Android Anti-Instrumentation & SSL Pinning Bypass (Frida/Objection)


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

This page describes a practical workflow to regain dynamic analysis against Android apps that detect or block instrumentation, or that enforce TLS pinning. It focuses on fast triage, the detections you will typically meet, and copy-pasteable hooks and tactics to get past them without repacking where possible.

Detection Surface (what apps check)

  • Root checks: su binary, Magisk paths, getprop values, common root packages
  • Frida/debugger checks (Java): Debug.isDebuggerConnected(), ActivityManager.getRunningAppProcesses(), getRunningServices(), scanning /proc, classpath, loaded libs
  • Native anti‑debug: ptrace(), syscalls, anti‑attach, breakpoints, inline hooks
  • Early init checks: Application.onCreate() or process start hooks that crash if instrumentation is present
  • TLS pinning: custom TrustManager/HostnameVerifier, OkHttp CertificatePinner, Conscrypt pinning, native pins

Step 1 — Quick win: hide root with Magisk DenyList

  • Enable Zygisk in Magisk
  • Enable DenyList, add the target package
  • Reboot and retest

Many apps only look for obvious indicators (su/Magisk paths/getprop). DenyList often neutralizes naive checks.

References:

  • Magisk (Zygisk & DenyList): https://github.com/topjohnwu/Magisk

Step 2 — 30‑second Frida Codeshare tests

Try common drop‑in scripts before deep diving:

  • anti-root-bypass.js
  • anti-frida-detection.js
  • hide_frida_gum.js

Example:

```bash
# Spawn the app with the script injected before any app code runs
frida -U -f com.example.app -l anti-frida-detection.js
```

These usually stub the Java root/debug checks, process/service scans, and native ptrace(). They are enough for lightly protected apps; hardened targets need tailored hooks.

  • Codeshare: https://codeshare.frida.re/

Automate with Medusa (Frida framework)

Medusa ships 90+ ready-made modules for SSL unpinning, root/emulator detection bypass, HTTP comms logging, crypto key interception, and more.

```bash
git clone https://github.com/Ch0pin/medusa
cd medusa
pip install -r requirements.txt
python medusa.py

# Example interactive workflow
show categories
use http_communications/multiple_unpinner
use root_detection/universal_root_detection_bypass
run com.target.app
```

Tip: Medusa is good for quick wins before writing custom hooks. You can also cherry-pick individual modules and combine them with your own scripts.

Step 3 — Bypass init-time detectors by attaching late

Many checks only run at process spawn or in onCreate(). Spawn-time injection (-f) or an embedded gadget gets caught there; attaching after the UI has loaded often slips past them unnoticed.

```bash
# Launch the app normally (launcher/adb), wait for the UI, then attach by process name
frida -U -n com.example.app
# Or attach with Objection (works with frida-server on a rooted device or an embedded gadget)
objection --gadget com.example.app explore
```

If this works, confirm the session stays stable, then move on to mapping and stubbing the checks.

Step 4 — Map the detection logic with Jadx and string searches

Keywords for static triage in Jadx:

  • "frida", "gum", "root", "magisk", "ptrace", "su", "getprop", "debugger"

A common Java pattern (as it typically looks after decompilation; `ctx` is the app's Context):

```java
public boolean isFridaDetected() {
    ActivityManager am = (ActivityManager) ctx.getSystemService(Context.ACTIVITY_SERVICE);
    for (ActivityManager.RunningServiceInfo s : am.getRunningServices(Integer.MAX_VALUE))
        if (s.service.getClassName().toLowerCase().contains("frida")) return true;
    return false;
}
```

Common APIs to review/hook:

  • android.os.Debug.isDebuggerConnected
  • android.app.ActivityManager.getRunningAppProcesses / getRunningServices
  • java.lang.System.loadLibrary / System.load (native bridge)
  • java.lang.Runtime.exec / ProcessBuilder (probing commands)
  • android.os.SystemProperties.get (root/emulator heuristics)

Step 5 — Runtime stubbing with Frida (Java)

Override the app's custom guards so they return safe values, without repacking:

```js
Java.perform(() => {
  const Checks = Java.use('com.example.security.Checks');
  Checks.isFridaDetected.implementation = function () { return false; };

  // Neutralize debugger checks
  const Debug = Java.use('android.os.Debug');
  Debug.isDebuggerConnected.implementation = function () { return false; };

  // Example: kill ActivityManager scans (return an empty Java list, not a JS array)
  const AM = Java.use('android.app.ActivityManager');
  const ArrayList = Java.use('java.util.ArrayList');
  AM.getRunningAppProcesses.implementation = function () { return ArrayList.$new(); };
});
```

Hitting early crashes? Dump the loaded classes just before the app dies to discover the likely detection namespaces:

```js
Java.perform(() => {
  Java.enumerateLoadedClasses({
    onMatch: n => console.log(n),
    onComplete: () => console.log('Done')
  });
});
```

```js
// Quick root detection stub example (adapt to the target's package/class names)
Java.perform(() => {
  try {
    const RootChecker = Java.use('com.target.security.RootCheck');
    RootChecker.isDeviceRooted.implementation = function () { return false; };
  } catch (e) {
    // class not loaded yet or the name differs: check the enumerateLoadedClasses output
  }
});
```

Log and neutralize suspected methods to confirm the execution flow:

```js
Java.perform(() => {
  const Det = Java.use('com.example.security.DetectionManager');
  Det.checkFrida.implementation = function () {
    console.log('checkFrida() called');
    return false;
  };
});
```
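The Jadx keyword search (Step 4) and the per-method stubs above can be combined into one generic script: enumerate the loaded classes whose names match the triage keywords, then stub every boolean-returning method on them that also matches. This is an added example, not code from the original page; the keyword list, the skipped framework prefixes and the "positive" name hints are assumptions you should tune per target. The decision helpers are plain JS so they can be tested outside Frida; the Frida glue at the bottom only runs when the Java bridge is present.

```javascript
'use strict';
// Added example: generic finder + stubber for Java-level detection checks.

// Keywords reused from the Jadx triage step (assumed list, extend per target).
const DETECTION_KEYWORDS = ['frida', 'xposed', 'root', 'magisk', 'debug', 'emulator', 'tamper', 'hook'];
// Framework namespaces we never stub blindly (that would break the app itself).
const SKIP_PREFIXES = ['android.', 'androidx.', 'java.', 'javax.', 'kotlin.', 'dalvik.', 'com.google.'];
// Some checks are inverted ("true" means all is well): those must be stubbed to true.
const POSITIVE_HINTS = /safe|secure|trusted|genuine|valid|pass|clean/i;
const NEGATIVE_HINTS = /unsafe|insecure|untrusted|invalid|notsafe/i;

function isSuspiciousClass(className) {
  const lower = className.toLowerCase();
  if (SKIP_PREFIXES.some(p => lower.startsWith(p))) return false;
  return DETECTION_KEYWORDS.some(k => lower.includes(k));
}

function isDetectionMethod(methodName, returnType) {
  if (returnType !== 'boolean' && returnType !== 'java.lang.Boolean') return false;
  const lower = methodName.toLowerCase();
  return DETECTION_KEYWORDS.some(k => lower.includes(k));
}

// Value the stub should return so the app takes its "nothing detected" path.
function safeReturnFor(methodName) {
  if (NEGATIVE_HINTS.test(methodName)) return false;
  return POSITIVE_HINTS.test(methodName);
}

if (typeof Java !== 'undefined' && Java.available) {
  Java.perform(function () {
    Java.enumerateLoadedClassesSync().filter(isSuspiciousClass).forEach(function (cls) {
      let klass;
      try { klass = Java.use(cls); } catch (e) { return; } // unresolvable class, skip it
      const methods = klass.class.getDeclaredMethods();     // java.lang.reflect.Method[]
      const seen = new Set();
      for (let i = 0; i < methods.length; i++) {
        const name = methods[i].getName();
        const ret = methods[i].getReturnType().getName();    // "boolean" for the primitive
        if (seen.has(name) || !isDetectionMethod(name, ret) || !klass[name]) continue;
        seen.add(name);
        const value = safeReturnFor(name);
        klass[name].overloads.forEach(function (ov) {         // hook every overload at once
          ov.implementation = function () {
            console.log('[stub] ' + cls + '.' + name + ' -> ' + value);
            return value;
          };
        });
      }
    });
  });
}
```

Run it after a late attach (Step 3) so the detection classes are already loaded; when you must spawn with -f, the enumeration runs before the app's classes exist, so trigger it again from a hook on the class you saw in the enumerateLoadedClasses dump. The log line per stub is the point: it tells you which check fired, which is what you need before writing a narrower hook.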

Bypass emulator/VM detection (Java stubs)

Common hints: Build.FINGERPRINT/MODEL/MANUFACTURER/HARDWARE containing generic/goldfish/ranchu/sdk; QEMU artifacts such as /dev/qemu_pipe and /dev/socket/qemud; the default MAC 02:00:00:00:00:00; the 10.0.2.x NAT range; missing telephony/sensor services.

Quick spoofing of Build fields:

```js
Java.perform(function () {
  var Build = Java.use('android.os.Build');
  // static final String fields are writable through the wrapper's .value
  Build.MODEL.value = 'Pixel 7 Pro';
  Build.MANUFACTURER.value = 'Google';
  Build.BRAND.value = 'google';
  Build.FINGERPRINT.value = 'google/panther/panther:14/UP1A.231105.003/1234567:user/release-keys';
});
```

Add stubs for the file-existence checks and identifier lookups (TelephonyManager.getDeviceId/SubscriberId, WifiInfo.getMacAddress, SensorManager.getSensorList) so they return realistic values.
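To see the whole picture rather than one field, the added example below (not from the original page) first re-implements the usual emulator heuristics as a plain function, so you can check which signals a given Build/property/file set trips, and then spoofs those same signals in a running app: the Build fields, the android.os.SystemProperties lookups behind getprop, and java.io.File.exists() for the QEMU device nodes. The Pixel values, the property list and the path list are assumptions; adjust them to the device you want to mimic.

```javascript
'use strict';
// Added example: emulator-signal spoofing. Plain helpers first, Frida glue last.

const EMULATOR_PATHS = ['/dev/qemu_pipe', '/dev/socket/qemud', '/dev/goldfish_pipe', '/system/bin/qemu-props'];
// getprop keys commonly probed; values a physical Pixel would return (assumed)
const SPOOFED_PROPS = { 'ro.kernel.qemu': '0', 'ro.boot.qemu': '0', 'ro.hardware': 'panther', 'ro.build.tags': 'release-keys' };
const SPOOFED_BUILD = {
  MODEL: 'Pixel 7 Pro', MANUFACTURER: 'Google', BRAND: 'google', PRODUCT: 'panther',
  DEVICE: 'panther', HARDWARE: 'panther', BOARD: 'panther', TAGS: 'release-keys',
  FINGERPRINT: 'google/panther/panther:14/UP1A.231105.003/1234567:user/release-keys'
};

// Heuristics as they typically appear in decompiled apps (constructed here).
// Returns the list of tripped signals; an empty list means "looks physical".
function checkEmulatorSignals(build, props, fileExists) {
  const hits = [];
  if (/generic|unknown|goldfish|ranchu|sdk|emulator|vbox/i.test(build.FINGERPRINT || '')) hits.push('fingerprint');
  if (/goldfish|ranchu|vbox/i.test(build.HARDWARE || '')) hits.push('hardware');
  if (/sdk|emulator|android sdk built for/i.test(build.MODEL || '')) hits.push('model');
  if (/test-keys|dev-keys/.test(build.TAGS || '')) hits.push('tags');
  if (props['ro.kernel.qemu'] === '1' || props['ro.boot.qemu'] === '1') hits.push('qemu-prop');
  if (EMULATOR_PATHS.some(fileExists)) hits.push('qemu-files');
  return hits;
}

if (typeof Java !== 'undefined' && Java.available) {
  Java.perform(function () {
    // 1. Build.* static fields
    const Build = Java.use('android.os.Build');
    Object.keys(SPOOFED_BUILD).forEach(k => { Build[k].value = SPOOFED_BUILD[k]; });

    // 2. SystemProperties.get (hidden API, still reachable via Java.use); both overloads
    const SysProp = Java.use('android.os.SystemProperties');
    SysProp.get.overload('java.lang.String').implementation = function (key) {
      return key in SPOOFED_PROPS ? SPOOFED_PROPS[key] : this.get(key);
    };
    SysProp.get.overload('java.lang.String', 'java.lang.String').implementation = function (key, def) {
      return key in SPOOFED_PROPS ? SPOOFED_PROPS[key] : this.get(key, def);
    };

    // 3. Hide QEMU device nodes from java.io.File-based probes
    const File = Java.use('java.io.File');
    File.exists.implementation = function () {
      if (EMULATOR_PATHS.indexOf(this.getAbsolutePath()) !== -1) return false;
      return this.exists();
    };
  });
}
```

Probes that go through native access()/stat() or read /proc directly never touch java.io.File; those need libc-level Interceptor hooks as in Step 6.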

SSL pinning bypass quick hook (Java)

Neutralize custom TrustManagers and force permissive SSL contexts. X509TrustManager is an interface, so you can neither instantiate it nor hook its methods directly; register a permissive implementation and inject it every time the app initializes an SSLContext:

```js
Java.perform(function () {
  var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
  var SSLContext = Java.use('javax.net.ssl.SSLContext');

  // A TrustManager whose checks never throw, i.e. it accepts any chain
  var PermissiveTrustManager = Java.registerClass({
    name: 'com.example.frida.PermissiveTrustManager',
    implements: [X509TrustManager],
    methods: {
      checkClientTrusted: function (chain, authType) {},
      checkServerTrusted: function (chain, authType) {},
      getAcceptedIssuers: function () { return []; }
    }
  });
  var TrustManagers = [PermissiveTrustManager.$new()];

  // Swap the app's TrustManagers for ours on every SSLContext.init()
  var SSLContextInit = SSLContext.init.overload(
    '[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom');
  SSLContextInit.implementation = function (km, tm, sr) {
    SSLContextInit.call(this, km, TrustManagers, sr);
  };
});
```

Notes

  • Extend for OkHttp: hook okhttp3.CertificatePinner and HostnameVerifier where needed, or use a universal unpinning script from CodeShare.
  • Example run: frida -U -f com.target.app -l ssl-bypass.js (add --no-pause only on Frida CLI releases before 16, which paused the spawned process; newer releases resume it automatically).

Step 6 — Follow the JNI/native path when Java hooks fail

Inspect the JNI entry points to locate native loaders and detection init:

```bash
# Attach by name; use -f instead of -n to catch libraries loaded at startup
frida-trace -U -n com.example.app -i "JNI_OnLoad"
```

Quick native triage of the bundled .so files:

```bash
# List exported symbols & JNI bindings
nm -D libfoo.so | head
objdump -T libfoo.so | grep Java_
strings -n 6 libfoo.so | grep -Ei 'frida|ptrace|gum|magisk|xbin/su|root'
```

Interactive/native reversing:

  • Ghidra: https://ghidra-sre.org/
  • r2frida: https://github.com/nowsecure/r2frida

Example: stub ptrace to defeat simple anti-debug in libc. Pick the return value to match the check you found (a check that treats a failed ptrace(PTRACE_TRACEME) as "debugger present" needs 0 here instead of -1), and keep in mind that apps issuing the syscall directly (inline svc) never go through this export:

```js
const ptrace = Module.findExportByName(null, 'ptrace');
if (ptrace) {
  Interceptor.replace(ptrace, new NativeCallback(function (request, pid, addr, data) {
    return -1; // pretend failure
  }, 'long', ['int', 'int', 'pointer', 'pointer']));
}
```

See also: Reversing Native Libraries
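The two libc-level anti-debug patterns you will meet most often are ptrace(PTRACE_TRACEME) and parsing /proc/self/status for a non-zero TracerPid. The added example below (not from the original page) handles both: it answers PTRACE_TRACEME with success without actually consuming the tracer slot (so a real debugger can still attach later) and forwards every other request to the real ptrace, and it rewrites the TracerPid line in every read() on a /proc/<pid>/status file descriptor. The scrubbing and path-matching logic is plain JS and unit-testable; the hooks assume bionic's libc.so and only run inside Frida.

```javascript
'use strict';
// Added example: TRACEME spoofing + TracerPid scrubbing at the libc boundary.

const PTRACE_TRACEME = 0;
const PROC_STATUS_RE = /^\/proc\/(self|\d+)(\/task\/\d+)?\/status$/;

function isProcStatusPath(path) {
  return typeof path === 'string' && PROC_STATUS_RE.test(path);
}

// "TracerPid:\t1234" -> "TracerPid:\t0000": same byte length, so the buffer and
// the read() return value stay consistent, and atoi()/strtol() both yield 0.
function scrubTracerPid(text) {
  return text.replace(/(TracerPid:\s*)(\d+)/, (m, label, pid) => label + '0'.repeat(pid.length));
}

if (typeof Interceptor !== 'undefined') {
  const libc = Process.getModuleByName('libc.so');

  // (a) ptrace: report success for PTRACE_TRACEME, pass everything else through
  const ptracePtr = libc.findExportByName('ptrace');
  const ptrace = new NativeFunction(ptracePtr, 'long', ['int', 'int', 'pointer', 'pointer']);
  Interceptor.replace(ptracePtr, new NativeCallback(function (req, pid, addr, data) {
    if (req === PTRACE_TRACEME) return 0;
    return ptrace(req, pid, addr, data); // Frida routes this re-entrant call to the original
  }, 'long', ['int', 'int', 'pointer', 'pointer']));

  // (b) remember fds opened on /proc/<pid>/status, scrub each read() on them
  const statusFds = new Set();
  Interceptor.attach(libc.findExportByName('openat'), {
    onEnter(args) { this.path = args[1].readUtf8String(); },
    onLeave(retval) {
      const fd = retval.toInt32();
      if (fd >= 0 && isProcStatusPath(this.path)) statusFds.add(fd);
    }
  });
  Interceptor.attach(libc.findExportByName('read'), {
    onEnter(args) { this.fd = args[0].toInt32(); this.buf = args[1]; },
    onLeave(retval) {
      const n = retval.toInt32();
      if (n <= 0 || !statusFds.has(this.fd)) return;
      const original = this.buf.readCString(n);            // raw bytes, no UTF-8 validation
      const scrubbed = scrubTracerPid(original);
      if (scrubbed !== original)
        this.buf.writeByteArray(Array.from(scrubbed, c => c.charCodeAt(0) & 0xff));
    }
  });
  Interceptor.attach(libc.findExportByName('close'), {
    onEnter(args) { statusFds.delete(args[0].toInt32()); }
  });
}
```

Before relying on it, confirm the app actually goes through libc: if frida-trace -U -n com.example.app -i "ptrace" -i "openat" stays silent while the app still bails out, look for raw svc instructions in the .so (inline syscalls) and patch those call sites instead.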

Step 7 — Objection patching (embed gadget / strip basics)

If you prefer repacking over runtime hooks, try:

```bash
objection patchapk --source app.apk
```

Notes:

  • Requires apktool; install the latest release per the official guide to avoid build problems: https://apktool.org/docs/install
  • Gadget injection allows instrumentation without root, but strict init-time checks can still detect it.

Optionally, add LSPosed modules and Shamiko for stronger root hiding in Zygisk environments, and extend the DenyList to cover child processes.

References:

  • Objection: https://github.com/sensepost/objection

Step 8 — Fallback: patch TLS pinning for network visibility

If instrumentation is blocked, you can still inspect traffic by removing pinning statically:

```bash
apk-mitm app.apk
# Then install the patched APK and proxy via Burp/mitmproxy
```

  • Tool: https://github.com/shroudedcode/apk-mitm
  • For CA-trust approaches via network security config (and Android 7+ user CA trust), see:

Make APK Accept CA Certificate

Install Burp Certificate

Useful command cheat sheet

```bash
# List processes and attach
frida-ps -Uai
frida -U -n com.example.app

# Spawn with a script (may trigger detectors)
frida -U -f com.example.app -l anti-frida-detection.js

# Trace native init
frida-trace -U -n com.example.app -i "JNI_OnLoad"

# Objection runtime
objection --gadget com.example.app explore

# Static TLS pinning removal
apk-mitm app.apk
```

Universal proxy forcing + TLS unpinning (HTTP Toolkit Frida hooks)

Modern apps often ignore system proxies and implement multiple layers of pinning (Java + native), which makes traffic capture hard even with user/system CAs installed. A practical approach is to combine universal TLS unpinning with proxy forcing through ready-made Frida hooks, and route everything through mitmproxy/Burp.

Workflow

  • Run mitmproxy on your host (or Burp). Ensure the device can reach the host IP/port.
  • Load HTTP Toolkit's consolidated Frida hooks to both unpin TLS and force proxy usage across common stacks (OkHttp/OkHttp3, HttpsURLConnection, Conscrypt, WebView, etc.). This bypasses CertificatePinner/TrustManager checks and overrides proxy selectors, so traffic always goes to your proxy even if the app explicitly disables proxies.
  • Start the target app with Frida and the hook script, and capture requests in mitmproxy.

Example

```bash
# Device connected via ADB or over network (-U)
# See the repo for the exact script names & options; the hooks are split across
# several files that are loaded together with repeated -l flags, config first
frida -U -f com.vendor.app \
  -l ./config.js \
  -l ./android-unpinning-with-proxy.js

# mitmproxy listening locally
mitmproxy -p 8080
```

Notes

  • Combine with a device-wide proxy via adb shell settings put global http_proxy <host>:<port> where possible. The Frida hooks still force the proxy when apps bypass the system setting.
  • This approach is useful when you need to MITM mobile-to-IoT onboarding flows, where pinning/proxy evasion is the norm.
  • Hooks: https://github.com/httptoolkit/frida-interception-and-unpinning
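What "overriding proxy selectors" means in practice is shown by the added example below. It is not HTTP Toolkit's script and not code from the original page: it forces java.net and OkHttp traffic through a proxy the app never configured by setting the JVM proxy properties, installing a ProxySelector subclass that ignores the app's wishes, and rewriting OkHttp's per-client proxy settings. PROXY_HOST/PROXY_PORT and the direct-host list are assumptions; the routing decision is a plain function so it can be tested outside Frida.

```javascript
'use strict';
// Added example: force all java.net / OkHttp connections through an interception proxy.

const PROXY_HOST = '192.168.1.10';                        // assumed: your mitmproxy/Burp host
const PROXY_PORT = 8080;
const DIRECT_HOSTS = ['localhost', '127.0.0.1', '::1'];   // keep loopback traffic direct

// Routing decision, kept separate from the hooks so it is unit-testable.
function proxyDecision(host) {
  if (!host || DIRECT_HOSTS.indexOf(host) !== -1) return { type: 'DIRECT' };
  return { type: 'HTTP', host: PROXY_HOST, port: PROXY_PORT };
}

if (typeof Java !== 'undefined' && Java.available) {
  Java.perform(function () {
    const System = Java.use('java.lang.System');
    const Proxy = Java.use('java.net.Proxy');
    const ProxyType = Java.use('java.net.Proxy$Type');
    const ProxySelector = Java.use('java.net.ProxySelector');
    const InetSocketAddress = Java.use('java.net.InetSocketAddress');
    const Collections = Java.use('java.util.Collections');

    // 1. JVM-level defaults, honoured by HttpsURLConnection and friends
    ['http', 'https'].forEach(s => {
      System.setProperty(s + '.proxyHost', PROXY_HOST);
      System.setProperty(s + '.proxyPort', String(PROXY_PORT));
    });

    // 2. A ProxySelector that ignores whatever the app asked for
    const forcedProxy = Proxy.$new(ProxyType.HTTP.value,
      InetSocketAddress.$new.overload('java.lang.String', 'int')(PROXY_HOST, PROXY_PORT));
    const ForcedSelector = Java.registerClass({
      name: 'com.example.frida.ForcedProxySelector',
      superClass: ProxySelector,
      methods: {
        select(uri) {
          const d = proxyDecision(uri.getHost());
          return Collections.singletonList(d.type === 'HTTP' ? forcedProxy : Proxy.NO_PROXY.value);
        },
        connectFailed(uri, sa, ioe) {
          console.log('[proxy] connect failed for ' + uri.toString());
        }
      }
    });
    ProxySelector.setDefault(ForcedSelector.$new());

    // 3. OkHttp: per-client proxy()/proxySelector() calls would override the default, so rewrite them
    try {
      const Builder = Java.use('okhttp3.OkHttpClient$Builder');
      Builder.proxy.implementation = function (p) { return this.proxy(forcedProxy); };
      Builder.proxySelector.implementation = function (s) { return this.proxySelector(ForcedSelector.$new()); };
    } catch (e) {
      console.log('[proxy] okhttp3 not present or renamed: ' + e.message);
    }
  });
}
```

This only redirects stacks built on java.net; native HTTP stacks (Cronet, Flutter/Dart) never consult a ProxySelector, which is why the HTTP Toolkit scripts also hook connect() at the libc level. You still need the TLS side (the TrustManager hook above or the unpinning scripts), otherwise the proxied connections fail the app's certificate checks.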
