diff --git a/Bypass Certificate Pinning.md b/Bypass Certificate Pinning.md new file mode 100644 index 0000000..7364a3e --- /dev/null +++ b/Bypass Certificate Pinning.md 
@@ -0,0 +1,74 @@ +# Bypass certificate pinning + +In-app certificate pinning can be bypassed using the Objection utility (built on top of Frida). + +## Requirements + +1. Android Platform Tools. +2. A rooted Android device. +3. Frida +4. Objection + +## Instructions + +** N.B. Please ensure USAP has been disabled otherwise Frida will not work. This can be achieved from a root console on the handset by running `setprop persist.device_config.runtime_native.usap_pool_enabled false`. ** + +Setup a Python 3 virtual environment, and install Frida and Objection. + +```bash +$ python3 -m venv venv +$ source ./venv/bin/activate +$ pip install frida-tools objection +``` + +Download [`frida-server`](https://github.com/frida/frida/releases) to your Android handset, ensuring that the architecture is correct. At the time of writing, the latest version for Android arm64 is `frida-server-14.2.18-android-arm64.xz`. + +```bash +$ unxz frida-server-14.2.18-android-arm64.xz +$ mv frida-server-14.2.18-android-arm64 frida-server +$ adb push frida-server /sdcard/ +$ adb root +$ adb shell "mv /sdcard/frida-server /data/local/tmp/frida-server" +$ adb shell "chmod 755 /data/local/tmp/frida-server" +``` + +Run `frida-server` on the handset in the background. + +```bash +$ adb shell "/data/local/tmp/frida-server &" +``` + +Identify the package name for the app whose certificate pinning you will disable. + +```bash +$ adb shell pm list packages +... +package:com.example.certpinning +... +``` + +Launch the application using Objection, and disable certificate pinning. + +```bash +$ objection --gadget com.example.certpinning explore +Using USB device `JackPhone` +Agent injected and responds ok! + + _ _ _ _ + ___| |_|_|___ ___| |_|_|___ ___ +| . | . | | -_| _| _| | . 
| | +|___|___| |___|___|_| |_|___|_|_| + |___|(object)inject(ion) v1.11.0 + + Runtime Mobile Exploration + by: @leonjza from @sensepost + +[tab] for command suggestions +com.example.certpinning on (JackPhone: 11) [usb] # android sslpinning disable +(agent) Custom TrustManager ready, overriding SSLContext.init() +(agent) Found okhttp3.CertificatePinner, overriding CertificatePinner.check() +(agent) Found okhttp3.CertificatePinner, overriding CertificatePinner.check$okhttp() +(agent) Found com.android.org.conscrypt.TrustManagerImpl, overriding TrustManagerImpl.verifyChain() +(agent) Found com.android.org.conscrypt.TrustManagerImpl, overriding TrustManagerImpl.checkTrustedRecursive() +(agent) Registering job 586622. Type: android-sslpinning-disable +```
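Review bot: The client and server versions are not kept in step: `pip install frida-tools objection` pulls whatever is current, while the handset side is hard-coded to `frida-server-14.2.18-android-arm64.xz`. Frida refuses to attach when the host `frida` package and `frida-server` versions differ, so either pin the Python side to the same release (`pip install frida==14.2.18 frida-tools objection`, adjusting once the version in the text is bumped) or add a sentence telling the reader to download the `frida-server` build that matches `frida --version` on the host rather than "the latest". Two smaller points: `adb shell "/data/local/tmp/frida-server &"` starts the server as a child of a shell that exits immediately, and on many builds the job dies with it; `adb shell "nohup /data/local/tmp/frida-server >/dev/null 2>&1 &"` (or frida-server's own daemonize option, if you want to document it) is more reliable. Also, `** N.B. Please ensure USAP ... **` will not render as bold because Markdown does not allow whitespace directly inside the `**` markers; drop the inner spaces, and for consistency either end all four Requirements items with a period or none of them, and write "Set up a Python 3 virtual environment" (verb, two words).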