httptoolkit / frida-interception-and-unpinning

Frida scripts to directly MitM all HTTPS traffic from a target mobile application
https://httptoolkit.com/android/
GNU Affero General Public License v3.0

Can't unpin eu.reply.cordless.uk #1

Open dobypog opened 2 years ago

dobypog commented 2 years ago

I'm struggling to find a script that'll unpin the Vodafone Broadband app (eu.reply.cordless.uk) and having read the blog post about Frida's unpinning capabilities I figured I'd see if anyone can help.

This app in question is a companion app for Vodafone's supplied router. The SSL traffic being pinned is local, between the device and router on custom ports, any traffic sent remotely (API calls to the cloud using port 443) is not pinned and can be intercepted without issue. The app uses TCP ports 8888 6698 and 6699 to communicate with the Router.

If the script launches the app with no prior user data (like a fresh install), I'll get the following:

--> Bypassing OpenSSLSocketImpl Conscrypt --> Bypassing Trustmanager (Android < 7) request --> Bypassing OpenSSLSocketImpl Conscrypt --> Bypassing Trustmanager (Android < 7) request --> Bypassing OpenSSLSocketImpl Conscrypt --> Bypassing Trustmanager (Android < 7) request --> Bypassing OpenSSLSocketImpl Conscrypt --> Bypassing OpenSSLSocketImpl Conscrypt --> Bypassing OpenSSLSocketImpl Conscrypt --> Bypassing OpenSSLSocketImpl Conscrypt --> Bypassing OpenSSLSocketImpl Conscrypt

Thereafter, using the script to relaunch the app I'll just get:

--> Bypassing OpenSSLSocketImpl Conscrypt --> Bypassing OpenSSLSocketImpl Conscrypt

In all instances certificate pinning is still in place and blocking communication if I'm proxying the traffic. If I refresh the app enough times it'll add another line of '--> Bypassing OpenSSLSocketImpl Conscrypt' which seemingly isn't achieving anything.

Unfortunately I can't read or write JavaScript so I'm a bit stuck on how I'd resolve this myself. I've dug around in the code using jadx but don't really know what to look for; I have found mentions of certificate pinning. The APK uses BouncyCastle keystores (.bks) to facilitate the certificate pinning (I think) and they're not password protected.

Test environment is a rooted Android 7 (Xperia Z5) with the latest Frida releases.

App version is the latest (4.5.2). It's worth noting that certificate pinning is a recent addition in the app (starting in version 4.4.1), but the traffic I want to intercept (and therefore the feature I want to manipulate) is only available after pinning came into force.

pimterry commented 2 years ago

Thanks for the report! This is really useful info.

I'm not sure how the Vodafone app implements SSL pinning either, any ideas? Happy to help, but I can't seem to find an APK for it on apkpure.com or elsewhere, and I'm not in the UK so it won't seem to let me install it from the play store either.

If you manage to reverse engineer it and share any details that would be very helpful; I'm happy to help write up the JavaScript if you can work out what in the app needs changing. The trick is to find the specific method that is used to check the certificate, and then we can replace that with something that skips the check. For example, if you can follow it back to a class like eu.reply.cordless.uk.HttpClient with a checkCertificates method, then we can change that method to just return true every time, and then you're sorted. Does that make sense?

If it's a new addition, that might help here - if you can get the previous & changed APKs then you can compare and contrast different disassembled versions of the code to find where things changed. If you can get the certificate check error message from ADB logs that might also be helpful, because you can hunt through the code for the error message string.
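One way to write the method replacement described in the comment above, as an added example that is not part of this thread or of the repository's own scripts. The class eu.reply.cordless.uk.HttpClient and the method checkCertificates are the hypothetical names from the comment, not names taken from the app; the hook logs the original verdict before forcing `true` so the tester can see exactly which check was overridden.

```javascript
// Added example: Frida hook that makes a hypothetical certificate-check
// method return true on every call. Class and method names are placeholders.
const TARGET_CLASS = 'eu.reply.cordless.uk.HttpClient'; // hypothetical
const TARGET_METHOD = 'checkCertificates';              // hypothetical

// Patch every overload of className.methodName so it returns true.
// `javaApi` is Frida's global `Java` object; it is passed in explicitly so
// the same logic can be exercised with a stub outside the Frida runtime.
// Returns the number of overloads hooked.
function installReturnTrueHook(javaApi, className, methodName) {
  let hooked = 0;
  javaApi.perform(() => {
    const cls = javaApi.use(className);
    const method = cls[methodName];
    if (!method) {
      throw new Error(`${className}.${methodName} not found`);
    }
    // Frida exposes each Java overload separately; patch all of them.
    for (const overload of method.overloads) {
      const original = overload;
      overload.implementation = function (...args) {
        let verdict;
        try {
          // Run the real check first so its result shows up in the log.
          verdict = original.call(this, ...args);
        } catch (e) {
          verdict = `threw ${e}`;
        }
        console.log(`--> ${className}.${methodName} returned ${verdict}; forcing true`);
        return true;
      };
      hooked += 1;
    }
  });
  return hooked;
}

// Only install the hook when running under Frida (where `Java` exists).
if (typeof Java !== 'undefined') {
  installReturnTrueHook(Java, TARGET_CLASS, TARGET_METHOD);
}
```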

dobypog commented 2 years ago

Thanks for the reply. The APK is available on apkmonk.com.

I don't know whether it's worth it anymore (for me personally) because I can't get the router co-operating on port 6699 in the versions without certificate pinning. Even though I can get a TLS connection while proxying, the webserver (nginx) on the router refuses to reply to any of the API calls, resulting in 404's and 503's, it's so frustrating because anything that uses port 443 is a breeze. It's the same with the Packet Capture app, if I just capture the traffic without SSL I can see evidence of back and forth communication, as soon as I apply SSL to the relevant ports the router refuses to talk. So right now I feel at a dead end, I'll probably push on though when I get the time because I hate giving up!

maxrull00 commented 2 months ago

Hi, any updates on unpinning the Vodafone app? I am also struggling to bypass their protection.

pimterry commented 2 months ago

@maxrull00 can you share more info about the requests that are failing? I've tested and cloud requests do all seem to be interceptable with the latest scripts, so I assume you're talking about local network traffic, but I don't think it's possible to test the local network requests without owning a Vodafone router.

If you're interested in reverse engineering this, I've written a guide you can use to dig into this here: https://httptoolkit.com/blog/android-reverse-engineering/