httptoolkit / frida-interception-and-unpinning

Frida scripts to directly MitM all HTTPS traffic from a target mobile application
https://httptoolkit.com/android/
GNU Affero General Public License v3.0

Connection terminated #7

Open BarryThrill opened 2 years ago

BarryThrill commented 2 years ago

Hello!

I'm currently trying to SSL pin the app called "Zalando". Whenever I run

frida --no-pause -U -l intercepter.js -f "de.zalando.mobile"

it seems like the app crashes, and here are the logs:

frida --no-pause -U -l intercepter.js -f "de.zalando.mobile"
     ____
    / _  |   Frida 15.1.3 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
Spawning `de.zalando.mobile`...
Unpinning setup cmopleted
---
Spawned `de.zalando.mobile`. Resuming main thread!
[SM G965N::de.zalando.mobile]-> ---
Unpinning Android app...
[+] HttpsURLConnection (setDefaultHostnameVerifier)
[+] HttpsURLConnection (setSSLSocketFactory)
[+] HttpsURLConnection (setHostnameVerifier)
[+] SSLContext
[+] TrustManagerImpl
[+] OkHTTPv3 (list)
[ ] OkHTTPv3 (cert)
[+] OkHTTPv3 (cert array)
[+] OkHTTPv3 ($okhttp)
[ ] Trustkit OkHostnameVerifier(SSLSession)
[ ] Trustkit OkHostnameVerifier(cert)
[ ] Trustkit PinningTrustManager
[ ] Appcelerator PinningTrustManager
[+] OpenSSLSocketImpl Conscrypt
[ ] OpenSSLEngineSocketImpl Conscrypt
[ ] OpenSSLSocketImpl Apache Harmony
[ ] PhoneGap sslCertificateChecker
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string)
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string array)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (cert)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (string string)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession)
[+] Conscrypt CertPinManager
[ ] CWAC-Netsecurity CertPinManager
[ ] Worklight Androidgap WLCertificatePinningPlugin
[ ] Netty FingerprintTrustManagerFactory
[ ] Squareup CertificatePinner (cert)
[ ] Squareup CertificatePinner (list)
[ ] Squareup OkHostnameVerifier (cert)
[ ] Squareup OkHostnameVerifier (SSLSession)
[+] Android WebViewClient (SslErrorHandler)
[ ] Android WebViewClient (WebResourceError)
[ ] Apache Cordova WebViewClient
[ ] Boye AbstractVerifier
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing Trustmanager (Android < 7) request
  --> Bypassing OpenSSLSocketImpl Conscrypt
  --> Bypassing OkHTTPv3 ($okhttp): www.zalando.de
  --> Bypassing OpenSSLSocketImpl Conscrypt
  --> Bypassing OkHTTPv3 ($okhttp): www.zalando.se
  --> Bypassing TrustManagerImpl checkTrusted
Connection terminated
[SM G965N::de.zalando.mobile]->

Thank you for using Frida!


If there is anything I can add, please let me know :)

pimterry commented 2 years ago

That's an interesting one! Can you use adb to get the logcat logs for this? That will probably have a stacktrace showing exactly why this crashed.

BarryThrill commented 2 years ago

That's an interesting one! Can you use adb to get the logcat logs for this? That will probably have a stacktrace showing exactly why this crashed.

I could if I knew how :( If you could tell me how I can do that, then I would gladly give you the logs! :D

pimterry commented 2 years ago

Assuming you have ADB set up (which you probably do, because you usually need it to set up Frida) then you need to:

  • Run adb logcat -T1 > logs.txt.
    • That command streams all logging while it's running into that logs.txt file.
    • This will keep running until you press ctrl-c to stop it.
  • With that command running, reproduce the issue.
  • Then kill the logcat command.
  • Then post the logfile here.

You should avoid doing anything else especially private on the Android device at the same time, since logcat can capture all sorts of private data. You can skim through the output there to check it before posting if you're concerned.

Does that make sense?
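
As an added example (not part of this thread or of the frida-interception-and-unpinning project), a small POSIX shell helper that wraps the capture step above and then narrows a saved logcat file to the process of the package under test, so the crash stack trace is easy to find and an empty result immediately shows that the target app never started during the capture. It assumes adb is on PATH for the capture function and that the log is in logcat's default threadtime format (date, time, PID, TID, level, tag), which is the format shown later in this thread; the package name and log lines in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the frida-interception-and-unpinning project.

# Step 1 of the procedure above: stream logcat from now (-T1) into a file until Ctrl-C.
# Assumes adb is on PATH with one device attached.
capture_logcat() {
    adb logcat -T1 > "${1:-logs.txt}"
}

# After reproducing the crash: keep only the lines that belong to the package under
# test. Threadtime format is "date time PID TID LEVEL TAG: message", so we learn the
# PID from ActivityManager's "Start proc <pid>:<pkg>/..." line, then keep every line
# logged by that PID (the AndroidRuntime FATAL EXCEPTION trace is logged by the
# crashing process itself) plus any line that names the package. Reads the log on stdin.
# Returns 1 if the package never started, which is what an incomplete capture looks like.
filter_package_crash() {
    pkg="$1"
    log=$(cat)
    pids=$(printf '%s\n' "$log" | sed -n "s|.*Start proc \([0-9]*\):$pkg/.*|\1|p" | sort -u)
    [ -n "$pids" ] || return 1
    for pid in $pids; do
        printf '%s\n' "$log" | awk -v pid="$pid" -v pkg="$pkg" '$3 == pid || index($0, pkg) > 0'
    done
}

# Constructed sample log (not real device output) with one unrelated line mixed in.
demo_filter() {
    filter_package_crash com.example.shop <<'EOF'
11-15 23:17:06.601  2174  2185 I ActivityManager: Start proc 8715:com.example.shop/u0a46 for activity com.example.shop/.ui.MainActivity
11-15 23:17:06.916  8715  8715 I art     : Starting a blocking GC AddRemoveAppImageSpace
11-15 23:17:07.100  2540  2540 D BoundBrokerSvc: onBind: unrelated service
11-15 23:17:08.500  8715  8715 E AndroidRuntime: FATAL EXCEPTION: main
11-15 23:17:08.500  8715  8715 E AndroidRuntime: Process: com.example.shop, PID: 8715
11-15 23:17:08.500  8715  8715 E AndroidRuntime: java.lang.RuntimeException: constructed sample trace
EOF
}

# A capture with no "Start proc" line for the package yields nothing and exit status 1.
demo_missing() {
    printf '%s\n' '11-15 23:17:07.100  2540  2540 D BoundBrokerSvc: onBind: unrelated service' \
        | filter_package_crash com.example.shop
}

demo_filter
```

Run `capture_logcat`, reproduce the crash, stop it with ctrl-c, then `filter_package_crash de.zalando.mobile < logs.txt` prints just the target app's lines; no output means the app never started while logcat was running.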

BarryThrill commented 2 years ago

Assuming you have ADB set up (which you probably do, because you usually need it to set up Frida) then you need to:

  • Run adb logcat -T1 > logs.txt.
    • That command streams all logging while it's running into that logs.txt file.
    • This will keep running until you press ctrl-c to stop it.
  • With that command running, reproduce the issue.
  • Then kill the logcat command.
  • Then post the logfile here.

You should avoid doing anything else especially private on the Android device at the same time, since logcat can capture all sorts of private data. You can skim through the output there to check it before posting if you're concerned.

Does that make sense?

--------- beginning of system
11-15 23:16:53.894  2174  2190 E BatteryStatsService: modem info is invalid: ModemActivityInfo{ mTimestamp=0 mSleepTimeMs=0 mIdleTimeMs=0 mTxTimeMs[]=[0, 0, 0, 0, 0] mRxTimeMs=0 mEnergyUsed=0}
--------- beginning of main
11-15 23:16:59.063  2540  2540 D BoundBrokerSvc: onUnbind: Intent { act=com.google.android.gms.udc.service.START cmp=com.google.android.gms/.chimera.PersistentApiService }
11-15 23:16:59.529  2599  2675 W System  : Ignoring header Cookie because its value was null.
11-15 23:17:01.450  2174  8705 W ResourceType: ResTable_typeSpec entry count inconsistent: given 141, previously 169
11-15 23:17:02.672  2540  2540 D BoundBrokerSvc: onUnbind: Intent { act=com.google.android.gms.scheduler.ACTION_PROXY_SCHEDULE cmp=com.google.android.gms/.chimera.PersistentInternalBoundBrokerService }
11-15 23:17:06.543  2174  8705 I ActivityManager: Force stopping com.jd.jdsports appid=10046 user=0: from pid 2174
11-15 23:17:06.544  2174  8705 I ActivityManager: Killing 8627:com.jd.jdsports/u0a46 (adj 900): stop com.jd.jdsports
11-15 23:17:06.551  2174  8705 D ActivityManager: cleanUpApplicationRecord -- 8627
11-15 23:17:06.565  2289  2289 E PhoneInterfaceManager: [PhoneIntfMgr] getCarrierPackageNamesForIntent: No UICC
11-15 23:17:06.565  2289  2289 D CarrierSvcBindHelper: No carrier app for: 0
11-15 23:17:06.571  2174  8705 W ContextImpl: Calling a method in the system process without a qualified user: android.app.ContextImpl.startActivity:767 android.content.ContextWrapper.startActivity:356 <bottom of call stack> <bottom of call stack> <bottom of call stack> 
11-15 23:17:06.571  2174  8705 W ContextImpl: Calling a method in the system process without a qualified user: android.app.ContextImpl.startActivity:779 android.app.ContextImpl.startActivity:768 android.content.ContextWrapper.startActivity:356 <bottom of call stack> <bottom of call stack> 
11-15 23:17:06.571  2174  8705 I ActivityManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10000000 pkg=com.jd.jdsports cmp=com.jd.jdsports/.ui.MainActivity} from uid 1000 on display 0
11-15 23:17:06.584  1881  1881 E Zygote  : Not whitelisted : /dev/ccid_ctrl
11-15 23:17:06.590  8715  8715 W art     : Unexpected CPU variant for X86 using defaults: x86
11-15 23:17:06.601  2174  2185 I ActivityManager: Start proc 8715:com.jd.jdsports/u0a46 for activity com.jd.jdsports/.ui.MainActivity
11-15 23:17:06.628  2599  8417 W ContextImpl: Calling a method in the system process without a qualified user: android.app.ContextImpl.bindService:1435 android.content.ContextWrapper.bindService:636 cj.d:12 bu.d:4 bl.c:14 
11-15 23:17:06.676  2540  2540 D BoundBrokerSvc: onBind: Intent { act=com.google.android.gms.scheduler.ACTION_PROXY_SCHEDULE cmp=com.google.android.gms/.chimera.PersistentInternalBoundBrokerService }
11-15 23:17:06.676  2540  2540 D BoundBrokerSvc: Loading bound service for intent: Intent { act=com.google.android.gms.scheduler.ACTION_PROXY_SCHEDULE cmp=com.google.android.gms/.chimera.PersistentInternalBoundBrokerService }
11-15 23:17:06.916  8715  8715 I art     : Starting a blocking GC AddRemoveAppImageSpace
11-15 23:17:06.956  8715  8751 W System  : ClassLoader referenced unknown path: 
11-15 23:17:06.959  8715  8751 D ApplicationLoaders: ignored Vulkan layer search path /data/app/com.google.android.gms-1/lib/x86:/data/app/com.google.android.gms-1/base.apk!/lib/x86:/data/app/com.google.android.gms-1/split_config.en.apk!/lib/x86:/data/app/com.google.android.gms-1/split_config.xhdpi.apk!/lib/x86 for namespace 0xd7532090
11-15 23:17:06.963  8715  8751 W ResourceType: ResTable_typeSpec entry count inconsistent: given 67, previously 69
11-15 23:17:06.964  8715  8751 W ResourceType: ResTable_typeSpec entry count inconsistent: given 2869, previously 2890
11-15 23:17:06.964  8715  8751 W ResourceType: ResTable_typeSpec entry count inconsistent: given 511, previously 3842
11-15 23:17:06.979  8715  8751 W System  : ClassLoader referenced unknown path: /data/user_de/0/com.google.android.gms/app_chimera/m/00000011/n/x86
11-15 23:17:06.979  8715  8751 W System  : ClassLoader referenced unknown path: /data/user_de/0/com.google.android.gms/app_chimera/m/00000011/n/armeabi-v7a
11-15 23:17:06.979  8715  8751 W System  : ClassLoader referenced unknown path: /data/user_de/0/com.google.android.gms/app_chimera/m/00000011/n/armeabi
11-15 23:17:07.951  8715  8715 D ApplicationLoaders: ignored Vulkan layer search path /data/app/com.google.android.gms-1/lib/x86:/data/app/com.google.android.gms-1/base.apk!/lib/x86:/data/app/com.google.android.gms-1/split_config.en.apk!/lib/x86:/data/app/com.google.android.gms-1/split_config.xhdpi.apk!/lib/x86 for namespace 0xd75320d0
11-15 23:17:07.986  8715  8715 V NativeCrypto: Registering com/google/android/gms/org/conscrypt/NativeCrypto's 294 native methods...
11-15 23:17:08.261  8715  8715 D         : static HostConnection *HostConnection::createUnique(): call
11-15 23:17:08.262  8715  8715 D         : HostConnection::get() New Host Connection established 0xa2f63ae0, tid 8715
11-15 23:17:08.310  8715  8806 I OpenGLRenderer: Initialized EGL, version 1.4
11-15 23:17:08.312  8715  8806 D OpenGLRenderer: Swap behavior 1
11-15 23:17:08.316  8715  8806 D         : HostConnection::get() New Host Connection established 0xb0c7bf00, tid 8806

pimterry commented 2 years ago

Hmm, that doesn't look right... Did you open the Zalando app and crash it whilst that command was running? There's nothing about Zalando in there at all, and there should be lots. I'd generally expect the output when you're actively using the device to be much, much longer too.

Any idea what happened there? Did logcat exit unexpectedly before Zalando started? It should keep running, and producing lots of output anytime anything happens on the device.

BarryThrill commented 2 years ago

Hmm, that doesn't look right... Did you open the Zalando app and crash it whilst that command was running? There's nothing about Zalando in there at all, and there should be lots. I'd generally expect the output when you're actively using the device to be much, much longer too.

Any idea what happened there? Did logcat exit unexpectedly before Zalando started? It should keep running, and producing lots of output anytime anything happens on the device.

Hello, sorry for the late answer. It's been a chaotic week for me... but I have tried different apps such as Size and JDsports (https://play.google.com/store/apps/details?id=com.size&hl=en&gl=US) and the same thing happens... they all seem to get "connection terminated" on my side. Could you perhaps try on your end and see if you get the same?

TheShooter commented 2 years ago

I think it's a problem related to emulator detection, anti-root or anti-debugging methods in the apps you mentioned; however, various techniques could be used in apps in order to make them harder to examine.