Avatar
Aditya is a Penetration Tester and Security Researcher based in India. He occasionally blogs about his findings and adventures in pentesting

One-click SSL-Pinning Bypass Setup

Android app Pentests can become torturous when you don’t have the right environment setup.
This of-course refers to the SSL-pinning that is implemented in the apps which prevents Security Researchers from intercepting the traffic.

There are a lot of great tutorials on the internet which tells you the easy way to bypass SSL pinning and setup your environment. (Linked them below).

I’ve often found myself doing the same steps again and again whenever I need a new environment installed or if I’m working on a new system.

So using some publicly available resources and using my poor bash scripting skills, I’ve written a script that does all this for me. You can find it here - Frida Setup


Pre-requisites

  • This only works with Genymotion. You need to have a device ready, installed and running so that the script can interact with the ADB.
    I mostly use a Custom device with Android 8. Here’s my configuration if you’re interested.
geny
  • Start your Burp before running the installer as this script downloads your certificate from Burp’s proxy.
  • Run the frida_setup.sh to start the installer.

Workflow

Here’s what the script does in the background.

  • Installs frida and frida-tools using pip. Don’t forget to export the installed path otherwise sometimes it does not work by default.

export PATH=$PATH:/home/<your_user>/.local/bin

  • Fetches the latest released version of Frida server from GitHub.
  • Downloads certificate from Burp’s proxy.
  • Pushes and installs the required files inside the ADB.
  • Cleans up the files and does a reboot of the android system.

Post-Installation

Here’s what you need to do after the Android reboots.

  • Go to Burp > Proxy > Options and add a Proxy listener for your android.
burp
  • Make sure the IP is your VirtualBox’s IP. Set the same inside your Android’s WiFi settings with the same port.
  • Execute adb shell and run the frida-server from /data/local/tmp.
  • Use the frida2.js OR frida.js script provided in the Github repository to bypass SSL Pinning -

frida -U -f <package_name> -l frida2.js --no-pause

  • The package name can be found using the below command. Make sure the app is running for it show in the result.

frida-ps -U | grep "your_app"

Note: Recommend using frida2.js instead of frida.js


References

all tags