Bypassing Anti-Instrumentation and SSL Pinning on Android (Frida/Objection)

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

This page gives a practical workflow to restore dynamic analysis against Android apps that detect/block instrumentation or enforce TLS pinning. It focuses on fast triage, the common detections, and copy-paste hooks/tactics to bypass them without repacking where possible.

Detection Surface (what apps check)

  • Root checks: su binary, Magisk paths, getprop values, common root packages
  • Frida/debugger checks (Java): Debug.isDebuggerConnected(), ActivityManager.getRunningAppProcesses(), getRunningServices(), scanning /proc, classpath, loaded libs
  • Native anti‑debug: ptrace(), syscalls, anti‑attach, breakpoints, inline hooks
  • Early init checks: Application.onCreate() or process start hooks that crash if instrumentation is present
  • TLS pinning: custom TrustManager/HostnameVerifier, OkHttp CertificatePinner, Conscrypt pinning, native pins

Bypassing Anti-Frida Detection / Stealth Frida Servers

phantom-frida rebuilds Frida from source and applies roughly ~90 patches so that the usual Frida fingerprints disappear while the stock Frida protocol stays compatible (frida-tools can still connect). Target: apps that grep /proc (cmdline, maps, task comm, fd readlink), D-Bus service names, default ports, or exported symbols.

Phases:

  • Source patches: global rename of the frida identifiers (server/agent/helper) and a rebuild of the helper DEX with a renamed Java package.
  • Targeted build/runtime patches: meson tweaks, memfd label changed to jit-cache, SELinux labels (e.g., frida_file) renamed, libc hooks on exit/signal disabled to avoid hook-detectors.
  • Post-build rename: the exported symbol frida_agent_main is renamed after the first compile (Vala generates it), which requires a second incremental build.
  • Binary hex patches: thread names (gmain, gdbus, pool-spawner) replaced; an optional sweep removes leftover frida/Frida strings.

Detection vectors covered:

  • Base (1–8): the process name frida-server, the mapped libfrida-agent.so, thread names, the memfd label, the exported frida_agent_main, SELinux labels, libc hook side-effects, and the D-Bus service re.frida.server are patched/removed.
  • Extended (9–16): change the listening port (--port), rename D-Bus interfaces/internal C symbols/GType names and temp paths such as .frida/frida-, sweep binary strings, rename build-time defines and asset paths (libdir/frida). D-Bus interface names that are part of the wire protocol are left unchanged in base mode to avoid breaking stock clients.
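As an added, app-side illustration (not code from the page or from phantom-frida), the following Python encodes the literal fingerprints listed under Detection Surface and in the base vectors above and runs them over constructed /proc excerpts; the sample data, marker lists and function names are this example's own assumptions. It also shows why a check that only greps for these strings is weak: once the memfd label is renamed, as the stealth build does, the same mapping is no longer flagged.

```python
# Constructed fingerprints mirroring the vectors the page lists (app-side check, example only).
MAP_MARKERS = ("frida",)
GLIB_THREAD_NAMES = {"gmain", "gdbus", "pool-spawner", "gum-js-loop"}
FRIDA_DEFAULT_PORT = 27042
TCP_LISTEN = "0A"  # value of the "st" column in /proc/net/tcp


def scan_maps(maps_text):
    """Return pathnames in /proc/self/maps content whose name carries a marker."""
    hits = []
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)  # addr perms offset dev inode [pathname]
        path = fields[5] if len(fields) == 6 else ""
        if any(marker in path.lower() for marker in MAP_MARKERS):
            hits.append(path)
    return hits


def scan_threads(comm_names):
    """Return thread names (/proc/self/task/*/comm) matching GLib/Frida worker names."""
    return sorted(set(comm_names) & GLIB_THREAD_NAMES)


def default_port_listening(proc_net_tcp):
    """True if a /proc/net/tcp table shows a LISTEN socket on frida-server's default port."""
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        port = int(fields[1].rsplit(":", 1)[1], 16)  # local_address is hex "ip:port"
        if port == FRIDA_DEFAULT_PORT and fields[3] == TCP_LISTEN:
            return True
    return False


# Constructed samples: an injected agent mapping, a GLib worker thread, a listener on 27042 (0x69A2).
SAMPLE_MAPS = (
    "7f1000000000-7f1000001000 r-xp 00000000 fd:00 1234 /system/lib64/libc.so\n"
    "7f2000000000-7f2000a00000 r-xp 00000000 00:00 0 /memfd:frida-agent-64.so (deleted)\n"
    "7f3000000000-7f3000100000 r--p 00000000 fd:00 5678 /data/app/com.example.app/lib/arm64/libfoo.so\n"
)
SAMPLE_THREADS = ["main", "RenderThread", "gmain", "Binder:1234_1"]
SAMPLE_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:69A2 00000000:0000 0A 00000000:00000000 00:00000000 00000000  2000        0 12345\n"
)

if __name__ == "__main__":
    print(scan_maps(SAMPLE_MAPS), scan_threads(SAMPLE_THREADS), default_port_listening(SAMPLE_NET_TCP))
    # After the stealth build renames the memfd label to jit-cache, the same grep finds nothing:
    print(scan_maps(SAMPLE_MAPS.replace("frida-agent-64.so", "jit-cache")))
```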

Build/usage (Android arm64 example):

python3 build.py --version 17.7.2 --name myserver --port 27142 --extended --verify
adb push output/myserver-server-17.7.2-android-arm64 /data/local/tmp/myserver-server
adb shell chmod 755 /data/local/tmp/myserver-server
adb shell /data/local/tmp/myserver-server -D &
adb forward tcp:27142 tcp:27142
frida -H 127.0.0.1:27142 -f com.example.app

Flags: --skip-build (patch only), --skip-clone, --arch, --ndk-path, --temp-fixes; WSL helper: wsl -d Ubuntu bash build-wsl.sh.

Step 1 - Quick win: hide root with Magisk DenyList

  • Enable Zygisk in Magisk
  • Enable DenyList and add the target package
  • Reboot and retest

Many apps only check the obvious indicators (su/Magisk paths/getprop). DenyList often defeats the basic checks.

References:

  • Magisk (Zygisk & DenyList): https://github.com/topjohnwu/Magisk

Play Integrity / Zygisk detections (post‑SafetyNet)

Newer banking/ID apps combine runtime checks with Google Play Integrity (the SafetyNet replacement) and may also crash if Zygisk itself is present. Quick triage tips:

  • Temporarily disable Zygisk (toggle off + reboot) and retest; some apps crash as soon as Zygote injection kicks in.
  • If attestation blocks login, patch Google Play Services with PlayIntegrityFix/Fork + TrickyStore, or use ReZygisk/Zygisk-Next during testing only. Keep the target on the DenyList and avoid LSPosed modules that leak props.
  • For one-off operations, use KernelSU/APatch (no Zygote injection) to stay below Zygisk heuristics, then attach Frida.

Step 2 - 30-second Frida Codeshare tests

Try the common drop-in scripts before digging deeper:

  • anti-root-bypass.js
  • anti-frida-detection.js
  • hide_frida_gum.js

Example:

frida -U -f com.example.app -l anti-frida-detection.js

These typically stub the Java root/debug checks, process/service scans, and native ptrace(). They help on lightly protected apps; hardened targets may need customized hooks.

  • Codeshare: https://codeshare.frida.re/

Automate with Medusa (Frida framework)

Medusa provides 90+ ready-made modules for SSL unpinning, root/emulator detection bypass, HTTP comms logging, crypto key interception, and much more.

git clone https://github.com/Ch0pin/medusa
cd medusa
pip install -r requirements.txt
python medusa.py

# Example interactive workflow
show categories
use http_communications/multiple_unpinner
use root_detection/universal_root_detection_bypass
run com.target.app

Tip: Medusa is good for quick wins before writing custom hooks. You can also cherry-pick modules and combine them with your own scripts.

Step 3 - Sidestep init-time detectors by attaching late

Many detections only run during process spawn/onCreate(). Spawn-time injection (-f) or gadgets get detected; attaching after the UI has loaded can slip past them.

# Launch the app normally (launcher/adb), wait for UI, then attach
frida -U -n com.example.app
# Or with Objection to attach to the running process
objection --gadget com.example.app explore  # if using gadget

If this works, keep the session stable, then proceed to map and stub the checks.

Step 4 - Map the detection logic via Jadx and string search

Static triage keywords in Jadx:

  • “frida”, “gum”, “root”, “magisk”, “ptrace”, “su”, “getprop”, “debugger”

Common Java patterns:

public boolean isFridaDetected() {
    return getRunningServices().contains("frida");
}

Common APIs to inspect/hook:

  • android.os.Debug.isDebuggerConnected
  • android.app.ActivityManager.getRunningAppProcesses / getRunningServices
  • java.lang.System.loadLibrary / System.load (native bridge)
  • java.lang.Runtime.exec / ProcessBuilder (probing commands)
  • android.os.SystemProperties.get (root/emulator heuristics)

Step 5 - Runtime stubbing with Frida (Java)

Override custom guards to return safe values without repacking:

Java.perform(() => {
    const Checks = Java.use('com.example.security.Checks');
    Checks.isFridaDetected.implementation = function () { return false; };

    // Neutralize debugger checks
    const Debug = Java.use('android.os.Debug');
    Debug.isDebuggerConnected.implementation = function () { return false; };

    // Example: kill ActivityManager scans (Java classes must be resolved via Java.use, there is no java.* global)
    const AM = Java.use('android.app.ActivityManager');
    const Collections = Java.use('java.util.Collections');
    AM.getRunningAppProcesses.implementation = function () { return Collections.emptyList(); };
});

Investigating early crashes? Dump the loaded classes just before the crash to spot likely detection namespaces:

Java.perform(() => {
    Java.enumerateLoadedClasses({
        onMatch: n => console.log(n),
        onComplete: () => console.log('Done')
    });
});

Short root-detection stub example (adjust to the target's package/class names):

Java.perform(() => {
    try {
        const RootChecker = Java.use('com.target.security.RootCheck');
        RootChecker.isDeviceRooted.implementation = function () { return false; };
    } catch (e) {}
});

Log and disable suspicious methods to confirm the execution flow:

Java.perform(() => {
    const Det = Java.use('com.example.security.DetectionManager');
    Det.checkFrida.implementation = function () {
        console.log('checkFrida() called');
        return false;
    };
});

Evading emulator/VM detection (Java stubs)

Common heuristics: Build.FINGERPRINT/MODEL/MANUFACTURER/HARDWARE containing generic/goldfish/ranchu/sdk; QEMU artefacts such as /dev/qemu_pipe and /dev/socket/qemud; the default MAC 02:00:00:00:00:00; 10.0.2.x NAT addressing; missing telephony/sensors.

Quick spoofing of the Build fields:

Java.perform(function(){
    var Build = Java.use('android.os.Build');
    // Static fields are overwritten in place with plausible device strings
    Build.MODEL.value = 'Pixel 7 Pro';
    Build.MANUFACTURER.value = 'Google';
    Build.BRAND.value = 'google';
    Build.FINGERPRINT.value = 'google/panther/panther:14/UP1A.231105.003/1234567:user/release-keys';
});

Complement this with stubs for file-presence checks and identifiers (TelephonyManager.getDeviceId/SubscriberId, WifiInfo.getMacAddress, SensorManager.getSensorList) so that they return realistic values.
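Added example (not from the page): a Python scorer for the emulator heuristics just listed, run over a constructed AVD-like profile and over the same profile after only the Build fields have been spoofed, to show which indicators the Build hook above leaves untouched; the profile layout, field names and sample values are assumptions made for this example.

```python
import ipaddress

# The heuristics listed above, as an app-side check would encode them (constructed for this example).
BUILD_MARKERS = ("generic", "goldfish", "ranchu", "sdk")
QEMU_ARTEFACTS = ("/dev/qemu_pipe", "/dev/socket/qemud")
DEFAULT_EMULATOR_MAC = "02:00:00:00:00:00"
EMULATOR_NAT = ipaddress.ip_network("10.0.2.0/24")


def emulator_indicators(device):
    """Return the heuristics a device profile trips; an empty list means 'looks like real hardware'."""
    hits = []
    for field in ("FINGERPRINT", "MODEL", "MANUFACTURER", "HARDWARE"):
        if any(marker in device["build"].get(field, "").lower() for marker in BUILD_MARKERS):
            hits.append(f"build:{field}")
    hits += [f"file:{path}" for path in QEMU_ARTEFACTS if path in device["files"]]
    if device["mac"] == DEFAULT_EMULATOR_MAC:
        hits.append("net:default_mac")
    if ipaddress.ip_address(device["ip"]) in EMULATOR_NAT:
        hits.append("net:qemu_nat")
    if not device["has_telephony"]:
        hits.append("hw:no_telephony")
    if device["sensor_count"] == 0:
        hits.append("hw:no_sensors")
    return hits


def spoof_build_only(device):
    """Copy of a profile with only the Build fields replaced, mirroring what the Java hook above changes."""
    spoofed = dict(device)
    spoofed["build"] = {
        "FINGERPRINT": "google/panther/panther:14/UP1A.231105.003/1234567:user/release-keys",
        "MODEL": "Pixel 7 Pro", "MANUFACTURER": "Google", "HARDWARE": "panther",
    }
    return spoofed


# Constructed AVD-like profile (illustrative values, not captured from a device)
EMULATOR = {
    "build": {
        "FINGERPRINT": "google/sdk_gphone64_arm64/emu64a:14/UE1A.000000.000/0000000:user/release-keys",
        "MODEL": "sdk_gphone64_arm64", "MANUFACTURER": "Google", "HARDWARE": "ranchu",
    },
    "files": {"/dev/qemu_pipe", "/dev/socket/qemud"},
    "mac": "02:00:00:00:00:00", "ip": "10.0.2.15",
    "has_telephony": False, "sensor_count": 0,
}

if __name__ == "__main__":
    print(emulator_indicators(EMULATOR))
    print(emulator_indicators(spoof_build_only(EMULATOR)))  # file/network/hardware hits remain
```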

SSL pinning bypass quick hook (Java)

Neutralize custom TrustManagers and force permissive SSL contexts:

Java.perform(function(){
    var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
    var SSLContext = Java.use('javax.net.ssl.SSLContext');

    // X509TrustManager is an interface: it has no method bodies to hook and cannot be
    // instantiated with $new(), so register a concrete class whose validations are no-ops
    var PermissiveTrustManager = Java.registerClass({
        name: 'com.example.frida.PermissiveTrustManager',
        implements: [X509TrustManager],
        methods: {
            checkClientTrusted: function(chain, authType) { },
            checkServerTrusted: function(chain, authType) { },
            getAcceptedIssuers: function() { return []; }
        }
    });

    // Force the permissive TrustManager into every SSLContext the app initializes
    var TrustManagers = [ PermissiveTrustManager.$new() ];
    var SSLContextInit = SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;','[Ljavax.net.ssl.TrustManager;','java.security.SecureRandom');
    SSLContextInit.implementation = function(km, tm, sr){
        return SSLContextInit.call(this, km, TrustManagers, sr);
    };
});

Notes

  • Extend to OkHttp: hook okhttp3.CertificatePinner and HostnameVerifier where needed, or use a universal unpinning script from CodeShare.
  • Example run: frida -U -f com.target.app -l ssl-bypass.js --no-pause

OkHttp4 / gRPC / Cronet pinning (2024+)

Modern stacks pin inside newer APIs (OkHttp4+, gRPC over Cronet/BoringSSL). Add these hooks when the basic SSLContext hook stalls:

Java.perform(() => {
    try {
        const Pinner = Java.use('okhttp3.CertificatePinner');
        Pinner.check.overload('java.lang.String', 'java.util.List').implementation = function(){};
        Pinner.check$okhttp.implementation = function(){};
    } catch (e) {}

    try {
        const CronetB = Java.use('org.chromium.net.CronetEngine$Builder');
        CronetB.enablePublicKeyPinningBypassForLocalTrustAnchors.overload('boolean').implementation = function(){ return this; };
        // Cronet's pin-setting builder method is addPublicKeyPins(String, Set<byte[]>, boolean, Date)
        CronetB.addPublicKeyPins.overload('java.lang.String', 'java.util.Set', 'boolean', 'java.util.Date').implementation = function(){ return this; };
    } catch (e) {}
});

If TLS still fails, drop down to native and patch the BoringSSL verification points used by Cronet/gRPC:

const customVerify = Module.findExportByName(null, 'SSL_CTX_set_custom_verify');
if (customVerify) {
    Interceptor.attach(customVerify, {
        onEnter(args){
            // arg0 = SSL_CTX*, arg1 = mode, arg2 = callback
            args[1] = ptr(0); // SSL_VERIFY_NONE
            args[2] = NULL;   // disable callback
        }
    });
}

Step 6 - Follow the JNI/native trail when Java hooks fail

Trace JNI entry points to identify native loaders and detection init:

frida-trace -n com.example.app -i "JNI_OnLoad"

Quick native triage of the bundled .so files:

# List exported symbols & JNI
nm -D libfoo.so | head
objdump -T libfoo.so | grep Java_
strings -n 6 libfoo.so | egrep -i 'frida|ptrace|gum|magisk|su|root'

Interactive/native reversing:

  • Ghidra: https://ghidra-sre.org/
  • r2frida: https://github.com/nowsecure/r2frida

Example: neuter ptrace to defeat simple anti-debug in libc:

const ptrace = Module.findExportByName(null, 'ptrace');
if (ptrace) {
    Interceptor.replace(ptrace, new NativeCallback(function () {
        return -1; // pretend failure
    }, 'int', ['int', 'int', 'pointer', 'pointer']));
}

See also: Reversing Native Libraries

Step 7 - Objection patching (embed gadget / strip basics)

When you prefer repacking over runtime hooks, try:

objection patchapk --source app.apk

Notes:

  • Requires apktool; make sure you have a current version from the official guide to avoid build problems: https://apktool.org/docs/install
  • Gadget injection allows instrumentation without root, but strict init-time checks can still catch it.

Optionally, add LSPosed modules and Shamiko for stronger root hiding in Zygisk environments, and adjust the DenyList so that it also covers child processes.

For a complete workflow covering script-mode Gadget configuration and embedding a Frida 17+ agent inside an APK, see:

Frida Tutorial — Self-contained agent + Gadget embedding

References:

  • Objection: https://github.com/sensepost/objection

Step 8 - Alternative: patch TLS pinning for network visibility

If instrumentation is blocked, you can still inspect traffic by removing the pinning statically:

apk-mitm app.apk
# Then install the patched APK and proxy via Burp/mitmproxy

  • Tool: https://github.com/shroudedcode/apk-mitm
  • For network-config CA-trust techniques (and Android 7+ user CA trust), see:

Make APK Accept CA Certificate

Install Burp Certificate

Key commands summary

# List processes and attach
frida-ps -Uai
frida -U -n com.example.app

# Spawn with a script (may trigger detectors)
frida -U -f com.example.app -l anti-frida-detection.js

# Trace native init
frida-trace -n com.example.app -i "JNI_OnLoad"

# Objection runtime
objection --gadget com.example.app explore

# Static TLS pinning removal
apk-mitm app.apk

Universal proxy forcing + TLS unpinning (HTTP Toolkit Frida hooks)

Modern apps often ignore system proxies and use several layers of pinning (Java + native), which makes traffic capture hard even when user/system CAs are installed. A practical approach is to combine universal TLS unpinning with proxy forcing via ready-made Frida hooks, and route everything through mitmproxy/Burp.

Workflow

  • Run mitmproxy on your host (or Burp). Make sure the device can reach the host IP/port.
  • Load HTTP Toolkit's bundled Frida hooks to perform TLS unpinning and force proxy use across the common stacks (OkHttp/OkHttp3, HttpsURLConnection, Conscrypt, WebView, etc.). This bypasses CertificatePinner/TrustManager checks and overrides proxy selectors, so traffic is always sent through your proxy even if the app has disabled explicit proxies.
  • Launch the target app with Frida and the hook script, then record the requests in mitmproxy.

Example

# Device connected via ADB or over network (-U)
# See the repo for the exact script names & options
frida -U -f com.vendor.app \
    -l ./android-unpinning-with-proxy.js \
    --no-pause

# mitmproxy listening locally
mitmproxy -p 8080

Notes

  • Combine with a system-wide proxy via adb shell settings put global http_proxy <host>:<port> where possible. The Frida hooks ensure the proxy is used even when apps skip the system settings.
  • This approach is useful when you need to MITM a mobile-to-IoT onboarding flow, where pinning/proxy evasion is common.
  • Hooks: https://github.com/httptoolkit/frida-interception-and-unpinning
