SSL Pinning Bypass Using Frida
Hello everyone. Today I will take you through one of the APK vulnerabilities: how to bypass SSL pinning.
Check out my previous blogs on how to install frida-tools, ADB and all the other prerequisites needed to get started with these vulnerabilities.
What is SSL Pinning?
SSL (Secure Sockets Layer) certificate pinning, or pinning for short, is the process of associating a host with its certificate or public key. Once you know a host's certificate or public key, you pin it to that host.
SSL certificate pinning is a technique designed to prevent dangerous and complex security attacks. This security measure pins the identity of trustworthy certificates in the mobile app and rejects unknown certificates presented by suspicious servers.
How to bypass SSL pinning with Frida?
1) Rooted device or emulator.
2) Platform tools (ADB).
3) Connect the device to ADB.
4) Frida server setup.
5) Inject the script to bypass SSL pinning.
Let's get started with how to bypass SSL pinning.
Step 1: Write the script in Python and save it as "SCRIPT_NAME.py".
setTimeout(function () {
    Java.perform(function () {
        console.log("");
        console.log("[.] Cert Pinning Bypass/Re-Pinning");

        // Java classes we need, resolved inside the app's VM
        var CertificateFactory = Java.use("java.security.cert.CertificateFactory");
        var FileInputStream = Java.use("java.io.FileInputStream");
        var BufferedInputStream = Java.use("java.io.BufferedInputStream");
        var X509Certificate = Java.use("java.security.cert.X509Certificate");
        var KeyStore = Java.use("java.security.KeyStore");
        var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");
        var SSLContext = Java.use("javax.net.ssl.SSLContext");

        // Load CAs from an InputStream
        console.log("[+] Loading our CA...");
        var cf = CertificateFactory.getInstance("X.509");
        var fileInputStream;
        try {
            fileInputStream = FileInputStream.$new("/data/local/tmp/cert-der.crt");
        } catch (err) {
            // No CA file on the device: report it and stop instead of failing later
            console.log("[o] " + err);
            return;
        }
        var bufferedInputStream = BufferedInputStream.$new(fileInputStream);
        var ca = cf.generateCertificate(bufferedInputStream);
        bufferedInputStream.close();
        var certInfo = Java.cast(ca, X509Certificate);
        console.log("[o] Our CA Info: " + certInfo.getSubjectDN());

        // Create a KeyStore containing our trusted CAs
        console.log("[+] Creating a KeyStore for our CA...");
        var keyStoreType = KeyStore.getDefaultType();
        var keyStore = KeyStore.getInstance(keyStoreType);
        keyStore.load(null, null);
        keyStore.setCertificateEntry("ca", ca);

        // Create a TrustManager that trusts the CAs in our KeyStore
        console.log("[+] Creating a TrustManager that trusts the CA in our KeyStore...");
        var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        var tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
        tmf.init(keyStore);
        console.log("[+] Our TrustManager is ready...");

        // Hook SSLContext.init(KeyManager[], TrustManager[], SecureRandom) and swap in our TrustManagers
        console.log("[+] Hijacking SSLContext methods now...");
        console.log("[-] Waiting for the app to invoke SSLContext.init()...");
        SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").implementation = function (a, b, c) {
            console.log("[o] App invoked javax.net.ssl.SSLContext.init...");
            // Keep the app's KeyManagers (a) and SecureRandom (c); replace its TrustManagers (b) with ours
            SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").call(this, a, tmf.getTrustManagers(), c);
            console.log("[+] SSLContext initialized with our custom TrustManager!");
        };
    });
}, 0);
Step 2: Push the script to the Android device via ADB (see my previous blog).
Step 3: Run Frida with the script to execute the SSL pinning bypass:
frida -U -f PACKAGE_NAME -l SCRIPT_NAME.py
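As an added example that is not from the original post, this is the app-side code the hook above targets: a pinning X509TrustManager (the class name and layout are my assumptions) that checks the leaf certificate's SPKI SHA-256 after the platform's normal chain validation and is then handed to SSLContext.init, the exact call the script intercepts.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64; // java.util.Base64 needs API 26+; use android.util.Base64 below that
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Hypothetical app class: pins the server's leaf public key (base64 SHA-256 of its DER
// SubjectPublicKeyInfo, the pin format OkHttp and HPKP use) on top of ordinary chain validation.
public final class PinningTrustManager implements X509TrustManager {
    private final X509TrustManager platformTm;  // system TrustManager: does the PKI chain check
    private final Set<String> pinnedSpkiSha256; // expected pins, shipped with the app

    public PinningTrustManager(X509TrustManager platformTm, Set<String> pins) {
        this.platformTm = platformTm;
        this.pinnedSpkiSha256 = pins;
    }
    // SPKI pin of one certificate: base64(SHA-256(DER SubjectPublicKeyInfo)).
    static String spkiSha256(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platformTm.checkServerTrusted(chain, authType); // 1. normal validation against the trust store
        String actual = spkiSha256(chain[0]);           // 2. then the pin check on the leaf
        if (!pinnedSpkiSha256.contains(actual)) {
            throw new CertificateException("Certificate pin mismatch for leaf: " + actual);
        }
    }
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platformTm.checkClientTrusted(chain, authType);
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return platformTm.getAcceptedIssuers(); }

    // The call the Frida script hooks: the pinning TrustManager is passed as the second argument.
    public static SSLContext pinnedContext(X509TrustManager platformTm, Set<String> pins) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinningTrustManager(platformTm, pins) }, null);
        return ctx;
    }
}
```

Because the app passes this TrustManager as the second argument of init, the hook replaces it with one built from the pushed CA and the pin check in checkServerTrusted never runs. Pins that the HTTP client enforces after the handshake (for example OkHttp's CertificatePinner) sit outside that call and are not touched by this script.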
THANK YOU FOR READING… DO HIT LIKE AND CLAP THE BLOG :)