Skip to content

Instantly share code, notes, and snippets.

Last active June 2, 2022 08:25
  • Star 8 You must be signed in to star a gist
  • Fork 3 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
root & ssl pinning bypass with Frida
console.log("\nRoot detection & SSL pinning bypass with Frida");
var CertificateFactory = Java.use("");
var FileInputStream = Java.use("");
var BufferedInputStream = Java.use("");
var X509Certificate = Java.use("");
var KeyStore = Java.use("");
var TrustManagerFactory = Java.use("");
var SSLContext = Java.use("");
var Volley = Java.use("");
var HurlStack = Java.use("");
var ImageLoader = Java.use("");
var LruBitmapCache = Java.use("utils.LruBitmapCache");
var ActivityManager = Java.use("");
var DeviceUtils = Java.use("utils.DeviceUtils");
var Vo = Java.use("utils.MyVolley");
console.log("\nHijacking isDeviceRooted function in DeviceUtils class");
DeviceUtils.isDeviceRooted.implementation = function(){
console.log("\nInside the isDeviceRooted function");
return false;
console.log("\nRoot detection bypassed");
console.log("\nTrying to disable SSL pinning");
Vo.init.implementation = function(context){
console.log("\nHijacking init function in MyVolley class");
console.log("\nLoading BURPSUITE certificate stored on device")
cf = CertificateFactory.getInstance("X.509");
try {
var fileInputStream = FileInputStream.$new("/sdcard/Download/burpsuite.crt");
catch(err) {
console.log("error: " + err);
var bufferedInputStream = BufferedInputStream.$new(fileInputStream);
var ca = cf.generateCertificate(bufferedInputStream);
var certInfo = Java.cast(ca, X509Certificate);
console.log("\nLoaded CA Info: " + certInfo.getSubjectDN());
var keyStoreType = KeyStore.getDefaultType();
var keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
console.log("\nCreating a TrustManager that trusts BURPSUITE CA in the KeyStore");
var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
var tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
console.log("\nCustom TrustManager is ready");
var mContext = SSLContext.getInstance("TLS");
mContext.init(null, tmf.getTrustManagers(), null);
var sf = mContext.getSocketFactory();
if(Vo.mRequestQueue.value == null){
Vo.mRequestQueue.value = Volley.newRequestQueue(context.getApplicationContext(), HurlStack.$new(null, sf));
var x = Java.cast(context.getSystemService("activity"), ActivityManager);
var xx = x.getMemoryClass();
var mImageLoader = ImageLoader.$new(Vo.mRequestQueue.value, LruBitmapCache.$new((1048576 * xx)/8));
Vo.mImageLoader = mImageLoader;
console.log("\nSSL pinning bypassed")
Copy link

Doesn't work for me. I get Error: java.lang.ClassNotFoundException: Didn't find class "" on path: for every app I try to open.

Copy link

@ lionaneesh How did you resolve the above issue?

Copy link this similar code worked for me and doesn't need Volley

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment