TUTORIAL – UNIVERSAL ANDROID SSL PINNING IN 10 MINUTES WITH FRIDA

(Original text by omespino)

Hi everyone, it's been a while since my last post, but I'm back. Now I want to show you that you can start hacking Android apps with Frida without pain. It took me several hours to figure out how to get the Frida installation ready, but in the end it wasn't really that difficult; the main problem was that I didn't find a clear tutorial for beginners in mobile security like me, so that's why I decided to create this 10-minute tutorial. If you want to skip the Frida description you can go directly to Step 0 to start the Frida installation.

So what is frida, exactly? 

Extracted from frida website:
“It’s Greasemonkey for native apps, or, put in more technical terms, it’s a dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX. Frida also provides you with some simple tools built on top of the Frida API. These can be used as-is, tweaked to your needs, or serve as examples of how to use the API.”

So basically Frida is a tool that lets you inject scripts into native apps (in this case Android apps) to modify the application's behaviour (in this case to bypass SSL pinning so that you can perform a MitM attack even if the application uses HTTPS/SSL connections) and to run dynamic tests in real time.

Disclaimer: this method won't work with applications that use HSTS (HTTP Strict Transport Security), for example Facebook, Instagram, Twitter, PayPal, banking apps, etc., but don't worry, most applications don't use this protocol yet.

Step 0 – set up the environment

computer

– Python 2.7

– pip for Python

– adb tools (Android Debug Bridge tools)

– local proxy (Burp Suite by Larry_lau, just kidding, Burp Suite Community Edition)

android phone

– rooted Android device (in my case a OnePlus One with Android 8.1) or

– Android emulator with Android 4.4.4 to 8.1

Step 1 – install frida on your computer

    # installing frida via terminal, sometimes you need to run these commands with sudo
    pip install frida
    # since Frida 12 the command-line tools (frida, frida-ps, ...) ship in a separate package
    pip install frida-tools

Step 2 – install frida-server on your device

Since there are many kinds of Android device architectures, we need to find out which processor our device has, so we connect the device to the computer (with the USB debugging option enabled) and then run the following command:

    # getting the processor architecture; in this case it is ARM, there are also x86, x86_64, etc.
    adb shell getprop ro.product.cpu.abi
    # output: armeabi-v7a

Well, after knowing the arch we can download the proper frida-server version for our device, in this case frida-server-XX.X.X-android-arm, from the Frida GitHub releases page (since the latest version didn't work for me I highly recommend downloading this version, frida-server-12.0.5-android-arm.xz; anyway you can try a newer version if you want to). Once it is downloaded we need to extract the frida-server binary and then copy it to the device:

    # extracting the frida-server binary from the xz file
    # the release file is a raw xz-compressed binary, not a tar archive, so use unxz (or xz -d)
    # on Linux, macOS and the BSDs alike
    unxz frida-server-12.0.5-android-arm.xz
    # then we need to copy the frida-server binary to the device with adb
    adb push ./frida-server-12.0.5-android-arm /data/local/tmp/
    # and make sure the pushed file is executable on the device
    adb shell chmod 755 /data/local/tmp/frida-server-12.0.5-android-arm

Step 3 – Hello process in frida (frida’s Hello world)

Once we have installed frida (computer) and frida-server (Android) we can start interacting with Frida using the following commands:

    # first we need to start frida-server with this adb command
    # the trailing '&' runs the command in the background
    # disabling SELinux is very important: I spent about 4 hours trying to see what happened, and
    # SELinux was preventing frida-server from running; also frida-server must run as root
    adb shell 'su -c "setenforce 0"'
    adb shell 'su -c /data/local/tmp/frida-server-12.0.5-android-arm &'
    # then if everything works you can see Frida's hello world with
    # frida-ps, which lists the device's processes; the -U flag selects the USB device
    frida-ps -U
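Steps 2 and 3 together, as an added example that is not part of the original post: a small Python script that reads the device ABI, picks the matching frida-server release name (the post only shows the ARM case; the mapping below covers the android-arm, android-arm64, android-x86 and android-x86_64 builds Frida publishes), pushes and starts the binary, and confirms that frida-ps can reach it. It assumes adb and frida-ps are on PATH and that the extracted frida-server binary sits in the current directory; the function names and the frida-ps header check are my own.

```python
"""Steps 2 and 3 automated: detect the device ABI, push the matching frida-server,
switch SELinux to permissive, start frida-server as root and confirm frida-ps can talk to it.
Assumes adb and frida-ps are on PATH and the extracted frida-server binary is in the current directory."""
import re
import subprocess
import sys
import time

FRIDA_VERSION = "12.0.5"       # version the tutorial uses
REMOTE_DIR = "/data/local/tmp"

# ABI reported by `getprop ro.product.cpu.abi` -> suffix of the frida-server release asset
ABI_TO_FRIDA_ARCH = {
    "armeabi-v7a": "arm",
    "armeabi": "arm",
    "arm64-v8a": "arm64",
    "x86": "x86",
    "x86_64": "x86_64",
}


def frida_server_name(abi, version=FRIDA_VERSION):
    """Map a device ABI to the extracted frida-server file name, e.g. frida-server-12.0.5-android-arm."""
    abi = abi.strip()
    if abi not in ABI_TO_FRIDA_ARCH:
        raise ValueError("no frida-server build known for ABI %r" % abi)
    return "frida-server-%s-android-%s" % (version, ABI_TO_FRIDA_ARCH[abi])


def frida_server_running(frida_ps_output):
    """True when `frida-ps -U` printed a process table (its 'PID  Name' header) instead of an error."""
    return re.search(r"^\s*PID\s+Name", frida_ps_output, re.MULTILINE) is not None


def adb(*args):
    """Run one adb command and return its stdout as text."""
    return subprocess.check_output(["adb"] + list(args), universal_newlines=True)


def main():
    abi = adb("shell", "getprop", "ro.product.cpu.abi")
    server = frida_server_name(abi)
    remote = REMOTE_DIR + "/" + server
    print("device ABI %s -> %s" % (abi.strip(), server))

    adb("push", "./" + server, REMOTE_DIR + "/")
    adb("shell", "chmod 755 " + remote)
    # SELinux in enforcing mode blocks frida-server (see Step 3); permissive mode lasts until reboot
    adb("shell", "su -c 'setenforce 0'")
    # start frida-server as root in the background on the device; do not wait for it to exit
    subprocess.Popen(["adb", "shell", "su -c '%s' &" % remote])
    time.sleep(2)

    proc = subprocess.Popen(["frida-ps", "-U"], stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, universal_newlines=True)
    out = proc.communicate()[0]
    if not frida_server_running(out):
        sys.exit("frida-server is not answering:\n" + out)
    print(out)


if __name__ == "__main__":
    main()
```

Run it with the device attached over USB; an unknown ABI (for example a MIPS emulator image) is reported as an error rather than silently pushing the wrong build.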

Step 5 – Set up Burp Suite Community Edition

The quickest way to set up a connection between our devices is to connect the Android device and the computer to the same Wi-Fi network; then we just need to set the Android Wi-Fi connection to a manual proxy in the advanced section, and also set up Burp Suite to listen on the computer's local IP (don't forget to use the same port).

We also need to install the Burp Suite certificate: once the Android device has the proxy set up, open http://burp in the browser, click the "CA Certificate" button and download the certificate (note: you need to change the certificate extension from .der to .cer).

Last step: Bypass SSL pinning with Universal Android SSL Pinning Bypass No.2 

So, we have Frida, frida-server and Burp Suite running as expected. The next step is to run the "Universal Android SSL Pinning Bypass No.2" script in order to start sniffing the application's connections, so we need to get the script and save it locally as name_script.js. Here is the blog post about this script by Mattia Vinci (you can add several scripts to Frida from the repo, or custom scripts too):

    /*
    Universal Android SSL Pinning Bypass
    by Mattia Vinci and Maurizio Agazzini
    $ frida -U -f org.package.name -l universal-ssl-check-bypass.js --no-pause
    https://techblog.mediaservice.net/2018/11/universal-android-ssl-check-bypass-2/
    */
    Java.perform(function() {
        var array_list = Java.use('java.util.ArrayList');
        var ApiClient = Java.use('com.android.org.conscrypt.TrustManagerImpl');
        // replace checkTrustedRecursive so it never throws: it returns an empty (trusted) chain
        ApiClient.checkTrustedRecursive.implementation = function(a1, a2, a3, a4, a5, a6) {
            // console.log('Bypassing SSL Pinning');
            var k = array_list.$new();
            return k;
        }
    }, 0);

so the only thing that we have to do is save this script as “frida-ssl-2.js” and run the following command:

    # the -l flag runs a custom script, in this case the ssl pinning 2 script
    # the -f flag is for the apk package name; --no-pause tells Frida not to interrupt
    # the app startup at all while still leaving the spawning of the process to Frida
    frida -U -l frida-ssl-2.js --no-pause -f com.example.application

Then the application is going to start and you are going to see the results in Burp Suite.

So at this point you have successfully bypassed SSL pinning with Frida and you can start hacking the network connections of Android applications.
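What the hook above actually defeats, as an added example (Python 3, standard library only) that is not part of the post or of the bypass script: the script makes TrustManagerImpl.checkTrustedRecursive return an empty ArrayList, so the platform check finishes without a CertificateException and the connection proceeds. Pinning compares the SHA-256 hash of a certificate's SubjectPublicKeyInfo against a configured set, in the base64 form Android's Network Security Config writes in `<pin digest="SHA-256">`; the code below computes that pin, renders the config block, and shows why a pin check that the application performs itself must fail closed on an empty chain instead of treating "nothing to verify" as success. The key bytes are constructed placeholders, not real keys, and the helper names are my own.

```python
"""Certificate pinning as a fail-closed check on the peer chain (Python 3, standard library only).
Demonstrates the SPKI pin computation Android's Network Security Config uses and a pin check
that rejects an empty chain, the case the TrustManagerImpl hook produces."""
import base64
import hashlib


def der(tag, body):
    """Minimal DER TLV encoder (definite-length form), enough to build sample SPKI blobs."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption


def sample_spki(key_bytes):
    """Wrap constructed key bytes in a DER SubjectPublicKeyInfo structure (not a usable key)."""
    algorithm = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    return der(0x30, algorithm + der(0x03, b"\x00" + key_bytes))


def spki_pin(spki_der):
    """Pin in the form Android's Network Security Config and HPKP use: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_is_pinned(chain_spkis, pinned):
    """Fail-closed pin check: an empty chain is rejected; otherwise some certificate's pin must be configured."""
    if not chain_spkis:
        return False
    return any(spki_pin(spki) in pinned for spki in chain_spkis)


def network_security_config(domain, pins):
    """Render the same pins as the <pin-set> block of an Android Network Security Config."""
    lines = ["<network-security-config>", "  <domain-config>",
             '    <domain includeSubdomains="true">%s</domain>' % domain, "    <pin-set>"]
    lines += ['      <pin digest="SHA-256">%s</pin>' % p for p in sorted(pins)]
    lines += ["    </pin-set>", "  </domain-config>", "</network-security-config>"]
    return "\n".join(lines)


# Constructed sample keys: the real server's key and the key an intercepting proxy would present.
SERVER_SPKI = sample_spki(b"\x30\x0b\x02\x06\xc2\x3d\x9a\x71\x55\x1d\x02\x01\x03")
PROXY_SPKI = sample_spki(b"\x30\x0b\x02\x06\xa1\x0e\x4f\x22\x7b\x91\x02\x01\x03")
PINNED = {spki_pin(SERVER_SPKI)}

if __name__ == "__main__":
    print(network_security_config("api.example.com", PINNED))
    print("server chain:", chain_is_pinned([SERVER_SPKI], PINNED))   # True
    print("proxy chain: ", chain_is_pinned([PROXY_SPKI], PINNED))    # False
    print("empty chain: ", chain_is_pinned([], PINNED))              # False
```

The design point for a defender is the empty-chain branch: the hooked platform check returns no chain and no error, and any layer that reads "no chain" as "no failure" lets the proxy's certificate through. Checking the pins yourself against the certificates the handshake actually delivered is a separate decision from whatever TrustManagerImpl reports, and it only helps if that check rejects an empty or unknown chain.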


Well, that's it. If you have any thoughts, doubts, comments or suggestions, just drop me a line here or on Twitter @omespino. Read you later.
