httptoolkit / frida-interception-and-unpinning

Frida scripts to directly MitM all HTTPS traffic from a target mobile application
https://httptoolkit.com/android/
GNU Affero General Public License v3.0

com.segway.mower Failed to automatically patch failure #45

Open TA2k opened 9 months ago

TA2k commented 9 months ago

https://play.google.com/store/apps/details?id=com.segway.mower

 --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure

pimterry commented 9 months ago

Hmm, that's interesting.

The automated patch here is really a backup - it might work, but even if it doesn't, it shows you where the problem is (okhttp3.CertificatePinner->check in this case).

That's an unusual problem though, because we already patch that method, in 4 different ways.

Can you share the rest of the output from the Frida script?

Can you run Frida connected to the app, and then run Java.perform(() => console.log(Java.use('okhttp3.CertificatePinner').check.overloads)) in the REPL there? That should print all of the different check() method overloads; presumably we must be missing one somehow.

TA2k commented 9 months ago

Complete log

Unpinning Android app...
[+] SSLPeerUnverifiedException auto-patcher
[+] HttpsURLConnection (setDefaultHostnameVerifier)
[+] HttpsURLConnection (setSSLSocketFactory)
[+] HttpsURLConnection (setHostnameVerifier)
[+] SSLContext
[+] TrustManagerImpl
[ ] OkHTTPv3 (list)
[ ] OkHTTPv3 (cert)
[ ] OkHTTPv3 (cert array)
[ ] OkHTTPv3 ($okhttp)
[ ] Trustkit OkHostnameVerifier(SSLSession)
[ ] Trustkit OkHostnameVerifier(cert)
[ ] Trustkit PinningTrustManager
[ ] Appcelerator PinningTrustManager
[ ] OpenSSLSocketImpl Conscrypt
[ ] OpenSSLEngineSocketImpl Conscrypt
[ ] OpenSSLSocketImpl Apache Harmony
[ ] PhoneGap sslCertificateChecker
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string)
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string array)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (cert)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (string string)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession)
[ ] Conscrypt CertPinManager
[ ] CWAC-Netsecurity CertPinManager
[ ] Worklight Androidgap WLCertificatePinningPlugin
[ ] Netty FingerprintTrustManagerFactory
[ ] Squareup CertificatePinner (cert)
[ ] Squareup CertificatePinner (list)
[ ] Squareup OkHostnameVerifier (cert)
[ ] Squareup OkHostnameVerifier (SSLSession)
[+] Android WebViewClient (SslErrorHandler)
[ ] Android WebViewClient (WebResourceError)
[ ] Apache Cordova WebViewClient
[ ] Boye AbstractVerifier
[ ] Appmattus (CertificateTransparencyInterceptor)
[ ] Appmattus (CertificateTransparencyTrustManager)
Unpinning setup completed
---
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Unexpected SSL verification failure, adding dynamic patch...
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Unexpected SSL verification failure, adding dynamic patch...
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Unexpected SSL verification failure, adding dynamic patch...
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Unexpected SSL verification failure, adding dynamic patch...
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Unexpected SSL verification failure, adding dynamic patch...
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Unexpected SSL verification failure, adding dynamic patch...
  --> Unexpected SSL verification failure, adding dynamic patch...
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Unexpected SSL verification failure, adding dynamic patch...
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Unexpected SSL verification failure, adding dynamic patch...
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Unexpected SSL verification failure, adding dynamic patch...
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Bypassing TrustManagerImpl checkTrusted 
  --> Unexpected SSL verification failure, adding dynamic patch...
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure

Error: java.lang.ClassNotFoundException: Didn't find class "okhttp3.CertificatePinner" on path: DexPathList[[zip file "/system/framework/org.apache.http.legacy.boot.jar", zip file "/data/app/com.segway.mower-FWYQe4J75UnE947412O_MA==/base.apk", zip file "/data/app/com.segway.mower-FWYQe4J75UnE947412O_MA==/split_config.arm64_v8a.apk", zip file "/data/app/com.segway.mower-FWYQe4J75UnE947412O_MA==/split_config.de.apk", zip file "/data/app/com.segway.mower-FWYQe4J75UnE947412O_MA==/split_config.en.apk", zip file "/data/app/com.segway.mower-FWYQe4J75UnE947412O_MA==/split_config.xxhdpi.apk"],nativeLibraryDirectories=[/data/app/com.segway.mower-FWYQe4J75UnE947412O_MA==/lib/arm64, /data/app/com.segway.mower-FWYQe4J75UnE947412O_MA==/base.apk!/lib/arm64-v8a, /data/app/com.segway.mower-FWYQe4J75UnE947412O_MA==/split_config.arm64_v8a.apk!/lib/arm64-v8a, /data/app/com.segway.mower-FWYQe4J75UnE947412O_MA==/split_config.de.apk!/lib/arm64-v8a, /data/app/com.segway.mower-FWYQe4J75UnE947412O_MA==/split_config.en.apk!/lib/arm64-v8a, /data/app/com.segway.mower-FWYQe4J75UnE947412O_MA==/split_config.xxhdpi.apk!/lib/arm64-v8a, /system/lib64, /product/lib64]]
    at (frida/node_modules/frida-java-bridge/lib/env.js:124)
    at (frida/node_modules/frida-java-bridge/lib/class-factory.js:448)
    at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:818)
    at _make (frida/node_modules/frida-java-bridge/lib/class-factory.js:111)
    at use (frida/node_modules/frida-java-bridge/lib/class-factory.js:62)
    at use (frida/node_modules/frida-java-bridge/index.js:258)
    at (/frida/log.js:1)
    at (frida/node_modules/frida-java-bridge/lib/vm.js:12)
    at _performPendingVmOps (frida/node_modules/frida-java-bridge/index.js:250)
    at (frida/node_modules/frida-java-bridge/index.js:242)
    at apply (native)
    at ne (frida/node_modules/frida-java-bridge/lib/class-factory.js:619)
    at (frida/node_modules/frida-java-bridge/lib/class-factory.js:597)

pimterry commented 9 months ago

That's the fundamental problem here then:

Unexpected SSL verification failure, adding dynamic patch...
Thrown by okhttp3.CertificatePinner->check

vs

Error: java.lang.ClassNotFoundException: Didn't find class "okhttp3.CertificatePinner"

I'm not sure how Frida can report that CertificatePinner is throwing an error while simultaneously saying it's unable to find the class. Something about classloaders perhaps? Or some kind of dynamic loading that somehow dodges the initial hooking script? It's hard to say and I haven't seen this before myself.

That's the real issue here though - if you can work out why that's happening, it should be easy to make the existing OkHttp hooks work to automatically unpin this for you. The problem isn't that the hooks don't work, it's that they're not being used at all, because Frida can't see OkHttp.
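
A small parser for the log format posted in this thread, surfacing the mismatch described above: runtime failures thrown by a class whose setup-time hooks were all skipped (`[ ]`). This is an added example, not part of the thread or the project's code; the sample log is constructed from lines shown above, and the mapping from the "OkHTTPv3" hook labels to okhttp3.CertificatePinner is an assumption.

```javascript
// Constructed sample, abbreviated from the log format posted in this issue.
const SAMPLE_LOG = `Unpinning Android app...
[+] TrustManagerImpl
[ ] OkHTTPv3 (list)
[ ] OkHTTPv3 (cert)
[ ] OkHTTPv3 (cert array)
[ ] OkHTTPv3 ($okhttp)
Unpinning setup completed
---
  --> Bypassing TrustManagerImpl checkTrusted
  --> Unexpected SSL verification failure, adding dynamic patch...
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure
      Thrown by okhttp3.CertificatePinner->check
      [ ] Failed to automatically patch failure`;
// Assumption: hook labels starting "OkHTTPv3" are the ones that target this class.
const LABEL_PREFIX_FOR_CLASS = { 'okhttp3.CertificatePinner': 'OkHTTPv3' };

function summariseUnpinningLog(text) {
  const hooks = [];            // { name, applied } lines from the setup phase
  const failures = new Map();  // "Class->method" -> count of unpatched failures
  let inSetup = true;
  let lastThrower = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === 'Unpinning setup completed') { inSetup = false; continue; }
    const hook = /^\[([+ ])\] (.+)$/.exec(line);
    if (inSetup && hook) {
      hooks.push({ name: hook[2], applied: hook[1] === '+' });
      continue;
    }
    const thrown = /^Thrown by (\S+)$/.exec(line);
    if (thrown) { lastThrower = thrown[1]; continue; }
    if (line === '[ ] Failed to automatically patch failure' && lastThrower) {
      failures.set(lastThrower, (failures.get(lastThrower) || 0) + 1);
      lastThrower = null;
    }
  }
  // Report throwers whose related static hooks were all skipped at setup.
  const unhooked = [];
  for (const [thrower, count] of failures) {
    const prefix = LABEL_PREFIX_FOR_CLASS[thrower.split('->')[0]];
    const related = prefix ? hooks.filter(h => h.name.startsWith(prefix)) : [];
    if (related.length > 0 && related.every(h => !h.applied)) {
      unhooked.push({ thrower, count, skippedHooks: related.length });
    }
  }
  return { hooks, failures, unhooked };
}
console.log(summariseUnpinningLog(SAMPLE_LOG).unhooked);
```

A non-empty `unhooked` list means the class was in use at runtime even though none of its hooks attached at setup, which is the contradiction this thread ends on.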