# MBX-02 & MBX-08 — App Interception Toolkit
This document provides the complete working setup for test cases MBX-02 (UE to carrier apps) and MBX-08 (UE to app data path) using Frida + Burp Suite on Pixel 9.
## Quick Start
If you already have a rooted Pixel 9 with frida-server running and Burp Suite configured, jump to One-Line Launch.
## Prerequisites Checklist
See Support_Hardware_Pixel9.md Section 4.3 for full setup instructions.
## Device State Verification
Before starting interception, confirm your device is in the correct state:
```bash
# 1. Device sees ADB
adb devices
# Output: 47141FDAQ000YG device

# 2. Magisk root is available
adb shell su -c id
# Output: uid=0(root) gid=0(root) groups=0(root)

# 3. Frida-server is on device
adb shell ls -la /data/local/tmp/frida-server
# Output: -rwxr-xr-x frida-server (or similar)

# 4. Burp is running locally
curl -s http://127.0.0.1:8080 > /dev/null && echo "✓ Burp listening" || echo "✗ Burp NOT listening"

# 5. Reverse tunnel is set up
adb reverse tcp:8080 tcp:8080
```
## Setup Workflow
### Phase 1: Frida Server Startup (Device)
```bash
# Terminal 1: Start frida-server on device (persistent in background)
adb shell su -c "/data/local/tmp/frida-server &"
# Verify it's running
sleep 2
adb shell ps aux | grep frida-server
# Output should show: /data/local/tmp/frida-server
```
### Phase 2: ADB Reverse Tunnel (Laptop)
```bash
# Terminal 2: Set up tunnel so device can reach laptop's Burp
adb reverse tcp:8080 tcp:8080
# Verify tunnel
adb reverse --list
# Output: 127.0.0.1:8080 tcp:8080
```
### Phase 3: Frida Launcher (Laptop)
```bash
# Terminal 3: Use intercept.sh to launch interception
# Copy intercept.sh to your home directory:
cp utilities/intercept.sh ~/intercept.sh
chmod +x ~/intercept.sh

# Or launch manually:
frida -U \
  -l ~/frida-interception-and-unpinning/config.js \
  -l ~/frida-interception-and-unpinning/native-connect-hook.js \
  -l ~/frida-interception-and-unpinning/android/android-proxy-override.js \
  -l ~/frida-interception-and-unpinning/android/android-system-certificate-injection.js \
  -l ~/frida-interception-and-unpinning/android/android-certificate-unpinning.js \
  -l ~/frida-interception-and-unpinning/android/android-certificate-unpinning-fallback.js \
  -l ~/frida-interception-and-unpinning/android/android-disable-root-detection.js \
  -f com.att.personalcloud
```
## One-Line Launch
Once the setup is complete, you can resume a session with:
```bash
# Kill any stale frida-server (it runs as root, so the kill must run via su too)
adb shell su -c "pkill frida-server" 2>/dev/null
# Start fresh
adb shell su -c "/data/local/tmp/frida-server &" && \
  adb reverse tcp:8080 tcp:8080 && \
  sleep 1 && \
  ~/intercept.sh com.att.personalcloud
```
Or wrap it in a function:
```bash
# Add to ~/.bashrc or ~/.zshrc
intercept_app() {
  local pkg="${1:-com.att.personalcloud}"
  # frida-server was started as root; an unprivileged pkill cannot signal it
  adb shell su -c "pkill frida-server" 2>/dev/null
  adb shell su -c "/data/local/tmp/frida-server &" && \
    adb reverse tcp:8080 tcp:8080 && \
    sleep 1 && \
    ~/intercept.sh "$pkg"
}
# Usage:
intercept_app com.gmail.android
```
## Interception Script Files
### intercept.sh
- Location: `./utilities/intercept.sh`
- Purpose: Automate the Frida launcher with all unpinning modules
- Dependencies:
  - `$SCRIPTS` — path to the `frida-interception-and-unpinning` repo (default: `~/frida-interception-and-unpinning`)
  - `$PACKAGE` — target app package (arg 1, default: `com.att.personalcloud`)

Modules loaded:
- `config.js` — proxy + cert config
- `native-connect-hook.js` — native code interception
- `android-proxy-override.js` — force all traffic through Burp
- `android-system-certificate-injection.js` — inject system cert
- `android-certificate-unpinning.js` — SSL pinning bypass
- `android-certificate-unpinning-fallback.js` — fallback pinning bypass
- `android-disable-root-detection.js` — hide Magisk from app

Usage:
```bash
~/intercept.sh com.gmail.android
~/intercept.sh com.uber
```
### config.js
Place in `~/frida-interception-and-unpinning/config.js`:
```javascript
var CONFIG = {
    PROXY_ENABLED: true,
    PROXY_HOST: "127.0.0.1",
    PROXY_PORT: 8080,
    CA_CERT_PATH: "/system/etc/security/cacerts/9a5ba575.0",
    CA_CERT_FALLBACK: "/apex/com.android.conscrypt/cacerts/9a5ba575.0"
};
if (typeof module !== 'undefined' && module.exports) {
    module.exports = CONFIG;
}
```
Key fields:
- `PROXY_HOST`/`PROXY_PORT` — Burp listener (laptop)
- `CA_CERT_PATH` — Burp CA cert hash (must match your export)
## Burp Suite Configuration
### Export CA Certificate
- Open Burp Suite → Proxy → Settings → CA Certificate
- Click Export → DER format → save as `~/cacert.der`
- Convert to PEM:
  ```bash
  openssl x509 -inform DER -in ~/cacert.der -out ~/cacert.pem
  ```
- Get the cert hash:
  ```bash
  openssl x509 -inform PEM -subject_hash_old -in ~/cacert.pem | head -1
  # Output: 9a5ba575
  ```
- Update `config.js` with the correct hash (if different from `9a5ba575`)

### Verify Proxy Listener
- Proxy → Settings → Proxy listeners
- Confirm `127.0.0.1:8080` is listening
- When the app launches via Frida, traffic should appear in Proxy → HTTP history
## Test Case Integration
### MBX-02: UE to Carrier Apps
Objective: Identify externally visible carrier-app risk at the application layer.

Evidence collection:
- Launch the target app with `intercept.sh`
- Perform workflows: login, billing, device-management, support
- Capture screenshots and evidence:
  - Certificate validation failures (in Burp)
  - Weak headers (missing HSTS, security headers)
  - Token/credential handling
  - Telemetry volume and destinations
  - Exported components (run `adb shell dumpsys package com.att.personalcloud`)

Expected findings:
- Inventory of API endpoints
- Pinning status (pinned vs. unpinned with Frida)
- Telemetry destinations
- Excessive permissions in manifest

Evidence template:
| Test | Target App | Workflow | Traffic Captured? | Findings | Pass/Fail |
|---|---|---|---|---|---|
| MBX-02-001 | com.att.personalcloud | Login flow | Yes — Burp shows 8 HTTPS requests | Clear-text credentials? No | PASS |
| MBX-02-002 | com.att.personalcloud | Profile update | Yes — Burp shows 2 requests | Excessive telemetry? Yes — to analytics.att.com | FLAG |
| ... | ... | ... | ... | ... | ... |
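The "weak headers" and token-handling rows above can be pulled out of Burp's XML export instead of being read off each response by hand. The script below is an added example, not part of this toolkit or of Burp; it assumes Burp's "Save items" XML layout (one `<item>` per request with `<url>`, `<status>` and a base64-encoded `<response>`) and runs against a constructed two-item export embedded in the file.

```python
import base64
import xml.etree.ElementTree as ET

# Response headers whose absence on a carrier-app HTTPS endpoint is recorded as a finding.
EXPECTED_HEADERS = ("strict-transport-security", "x-content-type-options", "content-security-policy")

def parse_response_headers(raw):
    """Map lowercase header name -> list of values for a raw HTTP response (bytes)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:              # [0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def cookie_is_weak(set_cookie):
    """True when a Set-Cookie value lacks the Secure or the HttpOnly attribute."""
    attrs = {part.strip().lower() for part in set_cookie.split(";")[1:]}
    return not {"secure", "httponly"} <= attrs

def audit_burp_export(xml_text):
    """One finding per <item> whose response lacks an expected header or sets a weak cookie."""
    findings = []
    for item in ET.fromstring(xml_text).iter("item"):
        resp = item.find("response")
        if resp is None or not (resp.text or "").strip():
            continue                                 # request without a captured response
        raw = resp.text.strip().encode("latin-1")
        if resp.get("base64") == "true":             # Burp base64-encodes bodies by default
            raw = base64.b64decode(raw)
        headers = parse_response_headers(raw)
        missing = [h for h in EXPECTED_HEADERS if h not in headers]
        weak = [c.split("=", 1)[0] for c in headers.get("set-cookie", []) if cookie_is_weak(c)]
        if missing or weak:
            findings.append({"url": item.findtext("url", ""), "status": item.findtext("status", ""),
                             "missing_headers": missing, "weak_cookies": weak})
    return findings

def _item(url, response):
    """Constructed Burp-style <item> with a base64-encoded response (sample data only)."""
    return (f"<item><url>{url}</url><status>200</status>"
            f'<response base64="true">{base64.b64encode(response).decode()}</response></item>')

# Constructed sample export: one hardened endpoint and one with weak header/cookie posture.
SAMPLE_EXPORT = "<items>" + _item(
    "https://api.example-carrier.test/v1/profile",
    b"HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n"
    b"X-Content-Type-Options: nosniff\r\nContent-Security-Policy: default-src 'none'\r\n"
    b"Set-Cookie: sid=abc123; Secure; HttpOnly; Path=/\r\n\r\n{}",
) + _item(
    "https://api.example-carrier.test/v1/login",
    b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
    b"Set-Cookie: sid=abc123; Path=/\r\nSet-Cookie: lang=en; Secure; HttpOnly\r\n\r\n{}",
) + "</items>"

if __name__ == "__main__":
    for f in audit_burp_export(SAMPLE_EXPORT):
        print(f["url"], "missing:", f["missing_headers"], "weak cookies:", f["weak_cookies"])
```

Point `audit_burp_export` at the contents of a real export file to produce the rows for the evidence table; a response with no findings simply produces no row.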
### MBX-08: UE to App Data Path
Objective: Validate application-layer data-path trust from the handset outward.

Evidence collection:
- Capture HTTP/HTTPS traffic for each app
- Separate pinned vs. non-pinned workflows
- Record certificate validation behavior
- Note device identifiers and sensitive data exposure

Pinning status check:
```bash
# Which apps have pinned certificates?
# Use Frida unpinning status:
# If app connects AFTER Frida injects unpinning scripts → pinned ✓
# If app refuses connection even with scripts → strong pinning ✗
# If app connects without Frida → non-pinned ✓

# Android network_security_config check (run-as only works for debuggable builds):
adb shell run-as com.att.personalcloud cat /data/data/com.att.personalcloud/files/.../network_security_config.xml 2>/dev/null
# Or decompile APK with jadx and search for <domain-config>
```

Expected findings:
- Non-pinned endpoints (interceptable)
- Pinned endpoints (requires Frida or system cert injection)
- Sensitive data leakage (IMEIs, session tokens, location)
- Weak TLS versions (if any)
- Unencrypted HTTP usage (if any)

Evidence template:
| Test | App | Endpoint | TLS Version | Pinning | Certificate Validation | Sensitive Data Exposed | Result |
|---|---|---|---|---|---|---|---|
| MBX-08-001 | com.gmail.android | api.google.com | TLS 1.3 | Yes (Google) | Strict | None visible | PASS |
| MBX-08-002 | com.uber | api.uber.com | TLS 1.2 | No | Standard | Device ID in headers | FLAG |
| ... | ... | ... | ... | ... | ... | ... | ... |
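For the Pinning and TLS columns of this template, the app's `network_security_config.xml` (from `res/xml/` of the decompiled APK, as in Appendix A) can be summarised per domain before any traffic is captured. This is an added example rather than part of the toolkit; it applies Android's documented inheritance rules (a nested `<domain-config>` inherits from its parent, every domain-config from `<base-config>`, cleartext off by default as on API 28+, system CAs only by default as on API 24+) and runs against a constructed sample config.

```python
import xml.etree.ElementTree as ET

def _trust_sources(node):
    """src values (system, user, @raw/...) of <certificates> under this node's <trust-anchors>."""
    return [c.get("src") for c in node.findall("trust-anchors/certificates")]

def audit_network_security_config(xml_text):
    """Per-domain summary of an Android network_security_config.xml. A nested <domain-config>
    inherits from its parent and every domain-config from <base-config>; with nothing set,
    cleartext is treated as disabled (API 28+ default) and only system CAs are trusted (API 24+)."""
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    base_clear = base is not None and base.get("cleartextTrafficPermitted") == "true"
    base_trust = _trust_sources(base) if base is not None and base.find("trust-anchors") is not None else ["system"]
    report = {"base_cleartext": base_clear,
              "base_trusts_user_cas": "user" in base_trust,   # user-added CAs trusted app-wide
              "has_debug_overrides": root.find("debug-overrides") is not None, "domains": {}}

    def walk(cfg, clear, trust, pins):
        attr = cfg.get("cleartextTrafficPermitted")
        if attr is not None:
            clear = attr == "true"
        if cfg.find("trust-anchors") is not None:
            trust = _trust_sources(cfg)
        pin_set = cfg.find("pin-set")
        if pin_set is not None:
            pins = {"count": len(pin_set.findall("pin")), "expiration": pin_set.get("expiration")}
        for d in cfg.findall("domain"):
            report["domains"][d.text.strip()] = {"include_subdomains": d.get("includeSubdomains") == "true",
                                                 "cleartext": clear, "trust_anchors": trust, "pin_set": pins}
        for child in cfg.findall("domain-config"):     # nested configs inherit what was resolved here
            walk(child, clear, trust, pins)

    for cfg in root.findall("domain-config"):
        walk(cfg, base_clear, base_trust, None)
    return report

# Constructed sample: cleartext + user CAs allowed app-wide, one pinned carrier API domain with a
# nested legacy sub-config using its own bundled CA, and an unpinned telemetry domain.
SAMPLE_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors><certificates src="system"/><certificates src="user"/></trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">api.example-carrier.test</domain>
    <pin-set expiration="2027-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
    </pin-set>
    <domain-config>
      <domain>legacy.example-carrier.test</domain>
      <trust-anchors><certificates src="@raw/legacy_ca"/></trust-anchors>
    </domain-config>
  </domain-config>
  <domain-config><domain>telemetry.example-analytics.test</domain></domain-config>
</network-security-config>"""

if __name__ == "__main__":
    for domain, info in audit_network_security_config(SAMPLE_CONFIG)["domains"].items():
        print(domain, "cleartext" if info["cleartext"] else "tls-only", "pinned" if info["pin_set"] else "unpinned", info["trust_anchors"])
```

A domain that reports `pin_set` as `None` and `trust_anchors` containing `user` is the case where interception works without any Frida unpinning; a `pin_set` with a past `expiration` is no longer enforced by the platform.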
## Troubleshooting
| Issue | Symptom | Solution |
|---|---|---|
| Frida won't connect | Unable to attach to target | Restart frida-server: `adb shell su -c "pkill frida-server"; adb shell su -c "/data/local/tmp/frida-server &"` |
| App closes after Frida inject | App crashes immediately | Try without scripts: `frida -U -f com.app` (no `-l` args) to isolate the bad script |
| Burp not seeing traffic | Frida running but no traffic in Burp | Check: (1) `adb reverse tcp:8080 tcp:8080` is set (2) Burp proxy listener on 8080 (3) `config.js` has the correct Burp host/port |
| Certificate not trusted | SSL error even with Frida | Verify: (1) Burp CA installed on device (2) `config.js` cert path correct (3) Device rebooted after cert install |
| Google/Gmail traffic still pinned | Gmail app won't decrypt even with Frida | This is expected — Google has strong pinning. Test against non-Google apps. |
| Root detection bypass fails | App detects Magisk and refuses to run | Check that `android-disable-root-detection.js` is loaded in Frida (see `~/intercept.sh`); if the app still detects root, it has custom checks |
## Data Collection
### Burp Suite Export
After interception, export evidence:
```bash
# 1. In Burp: Dashboard → Export captured items
# 2. Export as: "all requests and responses"
# 3. Format: XML or CSV
# Or: Proxy → HTTP history → select → right-click → Copy all → save to file
```
### Frida Console Logs
Frida prints to the console during injection. Save it:
```bash
# Redirect frida output to a log:
~/intercept.sh com.att.personalcloud 2>&1 | tee ~/frida-intercept-$(date +%s).log
# Later: review frida-intercept-*.log for injection status and errors
```
### ADB Logs
Capture device logcat during interception:
```bash
# Terminal 4: Capture device logs
adb logcat -v threadtime > ~/device-logcat-$(date +%s).log
# Filter for target app:
adb logcat --pid=$(adb shell pidof com.att.personalcloud) -v threadtime
```
### Screenshots
Document UI state before/after interception:
```bash
adb shell screencap -p /sdcard/screenshot-$(date +%s).png
# Pull every screenshot; the glob must be expanded on the device, not by the laptop shell
mkdir -p ~/screenshots
for f in $(adb shell 'ls /sdcard/screenshot-*.png'); do adb pull "$f" ~/screenshots/; done
```
## Evidence Storage
Recommended directory structure:
```text
~/mobility-research/
├── mbx-02-carrier-apps/
│   ├── 2026-05-11_att-app_burp-export.xml
│   ├── 2026-05-11_att-app_frida.log
│   ├── 2026-05-11_att-app_logcat.log
│   ├── 2026-05-11_att-app_screenshots/
│   │   ├── login-flow-01.png
│   │   ├── permissions-dialog.png
│   │   └── success-screen.png
│   └── 2026-05-11_mbx-02_findings.md
└── mbx-08-data-path/
    ├── 2026-05-11_endpoint-matrix.xlsx
    ├── 2026-05-11_pinning-status.csv
    └── 2026-05-11_sensitive-data-exposure.md
```
## Next Steps
- MBX-01 — UE baseline (prerequisites for MBX-02/08)
- MBX-02 — Carrier apps (use this toolkit)
- MBX-08 — App data path (use this toolkit)
- MBX-09-11 — Core network baselines (Open5GS lab, no app toolkit needed)
- MBX-12-15 — LibreSDR RF testing (requires Faraday enclosure)
## References
- Support_Hardware_Pixel9.md — Device setup details
- Master_Blackbox_UE_to_Node_Test_Plan.md — Full test plan context
- Frida Interception & Unpinning — Script repo
- Burp Suite Community Edition
Document Version: 1.0
Last Updated: 2026-05-11
Status: Active — Ready for MBX-02 & MBX-08 execution
## Appendix A: APK Decompilation & Static Analysis
### apktool — Extract APK Structure
```bash
apktool d target-app.apk
cd target-app/
ls -la
```
Output directory structure:
| Folder | Purpose | Example |
|---|---|---|
| `original/META-INF` | Signatures, certificates, manifest verification | MANIFEST.MF, CERT.SF, CERT.RSA |
| `res/` | Resources (images, layouts, strings, configs) | Images, XML layouts, drawable assets |
| `res/raw` | Direct-access files (certificates, configs) | certificate.der, custom configs |
| `smali/` | Compiled Java bytecode in Smali format | App logic, custom classes |
| `smali/android`, `smali/androidx` | Framework components | System classes, Jetpack libraries |
| `AndroidManifest.xml` | App metadata, permissions, intent filters | Permissions, exported components |
### Extract and Analyze Certificate Pinning
```bash
# 1. Search for cert references in smali
grep -r "certificate" smali/ | grep -i "pin\|trust\|check"

# 2. Check for embedded certs in res/raw
ls -la res/raw/ | grep -i cert

# 3. Find network security config
find . -name "network_security_config.xml"
cat res/xml/network_security_config.xml 2>/dev/null

# 4. Decompile to Java with jadx for readability
jadx -d out target-app.apk
grep -r "CertificatePinner\|SSLContext\|TrustManager" out/sources/ 2>/dev/null
```
### Identify Pinning Mechanisms
| Pattern | Indicates | Bypass Method |
|---|---|---|
| `<domain-config>` in `network_security_config.xml` | Network security config pinning | Recompile APK + Frida unpinning |
| `CertificatePinner` in code | OkHttp/Retrofit pinning | Frida unpinning hooks |
| `TrustManager` override | Custom cert validation | Frida inject TrustAll |
| `SSLContext.getInstance("TLS")` | Low-level SSL setup | Frida native hooks |
## Appendix B: APK Certificate Pinning Bypass — Recompile Method
### When to Use Static Bypass
- App embeds certificate in `res/raw/`
- Legacy app with weak pinning
- Quick POC without Frida complexity
- CTF/intentionally vulnerable app

### Step-by-Step Workflow
#### Step 1: Extract APK
```bash
apktool d target-app.apk
cd target-app/res/raw
ls
```
#### Step 2: Replace Embedded Certificate
```bash
# Identify cert file (usually certificate.der, ca.crt, etc.)
# Replace with Burp CA cert
cp ~/cacert.der certificate.der
```
#### Step 3: Recompile APK
```bash
cd ../..
# apktool ships its own aapt; only add --aapt /path/to/aapt if the bundled one fails on this host
apktool b target-app -o target-app-modified.apk
```
#### Step 4: Sign APK
Option A — Uber APK Signer (recommended):
```bash
java -jar uber-apk-signer.jar --apks target-app-modified.apk
# Output: target-app-modified-aligned-debugSigned.apk
```
Option B — Manual signing:
```bash
# jarsigner produces a v1 (JAR) signature only; apps targeting API 30+ also need a v2 signature,
# so use apksigner from the Android build-tools (or Option A) for those
jarsigner -verbose -sigalg SHA256withRSA -digestalg SHA-256 \
  -keystore ~/.android/debug.keystore \
  -storepass android \
  -keypass android \
  target-app-modified.apk androiddebugkey
```
#### Step 5: Install on Device
```bash
# Option A output shown; Option B signs target-app-modified.apk in place, so install that file instead
adb install -r target-app-modified-aligned-debugSigned.apk
```
### Limitations
- ❌ Does NOT work against runtime pinning (OkHttp, custom TrustManager)
- ❌ Does NOT work if app uses code obfuscation or anti-tampering
- ❌ Does NOT work if APK signature check fails
- ✅ Works for static embedded certs only

### When to Fall Back to Frida
- App has runtime pinning (OkHttp, custom TrustManager)
- Static bypass fails or app detects tampering
- Need to preserve original app binary
- Time budget does not allow the rebuild-and-reinstall cycle of the static approach
## Appendix C: Mobile Security Frameworks
### MobSF — Mobile Security Framework
GitHub: https://github.com/MobSF/Mobile-Security-Framework-MobSF

Docker Quick Start:
```bash
docker pull opensecurity/mobile-security-framework-mobsf:latest
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
# Default credentials: mobsf / mobsf
```
Features:
- APK decompilation and bytecode analysis
- Permission audit (dangerous permissions)
- Hardcoded secrets scanning (API keys, tokens)
- YARA-based malware detection
- Certificate and signing analysis
- Manifest inspection

Workflow:
- Upload APK to web interface (http://localhost:8000)
- MobSF decompiles and analyzes automatically
- Review: Permissions, Strings, Certificate, Smali code
- Export report

### Uber APK Signer
GitHub: https://github.com/patrickfav/uber-apk-signer

Usage:
```bash
java -jar uber-apk-signer.jar --apks modified.apk
# Outputs: modified-aligned-debugSigned.apk (ready to install)
```
Advantages:
- No keystore manipulation required
- Handles APK alignment automatically
- Works with any APK (modified or original)
## Appendix D: Pixel 9 Hardware Reality
### Device Specifications
| Property | Value | Impact |
|---|---|---|
| SoC | Google Tensor G4 | Uses Samsung Exynos Modem 5400 (NOT Qualcomm) |
| Modem | Samsung Exynos 5400 | Limited SCAT support; QXDM/QPST incompatible |
| Bootloader | Unlockable | Full root access via Magisk |
| Secure Boot | Rollback protected | Device verified boot (can disable for testing) |
| ADB | USB 3.1 Gen 2 Type-C | High-speed data transfer |
| Build | BP3A.251105.015 | Android 16, fully patched as of test date |
### Frida Compatibility
- ✅ Frida 17.9.8+ fully supported
- ✅ User-mode instrumentation works on all Android processes
- ❌ Kernel-mode/modem instrumentation NOT available (Tensor G4 limitation)
- ✅ Rooted access enables system cert injection (Magisk)

### Notes for Researchers
Important: Pixel 9 uses Tensor G4 + Samsung Exynos Modem, NOT Snapdragon + Qualcomm.
This means:
- SCAT support is limited
- QXDM/QPST tools are incompatible
- RF/modem research requires a different toolchain
- App-level testing (Frida/Burp) works normally
## Appendix E: ADB Command Reference
### Device Management
```bash
# List connected devices
adb devices -l
# Restart adbd listening on USB (USB debugging itself is enabled once in Developer options on the device)
adb usb
# Get device properties
adb shell getprop ro.build.version.release   # Android version
adb shell getprop ro.hardware                # Hardware codename
adb shell getprop ro.board.platform          # Board platform
```
### Proxy & Network
```bash
# Set global HTTP proxy
adb shell settings put global http_proxy 127.0.0.1:8080
# Clear HTTP proxy
adb shell settings put global http_proxy :0
# Reverse tunnel (phone:8080 → laptop:8080)
adb reverse tcp:8080 tcp:8080
# List active tunnels
adb reverse --list
# Kill specific tunnel
adb reverse --remove tcp:8080
```
### Process Management
```bash
# Force-stop app
adb shell am force-stop com.example.app
# Start app with Frida
frida -U -f com.example.app
# Check if process running
adb shell ps aux | grep com.example.app
# Get PID
adb shell pidof com.example.app
```
### Root Operations
```bash
# Verify Magisk root
adb shell su -c id   # Output: uid=0(root)
# Run frida-server as root
adb shell su -c "/data/local/tmp/frida-server &"
# Kill frida-server (it runs as root, so the kill must run as root too)
adb shell su -c "pkill frida-server"
# Check Magisk
adb shell su -c "magisk -v"
```
### File Transfer
```bash
# Push file to device
adb push ~/cacert.der /sdcard/cacert.der
# Pull file from device
adb pull /system/etc/security/cacerts/9a5ba575.0 ~/9a5ba575.0
# Push and execute
adb push script.sh /data/local/tmp/
adb shell su -c "chmod +x /data/local/tmp/script.sh && /data/local/tmp/script.sh"
```
### Certificate Management
```bash
# List system certs
adb shell ls /system/etc/security/cacerts/
# Pull Burp CA cert from device
adb pull /system/etc/security/cacerts/9a5ba575.0 ~/9a5ba575.0
# Check cert hash on device (needs an openssl binary on the device, which stock Android lacks;
# otherwise pull the file and run the same openssl command on the laptop)
adb shell openssl x509 -inform PEM -subject_hash_old -in /system/etc/security/cacerts/9a5ba575.0 | head -1
```
### Logging
```bash
# Real-time logcat
adb logcat -v threadtime
# Filter by app
adb logcat --pid=$(adb shell pidof com.example.app)
# Save logcat to file
adb logcat -v threadtime > ~/device.log
# Clear logcat
adb logcat -c
```
## Appendix F: Troubleshooting Matrix
| Symptom | Likely Cause | Solution |
|---|---|---|
| `frida: error: unable to connect` | frida-server not running | `adb shell su -c "/data/local/tmp/frida-server &"` |
| App crashes on Frida inject | Bad Frida script or conflicting hook | Test: `frida -U -f com.app` (no scripts) |
| No traffic in Burp | Proxy not configured or tunnel missing | Check: (1) `adb reverse tcp:8080 tcp:8080` (2) `adb shell settings put global http_proxy 127.0.0.1:8080` (3) Burp listening on 8080 |
| `SSL_ERROR_INVALID_CERT` | Burp CA not installed or trusted | Verify: (1) `/system/etc/security/cacerts/9a5ba575.0` exists (2) Magisk module is active (3) Device rebooted |
| Google/Gmail won't decrypt | Built-in cert pinning (Google domains) | Expected behavior. Test non-Google apps instead. |
| Magisk root detection fails | App has custom root detection | Frida script `android-disable-root-detection.js` may be insufficient; requires app-specific bypass |
| APK recompile failed | Missing aapt or wrong path | Install aapt (Android build-tools) and confirm `which aapt` finds it, or pass `--aapt /path/to/aapt` to `apktool b` |
| APK install fails | APK not properly signed | Use Uber APK Signer: `java -jar uber-apk-signer.jar --apks app.apk` |
Session Origin: bd9dfeb3-818d-4c28-90b6-fe3951163d56
Created: 2026-05-11
Maintainer: tester
Last Updated: 2026-05-11 18:30