Disable SSL Pinning

Resources :

Frida

# install
pip install frida-tools

# get android device architecture
getprop ro.product.cpu.abi

# get frida-server depending on the android device architecture
# https://github.com/frida/frida/releases
# extract it
adb push /path/to/frida-server /data/local/tmp

# Push the Burp Suite SSL certificate to the device
adb push /path/to/burpca-cert-der.crt /data/local/tmp/cert-der.crt

# Now we will need to make the server executable
adb shell “chmod 755 /data/local/tmp/frida-server”

# With the frida-server and certificate in place we need to execute it.
adb shell

# Once you have a shell switch to the root user of the device.
su

# Lastly, we will move to the correct folder and execute frida-server
cd /data/local/tmp
./frida-server

# SCRIPTS
# https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/
# https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/
# https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/
# https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/

# ON HOST
# hook the script using Frida using the command:
frida -U -f $package script.js

# via codeshare
frida -U --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f $package

APK-MITM

# install
npm install -g apk-mitm

# usage
apk-mitm $apk
# reinstall the app
adb uninstall $package-app
adb install $apk_patched

Magisk - Move Certificates Module

Download Magisk.apk : https://github.com/topjohnwu/Magisk/releases
Launch it in your device : Allow SuperUser access
Follow : https://www.xda-developers.com/how-to-install-magisk/
Enable MagiskHide : Magisk App > Modules > Enable 'Move Certificates'

Objection

pip3 install objection

# start frida server on android device
adb shell 
cd /data/local/tmp
./frida-server

# on host
objection -g “com.package.android” explore
android sslpinning disable

Modifying the network_security_config.xml file

The Network Security Configuration lets apps customize their network security settings through a declarative configuration file. The entire configuration is contained within this XML file, and no code changes are required. The Network Security Configuration works in Android 7.0 or higher.

Install Burp CA certificate on the device.
Decompile the android application with apktool : apktool d app.apk -o app-decompile
Locate the network_security_config.xml file under /res/xml
Remove the <pin-set>...</pin-set> tag section and add :

<trust-anchors>
	<certificates src="user" />
	<certificates src="system" />
</trust-anchors>

If the network_security_config.xml file is not present in the application, the AndroidManifest.xml file must also be modified by adding the networkSecurityConfig tag as follows :
```
<application android:name="AppName" android:networkSecurityConfig="@xml/network_security_config">
```
Save the file and repackage the application: apktool b app-decompile -o app-ssl.apk.
Sign the application (see Reversing > Decompilation)

PreviousDynamic Analysis NextBypass Root Detection

Last updated 1 year ago

Disable SSL Pinning

Resources :

Frida

# install
pip install frida-tools

# get android device architecture
getprop ro.product.cpu.abi

# get frida-server depending on the android device architecture
# https://github.com/frida/frida/releases
# extract it
adb push /path/to/frida-server /data/local/tmp

# Push the Burp Suite SSL certificate to the device
adb push /path/to/burpca-cert-der.crt /data/local/tmp/cert-der.crt

# Now we will need to make the server executable
adb shell “chmod 755 /data/local/tmp/frida-server”

# With the frida-server and certificate in place we need to execute it.
adb shell

# Once you have a shell switch to the root user of the device.
su

# Lastly, we will move to the correct folder and execute frida-server
cd /data/local/tmp
./frida-server

# SCRIPTS
# https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/
# https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/
# https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/
# https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/

# ON HOST
# hook the script using Frida using the command:
frida -U -f $package script.js

# via codeshare
frida -U --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f $package

APK-MITM

# install
npm install -g apk-mitm

# usage
apk-mitm $apk
# reinstall the app
adb uninstall $package-app
adb install $apk_patched

Magisk - Move Certificates Module

Download Magisk.apk : https://github.com/topjohnwu/Magisk/releases

Launch it in your device : Allow SuperUser access

Follow : https://www.xda-developers.com/how-to-install-magisk/

Enable MagiskHide : Magisk App > Modules > Enable 'Move Certificates'

Objection

pip3 install objection

# start frida server on android device
adb shell 
cd /data/local/tmp
./frida-server

# on host
objection -g “com.package.android” explore
android sslpinning disable

Modifying the network_security_config.xml file

The Network Security Configuration lets apps customize their network security settings through a declarative configuration file. The entire configuration is contained within this XML file, and no code changes are required. The Network Security Configuration works in Android 7.0 or higher.

Install Burp CA certificate on the device.

Decompile the android application with apktool : apktool d app.apk -o app-decompile

Locate the network_security_config.xml file under /res/xml

Remove the <pin-set>...</pin-set> tag section and add :

<trust-anchors>
	<certificates src="user" />
	<certificates src="system" />
</trust-anchors>

If the network_security_config.xml file is not present in the application, the AndroidManifest.xml file must also be modified by adding the networkSecurityConfig tag as follows :

<application android:name="AppName" android:networkSecurityConfig="@xml/network_security_config">

Save the file and repackage the application: apktool b app-decompile -o app-ssl.apk.

Sign the application (see Reversing > Decompilation)