Android Anti-Instrumentation & SSL Pinning Bypass (Frida/Objection)

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

This page gives a practical workflow for restoring dynamic analysis against Android apps that detect or block instrumentation on rooted devices, or that enforce TLS pinning. It focuses on fast triage, the common detections, and copy-pasteable hooks/tactics to get past them without repacking where possible.

Detection Surface (what apps check)

  • Root checks: su binary, Magisk paths, getprop values, common root packages
  • Frida/debugger checks (Java): Debug.isDebuggerConnected(), ActivityManager.getRunningAppProcesses(), getRunningServices(), scanning /proc, classpath, loaded libs
  • Native anti‑debug: ptrace(), syscalls, anti‑attach, breakpoints, inline hooks
  • Early init checks: Application.onCreate() or process start hooks that crash if instrumentation is present
  • TLS pinning: custom TrustManager/HostnameVerifier, OkHttp CertificatePinner, Conscrypt pinning, native pins

Step 1 — Quick win: hide root with Magisk DenyList

  • Enable Zygisk in Magisk
  • Enable DenyList and add the target package
  • Reboot and retest

Many apps only look for obvious indicators (su/Magisk paths/getprop). DenyList often silences these basic checks.

References:

  • Magisk (Zygisk & DenyList): https://github.com/topjohnwu/Magisk

Step 2 — 30‑second Frida Codeshare tests

Try the common drop-in scripts before digging deeper:

  • anti-root-bypass.js
  • anti-frida-detection.js
  • hide_frida_gum.js

Example:

frida -U -f com.example.app -l anti-frida-detection.js

These typically stub the Java root/debug checks, process/service scans, and native ptrace(). They work on lightly protected apps; hardened targets may need tailored hooks.

  • Codeshare: https://codeshare.frida.re/

Automate with Medusa (Frida framework)

Medusa ships more than 90 ready-made modules for SSL unpinning, root/emulator detection bypass, HTTP comms logging, crypto key interception, and more.

git clone https://github.com/Ch0pin/medusa
cd medusa
pip install -r requirements.txt
python medusa.py

# Example interactive workflow
show categories
use http_communications/multiple_unpinner
use root_detection/universal_root_detection_bypass
run com.target.app

Notes: Medusa is good for quick wins before writing custom hooks. You can also pick individual modules and combine them with your own scripts.

Step 3 — Bypass init-time detectors by attaching late

Many detectors only run during process spawn/onCreate(). Spawn-time injection (-f) or gadgets get caught there; attaching after the UI has loaded may slip past them.

# Launch the app normally (launcher/adb), wait for the UI, then attach
frida -U -n com.example.app
# Or with Objection, attaching to the running process
objection --gadget com.example.app explore  # if using gadget

If this works, keep the session stable and move on to mapping and stubbing the checks.

Step 4 — Map the detection logic with Jadx and string search

Static triage keywords in Jadx:

  • "frida", "gum", "root", "magisk", "ptrace", "su", "getprop", "debugger"

Typical Java patterns:

public boolean isFridaDetected() {
    return getRunningServices().contains("frida");
}

Common APIs to review/hook:

  • android.os.Debug.isDebuggerConnected
  • android.app.ActivityManager.getRunningAppProcesses / getRunningServices
  • java.lang.System.loadLibrary / System.load (native bridge)
  • java.lang.Runtime.exec / ProcessBuilder (probe commands)
  • android.os.SystemProperties.get (root/emulator heuristics)
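As a triage aid for the keyword and API lists above, here is a small Python scanner (added example, not code from the original page) that walks Jadx-style decompiled source, flags the indicators, and reports the enclosing class and method, which are exactly the names the runtime stubs need. The sample Java input and the com.example.security.Checks class are constructed for the demo.

```python
import re

# Indicator lists taken from the triage keywords and the APIs listed above.
KEYWORDS = ["frida", "gum", "root", "magisk", "ptrace", "su", "getprop", "debugger"]
DETECTION_APIS = ["Debug.isDebuggerConnected", "getRunningAppProcesses", "getRunningServices",
                  "System.loadLibrary", "System.load(", "Runtime.getRuntime().exec",
                  "ProcessBuilder", "SystemProperties.get"]

# Heuristic regexes for Jadx-style decompiled Java; a real parser is not needed for triage.
PACKAGE_RE = re.compile(r"^\s*package\s+([\w.]+);")
CLASS_RE = re.compile(r"^\s*(?:public|final|abstract|\s)*class\s+(\w+)")
METHOD_RE = re.compile(r"^\s*(?:public|private|protected|static|final|synchronized|\s)*"
                       r"[\w<>\[\],.]+\s+(\w+)\s*\([^)]*\)\s*(?:throws [\w., ]+)?\s*\{")

def triage_source(java_source):
    """Return (class, enclosing method, line, indicator) for every keyword/API hit."""
    hits, package, cls, method = [], "", "", "<init/field>"
    for lineno, line in enumerate(java_source.splitlines(), 1):
        if m := PACKAGE_RE.match(line):
            package = m.group(1)
            continue
        if m := CLASS_RE.match(line):
            cls = f"{package}.{m.group(1)}" if package else m.group(1)
            continue
        if m := METHOD_RE.match(line):
            method = m.group(1)  # lines until the next declaration belong to this method
        hits += [(cls, method, lineno, api) for api in DETECTION_APIS if api in line]
        # Keywords count only as whole words inside string literals, so "su" does not fire on "result".
        hits += [(cls, method, lineno, f'"{kw}"') for kw in KEYWORDS
                 if re.search(r'"[^"]*\b' + kw + r'\b[^"]*"', line.lower())]
    return hits

def hook_targets(hits):
    """Unique class.method names worth stubbing at runtime; field-level hits are excluded."""
    return sorted({f"{c}.{m}" for c, m, _, _ in hits if m != "<init/field>"})

# Constructed sample mimicking a Jadx-decompiled guard class (not from any real app).
SAMPLE_JAVA = """\
package com.example.security;
public class Checks {
    private static final String SU_PATH = "/system/bin/su";
    public boolean isFridaDetected() {
        return getRunningServices().contains("frida") || android.os.Debug.isDebuggerConnected();
    }
    public boolean isRooted() {
        return new java.io.File(SU_PATH).exists() || exec("getprop ro.debuggable");
    }
}
"""
```

Run triage_source over each file under the Jadx output directory and feed hook_targets into the Step 5 stubs.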

Step 5 — Runtime stubbing with Frida (Java)

Override the custom guards so they return safe values, without repacking:

Java.perform(() => {
  const Checks = Java.use('com.example.security.Checks');
  Checks.isFridaDetected.implementation = function () { return false; };

  // Neutralize debugger checks
  const Debug = Java.use('android.os.Debug');
  Debug.isDebuggerConnected.implementation = function () { return false; };

  // Example: kill ActivityManager scans. Note the bare `java` package is not a
  // global in Frida's JS runtime, so Collections has to be resolved via Java.use
  const AM = Java.use('android.app.ActivityManager');
  const Collections = Java.use('java.util.Collections');
  AM.getRunningAppProcesses.implementation = function () { return Collections.emptyList(); };
});

Debugging early crashes? Dump the loaded classes just before the crash to spot likely detection namespaces:

Java.perform(() => {
  Java.enumerateLoadedClasses({
    onMatch: n => console.log(n),
    onComplete: () => console.log('Done')
  });
});

// Quick root detection stub example (adapt to target package/class names)
Java.perform(() => {
  try {
    const RootChecker = Java.use('com.target.security.RootCheck');
    RootChecker.isDeviceRooted.implementation = function () { return false; };
  } catch (e) {
    // class not loaded (yet) or named differently; ignore
  }
});

Log and neuter suspicious methods to confirm the execution flow:

Java.perform(() => {
  const Det = Java.use('com.example.security.DetectionManager');
  Det.checkFrida.implementation = function () {
    console.log('checkFrida() called');
    return false;
  };
});

Bypass emulator/VM detection (Java stubs)

Common signals: Build.FINGERPRINT/MODEL/MANUFACTURER/HARDWARE containing generic/goldfish/ranchu/sdk; QEMU artifacts such as /dev/qemu_pipe and /dev/socket/qemud; the default MAC 02:00:00:00:00:00; 10.0.2.x NAT addressing; missing telephony/sensors.

Quick spoof of Build fields:

Java.perform(function () {
  var Build = Java.use('android.os.Build');
  Build.MODEL.value = 'Pixel 7 Pro';
  Build.MANUFACTURER.value = 'Google';
  Build.BRAND.value = 'google';
  Build.FINGERPRINT.value = 'google/panther/panther:14/UP1A.231105.003/1234567:user/release-keys';
});

Add stubs for the file-existence checks and identifiers (TelephonyManager.getDeviceId/SubscriberId, WifiInfo.getMacAddress, SensorManager.getSensorList) so they return realistic values.

SSL pinning bypass quick hook (Java)

Silence custom TrustManagers and force permissive SSL contexts:

Java.perform(function () {
  var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
  var SSLContext = Java.use('javax.net.ssl.SSLContext');

  // X509TrustManager is an interface, so it has no implementation to override
  // (and cannot be $new()'d); register a concrete class whose checks are no-ops instead
  var PermissiveTM = Java.registerClass({
    name: 'com.example.PermissiveTrustManager',
    implements: [X509TrustManager],
    methods: {
      checkClientTrusted: function (chain, authType) { },
      checkServerTrusted: function (chain, authType) { },
      getAcceptedIssuers: function () { return []; }
    }
  });
  var TrustManagers = [PermissiveTM.$new()];

  // Swap in the permissive TrustManager whenever an SSLContext is initialised
  var SSLContextInit = SSLContext.init.overload(
    '[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom');
  SSLContextInit.implementation = function (km, tm, sr) {
    SSLContextInit.call(this, km, TrustManagers, sr);
  };
});

Notes

  • Extend for OkHttp: hook okhttp3.CertificatePinner and HostnameVerifier where needed, or use a universal unpinning script from CodeShare.
  • Example run: frida -U -f com.target.app -l ssl-bypass.js --no-pause

Step 6 — Follow the JNI/native path when Java hooks fail

Trace JNI entry points to find native loaders and detection init:

frida-trace -n com.example.app -i "JNI_OnLoad"

Quick inspection of the bundled .so files:

# List exported symbols & JNI
nm -D libfoo.so | head
objdump -T libfoo.so | grep Java_
strings -n 6 libfoo.so | egrep -i 'frida|ptrace|gum|magisk|su|root'

Interactive/native reversing:

  • Ghidra: https://ghidra-sre.org/
  • r2frida: https://github.com/nowsecure/r2frida

Example: neuter ptrace to defeat simple anti-debug in libc:

// Frida < 17 API; on Frida 17+ resolve with Module.findGlobalExportByName('ptrace')
const ptrace = Module.findExportByName(null, 'ptrace');
if (ptrace) {
  Interceptor.replace(ptrace, new NativeCallback(function () {
    return -1; // pretend failure
  }, 'int', ['int', 'int', 'pointer', 'pointer']));
}

See also: Reversing Native Libraries

Step 7 — Objection patching (embed gadget / strip basics)

If you prefer repacking over runtime hooks, try:

objection patchapk --source app.apk

Notes:

  • Requires apktool; make sure you have a current version per the official guide to avoid build problems: https://apktool.org/docs/install
  • Gadget injection allows instrumentation without root but can still be caught by strict init-time checks.

Optionally, add the LSPosed and Shamiko modules for stronger root hiding in Zygisk environments, and configure DenyList to cover child processes.

For the full workflow, including script-mode Gadget configuration and bundling your own Frida 17+ agent inside the APK, see:

Frida Tutorial — Self-contained agent + Gadget embedding

References:

  • Objection: https://github.com/sensepost/objection

Step 8 — Fallback: patch out TLS pinning for network visibility

If instrumentation is blocked, you can still inspect traffic by removing pinning statically:

apk-mitm app.apk
# Then install the patched APK and proxy via Burp/mitmproxy

  • Tool: https://github.com/shroudedcode/apk-mitm
  • For the network-security-config CA-trust trick (and user CA trust on Android 7+), see:

Make APK Accept CA Certificate

Install Burp Certificate

Quick command cheat sheet

# List processes and attach
frida-ps -Uai
frida -U -n com.example.app

# Spawn with a script (may trigger detectors)
frida -U -f com.example.app -l anti-frida-detection.js

# Trace native init
frida-trace -n com.example.app -i "JNI_OnLoad"

# Objection runtime
objection --gadget com.example.app explore

# Static TLS pinning removal
apk-mitm app.apk

Universal proxy forcing + TLS unpinning (HTTP Toolkit Frida hooks)

Modern apps often ignore system proxies and stack several layers of pinning (Java + native), which makes traffic capture hard even when user/system CAs are installed. A practical approach is to combine universal TLS unpinning with proxy forcing via ready-made Frida hooks, then route everything through mitmproxy/Burp.

Workflow

  • Run mitmproxy on your host (or Burp). Make sure the device can reach the host's IP/port.
  • Load HTTP Toolkit's bundled Frida hooks to perform TLS unpinning and force proxy use across the common stacks (OkHttp/OkHttp3, HttpsURLConnection, Conscrypt, WebView, etc.). This bypasses CertificatePinner/TrustManager checks and overrides proxy selectors, so traffic is always sent through your proxy even if the app explicitly ignores proxies.
  • Launch the target app with Frida and the hook script, then record the requests in mitmproxy.

Example

# Device connected via ADB or over network (-U)
# See the repo for the exact script names & options
frida -U -f com.vendor.app \
  -l ./android-unpinning-with-proxy.js \
  --no-pause

# mitmproxy listening locally
mitmproxy -p 8080

Notes

  • Combine with a system-wide proxy via adb shell settings put global http_proxy <host>:<port> where possible. The Frida hooks enforce proxy use even where apps bypass the system settings.
  • This technique is useful when you need to MITM mobile-to-IoT onboarding flows, where pinning/proxy avoidance is common.
  • Hooks: https://github.com/httptoolkit/frida-interception-and-unpinning
