MASTG-TEST-0341: Testing Runtime Hook Detection

Overview

This test verifies whether the app detects and responds to instrumentation and hooking attempts at runtime. For example, if the app does not terminate immediately when the following methods are called:

Warning

This list is just indicative, and each app may have its own defensive response mechanisms.

Steps

  1. Use Installing Apps to install the app.
  2. Use Method Tracing to attempt to hook a security-relevant Java method (e.g., authentication, certificate validation) and/or a native function.
  3. Capture the output, including any abrupt session termination events or errors.

Observation

The output should contain one of the following:

  • The expected hook callback data (e.g., function arguments, return values).
  • Session termination, script errors, empty responses, or absence of expected hook data.

Evaluation

The test case fails if the hook executes successfully and returns the expected data, indicating the app lacks runtime integrity verification.

The test case passes if the hooking attempt fails due to the app's defensive response (e.g., session terminates unexpectedly, hook callbacks never execute, or the process exits).
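The evaluation rules above can be applied mechanically to a captured session. The following is an added example, not part of the MASTG or of any tool's own code: the `HOOK`, `ERROR` and `SESSION_END` line formats are assumed markers that the tester's own tracing script and harness would print, and the sample captures are constructed. It also assumes that a session which returned hook data before being terminated counts as a fail, and that a silent capture is only a pass when the tester actually exercised the hooked code path.

```python
import re
from dataclasses import dataclass

# Assumed marker formats (not any real tool's output): the tester's tracing
# script prints "HOOK <method> <data>" from each callback, and the harness
# appends "ERROR <msg>" / "SESSION_END reason=<text>" lines.
HOOK_RE = re.compile(r"^HOOK\s+(?P<method>\S+)\s+(?P<data>.+)$")
END_RE = re.compile(r"^SESSION_END\s+reason=(?P<reason>.+)$")
ERROR_RE = re.compile(r"^ERROR\s+(?P<msg>.+)$")

@dataclass
class Verdict:
    result: str  # "fail", "pass" or "inconclusive"
    reason: str

def evaluate(capture: str, target: str, exercised: bool) -> Verdict:
    """Classify one captured session for the hooked method `target`.

    `exercised` records whether the tester triggered the hooked code path,
    so a silent capture is not mistaken for a defensive response.
    """
    hooks, signals = [], []
    for line in capture.splitlines():
        line = line.strip()
        if m := HOOK_RE.match(line):
            if m["method"] == target:
                hooks.append(m["data"])
        elif m := END_RE.match(line):
            signals.append("session ended: " + m["reason"])
        elif m := ERROR_RE.match(line):
            signals.append("error: " + m["msg"])
    # Any expected hook data means the hook executed, even if the app
    # terminated the session afterwards.
    if hooks:
        return Verdict("fail", f"{len(hooks)} callback(s) returned data for {target}")
    if signals:
        return Verdict("pass", "no hook data; " + "; ".join(signals))
    if exercised:
        return Verdict("pass", "code path exercised but hook callbacks never executed")
    return Verdict("inconclusive", "no hook data and target code path not exercised")

# Constructed sample captures.
TARGET = "javax.crypto.Cipher.doFinal"
UNPROTECTED = f"HOOK {TARGET} args=[16 bytes] ret=[32 bytes]\n" * 2
PROTECTED = "ERROR script failed to attach\nSESSION_END reason=process-terminated"
LATE_KILL = f"HOOK {TARGET} args=[8 bytes] ret=[16 bytes]\nSESSION_END reason=process-terminated"

if __name__ == "__main__":
    for name, cap in [("unprotected", UNPROTECTED), ("protected", PROTECTED), ("late kill", LATE_KILL)]:
        print(name, evaluate(cap, TARGET, exercised=True))
```
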

Note

Even if the test case passes, it might still be possible to bypass the app's defensive response. Detection of Reverse Engineering Tools and Runtime Integrity Verification describe such challenges.

Best Practices

MASTG-BEST-0041: Hardening Against Runtime Hooking

Demos

  • MASTG-DEMO-0106: Extracting Sensitive Data from Cipher.doFinal via Frida Hooking
  • MASTG-DEMO-0108: Bypassing Frida Detection in /proc/self/maps to Extract Sensitive Data
  • MASTG-DEMO-0107: Detecting Frida hooks and terminating the application on response