SSL unpinning with Frida + Fiddler/Burp

1. Install Fiddler Everywhere + CERT

After that, check the option "Capture HTTPS traffic" and install the certificate.
Next, click on "Advanced Settings" and export the certificate.
Now we need to push the certificate into the Android emulator and install it; the steps are detailed in the Android Dynamic Analysis page.
We need to install it inside the SYSTEM trusted certificates, not only the USER ones.
For that, first convert the .crt to .pem format, then compute the subject hash: Android expects the file in the system CA store to be named after the old-style subject hash, with a ".0" suffix.
```
openssl x509 -inform der -in FiddlerRootCertificate.crt -out certificate.pem
openssl x509 -inform PEM -subject_hash_old -in certificate.pem
e5c3944b
-----BEGIN CERTIFICATE-----
MIIDozCCAougAwIBAgIQAKPzRj150AoV9QaH05oFgzANBgkqhkiG9w0BAQsFADBq
MSswKQYDVQQLDCJDcmVhdGVkIGJ5IGh0dHA6Ly93d3cuZmlkZGxlcjIuY29tMRgw
FgYDVQQKDA9ET19OT1RfVFJVU1RfQkMxITAfBgNVBAMMGERPX05PVF9UUlVTVF9G
aWRkbGVyUm9vdDAeFw0yMTA2MTUwMDAwMDBaFw0zMTA2MjIxODA0MTBaMGoxKzAp
(...)

mv certificate.pem e5c3944b.0

-- Import it --
.\adb.exe connect localhost:21503
.\adb.exe remount
.\adb.exe push e5c3944b.0 /system/etc/security/cacerts/
```
At this point we have the certificate in both the USER and the SYSTEM trusted credentials.
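The hash step above decides the file name Android expects in the system CA store. The following added Python example (not from the original page) reproduces `openssl x509 -subject_hash_old` from DER certificate bytes without third-party libraries, and turns it into a defender-side check that a file in /system/etc/security/cacerts really carries the name its content implies. The sample certificate is constructed and unsigned; `cacert_name_matches` and `build_sample_cert` are helper names chosen for this example.

```python
import hashlib, struct

def der_tlv(data, offset=0):
    """Decode one DER TLV at offset -> (tag, value bytes, offset just past it)."""
    tag, length, pos = data[offset], data[offset + 1], offset + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_encode(tag, value):
    """Encode one DER TLV (only needed to build the constructed sample cert)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def extract_subject(cert_der):
    """Return the full DER encoding (tag + length + value) of the Subject Name."""
    _, cert_body, _ = der_tlv(cert_der)  # Certificate SEQUENCE
    _, tbs, _ = der_tlv(cert_body)       # TBSCertificate SEQUENCE
    pos, fields = 0, []
    while len(fields) < 5:               # serial, sigAlg, issuer, validity, subject
        tag, _, end = der_tlv(tbs, pos)
        if not (tag == 0xA0 and not fields):  # skip the optional [0] EXPLICIT version
            fields.append(tbs[pos:end])
        pos = end
    return fields[4]

def name_hash_old(name_der):
    """OpenSSL X509_NAME_hash_old: first 4 MD5 bytes of the DER Name as a little-endian uint32."""
    return "%08x" % struct.unpack("<I", hashlib.md5(name_der).digest()[:4])[0]

def subject_hash_old(cert_der):
    """Same value as `openssl x509 -subject_hash_old`; Android names system CA files <hash>.0."""
    return name_hash_old(extract_subject(cert_der))

def cacert_name_matches(filename, cert_der):
    """Defender check: does a cacerts file name agree with the certificate it contains?"""
    return filename.split(".")[0] == subject_hash_old(cert_der)

def build_sample_cert(common_name, with_version=True):
    """Constructed, unsigned but structurally valid X.509 certificate (demo input only)."""
    rdn = der_encode(0x06, b"\x55\x04\x03") + der_encode(0x0C, common_name.encode())
    name = der_encode(0x30, der_encode(0x31, der_encode(0x30, rdn)))  # Name: CN=<common_name>
    version = der_encode(0xA0, der_encode(0x02, b"\x02")) if with_version else b""
    sig_alg = der_encode(0x30, der_encode(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = der_encode(0x30, der_encode(0x17, b"210615000000Z") + der_encode(0x17, b"310622180410Z"))
    tbs = version + der_encode(0x02, b"\x01") + sig_alg + name + validity + name  # issuer == subject
    return der_encode(0x30, der_encode(0x30, tbs) + sig_alg + der_encode(0x03, b"\x00"))
```

Feeding the DER bytes of the exported FiddlerRootCertificate.crt to `subject_hash_old` returns the same value the page obtains with openssl, so the result plus ".0" is the file name to use in /system/etc/security/cacerts.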

2. Configure the Proxy

In the Fiddler settings window, copy the listener port and enable the option "Allow remote computers to connect".
On the Android emulator, configure the proxy with the host machine's address and that port.

3. Frida unpinning

Copy the Fiddler certificate to the same folder where the frida-server binary is installed.
```
.\adb.exe connect localhost:21503
.\adb.exe push 'FiddlerRootCertificate.crt' /data/local/temp

.\adb.exe shell
G011A:/data/local/temp # ls
FiddlerRootCertificate.crt frida-server-14.2.18-android-x86
mv FiddlerRootCertificate.crt cert-der.crt
```
After that, download the SSL unpinning script from the Frida CodeShare repository.
We need to change the certificate path in the script (line 25 below, the FileInputStream.$new() call) to the path where we copied the Fiddler certificate:
```
/data/local/temp/cert-der.crt
```
```javascript
/*
   Android SSL Re-pinning frida script v0.2 030417-pier
   $ adb push burpca-cert-der.crt /data/local/tmp/cert-der.crt
   $ frida -U -f it.app.mobile -l frida-android-repinning.js --no-pause
   https://techblog.mediaservice.net/2017/07/universal-android-ssl-pinning-bypass-with-frida/

   UPDATE 20191605: Fixed undeclared var. Thanks to @oleavr and @ehsanpc9999 !
*/
setTimeout(function(){
    Java.perform(function (){
        console.log("");
        console.log("[.] Cert Pinning Bypass/Re-Pinning");
        var CertificateFactory = Java.use("java.security.cert.CertificateFactory");
        var FileInputStream = Java.use("java.io.FileInputStream");
        var BufferedInputStream = Java.use("java.io.BufferedInputStream");
        var X509Certificate = Java.use("java.security.cert.X509Certificate");
        var KeyStore = Java.use("java.security.KeyStore");
        var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");
        var SSLContext = Java.use("javax.net.ssl.SSLContext");
        // Load CAs from an InputStream
        console.log("[+] Loading our CA...")
        var cf = CertificateFactory.getInstance("X.509");

        try {
            var fileInputStream = FileInputStream.$new("/data/local/temp/cert-der.crt");
        }
        catch(err) {
            console.log("[o] " + err);
        }

        var bufferedInputStream = BufferedInputStream.$new(fileInputStream);
        var ca = cf.generateCertificate(bufferedInputStream);
        bufferedInputStream.close();
        var certInfo = Java.cast(ca, X509Certificate);
        console.log("[o] Our CA Info: " + certInfo.getSubjectDN());
        // Create a KeyStore containing our trusted CAs
        console.log("[+] Creating a KeyStore for our CA...");
        var keyStoreType = KeyStore.getDefaultType();
        var keyStore = KeyStore.getInstance(keyStoreType);
        keyStore.load(null, null);
        keyStore.setCertificateEntry("ca", ca);

        // Create a TrustManager that trusts the CAs in our KeyStore
        console.log("[+] Creating a TrustManager that trusts the CA in our KeyStore...");
        var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        var tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
        tmf.init(keyStore);
        console.log("[+] Our TrustManager is ready...");
        console.log("[+] Hijacking SSLContext methods now...")
        console.log("[-] Waiting for the app to invoke SSLContext.init()...")
        SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").implementation = function(a,b,c) {
            console.log("[o] App invoked javax.net.ssl.SSLContext.init...");
            SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").call(this, a, tmf.getTrustManagers(), c);
            console.log("[+] SSLContext initialized with our custom TrustManager!");
        }
    });
},0);
```
After that, it's time to start frida-server on the emulator and launch the application with the script loaded.
```
-- run frida server --
.\adb.exe shell '/data/local/temp/frida-server-14.2.18-android-x86 &'

-- execute ssl unpinning --
frida.exe -U -f 'com.xx.xxx.xxxx' -l .\frida_ssl.js --no-pause
```
And... we got it 😎
The same approach can be used with Burp Suite, just by changing the certificate.

Resources

https://infosecwriteups.com/hail-frida-the-universal-ssl-pinning-bypass-for-android-e9e1d733d29