M 521: Stealing Secrets from Keeper on Android (15 pts extra)

What You Need for This Project

Purpose

To examine how the Keeper Android app uses RAM. Very badly.

Testing Frida-Server

On your host system, in a Terminal window, use adb to launch frida-server on your rooted Android emulator, as you did in project M 513.

On your host system, open a new Terminal.

If your frida-tools were installed in a virtual environment, execute this command:

source venv/bin/activate
Execute this command:
frida-ps -U
A long list of processes running on Android appears, as shown below.

Installing Keeper

I've saved two versions of Keeper: one for Intel x86_64 processors and one for ARM64 processors.

Follow the instructions for your emulator's processor below.

Intel x86_64 Processors

Download this file:
keeper_x86_64.zip
Then, on your host system, execute these commands:
adb push keeper_x86_64.zip /data/local/tmp
adb shell
su
cd /data/local/tmp
unzip keeper_x86_64.zip
pm install-create 116550323
The response tells you the session ID, highlighted in the image below.

Execute these commands, inserting your correct session ID instead of 1150567310 in each command below.
cd keeper_x86_64
pm install-write -S 104857620 1150567310 0 base.apk 
pm install-write -S 328089 1150567310 1 split_config.en.apk 
pm install-write -S 9929516 1150567310 2 split_config.x86_64.apk 
pm install-write -S 1435098 1150567310 3 split_config.xxhdpi.apk

pm install-commit 1150567310
The reply to the last command should be "success".

ARM64 Processors

Download this file:
keeperARM64.zip
Then, on your host system, execute these commands:
adb push keeperARM64.zip /data/local/tmp
adb shell
su
cd /data/local/tmp
unzip keeperARM64.zip
pm install-create 115944133
The response tells you the session ID, highlighted in the image below.

Execute these commands, inserting your correct session ID instead of 277062312 in each command below.
cd keeperARM64
pm install-write -S 104857620 277062312 0 base.apk 
pm install-write -S 328089 277062312 1 split_config.en.apk 
pm install-write -S 9323326 277062312 2 split_config.arm64_v8a.apk 
pm install-write -S 1435098 277062312 3 split_config.xxhdpi.apk

pm install-commit 277062312
The reply to the last command should be "success".
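Both install procedures above hand-copy the session ID and the byte sizes into each pm install-write command, which is where most typos happen. The script below is an added example, not part of the original project, that runs the same install-create / install-write / install-commit sequence against an unzipped split-APK directory (keeper_x86_64 or keeperARM64) but reads the session ID from pm's reply and the sizes from the files; it assumes adb is on PATH and that the emulator's su accepts `su -c`.

```shell
#!/bin/sh
# Added example (not from the project page): install a split-APK bundle with the
# pm session commands the project uses, without hand-copying IDs and sizes.
# Assumes: adb on PATH, rooted emulator whose su binary supports "su -c".

# Pull the numeric session ID out of pm install-create's reply, e.g.
# "Success: created install session [1150567310]". Prints nothing on failure.
parse_session_id() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([0-9][0-9]*\)\].*/\1/p'
}

# Build one install-write command line: -S <size> <session> <index> <apk name>.
# wc -c is used for the size because it behaves the same on Linux and macOS.
install_write_args() {
    size=$(wc -c < "$2" | tr -d ' ')
    printf 'install-write -S %s %s %s %s\n' "$size" "$1" "$3" "$(basename "$2")"
}

# Install every *.apk in a directory as one session. The install-create argument
# is the total size of all splits, matching the numbers on the project page.
install_split_apks() {
    dir=$1
    total=0
    for f in "$dir"/*.apk; do
        total=$((total + $(wc -c < "$f")))
    done
    reply=$(adb shell su -c "pm install-create $total")
    sid=$(parse_session_id "$reply")
    [ -n "$sid" ] || { echo "no session ID in reply: $reply" >&2; return 1; }
    i=0
    for f in "$dir"/*.apk; do
        adb push "$f" /data/local/tmp/ >/dev/null
        adb shell su -c "cd /data/local/tmp && pm $(install_write_args "$sid" "$f" "$i")"
        i=$((i + 1))
    done
    # pm replies "Success" when every split was accepted.
    adb shell su -c "pm install-commit $sid"
}

# Usage on the host, after unzipping the bundle locally:
#   install_split_apks keeper_x86_64
```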

Cold Boot

Shut down and cold boot your Android emulator.

Creating a Keeper Account

Open Keeper.

If an Alert box warns you that it's not safe to run it on a rooted phone, they're not wrong. Click "CONTINUE ANYWAY".

In the "Welcome to Your Keeper Vault" screen, click "CREATE ACCOUNT".

Enter an email address ending in mailinator.com, as shown below, and click NEXT.

Enter a master password of CCSF#masterpw! twice, as shown below, and click NEXT.

On your host system, open a browser and go to https://mailinator.com.

At the top left, enter your mail account name and click GO.

In the email from Keeper, find your Verification Code, as shown below.

Adding Private Data

On your Android phone, enter your Verification Code and click VERIFY.

On your Android device, a box appears saying "Creating your first record", as shown below.

Click "LET'S DO IT".

At the lower right, click the yellow plus-sign.

Enter a Facebook username and password, both containing the string CCSF#, as shown below.

At the top right, click the check mark.

A box pops up saying "You created your first record", as shown below.

Restarting Frida-Server on the Android Device

Using a Terminal, reconnect to your phone and start Frida-Server again, as shown below.

Testing Frida-Server

On your host system, open a new Terminal or Command Prompt.

If your frida-tools were installed in a virtual environment, execute this command:

source venv/bin/activate
Execute this command:
frida-ps -U
A long list of processes running on Android appears, as shown below.

Getting Fridump

Fridump is a great utility to acquire RAM from the phone.

On your host system, execute these commands:

git clone https://github.com/Nightbringer21/fridump.git
python3 fridump/fridump.py -h
You see the Fridump help message, as shown below.

Finding the Keeper Process Name

On your host system, execute this command:
frida-ps -U | grep eep
You see the name of the Keeper process, which was Keeper when I did it, as shown below.

Dumping Memory from Keeper

Flag M 521.1: Dumping Memory from Keeper (15 pts)

On your host system, execute these commands.

Be patient, the first one may take a minute or so to start.

python3 fridump/fridump.py -U -s Keeper
grep -a CCSF# dump/strings.txt
Many copies of your private data are found, ending with your master password, as shown below.

The flag is covered by a green rectangle in the image below.

Posted 11-8-22
Uses archived Keeper version, works for both x86_64 and ARM64 4-16-24
Video added 4-18-24