Using Frida to bypass certificate pinning

Ilias el Matani

Using Frida to bypass certificate pinning

Often the TLS negotation fails for Android applications when you try to intercept the HTTP(S) traffic. A network capture trace can give you a good indication of certificate pinning is in place. Frida makes it possible to manipulate the application in runtime, very helpful when trying to bypass SSL pinning.

Tools requirements

  • Python3
  • Objection
  • Frida
  • Android Studio

Tools installation procedure

  • Step 1: Download latest version of python3 and install it. Make sure to tab enable path environment as well.
  • Step 2: Install Objection using pip3. (pip3 install objection) Note: Frida is a pre-requisite for objection, hence frida will get installed automatically.
  • Step 3: Download and install latest version of Android studio (https://developer.android.com/studio).
  • Step 4: Download any Android images (above 7.0) for the emulator.
  • Step 5: Download the Android SDK Platform-Tools (adb) (https://dl.google.com/android/repository/platform-tools-latest-windows.zip).

Injection script

Download the injection script from below which will be pushed into the device for injecting into the target application. https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/ Or copy and save this code as frida.js in same folder as adb.

/* 
   Android SSL Re-pinning frida script v0.2 030417-pier 

   $ adb push burpca-cert-der.crt /data/local/tmp/cert-der.crt
   $ frida -U -f it.app.mobile -l frida-android-repinning.js --no-pause

   https://techblog.mediaservice.net/2017/07/universal-android-ssl-pinning-bypass-with-frida/
   
   UPDATE 20191605: Fixed undeclared var. Thanks to @oleavr and @ehsanpc9999 !
*/

setTimeout(function(){
    Java.perform(function (){
        console.log("");
        console.log("[.] Cert Pinning Bypass/Re-Pinning");

        var CertificateFactory = Java.use("java.security.cert.CertificateFactory");
        var FileInputStream = Java.use("java.io.FileInputStream");
        var BufferedInputStream = Java.use("java.io.BufferedInputStream");
        var X509Certificate = Java.use("java.security.cert.X509Certificate");
        var KeyStore = Java.use("java.security.KeyStore");
        var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");
        var SSLContext = Java.use("javax.net.ssl.SSLContext");

        // Load CAs from an InputStream
        console.log("[+] Loading our CA...")
        var cf = CertificateFactory.getInstance("X.509");
        
        try {
            var fileInputStream = FileInputStream.$new("/data/local/tmp/cert-der.crt");
        }
        catch(err) {
            console.log("[o] " + err);
        }
        
        var bufferedInputStream = BufferedInputStream.$new(fileInputStream);
        var ca = cf.generateCertificate(bufferedInputStream);
        bufferedInputStream.close();

        var certInfo = Java.cast(ca, X509Certificate);
        console.log("[o] Our CA Info: " + certInfo.getSubjectDN());

        // Create a KeyStore containing our trusted CAs
        console.log("[+] Creating a KeyStore for our CA...");
        var keyStoreType = KeyStore.getDefaultType();
        var keyStore = KeyStore.getInstance(keyStoreType);
        keyStore.load(null, null);
        keyStore.setCertificateEntry("ca", ca);
        
        // Create a TrustManager that trusts the CAs in our KeyStore
        console.log("[+] Creating a TrustManager that trusts the CA in our KeyStore...");
        var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        var tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
        tmf.init(keyStore);
        console.log("[+] Our TrustManager is ready...");

        console.log("[+] Hijacking SSLContext methods now...")
        console.log("[-] Waiting for the app to invoke SSLContext.init()...")

        SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").implementation = function(a,b,c) {
            console.log("[o] App invoked javax.net.ssl.SSLContext.init...");
            SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").call(this, a, tmf.getTrustManagers(), c);
            console.log("[+] SSLContext initialized with our custom TrustManager!");
        }
    });
},0);

Frida server

Download frida server for supported android device’s architecture version. To find the architecture version run the command:

adb shell getprop ro.product.cpu.abi

Now go to the download page: https://github.com/frida/frida/releases/ and choose the appropriate version. For example, if your architecture version is x86, you must download: frida-server-16.0.8-android-x86.xz.

Now extract the xz file and move frida-server file to the Android device.

adb push C:\xyz\frida-server-16.0.8-android-x86 /data/local/tmp/frida-server
adb shell chmod 777 /data/local/tmp/frida-server

configure Android device to work with Burp

Follow the guide to configure configure an Android device to work with Burp https://portswigger.net/burp/documentation/desktop/mobile/config-android-device

The exported certificate can be pushed

adb push cacert.der /data/local/tmp/cert-der.crt

Start Frida

Copy the frida.js script to the Android device by using the command

adb push C:\xyz\frida.js /data/local/tmp

Start now Frida

adb shell /data/local/tmp/frida-server &

Now check if Frida is running and get a list of running processes:

frida-ps -U

Copy the application name of the applicatoin you want to MiTM from the output above.

Start now the application and ssl pinning bypass:

frida -U -f <your_application_package_name> -l <path_to_fridascript.js_on_your_computer>

Note: work in progress. Still working on finishing this article/post.