/* * This script combines, fixes & extends a long list of other scripts, most notably including: * * - https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/ * - https://codeshare.frida.re/@avltree9798/universal-android-ssl-pinning-bypass/ * - https://pastebin.com/TVJD63uM */ setTimeout(function () { Java.perform(function () { console.log("---"); console.log("Unpinning Android app..."); /// -- Generic hook to protect against SSLPeerUnverifiedException -- /// // In some cases, with unusual cert pinning approaches, or heavy obfuscation, we can't // match the real method & package names. This is a problem! Fortunately, we can still // always match built-in types, so here we spot all failures that use the built-in cert // error type (notably this includes OkHttp), and after the first failure, we dynamically // generate & inject a patch to completely disable the method that threw the error. try { const UnverifiedCertError = Java.use('javax.net.ssl.SSLPeerUnverifiedException'); UnverifiedCertError.$init.implementation = function (str) { console.log(' --> Unexpected SSL verification failure, adding dynamic patch...'); try { const stackTrace = Java.use('java.lang.Thread').currentThread().getStackTrace(); const exceptionStackIndex = stackTrace.findIndex(stack => stack.getClassName() === "javax.net.ssl.SSLPeerUnverifiedException" ); const callingFunctionStack = stackTrace[exceptionStackIndex + 1]; const className = callingFunctionStack.getClassName(); const methodName = callingFunctionStack.getMethodName(); console.log(` Thrown by ${className}->${methodName}`); const callingClass = Java.use(className); const callingMethod = callingClass[methodName]; if (callingMethod.implementation) return; // Already patched by Frida - skip it console.log(' Attempting to patch automatically...'); const returnTypeName = callingMethod.returnType.type; callingMethod.implementation = function () { console.log(` --> Bypassing ${className}->${methodName} (automatic exception patch)`); // This is not a perfect fix! Most unknown cases like this are really just // checkCert(cert) methods though, so doing nothing is perfect, and if we // do need an actual return value then this is probably the best we can do, // and at least we're logging the method name so you can patch it manually: if (returnTypeName === 'void') { return; } else { return null; } }; console.log(` [+] ${className}->${methodName} (automatic exception patch)`); } catch (e) { console.log(' [ ] Failed to automatically patch failure'); } return this.$init(str); }; console.log('[+] SSLPeerUnverifiedException auto-patcher'); } catch (err) { console.log('[ ] SSLPeerUnverifiedException auto-patcher'); } /// -- Specific targeted hooks: -- /// // HttpsURLConnection try { const HttpsURLConnection = Java.use("javax.net.ssl.HttpsURLConnection"); HttpsURLConnection.setDefaultHostnameVerifier.implementation = function (hostnameVerifier) { console.log(' --> Bypassing HttpsURLConnection (setDefaultHostnameVerifier)'); return; // Do nothing, i.e. don't change the hostname verifier }; console.log('[+] HttpsURLConnection (setDefaultHostnameVerifier)'); } catch (err) { console.log('[ ] HttpsURLConnection (setDefaultHostnameVerifier)'); } try { const HttpsURLConnection = Java.use("javax.net.ssl.HttpsURLConnection"); HttpsURLConnection.setSSLSocketFactory.implementation = function (SSLSocketFactory) { console.log(' --> Bypassing HttpsURLConnection (setSSLSocketFactory)'); return; // Do nothing, i.e. don't change the SSL socket factory }; console.log('[+] HttpsURLConnection (setSSLSocketFactory)'); } catch (err) { console.log('[ ] HttpsURLConnection (setSSLSocketFactory)'); } try { const HttpsURLConnection = Java.use("javax.net.ssl.HttpsURLConnection"); HttpsURLConnection.setHostnameVerifier.implementation = function (hostnameVerifier) { console.log(' --> Bypassing HttpsURLConnection (setHostnameVerifier)'); return; // Do nothing, i.e. don't change the hostname verifier }; console.log('[+] HttpsURLConnection (setHostnameVerifier)'); } catch (err) { console.log('[ ] HttpsURLConnection (setHostnameVerifier)'); } // SSLContext try { const X509TrustManager = Java.use('javax.net.ssl.X509TrustManager'); const SSLContext = Java.use('javax.net.ssl.SSLContext'); const TrustManager = Java.registerClass({ // Implement a custom TrustManager name: 'dev.asd.test.TrustManager', implements: [X509TrustManager], methods: { checkClientTrusted: function (chain, authType) { }, checkServerTrusted: function (chain, authType) { }, getAcceptedIssuers: function () { return []; } } }); // Prepare the TrustManager array to pass to SSLContext.init() const TrustManagers = [TrustManager.$new()]; // Get a handle on the init() on the SSLContext class const SSLContext_init = SSLContext.init.overload( '[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom' ); // Override the init method, specifying the custom TrustManager SSLContext_init.implementation = function (keyManager, trustManager, secureRandom) { console.log(' --> Bypassing Trustmanager (Android < 7) request'); SSLContext_init.call(this, keyManager, TrustManagers, secureRandom); }; console.log('[+] SSLContext'); } catch (err) { console.log('[ ] SSLContext'); } // TrustManagerImpl (Android > 7) try { const array_list = Java.use("java.util.ArrayList"); const TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl'); // This step is notably what defeats the most common case: network security config TrustManagerImpl.checkTrustedRecursive.implementation = function(a1, a2, a3, a4, a5, a6) { console.log(' --> Bypassing TrustManagerImpl checkTrusted '); return array_list.$new(); } TrustManagerImpl.verifyChain.implementation = function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) { console.log(' --> Bypassing TrustManagerImpl verifyChain: ' + host); return untrustedChain; }; console.log('[+] TrustManagerImpl'); } catch (err) { console.log('[ ] TrustManagerImpl'); } // OkHTTPv3 (quadruple bypass) try { // Bypass OkHTTPv3 {1} const okhttp3_Activity_1 = Java.use('okhttp3.CertificatePinner'); okhttp3_Activity_1.check.overload('java.lang.String', 'java.util.List').implementation = function (a, b) { console.log(' --> Bypassing OkHTTPv3 (list): ' + a); return; }; console.log('[+] OkHTTPv3 (list)'); } catch (err) { console.log('[ ] OkHTTPv3 (list)'); } try { // Bypass OkHTTPv3 {2} // This method of CertificatePinner.check could be found in some old Android app const okhttp3_Activity_2 = Java.use('okhttp3.CertificatePinner'); okhttp3_Activity_2.check.overload('java.lang.String', 'java.security.cert.Certificate').implementation = function (a, b) { console.log(' --> Bypassing OkHTTPv3 (cert): ' + a); return; }; console.log('[+] OkHTTPv3 (cert)'); } catch (err) { console.log('[ ] OkHTTPv3 (cert)'); } try { // Bypass OkHTTPv3 {3} const okhttp3_Activity_3 = Java.use('okhttp3.CertificatePinner'); okhttp3_Activity_3.check.overload('java.lang.String', '[Ljava.security.cert.Certificate;').implementation = function (a, b) { console.log(' --> Bypassing OkHTTPv3 (cert array): ' + a); return; }; console.log('[+] OkHTTPv3 (cert array)'); } catch (err) { console.log('[ ] OkHTTPv3 (cert array)'); } try { // Bypass OkHTTPv3 {4} const okhttp3_Activity_4 = Java.use('okhttp3.CertificatePinner'); okhttp3_Activity_4['check$okhttp'].implementation = function (a, b) { console.log(' --> Bypassing OkHTTPv3 ($okhttp): ' + a); return; }; console.log('[+] OkHTTPv3 ($okhttp)'); } catch (err) { console.log('[ ] OkHTTPv3 ($okhttp)'); } // Trustkit (triple bypass) try { // Bypass Trustkit {1} const trustkit_Activity_1 = Java.use('com.datatheorem.android.trustkit.pinning.OkHostnameVerifier'); trustkit_Activity_1.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function (a, b) { console.log(' --> Bypassing Trustkit OkHostnameVerifier(SSLSession): ' + a); return true; }; console.log('[+] Trustkit OkHostnameVerifier(SSLSession)'); } catch (err) { console.log('[ ] Trustkit OkHostnameVerifier(SSLSession)'); } try { // Bypass Trustkit {2} const trustkit_Activity_2 = Java.use('com.datatheorem.android.trustkit.pinning.OkHostnameVerifier'); trustkit_Activity_2.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function (a, b) { console.log(' --> Bypassing Trustkit OkHostnameVerifier(cert): ' + a); return true; }; console.log('[+] Trustkit OkHostnameVerifier(cert)'); } catch (err) { console.log('[ ] Trustkit OkHostnameVerifier(cert)'); } try { // Bypass Trustkit {3} const trustkit_PinningTrustManager = Java.use('com.datatheorem.android.trustkit.pinning.PinningTrustManager'); trustkit_PinningTrustManager.checkServerTrusted.implementation = function () { console.log(' --> Bypassing Trustkit PinningTrustManager'); }; console.log('[+] Trustkit PinningTrustManager'); } catch (err) { console.log('[ ] Trustkit PinningTrustManager'); } // Appcelerator Titanium try { const appcelerator_PinningTrustManager = Java.use('appcelerator.https.PinningTrustManager'); appcelerator_PinningTrustManager.checkServerTrusted.implementation = function () { console.log(' --> Bypassing Appcelerator PinningTrustManager'); }; console.log('[+] Appcelerator PinningTrustManager'); } catch (err) { console.log('[ ] Appcelerator PinningTrustManager'); } // OpenSSLSocketImpl Conscrypt try { const OpenSSLSocketImpl = Java.use('com.android.org.conscrypt.OpenSSLSocketImpl'); OpenSSLSocketImpl.verifyCertificateChain.implementation = function (certRefs, JavaObject, authMethod) { console.log(' --> Bypassing OpenSSLSocketImpl Conscrypt'); }; console.log('[+] OpenSSLSocketImpl Conscrypt'); } catch (err) { console.log('[ ] OpenSSLSocketImpl Conscrypt'); } // OpenSSLEngineSocketImpl Conscrypt try { const OpenSSLEngineSocketImpl_Activity = Java.use('com.android.org.conscrypt.OpenSSLEngineSocketImpl'); OpenSSLEngineSocketImpl_Activity.verifyCertificateChain.overload('[Ljava.lang.Long;', 'java.lang.String').implementation = function (a, b) { console.log(' --> Bypassing OpenSSLEngineSocketImpl Conscrypt: ' + b); }; console.log('[+] OpenSSLEngineSocketImpl Conscrypt'); } catch (err) { console.log('[ ] OpenSSLEngineSocketImpl Conscrypt'); } // OpenSSLSocketImpl Apache Harmony try { const OpenSSLSocketImpl_Harmony = Java.use('org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl'); OpenSSLSocketImpl_Harmony.verifyCertificateChain.implementation = function (asn1DerEncodedCertificateChain, authMethod) { console.log(' --> Bypassing OpenSSLSocketImpl Apache Harmony'); }; console.log('[+] OpenSSLSocketImpl Apache Harmony'); } catch (err) { console.log('[ ] OpenSSLSocketImpl Apache Harmony'); } // PhoneGap sslCertificateChecker (https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin) try { const phonegap_Activity = Java.use('nl.xservices.plugins.sslCertificateChecker'); phonegap_Activity.execute.overload('java.lang.String', 'org.json.JSONArray', 'org.apache.cordova.CallbackContext').implementation = function (a, b, c) { console.log(' --> Bypassing PhoneGap sslCertificateChecker: ' + a); return true; }; console.log('[+] PhoneGap sslCertificateChecker'); } catch (err) { console.log('[ ] PhoneGap sslCertificateChecker'); } // IBM MobileFirst pinTrustedCertificatePublicKey (double bypass) try { // Bypass IBM MobileFirst {1} const WLClient_Activity_1 = Java.use('com.worklight.wlclient.api.WLClient'); WLClient_Activity_1.getInstance().pinTrustedCertificatePublicKey.overload('java.lang.String').implementation = function (cert) { console.log(' --> Bypassing IBM MobileFirst pinTrustedCertificatePublicKey (string): ' + cert); return; }; console.log('[+] IBM MobileFirst pinTrustedCertificatePublicKey (string)'); } catch (err) { console.log('[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string)'); } try { // Bypass IBM MobileFirst {2} const WLClient_Activity_2 = Java.use('com.worklight.wlclient.api.WLClient'); WLClient_Activity_2.getInstance().pinTrustedCertificatePublicKey.overload('[Ljava.lang.String;').implementation = function (cert) { console.log(' --> Bypassing IBM MobileFirst pinTrustedCertificatePublicKey (string array): ' + cert); return; }; console.log('[+] IBM MobileFirst pinTrustedCertificatePublicKey (string array)'); } catch (err) { console.log('[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string array)'); } // IBM WorkLight (ancestor of MobileFirst) HostNameVerifierWithCertificatePinning (quadruple bypass) try { // Bypass IBM WorkLight {1} const worklight_Activity_1 = Java.use('com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning'); worklight_Activity_1.verify.overload('java.lang.String', 'javax.net.ssl.SSLSocket').implementation = function (a, b) { console.log(' --> Bypassing IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket): ' + a); return; }; console.log('[+] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket)'); } catch (err) { console.log('[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket)'); } try { // Bypass IBM WorkLight {2} const worklight_Activity_2 = Java.use('com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning'); worklight_Activity_2.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function (a, b) { console.log(' --> Bypassing IBM WorkLight HostNameVerifierWithCertificatePinning (cert): ' + a); return; }; console.log('[+] IBM WorkLight HostNameVerifierWithCertificatePinning (cert)'); } catch (err) { console.log('[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (cert)'); } try { // Bypass IBM WorkLight {3} const worklight_Activity_3 = Java.use('com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning'); worklight_Activity_3.verify.overload('java.lang.String', '[Ljava.lang.String;', '[Ljava.lang.String;').implementation = function (a, b) { console.log(' --> Bypassing IBM WorkLight HostNameVerifierWithCertificatePinning (string string): ' + a); return; }; console.log('[+] IBM WorkLight HostNameVerifierWithCertificatePinning (string string)'); } catch (err) { console.log('[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (string string)'); } try { // Bypass IBM WorkLight {4} const worklight_Activity_4 = Java.use('com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning'); worklight_Activity_4.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function (a, b) { console.log(' --> Bypassing IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession): ' + a); return true; }; console.log('[+] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession)'); } catch (err) { console.log('[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession)'); } // Conscrypt CertPinManager try { const conscrypt_CertPinManager_Activity = Java.use('com.android.org.conscrypt.CertPinManager'); conscrypt_CertPinManager_Activity.isChainValid.overload('java.lang.String', 'java.util.List').implementation = function (a, b) { console.log(' --> Bypassing Conscrypt CertPinManager: ' + a); return true; }; console.log('[+] Conscrypt CertPinManager'); } catch (err) { console.log('[ ] Conscrypt CertPinManager'); } // CWAC-Netsecurity (unofficial back-port pinner for Android<4.2) CertPinManager try { const cwac_CertPinManager_Activity = Java.use('com.commonsware.cwac.netsecurity.conscrypt.CertPinManager'); cwac_CertPinManager_Activity.isChainValid.overload('java.lang.String', 'java.util.List').implementation = function (a, b) { console.log(' --> Bypassing CWAC-Netsecurity CertPinManager: ' + a); return true; }; console.log('[+] CWAC-Netsecurity CertPinManager'); } catch (err) { console.log('[ ] CWAC-Netsecurity CertPinManager'); } // Worklight Androidgap WLCertificatePinningPlugin try { const androidgap_WLCertificatePinningPlugin_Activity = Java.use('com.worklight.androidgap.plugin.WLCertificatePinningPlugin'); androidgap_WLCertificatePinningPlugin_Activity.execute.overload('java.lang.String', 'org.json.JSONArray', 'org.apache.cordova.CallbackContext').implementation = function (a, b, c) { console.log(' --> Bypassing Worklight Androidgap WLCertificatePinningPlugin: ' + a); return true; }; console.log('[+] Worklight Androidgap WLCertificatePinningPlugin'); } catch (err) { console.log('[ ] Worklight Androidgap WLCertificatePinningPlugin'); } // Netty FingerprintTrustManagerFactory try { const netty_FingerprintTrustManagerFactory = Java.use('io.netty.handler.ssl.util.FingerprintTrustManagerFactory'); netty_FingerprintTrustManagerFactory.checkTrusted.implementation = function (type, chain) { console.log(' --> Bypassing Netty FingerprintTrustManagerFactory'); }; console.log('[+] Netty FingerprintTrustManagerFactory'); } catch (err) { console.log('[ ] Netty FingerprintTrustManagerFactory'); } // Squareup CertificatePinner [OkHTTP Bypassing Squareup CertificatePinner (cert): ' + a); return; }; console.log('[+] Squareup CertificatePinner (cert)'); } catch (err) { console.log('[ ] Squareup CertificatePinner (cert)'); } try { // Bypass Squareup CertificatePinner {2} const Squareup_CertificatePinner_Activity_2 = Java.use('com.squareup.okhttp.CertificatePinner'); Squareup_CertificatePinner_Activity_2.check.overload('java.lang.String', 'java.util.List').implementation = function (a, b) { console.log(' --> Bypassing Squareup CertificatePinner (list): ' + a); return; }; console.log('[+] Squareup CertificatePinner (list)'); } catch (err) { console.log('[ ] Squareup CertificatePinner (list)'); } // Squareup OkHostnameVerifier [OkHTTP v3] (double bypass) try { // Bypass Squareup OkHostnameVerifier {1} const Squareup_OkHostnameVerifier_Activity_1 = Java.use('com.squareup.okhttp.internal.tls.OkHostnameVerifier'); Squareup_OkHostnameVerifier_Activity_1.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function (a, b) { console.log(' --> Bypassing Squareup OkHostnameVerifier (cert): ' + a); return true; }; console.log('[+] Squareup OkHostnameVerifier (cert)'); } catch (err) { console.log('[ ] Squareup OkHostnameVerifier (cert)'); } try { // Bypass Squareup OkHostnameVerifier {2} const Squareup_OkHostnameVerifier_Activity_2 = Java.use('com.squareup.okhttp.internal.tls.OkHostnameVerifier'); Squareup_OkHostnameVerifier_Activity_2.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function (a, b) { console.log(' --> Bypassing Squareup OkHostnameVerifier (SSLSession): ' + a); return true; }; console.log('[+] Squareup OkHostnameVerifier (SSLSession)'); } catch (err) { console.log('[ ] Squareup OkHostnameVerifier (SSLSession)'); } // Android WebViewClient (double bypass) try { // Bypass WebViewClient {1} (deprecated from Android 6) const AndroidWebViewClient_Activity_1 = Java.use('android.webkit.WebViewClient'); AndroidWebViewClient_Activity_1.onReceivedSslError.overload('android.webkit.WebView', 'android.webkit.SslErrorHandler', 'android.net.http.SslError').implementation = function (obj1, obj2, obj3) { console.log(' --> Bypassing Android WebViewClient (SslErrorHandler)'); }; console.log('[+] Android WebViewClient (SslErrorHandler)'); } catch (err) { console.log('[ ] Android WebViewClient (SslErrorHandler)'); } try { // Bypass WebViewClient {2} const AndroidWebViewClient_Activity_2 = Java.use('android.webkit.WebViewClient'); AndroidWebViewClient_Activity_2.onReceivedSslError.overload('android.webkit.WebView', 'android.webkit.WebResourceRequest', 'android.webkit.WebResourceError').implementation = function (obj1, obj2, obj3) { console.log(' --> Bypassing Android WebViewClient (WebResourceError)'); }; console.log('[+] Android WebViewClient (WebResourceError)'); } catch (err) { console.log('[ ] Android WebViewClient (WebResourceError)'); } // Apache Cordova WebViewClient try { const CordovaWebViewClient_Activity = Java.use('org.apache.cordova.CordovaWebViewClient'); CordovaWebViewClient_Activity.onReceivedSslError.overload('android.webkit.WebView', 'android.webkit.SslErrorHandler', 'android.net.http.SslError').implementation = function (obj1, obj2, obj3) { console.log(' --> Bypassing Apache Cordova WebViewClient'); obj3.proceed(); }; } catch (err) { console.log('[ ] Apache Cordova WebViewClient'); } // Boye AbstractVerifier try { const boye_AbstractVerifier = Java.use('ch.boye.httpclientandroidlib.conn.ssl.AbstractVerifier'); boye_AbstractVerifier.verify.implementation = function (host, ssl) { console.log(' --> Bypassing Boye AbstractVerifier: ' + host); }; } catch (err) { console.log('[ ] Boye AbstractVerifier'); } // Appmattus try { const appmatus_Activity = Java.use('com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor'); appmatus_Activity['intercept'].implementation = function (a) { console.log(' --> Bypassing Appmattus (Transparency)'); return a.proceed(a.request()); }; console.log('[+] Appmattus (Transparency)'); } catch (err) { console.log('[ ] Appmattus (Transparency)'); } console.log("Unpinning setup completed"); console.log("---"); }); }, 0);