3

I have a simple app and am trying to bypass its SSL pinning with no luck. I already did android sslpinning disable but it didn't work.

Based on this article https://blog.nviso.eu/2020/11/19/proxying-android-app-traffic-common-issues-checklist/ I then used apktool to decompile my app, then searched across all smali classes for anything that might be doing pinning using:

grep -ri "java/lang/String;\[Ljava/lang/String;)L" smali

There were 3 smali files and I found the okhttp3 stuff in the last smali file, smali_classes3.

This was the output:

smali_classes3/okhttp3/CertificatePinner$Builder.smali:        "(Ljava/lang/String;[Ljava/lang/String;)Lokhttp3/CertificatePinner$Builder;",
smali_classes3/okhttp3/CertificatePinner$Builder.smali:.method public final varargs add(Ljava/lang/String;[Ljava/lang/String;)Lokhttp3/CertificatePinner$Builder;

So I created this script, hook2.js:

Java.perform(function(){
    var Pinner = Java.use("okhttp3.CertificatePinner$Builder");
    Pinner.Builder.overload('java.lang.String', '[Ljava.lang.String;').implementation = function(Builder, b)
    {
        console.log("Disabling pin for " + Builder);
        return this;
    }
});

and tried to inject it using objection:

objection explore --startup-script hook2.js

I get an error:

Importing and running startup script at: <_io.TextIOWrapper name='hook2.js' mode='r' encoding='cp1252'>
[{'type': 'error', 'description': "TypeError: cannot read property 'overload' of undefined", 'stack': "TypeError: cannot read property 'overload' of undefined\n    at <anonymous> (/script2.js:3)\n    at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:11)\n    at _performPendingVmOps (frida/node_modules/frida-java-bridge/index.js:238)\n    at <anonymous> (frida/node_modules/frida-java-bridge/index.js:213)\n    at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:11)\n    at _performPendingVmOpsWhenReady (frida/node_modules/frida-java-bridge/index.js:232)\n    at perform (frida/node_modules/frida-java-bridge/index.js:192)\n    at <eval> (/script2.js:8)", 'fileName': '/script2.js', 'lineNumber': 3, 'columnNumber': 1}]

How can I get this injected properly or is my script wrong?

2
  • 1
    For an unknown reason some apps no longer load all classes right at the beginning and thus Frida can not hook them. I am not sure if this is caused by Android itself or a bug in Frida. Please see the very similar question: stackoverflow.com/q/70135333/150978 Commented Jan 9, 2022 at 11:41
  • @Robert Oh that's a bugger. Is my script correct though? Any way around this or injecting at some point after starting? I'm still new to this so struggling with a few things Commented Jan 9, 2022 at 11:49
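
Added example, not part of the original question or comments: a Node.js helper (the function names are hypothetical) that turns a smali `.method` grep hit into the class name, method name and `overload()` argument strings Frida uses. For the hit in the question the method is `add`; `Builder` is part of the class name, not a member of the object `Java.use` returns, so `Pinner.Builder` evaluates to undefined.

```javascript
// Added example (not the asker's code): map a smali `.method` grep hit to Frida names.
const PRIMITIVES = { Z: 'boolean', B: 'byte', C: 'char', S: 'short',
                     I: 'int', J: 'long', F: 'float', D: 'double' };

// Split a JVM parameter descriptor into the strings Frida's overload() expects:
// objects as dotted names, arrays in JNI form with dots ("[Ljava.lang.String;", "[B").
function parseParams(desc) {
  const out = [];
  let i = 0;
  while (i < desc.length) {
    const start = i;
    while (desc[i] === '[') i++;                     // array dimensions
    const dims = desc.slice(start, i);
    if (desc[i] === 'L') {
      const end = desc.indexOf(';', i);
      if (end === -1) throw new Error('unterminated class type: ' + desc);
      const dotted = desc.slice(i + 1, end).replace(/\//g, '.');
      out.push(dims ? dims + 'L' + dotted + ';' : dotted);
      i = end + 1;
    } else if (PRIMITIVES[desc[i]]) {
      out.push(dims ? dims + desc[i] : PRIMITIVES[desc[i]]);
      i++;
    } else {
      throw new Error('bad descriptor at offset ' + i + ': ' + desc);
    }
  }
  return out;
}

// Parse "<dir>/<pkg>/<Class>.smali:.method <flags> name(params)ret"; null if not a method line.
function smaliHitToHook(line) {
  const re = /^(?:smali[^\/]*\/)?(.+)\.smali:\s*\.method\s+(?:[\w-]+\s+)*([\w$<>-]+)\((.*?)\)\S+\s*$/;
  const m = re.exec(line);
  if (!m) return null;
  return {
    className: m[1].replace(/\//g, '.'),             // argument for Java.use()
    method: m[2] === '<init>' ? '$init' : m[2],      // Frida names constructors $init
    overload: parseParams(m[3]),
  };
}

// The two grep hits from the question: an annotation string and the real method.
const hits = [
  'smali_classes3/okhttp3/CertificatePinner$Builder.smali:        "(Ljava/lang/String;[Ljava/lang/String;)Lokhttp3/CertificatePinner$Builder;",',
  'smali_classes3/okhttp3/CertificatePinner$Builder.smali:.method public final varargs add(Ljava/lang/String;[Ljava/lang/String;)Lokhttp3/CertificatePinner$Builder;',
];
const hooks = hits.map(smaliHitToHook).filter(Boolean);
console.log(JSON.stringify(hooks, null, 2));
```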
