# SSL unpining frida + Fiddler/Burp

## 1. Install Fiddler Everywhere + CERT

{% embed url="<https://www.telerik.com/fiddler/fiddler-everywhere>" %}

After that, check the option "**Capture HTTPS traffic**", and install the certificate.

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-Md2pKpIJj-4-e4kxqMH%2F-Md365tlrytd0YYHynpA%2Fimage.png?alt=media\&token=101254c8-f55e-4f05-b909-ea41130dd15f)

Next, click on "**Advanced Settings**", and export the certificate.

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-Md2pKpIJj-4-e4kxqMH%2F-Md36S_U8P56xRsZtrfG%2Fimage.png?alt=media\&token=01042f76-8d45-4363-97b8-bfd43c9b1e7f)

Now, we need to push the certificate into the android emulator and install it. See more details below.

{% embed url="<https://gitbook.seguranca-informatica.pt/mobile/reverse-android-apks/android-dinamic-analysis>" %}

We need to install it inside the **SYSTEM trusted certificates**.

For that, convert first the .crt to .pem format.

```
openssl x509 -inform der -in FiddlerRootCertificate.crt -out certificate.pem
openssl x509 -inform PEM -subject_hash_old -in certificate.pem
e5c3944b
-----BEGIN CERTIFICATE-----
MIIDozCCAougAwIBAgIQAKPzRj150AoV9QaH05oFgzANBgkqhkiG9w0BAQsFADBq
MSswKQYDVQQLDCJDcmVhdGVkIGJ5IGh0dHA6Ly93d3cuZmlkZGxlcjIuY29tMRgw
FgYDVQQKDA9ET19OT1RfVFJVU1RfQkMxITAfBgNVBAMMGERPX05PVF9UUlVTVF9G
aWRkbGVyUm9vdDAeFw0yMTA2MTUwMDAwMDBaFw0zMTA2MjIxODA0MTBaMGoxKzAp
(...)

mv certificate.pem e5c3944b.0

-- Import it--
.\adb.exe connect localhost:21503
.\adb.exe remount
.\adb.exe push e5c3944b.0 /system/etc/security/cacerts/
```

At this step, we have the certificate in the **USER** and **SYSTEM** trusted credentials.

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-Md2pKpIJj-4-e4kxqMH%2F-Md37U42g8eOkjhW7zAU%2Fimage.png?alt=media\&token=d02a77ea-0b3b-4daf-a461-77f117ed0590)

## 2. Configure the Proxy

On the Fiddle settings window, **copy the listener port** and mark the option "**Allows remote computers connect**".

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-Md2pKpIJj-4-e4kxqMH%2F-Md37iZQAbG5xAdhmjl6%2Fimage.png?alt=media\&token=cc8e5089-2257-4885-a3ad-909f940c7f9b)

On the android emulator, configure the proxy.

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-Md2pKpIJj-4-e4kxqMH%2F-Md381EV2JixPZnJkreD%2Fimage.png?alt=media\&token=d686496b-2e2b-4313-8eb3-884103976e91)

## 3. Frida unpinning

Copy the Fiddler certificate to the same folder where frida server is installed.

```
.\adb.exe connect localhost:21503
.\adb.exe push 'FiddlerRootCertificate.crt' /data/local/temp

.\adb.exe shell
G011A:/data/local/temp # ls
FiddlerRootCertificate.crt  frida-server-14.2.18-android-x86
mv FiddlerRootCertificate.crt cert-der.crt
```

After that, download the SSL unpining from Frida code repository.

We need to change the path where we copied it into the Fiddler certificate (line 25 below).

```javascript
/data/local/temp/cert-der.crt
```

{% embed url="<https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/>" %}

```javascript
/* 
   Android SSL Re-pinning frida script v0.2 030417-pier
$ adb push burpca-cert-der.crt /data/local/tmp/cert-der.crt
   $ frida -U -f it.app.mobile -l frida-android-repinning.js --no-pause
https://techblog.mediaservice.net/2017/07/universal-android-ssl-pinning-bypass-with-frida/
   
   UPDATE 20191605: Fixed undeclared var. Thanks to @oleavr and @ehsanpc9999 !
*/
setTimeout(function(){
    Java.perform(function (){
     console.log("");
     console.log("[.] Cert Pinning Bypass/Re-Pinning");
var CertificateFactory = Java.use("java.security.cert.CertificateFactory");
     var FileInputStream = Java.use("java.io.FileInputStream");
     var BufferedInputStream = Java.use("java.io.BufferedInputStream");
     var X509Certificate = Java.use("java.security.cert.X509Certificate");
     var KeyStore = Java.use("java.security.KeyStore");
     var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");
     var SSLContext = Java.use("javax.net.ssl.SSLContext");
// Load CAs from an InputStream
     console.log("[+] Loading our CA...")
     var cf = CertificateFactory.getInstance("X.509");
     
     try {
      var fileInputStream = FileInputStream.$new("/data/local/temp/cert-der.crt");
     }
     catch(err) {
      console.log("[o] " + err);
     }
     
     var bufferedInputStream = BufferedInputStream.$new(fileInputStream);
    var ca = cf.generateCertificate(bufferedInputStream);
     bufferedInputStream.close();
var certInfo = Java.cast(ca, X509Certificate);
     console.log("[o] Our CA Info: " + certInfo.getSubjectDN());
// Create a KeyStore containing our trusted CAs
     console.log("[+] Creating a KeyStore for our CA...");
     var keyStoreType = KeyStore.getDefaultType();
     var keyStore = KeyStore.getInstance(keyStoreType);
     keyStore.load(null, null);
     keyStore.setCertificateEntry("ca", ca);
     
     // Create a TrustManager that trusts the CAs in our KeyStore
     console.log("[+] Creating a TrustManager that trusts the CA in our KeyStore...");
     var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
     var tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
     tmf.init(keyStore);
     console.log("[+] Our TrustManager is ready...");
console.log("[+] Hijacking SSLContext methods now...")
     console.log("[-] Waiting for the app to invoke SSLContext.init()...")
SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").implementation = function(a,b,c) {
      console.log("[o] App invoked javax.net.ssl.SSLContext.init...");
      SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").call(this, a, tmf.getTrustManagers(), c);
      console.log("[+] SSLContext initialized with our custom TrustManager!");
     }
    });
},0);
```

After that, it's time to run the application.

```javascript
--run frida server--
.\adb.exe shell '/data/local/temp/frida-server-14.2.18-android-x86 &'

--execute ssl unpinning--
frida.exe -U -f 'com.xx.xxx.xxxx' -l .\frida_ssl.js --no-pause
```

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-Md2pKpIJj-4-e4kxqMH%2F-Md39LZqLT_83k1kOekN%2Fimage.png?alt=media\&token=c564f3c6-473a-44ad-b9b4-253f5d21cc64)

and ... we got it :sunglasses:&#x20;

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-Md2pKpIJj-4-e4kxqMH%2F-Md39YifNw4Tb05up3ym%2Fimage.png?alt=media\&token=2bd05cf3-aa4f-467b-a6b3-efebd79e58a9)

The same approach can be used with burpsuite, just by changing the certificate.

## Resources

{% embed url="<https://infosecwriteups.com/hail-frida-the-universal-ssl-pinning-bypass-for-android-e9e1d733d29>" %}