Shulou(Shulou.com)06/01 Report--

This article mainly introduces "how to use the Frida framework to bypass the SSL Pinning of Android applications". In daily operations, I believe many people have doubts about how to use the Frida framework to bypass the SSL Pinning of Android applications. Xiaobian consulted all kinds of materials and sorted out simple and easy-to-use operation methods. I hope it will be helpful to answer the doubts of "how to use the Frida framework to bypass the SSL Pinning of Android applications". Next, please follow the editor to study!

Hello everyone! In this article, I will explain in detail how to use the frida framework to bypass the SSL pinning of Android applications.

The following is what will be covered in this article:

Introduction to Frida and SSL pinning

Request

Setup and installation

Frida server settings

Set up BurpSuite

CA certificate of the push agent:

Script injection bypassing SSL pinning

Overview of steps

Troubleshooting

Introduction to Frida and SSL pinning

What is Frida?

This is what the Frida official website says:

It's a kind of oil monkey plug-in for native APP, and in more technical terms, it's a dynamic code detection toolkit. It allows you to inject JavaScript snippets or your own libraries into APP in Windows, or into APP in macOS,GNU/Linux,iOS,Android and QNX. Frida also provides some simple tools built on top of Frida. You can use these tools directly, adjust them to your own needs, or serve as examples of how to use API.

In short, Frida is a tool that allows you to inject scripts into local APP (in this case we'll be injected into Android APP) to modify APP's behavior (in this case, we can bypass ssl pinning and perform man-in-the-middle attacks, even if APP uses a HTTPS/SSL connection) and dynamically test it in real time.

Today, most applications have implemented SSL pinning in their mobile applications. Why is that? Let's think about a problem, suppose we want to exchange some data securely between the device and the server. Will SSL transport layer encryption make data transmission secure and reliable? Before data transfer, if the server's SSL certificate matches the requested hostname and trusted root certificate, the client checks the certificate.

It does not guarantee that the certificate provided is the actual certificate provided by the server for the requested host name. Therefore, relying on the trusted storage certificate of the device does not make the data transfer "secure".

Certificate locking (Certificate pinning) is a hard-coded certificate that the remote server trusts in the application itself, so it ignores the device certificate store and trusts its own hard-coded certificate, which is used by further applications to "securely" communicate with the remote server.

When we dynamically analyze HTTP requests from most mobile applications, SSL pinning bypass is a major step that needs to be done, because nowadays organizations are paying more attention to data privacy and secure data transmission over the network, such as threats from man-in-the-middle attacks.

Frida is a framework that injects scripts into native applications to manipulate the application's logic at runtime, a more dynamic approach that can be used for penetration testing tasks for mobile applications.

Request

We need to make some settings before we start using it, which may take some time for the first time, but it will be easy after that. If you have a problem at any step, you can refer to the "troubleshooting" section at the end of the article. It is recommended that you save all downloads in one folder.

i. Devices / emulators that have been root:

We need a root device or emulator because we need to inject the script into the root directory of the device. I am using genymotion. Genymotion is very easy to set up and use, you can download it here.

Once the genymotion installation is complete, we need to install an Android device (Android 7 +). I will use the "Google pixel XL" device with the following configuration.

II. Python frida package installation:

Install Python for Windows from here.

We need to install some python packages for the frida server. Enter the following command in the terminal:

Python-m pip install Fridapython-m pip install objectionpython-m pip install frida-toolsorpip install Fridapip install objectionpip install frida-toolsIII. Platform tools (adb):

Download the platform tools for Windows from here.

iv. Download the injection script:

Download the injection script that we will push to the device to inject the target application from here.

Or you can save this code as fridascript.js in the same folder as adb.

/ * Android SSL Re-pinning frida script v0.2 030417 adb push burpca-cert-der.crt / data/local/tmp/cert-der.crt$ frida- U-f it.app.mobile-l frida-android-repinning.js-- no-pause https://techblog.mediaservice.net/2017/07/universal-android-ssl-pinning-bypass-with-frida/UPDATE 20191605: Fixed undeclared var. Thanks to @ oleavr and @ ehsanpc9999! * / setTimeout (function () {Java.perform (function () {console.log ("); console.log (" [.] Cert Pinning Bypass/Re-Pinning "); var CertificateFactory = Java.use (" java.security.cert.CertificateFactory "); var FileInputStream = Java.use (" java.io.FileInputStream "); var BufferedInputStream = Java.use (" java.io.BufferedInputStream "); var X509Certificate = Java.use (" java.security.cert.X509Certificate "); var KeyStore = Java.use (" java.security.KeyStore "); var TrustManagerFactory = Java.use (" javax.net.ssl.TrustManagerFactory "); var SSLContext = Java.use (" javax.net.ssl.SSLContext ") / / Load CAs from an InputStreamconsole.log ("[+] Loading our CA...") var cf = CertificateFactory.getInstance ("X.509"); try {var fileInputStream = FileInputStream.$new ("/ data/local/tmp/cert-der.crt");} catch (err) {console.log ("[o]" + err);} var bufferedInputStream = BufferedInputStream.$new (fileInputStream); var ca = cf.generateCertificate (bufferedInputStream); bufferedInputStream.close (); var certInfo = Java.cast (ca, X509Certificate) Console.log ("[o] Our CA Info:" + certInfo.getSubjectDN ()); / / Create a KeyStore containing our trusted CAsconsole.log ("[+] Creating a KeyStore for our CA..."); var keyStoreType = KeyStore.getDefaultType (); var keyStore = KeyStore.getInstance (keyStoreType); keyStore.load (null, null); keyStore.setCertificateEntry ("ca", ca); / / Create a TrustManager that trusts the CAs in our KeyStoreconsole.log ("[+] Creating a TrustManager that trusts the CA in our KeyStore...") Var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm (); var tmf = TrustManagerFactory.getInstance (tmfAlgorithm); tmf.init (keyStore); console.log ("[+] Our TrustManager is ready..."); console.log ("[+] Hijacking SSLContext methods now...") console.log ("[-] Waiting for the app to invoke SSLContext.init ()") SSLContext.init.overload ("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager") "," java.security.SecureRandom "). Implementation = function (" [o] App invoked javax.net.ssl.SSLContext.init... ") {console.log (" [o] App invoked javax.net.ssl.SSLContext.init... "); SSLContext.init.overload (" [Ljavax.net.ssl.KeyManager; "," [Ljavax.net.ssl.TrustManager; "," java.security.SecureRandom ") .call (this, a, tmf.getTrustManagers (), c); console.log (" [+] SSLContext initialized with our custom TrustManager! ");}});}, 0) Setup and installation: I. Connect the device to the adb:

We need to connect the device to the adb to run the command on the device. But first go to settings > > Developer options and enable debug mode on the device so that adb can communicate with the device.

Go to the folder where the platform tools have been extracted and run the following command to connect the device to adb

/ / adb connect adb connect 192.168.1.190:5555

If a pop-up window appears in the device, click allow Allow.

Check that the device is connected to the adb:

Adb devices

You should be able to see the IP and name of the device.

ii. Download the frida server to obtain the arch version that supports Android devices:

We need to download the frida server package for our Android device based on the arch version of our device.

To find the arch version of the device, run the following command.

Adb shell getprop ro.product.cpu.abi

If the device configuration is the same as mentioned above, download:

Frida-server-12.4.7-android-x86.xzfrida-server-12.4.7-android-x86_64.xzIV. Install the target application on the device.

Install applications that need to bypass SSL pinning on our devices. Open the application and make it run in the background.

Frida server settings:

Before injecting the script, we need to run the frida server on the device. Follow these steps:

i. Push frida-server to the device:

Now, we need to push our frida-server file to the device. Copy the "frida-server-12.4.7-android-x86.xz" file in the adb folder and run the following command.

/ / adb push adb push C:\ ADB\ frida-server / data/local/tmpII. Grant frida-server permission: adb shell chmod 777 / data/local/tmp/frida-server set BurpSuite:

Follow this guide to set up a proxy in burp for android devices.

CA certificate of the push agent:

To be able to block traffic, frida needs to access our Burpsuite CA certificate. We will push the same certificate we downloaded in step 5 in BurpSuite Setup.

Push the certificate to the device and place it in the same location as frida-server and name it cert-der.crt (because this name and path are already mentioned in fridascript.js, which avoids some unnecessary problems)

/ / adb push / data/local/tmp/cert-der.crtadb push cacert.der / data/local/tmp/cert-der.crt script injection bypasses SSL pinning:

Now, let's inject fridascript.js into the target application.

i. Push the fridascript.js script to the device:

Copy the fridascript.js to the adb folder and run the following command to push the fridascript.js to the device.

/ / adb push / data/local/tmpadb push C:\ ADB\ fridascript.js / data/local/tmpII. Check and run the frida server adb shell / data/local/tmp/frida-server & III. List all running processes on the device

Now, we need to find out the ID of the target application. We will list all the running services on the device, including your application processes.

Open a new terminal and type the following command.

Frida-ps-U

iv. Find the package name of your application.

v. Put fridascript.js hook into the target application:

Finally, we will use the following command to put fridascript.js hook into the native application:

/ / frida-U-f-l-- no-pausfrida-U-f com.twitter.android-l D:\ frida\ fridascript.js-- no-paus

vi. Go around!

If all goes well, all traffic from the target application will be blocked by BurpSuite.

In short:

1. Download and install the device on genymotion

two。 Install frida and objection tools

Python-m pip install Frida python-m pip install frida-tools python-m pip install objection or pip install Frida pip install frida-tools pip install objection

3. Download adb platform tools

4. Download the frida injection script

5. Connect the device to the adb

/ / adb connect

6. Download the frida server to get the arch version that supports Android devices

7. Find out the arch version of the device

Adb shell getprop ro.product.cpu.abi

8. Install the target application on the device.

9. Push frida-server to the device:

/ / adb push

10. Grant frida-server permissions:

Adb shell chmod 777 / data/local/tmp/frida-server

11. Set up burpsuite

twelve。 CA certificate of the push agent

/ / adb push / data/local/tmp/cert-der.crt

13. Push the fridascript.js to the device:

/ / adb push / data/local/tmp

14. Check and run the frida server in the device

Adb shell / data/local/tmp/frida-server &

15. List all running processes on the device:

Frida-ps-U

16. Find the package name of your application

17. Put fridascript.js hook into the target application

/ / frida-U-f-l-no-paus

18. Block traffic in BurpSuite.

Troubleshooting

1. The ADB daemon cannot connect

If the following error occurs:

Adb devicesadb server is out of date. Killing...cannot bind 'tcp:5037'ADB server didn't ACK*failed to start daemon*error:

i. Open environment System properties > > Advanced > > Environment Variables

ii. Click the path and delete the C:/Android entry or the path to the adb tool

iii. Copy all platform tools to the genymotion > > tools folder

iv. Create a new path and add the path to the genymotion > > tools folder.

2. Frida/ pip is not recognized as an internal or external command

i. Open environment System properties > > Advanced > > Environment Variables

ii. Create a new path and add the path to the Python > > script folder

3. Arm translation error appears when the application is installed on the device.

i. Download the arm translation file from here

ii. Drag and drop the file into the device simulator, or refresh the file from the restore while using the physical device

iii. After rebooting the device, you will be able to drag and drop to install the target application

The argv option is not supported on 4.Failed to spawn:spawn Android apps

Check the fridascript.js path on the computer. The path may be incorrect. You must give the absolute path to the fridascript.js file.

5. The frida server is started but the services cannot be listed

Disconnect and reconnect the wifi in the device.

At this point, the study on "how to use the Frida framework to bypass the SSL Pinning of Android applications" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.