Tested on Workplace for Android version 362.0.0.29.109. This approach might work in other Facebook/Meta applications. Thank you Imre Rad for helping me analyze the binary.
The Workplace Android app uses the Fizz open source TLS 1.3 library to communicate with the backend APIs. This library is written in C++ and compiled to native code; it runs as a native library loaded by the Android app.
The certificate verification is implemented in `fizz/client/ClientProtocol.cpp`, on line 1944.
The easiest way to bypass this check is to patch the `if (state.verifier()) {` check on line 1942.
This process requires a rooted device.
- Install Workplace on the device, and open it once.
- Download `/data/data/com.facebook.work/lib-compressed/libxplat_fizz_client_protocolAndroid.so` from the device.
- Patch the `cbz` instruction at the address `1d748` to turn it into an unconditional `b` jump. If you don't have the necessary disassembler software, open the binary using a hex editor, find the address `1d748` and change the bytes `F7 00 00 B4` to `07 00 00 14`.
- Push the file to your device, and replace `/data/data/com.facebook.work/lib-compressed/libxplat_fizz_client_protocolAndroid.so` with the newly modified version.
- Open the Workplace app, and see that it does not verify TLS certificates anymore. (If you have the proxy settings set up properly on the device, you should now see the `/graphql` calls in Burp/your HTTP proxy. 😎)
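To check what the byte change in the hex-editor step actually does before applying it, here is an added example (my code, not part of the gist or of Fizz) that decodes the AArch64 `cbz` word `F7 00 00 B4` and re-encodes it as an unconditional `b` to the same target. The register and offset fields follow the standard AArch64 encoding; the only page-specific inputs are the two byte sequences quoted above.

```python
import struct

# Added example: decode an AArch64 CBZ/CBNZ word and re-encode it as an
# unconditional B with the same branch target. The sample bytes are the two
# sequences quoted in the gist (F7 00 00 B4 -> 07 00 00 14); field layouts are
# the architectural AArch64 encodings, nothing Fizz-specific.

def _sign_extend(value: int, bits: int) -> int:
    sign = 1 << (bits - 1)
    return (value ^ sign) - sign

def decode_cbz(word: int) -> dict:
    """Decode a CBZ/CBNZ (sf 011010 op imm19 Rt). Raises ValueError otherwise."""
    if (word >> 25) & 0x3F != 0b011010:
        raise ValueError(f"0x{word:08x} is not CBZ/CBNZ")
    is_64 = bool(word >> 31)            # sf: x-register (1) or w-register (0)
    is_cbnz = bool((word >> 24) & 1)    # op: 0 = CBZ, 1 = CBNZ
    imm19 = (word >> 5) & 0x7FFFF       # signed word offset from this instruction
    rt = word & 0x1F
    return {
        "mnemonic": "cbnz" if is_cbnz else "cbz",
        "reg": f"{'x' if is_64 else 'w'}{rt}",
        "offset": _sign_extend(imm19, 19) * 4,   # byte offset, may be negative
    }

def encode_b(offset: int) -> int:
    """Encode B (000101 imm26) for a signed byte offset; 4-aligned, within +-128 MiB."""
    if offset % 4 or not -(1 << 27) <= offset < (1 << 27):
        raise ValueError(f"offset {offset} not encodable in B")
    return (0b000101 << 26) | ((offset // 4) & 0x3FFFFFF)

def cbz_to_b(word: int) -> int:
    """Replace a conditional CBZ/CBNZ with an unconditional B to the same target."""
    return encode_b(decode_cbz(word)["offset"])

def patch_bytes(original: bytes) -> bytes:
    """Little-endian bytes in, little-endian bytes out, as shown in a hex editor."""
    (word,) = struct.unpack("<I", original)
    return struct.pack("<I", cbz_to_b(word))

if __name__ == "__main__":
    orig = bytes.fromhex("F70000B4")                       # bytes quoted in the gist
    info = decode_cbz(struct.unpack("<I", orig)[0])
    print(f"{info['mnemonic']} {info['reg']}, #+0x{info['offset']:x}")  # cbz x23, #+0x1c
    print(patch_bytes(orig).hex(" ").upper())                           # 07 00 00 14
```

Both words branch forward 7 instructions (0x1c bytes), which is why the replacement lands on the same target regardless of the register test; the decoder also handles negative (backward) offsets, which the gist's case does not exercise.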
Since this patch completely disables TLS certificate verification, make sure to only perform it on a testing device without any sensitive data. Certificates that are not trusted by Android itself will also be accepted.
Hi, that's nice, I created a non-rooted version, I explained here, on Medium, how I did that. Thanks for the hints with this gist.
The new offset is 0x1D9F0 for Workplace 365.0.0.30.112 arm64