httptoolkit / frida-interception-and-unpinning

Frida scripts to directly MitM all HTTPS traffic from a target mobile application
https://httptoolkit.com/android/
GNU Affero General Public License v3.0

App closes when trying to attach or spawn using frida & frida-interception-and-unpinning #111

Closed datNurd closed 3 weeks ago

datNurd commented 3 weeks ago

I am trying to intercept an application and it simply terminates when I try to attach or spawn using Frida:

frida -U -l ./config.js -l ./native-connect-hook.js -l ./native-tls-hook.js -l ./android/android-proxy-override.js -l ./android/android-system-certificate-injection.js -l ./android/android-certificate-unpinning.js -l ./android/android-certificate-unpinning-fallback.js -f in.gov.uidai.mAadhaarPlus

     ____
    / _  |   Frida 16.4.10 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Pixel 3 (id=912X1U6Z7)
Spawning `in.gov.uidai.mAadhaarPlus`...

*** Starting scripts ***
== Redirecting all TCP connections to 10.10.6.250:8000 ==
[+] Patched 2 libssl.so verification methods
== Hooked native TLS lib libssl.so ==
Spawned `in.gov.uidai.mAadhaarPlus`. Resuming main thread!
[Pixel 3::in.gov.uidai.mAadhaarPlus ]-> Ignoring unix:dgram connection
== Proxy system configuration overridden to 10.10.6.250:8000 ==
Rewriting <class: sun.net.spi.DefaultProxySelector>
Rewriting <class: android.net.PacProxySelector>
Rewriting <class: java.net.ProxySelector>
== Proxy configuration overridden to 10.10.6.250:8000 ==
[+] Injected cert into com.android.org.conscrypt.TrustedCertificateIndex
[ ] Skipped cert injection for org.conscrypt.TrustedCertificateIndex (not present)
[ ] Skipped cert injection for org.apache.harmony.xnet.provider.jsse.TrustedCertificateIndex (not present)
== System certificate trust injected ==

    === Disabling all recognized unpinning libraries ===
[+] javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier
[+] javax.net.ssl.HttpsURLConnection setSSLSocketFactory
[+] javax.net.ssl.HttpsURLConnection setHostnameVerifier
[+] javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
[ ] com.android.org.conscrypt.CertPinManager isChainValid
[+] com.android.org.conscrypt.CertPinManager checkChainPinning
[+] android.security.net.config.NetworkSecurityConfig $init(*) (0)
[+] android.security.net.config.NetworkSecurityConfig $init(*) (1)
[+] com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
[+] com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[+] okhttp3.CertificatePinner check(String, List)
[ ] okhttp3.CertificatePinner check(String, Certificate)
[+] okhttp3.CertificatePinner check(String, Certificate;[])
[+] okhttp3.CertificatePinner check$okhttp
[ ] com.squareup.okhttp.CertificatePinner *
[ ] com.datatheorem.android.trustkit.pinning.PinningTrustManager *
[ ] appcelerator.https.PinningTrustManager *
[ ] nl.xservices.plugins.sslCertificateChecker *
[ ] com.worklight.wlclient.api.WLClient *
[ ] com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning *
[ ] com.worklight.androidgap.plugin.WLCertificatePinningPlugin *
[ ] com.commonsware.cwac.netsecurity.conscrypt.CertPinManager *
[ ] io.netty.handler.ssl.util.FingerprintTrustManagerFactory *
[ ] com.silkimen.cordovahttp.CordovaServerTrust *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyHostnameVerifier *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyTrustManager *
== Certificate unpinning completed ==
== Unpinning fallback auto-patcher installed ==
*** Scripts completed ***

 => android.security.net.config.NetworkSecurityConfig $init(*) (0)
 => android.security.net.config.NetworkSecurityConfig $init(*) (0)
 => android.security.net.config.NetworkSecurityConfig $init(*) (0)
 => android.security.net.config.NetworkSecurityConfig $init(*) (0)
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
Process terminated
[Pixel 3::in.gov.uidai.mAadhaarPlus ]->

Thank you for using Frida!

I don't see what exactly is causing this issue.

I've learnt that anti-debugging could be enabled for some apps. So I've downloaded the script from the following git link https://github.com/apkunpacker/FridaScripts/blob/main/AntiDebug.js found online and attached it to the chain of scripts like this:

frida -U -l./AntiDebug.js -l ./config.js -l ./native-connect-hook.js -l ./native-tls-hook.js -l ./android/android-proxy-override.js -l ./android/android-system-certificate-injection.js -l ./android/android-certificate-unpinning.js -l ./android/android-certificate-unpinning-fallback.js -f in.gov.uidai.mAadhaarPlus

but still no luck:

     ____
    / _  |   Frida 16.4.10 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Pixel 3 (id=912X1U6Z7)
Spawning `in.gov.uidai.mAadhaarPlus`...

*** Starting scripts ***
== Redirecting all TCP connections to 10.10.6.250:8000 ==
[+] Patched 2 libssl.so verification methods
== Hooked native TLS lib libssl.so ==
Spawned `in.gov.uidai.mAadhaarPlus`. Resuming main thread!
[Pixel 3::in.gov.uidai.mAadhaarPlus ]-> Ignoring unix:dgram connection
== Proxy system configuration overridden to 10.10.6.250:8000 ==
Rewriting <class: sun.net.spi.DefaultProxySelector>
Rewriting <class: android.net.PacProxySelector>
Rewriting <class: java.net.ProxySelector>
== Proxy configuration overridden to 10.10.6.250:8000 ==
[+] Injected cert into com.android.org.conscrypt.TrustedCertificateIndex
[ ] Skipped cert injection for org.conscrypt.TrustedCertificateIndex (not present)
[ ] Skipped cert injection for org.apache.harmony.xnet.provider.jsse.TrustedCertificateIndex (not present)
== System certificate trust injected ==

    === Disabling all recognized unpinning libraries ===
[+] javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier
[+] javax.net.ssl.HttpsURLConnection setSSLSocketFactory
[+] javax.net.ssl.HttpsURLConnection setHostnameVerifier
[+] javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
[ ] com.android.org.conscrypt.CertPinManager isChainValid
[+] com.android.org.conscrypt.CertPinManager checkChainPinning
[+] android.security.net.config.NetworkSecurityConfig $init(*) (0)
[+] android.security.net.config.NetworkSecurityConfig $init(*) (1)
[+] com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
[+] com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[+] okhttp3.CertificatePinner check(String, List)
[ ] okhttp3.CertificatePinner check(String, Certificate)
[+] okhttp3.CertificatePinner check(String, Certificate;[])
[+] okhttp3.CertificatePinner check$okhttp
[ ] com.squareup.okhttp.CertificatePinner *
[ ] com.datatheorem.android.trustkit.pinning.PinningTrustManager *
[ ] appcelerator.https.PinningTrustManager *
[ ] nl.xservices.plugins.sslCertificateChecker *
[ ] com.worklight.wlclient.api.WLClient *
[ ] com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning *
[ ] com.worklight.androidgap.plugin.WLCertificatePinningPlugin *
[ ] com.commonsware.cwac.netsecurity.conscrypt.CertPinManager *
[ ] io.netty.handler.ssl.util.FingerprintTrustManagerFactory *
[ ] com.silkimen.cordovahttp.CordovaServerTrust *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyHostnameVerifier *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyTrustManager *
== Certificate unpinning completed ==
== Unpinning fallback auto-patcher installed ==
*** Scripts completed ***

 => android.security.net.config.NetworkSecurityConfig $init(*) (0)
 => android.security.net.config.NetworkSecurityConfig $init(*) (0)
 => android.security.net.config.NetworkSecurityConfig $init(*) (0)
 => android.security.net.config.NetworkSecurityConfig $init(*) (0)
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
HasTransport Check Detected
HasTransport Check Detected
HasTransport Check Detected
HasTransport Check Detected
HasTransport Check Detected
HasTransport Check Detected
HasTransport Check Detected
HasTransport Check Detected
HasTransport Check Detected
HasTransport Check Detected
HasTransport Check Detected
HasTransport Check Detected
HasTransport Check Detected
HasTransport Check Detected
HasTransport Check Detected
HasTransport Check Detected
Process terminated
[Pixel 3::in.gov.uidai.mAadhaarPlus ]->

Thank you for using Frida!

What could be happening here? Why does the app automatically get closed when Frida is attached? How can I overcome this, or understand what check is causing it?

pimterry commented 3 weeks ago

It's hard to know I'm afraid. If you run the app with Frida without any scripts, does it still crash? Some apps do try to detect Frida and/or root configurations in general (not just specific scripts) and fail like this in those environments. If that's the case, then it's not related to these scripts, and I'd suggest asking in a more general forum.

If that's not the case, and it is these scripts triggering this issue, then it would be helpful to reduce the number of scripts you're using and comment out chunks bit by bit, until you work out exactly what code is causing this.

datNurd commented 3 weeks ago

Yes, the app does crash even without any scripts. Also, the application has Play SafetyNet. Does SafetyNet have the capability to detect Frida during runtime? (I was able to bypass other SafetyNet checks using Magisk, so without Frida attached the app does work on a rooted device.)

pimterry commented 3 weeks ago

SafetyNet monitors overall device state I think, not whether there's anything attached to this specific app, so I don't think that'll be relevant here, given that the app does work when Frida is not attached.

If the app is crashing when run with Frida without any scripts though, it must have some specific Frida detection, or (less likely imo) there's a Frida bug here. You'll need to investigate that yourself, which will probably require reverse engineering into the source in depth. There's a general reverse engineering guide here: https://httptoolkit.com/blog/android-reverse-engineering/. I'd suggest looking through lots of public Frida detection approaches and anti-detection scripts to find the kind of thing they look for, and then dig into the source to see if you can find anything similar.

Regardless, this isn't related to these scripts specifically so I'm going to close this. If you're looking for more help, I'd suggest looking at general reverse engineering communities & other places where Frida gets discussed more generally.