httptoolkit / frida-interception-and-unpinning

Frida scripts to directly MitM all HTTPS traffic from a target mobile application
https://httptoolkit.com/android/
GNU Affero General Public License v3.0

SSL Unpinning failed for Whatsapp, Snapchat & McDonald's #24

Open RequestFX opened 1 year ago

RequestFX commented 1 year ago

Hey, I tried out your SSL unpinning script on some apps and it didn't work for most of them (Whatsapp, Snapchat, McDonald's App). Is that fixable or is it because of some different issue? Would be nice if we could have a talk, Discord: RequestFX#1541

pimterry commented 1 year ago

Hi @RequestFX - thanks for reporting this, that's useful to know.

Unpinning here is mostly focused on HTTP, and I'm fairly sure that the core of Whatsapp at least doesn't use HTTP at all, so I wouldn't expect that to work anyway.

Beyond that though, I'm not sure! I'm afraid I don't have time to investigate every report of issues for every app, but I've written a guide for reverse engineering to extend the script for custom per-app debugging & fixing here: https://httptoolkit.tech/blog/android-reverse-engineering/

It's useful to share any info you do have about the failure here too, to help others who hit this issue, and so we can spot widespread issues across many apps & unpatched common pinning libraries that might be fixable in the general-purpose script. Do you have any more info about what's failing?

If you have any errors you can share that would be useful, or if there's any interesting error or debug output that's shown if you run `adb logcat -T1` before reproducing the issue. If you do make any progress reverse engineering this, or if you run into any problems, do share that here too. I'm happy to give you some pointers if you have specific questions and it may help others investigating the same apps later.
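Since the advice above is to capture `adb logcat` output and look for errors, here is an added example (not code from this repository or from any commenter) that filters a logcat capture down to the lines that usually indicate a TLS trust, pinning or certificate-transparency failure for one app process. The log lines are constructed for illustration, the package name `com.example.app` and pid are made up, and the match patterns reflect common error strings from OkHttp, `javax.net.ssl` and the Android trust store rather than anything this particular issue confirmed.

```python
import re
from dataclasses import dataclass

# Constructed sample in `adb logcat -v threadtime` format; not taken from the issue's pastebins.
SAMPLE_LOGCAT = """\
04-12 10:21:03.117  4521  4521 I ActivityManager: Start proc 8812:com.example.app/u0a123
04-12 10:21:04.502  8812  8840 D OkHttp  : --> POST https://api.example.invalid/v1/login
04-12 10:21:04.611  8812  8840 W System.err: javax.net.ssl.SSLPeerUnverifiedException: Certificate pinning failure!
04-12 10:21:04.612  8812  8840 W System.err:   Peer certificate chain:
04-12 10:21:04.613  8812  8840 W System.err:     sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=: CN=api.example.invalid
04-12 10:21:05.004  8812  8841 E NetworkSecurityConfig: No Network Security Config specified, using platform default
04-12 10:21:05.320  8812  8842 E CertTransparency: Certificate transparency failed for host api.example.invalid
04-12 10:21:05.900  8812  8840 W System.err: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
04-12 10:21:06.100  1234  1234 I Unrelated: battery level 87
"""

# threadtime layout: date time pid tid level tag: message
LOGCAT_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>[^:]*?)\s*:\s?(?P<msg>.*)$"
)

# Assumed signatures of the failure modes discussed in this thread.
TLS_FAILURE_PATTERNS = {
    "pinning": re.compile(r"certificate pinning failure|sha256/[A-Za-z0-9+/=]+", re.I),
    "trust_anchor": re.compile(r"trust anchor for certification path not found|CertPathValidatorException", re.I),
    "cert_transparency": re.compile(r"certificate transparency", re.I),
    "ssl_handshake": re.compile(r"SSLHandshakeException|SSLPeerUnverifiedException", re.I),
}


@dataclass
class Finding:
    pid: int
    level: str
    tag: str
    categories: tuple  # sorted category names that matched this line
    msg: str


def parse_logcat_line(line):
    """Return the fields of one threadtime line, or None if it is not a log line."""
    m = LOGCAT_RE.match(line)
    return m.groupdict() if m else None


def app_pid(text, package):
    """Find the pid ActivityManager assigned when it started `package`, or None."""
    pat = re.compile(r"Start proc (\d+):" + re.escape(package) + r"(?:/|\s|$)")
    for line in text.splitlines():
        fields = parse_logcat_line(line)
        if fields and (m := pat.search(fields["msg"])):
            return int(m.group(1))
    return None


def find_tls_failures(text, pid=None):
    """Return Findings for lines matching any TLS failure pattern, optionally for one pid."""
    findings = []
    for line in text.splitlines():
        fields = parse_logcat_line(line)
        if not fields:
            continue
        if pid is not None and int(fields["pid"]) != pid:
            continue
        cats = tuple(sorted(name for name, rx in TLS_FAILURE_PATTERNS.items() if rx.search(fields["msg"])))
        if cats:
            findings.append(Finding(int(fields["pid"]), fields["level"], fields["tag"], cats, fields["msg"].strip()))
    return findings


def summarize(findings):
    """Count how often each failure category appeared."""
    counts = {}
    for f in findings:
        for c in f.categories:
            counts[c] = counts.get(c, 0) + 1
    return counts


if __name__ == "__main__":
    pid = app_pid(SAMPLE_LOGCAT, "com.example.app")
    for f in find_tls_failures(SAMPLE_LOGCAT, pid=pid):
        print(f"{f.level} {f.tag} [{', '.join(f.categories)}]: {f.msg}")
    print(summarize(find_tls_failures(SAMPLE_LOGCAT, pid=pid)))
```

Feed it a real capture by replacing `SAMPLE_LOGCAT` with the contents of `adb logcat -v threadtime -d > logcat.txt`. Filtering on the app's pid is what keeps unrelated system noise out; the category a line lands in tells you whether the app is doing its own pinning (an OkHttp-style `sha256/` pin mismatch), rejecting the proxy CA at the platform trust store, or failing a certificate-transparency check, and each of those points to a different part of the unpinning script to look at.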

RequestFX commented 1 year ago

As for the McDonald's app the script printed out this: [image]

As for the log, I don't know what to look for in this mess. Maybe someone else finds this helpful: https://pastebin.com/DyQ06qxt

The HTTP Toolkit data: [image]

Also, for the McDonald's app it will immediately show a network error if the certificate gets blocked and you have to restart the app.

McDonald's fortunately sends a crash report with info (https://pastebin.com/vZBgySnr), including "Certificate transparency failed", but idk what to do with that info tbh.

RequestFX commented 1 year ago

So what I tried here is to go into the McDonald's app and then launch HTTP Toolkit. It worked until these 2 POST requests showed up, and I found out that there is something going on: [image]

pimterry commented 1 year ago

Those are requests to Google's device attestation API, which is part of SafetyNet: https://developer.android.com/training/safetynet/. Apps use this API to detect if your device is rooted or otherwise modified.

If this is causing issues, then that means that your device does not pass SafetyNet checks, and the app is designed to refuse to work in that environment. That usually means you've used a rooting setup that isn't compatible with SafetyNet. It's hard to advise in more detail I'm afraid, because the SafetyNet checks themselves and the rooting mechanisms people use change very frequently.

There are various SafetyNet checkers you can install to test this for yourself - you'll probably find that they all show your device as failing this check.

To fix this, you'll need to either change your device's setup so that it does pass this check, or you'll need to modify the app (e.g. with Frida) to disable the check entirely.

To be clear, this isn't really related to certificate unpinning at all - this is an issue with using apps on rooted devices in general. Most apps will work fine even on devices that don't pass these checks, it's just the few apps that actively try to make themselves unusable on rooted devices where you'll have problems.

JXRNO commented 1 year ago

SafetyNet passes, but yet doesn't work on https://play.google.com/store/apps/details?id=com.mcdonalds.mobileapp

ghost commented 10 months ago

anyone know the new logcat command?

```
$ adb logcat -T1
unknown option -- T
Unrecognized Option
```

141MATRIX141 commented 3 months ago

Hi @JXRNO and @RequestFX, did you manage to bypass SSL pinning for McDonald's?