httptoolkit / frida-interception-and-unpinning

Frida scripts to directly MitM all HTTPS traffic from a target mobile application
https://httptoolkit.com/android/
GNU Affero General Public License v3.0

OkHostnameVerifier #53

Open kaerbannog opened 7 months ago

kaerbannog commented 7 months ago

A missing case for SSL pinning that could help others:

```js
Java.perform(function () {
  // Android's bundled copy of OkHttp's hostname verifier
  var OkHostnameVerifier = Java.use('com.android.okhttp.internal.tls.OkHostnameVerifier');

  // Hook the verify method
  OkHostnameVerifier.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function (hostname, session) {
      // Print the parameters in red in the console
      console.log("\x1b[31m[Hooked OkHostnameVerifier.verify]");
      console.log("\x1b[31mHostname: \x1b[0m" + hostname);
      console.log("\x1b[31mSSLSession: \x1b[0m" + session);
      // Run the original check so its real result is visible in the log...
      var result = this.verify(hostname, session);
      console.log("\x1b[31mResult: \x1b[0m" + result);
      // ...but report success to the caller regardless of that result
      return true;
  };
});
```

Hope that can help others. BTW, thanks for your amazing work.

pimterry commented 7 months ago

Do you know why this is required in your case?

Currently we don't hook OkHostnameVerifier because I think it shouldn't be required if your interception setup is working correctly. It's really just verifying that the hostname matches the certificate with normal TLS rules - it shouldn't be pinning anything.

If there's a case where this doesn't work, it'd be great if you could share an example I can test!
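To make the point above concrete, here is an added example (not code from this project or from either commenter) that models the checks an OkHttp-style hostname verifier performs: the hostname is compared against the certificate's SubjectAltName entries under RFC 6125 rules, with no pinning involved. The certificate is represented as a plain object of DNS and IP SAN values, which is an assumption for illustration; a real verifier reads them from the X.509 structure. The returned `reason` string shows what a forced `return true` would hide, and is the information worth checking when an interception certificate fails this step.

```javascript
// Added example (not part of the frida-interception-and-unpinning project):
// a simplified model of the checks an OkHttp-style hostname verifier applies.
// The certificate is represented as a plain object holding its SubjectAltName
// entries; a real verifier reads them from the X.509 certificate.

const IPV4_RE = /^(\d{1,3})(\.\d{1,3}){3}$/;

function isIpAddress(host) {
  // IPv4 dotted quad, or anything containing ':' treated as IPv6
  return IPV4_RE.test(host) || host.includes(':');
}

// Match one DNS SAN pattern against a hostname (RFC 6125 style rules):
// - comparison is case-insensitive, trailing dots are ignored
// - a wildcard is only allowed as the entire leftmost label ("*.example.com")
// - the wildcard matches exactly one label: never zero, never several
function matchDnsName(hostname, pattern) {
  const host = hostname.toLowerCase().replace(/\.$/, '');
  const pat = pattern.toLowerCase().replace(/\.$/, '');

  if (!pat.includes('*')) {
    return host === pat;
  }
  // Exactly one wildcard, and it must be the whole first label.
  if (!pat.startsWith('*.') || pat.indexOf('*', 1) !== -1) {
    return false;
  }
  const suffix = pat.substring(1);             // ".example.com"
  if (!host.endsWith(suffix)) return false;
  const prefix = host.substring(0, host.length - suffix.length);
  // The wildcard must cover one non-empty label with no embedded dots.
  return prefix.length > 0 && !prefix.includes('.');
}

// cert: { dnsNames: [...], ipAddresses: [...] } built from SubjectAltName.
// Returns an object so the caller can log why verification failed.
function verifyHostname(hostname, cert) {
  const dnsNames = cert.dnsNames || [];
  const ipAddresses = cert.ipAddresses || [];

  if (isIpAddress(hostname)) {
    // IP literals are only matched against IP SANs, never DNS SANs.
    const ok = ipAddresses.includes(hostname);
    return { ok, reason: ok ? 'IP SAN matched' : 'no IP SAN matches ' + hostname };
  }
  for (const name of dnsNames) {
    if (matchDnsName(hostname, name)) {
      return { ok: true, reason: 'matched DNS SAN ' + name };
    }
  }
  return {
    ok: false,
    reason: 'no DNS SAN matches ' + hostname + ' in [' + dnsNames.join(', ') + ']'
  };
}

// Constructed sample certificate (not a real one): an interception certificate
// whose SANs only cover some of the names the app connects to.
const sampleCert = {
  dnsNames: ['api.example.com', '*.cdn.example.com'],
  ipAddresses: ['10.0.0.5']
};

console.log(verifyHostname('api.example.com', sampleCert));      // ok: exact match
console.log(verifyHostname('img.cdn.example.com', sampleCert));  // ok: wildcard covers one label
console.log(verifyHostname('a.b.cdn.example.com', sampleCert));  // fails: wildcard cannot span two labels
console.log(verifyHostname('cdn.example.com', sampleCert));      // fails: wildcard needs a label to match
console.log(verifyHostname('10.0.0.5', sampleCert));             // ok: IP SAN
console.log(verifyHostname('login.example.com', sampleCert));    // fails: name not in the certificate
```

When the last case is what the app hits, the fix pimterry describes is to issue the interception certificate with a SAN that covers the hostname, rather than to hook the verifier; the `reason` field tells you which name is missing.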

kaerbannog commented 7 months ago

Ok, I understand your point. As I see (not sure, lots of obfuscation), the hash of the certificate is hardcoded, so the match failed. I can't share the apk, sorry :/.

pimterry commented 6 months ago

Can you share more details about where and how the hash of the certificate is hardcoded? Just sharing the stack trace of the failure and the outline of the class involved would be very helpful. That would be interesting and might lead to something useful that could be fixed.

I think my point above is worth reiterating though: if OkHostnameVerifier is failing, that probably means your interception setup is not correct, it doesn't mean that you need to add more unpinning hooks (you can, to work around the setup issue, but your life will be easier if you instead use a certificate that passes basic hostname checks, and AFAIK it's always been possible to do that in any environment).