RMS-Runtime-Mobile-Security
Runtime Mobile Security (RMS) 📱🔥 - is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime
Top Related Projects
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
Documentation:
📱 objection - runtime mobile exploration
Clone this repo to build Frida
Dex to Java decompiler
Quick Overview
RMS-Runtime-Mobile-Security is a powerful web interface for dynamic analysis and manipulation of Android and iOS applications. It leverages Frida, a dynamic instrumentation toolkit, to provide real-time insights into app behavior and allows for runtime modifications. This tool is particularly useful for security researchers, penetration testers, and mobile app developers.
Pros
- User-friendly web interface for easy interaction with mobile apps
- Supports both Android and iOS platforms
- Provides a wide range of pre-built scripts for common analysis tasks
- Allows custom script injection for advanced users
Cons
- Requires a rooted/jailbroken device for full functionality
- May not work with all apps, especially those with advanced anti-tampering measures
- Setup process can be complex for beginners
- Limited documentation for some advanced features
Getting Started
-
Install the required dependencies:
pip install -r requirements.txt
-
Start the RMS server:
python3 mobilesecurity.py
-
Access the web interface at
http://127.0.0.1:5000
-
Connect your mobile device and start analyzing apps using the provided interface.
Note: Ensure that Frida is properly set up on your target device before using RMS. Refer to the project's README for detailed setup instructions and troubleshooting tips.
Competitor Comparisons
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
Pros of Mobile-Security-Framework-MobSF
- Comprehensive mobile app security testing framework supporting both static and dynamic analysis
- Extensive reporting capabilities with detailed vulnerability assessments
- Active development and community support with regular updates
Cons of Mobile-Security-Framework-MobSF
- Steeper learning curve due to its comprehensive nature
- Requires more system resources for full functionality
- May be overkill for simple runtime analysis tasks
Code Comparison
MobSF (Python):
def scan_file(self, file_path):
# Perform static analysis
static_analysis_result = self.static_analyzer.analyze(file_path)
# Perform dynamic analysis
dynamic_analysis_result = self.dynamic_analyzer.analyze(file_path)
return self.generate_report(static_analysis_result, dynamic_analysis_result)
RMS-Runtime-Mobile-Security (JavaScript):
function analyzeRuntime(app) {
// Hook into app runtime
frida.attach(app);
// Monitor runtime behavior
frida.monitor(app);
return generateReport();
}
The code snippets illustrate the different approaches:
- MobSF performs both static and dynamic analysis
- RMS focuses on runtime analysis using Frida
Both tools serve different purposes in mobile app security testing, with MobSF offering a more comprehensive solution and RMS providing specialized runtime analysis capabilities.
Documentation:
Pros of appmon
- Supports both Android and iOS platforms
- Provides a graphical user interface for easier interaction
- Offers real-time monitoring and analysis of mobile app traffic
Cons of appmon
- Less actively maintained (last update in 2019)
- Requires more setup and dependencies
- Limited documentation and community support
Code Comparison
appmon:
def on_message(message, data):
if message['type'] == 'send':
print("[*] {0}".format(message['payload']))
else:
print(message)
RMS-Runtime-Mobile-Security:
function hookNativeFunctionByName(functionName) {
var nativeFunction = Module.findExportByName(null, functionName);
if (nativeFunction != null) {
Interceptor.attach(nativeFunction, {
onEnter: function(args) {
console.log("[*] " + functionName + " called");
}
});
}
}
Both projects aim to enhance mobile app security analysis, but RMS-Runtime-Mobile-Security focuses specifically on Android and provides a more modern, web-based interface. It also offers more frequent updates and better documentation. appmon, while supporting both Android and iOS, has a more traditional approach with its GUI and hasn't been updated recently. The code snippets show different approaches to message handling and function hooking, reflecting the distinct focuses of each project.
📱 objection - runtime mobile exploration
Pros of objection
- More comprehensive feature set for mobile app security testing
- Active development and regular updates
- Extensive documentation and community support
Cons of objection
- Steeper learning curve for beginners
- Requires more setup and configuration
- May be overkill for simple runtime analysis tasks
Code Comparison
RMS-Runtime-Mobile-Security:
@app.route('/api/loadFrida', methods=['POST'])
def load_frida():
# Load Frida script
device = frida.get_usb_device()
pid = device.spawn([package_name])
session = device.attach(pid)
objection:
def _spawn_target(self):
try:
self.device.spawn(self.package)
return self.device.attach(self.package)
except frida.ProcessNotFoundError:
click.secho('Unable to spawn {0}'.format(self.package), fg='red')
Both projects use Frida for runtime manipulation, but objection offers a more abstracted and feature-rich approach to mobile app security testing. RMS-Runtime-Mobile-Security provides a simpler, web-based interface for quick analysis, while objection offers a more powerful command-line tool with extensive capabilities. The choice between the two depends on the user's needs and expertise level in mobile app security testing.
Clone this repo to build Frida
Pros of Frida
- More mature and widely adopted project with extensive documentation and community support
- Supports a broader range of platforms, including iOS, Android, Windows, macOS, and Linux
- Offers powerful dynamic instrumentation capabilities with a flexible scripting API
Cons of Frida
- Steeper learning curve, especially for users new to dynamic analysis
- Requires more setup and configuration compared to RMS
- May be overkill for simple mobile app analysis tasks
Code Comparison
Frida script example:
Java.perform(function() {
var MainActivity = Java.use("com.example.app.MainActivity");
MainActivity.sensitiveMethod.implementation = function() {
console.log("sensitiveMethod called");
return this.sensitiveMethod();
};
});
RMS doesn't require writing custom scripts for basic hooking. Instead, it provides a web interface for runtime manipulation:
# No equivalent code snippet, as RMS uses a GUI for most operations
RMS focuses on providing a user-friendly interface for mobile app analysis, while Frida offers more flexibility and power through its scripting capabilities. RMS is easier to use for beginners, but Frida provides more advanced features for experienced security researchers.
Dex to Java decompiler
Pros of jadx
- Provides a graphical user interface for easier navigation and analysis of decompiled code
- Supports multiple output formats, including Java source code and Smali
- Actively maintained with frequent updates and improvements
Cons of jadx
- Focused primarily on static analysis, lacking runtime inspection capabilities
- Limited to Android APK and Dex files, not as versatile for other mobile platforms
- May struggle with heavily obfuscated code or complex applications
Code comparison
RMS-Runtime-Mobile-Security:
def get_loaded_classes(self):
loaded_classes = self.java.jvm.java.lang.Class.getClasses()
return [str(c) for c in loaded_classes]
jadx:
public static List<ClassNode> getClassesWithField(DexNode dex, Field field) {
List<ClassNode> list = new ArrayList<>();
for (ClassNode cls : dex.getClasses()) {
if (cls.searchFieldByName(field.getName()) != null) {
list.add(cls);
}
}
return list;
}
While RMS-Runtime-Mobile-Security focuses on runtime analysis and dynamic inspection of loaded classes, jadx primarily deals with static analysis and decompilation of Android applications. RMS provides more flexibility for runtime manipulation, while jadx excels in generating readable source code from compiled Android apps.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
Runtime Mobile Security (RMS) ð±ð¥
Runtime Mobile Security (RMS), powered by FRIDA, is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime.
With RMS you can easily dump all loaded classes and relative methods, hook everything on the fly, trace methods args and return value, load custom scripts and many other useful stuff.
iOS DEMO - VIDEO
Android DEMO - VIDEO
Tutorial - Android
- Solving OWASP UnCrackable Android App Level 1 with Runtime Mobile Security (RMS)
- Solving OWASP UnCrackable Android App Level 2 with Runtime Mobile Security (RMS)
- Solving SANS Holiday Hack Challenge 2024 with Runtime Mobile Security (RMS) by Andrea Lamonato
Prerequisites
- NodeJS installed on your computer
- FRIDA's CLI tools installed on your computer
- FRIDA server up and running on the target device
Quick smoke-test
As suggested by the official FRIDA doc, please perform a quick smoke-test to make sure FRIDA is working properly on your test device.
By running the frida-ps -U
command from your desktop, you should receive the list of the processes running on your connected mobile device.
Android | iOS
PID NAME | PID NAME
1590 com.facebook.katana | 488 Clock
3282 com.twitter.android | 116 Facebook
⦠â¦
Tips
Some cool projects that can help you to auto install, update and run FRIDA on Android devices are:
They are not needed on iOS devices, since FRIDA starts just after the boot of the device (jailbreak mode).
Installation
- Open the terminal and run the following command to install the npm package
npm install -g rms-runtime-mobile-security
- If you can't install the frida-node dependency, please check this troubleshooting post written by Chichou to choose another version of Node.js
- Make sure frida-server is up and running on the target device.
- Instructions are here: prerequisites / quick smoke-test
- Launch RMS via the following command
rms
(orRMS-Runtime-Mobile-Security
)
- Open your browser at
http://127.0.0.1:5491/
- Start enjoying RMS ð±ð¥
NOTE
Default RMS port has been changed from 5000 to 5491 because since MacOS Ventura, port 5000 is the Control Center's default port. If you wish to change the default port, you can also run RMS with the --port parameter followed by the desired port number e.g. rms --port 9000
Notes and possibile issues
- In case of issues with the npm package installed as a global cli app, please try the local installation (development mode)
- In case of issues with your favorite Browser (e.g. logs not printed in the web console), please use Google Chrome (fully supported)
- If RMS is not able to detect your device, please perform the following checks:
- double check if frida-server is up and running on the target device. Instructions are here: prerequisites / quick smoke-test
- RMS must be started after frida-server
- make sure that only 1 device is connected to your computer. RMS is currently not able to detect multiple devices
- kill RMS and start it again
Development mode
Follow the steps below if you want to develop new features for RMS ð
git clone https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security.git
cd RMS-Runtime-Mobile-Security
npm install
(local installation)- Launch RMS via
node rms.js
- You can also install RMS as global package by running the following commands:
npm install -g
to install dependenciesnpm run compile
to compile the frida-agentrms
to run RMS (anywhere)
NOTE: If you add new features to the agent (/agent/RMS_core.js), please remember to recompile the code by running npm run compile
or directly via the frida-compile command (frida-compile agent/RMS_core.js -o agent/compiled_RMS_core.js
)
General Info
Runtime Mobile Security (RMS) supports Android and iOS devices.
It has been tested on MacOS and with the following devices:
- AVD emulator
- Genymotion emulator
- Amazon Fire Stick 4K
- iPhone 7
- Chrome (Web Interface)
It should also work well on Windows and Linux but some minor adjustments may be needed.
Known issues and improvements
- Sometime RMS fails to load complex methods. Use a filter when this happens or feel free to improve the algo (agent/RMS_core.js)
- Socket are not working on Safari, please use Chrome instead
- RMS is not able to recognize multiple devices. Please do not connect more than one device at the same time
- Code is not optimized
- Feel free to send me your best JS script via a Pull Request. I'll be happy to bundle all the best as default scripts in the next RMS release (e.g. root detection bypass, ssl pinning, etc)
Usage
1. Run your favorite app by simply inserting its package name
NOTE RMS attachs a persistence process called com.android.systemui on Android and SpringBoard on iOS devices to get the list of all the classes that are already loaded in memory before the launch of the target app. If you have an issue with them, try to find a different default package that works well on your device. You can set another default package via the Config Tab or by simply editing the /config/config.json file.
2. Check which Classes and Methods have been loaded in memory
3. Hook on the fly Classes/Methods and trace their args and return values
Go back to the dump page in order to have an overview of all the hooked methods that have been executed by the app â
4. Search instances of a specific class on the Heap and call its methods
5. Select a Class and generate on the fly an Hook template for all its methods
6. Easily detect new classes that have been loaded in memory
7. Inject your favorite FRIDA CUSTOM SCRIPTS on the fly
Just add your .js files inside the custom_script folder and they will be automatically loaded by the web interface ready to be executed.
8. API Monitor - Android Only
via the API Monitor TAB you can easily monitor tons of Android APIs organized in 20 different Categories. Support can be easily extended by adding more classes/methods to the /config/api_monitor.json file.
You can also monitor native functions: libc.so - open, close, read, write, unlink, remove
9. FRIDA Script to load Stetho by Facebook [BONUS]
Inject the FRIDA script to load the amazing Stetho.
Stetho is a sophisticated debug bridge for Android applications. When enabled, developers have access to the Chrome Developer Tools feature natively part of the Chrome desktop browser. Developers can also choose to enable the optional dumpapp tool which offers a powerful command-line interface to application internals.
10. File Manager [BETA]
A simple File Manager has been implemented to help you exploring app's private folders and files. This feature is still in BETA.
improvement: frida-fs needs to be implemented to enable files download directly from the browser (File Manager TAB).
11. Static Analysis - iOS Only
Acknowledgements
Special thanks to the following Open Source projects for the inspiration:
FRIDA Custom Scripts bundled in RMS - Credits:
- Runtime Mobile Security (RMS)
- FSecureLABS
- Mediaservice
- federicodotta
- iddoeldor
- dzonerzy
- akabe1
- Areizen
- int3rf3r3nc3
- dki
- ay-kay
- chaitin
- lich4
- fadeevab
- realgam3
- noobpk
- enovella
DEMO apps:
- RootBeer Sample is the DEMO app used to show how RMS works. RootBeer is an amazing root detection library. I decided to use the Sample app as DEMO just to show that, as every client-side only check, its root detection logic can be easily bypassed if not combined with a server-side validation.
- DVIA a vulnerable app to test your iOS Penetration Testing Skills
- Anti-Frida Frida Detection Examples by Bernhard Mueller.
License
RMS is licensed under a GNU General Public v3 License.
Top Related Projects
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
Documentation:
📱 objection - runtime mobile exploration
Clone this repo to build Frida
Dex to Java decompiler
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot