frida-android-unpinning
A Frida script to disable SSL certificate pinning in a target application
For more information and detailed setup instructions, take a look at https://httptoolkit.tech/blog/frida-certificate-pinning/
I got this error. Is there any way to handle it?
Error: getPackageInfoNoCheck(): has more than one overload, use .overload(
Came across your article on how to defeat pinning with Frida and I'm trying to work my way through it as I'm a bit of a newb, but I'm trying!
For some context, I'm running Windows 10, an Android Pixel XL emulator, and OWASP ZAP as my proxy. I've installed the OWASP certificate onto the device, and I can now parse HTTPS traffic from the Chrome app. I'm wanting to now intercept traffic via apps!
I'm using the dating app Bumble as my first "target", so I've installed the APK file onto the device (which does NOT have the Google Play Store, as I've read that's important). I have the Frida server running in one terminal window as root (running frida-server-15.1.22-android-x86, which I don't know for sure is the correct server to be running; maybe x86_64 should be run instead? Anyway...)
So I fire up the App, where it just hangs on the main loading screen and I do not see any traffic from it in OWASP (again, even though it IS proxying internet requests fine, so that part IS working):
...and in a separate terminal window, I run the command:
frida --no-pause -U -l ./frida-script.js -f com.bumble.app
...and this is my resulting output (beware, it's long, and the trailing end just infinitely prints until the frida server dies):
frida --no-pause -U -l ./frida-script.js -f com.bumble.app
____
/ _ | Frida 15.1.22 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to Android Emulator 5554 (id=emulator-5554)
Spawned `com.bumble.app`. Resuming main thread!
[Android Emulator 5554::com.bumble.app ]-> ---
Unpinning Android app...
[+] SSLPeerUnverifiedException auto-patcher
[+] HttpsURLConnection (setDefaultHostnameVerifier)
[+] HttpsURLConnection (setSSLSocketFactory)
[+] HttpsURLConnection (setHostnameVerifier)
[+] SSLContext
[+] TrustManagerImpl
[ ] OkHTTPv3 (list)
[ ] OkHTTPv3 (cert)
[ ] OkHTTPv3 (cert array)
[ ] OkHTTPv3 ($okhttp)
[ ] Trustkit OkHostnameVerifier(SSLSession)
[ ] Trustkit OkHostnameVerifier(cert)
[ ] Trustkit PinningTrustManager
[ ] Appcelerator PinningTrustManager
[ ] OpenSSLSocketImpl Conscrypt
[ ] OpenSSLEngineSocketImpl Conscrypt
[ ] OpenSSLSocketImpl Apache Harmony
[ ] PhoneGap sslCertificateChecker
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string)
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string array)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (cert)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (string string)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession)
[ ] Conscrypt CertPinManager
[ ] CWAC-Netsecurity CertPinManager
[ ] Worklight Androidgap WLCertificatePinningPlugin
[ ] Netty FingerprintTrustManagerFactory
[ ] Squareup CertificatePinner (cert)
[ ] Squareup CertificatePinner (list)
[ ] Squareup OkHostnameVerifier (cert)
[ ] Squareup OkHostnameVerifier (SSLSession)
[+] Android WebViewClient (SslErrorHandler)
[ ] Android WebViewClient (WebResourceError)
[ ] Apache Cordova WebViewClient
[ ] Boye AbstractVerifier
Unpinning setup completed
---
--> Bypassing Trustmanager (Android < 7) request
--> Unexpected SSL verification failure, adding dynamic patch...
Thrown by android.net.SSLCertificateSocketFactory->verifyHostname
Attempting to patch automatically...
[+] android.net.SSLCertificateSocketFactory->verifyHostname (automatic exception patch)
--> Bypassing TrustManagerImpl checkTrusted
--> Bypassing Trustmanager (Android < 7) request
--> Bypassing android.net.SSLCertificateSocketFactory->verifyHostname (automatic exception patch)
--> Bypassing TrustManagerImpl checkTrusted
--> Bypassing TrustManagerImpl checkTrusted
--> Unexpected SSL verification failure, adding dynamic patch...
--> Bypassing TrustManagerImpl checkTrusted
--> Unexpected SSL verification failure, adding dynamic patch...
Thrown by com.android.okhttp.internal.io.RealConnection->connectTls
Attempting to patch automatically...
[+] com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
Thrown by com.android.okhttp.internal.io.RealConnection->connectTls
--> Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
--> Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
--> Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
--> Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
--> Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
--> Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
...........................
SO, what can a guy try from here? Would be cool to get some insight from the community on this one so I can get started on the app traffic track :P Thanks!!!
For some reason I get this error for every app I try the script on. The app launches and this is the error it gives. My device is running Android 11.
Error: VM::AttachCurrentThread failed: -1
at o (frida/node_modules/frida-java-bridge/lib/result.js:4)
at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:25)
at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:14)
at Xe (frida/node_modules/frida-java-bridge/lib/android.js:499)
at Ie (frida/node_modules/frida-java-bridge/lib/android.js:195)
at Ce (frida/node_modules/frida-java-bridge/lib/android.js:16)
at _tryInitialize (frida/node_modules/frida-java-bridge/index.js:17)
at g (frida/node_modules/frida-java-bridge/index.js:9)
at <anonymous> (frida/node_modules/frida-java-bridge/index.js:317)
at call (native)
at o (/_java.js)
at <anonymous> (/_java.js)
at <anonymous> (frida/runtime/java.js:1)
at call (native)
at o (/_java.js)
at r (/_java.js)
at <eval> (frida/runtime/java.js:3)
at _loadJava (native)
at get (frida/runtime/core.js:114)
at <anonymous> (/frida-script.js:448)
at apply (native)
at <anonymous> (frida/runtime/core.js:45)
This solution is nice as it avoids the trouble of repacking and patching apps statically, and some of the integrity checks they do. Can we patch the known checks automatically on startup of the app somehow? It is a bit complicated to start apps manually with Frida that interact with each other, like apps that use the Google Play Store & Services to check licenses. The same is true for automatically started OS components and OEM bloatware apps. There used to be Magisk modules, but they are outdated and not maintained at the moment.
Maybe it's not the right place to ask this question. I am trying to intercept an Android app (it doesn't have an SSL pinner). I am able to get all the links while using HTTP Toolkit, but not when trying with Burp Suite. Most of the links are not showing in Burp. I am sure that it's not because of the filtering. Kindly help me with it. What's the difference between using HTTP Toolkit and Burp? Both should work the same way, shouldn't they?
Hi, I was trying to unpin SSL from the Dogorama app but that didn't work:
$ frida --no-pause -U -l ../../Downloads/frida-script.js -f app.dogorama
____
/ _ | Frida 15.2.2 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to Android Emulator 5554 (id=emulator-5554)
Spawned `app.dogorama`. Resuming main thread!
[Android Emulator 5554::app.dogorama ]-> ---
Unpinning Android app...
[+] SSLPeerUnverifiedException auto-patcher
[+] HttpsURLConnection (setDefaultHostnameVerifier)
[+] HttpsURLConnection (setSSLSocketFactory)
[+] HttpsURLConnection (setHostnameVerifier)
[+] SSLContext
[+] TrustManagerImpl
[+] OkHTTPv3 (list)
[ ] OkHTTPv3 (cert)
[+] OkHTTPv3 (cert array)
[+] OkHTTPv3 ($okhttp)
[ ] Trustkit OkHostnameVerifier(SSLSession)
[ ] Trustkit OkHostnameVerifier(cert)
[ ] Trustkit PinningTrustManager
[ ] Appcelerator PinningTrustManager
[ ] OpenSSLSocketImpl Conscrypt
[ ] OpenSSLEngineSocketImpl Conscrypt
[ ] OpenSSLSocketImpl Apache Harmony
[ ] PhoneGap sslCertificateChecker
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string)
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string array)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (cert)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (string string)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession)
[ ] Conscrypt CertPinManager
[ ] CWAC-Netsecurity CertPinManager
[ ] Worklight Androidgap WLCertificatePinningPlugin
[ ] Netty FingerprintTrustManagerFactory
[ ] Squareup CertificatePinner (cert)
[+] Squareup CertificatePinner (list)
[+] Squareup OkHostnameVerifier (cert)
[+] Squareup OkHostnameVerifier (SSLSession)
[+] Android WebViewClient (SslErrorHandler)
[ ] Android WebViewClient (WebResourceError)
[ ] Apache Cordova WebViewClient
[ ] Boye AbstractVerifier
[ ] Appmattus (Transparency)
Unpinning setup completed
---
Process crashed: java.lang.UnsatisfiedLinkError: couldn't find DSO to load: libhermes.so
***
FATAL EXCEPTION: create_react_context
Process: app.dogorama, PID: 5240
java.lang.UnsatisfiedLinkError: couldn't find DSO to load: libhermes.so
SoSource 0: com.facebook.soloader.ApkSoSource[root = /data/data/app.dogorama/lib-main flags = 1]
SoSource 1: com.facebook.soloader.DirectorySoSource[root = /data/app/~~Js_W8z118rVG9AxCVcowrQ==/app.dogorama-C0q6l1U3SOxP2VO_M3NyhQ==/lib/x86_64 flags = 0]
SoSource 2: com.facebook.soloader.DirectorySoSource[root = /vendor/lib64 flags = 2]
SoSource 3: com.facebook.soloader.DirectorySoSource[root = /system/lib64 flags = 2]
Native lib dir: /data/app/~~Js_W8z118rVG9AxCVcowrQ==/app.dogorama-C0q6l1U3SOxP2VO_M3NyhQ==/lib/x86_64
result: 0
at com.facebook.soloader.SoLoader.doLoadLibraryBySoName(SoLoader.java:918)
at com.facebook.soloader.SoLoader.loadLibraryBySoNameImpl(SoLoader.java:740)
at com.facebook.soloader.SoLoader.loadLibraryBySoName(SoLoader.java:654)
at com.facebook.soloader.SoLoader.loadLibrary(SoLoader.java:634)
at com.facebook.soloader.SoLoader.loadLibrary(SoLoader.java:582)
at com.facebook.hermes.reactexecutor.HermesExecutor.<clinit>(HermesExecutor.java:20)
at com.facebook.hermes.reactexecutor.HermesExecutorFactory.create(HermesExecutorFactory.java:29)
at com.facebook.react.ReactInstanceManager$5.run(ReactInstanceManager.java:1054)
at java.lang.Thread.run(Thread.java:920)
***
[Android Emulator 5554::app.dogorama ]->
Thank you for using Frida!
Device: Android Emulator, API 31, Android 12, x86_64
Unable to solve Google reCAPTCHA (in-app) while connected to Burp Suite. I used Frida with the SSL unpinning script. The error I got is "unexpected SSL verification failure" at "com.android.org.conscrypt.ActiveSession->checkPeerCertificatesPresent".
Device: Google Pixel 3 XL (Android 9.0)
Change
SSLContext_init.call(this, keyManager, TrustManagers, secureRandom);
to
this.init(keyManager, TrustManagers, secureRandom);
Clearly the method is not static, and so it should be called from its instance; maybe I am missing some inner forbidden knowledge, but this.init is the proper way to call an instance method.
Hi,
When I try to use frida-script.js
I get an error:
frida --no-pause -U -l ./frida-script.js -f tech.httptoolkit.pinning_demo
____
/ _ | Frida 15.1.14 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
Spawned `tech.httptoolkit.pinning_demo`. Resuming main thread!
Error: VM::AttachCurrentThread failed: -1
at o (frida/node_modules/frida-java-bridge/lib/result.js:4)
at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:25)
at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:14)
at Xe (frida/node_modules/frida-java-bridge/lib/android.js:500)
at Ie (frida/node_modules/frida-java-bridge/lib/android.js:196)
at Ce (frida/node_modules/frida-java-bridge/lib/android.js:16)
at _tryInitialize (frida/node_modules/frida-java-bridge/index.js:17)
at y (frida/node_modules/frida-java-bridge/index.js:9)
at <anonymous> (frida/node_modules/frida-java-bridge/index.js:320)
at call (native)
at o (/_java.js)
at <anonymous> (/_java.js)
at <anonymous> (frida/runtime/java.js:1)
at call (native)
at o (/_java.js)
at r (/_java.js)
at <eval> (frida/runtime/java.js:3)
at _loadJava (native)
at get (frida/runtime/core.js:125)
at <anonymous> (/frida-script.js:510)
at apply (native)
at <anonymous> (frida/runtime/core.js:45)
It doesn't matter which app I use (com.twitter.android, tech.httptoolkit.pinning_demo, etc.), the result is always the same.
Android 11, Samsung SM-G998B (S21 Ultra), rooted. Frida is installed on Windows 11 / Python 3.7.
Any idea how to fix this? Thank you.
Hey team, there seem to be some internal changes when shifting from Frida 15.x to 16.x, and now it has started throwing the error given in the title. Does anyone have any idea how we can resolve the above error?
Tried it on Nike app: com.nike.omega
Frida on terminal returned error below:
Process crashed: java.lang.NullPointerException: interceptor com.nike.mpe.plugin.certtransparency.internal.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor@2c65125 returned null
Just to make sure, I tried it on Twitter and it works.
Tried intercepting requests with HTTP Toolkit as well. Responses kept being aborted, and after running the script the same thing continued to happen. Only now the entire data traffic was blocked: all incoming and outgoing messages wouldn't be sent/received on the device.
Additional info: I used a rooted Samsung Galaxy S10 with Android 12.
Hey, I tried out your SSL unpinning script on some apps and it didn't work for most of them (WhatsApp, Snapchat, McDonald's app). Is that fixable, or is it because of some different issue? Would be nice if we could have a talk. Discord: RequestFX#1541
It prints out
--> Bypassing OpenSSLSocketImpl Conscrypt
--> Bypassing OpenSSLSocketImpl Conscrypt
--> Bypassing OpenSSLSocketImpl Conscrypt
--> Bypassing OpenSSLSocketImpl Conscrypt
, but it still fails to unpin, as seen in the photo.
Hello,
I have been looking for a Frida script to bypass SSL pinning in Unity-based applications that use the code below.
https://docs.unity3d.com/ScriptReference/Networking.CertificateHandler.ValidateCertificate.html
Any help?
Process crashed: java.lang.NullPointerException: interceptor se0.e@1c6a394 returned null
FATAL EXCEPTION: OkHttp Dispatcher
Process: cn.adidas.app, PID: 1455