Android Anti-Instrumentation & SSL Pinning Bypass (Frida/Objection)
This page walks through a practical workflow to regain dynamic analysis against Android apps that detect/root-block instrumentation or enforce TLS pinning. It focuses on fast triage, common detections, and copy-pasteable hooks/tactics to bypass them without repacking where possible.
Detection Surface (what apps check)
- Root checks: su binary, Magisk paths, getprop values, common root packages
- Frida/debugger checks (Java): Debug.isDebuggerConnected(), ActivityManager.getRunningAppProcesses(), getRunningServices(), scanning /proc, classpath, loaded libs
- Native anti-debug: ptrace(), syscalls, anti-attach, breakpoints, inline hooks
- Early init checks: Application.onCreate() or process start hooks that crash if instrumentation is present
- TLS pinning: custom TrustManager/HostnameVerifier, OkHttp CertificatePinner, Conscrypt pinning, native pins
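To make the "scanning /proc, loaded libs" item concrete, here is an added illustration (not code from the page, HackTricks or Frida) of the kind of /proc scan an app runs, reproduced in plain Node over constructed sample data; the library regex and thread-name set are illustrative heuristics, not an exhaustive list. Knowing exactly what such a check matches on tells you which Java/native call to stub later in this workflow.

```javascript
// Added illustration (not from the page, HackTricks or Frida): the /proc scan an app
// performs to detect instrumentation, reproduced over constructed sample data.
// Library patterns and thread names below are illustrative heuristics, not an exhaustive list.

// Constructed /proc/self/maps excerpt: one injected agent library among normal mappings.
const SAMPLE_MAPS = [
  '7f3a2c000000-7f3a2c021000 r--p 00000000 fd:00 1234 /system/lib64/libc.so',
  '7f3a2d000000-7f3a2d800000 r-xp 00000000 fd:00 5678 /data/app/com.example.app/lib/arm64/libfoo.so',
  '7f3a2e000000-7f3a2f200000 r-xp 00000000 00:00 0 /data/local/tmp/re.frida.server/frida-agent-64.so',
  '7f3a30000000-7f3a30001000 rw-p 00000000 00:00 0 [anon:linker_alloc]',
  '7f3a31000000-7f3a31010000 rw-p 00000000 00:00 0',
].join('\n');

// Constructed thread names as read from /proc/self/task/<tid>/comm.
const SAMPLE_THREADS = ['main', 'RenderThread', 'gmain', 'gum-js-loop', 'Binder:1234_2'];

// Heuristics: agent library names and GLib/Gum helper thread names used by the Frida runtime.
const SUSPICIOUS_LIB_RE = /frida|gum|gadget/i;
const SUSPICIOUS_THREADS = new Set(['gmain', 'gdbus', 'gum-js-loop']);

// Parse maps lines into {range, perms, path}; the path column is absent for anonymous maps.
function parseMaps(mapsText) {
  return mapsText.split('\n').filter(Boolean).map(line => {
    const f = line.trim().split(/\s+/);
    return { range: f[0], perms: f[1], path: f[5] || '' };
  });
}

// File-backed mappings whose path matches the library heuristic.
function scanMaps(mapsText) {
  return parseMaps(mapsText)
    .filter(m => m.path.startsWith('/') && SUSPICIOUS_LIB_RE.test(m.path))
    .map(m => m.path);
}

// Thread names matching the runtime's helper threads.
function scanThreads(threadNames) {
  return threadNames.filter(n => SUSPICIOUS_THREADS.has(n));
}

// Evidence the app would act on (typically by exiting) when either list is non-empty.
function detectInstrumentation(mapsText, threadNames) {
  const libs = scanMaps(mapsText);
  const threads = scanThreads(threadNames);
  return { detected: libs.length > 0 || threads.length > 0, libs, threads };
}

console.log(JSON.stringify(detectInstrumentation(SAMPLE_MAPS, SAMPLE_THREADS), null, 2));
```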
Step 1 – Quick win: hide root with Magisk DenyList
- Enable Zygisk in Magisk
- Enable DenyList, add the target package
- Reboot and retest
Many apps only look for obvious indicators (su/Magisk paths/getprop). DenyList often neutralizes naive checks.
References:
- Magisk (Zygisk & DenyList): https://github.com/topjohnwu/Magisk
Step 2 – 30-second Frida Codeshare tests
Try common drop-in scripts before deep diving:
- anti-root-bypass.js
- anti-frida-detection.js
- hide_frida_gum.js
Example:
frida -U -f com.example.app -l anti-frida-detection.js
These typically stub Java root/debug checks, process/service scans, and native ptrace(). Good for lightly protected apps; hardened targets may need tailored hooks.
- Codeshare: https://codeshare.frida.re/
Automate with Medusa (Frida framework)
Medusa provides 90+ ready-made modules for SSL unpinning, root/emulator detection bypass, HTTP comms logging, crypto key interception, and more.
git clone https://github.com/Ch0pin/medusa
cd medusa
pip install -r requirements.txt
python medusa.py
# Example interactive workflow
show categories
use http_communications/multiple_unpinner
use root_detection/universal_root_detection_bypass
run com.target.app
Tip: Medusa is good for quick wins before writing custom hooks. You can also cherry-pick modules and combine them with your own scripts.
Step 3 – Bypass init-time detectors by attaching late
Many detectors run only during process spawn/onCreate(). Spawn-time injection (-f) or gadgets get caught; attaching after the UI has loaded can slip past unnoticed.
# Launch the app normally (launcher/adb), wait for UI, then attach
frida -U -n com.example.app
# Or with Objection to attach to running process
objection --gadget com.example.app explore # if using gadget
If this works, keep the session stable and proceed to mapping and stubbing the checks.
Step 4 – Map detection logic via Jadx and string search
Keywords for static triage in Jadx:
- "frida", "gum", "root", "magisk", "ptrace", "su", "getprop", "debugger"
Typical Java patterns:
public boolean isFridaDetected() {
return getRunningServices().contains("frida");
}
Common APIs to inspect/hook:
- android.os.Debug.isDebuggerConnected
- android.app.ActivityManager.getRunningAppProcesses / getRunningServices
- java.lang.System.loadLibrary / System.load (native bridge)
- java.lang.Runtime.exec / ProcessBuilder (probing commands)
- android.os.SystemProperties.get (root/emulator heuristics)
Step 5 – Runtime stubbing with Frida (Java)
Override custom guards so they return safe values without repacking:
Java.perform(() => {
const Checks = Java.use('com.example.security.Checks');
Checks.isFridaDetected.implementation = function () { return false; };
// Neutralize debugger checks
const Debug = Java.use('android.os.Debug');
Debug.isDebuggerConnected.implementation = function () { return false; };
// Example: kill ActivityManager scans
const AM = Java.use('android.app.ActivityManager');
const Collections = Java.use('java.util.Collections'); // plain java.* is not visible from Frida JS
AM.getRunningAppProcesses.implementation = function () { return Collections.emptyList(); };
});
Triaging early crashes? Dump the loaded classes just before it dies to spot likely detection namespaces:
Java.perform(() => {
Java.enumerateLoadedClasses({
onMatch: n => console.log(n),
onComplete: () => console.log('Done')
});
});
// Quick root detection stub example (adapt to target package/class names)
Java.perform(() => {
  try {
    const RootChecker = Java.use('com.target.security.RootCheck');
    RootChecker.isDeviceRooted.implementation = function () { return false; };
  } catch (e) {}
});
Log and neutralize suspicious methods to confirm the execution flow:
Java.perform(() => {
const Det = Java.use('com.example.security.DetectionManager');
Det.checkFrida.implementation = function () {
console.log('checkFrida() called');
return false;
};
});
Bypass emulator/VM detection (Java stubs)
Common tells: Build.FINGERPRINT/MODEL/MANUFACTURER/HARDWARE containing generic/goldfish/ranchu/sdk; QEMU artifacts such as /dev/qemu_pipe, /dev/socket/qemud; default MAC 02:00:00:00:00:00; 10.0.2.x NAT; lack of telephony/sensor services.
Quick spoof of Build fields:
Java.perform(function(){
var Build = Java.use('android.os.Build');
Build.MODEL.value = 'Pixel 7 Pro';
Build.MANUFACTURER.value = 'Google';
Build.BRAND.value = 'google';
Build.FINGERPRINT.value = 'google/panther/panther:14/UP1A.231105.003/1234567:user/release-keys';
});
Add stubs for file-existence checks and identifiers (TelephonyManager.getDeviceId/SubscriberId, WifiInfo.getMacAddress, SensorManager.getSensorList) so they return realistic values.
SSL pinning bypass quick hook (Java)
Neutralize custom TrustManagers and force permissive SSL contexts:
Java.perform(function(){
var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
var SSLContext = Java.use('javax.net.ssl.SSLContext');
// No-op validations
X509TrustManager.checkClientTrusted.implementation = function(){ };
X509TrustManager.checkServerTrusted.implementation = function(){ };
// Force permissive TrustManagers
var TrustManagers = [ X509TrustManager.$new() ];
var SSLContextInit = SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;','[Ljavax.net.ssl.TrustManager;','java.security.SecureRandom');
SSLContextInit.implementation = function(km, tm, sr){
return SSLContextInit.call(this, km, TrustManagers, sr);
};
});
Notes
- Extend to OkHttp: hook okhttp3.CertificatePinner and HostnameVerifier where needed, or use a universal unpinning script from CodeShare.
- Example run:
frida -U -f com.target.app -l ssl-bypass.js --no-pause
Step 6 – Follow the JNI/native path when Java hooks fail
Trace JNI entry points to locate native loaders and detection init:
frida-trace -n com.example.app -i "JNI_OnLoad"
Quick native triage of the bundled .so files:
# List exported symbols & JNI
nm -D libfoo.so | head
objdump -T libfoo.so | grep Java_
strings -n 6 libfoo.so | egrep -i 'frida|ptrace|gum|magisk|su|root'
Interactive/native reversing:
- Ghidra: https://ghidra-sre.org/
- r2frida: https://github.com/nowsecure/r2frida
Example: block ptrace to defeat simple anti-debug in libc:
const ptrace = Module.findExportByName(null, 'ptrace');
if (ptrace) {
Interceptor.replace(ptrace, new NativeCallback(function () {
return -1; // pretend failure
}, 'int', ['int', 'int', 'pointer', 'pointer']));
}
See also: Reversing Native Libraries
Step 7 – Objection patching (embed gadget / strip basics)
If you prefer repacking over runtime hooks, try:
objection patchapk --source app.apk
Notes:
- Requires apktool; make sure you use a recent version from the official guide to avoid build problems: https://apktool.org/docs/install
- Gadget injection allows instrumentation without root but can still be caught by strict init-time checks.
Optionally, add LSPosed modules and Shamiko for stronger root hiding in Zygisk environments, and tune the DenyList to cover child processes.
References:
- Objection: https://github.com/sensepost/objection
Step 8 – Fallback: patch TLS pinning for network visibility
If instrumentation is blocked, you can still inspect traffic by removing pinning statically:
apk-mitm app.apk
# Then install the patched APK and proxy via Burp/mitmproxy
- Zana: https://github.com/shroudedcode/apk-mitm
- For network-security-config CA-trust tricks (and Android 7+ user CA trust), see:
Make APK Accept CA Certificate
Useful command cheat-sheet
# List processes and attach
frida-ps -Uai
frida -U -n com.example.app
# Spawn with a script (may trigger detectors)
frida -U -f com.example.app -l anti-frida-detection.js
# Trace native init
frida-trace -n com.example.app -i "JNI_OnLoad"
# Objection runtime
objection --gadget com.example.app explore
# Static TLS pinning removal
apk-mitm app.apk
Universal proxy forcing + TLS unpinning (HTTP Toolkit Frida hooks)
Modern apps often ignore system proxies and enforce multiple layers of pinning (Java + native), which makes traffic capture hard even with user/system CAs installed. A practical approach is to combine universal TLS unpinning with proxy forcing via ready-made Frida hooks, and route everything through mitmproxy/Burp.
Workflow
- Run mitmproxy on your host (or Burp). Ensure the device can reach the host IP/port.
- Load HTTP Toolkit's consolidated Frida hooks to both unpin TLS and force proxy usage across common stacks (OkHttp/OkHttp3, HttpsURLConnection, Conscrypt, WebView, etc.). This bypasses CertificatePinner/TrustManager checks and overrides proxy selectors, so traffic is always sent via your proxy even if the app explicitly disables proxies.
- Start the target app with Frida and the hook script, and capture requests in mitmproxy.
Example
# Device connected via ADB or over network (-U)
# See the repo for the exact script names & options
frida -U -f com.vendor.app \
-l ./android-unpinning-with-proxy.js \
--no-pause
# mitmproxy listening locally
mitmproxy -p 8080
Notes
- Combine with a system-wide proxy via
adb shell settings put global http_proxy <host>:<port>
where possible. The Frida hooks will force proxying even when apps ignore the system settings.
- This approach is handy when you need to MITM mobile-to-IoT onboarding flows, where pinning/proxy evasion is common.
- Hooks: https://github.com/httptoolkit/frida-interception-and-unpinning
References
- Reversing Android Apps: Evading Detection Like a Pro
- Frida Codeshare
- Objection
- apk-mitm
- Jadx
- Ghidra
- r2frida
- Apktool installation guide
- Magisk
- Medusa (Android Frida framework)
- Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa