Android Anti-Instrumentation & SSL Pinning Bypass (Frida/Objection)
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the Discord group or the telegram group or follow us on Twitter @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
This page shows a practical workflow for restoring dynamic-analysis capability against Android apps that detect or block root and instrumentation, or that enforce TLS pinning. It focuses on fast triage, the common detection patterns, and copy-paste hooks/tactics to get past them without repacking where possible.
Detection Surface (what apps check)
- Root checks: su binary, Magisk paths, getprop values, common root packages
- Frida/debugger checks (Java): Debug.isDebuggerConnected(), ActivityManager.getRunningAppProcesses(), getRunningServices(), scanning /proc, classpath, loaded libs
- Native anti-debug: ptrace(), syscalls, anti-attach, breakpoints, inline hooks
- Early init checks: Application.onCreate() or process start hooks that crash if instrumentation is present
- TLS pinning: custom TrustManager/HostnameVerifier, OkHttp CertificatePinner, Conscrypt pinning, native pins
Step 1 - Quick win: hide root with Magisk DenyList
- Enable Zygisk in Magisk
- Enable DenyList, add the target package
- Reboot and retest
Many apps only look for obvious indicators (su/Magisk paths/getprop). DenyList often removes that whole class of check.
References:
- Magisk (Zygisk & DenyList): https://github.com/topjohnwu/Magisk
Step 2 - 30-second Frida Codeshare tests
Try common dropāin scripts before deep diving:
- anti-root-bypass.js
- anti-frida-detection.js
- hide_frida_gum.js
Example:
frida -U -f com.example.app -l anti-frida-detection.js
These typically stub the Java root/debug checks, the process/service scans and native ptrace(). They help on lightly protected apps; hardened targets may need tailored hooks.
- Codeshare: https://codeshare.frida.re/
Step 3 - Bypass init-time detectors by attaching late
Much detection runs only at process spawn/onCreate(). Spawn-time injection (-f) or gadgets get caught; attaching after the UI has loaded can slip past.
# Launch the app normally (launcher/adb), wait for the UI, then attach
frida -U -n com.example.app
# Or with Objection, attaching to the running process
objection --gadget com.example.app explore   # if using gadget
If this works, keep a stable session and continue with mapping and stubbing.
Step 4 - Map detection logic via Jadx and string search
Static triage keywords in Jadx:
- "frida", "gum", "root", "magisk", "ptrace", "su", "getprop", "debugger"
Typical Java patterns:
public boolean isFridaDetected() {
return getRunningServices().contains("frida");
}
Common APIs to check/hook:
- android.os.Debug.isDebuggerConnected
- android.app.ActivityManager.getRunningAppProcesses / getRunningServices
- java.lang.System.loadLibrary / System.load (native bridge)
- java.lang.Runtime.exec / ProcessBuilder (probe commands)
- android.os.SystemProperties.get (root/emulator heuristics)
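As an added example (not code from the original page), the node script below automates the keyword hunt above: it scans Jadx output, attributes every hit to the enclosing class and method, and emits a Frida stub skeleton for the methods it found. The Java sources embedded in it are constructed for the demo and the com.example.* names are placeholders; point it at a real Jadx `sources` directory to use it.

```javascript
// Added example: Jadx keyword triage -> Class.method hook targets -> Frida stub.
// Not from the original page; the sample Java is constructed, com.example.* is a placeholder.

// "su" and "gum" need word boundaries or they match "result", "argument", etc.
const KEYWORDS = /frida|magisk|ptrace|getprop|debugger|xposed|tracerpid|root|\b(?:su|gum)\b/i;
const PKG_RE = /^\s*package\s+([\w.]+)\s*;/;
const CLASS_RE = /\b(?:class|interface|enum)\s+(\w+)/;
// "modifiers ReturnType name(params) {" on one line, the way Jadx prints it.
const METHOD_RE = /^\s*(?:(?:public|private|protected|static|final|native|synchronized|abstract)\s+)*([\w<>\[\],.?]+)\s+(\w+)\s*\([^)]*\)\s*(?:throws[\w.,\s]+)?\{?\s*$/;
const NOT_A_METHOD = new Set(['if', 'for', 'while', 'switch', 'catch', 'return', 'new', 'else', 'throw']);

// Scan one file. Brace depth is tracked so each hit is attributed to the method
// whose body contains it (method is null for fields and imports).
function triageSource(file, text) {
  const lines = text.split('\n');
  let pkg = '', cls = null;
  for (const l of lines) {
    const p = l.match(PKG_RE); if (p) pkg = p[1];
    const c = l.match(CLASS_RE); if (c && cls === null) cls = c[1];
  }
  const fqcn = cls ? (pkg ? `${pkg}.${cls}` : cls) : file;
  const hits = [];
  let depth = 0, method = null, methodDepth = -1;
  lines.forEach((line, idx) => {
    const m = line.match(METHOD_RE);
    if (m && !NOT_A_METHOD.has(m[1]) && !NOT_A_METHOD.has(m[2])) {
      method = { name: m[2], returnType: m[1] };
      methodDepth = depth;
    }
    if (KEYWORDS.test(line)) {
      hits.push({ file, line: idx + 1, cls: fqcn, method: method ? method.name : null,
                  returnType: method ? method.returnType : null, text: line.trim() });
    }
    depth += (line.match(/\{/g) || []).length - (line.match(/\}/g) || []).length;
    if (method && depth <= methodDepth) method = null;
  });
  return hits;
}

function triageTree(files) {
  return Object.entries(files).flatMap(([f, t]) => triageSource(f, t));
}

// Real usage: node triage.js /path/to/jadx/sources (recursive readdir needs Node 20+).
function loadJadxDir(dir) {
  const fs = require('fs'), path = require('path'), files = {};
  for (const rel of fs.readdirSync(dir, { recursive: true })) {
    if (rel.endsWith('.java')) files[rel] = fs.readFileSync(path.join(dir, rel), 'utf8');
  }
  return files;
}

// Unique Class.method pairs, keeping the return type so the stub knows what "clean" is.
function hookTargets(hits) {
  const seen = new Map();
  for (const h of hits) {
    if (h.method) seen.set(`${h.cls}.${h.method}`, { cls: h.cls, method: h.method, returnType: h.returnType });
  }
  return [...seen.values()];
}

// Frida script text: boolean/int detection methods are forced to a safe value,
// anything else (e.g. the void onCreate caller) is only traced.
function fridaStub(targets) {
  const out = ['Java.perform(() => {'];
  targets.forEach((t, i) => {
    out.push(`  const C${i} = Java.use('${t.cls}');`);
    out.push(`  C${i}.${t.method}.overloads.forEach(o => { o.implementation = function () {`);
    out.push(`    console.log('${t.cls}.${t.method}() called');`);
    if (t.returnType === 'boolean') out.push('    return false;');
    else if (t.returnType === 'int' || t.returnType === 'long') out.push('    return 0;');
    else out.push(`    return this.${t.method}.apply(this, arguments); // trace only`);
    out.push('  }; });');
  });
  out.push('});');
  return out.join('\n');
}

// Constructed sample of what Jadx emits for a lightly protected app.
const SAMPLE_SOURCES = {
  'com/example/security/Checks.java': `package com.example.security;
import android.os.Debug;
public class Checks {
    private static final String[] SU_PATHS = {"/system/xbin/su", "/sbin/su"};
    public boolean isFridaDetected() {
        return ProcUtil.getRunningServices().contains("frida");
    }
    public static boolean isRooted() {
        for (String p : SU_PATHS) {
            if (new java.io.File(p).exists()) return true;
        }
        return Debug.isDebuggerConnected();
    }
}
`,
  'com/example/ui/MainActivity.java': `package com.example.ui;
public class MainActivity {
    public void onCreate() {
        if (new com.example.security.Checks().isFridaDetected()) System.exit(1);
    }
}
`,
};

if (typeof require !== 'undefined' && require.main === module) {
  const hits = triageTree(process.argv[2] ? loadJadxDir(process.argv[2]) : SAMPLE_SOURCES);
  for (const h of hits) console.log(`${h.file}:${h.line} [${h.cls}.${h.method}] ${h.text}`);
  console.log(fridaStub(hookTargets(hits)));
}
```

Callers such as onCreate() show up as targets too; the generated stub only traces those, which is useful for confirming which check fires first. Expect some noise from "root" (rootView and friends) and prune the list before loading the stub.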
Step 5 - Runtime stubbing with Frida (Java)
Patch custom guards to return safe values without repacking:
Java.perform(() => {
  // App-specific guard (class/method names are placeholders)
  const Checks = Java.use('com.example.security.Checks');
  Checks.isFridaDetected.implementation = function () { return false; };
  // Neutralize debugger checks
  const Debug = Java.use('android.os.Debug');
  Debug.isDebuggerConnected.implementation = function () { return false; };
  // Example: kill ActivityManager scans. Return a real Java List: java.util.*
  // is not reachable as a JS global inside Frida, so go through Java.use().
  const AM = Java.use('android.app.ActivityManager');
  const Collections = Java.use('java.util.Collections');
  AM.getRunningAppProcesses.implementation = function () { return Collections.emptyList(); };
});
Triaging early crashes? Dump the loaded classes just before it dies to spot likely detection namespaces:
Java.perform(() => {
Java.enumerateLoadedClasses({
onMatch: n => console.log(n),
onComplete: () => console.log('Done')
});
});
Log and disable suspicious methods to confirm the execution flow:
Java.perform(() => {
const Det = Java.use('com.example.security.DetectionManager');
Det.checkFrida.implementation = function () {
console.log('checkFrida() called');
return false;
};
});
Step 6 - Follow JNI/native traces when Java hooks fail
Enumerate JNI entry points to find native loaders and detection init:
frida-trace -U -n com.example.app -i "JNI_OnLoad"
Quick native triage of bundled .so files:
# List exported symbols & JNI
nm -D libfoo.so | head
objdump -T libfoo.so | grep Java_
strings -n 6 libfoo.so | egrep -i 'frida|ptrace|gum|magisk|su|root'
Interactive/native reversing:
- Ghidra: https://ghidra-sre.org/
- r2frida: https://github.com/nowsecure/r2frida
Example: neuter ptrace to defeat simple anti-debug in libc:
const ptrace = Module.findExportByName(null, 'ptrace');
if (ptrace) {
Interceptor.replace(ptrace, new NativeCallback(function () {
return -1; // pretend failure
}, 'int', ['int', 'int', 'pointer', 'pointer']));
}
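Putting Step 5 and Step 6 together, here is one Frida script (an added example, not code from the original page) that stubs the Java-side detection methods it discovers at runtime and neutralises the two native checks seen most often: ptrace() anti-attach and strstr()-based scans of /proc/self/maps for Frida strings. The class/method name patterns, the needle list and the com.example.* names are assumptions to refine after the Jadx pass; the selection logic is kept free of Frida calls so it can be unit-tested under node.

```javascript
// Added example, not from the original page: combined Java + native bypass script.
// SUSPECT_* patterns and the needle list are assumptions; tune them per target.

// Heuristics for naming detection code.
const SUSPECT_CLASS = /(security|detect|antifrida|anti_frida|rootcheck|rootbeer|integrity|tamper)/i;
const SUSPECT_METHOD = /(frida|root|debug|magisk|xposed|emulator|tamper|hook|tracer)/i;

// Pure selection logic: pick boolean/int methods in suspect classes.
// methodsOf(cls) must return [{ name, returnType }] for the class.
function selectTargets(classNames, methodsOf) {
  const out = [];
  for (const cls of classNames) {
    if (!SUSPECT_CLASS.test(cls)) continue;
    for (const m of methodsOf(cls)) {
      if (SUSPECT_METHOD.test(m.name) && (m.returnType === 'boolean' || m.returnType === 'int')) {
        out.push({ cls, name: m.name, returnType: m.returnType });
      }
    }
  }
  return out;
}

// The "nothing detected" value for a forced method.
function safeValue(returnType) {
  return returnType === 'boolean' ? false : 0;
}

// Needles apps pass to strstr() when scanning /proc/self/maps, /proc/net/tcp or
// thread names for Frida artefacts (list is an assumption, extend as needed).
function isFridaNeedle(needle) {
  return /frida|gum-js|gmain|linjector|re\.frida/i.test(needle || '');
}

if (typeof Java !== 'undefined') {
  Java.perform(() => {
    // Reflect on a class only after its name matched, to keep startup cheap.
    const methodsOf = cls => {
      try {
        return Java.use(cls).class.getDeclaredMethods().map(m => ({
          name: m.getName(),
          returnType: m.getReturnType().getName(),
        }));
      } catch (e) {
        return []; // not reachable from this class loader
      }
    };
    for (const t of selectTargets(Java.enumerateLoadedClassesSync(), methodsOf)) {
      const wrapper = Java.use(t.cls)[t.name];
      if (!wrapper || !wrapper.overloads) continue;
      wrapper.overloads.forEach(o => {
        o.implementation = function () {
          console.log(`[stub] ${t.cls}.${t.name}() -> ${safeValue(t.returnType)}`);
          return safeValue(t.returnType);
        };
      });
    }
    // Platform check that hardened apps call directly.
    Java.use('android.os.Debug').isDebuggerConnected.implementation = () => false;
  });

  // Native layer: make ptrace() fail so anti-attach tricks think they lost, and make
  // strstr() miss Frida needles so /proc scans come back clean.
  const ptrace = Module.findExportByName(null, 'ptrace');
  if (ptrace) {
    Interceptor.replace(ptrace, new NativeCallback(() => -1, 'int', ['int', 'int', 'pointer', 'pointer']));
  }
  const strstr = Module.findExportByName(null, 'strstr');
  if (strstr) {
    Interceptor.attach(strstr, {
      onEnter(args) { this.hide = isFridaNeedle(args[1].readUtf8String()); },
      onLeave(retval) { if (this.hide) retval.replace(ptr(0)); },
    });
  }
}
```

Load it after attaching late (Step 3): `frida -U -n com.example.app -l bypass.js`. Methods that are only loaded later (lazy detection classes) are missed by the one-shot class enumeration; re-run the script or hook the class loader if the app re-checks in a later flow.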
See also: Reversing Native Libraries
Step 7 - Objection patching (embed gadget / strip basics)
When you prefer repacking over runtime hooks, try:
objection patchapk --source app.apk
Notes:
- Requires apktool; use a current version from the official guide to avoid build problems: https://apktool.org/docs/install
- Gadget injection allows instrumentation without root but can still be caught by stronger init-time checks.
References:
- Objection: https://github.com/sensepost/objection
Step 8 - Alternative: patch TLS pinning for network visibility
If instrumentation is blocked, you can still inspect traffic by removing pinning statically:
apk-mitm app.apk
# Then install the patched APK and proxy via Burp/mitmproxy
- Tool: https://github.com/shroudedcode/apk-mitm
- For network setup and CA-trust approaches (and Android 7+ user CA trust), see:
Make APK Accept CA Certificate
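When instrumentation does work, the Frida-side counterpart to the static patch is to unpin at runtime. The script below is an added example (not code from the original page or any tool it cites) covering the Java pinning layers listed under Detection Surface: a custom TrustManager handed to SSLContext.init, OkHttp's CertificatePinner, and HttpsURLConnection hostname verifiers. Native pins still need Step 6 style work. The registered class name and the platform-prefix list are assumptions.

```javascript
// Added example, not from the original page: runtime TLS unpinning for the Java layers.
// The registered class name and PLATFORM_TM_PREFIXES are assumptions.

// Pure helper (testable under node): separate platform trust managers from
// app-supplied ones, so the SSLContext.init log line tells you whether pinning
// lives in app code or in the Network Security Config.
const PLATFORM_TM_PREFIXES = ['com.android.org.conscrypt.', 'android.security.net.config.', 'org.conscrypt.'];

function classifyTrustManagers(classNames) {
  return classNames.map(cls => ({
    cls,
    origin: PLATFORM_TM_PREFIXES.some(p => cls.startsWith(p)) ? 'platform' : 'app',
  }));
}

if (typeof Java !== 'undefined') Java.perform(() => {
  const tryUse = name => { try { return Java.use(name); } catch (e) { return null; } };
  const JObject = Java.use('java.lang.Object');

  // 1. Replace whatever TrustManager[] the app passes to SSLContext.init with one
  //    that accepts any chain (class name is a placeholder).
  const PermissiveTM = Java.registerClass({
    name: 'com.example.frida.PermissiveTrustManager',
    implements: [Java.use('javax.net.ssl.X509TrustManager')],
    methods: {
      checkClientTrusted(chain, authType) {},
      checkServerTrusted(chain, authType) {},
      getAcceptedIssuers() { return []; },
    },
  });
  const SSLContext = Java.use('javax.net.ssl.SSLContext');
  const init = SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom');
  init.implementation = function (km, tms, rnd) {
    const names = [];
    for (let i = 0; tms !== null && i < tms.length; i++) {
      names.push(Java.cast(tms[i], JObject).getClass().getName());
    }
    console.log('[unpin] SSLContext.init ' + JSON.stringify(classifyTrustManagers(names)));
    init.call(this, km, [PermissiveTM.$new()], rnd);
  };

  // 2. OkHttp3 CertificatePinner: every check() overload becomes a no-op.
  const Pinner = tryUse('okhttp3.CertificatePinner');
  if (Pinner) {
    Pinner.check.overloads.forEach(o => {
      o.implementation = function (host) { console.log('[unpin] CertificatePinner.check ' + host); };
    });
  }

  // 3. HttpsURLConnection: ignore app-installed verifiers and socket factories so the
  //    proxy certificate is accepted on that path as well.
  const HUC = Java.use('javax.net.ssl.HttpsURLConnection');
  HUC.setDefaultHostnameVerifier.implementation = function (v) {};
  HUC.setHostnameVerifier.implementation = function (v) {};
  HUC.setSSLSocketFactory.implementation = function (f) {};
});
```

If the log shows only platform trust managers and connections still fail, the pin is most likely in the Network Security Config or in native code; switch to the static path (apk-mitm) or reverse the .so.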
Quick reference of useful commands
# List processes and attach
frida-ps -Uai
frida -U -n com.example.app
# Spawn with a script (may trigger detectors)
frida -U -f com.example.app -l anti-frida-detection.js
# Trace native init
frida-trace -U -n com.example.app -i "JNI_OnLoad"
# Objection runtime
objection --gadget com.example.app explore
# Static TLS pinning removal
apk-mitm app.apk
Notes and caveats
- Prefer attaching late over spawning when apps crash at launch
- Some detections re-run in critical flows (e.g. payment, auth); keep hooks active while navigating
- Combine static and dynamic: string hunt in Jadx to narrow down classes, then hook methods to confirm at runtime
- Hardened apps may use packers and native TLS pinning; expect to reverse native code
References
- Reversing Android Apps: Bypassing Detection Like a Pro
- Frida Codeshare: https://codeshare.frida.re/
- Objection: https://github.com/sensepost/objection
- apk-mitm: https://github.com/shroudedcode/apk-mitm
- Jadx: https://github.com/skylot/jadx
- Ghidra: https://ghidra-sre.org/
- r2frida: https://github.com/nowsecure/r2frida
- Apktool install guide: https://apktool.org/docs/install
- Magisk: https://github.com/topjohnwu/Magisk