-
-
Save umar14/51b1beaee8af1358a559f5d86a20c211 to your computer and use it in GitHub Desktop.
Another Android ssl certificate pinning bypass for various methods
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* Android ssl certificate pinning bypass script for various methods | |
by Maurizio Siddu | |
Run with: | |
frida -U -f [APP_ID] -l frida_multiple_unpinning.js --no-pause | |
*/ | |
setTimeout(function() { | |
Java.perform(function() { | |
console.log(''); | |
console.log('======'); | |
console.log('[#] Android Bypass for various Certificate Pinning methods [#]'); | |
console.log('======'); | |
var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager'); | |
var SSLContext = Java.use('javax.net.ssl.SSLContext'); | |
// TrustManager (Android < 7) // | |
//////////////////////////////// | |
var TrustManager = Java.registerClass({ | |
// Implement a custom TrustManager | |
name: 'dev.asd.test.TrustManager', | |
implements: [X509TrustManager], | |
methods: { | |
checkClientTrusted: function(chain, authType) {}, | |
checkServerTrusted: function(chain, authType) {}, | |
getAcceptedIssuers: function() {return []; } | |
} | |
}); | |
// Prepare the TrustManager array to pass to SSLContext.init() | |
var TrustManagers = [TrustManager.$new()]; | |
// Get a handle on the init() on the SSLContext class | |
var SSLContext_init = SSLContext.init.overload( | |
'[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom'); | |
try { | |
// Override the init method, specifying the custom TrustManager | |
SSLContext_init.implementation = function(keyManager, trustManager, secureRandom) { | |
console.log('[+] Bypassing Trustmanager (Android < 7) pinner'); | |
SSLContext_init.call(this, keyManager, TrustManagers, secureRandom); | |
}; | |
} catch (err) { | |
console.log('[-] TrustManager (Android < 7) pinner not found'); | |
//console.log(err); | |
} | |
// OkHTTPv3 (quadruple bypass) // | |
///////////////////////////////// | |
try { | |
// Bypass OkHTTPv3 {1} | |
var okhttp3_Activity_1 = Java.use('okhttp3.CertificatePinner'); | |
okhttp3_Activity_1.check.overload('java.lang.String', 'java.util.List').implementation = function(a, b) { | |
console.log('[+] Bypassing OkHTTPv3 {1}: ' + a); | |
return; | |
}; | |
} catch (err) { | |
console.log('[-] OkHTTPv3 {1} pinner not found'); | |
//console.log(err); | |
} | |
try { | |
// Bypass OkHTTPv3 {2} | |
// This method of CertificatePinner.check is deprecated but could be found in some old Android apps | |
var okhttp3_Activity_2 = Java.use('okhttp3.CertificatePinner'); | |
okhttp3_Activity_2.check.overload('java.lang.String', 'java.security.cert.Certificate').implementation = function(a, b) { | |
console.log('[+] Bypassing OkHTTPv3 {2}: ' + a); | |
return; | |
}; | |
} catch (err) { | |
console.log('[-] OkHTTPv3 {2} pinner not found'); | |
//console.log(err); | |
} | |
try { | |
// Bypass OkHTTPv3 {3} | |
var okhttp3_Activity_3 = Java.use('okhttp3.CertificatePinner'); | |
okhttp3_Activity_3.check.overload('java.lang.String', '[Ljava.security.cert.Certificate;').implementation = function(a, b) { | |
console.log('[+] Bypassing OkHTTPv3 {3}: ' + a); | |
return; | |
}; | |
} catch(err) { | |
console.log('[-] OkHTTPv3 {3} pinner not found'); | |
//console.log(err); | |
} | |
try { | |
// Bypass OkHTTPv3 {4} | |
var okhttp3_Activity_4 = Java.use('okhttp3.CertificatePinner'); | |
//okhttp3_Activity_4['check$okhttp'].implementation = function(a, b) { | |
okhttp3_Activity_4.check$okhttp.overload('java.lang.String', 'kotlin.jvm.functions.Function0').implementation = function(a, b) { | |
console.log('[+] Bypassing OkHTTPv3 {4}: ' + a); | |
return; | |
}; | |
} catch(err) { | |
console.log('[-] OkHTTPv3 {4} pinner not found'); | |
//console.log(err); | |
} | |
// Trustkit (triple bypass) // | |
////////////////////////////// | |
try { | |
// Bypass Trustkit {1} | |
var trustkit_Activity_1 = Java.use('com.datatheorem.android.trustkit.pinning.OkHostnameVerifier'); | |
trustkit_Activity_1.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function(a, b) { | |
console.log('[+] Bypassing Trustkit {1}: ' + a); | |
return true; | |
}; | |
} catch (err) { | |
console.log('[-] Trustkit {1} pinner not found'); | |
//console.log(err); | |
} | |
try { | |
// Bypass Trustkit {2} | |
var trustkit_Activity_2 = Java.use('com.datatheorem.android.trustkit.pinning.OkHostnameVerifier'); | |
trustkit_Activity_2.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function(a, b) { | |
console.log('[+] Bypassing Trustkit {2}: ' + a); | |
return true; | |
}; | |
} catch (err) { | |
console.log('[-] Trustkit {2} pinner not found'); | |
//console.log(err); | |
} | |
try { | |
// Bypass Trustkit {3} | |
var trustkit_PinningTrustManager = Java.use('com.datatheorem.android.trustkit.pinning.PinningTrustManager'); | |
trustkit_PinningTrustManager.checkServerTrusted.overload('[Ljava.security.cert.X509Certificate;', 'java.lang.String').implementation = function(chain, authType) { | |
console.log('[+] Bypassing Trustkit {3}'); | |
//return; | |
}; | |
} catch (err) { | |
console.log('[-] Trustkit {3} pinner not found'); | |
//console.log(err); | |
} | |
// TrustManagerImpl (Android > 7) // | |
//////////////////////////////////// | |
try { | |
// Bypass TrustManagerImpl (Android > 7) {1} | |
var array_list = Java.use("java.util.ArrayList"); | |
var TrustManagerImpl_Activity_1 = Java.use('com.android.org.conscrypt.TrustManagerImpl'); | |
TrustManagerImpl_Activity_1.checkTrustedRecursive.implementation = function(certs, ocspData, tlsSctData, host, clientAuth, untrustedChain, trustAnchorChain, used) { | |
console.log('[+] Bypassing TrustManagerImpl (Android > 7) checkTrustedRecursive check: '+ host); | |
return array_list.$new(); | |
}; | |
} catch (err) { | |
console.log('[-] TrustManagerImpl (Android > 7) checkTrustedRecursive check not found'); | |
//console.log(err); | |
} | |
try { | |
// Bypass TrustManagerImpl (Android > 7) {2} (probably no more necessary) | |
var TrustManagerImpl_Activity_2 = Java.use('com.android.org.conscrypt.TrustManagerImpl'); | |
TrustManagerImpl_Activity_2.verifyChain.implementation = function(untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) { | |
console.log('[+] Bypassing TrustManagerImpl (Android > 7) verifyChain check: ' + host); | |
return untrustedChain; | |
}; | |
} catch (err) { | |
console.log('[-] TrustManagerImpl (Android > 7) verifyChain check not found'); | |
//console.log(err); | |
} | |
// Appcelerator Titanium PinningTrustManager // | |
/////////////////////////////////////////////// | |
try { | |
var appcelerator_PinningTrustManager = Java.use('appcelerator.https.PinningTrustManager'); | |
appcelerator_PinningTrustManager.checkServerTrusted.implementation = function(chain, authType) { | |
console.log('[+] Bypassing Appcelerator PinningTrustManager'); | |
return; | |
}; | |
} catch (err) { | |
console.log('[-] Appcelerator PinningTrustManager pinner not found'); | |
//console.log(err); | |
} | |
// Fabric PinningTrustManager // | |
//////////////////////////////// | |
try { | |
var fabric_PinningTrustManager = Java.use('io.fabric.sdk.android.services.network.PinningTrustManager'); | |
fabric_PinningTrustManager.checkServerTrusted.implementation = function(chain, authType) { | |
console.log('[+] Bypassing Fabric PinningTrustManager'); | |
return; | |
}; | |
} catch (err) { | |
console.log('[-] Fabric PinningTrustManager pinner not found'); | |
//console.log(err); | |
} | |
// OpenSSLSocketImpl Conscrypt (double bypass) // | |
///////////////////////////////////////////////// | |
try { | |
var OpenSSLSocketImpl = Java.use('com.android.org.conscrypt.OpenSSLSocketImpl'); | |
OpenSSLSocketImpl.verifyCertificateChain.implementation = function(certRefs, JavaObject, authMethod) { | |
console.log('[+] Bypassing OpenSSLSocketImpl Conscrypt {1}'); | |
}; | |
} catch (err) { | |
console.log('[-] OpenSSLSocketImpl Conscrypt {1} pinner not found'); | |
//console.log(err); | |
} | |
try { | |
var OpenSSLSocketImpl = Java.use('com.android.org.conscrypt.OpenSSLSocketImpl'); | |
OpenSSLSocketImpl.verifyCertificateChain.implementation = function(certChain, authMethod) { | |
console.log('[+] Bypassing OpenSSLSocketImpl Conscrypt {2}'); | |
}; | |
} catch (err) { | |
console.log('[-] OpenSSLSocketImpl Conscrypt {2} pinner not found'); | |
//console.log(err); | |
} | |
// OpenSSLEngineSocketImpl Conscrypt // | |
/////////////////////////////////////// | |
try { | |
var OpenSSLEngineSocketImpl_Activity = Java.use('com.android.org.conscrypt.OpenSSLEngineSocketImpl'); | |
OpenSSLEngineSocketImpl_Activity.verifyCertificateChain.overload('[Ljava.lang.Long;', 'java.lang.String').implementation = function(a, b) { | |
console.log('[+] Bypassing OpenSSLEngineSocketImpl Conscrypt: ' + b); | |
}; | |
} catch (err) { | |
console.log('[-] OpenSSLEngineSocketImpl Conscrypt pinner not found'); | |
//console.log(err); | |
} | |
// OpenSSLSocketImpl Apache Harmony // | |
////////////////////////////////////// | |
try { | |
var OpenSSLSocketImpl_Harmony = Java.use('org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl'); | |
OpenSSLSocketImpl_Harmony.verifyCertificateChain.implementation = function(asn1DerEncodedCertificateChain, authMethod) { | |
console.log('[+] Bypassing OpenSSLSocketImpl Apache Harmony'); | |
}; | |
} catch (err) { | |
console.log('[-] OpenSSLSocketImpl Apache Harmony pinner not found'); | |
//console.log(err); | |
} | |
// PhoneGap sslCertificateChecker // | |
//////////////////////////////////// | |
try { | |
var phonegap_Activity = Java.use('nl.xservices.plugins.sslCertificateChecker'); | |
phonegap_Activity.execute.overload('java.lang.String', 'org.json.JSONArray', 'org.apache.cordova.CallbackContext').implementation = function(a, b, c) { | |
console.log('[+] Bypassing PhoneGap sslCertificateChecker: ' + a); | |
return true; | |
}; | |
} catch (err) { | |
console.log('[-] PhoneGap sslCertificateChecker pinner not found'); | |
//console.log(err); | |
} | |
// IBM MobileFirst pinTrustedCertificatePublicKey (double bypass) // | |
//////////////////////////////////////////////////////////////////// | |
try { | |
// Bypass IBM MobileFirst {1} | |
var WLClient_Activity_1 = Java.use('com.worklight.wlclient.api.WLClient'); | |
WLClient_Activity_1.getInstance().pinTrustedCertificatePublicKey.overload('java.lang.String').implementation = function(cert) { | |
console.log('[+] Bypassing IBM MobileFirst pinTrustedCertificatePublicKey {1}: ' + cert); | |
return; | |
}; | |
} catch (err) { | |
console.log('[-] IBM MobileFirst pinTrustedCertificatePublicKey {1} pinner not found'); | |
//console.log(err); | |
} | |
try { | |
// Bypass IBM MobileFirst {2} | |
var WLClient_Activity_2 = Java.use('com.worklight.wlclient.api.WLClient'); | |
WLClient_Activity_2.getInstance().pinTrustedCertificatePublicKey.overload('[Ljava.lang.String;').implementation = function(cert) { | |
console.log('[+] Bypassing IBM MobileFirst pinTrustedCertificatePublicKey {2}: ' + cert); | |
return; | |
}; | |
} catch (err) { | |
console.log('[-] IBM MobileFirst pinTrustedCertificatePublicKey {2} pinner not found'); | |
//console.log(err); | |
} | |
// IBM WorkLight (ancestor of MobileFirst) HostNameVerifierWithCertificatePinning (quadruple bypass) // | |
/////////////////////////////////////////////////////////////////////////////////////////////////////// | |
try { | |
// Bypass IBM WorkLight {1} | |
var worklight_Activity_1 = Java.use('com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning'); | |
worklight_Activity_1.verify.overload('java.lang.String', 'javax.net.ssl.SSLSocket').implementation = function(a, b) { | |
console.log('[+] Bypassing IBM WorkLight HostNameVerifierWithCertificatePinning {1}: ' + a); | |
return; | |
}; | |
} catch (err) { | |
console.log('[-] IBM WorkLight HostNameVerifierWithCertificatePinning {1} pinner not found'); | |
//console.log(err); | |
} | |
try { | |
// Bypass IBM WorkLight {2} | |
var worklight_Activity_2 = Java.use('com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning'); | |
worklight_Activity_2.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function(a, b) { | |
console.log('[+] Bypassing IBM WorkLight HostNameVerifierWithCertificatePinning {2}: ' + a); | |
return; | |
}; | |
} catch (err) { | |
console.log('[-] IBM WorkLight HostNameVerifierWithCertificatePinning {2} pinner not found'); | |
//console.log(err); | |
} | |
try { | |
// Bypass IBM WorkLight {3} | |
var worklight_Activity_3 = Java.use('com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning'); | |
worklight_Activity_3.verify.overload('java.lang.String', '[Ljava.lang.String;', '[Ljava.lang.String;').implementation = function(a, b) { | |
console.log('[+] Bypassing IBM WorkLight HostNameVerifierWithCertificatePinning {3}: ' + a); | |
return; | |
}; | |
} catch (err) { | |
console.log('[-] IBM WorkLight HostNameVerifierWithCertificatePinning {3} pinner not found'); | |
//console.log(err); | |
} | |
try { | |
// Bypass IBM WorkLight {4} | |
var worklight_Activity_4 = Java.use('com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning'); | |
worklight_Activity_4.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function(a, b) { | |
console.log('[+] Bypassing IBM WorkLight HostNameVerifierWithCertificatePinning {4}: ' + a); | |
return true; | |
}; | |
} catch (err) { | |
console.log('[-] IBM WorkLight HostNameVerifierWithCertificatePinning {4} pinner not found'); | |
//console.log(err); | |
} | |
// Conscrypt CertPinManager // | |
////////////////////////////// | |
try { | |
var conscrypt_CertPinManager_Activity = Java.use('com.android.org.conscrypt.CertPinManager'); | |
conscrypt_CertPinManager_Activity.checkChainPinning.overload('java.lang.String', 'java.util.List').implementation = function(a, b) { | |
console.log('[+] Bypassing Conscrypt CertPinManager: ' + a); | |
//return; | |
return true; | |
}; | |
} catch (err) { | |
console.log('[-] Conscrypt CertPinManager pinner not found'); | |
//console.log(err); | |
} | |
// Conscrypt CertPinManager (Legacy) // | |
/////////////////////////////////////// | |
try { | |
var legacy_conscrypt_CertPinManager_Activity = Java.use('com.android.org.conscrypt.CertPinManager'); | |
legacy_conscrypt_CertPinManager_Activity.isChainValid.overload('java.lang.String', 'java.util.List').implementation = function(a, b) { | |
console.log('[+] Bypassing Conscrypt CertPinManager (Legacy): ' + a); | |
return true; | |
}; | |
} catch (err) { | |
console.log('[-] Conscrypt CertPinManager (Legacy) pinner not found'); | |
//console.log(err); | |
} | |
// CWAC-Netsecurity (unofficial back-port pinner for Android<4.2) CertPinManager // | |
/////////////////////////////////////////////////////////////////////////////////// | |
try { | |
var cwac_CertPinManager_Activity = Java.use('com.commonsware.cwac.netsecurity.conscrypt.CertPinManager'); | |
cwac_CertPinManager_Activity.isChainValid.overload('java.lang.String', 'java.util.List').implementation = function(a, b) { | |
console.log('[+] Bypassing CWAC-Netsecurity CertPinManager: ' + a); | |
return true; | |
}; | |
} catch (err) { | |
console.log('[-] CWAC-Netsecurity CertPinManager pinner not found'); | |
//console.log(err); | |
} | |
// Worklight Androidgap WLCertificatePinningPlugin // | |
///////////////////////////////////////////////////// | |
try { | |
var androidgap_WLCertificatePinningPlugin_Activity = Java.use('com.worklight.androidgap.plugin.WLCertificatePinningPlugin'); | |
androidgap_WLCertificatePinningPlugin_Activity.execute.overload('java.lang.String', 'org.json.JSONArray', 'org.apache.cordova.CallbackContext').implementation = function(a, b, c) { | |
console.log('[+] Bypassing Worklight Androidgap WLCertificatePinningPlugin: ' + a); | |
return true; | |
}; | |
} catch (err) { | |
console.log('[-] Worklight Androidgap WLCertificatePinningPlugin pinner not found'); | |
//console.log(err); | |
} | |
// Netty FingerprintTrustManagerFactory // | |
////////////////////////////////////////// | |
try { | |
var netty_FingerprintTrustManagerFactory = Java.use('io.netty.handler.ssl.util.FingerprintTrustManagerFactory'); | |
//NOTE: sometimes this below implementation could be useful | |
//var netty_FingerprintTrustManagerFactory = Java.use('org.jboss.netty.handler.ssl.util.FingerprintTrustManagerFactory'); | |
netty_FingerprintTrustManagerFactory.checkTrusted.implementation = function(type, chain) { | |
console.log('[+] Bypassing Netty FingerprintTrustManagerFactory'); | |
}; | |
} catch (err) { | |
console.log('[-] Netty FingerprintTrustManagerFactory pinner not found'); | |
//console.log(err); | |
} | |
// Squareup CertificatePinner [OkHTTP<v3] (double bypass) // | |
//////////////////////////////////////////////////////////// | |
try { | |
// Bypass Squareup CertificatePinner {1} | |
var Squareup_CertificatePinner_Activity_1 = Java.use('com.squareup.okhttp.CertificatePinner'); | |
Squareup_CertificatePinner_Activity_1.check.overload('java.lang.String', 'java.security.cert.Certificate').implementation = function(a, b) { | |
console.log('[+] Bypassing Squareup CertificatePinner {1}: ' + a); | |
return; | |
}; | |
} catch (err) { | |
console.log('[-] Squareup CertificatePinner {1} pinner not found'); | |
//console.log(err); | |
} | |
try { | |
// Bypass Squareup CertificatePinner {2} | |
var Squareup_CertificatePinner_Activity_2 = Java.use('com.squareup.okhttp.CertificatePinner'); | |
Squareup_CertificatePinner_Activity_2.check.overload('java.lang.String', 'java.util.List').implementation = function(a, b) { | |
console.log('[+] Bypassing Squareup CertificatePinner {2}: ' + a); | |
return; | |
}; | |
} catch (err) { | |
console.log('[-] Squareup CertificatePinner {2} pinner not found'); | |
//console.log(err); | |
} | |
// Squareup OkHostnameVerifier [OkHTTP v3] (double bypass) // | |
///////////////////////////////////////////////////////////// | |
try { | |
// Bypass Squareup OkHostnameVerifier {1} | |
var Squareup_OkHostnameVerifier_Activity_1 = Java.use('com.squareup.okhttp.internal.tls.OkHostnameVerifier'); | |
Squareup_OkHostnameVerifier_Activity_1.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function(a, b) { | |
console.log('[+] Bypassing Squareup OkHostnameVerifier {1}: ' + a); | |
return true; | |
}; | |
} catch (err) { | |
console.log('[-] Squareup OkHostnameVerifier check not found'); | |
//console.log(err); | |
} | |
try { | |
// Bypass Squareup OkHostnameVerifier {2} | |
var Squareup_OkHostnameVerifier_Activity_2 = Java.use('com.squareup.okhttp.internal.tls.OkHostnameVerifier'); | |
Squareup_OkHostnameVerifier_Activity_2.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function(a, b) { | |
console.log('[+] Bypassing Squareup OkHostnameVerifier {2}: ' + a); | |
return true; | |
}; | |
} catch (err) { | |
console.log('[-] Squareup OkHostnameVerifier check not found'); | |
//console.log(err); | |
} | |
// Android WebViewClient (quadruple bypass) // | |
////////////////////////////////////////////// | |
try { | |
// Bypass WebViewClient {1} (deprecated from Android 6) | |
var AndroidWebViewClient_Activity_1 = Java.use('android.webkit.WebViewClient'); | |
AndroidWebViewClient_Activity_1.onReceivedSslError.overload('android.webkit.WebView', 'android.webkit.SslErrorHandler', 'android.net.http.SslError').implementation = function(obj1, obj2, obj3) { | |
console.log('[+] Bypassing Android WebViewClient check {1}'); | |
}; | |
} catch (err) { | |
console.log('[-] Android WebViewClient {1} check not found'); | |
//console.log(err) | |
} | |
try { | |
// Bypass WebViewClient {2} | |
var AndroidWebViewClient_Activity_2 = Java.use('android.webkit.WebViewClient'); | |
AndroidWebViewClient_Activity_2.onReceivedSslError.overload('android.webkit.WebView', 'android.webkit.WebResourceRequest', 'android.webkit.WebResourceError').implementation = function(obj1, obj2, obj3) { | |
console.log('[+] Bypassing Android WebViewClient check {2}'); | |
}; | |
} catch (err) { | |
console.log('[-] Android WebViewClient {2} check not found'); | |
//console.log(err) | |
} | |
try { | |
// Bypass WebViewClient {3} | |
var AndroidWebViewClient_Activity_3 = Java.use('android.webkit.WebViewClient'); | |
AndroidWebViewClient_Activity_3.onReceivedError.overload('android.webkit.WebView', 'int', 'java.lang.String', 'java.lang.String').implementation = function(obj1, obj2, obj3, obj4) { | |
console.log('[+] Bypassing Android WebViewClient check {3}'); | |
}; | |
} catch (err) { | |
console.log('[-] Android WebViewClient {3} check not found'); | |
//console.log(err) | |
} | |
try { | |
// Bypass WebViewClient {4} | |
var AndroidWebViewClient_Activity_4 = Java.use('android.webkit.WebViewClient'); | |
AndroidWebViewClient_Activity_4.onReceivedError.overload('android.webkit.WebView', 'android.webkit.WebResourceRequest', 'android.webkit.WebResourceError').implementation = function(obj1, obj2, obj3) { | |
console.log('[+] Bypassing Android WebViewClient check {4}'); | |
}; | |
} catch (err) { | |
console.log('[-] Android WebViewClient {4} check not found'); | |
//console.log(err) | |
} | |
// Apache Cordova WebViewClient // | |
////////////////////////////////// | |
try { | |
var CordovaWebViewClient_Activity = Java.use('org.apache.cordova.CordovaWebViewClient'); | |
CordovaWebViewClient_Activity.onReceivedSslError.overload('android.webkit.WebView', 'android.webkit.SslErrorHandler', 'android.net.http.SslError').implementation = function(obj1, obj2, obj3) { | |
console.log('[+] Bypassing Apache Cordova WebViewClient check'); | |
obj3.proceed(); | |
}; | |
} catch (err) { | |
console.log('[-] Apache Cordova WebViewClient check not found'); | |
//console.log(err); | |
} | |
// Boye AbstractVerifier // | |
/////////////////////////// | |
try { | |
var boye_AbstractVerifier = Java.use('ch.boye.httpclientandroidlib.conn.ssl.AbstractVerifier'); | |
boye_AbstractVerifier.verify.implementation = function(host, ssl) { | |
console.log('[+] Bypassing Boye AbstractVerifier check: ' + host); | |
}; | |
} catch (err) { | |
console.log('[-] Boye AbstractVerifier check not found'); | |
//console.log(err); | |
} | |
// Apache AbstractVerifier // | |
///////////////////////////// | |
try { | |
var apache_AbstractVerifier = Java.use('org.apache.http.conn.ssl.AbstractVerifier'); | |
apache_AbstractVerifier.verify.implementation = function(a, b, c, d) { | |
console.log('[+] Bypassing Apache AbstractVerifier check: ' + a); | |
return; | |
}; | |
} catch (err) { | |
console.log('[-] Apache AbstractVerifier check not found'); | |
//console.log(err); | |
} | |
// Chromium Cronet // | |
///////////////////// | |
try { | |
var CronetEngineBuilderImpl_Activity = Java.use("org.chromium.net.impl.CronetEngineBuilderImpl"); | |
// Setting argument to TRUE (default is TRUE) to disable Public Key pinning for local trust anchors | |
CronetEngine_Activity.enablePublicKeyPinningBypassForLocalTrustAnchors.overload('boolean').implementation = function(a) { | |
console.log("[+] Disabling Public Key pinning for local trust anchors in Chromium Cronet"); | |
var cronet_obj_1 = CronetEngine_Activity.enablePublicKeyPinningBypassForLocalTrustAnchors.call(this, true); | |
return cronet_obj_1; | |
}; | |
// Bypassing Chromium Cronet pinner | |
CronetEngine_Activity.addPublicKeyPins.overload('java.lang.String', 'java.util.Set', 'boolean', 'java.util.Date').implementation = function(hostName, pinsSha256, includeSubdomains, expirationDate) { | |
console.log("[+] Bypassing Chromium Cronet pinner: " + hostName); | |
var cronet_obj_2 = CronetEngine_Activity.addPublicKeyPins.call(this, hostName, pinsSha256, includeSubdomains, expirationDate); | |
return cronet_obj_2; | |
}; | |
} catch (err) { | |
console.log('[-] Chromium Cronet pinner not found') | |
//console.log(err); | |
} | |
// Flutter Pinning packages http_certificate_pinning and ssl_pinning_plugin (double bypass) // | |
////////////////////////////////////////////////////////////////////////////////////////////// | |
try { | |
// Bypass HttpCertificatePinning.check {1} | |
var HttpCertificatePinning_Activity = Java.use('diefferson.http_certificate_pinning.HttpCertificatePinning'); | |
HttpCertificatePinning_Activity.checkConnexion.overload("java.lang.String", "java.util.List", "java.util.Map", "int", "java.lang.String").implementation = function (a, b, c ,d, e) { | |
console.log('[+] Bypassing Flutter HttpCertificatePinning : ' + a); | |
return true; | |
}; | |
} catch (err) { | |
console.log('[-] Flutter HttpCertificatePinning pinner not found'); | |
//console.log(err); | |
} | |
try { | |
// Bypass SslPinningPlugin.check {2} | |
var SslPinningPlugin_Activity = Java.use('com.macif.plugin.sslpinningplugin.SslPinningPlugin'); | |
SslPinningPlugin_Activity.checkConnexion.overload("java.lang.String", "java.util.List", "java.util.Map", "int", "java.lang.String").implementation = function (a, b, c ,d, e) { | |
console.log('[+] Bypassing Flutter SslPinningPlugin: ' + a); | |
return true; | |
}; | |
} catch (err) { | |
console.log('[-] Flutter SslPinningPlugin pinner not found'); | |
//console.log(err); | |
} | |
// Dynamic SSLPeerUnverifiedException Patcher // | |
// An useful technique to bypass SSLPeerUnverifiedException failures raising // | |
// when the Android app uses some uncommon SSL Pinning methods or an heavily // | |
// code obfuscation. Inspired by an idea of: https://github.com/httptoolkit // | |
/////////////////////////////////////////////////////////////////////////////// | |
function rudimentaryFix(typeName) { | |
// This is a improvable rudimentary fix, if not works you can patch it manually | |
if (typeName === undefined){ | |
return; | |
} else if (typeName === 'boolean') { | |
return true; | |
} else { | |
return null; | |
} | |
} | |
try { | |
var UnverifiedCertError = Java.use('javax.net.ssl.SSLPeerUnverifiedException'); | |
UnverifiedCertError.$init.implementation = function (str) { | |
console.log('\x1b[36m[!] Unexpected SSLPeerUnverifiedException occurred, trying to patch it dynamically...\x1b[0m'); | |
try { | |
var stackTrace = Java.use('java.lang.Thread').currentThread().getStackTrace(); | |
var exceptionStackIndex = stackTrace.findIndex(stack => | |
stack.getClassName() === "javax.net.ssl.SSLPeerUnverifiedException" | |
); | |
// Retrieve the method raising the SSLPeerUnverifiedException | |
var callingFunctionStack = stackTrace[exceptionStackIndex + 1]; | |
var className = callingFunctionStack.getClassName(); | |
var methodName = callingFunctionStack.getMethodName(); | |
var callingClass = Java.use(className); | |
var callingMethod = callingClass[methodName]; | |
console.log('\x1b[36m[!] Attempting to bypass uncommon SSL Pinning method on: '+className+'.'+methodName+'\x1b[0m'); | |
// Skip it when already patched by Frida | |
if (callingMethod.implementation) { | |
return; | |
} | |
// Trying to patch the uncommon SSL Pinning method via implementation | |
var returnTypeName = callingMethod.returnType.type; | |
callingMethod.implementation = function() { | |
rudimentaryFix(returnTypeName); | |
}; | |
} catch (e) { | |
// Dynamic patching via implementation does not works, then trying via function overloading | |
//console.log('[!] The uncommon SSL Pinning method has more than one overload); | |
if (String(e).includes(".overload")) { | |
var splittedList = String(e).split(".overload"); | |
for (let i=2; i<splittedList.length; i++) { | |
var extractedOverload = splittedList[i].trim().split("(")[1].slice(0,-1).replaceAll("'",""); | |
// Check if extractedOverload has multiple arguments | |
if (extractedOverload.includes(",")) { | |
// Go here if overloaded method has multiple arguments (NOTE: max 6 args are covered here) | |
var argList = extractedOverload.split(", "); | |
console.log('\x1b[36m[!] Attempting overload of '+className+'.'+methodName+' with arguments: '+extractedOverload+'\x1b[0m'); | |
if (argList.length == 2) { | |
callingMethod.overload(argList[0], argList[1]).implementation = function(a,b) { | |
rudimentaryFix(returnTypeName); | |
} | |
} else if (argNum == 3) { | |
callingMethod.overload(argList[0], argList[1], argList[2]).implementation = function(a,b,c) { | |
rudimentaryFix(returnTypeName); | |
} | |
} else if (argNum == 4) { | |
callingMethod.overload(argList[0], argList[1], argList[2], argList[3]).implementation = function(a,b,c,d) { | |
rudimentaryFix(returnTypeName); | |
} | |
} else if (argNum == 5) { | |
callingMethod.overload(argList[0], argList[1], argList[2], argList[3], argList[4]).implementation = function(a,b,c,d,e) { | |
rudimentaryFix(returnTypeName); | |
} | |
} else if (argNum == 6) { | |
callingMethod.overload(argList[0], argList[1], argList[2], argList[3], argList[4], argList[5]).implementation = function(a,b,c,d,e,f) { | |
rudimentaryFix(returnTypeName); | |
} | |
} | |
// Go here if overloaded method has a single argument | |
} else { | |
callingMethod.overload(extractedOverload).implementation = function(a) { | |
rudimentaryFix(returnTypeName); | |
} | |
} | |
} | |
} else { | |
console.log('\x1b[36m[-] Failed to dynamically patch SSLPeerUnverifiedException '+e+'\x1b[0m'); | |
} | |
} | |
//console.log('\x1b[36m[+] SSLPeerUnverifiedException hooked\x1b[0m'); | |
return this.$init(str); | |
}; | |
} catch (err) { | |
//console.log('\x1b[36m[-] SSLPeerUnverifiedException not found\x1b[0m'); | |
//console.log('\x1b[36m'+err+'\x1b[0m'); | |
} | |
}); | |
}, 0); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment