Skip to content

Instantly share code, notes, and snippets.

@xdavidhu
Last active April 25, 2024 16:32
Show Gist options
  • Save xdavidhu/c9808c428d3c4a4a2e3c9f99840e05b4 to your computer and use it in GitHub Desktop.
Save xdavidhu/c9808c428d3c4a4a2e3c9f99840e05b4 to your computer and use it in GitHub Desktop.
Bypassing SSL Pinning in Facebook/Meta Workplace (Android)

Tested on Workplace for Android version 362.0.0.29.109. This approach might work in other Facebook/Meta applications. Thank you Imre Rad for helping me analyze the binary.

How does it work?

The Workplace Android app uses the Fizz open source TLS-1.3 library to communicate with the backend APIs. This library is written in C++, and is compiled to native code. It is running as a native library attached to the Android app.

The certificate verification is implemented in fizz/client/ClientProtocol.cpp, on line 1944. The easiest way to bypass this check is to patch the if (state.verifier()) { check on line 1942.

How to do it?

This process requires a rooted device.

  1. Install Workplace on the device, and open it once.
  2. Download /data/data/com.facebook.work/lib-compressed/libxplat_fizz_client_protocolAndroid.so from the device.
  3. Patch the cbz instruction at the address 1d748 to turn it into an uncoditional b jump. If you don't have the necessary disassembler software open the binary using a hex editor, find the address 1d748 and change the bytes F7 00 00 B4 to 07 00 00 14.
  4. Push the file to your device, and replace /data/data/com.facebook.work/lib-compressed/libxplat_fizz_client_protocolAndroid.so with the newly modified version.
  5. Open the Workplace app, and see that it does not verify TLS certificates anymore. (If you have the proxy settings set up properly on the device, you should now see the /graphql calls in Burp/your HTTP proxy. 😎)

Since this patch completely disables TLS certificate verification, make sure to only perform it on a testing device without any sensitive data. Certificates that are not trusted by Android itself will also be accepted.

@michelerenzullo
Copy link

Hi, that's nice, I created a non rooted version, I explained here , on Medium, how I did that. Thanks for the hints with this gist.

The new offset is 0x1D9F0 for Workplace 365.0.0.30.112 arm64

@AYAZ-101
Copy link

this is so depeculte bro

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment