Eltion / Instagram-SSL-Pinning-Bypass

Bypass Instagram SSL pinning on Android devices.
GNU General Public License v3.0

[BUG] Disable HTTP/3 #19

Open jacopo-degattis opened 1 year ago

jacopo-degattis commented 1 year ago

Describe the bug
When I first used this guide to bypass Android SSL pinning, I was able to see all the requests that the Instagram client was making, such as photos, API requests or simply profile information fetching. Right now, after some time, I came back to the Instagram SSL pinning bypass and all I can see are the requests you can see in the image below. (screenshot: Screenshot 2022-10-30 at 18 50 40)

Method
I'm using Frida for bypassing the SSL pinning.

App info

Device info

Proxy tool: mitmproxy v8.1.1

Logs: I'm using the Frida tool for logging.

Thanks so much in advance !!!

tulir commented 1 year ago

I think Instagram may have enabled HTTP/3 recently, which is UDP and bypasses usual proxy configurations. There's an issue for mitmproxy at https://github.com/mitmproxy/mitmproxy/issues/4170, and I'd guess the Android emulator's proxy configuration also doesn't affect HTTP/3 at all.

As a quick workaround, I blocked all UDP traffic on my machine except port 53 (DNS) using iptables:

sudo iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -p udp -j DROP

(if you have IPv6, repeat those with ip6tables)

After that, all requests are visible in mitmproxy.

@Eltion perhaps it would be possible to patch the app to not use HTTP/3?

Eltion commented 1 year ago

@tulir You're right about this. It seems like after login and reopening the app, Instagram is using HTTP/3. Thanks for reporting it.

I've been trying to force HTTP/2. I had some success with it, but the script is not as robust as it was before, so I need to work a bit more on it. I just created a new branch for it here: disable-http3.

https://github.com/Eltion/Instagram-SSL-Pinning-Bypass/compare/main...disable-http3

Like this it will work for the current version (260.0.0.23.115), but it will break with each release, so I need to find a better way to do it.

Eltion commented 1 year ago

Seems like there is a configuration file located at /data/data/com.instagram.android/mobileconfig/<sessionId>.data/0.mctable which can be used to configure whether the app will use HTTP/3. This file is created after login, after the app sends a request to https://b.i.instagram.com/api/v1/launcher/mobileconfig/. Unfortunately, it's not clear which parameter is for HTTP/3 😥.

Seems like deleting the file disables HTTP/3 so I'll do that until I figure out a better solution.

https://github.com/Eltion/Instagram-SSL-Pinning-Bypass/commit/0da439ce0d161e0f48e46d016b9c9b25408ba2f0
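The "delete the table" workaround from the comment above, written out as an added example (this is not the project's own script or the code in the linked commit). It assumes a rooted emulator where the script can be run as root via adb, that the file layout is exactly the one quoted above, and, since the sessionId directory name is not known in advance, that every *.data directory under mobileconfig should be treated the same way. The MCTABLE_ROOT variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example: wipe Instagram's server-pushed mobileconfig tables so the
# next launch starts without the setting that enabled HTTP/3.
# Run on the device as root, e.g. from the host:
#   adb push mctable_reset.sh /data/local/tmp/ && \
#   adb shell su -c 'sh /data/local/tmp/mctable_reset.sh'
set -eu

# Path quoted in the thread; overridable for testing on a non-Android host.
MCTABLE_ROOT=${MCTABLE_ROOT:-/data/data/com.instagram.android/mobileconfig}

# Delete every <root>/<sessionId>.data/0.mctable and print how many were removed.
# Returns 0 (and prints 0) when the directory or the files do not exist, so it
# is safe to run before the first login as well.
mctable_delete() {
  root=${1:-$MCTABLE_ROOT}
  n=0
  for f in "$root"/*.data/0.mctable; do
    # With no match the glob stays literal, so the -f test filters it out.
    if [ -f "$f" ]; then
      rm -f -- "$f"
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Stop the app first so the running process cannot rewrite the table between
# the delete and the next launch. `am` only exists on Android; elsewhere the
# stop is skipped and only the delete runs.
mctable_reset() {
  if command -v am >/dev/null 2>&1; then
    am force-stop com.instagram.android
  fi
  mctable_delete "${1:-$MCTABLE_ROOT}"
}

# Only act when invoked with the "reset" argument, so sourcing the file is harmless.
case "${1:-}" in
  reset) mctable_reset "${2:-$MCTABLE_ROOT}" ;;
esac
```

Because the table is written only after the launcher/mobileconfig request, the delete has to happen after login and before the next cold start; running `mctable_reset` each time you restart the app keeps that ordering. Note that, as the later comment in this thread observes, dropping the whole config can change other app behaviour too.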

ChrisVinall commented 1 year ago

I am still getting the same issue as #27 (HTTPS capturing works on first app run, not on subsequent runs) but no mobileconfig directory even exists in the specified location. Any idea what is going on here? I'm running instagram-v265.0.0.19.301-x86.apk. Thanks!

Eltion commented 1 year ago

@ChrisVinall, can you test using the latest version?

https://github.com/Eltion/Instagram-SSL-Pinning-Bypass/releases/download/v275.0.0.27.98/instagram-v275.0.0.27.98-x86.apk

ChrisVinall commented 1 year ago

Ah, my bad, that works. Not sure how I was running such an old version, I thought I was up to date.

The nuking of the whole config is causing another issue for me related to app behaviour, but I'll try to figure it out.

polatdev commented 1 year ago

This problem still persists.

Anilmemis commented 1 year ago

When will you share the SSL pinning bypass for version 284?

3052 commented 2 weeks ago

The above iptables commands are a good option. I also found you should be able to just block outbound UDP port 443; if you do this, some apps will default back to HTTP/2.
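The two host-side firewall workarounds in this thread (tulir's "drop all UDP except DNS" and 3052's "drop only outbound UDP/443") as one added example script; this is not code from the project or from either commenter. It assumes a Linux host whose OUTPUT chain sees the emulator's traffic (true for the default user-mode emulator networking, where the emulator process opens host sockets), and that `sudo` can run iptables/ip6tables. The function names, the `add`/`del` interface and the QUIC_APPLY variable are this example's own; without `QUIC_APPLY=1` it only prints what it would run.

```shell
#!/bin/sh
# Added example: block QUIC (HTTP/3 over UDP) on the host so the app falls
# back to HTTP/2, which the mitmproxy setup can intercept.
#   mode "all": drop every outbound UDP except DNS (tulir's workaround)
#   mode "443": drop only outbound UDP/443 (3052's narrower variant)
# Usage: quic_block.sh add|del [all|443]    (QUIC_APPLY=1 to really run it)
set -eu

# Emit the rule commands, one per line, for a family binary, action and mode.
# $1 = iptables|ip6tables, $2 = -A|-D, $3 = all|443
quic_rules() {
  bin=$1; act=$2; mode=$3
  case "$mode" in
    all)
      # DNS must be accepted before the catch-all drop, so order matters for -A.
      printf '%s %s OUTPUT -p udp --dport 53 -j ACCEPT\n' "$bin" "$act"
      printf '%s %s OUTPUT -p udp -j DROP\n' "$bin" "$act"
      ;;
    443)
      printf '%s %s OUTPUT -p udp --dport 443 -j DROP\n' "$bin" "$act"
      ;;
    *)
      echo "unknown mode: $mode (expected all or 443)" >&2
      return 2
      ;;
  esac
}

# Run (or print) each rule for both IPv4 and IPv6, as the thread recommends.
# For -A, `iptables -C` (exit 0 when an identical rule exists) is checked first
# so repeated runs do not stack duplicate rules.
quic_apply() {
  act=$1; mode=$2
  for bin in iptables ip6tables; do
    quic_rules "$bin" "$act" "$mode" | while IFS= read -r rule; do
      if [ "${QUIC_APPLY:-0}" = 1 ]; then
        if [ "$act" = -A ]; then
          check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
          # shellcheck disable=SC2086
          sudo $check 2>/dev/null && continue
        fi
        # shellcheck disable=SC2086
        sudo $rule
      else
        echo "would run: $rule"
      fi
    done
  done
}

# Dispatch only when called with an argument, so sourcing the file is harmless.
case "${1:-}" in
  add) quic_apply -A "${2:-all}" ;;
  del) quic_apply -D "${2:-all}" ;;
esac
```

`del` replays the same rules with -D, which is the cleanup step the original one-liners lack. If the app still does not appear in mitmproxy after `add 443`, check whether it is also talking QUIC on a non-443 port before widening to `add all`, since the broad variant also blocks things like NTP and mDNS on the host.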