Skip to content

Evil-Pro/Shity-RMS-Runtime-Mobile-Security

BranchesTags

Repository files navigation

Runtime Mobile Security (RMS) πŸ“±πŸ”₯

RMS_logo

by @mobilesecurity_

Runtime Mobile Security (RMS), powered by FRIDA, is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime.

You can easily dump all the loaded classes and relative methods, hook everything on the fly, trace methods args and return value, load custom scripts and many other useful stuff.

Please check below a short video (1min42s) that shows RMS in action on an iOS device. Same functionalities are of course also available for Android devices.

iOS DEMO - VIDEO

RMS - iOS DEMO

Android DEMO - VIDEO

RMS - Android DEMO

Tutorial - Android

Prerequisites

FRIDA server up and running on the target device

Refer to the official FRIDA guide for the installation:

Some cool projects that can help you to auto install, update and run frida on Android devices:

They are not needed on iOS devices, since FRIDA starts just after the boot of the device (jailbreak mode).

Installation

  1. (optional) Create a python virtual environment
  2. pip3 install -r requirements.txt
  3. python3 mobilesecurity.py
  4. Open your browser at http://127.0.0.1:5000/

NOTE: In case of issue with your favorite Browser, please use Google Chrome (fully supported).

General Info

Runtime Mobile Security (RMS) supports Android and iOS devices.

It has been tested on MacOS and with the following devices:

  • AVD emulator
  • Genymotion emulator
  • Amazon Fire Stick 4K
  • iPhone 7
  • Chrome (Web Interface)

It should also work well on Windows and Linux but some minor adjustments may be needed.

Do not connect more than one device at the same time. RMS is not so smart at the moment πŸ˜‰

NOTE: Socket are not working on Safari, please use Chrome instead.

Known issues and improvements

  • Sometime RMS fails to load complex methods. Use a filter when this happens or feel free to improve the algo (agent/RMS_core.js).
  • Code is not optimized
  • Feel free to send me your best JS sript via a Pull request. I'll be happy to bundle all the best as default scripts in the next RMS release (e.g. root detection bypass, ssl pinning, etc)

Usage

1. Run your favorite app by simply inserting its package name

NOTE RMS attachs a persistence process called com.android.systemui on Android and SpringBoard on iOS devices to get the list of all the classes that are already loaded in memory before the launch of the target app. If you have an issue with them, try to find a different default package that works well on your device. You can set another default package via the Config Tab or by simply editing the config.json file.

DEMO_1_Android

DEMO_1_iOS

2. Check which Classes and Methods have been loaded in memory

DEMO_2_Android

DEMO_2_iOS

3. Hook on the fly Classes/Methods and trace their args and return values

DEMO_3_a

Go back to the dump page in order to have an overview of all the hooked methods that have been executed by the app βœ…

DEMO_3_b

4. Search instances of a specific class on the Heap and call its methods

DEMO_4_Android

DEMO_4_iOS

5. Select a Class and generate on the fly an Hook template for all its methods

DEMO_5_Android

DEMO_5_iOS

6. Easily detect new classes that have been loaded in memory

DEMO_6

7. Inject your favorite FRIDA CUSTOM SCRIPTS on the fly

Just add your .js files inside the custom_script folder and they will be automatically loaded by the web interface ready to be executed.

DEMO_7_Android

DEMO_7_iOS

8. API Monitor - Android Only

via the API Monitor TAB you can easily monitor tons of Android APIs organized in 20 different Categories. Support can be easily extended by adding more classes/methods to the api_monitor.json file.

DEMO_10

You can also monitor native functions: libc.so - open, close, read, write, unlink, remove

DEMO_8

9. FRIDA Script to load Stetho by Facebook [BONUS]

Inject the FRIDA script to load the amazing Stetho.

Stetho is a sophisticated debug bridge for Android applications. When enabled, developers have access to the Chrome Developer Tools feature natively part of the Chrome desktop browser. Developers can also choose to enable the optional dumpapp tool which offers a powerful command-line interface to application internals.

DEMO_9

10. File Manager [BETA]

A simple File Manager has been implemented to help you exploring app's private folders and files. This feature is still in BETA.

frida-fs has been implemented to enable files download directly from the browser (File Manager TAB).

In order to enable the download button, follow the steps below:

  1. Open the file called "mobilesecurity.py" and set the BETA variable to True
  2. Compile the "RMS_Core.js" agent via frida-compile! Just run the command npm install directly from the agent folder. A file called "_RMS_Core_BETA.js" will be generated.
  3. Run RMS!

DEMO_11_Android

DEMO_11_iOS

11. Static Analysis - iOS Only

DEMO_12_iOS

Acknowledgements

Special thanks to the following Open Source projects for the inspiration:

FRIDA Custom Scripts bundled in RMS - Credits:

DEMO apps:

  • RootBeer Sample is the DEMO app used to show how RMS works. RootBeer is an amazing root detection library. I decided to use the Sample app as DEMO just to show that, as every client-side only check, its root detection logic can be easily bypassed if not combined with a server-side validation.
  • DVIA a vulnerable app to test your iOS Penetration Testing Skills
  • Anti-Frida Frida Detection Examples by Bernhard Mueller.

License

RMS is licensed under a GNU General Public v3 License.

About

No description, website, or topics provided.

Resources

Readme

License

GPL-3.0 license
Activity

Stars

5 stars

Watchers

1 watching

Forks

4 forks
Report repository

Releases

14 tags

Packages

No packages published

Contributors 5

Languages