httptoolkit / frida-interception-and-unpinning

Frida scripts to directly MitM all HTTPS traffic from a target mobile application
https://httptoolkit.com/android/
GNU Affero General Public License v3.0
905 stars 178 forks

Roli: pins must start with 'sha256/' #42

Open yoshimo opened 10 months ago

yoshimo commented 10 months ago

When working on https://play.google.com/store/apps/details?id=com.telkomsel.roli, the OkHttp exception occurs.

Unpinning Android app...
[+] SSLPeerUnverifiedException auto-patcher
[+] HttpsURLConnection (setDefaultHostnameVerifier)
[+] HttpsURLConnection (setSSLSocketFactory)
[+] HttpsURLConnection (setHostnameVerifier)
[+] SSLContext
[+] TrustManagerImpl
[ ] OkHTTPv3 (list)
[ ] OkHTTPv3 (cert)
[ ] OkHTTPv3 (cert array)
[ ] OkHTTPv3 ($okhttp)
[ ] Trustkit OkHostnameVerifier(SSLSession)
[ ] Trustkit OkHostnameVerifier(cert)
[ ] Trustkit PinningTrustManager
[ ] Appcelerator PinningTrustManager
[ ] OpenSSLSocketImpl Conscrypt
[ ] OpenSSLEngineSocketImpl Conscrypt
[ ] OpenSSLSocketImpl Apache Harmony
[ ] PhoneGap sslCertificateChecker
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string)
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string array)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (cert)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (string string)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession)
[ ] Conscrypt CertPinManager
[ ] CWAC-Netsecurity CertPinManager
[ ] Worklight Androidgap WLCertificatePinningPlugin
[ ] Netty FingerprintTrustManagerFactory
[ ] Squareup CertificatePinner (cert)
[ ] Squareup CertificatePinner (list)
[ ] Squareup OkHostnameVerifier (cert)
[ ] Squareup OkHostnameVerifier (SSLSession)
[+] Android WebViewClient (SslErrorHandler)
[ ] Android WebViewClient (WebResourceError)
[ ] Apache Cordova WebViewClient
[ ] Boye AbstractVerifier
[ ] Appmattus (CertificateTransparencyInterceptor)
[ ] Appmattus (CertificateTransparencyTrustManager)
Unpinning setup completed
---
  --> Bypassing HttpsURLConnection (setDefaultHostnameVerifier)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing TrustManagerImpl checkTrusted
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing TrustManagerImpl checkTrusted
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->c
      Attempting to patch automatically...
      [+] okhttp3.CertificatePinner->c (automatic exception patch)
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
Process crashed: java.lang.IllegalArgumentException: pins must start with 'sha256/' or 'sha1/': Pinned certificates for roli.telkomsel.com

The code for that is in https://github.com/square/okhttp/blob/d54ef742fc43e8917edc233760c20fbbdda8ee52/okhttp/src/jvmMain/kotlin/okhttp3/CertificatePinner.kt#L272

pimterry commented 10 months ago

Hi @yoshimo, as in #39, the automated exception patcher basically exists as a fallback, not a reliable mechanism. As soon as you see it failing, as here, it's a good bet that any future exceptions are caused by that.

I would recommend checking what okhttp3.CertificatePinner->c is in your case, and what would happen if that returned null.

For the specific exception later, can you trace back and work out where the invalid pin string comes from? You might need to debug the app or add logging in places with Frida. I'd expect these two exceptions are related, but either way there must be some previous step in this unpinning process that results in that string being wrong.
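An added example (not part of this issue, and not code from the frida-interception-and-unpinning project) of the kind of logging suggested above. It has two parts: a plain-JavaScript re-implementation of the pin-string check whose failure the log reports, so the rejection can be reproduced offline, and a Frida hook that only installs itself when the script runs inside Frida (where the `Java` bridge exists), logging every pin handed to `okhttp3.CertificatePinner$Builder.add` together with the Java stack that supplied it. Assumptions: the app's OkHttp exposes `okhttp3.CertificatePinner$Builder` with an `add(String, String[])` overload under those names (the class name is visible in the log, the Builder is not verified), Frida exposes the Java `String[]` argument with `length` and index access, and the base64 requirement mirrors OkHttp's decode step as understood by the author of this example rather than being quoted from the linked source.

```javascript
// Added example, not project code. Two pieces:
//  (1) classifyPin / findBadPins: re-implementation of the pin-string check that
//      OkHttp's CertificatePinner applies (the prefix check is exactly the one whose
//      message appears in the crash; the base64 check is an assumption).
//  (2) a Frida hook on okhttp3.CertificatePinner$Builder.add that logs each pin and
//      the call stack, so a malformed pin can be traced to its origin before the
//      IllegalArgumentException is thrown.

var PIN_PREFIXES = ['sha256/', 'sha1/'];
var BASE64_RE = /^[A-Za-z0-9+/]+={0,2}$/;

// Returns { ok: true, algorithm, hashBase64 } or { ok: false, reason }.
function classifyPin(pin) {
  if (typeof pin !== 'string') return { ok: false, reason: 'pin is not a string' };
  var prefix = PIN_PREFIXES.find(function (p) { return pin.indexOf(p) === 0; });
  if (!prefix) {
    // Same wording as the exception the crashed app reported.
    return { ok: false, reason: "pins must start with 'sha256/' or 'sha1/': " + pin };
  }
  var hash = pin.slice(prefix.length);
  // Assumption: OkHttp base64-decodes the remainder and rejects undecodable input.
  if (hash.length === 0 || hash.length % 4 !== 0 || !BASE64_RE.test(hash)) {
    return { ok: false, reason: 'Invalid pin hash: ' + pin };
  }
  return { ok: true, algorithm: prefix.slice(0, -1), hashBase64: hash };
}

// Checks a { pattern: [pins...] } map and returns every entry OkHttp would reject.
function findBadPins(pinsByPattern) {
  var bad = [];
  Object.keys(pinsByPattern).forEach(function (pattern) {
    pinsByPattern[pattern].forEach(function (pin) {
      var result = classifyPin(pin);
      if (!result.ok) bad.push({ pattern: pattern, pin: pin, reason: result.reason });
    });
  });
  return bad;
}

// Constructed sample input: one well-formed sha256 pin (32 zero bytes, base64) and one
// string of the shape that appeared in the crash message above.
var SAMPLE_PINS = {
  'roli.telkomsel.com': [
    'sha256/' + 'A'.repeat(43) + '=',
    'Pinned certificates for roli.telkomsel.com'
  ]
};

if (typeof Java !== 'undefined') {
  // Running under Frida: hook the Builder so every pin is logged with its origin.
  Java.perform(function () {
    var Builder = Java.use('okhttp3.CertificatePinner$Builder'); // assumed unobfuscated
    var Log = Java.use('android.util.Log');
    var Throwable = Java.use('java.lang.Throwable');
    Builder.add.overload('java.lang.String', '[Ljava.lang.String;').implementation =
      function (pattern, pins) {
        var pinList = [];
        for (var i = 0; i < pins.length; i++) pinList.push(String(pins[i]));
        var byPattern = {};
        byPattern[String(pattern)] = pinList;
        console.log('[pins] ' + pattern + ' -> ' + JSON.stringify(pinList));
        findBadPins(byPattern).forEach(function (b) {
          console.log('[pins] MALFORMED: ' + b.reason);
        });
        // The Java stack answers "where did this pin string come from?".
        console.log(Log.getStackTraceString(Throwable.$new()));
        return this.add(pattern, pins);
      };
  });
} else {
  // Plain Node: show what the check would flag for the constructed sample.
  console.log(JSON.stringify(findBadPins(SAMPLE_PINS), null, 2));
}
```

Run it with `frida -U -f <package> -l pins.js` alongside the unpinning script to see each pin as it is registered, or with `node pins.js` to exercise the check on the constructed sample alone. The hook logs before delegating to the original `add`, so the app still crashes on a bad pin, but the log now shows which caller produced the string.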