode. Understanding SELinux on Android SELinux operates on the principle of least privilege, defining strict rules (the SELinux policy) that dictate what processes can access what resources. Every process and file has an SELinux context (e.g., u:r:untrusted_app:s0 for an untrusted application). When a process attempts an action (e.g., reading a file, executing a system call), the SELinux kernel module intercepts the request, consults the loaded policy, and makes a decision based on the source context, target context, object class, and permission requested. If the action is denied in enforcing mode, it’s blocked. In permissive mode, it’s only logged (an "AVC denial"). Changing SELinux mode itself usually requires kernel-level privileges or a specific SELinux permission (setenforce) that is typically only granted to the init process in the kernel domain. This means an attacker needs more than just root; they need a way to manipulate the kernel itself or its loaded policy. The Problem: Beyond Simple Policy Violations Traditional Android exploits often focus on achieving arbitrary code execution within a process, then escalating privileges to root. However, even with root, an enforcing SELinux policy can still prevent critical actions, such as modifying system partitions, injecting into sensitive processes, or directly accessing kernel memory, unless the policy explicitly permits it for the root user’s context. The goal of an advanced bypass is not to find a gap *in* the policy, but to find a way to circumvent the policy engine entirely or force it to accept actions it would normally deny. Approach 1: Leveraging Kernel Vulnerabilities for Policy Manipulation The most direct way to bypass enforcing SELinux is to gain arbitrary kernel read/write capabilities through a kernel vulnerability. Once you have this primitive, you can directly modify kernel data structures that control SELinux behavior. Targeting the selinux_enforcing Flag The global selinux_enforcing variable (or similar structure, depending on kernel version) in the Linux kernel determines the SELinux mode. If we can locate and change its value from 1 (enforcing) to 0 (permissive), we effectively neutralize SELinux’s enforcement capabilities. To do this, you’d typically need: A kernel R/W primitive. Knowledge of the kernel’s memory layout (KASLR bypass) to find the address of selinux_enforcing. The ability to write to that address. Conceptual kernel memory manipulation (after gaining R/W and KASLR bypass): // Pseudocode - Assuming kernel_write_dword(address, value) function exists// Locate selinux_enforcing address (e.g., via symbol table or kernel text scan)unsigned long selinux_enforcing_addr = find_kernel_symbol("selinux_enforcing");if (selinux_enforcing_addr) { // Read current value (should be 1 for enforcing) unsigned int current_val = kernel_read_dword(selinux_enforcing_addr); print("Current selinux_enforcing: %d", current_val); // Set to 0 (permissive) kernel_write_dword(selinux_enforcing_addr, 0); print("SELinux mode changed to permissive!");} Modifying Policy Decision Points A more subtle bypass involves modifying the kernel’s security_operations structure. This structure is a table of function pointers that the kernel calls for various security-related operations (e.g., inode_permission, task_alloc_security). If you can overwrite a specific function pointer in this table with a pointer to your own kernel-mode shellcode that always returns success (0), you can effectively bypass SELinux for specific operations. For example, if you target inode_permission, which is called for file access checks: // Pseudocode - Targetting security_operations to bypass inode permissionsstruct security_operations *selinux_ops_ptr = find_kernel_symbol("selinux_security_ops");if (selinux_ops_ptr) { // Define a dummy function in kernel memory that always returns 0 (success) // This requires injecting shellcode into kernel memory. void *dummy_permission_func_addr = inject_kernel_shellcode( "mov eax, 0; ret;" // x86_64 example, ARM would be different ); // Overwrite the inode_permission function pointer kernel_write_qword( (unsigned long)&selinux_ops_ptr->inode_permission, (unsigned long)dummy_permission_func_addr ); print("SELinux inode_permission hooked!");} This is extremely powerful but requires a deep understanding of kernel internals, KASLR bypasses, and the ability to inject and execute arbitrary kernel-mode code. Approach 2: Exploiting Policy Loader Vulnerabilities While rarer, vulnerabilities in the SELinux policy loading mechanism itself could be exploited. The Android init process loads the SELinux policy at boot. If there’s a flaw (e.g., an integer overflow, buffer overflow) in the selinux_load_policy syscall handler or the parsing logic, an attacker might be able to inject a custom policy or a corrupted policy that forces permissive mode or grants excessive permissions to their controlled domain. This would typically involve crafting a malicious SELinux policy file, triggering the loading vulnerability, and then potentially calling setenforce 0 via an allowed context if the policy granted it, or directly manipulating kernel memory if the vulnerability allows R/W. // Hypothetical scenario: Exploiting a policy parser vulnerability// 1. Craft a malicious policy file (e.g., custom.policy) designed to trigger a bug.// 2. Push it to the device.// adb push custom.policy /data/local/tmp/// 3. Attempt to load it via a compromised privileged process or syscall injection.// This step is highly dependent on the nature of the specific bug.// For example, if a privileged process calls load_policy and is vulnerable:// char *policy_data = read_file("/data/local/tmp/custom.policy"); // if (policy_data) { // load_selinux_policy(policy_data, policy_size); // Vulnerable function // } Advanced Technique: Context Overrides through Kernel Object Manipulation This technique focuses on abusing legitimate kernel objects or structures to achieve an effective bypass, rather than outright disabling SELinux. Consider a scenario where an attacker gains write access to a kernel data structure that influences how file descriptors (FDs) are handled, or how processes transition contexts. For example, if you can corrupt a task_struct (the kernel representation of a process) to point to a different security_struct, or if you can manipulate a file descriptor’s associated SELinux context information (e.g., through an UAF on a file object where the context pointer is overwritten), you could trick SELinux into believing an operation is originating from a highly privileged context. Another advanced technique involves identifying specific kernel module functions that operate on sensitive data but might not always perform explicit SELinux checks, relying instead on initial checks performed by higher-level syscalls. If a kernel bug allows calling such a function directly (e.g., via a carefully crafted ioctl) with improper arguments from a less privileged context, an implicit bypass can occur. // Pseudocode example: Hijacking a security context pointer// Assuming a kernel UAF vulnerability on a `file` objectstruct file *fd_file_obj = get_file_object_from_fd(attacker_fd);if (fd_file_obj && is_vulnerable_to_uaf(fd_file_obj)) { // Trigger UAF to free and reallocate 'file' object with controlled data // Overwrite the 'f_security' pointer within the reallocated 'file' object // to point to a crafted security context that grants 'system_server' or 'kernel' privileges void *crafted_security_context = create_privileged_security_context_in_kernel_memory(); kernel_write_qword( (unsigned long)&fd_file_obj->f_security, (unsigned long)crafted_security_context ); print("File object's security context hijacked!");}// Subsequent operations on 'attacker_fd' would then be evaluated // against the spoofed, privileged context. Mitigation and Defense Android’s SELinux implementation is robust and continually strengthened. Key mitigations include: **Verified Boot & DM-Verity:** Ensures the integrity of the kernel and SELinux policy files. **KASLR & CFI (Control Flow Integrity):** Makes it harder to find kernel symbols and hijack function pointers. **Robust Kernel Hardening:** Constant patching of kernel vulnerabilities that could lead to R/W primitives. **Policy Strictness:** Android’s SELinux policy is highly restrictive by default, limiting what even root can do. **Kernel Lockdown:** Prevents root from modifying kernel code or directly accessing kernel memory in newer Android versions. Conclusion Bypassing SELinux in enforcing mode on Android is a formidable challenge, requiring deep kernel-level exploits and a sophisticated understanding of both SELinux internals and the target kernel’s architecture. While achieving root is often the first step, true system compromise against a hardened Android device necessitates a subsequent kernel-level exploit to either disable SELinux directly, manipulate its decision-making processes, or subvert its context management. These advanced techniques highlight the continuous cat-and-mouse game between security researchers and system defenders in the ever-evolving landscape of mobile security. May 29, 2026
Fuzzing ART: Setting Up a Lab to Discover New Android Runtime Vulnerabilities Introduction: The Criticality of ART Security The Android Runtime (ART) is the heart of the Android operating system, responsible for compiling and executing all application code. Given its privileged position and fundamental role, any vulnerability within ART can have catastrophic consequences, potentially leading to arbitrary code execution, privilege escalation, or data exfiltration. Fuzzing, a powerful software testing technique, involves feeding malformed or unexpected inputs to a program to expose bugs and security flaws. While traditional application fuzzing is common, systematically fuzzing a complex runtime like ART requires a specialized approach and a carefully constructed lab environment. This guide will walk you through setting up such a lab to embark on your journey of discovering new ART vulnerabilities. Understanding the Android Runtime (ART) for Fuzzing Before diving into the setup, it’s crucial to understand ART’s key components that make it a prime target for fuzzing: Ahead-of-Time (AOT) Compiler: Compiles app bytecode into native machine code during installation. Just-in-Time (JIT) Compiler: Dynamically compiles frequently executed code paths during runtime for performance. Garbage Collector (GC): Manages memory allocation and deallocation. Bytecode Verifier: Ensures that application bytecode is valid and safe before execution. Class Loader: Loads classes and manages their lifecycle. Each of these components processes various forms of input (Dex files, method bytecode, memory allocation requests, etc.), making them potential surfaces for fuzzing. Lab Setup Prerequisites To effectively fuzz ART, you’ll need a robust development environment: High-Performance Workstation: A Linux machine (Ubuntu recommended) with ample RAM (64GB+), a fast multi-core CPU, and substantial SSD storage (500GB+). Building AOSP is resource-intensive. AOSP Source Code: We’ll be working with a specific Android Open Source Project branch, ideally one that supports sanitizers well (e.g., Android 12 or 13). Rooted Device or Emulator: An Android emulator built from your AOSP source or a rooted physical device capable of running your custom AOSP build. Emulators are often easier for initial setup and debugging. Step 1: Building a Fuzz-Friendly AOSP Environment Downloading AOSP Source First, initialize and sync your AOSP repository. Choose a recent branch, for example, android-13.0.0_rX. mkdir android-art-fuzzingcd android-art-fuzzingrepo init -u https://android.googlesource.com/platform/manifest -b android-13.0.0_rXrepo sync -j8 # Adjust -j based on your CPU cores Enabling Sanitizers (ASan, UBSan) Sanitizers are critical for fuzzing as they help detect memory safety and undefined behavior issues at runtime. AddressSanitizer (ASan) is particularly effective for ART. You’ll want to build AOSP with ASan enabled for ART components. source build/envsetup.sh# For ASan on the target device/emulatorlunch aosp_arm64-userdebug # Or aosp_x86_64-userdebug, depending on your targetexport ASAN_OPTIONS=abort_on_error=1make -j$(nproc) Building AOSP with sanitizers can take several hours, depending on your hardware. This build will include the necessary instrumentation for ART modules. Step 2: Crafting an ART Fuzzer Harness A fuzzer harness is a small program that takes fuzzer-generated input and feeds it to the target component (e.g., an ART function). For ART, a common approach is to fuzz its handling of Dex files or specific bytecode sequences. Let’s consider fuzzing the Dex file parsing component. You’ll need to locate the relevant source code (e.g., in art/libdexfile/) and create a test harness that integrates with libFuzzer. Example: Fuzzing DexFile Parsing Create a new directory for your fuzzer, e.g., art/fuzz/dexfile_fuzzer/, and add an Android.bp file: // art/fuzz/dexfile_fuzzer/Android.bpandroid_fuzzer { name: "art_dexfile_fuzzer", fuzz_data: [ "dex_fuzz_corpus", ], srcs: [ "dexfile_fuzzer.cpp", ], shared_libs: [ "libartbase", "libdexfile", "liblog", ], sanitize: { misc_undefined: ["unsigned-integer-overflow"], address: true, }, // Add other ART specific includes if needed cflags: [ "-Wno-unused-parameter", "-Wall", ],} Now, create the dexfile_fuzzer.cpp: // art/fuzz/dexfile_fuzzer/dexfile_fuzzer.cpp#include <fuzzer/libfuzzer_macro.h>#include "dex/dex_file_loader.h"#include "base/logging.h" // For LOG(FATAL) on error#include <vector>extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { // It's crucial to wrap the ART calls in a try-catch block // if ART itself doesn't always handle malformed inputs gracefully // and you want to prevent the fuzzer from crashing prematurely. // However, for fuzzing, we often want the underlying component to crash. art::DexFileLoader loader; std::string error_msg; std::vector<std::unique_ptr<const art::DexFile>> dex_files; if (!loader.LoadDex(data, size, "fuzz.dex", /*container=*/nullptr, &dex_files, &error_msg)) { // This path is expected for invalid inputs. // No action needed, just return. } // Optionally iterate through loaded dex files and do something with them // if you want to fuzz deeper components, e.g., bytecode verification. // For now, simply loading is enough to hit parsing logic. return 0;} This simple harness feeds arbitrary byte streams directly to ART’s Dex file loader. Remember to include necessary ART headers and link against relevant libraries as shown in Android.bp. Step 3: Building and Deploying the Fuzzer After creating your fuzzer harness, you need to build it and push it to your AOSP image. # Make sure you're in the AOSP root and envsetup.sh is sourcedmmma art/fuzz/dexfile_fuzzer # Build only your fuzzer This command compiles your fuzzer executable. Once built, you can push it to your device/emulator. If you’re building a full AOSP image with the fuzzer, it will be included. # If you rebuilt AOSP with the fuzzer:adb reboot bootloaderfastboot flashall -w# Or if you just built the fuzzer module:adb push $ANDROID_PRODUCT_OUT/data/fuzz/arm64/art_dexfile_fuzzer /data/local/tmp/art_dexfile_fuzzer Ensure the fuzzer has execute permissions: adb shell chmod +x /data/local/tmp/art_dexfile_fuzzer Step 4: Running the Fuzzer and Analyzing Crashes Now, you can execute your fuzzer on the target device: adb shell /data/local/tmp/art_dexfile_fuzzer LibFuzzer will start generating inputs and feeding them to your harness. If it detects a crash (e.g., due to ASan instrumentation), it will typically save the crashing input to a file (e.g., crash-<hash>) and provide a detailed stack trace in logcat. Monitoring and Triaging Crashes Keep a separate terminal for logcat: adb logcat -s "art" "ASAN" When a crash occurs, logcat will display an ASan report, which includes: Type of memory error (e.g., heap-buffer-overflow, use-after-free). Address of the invalid access. Stack trace at the point of the error. Information about the allocated/deallocated memory region. Retrieve the crashing input from the device: adb pull /data/local/tmp/crash-<hash> . You can then use this input to reproduce the crash reliably on your host machine with debugging tools like GDB, often by setting up a minimal environment to load the crashing input directly into the vulnerable ART function without needing the full Android system. Advanced Fuzzing Techniques Once you have a basic setup, consider these advanced techniques: Corpus Minimization: Use -minimize_crash=1 with libFuzzer to reduce crashing inputs to their smallest form. Custom Mutators: Implement domain-specific mutators to generate more intelligent inputs (e.g., respecting Dex file structure). Coverage-Guided Fuzzing: LibFuzzer inherently uses coverage, but understanding coverage reports can guide further development. Stateful Fuzzing: For components that maintain state, develop fuzzers that interact with the component over multiple operations. Syzkaller: While typically used for kernel fuzzing, its principles can inspire complex, system-level ART interaction fuzzers. Conclusion Setting up an ART fuzzing lab is a significant undertaking, but it provides an unparalleled opportunity to discover critical vulnerabilities in the core of Android. By systematically building AOSP with sanitizers, crafting targeted fuzzer harnesses, and diligently analyzing crashes, security researchers can contribute significantly to the robustness and security of the Android ecosystem. The journey of finding and reporting such vulnerabilities is both challenging and incredibly rewarding, pushing the boundaries of mobile security research. May 29, 2026
Beyond Denials: Debugging SELinux to Discover Zero-Day Bypass Opportunities Introduction to Android SELinux and Advanced Debugging Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) system that provides an additional layer of security beyond traditional discretionary access control (DAC). On Android, SELinux policies strictly define what each process (domain) can do and which resources (types) it can access, serving as a cornerstone of the platform’s sandboxing mechanism. While `audit.log` often reveals explicit denial messages, the real challenge for advanced exploit development and zero-day discovery lies not in *denied* access, but in *allowed yet abusable* access. This article delves into advanced SELinux debugging techniques to uncover subtle policy misconfigurations and over-permissioning that can lead to potent bypass opportunities. Understanding SELinux Policy Enforcement on Android Android’s SELinux policy is compiled from a set of Common Intermediate Language (CIL) files found primarily in system/sepolicy/ and vendor/etc/selinux/. These policies define domains (processes), types (files, IPC objects, devices), classes (file, socket, binder), and permissions (read, write, execute, call). A simple denial in dmesg (e.g., avc: denied { read } for pid=X comm="Y" name="Z" dev="A" ino=B scontext=u:r:source_domain:s0 tcontext=u:object_type:s0 tclass=file permissive=0) merely indicates a missing permission. True bypasses exploit situations where a domain has legitimate access to a resource, but that access can be leveraged for unintended purposes, violating security boundaries. Key SELinux Concepts for Exploit Development: Domains: Represent executing processes, e.g., u:r:untrusted_app:s0, u:r:mediaserver:s0. Types: Labels for resources, e.g., app_data_file, system_data_file, ashmem_device. Classes: Categories of objects, e.g., file, dir, socket, binder, fd. Permissions: Actions a domain can perform on a resource of a specific class, e.g., read, write, open, call, transfer. Tools and Techniques for Deeper SELinux Analysis Moving beyond simple log analysis requires a deeper dive into the compiled policy and runtime context. 1. Static Policy Analysis with sesearch sesearch is an invaluable tool for querying the compiled SELinux policy. It allows you to enumerate all permissions granted to a specific domain or identify which domains can access a particular type. First, obtain the compiled policy from the device (usually /sys/fs/selinux/policy) or from a firmware image. Then, use sesearch: # Enumerate all permissions granted to 'mediaserver' domain: sesearch -A -s mediaserver # Find all domains that can write to 'system_data_file' type: sesearch -A -t system_data_file -c file -p write # Find specific interactions, e.g., 'mediaserver' calling 'audioserver': sesearch -s mediaserver -t audioserver -c binder -p call The output reveals a granular view of allowed interactions. Look for permissions that seem overly broad or that allow interaction with sensitive types (e.g., writing to a system config file, calling an arbitrary method on a privileged service, or transferring file descriptors to an unexpected domain). 2. Runtime Context Inspection Understanding the runtime context is crucial. Tools like ls -Z, ps -Z, and id -Z help identify the SELinux contexts of files, processes, and the current shell. # Check SELinux context of files in /data: adb shell ls -Z /data/misc/ # Check SELinux context of running processes: adb shell ps -Z | grep system_server # Check current shell's context: adb shell id -Z Misconfigured file contexts (e.g., an application creating a file with a sensitive type that it shouldn’t be able to) can open doors. Similarly, a process running under an unexpected or overly privileged domain can indicate a policy flaw. 3. Analyzing type_transition and domain_transition These rules define how contexts change. type_transition specifies the default type for objects created within a certain directory by a certain process, while domain_transition defines how a new process inherits or changes its domain. Vulnerabilities often arise here: Overly Permissive type_transition: A service (e.g., updateservice_t) creates a file in a shared directory (e.g., /data/vendor) and the policy sets its type to a highly privileged one (e.g., system_data_file) when it should be something more restricted (e.g., updateservice_data_file). An attacker might then manipulate this file if they can make the service create it or if they can trick the service into interacting with it in a privileged way. Abusable domain_transition: A less privileged process can trick a privileged process into executing code under its own, more powerful domain. While direct execution is often prevented, binder services can sometimes be coaxed into performing actions that transition to a more powerful domain for specific sub-tasks, and if the input to that sub-task isn’t sufficiently validated, it becomes an exploit vector. Example (conceptual policy snippet): type_transition system_app system_data_file : file system_file_type; If system_app can be tricked into writing to a user-controlled location, and that location then gets the type system_file_type due to an overly broad rule, an attacker gains unexpected access. Identifying Over-Permissioning and Abusable Interactions The goal is to find where a domain has permissions that, while seemingly benign, can be chained or abused under specific conditions to achieve privilege escalation or sandbox escape. 1. Binder IPC Vulnerabilities Android heavily relies on Binder IPC. Policies define which domains can `call` methods on which Binder services. Look for services that: Have broad `binder_call` permissions to many other sensitive services. Accept file descriptors (fd class, transfer permission) from untrusted sources without robust validation, potentially allowing an attacker to inject a privileged file descriptor. # Find domains that can transfer file descriptors: sesearch -A -c fd -p transfer 2. Device and IOCTL Abuses Access to /dev/ entries is governed by SELinux. Policies often grant `ioctl` permissions based on broad device classes. An overly broad `ioctl` permission can allow an attacker to trigger kernel vulnerabilities through device drivers. # Find domains with ioctl permissions on a device type: sesearch -A -s target_domain -t device_type -c chr_file -p ioctl 3. Shared Memory (ASharedMemory) ASharedMemory allows processes to share memory regions. The SELinux policy must correctly label these shared regions and restrict access. If a less privileged domain can create or gain read/write access to a shared memory region that a privileged domain interacts with, this can lead to data leakage or corruption. Case Study Methodology: Finding a Hypothetical Bypass Let’s outline a methodology for finding a bypass targeting a hypothetical privileged_daemon. Step 1: Target Identification and Scope Identify a privileged daemon or service, e.g., privileged_daemon_t, that interacts with sensitive data or has critical capabilities. Focus on its entry points (Binder services, sockets, files). Step 2: Policy Mapping and Enumeration Use sesearch to get a comprehensive view of privileged_daemon_t‘s capabilities: # What can privileged_daemon_t do? sesearch -A -s privileged_daemon_t # What can interact with privileged_daemon_t (via Binder)? sesearch -A -t privileged_daemon_t -c binder -p call # What files can privileged_daemon_t access/create? sesearch -A -s privileged_daemon_t -c file -p read,write,open,create Pay close attention to interactions with types like system_data_file, system_block_device, or IPC with other critical services. Step 3: Interaction Analysis and Vulnerability Scouting Analyze the sesearch output for suspicious entries: Unexpected write access: Can privileged_daemon_t write to any user-controlled or world-writable directory, and if so, what type would the created file have? Overly broad IPC: Does it have `call` permissions to services that it doesn’t strictly need to interact with? Sensitive `type_transition` rules: Are there rules where `privileged_daemon_t` creates a file that ends up with a type granting more permissions than necessary? File descriptor handling: Does it accept FDs from less privileged domains, and how does it validate them? For example, if sesearch -A -s privileged_daemon_t -c file -p write reveals it can write to app_data_file, and your untrusted_app domain can manipulate paths within `app_data_file` contexts, you might find a path traversal vulnerability that causes the privileged daemon to write a malicious payload to a sensitive location. Step 4: Exploit Vector Development Once a potential over-permissioning is identified, devise a method to trigger it. This often involves: **Input Fuzzing:** Sending malformed or unexpected input via IPC to trigger edge cases in policy enforcement. **Race Conditions:** Exploiting time-of-check-time-of-use (TOCTOU) issues where a context or file type changes between permission checks. **Logic Flaws:** Tricking the privileged process into performing actions with its elevated permissions on attacker-controlled data. Conclusion: The Path to Zero-Day Discovery Debugging SELinux for zero-day bypasses is a deep dive into the intricacies of Android’s security model. It requires moving beyond passive `audit.log` monitoring and actively querying the policy, analyzing runtime contexts, and understanding subtle implications of `type_transition` and `domain_transition` rules. The key is to think like a policy author and then like an attacker, looking for the gaps between intended security and actual enforcement. This level of analysis demands patience, a thorough understanding of the Android platform, and a creative mind to connect seemingly disparate permissions into a powerful exploit chain. May 29, 2026


	
	
		
	
	
	
	
		
			←Previous Page
			1
…
567
568
569
570
571
…
705
			Next Page→

Author: admin

Introduction to Native ARM64 Hooking with Frida

Setting Up Your Android Reverse Engineering Lab

Requirements:

Installation Steps:

Understanding Native Hooking on ARM64

ARM64 Calling Conventions (Brief Overview)

Identifying Target Functions

Dummy Native Library (`nativehookme.cpp`):

Finding Symbols with `nm`:

Basic Native Function Hooking with Frida

`native_hook_checksum.js`:

Advanced Hooking: Argument and Return Value Manipulation

`advanced_native_hook.js`:

Introduction: The Power of Dynamic Instrumentation with Frida

Setting Up Your Frida Environment for Android

Prerequisites

Installing Frida Tools on Your Host Machine

Deploying Frida Server on Your Android Device

Basic Hooking: Modifying Java Logic On-the-Fly

Target Application Scenario

Writing Your First Frida Script (Java Hooking)

Executing the Patch

Advanced Techniques: Argument Manipulation and Native Hooks

Modifying Method Arguments

Hooking Native Functions (JNI / C/C++)

Practical Use Cases in Android Security and Reverse Engineering

Conclusion

Introduction: The Imperative of SELinux in Android Security

Understanding SELinux Fundamentals

Mandatory Access Control (MAC) vs. Discretionary Access Control (DAC)

SELinux in Android: Contexts, Types, and Domains

Common SELinux Bypass Vector Categories

Policy Misconfigurations and Omissions

Kernel Vulnerabilities Exploited Pre-SELinux

Trusted Domain Abuse via IPC

Case Study: Analyzing a Hypothetical SELinux Weakness

Scenario: Abusing an Overly Permissive Binder Service

Introduction to SSL Pinning and Why it Matters

Frida: Dynamic Instrumentation for Android

Prerequisites and Lab Setup

Setting up Frida Server on Android:

The Frida SSL Pinning Bypass Script

frida_ssl_bypass.js

Step-by-Step Guide to Bypassing SSL Pinning

Introduction to SELinux on Android

Understanding SELinux Fundamentals on Android

Initial Reconnaissance: Identifying Policy Weaknesses

1. Extracting the Policy

2. Policy Analysis Tools

Practical Strategies for SELinux Policy Evation

1. Type Transition Exploits

Scenario: Abusing file_type_transition

2. Domain Transition / Executable Exploits

Scenario: Exploiting exec_transition

3. Policy Misconfigurations and Overly Permissive Rules

Example: Broad File System Access

4. Abusing Privileged IPC Channels (Binder)

Developing an Exploit Strategy: A Conceptual Walkthrough

Conclusion

Introduction to Android Security and IPC

Binder IPC Fundamentals

SELinux on Android: A Brief Overview

SELinux and Binder Enforcement

Example SELinux Policy Snippets:

Exploiting Insecure Delegation for Policy Evasion

Vulnerability Scenario: File Manager Service

Identifying Such Vulnerabilities

Mitigations and Best Practices

Conclusion

Introduction: The Unyielding Guard of Android SELinux

Understanding ‘neverallow’ Rules in SELinux

Identifying ‘neverallow’ Violations

The Challenge and Art of Bypassing ‘neverallow’ Rules

Introduction: The Enforcing Wall

Understanding SELinux on Android

The Problem: Beyond Simple Policy Violations

Approach 1: Leveraging Kernel Vulnerabilities for Policy Manipulation

Targeting the selinux_enforcing Flag

Modifying Policy Decision Points

`frida_ssl_bypass.js`

Scenario: Abusing `file_type_transition`

Scenario: Exploiting `exec_transition`

Targeting the `selinux_enforcing` Flag

1. Static Policy Analysis with `sesearch`

3. Analyzing `type_transition` and `domain_transition`