
Frida: Bypassing SSL Pinning

TL;DR

This guide shows how to bypass SSL pinning in Android applications using Frida. We’ll focus on common hooking methods and practical examples.

Prerequisites

  • Android device (rooted is helpful, but not always required).
  • Frida installed on your computer: https://frida.re/docs/home/
  • A target Android application with SSL pinning enabled.
  • Basic understanding of JavaScript and Frida syntax.

1. Identify the Target Application

First, you need to identify the package name of your target app. You can use ADB (Android Debug Bridge) for this:

adb shell pm list packages | grep <app_name>

Replace <app_name> with a part of the application’s name. The output will show you the full package name (e.g., com.example.myapp).

2. Find SSL Pinning Implementation

SSL pinning is usually implemented in one of these places:

  • OkHttp Interceptors: Common in apps using the OkHttp library.
  • TrustKit: A popular pinning library.
  • Custom Code: The app might have its own SSL validation logic.

Use tools like jadx or apktool to decompile the APK and search for keywords like “trustManager”, “pinning”, “SSLContext”, “CertificatePinner”, or specific library names (e.g., “OkHttp”).
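As an added illustration (not code from the original post) of what an OkHttp pinning implementation looks like, the following minimal client pins one host to two SHA-256 public-key hashes using OkHttp's CertificatePinner. The hostname and both pin values are placeholders. This is the pattern the keyword search above (“CertificatePinner”, “SSLContext”) is meant to surface, and it is also the call a reviewer looks for when checking that pinning is actually wired into the client the app uses, not merely present somewhere in the code base.

```java
import java.io.IOException;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public class PinnedClient {
    // Placeholder host and pins. A real pin is "sha256/" followed by the base64 of the
    // SHA-256 hash of the certificate's SubjectPublicKeyInfo. The second pin is a backup
    // for the next key so the app keeps working across certificate rotation.
    private static final String HOST = "api.example.com";
    private static final String PIN_CURRENT = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    private static final String PIN_BACKUP  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    // Builds the client with pinning attached; this is the call that must be present
    // on the OkHttpClient the app really uses for its API traffic.
    public static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(HOST, PIN_CURRENT)
                .add(HOST, PIN_BACKUP)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    public static void main(String[] args) throws IOException {
        Request request = new Request.Builder().url("https://" + HOST + "/health").build();
        try (Response response = build().newCall(request).execute()) {
            System.out.println("HTTP " + response.code());
        } catch (SSLPeerUnverifiedException e) {
            // Raised when the server's chain matches none of the configured pins. OkHttp's
            // message lists the pins the peer actually presented, which is how the values
            // for a legitimate backend are normally collected during development.
            System.err.println("Pin mismatch: " + e.getMessage());
        }
    }
}
```

When reviewing an app, the useful check is not whether this class exists but whether the pinned client is the one every network call goes through; a second, unpinned OkHttpClient elsewhere in the code makes the pinning moot without any hooking at all.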

3. Hooking OkHttp Interceptors

If the app uses OkHttp, hooking its interceptors is a common approach.

Step 1: Locate the Interceptor

In the decompiled code, find where the OkHttp client is created and how interceptors are added. Look for something like:

OkHttpClient client = new OkHttpClient.Builder().addInterceptor(new YourPinningInterceptor()).build();

Step 2: Frida Script

Create a Frida script (e.g., bypass_okhttp_pinning.js) to hook the interceptor’s method responsible for SSL validation:

Java.perform(function() {
  // Replace with the actual interceptor class name found in step 1
  var YourPinningInterceptor = Java.use('com.example.myapp.YourPinningInterceptor');

  // Method name and parameter list are placeholders; take them from the decompiled code
  YourPinningInterceptor.validateCertificate.implementation = function(certificate) {
    console.log("SSL Certificate Validation Attempted!");
    return true; // Bypass validation
  };
});

Replace com.example.myapp.YourPinningInterceptor with the actual class name you found in step 1.

Step 3: Run Frida

Execute the script using Frida:

frida -U -f com.example.myapp -l bypass_okhttp_pinning.js --no-pause

Replace com.example.myapp with your app’s package name.

4. Hooking TrustKit

If the app uses TrustKit, you can hook its session creation or validation methods.

Step 1: Locate Key Classes

Find classes related to TrustKit session management (e.g., TSession, TURLSession).

Step 2: Frida Script

Create a Frida script to hook the relevant methods:

Java.perform(function() {
  // Placeholder class name; adjust to the TrustKit classes found in step 1
  var TSession = Java.use('com.trustkit.TSession');

  // Method name and parameter list are placeholders; take them from the decompiled code
  TSession.validateTrustchain.implementation = function(trustchain) {
    console.log("TrustKit Trustchain Validation Attempted!");
    return true; // Bypass validation
  };
});

Adjust the class name com.trustkit.TSession based on your app’s implementation.

Step 3: Run Frida

Run the script as described in step 3 of the OkHttp section.

5. Hooking Custom Code

If the app has custom SSL validation logic, you need to identify the specific methods responsible for validation and hook them accordingly. The process is similar to hooking OkHttp or TrustKit – locate the method, create a Frida script with an appropriate implementation override, and run it.

6. Troubleshooting

  • Class Not Found: Double-check the class names in your Frida script against the decompiled code.
  • Method Not Found: Ensure you’re hooking the correct method signature. Use jadx to verify.
  • App Crashes: Incorrect hooking can cause crashes. Review the error logs and adjust your script accordingly.