@teknogeek
Last active June 9, 2023 16:21
Frida Universal™ SSL Unpinner
/*
 * Frida script: replaces the certificate-validation and pinning decisions of
 * an instrumented Android app with implementations that accept any chain.
 *
 * Everything runs inside the Java.perform() callback. Each section below
 * targets one validation path (SSLContext, okhttp3, TrustKit, Conscrypt's
 * TrustManagerImpl, Appcelerator) and logs whether the hook was installed.
 *
 * Security-relevant point: every check touched here lives inside the client
 * process, so pinning only holds while that process is unmodified. The
 * '[+] Intercepted ...' log lines identify which validation path an app
 * actually exercises.
 */
Java.perform(function () {
  console.log('\n[.] Cert Pinning Bypass');

  var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
  var SSLContext = Java.use('javax.net.ssl.SSLContext');

  console.log('[+] Creating a TrustyTrustManager that trusts everything...');

  // X509TrustManager whose check methods never throw, i.e. no chain is ever
  // rejected, and which reports an empty accepted-issuer list.
  var acceptAllMethods = {
    checkClientTrusted: function (chain, authType) {},
    checkServerTrusted: function (chain, authType) {},
    getAcceptedIssuers: function () {
      return [];
    }
  };
  var TrustyTrustManager = Java.registerClass({
    name: 'com.example.TrustyTrustManager',
    implements: [X509TrustManager],
    methods: acceptAllMethods
  });

  console.log('[+] Our TrustyTrustManagers is ready, ...');
  console.log('[+] Hijacking SSLContext methods now...');
  console.log('[-] Waiting for the app to invoke SSLContext.init()...');

  // SSLContext.init(KeyManager[], TrustManager[], SecureRandom): forward the
  // call unchanged except for the TrustManager array, which is swapped for a
  // single accept-all instance. The app's own trust managers are discarded.
  var sslContextInit = SSLContext.init.overload(
    '[Ljavax.net.ssl.KeyManager;',
    '[Ljavax.net.ssl.TrustManager;',
    'java.security.SecureRandom'
  );
  sslContextInit.implementation = function (keyManagers, trustManagers, secureRandom) {
    console.log('[+] App invoked SSLContext.init()...');
    sslContextInit.call(this, keyManagers, [TrustyTrustManager.$new()], secureRandom);
    console.log('[+] SSLContext initialized with our custom TrustManager!');
  };

  // okhttp3: CertificatePinner.check(String, List) signals a pin mismatch by
  // throwing; the replacement returns without throwing for every hostname.
  try {
    var CertificatePinner = Java.use('okhttp3.CertificatePinner');
    var pinnerCheck = CertificatePinner.check.overload('java.lang.String', 'java.util.List');
    pinnerCheck.implementation = function (hostname) {
      console.log('[+] Intercepted okhttp3: ' + hostname);
      return;
    };
    console.log('[+] Setup okhttp3 pinning');
  } catch (err) {
    // Class or overload not present in this app.
    console.log('[!] Unable to hook into okhttp3 pinner');
  }

  // TrustKit: both OkHostnameVerifier.verify overloads are made to return
  // true, so hostname verification always succeeds.
  try {
    var OkHostnameVerifier = Java.use("com.datatheorem.android.trustkit.pinning.OkHostnameVerifier");
    var verifyWithSession = OkHostnameVerifier.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession');
    verifyWithSession.implementation = function (hostname) {
      console.log('[+] Intercepted trustkit{1}: ' + hostname);
      return true;
    };
    var verifyWithCert = OkHostnameVerifier.verify.overload('java.lang.String', 'java.security.cert.X509Certificate');
    verifyWithCert.implementation = function (hostname) {
      console.log('[+] Intercepted trustkit{2}: ' + hostname);
      return true;
    };
    console.log('[+] Setup trustkit pinning');
  } catch (err) {
    console.log('[!] Unable to hook into trustkit pinner');
  }

  // Conscrypt TrustManagerImpl.verifyChain: return the presented chain as-is
  // instead of the result of validating it against trust anchors.
  try {
    var ConscryptTrustManager = Java.use('com.android.org.conscrypt.TrustManagerImpl');
    ConscryptTrustManager.verifyChain.implementation = function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
      console.log('[+] Intercepted TrustManagerImp: ' + host);
      return untrustedChain;
    };
    console.log('[+] Setup TrustManagerImpl pinning');
  } catch (err) {
    console.log('[!] Unable to hook into TrustManagerImpl');
  }

  // Appcelerator: checkServerTrusted becomes a no-op, so it never throws.
  try {
    var PinningTrustManager = Java.use('appcelerator.https.PinningTrustManager');
    PinningTrustManager.checkServerTrusted.implementation = function () {
      console.log('[+] Intercepted Appcelerator');
    };
    console.log('[+] Setup Appcelerator pinning');
  } catch (err) {
    console.log('[!] Unable to hook into Appcelerator pinning');
  }

  // Second verifyChain hook on the same class; it overwrites the one set
  // above and differs only in the log text.
  // NOTE(review): this Java.use() sits outside the try block, so a failure to
  // resolve the class propagates out of the Java.perform() callback.
  var ConscryptTrustManagerAgain = Java.use('com.android.org.conscrypt.TrustManagerImpl');
  try {
    ConscryptTrustManagerAgain.verifyChain.implementation = function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
      console.log('[+] Intercepted TrustManagerImpl for host: ' + host);
      return untrustedChain;
    };
    console.log('[+] Setup TrustManagerImpl pinning');
  } catch (err) {
    console.log('[!] Unable to hook into TrustManagerImpl');
  }

  // checkTrusted: return the presented chain wrapped as a List without
  // evaluating it. Both class lookups below are also outside any try block.
  var CheckTrustedOwner = Java.use('com.android.org.conscrypt.TrustManagerImpl');
  var Arrays = Java.use('java.util.Arrays');

  // Android 8
  try {
    var checkTrustedFourArgs = CheckTrustedOwner.checkTrusted.overload(
      '[Ljava.security.cert.X509Certificate;',
      'java.lang.String',
      'java.lang.String',
      'boolean'
    );
    checkTrustedFourArgs.implementation = function (chain, type, host, b) {
      console.log('[+] Ignoring trust check for host: ' + host);
      return Arrays.asList(chain);
    };
  } catch (err) {
    // Android 9+ — tried only when the four-argument overload is unavailable.
    try {
      var checkTrustedSixArgs = CheckTrustedOwner.checkTrusted.overload(
        '[Ljava.security.cert.X509Certificate;',
        '[B',
        '[B',
        'java.lang.String',
        'java.lang.String',
        'boolean'
      );
      checkTrustedSixArgs.implementation = function (chain, b1, b2, type, host, bool) {
        console.log('[+] Ignoring trust check for host: ' + host);
        return Arrays.asList(chain);
      };
    } catch (err2) {
      console.log('[!] Unable to hook either checkTrusted method');
    }
  }
});