httptoolkit / frida-interception-and-unpinning

Frida scripts to directly MitM all HTTPS traffic from a target mobile application
https://httptoolkit.com/android/
GNU Affero General Public License v3.0

Certificate unpinning not working for this app #36

Closed shrish-nitb closed 11 months ago

shrish-nitb commented 11 months ago

Link to app (Play Store). Even after running the script, the process crashes after submission of the OTP with this message on the console: "Process crashed: Bad access due to protection failure". Help if anybody can figure out the reason or successfully log HTTPS requests after the OTP submission phase. Are they using a custom certificate pinning method?

Screenshots of log: Screenshot (342), Screenshot (341)

pimterry commented 11 months ago

That's very unusual, thanks for reporting this @shrish-nitb.

It would be interesting to work out which part of the script triggers this. Does it still happen if you run the app with Frida with an empty script? If not, can you remove different sections of this script until you find the specific part that's breaking things here?

It's most likely to be the Conscrypt patch, since that's the last line that appears in your logs, but it could be any one of the patches with a [+] next to it during setup.

My best guess would be that the application includes some native code that's integrating unusually with some code that's been patched here, in a way that's causing problems. If you can confirm which part is causing the issue, that might provide some clues (or at least, you can disable that specific patch and see if just using the rest of the patches works for you).

shrish-nitb commented 11 months ago

Yeah, I found some code regarding certificate pinning which is destined to throw errors on failure, and a few more instances of a boolean like isSslPinningEnabled(), which is basically intended for developers to toggle whether certificate pinning is on. So I turned it off and deleted the throw-exception code. On signing the APK again and running the Frida tool (which stopped at that same point again, but the app kept running), I found to my surprise that where I previously could not log in due to an interruption in communication (certificate rejected for a particular HTTPS URL), this time I successfully logged in, so I guess it bypassed that pinning thing.

But since the app has a DRM content protection policy, it immediately stopped working after logging in on my emulator. When I tried running it on my Android phone over an SSL proxy (Burp), it did not even allow me to enter credentials and crashes saying "No Internet available. Please check your Internet connection and try again 1001/1002", which I think is due to detection of the proxy server or self-signed non-system certificate trust issues (Burp CA cert) (Jesus, they raised the security bar too high). So eventually I could not study the API. I don't know how to bypass this.

Screenshot (344), Screenshot (352), Screenshot (349). The last screenshot has a method onFailure(), the 12th line of which has the same message that flashes on my Android device when I try to run the patch.

pimterry commented 11 months ago

It's hard to say what's up here I'm afraid, and unfortunately I can't do in-depth investigations into apps like this.

I do think the isSslPinningEnabled method sounds interesting! I would be tempted to try not using any of the hooks here, and instead just create a new Frida hook that modifies only that method to return false :smile:.

Beyond that, I'm afraid I'm not sure what to do here. If there are additional protections beyond basic pinning, it should definitely be possible to disable those with Frida, it's just that there may be quite a bit more reverse engineering required to understand exactly where your requests are failing, and then fix that. Sorry I can't be more help.
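A minimal Frida script of the kind suggested above, written here as an added example; it is not part of the original thread or of the httptoolkit scripts. It hooks one method and forces it to return false. The fully qualified class name `com.example.app.net.SslConfig` is a placeholder: the thread only shows that a method named `isSslPinningEnabled()` exists, not which class declares it, so substitute the name from the decompiled APK. Every overload of the method is hooked via `.overloads`, because Frida refuses to assign `.implementation` on a method that has more than one signature. When the file is loaded outside Frida (plain Node.js, where the `Java` global is absent), it falls back to a small in-file stand-in for the bridge so the hooking logic can be exercised offline; under Frida the real `Java` global is used unchanged.

```javascript
// Added example (not from the original thread or the httptoolkit project):
// a single-purpose Frida hook that forces a boolean "is pinning enabled?"
// method to return false, as suggested in the reply above.
//
// Run on a device/emulator with:  frida -U -f <package.name> -l unpin-flag.js
//
// ASSUMPTION: the declaring class is not named anywhere in the thread, only
// the method isSslPinningEnabled(). The class below is a placeholder that
// must be replaced with the one found in the decompiled APK.
const TARGET_CLASS = 'com.example.app.net.SslConfig'; // hypothetical
const TARGET_METHOD = 'isSslPinningEnabled';

// Replace every overload of className.methodName with a stub that returns
// `value`. Hooking via .overloads matters: if the method exists as both
// isSslPinningEnabled() and isSslPinningEnabled(Context), assigning
// .implementation on the bare method throws in Frida. Returns a call log so
// a caller (or a test) can confirm the hook actually fires.
function forceBooleanMethod(javaBridge, className, methodName, value) {
  const calls = [];
  javaBridge.perform(function () {
    const cls = javaBridge.use(className);
    const method = cls[methodName];
    if (method === undefined || method.overloads === undefined) {
      throw new Error(className + '.' + methodName + ' not found');
    }
    method.overloads.forEach(function (overload) {
      overload.implementation = function () {
        calls.push({ args: Array.prototype.slice.call(arguments) });
        return value; // never consult the original body
      };
    });
  });
  return calls;
}

// ---------------------------------------------------------------------------
// Offline stand-in for the Frida `Java` bridge so the hook logic can be run
// and checked under plain Node.js. It mimics only what forceBooleanMethod
// touches: Java.perform, Java.use, and per-overload `.implementation`.
// Under a real Frida session this is never used.
function makeFakeMethod(originalBodies) {
  return {
    overloads: originalBodies.map(function (orig) {
      const ov = { implementation: null };
      // In Frida, invoking the Java method runs `implementation` when set,
      // otherwise the original Java code; model that dispatch here.
      ov.invoke = function () {
        return (ov.implementation || orig).apply(null, arguments);
      };
      return ov;
    }),
  };
}

function makeFakeJavaBridge(classes) {
  return {
    perform: function (fn) { fn(); },
    use: function (name) {
      if (!(name in classes)) {
        throw new Error('java.lang.ClassNotFoundException: ' + name);
      }
      return classes[name];
    },
  };
}

// Entry point: use the real bridge when running under Frida; otherwise
// exercise the hook against the stand-in so the script is runnable offline.
if (typeof Java !== 'undefined') {
  forceBooleanMethod(Java, TARGET_CLASS, TARGET_METHOD, false);
  console.log('[+] ' + TARGET_CLASS + '.' + TARGET_METHOD + ' now returns false');
} else {
  const fakeClasses = {};
  fakeClasses[TARGET_CLASS] = {
    // Constructed sample: two overloads, both reporting pinning as enabled.
    isSslPinningEnabled: makeFakeMethod([
      function () { return true; },
      function (ctx) { return ctx !== null; },
    ]),
  };
  const bridge = makeFakeJavaBridge(fakeClasses);
  forceBooleanMethod(bridge, TARGET_CLASS, TARGET_METHOD, false);
  const m = bridge.use(TARGET_CLASS).isSslPinningEnabled;
  console.log('offline check:', m.overloads[0].invoke(), m.overloads[1].invoke('ctx'));
}
```

This only helps if the app actually consults that flag at runtime before deciding to pin. If pinning is also enforced from native code, or the "Bad access due to protection failure" crash in the original report originates in a native library rather than in Java, a Java-level hook like this will not touch it and the native side has to be traced separately.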