Unable to inspect app

[douglasforseti]

I am using Burp Sute Community with a rooted Samsung Galaxy A04e device running Android 13. I am trying to inspect an app that uses certificate pinning, br.com.autopass.top

My environment info:

• Frida Server on device: 16.4.7
• Frida tools on my computer: 16.4.7
• Before run Frida on device, I did a setenforce 0
• I enabled debug mode at config.js
• I did a test with _tech.httptoolkit.pinningdemo and it work as expected

The error:

$ frida -U \
>     -l ./config.js \
>     -l ./native-tls-hook.js \
>     -l ./android/android-certificate-unpinning.js \
>     -l ./android/android-certificate-unpinning-fallback.js \
>     -f br.com.autopass.top
     ____
    / _  |   Frida 16.4.7 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to SM A042M (id=R9XW206F74V)
Spawning `br.com.autopass.top`...                                       

*** Starting scripts ***
[+] Patched 2 libssl.so verification methods
== Hooked native TLS lib libssl.so ==
Spawned `br.com.autopass.top`. Resuming main thread!                    
[SM A042M::br.com.autopass.top ]->
    === Disabling all recognized unpinning libraries ===
[+] javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier
[+] javax.net.ssl.HttpsURLConnection setSSLSocketFactory
[+] javax.net.ssl.HttpsURLConnection setHostnameVerifier
[+] javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
[ ] com.android.org.conscrypt.CertPinManager isChainValid
[+] com.android.org.conscrypt.CertPinManager checkChainPinning
[+] android.security.net.config.NetworkSecurityConfig $init(*) (0)
[+] android.security.net.config.NetworkSecurityConfig $init(*) (1)
[+] com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
[+] com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[+] okhttp3.CertificatePinner check(String, List)
[ ] okhttp3.CertificatePinner check(String, Certificate)
[+] okhttp3.CertificatePinner check(String, Certificate;[])
[+] okhttp3.CertificatePinner check$okhttp
[ ] com.squareup.okhttp.CertificatePinner *
[ ] com.datatheorem.android.trustkit.pinning.PinningTrustManager *
[ ] appcelerator.https.PinningTrustManager *
[ ] nl.xservices.plugins.sslCertificateChecker *
[ ] com.worklight.wlclient.api.WLClient *
[ ] com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning *
[ ] com.worklight.androidgap.plugin.WLCertificatePinningPlugin *
[ ] com.commonsware.cwac.netsecurity.conscrypt.CertPinManager *
[ ] io.netty.handler.ssl.util.FingerprintTrustManagerFactory *
[ ] com.silkimen.cordovahttp.CordovaServerTrust *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyHostnameVerifier *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyTrustManager *
== Certificate unpinning completed ==
== Unpinning fallback auto-patcher installed ==
*** Scripts completed ***

 => android.security.net.config.NetworkSecurityConfig $init(*) (0)
 => android.security.net.config.NetworkSecurityConfig $init(*) (0)
 => com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
Process crashed: SIGTRAP TRAP_BRKPT

***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'samsung/a04eub/a04e:13/TP1A.220624.014/A042MUBU1BWAB:user/release-keys'
Revision: '0'
ABI: 'arm64'
Processor: '5'
Timestamp: 2024-08-03 11:47:04.801704461-0300
Process uptime: 21s
Cmdline: br.com.autopass.top
pid: 1273, tid: 1391, name: mqt_native_modu  >>> br.com.autopass.top <<<
uid: 10236
signal 5 (SIGTRAP), code 1 (TRAP_BRKPT), fault addr 0x00000073ee95ae3c
    x0  0000000000000000  x1  000000000000056f  x2  0000000000000005  x3  0000007535294700
    x4  00000073e6ec9cc0  x5  00000073e6ec9cc0  x6  00000073e6ec9cc0  x7  0000000000000001
    x8  00000000000000f0  x9  efc69674434d599e  x10 0000000000000b48  x11 000000000000000d
    x12 0000000000004100  x13 0000000000000002  x14 0000000000000025  x15 0000000000000000
    x16 000000740ddfe4d8  x17 000000752bef9000  x18 0000000000000068  x19 0000007535294700
    x20 00000000000004f9  x21 b400007487424688  x22 00000073e6eca000  x23 00000075352942e8
    x24 0000000000000000  x25 000000754d6713a0  x26 0000007540fb2459  x27 00000073f29b9218
    x28 b4000074876a9f00  x29 0000007535294340
    lr  000000740dd93afc  sp  00000075352942e0  pc  000000752bef9020  pst 0000000000000000
backtrace:
      #00 pc 000000000008a020  /apex/com.android.runtime/lib64/bionic/libc.so (syscall+32) (BuildId: 98aed11fdb60f820e85fe8de98dd0800)
      #01 pc 0000000000052af8  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/split_config.arm64_v8a.apk!libcrashlytics-common.so (BuildId: 1bbc978b6d6214da5715537ea8a5f111a5eb8128)
      #02 pc 0000000000a2f02c  /memfd:frida-agent-64.so (deleted)
      #03 pc 00000000000005c0  [vdso] (__kernel_rt_sigreturn+0)
      #04 pc 000000000008a01c  /apex/com.android.runtime/lib64/bionic/libc.so (syscall+28) (BuildId: 98aed11fdb60f820e85fe8de98dd0800)
      #05 pc 000000000576f27c  /data/app/~~nJox5AbFqnuvQLUpnsOFrg==/com.google.android.webview-60NuD0YHFWy3JRqYHaZx8A==/base.apk!libmonochrome.so (BuildId: 4ffc581582edf0838bdd4b541727e4edc60f9088)
      #06 pc 0000000005766860  /data/app/~~nJox5AbFqnuvQLUpnsOFrg==/com.google.android.webview-60NuD0YHFWy3JRqYHaZx8A==/base.apk!libmonochrome.so (BuildId: 4ffc581582edf0838bdd4b541727e4edc60f9088)
      #07 pc 0000000000a2f02c  /memfd:frida-agent-64.so (deleted)
      #08 pc 00000000000005c0  [vdso] (__kernel_rt_sigreturn+0)
      #09 pc 0000000000072e38  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/split_config.arm64_v8a.apk!libidp-shared.so
      #10 pc 000000000006dfa4  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/split_config.arm64_v8a.apk!libidp-shared.so
      #11 pc 0000000000072200  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/split_config.arm64_v8a.apk!libidp-shared.so (_aRFCeqe7D7P23zB9P7NMXdtc45e9oadu6rwEhPzQmRu+388)
      #12 pc 000000000000fe70  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/split_config.arm64_v8a.apk (ffi_call_SYSV+96)
      #13 pc 000000000000f660  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/split_config.arm64_v8a.apk (ffi_call+292)
      #14 pc 0000000000005b80  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/split_config.arm64_v8a.apk
      #15 pc 00000000000079ec  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/split_config.arm64_v8a.apk (Java_com_sun_jna_Native_invokeInt+32)
      #16 pc 0000000000163bf8  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/oat/arm64/base.odex (art_jni_trampoline+152)
      #17 pc 00000000004cc928  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/oat/arm64/base.odex (com.sun.jna.Function.invoke+3448)
      #18 pc 00000000004cb3a0  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/oat/arm64/base.odex (com.sun.jna.Function.invoke+1344)
      #19 pc 000000000045c670  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/oat/arm64/base.odex (com.sun.jna.Library$Handler.invoke+1824)
      #20 pc 000000000051380c  /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat (java.lang.reflect.Proxy.invoke+92)
      #21 pc 000000000033aa80  /apex/com.android.art/lib64/libart.so (art_quick_invoke_static_stub+640) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #22 pc 00000000002c2070  /apex/com.android.art/lib64/libart.so (art::InvokeProxyInvocationHandler(art::ScopedObjectAccessAlreadyRunnable&, char const*, _jobject*, _jobject*, std::__1::vector<jvalue, std::__1::allocator<jvalue> >&)+784) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #23 pc 00000000002bfb60  /apex/com.android.art/lib64/libart.so (artQuickProxyInvokeHandler+820) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #24 pc 0000000000350e4c  /apex/com.android.art/lib64/libart.so (art_quick_proxy_invoke_handler+76) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #25 pc 00000000005b9dd4  /apex/com.android.art/lib64/libart.so (nterp_helper+7636) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #26 pc 0000000001efbd12  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/oat/arm64/base.vdex (util.a.y.y.mb.AuthResultCode+1302)
      #27 pc 00000000005b8f54  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #28 pc 0000000001eb1284  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/oat/arm64/base.vdex (util.a.y.g.b.values+224)
      #29 pc 00000000005b8f54  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #30 pc 0000000001ed0782  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/oat/arm64/base.vdex (util.a.y.s.a.callback+478)
      #31 pc 000000000033a7a4  /apex/com.android.art/lib64/libart.so (art_quick_invoke_stub+612) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #32 pc 000000000037cdc0  /apex/com.android.art/lib64/libart.so (_jobject* art::InvokeMethod<(art::PointerSize)8>(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jobject*, _jobject*, unsigned long)+5308) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #33 pc 000000000037b8f4  /apex/com.android.art/lib64/libart.so (art::Method_invoke(_JNIEnv*, _jobject*, _jobject*, _jobjectArray*) (.__uniq.165753521025965369065708152063621506277)+32) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #34 pc 00000000003925f8  /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat (art_jni_trampoline+120)
      #35 pc 00000000005b8fb0  /apex/com.android.art/lib64/libart.so (nterp_helper+4016) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #36 pc 00000000015f2bd4  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/oat/arm64/base.vdex (com.sun.jna.CallbackReference$DefaultCallbackProxy.invokeCallback+120)
      #37 pc 00000000005b8f54  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #38 pc 00000000015f2894  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/oat/arm64/base.vdex (com.sun.jna.CallbackReference$DefaultCallbackProxy.callback+0)
      #39 pc 000000000033a7a4  /apex/com.android.art/lib64/libart.so (art_quick_invoke_stub+612) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #40 pc 00000000003388ec  /apex/com.android.art/lib64/libart.so (art::JValue art::InvokeVirtualOrInterfaceWithVarArgs<art::ArtMethod*>(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, art::ArtMethod*, std::__va_list)+772) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #41 pc 0000000000558f80  /apex/com.android.art/lib64/libart.so (art::JNI<false>::CallObjectMethod(_JNIEnv*, _jobject*, _jmethodID*, ...)+264) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #42 pc 000000000000b118  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/split_config.arm64_v8a.apk
      #43 pc 000000000000b8b4  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/split_config.arm64_v8a.apk
      #44 pc 000000000000fbac  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/split_config.arm64_v8a.apk
      #45 pc 000000000000fefc  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/split_config.arm64_v8a.apk
      #46 pc 000000000006d2ec  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/split_config.arm64_v8a.apk!libidp-shared.so (_C5FdwPQRMrtKfKFPjrXqVB+660)
      #47 pc 000000000000fe70  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/split_config.arm64_v8a.apk (ffi_call_SYSV+96)
      #48 pc 000000000000f660  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/split_config.arm64_v8a.apk (ffi_call+292)
      #49 pc 0000000000005b80  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/split_config.arm64_v8a.apk
      #50 pc 00000000000079ec  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/split_config.arm64_v8a.apk (Java_com_sun_jna_Native_invokeInt+32)
      #51 pc 0000000000163bf8  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/oat/arm64/base.odex (art_jni_trampoline+152)
      #52 pc 00000000004cc928  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/oat/arm64/base.odex (com.sun.jna.Function.invoke+3448)
      #53 pc 00000000004cb3a0  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/oat/arm64/base.odex (com.sun.jna.Function.invoke+1344)
      #54 pc 000000000045c670  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/oat/arm64/base.odex (com.sun.jna.Library$Handler.invoke+1824)
      #55 pc 000000000051380c  /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat (java.lang.reflect.Proxy.invoke+92)
      #56 pc 000000000033aa80  /apex/com.android.art/lib64/libart.so (art_quick_invoke_static_stub+640) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #57 pc 00000000002c2070  /apex/com.android.art/lib64/libart.so (art::InvokeProxyInvocationHandler(art::ScopedObjectAccessAlreadyRunnable&, char const*, _jobject*, _jobject*, std::__1::vector<jvalue, std::__1::allocator<jvalue> >&)+784) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #58 pc 00000000002bfb60  /apex/com.android.art/lib64/libart.so (artQuickProxyInvokeHandler+820) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #59 pc 0000000000350e4c  /apex/com.android.art/lib64/libart.so (art_quick_proxy_invoke_handler+76) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #60 pc 00000000005b9dd4  /apex/com.android.art/lib64/libart.so (nterp_helper+7636) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #61 pc 0000000001ef9db2  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/oat/arm64/base.vdex (util.a.y.y.ma.AuthResultCode+1338)
      #62 pc 00000000005b8f54  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #63 pc 0000000001eb0834  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/oat/arm64/base.vdex (util.a.y.g.b.AuthInput+20)
      #64 pc 00000000005b8f54  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #65 pc 0000000001eb3738  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/oat/arm64/base.vdex (util.a.y.g.ma.AuthResultCode+728)
      #66 pc 00000000005b8098  /apex/com.android.art/lib64/libart.so (nterp_helper+152) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #67 pc 0000000000c85798  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/oat/arm64/base.vdex (com.gemalto.idp.mobile.core.IdpCore.configure+48)
      #68 pc 00000000005b8098  /apex/com.android.art/lib64/libart.so (nterp_helper+152) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #69 pc 0000000000c858ea  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/oat/arm64/base.vdex (com.gemalto.idp.mobile.core.IdpCore.configure+42)
      #70 pc 00000000005b8098  /apex/com.android.art/lib64/libart.so (nterp_helper+152) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #71 pc 00000000015ce112  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/oat/arm64/base.vdex (com.pefisasecuritysdk.PefisaSecuritySdkModule.init+374)
      #72 pc 000000000033a7a4  /apex/com.android.art/lib64/libart.so (art_quick_invoke_stub+612) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #73 pc 000000000037cdc0  /apex/com.android.art/lib64/libart.so (_jobject* art::InvokeMethod<(art::PointerSize)8>(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jobject*, _jobject*, unsigned long)+5308) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #74 pc 000000000037b8f4  /apex/com.android.art/lib64/libart.so (art::Method_invoke(_JNIEnv*, _jobject*, _jobject*, _jobjectArray*) (.__uniq.165753521025965369065708152063621506277)+32) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #75 pc 00000000003925f8  /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat (art_jni_trampoline+120)
      #76 pc 00000000003780f8  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/oat/arm64/base.odex (com.facebook.react.bridge.JavaMethodWrapper.invoke+2136)
      #77 pc 0000000000314f04  /data/app/~~gtnHWo5pMoV38V_INmQQkg==/br.com.autopass.top-73h03bMCPMnd2u9j4-aDvg==/oat/arm64/base.odex (com.facebook.react.bridge.JavaModuleWrapper.invoke+1540)
      #78 pc 000000000033a7a4  /apex/com.android.art/lib64/libart.so (art_quick_invoke_stub+612) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #79 pc 00000000003388ec  /apex/com.android.art/lib64/libart.so (art::JValue art::InvokeVirtualOrInterfaceWithVarArgs<art::ArtMethod*>(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, art::ArtMethod*, std::__va_list)+772) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #80 pc 0000000000560504  /apex/com.android.art/lib64/libart.so (art::JNI<false>::CallVoidMethodV(_JNIEnv*, _jobject*, _jmethodID*, std::__va_list)+192) (BuildId: 2452917c4ff69cbb6e75e5512260946b)
      #81 pc 00000000000556e8  /data/data/br.com.autopass.top/lib-0/libreactnativejni.so (_JNIEnv::CallVoidMethod(_jobject*, _jmethodID*, ...)+116) (BuildId: 0cc91b6af83e1a90a1a2fffe3085b287cbb2e0a0)
      #82 pc 0000000000079780  /data/data/br.com.autopass.top/lib-0/libreactnativejni.so (BuildId: 0cc91b6af83e1a90a1a2fffe3085b287cbb2e0a0)
      #83 pc 000000000006fc28  /data/data/br.com.autopass.top/lib-0/libreactnativejni.so (BuildId: 0cc91b6af83e1a90a1a2fffe3085b287cbb2e0a0)
      #84 pc 0000000000058d24  /data/data/br.com.autopass.top/lib-0/libreactnativejni.so (facebook::jni::detail::MethodWrapper<void (facebook::react::JNativeRunnable::*)(), &(facebook::react::JNativeRunnable::run()), facebook::react::JNativeRunnable, void>::dispatch(facebook::jni::alias_ref<facebook::jni::detail::JTypeFor<facebook::jni::HybridClass<facebook::react::JNativeRunnable, facebook::react::Runnable>::JavaPart, facebook::react::Runnable, void>::_javaobject*>)+32) (BuildId: 0cc91b6af83e1a90a1a2fffe3085b287cbb2e0a0)
***
[SM A042M::br.com.autopass.top ]->

Thank you for using Frida!

[pimterry]

Hmm, that's very interesting. Can you try simplifying your CLI script bit by bit, to see which one causes this? Config.js has some shared logic & settings, so you'll always need that, but all other others can be included or not independently. It's also worth testing with no Frida scripts specified on the CLI at all, just to check if this is caused by Frida detection in general (or some Frida bug or similar).

If you find it's cause by a specific script with various parts (like the script with all the cert unpinning hooks), you can try commenting out specific sections and see exactly which hook is breaking things. Takes a little trial and error, but it should be possible to pin this down a very specific cause with that.

[douglasforseti]

@pimterry thank you for help.

I tried just run frida (command below), and I got the same exception. It seems to happen right at startup when trying to open a webview

$ frida -U -f br.com.autopass.top

Do you think I should open an issue on the Frida project?

[pimterry]

Ok, thanks for confirming that. I think this means it's either a Frida bug, or it means the app is actively detecting Frida and blocking it (crashing intentionally to block this).

You might be able to confirm this by trying lots of different Frida versions. If this does run without crashing in any other Frida version, then this is almost certainly a bug (and if you can test different versions to find when this broke, and report it to the Frida team, I'm sure they'd love to hear about that).

Alternatively, to confirm for sure whether this is being actively detected & blocked, you'll need to do some serious reverse engineering of the app itself. That's quite a bit more complicated, but you might find https://httptoolkit.com/blog/android-reverse-engineering/ an interesting introduction if you're not familiar.

Either way, I'm going to close this for now, since it seems like this is not related to the current scripts at all. If you do find out that this is due to intentional Frida detection in the app though, and you learn any more about how that works in this case, do please share info here! That's definitely an interesting topic, and I'm open to eventually trying to extend the scripts here to deal with that where possible.

[douglasforseti]

Ok, thank you!

I tried some other older versions of Frida and the crashing still happens. I think it is being actively detected and blocked.

I did simple reverse engineering, and I found this:

package com.appsflyer.internal;

public enum AFa1xSDK$23740$AFa1xSDK {
   AFInAppEventParameterName;

   private static final AFa1xSDK$23740$AFa1xSDK[] AFInAppEventType;
   values;

   public String AFKeystoreWrapper;

   static {
      AFa1xSDK$23740$AFa1xSDK var0 = new AFa1xSDK$23740$AFa1xSDK("XPOSED", 0, "xps");
      values = var0;
      AFa1xSDK$23740$AFa1xSDK var1 = new AFa1xSDK$23740$AFa1xSDK("FRIDA", 1, "frd");
      AFInAppEventParameterName = var1;
      AFInAppEventType = new AFa1xSDK$23740$AFa1xSDK[]{var0, var1};
   }

   private AFa1xSDK$23740$AFa1xSDK(String var3) {
      this.AFKeystoreWrapper = var3;
   }
}

Do you think is there a way to bypass?

[pimterry]

No idea I'm afraid! It's not obvious to me from that snippet exactly what this is doing, you'll need to look into all the related classes and references and try to work out how this is used. It certainly suggests that's some kind of Frida detection going on, but I'm afraid it's hard to be any more specific.