Bypass certificate pinning
In-app certificate pinning can be bypassed using the Objection utility (built on top of Frida). Objection's hooks cover the common Java-level implementations, namely the platform TrustManager and OkHttp's CertificatePinner (the hooks are listed in the session output below); pinning implemented in native code or as a custom check needs its own Frida script and is outside the scope of this recipe.
Requirements
- Android Platform Tools (adb).
- A rooted Android device.
- Frida (frida-tools on the host, frida-server on the device).
- Objection.
Instructions
** N.B. Please ensure the USAP (unspecialized app process) pool has been disabled, otherwise Frida will not be able to spawn or attach to the app on Android 10 and later. This can be achieved from a root console on the handset (adb shell after adb root, or su) by running setprop persist.device_config.runtime_native.usap_pool_enabled false (the persist. property survives reboots). **
Setup a Python 3 virtual environment, and install Frida and Objection.
$ python3 -m venv venv
$ source ./venv/bin/activate
$ pip install frida-tools objection
Download the frida-server release from the Frida GitHub releases page that matches both the handset's architecture (adb shell getprop ro.product.cpu.abi; an arm64-v8a device needs the android-arm64 build) and the version of frida-tools you just installed (frida --version): client and server must be the same version or the agent will not inject. At the time of writing, the latest version for Android arm64 is frida-server-14.2.18-android-arm64.xz.
$ unxz frida-server-14.2.18-android-arm64.xz
$ mv frida-server-14.2.18-android-arm64 frida-server
$ adb push frida-server /sdcard/
$ adb root
$ adb shell "mv /sdcard/frida-server /data/local/tmp/frida-server"
$ adb shell "chmod 755 /data/local/tmp/frida-server"
Run frida-server on the handset in the background. If the adb shell call below does not return, the daemon is holding the session's output open; start it with its -D (daemonize) option or redirect its output to /dev/null instead.
$ adb shell "/data/local/tmp/frida-server &"
Identify the package name for the app whose certificate pinning you will disable.
$ adb shell pm list packages
...
package:com.example.certpinning
...
Launch the application using Objection (the --gadget argument is the package name; Objection spawns the app through frida-server and injects its agent), and disable certificate pinning.
$ objection --gadget com.example.certpinning explore
Using USB device `JackPhone`
Agent injected and responds ok!
_ _ _ _
___| |_|_|___ ___| |_|_|___ ___
| . | . | | -_| _| _| | . | |
|___|___| |___|___|_| |_|___|_|_|
|___|(object)inject(ion) v1.11.0
Runtime Mobile Exploration
by: @leonjza from @sensepost
[tab] for command suggestions
com.example.certpinning on (JackPhone: 11) [usb] # android sslpinning disable
(agent) Custom TrustManager ready, overriding SSLContext.init()
(agent) Found okhttp3.CertificatePinner, overriding CertificatePinner.check()
(agent) Found okhttp3.CertificatePinner, overriding CertificatePinner.check$okhttp()
(agent) Found com.android.org.conscrypt.TrustManagerImpl, overriding TrustManagerImpl.verifyChain()
(agent) Found com.android.org.conscrypt.TrustManagerImpl, overriding TrustManagerImpl.checkTrustedRecursive()
(agent) Registering job 586622. Type: android-sslpinning-disable
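The whole procedure, from checking the frida-server download against the device and the installed frida-tools through to starting Objection with the pinning bypass applied at launch, as an added shell script. It is not part of the original page and is not Objection's or Frida's own code. The function names, the deploy/bypass subcommands and the default package name are this example's own; it assumes adb, frida-tools, unxz and Objection are on PATH, a frida-server archive named as above, frida-server's -D (--daemonize) option and Objection's --startup-command option. Note that the hooks shown above live only as long as the Objection session: quit it and the app's original checks are back in force.

```shell
#!/bin/sh
# Added example (not from the page, Frida or Objection): wraps the deployment
# steps above in checked functions. The pure functions can be exercised
# offline; adb/frida/objection are only invoked by the deploy/bypass commands.

# Map an Android ABI string (adb shell getprop ro.product.cpu.abi) to the
# architecture suffix used in frida-server release file names.
abi_to_frida_arch() {
    case "$1" in
        arm64-v8a)           echo arm64 ;;
        armeabi-v7a|armeabi) echo arm ;;
        x86_64)              echo x86_64 ;;
        x86)                 echo x86 ;;
        *)                   return 1 ;;
    esac
}

# Pull "<version>" out of frida-server-<version>-android-<arch>[.xz].
frida_server_version() {
    printf '%s\n' "${1%.xz}" | sed -n 's/^frida-server-\([0-9][0-9.]*\)-android-.*$/\1/p'
}

# Pull "<arch>" out of the same file name.
frida_server_arch() {
    printf '%s\n' "${1%.xz}" | sed -n 's/^frida-server-[0-9.]*-android-\(.*\)$/\1/p'
}

# frida-tools and frida-server must be the same version: a mismatch is the
# usual reason "Agent injected and responds ok!" never appears.
check_versions_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Verify the archive against the connected device and the local client,
# then push and start it. $1 = path to frida-server-<ver>-android-<arch>.xz
deploy_frida_server() {
    archive=$1
    name=$(basename "$archive")
    ver=$(frida_server_version "$name")
    arch=$(frida_server_arch "$name")
    client=$(frida --version)
    abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')   # strip adb's CR
    want=$(abi_to_frida_arch "$abi") || { echo "unknown device ABI: $abi" >&2; return 1; }
    [ "$arch" = "$want" ] || { echo "device is $abi, archive is for $arch" >&2; return 1; }
    check_versions_match "$client" "$ver" || { echo "client $client != server $ver" >&2; return 1; }

    unxz -k -f "$archive"                       # leaves ${archive%.xz} beside it
    adb root
    adb push "${archive%.xz}" /data/local/tmp/frida-server
    adb shell "chmod 755 /data/local/tmp/frida-server"
    # USAP pool off, as in the note above; otherwise Frida cannot spawn the app.
    adb shell "setprop persist.device_config.runtime_native.usap_pool_enabled false"
    # -D (--daemonize) detaches the server so this adb shell call returns.
    adb shell "/data/local/tmp/frida-server -D"
    sleep 1
    frida-ps -U >/dev/null && echo "frida-server $ver running on $abi device"
}

# Start the app under Objection with the pinning hooks installed at launch.
# $1 = package name (default: the example package used on this page).
bypass_pinning() {
    objection --gadget "${1:-com.example.certpinning}" explore \
        --startup-command "android sslpinning disable"
}

case "${1:-}" in
    deploy) deploy_frida_server "$2" ;;
    bypass) bypass_pinning "$2" ;;
esac
```

Usage: sh frida-setup.sh deploy frida-server-14.2.18-android-arm64.xz, then sh frida-setup.sh bypass com.example.certpinning. The ABI and version checks run before anything is pushed, so the two most common silent failures (wrong architecture build, client/server version mismatch) are reported on the host rather than showing up as a hang at "Agent injected".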