Following the frida script published last year by Piergiovanni, we found another way to bypass all SSL certificate checks performed by most applications on Android devices, obviously including SSL pinning. This means that it can be used also without installing a valid CA on the device, which makes it a very nice tool to have when performing mobile applications penetration testings.
The code is as follows:
|
1 2 3 4 5 6 7 8 9 10 11 12 |
Java.perform(function() { var array_list = Java.use("java.util.ArrayList"); var ApiClient = Java.use('com.android.org.conscrypt.TrustManagerImpl'); ApiClient.checkTrustedRecursive.implementation = function(a1,a2,a3,a4,a5,a6) { // console.log('Bypassing SSL Pinning'); var k = array_list.$new(); return k; } },0); |
In order to use it:
- Launch the frida server on the device
|
1 2 3 4 |
$ adb devices $ adb root $ adb shell klte:/# ./frida-server |
- Search for the application package name (assuming the device is connected over usb)
|
1 |
frida-ps -Uai |
- Spawn the application injecting our javascript code
|
1 |
frida -U -f org.package.name -l universal-ssl-check-bypass.js --no-pause |
The script can be downloaded from Frida CodeShare.
Enjoy!
Related Posts
Brida 0.4 is out!- Brida – A step-by-step user guide
- Android OkHttp3 4.2+ certificate pinning bypass for Frida and Brida
- Advanced mobile penetration testing with Brida – Slides HackInBo 2017 WE
Tracing arbitrary Methods and Function calls on Android and iOS
Penetration testing on mobile applications – The hard way