Disable SSL Pinning

Resources :

Hail Frida!! The Universal SSL pinning bypass for Android.Medium

It's all about Bypassing Android SSL Pinning and Intercepting Proxy Unaware applications.Medium

Android SSL Pinning Bypass With FridaCertcube labs Cyber Security Research Blogs

Frida

# install
pip install frida-tools

# get android device architecture
getprop ro.product.cpu.abi

# get frida-server depending on the android device architecture
# https://github.com/frida/frida/releases
# extract it
adb push /path/to/frida-server /data/local/tmp

# Push the Burp Suite SSL certificate to the device
adb push /path/to/burpca-cert-der.crt /data/local/tmp/cert-der.crt

# Now we will need to make the server executable
adb shell “chmod 755 /data/local/tmp/frida-server”

# With the frida-server and certificate in place we need to execute it.
adb shell

# Once you have a shell switch to the root user of the device.
su

# Lastly, we will move to the correct folder and execute frida-server
cd /data/local/tmp
./frida-server

# SCRIPTS
# https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/
# https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/
# https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/
# https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/

# ON HOST
# hook the script using Frida using the command:
frida -U -f $package script.js

# via codeshare
frida -U --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f $package

APK-MITM

# install
npm install -g apk-mitm

# usage
apk-mitm $apk
# reinstall the app
adb uninstall $package-app
adb install $apk_patched

Magisk - Move Certificates Module

Download Magisk.apk : https://github.com/topjohnwu/Magisk/releases
Launch it in your device : Allow SuperUser access
Follow : https://www.xda-developers.com/how-to-install-magisk/
Enable MagiskHide : Magisk App > Modules > Enable 'Move Certificates'

Objection

pip3 install objection

# start frida server on android device
adb shell 
cd /data/local/tmp
./frida-server

# on host
objection -g “com.package.android” explore
android sslpinning disable

Modifying the network_security_config.xml file

The Network Security Configuration lets apps customize their network security settings through a declarative configuration file. The entire configuration is contained within this XML file, and no code changes are required. The Network Security Configuration works in Android 7.0 or higher.

Install Burp CA certificate on the device.
Decompile the android application with apktool : apktool d app.apk -o app-decompile
Locate the network_security_config.xml file under /res/xml
Remove the <pin-set>...</pin-set> tag section and add :

<trust-anchors>
	<certificates src="user" />
	<certificates src="system" />
</trust-anchors>

If the network_security_config.xml file is not present in the application, the AndroidManifest.xml file must also be modified by adding the networkSecurityConfig tag as follows :
```
<application android:name="AppName" android:networkSecurityConfig="@xml/network_security_config">
```
Save the file and repackage the application: apktool b app-decompile -o app-ssl.apk.
Sign the application (see Reversing > Decompilation)

PreviousDynamic Analysis NextBypass Root Detection

Last updated 2 years ago

hashtagDisable SSL Pinning

hashtagFrida

hashtagAPK-MITM

hashtagMagisk - Move Certificates Module

hashtagObjection

hashtagModifying the network_security_config.xml file

Disable SSL Pinning

Frida

APK-MITM

Magisk - Move Certificates Module

Objection

Modifying the network_security_config.xml file