Android Anti-Instrumentation & SSL Pinning Bypass (Frida/Objection)
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the Discord group or the telegram group or follow us on Twitter @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
This page gives a practical workflow for restoring dynamic analysis of Android apps that detect or block instrumentation and root, or that enforce TLS pinning. It focuses on fast triage, the common detection techniques, and copy-pasteable hooks and tactics to get past them, without repacking where possible.
Detection Surface (what apps check)
- Root checks: su binary, Magisk paths, getprop values, common root packages
- Frida/debugger checks (Java): Debug.isDebuggerConnected(), ActivityManager.getRunningAppProcesses(), getRunningServices(), scanning /proc, classpath, loaded libs
- Native anti-debug: ptrace(), syscalls, anti-attach, breakpoints, inline hooks
- Early init checks: Application.onCreate() or process start hooks that crash if instrumentation is present
- TLS pinning: custom TrustManager/HostnameVerifier, OkHttp CertificatePinner, Conscrypt pinning, native pins
Step 1 - Quick win: hide root with Magisk DenyList
- Enable Zygisk in Magisk
- Enable DenyList and add the target package
- Reboot and re-test
Many apps only look for obvious indicators (su binary, Magisk paths, getprop values). DenyList often neutralises these naive checks: it unmounts Magisk's modifications and skips Zygisk injection for the listed process, so probes of that process's own mount namespace and loaded libraries stop seeing them.
References:
- Magisk (Zygisk & DenyList): https://github.com/topjohnwu/Magisk
Step 2 - 30-second Frida Codeshare tests
Try the common drop-in scripts before digging deeper:
- anti-root-bypass.js
- anti-frida-detection.js
- hide_frida_gum.js
Example:
frida -U -f com.example.app -l anti-frida-detection.js
These typically replace Java root/debug checks, process/service scans and native ptrace() with stubs. Useful for lightly protected apps; hardened targets usually need custom hooks. A script that calls Java.use() on a class the app does not contain aborts with a ClassNotFoundException in the Frida console, so check the console output before assuming the bypass is in place.
- Codeshare: https://codeshare.frida.re/
Automate with Medusa (Frida framework)
Medusa ships 90+ ready-made modules for SSL unpinning, root/emulator detection bypass, HTTP comms logging, crypto key interception and more.
git clone https://github.com/Ch0pin/medusa
cd medusa
pip install -r requirements.txt
python medusa.py
# Example interactive workflow
show categories
use http_communications/multiple_unpinner
use root_detection/universal_root_detection_bypass
run com.target.app
Tip: Medusa is excellent for quick wins before writing custom hooks. You can also cherry-pick modules and combine them with your own scripts.
Step 3 - Bypass init-time detectors by attaching late
Many detections only run during process spawn/onCreate(). Spawn-time injection (-f) or gadgets get caught; attaching after the UI has loaded can slip through. This defeats guards that run once and cache the result; a guard that polls periodically or re-checks on every sensitive call will still catch you.
# Launch the app normally (launcher/adb), wait for UI, then attach
frida -U -n com.example.app
# Or with Objection to attach to running process
objection --gadget com.example.app explore # if using gadget
If this works, keep the session stable and move on to mapping and stubbing the checks.
Step 4 - Map detection logic via Jadx and string hunting
Static triage keywords in Jadx:
- "frida", "gum", "root", "magisk", "ptrace", "su", "getprop", "debugger"
Typical Java pattern:
public boolean isFridaDetected() {
return getRunningServices().contains("frida");
}
Common APIs to review/hook:
- android.os.Debug.isDebuggerConnected
- android.app.ActivityManager.getRunningAppProcesses / getRunningServices
- java.lang.System.loadLibrary / System.load (native bridge)
- java.lang.Runtime.exec / ProcessBuilder (probing commands)
- android.os.SystemProperties.get (root/emulator heuristics)
Step 5 - Runtime stubbing with Frida (Java)
Override custom guards to return safe values without repacking:
Java.perform(() => {
// Stub the app's own guard (class and method names come from the Jadx triage; adapt them)
const Checks = Java.use('com.example.security.Checks');
Checks.isFridaDetected.implementation = function () { return false; };
// Neutralize debugger checks
const Debug = Java.use('android.os.Debug');
Debug.isDebuggerConnected.implementation = function () { return false; };
// Example: kill ActivityManager scans. Frida's Java bridge has no global `java`
// namespace, so get Collections through Java.use()
const AM = Java.use('android.app.ActivityManager');
const Collections = Java.use('java.util.Collections');
AM.getRunningAppProcesses.implementation = function () { return Collections.emptyList(); };
});
Triaging early crashes? Dump the loaded classes just before it dies to spot likely detection namespaces:
Java.perform(() => {
Java.enumerateLoadedClasses({
onMatch: n => console.log(n),
onComplete: () => console.log('Done')
});
});
// Quick root detection stub example (adapt to target package/class names)
Java.perform(() => {
try {
const RootChecker = Java.use('com.target.security.RootCheck');
RootChecker.isDeviceRooted.implementation = function () { return false; };
} catch (e) {
// class absent in this build: Java.use() threw ClassNotFoundException, nothing to stub
}
});
Log and neutralise suspect methods to confirm the execution flow:
Java.perform(() => {
const Det = Java.use('com.example.security.DetectionManager');
Det.checkFrida.implementation = function () {
console.log('checkFrida() called');
return false;
};
});
Bypass emulator/VM detection (Java stubs)
Common heuristics: Build.FINGERPRINT/MODEL/MANUFACTURER/HARDWARE containing generic/goldfish/ranchu/sdk; QEMU artefacts such as /dev/qemu_pipe and /dev/socket/qemud; the default MAC 02:00:00:00:00:00; the 10.0.2.x NAT range; missing telephony/sensors.
Quick spoof of Build fields:
Java.perform(function(){
var Build = Java.use('android.os.Build');
Build.MODEL.value = 'Pixel 7 Pro';
Build.MANUFACTURER.value = 'Google';
Build.BRAND.value = 'google';
Build.FINGERPRINT.value = 'google/panther/panther:14/UP1A.231105.003/1234567:user/release-keys';
});
Complement this with stubs for file-existence checks and identifiers (TelephonyManager.getDeviceId/SubscriberId, WifiInfo.getMacAddress, SensorManager.getSensorList) that return realistic values. Keep the spoofed values mutually consistent: a Pixel fingerprint next to a "goldfish" HARDWARE value or an empty sensor list is itself a tell.
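The root stubs from Step 5 and the emulator stubs above both come down to "which paths, properties and identifiers must the app not see". The script below, an added example that is not code from this page or any project, puts that policy in one place and drives the Java-level hooks (File probes, SystemProperties, Build, telephony/Wi-Fi identifiers) and native-level hooks (libc access/open/fopen) from it, so a guard that moves from `File.exists()` down to `access()` is caught by the same list. The spoofed Build values, properties and identifiers are constructed, and the hook installation is guarded so the policy helpers also load under plain Node for testing.

```javascript
// Added example: one hide-list for Java and native root/emulator probes (Frida script).
// Spoofed values below are constructed, not taken from a real device; adapt per target.
'use strict';

// Root/emulator artifacts from the page's detection surface
const HIDDEN_SUBSTRINGS = ['magisk', 'supersu', 'superuser', 'busybox', 'xposed', 'frida', 'qemu_pipe', 'qemud'];
const SPOOFED_BUILD = {
  MODEL: 'Pixel 7 Pro', MANUFACTURER: 'Google', BRAND: 'google', PRODUCT: 'panther',
  DEVICE: 'panther', HARDWARE: 'panther', TAGS: 'release-keys',
  FINGERPRINT: 'google/panther/panther:14/UP1A.231105.003/1234567:user/release-keys',
};
const SPOOFED_PROPS = {
  'ro.debuggable': '0', 'ro.secure': '1', 'ro.build.tags': 'release-keys',
  'ro.build.type': 'user', 'ro.kernel.qemu': '', 'ro.hardware': 'panther',
};
const SPOOFED_IDS = { imei: '353456789012345', mac: 'ac:37:43:12:34:56' };

// true if a file probe for this path should report "not found"
function shouldHidePath(p) {
  if (typeof p !== 'string') return false;
  const lower = p.toLowerCase();
  const base = lower.slice(lower.lastIndexOf('/') + 1);
  return base === 'su' || HIDDEN_SUBSTRINGS.some(s => lower.includes(s));
}

// value a property read should see: spoofed if listed, otherwise the real one
function spoofProp(key, realValue) {
  return Object.prototype.hasOwnProperty.call(SPOOFED_PROPS, key) ? SPOOFED_PROPS[key] : realValue;
}

// the heuristic the page attributes to apps; used to check that SPOOFED_BUILD passes it
function looksLikeEmulator(build) {
  const markers = /generic|goldfish|ranchu|sdk|emulator|vbox/i;
  return ['FINGERPRINT', 'MODEL', 'HARDWARE', 'PRODUCT'].some(k => markers.test(build[k] || ''));
}

function installJavaHooks() {
  Java.perform(function () {
    const Build = Java.use('android.os.Build');
    Object.keys(SPOOFED_BUILD).forEach(k => { Build[k].value = SPOOFED_BUILD[k]; });

    // Java-level file probes: inside a hook, this.<method>() calls the original
    const File = Java.use('java.io.File');
    ['exists', 'isFile', 'canExecute', 'canRead'].forEach(name => {
      File[name].implementation = function () {
        if (shouldHidePath(this.getAbsolutePath())) return false;
        return this[name]();
      };
    });

    // getprop-style reads used by root and emulator heuristics
    const SP = Java.use('android.os.SystemProperties');
    const get1 = SP.get.overload('java.lang.String');
    get1.implementation = function (k) { return spoofProp(k, get1.call(this, k)); };
    const get2 = SP.get.overload('java.lang.String', 'java.lang.String');
    get2.implementation = function (k, d) { return spoofProp(k, get2.call(this, k, d)); };

    // identifiers that are empty or generic on emulators
    const TM = Java.use('android.telephony.TelephonyManager');
    TM.getDeviceId.overload().implementation = function () { return SPOOFED_IDS.imei; };
    const WifiInfo = Java.use('android.net.wifi.WifiInfo');
    WifiInfo.getMacAddress.implementation = function () { return SPOOFED_IDS.mac; };
  });
}

function installNativeHooks() {
  const libc = 'libc.so';
  // access(): report the hidden path as missing
  const accessPtr = Module.findExportByName(libc, 'access');
  if (accessPtr) {
    Interceptor.attach(accessPtr, {
      onEnter(args) { this.hide = shouldHidePath(args[0].readUtf8String()); },
      onLeave(retval) { if (this.hide) retval.replace(-1); },
    });
  }
  // open()/fopen(): redirect the hidden path to one that does not exist
  ['open', 'fopen'].forEach(fn => {
    const p = Module.findExportByName(libc, fn);
    if (!p) return;
    Interceptor.attach(p, {
      onEnter(args) {
        if (shouldHidePath(args[0].readUtf8String())) {
          this.redirect = Memory.allocUtf8String('/nonexistent');   // kept alive until onLeave
          args[0] = this.redirect;
        }
      },
    });
  });
}

// Install only when loaded by Frida; under Node only the policy helpers are defined
if (typeof Java !== 'undefined' && typeof Interceptor !== 'undefined') {
  installJavaHooks();
  installNativeHooks();
}
```

Callers that inline the `openat` syscall instead of going through libc exports are not covered by `Interceptor.attach` on `open`; if a native guard still sees the artifacts, trace the syscall layer or fall back to the Magisk DenyList from Step 1, which hides the files at the mount level.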
SSL pinning bypass quick hook (Java)
Neutralise custom TrustManagers and force a permissive SSL context:
Java.perform(function(){
var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
var SSLContext = Java.use('javax.net.ssl.SSLContext');
// X509TrustManager is an interface: it has no implementation to replace and cannot be
// instantiated with $new(), so register a concrete class whose checks are no-ops
var PermissiveTrustManager = Java.registerClass({
name: 'com.hacktricks.PermissiveTrustManager',
implements: [X509TrustManager],
methods: {
checkClientTrusted: function (chain, authType) { },
checkServerTrusted: function (chain, authType) { },
getAcceptedIssuers: function () { return []; }
}
});
// Force every SSLContext to be initialised with the permissive TrustManager
var TrustManagers = [ PermissiveTrustManager.$new() ];
var SSLContextInit = SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;','[Ljavax.net.ssl.TrustManager;','java.security.SecureRandom');
SSLContextInit.implementation = function(km, tm, sr){
return SSLContextInit.call(this, km, TrustManagers, sr);
};
});
Notes
- Extend for OkHttp: hook okhttp3.CertificatePinner and the HostnameVerifier as needed, or use a universal unpinning script from CodeShare. The hook above only covers code that builds its TLS stack through SSLContext.init(); OkHttp's CertificatePinner runs its own check after the handshake and is untouched by it.
- Run example:
frida -U -f com.target.app -l ssl-bypass.js --no-pause
(--no-pause belongs to frida-tools before Frida 16; Frida 16+ resumes the spawned process by default and offers --pause for the old behaviour.)
Step 6 - Follow the JNI/native trail when Java hooks fail
Trace JNI entry points to find native loaders and detection init:
frida-trace -n com.example.app -i "JNI_OnLoad"
(-n attaches to the running process, so the JNI_OnLoad of libraries loaded at startup has already fired; spawn with -f when you need those.)
Quick native triage of bundled .so files:
# List exported symbols & JNI
nm -D libfoo.so | head
objdump -T libfoo.so | grep Java_
strings -n 6 libfoo.so | egrep -i 'frida|ptrace|gum|magisk|su|root'
Interactive/native reversing:
- Ghidra: https://ghidra-sre.org/
- r2frida: https://github.com/nowsecure/r2frida
Example: neutralise ptrace to get past simple anti-debug in libc. The usual self-protection calls ptrace(PTRACE_TRACEME) (or forks a child that attaches to the parent) and treats a failure as "debugger present", so the stub returns 0, i.e. success; invert it if the target's check expects the opposite. Interceptor.replace only catches callers that go through the exported libc symbol, not inline syscalls:
const ptrace = Module.findExportByName(null, 'ptrace');
if (ptrace) {
Interceptor.replace(ptrace, new NativeCallback(function () {
return 0; // pretend success: the app believes it traced itself, nothing is actually traced
}, 'long', ['int', 'int', 'pointer', 'pointer']));
}
See also: Reversing Native Libraries
Step 7 - Objection patching (embed gadget / strip basics)
When you prefer repacking over runtime hooks, try:
objection patchapk --source app.apk
Notes:
- Requires apktool; make sure you have a current version from the official guide to avoid build issues: https://apktool.org/docs/install
- Gadget injection enables instrumentation without root, but can still be caught by stronger init-time checks (the gadget .so is mapped in-process and shows up in /proc/self/maps unless renamed).
Optionally add LSPosed modules and Shamiko for stronger root hiding in Zygisk environments, and configure the DenyList to cover child processes.
References:
- Objection: https://github.com/sensepost/objection
Step 8 - Fallback: patch TLS pinning for network visibility
If instrumentation is blocked, you can still inspect traffic by removing pinning statically:
apk-mitm app.apk
# Then install the patched APK and proxy via Burp/mitmproxy
- Tool: https://github.com/shroudedcode/apk-mitm
- For network security config CA-trust tricks (and Android 7+ user CA trust), see:
Make APK Accept CA Certificate
Handy command cheat-sheet
# List processes and attach
frida-ps -Uai
frida -U -n com.example.app
# Spawn with a script (may trigger detectors)
frida -U -f com.example.app -l anti-frida-detection.js
# Trace native init
frida-trace -n com.example.app -i "JNI_OnLoad"
# Objection runtime
objection --gadget com.example.app explore
# Static TLS pinning removal
apk-mitm app.apk
Universal proxy enforcement + TLS unpinning (HTTP Toolkit Frida hooks)
Modern apps often ignore system proxies and enforce several layers of pinning (Java + native), which makes traffic capture hard even with user/system CAs installed. A practical approach is to combine universal TLS unpinning with proxy enforcement via ready-made Frida hooks, and route everything through mitmproxy/Burp.
Workflow
- Run mitmproxy on your host (or Burp). Make sure the device can reach the host IP/port.
- Load HTTP Toolkit's bundled Frida hooks to both unpin TLS and force proxy use across the common stacks (OkHttp/OkHttp3, HttpsURLConnection, Conscrypt, WebView, etc.). They bypass CertificatePinner/TrustManager checks and override proxy selectors, so traffic is always sent via your proxy even when the app explicitly disables proxies.
- Launch the target app with Frida and the hook script, and capture requests in mitmproxy.
Example
# Device connected via ADB or over network (-U)
# See the repo for the exact script names & options
frida -U -f com.vendor.app \
-l ./android-unpinning-with-proxy.js \
--no-pause
# mitmproxy listening locally
mitmproxy -p 8080
Notes
- Combine this with a system-wide proxy via
adb shell settings put global http_proxy <host>:<port>
where possible. The Frida hooks will force proxy use even when apps bypass the global settings.
- This technique is ideal when you need a MITM on mobile-to-IoT onboarding flows, where pinning and proxy avoidance are common.
- Hooks: https://github.com/httptoolkit/frida-interception-and-unpinning
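Both the "SSL pinning bypass quick hook" section and this one describe the same two jobs: take every pinning layer out of the path, and make the app talk to your proxy whether it wants to or not. The script below is an added example of that combination, not code from this page, from HTTP Toolkit or from any other project; it is useful for understanding what such universal hooks do and as a starting point when one of them misses a layer. The proxy address, the names of the two classes it registers, and the OkHttp/Conscrypt class paths are assumptions (10.0.2.2 only reaches the host from the Android emulator), and the hook installation is guarded so the spec parser also loads under plain Node.

```javascript
// Added example: multi-layer TLS unpinning + proxy forcing as a single Frida script.
// PROXY_SPEC and the registered class names are assumptions; adapt per target.
'use strict';

const PROXY_SPEC = '10.0.2.2:8080';

// "host:port" (IPv6 in brackets) -> { host, port }; rejects bad specs before any hook runs
function parseProxySpec(spec) {
  const m = /^(\[[^\]]+\]|[^:\s]+):(\d{1,5})$/.exec(String(spec).trim());
  if (!m) throw new Error('proxy spec must be host:port');
  const port = Number(m[2]);
  if (port < 1 || port > 65535) throw new Error('port out of range: ' + port);
  return { host: m[1].replace(/^\[|\]$/g, ''), port };
}

// Each layer is independent: a missing class (app without OkHttp, older Conscrypt) is logged, not fatal
function layer(name, fn) {
  try { fn(); console.log('[+] ' + name); } catch (e) { console.log('[-] ' + name + ': ' + e.message); }
}

function installHooks() {
  Java.perform(function () {
    const proxy = parseProxySpec(PROXY_SPEC);
    let forced, selector;   // shared between the java.net and OkHttp proxy layers

    layer('Conscrypt TrustManagerImpl.verifyChain', () => {
      const TMI = Java.use('com.android.org.conscrypt.TrustManagerImpl');
      // arity differs across Android versions; returning the untrusted chain skips validation in all of them
      TMI.verifyChain.overloads.forEach(o => { o.implementation = function () { return arguments[0]; }; });
    });

    layer('OkHttp3 CertificatePinner', () => {
      const CP = Java.use('okhttp3.CertificatePinner');
      ['check', 'check$okhttp'].forEach(n => {        // Kotlin builds expose check$okhttp
        if (CP[n]) CP[n].overloads.forEach(o => { o.implementation = function () { console.log('[unpin] ' + arguments[0]); }; });
      });
    });

    layer('HttpsURLConnection hostname verifier', () => {
      const PermissiveHV = Java.registerClass({
        name: 'com.example.frida.PermissiveHostnameVerifier',
        implements: [Java.use('javax.net.ssl.HostnameVerifier')],
        methods: { verify: function (host, session) { return true; } },
      });
      const HUC = Java.use('javax.net.ssl.HttpsURLConnection');
      const setDefault = HUC.setDefaultHostnameVerifier, setOne = HUC.setHostnameVerifier;
      setDefault.implementation = function () { setDefault.call(this, PermissiveHV.$new()); };
      setOne.implementation = function () { setOne.call(this, PermissiveHV.$new()); };
      HUC.setDefaultHostnameVerifier(PermissiveHV.$new());   // replace whatever was set before we attached
    });

    layer('WebView SSL errors', () => {
      const WVC = Java.use('android.webkit.WebViewClient');
      WVC.onReceivedSslError.overload('android.webkit.WebView', 'android.webkit.SslErrorHandler', 'android.net.http.SslError')
        .implementation = function (view, handler, error) { handler.proceed(); };
    });

    layer('java.net ProxySelector', () => {
      const Proxy = Java.use('java.net.Proxy'), ProxyType = Java.use('java.net.Proxy$Type');
      const InetSocketAddress = Java.use('java.net.InetSocketAddress'), ArrayList = Java.use('java.util.ArrayList');
      const ProxySelector = Java.use('java.net.ProxySelector');
      forced = Proxy.$new(ProxyType.HTTP.value, InetSocketAddress.$new(proxy.host, proxy.port));
      const Forced = Java.registerClass({
        name: 'com.example.frida.ForcedProxySelector',
        superClass: ProxySelector,
        methods: {
          select: { returnType: 'java.util.List', argumentTypes: ['java.net.URI'],
            implementation: function (uri) { const l = ArrayList.$new(); l.add(forced); return l; } },
          connectFailed: { returnType: 'void', argumentTypes: ['java.net.URI', 'java.net.SocketAddress', 'java.io.IOException'],
            implementation: function () {} },
        },
      });
      selector = Forced.$new();
      ProxySelector.setDefault(selector);
      ProxySelector.getDefault.implementation = function () { return selector; };
      ProxySelector.setDefault.implementation = function () { /* ignore the app's own resets */ };
    });

    layer('OkHttp3 explicit proxy settings', () => {
      const Builder = Java.use('okhttp3.OkHttpClient$Builder');
      // apps that pass Proxy.NO_PROXY or their own selector to opt out of proxies
      Builder.proxy.implementation = function () { return this.proxy(forced); };
      Builder.proxySelector.implementation = function () { return this.proxySelector(selector); };
    });
  });
}

// Install only under Frida; parseProxySpec stays loadable (and testable) under plain Node
if (typeof Java !== 'undefined') installHooks();
```

Load it with `frida -U -f com.vendor.app -l unpin-and-proxy.js` and watch the `[+]`/`[-]` lines: a `[-]` on the OkHttp layers is normal for apps that do not bundle OkHttp, while a `[-]` on TrustManagerImpl means the Conscrypt class path differs on that Android build and the unpinning is not in place. Native pinning (a vendored BoringSSL or curl inside a .so) is outside what these Java hooks reach and needs the Step 6 approach.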
References
- Reversing Android Apps: Bypassing Detection Like a Pro
- Frida Codeshare
- Objection
- apk-mitm
- Jadx
- Ghidra
- r2frida
- Apktool install guide
- Magisk
- Medusa (Android Frida framework)
- Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa