Android Anti-Instrumentation & SSL Pinning Bypass (Frida/Objection)
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
This page describes a practical workflow to restore dynamic analysis against Android apps that detect/block instrumentation on rooted devices or enforce TLS pinning. It focuses on fast triage, the common detections, and copy-paste hooks/tactics to get past them without repackaging where possible.
Detection Surface (what apps check)
- Root checks: su binary, Magisk paths, getprop values, common root packages
- Frida/debugger checks (Java): Debug.isDebuggerConnected(), ActivityManager.getRunningAppProcesses(), getRunningServices(), scanning /proc, classpath, loaded libs
- Native anti‑debug: ptrace(), syscalls, anti‑attach, breakpoints, inline hooks
- Early init checks: Application.onCreate() or process start hooks that crash if instrumentation is present
- TLS pinning: custom TrustManager/HostnameVerifier, OkHttp CertificatePinner, Conscrypt pinning, native pins
Bypassing Anti-Frida Detection / Stealth Frida Servers
phantom-frida rebuilds Frida from source and applies roughly 90 patches so that the usual Frida fingerprints appear absent while the stock Frida wire protocol stays compatible (frida-tools can still connect). Target: apps that grep /proc (cmdline, maps, task comm, fd readlink), D-Bus service names, default ports, or exported symbols.
Steps:
- Source patches: globally rename the frida identifiers (server/agent/helper) and rebuild the helper DEX with a renamed Java package.
- Targeted build/runtime patches: meson tweaks, memfd label renamed to jit-cache, SELinux labels (e.g. frida_file) changed, libc hooks on exit/signal disabled to avoid hook detectors.
- Post-build rename: the exported symbol frida_agent_main is renamed after the first compile (Vala emits it), which requires a second incremental build.
- Binary hex patches: thread names (gmain, gdbus, pool-spawner) renamed; an optional sweep removes leftover frida/Frida strings.
Detection paths covered:
- Base (1–8): process name frida-server, mapped lib frida-agent.so, thread names, memfd label, exported frida_agent_main, SELinux labels, libc hook side effects, and the D-Bus service re.frida.server are renamed/removed.
- Extended (9–16): change the listening port (--port), rename D-Bus interfaces/internal C symbols/GType names, temp paths such as .frida/frida-, sweep binary strings, rename build-time defines and asset paths (libdir/frida). D-Bus interface names that are part of the wire protocol are not changed in base mode so stock clients keep working.
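As an added illustration (not part of the original page or of phantom-frida), the following Python sketches the app-side check those base detection paths correspond to: it scans a /proc-style snapshot for the stock Frida fingerprints (process name, mapped agent lib, thread names, memfd label, default port) and reports which fired. Both snapshots, the renamed names and the 27142 port in the second one are constructed.

```python
import re

# Indicators drawn from the base detection paths listed above; an app-side
# check typically reads these from /proc and fails closed on any hit.
THREAD_NAMES = {"gmain", "gdbus", "pool-spawner"}
DEFAULT_PORT = 27042  # stock frida-server listening port


def parse_net_tcp(text):
    """Return the set of local ports from /proc/net/tcp content (hex addr:port)."""
    ports = set()
    for line in text.strip().splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) > 1 and ":" in cols[1]:
            ports.add(int(cols[1].split(":")[1], 16))
    return ports


def scan_snapshot(snap):
    """snap keys mimic /proc sources; returns the indicator names that fired."""
    hits = []
    if "frida" in snap.get("cmdline", "").lower():
        hits.append("process-name")
    if re.search(r"frida-(agent|gadget)(-\d+)?\.so", snap.get("maps", "")):
        hits.append("mapped-lib")
    if THREAD_NAMES & set(snap.get("task_comm", [])):
        hits.append("thread-name")
    if any("memfd:frida" in t for t in snap.get("fd_readlink", [])):
        hits.append("memfd-label")
    if DEFAULT_PORT in parse_net_tcp(snap.get("net_tcp", "")):
        hits.append("default-port")
    return hits


# Constructed snapshots (not captured output): a stock frida-server, and a
# renamed build where every fingerprint above has been changed.
STOCK = {
    "cmdline": "/data/local/tmp/frida-server",
    "maps": "7f1c000000-7f1c800000 r-xp 00000000 fd:00 42 /data/local/tmp/re.frida.server/frida-agent-64.so",
    "task_comm": ["frida-server", "gmain", "gdbus", "pool-spawner"],
    "fd_readlink": ["/dev/null", "/memfd:frida-agent-64.so (deleted)"],
    "net_tcp": "  sl  local_address rem_address st\n   0: 00000000:69A2 00000000:0000 0A\n",
}
RENAMED = {
    "cmdline": "/data/local/tmp/myserver-server",
    "maps": "7f1c000000-7f1c800000 r-xp 00000000 fd:00 42 /data/local/tmp/libhelper-64.so",
    "task_comm": ["myserver-server", "main-loop", "bus", "spawner"],
    "fd_readlink": ["/dev/null", "/memfd:jit-cache (deleted)"],
    "net_tcp": "  sl  local_address rem_address st\n   0: 00000000:6A06 00000000:0000 0A\n",
}
```

A real check would read these from /proc at runtime; here the point is which of the renames in the list above neutralise which indicator.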
Build/usage (Android arm64 example):
python3 build.py --version 17.7.2 --name myserver --port 27142 --extended --verify
adb push output/myserver-server-17.7.2-android-arm64 /data/local/tmp/myserver-server
adb shell chmod 755 /data/local/tmp/myserver-server
adb shell /data/local/tmp/myserver-server -D &
adb forward tcp:27142 tcp:27142
frida -H 127.0.0.1:27142 -f com.example.app
Flags: --skip-build (patch only), --skip-clone, --arch, --ndk-path, --temp-fixes; WSL helper: wsl -d Ubuntu bash build-wsl.sh.
Step 1 — Quick win: hide root with Magisk DenyList
- Enable Zygisk in Magisk
- Enable DenyList and add the target package
- Reboot and retest
Many apps only check the obvious indicators (su/Magisk paths/getprop). DenyList often defeats these basic checks.
References:
- Magisk (Zygisk & DenyList): https://github.com/topjohnwu/Magisk
Play Integrity / Zygisk detections (post‑SafetyNet)
Newer banking/identity apps combine runtime checks with Google Play Integrity (the SafetyNet replacement) and may also crash if Zygisk itself is present. Quick triage notes:
- Temporarily disable Zygisk (toggle off + reboot) and retest; some apps crash as soon as the Zygote injection loads.
- If attestation blocks login, patch Google Play Services with PlayIntegrityFix/Fork + TrickyStore, or use ReZygisk/Zygisk‑Next only during testing. Keep the target on the DenyList and avoid LSPosed modules that leak props.
- For one-off use, try KernelSU/APatch (no Zygote injection) to stay under the Zygisk heuristics, then attach Frida.
Step 2 — 30‑second Frida Codeshare tests
Try the popular drop‑in scripts before digging deeper:
- anti-root-bypass.js
- anti-frida-detection.js
- hide_frida_gum.js
Example:
frida -U -f com.example.app -l anti-frida-detection.js
These typically stub Java root/debug checks, process/service scans, and native ptrace(). They help on lightly protected apps; hardened targets may need tailored hooks.
- Codeshare: https://codeshare.frida.re/
Automate with Medusa (Frida framework)
Medusa provides 90+ ready-made modules for SSL unpinning, root/emulator detection bypass, HTTP comms logging, crypto key interception, and more.
git clone https://github.com/Ch0pin/medusa
cd medusa
pip install -r requirements.txt
python medusa.py
# Example interactive workflow
show categories
use http_communications/multiple_unpinner
use root_detection/universal_root_detection_bypass
run com.target.app
Tip: Medusa is good for quick wins before writing custom hooks. You can also cherry-pick modules and combine them with your own scripts.
Step 3 — Bypass init‑time detectors by attaching later
Many detections run only during process spawn/onCreate(). Spawn‑time injection (-f) or gadgets get caught; attaching after the UI has loaded can slip past them.
# Launch the app normally (launcher/adb), wait for UI, then attach
frida -U -n com.example.app
# Or with Objection to attach to running process
objection --gadget com.example.app explore # if using gadget
Step 4 — Map the detection logic with Jadx and string search
Static triage keywords in Jadx:
- “frida”, “gum”, “root”, “magisk”, “ptrace”, “su”, “getprop”, “debugger”
Typical Java patterns:
public boolean isFridaDetected() {
return getRunningServices().contains("frida");
}
Common APIs to inspect/hook:
- android.os.Debug.isDebuggerConnected
- android.app.ActivityManager.getRunningAppProcesses / getRunningServices
- java.lang.System.loadLibrary / System.load (native bridge)
- java.lang.Runtime.exec / ProcessBuilder (probing commands)
- android.os.SystemProperties.get (root/emulator heuristics)
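An added helper (not a Jadx feature and not from the original page) that turns the keyword and API lists above into a reading order: each decompiled class is scored by the indicators it contains, so you know where to start reading or hooking. The Java sources are constructed to mirror the pattern shown above; short tokens such as su and gum are matched as whole words so that identifiers like result or argument do not produce false hits.

```python
import re

# Keywords from the page; short tokens get word boundaries so that "su" does
# not match "result" and "gum" does not match "argument".
KEYWORDS = {
    "frida": r"frida", "gum": r"\bgum\b", "root": r"root", "magisk": r"magisk",
    "ptrace": r"ptrace", "su": r"\bsu\b", "getprop": r"getprop",
    "debugger": r"debugger",
}
# Detection-relevant APIs from the page, matched as plain substrings.
APIS = ["Debug.isDebuggerConnected", "getRunningAppProcesses",
        "getRunningServices", "System.loadLibrary", "System.load(",
        "Runtime.getRuntime().exec", "ProcessBuilder", "SystemProperties.get"]

def triage_class(source):
    """Return (keyword hits, API hits) for one class's decompiled source."""
    kw = [k for k, pat in KEYWORDS.items() if re.search(pat, source, re.I)]
    apis = [a for a in APIS if a in source]
    return kw, apis

def rank_classes(sources):
    """sources: {class name: decompiled Java}.  Classes with no hits are
    dropped; the rest are sorted by hit count (then name) as a reading order."""
    ranked = [(name, *triage_class(src)) for name, src in sources.items()]
    ranked = [r for r in ranked if r[1] or r[2]]
    ranked.sort(key=lambda r: (-(len(r[1]) + len(r[2])), r[0]))
    return ranked

# Constructed Jadx-style sources: a detection class and a benign class.
SAMPLE = {
    "com.example.security.Checks": """
        public boolean isFridaDetected() {
            return getRunningServices().contains("frida");
        }
        public boolean isRooted() {
            return new File("/system/xbin/su").exists()
                || SystemProperties.get("ro.debuggable").equals("1");
        }
        public boolean isDebugged() { return Debug.isDebuggerConnected(); }
    """,
    "com.example.ui.MainActivity": """
        void onCreate() { String argument = "sugar"; int result = 1; }
    """,
}

if __name__ == "__main__":
    for name, kw, apis in rank_classes(SAMPLE):
        print(f"{name}: keywords={kw} apis={apis}")
```

Feed it a directory of Jadx output by reading each .java file into the dict; obfuscated apps will still show the API names, which is why both lists are checked.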
Step 5 — Runtime stubbing with Frida (Java)
Override specific guards so they return safe values, without repackaging:
Java.perform(() => {
  const Checks = Java.use('com.example.security.Checks');
  Checks.isFridaDetected.implementation = function () { return false; };
  // Neutralize debugger checks
  const Debug = Java.use('android.os.Debug');
  Debug.isDebuggerConnected.implementation = function () { return false; };
  // Example: kill ActivityManager scans. Java classes must be resolved with
  // Java.use; a bare java.util.Collections is not a global in the Frida runtime.
  const AM = Java.use('android.app.ActivityManager');
  const Collections = Java.use('java.util.Collections');
  AM.getRunningAppProcesses.implementation = function () { return Collections.emptyList(); };
});
Investigating early crashes? Dump the loaded classes right before it dies to spot likely detection namespaces:
Java.perform(() => {
Java.enumerateLoadedClasses({
onMatch: n => console.log(n),
onComplete: () => console.log('Done')
});
});
Short root-detection stub example (adjust to the target's package/class names):
Java.perform(() => {
try {
const RootChecker = Java.use('com.target.security.RootCheck');
RootChecker.isDeviceRooted.implementation = function () { return false; };
} catch (e) {}
});
Log and disable suspicious methods to confirm the execution flow:
Java.perform(() => {
const Det = Java.use('com.example.security.DetectionManager');
Det.checkFrida.implementation = function () {
console.log('checkFrida() called');
return false;
};
});
Bypass emulator/VM detection (Java stubs)
Common signals: Build.FINGERPRINT/MODEL/MANUFACTURER/HARDWARE containing generic/goldfish/ranchu/sdk; QEMU artifacts such as /dev/qemu_pipe and /dev/socket/qemud; the default MAC 02:00:00:00:00:00; 10.0.2.x NAT addresses; missing telephony/sensors.
Quick spoofing of the Build fields:
Java.perform(function(){
var Build = Java.use('android.os.Build');
Build.MODEL.value = 'Pixel 7 Pro';
Build.MANUFACTURER.value = 'Google';
Build.BRAND.value = 'google';
Build.FINGERPRINT.value = 'google/panther/panther:14/UP1A.231105.003/1234567:user/release-keys';
});
Add stubs for file-existence checks and identifiers (TelephonyManager.getDeviceId/SubscriberId, WifiInfo.getMacAddress, SensorManager.getSensorList) so they return realistic values.
SSL pinning bypass quick hook (Java)
Neutralize custom TrustManagers and force every SSLContext to accept any chain. X509TrustManager is an interface, so it cannot be instantiated with $new() and its methods have no implementation to hook; register a concrete permissive class instead and swap it into SSLContext.init:
Java.perform(function(){
  var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
  var SSLContext = Java.use('javax.net.ssl.SSLContext');
  // Concrete TrustManager whose validations are no-ops
  var PermissiveTrustManager = Java.registerClass({
    name: 'com.example.PermissiveTrustManager',
    implements: [X509TrustManager],
    methods: {
      checkClientTrusted: function (chain, authType) { },
      checkServerTrusted: function (chain, authType) { },
      getAcceptedIssuers: function () { return []; }
    }
  });
  // Force the permissive TrustManager into every SSLContext
  var TrustManagers = [ PermissiveTrustManager.$new() ];
  var SSLContextInit = SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;','[Ljavax.net.ssl.TrustManager;','java.security.SecureRandom');
  SSLContextInit.implementation = function(km, tm, sr){
    return SSLContextInit.call(this, km, TrustManagers, sr);
  };
});
Notes
- Extend to OkHttp: hook okhttp3.CertificatePinner and HostnameVerifier as needed, or use a universal unpinning script from CodeShare.
- Example run:
frida -U -f com.target.app -l ssl-bypass.js --no-pause
OkHttp4 / gRPC / Cronet pinning (2024+)
Modern stacks pin inside newer APIs (OkHttp4+, gRPC over Cronet/BoringSSL). Add these hooks when the basic SSLContext hook is not enough:
Java.perform(() => {
try {
const Pinner = Java.use('okhttp3.CertificatePinner');
Pinner.check.overload('java.lang.String', 'java.util.List').implementation = function(){};
Pinner.check$okhttp.implementation = function(){};
} catch (e) {}
try {
const CronetB = Java.use('org.chromium.net.CronetEngine$Builder');
CronetB.enablePublicKeyPinningBypassForLocalTrustAnchors.overload('boolean').implementation = function(){ return this; };
CronetB.setPublicKeyPins.overload('java.lang.String', 'java.util.Set', 'boolean').implementation = function(){ return this; };
} catch (e) {}
});
If TLS still fails, move to native and patch the BoringSSL verification entry points used by Cronet/gRPC:
const customVerify = Module.findExportByName(null, 'SSL_CTX_set_custom_verify');
if (customVerify) {
Interceptor.attach(customVerify, {
onEnter(args){
// arg0 = SSL_CTX*, arg1 = mode, arg2 = callback
args[1] = ptr(0); // SSL_VERIFY_NONE
args[2] = NULL; // disable callback
}
});
}
Step 6 — Follow JNI/native traces when Java hooks fail
Trace JNI entry points to locate native loaders and detection init:
frida-trace -n com.example.app -i "JNI_OnLoad"
Quick native triage of the bundled .so files:
# List exported symbols & JNI
nm -D libfoo.so | head
objdump -T libfoo.so | grep Java_
strings -n 6 libfoo.so | egrep -i 'frida|ptrace|gum|magisk|su|root'
Interactive/native reversing:
- Ghidra: https://ghidra-sre.org/
- r2frida: https://github.com/nowsecure/r2frida
Example: disabling ptrace to defeat simple libc-based anti‑debug:
const ptrace = Module.findExportByName(null, 'ptrace');
if (ptrace) {
Interceptor.replace(ptrace, new NativeCallback(function () {
return -1; // pretend failure
}, 'int', ['int', 'int', 'pointer', 'pointer']));
}
See also: Reversing Native Libraries
Hatua 7 — Objection patching (embed gadget / strip basics)
When you prefer repacking over runtime hooks, try:
objection patchapk --source app.apk
Notes:
- Requires apktool; make sure you have the latest version from the official guide to avoid build issues: https://apktool.org/docs/install
- Gadget injection allows instrumentation without root but can still be caught by strict init‑time checks.
Optionally, add LSPosed modules and Shamiko for better root hiding in Zygisk environments, and configure the DenyList so it also covers child processes.
For a complete workflow, including setting up the Gadget in script-mode and embedding your own Frida 17+ agent inside the APK, see:
Frida Tutorial — Self-contained agent + Gadget embedding
References:
- Objection: https://github.com/sensepost/objection
Step 8 — Fallback: patch TLS pinning for network visibility
If instrumentation is blocked, you can still inspect traffic by removing the pinning statically:
apk-mitm app.apk
# Then install the patched APK and proxy via Burp/mitmproxy
- Tool: https://github.com/shroudedcode/apk-mitm
- For network-security-config CA‑trust techniques (and Android 7+ user CA trust), see:
Make APK Accept CA Certificate
Command cheat-sheet
# List processes and attach
frida-ps -Uai
frida -U -n com.example.app
# Spawn with a script (may trigger detectors)
frida -U -f com.example.app -l anti-frida-detection.js
# Trace native init
frida-trace -n com.example.app -i "JNI_OnLoad"
# Objection runtime
objection --gadget com.example.app explore
# Static TLS pinning removal
apk-mitm app.apk
Universal proxy forcing + TLS unpinning (HTTP Toolkit Frida hooks)
Modern apps often ignore system proxies and enforce several layers of pinning (Java + native), which makes traffic capture hard even when user/system CAs are installed. A practical approach is to combine universal TLS unpinning with proxy forcing using ready-made Frida hooks, and route everything through mitmproxy/Burp.
Workflow
- Run mitmproxy on your host (or Burp). Make sure the device can reach the host's IP/port.
- Load HTTP Toolkit's consolidated Frida hooks to unpin TLS and force proxy usage across the common stacks (OkHttp/OkHttp3, HttpsURLConnection, Conscrypt, WebView, etc.). This bypasses CertificatePinner/TrustManager checks and overrides proxy selectors, so traffic always goes through your proxy even when the app explicitly avoids proxies.
- Launch the target app with Frida and the hook script, then record the requests in mitmproxy.
Example
# Device connected via ADB or over network (-U)
# See the repo for the exact script names & options
frida -U -f com.vendor.app \
-l ./android-unpinning-with-proxy.js \
--no-pause
# mitmproxy listening locally
mitmproxy -p 8080
Notes
- Combine with a system-wide proxy via adb shell settings put global http_proxy <host>:<port> where possible. The Frida hooks will enforce proxy usage even when the app bypasses the global setting.
- This technique is ideal when you need to MITM mobile-to-IoT onboarding flows, where pinning/proxy avoidance is common.
- Hooks: https://github.com/httptoolkit/frida-interception-and-unpinning
References
- Reversing Android Apps: Bypassing Detection Like a Pro
- Frida Codeshare
- Objection
- apk-mitm
- Jadx
- Ghidra
- r2frida
- Apktool install guide
- Magisk
- Medusa (Android Frida framework)
- Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa
- phantom-frida (stealth Frida server builder)
- Frida OkHttp4 SSL pinning bypass script
- XDA guide to strong Play Integrity bypass (2025)