In Android cyber tool development, comprehensive testing capabilities are vital for building robust and secure Android applications.
Our next blog post highlights how Bungeegum enables Android CNO tool developers to align their testing more closely with real-world use cases. While development and testing infrastructure for standard Android applications is quite mature, the unique needs of CNO developers have been underserved. By leveraging Bungeegum, CNO development teams can automate processes that were previously manual, streamlining the creation of robust Android cyber tools.
Imagine the following scenario: You’ve spent months developing an incredible new CNO capability, conducting tests across your entire range of devices (perhaps using Lariat), and you’re ready to confidently deliver your product. However, when you attempt to test it with a real exploit chain and remote code execution (RCE), you realize that your tool doesn’t work when running inside Telegram’s application process due to SELinux context restrictions.
Traditionally, automated testing involved running binaries from a device’s shell via Android Debug Bridge (ADB). Experienced Android CNO developers know that before delivering a capability, it needs to be tested in the same SELinux context and seccomp sandbox that an initial RCE will land in. This testing is usually performed manually, making it non-scalable, time-consuming, and error-prone.
The run-as command is a convenient approximation of an application context, but it’s important to recognize the differences between the runas_app and untrusted_app SELinux contexts. The runas_app context provides higher privileges and fewer restrictions, which can lead to false positives where the binary works under run-as but fails in a real app environment (untrusted_app). Issues such as stricter sandboxing, SELinux denials, limited resource access, and differences in app lifecycle and environment may not be apparent when testing with run-as alone.
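One way to make that gap visible, as an added example that is not part of this post or of Bungeegum: a small Python parser for SELinux AVC denials in logcat that tallies which (class, permission) pairs were refused per source domain, so a run under run-as (runas_app) can be compared against one under untrusted_app. The logcat lines below are constructed samples, not captured from a device.

```python
import re
from collections import Counter, defaultdict

# Constructed sample logcat output (not from a real device). The AVC lines
# follow the standard Android "avc: denied { perm } ... scontext= tcontext=
# tclass=" layout; the third line is ordinary app output and is ignored.
SAMPLE_LOGCAT = """\
01-02 03:04:05.123  1234  1234 W tmpFile : type=1400 audit(0.0:42): avc: denied { execute } for path="/data/user/0/com.zetier.bungeegum/tmpFile" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=0
01-02 03:04:05.456  1234  1234 W tmpFile : type=1400 audit(0.0:43): avc: denied { read } for name="ro.build.fingerprint" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0
01-02 03:04:06.001  5678  5678 I tmpFile : hello world
01-02 03:04:07.789  2222  2222 W sh      : type=1400 audit(0.0:44): avc: denied { read } for name="ro.build.fingerprint" scontext=u:r:runas_app:s0:c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
    r"(?:.*?permissive=(?P<permissive>[01]))?"
)

def parse_avc_denials(logcat_text):
    """Return one dict per 'avc: denied' line; non-AVC lines are skipped."""
    denials = []
    for line in logcat_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": m.group("perms").split(),
            # The SELinux domain is the third field of "u:r:<domain>:s0:..."
            "domain": m.group("scontext").split(":")[2],
            "tcontext": m.group("tcontext"),
            "tclass": m.group("tclass"),
            "permissive": m.group("permissive") == "1",
        })
    return denials

def denials_by_domain(denials):
    """Map source domain -> Counter of (tclass, permission) actually enforced."""
    out = defaultdict(Counter)
    for d in denials:
        if d["permissive"]:  # permissive denials were logged but allowed
            continue
        for perm in d["perms"]:
            out[d["domain"]][(d["tclass"], perm)] += 1
    return out

def only_in_untrusted_app(by_domain):
    """Denials seen under untrusted_app that the run-as (runas_app) run never hit."""
    return set(by_domain.get("untrusted_app", {})) - set(by_domain.get("runas_app", {}))
```

Feed it the output of `adb logcat -d` from one run under run-as and one under the real app context; whatever `only_in_untrusted_app` returns is exactly the class of false positive the paragraph above warns about.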
Bungeegum is a Python tool that utilizes Frida, enabling users to easily run code from within a test Android application. This approach automates testing to closely resemble real-world use cases without relying on sensitive exploit chains or custom tooling. When code is executed with Bungeegum, it operates within the application’s context and memory space, mirroring how Android CNO tools are typically used in real-world scenarios.
Bungeegum currently offers two main modes of operation: ELF mode and shellcode mode.
In ELF mode, users can specify either a local or remote filepath. The specified file is then called within the dummy Bungeegum Android application using the exec call. Optionally, arguments can be passed to the exec call as well.
bungeegum --remote --elf /system/bin/log --args "hello world"
In this example, the /system/bin/log binary located on the Android device is executed, with the argument “hello world,” resulting in a logcat message of “hello world.”
bungeegum --elf ~/hello
In this example, the hello ELF file is copied into the app’s data directory (i.e. /data/user/0/com.zetier.bungeegum/tmpFile) and then run via the exec call.
In shellcode mode, the contents of the provided shellcode file are copied into the memory space of the test application, and a function pointer pointing to the shellcode is called.
bungeegum --shellcode shellcode.bin
In all three examples, the return code is collected and returned to the Python script when one is available.
Bungeegum can be used to verify whether an Android executable or shellcode payload can execute within an underprivileged initial access vector, such as untrusted_app. Given that numerous permissions are enforced (e.g., SELinux, seccomp-bpf, UID/GID), which can vary from vendor to vendor in the fragmented Android ecosystem, Bungeegum provides a common interface for robustly testing existing capabilities against specific target devices.
Check out the Bungeegum GitHub page for more info on installation and usage.
This is another tool we’re open sourcing, so we’d love feedback or to work together to add new features.
In conclusion, Bungeegum brings a revolution to testing Android cyber tools by making testing in-memory execution within an untrusted app’s SELinux context easy. It offers an advanced and secure testing approach that empowers low-level Android cyber tool developers to enhance code quality, catch bugs early on, and streamline application development. With Bungeegum’s unique capabilities, teams can confidently level up their testing methods, delivering robust and secure Android cyber tools that can tackle real-world challenges head-on.
*The Android robot is modified from work created and shared by Google and is used according to terms described in the Creative Commons 3.0 Attribution License.