Secured Socket Layer Pinning Bypass via Frida

INTRODUCTION

SSL pinning allows the application to only trust the valid or pre-defined certificate or Public Key. The application developer uses SSL pinning technique as an additional security layer for application traffic. As normally, application trusts custom certificate and allows application to intercept the traffic. But in the SSL Pinning implementation, application does not trust custom certificates and does not allow proxy tools to intercept the traffic.

As per Frida Website :-

Frida is a dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX. Frida also provides you with some simple tools built on top of the Frida API. These can be used as-is, tweaked to your needs, or serve as examples of how to use the API.

1. REQUIREMENTS

Below are the all requirements for SSL Pinning Bypass –

– Rooted Device/Emulator

We will be needing a rooted device or an emulator, since we need to inject a script into the root directory of the device. We can download an emulator through below given URL :

https://www.genymotion.com/fun-zone/

Once Genymotion is installed, we need to install on android device version 7+.

– Python installation on ubuntu

sudo apt-get install python3.6

Other python packages to be installed :

pip install Frida

pip install objection

pip install frida-tools

– Install adb on ubuntu

sudo apt-get install adb

– Injection script

Save the following code under fridascript.js

SSL Pinning

2. SETUP AND INSTALLATION

– Connect device to adb

to run commands on emulator or on android device we need to connect our device to adb. But to do that we need to go to the settings of the device or the emulator then to Developer Options and start the debugging mode, so that the device can communicate with the device.

Go to terminal in ubuntu and run the following command:

adb connect <ip address of the device>

SLS Pinning Bypass

To check if the device is connected to adb:
adb devices

– Download Frida server for supported android device’s arch version:

https://github.com/frida/frida/releases/

To find out the arch version of the device, type the following command:

adb shell getprop ro.product.cpu.abi

–  Install the target application in the device

Install your application who’s SSL Pinning has to be bypassed for eg: Twitter

3. Frida Server Setup:

– Push Frida-server into device

Extract “frida-server-12.8.7-android-x86” and run the following command:

adb push <path_of_frida_server_installed ><space></data/local/tmp>

SSL Pinning Bypass

– Give permissions to frida-server :

adb shell chmod 777 /data/local/tmp/ frida-server-12.8.7-android-x86

5. Pushing the proxy’s CA Certificate:

To intercept the traffic, Frida needs to have access to BurpSuite’s CA certificate. Push the certificate into the device and into the same location as the frida-server, name it cert-der.crt as this name and path has been already mentioned in fridascript.js to avoid any issues.

adb push <path to ca-cert.der> /data/local/tmp/cert-der.crt

SSL Pinning Bypass

6. Script injection to bypass SSL Pinning:

– Push fridascript.js into device:

Copy fridascript.js into adb folder and run the following command to push fridascript.js into device.

adb push <path_to_fridascript.js_folder> /data/local/tmp

SSL Pinning Bypass

– Check and run frida server in device:

adb shell /data/local/tmp/frida-server &

– List all running processes on device:

We need to find out id of our target application. It will list all the running services on devices including your target application. Open new terminal and type the following command:

frida-ps -U

Secure Socket Layer

– Hook fridascript.js into target application:

frida -U -f <your_application_package_name> -l <path_to_fridascript.js_on_your_computer> –nopaus

SSL PInning Bypass

– Bypassed

Once all things go well, all traffic of the target app will get intercepted into BurpSuite. But we need to keep frida server on as long as we are intercepting the traffic into BurpSuite.

SSL Pinning Bypass

Prepared By :- Rashika Varshney

Reviewed By :- Vaibhav Rai

Approved By :- Saurabh Seth