Android Anti-Instrumentation & SSL Pinning Bypass (Frida/Objection)
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
This page gives a practical workflow for restoring dynamic analysis against Android apps that detect or block instrumentation because the device is rooted, or that enforce TLS pinning. The focus is on fast triage, the common detections, and copy-pasteable hooks/tactics for getting around them, without repackaging where possible.
Detection Surface (what apps check)
- Root checks: su binary, Magisk paths, getprop values, common root packages
- Frida/debugger checks (Java): Debug.isDebuggerConnected(), ActivityManager.getRunningAppProcesses(), getRunningServices(), scanning /proc, classpath, loaded libs
- Native anti‑debug: ptrace(), syscalls, anti‑attach, breakpoints, inline hooks
- Early init checks: Application.onCreate() or process start hooks that crash if instrumentation is present
- TLS pinning: custom TrustManager/HostnameVerifier, OkHttp CertificatePinner, Conscrypt pinning, native pins
Bypassing Anti-Frida Detection / Stealth Frida Servers
phantom-frida rebuilds Frida from source and applies ~90 patches so common Frida fingerprints disappear while the stock Frida protocol remains compatible (frida-tools can still connect). Target: apps that grep /proc (cmdline, maps, task comm, fd readlink), D-Bus service names, default ports, or exported symbols.
Phases:
- Source patches: global rename of the frida identifiers (server/agent/helper) and a rebuilt helper DEX with a renamed Java package.
- Targeted build/runtime patches: meson tweaks, memfd label changed to jit-cache, SELinux labels (e.g. frida_file) renamed, libc hooks on exit/signal disabled to avoid hook-detectors.
- Post-build rename: the exported symbol frida_agent_main is renamed after the first compile (Vala emits it), which requires a second incremental build.
- Binary hex patches: thread names (gmain, gdbus, pool-spawner) replaced; an optional sweep removes leftover frida/Frida strings.
Detection vectors covered:
- Base (1–8): the process name frida-server, the mapped libfrida-agent.so, thread names, the memfd label, the exported frida_agent_main, SELinux labels, libc hook side-effects, and the D-Bus service re.frida.server are renamed/neutralized.
- Extended (9–16): change the listening port (--port), rename D-Bus interfaces/internal C symbols/GType names and temp paths like .frida/frida-, sweep binary strings, rename build-time defines and asset paths (libdir/frida). D-Bus interface names that are part of the wire protocol stay unchanged in base mode so stock clients keep working.
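The checks listed in the two lists above, and the equal-length renames phantom-frida uses to defeat them, modelled as an added example written for this page (this is illustrative code, not phantom-frida's or any app's). It runs under Node on constructed /proc-style snapshots; the snapshot field names, the "renamed" file/thread/symbol names and the port 27142 are assumptions chosen to mirror the page's build command.

```javascript
// Added example for this page (not phantom-frida's or any app's code): a model of the
// fingerprint checks a hardened app runs, fed with constructed /proc-style snapshots.
// Snapshot field names and the renamed artefacts are assumptions chosen for illustration.

const STOCK_MARKERS = {
  threadNames: ['gmain', 'gdbus', 'pool-spawner', 'gum-js-loop'],
  defaultPort: 27042,
  dbusService: 're.frida.server',
  agentSymbol: 'frida_agent_main',
};

// /proc/self/maps: any mapped path mentioning frida or gum
function checkMaps(mapsText) {
  return mapsText.split('\n')
    .filter(line => /frida|gum/i.test(line))
    .map(line => 'maps:' + line.trim().split(/\s+/).pop());
}

// /proc/self/task/*/comm: stock Frida helper thread names
function checkThreadNames(commNames) {
  return commNames
    .filter(n => STOCK_MARKERS.threadNames.some(m => n.toLowerCase().includes(m)))
    .map(n => 'thread:' + n);
}

// /proc/net/tcp rows: st 0A is LISTEN; the default frida-server port is 27042
function checkListeningPorts(tcpRows) {
  return tcpRows
    .filter(r => r.st === '0A' && r.port === STOCK_MARKERS.defaultPort)
    .map(r => 'port:' + r.port);
}

// strings of the mapped agent: exported symbol and D-Bus service name
function checkStrings(blob) {
  const hits = [];
  if (blob.includes(STOCK_MARKERS.dbusService)) hits.push('dbus:' + STOCK_MARKERS.dbusService);
  if (blob.includes(STOCK_MARKERS.agentSymbol)) hits.push('symbol:' + STOCK_MARKERS.agentSymbol);
  return hits;
}

function detectInstrumentation(snapshot) {
  return [
    ...checkMaps(snapshot.maps),
    ...checkThreadNames(snapshot.threads),
    ...checkListeningPorts(snapshot.tcp),
    ...checkStrings(snapshot.agentStrings),
  ];
}

// Binary hex patch in the phantom-frida spirit: the replacement must not be longer than
// the original (offsets inside the ELF must not move); shorter names are NUL-padded.
function patchCString(buf, from, to) {
  if (to.length > from.length) throw new Error('replacement longer than original');
  const needle = Buffer.from(from + '\0');
  const repl = Buffer.from(to.padEnd(from.length, '\0') + '\0');
  let count = 0;
  for (let idx = buf.indexOf(needle); idx !== -1; idx = buf.indexOf(needle, idx + needle.length)) {
    repl.copy(buf, idx);
    count++;
  }
  return count;
}

// Constructed snapshot: stock frida-server + agent injected into the target.
const stockSnapshot = {
  maps: [
    '7f1200000000-7f1200400000 r-xp 00000000 fd:00 1234 /data/local/tmp/re.frida.server/frida-agent-64.so',
    '7f1300000000-7f1300100000 r-xp 00000000 fd:00 5678 /system/lib64/libc.so',
  ].join('\n'),
  threads: ['main', 'gmain', 'gdbus', 'pool-spawner', 'gum-js-loop'],
  tcp: [{ st: '0A', port: 27042 }, { st: '01', port: 443 }],
  agentStrings: 'frida_agent_main re.frida.server jit-cache',
};

// Same target after a phantom-frida style rebuild (renamed paths/threads/symbols, --port 27142).
const renamedSnapshot = {
  maps: [
    '7f1200000000-7f1200400000 r-xp 00000000 fd:00 1234 /data/local/tmp/myserver/libhelper-64.so',
    '7f1300000000-7f1300100000 r-xp 00000000 fd:00 5678 /system/lib64/libc.so',
  ].join('\n'),
  threads: ['main', 'evloop', 'ipcbus', 'spawner', 'js-loop'],
  tcp: [{ st: '0A', port: 27142 }, { st: '01', port: 443 }],
  agentStrings: 'helper_main org.example.helper jit-cache',
};

console.log('stock   :', detectInstrumentation(stockSnapshot));
console.log('renamed :', detectInstrumentation(renamedSnapshot));
```

The stock snapshot trips all four families of checks; the renamed one trips none, which is exactly why a renamed server plus a non-default port survives the naive detectors while the Frida wire protocol stays intact. patchCString is the same-length constraint that phantom-frida's hex patches respect: replacing gmain with a longer name would shift every string that follows it in .rodata.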
Build/usage (Android arm64 example):
python3 build.py --version 17.7.2 --name myserver --port 27142 --extended --verify
adb push output/myserver-server-17.7.2-android-arm64 /data/local/tmp/myserver-server
adb shell chmod 755 /data/local/tmp/myserver-server
adb shell /data/local/tmp/myserver-server -D &
adb forward tcp:27142 tcp:27142
frida -H 127.0.0.1:27142 -f com.example.app
Options: --skip-build (patch only), --skip-clone, --arch, --ndk-path, --temp-fixes; WSL helper: wsl -d Ubuntu bash build-wsl.sh.
Step 1 — Quick win: hide root with Magisk DenyList
- Enable Zygisk in Magisk
- Enable DenyList and add the target package
- Reboot and test again
Many apps only look for the obvious indicators (su/Magisk paths/getprop). DenyList often neutralizes such naive checks.
References:
- Magisk (Zygisk & DenyList): https://github.com/topjohnwu/Magisk
Play Integrity / Zygisk detections (post-SafetyNet)
Newer banking/ID apps tie their runtime checks to Google Play Integrity (the SafetyNet replacement) and may crash as soon as Zygisk is present. Quick assessment tips:
- Temporarily disable Zygisk (toggle off + reboot) and retry; some apps crash the moment the Zygote injection is loaded.
- If attestation blocks login, spoof what Google Play Services sees with PlayIntegrityFix (or a fork) + TrickyStore, or use ReZygisk/Zygisk-Next only while testing. Keep the target in DenyList and avoid LSPosed modules that leak props.
- For one-off runs, use KernelSU/APatch (no Zygote injection) to stay below the Zygisk heuristics, then attach Frida.
Step 2 — 30-second Frida Codeshare tests
Try the common drop-in scripts before digging deeper:
- anti-root-bypass.js
- anti-frida-detection.js
- hide_frida_gum.js
Example:
frida -U -f com.example.app -l anti-frida-detection.js
(-l expects a local file; to pull a script straight from Codeshare use frida --codeshare <author>/<project> instead.)
These usually mask Java root/debug checks, process/service scans and native ptrace(). Good enough for lightly protected apps; hardened targets will need custom hooks.
- Codeshare: https://codeshare.frida.re/
Automate with Medusa (Frida framework)
Medusa provides 90+ ready-made modules for SSL unpinning, root/emulator detection bypass, HTTP comms logging, crypto key interception and more.
git clone https://github.com/Ch0pin/medusa
cd medusa
pip install -r requirements.txt
python medusa.py
# Example interactive workflow
show categories
use http_communications/multiple_unpinner
use root_detection/universal_root_detection_bypass
run com.target.app
Tip: Medusa is great for quick wins before writing custom hooks. You can also cherry-pick modules and combine them with your own scripts.
Step 3 — Dodge init-time detectors by attaching later
Many detections only run during process spawn/onCreate(). Spawn-time injection (-f) or gadgets get caught there; attaching after the UI has loaded can go unnoticed.
# Launch the app normally (launcher/adb), wait for UI, then attach
frida -U -n com.example.app
# Or with Objection to attach to a running process
objection --gadget com.example.app explore # if using gadget
If this works, keep the session stable and move on to mapping and stubbing the checks.
Step 4 — Map the detection logic with Jadx and string searches
Keywords for static triage in Jadx:
- “frida”, “gum”, “root”, “magisk”, “ptrace”, “su”, “getprop”, “debugger”
Typical Java pattern:
public boolean isFridaDetected() {
return getRunningServices().contains("frida");
}
Common APIs to review/hook:
- android.os.Debug.isDebuggerConnected
- android.app.ActivityManager.getRunningAppProcesses / getRunningServices
- java.lang.System.loadLibrary / System.load (native bridge)
- java.lang.Runtime.exec / ProcessBuilder (command probing, e.g. which su)
- android.os.SystemProperties.get (root/emulator heuristics)
Step 5 — Runtime stubbing with Frida (Java)
Rewrite the custom guards to return safe values without repackaging:
Java.perform(() => {
  const Checks = Java.use('com.example.security.Checks');
  Checks.isFridaDetected.implementation = function () { return false; };
  // Neutralize debugger checks
  const Debug = Java.use('android.os.Debug');
  Debug.isDebuggerConnected.implementation = function () { return false; };
  // Example: kill ActivityManager scans. Return a real Java List: there is no "java"
  // global in Frida scripts, so java.util.Collections.emptyList() would throw a ReferenceError
  const AM = Java.use('android.app.ActivityManager');
  const ArrayList = Java.use('java.util.ArrayList');
  AM.getRunningAppProcesses.implementation = function () { return ArrayList.$new(); };
  AM.getRunningServices.overload('int').implementation = function () { return ArrayList.$new(); };
  // Caveat: apps that look themselves up in these lists may break; filter the original result instead
});
Triaging an early crash? Dump the loaded classes right before it happens to spot the likely detection namespaces:
Java.perform(() => {
Java.enumerateLoadedClasses({
onMatch: n => console.log(n),
onComplete: () => console.log('Done')
});
});
Quick root-detection stub (adapt to the target's package/class names):
Java.perform(() => {
try {
const RootChecker = Java.use('com.target.security.RootCheck');
RootChecker.isDeviceRooted.implementation = function () { return false; };
} catch (e) {}
});
Log and disable suspicious methods to confirm the execution flow:
Java.perform(() => {
const Det = Java.use('com.example.security.DetectionManager');
Det.checkFrida.implementation = function () {
console.log('checkFrida() called');
return false;
};
});
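Tying Steps 4 and 5 together, as an added example written for this page (not from the original): rank a class dump by detection-related keywords and, when running inside Frida, auto-stub every boolean/int/String/List-returning method of the top-ranked classes with a "safe" value. The keyword weights, the sample class names and the choice of safe values are assumptions; the Frida-only part is guarded so the file also runs under Node for the ranking logic.

```javascript
// Added example (not from the page): keyword ranking of a class dump + auto-stubbing.
// Weights, sample class names and safe return values are assumptions for illustration.
const KEYWORDS = {
  frida: 5, xposed: 5, root: 4, magisk: 4, tamper: 4, integrity: 4, safetynet: 4,
  emulator: 3, hook: 3, detect: 3, debug: 2, security: 2, check: 1,
};

function scoreClassName(name) {
  const lower = name.toLowerCase();
  return Object.entries(KEYWORDS).reduce((s, [k, w]) => s + (lower.includes(k) ? w : 0), 0);
}

// [{name, score}] sorted by score desc; framework/library packages are skipped because
// they match on generic words (android.os.Debug) but are not the app's own guards.
function rankSuspiciousClasses(classNames, minScore = 3) {
  return classNames
    .filter(n => !/^(android|androidx|java|javax|kotlin|dalvik)\./.test(n))
    .map(n => ({ name: n, score: scoreClassName(n) }))
    .filter(c => c.score >= minScore)
    .sort((a, b) => b.score - a.score || a.name.localeCompare(b.name));
}

// Value a guard should return for the check to "pass", keyed by Class.getName() output.
// undefined = type we do not stub automatically (void, custom objects, ...).
function safeReturnFor(typeName) {
  switch (typeName) {
    case 'boolean': return false;
    case 'int': case 'long': case 'short': case 'byte': return 0;
    case 'java.lang.String': return '';
    case 'java.util.List': return 'EMPTY_LIST'; // sentinel, turned into a real ArrayList under Frida
    default: return undefined;
  }
}

// Constructed class dump, the kind of output Java.enumerateLoadedClasses() prints before a crash.
const sampleDump = [
  'android.os.Debug', 'java.util.ArrayList', 'com.example.app.MainActivity',
  'com.example.app.security.RootDetector', 'com.example.app.security.FridaCheck',
  'com.example.app.net.ApiClient', 'com.vendor.protect.IntegrityGuard',
  'kotlin.collections.CollectionsKt',
];
console.log(rankSuspiciousClasses(sampleDump));

// Frida-only part: guarded so the ranking logic above also runs under plain Node.
if (typeof Java !== 'undefined') {
  Java.perform(() => {
    const loaded = [];
    Java.enumerateLoadedClasses({ onMatch: n => loaded.push(n), onComplete: () => {} });
    for (const { name } of rankSuspiciousClasses(loaded)) {
      let klass;
      try { klass = Java.use(name); } catch (e) { continue; }
      const methods = klass.class.getDeclaredMethods(); // java.lang.reflect.Method[]
      for (let i = 0; i < methods.length; i++) {
        const m = methods[i];
        const ret = safeReturnFor(m.getReturnType().getName());
        if (ret === undefined) continue;
        const pts = m.getParameterTypes();
        const argTypes = [];
        for (let j = 0; j < pts.length; j++) argTypes.push(pts[j].getName()); // "[Ljava.lang.String;" form matches overload()
        const mName = m.getName();
        try {
          const ov = klass[mName].overload(...argTypes);
          ov.implementation = function () {
            console.log(`[stub] ${name}.${mName}(${argTypes.join(',')}) -> ${ret}`);
            return ret === 'EMPTY_LIST' ? Java.use('java.util.ArrayList').$new() : ret;
          };
        } catch (e) { /* not hookable (abstract/native/ambiguous); leave it and stub by hand */ }
      }
    }
  });
}
```

Run it under Node to see the ranking, or load it with frida -U -n <pkg> -l to stub the top-ranked classes live; the [stub] log lines then tell you which guard actually fires, which is the execution-flow confirmation Step 5 asks for. Blanket stubbing of every int/String method in a class is deliberately noisy, so narrow the keyword list once you know the guard class.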
Bypass emulator/VM detection (Java stubs)
Common heuristics: Build.FINGERPRINT/MODEL/MANUFACTURER/HARDWARE containing generic/goldfish/ranchu/sdk; QEMU artifacts such as /dev/qemu_pipe and /dev/socket/qemud; the default MAC address 02:00:00:00:00:00; 10.0.2.x NAT addressing; missing telephony/sensors.
Quick Build field spoof:
Java.perform(function(){
  var Build = Java.use('android.os.Build');
  // Keep every field consistent with the fingerprint
  // (brand/product/device:release/id/incremental:type/tags); panther is the Pixel 7
  Build.MODEL.value = 'Pixel 7';
  Build.MANUFACTURER.value = 'Google';
  Build.BRAND.value = 'google';
  Build.PRODUCT.value = 'panther';
  Build.DEVICE.value = 'panther';
  Build.HARDWARE.value = 'panther';
  Build.FINGERPRINT.value = 'google/panther/panther:14/UP1A.231105.003/1234567:user/release-keys';
});
Complement this with stubs for the file-existence checks and identifiers (TelephonyManager.getDeviceId/SubscriberId, WifiInfo.getMacAddress, SensorManager.getSensorList) so they return realistic values.
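The heuristics above, plus the cross-field consistency check a careful detector can apply, as an added example written for this page (not from the original): it parses Build.FINGERPRINT and compares it with the other Build fields, showing that spoofing only MODEL/MANUFACTURER/BRAND/FINGERPRINT still leaves an emulator detectable. Both Build objects are constructed; the marker regex and the field list are assumptions.

```javascript
// Added example (not from the page): emulator heuristics + Build field consistency check.
// The Build objects below are constructed; markers and field list are assumptions.

const EMULATOR_MARKERS = /generic|goldfish|ranchu|sdk_gphone|emulator|vbox|unknown/i;

// FINGERPRINT format: brand/product/device:release/id/incremental:type/tags
function parseFingerprint(fp) {
  const m = /^([^/]+)\/([^/]+)\/([^:]+):([^/]+)\/([^/]+)\/([^:]+):([^/]+)\/(.+)$/.exec(fp);
  if (!m) return null;
  const [, brand, product, device, release, id, incremental, type, tags] = m;
  return { brand, product, device, release, id, incremental, type, tags };
}

// Returns a list of findings; an empty list means the Build looks like a real device.
function emulatorFindings(build) {
  const findings = [];
  for (const f of ['FINGERPRINT', 'MODEL', 'MANUFACTURER', 'BRAND', 'PRODUCT', 'DEVICE', 'HARDWARE', 'BOARD']) {
    if (EMULATOR_MARKERS.test(build[f] || '')) findings.push(`${f} looks emulated: ${build[f]}`);
  }
  const fp = parseFingerprint(build.FINGERPRINT || '');
  if (!fp) {
    findings.push('FINGERPRINT malformed');
  } else {
    // On a real build the fingerprint components equal the corresponding Build fields
    if (fp.brand !== build.BRAND) findings.push(`BRAND ${build.BRAND} != fingerprint brand ${fp.brand}`);
    if (fp.product !== build.PRODUCT) findings.push(`PRODUCT ${build.PRODUCT} != fingerprint product ${fp.product}`);
    if (fp.device !== build.DEVICE) findings.push(`DEVICE ${build.DEVICE} != fingerprint device ${fp.device}`);
    if (fp.tags !== 'release-keys') findings.push(`TAGS ${fp.tags} (test-keys = userdebug/eng build)`);
  }
  return findings;
}

// Constructed: a stock arm64 emulator image.
const emulatorBuild = {
  FINGERPRINT: 'google/sdk_gphone64_arm64/emu64a:14/UE1A.230829.036/11228894:user/release-keys',
  MODEL: 'sdk_gphone64_arm64', MANUFACTURER: 'Google', BRAND: 'google',
  PRODUCT: 'sdk_gphone64_arm64', DEVICE: 'emu64a', HARDWARE: 'ranchu', BOARD: 'goldfish_arm64',
};

// Spoofing only MODEL/MANUFACTURER/BRAND/FINGERPRINT leaves PRODUCT/DEVICE/HARDWARE/BOARD as they were.
const partialSpoof = { ...emulatorBuild,
  MODEL: 'Pixel 7', MANUFACTURER: 'Google', BRAND: 'google',
  FINGERPRINT: 'google/panther/panther:14/UP1A.231105.003/1234567:user/release-keys' };

// A consistent spoof also aligns PRODUCT/DEVICE/HARDWARE/BOARD with the fingerprint (panther = Pixel 7).
const fullSpoof = { ...partialSpoof, PRODUCT: 'panther', DEVICE: 'panther', HARDWARE: 'panther', BOARD: 'panther' };

console.log(emulatorFindings(emulatorBuild));
console.log(emulatorFindings(partialSpoof));
console.log(emulatorFindings(fullSpoof));
```

Run it before hooking the target: feed it the Build values you intend to set and iterate until emulatorFindings returns nothing, then apply the same values in the Frida spoof.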
SSL pinning bypass quick hook (Java)
Neutralize custom TrustManagers and force permissive SSL contexts:
Java.perform(function(){
  var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
  var SSLContext = Java.use('javax.net.ssl.SSLContext');
  // X509TrustManager is an interface: it has no implementation to overwrite and cannot
  // be $new()'d, so register a concrete class that accepts every chain instead
  var TrustAll = Java.registerClass({
    name: 'com.example.TrustAll', // any unused class name works
    implements: [X509TrustManager],
    methods: {
      checkClientTrusted: function(chain, authType) { },
      checkServerTrusted: function(chain, authType) { },
      getAcceptedIssuers: function() { return []; }
    }
  });
  var TrustManagers = [ TrustAll.$new() ];
  // Swap the permissive TrustManager into every SSLContext the app initialises
  var SSLContextInit = SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;','[Ljavax.net.ssl.TrustManager;','java.security.SecureRandom');
  SSLContextInit.implementation = function(km, tm, sr){
    return SSLContextInit.call(this, km, TrustManagers, sr);
  };
});
Notes
- This only covers pinning done through the TrustManager/SSLContext. Extend it for OkHttp by hooking okhttp3.CertificatePinner and HostnameVerifier as needed, or use a universal unpinning script from CodeShare.
- Example run:
frida -U -f com.target.app -l ssl-bypass.js --no-pause
(Recent frida CLIs resume the spawned process by default, so --no-pause is only needed on older releases.)
OkHttp4 / gRPC / Cronet pinning (2024+)
Modern stacks pin inside newer APIs (OkHttp4+, gRPC over Cronet/BoringSSL). Add these hooks when the basic SSLContext hook is not enough:
Java.perform(() => {
  try {
    const Pinner = Java.use('okhttp3.CertificatePinner');
    // OkHttp 3/4 public entry point, plus the Kotlin-internal one OkHttp 4 calls from the handshake
    Pinner.check.overload('java.lang.String', 'java.util.List').implementation = function(){};
    Pinner.check$okhttp.implementation = function(){};
  } catch (e) {}
  try {
    const CronetB = Java.use('org.chromium.net.CronetEngine$Builder');
    // Force the "bypass pins for user-installed CAs" switch on, whatever the app passes
    const bypass = CronetB.enablePublicKeyPinningBypassForLocalTrustAnchors.overload('boolean');
    bypass.implementation = function(_enable){ return bypass.call(this, true); };
    // Drop the pins themselves; Cronet's API is addPublicKeyPins(String, Set<byte[]>, boolean, Date)
    CronetB.addPublicKeyPins.overload('java.lang.String', 'java.util.Set', 'boolean', 'java.util.Date').implementation = function(){ return this; };
  } catch (e) {}
});
If TLS still fails, move to native and patch the BoringSSL verification entry point used by Cronet/gRPC:
// Frida <=16 lookup; Frida 17 removed the null-module form, use Module.findGlobalExportByName('SSL_CTX_set_custom_verify') there
const customVerify = Module.findExportByName(null, 'SSL_CTX_set_custom_verify');
if (customVerify) {
  Interceptor.attach(customVerify, {
    onEnter(args){
      // arg0 = SSL_CTX*, arg1 = mode, arg2 = callback
      args[1] = ptr(0); // SSL_VERIFY_NONE: a failed chain no longer aborts the handshake
      args[2] = NULL;   // drop the app's custom verify callback
    }
  });
} else {
  // Cronet/gRPC usually link BoringSSL statically with no exports: locate the function by
  // pattern/signature scan (the HTTP Toolkit hooks do this) or from a symbolised debug build
  console.log('SSL_CTX_set_custom_verify not exported; locate it by pattern scan');
}
Step 6 — Follow the JNI/native trail when Java hooks fail
Trace the JNI entry points to locate native loaders and detection initialization:
frida-trace -n com.example.app -i "JNI_OnLoad"
Quick native triage of the bundled .so files:
# List exported symbols & JNI
nm -D libfoo.so | head
objdump -T libfoo.so | grep Java_
strings -n 6 libfoo.so | grep -Ei 'frida|ptrace|gum|magisk|su|root'
Interactive/native reversing:
- Ghidra: https://ghidra-sre.org/
- r2frida: https://github.com/nowsecure/r2frida
Example: neutralize ptrace to get past simple libc-level anti-debug:
// Frida <=16 lookup; on Frida 17 use Module.findGlobalExportByName('ptrace')
const ptrace = Module.findExportByName(null, 'ptrace');
if (ptrace) {
  Interceptor.replace(ptrace, new NativeCallback(function (request, pid, addr, data) {
    // Return success: the usual self-check is "ptrace(PTRACE_TRACEME) must succeed,
    // otherwise a debugger is attached", so faking failure (-1) would trip it. A forked
    // watchdog child that PTRACE_ATTACHes the parent now silently no-ops as well.
    return 0;
  }, 'int', ['int', 'int', 'pointer', 'pointer']));
}
// Only covers calls through libc; code issuing the syscall inline (svc #0) is not hooked
See also: Reversing Native Libraries
Step 7 — Objection patching (embed gadget / strip basics)
If you prefer repacking over runtime hooks, try:
objection patchapk --source app.apk
Notes:
- Requires apktool; get a current version from the official guide to avoid build problems: https://apktool.org/docs/install
- Gadget injection allows instrumentation without root, but stricter init-time checks can still catch it.
Optionally, add LSPosed modules and Shamiko for stronger root hiding in Zygisk environments, and set DenyList so it also covers child processes.
For a complete workflow covering script-mode Gadget configuration and bundling your Frida 17+ agent into the APK, see:
Frida Tutorial — Self-contained agent + Gadget embedding
References:
- Objection: https://github.com/sensepost/objection
Step 8 — Fallback: patch TLS pinning for network visibility
If instrumentation is blocked, you can still inspect traffic by removing the pinning statically:
apk-mitm app.apk
# Then install the patched APK and proxy via Burp/mitmproxy
- Tool: https://github.com/shroudedcode/apk-mitm
- For network security config CA-trust tricks (and Android 7+ user CA trust), see:
Make APK Accept CA Certificate
Handy command overview
# List processes and attach
frida-ps -Uai
frida -U -n com.example.app
# Spawn with a script (may trigger detectors)
frida -U -f com.example.app -l anti-frida-detection.js
# Trace native init
frida-trace -n com.example.app -i "JNI_OnLoad"
# Objection runtime
objection --gadget com.example.app explore
# Static TLS pinning removal
apk-mitm app.apk
Universal proxy forcing + TLS unpinning (HTTP Toolkit Frida hooks)
Modern apps often ignore system proxies and enforce multi-layer pinning (Java + native), which makes interception hard even with user/system CAs installed. A practical approach is to combine universal TLS unpinning with proxy forcing via ready-made Frida hooks and route everything through mitmproxy/Burp.
Workflow
- Start mitmproxy (or Burp) on your host. Make sure the device can reach the host IP/port.
- Load HTTP Toolkit's consolidated Frida hooks to perform TLS unpinning and force proxy usage across the common stacks (OkHttp/OkHttp3, HttpsURLConnection, Conscrypt, WebView, etc.). This bypasses CertificatePinner/TrustManager checks and overrides proxy selectors, so traffic always goes through your proxy even if the app explicitly disables proxies.
- Launch the target app with Frida and the hook script, and intercept the requests in mitmproxy.
Example
# Device connected via ADB or over network (-U)
# See the repo for the exact script names & options
frida -U -f com.vendor.app \
-l ./android-unpinning-with-proxy.js \
--no-pause
# mitmproxy listening locally
mitmproxy -p 8080
Notes
- Combine with the system proxy via adb shell settings put global http_proxy <host>:<port> when possible. The Frida hooks force proxy usage even when apps bypass the global settings.
- This technique is ideal when you need MITM for mobile-to-IoT onboarding flows, where pinning and proxy avoidance are common.
- Hooks: https://github.com/httptoolkit/frida-interception-and-unpinning
References
- Reversing Android Apps: Bypassing Detection Like a Pro
- Frida Codeshare
- Objection
- apk-mitm
- Jadx
- Ghidra
- r2frida
- Apktool install guide
- Magisk
- Medusa (Android Frida framework)
- Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa
- phantom-frida (stealth Frida server builder)
- Frida OkHttp4 SSL pinning bypass script
- XDA guide to strong Play Integrity bypass (2025)