Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
An Android network security config pinning bypass
/* Android Network Security Config bypass script
by Maurizio Siddu
Run with:
frida -U -f [APP_ID] -l frida_netsecconfig_bypass.js --no-pause
*/
Java.perform(function(){
console.log('');
console.log('======');
console.log('[#] Android Network Security Config bypass [#]');
console.log('======');
var ANDROID_VERSION_M = 23;
var DefaultConfigSource = Java.use("android.security.net.config.ManifestConfigSource$DefaultConfigSource");
var NetworkSecurityConfig = Java.use("android.security.net.config.NetworkSecurityConfig");
var ManifestConfigSource = Java.use("android.security.net.config.ManifestConfigSource");
var NetworkSecurityTrustManager = Java.use("android.security.net.config.NetworkSecurityTrustManager");
var ApplicationInfo = Java.use("android.content.pm.ApplicationInfo");
ManifestConfigSource.getConfigSource.implementation = function() {
console.log("[+] Hooking ManifestConfigSource.getConfigSource() method...");
/*******************************************************************
Checks necessary to determine the device API level, possible cases are:
(a) API <= 25, the DefaultConfigSource() method has the following 2 args
public DefaultConfigSource(boolean usesCleartextTraffic, int targetSdkVersion)
(b) API is 26 or 27, the DefaultConfigSource() method has the following 3 args
public DefaultConfigSource(boolean usesCleartextTraffic, int targetSdkVersion, int targetSandboxVesrsion)
(c) API >= 28, the DefaultConfigSource() method has the following 2 args
public DefaultConfigSource(boolean usesCleartextTraffic, ApplicationInfo info)
*******************************************************************/
try {
if (DefaultConfigSource.$new.argumentTypes.length == 2) {
// Second arg for DefaultConfigSource in API <= 25 is an int32
if (DefaultConfigSource.$new.argumentTypes[1].type == 'int32') {
console.log("[+] Bypass for API level <= 25");
return DefaultConfigSource.$new(true, ANDROID_VERSION_M);
} else {
console.log("[+] Bypass for API level >= 28");
var appInfo = ApplicationInfo.$new();
// Opportunely sets some params for NetworkSecurityConfig.getDefaultBuilder method
appInfo.targetSdkVersion.value = ANDROID_VERSION_M;
appInfo.targetSandboxVersion.value = 1;
appInfo.PRIVATE_FLAG_INSTANT.value = 0;
appInfo.PRIVATE_FLAG_PRIVILEGED.value = 0;
//console.log("[+] targetsdk: "+ appInfo.targetSdkVersion.value);
return DefaultConfigSource.$new(true, appInfo);
}
} else {
console.log("[+] Bypass for API level 26 or 27");
//console.log("[+] Found arg type: "+ DefaultConfigSource.$new.argumentTypes[0].type);
return DefaultConfigSource.$new(true, ANDROID_VERSION_M, 1);
}
} catch (err) {
console.log('[-] Error, something went wrong...');
console.log(err);
}
}
});
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment