search

httptoolkit / frida-interception-and-unpinning

Frida scripts to directly MitM all HTTPS traffic from a target mobile application
https://httptoolkit.com/android/
GNU Affero General Public License v3.0
1.06k stars 198 forks source link

SSLPeerUnverifiedException: Certificate transparency failed #80

Open flamecopper opened 6 months ago

flamecopper commented 6 months ago

== System certificate trust injected == == Certificate unpinning completed == == Unpinning fallback auto-patcher installed == Manually intercepting connection to ::ffff:3.108.122.90:443 Manually intercepting connection to ::ffff:52.87.6.154:5047 Error: access violation accessing 0x0 at (/xxxxx/Pentest/frida-interception-and-unpinning/native-tls-hook.js:111)

!!! --- Unexpected TLS failure --- !!! SSLPeerUnverifiedException: Certificate transparency failed Thrown by s33->intercept [ ] Unrecognized TLS error - this must be patched manually

!!! --- Unexpected TLS failure --- !!! SSLPeerUnverifiedException: Certificate transparency failed Thrown by s33->intercept

!!! --- Unexpected TLS failure --- !!!

!!! --- Unexpected TLS failure --- !!!

!!! --- Unexpected TLS failure --- !!!

!!! --- Unexpected TLS failure --- !!!

!!! --- Unexpected TLS failure --- !!! SSLPeerUnverifiedException: Certificate transparency failed Thrown by s33->intercept

!!! --- Unexpected TLS failure --- !!! [ ] Unrecognized TLS error - this must be patched manually

!!! --- Unexpected TLS failure --- !!! SSLPeerUnverifiedException: Certificate transparency failed Thrown by s33->intercept [ ] Unrecognized TLS error - this must be patched manually SSLPeerUnverifiedException: Certificate transparency failed Thrown by s33->intercept SSLPeerUnverifiedException: Certificate transparency failed Thrown by s33->intercept SSLPeerUnverifiedException: Certificate transparenc

pimterry commented 6 months ago

Hi @flamecopper. Is it possible to share the details of the app where you're seeing this?

The scripts here do include unpinning for various certificate transparency cases, but in this example it looks like the libraries being used have been obfuscated (the s33 for example suggests this). There is a fallback unpinning script which handles various specific obfuscated cases, but it doesn't focus on transparency issues yet.

In theory this is very possible though, we'd just need to know more about the internal content of the failing function here. If you could share a specific example so I can take a closer look then that would be helpful to work out how to handle this.

If you're interested in investigating and fixing this yourself in the meantime, I've written a guide you might find useful here: https://httptoolkit.com/blog/android-reverse-engineering/. Even if you can't share more details about the app in question, if you could share the decompiled code of the failing class (s33) via JADX, that might be enough to solve this.