ı got this error. is there any way to handle it Error: getPackageInfoNoCheck(): has more than one overload, use .overload() to choose from: .overload('android.content.pm.ApplicationInfo', 'android.content.res.CompatibilityInfo') .overload('android.content.pm.ApplicationInfo', 'android.content.res.CompatibilityInfo', 'boolean') at X (frida/node_modules/frida-java-bridge/lib/class-factory.js:569) at K (frida/node_modules/frida-java-bridge/lib/class-factory.js:564) at set (frida/node_modules/frida-java-bridge/lib/class-factory.js:932) at (frida/node_modules/frida-java-bridge/index.js:224) at (frida/node_modules/frida-java-bridge/lib/vm.js:12) at _performPendingVmOpsWhenReady (frida/node_modules/frida-java-bridge/index.js:244) at perform (frida/node_modules/frida-java-bridge/index.js:204) at (/frida/repl-2.js:520) at apply (native) at (frida/runtime/core.js:51)

Came across your article on how to defeat pinning with Frida and I'm trying to work my way through it as I'm a bit of newb, but I'm tryin!

For some context, I'm running Windows 10, an Android Pixel XL emulator, and OWASP ZAP as my proxy. I've installed the OWASP certificate onto the device, and I can now parse HTTPS traffic from the Chrome app. I'm wanting to now intercept traffic via apps!

I'm using the dating app Bumble as my first "target", so I've installed the APK file onto the device (which does NOT have Google Play Store as I've read that's important). I have the Frida server running in one terminal window as root (running frida-server-15.1.22-android-x86 which I don't know for sure if that's the correct server to be running, maybe x86_64 should be run instead? Anyway...)

So I fire up the App, where it just hangs on the main loading screen and I do not see any traffic from it in OWASP (again, even though it IS proxying internet requests fine, so that part IS working):

...and in a separate terminal window, I run the command:

frida --no-pause -U -l ./frida-script.js -f com.bumble.app

...and this is my resulting output (beware, it's long, and the trailing end just infinitely prints until the frida server dies):

frida --no-pause -U -l ./frida-script.js -f com.bumble.app
     ____
    / _  |   Frida 15.1.22 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Spawned `com.bumble.app`. Resuming main thread!
[Android Emulator 5554::com.bumble.app ]-> ---
Unpinning Android app...
[+] SSLPeerUnverifiedException auto-patcher
[+] HttpsURLConnection (setDefaultHostnameVerifier)
[+] HttpsURLConnection (setSSLSocketFactory)
[+] HttpsURLConnection (setHostnameVerifier)
[+] SSLContext
[+] TrustManagerImpl
[ ] OkHTTPv3 (list)
[ ] OkHTTPv3 (cert)
[ ] OkHTTPv3 (cert array)
[ ] OkHTTPv3 ($okhttp)
[ ] Trustkit OkHostnameVerifier(SSLSession)
[ ] Trustkit OkHostnameVerifier(cert)
[ ] Trustkit PinningTrustManager
[ ] Appcelerator PinningTrustManager
[ ] OpenSSLSocketImpl Conscrypt
[ ] OpenSSLEngineSocketImpl Conscrypt
[ ] OpenSSLSocketImpl Apache Harmony
[ ] PhoneGap sslCertificateChecker
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string)
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string array)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (cert)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (string string)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession)
[ ] Conscrypt CertPinManager
[ ] CWAC-Netsecurity CertPinManager
[ ] Worklight Androidgap WLCertificatePinningPlugin
[ ] Netty FingerprintTrustManagerFactory
[ ] Squareup CertificatePinner (cert)
[ ] Squareup CertificatePinner (list)
[ ] Squareup OkHostnameVerifier (cert)
[ ] Squareup OkHostnameVerifier (SSLSession)
[+] Android WebViewClient (SslErrorHandler)
[ ] Android WebViewClient (WebResourceError)
[ ] Apache Cordova WebViewClient
[ ] Boye AbstractVerifier
Unpinning setup completed
---
  --> Bypassing Trustmanager (Android < 7) request
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by android.net.SSLCertificateSocketFactory->verifyHostname
      Attempting to patch automatically...
      [+] android.net.SSLCertificateSocketFactory->verifyHostname (automatic exception patch)
  --> Bypassing TrustManagerImpl checkTrusted
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing android.net.SSLCertificateSocketFactory->verifyHostname (automatic exception patch)
  --> Bypassing TrustManagerImpl checkTrusted
  --> Bypassing TrustManagerImpl checkTrusted
  --> Unexpected SSL verification failure, adding dynamic patch...
  --> Bypassing TrustManagerImpl checkTrusted
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by com.android.okhttp.internal.io.RealConnection->connectTls
      Attempting to patch automatically...
      [+] com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
      Thrown by com.android.okhttp.internal.io.RealConnection->connectTls
  --> Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
  --> Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
  --> Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
  --> Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
  --> Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
  --> Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
...........................

SO, what can a guy try from here? Would be cool to get some insight from the community on this one so I can get started on the app traffic track :P Thanks!!!

For some reason I get this error for every app I try the script on. The app launches and this is the error it gives. My devices is running on Android 11

Error: VM::AttachCurrentThread failed: -1
    at o (frida/node_modules/frida-java-bridge/lib/result.js:4)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:25)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:14)
    at Xe (frida/node_modules/frida-java-bridge/lib/android.js:499)
    at Ie (frida/node_modules/frida-java-bridge/lib/android.js:195)
    at Ce (frida/node_modules/frida-java-bridge/lib/android.js:16)
    at _tryInitialize (frida/node_modules/frida-java-bridge/index.js:17)
    at g (frida/node_modules/frida-java-bridge/index.js:9)
    at <anonymous> (frida/node_modules/frida-java-bridge/index.js:317)
    at call (native)
    at o (/_java.js)
    at <anonymous> (/_java.js)
    at <anonymous> (frida/runtime/java.js:1)
    at call (native)
    at o (/_java.js)
    at r (/_java.js)
    at <eval> (frida/runtime/java.js:3)
    at _loadJava (native)
    at get (frida/runtime/core.js:114)
    at <anonymous> (/frida-script.js:448)
    at apply (native)
    at <anonymous> (frida/runtime/core.js:45)

This solution is nice as it avoids the trouble of repacking and patching apps statically and some of the integrity checks they do. Can we patch the known checks automatically on startup of the app somehow? It is a bit complicated to start apps manually with frida that interact with each other like apps that use the google play store&services to check licenses. Same is true for automatically started OS components and oem bloatware apps. There used to be Magisk Modules but they are outdated and not maintained at the moment.

Maybe it’s not the right place to ask this question. I am trying to intercept an android app(it doesn’t have ssl Pinner). I am able to get all the links while using http tool kit but not when trying with burpsuite. Most of the links are not showing in burp. I am sure that it’s not because of the filtering . Kindly help me with it. What’s the difference between using http toolkit and burp. Both should work the same way isn’t it?

Hi, I was trying to unpin SSL from the Dogorama app but that didn't work:

$ frida --no-pause -U -l ../../Downloads/frida-script.js -f app.dogorama
     ____
    / _  |   Frida 15.2.2 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Spawned `app.dogorama`. Resuming main thread!                           
[Android Emulator 5554::app.dogorama ]-> ---
Unpinning Android app...
[+] SSLPeerUnverifiedException auto-patcher
[+] HttpsURLConnection (setDefaultHostnameVerifier)
[+] HttpsURLConnection (setSSLSocketFactory)
[+] HttpsURLConnection (setHostnameVerifier)
[+] SSLContext
[+] TrustManagerImpl
[+] OkHTTPv3 (list)
[ ] OkHTTPv3 (cert)
[+] OkHTTPv3 (cert array)
[+] OkHTTPv3 ($okhttp)
[ ] Trustkit OkHostnameVerifier(SSLSession)
[ ] Trustkit OkHostnameVerifier(cert)
[ ] Trustkit PinningTrustManager
[ ] Appcelerator PinningTrustManager
[ ] OpenSSLSocketImpl Conscrypt
[ ] OpenSSLEngineSocketImpl Conscrypt
[ ] OpenSSLSocketImpl Apache Harmony
[ ] PhoneGap sslCertificateChecker
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string)
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string array)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (cert)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (string string)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession)
[ ] Conscrypt CertPinManager
[ ] CWAC-Netsecurity CertPinManager
[ ] Worklight Androidgap WLCertificatePinningPlugin
[ ] Netty FingerprintTrustManagerFactory
[ ] Squareup CertificatePinner (cert)
[+] Squareup CertificatePinner (list)
[+] Squareup OkHostnameVerifier (cert)
[+] Squareup OkHostnameVerifier (SSLSession)
[+] Android WebViewClient (SslErrorHandler)
[ ] Android WebViewClient (WebResourceError)
[ ] Apache Cordova WebViewClient
[ ] Boye AbstractVerifier
[ ] Appmattus (Transparency)
Unpinning setup completed
---
Process crashed: java.lang.UnsatisfiedLinkError: couldn't find DSO to load: libhermes.so

***
FATAL EXCEPTION: create_react_context
Process: app.dogorama, PID: 5240
java.lang.UnsatisfiedLinkError: couldn't find DSO to load: libhermes.so
	SoSource 0: com.facebook.soloader.ApkSoSource[root = /data/data/app.dogorama/lib-main flags = 1]
	SoSource 1: com.facebook.soloader.DirectorySoSource[root = /data/app/~~Js_W8z118rVG9AxCVcowrQ==/app.dogorama-C0q6l1U3SOxP2VO_M3NyhQ==/lib/x86_64 flags = 0]
	SoSource 2: com.facebook.soloader.DirectorySoSource[root = /vendor/lib64 flags = 2]
	SoSource 3: com.facebook.soloader.DirectorySoSource[root = /system/lib64 flags = 2]
	Native lib dir: /data/app/~~Js_W8z118rVG9AxCVcowrQ==/app.dogorama-C0q6l1U3SOxP2VO_M3NyhQ==/lib/x86_64
 result: 0
	at com.facebook.soloader.SoLoader.doLoadLibraryBySoName(SoLoader.java:918)
	at com.facebook.soloader.SoLoader.loadLibraryBySoNameImpl(SoLoader.java:740)
	at com.facebook.soloader.SoLoader.loadLibraryBySoName(SoLoader.java:654)
	at com.facebook.soloader.SoLoader.loadLibrary(SoLoader.java:634)
	at com.facebook.soloader.SoLoader.loadLibrary(SoLoader.java:582)
	at com.facebook.hermes.reactexecutor.HermesExecutor.<clinit>(HermesExecutor.java:20)
	at com.facebook.hermes.reactexecutor.HermesExecutorFactory.create(HermesExecutorFactory.java:29)
	at com.facebook.react.ReactInstanceManager$5.run(ReactInstanceManager.java:1054)
	at java.lang.Thread.run(Thread.java:920)
***
[Android Emulator 5554::app.dogorama ]->

Thank you for using Frida!

Device: Android Emulator, API 31, Android 12, x86_64

Unable to solve google recaptcha(In app) while connected to the burpsuite. I used Frida with the ssl unpinning script. The error I got is unexpected ssl verification failed at "com.android.org.conscrypt.ActiveSession->checkPeerCertificatesPresent"

Device : Google Pixel 3XL (Android V9.0)

Change SSLContext_init.call(this, keyManager, TrustManagers, secureRandom); to this.init(keyManager, TrustManagers, secureRandom);

Clearly the method is not static and so it should be called from it's instance, maybe I am missing some inner forbidden knowledge, but this.init is proper way to call instance method

Hi, When I try to use frida-script.js I get an error:

frida --no-pause -U -l ./frida-script.js -f tech.httptoolkit.pinning_demo
     ____
    / _  |   Frida 15.1.14 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
Spawned `tech.httptoolkit.pinning_demo`. Resuming main thread!
Error: VM::AttachCurrentThread failed: -1
    at o (frida/node_modules/frida-java-bridge/lib/result.js:4)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:25)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:14)
    at Xe (frida/node_modules/frida-java-bridge/lib/android.js:500)
    at Ie (frida/node_modules/frida-java-bridge/lib/android.js:196)
    at Ce (frida/node_modules/frida-java-bridge/lib/android.js:16)
    at _tryInitialize (frida/node_modules/frida-java-bridge/index.js:17)
    at y (frida/node_modules/frida-java-bridge/index.js:9)
    at <anonymous> (frida/node_modules/frida-java-bridge/index.js:320)
    at call (native)
    at o (/_java.js)
    at <anonymous> (/_java.js)
    at <anonymous> (frida/runtime/java.js:1)
    at call (native)
    at o (/_java.js)
    at r (/_java.js)
    at <eval> (frida/runtime/java.js:3)
    at _loadJava (native)
    at get (frida/runtime/core.js:125)
    at <anonymous> (/frida-script.js:510)
    at apply (native)
    at <anonymous> (frida/runtime/core.js:45)

It doesn't matter which app I use (com.twitter.android, tech.httptoolkit.pinning_demo, etc) the result is always the same.

Android 11, Samsung SM G998B (s21 Ultra) rooted. Frida is installed on Windows 11 / Python3.7

Any idea how to fix this? Thank you.

Hey team, there seem to be some internal changes when shifting from Frida 15.x to 16.x and now it started throwing error as defined in the title. Do anyone has any idea how can we resolve the above error?

Tried it on Nike app: com.nike.omega

Frida on terminal returned error below:

Process crashed: java.lang.NullPointerException: interceptor com.nike.mpe.plugin.certtransparency.internal.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor@2c65125 returned null

Just to make sure, I tried it on Twitter and it works.

Tried intercepting requests with Http Toolkit as well. Responses kept being aborted and after running the script the same thing continued to happen. Only that now the entire data traffic was blocked: all incoming and outgoing messages wouldn't be sent/received on the device.

Additional info: I used a rooted Samsung Galaxy S10 with Android 12.

Hey I tried out your SSL unpinning script on some apps and it didnt work for most of them (Whatsapp, Snapchat, McDonald's App). Is that fixable or is it because of some different issue? Would be nice if we could have a talk, Discord: RequestFX#1541

It prints out

--> Bypassing OpenSSLSocketImpl Conscrypt
 --> Bypassing OpenSSLSocketImpl Conscrypt
 --> Bypassing OpenSSLSocketImpl Conscrypt
 --> Bypassing OpenSSLSocketImpl Conscrypt

, but still fails to unpin it as seen in the photo

Hello,

I have been looking forward for the frida script to bypass unity based applications ssl pinning which are using below code.

https://docs.unity3d.com/ScriptReference/Networking.CertificateHandler.ValidateCertificate.html

Any help?

Process crashed: java.lang.NullPointerException: interceptor se0.e@1c6a394 returned null

FATAL EXCEPTION: OkHttp Dispatcher Process: cn.adidas.app, PID: 1455