Open pb36 opened 1 month ago
This isn't certificate pinning - it's just a normal system CA certificate check.
Before worrying about certificate pinning, you need to ensure the Android device trusts your MITM CA as a system-level CA certificate or all intercepted HTTPS connections will fail for more-or-less all apps (except ones that allow user certificates, such as Chrome or debug-enabled apps).
You can either do so by configuring that for your whole device (requires either quite a bit of manual setup, or using the one-click HTTP Toolkit ADB option on a rooted device) so that the cert appears in the system CAs in your settings, or you can use the ./android/android-system-certificate-injection.js script here which does that directly for the target app.
Does that make sense?
I realized I've already been using the HTTP Toolkit (Pro) ADB option. However, even with this option enabled, the app remains open for about 10 to 15 seconds (only this specific app. Other apps seem fine, and I can record traffic as needed). I can see requests in the View section during this time, but then it suddenly crashes. Interestingly, when I don't use HTTP Toolkit, the app functions normally, and I can use it without any issues.
the app remains open for about 10 to 15 seconds
If you're not seeing any failing network requests at all, then this sounds like root/frida/proxy/etc detection, where the app is actively closing itself when it realises that something unusual is going on, independent of network traffic.
Fixing that is a bit more complicated unfortunately, and will likely require some reverse engineering (guide: https://httptoolkit.com/blog/android-reverse-engineering/) to work out exactly what triggers this and how to disable it. A good place to start is looking at the adb logcat output (adb logcat -T1) when the app closes, to see if any clues appear there.
I haven't seen any messages about this app in the past, so if you do find any clues I'd definitely be interested to hear about them. I'll keep this issue open and an eye out for related fixes that might help with this case.
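As an added example (not code from the thread or from HTTP Toolkit), here is a small Python triage script for the logcat step suggested above. It assumes the default `adb logcat -v threadtime` line format, pulls out the PID(s) ActivityManager started for the package under test, collects the process-death and force-finish events, and shows the last few lines the app itself logged before it went away, flagging any that mention the usual environment-check keywords. The package name, tags and log lines are constructed for the example.

```python
import re

# Default `adb logcat -v threadtime` layout:
#   MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message
LOGCAT_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>[^:]+?)\s*:\s(?P<msg>.*)$"
)

# ActivityManager messages that mark an app process ending, by crash or by its own choice.
EXIT_MARKERS = ("has died", "Force finishing activity", "FATAL EXCEPTION")

# Words that often show up in an app's own log right before a self-initiated exit.
HINT_WORDS = ("frida", "root", "magisk", "hook", "debugger", "xposed", "proxy", "tamper")

# Constructed sample: an app starts, talks to the network, fails an environment check and exits.
SAMPLE_LOGCAT = [
    "04-12 10:15:01.102  4321  4321 I ActivityManager: Start proc 4567:com.example.app/u0a123 for activity com.example.app/.MainActivity",
    "04-12 10:15:03.400  4567  4567 D OkHttp: --> GET https://api.example.test/config",
    "04-12 10:15:13.910  4567  4600 W ExampleSdk: environment check failed: debugger/hook detected",
    "04-12 10:15:13.915  4567  4600 I ExampleSdk: terminating process",
    "04-12 10:15:13.950  1234  2345 I ActivityManager: Process com.example.app (pid 4567) has died: fore TOP",
    "04-12 10:15:14.000  1234  2345 W ActivityManager: Force finishing activity com.example.app/.MainActivity",
]


def parse(lines):
    """Parse threadtime lines into dicts; lines that do not match (e.g. '--- beginning of main') are skipped."""
    entries = []
    for raw in lines:
        m = LOGCAT_RE.match(raw)
        if m:
            entries.append(m.groupdict())
    return entries


def find_app_pids(entries, package):
    """PIDs that ActivityManager reported starting for `package` ('Start proc <pid>:<package>/...')."""
    start_re = re.compile(r"Start proc (\d+):" + re.escape(package) + r"[/ ]")
    pids = set()
    for e in entries:
        if e["tag"] == "ActivityManager":
            m = start_re.search(e["msg"])
            if m:
                pids.add(m.group(1))
    return pids


def triage(lines, package, tail=5):
    """Summarise why `package` went away: its PIDs, the exit events, and its last own log lines."""
    entries = parse(lines)
    pids = find_app_pids(entries, package)
    app_lines = [e for e in entries if e["pid"] in pids]

    exit_events = [
        e for e in entries
        if any(mk in e["msg"] for mk in EXIT_MARKERS)
        and (package in e["msg"] or e["pid"] in pids)
    ]

    # Only the app's own lines up to the first exit event are useful as clues.
    if exit_events:
        cutoff = (exit_events[0]["date"], exit_events[0]["time"])
        before = [e for e in app_lines if (e["date"], e["time"]) <= cutoff]
    else:
        before = app_lines

    hints = [e for e in before if any(w in e["msg"].lower() for w in HINT_WORDS)]
    return {
        "pids": pids,
        "exit_events": exit_events,
        "last_app_lines": before[-tail:],
        "hints": hints,
    }


if __name__ == "__main__":
    # With a real device: adb logcat -v threadtime -T1 | tee app.log, then feed app.log here.
    result = triage(SAMPLE_LOGCAT, "com.example.app")
    print("app pids:", sorted(result["pids"]))
    for e in result["exit_events"]:
        print("exit:", e["time"], e["tag"], e["msg"])
    for e in result["last_app_lines"]:
        flag = "  <-- hint" if e in result["hints"] else ""
        print("app:", e["time"], e["level"], e["tag"], e["msg"] + flag)
```

Run it against a saved `adb logcat -v threadtime` capture of the crash window; the lines flagged as hints are where to start the reverse-engineering work the guide above describes, since they usually come from the SDK doing the environment check rather than from the app's own code.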
mmm I have the same error but the problem is
ahhh I see, need to make the cert a system cert, not a user cert. But android-system-certificate-injection.js is not working for it.
ahhh I see, need to make the cert a system cert, not a user cert.
Yes - you need to either trust the cert system-wide (so most apps without pinning already trust it successfully) or you need to use the android-system-certificate-injection script.
But android-system-certificate-injection.js is not working for it.
Can you explain exactly what "not working" means? It would be helpful to share the specific app you're testing against, the output you're seeing, and any other details about what's going wrong.
Sure. When I understood my error with the system cert (I'd used the user cert location before) I also tried running Frida with the android-system-certificate-injection script. Frida says - yep, System certificate trust injected.
But this did not help with the error "Unrecognized TLS error - this must be patched manually" and, as a result, sniffing did not work. I don't know why, but I think the cert is not caching correctly.
My apps - Charles Proxy, Android 10, Windows 11
frida -U ^ -l ./config.js ^ -l ./native-tls-hook.js ^ -l ./android-certificate-unpinning.js ^ -l ./android-certificate-unpinning-fallback.js ^ -l ./android-system-certificate-injection.js ^ 28465
How I fixed it: I downloaded the AlwaysTrustUserCerts module for Magisk and installed it. Now all my user certs are treated as system certs. Now it's working with no errors.
Now it's working with no errors.
You added this in an edit - does that mean everything is now working perfectly, or are there still issues?
If it's not all resolved, can you please share the specific app you're testing again, and the full output that's printed by Frida when you run this command?
I'm also not clear what the 28465 is here - are you attaching to a PID, or launching an Android app? Normally you'd use -f <package id> with the Android package name (like -f com.google.android.maps).
App - Tata NeU. Command used:
frida -U -l config.js -l native-tls-hook.js -l android-certificate-unpinning.js -l android-certificate-unpinning-fallback.js -f com.tatadigital.tcp
The URL which they were trying to access and which failed -> aws-gate.licelus.com, so most probably they are using some SDK from licelus.com to protect against this.