Comments (4)
Thanks for the report! This is really useful info.
I'm not sure how the Vodafone app implements SSL pinning either, any ideas? Happy to help, but I can't seem to find an APK for it on apkpure.com or elsewhere, and I'm not in the UK so it won't seem to let me install it from the play store either.
If you manage to reverse engineer it and share any details that would be very helpful, I'm happy to help write up the JavaScript if you can work out what in the app needs changing. The trick is to find the specific method that is used to check the certificate, and then we can replace that with something that skips the check. For example, if you can follow it back a class like eu.reply.cordless.uk.HttpClient
with a checkCertificates
method, then we can change that method to just return true
every time, and then you're sorted. Does that make sense?
If it's a new addition, that might help here - if you can get the previous & changed APKs then you can compare and contrast different disassembled versions of the code to find where things changed. If you can get the certificate check error message from ADB logs that might also be helpful, because you can hunt through the code for the error message string.
from frida-interception-and-unpinning.
Thanks for the reply. The apk is available on apkmonk.com
I don't know whether it's worth it anymore (for me personally) because I can't get the router co-operating on port 6699 in the versions without certificate pinning. Even though I can get a TLS connection while proxying, the webserver (nginx) on the router refuses to reply to any of the API calls, resulting in 404's and 503's, it's so frustrating because anything that uses port 443 is a breeze. It's the same with the Packet Capture app, if I just capture the traffic without SSL I can see evidence of back and forth communication, as soon as I apply SSL to the relevant ports the router refuses to talk. So right now I feel at a dead end, I'll probably push on though when I get the time because I hate giving up!
from frida-interception-and-unpinning.
Hi, any updates on unpinning the Vodafone app? I am also struggling to bypass their protection.
from frida-interception-and-unpinning.
@maxrull00 can you share more info about the requests that are failing? I've tested and cloud requests do all seem to be interceptable with the latest scripts, so I assume you're talking about local network traffic, but I don't think it's possible to test the local network requests without owning a vodafone router.
If you're interested in reverse engineering this, I've written a guide you can use to dig into this here: https://httptoolkit.com/blog/android-reverse-engineering/
from frida-interception-and-unpinning.
Related Issues (20)
- add
- McDonalds app dosentbypass ssl pinning Android HOT 1
- Kayo Sports - au.com.kayosports.tv HOT 5
- SSL error when trying to bypass Youtube pinning HOT 2
- I have an app that has certificate transparency failed, is there any script that I can use? HOT 1
- SSLPeerUnverifiedException: Certificate transparency failed HOT 1
- issues with unpinning of com.segway.mower and com.hansgrohe.poseidon HOT 5
- Frida: The 'argv' option is not supported when spawnin HOT 1
- Nigloland App: Certificate transparency failed HOT 5
- Hi
- Not Work = Raw Custom-Pinned Resquest HOT 3
- [FIXED] Not working with bereal HOT 3
- [ ] Unrecognized TLS error - this must be patched manually HOT 8
- Fishing Clash app. Some super-duper pinning protection. HOT 2
- Ignorar detectar VPN httptoolkit HOT 5
- Bypass la fijación SSL de IOS 15-16 con httptoolkit + script frida HOT 3
- Error: access violation accessing 0x5d8 HOT 1
- this script fails with com.audioteka but another works HOT 2
- Error with file : android-certificate-unpinning.js HOT 1
- error native-connect-hook.js HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from frida-interception-and-unpinning.