HackTricksAndroid Anti-Instrumentation & SSL Pinning Bypass (Frida/Objection)
Reading time: 9 minutes
tip
Učite i vežbajte AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Učite i vežbajte Azure Hacking: 
HackTricks Training Azure Red Team Expert (AzRTE)
Podržite HackTricks
- Proverite planove pretplate!
- Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.
- Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.
Ova stranica pruža praktičan workflow za ponovnu dinamičku analizu Android aplikacija koje detektuju/blokiraju instrumentation zbog root-a ili primenjuju TLS pinning. Fokusira se na brzu trijažu, uobičajene detekcije i copy‑pasteable hooks/tactics za njihovo zaobilaženje bez repackovanja kada je to moguće.
Detection Surface (what apps check)
- Root provere: su binary, Magisk paths, getprop values, uobičajeni root paketi
- Frida/debugger provere (Java): Debug.isDebuggerConnected(), ActivityManager.getRunningAppProcesses(), getRunningServices(), scanning /proc, classpath, loaded libs
- Native anti‑debug: ptrace(), syscalls, anti‑attach, breakpoints, inline hooks
- Early init provere: Application.onCreate() ili process start hooks koji crashuju ako instrumentation postoji
- TLS pinning: custom TrustManager/HostnameVerifier, OkHttp CertificatePinner, Conscrypt pinning, native pins
Step 1 — Quick win: hide root with Magisk DenyList
- Enable Zygisk in Magisk
- Enable DenyList, add the target package
- Reboot and retest
Mnoge aplikacije proveravaju samo očigledne indikatore (su/Magisk paths/getprop). DenyList često neutralizuje naivne provere.
References:
- Magisk (Zygisk & DenyList): https://github.com/topjohnwu/Magisk
Step 2 — 30‑second Frida Codeshare tests
Isprobaj uobičajene drop‑in skripte pre dubljeg uranjanja:
- anti-root-bypass.js
- anti-frida-detection.js
- hide_frida_gum.js
Example:
frida -U -f com.example.app -l anti-frida-detection.js
Obično stub-uju Java root/debug checks, process/service scans i native ptrace(). Korisno za lightly protected apps; hardened targets mogu zahtevati prilagođene hooks.
- Codeshare: https://codeshare.frida.re/
Automatizuj pomoću Medusa (Frida framework)
Medusa pruža 90+ gotovih modula za SSL unpinning, root/emulator detection bypass, HTTP comms logging, crypto key interception i još mnogo toga.
git clone https://github.com/Ch0pin/medusa
cd medusa
pip install -r requirements.txt
python medusa.py
# Example interactive workflow
show categories
use http_communications/multiple_unpinner
use root_detection/universal_root_detection_bypass
run com.target.app
Savet: Medusa je odličan za brze pobede pre nego što napišete custom hooks. Takođe možete cherry-pick modules i kombinovati ih sa sopstvenim scripts.
Korak 3 — Zaobiđite detektore u fazi inicijalizacije tako što ćete se zakačiti kasnije
Mnoge detekcije se izvršavaju samo tokom process spawn/onCreate(). Spawn‑time injection (-f) ili gadgets bivaju otkriveni; prikačivanje nakon učitavanja UI-a može proći neopaženo.
# Launch the app normally (launcher/adb), wait for UI, then attach
frida -U -n com.example.app
# Or with Objection to attach to running process
aobjection --gadget com.example.app explore # if using gadget
Ako ovo uspe, zadržite sesiju stabilnom i pređite na mapiranje i provere stub-ova.
Korak 4 — Mapiranje logike detekcije pomoću Jadx-a i pretraga stringova
Statičke ključne reči za trijažu u Jadx-u:
- "frida", "gum", "root", "magisk", "ptrace", "su", "getprop", "debugger"
Tipični Java obrasci:
public boolean isFridaDetected() {
return getRunningServices().contains("frida");
}
Uobičajeni API-ji za pregled/hook:
- android.os.Debug.isDebuggerConnected
- android.app.ActivityManager.getRunningAppProcesses / getRunningServices
- java.lang.System.loadLibrary / System.load (native bridge)
- java.lang.Runtime.exec / ProcessBuilder (probing commands)
- android.os.SystemProperties.get (root/emulator heuristics)
Korak 5 — Runtime stubbing with Frida (Java)
Nadjačajte prilagođene provere da vrate bezbedne vrednosti bez repackiranja:
Java.perform(() => {
const Checks = Java.use('com.example.security.Checks');
Checks.isFridaDetected.implementation = function () { return false; };
// Neutralize debugger checks
const Debug = Java.use('android.os.Debug');
Debug.isDebuggerConnected.implementation = function () { return false; };
// Example: kill ActivityManager scans
const AM = Java.use('android.app.ActivityManager');
AM.getRunningAppProcesses.implementation = function () { return java.util.Collections.emptyList(); };
});
Trijaža ranih padova? Dumpuj klase neposredno pre nego što padne da bi uočio verovatne namespace-ove za detekciju:
Java.perform(() => {
Java.enumerateLoadedClasses({
onMatch: n => console.log(n),
onComplete: () => console.log('Done')
});
});
// Quick root detection stub example (adapt to target package/class names) Java.perform(() => { try { const RootChecker = Java.use('com.target.security.RootCheck'); RootChecker.isDeviceRooted.implementation = function () { return false; }; } catch (e) {} });
Zabeležite i onesposobite sumnjive metode kako biste potvrdili tok izvršavanja:
Java.perform(() => {
const Det = Java.use('com.example.security.DetectionManager');
Det.checkFrida.implementation = function () {
console.log('checkFrida() called');
return false;
};
});
Bypass emulator/VM detection (Java stubs)
Uobičajene heuristike: Build.FINGERPRINT/MODEL/MANUFACTURER/HARDWARE koji sadrže generic/goldfish/ranchu/sdk; QEMU artefakti poput /dev/qemu_pipe, /dev/socket/qemud; podrazumevani MAC 02:00:00:00:00:00; 10.0.2.x NAT; nedostatak telephony/sensors.
Quick spoof of Build fields:
Java.perform(function(){
var Build = Java.use('android.os.Build');
Build.MODEL.value = 'Pixel 7 Pro';
Build.MANUFACTURER.value = 'Google';
Build.BRAND.value = 'google';
Build.FINGERPRINT.value = 'google/panther/panther:14/UP1A.231105.003/1234567:user/release-keys';
});
Dopunite sa stubovima za provere postojanja fajlova i identifikatore (TelephonyManager.getDeviceId/SubscriberId, WifiInfo.getMacAddress, SensorManager.getSensorList) tako da vraćaju realistične vrednosti.
SSL pinning bypass quick hook (Java)
Neutralizujte custom TrustManagers i prisilite permissive SSL contexts:
Java.perform(function(){
var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
var SSLContext = Java.use('javax.net.ssl.SSLContext');
// No-op validations
X509TrustManager.checkClientTrusted.implementation = function(){ };
X509TrustManager.checkServerTrusted.implementation = function(){ };
// Force permissive TrustManagers
var TrustManagers = [ X509TrustManager.$new() ];
var SSLContextInit = SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;','[Ljavax.net.ssl.TrustManager;','java.security.SecureRandom');
SSLContextInit.implementation = function(km, tm, sr){
return SSLContextInit.call(this, km, TrustManagers, sr);
};
});
Beleške
- Proširi za OkHttp: hook okhttp3.CertificatePinner i HostnameVerifier po potrebi, ili koristi univerzalni unpinning script sa CodeShare.
- Primer pokretanja:
frida -U -f com.target.app -l ssl-bypass.js --no-pause
Korak 6 — Prati JNI/native trag kada Java hooks zakažu
Prati JNI entry points da bi pronašao native loadere i inicijalizaciju detekcije:
frida-trace -n com.example.app -i "JNI_OnLoad"
Brza nativna trijaža priloženih .so fajlova:
# List exported symbols & JNI
nm -D libfoo.so | head
objdump -T libfoo.so | grep Java_
strings -n 6 libfoo.so | egrep -i 'frida|ptrace|gum|magisk|su|root'
Interaktivno/nativno reverzno inženjerstvo:
- Ghidra: https://ghidra-sre.org/
- r2frida: https://github.com/nowsecure/r2frida
Primer: onesposobiti ptrace da zaobiđete jednostavan anti‑debug u libc:
const ptrace = Module.findExportByName(null, 'ptrace');
if (ptrace) {
Interceptor.replace(ptrace, new NativeCallback(function () {
return -1; // pretend failure
}, 'int', ['int', 'int', 'pointer', 'pointer']));
}
Vidi takođe: Reversing Native Libraries
Korak 7 — Objection patching (embed gadget / strip basics)
Ako više volite repacking umesto runtime hooks, pokušajte:
objection patchapk --source app.apk
Napomene:
- Requires apktool; ensure a current version from the official guide to avoid build issues: https://apktool.org/docs/install
- Gadget injection enables instrumentation without root but can still be caught by stronger init‑time checks.
Po želji, dodajte LSPosed modules i Shamiko za jače skrivanje root-a u Zygisk okruženjima, i uredite DenyList da obuhvati child processes.
For a complete workflow including script-mode Gadget configuration and bundling your Frida 17+ agent into the APK, see:
Frida Tutorial — Self-contained agent + Gadget embedding
References:
- Objection: https://github.com/sensepost/objection
Korak 8 — Fallback: Patch TLS pinning for network visibility
Ako je instrumentation blokirana, i dalje možete da pregledate saobraćaj statičkim uklanjanjem pinning-a:
apk-mitm app.apk
# Then install the patched APK and proxy via Burp/mitmproxy
- Alat: https://github.com/shroudedcode/apk-mitm
- Za trikove vezane za network config CA‑trust (i Android 7+ user CA trust), pogledajte:
Make APK Accept CA Certificate
Korisna lista komandi
# List processes and attach
frida-ps -Uai
frida -U -n com.example.app
# Spawn with a script (may trigger detectors)
frida -U -f com.example.app -l anti-frida-detection.js
# Trace native init
frida-trace -n com.example.app -i "JNI_OnLoad"
# Objection runtime
objection --gadget com.example.app explore
# Static TLS pinning removal
apk-mitm app.apk
Univerzalno prisiljavanje korišćenja proxy-ja + TLS unpinning (HTTP Toolkit Frida hooks)
Moderne aplikacije često ignorišu sistemske proxy-je i primenjuju više slojeva pinning-a (Java + native), što čini presretanje saobraćaja bolnim čak i kada su user/system CAs instalirane. Praktičan pristup je kombinovanje univerzalnog TLS unpinning-a sa prisiljavanjem proxy-ja koristeći gotove Frida hooks, i preusmeravanje svega kroz mitmproxy/Burp.
Workflow
- Pokrenite mitmproxy na vašem hostu (ili Burp). Osigurajte da uređaj može da dosegne host IP/port.
- Učitajte HTTP Toolkit’s consolidated Frida hooks kako biste simultano unpinovali TLS i prisilili korišćenje proxy-ja kroz uobičajene stack-ove (OkHttp/OkHttp3, HttpsURLConnection, Conscrypt, WebView, itd.). Ovo zaobilazi CertificatePinner/TrustManager provere i prepisuje proxy selectors, tako da se saobraćaj uvek šalje preko vašeg proxy-ja čak i ako aplikacija eksplicitno onemogućava proxy-je.
- Pokrenite ciljnu aplikaciju sa Frida i hook skriptom, i presrećite zahteve u mitmproxy.
Primer
# Device connected via ADB or over network (-U)
# See the repo for the exact script names & options
frida -U -f com.vendor.app \
-l ./android-unpinning-with-proxy.js \
--no-pause
# mitmproxy listening locally
mitmproxy -p 8080
Notes
- Kombinujte sa sistemskim proxy-jem koristeći
adb shell settings put global http_proxy <host>:<port>kada je to moguće. Frida hooks će primorati korišćenje proxy-ja čak i kada aplikacije zaobilaze globalna podešavanja. - Ova tehnika je idealna kada treba da izvedete MITM mobile-to-IoT onboarding flows gde je pinning/proxy avoidance uobičajeno.
- Hooks: https://github.com/httptoolkit/frida-interception-and-unpinning
References
- Reversing Android Apps: Bypassing Detection Like a Pro
- Frida Codeshare
- Objection
- apk-mitm
- Jadx
- Ghidra
- r2frida
- Apktool install guide
- Magisk
- Medusa (Android Frida framework)
- Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa
tip
Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Podržite HackTricks
- Proverite planove pretplate!
- Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.
- Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.