Frida Universal™ SSL Unpinner
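/*
 * Frida script for Android that replaces certificate validation and pinning
 * checks inside the instrumented process with no-op implementations.
 *
 * Every hook below is installed independently: a library that is not present
 * in the target app only produces a "[!] Unable to hook ..." log line and the
 * remaining hooks are still attempted.
 *
 * What the script shows from a defensive point of view: all of these checks
 * run inside the app process, so they hold only as long as that process is
 * not instrumented. Once the hooks are active the process accepts any server
 * certificate chain.
 */
Java.perform(function () {
  console.log('\n[.] Cert Pinning Bypass');

  var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
  var SSLContext = Java.use('javax.net.ssl.SSLContext');

  console.log('[+] Creating a TrustyTrustManager that trusts everything...');

  // X509TrustManager whose check methods have empty bodies: they never throw,
  // so every client and server chain is accepted.
  var TrustyTrustManager = Java.registerClass({
    name: 'com.example.TrustyTrustManager',
    implements: [X509TrustManager],
    methods: {
      checkClientTrusted: function (chain, authType) {},
      checkServerTrusted: function (chain, authType) {},
      getAcceptedIssuers: function () {
        return [];
      }
    }
  });

  console.log('[+] Our TrustyTrustManagers is ready, ...');
  console.log('[+] Hijacking SSLContext methods now...');
  console.log('[-] Waiting for the app to invoke SSLContext.init()...');

  // SSLContext.init(KeyManager[], TrustManager[], SecureRandom): the caller's
  // TrustManager array is discarded and the permissive one is passed instead.
  // Key managers and the SecureRandom are forwarded unchanged.
  var sslContextInit = SSLContext.init.overload(
    '[Ljavax.net.ssl.KeyManager;',
    '[Ljavax.net.ssl.TrustManager;',
    'java.security.SecureRandom'
  );
  sslContextInit.implementation = function (a, b, c) {
    console.log('[+] App invoked SSLContext.init()...');
    sslContextInit.call(this, a, [TrustyTrustManager.$new()], c);
    console.log('[+] SSLContext initialized with our custom TrustManager!');
  };

  // okhttp3: CertificatePinner.check(String, List) returns without comparing
  // the presented chain against the configured pins.
  try {
    var CertificatePinner = Java.use('okhttp3.CertificatePinner');
    CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function (str) {
      console.log('[+] Intercepted okhttp3: ' + str);
      return;
    };
    console.log('[+] Setup okhttp3 pinning');
  } catch (err) {
    // The error is logged so a missing class can be told apart from a
    // changed method signature.
    console.log('[!] Unable to hook into okhttp3 pinner: ' + err);
  }

  // trustkit: both OkHostnameVerifier.verify overloads always report a match.
  try {
    var OkHostnameVerifier = Java.use('com.datatheorem.android.trustkit.pinning.OkHostnameVerifier');
    OkHostnameVerifier.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function (str) {
      console.log('[+] Intercepted trustkit{1}: ' + str);
      return true;
    };
    OkHostnameVerifier.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function (str) {
      console.log('[+] Intercepted trustkit{2}: ' + str);
      return true;
    };
    console.log('[+] Setup trustkit pinning');
  } catch (err) {
    console.log('[!] Unable to hook into trustkit pinner: ' + err);
  }

  // Appcelerator: checkServerTrusted becomes a no-op, so it never throws.
  try {
    var PinningTrustManager = Java.use('appcelerator.https.PinningTrustManager');
    PinningTrustManager.checkServerTrusted.implementation = function () {
      console.log('[+] Intercepted Appcelerator');
    };
    console.log('[+] Setup Appcelerator pinning');
  } catch (err) {
    console.log('[!] Unable to hook into Appcelerator pinning: ' + err);
  }

  // TrustManagerImpl (Conscrypt). The class is resolved once and inside a
  // try: the original resolved it again outside any try, so a failed lookup
  // would have thrown out of the Java.perform callback.
  var TrustManagerImpl = null;
  try {
    TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
  } catch (err) {
    console.log('[!] Unable to hook into TrustManagerImpl: ' + err);
  }

  if (TrustManagerImpl !== null) {
    // verifyChain hands the untrusted chain back as if it had been verified.
    // The original installed this same hook twice; it is installed once here
    // with the log text of the second installation, which was the one in
    // effect.
    try {
      TrustManagerImpl.verifyChain.implementation = function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
        console.log('[+] Intercepted TrustManagerImpl for host: ' + host);
        return untrustedChain;
      };
      console.log('[+] Setup TrustManagerImpl pinning');
    } catch (err) {
      console.log('[!] Unable to hook into TrustManagerImpl: ' + err);
    }

    // checkTrusted returns the presented chain as a List without checking it.
    // Two signatures are tried in turn; the Android version labels are the
    // original author's.
    try {
      var Arrays = Java.use('java.util.Arrays');
      try {
        // Android 8
        TrustManagerImpl.checkTrusted.overload('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'java.lang.String', 'boolean').implementation = function (chain, type, host, b) {
          console.log('[+] Ignoring trust check for host: ' + host);
          return Arrays.asList(chain);
        };
      } catch (err) {
        // Android 9+
        TrustManagerImpl.checkTrusted.overload('[Ljava.security.cert.X509Certificate;', '[B', '[B', 'java.lang.String', 'java.lang.String', 'boolean').implementation = function (chain, b1, b2, type, host, bool) {
          console.log('[+] Ignoring trust check for host: ' + host);
          return Arrays.asList(chain);
        };
      }
    } catch (err2) {
      console.log('[!] Unable to hook either checkTrusted method: ' + err2);
    }
  }
});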