Frida scripts to directly MitM all HTTPS traffic from a target mobile application

Home Page: https://httptoolkit.com/android/

License: GNU Affero General Public License v3.0

JavaScript 100.00%

android frida certificate interception mitm

frida-interception-and-unpinning's Introduction

Frida Mobile Interception Scripts

Part of HTTP Toolkit: powerful tools for building, testing & debugging HTTP(S)

This repo contains Frida scripts designed to do everything required for fully automated HTTPS MitM interception on mobile devices.

This set of scripts can be used all together, to handle interception, manage certificate trust & disable certificate pinning & transparency checks, for MitM interception of HTTP(S) traffic on Android and iOS, or they can be used and tweaked independently to hook just specific features.

The scripts can automatically handle:

Redirection of traffic to an HTTP(S) proxy - modifying both system settings & directly redirecting all socket connections.
Injecting a given CA certificate into the system trust stores so they're trusted in connections by default.
Patching many (all?) known certificate pinning and certificate transparency tools, to allow interception by your CA certificate even when this is actively blocked.
On Android, as a fallback: auto-detection of remaining pinning failures, to attempt auto-patching of obfuscated certificate pinning (in fully obfuscated apps, the first request may fail, but this will trigger additional patching so that all subsequent requests work correctly).

Android Getting Started Guide

Start your MitM proxy (e.g. HTTP Toolkit), and set up your rooted Android device or emulator, connected to ADB.
Find your MitM proxy's port (e.g. 8000) and its CA certificate in PEM format
- The CA certificate should start with -----BEGIN CERTIFICATE-----. You can open it with a text editor to see and extract this content.
- In HTTP Toolkit, both details can be found in the 'Anything' option on the Intercept page.
Open config.js, and add those details:
- CERT_PEM: your CA certificate in PEM format.
- PROXY_PORT: the proxy's port
- PROXY_HOST: the address of your proxy, from the perspective of your device (or use adb reverse tcp:$PORT tcp:$PORT to forward the port over ADB, and use 127.0.0.1 as the host)
Install & start Frida on your device
- The steps here may depend on your specific device & configuration.
- For example: download the relevant frida-server from github.com/frida/frida, extract it, adb push it to your device, and then run it with the following 4 commands: adb shell, su, chmod +x /.../frida-server, /.../frida-server.
- If you have issues, remember to check the device is on & connected (using adb devices) before running commands. Note that Frida will only run on the device as root, which is what su provides in the example above, when run on a rooted device. To check you are root after running su or similar, check that running whoami in the shell prints root.
Find the package id for the app you're interested in (for a quick test, try using github.com/httptoolkit/android-ssl-pinning-demo - the package id is tech.httptoolkit.pinning_demo)

Use Frida to launch the app you're interested in with the scripts injected (starting with config.js). Which scripts to use is up to you, but for Android a good command to start with is:

frida -U \
    -l ./config.js \
    -l ./native-connect-hook.js \
    -l ./native-tls-hook.js \
    -l ./android/android-proxy-override.js \
    -l ./android/android-system-certificate-injection.js \
    -l ./android/android-certificate-unpinning.js \
    -l ./android/android-certificate-unpinning-fallback.js \
    -f $PACKAGE_ID

Explore, examine & modify all the traffic you're interested in! If you have any problems, please open an issue and help make these scripts even better.

iOS Getting Started Guide

Start your MitM proxy (e.g. HTTP Toolkit), and set up your jailbroken iOS device, connected to your computer.
Find your MitM proxy's port (e.g. 8000) and its CA certificate in PEM format
- The CA certificate should start with -----BEGIN CERTIFICATE-----. You can open it with a text editor to see and extract this content.
- In HTTP Toolkit, both details can be found in the 'Anything' option on the Intercept page.
Open config.js, and add those details:
- CERT_PEM: your CA certificate in PEM format.
- PROXY_PORT: the proxy's port
- PROXY_HOST: the address of your proxy, from the perspective of your device
Install & start Frida on your device
- The steps here may depend on your specific device & configuration, but this is generally available via Cydia/Sileo etc using https://build.frida.re as a package source.
- Ensure you can run frida-ps -Uai on your computer to confirm this is working correctly.
Find the id for the app you're interested in via frida-ps -Uai (for a quick test, try using github.com/httptoolkit/ios-ssl-pinning-demo - the id is com.httptoolkit.ios-pinning-demo)
Use Frida to launch the app you're interested in with the scripts injected (starting with config.js). Which scripts to use is up to you, but for iOS a good command to start with is:
```
frida -U \
    -l ./config.js \
    -l ./ios/ios-connect-hook.js \
    -l ./native-tls-hook.js \
    -f $APP_ID
```
Explore, examine & modify all the traffic you're interested in! If you have any problems, please open an issue and help make these scripts even better.

The Scripts

The commands above use all the relevant scripts, but you can generally use any subset you like, although in almost all cases you will want to include config.js as the first script (this defines some variables that are used by other scripts).

For example, to do unpinning alone on Android, when handling proxy & certificate configuration elsewhere and without obfuscation fallbacks, you could just run:

frida -U \
    -l ./config.js \
    -l ./android/android-certificate-unpinning.js
    -f $PACKAGE_ID

Each script includes detailed documentation on what it does and how it works in a large comment section at the top. The scripts are:

config.js

This defines variables used by other scripts:
- CERT_PEM - the extra CA certificate to trust, in PEM format
- PROXY_HOST - the IP address (IPv4) of the proxy server to use (not required if you're only unpinning)
- PROXY_PORT - the port of the proxy server to use (not required if you're only unpinning)
- DEBUG_MODE - defaults to false, but switching this to true will enable lots of extra output that can be useful for debugging and reverse engineering any issues.
This should be listed on the command line before any other scripts.
native-connect-hook.js

Captures all network traffic directly, routing all connections to the configured proxy host & port.

This is a low-level hook that applies to all network connections. This ensures that all connections are forcibly redirected to the target proxy server, even those which ignore proxy settings or make other raw socket connections.

This hook applies to libc, and works for Android, Linux, and many related environments (but not iOS or Mac).
native-tls-hook.js

Modifies all TLS validation for BoringSSL-based libraries to trust your configured CA certificate.

Notably, this hooks the built-in BoringSSL APIs on iOS, which is the normal way that iOS handles TLS certificate validation (so this is sufficient for almost all iOS HTTPS interception) but this is also used in a few other cases on both iOS & Android too.

This effectively trusts your CA for all certificates, and disables all certificate pinning, certificate transparency and other restrictions for your CA. Note that unlike many other Frida hooks elsewhere this does not disable TLS validation completely (which is very insecure). Instead, it overrides validation to ensure that all connections using your specific CA certificate are trusted, without relaxing validation to allow interception by 3rd parties.
android/
- android-proxy-override.js
  
  Overrides the Android proxy settings for the target app, ensuring that all well-behaved traffic is redirected via the proxy server and intercepted.
- android-system-certificate-injection.js
  
  Modifies the native Android APIs to ensure that all trust stores trust your extra CA certificate by default, allowing encrypted TLS traffic to be captured.
- android-certificate-unpinning.js
  
  Modifies or disables many common known techniques for additional certificate restrictions, including certificate pinning (accepting only a small set of recognized certificates, rather than all certificates trusted on the system) and certificate transparency (validating that all used certificates have been registered in public certificate logs).
- android-certificate-unpinning-fallback.js
  
  Detects unhandled certificate validation failures, and attempts to handle unknown unrecognized cases with auto-generated fallback patches. This is more experimental and could be slightly unpredictable, but is very helpful for obfuscated cases, and in general will either fix pinning issues (after one initial failure) or will at least highlight code for further reverse engineering in the Frida log output. This script shares some logic with android-certificate-unpinning.js, and cannot be used standalone - if you want to use this script, you'll need to include the non-fallback unpinning script too.
ios/
- ios-connect-hook.js
  
  Captures all iOS network traffic directly, routing all connections to the configured proxy host & port.
  
  This is a low-level hook that applies to all network connections. This ensures that all connections are forcibly redirected to the target proxy server, even those which ignore proxy settings or make other raw socket connections.

These scripts are part of a broader HTTP Toolkit project, funded through the NGI Zero Entrust Fund, established by NLnet with financial support from the European Commission's Next Generation Internet program. Learn more on the NLnet project page.

frida-interception-and-unpinning's People

Contributors

Stargazers

Watchers

Forkers

fulanah-binti-fulanah scriptidiot xcatolin jinmaotowne samruston shashankhacker730 stein-dev kingking888 csyjyy nicolas1312 bbhunter seeflowerx lr-zhao njannasch tr0e cyal1 mohx64 fre3vil unisunis sanarisan licklishh elitezerker jhubbardsf xmysterlousx excitoon-favorites yaelahrip akshitchauhan-max adisubagja devcxm fengjixuchui msute geekplus001 crackercat natpacket gannicusliu ckfridaproject ethicalhcop andreroggeri chouex marwancht 781732825 nguyentruong190 dfc302 dedfft mopi1402 xuejuns saucedbeacon mdsakibanwar danksuperuser edoofx flyxt m0xsec te3 wdnmd-rushb gprime31 tarekrahman3 mukarramkhalid zhang52linux lvan188 rive-n bee3yh4uk gotzillas dch5568 xuhaomin giaphat71 0x021 muhammadraihanfirdaus drunkentortoise douglasrao aarzaary megamannen arunbabucode astronot-sedih chanduittamsetty martin-code202 idone alumonroy ivkeyminds code-football-dog yousefkazemy1 taiji-xo zuiailaoda zackmark29 aayushmanthapamagar 5l1v3r1 kwawannanstaylinked a422015028 iybmad bartosz-kozajda martymonero ahmadsuhermansyah cknetcapture manishj1996 joel-egarcia 309746069 mhdmirel shuixi2013 pocdc551 xfrgod l1725821492

frida-interception-and-unpinning's Issues

unity game bypass

im totally rookie about this so it might be a dumb question.

i wanna ask whether i can use this script to bypass ssl pinning when the requests codes are in some .so files.

i heard unity game is written by C# and the engine would complie the source codes into some .so files , like libil2cpp.so libunity.so or something else.

in this case, the main codes of sending requests may not work on Java layer. And to hook the function in so files, Java object might be of no use. NativePointer makes things more complex. i can hardly read the origin doc.

i wanna ask whether there is a better way to do this, or any tutorials .

thanks

Hulu and Prime apps?

I was interested in using this script with the Hulu and Prime apps. It worked fine for the DisneyPlus app, Netflix and several others, but Hulu and Amazon seem to have unorthodox/custom pinning approaches.

See this video for a sample of Hulu startup behavior: https://www.youtube.com/watch?v=ABMddrT04_E

I also tried all the current ssl unpinning scripts available on codeshare and none of them had any effect. I've also tried a bit with some objection ssl unpinning options but same result. Tried hooking with some other techniques but didn't get anywhere: https://pastebin.com/Tp28KYtk

Would appreciate any insights.

Ssl unpinning

Hello i hope you fine
There is three or four apps i tried to unpinning ssl using frida server with too many scripts but nothing worked i tried the codes in frida code share and in too many sites but no one worked
So are you still available to send this apps for you to make a script for them ?
And thanks in advance

Fix #6

Change
SSLContext_init.call(this, keyManager, TrustManagers, secureRandom);
to
this.init(keyManager, TrustManagers, secureRandom);

Clearly the method is not static and so it should be called from it's instance, maybe I am missing some inner forbidden knowledge, but this.init is proper way to call instance method

OkHostnameVerifier

a missing case for ssl pinning that could help other :

Java.perform(function () {
  var OkHostnameVerifier = Java.use('com.android.okhttp.internal.tls.OkHostnameVerifier');

  // Hook de la méthode verify
  OkHostnameVerifier.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function (hostname, session) {
      // Affichez les paramètres en rouge dans la console
      console.log("\x1b[31m[Hooked OkHostnameVerifier.verify]");
      console.log("\x1b[31mHostname: \x1b[0m" + hostname);
      console.log("\x1b[31mSSLSession: \x1b[0m" + session);
      var result = this.verify(hostname, session);
      console.log("\x1b[31mResult: \x1b[0m" + result);
      return true;
  };
});

Hope that can help other. BTW, thanks for your amazing work.

Error: VM::AttachCurrentThread failed: -1

Hi,
When I try to use frida-script.js I get an error:

frida --no-pause -U -l ./frida-script.js -f tech.httptoolkit.pinning_demo
     ____
    / _  |   Frida 15.1.14 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
Spawned `tech.httptoolkit.pinning_demo`. Resuming main thread!
Error: VM::AttachCurrentThread failed: -1
    at o (frida/node_modules/frida-java-bridge/lib/result.js:4)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:25)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:14)
    at Xe (frida/node_modules/frida-java-bridge/lib/android.js:500)
    at Ie (frida/node_modules/frida-java-bridge/lib/android.js:196)
    at Ce (frida/node_modules/frida-java-bridge/lib/android.js:16)
    at _tryInitialize (frida/node_modules/frida-java-bridge/index.js:17)
    at y (frida/node_modules/frida-java-bridge/index.js:9)
    at <anonymous> (frida/node_modules/frida-java-bridge/index.js:320)
    at call (native)
    at o (/_java.js)
    at <anonymous> (/_java.js)
    at <anonymous> (frida/runtime/java.js:1)
    at call (native)
    at o (/_java.js)
    at r (/_java.js)
    at <eval> (frida/runtime/java.js:3)
    at _loadJava (native)
    at get (frida/runtime/core.js:125)
    at <anonymous> (/frida-script.js:510)
    at apply (native)
    at <anonymous> (frida/runtime/core.js:45)

It doesn't matter which app I use (com.twitter.android, tech.httptoolkit.pinning_demo, etc) the result is always the same.

Android 11, Samsung SM G998B (s21 Ultra) rooted.
Frida is installed on Windows 11 / Python3.7

Any idea how to fix this?
Thank you.

Snapchat certificate rejected even after following guide

Hello, I followed this guide (https://httptoolkit.com/blog/frida-certificate-pinning/) but was still unable to get the certificate to work. Whenever I opened snapchat I would get the certificate rejected error and Snapchat wouldn't be working properly. Please let me know how I can fix this and maybe try Snapchat yourself if possible. Tried this on arm64 architecture.

Should I combine scripts ?

Hey,
First of all I'm very appreciative for everything you do on HTTP Toolkit it's been a lifesaver, user-friendly and many other qualifier but I don't to make it too much.

I wanted to know, in the context of using Genymotion with HTTP Toolkit and connecting via ADB to it, I want to bypass SSL pinning.

I've tried android-certificate-unpinning.js + config.js, but it seems like it's still blocked for the app I'm trying (Facebook).

My question is a bit more general, I want to know if I should combine scripts ? I read the description where it says you generally use a subset of scripts but I'm unsure if that means only 1 or possibly 2.

And what would be the ones we would usually combine together, thanks !

Error: VM::AttachCurrentThread failed: -1

For some reason I get this error for every app I try the script on. The app launches and this is the error it gives. My devices is running on Android 11

Error: VM::AttachCurrentThread failed: -1
    at o (frida/node_modules/frida-java-bridge/lib/result.js:4)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:25)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:14)
    at Xe (frida/node_modules/frida-java-bridge/lib/android.js:499)
    at Ie (frida/node_modules/frida-java-bridge/lib/android.js:195)
    at Ce (frida/node_modules/frida-java-bridge/lib/android.js:16)
    at _tryInitialize (frida/node_modules/frida-java-bridge/index.js:17)
    at g (frida/node_modules/frida-java-bridge/index.js:9)
    at <anonymous> (frida/node_modules/frida-java-bridge/index.js:317)
    at call (native)
    at o (/_java.js)
    at <anonymous> (/_java.js)
    at <anonymous> (frida/runtime/java.js:1)
    at call (native)
    at o (/_java.js)
    at r (/_java.js)
    at <eval> (frida/runtime/java.js:3)
    at _loadJava (native)
    at get (frida/runtime/core.js:114)
    at <anonymous> (/frida-script.js:448)
    at apply (native)
    at <anonymous> (frida/runtime/core.js:45)

help ssl unpinning not working

SSL unpinning not working on Instagram app

com.instagram.android

Cert rejected in-app with Roblox

After using this great tutorial, I can confirm twitter's certificate un-pinning and can see traffic from twitter. Unfortunately, when I try to do the same with Roblox, I still can't get passed their cert pining. In my mitmdump I see: "Client TLS handshake failed. The client does not trust the proxy's certificate for *.roblox.com"

And in app, I see the roblox alert "Connection error. Unable to contact server."

I am using mitmproxy and http toolkit 'connect through adb'. The phone is rooted and I have su access. HTTPtoolkit gives all green checkmarks.

I love all these tools and use the cert pinning for other apps, but Roblox is awfully stubborn! fwiw, when I do a tcpdump of playing Roblox on macos (instead of on android) I see the RakNet protocol for all the Roblox traffic (encrypted).

Thanks for all wisdom! And thanks for all the great docs and open source code in the past!

com.nbcuni.nbc: failure with fallback script

using this command:

frida -U `
-l config.js `
-l android/android-certificate-unpinning.js `
-l android/android-certificate-unpinning-fallback.js `
-f com.nbcuni.nbc

with Android 7, I get this result:

     ____
    / _  |   Frida 16.1.4 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Spawning `com.nbcuni.nbc`...

*** Starting scripts ***
Spawned `com.nbcuni.nbc`. Resuming main thread!
[Android Emulator 5554::com.nbcuni.nbc ]->
    === Disabling all recognized unpinning libraries ===
[+] javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier
[+] javax.net.ssl.HttpsURLConnection setSSLSocketFactory
[+] javax.net.ssl.HttpsURLConnection setHostnameVerifier
[+] javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
[+] com.android.org.conscrypt.CertPinManager isChainValid
[ ] com.android.org.conscrypt.CertPinManager checkChainPinning
[+] android.security.net.config.NetworkSecurityConfig $init(*) (0)
[+] android.security.net.config.NetworkSecurityConfig $init(*) (1)
[ ] com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[+] com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] okhttp3.CertificatePinner *
[ ] com.squareup.okhttp.CertificatePinner *
[ ] com.datatheorem.android.trustkit.pinning.PinningTrustManager *
[ ] appcelerator.https.PinningTrustManager *
[ ] nl.xservices.plugins.sslCertificateChecker *
[ ] com.worklight.wlclient.api.WLClient *
[ ] com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning *
[ ] com.worklight.androidgap.plugin.WLCertificatePinningPlugin *
[ ] com.commonsware.cwac.netsecurity.conscrypt.CertPinManager *
[ ] io.netty.handler.ssl.util.FingerprintTrustManagerFactory *
[ ] com.silkimen.cordovahttp.CordovaServerTrust *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyHostnameVerifier *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyTrustManager *
== Certificate unpinning completed ==
[+] TLS error auto-patcher
*** Scripts completed ***

 => android.security.net.config.NetworkSecurityConfig $init(*) (1)
 => android.security.net.config.NetworkSecurityConfig $init(*) (0)
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)

 !!! --- Unexpected TLS failure --- !!!

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function

 !!! --- Unexpected TLS failure --- !!!

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => com.android.org.conscrypt.CertPinManager isChainValid

 !!! --- Unexpected TLS failure --- !!!
      Thrown by java.security.cert.CertificateParsingException-><init>
      [ ] Failed to automatically patch failure
TypeError: cannot read property 'overloads' of undefined

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => com.android.org.conscrypt.CertPinManager isChainValid

 !!! --- Unexpected TLS failure --- !!!
      Thrown by java.security.cert.CertificateParsingException-><init>
      [ ] Failed to automatically patch failure
TypeError: cannot read property 'overloads' of undefined

 !!! --- Unexpected TLS failure --- !!!
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function

 !!! --- Unexpected TLS failure --- !!!
      Thrown by okhttp3.internal.platform.android.d->a
      [ ] Unrecognized TLS error - this must be patched manually

UbiConnect: exception thrown and the app hangs

The automatic exception patcher seems to fail for the UbiConnect Android app (com.ubisoft.uplay)

Unpinning Android app...
[+] SSLPeerUnverifiedException auto-patcher
[+] HttpsURLConnection (setDefaultHostnameVerifier)
[+] HttpsURLConnection (setSSLSocketFactory)
[+] HttpsURLConnection (setHostnameVerifier)
[+] SSLContext
[+] TrustManagerImpl
[+] OkHTTPv3 (list)
[ ] OkHTTPv3 (cert)
[+] OkHTTPv3 (cert array)
[+] OkHTTPv3 ($okhttp)
[ ] Trustkit OkHostnameVerifier(SSLSession)
[ ] Trustkit OkHostnameVerifier(cert)
[ ] Trustkit PinningTrustManager
[ ] Appcelerator PinningTrustManager
[ ] OpenSSLSocketImpl Conscrypt
[ ] OpenSSLEngineSocketImpl Conscrypt
[ ] OpenSSLSocketImpl Apache Harmony
[ ] PhoneGap sslCertificateChecker
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string)
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string array)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (cert)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (string string)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession)
[ ] Conscrypt CertPinManager
[ ] CWAC-Netsecurity CertPinManager
[ ] Worklight Androidgap WLCertificatePinningPlugin
[ ] Netty FingerprintTrustManagerFactory
[ ] Squareup CertificatePinner (cert)
[ ] Squareup CertificatePinner (list)
[ ] Squareup OkHostnameVerifier (cert)
[ ] Squareup OkHostnameVerifier (SSLSession)
[+] Android WebViewClient (SslErrorHandler)
[ ] Android WebViewClient (WebResourceError)
[ ] Apache Cordova WebViewClient
[ ] Boye AbstractVerifier
[ ] Appmattus (CertificateTransparencyInterceptor)
[ ] Appmattus (CertificateTransparencyTrustManager)
Unpinning setup completed
---
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing OkHTTPv3 ($okhttp): public-ubiservices.ubi.com
  --> Bypassing OkHTTPv3 ($okhttp): public-ubiservices.ubi.com
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.internal.tls.BasicCertificateChainCleaner->clean
      Attempting to patch automatically...
      [+] okhttp3.internal.tls.BasicCertificateChainCleaner->clean (automatic exception patch)

after this the app is just loading forever and frozen.

How to automatically unpin every application ?

This solution is nice as it avoids the trouble of repacking and patching apps statically and some of the integrity checks they do.
Can we patch the known checks automatically on startup of the app somehow? It is a bit complicated to start apps manually with frida that interact with each other like apps that use the google play store&services to check licenses.
Same is true for automatically started OS components and oem bloatware apps.
There used to be Magisk Modules but they are outdated and not maintained at the moment.

Issue when script reloaded

Hi! I'm trying to bypass SSL pinning and it doesn't working. But when I "live reload" script i can see this error

`
Error: Cast from 'com.google.android.gms.org.conscrypt.OpenSSLX509Certificate' to 'javax.net.ssl.KeyManager' isn't possible
at cast (frida/node_modules/frida-java-bridge/lib/class-factory.js:131)
at fromJni (/_java.js)
at fromJni (frida/node_modules/frida-java-bridge/lib/types.js:247)
at ne (frida/node_modules/frida-java-bridge/lib/class-factory.js:610)
at (frida/node_modules/frida-java-bridge/lib/class-factory.js:592)

Unable to solve recaptcha

Unable to solve google recaptcha(In app) while connected to the burpsuite. I used Frida with the ssl unpinning script. The error I got is unexpected ssl verification failed at "com.android.org.conscrypt.ActiveSession->checkPeerCertificatesPresent"

Device : Google Pixel 3XL (Android V9.0)

Help with unpinning app

Hi! Unpinning works, but the problem that app totally unusable. I'm able to see requests, but look like on receive data app fail to verify something. I will be appreciated for any direction how to resolve this.

Error: getPackageInfoNoCheck(): has more than one overload, use .overload(<signature>) to choose from:

ı got this error. is there any way to handle it
Error: getPackageInfoNoCheck(): has more than one overload, use .overload() to choose from:
.overload('android.content.pm.ApplicationInfo', 'android.content.res.CompatibilityInfo')
.overload('android.content.pm.ApplicationInfo', 'android.content.res.CompatibilityInfo', 'boolean')
at X (frida/node_modules/frida-java-bridge/lib/class-factory.js:569)
at K (frida/node_modules/frida-java-bridge/lib/class-factory.js:564)
at set (frida/node_modules/frida-java-bridge/lib/class-factory.js:932)
at (frida/node_modules/frida-java-bridge/index.js:224)
at (frida/node_modules/frida-java-bridge/lib/vm.js:12)
at _performPendingVmOpsWhenReady (frida/node_modules/frida-java-bridge/index.js:244)
at perform (frida/node_modules/frida-java-bridge/index.js:204)
at (/frida/repl-2.js:520)
at apply (native)
at (frida/runtime/core.js:51)

net.mullvad.mullvadvpn

using MITM Proxy, I cannot get past the login screen on the Mullvad Android app

I tried Frida with the script here, but the problem remains. I can share account if needed.

com.hulu.plus failure

using this command:

frida -U `
-l config.js `
-l android/android-certificate-unpinning.js `
-f com.hulu.plus

after entering password, if you click LOG IN you get this:

Hmm. Something’s up. Please check your internet settings and try again. If all’s fine on your end, visit our Help Center.

If I disable proxy and try again, it works as expected. I can share account if need be. result:

     ____
    / _  |   Frida 16.1.4 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Spawning `com.hulu.plus`...

*** Starting scripts ***
Spawned `com.hulu.plus`. Resuming main thread!
[Android Emulator 5554::com.hulu.plus ]->
    === Disabling all recognized unpinning libraries ===
[+] javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier
[+] javax.net.ssl.HttpsURLConnection setSSLSocketFactory
[+] javax.net.ssl.HttpsURLConnection setHostnameVerifier
[+] javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
[ ] com.android.org.conscrypt.CertPinManager isChainValid
[+] com.android.org.conscrypt.CertPinManager checkChainPinning
[+] android.security.net.config.NetworkSecurityConfig $init(*) (0)
[+] android.security.net.config.NetworkSecurityConfig $init(*) (1)
[+] com.android.okhttp.Address $init
[ ] okhttp3.CertificatePinner check(String, List)
[ ] okhttp3.CertificatePinner check(String, Certificate)
[ ] okhttp3.CertificatePinner check(String, Certificate;[])
[ ] okhttp3.CertificatePinner check$okhttp
[!] Matched class okhttp3.CertificatePinner but could not patch any methods
[ ] com.squareup.okhttp.CertificatePinner *
[ ] com.datatheorem.android.trustkit.pinning.PinningTrustManager *
[ ] appcelerator.https.PinningTrustManager *
[ ] nl.xservices.plugins.sslCertificateChecker *
[ ] com.worklight.wlclient.api.WLClient *
[ ] com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning *
[ ] com.worklight.androidgap.plugin.WLCertificatePinningPlugin *
[ ] com.commonsware.cwac.netsecurity.conscrypt.CertPinManager *
[ ] io.netty.handler.ssl.util.FingerprintTrustManagerFactory *
[ ] com.silkimen.cordovahttp.CordovaServerTrust *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyHostnameVerifier *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyTrustManager *
== Certificate unpinning completed ==
*** Scripts completed ***

 => android.security.net.config.NetworkSecurityConfig $init(*) (0)
 => com.android.okhttp.Address $init
 => com.android.okhttp.Address $init
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)

Youtube for Android TV can't be intercepted

output.txt

syntax error: unexpected 'newline'

Running command returning syntax error.

> adb shell "/data/local/tmp/frida-server &"
/data/local/tmp/frida-server[1]: syntax error: unexpected 'newline'

com.segway.mower Failed to automatically patch failure

https://play.google.com/store/apps/details?id=com.segway.mower

 --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure

Error: Address(): argument types do not match

using this command:

> frida -U `
-f com.nbcuni.nbc `
-l android/android-certificate-unpinning.js `
-l config.js

I get this:

     ____
    / _  |   Frida 16.1.4 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Spawning `com.nbcuni.nbc`...

Spawned `com.nbcuni.nbc`. Resuming main thread!
[Android Emulator 5554::com.nbcuni.nbc ]-> == Certificate unpinning completed ==
Error: Address(): argument types do not match any of:
        .overload('java.lang.String', 'int', 'javax.net.SocketFactory', 'javax.net.ssl.SSLSocketFactory', 'javax.net.ssl.HostnameVerifier', 'com.android.okhttp.CertificatePinner', 'com.android.okhttp.Authenticator', 'java.net.Proxy', 'java.util.List', 'java.util.List', 'java.net.ProxySelector')
    at X (frida/node_modules/frida-java-bridge/lib/class-factory.js:569)
    at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:973)
    at e (frida/node_modules/frida-java-bridge/lib/class-factory.js:553)
    at <anonymous> (D:\Desktop\frida-interception-and-unpinning-main\android\android-certificate-unpinning.js:170)
    at apply (native)
    at ne (frida/node_modules/frida-java-bridge/lib/class-factory.js:620)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/class-factory.js:598)

com.expressvpn.vpn not bypassed

No luck using the script on the expressvpn app. After running the script, HTTP Toolkit still is unable to view the https traffic.
I tried reverse engineering the app and writing a frida script myself, but with no success. I wasn't able to figure out the functions needed to bypass the SSL verification. I would appreciate any help. Thank you

Failed on Line messaging app

Tried intercepting requests with Http Toolkit as well. Responses kept being aborted and after running the script the same thing continued to happen. Only that now the entire data traffic was blocked: all incoming and outgoing messages wouldn't be sent/received on the device.

Additional info: I used a rooted Samsung Galaxy S10 with Android 12.

Cannot unpin com.namcobandaigames.spmoja010E

It prints out

--> Bypassing OpenSSLSocketImpl Conscrypt
 --> Bypassing OpenSSLSocketImpl Conscrypt
 --> Bypassing OpenSSLSocketImpl Conscrypt
 --> Bypassing OpenSSLSocketImpl Conscrypt

, but still fails to unpin it as seen in the photo

Handle VPN detection

Sir,
I face VPN detection problem while unpinning in some apps.
In some apps your script works properly and in some it doesn't work at all.
Can u make a script of hide vpn detect

Originally posted by @TechnoIndian in #57 (comment)

Zello App

The ssl-unpinning doesn't work.

Thank you.

Google Play Store Android API 18

this is a long shot, but I figure it cant hurt to post this in case others have mess with it. I am trying to intercept older Google Play Stores, and I can get all the newer versions but got stuck on API 18. I first tried MITM Proxy with a "user certificate", then tried again with a "system certificate":

https://docs.mitmproxy.org/stable/howto-install-system-trusted-ca-android/#instructions-for-api-level--28-using--writable-system-1

and confirmed that the system certificate is installed in the Trusted credentials. However I still am not capturing any requests for some reason. so I had the idea that maybe the older Play Store are using pinning or something. so I tried Frida with the script here, not even using MITM Proxy, just to see what would happen. however Frida will not complete:

> adb shell /data/app/frida-server
CANNOT LINK EXECUTABLE: cannot locate symbol "statvfs" referenced by
"/data/app/frida-server"...

I figure I am using wrong version of Frida server:

https://github.com/frida/frida/releases/download/16.0.0/frida-server-16.0.0-android-x86.xz

but just wanted to see if anyone had messed with this.

How to put pem code in config.js

sir,
how many times pem code has to be put in config.js, it is given twice.

SSL Unpinning failed for Whatsapp, Snapchat & McDonald's

Hey I tried out your SSL unpinning script on some apps and it didnt work for most of them (Whatsapp, Snapchat, McDonald's App). Is that fixable or is it because of some different issue? Would be nice if we could have a talk, Discord: RequestFX#1541

OkHttp3 - java.lang.NullPointerException: interceptor l3.e@b68a57c returned null

Hello, I encountered this issue while playing with a React Native app.

FATAL EXCEPTION: um.z Dispatcher
Process: com.cvent.mobile.eventapp, PID: 29861
java.lang.NullPointerException: interceptor l3.e@b68a57c returned null
	at an.g.b(RealInterceptorChain.kt:291)
	at zm.a.a(ConnectInterceptor.kt:33)
	at an.g.b(RealInterceptorChain.kt:167)
	at xm.a.a(CacheInterceptor.kt:192)
	at an.g.b(RealInterceptorChain.kt:167)
	at an.a.a(BridgeInterceptor.kt:168)
	at an.g.b(RealInterceptorChain.kt:167)
	at an.j.a(RetryAndFollowUpInterceptor.kt:35)
	at an.g.b(RealInterceptorChain.kt:167)
	at zm.e.r(RealCall.kt:114)
	at zm.e$a.run(RealCall.kt:52)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1137)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:637)
	at java.lang.Thread.run(Thread.java:1012)

Command

frida -U -l frida-script.js -f com.cvent.mobile.eventapp

Information about the app
processName: 'com.cvent.mobile.eventapp',
type: React Native (Hermes engine)

Exceptions for Blizzard Messenger aren't patched properly

com.blizzard.messenger their chat and authentication app isn't unpinned completely .
The log says:

Unpinning Android app...
[+] SSLPeerUnverifiedException auto-patcher
[+] HttpsURLConnection (setDefaultHostnameVerifier)
[+] HttpsURLConnection (setSSLSocketFactory)
[+] HttpsURLConnection (setHostnameVerifier)
[+] SSLContext
[+] TrustManagerImpl
[+] OkHTTPv3 (list)
[ ] OkHTTPv3 (cert)
[+] OkHTTPv3 (cert array)
[+] OkHTTPv3 ($okhttp)
[ ] Trustkit OkHostnameVerifier(SSLSession)
[ ] Trustkit OkHostnameVerifier(cert)
[ ] Trustkit PinningTrustManager
[ ] Appcelerator PinningTrustManager
[ ] OpenSSLSocketImpl Conscrypt
[ ] OpenSSLEngineSocketImpl Conscrypt
[ ] OpenSSLSocketImpl Apache Harmony
[ ] PhoneGap sslCertificateChecker
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string)
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string array)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (cert)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (string string)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession)
[ ] Conscrypt CertPinManager
[ ] CWAC-Netsecurity CertPinManager
[ ] Worklight Androidgap WLCertificatePinningPlugin
[ ] Netty FingerprintTrustManagerFactory
[ ] Squareup CertificatePinner (cert)
[ ] Squareup CertificatePinner (list)
[ ] Squareup OkHostnameVerifier (cert)
[ ] Squareup OkHostnameVerifier (SSLSession)
[+] Android WebViewClient (SslErrorHandler)
[ ] Android WebViewClient (WebResourceError)
[ ] Apache Cordova WebViewClient
[ ] Boye AbstractVerifier
[ ] Appmattus (CertificateTransparencyInterceptor)
[ ] Appmattus (CertificateTransparencyTrustManager)
Unpinning setup completed
---
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing OkHTTPv3 ($okhttp): account.battle.net
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.internal.connection.RealConnection->connectTls
      Attempting to patch automatically...
      [+] okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
Process crashed: kotlin.KotlinNullPointerException

***
FATAL EXCEPTION: OkHttp Dispatcher
Process: com.blizzard.messenger, PID: 23849
kotlin.KotlinNullPointerException
        at okhttp3.internal.connection.RealConnection.isHealthy(RealConnection.kt:635)
        at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:117)
        at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:76)
        at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:245)
        at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
        at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:82)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
        at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
        at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
        at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:197)
        at okhttp3.internal.connection.RealCall$AsyncCall.run(RealCall.kt:502)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
        at java.lang.Thread.run(Thread.java:919)

maybe the okhttp3 auto patch has unwanted side-effects.

Roli: pins must start with 'sha256/'

when working on https://play.google.com/store/apps/details?id=com.telkomsel.roli the OKHttp Exception occurs.

Unpinning Android app...
[+] SSLPeerUnverifiedException auto-patcher
[+] HttpsURLConnection (setDefaultHostnameVerifier)
[+] HttpsURLConnection (setSSLSocketFactory)
[+] HttpsURLConnection (setHostnameVerifier)
[+] SSLContext
[+] TrustManagerImpl
[ ] OkHTTPv3 (list)
[ ] OkHTTPv3 (cert)
[ ] OkHTTPv3 (cert array)
[ ] OkHTTPv3 ($okhttp)
[ ] Trustkit OkHostnameVerifier(SSLSession)
[ ] Trustkit OkHostnameVerifier(cert)
[ ] Trustkit PinningTrustManager
[ ] Appcelerator PinningTrustManager
[ ] OpenSSLSocketImpl Conscrypt
[ ] OpenSSLEngineSocketImpl Conscrypt
[ ] OpenSSLSocketImpl Apache Harmony
[ ] PhoneGap sslCertificateChecker
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string)
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string array)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (cert)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (string string)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession)
[ ] Conscrypt CertPinManager
[ ] CWAC-Netsecurity CertPinManager
[ ] Worklight Androidgap WLCertificatePinningPlugin
[ ] Netty FingerprintTrustManagerFactory
[ ] Squareup CertificatePinner (cert)
[ ] Squareup CertificatePinner (list)
[ ] Squareup OkHostnameVerifier (cert)
[ ] Squareup OkHostnameVerifier (SSLSession)
[+] Android WebViewClient (SslErrorHandler)
[ ] Android WebViewClient (WebResourceError)
[ ] Apache Cordova WebViewClient
[ ] Boye AbstractVerifier
[ ] Appmattus (CertificateTransparencyInterceptor)
[ ] Appmattus (CertificateTransparencyTrustManager)
Unpinning setup completed
---
  --> Bypassing HttpsURLConnection (setDefaultHostnameVerifier)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing TrustManagerImpl checkTrusted
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing TrustManagerImpl checkTrusted
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->c
      Attempting to patch automatically...
      [+] okhttp3.CertificatePinner->c (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
Process crashed: java.lang.IllegalArgumentException: pins must start with 'sha256/' or 'sha1/': Pinned certificates for roli.telkomsel.com

The code for that is in https://github.com/square/okhttp/blob/d54ef742fc43e8917edc233760c20fbbdda8ee52/okhttp/src/jvmMain/kotlin/okhttp3/CertificatePinner.kt#L272

Certificate unpinning not working for this app

Link to app (playstore)
Even after running the script the process crashes after submission of OTP with this message on console.
Process crashed: Bad access due to protection failure.
Help if anybody can figure out reason or successfully log https requests after the OTP submission phase.
Are they using custom certificate pinning method?

Screenshots of log -

new setup is complicated

the new setup seems to be really complicated, which I don't like. I guess if the end result is better unpinning that is good, but I think it would help explain the extra complexity. for example:

why is config.js even needed? the previous script did not need to know this information. Note I am using Android Studio with MITM Proxy and not HTTP Toolkit, not sure if that makes a difference.
why are we ALSO needing to supply an ADDITIONAL 5 scripts on top of config.js? I think it would be helpful to explain what people are getting using all 6 scripts versus just one or two.
what is the absolute minimum needed to have some form of unpinning support? just config.js and one other JS file? if so which one?

Apple TV App unpinning

Any success with the Apple TV app on an Amazon Firetv 4k?

com.nike.omega

Tried it on Nike app: com.nike.omega

Frida on terminal returned error below:

Process crashed: java.lang.NullPointerException: interceptor com.nike.mpe.plugin.certtransparency.internal.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor@2c65125 returned null

Just to make sure, I tried it on Twitter and it works.

FATAL EXCEPTION: OkHttp Dispatcher

Process crashed: java.lang.NullPointerException: interceptor se0.e@1c6a394 returned null

FATAL EXCEPTION: OkHttp Dispatcher
Process: cn.adidas.app, PID: 1455

Can't unpin eu.reply.cordless.uk

I'm struggling to find a script that'll unpin the Vodafone Broadband app (eu.reply.cordless.uk) and having read the blog post about Frida's unpinning capabilities I figured I'd see if anyone can help.

This app in question is a companion app for Vodafone's supplied router. The SSL traffic being pinned is local, between the device and router on custom ports, any traffic sent remotely (API calls to the cloud using port 443) is not pinned and can be intercepted without issue. The app uses TCP ports 8888 6698 and 6699 to communicate with the Router.

If the script launches the app with no prior user data (like a fresh install), I'll get the following:

--> Bypassing OpenSSLSocketImpl Conscrypt
--> Bypassing Trustmanager (Android < 7) request
--> Bypassing OpenSSLSocketImpl Conscrypt
--> Bypassing Trustmanager (Android < 7) request
--> Bypassing OpenSSLSocketImpl Conscrypt
--> Bypassing Trustmanager (Android < 7) request
--> Bypassing OpenSSLSocketImpl Conscrypt
--> Bypassing OpenSSLSocketImpl Conscrypt
--> Bypassing OpenSSLSocketImpl Conscrypt
--> Bypassing OpenSSLSocketImpl Conscrypt
--> Bypassing OpenSSLSocketImpl Conscrypt

Thereafter, using the script to relaunch the app I'll just get:

--> Bypassing OpenSSLSocketImpl Conscrypt
--> Bypassing OpenSSLSocketImpl Conscrypt

In all instances certificate pinning is still in place and blocking communication if I'm proxying the traffic. If I refresh the app enough times it'll add another line of '--> Bypassing OpenSSLSocketImpl Conscrypt' which seemingly isn't achieving anything.

Unfortunately I can't read or write javascript so I'm a bit stuck on how I'd resolve this myself. I've dug around in the code using jdax but don't really know what to look for, I have found mentions of certificate pinning. The apk uses BouncyCastle keystores (.bks) to facilitate the certificate pinning (I think) and they're not password protected.

Test environment is a rooted Andriod 7 (Xperia Z5) with the latest Frida releases.

App version is the latest (4.5.2) It's worth noting that certificate pinning is a recent addition in the app (starting in version 4.4.1) but the traffic I want to intercept (and therefore the feature I want to manipulate) is only available after pinning came into force.

Some urls are missing in burpsuite

Maybe it’s not the right place to ask this question. I am trying to intercept an android app(it doesn’t have ssl Pinner). I am able to get all the links while using http tool kit but not when trying with burpsuite. Most of the links are not showing in burp. I am sure that it’s not because of the filtering . Kindly help me with it. What’s the difference between using http toolkit and burp. Both should work the same way isn’t it?

Game refuses to Connect/Boot after even after SSL Unpinning

While I have followed the guide on SSL unpinning and able to view Twitter's packets, this particular game/app still refuses to connect after the execution of this script or via Objection's unpinning.

The game I am referring to is Fate/Grand Order, here are the links to them on the Play Store:
https://play.google.com/store/apps/details?id=com.aniplex.fategrandorder.en
https://play.google.com/store/apps/details?id=com.aniplex.fategrandorder

The first link is the English version, and the other is the Japanese version. The Japanese version is more ahead in terms of content, and the English version is following its release path in terms of playable content (but there are certain features on the client that are released ahead of its time according to JP's schedule). The behaviour of the 2 Apps differ a little after HTTP Toolkit is connected, the English version gets stuck on "Connecting", while the Japanese version has a pop up saying the game needs updating or something. After running the script

or even running Objection's unpinning

the game would still refuse to connect.

My current guess is that neither this script nor Objection was unable to unpin it. (or it has somehow detected it to be unpinned thus refusing to connect?)
My current device is MuMu, which I'm pretty sure is a slightly modified version of the more popular emulator MEmu with a few extra feature to suit the games I'm playing.
(I have installed the CA cert using https://play.google.com/store/apps/details?id=net.jolivier.cert.Importer (since emulators allow me to toggle root effortlessly).)

I'm not much a of a reverse engineer at all myself, so I'm not sure where else to look for the answers for this issue.
I'm not sure about hooking and finding the function/method that checks Certificates but since this is a unity game, there might be a way to get started if you want to give it a try. There's a program called il2cppDumper using this I have found that you can dump the function names, but when I looked up the word 'certificate' in the dumped file, there's over 1700 results, and I don't have enough experience to identify which are the functions that are related in solving this issue.

To dump and find the functions, simply download il2cppDumper and the game APK.
Open the game APK like an archive and extract the following files:
assets\bin\Data\Managed\Metadata\global-metadata.dat
and either of the following:
lib\armeabi-v7a\libil2cpp.so
lib\arm64-v8a\libil2cpp.so
Now run Il2CppDumper.exe and open the libil2cpp.so first and then global-metadata.dat. Give a few moments, the dump.cs should be generated and may have what you might be looking for...

EDIT: Updated a bit of info.

Connection terminated

Hello!

Im currently trying to SSL pin the app called "Zalando" - Whenever I do run

frida --no-pause -U -l intercepter.js -f "de.zalando.mobile"

it seems like the app crashes and here is the logs:

frida --no-pause -U -l intercepter.js -f "de.zalando.mobile"
     ____
    / _  |   Frida 15.1.3 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
Spawning `de.zalando.mobile`...
Unpinning setup cmopleted
---
Spawned `de.zalando.mobile`. Resuming main thread!
[SM G965N::de.zalando.mobile]-> ---
Unpinning Android app...
[+] HttpsURLConnection (setDefaultHostnameVerifier)
[+] HttpsURLConnection (setSSLSocketFactory)
[+] HttpsURLConnection (setHostnameVerifier)
[+] SSLContext
[+] TrustManagerImpl
[+] OkHTTPv3 (list)
[ ] OkHTTPv3 (cert)
[+] OkHTTPv3 (cert array)
[+] OkHTTPv3 ($okhttp)
[ ] Trustkit OkHostnameVerifier(SSLSession)
[ ] Trustkit OkHostnameVerifier(cert)
[ ] Trustkit PinningTrustManager
[ ] Appcelerator PinningTrustManager
[+] OpenSSLSocketImpl Conscrypt
[ ] OpenSSLEngineSocketImpl Conscrypt
[ ] OpenSSLSocketImpl Apache Harmony
[ ] PhoneGap sslCertificateChecker
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string)
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string array)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (cert)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (string string)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession)
[+] Conscrypt CertPinManager
[ ] CWAC-Netsecurity CertPinManager
[ ] Worklight Androidgap WLCertificatePinningPlugin
[ ] Netty FingerprintTrustManagerFactory
[ ] Squareup CertificatePinner (cert)
[ ] Squareup CertificatePinner (list)
[ ] Squareup OkHostnameVerifier (cert)
[ ] Squareup OkHostnameVerifier (SSLSession)
[+] Android WebViewClient (SslErrorHandler)
[ ] Android WebViewClient (WebResourceError)
[ ] Apache Cordova WebViewClient
[ ] Boye AbstractVerifier
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing OpenSSLSocketImpl Conscrypt
  --> Bypassing OkHTTPv3 ($okhttp): www.zalando.de
  --> Bypassing OpenSSLSocketImpl Conscrypt
  --> Bypassing OkHTTPv3 ($okhttp): www.zalando.se
  --> Bypassing TrustManagerImpl checkTrusted
Connection terminated
[SM G965N::de.zalando.mobile]->

Thank you for using Frida!```

Is there anything I can add on please let me know :)

Http toolkit Apk for android

Sir, can you make an app to capture http traffic for android also?

Unity based applications pinning bypass?

Hello,

I have been looking forward for the frida script to bypass unity based applications ssl pinning which are using below code.

https://docs.unity3d.com/ScriptReference/Networking.CertificateHandler.ValidateCertificate.html

Any help?

[app.dogorama] Process crashed: java.lang.UnsatisfiedLinkError: couldn't find DSO to load: libhermes.so

Hi, I was trying to unpin SSL from the Dogorama app but that didn't work:

$ frida --no-pause -U -l ../../Downloads/frida-script.js -f app.dogorama
     ____
    / _  |   Frida 15.2.2 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Spawned `app.dogorama`. Resuming main thread!                           
[Android Emulator 5554::app.dogorama ]-> ---
Unpinning Android app...
[+] SSLPeerUnverifiedException auto-patcher
[+] HttpsURLConnection (setDefaultHostnameVerifier)
[+] HttpsURLConnection (setSSLSocketFactory)
[+] HttpsURLConnection (setHostnameVerifier)
[+] SSLContext
[+] TrustManagerImpl
[+] OkHTTPv3 (list)
[ ] OkHTTPv3 (cert)
[+] OkHTTPv3 (cert array)
[+] OkHTTPv3 ($okhttp)
[ ] Trustkit OkHostnameVerifier(SSLSession)
[ ] Trustkit OkHostnameVerifier(cert)
[ ] Trustkit PinningTrustManager
[ ] Appcelerator PinningTrustManager
[ ] OpenSSLSocketImpl Conscrypt
[ ] OpenSSLEngineSocketImpl Conscrypt
[ ] OpenSSLSocketImpl Apache Harmony
[ ] PhoneGap sslCertificateChecker
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string)
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string array)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (cert)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (string string)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession)
[ ] Conscrypt CertPinManager
[ ] CWAC-Netsecurity CertPinManager
[ ] Worklight Androidgap WLCertificatePinningPlugin
[ ] Netty FingerprintTrustManagerFactory
[ ] Squareup CertificatePinner (cert)
[+] Squareup CertificatePinner (list)
[+] Squareup OkHostnameVerifier (cert)
[+] Squareup OkHostnameVerifier (SSLSession)
[+] Android WebViewClient (SslErrorHandler)
[ ] Android WebViewClient (WebResourceError)
[ ] Apache Cordova WebViewClient
[ ] Boye AbstractVerifier
[ ] Appmattus (Transparency)
Unpinning setup completed
---
Process crashed: java.lang.UnsatisfiedLinkError: couldn't find DSO to load: libhermes.so

***
FATAL EXCEPTION: create_react_context
Process: app.dogorama, PID: 5240
java.lang.UnsatisfiedLinkError: couldn't find DSO to load: libhermes.so
	SoSource 0: com.facebook.soloader.ApkSoSource[root = /data/data/app.dogorama/lib-main flags = 1]
	SoSource 1: com.facebook.soloader.DirectorySoSource[root = /data/app/~~Js_W8z118rVG9AxCVcowrQ==/app.dogorama-C0q6l1U3SOxP2VO_M3NyhQ==/lib/x86_64 flags = 0]
	SoSource 2: com.facebook.soloader.DirectorySoSource[root = /vendor/lib64 flags = 2]
	SoSource 3: com.facebook.soloader.DirectorySoSource[root = /system/lib64 flags = 2]
	Native lib dir: /data/app/~~Js_W8z118rVG9AxCVcowrQ==/app.dogorama-C0q6l1U3SOxP2VO_M3NyhQ==/lib/x86_64
 result: 0
	at com.facebook.soloader.SoLoader.doLoadLibraryBySoName(SoLoader.java:918)
	at com.facebook.soloader.SoLoader.loadLibraryBySoNameImpl(SoLoader.java:740)
	at com.facebook.soloader.SoLoader.loadLibraryBySoName(SoLoader.java:654)
	at com.facebook.soloader.SoLoader.loadLibrary(SoLoader.java:634)
	at com.facebook.soloader.SoLoader.loadLibrary(SoLoader.java:582)
	at com.facebook.hermes.reactexecutor.HermesExecutor.<clinit>(HermesExecutor.java:20)
	at com.facebook.hermes.reactexecutor.HermesExecutorFactory.create(HermesExecutorFactory.java:29)
	at com.facebook.react.ReactInstanceManager$5.run(ReactInstanceManager.java:1054)
	at java.lang.Thread.run(Thread.java:920)
***
[Android Emulator 5554::app.dogorama ]->

Thank you for using Frida!

Device: Android Emulator, API 31, Android 12, x86_64

Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)

Came across your article on how to defeat pinning with Frida and I'm trying to work my way through it as I'm a bit of newb, but I'm tryin!

For some context, I'm running Windows 10, an Android Pixel XL emulator, and OWASP ZAP as my proxy. I've installed the OWASP certificate onto the device, and I can now parse HTTPS traffic from the Chrome app. I'm wanting to now intercept traffic via apps!

I'm using the dating app Bumble as my first "target", so I've installed the APK file onto the device (which does NOT have Google Play Store as I've read that's important). I have the Frida server running in one terminal window as root (running frida-server-15.1.22-android-x86 which I don't know for sure if that's the correct server to be running, maybe x86_64 should be run instead? Anyway...)

So I fire up the App, where it just hangs on the main loading screen and I do not see any traffic from it in OWASP (again, even though it IS proxying internet requests fine, so that part IS working):

...and in a separate terminal window, I run the command:

frida --no-pause -U -l ./frida-script.js -f com.bumble.app

...and this is my resulting output (beware, it's long, and the trailing end just infinitely prints until the frida server dies):

frida --no-pause -U -l ./frida-script.js -f com.bumble.app
     ____
    / _  |   Frida 15.1.22 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Spawned `com.bumble.app`. Resuming main thread!
[Android Emulator 5554::com.bumble.app ]-> ---
Unpinning Android app...
[+] SSLPeerUnverifiedException auto-patcher
[+] HttpsURLConnection (setDefaultHostnameVerifier)
[+] HttpsURLConnection (setSSLSocketFactory)
[+] HttpsURLConnection (setHostnameVerifier)
[+] SSLContext
[+] TrustManagerImpl
[ ] OkHTTPv3 (list)
[ ] OkHTTPv3 (cert)
[ ] OkHTTPv3 (cert array)
[ ] OkHTTPv3 ($okhttp)
[ ] Trustkit OkHostnameVerifier(SSLSession)
[ ] Trustkit OkHostnameVerifier(cert)
[ ] Trustkit PinningTrustManager
[ ] Appcelerator PinningTrustManager
[ ] OpenSSLSocketImpl Conscrypt
[ ] OpenSSLEngineSocketImpl Conscrypt
[ ] OpenSSLSocketImpl Apache Harmony
[ ] PhoneGap sslCertificateChecker
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string)
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string array)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (cert)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (string string)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession)
[ ] Conscrypt CertPinManager
[ ] CWAC-Netsecurity CertPinManager
[ ] Worklight Androidgap WLCertificatePinningPlugin
[ ] Netty FingerprintTrustManagerFactory
[ ] Squareup CertificatePinner (cert)
[ ] Squareup CertificatePinner (list)
[ ] Squareup OkHostnameVerifier (cert)
[ ] Squareup OkHostnameVerifier (SSLSession)
[+] Android WebViewClient (SslErrorHandler)
[ ] Android WebViewClient (WebResourceError)
[ ] Apache Cordova WebViewClient
[ ] Boye AbstractVerifier
Unpinning setup completed
---
  --> Bypassing Trustmanager (Android < 7) request
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by android.net.SSLCertificateSocketFactory->verifyHostname
      Attempting to patch automatically...
      [+] android.net.SSLCertificateSocketFactory->verifyHostname (automatic exception patch)
  --> Bypassing TrustManagerImpl checkTrusted
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing android.net.SSLCertificateSocketFactory->verifyHostname (automatic exception patch)
  --> Bypassing TrustManagerImpl checkTrusted
  --> Bypassing TrustManagerImpl checkTrusted
  --> Unexpected SSL verification failure, adding dynamic patch...
  --> Bypassing TrustManagerImpl checkTrusted
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by com.android.okhttp.internal.io.RealConnection->connectTls
      Attempting to patch automatically...
      [+] com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
      Thrown by com.android.okhttp.internal.io.RealConnection->connectTls
  --> Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
  --> Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
  --> Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
  --> Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
  --> Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
  --> Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
...........................

SO, what can a guy try from here? Would be cool to get some insight from the community on this one so I can get started on the app traffic track :P Thanks!!!

Failed to spawn: the 'argv' option is not supported when spawning Android apps

Hey team, there seem to be some internal changes when shifting from Frida 15.x to 16.x and now it started throwing error as defined in the title.
Do anyone has any idea how can we resolve the above error?

httptoolkit / frida-interception-and-unpinning Goto Github PK

frida-interception-and-unpinning's Introduction

Frida Mobile Interception Scripts

Android Getting Started Guide

iOS Getting Started Guide

The Scripts

frida-interception-and-unpinning's People

Contributors

Stargazers

Watchers

Forkers

frida-interception-and-unpinning's Issues

Recommend Projects

Recommend Topics

Recommend Org