Android Anti-Instrumentation & SSL Pinning Bypass (Frida/Objection)

This page gives a practical workflow for regaining dynamic analysis against Android apps that detect or block instrumentation on rooted devices, or that enforce TLS pinning. It focuses on fast triage, the detections you will meet most often, and copy-paste hooks and tactics that bypass them without repacking wherever possible.

Detection Surface (what apps check)

  • Root checks: su binary, Magisk paths, getprop values, common root packages
  • Frida/debugger checks (Java): Debug.isDebuggerConnected(), ActivityManager.getRunningAppProcesses(), getRunningServices(), scanning /proc, classpath, loaded libs
  • Native anti‑debug: ptrace(), syscalls, anti‑attach, breakpoints, inline hooks
  • Early init checks: Application.onCreate() or process-start hooks that crash if instrumentation is present
  • TLS pinning: custom TrustManager/HostnameVerifier, OkHttp CertificatePinner, Conscrypt pinning, native pins

Bypassing Anti-Frida Detection / Stealth Frida Servers

phantom-frida rebuilds Frida from source and applies roughly 90 patches so that the usual Frida fingerprints disappear while the stock Frida wire protocol stays compatible (frida-tools can still connect). Target: apps that grep /proc (cmdline, maps, task comm, fd readlink), D-Bus service names, default ports, or exported symbols.

Phases:

  • Source patches: global rename of frida identifiers (server/agent/helper) and a rebuilt helper DEX with a renamed Java package.
  • Targeted build/runtime patches: meson tweaks, memfd label changed to jit-cache, SELinux labels (e.g. frida_file) renamed, libc exit/signal hooks dropped so hook detectors see no side effects.
  • Post-build rename: the exported symbol frida_agent_main is renamed after the first compilation (Vala emits it), which requires a second, incremental build.
  • Binary hex patches: thread names (gmain, gdbus, pool-spawner) renamed; an optional sweep removes leftover frida/Frida strings.

Detection vectors covered:

  • Base (1–8): process name frida-server, mapped libfrida-agent.so, thread names, memfd label, exported frida_agent_main, SELinux labels, libc hook side effects, and the D-Bus service re.frida.server are renamed or otherwise made unrecognizable.
  • Extended (9–16): change the listening port (--port), rename D-Bus interfaces/internal C symbols/GType names, temp paths such as .frida/frida-, sweep binary strings, rename build-time defines and asset paths (libdir/frida). D-Bus interface names that are part of the wire protocol stay unchanged in base mode so stock clients keep working.

Build / usage (Android arm64 example):

python3 build.py --version 17.7.2 --name myserver --port 27142 --extended --verify
adb push output/myserver-server-17.7.2-android-arm64 /data/local/tmp/myserver-server
adb shell chmod 755 /data/local/tmp/myserver-server
adb shell /data/local/tmp/myserver-server -D &
adb forward tcp:27142 tcp:27142
frida -H 127.0.0.1:27142 -f com.example.app

Flags: --skip-build (patch only), --skip-clone, --arch, --ndk-path, --temp-fixes; WSL helper: wsl -d Ubuntu bash build-wsl.sh.
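To confirm a renamed server really defeats the base vectors above, it helps to run the same checks an app runs. The following is an added example (not part of phantom-frida or Frida) implementing the /proc-based fingerprints as plain JavaScript: parse /proc/net/tcp for a listener on the default port, grep the maps for the agent library, and match the well-known thread names. The /proc contents, library paths and thread lists embedded below are constructed samples, not captures from a real device; the default port 27042 and the renamed port 27142 come from the build line above.

```javascript
// Added example: the base-mode Frida fingerprints as pure functions.
// Feed them the contents of the files pulled with `adb shell cat` and a
// renamed server should produce no hits while a stock one lights up.

const DEFAULT_FRIDA_PORT = 27042;

// Parse /proc/net/tcp (or tcp6) and return local ports in LISTEN state (st == 0A).
// Ports are hex in the local_address column, e.g. 00000000:69A2 -> 27042.
function listeningPorts(procNetTcp) {
  const ports = [];
  for (const line of procNetTcp.split('\n').slice(1)) { // skip the header row
    const cols = line.trim().split(/\s+/);
    if (cols.length < 4) continue;
    const [, localAddr, , state] = cols;
    if (state !== '0A') continue; // 0A = TCP_LISTEN
    ports.push(parseInt(localAddr.split(':')[1], 16));
  }
  return ports;
}

// Apply the base detection vectors to the given file contents and return the
// vectors that fired. `comm` is the list of /proc/<pid>/task/*/comm names.
function fridaIndicators({ procNetTcp = '', maps = '', comm = [], cmdline = '', port = DEFAULT_FRIDA_PORT }) {
  const hits = [];
  if (listeningPorts(procNetTcp).includes(port)) hits.push(`port ${port} listening`);
  if (/frida-agent|frida-gadget|linjector/i.test(maps)) hits.push('frida library mapped');
  if (/frida/i.test(cmdline)) hits.push('frida in cmdline');
  for (const name of comm) {
    // gmain/gdbus/pool-spawner are the names phantom-frida patches; gum-js-loop is the JS runtime thread
    if (/^(gmain|gdbus|gum-js-loop|pool-spawner)$/.test(name)) hits.push(`thread ${name}`);
  }
  return hits;
}

// Constructed sample: a stock frida-server listening on 27042 plus an unrelated socket.
const SAMPLE_PROC_NET_TCP = [
  '  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode',
  '   0: 00000000:69A2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0',
  '   1: 0100007F:1F90 0100007F:C3A2 01 00000000:00000000 00:00000000 00000000 10123        0 12346 1 0000000000000000 20 4 30 10 -1',
].join('\n');

// Stock server: every base vector fires (port, mapped lib, cmdline, two thread names).
function stockServerHits() {
  return fridaIndicators({
    procNetTcp: SAMPLE_PROC_NET_TCP,
    maps: '7f0000000000-7f0000100000 r-xp 00000000 fd:00 1 /data/local/tmp/re.frida.server/frida-agent-64.so',
    comm: ['gmain', 'gdbus', 'main'],
    cmdline: 'frida-server',
  });
}

// Renamed server on 27142 (0x6A06) with renamed library and threads: nothing fires.
function renamedServerHits() {
  return fridaIndicators({
    procNetTcp: SAMPLE_PROC_NET_TCP.replace('69A2', '6A06'),
    maps: '7f0000000000-7f0000100000 r-xp 00000000 fd:00 1 /data/local/tmp/myserver/myserver-agent-64.so',
    comm: ['main', 'worker'],
    cmdline: 'myserver-server',
  });
}

console.log('stock:', stockServerHits());
console.log('renamed:', renamedServerHits());
```

Run it with node on the host after pulling the files; an app using the extended vectors (D-Bus names, GType names, .frida temp paths) needs the `--extended` build and checks that go beyond these four.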

Step 1 — Quick win: hide root with Magisk DenyList

  • Enable Zygisk in Magisk
  • Enable DenyList and add the target package
  • Reboot and retry

Many apps only check visible indicators (su/Magisk paths/getprop). DenyList often removes these basic checks on its own.

References:

  • Magisk (Zygisk & DenyList): https://github.com/topjohnwu/Magisk

Play Integrity / Zygisk detection (post‑SafetyNet)

Newer banking/identity apps combine runtime checks with Google Play Integrity (the SafetyNet replacement) and may also crash when Zygisk itself is present. Quick triage tips:

  • Temporarily disable Zygisk (toggle off + reboot) and retry; some apps crash as soon as Zygote injection starts.
  • If attestation blocks login, patch Google Play Services with PlayIntegrityFix/Fork + TrickyStore, or use ReZygisk/Zygisk‑Next only while testing. Keep the target on the DenyList and avoid LSPosed modules that leak props.
  • For one-off runs, use KernelSU/APatch (no Zygote injection) to stay below the Zygisk heuristics, then attach Frida.

Step 2 — 30-second Frida Codeshare trials

Try the common drop‑in scripts before digging deeper:

  • anti-root-bypass.js
  • anti-frida-detection.js
  • hide_frida_gum.js

Example:

frida -U -f com.example.app -l anti-frida-detection.js

These typically stub the Java root/debug checks, process/service scans, and native ptrace(). They work on lightly protected apps; hardened targets usually need custom hooks.

  • Codeshare: https://codeshare.frida.re/

Automate with Medusa (Frida framework)

Medusa ships 90+ ready-made modules for SSL unpinning, root/emulator detection bypass, HTTP comms logging, crypto key interception, and more.

git clone https://github.com/Ch0pin/medusa
cd medusa
pip install -r requirements.txt
python medusa.py

# Example interactive workflow
show categories
use http_communications/multiple_unpinner
use root_detection/universal_root_detection_bypass
run com.target.app

Tip: Medusa is good for quick wins before writing custom hooks. You can also cherry-pick modules and combine them with your own scripts.

Automate with Auto-Frida (spawn-mode + consolidated hooks)

Auto-Frida is a Frida automation toolkit aimed at repeatable setup plus auto-detection of protections and generation of one consolidated bypass script. It helps when apps run their checks very early or when several bypass modules would otherwise hook the same API twice.

Key automation ideas:

  • Spawn-mode analysis to install hooks before Application.onCreate() so early SSL pinning, root, emulator, or anti-Frida checks are caught.
  • Protection detection + auto-bypass: detection results drive generation of a single consolidated script that hooks each Java method/native symbol once, reducing crashes caused by overlapping hooks.
  • Frida server lifecycle checks: verify server health (process + port 27042 + frida-ps handshake) before downloading/restarting so runs proceed reliably.

Quick start:

git clone https://github.com/ommirkute/Auto-Frida.git
cd Auto-Frida
pip install -r requirements.txt
python auto_frida.py

Notes

  • Auto-Frida can install frida/frida-tools automatically if they are missing and supports multi-device selection.
  • Generated scripts can be run immediately or combined with your own hooks after analysis.

Step 3 — Bypass init-time detectors by attaching late

Most detection runs only at process spawn/onCreate(). Spawn‑time injection (-f) or gadgets get caught there; attaching after the UI has loaded can pass undetected.

# Launch the app normally (launcher/adb), wait for the UI, then attach
frida -U -n com.example.app
# Or with Objection, attach to the running process
objection --gadget com.example.app explore  # if using gadget

If this works, make sure the session stays stable, then move on to mapping and stubbing the checks.

Step 4 — Map the detection logic with Jadx and string searches

Keywords for static triage in Jadx:

  • “frida”, “gum”, “root”, “magisk”, “ptrace”, “su”, “getprop”, “debugger”

Typical Java pattern:

public boolean isFridaDetected() {
return getRunningServices().contains("frida");
}

Common APIs to review/hook:

  • android.os.Debug.isDebuggerConnected
  • android.app.ActivityManager.getRunningAppProcesses / getRunningServices
  • java.lang.System.loadLibrary / System.load (native bridge)
  • java.lang.Runtime.exec / ProcessBuilder (probing commands)
  • android.os.SystemProperties.get (root/emulator heuristics)
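Static searching tells you which APIs exist; it does not tell you which ones the app actually calls at startup, or in what order. The following is an added example (not from the page's sources) of a Frida script that traces those calls at runtime: it hooks the file-existence, file-open, Runtime.exec and SystemProperties.get paths listed above and tags each observed probe as a root, Frida, debugger or emulator check. The classifier is plain JavaScript and runs offline; the hooks only run inside Frida. The indicator regexes and the class name com.example.app are assumptions for illustration, and the hooked Android/Java classes and overloads are real.

```javascript
// Added example: runtime tracer for detection probes.
// Usage: frida -U -f com.example.app -l probe-tracer.js  (or attach with -n)

const INDICATORS = {
  root: [/(^|[\s\/])su$/, /magisk/i, /supersu/i, /busybox/i, /\/xbin\//, /ro\.debuggable/, /ro\.secure/, /test-keys/],
  frida: [/frida/i, /\/proc\/.*\/(maps|status|task|fd)/, /\/proc\/net\/tcp/, /27042/, /linjector/, /gum-js/],
  debugger: [/TracerPid/, /ptrace/],
  emulator: [/goldfish/, /ranchu/, /qemu/i, /genymotion/i, /ro\.kernel\.qemu/, /ro\.hardware/, /ro\.product\.model/],
};

// Classify one observed probe (a path, shell command or property name) into a
// detection family; the first family whose pattern matches wins.
function classifyProbe(value) {
  for (const [family, patterns] of Object.entries(INDICATORS)) {
    if (patterns.some((re) => re.test(value))) return family;
  }
  return 'other';
}

// Count probes per family so you can see which checks dominate before stubbing.
function summarizeProbes(values) {
  const summary = {};
  for (const v of values) {
    const f = classifyProbe(v);
    summary[f] = (summary[f] || 0) + 1;
  }
  return summary;
}

if (typeof Java !== 'undefined') {
  Java.perform(() => {
    const log = (kind, value) => console.log(`[${classifyProbe(value)}] ${kind}: ${value}`);

    // File presence checks: su binaries, Magisk paths, QEMU artifacts, /proc entries.
    // Calling this.exists() inside the implementation invokes the original method.
    const File = Java.use('java.io.File');
    File.exists.implementation = function () {
      log('File.exists', this.getAbsolutePath());
      return this.exists();
    };

    // Files opened for reading (/proc/self/maps, /proc/net/tcp, /proc/self/status).
    // FileInputStream(String) delegates to FileInputStream(File), so one hook covers both.
    const FIS = Java.use('java.io.FileInputStream');
    FIS.$init.overload('java.io.File').implementation = function (f) {
      log('open', f.getAbsolutePath());
      return this.$init(f);
    };

    // Shell probes such as `which su`, `getprop`, `ps`.
    const Runtime = Java.use('java.lang.Runtime');
    Runtime.exec.overload('java.lang.String').implementation = function (cmd) {
      log('Runtime.exec', cmd);
      return this.exec(cmd);
    };
    Runtime.exec.overload('[Ljava.lang.String;').implementation = function (cmd) {
      log('Runtime.exec', cmd.join(' '));
      return this.exec(cmd);
    };

    // System property reads used for root/emulator heuristics.
    const SP = Java.use('android.os.SystemProperties');
    SP.get.overload('java.lang.String').implementation = function (key) {
      const v = this.get(key);
      log('SystemProperties.get', `${key}=${v}`);
      return v;
    };
  });
}
```

Once the log shows which family fires first (and from which stack, if you add Java.use('android.util.Log').getStackTraceString), you know which class to stub in the next step instead of guessing.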

Step 5 — Runtime stubbing with Frida (Java)

Override custom guards to return safe values without repacking:

Java.perform(() => {
  const Checks = Java.use('com.example.security.Checks');
  Checks.isFridaDetected.implementation = function () { return false; };

  // Neutralize debugger checks
  const Debug = Java.use('android.os.Debug');
  Debug.isDebuggerConnected.implementation = function () { return false; };

  // Example: kill ActivityManager scans. `java.util.Collections` is not a JS global
  // inside Frida, so build the empty Java list through Java.use instead.
  const AM = Java.use('android.app.ActivityManager');
  const ArrayList = Java.use('java.util.ArrayList');
  AM.getRunningAppProcesses.implementation = function () { return ArrayList.$new(); };
});

Chasing early crashes? Dump the loaded classes just before the crash to discover likely detection namespaces:

Java.perform(() => {
Java.enumerateLoadedClasses({
onMatch: n => console.log(n),
onComplete: () => console.log('Done')
});
});

Short root-detection stub (adjust to the target's package/class names):

Java.perform(() => {
try {
const RootChecker = Java.use('com.target.security.RootCheck');
RootChecker.isDeviceRooted.implementation = function () { return false; };
} catch (e) {}
});

Log and disable suspicious methods to confirm the execution flow:

Java.perform(() => {
const Det = Java.use('com.example.security.DetectionManager');
Det.checkFrida.implementation = function () {
console.log('checkFrida() called');
return false;
};
});

Bypass emulator/VM detection (Java stubs)

Common heuristics: Build.FINGERPRINT/MODEL/MANUFACTURER/HARDWARE containing generic/goldfish/ranchu/sdk; QEMU artifacts such as /dev/qemu_pipe and /dev/socket/qemud; the default MAC 02:00:00:00:00:00; 10.0.2.x NAT addressing; missing telephony/sensors.

Short spoof of the Build fields:

Java.perform(function(){
var Build = Java.use('android.os.Build');
Build.MODEL.value = 'Pixel 7 Pro';
Build.MANUFACTURER.value = 'Google';
Build.BRAND.value = 'google';
Build.FINGERPRINT.value = 'google/panther/panther:14/UP1A.231105.003/1234567:user/release-keys';
});

Add stubs for the file-presence checks and the identifiers (TelephonyManager.getDeviceId/SubscriberId, WifiInfo.getMacAddress, SensorManager.getSensorList) so they return realistic values.
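The Build spoof alone is rarely enough, because the same detectors also probe QEMU device nodes and pull identifiers. The following is an added example (not from the page's sources) that covers those remaining heuristics: it hides the emulator artifact paths, returns constructed but well-formed identifiers (the IMEI passes the Luhn check that some detectors apply), and logs the sensor queries so you can decide whether a fake sensor list is needed. The helper functions are plain JavaScript and run offline; the hooks only run inside Frida. All artifact paths, identifier values and the carrier name are constructed placeholders, and the Android APIs hooked are real.

```javascript
// Added example: emulator-detection stubs beyond Build.* spoofing.
// Usage: frida -U -f com.example.app -l emu-stubs.js

// Paths that emulator detectors typically test with File.exists()/File.canRead().
const EMULATOR_ARTIFACTS = [
  '/dev/qemu_pipe', '/dev/socket/qemud', '/dev/socket/genyd', '/dev/socket/baseband_genyd',
  '/system/lib/libc_malloc_debug_qemu.so', '/system/bin/qemu-props', '/sys/qemu_trace',
];

// Constructed placeholder identifiers (no real device values).
const FAKE_IDENTIFIERS = {
  imei: '356938035643809',   // 15 digits, valid Luhn check digit
  imsi: '310260000000000',
  mac: '3c:28:6d:aa:bb:cc',  // anything but the 02:00:00:00:00:00 placeholder
  phone: '+15551234567',
};

// True if a path is a known emulator artifact or carries an emulator marker in its name.
function isEmulatorArtifact(path) {
  return EMULATOR_ARTIFACTS.includes(path) || /qemu|goldfish|ranchu|genymotion|vbox/i.test(path);
}

// The emulator NAT hands out 10.0.2.x; a spoofed address should avoid that range.
function isEmulatorNatAddress(ip) {
  return /^10\.0\.2\.\d{1,3}$/.test(ip);
}

// Luhn check as applied to IMEIs: some detectors reject identifiers that fail it.
function luhnValid(digits) {
  let sum = 0;
  for (let i = digits.length - 1, double = false; i >= 0; i--, double = !double) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

if (typeof Java !== 'undefined') {
  Java.perform(() => {
    // Hide QEMU/Genymotion device nodes from existence checks; everything else passes through.
    const File = Java.use('java.io.File');
    File.exists.implementation = function () {
      const p = this.getAbsolutePath();
      if (isEmulatorArtifact(p)) { console.log('[emu] hiding ' + p); return false; }
      return this.exists();
    };

    // Identifier spoofs. The no-arg overloads are selected explicitly because these
    // methods also have (int slot) variants and Frida refuses to hook an ambiguous name.
    const TM = Java.use('android.telephony.TelephonyManager');
    TM.getDeviceId.overload().implementation = function () { return FAKE_IDENTIFIERS.imei; };
    TM.getSubscriberId.overload().implementation = function () { return FAKE_IDENTIFIERS.imsi; };
    TM.getLine1Number.overload().implementation = function () { return FAKE_IDENTIFIERS.phone; };
    TM.getNetworkOperatorName.overload().implementation = function () { return 'T-Mobile'; }; // constructed

    const WifiInfo = Java.use('android.net.wifi.WifiInfo');
    WifiInfo.getMacAddress.implementation = function () { return FAKE_IDENTIFIERS.mac; };

    // Sensor checks: log what is requested and how many sensors the image reports,
    // so you know whether an empty list is what trips the detector.
    const SM = Java.use('android.hardware.SensorManager');
    SM.getSensorList.implementation = function (type) {
      const list = this.getSensorList(type);
      console.log('[emu] getSensorList(' + type + ') -> ' + list.size() + ' sensors');
      return list;
    };
  });
}
```

Leave the sensor hook as a pass-through until the trace shows the app rejecting an empty list; fabricating android.hardware.Sensor objects is rarely worth it when a physical device is available.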

SSL pinning bypass quick hook (Java)

Replace custom TrustManagers and force permissive SSL contexts:

Java.perform(function () {
  var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
  var SSLContext = Java.use('javax.net.ssl.SSLContext');

  // An interface has no implementation to override and cannot be $new()'d, so
  // register a concrete TrustManager whose checks are no-ops and swap it in.
  var PermissiveTrustManager = Java.registerClass({
    name: 'com.hacktricks.PermissiveTrustManager',
    implements: [X509TrustManager],
    methods: {
      checkClientTrusted: function (chain, authType) {},
      checkServerTrusted: function (chain, authType) {},
      getAcceptedIssuers: function () { return []; }
    }
  });
  var TrustManagers = [PermissiveTrustManager.$new()];

  // Every SSLContext.init() now receives our TrustManager instead of the app's.
  var SSLContextInit = SSLContext.init.overload(
    '[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom');
  SSLContextInit.implementation = function (km, tm, sr) {
    console.log('[*] SSLContext.init() -> injecting permissive TrustManager');
    SSLContextInit.call(this, km, TrustManagers, sr);
  };
});

Notes

  • This only covers code that builds its TLS context through SSLContext.init(). OkHttp's CertificatePinner and custom HostnameVerifiers run after the handshake, so hook okhttp3.CertificatePinner and HostnameVerifier as well where needed, or use a universal unpinning script from CodeShare.
  • Run example: frida -U -f com.target.app -l ssl-bypass.js --no-pause

OkHttp4 / gRPC / Cronet pinning (2024+)

Modern stacks pin inside newer APIs (OkHttp4+, gRPC over Cronet/BoringSSL). Add these hooks when the basic SSLContext hook is not enough:

Java.perform(() => {
  try {
    const Pinner = Java.use('okhttp3.CertificatePinner');
    Pinner.check.overload('java.lang.String', 'java.util.List').implementation = function () {};
    // OkHttp 4 (Kotlin) routes pin checks through check$okhttp(hostname, () -> certs)
    Pinner.check$okhttp.implementation = function () {};
  } catch (e) {}

  try {
    const CronetB = Java.use('org.chromium.net.CronetEngine$Builder');
    // Make local (user-installed) trust anchors bypass Cronet's pin set
    CronetB.enablePublicKeyPinningBypassForLocalTrustAnchors.overload('boolean').implementation = function () {
      return this.enablePublicKeyPinningBypassForLocalTrustAnchors(true);
    };
    // Cronet's pinning entry point is addPublicKeyPins(host, Set<byte[]> pins, includeSubdomains, Date expiry)
    CronetB.addPublicKeyPins.overload('java.lang.String', 'java.util.Set', 'boolean', 'java.util.Date').implementation = function () {
      return this; // drop the pins entirely
    };
  } catch (e) {}
});

If TLS still fails, drop to native and patch the BoringSSL verification entry point used by Cronet/gRPC. This only works when the symbol is exported by the bundled library; statically linked builds that strip it need the function located by signature instead:

// Frida 17 moved the null-module lookup to Module.findGlobalExportByName; fall back on older releases
const resolveExport = (name) => (typeof Module.findGlobalExportByName === 'function')
  ? Module.findGlobalExportByName(name)
  : Module.findExportByName(null, name);

const customVerify = resolveExport('SSL_CTX_set_custom_verify');
if (customVerify) {
  Interceptor.attach(customVerify, {
    onEnter(args) {
      // SSL_CTX_set_custom_verify(SSL_CTX *ctx, int mode, callback)
      args[1] = ptr(0); // SSL_VERIFY_NONE: a failed verification is no longer fatal
      args[2] = NULL;   // drop the app's custom verify callback
    }
  });
}

Step 6 — Follow the JNI/native path when Java hooks fail

Trace JNI entry points to find native loaders and detection init:

frida-trace -n com.example.app -i "JNI_OnLoad"

Quick triage of the bundled native .so libraries:

# List exported symbols & JNI
nm -D libfoo.so | head
objdump -T libfoo.so | grep Java_
strings -n 6 libfoo.so | egrep -i 'frida|ptrace|gum|magisk|su|root'

Interactive/native reversing:

  • Ghidra: https://ghidra-sre.org/
  • r2frida: https://github.com/nowsecure/r2frida

Example: neutralize ptrace to defeat simple libc anti‑debug. Which return value is "safe" depends on the guard: a self-trace via ptrace(PTRACE_TRACEME) expects success and treats failure as "already being traced", while an attach-style probe expects failure, so the stub distinguishes the request:

// Frida 17 moved the null-module lookup to Module.findGlobalExportByName; fall back on older releases
const resolvePtrace = () => (typeof Module.findGlobalExportByName === 'function')
  ? Module.findGlobalExportByName('ptrace')
  : Module.findExportByName(null, 'ptrace');

const ptrace = resolvePtrace();
if (ptrace) {
  // long ptrace(int request, pid_t pid, void *addr, void *data)
  Interceptor.replace(ptrace, new NativeCallback(function (request, pid, addr, data) {
    const PTRACE_TRACEME = 0;
    if (request === PTRACE_TRACEME) return 0; // self-trace "succeeds": no debugger seen
    return -1;                                // every other request pretends to fail
  }, 'long', ['int', 'int', 'pointer', 'pointer']));
}

See also: Reversing Native Libraries

Hatua 7 — Objection patching (embed gadget / strip basics)

When you prefer repacking over runtime hooks, try:

objection patchapk --source app.apk

Notes:

  • Requires apktool; use a recent version from the official guide to avoid build problems: https://apktool.org/docs/install
  • Gadget injection allows instrumentation without root, but stronger init‑time checks can still catch it.

Optionally add the LSPosed and Shamiko modules for stronger root hiding in Zygisk environments, and configure the DenyList so it also covers child processes.

For the full workflow, including script-mode Gadget configuration and bundling a Frida 17+ agent inside the APK, see:

Frida Tutorial — Self-contained agent + Gadget embedding

References:

  • Objection: https://github.com/sensepost/objection

Step 8 — Alternative: strip TLS pinning for network visibility

If instrumentation is blocked, you can still inspect traffic by removing the pinning statically:

apk-mitm app.apk
# Then install the patched APK and proxy via Burp/mitmproxy

  • Tool: https://github.com/shroudedcode/apk-mitm
  • For network-config CA‑trust tricks (and Android 7+ user CA trust), see:

Make APK Accept CA Certificate

Install Burp Certificate

LSPosed/Xposed Hooking Abuse (Telephony/SMS)

On rooted devices, LSPosed/Xposed modules can hook Java telephony/SMS APIs at runtime, keeping the APK unmodified on disk while fully controlling what the app sees. This is commonly abused to bypass SIM‑binding flows that trust local telephony APIs or local SMS provider state.

Key primitives

  • Suppress the outgoing verification SMS while exfiltrating the token by short‑circuiting SmsManager.sendTextMessage in beforeHookedMethod.
  • Spoof the MSISDN/line number by forcing TelephonyManager.getLine1Number() and SubscriptionInfo.getNumber() to return an attacker‑controlled value.
  • Plant a fake “Sent” record in the SMS provider so apps that inspect local SMS history see a successful send even though the carrier never received it.

Example: block SMS dispatch and capture content

XposedHelpers.findAndHookMethod(
"android.telephony.SmsManager",
lpparam.classLoader,
"sendTextMessage",
String.class, String.class, String.class, PendingIntent.class, PendingIntent.class,
new XC_MethodHook() {
protected void beforeHookedMethod(MethodHookParam param) {
String body = (String) param.args[2];
// exfiltrate body to operator channel
param.setResult(null); // suppress real SMS send
}
}
);

Example: spoof the device phone number

XposedHelpers.findAndHookMethod(
"android.telephony.TelephonyManager",
lpparam.classLoader,
"getLine1Number",
new XC_MethodHook() {
protected void afterHookedMethod(MethodHookParam param) {
param.setResult(spoofedMsisdn);
}
}
);
XposedHelpers.findAndHookMethod(
"android.telephony.SubscriptionInfo",
lpparam.classLoader,
"getNumber",
new XC_MethodHook() {
protected void afterHookedMethod(MethodHookParam param) {
param.setResult(spoofedMsisdn);
}
}
);

Example: insert a fake “Sent” SMS record

ContentValues v = new ContentValues();
v.put("address", dest);
v.put("body", body);
v.put("type", 2);   // sent
v.put("status", 0); // success
context.getContentResolver().insert(Uri.parse("content://sms/sent"), v);

Essential command cheat sheet

# List processes and attach
frida-ps -Uai
frida -U -n com.example.app

# Spawn with a script (may trigger detectors)
frida -U -f com.example.app -l anti-frida-detection.js

# Trace native init
frida-trace -n com.example.app -i "JNI_OnLoad"

# Objection runtime
objection --gadget com.example.app explore

# Static TLS pinning removal
apk-mitm app.apk

Universal proxy forcing + TLS unpinning (HTTP Toolkit Frida hooks)

Modern apps often ignore system proxies and enforce several pinning layers (Java + native), which makes traffic capture hard even with user/system CAs installed. A practical approach is to combine universal TLS unpinning with proxy forcing through ready-made Frida hooks, routing everything through mitmproxy/Burp.

Workflow

  • Run mitmproxy on your host (or Burp). Ensure the device can reach the host IP/port.
  • Load HTTP Toolkit's shared Frida hooks to unpin TLS and force proxy use across the common stacks (OkHttp/OkHttp3, HttpsURLConnection, Conscrypt, WebView, etc.). They bypass CertificatePinner/TrustManager checks and override the proxy selectors, so traffic always goes through your proxy even when the app explicitly disables proxies.
  • Launch the target app with Frida and the hook script, and capture the requests in mitmproxy.

Example

# Device connected via ADB or over network (-U)
# See the repo for the exact script names & options
frida -U -f com.vendor.app \
-l ./android-unpinning-with-proxy.js \
--no-pause

# mitmproxy listening locally
mitmproxy -p 8080

Notes

  • Combine with a system-wide proxy via adb shell settings put global http_proxy <host>:<port> where possible. The Frida hooks force proxy use even when apps ignore the system setting.
  • This approach is most useful when you need to MITM mobile-to-IoT onboarding flows, where pinning and proxy avoidance are common.
  • Hooks: https://github.com/httptoolkit/frida-interception-and-unpinning
