An Android network security config pinning bypass
/*
 * Android Network Security Config bypass script
 * by Maurizio Siddu
 *
 * Run with:
 *   frida -U -f [APP_ID] -l frida_netsecconfig_bypass.js --no-pause
 *
 * Hooks ManifestConfigSource.getConfigSource() and returns a freshly built
 * DefaultConfigSource (cleartext allowed, targetSdkVersion 23) instead of
 * the config source the framework would normally produce from the app's
 * manifest, so the manifest-declared network security config is not used.
 */
Java.perform(function () {
  console.log('');
  console.log('======');
  console.log('[#] Android Network Security Config bypass [#]');
  console.log('======');

  // API level 23 (Android 6.0, "M"); used as targetSdkVersion for the rebuilt default config.
  const ANDROID_VERSION_M = 23;

  // Class lookups are kept in their original order: Java.use resolves each class
  // when called, so a missing class surfaces at the same point as before.
  const DefaultConfigSource = Java.use('android.security.net.config.ManifestConfigSource$DefaultConfigSource');
  const NetworkSecurityConfig = Java.use('android.security.net.config.NetworkSecurityConfig'); // looked up but not referenced below
  const ManifestConfigSource = Java.use('android.security.net.config.ManifestConfigSource');
  const NetworkSecurityTrustManager = Java.use('android.security.net.config.NetworkSecurityTrustManager'); // looked up but not referenced below
  const ApplicationInfo = Java.use('android.content.pm.ApplicationInfo');

  /*
   * Replacement for ManifestConfigSource.getConfigSource().
   *
   * The DefaultConfigSource constructor signature depends on the device API level:
   *   (a) API <= 25:     DefaultConfigSource(boolean usesCleartextTraffic, int targetSdkVersion)
   *   (b) API 26 or 27:  DefaultConfigSource(boolean usesCleartextTraffic, int targetSdkVersion, int targetSandboxVersion)
   *   (c) API >= 28:     DefaultConfigSource(boolean usesCleartextTraffic, ApplicationInfo info)
   * The case is picked from the constructor's argument count and the type of its
   * second argument, as reported by Frida's argumentTypes.
   *
   * Returns the constructed DefaultConfigSource. If anything throws, the error is
   * logged and the function falls off the end, so the Java caller receives
   * undefined (null) rather than a config source.
   */
  ManifestConfigSource.getConfigSource.implementation = function () {
    console.log('[+] Hooking ManifestConfigSource.getConfigSource() method...');

    try {
      const ctorArgTypes = DefaultConfigSource.$new.argumentTypes;

      // Three-argument constructor: case (b).
      if (ctorArgTypes.length !== 2) {
        console.log('[+] Bypass for API level 26 or 27');
        return DefaultConfigSource.$new(true, ANDROID_VERSION_M, 1);
      }

      // Two-argument constructor whose second argument is an int32: case (a).
      if (ctorArgTypes[1].type === 'int32') {
        console.log('[+] Bypass for API level <= 25');
        return DefaultConfigSource.$new(true, ANDROID_VERSION_M);
      }

      // Two-argument constructor taking ApplicationInfo: case (c).
      console.log('[+] Bypass for API level >= 28');
      const appInfo = ApplicationInfo.$new();
      // Fields consulted by NetworkSecurityConfig.getDefaultBuilder are set explicitly.
      appInfo.targetSdkVersion.value = ANDROID_VERSION_M;
      appInfo.targetSandboxVersion.value = 1;
      // NOTE(review): PRIVATE_FLAG_INSTANT / PRIVATE_FLAG_PRIVILEGED look like static
      // constants on ApplicationInfo rather than per-instance fields — confirm that
      // writing them through the instance wrapper has the intended effect.
      appInfo.PRIVATE_FLAG_INSTANT.value = 0;
      appInfo.PRIVATE_FLAG_PRIVILEGED.value = 0;
      return DefaultConfigSource.$new(true, appInfo);
    } catch (err) {
      console.log('[-] Error, something went wrong...');
      console.log(err);
    }
  };
});