SSL Pinning Bypass with Frida for Beginners

This article explains how to bypass SSL pinning in Android applications with the Frida framework. Frida is a dynamic instrumentation toolkit: it injects JavaScript into a running native application (here, an Android app) and lets you change its behaviour at runtime while you test it. For SSL pinning that means hooking the code that validates the server certificate so the app accepts your proxy's certificate, which lets you perform a man-in-the-middle (MitM) attack on its HTTPS traffic even though the app would normally reject any certificate other than the one it pins.

In this blog post, you will learn:

  • How to download and install the Burp CA certificate on an Android device.
  • How to connect to the Android device with ADB.
  • How to install and start the Frida server.
  • How to run the unpinning script against the target application.

Note: You will need an Android device or emulator (NoxPlayer/Genymotion), and it must be rooted, because frida-server has to run as root.

Step 1: Install Burp Certificate

First, we need to configure the Burp Suite proxy listener (Proxy > Options).

In this walkthrough the listener is bound to address 192.168.8.127 and port 8080. The bind address must be reachable from the Android device (your host's LAN IP or all interfaces, not 127.0.0.1). Then open the browser on the device, navigate to the listener (http://192.168.8.127:8080) and download the proxy's certificate by clicking "CA Certificate".

Once downloaded, rename the file from cacert.der to burp.cer.

Then, on the Android device, go to Settings -> Security -> Credential storage -> Install from SD card, navigate to where burp.cer is located and select it, enter any name you like, and set a lock screen PIN or password if prompted; you should see a message that the certificate was installed. Note that this installs Burp as a user CA: apps targeting Android 7.0 (API 24) and later do not trust user-installed CAs unless their network security configuration opts in, which is one more reason the Frida hooks in Step 4 are needed, since they make the app's certificate checks accept the chain regardless of which store the CA sits in.

Now we can configure proxy settings on the virtual device. Go to Settings > Wi-Fi, long press on WiredSSID, choose Modify network, set Proxy to Manual and enter the proxy to connect to. In this case, I entered Proxy hostname 192.168.8.127 and Proxy port 8080.

Step 2: Connect to Android Device with ADB

To run commands on the Android device we need an ADB connection. On the device or emulator, open Settings > Developer options and enable USB debugging (on most stock builds, Developer options only appears after tapping Build number seven times under Settings > About phone).

Genymotion and NoxPlayer expose the emulator over TCP, so you can attach to it with:

    adb connect <IP address of the android device>

If you omit the port, adb uses 5555. Check that the device is listed, and that its state is "device" rather than "unauthorized" or "offline":

    adb devices

Step 3: Install Frida Server

First, install Frida Tools on your machine from the terminal:

    pip install frida-tools

Then run `frida --help` to make sure it was installed correctly, and note the version reported by `frida --version`: the frida-server you push to the device in the next step must be the same version as the client.

Now we need the frida-server binary for the device. It must match the device's CPU architecture, because frida-server runs on the device itself, attaching to processes and rewriting their memory, so it has to be native code for that CPU. Android devices are either x86/x86_64 (most emulators) or 32/64-bit ARM (most phones), so first query the ABI:

    adb shell getprop ro.product.cpu.abi

output: x86

The value maps to a release asset as follows: x86 to android-x86, x86_64 to android-x86_64, armeabi-v7a to android-arm, arm64-v8a to android-arm64. Download the matching frida-server from https://github.com/frida/frida/releases, picking the release whose version equals your frida-tools version. In this case, I downloaded frida-server-14.1.0-android-x86. Release assets are xz-compressed, so decompress the file first (for example `xz -d frida-server-14.1.0-android-x86.xz`).

Once decompressed, copy the binary to the device with ADB (it is renamed to frida-server on the way, so the later commands do not depend on the version string):

    adb push ./frida-server-14.1.0-android-x86 /data/local/tmp/frida-server

Give execution permission to frida-server:

    adb shell chmod 755 /data/local/tmp/frida-server

Now start frida-server. It needs root to attach to other apps' processes; on Genymotion and NoxPlayer `adb shell` already runs as root, on other rooted devices wrap the command in `su -c`:

    adb shell /data/local/tmp/frida-server &

The trailing ‘&’ runs the command in the background so you keep your terminal.

Check that Frida can reach the server by listing the processes running on the device:

    frida-ps -U

If this fails with a connection error, frida-server is not running; if it complains about a protocol or version mismatch, the server and client versions differ.

Step 4: Bypass SSL Pinning

We need a Frida script that hooks the certificate-validation code of the common Android HTTP/TLS libraries so that our Burp certificate is accepted. A widely used one is https://codeshare.frida.re/@akabe1/frida-multiple-unpinning; save it locally as sslbypass.js (or let Frida fetch it with `--codeshare akabe1/frida-multiple-unpinning` in place of `-l sslbypass.js`). With the script at hand, run the next command.

In this example, I decided to go for the Twitter app as our target (package name com.twitter.android):

    frida -U -f com.twitter.android -l sslbypass.js --no-pause

`-U` selects the device attached over USB/ADB, `-f` spawns the package so the hooks are in place before the app makes its first request, and `--no-pause` resumes the main thread immediately (in Frida 16 and later, spawned apps resume automatically and this flag no longer exists).

If everything goes well, all traffic of the target app will show up in Burp Suite. 😎
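To show what an unpinning script actually does, here is a reduced example written for this post. It is not the akabe1 codeshare script and not Frida's own code; it assumes the Frida Java bridge API (`Java.perform`, `Java.use`, method `overloads` and their `implementation` setter) and the class and method names of OkHttp 3/4 (`okhttp3.CertificatePinner.check` and the Kotlin-mangled `check$okhttp`) and of Android's Conscrypt trust manager (`com.android.org.conscrypt.TrustManagerImpl.verifyChain`). Each target's method is replaced with an implementation that logs the call and returns "trusted" instead of throwing:

```javascript
// Minimal Frida unpinning script (added example; not the akabe1 codeshare script).
// Each target names a class and method whose overloads are replaced with a
// permissive implementation. Class and method names are assumptions about
// OkHttp 3/4 and Android's Conscrypt TrustManagerImpl.
const PINNING_TARGETS = [
  {
    // OkHttp 3/4: CertificatePinner.check(hostname, peerCertificates) throws
    // SSLPeerUnverifiedException when no pin matches; returning normally means "pin OK".
    className: 'okhttp3.CertificatePinner',
    methodName: 'check',
    bypass: function () { return; },
  },
  {
    // OkHttp 4 internal entry point called by RealConnection (Kotlin-mangled name).
    className: 'okhttp3.CertificatePinner',
    methodName: 'check$okhttp',
    bypass: function () { return; },
  },
  {
    // Android platform trust evaluation: verifyChain(untrustedChain, trustAnchorChain,
    // host, clientAuth, ocspData, tlsSctData) returns the verified chain or throws.
    // Returning the untrusted chain unchanged accepts any certificate, including Burp's.
    className: 'com.android.org.conscrypt.TrustManagerImpl',
    methodName: 'verifyChain',
    bypass: function () { return arguments[0]; },
  },
];

// Installs the hooks through the Frida Java bridge passed in as `javaBridge`
// (the global `Java` inside Frida). Returns the list of hooked signatures so the
// caller can see which pinning code paths were actually present in this app.
function installUnpinningHooks(javaBridge, log) {
  const installed = [];
  javaBridge.perform(function () {
    PINNING_TARGETS.forEach(function (target) {
      let cls;
      try {
        cls = javaBridge.use(target.className);
      } catch (e) {
        // Java.use throws when the class is not loaded: the app does not use this library.
        log('[-] ' + target.className + ' not loaded in this app, skipping');
        return;
      }
      const method = cls[target.methodName];
      if (method === undefined || !method.overloads) {
        log('[-] ' + target.className + '.' + target.methodName + ' not found, skipping');
        return;
      }
      // Hook every overload rather than guessing the exact signature for this library version.
      method.overloads.forEach(function (overload) {
        const args = (overload.argumentTypes || []).map(function (t) { return t.className; });
        const signature = target.className + '.' + target.methodName + '(' + args.join(', ') + ')';
        overload.implementation = function () {
          // `this` is the Java instance; arguments[0] is the hostname or the untrusted chain.
          log('[+] ' + signature + ' bypassed for ' + String(arguments[0]));
          return target.bypass.apply(this, arguments);
        };
        installed.push(signature);
      });
    });
  });
  return installed;
}

// Inside Frida the `Java` global exists; under plain Node (or an offline test) it does not.
if (typeof Java !== 'undefined') {
  installUnpinningHooks(Java, console.log);
}
```

Save it as unpin.js and run it with `frida -U -f com.twitter.android -l unpin.js` in place of the codeshare script. The "[+]" lines tell you which library the app pins with; apps that pin through other libraries (TrustKit, Apache HttpClient, WebView clients, and so on) need additional targets, which is what the much longer codeshare script provides.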

Posted by udesh