Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
root & ssl pinning bypass with Frida
console.log("\nRoot detection & SSL pinning bypass with Frida");
var CertificateFactory = Java.use("");
var FileInputStream = Java.use("");
var BufferedInputStream = Java.use("");
var X509Certificate = Java.use("");
var KeyStore = Java.use("");
var TrustManagerFactory = Java.use("");
var SSLContext = Java.use("");
var Volley = Java.use("");
var HurlStack = Java.use("");
var ImageLoader = Java.use("");
var LruBitmapCache = Java.use("utils.LruBitmapCache");
var ActivityManager = Java.use("");
var DeviceUtils = Java.use("utils.DeviceUtils");
var Vo = Java.use("utils.MyVolley");
console.log("\nHijacking isDeviceRooted function in DeviceUtils class");
DeviceUtils.isDeviceRooted.implementation = function(){
console.log("\nInside the isDeviceRooted function");
return false;
console.log("\nRoot detection bypassed");
console.log("\nTrying to disable SSL pinning");
Vo.init.implementation = function(context){
console.log("\nHijacking init function in MyVolley class");
console.log("\nLoading BURPSUITE certificate stored on device")
cf = CertificateFactory.getInstance("X.509");
try {
var fileInputStream = FileInputStream.$new("/sdcard/Download/burpsuite.crt");
catch(err) {
console.log("error: " + err);
var bufferedInputStream = BufferedInputStream.$new(fileInputStream);
var ca = cf.generateCertificate(bufferedInputStream);
var certInfo = Java.cast(ca, X509Certificate);
console.log("\nLoaded CA Info: " + certInfo.getSubjectDN());
var keyStoreType = KeyStore.getDefaultType();
var keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
console.log("\nCreating a TrustManager that trusts BURPSUITE CA in the KeyStore");
var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
var tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
console.log("\nCustom TrustManager is ready");
var mContext = SSLContext.getInstance("TLS");
mContext.init(null, tmf.getTrustManagers(), null);
var sf = mContext.getSocketFactory();
if(Vo.mRequestQueue.value == null){
Vo.mRequestQueue.value = Volley.newRequestQueue(context.getApplicationContext(), HurlStack.$new(null, sf));
var x = Java.cast(context.getSystemService("activity"), ActivityManager);
var xx = x.getMemoryClass();
var mImageLoader = ImageLoader.$new(Vo.mRequestQueue.value, LruBitmapCache.$new((1048576 * xx)/8));
Vo.mImageLoader = mImageLoader;
console.log("\nSSL pinning bypassed")

This comment has been minimized.

Copy link

lionaneesh commented Dec 25, 2019

Doesn't work for me. I get Error: java.lang.ClassNotFoundException: Didn't find class "" on path: for every app I try to open.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.