Android SSL Pinning Bypass Using Objection and Frida Scripts

Gowtham R
Dec 5, 2019

Firstly, a huge shoutout to SensePost, Frida and the various Frida script authors for their awesome and continuous contributions to the Android & iOS security community.

Below are the different ways to perform an SSL pinning bypass: on a non-rooted device using the Objection tool, and on a root-enabled emulator with custom Frida scripts.

Note: If you are using the tool outside a corporate environment, ignore the mentions of proxies and the changes to the tool's source code described below.

TOOLS REQUIREMENT:

  • Python3
  • Objection
  • Frida
  • Android Studio

TOOLS INSTALLATION PROCEDURE:

Step 1: Download the latest version of Python 3 (e.g. Python 3.6) and install it. Make sure to enable the option that sets the PATH environment variable as well.

Step 2: Install Objection using pip3. (Command: pip3 install objection --proxy=proxy:port)

Note: Frida is a prerequisite for Objection, so Frida will be installed automatically.

Step 3: Download and install the latest version of Android Studio.

Step 4: Download any Android image (above 7.0) for the emulator.

STEPS TO PERFORM PINNING BYPASS USING OBJECTION:

Objection — runtime mobile exploration toolkit (https://github.com/sensepost/objection)

Before explaining the usage of Objection: certain tweaks, environment setup or changes may be required. Below are the changes that I made to make the tool work.

Problem #1: A corporate proxy is in use, and the tool is packaged with a setup that uses no proxy.

Solution: The below changes were made in the source code.

File Location: \AppData\Local\Programs\Python\Python37\Lib\site-packages\objection\utils\patchers\android.py

Changes made:

'-J-Dhttp.proxyHost=<proxy address>',
'-J-Dhttp.proxyPort=<proxy port>',

Note: Please feel free to look into this issue to understand the exact root cause (https://github.com/sensepost/objection/issues/75). My Git handle: blueeyes3

Problem #2: Objection cannot locate certain dependencies such as the zipalign.exe and jarsigner.exe tools.

Solution 1: Move zipalign.exe and jarsigner.exe into a common folder that is on the system path.

(OR)

Solution 2: Try invoking Objection from the platform-tools folder, since all the dependencies are present in this folder by default. The only drawback is that Objection can then be invoked only from this folder, not from anywhere on the system.

Problem #3: Apktool cannot be located by objection.

Solution: Follow the link to make apktool available globally on the system path. https://ibotpeaches.github.io/Apktool/install/

Once the changes are made and the tool works properly, follow the steps below to perform the automatic pinning bypass. Note that it is advisable to use the tool from the platform-tools folder, since adb and other small prerequisites are already present there.

Perform the steps below to generate the patched APK.

Step 1: Open a command prompt and enter objection patchapk -s apkfile (note that the device architecture option -a needs to be given if the tool doesn't recognize the target architecture).

Step 2: The patched APK file will be available in the present working directory (pwd), with the word objection added to the new package name.

Step 3: Now deploy the patched APK to the test device (an emulator is preferred; for real devices, make sure USB debugging is on and the device is in developer mode).

Step 4: Open the app; a blank screen will appear.

Step 5: Initiate a Frida connection to make the application work normally. Open a command prompt and enter frida-trace -U -i open Gadget

Step 6: Once the application proceeds further, open a command prompt and enter objection explore

Step 7: The process will be spawned and a shell is now available for the target application. The initial command to try for bypassing pinning is android sslpinning disable

Step 8: If step 7 fails, then hook an activity in order to perform the bypass again. (This might work, as it worked in a couple of instances :P)

Command 1: android hooking list activities

Command 2: android intent launch_activity activity_name (Pick any activity that doesn't require any input from the user.)

Command 3: android sslpinning disable

Step 9: Pinning will be disabled, which can also be observed in logcat in Android Studio, and the tester will be able to intercept all requests and responses.
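Seen from the defender's side, Step 1 leaves a visible trace: objection patchapk embeds Frida's gadget library under lib/<abi>/ inside the APK. The following is an added example (not part of the original post or of Objection) that inspects an APK for that library; the sample APKs are constructed placeholders, and the name match assumes the default libfrida-gadget.so naming.

```python
import os
import re
import tempfile
import zipfile

# Native libraries sit at lib/<abi>/<name>.so inside an APK.
LIB_RE = re.compile(r"^lib/([^/]+)/([^/]+\.so)$")
# Assumption: the gadget keeps a name containing "frida" and "gadget"
# (libfrida-gadget.so by default); a renamed library is not matched.
GADGET_RE = re.compile(r"frida.*gadget", re.IGNORECASE)

def inspect_apk(path):
    """Return native libs per ABI and any Frida gadget entries in an APK."""
    abis, gadget = {}, []
    with zipfile.ZipFile(path) as apk:
        for name in apk.namelist():
            m = LIB_RE.match(name)
            if not m:
                continue
            abi, lib = m.groups()
            abis.setdefault(abi, []).append(lib)
            if GADGET_RE.search(lib):
                gadget.append(name)
    patched_abis = {g.split("/")[1] for g in gadget}
    return {
        "abis": {abi: sorted(libs) for abi, libs in abis.items()},
        "gadget": sorted(gadget),
        # ABIs shipped by the APK that carry no gadget (cf. the -a option).
        "abis_without_gadget": sorted(set(abis) - patched_abis),
    }

def build_sample_apk(path, entries):
    """Write a constructed, non-installable APK-shaped zip for the demo."""
    with zipfile.ZipFile(path, "w") as z:
        for name in entries:
            z.writestr(name, b"placeholder")

def demo():
    """Inspect a constructed clean APK and a constructed patched one."""
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "app.apk")
        patched = os.path.join(d, "app.objection.apk")
        base = ["classes.dex", "lib/x86/libnative.so", "lib/arm64-v8a/libnative.so"]
        build_sample_apk(clean, base)
        build_sample_apk(patched, base + ["lib/x86/libfrida-gadget.so"])
        return inspect_apk(clean), inspect_apk(patched)

if __name__ == "__main__":
    for report in demo():
        print(report)
```

A hit in "gadget" on a build pulled from a store or a device is a strong sign the package was repackaged; an empty result does not prove the opposite.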

STEPS TO PERFORM PINNING BYPASS USING CUSTOM FRIDA SCRIPTS:

Objection works for the majority of APKs. But certain applications have multiple dex files, and Objection has a hard time bypassing pinning in them. This is where Frida scripts come in handy to make things easy for the tester.

Frida — Dynamic instrumentation toolkit (https://www.frida.re/). Frida uses JavaScript to perform various hooking activities.

Below are the steps to set up the Frida environment on the mobile device and the attacker machine. Once the emulator is up, provide root privilege using the command adb root.

Step 1: Identify the device architecture (e.g. x86, x86_64) and download the appropriate Frida server. (https://github.com/frida/frida/releases)

Step 2: Push the server into the device — adb push fridaserver /data/local/tmp

Step 3: Change the file permission of the server: adb shell chmod +x /data/local/tmp/fridaserver

Step 4: Push the Burp certificate into the device: adb push cert-der.crt /data/local/tmp

Step 5: Start the Frida server on the device: adb shell /data/local/tmp/fridaserver &

Step 6: Once the server is up, invoke Frida from the command prompt: frida -l pin.js -U -f com.test.test --no-pause (Universal Frida script: https://techblog.mediaservice.net/wp-content/uploads/2017/07/frida-android-repinning_sa-1.js)

Please note that manual tweaks to the Frida JavaScript may be required if the above script doesn't work; alternatively, feel free to use scripts from https://codeshare.frida.re/browse

The above methods will be successful in most cases and this helps the tester to enhance the testing scope. Happy Hacking :)

* The whole content is strictly for educational purpose *
