httptoolkit / frida-interception-and-unpinning

Frida scripts to directly MitM all HTTPS traffic from a target mobile application
https://httptoolkit.com/android/
GNU Affero General Public License v3.0

issues with unpinning of com.segway.mower and com.hansgrohe.poseidon #81

Open DeepflashX opened 6 months ago

DeepflashX commented 6 months ago

Hi There,

I am having issues with unpinning two applications, named Navimow (com.segway.mower) and Hansgrohe Home (com.hansgrohe.poseidon). Normal ADB-Connection-Setup with HTTP Toolkit was not possible for those, in general the setup is working though. The output is basically the same for both. The Navimow App throws a cert pinning failure popup and the Hansgrohe App brings up a message regarding no connection possible. I am not sure if I set up the proxy stuff correctly. I am using HTTP Toolkit on a rooted device via adb. What do I have to set the proxy to for that? HTTP Toolkit is running on a Windows Laptop and both Phone and Laptop are connected to the same Wifi Network.

C:\Users\rogue\Downloads\unpinning>frida -U -l ./config.js -l ./native-connect-hook.js -l ./native-tls-hook.js -l ./android-proxy-override.js -l ./android-system-certificate-injection.js -l ./android-certificate-unpinning.js -l ./android-certificate-unpinning-fallback.js -f com.hansgrohe.poseidon


Frida 16.1.8 - A world-class dynamic instrumentation toolkit

Commands:
    help      -> Displays the help system
    object?   -> Display information about 'object'
    exit/quit -> Exit

More info at https://frida.re/docs/home/

Connected to IN2023 (id=6a027d3b)
Spawning com.hansgrohe.poseidon...

== Redirecting all TCP connections to 192.168.178.42:8000 ==
== Hooked native TLS lib libssl.so ==
Spawned com.hansgrohe.poseidon. Resuming main thread!
[IN2023::com.hansgrohe.poseidon ]-> == Proxy system configuration overridden to 192.168.178.42:8000 ==
== Proxy configuration overridden to 192.168.178.42:8000 ==
== System certificate trust injected ==
== Certificate unpinning completed ==
== Unpinning fallback auto-patcher installed ==

DeepflashX commented 6 months ago

Here is the output with debug enabled and proxy = 127.0.0.1. Navimow still brings a certificate unpinning failure.

C:\Users\rogue\Downloads\unpinning>frida -U -l ./config.js -l ./native-connect-hook.js -l ./native-tls-hook.js -l ./android-proxy-override.js -l ./android-system-certificate-injection.js -l ./android-certificate-unpinning.js -l ./android-certificate-unpinning-fallback.js -f com.segway.mower


Frida 16.1.8 - A world-class dynamic instrumentation toolkit

Commands:
    help      -> Displays the help system
    object?   -> Display information about 'object'
    exit/quit -> Exit

More info at https://frida.re/docs/home/

Connected to IN2023 (id=6a027d3b)
Spawning com.segway.mower...

Starting scripts
== Redirecting all TCP connections to 127.0.0.1:8000 ==
[+] Patched 2 libssl.so verification methods
== Hooked native TLS lib libssl.so ==
Spawned com.segway.mower. Resuming main thread!
[IN2023::com.segway.mower ]-> Ignoring unix:dgram connection
== Proxy system configuration overridden to 127.0.0.1:8000 ==
Rewriting
Rewriting
Rewriting
== Proxy configuration overridden to 127.0.0.1:8000 ==
[+] Injected cert into com.android.org.conscrypt.TrustedCertificateIndex
[ ] Skipped cert injection for org.conscrypt.TrustedCertificateIndex (not present)
[ ] Skipped cert injection for org.apache.harmony.xnet.provider.jsse.TrustedCertificateIndex (not present)
== System certificate trust injected ==

=== Disabling all recognized unpinning libraries ===

[+] javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier
[+] javax.net.ssl.HttpsURLConnection setSSLSocketFactory
[+] javax.net.ssl.HttpsURLConnection setHostnameVerifier
[+] javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
[ ] com.android.org.conscrypt.CertPinManager isChainValid
[+] com.android.org.conscrypt.CertPinManager checkChainPinning
[+] android.security.net.config.NetworkSecurityConfig $init() (0)
[+] android.security.net.config.NetworkSecurityConfig $init() (1)
[+] com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
[+] com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] okhttp3.CertificatePinner
[ ] com.squareup.okhttp.CertificatePinner
[ ] com.datatheorem.android.trustkit.pinning.PinningTrustManager
[ ] appcelerator.https.PinningTrustManager
[ ] nl.xservices.plugins.sslCertificateChecker
[ ] com.worklight.wlclient.api.WLClient
[ ] com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning
[ ] com.worklight.androidgap.plugin.WLCertificatePinningPlugin
[ ] com.commonsware.cwac.netsecurity.conscrypt.CertPinManager
[ ] io.netty.handler.ssl.util.FingerprintTrustManagerFactory
[ ] com.silkimen.cordovahttp.CordovaServerTrust
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyHostnameVerifier
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyTrustManager
== Certificate unpinning completed ==
== Unpinning fallback auto-patcher installed ==
Scripts completed

=> android.security.net.config.NetworkSecurityConfig $init() (0)
=> android.security.net.config.NetworkSecurityConfig $init() (0)
=> android.security.net.config.NetworkSecurityConfig $init() (0)
=> android.security.net.config.NetworkSecurityConfig $init() (0)
Process terminated
[IN2023::com.segway.mower ]->

Thank you for using Frida!

The Hansgrohe Home App also still says "Connection problems".

C:\Users\rogue\Downloads\unpinning>frida -U -l ./config.js -l ./native-connect-hook.js -l ./native-tls-hook.js -l ./android-proxy-override.js -l ./android-system-certificate-injection.js -l ./android-certificate-unpinning.js -l ./android-certificate-unpinning-fallback.js -f com.hansgrohe.poseidon


Frida 16.1.8 - A world-class dynamic instrumentation toolkit

Commands:
    help      -> Displays the help system
    object?   -> Display information about 'object'
    exit/quit -> Exit

More info at https://frida.re/docs/home/

Connected to IN2023 (id=6a027d3b)
Spawning com.hansgrohe.poseidon...

Starting scripts
== Redirecting all TCP connections to 127.0.0.1:8000 ==
[+] Patched 2 libssl.so verification methods
== Hooked native TLS lib libssl.so ==
Spawned com.hansgrohe.poseidon. Resuming main thread!
[IN2023::com.hansgrohe.poseidon ]-> Ignoring unix:dgram connection
== Proxy system configuration overridden to 127.0.0.1:8000 ==
Rewriting
Rewriting
Rewriting
== Proxy configuration overridden to 127.0.0.1:8000 ==
[+] Injected cert into com.android.org.conscrypt.TrustedCertificateIndex
[ ] Skipped cert injection for org.conscrypt.TrustedCertificateIndex (not present)
[ ] Skipped cert injection for org.apache.harmony.xnet.provider.jsse.TrustedCertificateIndex (not present)
== System certificate trust injected ==

=== Disabling all recognized unpinning libraries ===

[+] javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier
[+] javax.net.ssl.HttpsURLConnection setSSLSocketFactory
[+] javax.net.ssl.HttpsURLConnection setHostnameVerifier
[+] javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
[ ] com.android.org.conscrypt.CertPinManager isChainValid
[+] com.android.org.conscrypt.CertPinManager checkChainPinning
[+] android.security.net.config.NetworkSecurityConfig $init() (0)
[+] android.security.net.config.NetworkSecurityConfig $init() (1)
[+] com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
[+] com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[+] okhttp3.CertificatePinner check(String, List)
[ ] okhttp3.CertificatePinner check(String, Certificate)
[+] okhttp3.CertificatePinner check(String, Certificate;[])
[+] okhttp3.CertificatePinner check$okhttp
[ ] com.squareup.okhttp.CertificatePinner
[ ] com.datatheorem.android.trustkit.pinning.PinningTrustManager
[ ] appcelerator.https.PinningTrustManager
[ ] nl.xservices.plugins.sslCertificateChecker
[ ] com.worklight.wlclient.api.WLClient
[ ] com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning
[ ] com.worklight.androidgap.plugin.WLCertificatePinningPlugin
[ ] com.commonsware.cwac.netsecurity.conscrypt.CertPinManager
[ ] io.netty.handler.ssl.util.FingerprintTrustManagerFactory
[ ] com.silkimen.cordovahttp.CordovaServerTrust
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyHostnameVerifier
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyTrustManager
== Certificate unpinning completed ==
== Unpinning fallback auto-patcher installed ==
Scripts completed

Manually intercepting connection to ::ffff:192.168.178.42:8000
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 116 to null (-1)
Manually intercepting connection to ::ffff:52.212.83.48:443
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 116 to null (-1)
Manually intercepting connection to ::ffff:52.215.12.96:443
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 117 to null (-1)
Manually intercepting connection to ::ffff:192.168.178.42:8000
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 149 to null (-1)
Manually intercepting connection to ::ffff:142.251.37.10:443
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 149 to null (-1)
Manually intercepting connection to ::ffff:142.251.36.170:443
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 149 to null (-1)
Manually intercepting connection to ::ffff:142.251.36.202:443
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 149 to null (-1)
Manually intercepting connection to ::ffff:142.251.36.234:443
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 149 to null (-1)
Manually intercepting connection to ::ffff:172.217.16.170:443
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 149 to null (-1)
Manually intercepting connection to ::ffff:192.168.178.42:8000
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 149 to null (-1)
Manually intercepting connection to ::ffff:192.168.178.42:8000
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 149 to null (-1)
Manually intercepting connection to ::ffff:192.168.178.42:8000
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 149 to null (-1)

DeepflashX commented 6 months ago

error in Navimow:

[Screenshot: the Navimow certificate pinning error dialog]

pimterry commented 6 months ago

Hmm, that is definitely a certificate pinning failure. That suggests that all your config is correct, but the current scripts don't work for those apps. Unfortunately it seems that the fallback script isn't providing any info here though, which is quite unusual. In most cases, even if the unpinning doesn't work that normally gives some clues (it hooks all standard SSL errors, so it can at least report where they're thrown, and try to auto-patch them if they're recognized, even if they're obfuscated).

To find out more you'll need to do some reverse engineering (guide here: https://httptoolkit.com/blog/android-reverse-engineering/)

For the error in the screenshot at least, it looks like the pinning is based on OkHttp, because this error message exactly matches theirs here. I'm not sure why that wouldn't be matched by the existing hooks for OkHttp though (which are being applied - you can see the [x] okhttp3.CertificatePinner lines) so there must be something unusual (some kind of obfuscation or weird class loading or something) going on there.
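As an added example (not code from this repo or from anyone in the thread), here is a small Python parser for the "[+]" / "[ ]" hook-status lines that android-certificate-unpinning.js prints. The two embedded excerpts are constructed from the Navimow and Hansgrohe logs quoted above, and diffing them shows which targets the script found in one app but not the other (for instance the okhttp3.CertificatePinner check methods, reported only for Hansgrohe).

```python
import re

# Constructed excerpts of the hook-status lines from the two Frida runs quoted
# in this issue (Navimow first, Hansgrohe second). The Frida CLI ran them
# together on a single line, which is exactly what the parser handles.
NAVIMOW_LOG = (
    "[+] javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier "
    "[ ] com.android.org.conscrypt.CertPinManager isChainValid "
    "[+] com.android.org.conscrypt.CertPinManager checkChainPinning "
    "[ ] okhttp3.CertificatePinner "
    "[ ] com.squareup.okhttp.CertificatePinner "
    "== Certificate unpinning completed =="
)
HANSGROHE_LOG = (
    "[+] javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier "
    "[ ] com.android.org.conscrypt.CertPinManager isChainValid "
    "[+] com.android.org.conscrypt.CertPinManager checkChainPinning "
    "[+] okhttp3.CertificatePinner check(String, List) "
    "[ ] okhttp3.CertificatePinner check(String, Certificate) "
    "[+] okhttp3.CertificatePinner check(String, Certificate;[]) "
    "[+] okhttp3.CertificatePinner check$okhttp "
    "[ ] com.squareup.okhttp.CertificatePinner * == "
    "Certificate unpinning completed =="
)

# A status marker is exactly "[+]" (hooked) or "[ ]" (target not present).
# Java signatures such as "KeyManager;[]" contain "[]" but never "[+]" or
# "[ ]", so splitting just before each marker is safe.
MARKER = re.compile(r"(?=\[[+ ]\])")
ENTRY = re.compile(r"\[([+ ])\]\s*(.*)", re.S)


def parse_unpinning_log(text: str) -> dict[str, bool]:
    """Map each reported hook target to True (patched) or False (skipped)."""
    hooks: dict[str, bool] = {}
    for chunk in MARKER.split(text):
        m = ENTRY.match(chunk)
        if not m:
            continue  # text before the first marker
        # Anything from "==" onward is the next section banner, not the target.
        target = m.group(2).split("==", 1)[0].strip(" *\n")
        hooks[target] = m.group(1) == "+"
    return hooks


def hook_differences(a: dict[str, bool], b: dict[str, bool]) -> dict[str, tuple]:
    """Targets whose status differs between two runs; None = not reported at all."""
    return {t: (a.get(t), b.get(t))
            for t in sorted(set(a) | set(b)) if a.get(t) != b.get(t)}


if __name__ == "__main__":
    diff = hook_differences(parse_unpinning_log(NAVIMOW_LOG),
                            parse_unpinning_log(HANSGROHE_LOG))
    for target, (nav, han) in diff.items():
        print(f"{target}: navimow={nav} hansgrohe={han}")
```

Run it against the full output of both apps to get a side-by-side list of which pinning targets the script actually located in each one.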

DeepflashX commented 6 months ago

Could it be that several APKs are included in the original APK? Anything about the Hansgrohe App?

pimterry commented 5 months ago

Hi @DeepflashX. It could be that there are multiple APKs (these are generally delivered in an XAPK file, which is just a zip of APKs) but that shouldn't make any difference AFAIK.

The same explanation above also applies for Hansgrohe - there must be some certificate pinning technique being used that isn't covered by the scripts for some reason, although in that case there's even less info on the specific error.

To find out what's happening here, you'll need to follow the guide and reverse engineer the internals of these apps for yourself. This will be a substantial project that will take some work (you will need to use the decompiled code and Frida to understand how the app actually works) but I'm afraid I can't offer personal support step-by-step through projects like this. As you might imagine, I get hundreds of requests like this and I'm already quite busy running HTTP Toolkit.

You'll need to reverse engineer this yourself, or hire somebody to do so (I'd recommend marketplaces like Fiverr or Upwork, which have plenty of people offering these services).

To start with though, take a look through the guide and see how you get on doing this yourself. If you have any specific quick questions, or any thoughts on the actual content of the scripts in this repo, do let me know and I'm happy to explain those details.