This article explains how to bypass SSL pinning in Android applications using the Frida framework. Basically, Frida is a tool that lets you inject scripts into native apps (in this case Android apps) to modify the application's behaviour at runtime (here, bypassing SSL pinning so that a MitM proxy can inspect the traffic even though the application uses HTTPS/SSL) and run dynamic tests in real time.
In this blog post, you will learn:
How to configure and install the Burp certificate on an Android device.
How to connect the Android device with ADB.
How to install the Frida server.
How to invoke the script against your application.
Note: You will need an Android virtual machine (NoxPlayer or Genymotion).
Step 1: Install Burp Certificate
First, we need to configure the Burp Suite proxy listener.
As shown above, I have configured my proxy listener with bind address 192.168.8.127 and bind port 8080. Now open the browser on the mobile device, navigate to the proxy's IP and port (http://192.168.8.127:8080) and download the proxy's certificate by clicking on "CA Certificate".
Once you have downloaded the CA certificate, rename it from cacert.der to burp.cer.
After that, on the Android device go to Settings -> Security -> Credential storage -> Install from SD card, navigate to where burp.cer is located and select it. Enter any name you like; you will most likely be asked to set a lock screen PIN or password. Do so and you will see a "burp installed" message.
Now we can configure the proxy settings on the virtual device. Go to Settings > Wi-Fi > WiredSSID and long-press on it. The WiredSSID window will pop up; choose Modify network, select Manual in the Proxy drop-down and you will be able to enter the proxy to connect to. In this case, I entered Proxy hostname 192.168.8.127 and Proxy port 8080.
Step 2: Connect to Android Device with ADB
To run commands on the Android device we need to connect it to ADB. To do that, go to the settings of the device or emulator, open Developer Options and enable USB debugging.
After that, we can run the following command to connect our Android device.
adb connect
You can check that the device is connected to ADB with:
adb devices
Step 3: Install Frida Server
First, you need to install Frida tools on your machine. You can install frida-tools from the terminal with pip.
pip install frida-tools
After that, you can run `frida --help` to make sure it was installed correctly.
With frida-tools installed, we need to download the Frida server executable. Before installing it, you must select the Frida server build that matches the device's CPU architecture, since the server runs natively on the device and instruments processes in memory. Mainstream Android CPU architectures are x86 and ARM, so enter the command below to find the CPU architecture of the Android device.
adb shell getprop ro.product.cpu.abi
output: x86
Now that we know the architecture, download the matching Frida server from https://github.com/frida/frida/releases. In this case, I downloaded the frida-server-14.1.0-android-x86 build.
Once downloaded, copy the Frida server binary to the Android device with ADB.
Now, we can run the Frida server with the following command.
adb shell /data/local/tmp/frida-server &
The trailing '&' runs the command in the background.
Now check that Frida is working correctly by running the following command.
frida-ps -U
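As an added example (not part of the original post), the following POSIX shell helper automates Steps 2 and 3: it maps the device ABI reported by getprop to the Frida release asset name, pushes the binary to /data/local/tmp, starts it and checks with frida-ps. The function names, the script name and FRIDA_VERSION are assumptions; it assumes adb and frida-tools are installed, the device is already reachable via adb, and the downloaded .xz asset has been extracted next to the script.

```sh
#!/bin/sh
# Added helper (not from the original post). Assumes adb and frida-tools are
# installed, the device is already connected via adb, and the extracted
# frida-server binary sits in the current directory.
set -eu

# Version used in the post; override with FRIDA_VERSION=... in the environment.
FRIDA_VERSION="${FRIDA_VERSION:-14.1.0}"

# Map an Android ABI string (ro.product.cpu.abi) to the architecture label
# Frida uses in its release asset names. Returns 1 for an unknown ABI.
frida_arch_for_abi() {
  case "$1" in
    x86)                 echo "x86" ;;
    x86_64)              echo "x86_64" ;;
    armeabi-v7a|armeabi) echo "arm" ;;
    arm64-v8a)           echo "arm64" ;;
    *)                   return 1 ;;
  esac
}

# Build the asset name, e.g. frida-server-14.1.0-android-arm64
# (the GitHub download is this name with an .xz suffix).
frida_server_asset() {
  arch=$(frida_arch_for_abi "$1") || return 1
  echo "frida-server-${FRIDA_VERSION}-android-${arch}"
}

# Push the binary to the device path used in the post, start it in the
# background and list device processes to confirm the server answers.
install_and_start_frida_server() {
  abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')
  asset=$(frida_server_asset "$abi") || { echo "unsupported ABI: $abi" >&2; return 1; }
  [ -f "$asset" ] || { echo "missing $asset; extract the .xz first" >&2; return 1; }
  adb push "$asset" /data/local/tmp/frida-server
  adb shell chmod 755 /data/local/tmp/frida-server
  adb shell /data/local/tmp/frida-server &
  sleep 2
  frida-ps -U
}

# Run only when invoked as: sh frida_setup.sh run
if [ "${1:-}" = "run" ]; then
  install_and_start_frida_server
fi
```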
Step 4: Bypass SSL Pinning
We need the Frida script that overrides the app's SSL connections to create and use our own TrustManager. You can find the script at https://codeshare.frida.re/@akabe1/frida-multiple-unpinning. We will first see how to use this script to bypass SSL pinning and then analyze what the script does. With the script at hand, you can run the next command.
In this example, I chose the Twitter app (com.twitter.android) as the target.