Open pcurz opened 1 month ago
08-12 01:43:18.765 1139 2635 I InputDispatcher: setInputWindows displayId=0 Window{d21eedd u0 ScreenDecorOverlay} Window{490fb34 u0 NavigationBar0} Window{486b0fc u0 StatusBar} Window{4a678e7 u0 cl.com.edenred.ticketjunaeb/cl.com.edenred.ticketjunaeb.onboarding.OnBoardingActivity} Window{9c551a4 u0 cl.com.edenred.ticketjunaeb/cl.com.edenred.ticketjunaeb.onboarding.OnBoardingActivity} Window{5d12ea8 u0 com.android.systemui.ImageWallpaper}
08-12 01:43:18.776 20135 20169 D Utils : subject : O=Mockttp Cert - DO NOT TRUST,L=Unknown,C=XX,CN=edenred.ionix.cl
08-12 01:43:18.776 20135 20169 D Utils : organization : HTTP Toolkit CA
08-12 01:43:18.777 20135 20169 D Utils : commonName : HTTP Toolkit CA
08-12 01:43:18.777 20135 20169 D Utils : country : XX
08-12 01:43:18.777 20135 20169 D GuardInterceptor: No es un certificado válido
08-12 01:43:18.781 522 1208 I BufferQueueProducer: [cl.com.edenred.ticketjunaeb/cl.com.edenred.ticketjunaeb.onboarding.OnBoardingActivity#1](id:20a00000146,api:1,p:20135,c:522) disconnect(): api=1
It says "08-12 01:43:18.777 20135 20169 D GuardInterceptor: It is not a valid certificate"
Hmm, it's hard to know what's going on here:
Does that message definitely appear at the same time as the failing 401 response? Do you see any "certificate rejected" or "connection reset" empty rows in HTTP Toolkit? In all certificate pinning cases, something like that should appear. If there are no empty failure rows like that (so on every row you can see the request URL etc.) then there is no certificate pinning issue.
If you want to know more about GuardInterceptor anyway, you'll need to do some reverse engineering to dig into the app and find that source code. See here for more info: https://httptoolkit.com/blog/android-reverse-engineering/
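As an added example, not part of this thread and not one of HTTP Toolkit's own Frida scripts: the logcat lines above show the app reading the certificate subject and the issuer's organization/commonName before deciding "not a valid certificate", so one quick way to find the code doing that is to hook the Android API those values come from and print the caller's stack. The script below has a pure-JS part (parse the DN string, classify it using the markers visible in the log: the "DO NOT TRUST" subject and the "HTTP Toolkit CA" issuer) and a Frida part that only runs when loaded with `frida -U -l` (it hooks `javax.security.auth.x500.X500Principal.getName()`). Assumptions: that the app's check goes through `X500Principal.getName()` rather than another accessor, and that the organization/commonName fields logged belong to the issuer; the sample DNs are constructed from the logcat fields on this page, and the "clean" sample is invented.

```javascript
'use strict';

// Parse an RFC 2253-style DN such as
//   "O=Mockttp Cert - DO NOT TRUST,L=Unknown,C=XX,CN=edenred.ionix.cl"
// into { O: ..., L: ..., C: ..., CN: ... }. Backslash-escaped commas, which
// X500Principal.getName() emits for values containing ',', are handled.
function parseDn(dn) {
  const attrs = {};
  let key = '', val = '', inValue = false, i = 0;
  while (i < dn.length) {
    const ch = dn[i];
    if (ch === '\\' && i + 1 < dn.length) {   // escaped character: take it literally
      if (inValue) val += dn[i + 1]; else key += dn[i + 1];
      i += 2;
      continue;
    }
    if (!inValue && ch === '=') { inValue = true; i++; continue; }
    if (inValue && ch === ',') {                // end of one attribute
      attrs[key.trim().toUpperCase()] = val.trim();
      key = ''; val = ''; inValue = false; i++;
      continue;
    }
    if (inValue) val += ch; else key += ch;
    i++;
  }
  if (key) attrs[key.trim().toUpperCase()] = val.trim();
  return attrs;
}

// Markers an app-side guard could key on. Both appear in the logcat output
// above: Mockttp's generated leaf subject and the HTTP Toolkit CA name.
const INTERCEPTION_MARKERS = ['DO NOT TRUST', 'HTTP Toolkit CA'];

// Decide whether a subject/issuer pair looks like an interception certificate.
function classifyCert(subjectDn, issuerDn) {
  const subject = parseDn(subjectDn);
  const issuer = parseDn(issuerDn);
  const fields = [subject.O, issuer.O, issuer.CN].filter(Boolean);
  const marker = INTERCEPTION_MARKERS.find(m => fields.some(f => f.includes(m)));
  return {
    cn: subject.CN || null,
    intercepted: marker !== undefined,
    reason: marker ? 'matched "' + marker + '"' : 'no interception marker in subject/issuer',
  };
}

// Constructed samples: the first is built from the fields in the logcat output
// (issuer attribute order assumed); the second is an invented "normal" pair.
const SAMPLE_SUBJECT = 'O=Mockttp Cert - DO NOT TRUST,L=Unknown,C=XX,CN=edenred.ionix.cl';
const SAMPLE_ISSUER = 'CN=HTTP Toolkit CA,O=HTTP Toolkit CA,C=XX';
const CLEAN_SUBJECT = 'CN=edenred.ionix.cl,O=Example Org';
const CLEAN_ISSUER = 'CN=Example Root CA,O=Example Root';

function demo() {
  return {
    proxied: classifyCert(SAMPLE_SUBJECT, SAMPLE_ISSUER),
    clean: classifyCert(CLEAN_SUBJECT, CLEAN_ISSUER),
  };
}

// Frida side: only active inside frida, where the Java bridge exists. Under
// plain node the block just exposes the helpers above.
if (typeof Java !== 'undefined' && Java.available) {
  Java.perform(function () {
    const X500Principal = Java.use('javax.security.auth.x500.X500Principal');
    const Log = Java.use('android.util.Log');
    const Exception = Java.use('java.lang.Exception');

    // Log every subject/issuer DN the app reads, with the Java stack that asked
    // for it, so the class performing the check shows up by name.
    X500Principal.getName.overload().implementation = function () {
      const dn = this.getName();
      const parsed = parseDn(dn);
      console.log('[x500] ' + dn + '  CN=' + (parsed.CN || '?') + ' O=' + (parsed.O || '?'));
      console.log(Log.getStackTraceString(Exception.$new()));
      return dn;
    };
  });
}
```

Only the no-argument `getName()` overload is hooked; if the stack never prints while the "not a valid certificate" line does, the app is using `getName(String)`, `toString()`, or the raw encoded DN, and those need hooking in the same way. Under node the script simply runs `demo()`; under Frida, load it alongside the unpinning scripts.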
Does that message definitely appear at the same time as the failing 401 response?
Yes
Do you see any "certificate rejected" or "connection reset" empty rows in HTTP Toolkit?
Not really, it's like the app does a check itself and returns the same 401 error.
If you want to know more about GuardInterceptor anyway, you'll need to do some reverse engineering to dig into the app and find that source code. See here for more info: https://httptoolkit.com/blog/android-reverse-engineering/
I found the class and the method in question, but there are other things I still can't figure out, because the proxy stops working (no requests appear in HTTP Toolkit, and the app works normally) and I have to delete the app's data and start all over again. When I have time I will take it up again.
It gets stuck in the MFA section and does a request to https://edenred.ionix.cl/ that returns 401 Unauthorized (logcat_output.txt). Edit: I forgot to add that the Frida logs were captured running with:
frida -U -l ./config.js -l ./native-connect-hook.js -l ./native-tls-hook.js -l ./android/android-proxy-override.js -l ./android/android-system-certificate-injection.js -l ./android/android-certificate-unpinning.js -l ./android/android-certificate-unpinning-fallback.js -f net.veritran.becl.prod