This is a continuation of the blog on Bypass SSL Pinning in Android Phones — Part 1. Please go through the Part 1 blog to understand the basics of SSL Pinning and how it works.
In Part 2, I will show you how to bypass SSL pinning in Android applications using Frida.
Frida is a powerful and extensible dynamic instrumentation toolkit. Among its many strengths, it is ideally suited to testing and evaluating native Android apps: Frida lets you intercept data received and sent by an app and inject your own code into its process at runtime.
1. Rooted Device or Emulator
We will need a rooted device or an emulator, because the scripts we inject and the Frida server are stored in the device’s tmp directory (/data/local/tmp). For the demo I’ll be using Genymotion, which you can download from here.
It is a complete Android emulator for Windows. It is very powerful and easy to use, even for casual users, who should have no problem navigating and controlling the program.
After the installation, set up an Android device of your choice according to your machine’s capacity (give it 3 GB of RAM and 2 processors) and install it.
2. Android Debug Bridge(ADB) Platform-Tools
Next we will need ADB; for that we install Platform-Tools from here.
Android SDK Platform-Tools is a component of the Android SDK. It includes tools that interface with the Android platform, primarily ADB and fastboot. Although ADB is required for Android app development, app developers will normally just use the copy Android Studio installs.
3. Frida Packages
For Frida, we need to install a couple of packages; they can be installed directly from the terminal with pip.
$ pip3 install frida
$ pip3 install frida-tools
4. Scripts for injection
We will download or copy the “Universal Android SSL Pinning Bypass with Frida” script from here. This is the script we will inject into our target Android application.
5. Proxy Tools (Burp Suite)
Last but not least, Burp Suite intercepts the HTTP requests and responses of the target application.
With this, we have all our tools ready to bypass pinning.
Now Let’s Bypass SSL Pinning!!!
First, we need to start our Genymotion emulator, or, if you are using your phone, make sure that USB debugging is on. To do this go to Settings -> Developer options and turn on debugging on either device so that adb can communicate with it.
Now go to the platform-tools folder and open a command prompt or terminal there, from which we can connect to the device with ADB.
If our device is connected properly, it will show up in ADB. We can check this with the commands below.
The emulator is running on IP 192.168.56.104 and port 5555.
Genymotion is detected by adb; now let’s connect to this device.
adb connect <DeviceIP:Port>
adb connect 192.168.1.102:5555
adb is now connected to the emulator.
Next we download the Frida server from the Frida GitHub releases page, choosing the build that matches our Android emulator’s CPU architecture.
adb shell getprop ro.product.cpu.abi
The above command will tell you the CPU architecture (ABI) of the device.
I have downloaded frida-server-16.0.8-android-x86.xz to match my device architecture.
Now we need to push the Frida server into the tmp directory of the device.
adb push <path_of_frida_server_folder> /data/local/tmp
adb push "/home/rapso/Desktop/tools/mobtest/frida-server-x86" /data/local/tmp
The above command pushes the Frida server binary into the tmp directory.
Now we give this server binary execute permission.
adb shell chmod 777 /data/local/tmp/frida-server-x86
The second command shows that we now have read, write and execute permission on the frida-server binary.
Let’s start the Frida server.
adb shell /data/local/tmp/frida-server-x86 &
Our Frida server is up and running.
Now let’s check that it is working: the command below lists all the applications installed on the device, along with their process if they are running.
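To make the setup steps above repeatable, here is a small POSIX shell helper (added for this write-up, not code from the original post or from the Frida project): it turns the ABI reported by getprop into the matching frida-server release asset name, and it parses the output of adb devices so a device in the unauthorized or offline state is caught before anything is pushed. The asset naming (frida-server-<version>-android-<arch>.xz) follows Frida’s GitHub releases; the adb devices output below is a constructed sample.

```shell
#!/bin/sh
# Added helper for the setup steps in the write-up (not the author's code).

# Map the ABI from `adb shell getprop ro.product.cpu.abi` to the suffix used
# in Frida's release assets: frida-server-<version>-android-<arch>.xz
frida_arch_for_abi() {
  case "$1" in
    armeabi-v7a|armeabi) echo arm ;;
    arm64-v8a)           echo arm64 ;;
    x86)                 echo x86 ;;
    x86_64)              echo x86_64 ;;
    *) echo "unsupported ABI: $1" >&2; return 1 ;;
  esac
}

# usage: frida_server_asset <abi> <frida-version>  -> release file name
frida_server_asset() {
  arch=$(frida_arch_for_abi "$1") || return 1
  echo "frida-server-$2-android-$arch.xz"
}

# usage: adb_device_state <serial> "<output of adb devices>"
# Prints the state column for that serial (device, unauthorized, offline)
# or "absent" if the serial is not listed at all.
adb_device_state() {
  printf '%s\n' "$2" | awk -v s="$1" \
    '$1 == s { print $2; found = 1 } END { if (!found) print "absent" }'
}

# Constructed sample of `adb devices` output (not captured from a real device).
SAMPLE_ADB_DEVICES="List of devices attached
192.168.56.104:5555	device
emulator-5554	unauthorized"

# Only talks to a real device when adb is installed and DEVICE is set,
# e.g. DEVICE=192.168.56.104:5555 FRIDA_VERSION=16.0.8 sh setup.sh
if command -v adb >/dev/null 2>&1 && [ -n "$DEVICE" ]; then
  state=$(adb_device_state "$DEVICE" "$(adb devices)")
  [ "$state" = device ] || { echo "device $DEVICE is $state, not ready" >&2; exit 1; }
  abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')
  echo "download: $(frida_server_asset "$abi" "${FRIDA_VERSION:-16.0.8}")"
  # After extracting the asset as frida-server-<arch>, push it and make it
  # executable; 755 is enough, the binary only needs the execute bit.
  # adb push "frida-server-$(frida_arch_for_abi "$abi")" /data/local/tmp
  # adb shell chmod 755 "/data/local/tmp/frida-server-$(frida_arch_for_abi "$abi")"
fi
```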
Now we will also push the SSL bypass script into the same tmp directory, together with Burp’s CA certificate. I have already saved this script as sslbypass.js in my local directory.
Our sslbypass.js script uses Burp’s certificate so that Burp can intercept the requests.
Now it’s time to inject the uploaded script into the application under test. I have installed the Country Delight application, whose package name is “app.mycountrydelight.in.countrydelight”.
frida -U -f <application_package_name> -l <path_to_sslbypass.js_script>
frida -U -f app.mycountrydelight.in.countrydelight -l "sslbypass.js"
Now the app is up and running with the script injected, and as long as the device is using Burp as its proxy we can capture its requests in Burp, as shown below.
The above image shows that we have successfully bypassed the SSL pinning of the Country Delight application and, with the help of Burp Suite, we are able to intercept its HTTP requests and responses.
Thanks for reading the write-up! Any feedback is appreciated.