Frida scripts to directly MitM all HTTPS traffic from a target mobile application

Home Page: https://httptoolkit.com/android/

License: GNU Affero General Public License v3.0

JavaScript 100.00%

android frida certificate interception mitm

frida-interception-and-unpinning's Introduction

HTTP Toolkit

HTTP Toolkit is an open-source tool for debugging, testing and building with HTTP(S) on Windows, Linux & Mac.

You can use it to intercept, inspect & rewrite HTTP(S) traffic, from everything to anywhere. Explore Android app traffic, mock requests between your microservices, and x-ray your browser traffic to debug, understand and test anything.

➡️ Find out more and try it out now at httptoolkit.com ⬅️

Want to give feedback, report bugs, or get help? File an issue.

Want to contribute to HTTP Toolkit's development yourself? Dive in.

Features

With HTTP Toolkit, you can:

Instantly intercept browsers, most backend & scripting languages (from Node.js to PHP), Android devices, Electron apps and more with one-click setup.
Collect interesting traffic without intercepting everything on your whole machine, so there's no extra noise and no side-effects - just the traffic you care about.
Inspect the full headers & body for every request & response from every client, to immediately see what's really being sent & received on the wire.
Easily understand collected HTTP traffic, with inline documentation for all standard headers & response statuses, plus body decoding, highlighting, folding, and other niceties, powered by the same internals as Visual Studio Code.
Send HTTP requests, with a fully featured HTTP client to send your own custom requests, or resend (and tweak) requests intercepted from other clients
Quickly find the data you care about, with exchanges highlighted by the type of client and tagged by category (images, JSON responses, errors), and free-text & structured filtering across all request & response data.
Breakpoint live requests or responses, to rewrite HTTP traffic on the fly.
Mock endpoints or servers, with flexible rule configurations to match and handle requests automatically, to send responses, inject failures & timeouts, or transparently redirect requests elsewhere.
Intercept any HTTP traffic: HTTP Toolkit is a transparent HTTP proxy, and can intercept plain HTTP, encrypted HTTPS, WebSockets, HTTP/2, proxy requests, direct requests, manually redirected packets, you name it, all on one port.

➡️ Find out more and try it out now at httptoolkit.com ⬅️

Send your feedback

HTTP Toolkit is driven by its community of users and their feedback. Have some ideas, problems or questions about HTTP Toolkit? Post an issue in this repo. If that's too public, you can also send a message directly.

Would you like to help design the perfect HTTP debugging tool? Take a look through the open issues, and add a 👍 on topics you care about to prioritize them.

Contributing directly

Want to go further, to build & contribute the HTTP Toolkit features & fixes you're looking for yourself? HTTP Toolkit is 100% open source, so you can help shape it directly! All contributors get free HTTP Toolkit Pro (more background on this over here).

That includes code contributions, but documentation improvements, article & blog posts elsewhere about the project, bug & security reports, and anything else that helps drive HTTP Toolkit forwards. The goal is to reward anything that helps drive HTTP Toolkit development or bring it to new people. To claim your Pro account, get in touch once you've made your contribution, with the email you'd like associated with your account. Feel free to get in touch with any other questions about this too.

Where to start

This github organization contains the entire project.

Yes, even the account management servers, even the paid features, everything. All of that is open source, licensed as a mixture of copyleft AGPL (for the HTTP Toolkit-specific components, ensuring all direct derivative projects are open-source too) and permissive Apache-2/MIT licenses (for all the general-purpose reusable libraries).

The main repos you might be interested in are:

HTTP Toolkit Website - the source for the website, including the marketing pages, the blog, and the docs.
HTTP Toolkit UI - the core of the product, a TypeScript + React app that powers most of the functionality you use, except for things that can't be done in a web page (i.e. starting a proxy, and setting up client interception).
HTTP Toolkit Server - the backend of the product, a TypeScript + node.js server that does the things the UI can't do: starting a proxy, and setting up client interception.
Mockttp - the HTTP(S) proxy itself, and all low-level logic around that, as a standalone TypeScript library. Used in HTTP Toolkit for traffic interception, but also usable standalone as a testing tool, or as a programmatically controllable intercepting HTTP(S) proxy.
HTTP Toolkit for Android - the Android app, a native Kotlin + Java app that manages certificate trust & enforces HTTP interception on Android devices.
HTTP Toolkit Desktop - a TypeScript + Electron wrapper, which combines the UI & the server and builds convenient per-platform installers.

Each repo has its own readme explaining how to get set up and outlining how the component works. Check out the issues in this repo for ideas, feel free to ask questions, and dive in!

frida-interception-and-unpinning's People

Contributors

Stargazers

Watchers

Forkers

fulanah-binti-fulanah scriptidiot xcatolin jinmaotowne samruston shashankhacker730 stein-dev kingking888 csyjyy nicolas1312 bbhunter seeflowerx lr-zhao njannasch tr0e cyal1 mohx64 fre3vil unisunis sanarisan licklishh elitezerker jhubbardsf xmysterlousx excitoon-favorites yaelahrip akshitchauhan-max adisubagja devcxm fengjixuchui msute geekplus001 crackercat natpacket gannicusliu ckfridaproject ethicalhcop andreroggeri chouex marwancht 781732825 nguyentruong190 dfc302 dedfft mopi1402 xuejuns saucedbeacon mdsakibanwar danksuperuser edoofx flyxt m0xsec te3 wdnmd-rushb gprime31 tarekrahman3 mukarramkhalid zhang52linux lvan188 rive-n bee3yh4uk gotzillas dch5568 xuhaomin giaphat71 0x021 muhammadraihanfirdaus drunkentortoise douglasrao aarzaary megamannen arunbabucode astronot-sedih chanduittamsetty martin-code202 idone alumonroy ivkeyminds code-football-dog yousefkazemy1 taiji-xo zuiailaoda zackmark29 aayushmanthapamagar 5l1v3r1 kwawannanstaylinked a422015028 iybmad bartosz-kozajda ahmadsuhermansyah cknetcapture manishj1996 joel-egarcia 309746069 mhdmirel shuixi2013 pocdc551 xfrgod l1725821492 jinze0417

frida-interception-and-unpinning's Issues

Game refuses to Connect/Boot after even after SSL Unpinning

While I have followed the guide on SSL unpinning and able to view Twitter's packets, this particular game/app still refuses to connect after the execution of this script or via Objection's unpinning.

The game I am referring to is Fate/Grand Order, here are the links to them on the Play Store:
https://play.google.com/store/apps/details?id=com.aniplex.fategrandorder.en
https://play.google.com/store/apps/details?id=com.aniplex.fategrandorder

The first link is the English version, and the other is the Japanese version. The Japanese version is more ahead in terms of content, and the English version is following its release path in terms of playable content (but there are certain features on the client that are released ahead of its time according to JP's schedule). The behaviour of the 2 Apps differ a little after HTTP Toolkit is connected, the English version gets stuck on "Connecting", while the Japanese version has a pop up saying the game needs updating or something. After running the script

or even running Objection's unpinning

the game would still refuse to connect.

My current guess is that neither this script nor Objection was unable to unpin it. (or it has somehow detected it to be unpinned thus refusing to connect?)
My current device is MuMu, which I'm pretty sure is a slightly modified version of the more popular emulator MEmu with a few extra feature to suit the games I'm playing.
(I have installed the CA cert using https://play.google.com/store/apps/details?id=net.jolivier.cert.Importer (since emulators allow me to toggle root effortlessly).)

I'm not much a of a reverse engineer at all myself, so I'm not sure where else to look for the answers for this issue.
I'm not sure about hooking and finding the function/method that checks Certificates but since this is a unity game, there might be a way to get started if you want to give it a try. There's a program called il2cppDumper using this I have found that you can dump the function names, but when I looked up the word 'certificate' in the dumped file, there's over 1700 results, and I don't have enough experience to identify which are the functions that are related in solving this issue.

To dump and find the functions, simply download il2cppDumper and the game APK.
Open the game APK like an archive and extract the following files:
assets\bin\Data\Managed\Metadata\global-metadata.dat
and either of the following:
lib\armeabi-v7a\libil2cpp.so
lib\arm64-v8a\libil2cpp.so
Now run Il2CppDumper.exe and open the libil2cpp.so first and then global-metadata.dat. Give a few moments, the dump.cs should be generated and may have what you might be looking for...

EDIT: Updated a bit of info.

Handle VPN detection

Sir,
I face VPN detection problem while unpinning in some apps.
In some apps your script works properly and in some it doesn't work at all.
Can u make a script of hide vpn detect

Originally posted by @TechnoIndian in #57 (comment)

Some urls are missing in burpsuite

Maybe it’s not the right place to ask this question. I am trying to intercept an android app(it doesn’t have ssl Pinner). I am able to get all the links while using http tool kit but not when trying with burpsuite. Most of the links are not showing in burp. I am sure that it’s not because of the filtering . Kindly help me with it. What’s the difference between using http toolkit and burp. Both should work the same way isn’t it?

OkHttp3 - java.lang.NullPointerException: interceptor l3.e@b68a57c returned null

Hello, I encountered this issue while playing with a React Native app.

FATAL EXCEPTION: um.z Dispatcher
Process: com.cvent.mobile.eventapp, PID: 29861
java.lang.NullPointerException: interceptor l3.e@b68a57c returned null
	at an.g.b(RealInterceptorChain.kt:291)
	at zm.a.a(ConnectInterceptor.kt:33)
	at an.g.b(RealInterceptorChain.kt:167)
	at xm.a.a(CacheInterceptor.kt:192)
	at an.g.b(RealInterceptorChain.kt:167)
	at an.a.a(BridgeInterceptor.kt:168)
	at an.g.b(RealInterceptorChain.kt:167)
	at an.j.a(RetryAndFollowUpInterceptor.kt:35)
	at an.g.b(RealInterceptorChain.kt:167)
	at zm.e.r(RealCall.kt:114)
	at zm.e$a.run(RealCall.kt:52)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1137)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:637)
	at java.lang.Thread.run(Thread.java:1012)

Command

frida -U -l frida-script.js -f com.cvent.mobile.eventapp

Information about the app
processName: 'com.cvent.mobile.eventapp',
type: React Native (Hermes engine)

Google Play Store Android API 18

this is a long shot, but I figure it cant hurt to post this in case others have mess with it. I am trying to intercept older Google Play Stores, and I can get all the newer versions but got stuck on API 18. I first tried MITM Proxy with a "user certificate", then tried again with a "system certificate":

https://docs.mitmproxy.org/stable/howto-install-system-trusted-ca-android/#instructions-for-api-level--28-using--writable-system-1

and confirmed that the system certificate is installed in the Trusted credentials. However I still am not capturing any requests for some reason. so I had the idea that maybe the older Play Store are using pinning or something. so I tried Frida with the script here, not even using MITM Proxy, just to see what would happen. however Frida will not complete:

> adb shell /data/app/frida-server
CANNOT LINK EXECUTABLE: cannot locate symbol "statvfs" referenced by
"/data/app/frida-server"...

I figure I am using wrong version of Frida server:

https://github.com/frida/frida/releases/download/16.0.0/frida-server-16.0.0-android-x86.xz

but just wanted to see if anyone had messed with this.

com.hulu.plus failure

using this command:

frida -U `
-l config.js `
-l android/android-certificate-unpinning.js `
-f com.hulu.plus

after entering password, if you click LOG IN you get this:

Hmm. Something’s up. Please check your internet settings and try again. If all’s fine on your end, visit our Help Center.

If I disable proxy and try again, it works as expected. I can share account if need be. result:

     ____
    / _  |   Frida 16.1.4 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Spawning `com.hulu.plus`...

*** Starting scripts ***
Spawned `com.hulu.plus`. Resuming main thread!
[Android Emulator 5554::com.hulu.plus ]->
    === Disabling all recognized unpinning libraries ===
[+] javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier
[+] javax.net.ssl.HttpsURLConnection setSSLSocketFactory
[+] javax.net.ssl.HttpsURLConnection setHostnameVerifier
[+] javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
[ ] com.android.org.conscrypt.CertPinManager isChainValid
[+] com.android.org.conscrypt.CertPinManager checkChainPinning
[+] android.security.net.config.NetworkSecurityConfig $init(*) (0)
[+] android.security.net.config.NetworkSecurityConfig $init(*) (1)
[+] com.android.okhttp.Address $init
[ ] okhttp3.CertificatePinner check(String, List)
[ ] okhttp3.CertificatePinner check(String, Certificate)
[ ] okhttp3.CertificatePinner check(String, Certificate;[])
[ ] okhttp3.CertificatePinner check$okhttp
[!] Matched class okhttp3.CertificatePinner but could not patch any methods
[ ] com.squareup.okhttp.CertificatePinner *
[ ] com.datatheorem.android.trustkit.pinning.PinningTrustManager *
[ ] appcelerator.https.PinningTrustManager *
[ ] nl.xservices.plugins.sslCertificateChecker *
[ ] com.worklight.wlclient.api.WLClient *
[ ] com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning *
[ ] com.worklight.androidgap.plugin.WLCertificatePinningPlugin *
[ ] com.commonsware.cwac.netsecurity.conscrypt.CertPinManager *
[ ] io.netty.handler.ssl.util.FingerprintTrustManagerFactory *
[ ] com.silkimen.cordovahttp.CordovaServerTrust *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyHostnameVerifier *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyTrustManager *
== Certificate unpinning completed ==
*** Scripts completed ***

 => android.security.net.config.NetworkSecurityConfig $init(*) (0)
 => com.android.okhttp.Address $init
 => com.android.okhttp.Address $init
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)

syntax error: unexpected 'newline'

Running command returning syntax error.

> adb shell "/data/local/tmp/frida-server &"
/data/local/tmp/frida-server[1]: syntax error: unexpected 'newline'

Failed to spawn: the 'argv' option is not supported when spawning Android apps

Hey team, there seem to be some internal changes when shifting from Frida 15.x to 16.x and now it started throwing error as defined in the title.
Do anyone has any idea how can we resolve the above error?

Snapchat certificate rejected even after following guide

Hello, I followed this guide (https://httptoolkit.com/blog/frida-certificate-pinning/) but was still unable to get the certificate to work. Whenever I opened snapchat I would get the certificate rejected error and Snapchat wouldn't be working properly. Please let me know how I can fix this and maybe try Snapchat yourself if possible. Tried this on arm64 architecture.

Should I combine scripts ?

Hey,
First of all I'm very appreciative for everything you do on HTTP Toolkit it's been a lifesaver, user-friendly and many other qualifier but I don't to make it too much.

I wanted to know, in the context of using Genymotion with HTTP Toolkit and connecting via ADB to it, I want to bypass SSL pinning.

I've tried android-certificate-unpinning.js + config.js, but it seems like it's still blocked for the app I'm trying (Facebook).

My question is a bit more general, I want to know if I should combine scripts ? I read the description where it says you generally use a subset of scripts but I'm unsure if that means only 1 or possibly 2.

And what would be the ones we would usually combine together, thanks !

Exceptions for Blizzard Messenger aren't patched properly

com.blizzard.messenger their chat and authentication app isn't unpinned completely .
The log says:

Unpinning Android app...
[+] SSLPeerUnverifiedException auto-patcher
[+] HttpsURLConnection (setDefaultHostnameVerifier)
[+] HttpsURLConnection (setSSLSocketFactory)
[+] HttpsURLConnection (setHostnameVerifier)
[+] SSLContext
[+] TrustManagerImpl
[+] OkHTTPv3 (list)
[ ] OkHTTPv3 (cert)
[+] OkHTTPv3 (cert array)
[+] OkHTTPv3 ($okhttp)
[ ] Trustkit OkHostnameVerifier(SSLSession)
[ ] Trustkit OkHostnameVerifier(cert)
[ ] Trustkit PinningTrustManager
[ ] Appcelerator PinningTrustManager
[ ] OpenSSLSocketImpl Conscrypt
[ ] OpenSSLEngineSocketImpl Conscrypt
[ ] OpenSSLSocketImpl Apache Harmony
[ ] PhoneGap sslCertificateChecker
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string)
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string array)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (cert)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (string string)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession)
[ ] Conscrypt CertPinManager
[ ] CWAC-Netsecurity CertPinManager
[ ] Worklight Androidgap WLCertificatePinningPlugin
[ ] Netty FingerprintTrustManagerFactory
[ ] Squareup CertificatePinner (cert)
[ ] Squareup CertificatePinner (list)
[ ] Squareup OkHostnameVerifier (cert)
[ ] Squareup OkHostnameVerifier (SSLSession)
[+] Android WebViewClient (SslErrorHandler)
[ ] Android WebViewClient (WebResourceError)
[ ] Apache Cordova WebViewClient
[ ] Boye AbstractVerifier
[ ] Appmattus (CertificateTransparencyInterceptor)
[ ] Appmattus (CertificateTransparencyTrustManager)
Unpinning setup completed
---
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing OkHTTPv3 ($okhttp): account.battle.net
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.internal.connection.RealConnection->connectTls
      Attempting to patch automatically...
      [+] okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing okhttp3.internal.connection.RealConnection->connectTls (automatic exception patch)
Process crashed: kotlin.KotlinNullPointerException

***
FATAL EXCEPTION: OkHttp Dispatcher
Process: com.blizzard.messenger, PID: 23849
kotlin.KotlinNullPointerException
        at okhttp3.internal.connection.RealConnection.isHealthy(RealConnection.kt:635)
        at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:117)
        at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:76)
        at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:245)
        at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
        at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:82)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
        at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
        at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
        at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:197)
        at okhttp3.internal.connection.RealCall$AsyncCall.run(RealCall.kt:502)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
        at java.lang.Thread.run(Thread.java:919)

maybe the okhttp3 auto patch has unwanted side-effects.

Apple TV App unpinning

Any success with the Apple TV app on an Amazon Firetv 4k?

Can't unpin eu.reply.cordless.uk

I'm struggling to find a script that'll unpin the Vodafone Broadband app (eu.reply.cordless.uk) and having read the blog post about Frida's unpinning capabilities I figured I'd see if anyone can help.

This app in question is a companion app for Vodafone's supplied router. The SSL traffic being pinned is local, between the device and router on custom ports, any traffic sent remotely (API calls to the cloud using port 443) is not pinned and can be intercepted without issue. The app uses TCP ports 8888 6698 and 6699 to communicate with the Router.

If the script launches the app with no prior user data (like a fresh install), I'll get the following:

--> Bypassing OpenSSLSocketImpl Conscrypt
--> Bypassing Trustmanager (Android < 7) request
--> Bypassing OpenSSLSocketImpl Conscrypt
--> Bypassing Trustmanager (Android < 7) request
--> Bypassing OpenSSLSocketImpl Conscrypt
--> Bypassing Trustmanager (Android < 7) request
--> Bypassing OpenSSLSocketImpl Conscrypt
--> Bypassing OpenSSLSocketImpl Conscrypt
--> Bypassing OpenSSLSocketImpl Conscrypt
--> Bypassing OpenSSLSocketImpl Conscrypt
--> Bypassing OpenSSLSocketImpl Conscrypt

Thereafter, using the script to relaunch the app I'll just get:

--> Bypassing OpenSSLSocketImpl Conscrypt
--> Bypassing OpenSSLSocketImpl Conscrypt

In all instances certificate pinning is still in place and blocking communication if I'm proxying the traffic. If I refresh the app enough times it'll add another line of '--> Bypassing OpenSSLSocketImpl Conscrypt' which seemingly isn't achieving anything.

Unfortunately I can't read or write javascript so I'm a bit stuck on how I'd resolve this myself. I've dug around in the code using jdax but don't really know what to look for, I have found mentions of certificate pinning. The apk uses BouncyCastle keystores (.bks) to facilitate the certificate pinning (I think) and they're not password protected.

Test environment is a rooted Andriod 7 (Xperia Z5) with the latest Frida releases.

App version is the latest (4.5.2) It's worth noting that certificate pinning is a recent addition in the app (starting in version 4.4.1) but the traffic I want to intercept (and therefore the feature I want to manipulate) is only available after pinning came into force.

com.nike.omega

Tried it on Nike app: com.nike.omega

Frida on terminal returned error below:

Process crashed: java.lang.NullPointerException: interceptor com.nike.mpe.plugin.certtransparency.internal.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor@2c65125 returned null

Just to make sure, I tried it on Twitter and it works.

unity game bypass

im totally rookie about this so it might be a dumb question.

i wanna ask whether i can use this script to bypass ssl pinning when the requests codes are in some .so files.

i heard unity game is written by C# and the engine would complie the source codes into some .so files , like libil2cpp.so libunity.so or something else.

in this case, the main codes of sending requests may not work on Java layer. And to hook the function in so files, Java object might be of no use. NativePointer makes things more complex. i can hardly read the origin doc.

i wanna ask whether there is a better way to do this, or any tutorials .

thanks

net.mullvad.mullvadvpn

using MITM Proxy, I cannot get past the login screen on the Mullvad Android app

I tried Frida with the script here, but the problem remains. I can share account if needed.

com.expressvpn.vpn not bypassed

No luck using the script on the expressvpn app. After running the script, HTTP Toolkit still is unable to view the https traffic.
I tried reverse engineering the app and writing a frida script myself, but with no success. I wasn't able to figure out the functions needed to bypass the SSL verification. I would appreciate any help. Thank you

Fix #6

Change
SSLContext_init.call(this, keyManager, TrustManagers, secureRandom);
to
this.init(keyManager, TrustManagers, secureRandom);

Clearly the method is not static and so it should be called from it's instance, maybe I am missing some inner forbidden knowledge, but this.init is proper way to call instance method

Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)

Came across your article on how to defeat pinning with Frida and I'm trying to work my way through it as I'm a bit of newb, but I'm tryin!

For some context, I'm running Windows 10, an Android Pixel XL emulator, and OWASP ZAP as my proxy. I've installed the OWASP certificate onto the device, and I can now parse HTTPS traffic from the Chrome app. I'm wanting to now intercept traffic via apps!

I'm using the dating app Bumble as my first "target", so I've installed the APK file onto the device (which does NOT have Google Play Store as I've read that's important). I have the Frida server running in one terminal window as root (running frida-server-15.1.22-android-x86 which I don't know for sure if that's the correct server to be running, maybe x86_64 should be run instead? Anyway...)

So I fire up the App, where it just hangs on the main loading screen and I do not see any traffic from it in OWASP (again, even though it IS proxying internet requests fine, so that part IS working):

...and in a separate terminal window, I run the command:

frida --no-pause -U -l ./frida-script.js -f com.bumble.app

...and this is my resulting output (beware, it's long, and the trailing end just infinitely prints until the frida server dies):

frida --no-pause -U -l ./frida-script.js -f com.bumble.app
     ____
    / _  |   Frida 15.1.22 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Spawned `com.bumble.app`. Resuming main thread!
[Android Emulator 5554::com.bumble.app ]-> ---
Unpinning Android app...
[+] SSLPeerUnverifiedException auto-patcher
[+] HttpsURLConnection (setDefaultHostnameVerifier)
[+] HttpsURLConnection (setSSLSocketFactory)
[+] HttpsURLConnection (setHostnameVerifier)
[+] SSLContext
[+] TrustManagerImpl
[ ] OkHTTPv3 (list)
[ ] OkHTTPv3 (cert)
[ ] OkHTTPv3 (cert array)
[ ] OkHTTPv3 ($okhttp)
[ ] Trustkit OkHostnameVerifier(SSLSession)
[ ] Trustkit OkHostnameVerifier(cert)
[ ] Trustkit PinningTrustManager
[ ] Appcelerator PinningTrustManager
[ ] OpenSSLSocketImpl Conscrypt
[ ] OpenSSLEngineSocketImpl Conscrypt
[ ] OpenSSLSocketImpl Apache Harmony
[ ] PhoneGap sslCertificateChecker
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string)
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string array)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (cert)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (string string)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession)
[ ] Conscrypt CertPinManager
[ ] CWAC-Netsecurity CertPinManager
[ ] Worklight Androidgap WLCertificatePinningPlugin
[ ] Netty FingerprintTrustManagerFactory
[ ] Squareup CertificatePinner (cert)
[ ] Squareup CertificatePinner (list)
[ ] Squareup OkHostnameVerifier (cert)
[ ] Squareup OkHostnameVerifier (SSLSession)
[+] Android WebViewClient (SslErrorHandler)
[ ] Android WebViewClient (WebResourceError)
[ ] Apache Cordova WebViewClient
[ ] Boye AbstractVerifier
Unpinning setup completed
---
  --> Bypassing Trustmanager (Android < 7) request
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by android.net.SSLCertificateSocketFactory->verifyHostname
      Attempting to patch automatically...
      [+] android.net.SSLCertificateSocketFactory->verifyHostname (automatic exception patch)
  --> Bypassing TrustManagerImpl checkTrusted
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing android.net.SSLCertificateSocketFactory->verifyHostname (automatic exception patch)
  --> Bypassing TrustManagerImpl checkTrusted
  --> Bypassing TrustManagerImpl checkTrusted
  --> Unexpected SSL verification failure, adding dynamic patch...
  --> Bypassing TrustManagerImpl checkTrusted
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by com.android.okhttp.internal.io.RealConnection->connectTls
      Attempting to patch automatically...
      [+] com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
      Thrown by com.android.okhttp.internal.io.RealConnection->connectTls
  --> Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
  --> Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
  --> Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
  --> Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
  --> Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
  --> Bypassing com.android.okhttp.internal.io.RealConnection->connectTls (automatic exception patch)
...........................

SO, what can a guy try from here? Would be cool to get some insight from the community on this one so I can get started on the app traffic track :P Thanks!!!

Hulu and Prime apps?

I was interested in using this script with the Hulu and Prime apps. It worked fine for the DisneyPlus app, Netflix and several others, but Hulu and Amazon seem to have unorthodox/custom pinning approaches.

See this video for a sample of Hulu startup behavior: https://www.youtube.com/watch?v=ABMddrT04_E

I also tried all the current ssl unpinning scripts available on codeshare and none of them had any effect. I've also tried a bit with some objection ssl unpinning options but same result. Tried hooking with some other techniques but didn't get anywhere: https://pastebin.com/Tp28KYtk

Would appreciate any insights.

Unable to solve recaptcha

Unable to solve google recaptcha(In app) while connected to the burpsuite. I used Frida with the ssl unpinning script. The error I got is unexpected ssl verification failed at "com.android.org.conscrypt.ActiveSession->checkPeerCertificatesPresent"

Device : Google Pixel 3XL (Android V9.0)

com.segway.mower Failed to automatically patch failure

https://play.google.com/store/apps/details?id=com.segway.mower

 --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure

How to automatically unpin every application ?

This solution is nice as it avoids the trouble of repacking and patching apps statically and some of the integrity checks they do.
Can we patch the known checks automatically on startup of the app somehow? It is a bit complicated to start apps manually with frida that interact with each other like apps that use the google play store&services to check licenses.
Same is true for automatically started OS components and oem bloatware apps.
There used to be Magisk Modules but they are outdated and not maintained at the moment.

[app.dogorama] Process crashed: java.lang.UnsatisfiedLinkError: couldn't find DSO to load: libhermes.so

Hi, I was trying to unpin SSL from the Dogorama app but that didn't work:

$ frida --no-pause -U -l ../../Downloads/frida-script.js -f app.dogorama
     ____
    / _  |   Frida 15.2.2 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Spawned `app.dogorama`. Resuming main thread!                           
[Android Emulator 5554::app.dogorama ]-> ---
Unpinning Android app...
[+] SSLPeerUnverifiedException auto-patcher
[+] HttpsURLConnection (setDefaultHostnameVerifier)
[+] HttpsURLConnection (setSSLSocketFactory)
[+] HttpsURLConnection (setHostnameVerifier)
[+] SSLContext
[+] TrustManagerImpl
[+] OkHTTPv3 (list)
[ ] OkHTTPv3 (cert)
[+] OkHTTPv3 (cert array)
[+] OkHTTPv3 ($okhttp)
[ ] Trustkit OkHostnameVerifier(SSLSession)
[ ] Trustkit OkHostnameVerifier(cert)
[ ] Trustkit PinningTrustManager
[ ] Appcelerator PinningTrustManager
[ ] OpenSSLSocketImpl Conscrypt
[ ] OpenSSLEngineSocketImpl Conscrypt
[ ] OpenSSLSocketImpl Apache Harmony
[ ] PhoneGap sslCertificateChecker
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string)
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string array)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (cert)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (string string)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession)
[ ] Conscrypt CertPinManager
[ ] CWAC-Netsecurity CertPinManager
[ ] Worklight Androidgap WLCertificatePinningPlugin
[ ] Netty FingerprintTrustManagerFactory
[ ] Squareup CertificatePinner (cert)
[+] Squareup CertificatePinner (list)
[+] Squareup OkHostnameVerifier (cert)
[+] Squareup OkHostnameVerifier (SSLSession)
[+] Android WebViewClient (SslErrorHandler)
[ ] Android WebViewClient (WebResourceError)
[ ] Apache Cordova WebViewClient
[ ] Boye AbstractVerifier
[ ] Appmattus (Transparency)
Unpinning setup completed
---
Process crashed: java.lang.UnsatisfiedLinkError: couldn't find DSO to load: libhermes.so

***
FATAL EXCEPTION: create_react_context
Process: app.dogorama, PID: 5240
java.lang.UnsatisfiedLinkError: couldn't find DSO to load: libhermes.so
	SoSource 0: com.facebook.soloader.ApkSoSource[root = /data/data/app.dogorama/lib-main flags = 1]
	SoSource 1: com.facebook.soloader.DirectorySoSource[root = /data/app/~~Js_W8z118rVG9AxCVcowrQ==/app.dogorama-C0q6l1U3SOxP2VO_M3NyhQ==/lib/x86_64 flags = 0]
	SoSource 2: com.facebook.soloader.DirectorySoSource[root = /vendor/lib64 flags = 2]
	SoSource 3: com.facebook.soloader.DirectorySoSource[root = /system/lib64 flags = 2]
	Native lib dir: /data/app/~~Js_W8z118rVG9AxCVcowrQ==/app.dogorama-C0q6l1U3SOxP2VO_M3NyhQ==/lib/x86_64
 result: 0
	at com.facebook.soloader.SoLoader.doLoadLibraryBySoName(SoLoader.java:918)
	at com.facebook.soloader.SoLoader.loadLibraryBySoNameImpl(SoLoader.java:740)
	at com.facebook.soloader.SoLoader.loadLibraryBySoName(SoLoader.java:654)
	at com.facebook.soloader.SoLoader.loadLibrary(SoLoader.java:634)
	at com.facebook.soloader.SoLoader.loadLibrary(SoLoader.java:582)
	at com.facebook.hermes.reactexecutor.HermesExecutor.<clinit>(HermesExecutor.java:20)
	at com.facebook.hermes.reactexecutor.HermesExecutorFactory.create(HermesExecutorFactory.java:29)
	at com.facebook.react.ReactInstanceManager$5.run(ReactInstanceManager.java:1054)
	at java.lang.Thread.run(Thread.java:920)
***
[Android Emulator 5554::app.dogorama ]->

Thank you for using Frida!

Device: Android Emulator, API 31, Android 12, x86_64

new setup is complicated

the new setup seems to be really complicated, which I don't like. I guess if the end result is better unpinning that is good, but I think it would help explain the extra complexity. for example:

why is config.js even needed? the previous script did not need to know this information. Note I am using Android Studio with MITM Proxy and not HTTP Toolkit, not sure if that makes a difference.
why are we ALSO needing to supply an ADDITIONAL 5 scripts on top of config.js? I think it would be helpful to explain what people are getting using all 6 scripts versus just one or two.
what is the absolute minimum needed to have some form of unpinning support? just config.js and one other JS file? if so which one?

Http toolkit Apk for android

Sir, can you make an app to capture http traffic for android also?

Youtube for Android TV can't be intercepted

output.txt

Roli: pins must start with 'sha256/'

when working on https://play.google.com/store/apps/details?id=com.telkomsel.roli the OKHttp Exception occurs.

Unpinning Android app...
[+] SSLPeerUnverifiedException auto-patcher
[+] HttpsURLConnection (setDefaultHostnameVerifier)
[+] HttpsURLConnection (setSSLSocketFactory)
[+] HttpsURLConnection (setHostnameVerifier)
[+] SSLContext
[+] TrustManagerImpl
[ ] OkHTTPv3 (list)
[ ] OkHTTPv3 (cert)
[ ] OkHTTPv3 (cert array)
[ ] OkHTTPv3 ($okhttp)
[ ] Trustkit OkHostnameVerifier(SSLSession)
[ ] Trustkit OkHostnameVerifier(cert)
[ ] Trustkit PinningTrustManager
[ ] Appcelerator PinningTrustManager
[ ] OpenSSLSocketImpl Conscrypt
[ ] OpenSSLEngineSocketImpl Conscrypt
[ ] OpenSSLSocketImpl Apache Harmony
[ ] PhoneGap sslCertificateChecker
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string)
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string array)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (cert)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (string string)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession)
[ ] Conscrypt CertPinManager
[ ] CWAC-Netsecurity CertPinManager
[ ] Worklight Androidgap WLCertificatePinningPlugin
[ ] Netty FingerprintTrustManagerFactory
[ ] Squareup CertificatePinner (cert)
[ ] Squareup CertificatePinner (list)
[ ] Squareup OkHostnameVerifier (cert)
[ ] Squareup OkHostnameVerifier (SSLSession)
[+] Android WebViewClient (SslErrorHandler)
[ ] Android WebViewClient (WebResourceError)
[ ] Apache Cordova WebViewClient
[ ] Boye AbstractVerifier
[ ] Appmattus (CertificateTransparencyInterceptor)
[ ] Appmattus (CertificateTransparencyTrustManager)
Unpinning setup completed
---
  --> Bypassing HttpsURLConnection (setDefaultHostnameVerifier)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing TrustManagerImpl checkTrusted
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing TrustManagerImpl checkTrusted
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->c
      Attempting to patch automatically...
      [+] okhttp3.CertificatePinner->c (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
Process crashed: java.lang.IllegalArgumentException: pins must start with 'sha256/' or 'sha1/': Pinned certificates for roli.telkomsel.com

The code for that is in https://github.com/square/okhttp/blob/d54ef742fc43e8917edc233760c20fbbdda8ee52/okhttp/src/jvmMain/kotlin/okhttp3/CertificatePinner.kt#L272

Error: Address(): argument types do not match

using this command:

> frida -U `
-f com.nbcuni.nbc `
-l android/android-certificate-unpinning.js `
-l config.js

I get this:

     ____
    / _  |   Frida 16.1.4 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Spawning `com.nbcuni.nbc`...

Spawned `com.nbcuni.nbc`. Resuming main thread!
[Android Emulator 5554::com.nbcuni.nbc ]-> == Certificate unpinning completed ==
Error: Address(): argument types do not match any of:
        .overload('java.lang.String', 'int', 'javax.net.SocketFactory', 'javax.net.ssl.SSLSocketFactory', 'javax.net.ssl.HostnameVerifier', 'com.android.okhttp.CertificatePinner', 'com.android.okhttp.Authenticator', 'java.net.Proxy', 'java.util.List', 'java.util.List', 'java.net.ProxySelector')
    at X (frida/node_modules/frida-java-bridge/lib/class-factory.js:569)
    at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:973)
    at e (frida/node_modules/frida-java-bridge/lib/class-factory.js:553)
    at <anonymous> (D:\Desktop\frida-interception-and-unpinning-main\android\android-certificate-unpinning.js:170)
    at apply (native)
    at ne (frida/node_modules/frida-java-bridge/lib/class-factory.js:620)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/class-factory.js:598)

Unity based applications pinning bypass?

Hello,

I have been looking forward for the frida script to bypass unity based applications ssl pinning which are using below code.

https://docs.unity3d.com/ScriptReference/Networking.CertificateHandler.ValidateCertificate.html

Any help?

Cert rejected in-app with Roblox

After using this great tutorial, I can confirm twitter's certificate un-pinning and can see traffic from twitter. Unfortunately, when I try to do the same with Roblox, I still can't get passed their cert pining. In my mitmdump I see: "Client TLS handshake failed. The client does not trust the proxy's certificate for *.roblox.com"

And in app, I see the roblox alert "Connection error. Unable to contact server."

I am using mitmproxy and http toolkit 'connect through adb'. The phone is rooted and I have su access. HTTPtoolkit gives all green checkmarks.

I love all these tools and use the cert pinning for other apps, but Roblox is awfully stubborn! fwiw, when I do a tcpdump of playing Roblox on macos (instead of on android) I see the RakNet protocol for all the Roblox traffic (encrypted).

Thanks for all wisdom! And thanks for all the great docs and open source code in the past!

How to put pem code in config.js

sir,
how many times pem code has to be put in config.js, it is given twice.

Cannot unpin com.namcobandaigames.spmoja010E

It prints out

--> Bypassing OpenSSLSocketImpl Conscrypt
 --> Bypassing OpenSSLSocketImpl Conscrypt
 --> Bypassing OpenSSLSocketImpl Conscrypt
 --> Bypassing OpenSSLSocketImpl Conscrypt

, but still fails to unpin it as seen in the photo

Help with unpinning app

Hi! Unpinning works, but the problem that app totally unusable. I'm able to see requests, but look like on receive data app fail to verify something. I will be appreciated for any direction how to resolve this.

Connection terminated

Hello!

Im currently trying to SSL pin the app called "Zalando" - Whenever I do run

frida --no-pause -U -l intercepter.js -f "de.zalando.mobile"

it seems like the app crashes and here is the logs:

frida --no-pause -U -l intercepter.js -f "de.zalando.mobile"
     ____
    / _  |   Frida 15.1.3 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
Spawning `de.zalando.mobile`...
Unpinning setup cmopleted
---
Spawned `de.zalando.mobile`. Resuming main thread!
[SM G965N::de.zalando.mobile]-> ---
Unpinning Android app...
[+] HttpsURLConnection (setDefaultHostnameVerifier)
[+] HttpsURLConnection (setSSLSocketFactory)
[+] HttpsURLConnection (setHostnameVerifier)
[+] SSLContext
[+] TrustManagerImpl
[+] OkHTTPv3 (list)
[ ] OkHTTPv3 (cert)
[+] OkHTTPv3 (cert array)
[+] OkHTTPv3 ($okhttp)
[ ] Trustkit OkHostnameVerifier(SSLSession)
[ ] Trustkit OkHostnameVerifier(cert)
[ ] Trustkit PinningTrustManager
[ ] Appcelerator PinningTrustManager
[+] OpenSSLSocketImpl Conscrypt
[ ] OpenSSLEngineSocketImpl Conscrypt
[ ] OpenSSLSocketImpl Apache Harmony
[ ] PhoneGap sslCertificateChecker
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string)
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string array)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (cert)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (string string)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession)
[+] Conscrypt CertPinManager
[ ] CWAC-Netsecurity CertPinManager
[ ] Worklight Androidgap WLCertificatePinningPlugin
[ ] Netty FingerprintTrustManagerFactory
[ ] Squareup CertificatePinner (cert)
[ ] Squareup CertificatePinner (list)
[ ] Squareup OkHostnameVerifier (cert)
[ ] Squareup OkHostnameVerifier (SSLSession)
[+] Android WebViewClient (SslErrorHandler)
[ ] Android WebViewClient (WebResourceError)
[ ] Apache Cordova WebViewClient
[ ] Boye AbstractVerifier
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing OpenSSLSocketImpl Conscrypt
  --> Bypassing OkHTTPv3 ($okhttp): www.zalando.de
  --> Bypassing OpenSSLSocketImpl Conscrypt
  --> Bypassing OkHTTPv3 ($okhttp): www.zalando.se
  --> Bypassing TrustManagerImpl checkTrusted
Connection terminated
[SM G965N::de.zalando.mobile]->

Thank you for using Frida!```

Is there anything I can add on please let me know :)

com.nbcuni.nbc: failure with fallback script

using this command:

frida -U `
-l config.js `
-l android/android-certificate-unpinning.js `
-l android/android-certificate-unpinning-fallback.js `
-f com.nbcuni.nbc

with Android 7, I get this result:

     ____
    / _  |   Frida 16.1.4 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Spawning `com.nbcuni.nbc`...

*** Starting scripts ***
Spawned `com.nbcuni.nbc`. Resuming main thread!
[Android Emulator 5554::com.nbcuni.nbc ]->
    === Disabling all recognized unpinning libraries ===
[+] javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier
[+] javax.net.ssl.HttpsURLConnection setSSLSocketFactory
[+] javax.net.ssl.HttpsURLConnection setHostnameVerifier
[+] javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
[+] com.android.org.conscrypt.CertPinManager isChainValid
[ ] com.android.org.conscrypt.CertPinManager checkChainPinning
[+] android.security.net.config.NetworkSecurityConfig $init(*) (0)
[+] android.security.net.config.NetworkSecurityConfig $init(*) (1)
[ ] com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[+] com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] okhttp3.CertificatePinner *
[ ] com.squareup.okhttp.CertificatePinner *
[ ] com.datatheorem.android.trustkit.pinning.PinningTrustManager *
[ ] appcelerator.https.PinningTrustManager *
[ ] nl.xservices.plugins.sslCertificateChecker *
[ ] com.worklight.wlclient.api.WLClient *
[ ] com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning *
[ ] com.worklight.androidgap.plugin.WLCertificatePinningPlugin *
[ ] com.commonsware.cwac.netsecurity.conscrypt.CertPinManager *
[ ] io.netty.handler.ssl.util.FingerprintTrustManagerFactory *
[ ] com.silkimen.cordovahttp.CordovaServerTrust *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyHostnameVerifier *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyTrustManager *
== Certificate unpinning completed ==
[+] TLS error auto-patcher
*** Scripts completed ***

 => android.security.net.config.NetworkSecurityConfig $init(*) (1)
 => android.security.net.config.NetworkSecurityConfig $init(*) (0)
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)

 !!! --- Unexpected TLS failure --- !!!

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function

 !!! --- Unexpected TLS failure --- !!!

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => com.android.org.conscrypt.CertPinManager isChainValid

 !!! --- Unexpected TLS failure --- !!!
      Thrown by java.security.cert.CertificateParsingException-><init>
      [ ] Failed to automatically patch failure
TypeError: cannot read property 'overloads' of undefined

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function

 !!! --- Unexpected TLS failure --- !!!
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => com.android.org.conscrypt.CertPinManager isChainValid

 !!! --- Unexpected TLS failure --- !!!
      Thrown by java.security.cert.CertificateParsingException-><init>
      [ ] Failed to automatically patch failure
TypeError: cannot read property 'overloads' of undefined

 !!! --- Unexpected TLS failure --- !!!
 => com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Failed to automatically patch failure
TypeError: not a function

 !!! --- Unexpected TLS failure --- !!!
      Thrown by okhttp3.internal.platform.android.d->a
      [ ] Unrecognized TLS error - this must be patched manually

Failed on Line messaging app

Tried intercepting requests with Http Toolkit as well. Responses kept being aborted and after running the script the same thing continued to happen. Only that now the entire data traffic was blocked: all incoming and outgoing messages wouldn't be sent/received on the device.

Additional info: I used a rooted Samsung Galaxy S10 with Android 12.

OkHostnameVerifier

a missing case for ssl pinning that could help other :

Java.perform(function () {
  var OkHostnameVerifier = Java.use('com.android.okhttp.internal.tls.OkHostnameVerifier');

  // Hook de la méthode verify
  OkHostnameVerifier.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function (hostname, session) {
      // Affichez les paramètres en rouge dans la console
      console.log("\x1b[31m[Hooked OkHostnameVerifier.verify]");
      console.log("\x1b[31mHostname: \x1b[0m" + hostname);
      console.log("\x1b[31mSSLSession: \x1b[0m" + session);
      var result = this.verify(hostname, session);
      console.log("\x1b[31mResult: \x1b[0m" + result);
      return true;
  };
});

Hope that can help other. BTW, thanks for your amazing work.

Error: getPackageInfoNoCheck(): has more than one overload, use .overload(<signature>) to choose from:

ı got this error. is there any way to handle it
Error: getPackageInfoNoCheck(): has more than one overload, use .overload() to choose from:
.overload('android.content.pm.ApplicationInfo', 'android.content.res.CompatibilityInfo')
.overload('android.content.pm.ApplicationInfo', 'android.content.res.CompatibilityInfo', 'boolean')
at X (frida/node_modules/frida-java-bridge/lib/class-factory.js:569)
at K (frida/node_modules/frida-java-bridge/lib/class-factory.js:564)
at set (frida/node_modules/frida-java-bridge/lib/class-factory.js:932)
at (frida/node_modules/frida-java-bridge/index.js:224)
at (frida/node_modules/frida-java-bridge/lib/vm.js:12)
at _performPendingVmOpsWhenReady (frida/node_modules/frida-java-bridge/index.js:244)
at perform (frida/node_modules/frida-java-bridge/index.js:204)
at (/frida/repl-2.js:520)
at apply (native)
at (frida/runtime/core.js:51)

Issue when script reloaded

Hi! I'm trying to bypass SSL pinning and it doesn't working. But when I "live reload" script i can see this error

`
Error: Cast from 'com.google.android.gms.org.conscrypt.OpenSSLX509Certificate' to 'javax.net.ssl.KeyManager' isn't possible
at cast (frida/node_modules/frida-java-bridge/lib/class-factory.js:131)
at fromJni (/_java.js)
at fromJni (frida/node_modules/frida-java-bridge/lib/types.js:247)
at ne (frida/node_modules/frida-java-bridge/lib/class-factory.js:610)
at (frida/node_modules/frida-java-bridge/lib/class-factory.js:592)

Ssl unpinning

Hello i hope you fine
There is three or four apps i tried to unpinning ssl using frida server with too many scripts but nothing worked i tried the codes in frida code share and in too many sites but no one worked
So are you still available to send this apps for you to make a script for them ?
And thanks in advance

UbiConnect: exception thrown and the app hangs

The automatic exception patcher seems to fail for the UbiConnect Android app (com.ubisoft.uplay)

Unpinning Android app...
[+] SSLPeerUnverifiedException auto-patcher
[+] HttpsURLConnection (setDefaultHostnameVerifier)
[+] HttpsURLConnection (setSSLSocketFactory)
[+] HttpsURLConnection (setHostnameVerifier)
[+] SSLContext
[+] TrustManagerImpl
[+] OkHTTPv3 (list)
[ ] OkHTTPv3 (cert)
[+] OkHTTPv3 (cert array)
[+] OkHTTPv3 ($okhttp)
[ ] Trustkit OkHostnameVerifier(SSLSession)
[ ] Trustkit OkHostnameVerifier(cert)
[ ] Trustkit PinningTrustManager
[ ] Appcelerator PinningTrustManager
[ ] OpenSSLSocketImpl Conscrypt
[ ] OpenSSLEngineSocketImpl Conscrypt
[ ] OpenSSLSocketImpl Apache Harmony
[ ] PhoneGap sslCertificateChecker
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string)
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string array)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (cert)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (string string)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession)
[ ] Conscrypt CertPinManager
[ ] CWAC-Netsecurity CertPinManager
[ ] Worklight Androidgap WLCertificatePinningPlugin
[ ] Netty FingerprintTrustManagerFactory
[ ] Squareup CertificatePinner (cert)
[ ] Squareup CertificatePinner (list)
[ ] Squareup OkHostnameVerifier (cert)
[ ] Squareup OkHostnameVerifier (SSLSession)
[+] Android WebViewClient (SslErrorHandler)
[ ] Android WebViewClient (WebResourceError)
[ ] Apache Cordova WebViewClient
[ ] Boye AbstractVerifier
[ ] Appmattus (CertificateTransparencyInterceptor)
[ ] Appmattus (CertificateTransparencyTrustManager)
Unpinning setup completed
---
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing OkHTTPv3 ($okhttp): public-ubiservices.ubi.com
  --> Bypassing OkHTTPv3 ($okhttp): public-ubiservices.ubi.com
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.internal.tls.BasicCertificateChainCleaner->clean
      Attempting to patch automatically...
      [+] okhttp3.internal.tls.BasicCertificateChainCleaner->clean (automatic exception patch)

after this the app is just loading forever and frozen.

FATAL EXCEPTION: OkHttp Dispatcher

Process crashed: java.lang.NullPointerException: interceptor se0.e@1c6a394 returned null

FATAL EXCEPTION: OkHttp Dispatcher
Process: cn.adidas.app, PID: 1455

Zello App

The ssl-unpinning doesn't work.

Thank you.

Error: VM::AttachCurrentThread failed: -1

Hi,
When I try to use frida-script.js I get an error:

frida --no-pause -U -l ./frida-script.js -f tech.httptoolkit.pinning_demo
     ____
    / _  |   Frida 15.1.14 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
Spawned `tech.httptoolkit.pinning_demo`. Resuming main thread!
Error: VM::AttachCurrentThread failed: -1
    at o (frida/node_modules/frida-java-bridge/lib/result.js:4)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:25)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:14)
    at Xe (frida/node_modules/frida-java-bridge/lib/android.js:500)
    at Ie (frida/node_modules/frida-java-bridge/lib/android.js:196)
    at Ce (frida/node_modules/frida-java-bridge/lib/android.js:16)
    at _tryInitialize (frida/node_modules/frida-java-bridge/index.js:17)
    at y (frida/node_modules/frida-java-bridge/index.js:9)
    at <anonymous> (frida/node_modules/frida-java-bridge/index.js:320)
    at call (native)
    at o (/_java.js)
    at <anonymous> (/_java.js)
    at <anonymous> (frida/runtime/java.js:1)
    at call (native)
    at o (/_java.js)
    at r (/_java.js)
    at <eval> (frida/runtime/java.js:3)
    at _loadJava (native)
    at get (frida/runtime/core.js:125)
    at <anonymous> (/frida-script.js:510)
    at apply (native)
    at <anonymous> (frida/runtime/core.js:45)

It doesn't matter which app I use (com.twitter.android, tech.httptoolkit.pinning_demo, etc) the result is always the same.

Android 11, Samsung SM G998B (s21 Ultra) rooted.
Frida is installed on Windows 11 / Python3.7

Any idea how to fix this?
Thank you.

SSL Unpinning failed for Whatsapp, Snapchat & McDonald's

Hey I tried out your SSL unpinning script on some apps and it didnt work for most of them (Whatsapp, Snapchat, McDonald's App). Is that fixable or is it because of some different issue? Would be nice if we could have a talk, Discord: RequestFX#1541

SSL unpinning not working on Instagram app

com.instagram.android

Certificate unpinning not working for this app

Link to app (playstore)
Even after running the script the process crashes after submission of OTP with this message on console.
Process crashed: Bad access due to protection failure.
Help if anybody can figure out reason or successfully log https requests after the OTP submission phase.
Are they using custom certificate pinning method?

Screenshots of log -

help ssl unpinning not working

Error: VM::AttachCurrentThread failed: -1

For some reason I get this error for every app I try the script on. The app launches and this is the error it gives. My devices is running on Android 11

Error: VM::AttachCurrentThread failed: -1
    at o (frida/node_modules/frida-java-bridge/lib/result.js:4)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:25)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:14)
    at Xe (frida/node_modules/frida-java-bridge/lib/android.js:499)
    at Ie (frida/node_modules/frida-java-bridge/lib/android.js:195)
    at Ce (frida/node_modules/frida-java-bridge/lib/android.js:16)
    at _tryInitialize (frida/node_modules/frida-java-bridge/index.js:17)
    at g (frida/node_modules/frida-java-bridge/index.js:9)
    at <anonymous> (frida/node_modules/frida-java-bridge/index.js:317)
    at call (native)
    at o (/_java.js)
    at <anonymous> (/_java.js)
    at <anonymous> (frida/runtime/java.js:1)
    at call (native)
    at o (/_java.js)
    at r (/_java.js)
    at <eval> (frida/runtime/java.js:3)
    at _loadJava (native)
    at get (frida/runtime/core.js:114)
    at <anonymous> (/frida-script.js:448)
    at apply (native)
    at <anonymous> (frida/runtime/core.js:45)

httptoolkit / frida-interception-and-unpinning Goto Github PK

frida-interception-and-unpinning's Introduction

HTTP Toolkit

Features

Send your feedback

Contributing directly

Where to start

frida-interception-and-unpinning's People

Contributors

Stargazers

Watchers

Forkers

frida-interception-and-unpinning's Issues

Recommend Projects

Recommend Topics

Recommend Org