akabe1/frida_netsecconfig_bypass.js

## frida_netsecconfig_bypass.js
/*  Android Network Security Config bypass script
	by Maurizio Siddu

	Run with:
	frida -U -f [APP_ID] -l frida_netsecconfig_bypass.js --no-pause
*/

Java.perform(function(){
    console.log('');
    console.log('======');
    console.log('[#] Android Network Security Config bypass [#]');
    console.log('======');

    var ANDROID_VERSION_M = 23;
    var DefaultConfigSource = Java.use("android.security.net.config.ManifestConfigSource$DefaultConfigSource");
    var NetworkSecurityConfig = Java.use("android.security.net.config.NetworkSecurityConfig");
    var ManifestConfigSource = Java.use("android.security.net.config.ManifestConfigSource");
    var NetworkSecurityTrustManager = Java.use("android.security.net.config.NetworkSecurityTrustManager");
    var ApplicationInfo = Java.use("android.content.pm.ApplicationInfo");


    ManifestConfigSource.getConfigSource.implementation = function() {
        console.log("[+] Hooking ManifestConfigSource.getConfigSource() method...");
        /*******************************************************************
        Checks necessary to determine the device API level, possible cases are:
        (a) API <= 25, the DefaultConfigSource() method has the following 2 args
             public DefaultConfigSource(boolean usesCleartextTraffic, int targetSdkVersion)
        (b) API is 26 or 27, the DefaultConfigSource() method has the following 3 args
             public DefaultConfigSource(boolean usesCleartextTraffic, int targetSdkVersion, int targetSandboxVesrsion)
        (c) API >= 28, the DefaultConfigSource() method has the following 2 args
             public DefaultConfigSource(boolean usesCleartextTraffic, ApplicationInfo info)
        *******************************************************************/
        try {
            if (DefaultConfigSource.$new.argumentTypes.length == 2) {
                // Second arg for DefaultConfigSource in API <= 25 is an int32
                if (DefaultConfigSource.$new.argumentTypes[1].type == 'int32') {
                    console.log("[+] Bypass for API level <= 25");
                    return DefaultConfigSource.$new(true, ANDROID_VERSION_M);
                } else {
                    console.log("[+] Bypass for API level >= 28");
                    var appInfo = ApplicationInfo.$new();
                    // Opportunely sets some params for NetworkSecurityConfig.getDefaultBuilder method
                    appInfo.targetSdkVersion.value = ANDROID_VERSION_M;
                    appInfo.targetSandboxVersion.value = 1;
                    appInfo.PRIVATE_FLAG_INSTANT.value = 0;
                    appInfo.PRIVATE_FLAG_PRIVILEGED.value = 0;
                    //console.log("[+] targetsdk: "+ appInfo.targetSdkVersion.value);
                    return DefaultConfigSource.$new(true, appInfo);
                }
            } else {
                console.log("[+] Bypass for API level 26 or 27");
                //console.log("[+] Found arg type: "+ DefaultConfigSource.$new.argumentTypes[0].type);
                return DefaultConfigSource.$new(true, ANDROID_VERSION_M, 1);
            }
        } catch (err) {
	    console.log('[-] Error, something went wrong...');
	    console.log(err);
	}

    }
});
	/* Android Network Security Config bypass script
	by Maurizio Siddu

	Run with:
	frida -U -f [APP_ID] -l frida_netsecconfig_bypass.js --no-pause
	*/

	Java.perform(function(){
	console.log('');
	console.log('======');
	console.log('[#] Android Network Security Config bypass [#]');
	console.log('======');

	var ANDROID_VERSION_M = 23;
	var DefaultConfigSource = Java.use("android.security.net.config.ManifestConfigSource$DefaultConfigSource");
	var NetworkSecurityConfig = Java.use("android.security.net.config.NetworkSecurityConfig");
	var ManifestConfigSource = Java.use("android.security.net.config.ManifestConfigSource");
	var NetworkSecurityTrustManager = Java.use("android.security.net.config.NetworkSecurityTrustManager");
	var ApplicationInfo = Java.use("android.content.pm.ApplicationInfo");


	ManifestConfigSource.getConfigSource.implementation = function() {
	console.log("[+] Hooking ManifestConfigSource.getConfigSource() method...");
	/*******************************************************************
	Checks necessary to determine the device API level, possible cases are:
	(a) API <= 25, the DefaultConfigSource() method has the following 2 args
	public DefaultConfigSource(boolean usesCleartextTraffic, int targetSdkVersion)
	(b) API is 26 or 27, the DefaultConfigSource() method has the following 3 args
	public DefaultConfigSource(boolean usesCleartextTraffic, int targetSdkVersion, int targetSandboxVesrsion)
	(c) API >= 28, the DefaultConfigSource() method has the following 2 args
	public DefaultConfigSource(boolean usesCleartextTraffic, ApplicationInfo info)
	*******************************************************************/
	try {
	if (DefaultConfigSource.$new.argumentTypes.length == 2) {
	// Second arg for DefaultConfigSource in API <= 25 is an int32
	if (DefaultConfigSource.$new.argumentTypes[1].type == 'int32') {
	console.log("[+] Bypass for API level <= 25");
	return DefaultConfigSource.$new(true, ANDROID_VERSION_M);
	} else {
	console.log("[+] Bypass for API level >= 28");
	var appInfo = ApplicationInfo.$new();
	// Opportunely sets some params for NetworkSecurityConfig.getDefaultBuilder method
	appInfo.targetSdkVersion.value = ANDROID_VERSION_M;
	appInfo.targetSandboxVersion.value = 1;
	appInfo.PRIVATE_FLAG_INSTANT.value = 0;
	appInfo.PRIVATE_FLAG_PRIVILEGED.value = 0;
	//console.log("[+] targetsdk: "+ appInfo.targetSdkVersion.value);
	return DefaultConfigSource.$new(true, appInfo);
	}
	} else {
	console.log("[+] Bypass for API level 26 or 27");
	//console.log("[+] Found arg type: "+ DefaultConfigSource.$new.argumentTypes[0].type);
	return DefaultConfigSource.$new(true, ANDROID_VERSION_M, 1);
	}
	} catch (err) {
	console.log('[-] Error, something went wrong...');
	console.log(err);
	}

	}
	});