Following the Frida script published last year by Piergiovanni, we found another way to bypass all SSL certificate checks performed by most applications on Android devices, obviously including SSL pinning. This means it can also be used without installing a valid CA on the device, which makes it a very handy tool to have when performing mobile application penetration tests.
The code is as follows:
```javascript
Java.perform(function () {
    var ArrayList = Java.use("java.util.ArrayList");
    var TrustManagerImpl = Java.use("com.android.org.conscrypt.TrustManagerImpl");

    // checkTrustedRecursive is the internal method that the platform trust
    // manager's check paths end up in. Instead of validating the chain it
    // now returns an empty list, so no CertificateException is ever thrown
    // and the server certificate is accepted. The parameters are ignored
    // (their count varies across Android releases).
    TrustManagerImpl.checkTrustedRecursive.implementation = function (a1, a2, a3, a4, a5, a6) {
        // console.log('Bypassing SSL Pinning');
        var k = ArrayList.$new();
        return k;
    };
});
```
In order to use it:
- Launch the frida server on the device
```
$ adb devices
$ adb root
$ adb shell
klte:/# ./frida-server
```
- Find the application's package name (assuming the device is connected over USB)
```
frida-ps -Uai
```
- Spawn the application, injecting our JavaScript code
```
frida -U -f org.package.name -l universal-ssl-check-bypass.js --no-pause
```
The script can be downloaded from Frida CodeShare.
Enjoy!