Foreign Caller

EasyMobile Security

Overview

The APK seems harmless at first glance, with a single activity that shows only a message. But a deeper look reveals a native function hiding beneath the surface—never called, never revealed. Can you take control at runtime and coax the truth from within? Flag format: flag{*****_***_****_**}

Lab Details

Prerequisites & Requirements

  • Android App Structure & Lifecycle:
    • Understanding the Activity Lifecycle (specifically the onCreate method) to know when an application initializes and when it is safe to inject code.
    • Familiarity with JNI (Java Native Interface): Understanding how Java code communicates with native C/C++ libraries (native-lib) and how native keywords function in Android code.
  • Java to JavaScript Logic:
    • Basic knowledge of writing JavaScript to interface with the Frida API.
    • Understanding of Object-Oriented Programming concepts, specifically the this keyword, to access the current instance of a class.
  • Dynamic Instrumentation Basics:
    • The ability to set up a Frida environment (server on device/emulator and client on PC) to intercept process execution at runtime.

What will you learn?

  • Static Analysis with JADX:
    • Analyzing decompiled Java code to identify unused (dead) code.
    • Recognizing the signature of native functions (public native String stringFromJNI()) that are defined but never invoked by the application logic.
  • Dynamic Hooking with Frida:
    • Method Interception: Learning how to hook the MainActivity.onCreate method by replacing its implementation, so that custom logic runs during app startup.
    • Handling Overloads: Using .overload('android.os.Bundle') to target the specific signature of the onCreate method.
    • Instance Manipulation: Learning how to capture the instance (this) of an active class.
    • Forced Execution: Manually invoking a hidden or uncalled function (this.stringFromJNI()) from within the hook to retrieve its return value (the flag) without modifying the original APK.
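The four objectives above are one procedure, so here is a single Frida script that carries them out end to end. It is an added example, not the lab's own solution, and it assumes a class name of com.example.foreigncaller.MainActivity (a placeholder; read the real package and class from JADX). The report callback and the check against the stated flag format are additions of mine, not part of the lab: they let the hook distinguish a plausible flag from an empty or error string before printing it.

```javascript
// Added example (not part of the lab page): a Frida script that hooks
// MainActivity.onCreate, lets the original run, then calls the never-invoked
// native method on the captured instance and reports what it returns.
// ASSUMPTION: the fully qualified class name below is a placeholder.
const TARGET_CLASS = 'com.example.foreigncaller.MainActivity';

// The lab states the flag shape as flag{*****_***_****_**}: groups of 5, 3, 4
// and 2 characters separated by underscores. Underscores and braces are
// excluded from each group so a group cannot absorb a separator.
const FLAG_RE = /^flag\{[^_{}]{5}_[^_{}]{3}_[^_{}]{4}_[^_{}]{2}\}$/;

function matchesFlagFormat(value) {
  return typeof value === 'string' && FLAG_RE.test(value);
}

// Builds the replacement implementation for onCreate. Frida invokes it with
// `this` bound to the live MainActivity wrapper, which is exactly the
// instance needed to call the hidden native method. It is kept separate from
// the Frida bootstrap so the hook logic can be exercised outside Frida.
function makeOnCreateHook(report) {
  return function (bundle) {
    // Forward to the original onCreate so the Activity initialises normally
    // and the app keeps running after the hook fires.
    this.onCreate(bundle);
    // Forced execution: nothing in the app calls stringFromJNI(), so call it
    // ourselves on the captured instance and hand the result to the reporter.
    const result = this.stringFromJNI();
    report(result, matchesFlagFormat(result));
  };
}

// Frida entry point. The `Java` bridge object only exists when this file is
// loaded by Frida into an Android process; under plain Node this is skipped.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    const MainActivity = Java.use(TARGET_CLASS);
    // onCreate has a single overload taking android.os.Bundle; naming it
    // explicitly avoids the ambiguity error Frida raises for overloaded methods.
    MainActivity.onCreate.overload('android.os.Bundle').implementation =
      makeOnCreateHook(function (value, looksLikeFlag) {
        console.log('[*] stringFromJNI() returned: ' + value);
        console.log(looksLikeFlag
          ? '[+] matches the stated flag format'
          : '[-] does not match flag{*****_***_****_**}, check the class name');
      });
  });
}
```

Spawn the app with the script attached (for example frida -U -f <package> -l hook.js, with the real package name substituted) rather than attaching to an already-running process: onCreate runs once at startup, so a hook installed afterwards never fires unless the Activity is recreated.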

Tools

  • JADX (Dex to Java Decompiler):
    • Used for Static Analysis. It converts the compiled .dex files inside the APK back into readable Java source code. This allows us to find the MainActivity, spot the missing call, and identify the target function stringFromJNI.
  • Frida:
    • A dynamic code instrumentation toolkit used for Runtime Manipulation. It injects the JavaScript payload into the running application process.

Job Positions

Mobile Security Engineer

Tags

Static Analysis, Dynamic Analysis, Decompiler, Process Injection, Hooking, API Calls, Function Probes, Code Flow