Open emrovsky opened 10 months ago
Ok, thanks! I did a bit of testing and I can confirm this, when using HTTP Toolkit with the new unpinning scripts here.
There are no errors shown in the Frida log (which is actually quite unusual) but digging into the ADB logs directly I can see:
01-16 17:10:46.723 9554 9683 E Spotify : [logging@f:221] aq: OnError reason: 1, error:server's cert didn't look good, X509_V_ERR = 24: CA is not trusted
So there's definitely certificate pinning going on. That error almost certainly comes from here: https://github.com/warmcat/libwebsockets/blob/36ff3b8d738a94d7c1d1b56ee9d41eb591088d2c/lib/tls/openssl/openssl-client.c#L666
Unfortunately, this is deep within libwebsockets, which we don't currently hook... This is a native library, so that's kind of out of scope of our current approach, but it might actually be possible. I can't see libwebsockets in the loaded modules of the app, but I can see libssl, so in theory we could hook methods there to do this. There's some discussion here that seems related: https://github.com/librespot-org/librespot-java/issues/140
How familiar are you with Frida? Want to take a crack at hooking this yourself?
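For triaging this kind of failure from the device side, the following added example (not part of the thread and not HTTP Toolkit's code) scans `adb logcat` threadtime output for OpenSSL verification errors like the one quoted above and names the numeric code. The first sample line is the one from this comment; the other two sample lines, the `ExampleTag` tag and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Subset of OpenSSL X509_V_ERR_* codes (x509_vfy.h) that indicate trust failures.
X509_V_ERR = {
    2: "UNABLE_TO_GET_ISSUER_CERT",
    10: "CERT_HAS_EXPIRED",
    18: "DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "SELF_SIGNED_CERT_IN_CHAIN",
    20: "UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "UNABLE_TO_VERIFY_LEAF_SIGNATURE",
    24: "INVALID_CA",
    62: "HOSTNAME_MISMATCH",
}

# logcat "threadtime" layout: MM-DD HH:MM:SS.mmm PID TID LEVEL TAG: message
LOGCAT = re.compile(
    r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEFA])\s+(?P<tag>.*?)\s*:\s(?P<msg>.*)$"
)
VERIFY = re.compile(r"X509_V_ERR\s*=\s*(?P<code>\d+)")

def native_verify_failures(lines):
    """Return one record per logcat line that reports an OpenSSL verify error."""
    hits = []
    for line in lines:
        entry = LOGCAT.match(line.strip())
        found = entry and VERIFY.search(entry["msg"])
        if not found:
            continue  # unparseable line, or no verify error in the message
        code = int(found["code"])
        hits.append({"pid": int(entry["pid"]), "tag": entry["tag"],
                     "code": code, "name": X509_V_ERR.get(code, "UNKNOWN")})
    return hits

def summarize(lines):
    """Count failures per (tag, error name) to see which component rejects the CA."""
    return Counter((h["tag"], h["name"]) for h in native_verify_failures(lines))

SAMPLE = [
    # Line quoted in the comment above.
    "01-16 17:10:46.723 9554 9683 E Spotify : [logging@f:221] aq: OnError reason: 1, "
    "error:server's cert didn't look good, X509_V_ERR = 24: CA is not trusted",
    # Constructed lines: one unrelated entry, one failure from a hypothetical tag.
    "01-16 17:10:46.801  9554  9683 I Spotify : [logging@f:221] aq: reconnect scheduled",
    "01-16 17:10:47.112  9554  9701 E ExampleTag: handshake failed, X509_V_ERR = 20: sample",
]

if __name__ == "__main__":
    for (tag, name), count in summarize(SAMPLE).items():
        print(f"{tag}: {name} x{count}")
```

A verify error reported this way while the Java-layer hooks log no failure points at a native TLS stack doing its own validation, which is the situation described in this comment.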
I don't have a good command of Frida, unfortunately. Is there someone who can do this for me?
> I don't have a good command of Frida, unfortunately. Is there someone who can do this for me?
Not really, no.
Personally, I'd like to look into it eventually, but it's a major chunk of work and I'm unlikely to have time in the short term.
If this is important for your work and you need these connections intercepted urgently, I'd recommend hiring a reverse engineer or similar from Upwork/Fiverr etc, there's plenty of people there who'll be happy to help.
Having the same issue, any updates @emrovsky ?
I opened a Fiverr brief but can't get an answer :(, if you got any updates, please let me know..
> I opened a Fiverr brief but can't get an answer :(, if you got any updates, please let me know..
Try using http tools on an emulator, worked for me. Also, how did you handle protobuf?
> > I opened a Fiverr brief but can't get an answer :(, if you got any updates, please let me know..
> Try using http tools on an emulator, worked for me. Also, how did you handle protobuf?
Is it https://github.com/MobSF/httptools? I take out the protobuf schematic and work in that way, if you are familiar with this schematic, it is not a very difficult task.
I am using: https://httptoolkit.com/android/
What do you mean? Can you share how exactly? Having a very hard time on it, still learning as well
After messing around with it, it works perfectly for Spotify, just need to adjust your client (mitmproxy or httptoolkit). Should be able to close this issue
Hi @AlexPaiva, can you explain what you mean? What adjustments do you need to make exactly?
Can you write here in more detail how you solved it please?
FYI if you are just interested in downloading/decrypting Spotify content, I can probably help with that. I am not too strong with Frida, but I am an expert with ProtoBuf/Widevine/MP4/DASH
all logs with debug-mode on
C:\Users\emrovsky\Downloads\test>frida -U -l config.js -l frida-script.js -f com.spotify.music
| (_| |
Starting scripts
Spawned com.spotify.music. Resuming main thread!
[M2101K6G::com.spotify.music ]-> --- Unpinning Android app...
[+] SSLPeerUnverifiedException auto-patcher
[+] HttpsURLConnection (setDefaultHostnameVerifier)
[+] HttpsURLConnection (setSSLSocketFactory)
[+] HttpsURLConnection (setHostnameVerifier)
[+] SSLContext
[+] TrustManagerImpl
[ ] OkHTTPv3 (list)
[ ] OkHTTPv3 (cert)
[ ] OkHTTPv3 (cert array)
[ ] OkHTTPv3 ($okhttp)
[ ] Trustkit OkHostnameVerifier(SSLSession)
[ ] Trustkit OkHostnameVerifier(cert)
[ ] Trustkit PinningTrustManager
[ ] Appcelerator PinningTrustManager
[ ] OpenSSLSocketImpl Conscrypt
[ ] OpenSSLEngineSocketImpl Conscrypt
[ ] OpenSSLSocketImpl Apache Harmony
[ ] PhoneGap sslCertificateChecker
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string)
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string array)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (cert)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (string string)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession)
[ ] Conscrypt CertPinManager
[ ] CWAC-Netsecurity CertPinManager
[ ] Worklight Androidgap WLCertificatePinningPlugin
[ ] Netty FingerprintTrustManagerFactory
[ ] Squareup CertificatePinner (cert)
[ ] Squareup CertificatePinner (list)
[ ] Squareup OkHostnameVerifier (cert)
[ ] Squareup OkHostnameVerifier (SSLSession)
[+] Android WebViewClient (SslErrorHandler)
[ ] Android WebViewClient (WebResourceError)
[ ] Apache Cordova WebViewClient
[ ] Boye AbstractVerifier
[ ] Appmattus (CertificateTransparencyInterceptor)
[ ] Appmattus (CertificateTransparencyTrustManager)
Unpinning setup completed
Scripts completed
--> Bypassing Trustmanager (Android < 7) request --> Bypassing TrustManagerImpl checkTrusted --> Bypassing Trustmanager (Android < 7) request --> Bypassing TrustManagerImpl checkTrusted --> Bypassing TrustManagerImpl checkTrusted --> Bypassing TrustManagerImpl checkTrusted --> Bypassing TrustManagerImpl checkTrusted --> Bypassing TrustManagerImpl checkTrusted --> Bypassing TrustManagerImpl checkTrusted --> Bypassing TrustManagerImpl checkTrusted --> Bypassing TrustManagerImpl checkTrusted --> Bypassing TrustManagerImpl checkTrusted --> Bypassing TrustManagerImpl checkTrusted --> Bypassing TrustManagerImpl checkTrusted --> Bypassing TrustManagerImpl checkTrusted --> Bypassing TrustManagerImpl checkTrusted --> Bypassing TrustManagerImpl checkTrusted --> Bypassing TrustManagerImpl checkTrusted --> Bypassing TrustManagerImpl checkTrusted