Xamarin

Reverse Engineering

Unpack the apk
```
apktool b com.vulnapp.apk
```
Inside the unkown assemblies folder use tools/Xamarin_XALZ_decompress.py at master · x41sec/tools · GitHub to parse the headers from XLZ to PE so you can decrypt it with DnSpy

Traffic Interception

One technique to rule them all

AVD does not utilise the built in proxy settings of Android Devices, it utilises some magic under the hood to proxy traffic. Works on non-proxy aware applications 1. Set up an Pixel 3a XL android emulated device (needs to have SDK < 29). 2. Use Android Studio Virtual Device Manager with the following command line args. 3. Drag and drop the APK to the device to install it. 4. Install burp certificate on the device by following the guide: https://secabit.medium.com/how-to-configure-burp-proxy-with-an-android-emulator-31b483237053
# -list-avds : List virtual devices
C:\Users\Karim\AppData\Local\Android\Sdk\emulator\emulator.exe -list-avds


# --writeable : start as root
# --http-proxy
C:\Users\Karim\AppData\Local\Android\Sdk\emulator\emulator.exe -avd 'Pixel_3a_XL_API_28'  -http-proxy 127.0.0.1:8080 -writable-system

Intercept Traffic using tooling

Use ProxyDroid – Apps on Google Play and Burp NoPE Intercepting Non-HTTP Request Using Burp Suite + Extension (NoPE Proxy) | by #Ujan | Medium

SSL Unpinning

GoSecure/frida-xamarin-unpin: A Frida script to bypass Xamarin certificate pinning implementations (github.com)

Resources

Intercepting Xamarin Mobile App Traffic (triskelelabs.com)
https://deepsec.net/docs/Slides/2021/Intercepting_Mobile_App_Network_Traffic_aka_%E2%80%9CThe_Squirrel_in_the_Middle%E2%80%9D_Sven_Schleier%20.pdf
Invisible proxying - PortSwigger
GitHub - helviojunior/xamarin_sslunpinning
GitHub - GoSecure/frida-xamarin-unpin: A Frida script to bypass Xamarin certificate pinning implementations