Android app pentests can become torturous when you don't have the right environment set up.
This of course refers to the SSL pinning implemented in many apps: the app trusts only its own pinned certificates, so it rejects the intercepting proxy's certificate and security researchers cannot see the traffic.

There are a lot of great tutorials on the internet that tell you the easy way to bypass SSL pinning and set up your environment (linked below).

I've often found myself doing the same steps again and again whenever I need a new environment installed or if I'm working on a new system.

So using some publicly available resources and using my poor bash scripting skills, I've written a script that does all this for me.

az0mb13/frida_setup
One-click installer for Frida and Burp certs for SSL Pinning bypass - az0mb13/frida_setup

Prerequisites

  • This only works with Genymotion. You need a device created, installed and running so that the script can talk to it over ADB.
    I mostly use a custom device with Android 8. Here's my configuration if you're interested.
  • Start Burp before running the installer, as the script downloads the CA certificate from Burp's proxy listener.
  • Run frida_setup.sh to start the installer.

Workflow

Here's what the script does in the background.

  • Installs frida and frida-tools using pip. pip puts the command-line tools in ~/.local/bin, which is not always on your PATH, so export it or the frida commands will not be found:

export PATH=$PATH:/home/<your_user>/.local/bin

  • Fetches the latest frida-server release from GitHub.
  • Downloads the CA certificate from Burp's proxy.
  • Pushes the Burp CA certificate and frida-server to the device over ADB and installs them.
  • Cleans up the downloaded files and reboots the Android device.
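The same workflow as a stand-alone script, written here as an added example and not the author's frida_setup.sh (whose contents are not shown on this page). It assumes a rooted Genymotion device reachable over adb, Burp's default listener on 127.0.0.1:8080, and curl, xz and openssl on the host; the GitHub releases API and Burp's /cert endpoint are real, the function names are my own. It also makes explicit two details the bullet list glosses over: the frida-server build must match the device ABI (Genymotion images are x86, not ARM), and since Android 7 apps ignore user-installed CAs by default, so Burp's certificate has to go into the system store under the filename Android expects, <subject_hash_old>.0.

```shell
#!/usr/bin/env bash
# Added example, not the script from az0mb13/frida_setup. Mirrors the
# workflow above: install frida-tools, fetch the matching frida-server
# release, install Burp's CA as an Android *system* CA, push frida-server.
# Assumptions: rooted Genymotion device on adb, Burp on 127.0.0.1:8080,
# curl, xz and openssl available on the host.
set -euo pipefail

BURP_PROXY="${BURP_PROXY:-127.0.0.1:8080}"   # assumption: default Burp listener

# Map the device ABI (adb shell getprop ro.product.cpu.abi) to the arch
# suffix used in Frida's release asset names. Genymotion images are x86.
frida_arch_for_abi() {
  case "$1" in
    x86)         echo x86 ;;
    x86_64)      echo x86_64 ;;
    arm64-v8a)   echo arm64 ;;
    armeabi-v7a) echo arm ;;
    *) echo "unsupported ABI: $1" >&2; return 1 ;;
  esac
}

# Pull "tag_name" (the version, e.g. 16.1.4) out of the GitHub release JSON
# on stdin without needing a JSON parser on the host.
tag_from_release_json() {
  sed -n '/"tag_name"/{s/.*"tag_name": *"\([^"]*\)".*/\1/p;q;}'
}

# Download URL of the frida-server build for a release version and arch.
frida_server_url() {   # $1 = version, $2 = arch
  echo "https://github.com/frida/frida/releases/download/$1/frida-server-$1-android-$2.xz"
}

# Android's system CA store names each PEM file <subject_hash_old>.0 .
android_ca_filename() {   # $1 = path to DER-encoded certificate
  echo "$(openssl x509 -inform DER -in "$1" -subject_hash_old -noout).0"
}

main() {
  python3 -m pip install --user --upgrade frida frida-tools
  export PATH="$PATH:$HOME/.local/bin"

  local abi arch version tmp ca_name
  abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')
  arch=$(frida_arch_for_abi "$abi")
  version=$(curl -fsSL https://api.github.com/repos/frida/frida/releases/latest | tag_from_release_json)
  tmp=$(mktemp -d)

  curl -fsSL "$(frida_server_url "$version" "$arch")" -o "$tmp/frida-server.xz"
  xz -d "$tmp/frida-server.xz"

  # Burp serves its CA certificate (DER) at /cert on any proxy listener.
  curl -fsS "http://$BURP_PROXY/cert" -o "$tmp/cacert.der"
  ca_name=$(android_ca_filename "$tmp/cacert.der")
  openssl x509 -inform DER -in "$tmp/cacert.der" -out "$tmp/$ca_name"

  # System CA store: user-installed CAs are ignored by apps since Android 7.
  adb root
  adb remount
  adb push "$tmp/$ca_name" /system/etc/security/cacerts/
  adb shell chmod 644 "/system/etc/security/cacerts/$ca_name"
  adb push "$tmp/frida-server" /data/local/tmp/frida-server
  adb shell chmod 755 /data/local/tmp/frida-server

  rm -rf "$tmp"
  adb reboot
}

# Only touch the network and the device when explicitly asked.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it with `bash install_frida_burp.sh --run` once Burp is listening and the Genymotion device shows up in `adb devices`; without `--run` the file only defines the functions, which is what makes the pure parts (ABI mapping, release tag parsing, URL building) checkable offline.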

Post-Installation

Here's what you need to do after the Android device reboots.

  • Go to Burp > Proxy > Options and add a proxy listener for your Android device.
  • Bind the listener to the host's VirtualBox host-only adapter IP (the address the Genymotion VM can reach; a listener on 127.0.0.1 is not reachable from the device) and set that IP and port as the proxy in the Android Wi-Fi settings.
  • Run adb shell and start frida-server from /data/local/tmp.
  • Use the frida2.js or frida.js script from the GitHub repository to bypass SSL pinning:

frida -U -f <package_name> -l frida2.js --no-pause

  • The package name can be found using the command below. `frida-ps -U` lists running processes, so make sure the app is running for it to show up in the result.

frida-ps -U | grep "your_app"

Note: I recommend using frida2.js rather than frida.js.
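The post-installation steps collected into one helper script, added here as an example and not taken from the original post or the repository. It starts frida-server as a daemon, resolves the app's identifier from `frida-ps -Uai` (which lists installed applications with their package identifiers, so the app does not have to be running), and spawns the app with the bypass script loaded. Two pitfalls it handles: `frida -f` takes the package identifier, not the process name that `frida-ps -U` prints, and frida-tools 12 (paired with Frida 16) dropped `--no-pause` because resuming the spawned app is now the default, so the flag is only passed to older versions. The frida-ps sample output is constructed; the script path and function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post or az0mb13/frida_setup.
# Assumptions: adb reaches the Genymotion device, frida-server was pushed
# to /data/local/tmp by the installer, frida-tools is installed on the host.
set -euo pipefail

FRIDA_SERVER=/data/local/tmp/frida-server   # assumption: installer's path

# Constructed sample of `frida-ps -Uai` output (PID / Name / Identifier),
# used for the offline check of identifier_for_app below.
SAMPLE_PS_OUTPUT=' PID  Name      Identifier
----  --------  ----------------------
1234  Settings  com.android.settings
   -  Chrome    com.android.chrome'

# Start frida-server as a daemon (-D) and wait until the host can talk to
# it. Genymotion's adb shell is already root; fall back to su otherwise.
start_frida_server() {
  adb shell "$FRIDA_SERVER -D" || adb shell "su -c '$FRIDA_SERVER -D'"
  local i
  for i in 1 2 3 4 5; do
    frida-ps -U >/dev/null 2>&1 && return 0
    sleep 1
  done
  echo "frida-server did not come up on the device" >&2
  return 1
}

# frida -f needs the application identifier (package name), not the process
# name. Read `frida-ps -Uai` output on stdin, skip the two header lines, and
# print the identifier (last column) of the first line matching the pattern.
identifier_for_app() {   # $1 = case-insensitive pattern
  awk -v pat="$1" 'NR > 2 && tolower($0) ~ tolower(pat) { print $NF; exit }'
}

# frida-tools 12 (Frida 16) resumes the spawned app by default and rejects
# --no-pause; older versions need it or the app stays paused.
frida_spawn_flags() {   # $1 = output of `frida --version`, e.g. 16.1.4
  local major="${1%%.*}"
  if [ "$major" -ge 16 ]; then echo ""; else echo "--no-pause"; fi
}

# Spawn the app with the pinning-bypass script loaded.
run_with_bypass() {   # $1 = app name pattern, $2 = Frida script path
  local id flags
  id=$(frida-ps -Uai | identifier_for_app "$1")
  [ -n "$id" ] || { echo "no installed app matches '$1'" >&2; return 1; }
  flags=$(frida_spawn_flags "$(frida --version)")
  # shellcheck disable=SC2086  # flags is intentionally word-split
  frida -U -f "$id" -l "$2" $flags
}

# Only touch the device when explicitly asked.
if [ "${1:-}" = "--run" ]; then
  start_frida_server
  run_with_bypass "${2:?app name pattern required}" "${3:-frida2.js}"
fi
```

Usage: `bash run_bypass.sh --run "your_app" frida2.js`. Because the identifier is looked up from the installed-app list, the target does not need to be started by hand first, and `frida -f` spawns it with the hooks in place before any pinned connection is attempted.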

References

https://securitychops.com/2019/08/31/dev/random/one-liner-to-install-burp-cacert-into-android.html

https://blog.it-securityguard.com/the-stony-path-of-android-🤖-bug-bounty-bypassing-certificate-pinning/