httptoolkit / frida-interception-and-unpinning

Frida scripts to directly MitM all HTTPS traffic from a target mobile application
https://httptoolkit.com/android/
GNU Affero General Public License v3.0

[ ] Unrecognized TLS error - this must be patched manually #88

Open pb36 opened 1 month ago

pb36 commented 1 month ago

App: Tata NeU. Command used: frida -U -l config.js -l native-tls-hook.js -l android-certificate-unpinning.js -l android-certificate-unpinning-fallback.js -f com.tatadigital.tcp

    / _  |   Frida 16.2.1 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to ONEPLUS A5000 (id=192.168.1.5:5555)
Spawning `com.tatadigital.tcp`...

== Hooked native TLS lib libssl.so ==
Spawned `com.tatadigital.tcp`. Resuming main thread!
[ONEPLUS A5000::com.tatadigital.tcp ]-> [!] Matched class okhttp3.CertificatePinner but could not patch any methods
== Certificate unpinning completed ==
== Unpinning fallback auto-patcher installed ==

 !!! --- Unexpected TLS failure --- !!!
      CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Unrecognized TLS error - this must be patched manually
Process crashed: java.lang.RuntimeException: DP: 751

***
FATAL EXCEPTION: main
Process: com.tatadigital.tcp, PID: 24959
java.lang.RuntimeException: Unable to create application com.tatadigital.tcp.ProtectedNeuApplication: com.tatadigital.tcp.MessageGuardException_RFA6IDc1MSBbMjAyMzA4MzEtMjAyNDAzMTkxNTE0IGI3OmFybTY0LXY4YSAyOCBPbmVQbHVzL09uZVBsdXM1L09uZVBsdXM1OjkvUEtRMS4xODA3MTYuMDAxLzE4MTIyMzIwNDY6dXNlci9yZWxlYXNlLWtleXMgYmxvY2tlZF0: DP: 751
        at android.app.ActivityThread.handleBindApplication(ActivityThread.java:6044)
        at android.app.ActivityThread.handleBindApplication(Native Method)
        at android.app.ActivityThread.access$1300(ActivityThread.java:207)
        at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1748)
        at android.os.Handler.dispatchMessage(Handler.java:106)
        at android.os.Looper.loop(Looper.java:193)
        at android.app.ActivityThread.main(ActivityThread.java:6863)
        at java.lang.reflect.Method.invoke(Native Method)
        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:537)
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:858)
Caused by: com.tatadigital.tcp.MessageGuardException_RFA6IDc1MSBbMjAyMzA4MzEtMjAyNDAzMTkxNTE0IGI3OmFybTY0LXY4YSAyOCBPbmVQbHVzL09uZVBsdXM1L09uZVBsdXM1OjkvUEtRMS4xODA3MTYuMDAxLzE4MTIyMzIwNDY6dXNlci9yZWxlYXNlLWtleXMgYmxvY2tlZF0: DP: 751
        at com.tatadigital.tcp.ProtectedNeuApplication.fxiB(Unknown Source:78)
        at com.tatadigital.tcp.ProtectedNeuApplication.onCreate(Unknown Source:54)
        at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1165)
        at android.app.ActivityThread.handleBindApplication(ActivityThread.java:6039)
        ... 9 more
Caused by: java.lang.RuntimeException: DP: 751
        at com.tatadigital.tcp.ProtectedNeuApplication.J(Native Method)
        at java.lang.reflect.Method.invoke(Native Method)
        at com.tatadigital.tcp.ProtectedNeuApplication$ProtectedNeuApplication$DataBinderMapperImpl.ozbefaclio(Unknown Source:31)
        at com.tatadigital.tcp.ProtectedNeuApplication$ProtectedNeuApplication$DataBinderMapperImpl.aHikix(Unknown Source:472)
        at com.tatadigital.tcp.ProtectedNeuApplication.J(Native Method)
        at com.tatadigital.tcp.ProtectedNeuApplication.onCreate(Unknown Source:46)
        ... 11 more
***
[ONEPLUS A5000::com.tatadigital.tcp ]->

Thank you for using Frida!

The URL which they were trying to access (and failed) -> aws-gate.licelus.com, so most probably they are using some SDK from licelus.com to protect against this.

pimterry commented 1 month ago

This isn't certificate pinning - it's just a normal system CA certificate check.

Before worrying about certificate pinning, you need to ensure the Android device trusts your MITM CA as a system-level CA certificate or all intercepted HTTPS connections will fail for more-or-less all apps (except ones that allow user certificates, such as Chrome or debug-enabled apps).

You can either do so by configuring that for your whole device (requires either quite a bit of manual setup, or using the one-click HTTP Toolkit ADB option on a rooted device) so that the cert appears in the system CAs in your settings, or you can use the ./android/android-system-certificate-injection.js script here which does that directly for the target app.

Does that make sense?
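A quick way to verify the prerequisite described in this reply (that the device really trusts the MITM CA at system level rather than only as a user cert). This is an added example, not a script from the httptoolkit repo; it assumes `openssl` and `adb` are on PATH and that the CA is available as a PEM file.

```shell
#!/bin/sh
# Added example (not part of frida-interception-and-unpinning): check whether a CA
# certificate is installed as a *system* CA on the connected Android device.
# Assumes `openssl` and `adb` are on PATH.

# Android names system CA files by the OpenSSL legacy subject hash, e.g. "9a5ba575.0".
ca_file_name() {
    printf '%s.0\n' "$(openssl x509 -in "$1" -noout -subject_hash_old)"
}

# Pure helper: does a directory listing (one file per line) contain the cert file?
# Kept separate from adb so it can be tested against a constructed listing.
# `adb shell` output may carry CRLF line endings, so strip \r before matching,
# and match the whole line so "19a5ba575.0" does not match "9a5ba575.0".
listing_has_ca() {
    # $1 = expected file name, $2 = listing text
    printf '%s\n' "$2" | tr -d '\r' | grep -qx "$1"
}

# Directories Android has used for the system CA store: the classic /system path,
# and the Conscrypt APEX path used since Android 14 (mainline-updatable store).
SYSTEM_CA_DIRS="/system/etc/security/cacerts /apex/com.android.conscrypt/cacerts"

# Query the device and report. Usage: check_device_trusts_ca ca.pem
check_device_trusts_ca() {
    name=$(ca_file_name "$1") || return 2
    for dir in $SYSTEM_CA_DIRS; do
        listing=$(adb shell "ls $dir 2>/dev/null")
        if listing_has_ca "$name" "$listing"; then
            echo "OK: $name found in $dir (trusted system-wide)"
            return 0
        fi
    done
    echo "MISSING: $name is not in the system CA store (at best it is a user cert)"
    echo "         apps that do not opt in to user certs will reject the MITM connection"
    return 1
}
```

If the check reports MISSING, the "Trust anchor for certification path not found" error above is expected and is not a pinning problem.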

pb36 commented 1 month ago

I realized I've already been using the HTTP Toolkit (Pro) ADB option. However, even with this option enabled, the app remains open for about 10 to 15 seconds (only this specific app; other apps seem fine, and I can record traffic as needed). I can see requests in the View section during this time, but then it suddenly crashes. Interestingly, when I don't use HTTP Toolkit, the app functions normally, and I can use it without any issues.

pimterry commented 1 month ago

the app remains open for about 10 to 15 seconds

If you're not seeing any failing network requests at all, then this sounds like root/frida/proxy/etc detection, where the app is actively closing itself when it realises that something unusual is going on, independent of network traffic.

Fixing that is a bit more complicated unfortunately, and will likely require some reverse engineering (guide: https://httptoolkit.com/blog/android-reverse-engineering/) to work out exactly what triggers this and how to disable it. A good place to start is looking at the adb logcat output (adb logcat -T1) when the app closes, to see if any clues appear there.

I haven't seen any messages about this app in the past, so if you do find any clues I'd definitely be interested to hear about them. I'll keep this issue open and an eye out for related fixes that might help with this case.

miraserver commented 2 weeks ago

Mmm, I have the same error, but the problem is

miraserver commented 2 weeks ago

Ahhh, I see, I need to make the cert a system cert, not a user cert. But android-system-certificate-injection.js is not working for it.

pimterry commented 2 weeks ago

Ahhh, I see, I need to make the cert a system cert, not a user cert.

Yes - you need to either trust the cert system-wide (so most apps without pinning already trust it successfully) or you need to use the android-system-certificate-injection script.

But android-system-certificate-injection.js is not working for it.

Can you explain exactly what "not working" means? It would be helpful to share the specific app you're testing against, the output you're seeing, and any other details about what's going wrong.

miraserver commented 2 weeks ago

Sure. When I understood my error with the system cert (I had used the user cert location before), I also tried running Frida with the android-system-certificate-injection script. Frida says: yep, System certificate trust injected.

But this did not help with the error "Unrecognized TLS error - this must be patched manually" and, as a result, sniffing did not work. I don't know why, but I think the cert is not being cached correctly.

My setup: Charles Proxy, Android 10, Windows 11.

frida -U ^ -l ./config.js ^ -l ./native-tls-hook.js ^ -l ./android-certificate-unpinning.js ^ -l ./android-certificate-unpinning-fallback.js ^ -l ./android-system-certificate-injection.js ^ 28465

How did I fix it? I downloaded the AlwaysTrustUserCerts module for Magisk and installed it. Now all my user certs will be treated as system certs. Now it's working and there are no errors.

pimterry commented 2 weeks ago

Now it's working and there are no errors.

You added this in an edit - does that mean everything is now working perfectly, or are there still issues?

If it's not all resolved, can you please share the specific app you're testing again, and the full output that's printed by Frida when you run this command?

I'm also not clear what the 28465 is here - are you attaching to a PID, or launching an Android app? Normally you'd use -f <package id> with the Android package name (like -f com.google.android.maps)