Xamarin
Reverse Engineering
- Unpack the apk
- Inside the unkown assemblies folder use tools/Xamarin_XALZ_decompress.py at master ยท x41sec/tools ยท GitHub to parse the headers from XLZ to PE so you can decrypt it with DnSpy
Traffic Interception
One technique to rule them all
AVD does not utilise the built in proxy settings of Android Devices, it utilises some magic under the hood to proxy traffic. Works on non-proxy aware applications 1. Set up an Pixel 3a XL android emulated device (needs to have SDK < 29). 2. Use Android Studio Virtual Device Manager with the following command line args. 3. Drag and drop the APK to the device to install it. 4. Install burp certificate on the device by following the guide: https://secabit.medium.com/how-to-configure-burp-proxy-with-an-android-emulator-31b483237053
Alternatively, if the device requires Google Play services:
1. Root an Android build with Google Play services using GitHub - newbit1/rootAVD: Script to root AVDs running with QEMU Emulator from Android Studio
2. Follow the same steps described above, but don't use the -writable-system flag when starting the device.
Intercept Traffic using tooling
- Use ProxyDroid โ Apps on Google Play and Burp NoPE
- Intercepting Non-HTTP Request Using Burp Suite + Extension (NoPE Proxy) | by #Ujan | Medium
SSL Unpinning
Resources
- Intercepting Xamarin Mobile App Traffic (triskelelabs.com)
- https://deepsec.net/docs/Slides/2021/Intercepting_Mobile_App_Network_Traffic_aka_%E2%80%9CThe_Squirrel_in_the_Middle%E2%80%9D_Sven_Schleier%20.pdf
- Invisible proxying - PortSwigger
- GitHub - helviojunior/xamarin_sslunpinning
- GitHub - GoSecure/frida-xamarin-unpin: A Frida script to bypass Xamarin certificate pinning implementations
- How To Capture Non-Proxy Aware Mobile Application Traffic (IOS & Android) Xamarin/Flutter -Pentesting | by salman syed | Medium