httptoolkit / frida-interception-and-unpinning

Frida scripts to directly MitM all HTTPS traffic from a target mobile application
https://httptoolkit.com/android/
GNU Affero General Public License v3.0

not able to sniff com.peacocktv.peacockandroid #97

Open luisfernandez93 opened 2 weeks ago

luisfernandez93 commented 2 weeks ago

So I have been trying to use this (btw, thank you very much). My current setup is:

Android emulator (Pixel 3a, UpsideDownCake), Frida and Proxyman.

What I did:

Override config.js in this repo with my own CERT_PEM, which Proxyman I think puts in /Users/blabla/.proxyman/proxyman-ca.pem.

Then I ran the following:

frida -U \
    -l ./config.js \
    -l ./native-connect-hook.js \
    -l ./native-tls-hook.js \
    -l ./android/android-proxy-override.js \
    -l ./android/android-system-certificate-injection.js \
    -l ./android/android-certificate-unpinning.js \
    -l ./android/android-certificate-unpinning-fallback.js -f com.peacocktv.peacockandroid

What I see in the logs:

     ____
    / _  |   Frida 16.2.1 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Spawning `com.peacocktv.peacockandroid`...                              

*** Starting scripts ***
== Redirecting all TCP connections to 192.168.20.162:9090 ==
[+] Patched 2 libssl.so verification methods
== Hooked native TLS lib libssl.so ==
Spawned `com.peacocktv.peacockandroid`. Resuming main thread!           
[Android Emulator 5554::com.peacocktv.peacockandroid ]-> Ignoring unix:dgram connection
== Proxy system configuration overridden to 192.168.20.162:9090 ==
Rewriting <class: sun.net.spi.DefaultProxySelector>
Rewriting <class: java.net.ProxySelector>
Rewriting <class: android.net.PacProxySelector>
== Proxy configuration overridden to 192.168.20.162:9090 ==
[+] Injected cert into com.android.org.conscrypt.TrustedCertificateIndex
[ ] Skipped cert injection for org.conscrypt.TrustedCertificateIndex (not present)
[ ] Skipped cert injection for org.apache.harmony.xnet.provider.jsse.TrustedCertificateIndex (not present)
== System certificate trust injected ==

    === Disabling all recognized unpinning libraries ===
[+] javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier
[+] javax.net.ssl.HttpsURLConnection setSSLSocketFactory
[+] javax.net.ssl.HttpsURLConnection setHostnameVerifier
[+] javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
[ ] com.android.org.conscrypt.CertPinManager isChainValid
[+] com.android.org.conscrypt.CertPinManager checkChainPinning
[+] android.security.net.config.NetworkSecurityConfig $init(*) (0)
[+] android.security.net.config.NetworkSecurityConfig $init(*) (1)
[+] com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
[+] com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] okhttp3.CertificatePinner *
[ ] com.squareup.okhttp.CertificatePinner *
[ ] com.datatheorem.android.trustkit.pinning.PinningTrustManager *
[ ] appcelerator.https.PinningTrustManager *
[ ] nl.xservices.plugins.sslCertificateChecker *
[ ] com.worklight.wlclient.api.WLClient *
[ ] com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning *
[ ] com.worklight.androidgap.plugin.WLCertificatePinningPlugin *
[ ] com.commonsware.cwac.netsecurity.conscrypt.CertPinManager *
[ ] io.netty.handler.ssl.util.FingerprintTrustManagerFactory *
[ ] com.silkimen.cordovahttp.CordovaServerTrust *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyHostnameVerifier *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyTrustManager *
== Certificate unpinning completed ==
== Unpinning fallback auto-patcher installed ==
*** Scripts completed ***

Ignoring attempt to override http.proxyHost system property
Ignoring attempt to override https.proxyHost system property
Ignoring attempt to override http.proxyPort system property
Ignoring attempt to override https.proxyPort system property
Ignoring attempt to override http.nonProxyHosts system property
Ignoring attempt to override https.nonProxyHosts system property
 => android.security.net.config.NetworkSecurityConfig $init(*) (0)
 => android.security.net.config.NetworkSecurityConfig $init(*) (0)
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
Ignoring unix:stream connection
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
 => com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 111 to {"ip":"::ffff:192.168.20.162","port":9090} (-1)
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
Error: access violation accessing 0x0
    at <anonymous> (/Users/luisfernandez/development/frida-interception-and-unpinning/native-tls-hook.js:111)
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
 => com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
Ignoring unix:stream connection
Ignoring unix:stream connection
 => com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
Ignoring unix:stream connection
Connected tcp6 fd 193 to {"ip":"::ffff:192.168.20.162","port":9090} (-1)
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 194 to {"ip":"::ffff:192.168.20.162","port":9090} (-1)
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 200 to {"ip":"::ffff:192.168.20.162","port":9090} (-1)
Ignoring unix:stream connection

 !!! --- Unexpected TLS failure --- !!!
      CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
Error: access violation accessing 0x0
    at <anonymous> (/Users/luisfernandez/development/frida-interception-and-unpinning/native-tls-hook.js:111)
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
 => com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 263 to {"ip":"::ffff:192.168.20.162","port":9090} (-1)
 => android.security.net.config.NetworkSecurityConfig $init(*) (0)
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
 => com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 258 to {"ip":"::ffff:192.168.20.162","port":9090} (-1)

 !!! --- Unexpected TLS failure --- !!!
Error: access violation accessing 0x0
    at <anonymous> (/Users/luisfernandez/development/frida-interception-and-unpinning/native-tls-hook.js:111)
Ignoring unix:dgram connection
Ignoring unix:dgram connection
Ignoring unix:dgram connection
Ignoring unix:dgram connection
Ignoring unix:dgram connection
Process crashed: Bad access due to invalid address

***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/sdk_gphone64_arm64/emu64a:14/UE1A.230829.036.A1/11228894:userdebug/dev-keys'
Revision: '0'
ABI: 'arm64'
Timestamp: 2024-06-13 09:16:38.135366769-0400
Process uptime: 4s
Cmdline: com.peacocktv.peacockandroid
pid: 11119, tid: 11305, name: NR_Harvester-1  >>> com.peacocktv.peacockandroid <<<
uid: 10191
tagged_addr_ctrl: 0000000000000001 (PR_TAGGED_ADDR_ENABLE)
pac_enabled_keys: 000000000000000f (PR_PAC_APIAKEY, PR_PAC_APIBKEY, PR_PAC_APDAKEY, PR_PAC_APDBKEY)
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x00000000fe94fe30
75 total frames
backtrace:
      #00 pc 0000000000340780  /apex/com.android.art/lib64/libart.so (art::FindOatMethodFor(art::ArtMethod*, art::PointerSize, bool*) (.__uniq.231987612005477677052516648077052451092.llvm.494659047661038854)+128) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #01 pc 000000000023cdb8  /apex/com.android.art/lib64/libart.so (void art::StackVisitor::WalkStack<(art::StackVisitor::CountTransitions)0>(bool)+6324) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #02 pc 000000000026e1e0  /apex/com.android.art/lib64/libart.so (art::Thread::ThrowNewWrappedException(char const*, char const*)+412) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #03 pc 000000000028d54c  /apex/com.android.art/lib64/libart.so (art::ThrowIllegalMonitorStateExceptionF(char const*, ...) (.__uniq.137044065544711739518426728593693908610)+228) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #04 pc 00000000002444fc  /apex/com.android.art/lib64/libart.so (art::Monitor::FailedUnlock(art::ObjPtr<art::mirror::Object>, unsigned int, unsigned int, art::Monitor*)+2120) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #05 pc 0000000000243414  /apex/com.android.art/lib64/libart.so (art::Monitor::MonitorExit(art::Thread*, art::ObjPtr<art::mirror::Object>)+2120) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #06 pc 000000000042886c  /apex/com.android.art/lib64/libart.so (artJniUnlockObject+52) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #07 pc 0000000000427e6c  /apex/com.android.art/lib64/libart.so (artQuickGenericJniEndTrampoline+988) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #08 pc 0000000000377040  /apex/com.android.art/lib64/libart.so (art_quick_generic_jni_trampoline+160) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #09 pc 000000000058ac0c  /apex/com.android.art/lib64/libart.so (nterp_helper+3852) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #10 pc 0000000000024b48  /apex/com.android.conscrypt/javalib/conscrypt.jar (com.android.org.conscrypt.NativeSsl.readDirectByteBuffer+32)
      #11 pc 000000000058ac54  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #12 pc 0000000000019d1c  /apex/com.android.conscrypt/javalib/conscrypt.jar (com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect+12)
      #13 pc 000000000058ac54  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #14 pc 0000000000019cc0  /apex/com.android.conscrypt/javalib/conscrypt.jar (com.android.org.conscrypt.ConscryptEngine.readPlaintextData+44)
      #15 pc 000000000058ac54  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #16 pc 000000000001a7b6  /apex/com.android.conscrypt/javalib/conscrypt.jar (com.android.org.conscrypt.ConscryptEngine.unwrap+606)
      #17 pc 000000000058b358  /apex/com.android.art/lib64/libart.so (nterp_helper+5720) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #18 pc 000000000001a9e8  /apex/com.android.conscrypt/javalib/conscrypt.jar (com.android.org.conscrypt.ConscryptEngine.unwrap+56)
      #19 pc 000000000058ac54  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #20 pc 000000000001a43a  /apex/com.android.conscrypt/javalib/conscrypt.jar (com.android.org.conscrypt.ConscryptEngine.unwrap+22)
      #21 pc 000000000058ac54  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #22 pc 0000000000017f3c  /apex/com.android.conscrypt/javalib/conscrypt.jar (com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket+140)
      #23 pc 000000000058ac54  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #24 pc 0000000000017e4c  /apex/com.android.conscrypt/javalib/conscrypt.jar (com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.-$$Nest$mprocessDataFromSocket+0)
      #25 pc 0000000000589d34  /apex/com.android.art/lib64/libart.so (nterp_helper+52) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #26 pc 0000000000019184  /apex/com.android.conscrypt/javalib/conscrypt.jar (com.android.org.conscrypt.ConscryptEngineSocket.doHandshake+108)
      #27 pc 000000000058ac54  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #28 pc 000000000001950e  /apex/com.android.conscrypt/javalib/conscrypt.jar (com.android.org.conscrypt.ConscryptEngineSocket.startHandshake+58)
      #29 pc 000000000003539c  /system/framework/arm64/boot-okhttp.oat (com.android.okhttp.internal.io.RealConnection.connectTls+636) (BuildId: ef70c02fb1e4aadf4cf4de165c164a4fe438ff55)
      #30 pc 0000000000034cf0  /system/framework/arm64/boot-okhttp.oat (com.android.okhttp.internal.io.RealConnection.connectSocket+1104) (BuildId: ef70c02fb1e4aadf4cf4de165c164a4fe438ff55)
      #31 pc 0000000000036450  /system/framework/arm64/boot-okhttp.oat (com.android.okhttp.internal.io.RealConnection.connect+864) (BuildId: ef70c02fb1e4aadf4cf4de165c164a4fe438ff55)
      #32 pc 000000000002810c  /system/framework/arm64/boot-okhttp.oat (com.android.okhttp.internal.http.StreamAllocation.findConnection+924) (BuildId: ef70c02fb1e4aadf4cf4de165c164a4fe438ff55)
      #33 pc 000000000002839c  /system/framework/arm64/boot-okhttp.oat (com.android.okhttp.internal.http.StreamAllocation.findHealthyConnection+76) (BuildId: ef70c02fb1e4aadf4cf4de165c164a4fe438ff55)
      #34 pc 0000000000028c2c  /system/framework/arm64/boot-okhttp.oat (com.android.okhttp.internal.http.StreamAllocation.newStream+76) (BuildId: ef70c02fb1e4aadf4cf4de165c164a4fe438ff55)
      #35 pc 000000000002041c  /system/framework/arm64/boot-okhttp.oat (com.android.okhttp.internal.http.HttpEngine.connect+316) (BuildId: ef70c02fb1e4aadf4cf4de165c164a4fe438ff55)
      #36 pc 0000000000024700  /system/framework/arm64/boot-okhttp.oat (com.android.okhttp.internal.http.HttpEngine.sendRequest+848) (BuildId: ef70c02fb1e4aadf4cf4de165c164a4fe438ff55)
      #37 pc 000000000002a1f4  /system/framework/arm64/boot-okhttp.oat (com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute+388) (BuildId: ef70c02fb1e4aadf4cf4de165c164a4fe438ff55)
      #38 pc 000000000002c4a4  /system/framework/arm64/boot-okhttp.oat (com.android.okhttp.internal.huc.HttpURLConnectionImpl.getOutputStream+68) (BuildId: ef70c02fb1e4aadf4cf4de165c164a4fe438ff55)
      #39 pc 00000000000341b8  /system/framework/arm64/boot-okhttp.oat (com.android.okhttp.internal.huc.HttpsURLConnectionImpl.getOutputStream+56) (BuildId: ef70c02fb1e4aadf4cf4de165c164a4fe438ff55)
      #40 pc 000000000058acb0  /apex/com.android.art/lib64/libart.so (nterp_helper+4016) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #41 pc 0000000002f1d5b4  /data/app/~~d9gWpYiAcvv9G0Bk7q29ew==/com.peacocktv.peacockandroid-_wVeth8-epz6Az5zfkHSng==/oat/arm64/base.vdex (com.newrelic.agent.android.harvest.HarvestConnection.send+164)
      #42 pc 000000000058ac54  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #43 pc 0000000002f1d8a6  /data/app/~~d9gWpYiAcvv9G0Bk7q29ew==/com.peacocktv.peacockandroid-_wVeth8-epz6Az5zfkHSng==/oat/arm64/base.vdex (com.newrelic.agent.android.harvest.HarvestConnection.sendData+34)
      #44 pc 000000000058ac54  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #45 pc 0000000002f1d868  /data/app/~~d9gWpYiAcvv9G0Bk7q29ew==/com.peacocktv.peacockandroid-_wVeth8-epz6Az5zfkHSng==/oat/arm64/base.vdex (com.newrelic.agent.android.harvest.HarvestConnection.sendData+8)
      #46 pc 000000000058ac54  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #47 pc 0000000002f1fa9a  /data/app/~~d9gWpYiAcvv9G0Bk7q29ew==/com.peacocktv.peacockandroid-_wVeth8-epz6Az5zfkHSng==/oat/arm64/base.vdex (com.newrelic.agent.android.harvest.Harvester.connected+386)
      #48 pc 000000000058ac54  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #49 pc 0000000002f2017c  /data/app/~~d9gWpYiAcvv9G0Bk7q29ew==/com.peacocktv.peacockandroid-_wVeth8-epz6Az5zfkHSng==/oat/arm64/base.vdex (com.newrelic.agent.android.harvest.Harvester.execute+152)
      #50 pc 000000000058ac54  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #51 pc 0000000002f1fec8  /data/app/~~d9gWpYiAcvv9G0Bk7q29ew==/com.peacocktv.peacockandroid-_wVeth8-epz6Az5zfkHSng==/oat/arm64/base.vdex (com.newrelic.agent.android.harvest.Harvester.disconnected+132)
      #52 pc 000000000058ac54  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #53 pc 0000000002f2018a  /data/app/~~d9gWpYiAcvv9G0Bk7q29ew==/com.peacocktv.peacockandroid-_wVeth8-epz6Az5zfkHSng==/oat/arm64/base.vdex (com.newrelic.agent.android.harvest.Harvester.execute+166)
      #54 pc 000000000058ac54  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #55 pc 0000000002f20bac  /data/app/~~d9gWpYiAcvv9G0Bk7q29ew==/com.peacocktv.peacockandroid-_wVeth8-epz6Az5zfkHSng==/oat/arm64/base.vdex (com.newrelic.agent.android.harvest.Harvester.uninitialized+184)
      #56 pc 000000000058ac54  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #57 pc 0000000002f20192  /data/app/~~d9gWpYiAcvv9G0Bk7q29ew==/com.peacocktv.peacockandroid-_wVeth8-epz6Az5zfkHSng==/oat/arm64/base.vdex (com.newrelic.agent.android.harvest.Harvester.execute+174)
      #58 pc 000000000058ac54  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #59 pc 0000000002f1ed8e  /data/app/~~d9gWpYiAcvv9G0Bk7q29ew==/com.peacocktv.peacockandroid-_wVeth8-epz6Az5zfkHSng==/oat/arm64/base.vdex (com.newrelic.agent.android.harvest.HarvestTimer.tick+66)
      #60 pc 000000000058ac54  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #61 pc 0000000002f1ef02  /data/app/~~d9gWpYiAcvv9G0Bk7q29ew==/com.peacocktv.peacockandroid-_wVeth8-epz6Az5zfkHSng==/oat/arm64/base.vdex (com.newrelic.agent.android.harvest.HarvestTimer.tickIfReady+166)
      #62 pc 000000000058ac54  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #63 pc 0000000002f1eb56  /data/app/~~d9gWpYiAcvv9G0Bk7q29ew==/com.peacocktv.peacockandroid-_wVeth8-epz6Az5zfkHSng==/oat/arm64/base.vdex (com.newrelic.agent.android.harvest.HarvestTimer.run+10)
      #64 pc 00000000001baae4  /system/framework/arm64/boot.oat (java.util.concurrent.Executors$RunnableAdapter.call+68) (BuildId: 5f2ff7f6c842c7ab341edeabcf35b2bcaddb338c)
      #65 pc 0000000000255d18  /system/framework/arm64/boot.oat (java.util.concurrent.FutureTask.runAndReset+184) (BuildId: 5f2ff7f6c842c7ab341edeabcf35b2bcaddb338c)
      #66 pc 00000000002f4030  /system/framework/arm64/boot.oat (java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run+160) (BuildId: 5f2ff7f6c842c7ab341edeabcf35b2bcaddb338c)
      #67 pc 00000000002b4d8c  /system/framework/arm64/boot.oat (java.util.concurrent.ThreadPoolExecutor.runWorker+796) (BuildId: 5f2ff7f6c842c7ab341edeabcf35b2bcaddb338c)
      #68 pc 00000000002b1eb0  /system/framework/arm64/boot.oat (java.util.concurrent.ThreadPoolExecutor$Worker.run+64) (BuildId: 5f2ff7f6c842c7ab341edeabcf35b2bcaddb338c)
      #69 pc 0000000000160778  /system/framework/arm64/boot.oat (java.lang.Thread.run+72) (BuildId: 5f2ff7f6c842c7ab341edeabcf35b2bcaddb338c)
      #70 pc 00000000003605a4  /apex/com.android.art/lib64/libart.so (art_quick_invoke_stub+612) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #71 pc 000000000034b8a4  /apex/com.android.art/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+144) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #72 pc 00000000004f3e30  /apex/com.android.art/lib64/libart.so (art::Thread::CreateCallback(void*)+1888) (BuildId: b10f5696fea1b32039b162aef3850ed3)
      #73 pc 00000000000cb6a8  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+208) (BuildId: a87908b48b368e6282bcc9f34bcfc28c)
      #74 pc 000000000006821c  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: a87908b48b368e6282bcc9f34bcfc28c)
***
[Android Emulator 5554::com.peacocktv.peacockandroid ]->

Thank you for using Frida!

The app starts and then shuts off.

This is what I see when I use adb logcat -T1:

06-13 09:25:18.123   522  1971 W ActivityManager: Exception when unbinding service com.peacocktv.peacockandroid/org.chromium.content.app.SandboxedProcessService0:0
06-13 09:25:18.123   522  1971 W ActivityManager: android.os.DeadObjectException
06-13 09:25:18.123   522  1971 W ActivityManager:   at android.os.BinderProxy.transactNative(Native Method)
06-13 09:25:18.123   522  1971 W ActivityManager:   at android.os.BinderProxy.transact(BinderProxy.java:584)
06-13 09:25:18.123   522  1971 W ActivityManager:   at android.app.IApplicationThread$Stub$Proxy.scheduleUnbindService(IApplicationThread.java:1419)
06-13 09:25:18.123   522  1971 W ActivityManager:   at com.android.server.am.ActiveServices.removeConnectionLocked(ActiveServices.java:5896)
06-13 09:25:18.123   522  1971 W ActivityManager:   at com.android.server.am.ActiveServices.killServicesLocked(ActiveServices.java:6432)
06-13 09:25:18.123   522  1971 W ActivityManager:   at com.android.server.am.ActivityManagerService.cleanUpApplicationRecordLocked(ActivityManagerService.java:12989)
06-13 09:25:18.123   522  1971 W ActivityManager:   at com.android.server.am.ActivityManagerService.handleAppDiedLocked(ActivityManagerService.java:3338)
06-13 09:25:18.123   522  1971 W ActivityManager:   at com.android.server.am.ActivityManagerService.appDiedLocked(ActivityManagerService.java:3453)
06-13 09:25:18.123   522  1971 W ActivityManager:   at com.android.server.am.ActivityManagerService$AppDeathRecipient.binderDied(ActivityManagerService.java:1583)
06-13 09:25:18.123   522  1971 W ActivityManager:   at android.os.IBinder$DeathRecipient.binderDied(IBinder.java:319)
06-13 09:25:18.123   522  1971 W ActivityManager:   at android.os.BinderProxy.sendDeathNotice(BinderProxy.java:704)

pimterry commented 2 weeks ago

Interesting! Thanks for the detailed report.

What happens if you skip the native-tls-hook.js script? That seems to be throwing an error here (the access violation accessing 0x0 message). It's not clear whether that's the real underlying cause, but there's definitely something unusual going on there.

The CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. message from com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive implies that the certificate isn't trusted by the basic Android certificate stores, which is unusual. That's supposed to be fixed by android-system-certificate-injection.js, which modifies the cache used by that store (and various other places) so that the certificate you add in config.js is pre-trusted. The fact that that's failing means either something is breaking that pretty basic & normally quite reliable patch (which could be the access violation error above, or something else) or the certificate in your config.js isn't actually correct.

In general it would be interesting to try skipping various scripts or commenting out certain patches, to see if you can work out which part of these scripts is causing this issue. It's also worth running using Frida but with no scripts at all - some apps actively detect Frida and fight against it, and some versions of Frida have bugs that crash under certain conditions, which means sometimes apps will crash with any use of Frida (regardless of these scripts).

luisfernandez93 commented 2 weeks ago

Thank you for your response @pimterry, it must def be a me thing. So what I did is I grabbed the certificate from Proxyman from here:

image

I went to the address that it shows on my computer, opened it with Sublime and copied the content into the config.js file.

I commented out native-tls-hook.js; the app doesn't crash anymore, but it's blocking the HTTP connections because it says an error has occurred. I'm assuming it's trying to do some HTTP connectivity process.

Which is happening with these ones:

!!! --- Unexpected TLS failure --- !!!
      CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Unrecognized TLS error - this must be patched manually

 !!! --- Unexpected TLS failure --- !!!
      CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
      Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
      [ ] Unrecognized TLS error - this must be patched manually

At least the app doesn't crash anymore, but I'm still not able to see traffic going through. I'm assuming it's because of this particular error.

luisfernandez93 commented 2 weeks ago

Also, the error above appears when I add the ./android/android-certificate-unpinning-fallback.js script. If I don't add it then I don't get any errors, but I'm also not able to sniff any traffic; the app shows the following:

image

pimterry commented 2 weeks ago

Hi @luisfernandez93 I've just pushed a fix (https://github.com/httptoolkit/frida-interception-and-unpinning/commit/8ca3cb5b946691117228d98bcf78f8ddde548441) for the native-tls-hook script, which might help resolve this (at the very least, it should avoid the access violation accessing 0x0 error). Can you test that out when you have a sec?

To confirm your config is working correctly, it would also be helpful to try installing https://github.com/httptoolkit/android-ssl-pinning-demo on your device and check that you can intercept that correctly. If your config and scripts are set up properly, every button except the last one should work correctly and its corresponding request should appear in your proxy UI (don't worry about that last button - by design this is a custom check that isn't automatically covered). If some of those don't work then most likely your certificate config is wrong or Proxyman is doing something weird, it's hard to be more specific there though. If those do all work then your general setup is OK and something much more specific is going on.

luisfernandez93 commented 2 weeks ago

@pimterry thank you, so I tried running the demo app with Frida.

Got the error as I pressed the first button, Unpinned request:

image

When I pressed the unpinned request it became red; I do see something in the Proxyman app though:

image

This is what it looks like: image

When I don't use Frida, I press the buttons and they become green.

I will try now with Charles.

luisfernandez93 commented 2 weeks ago

With Charles I sort of get the same pain point... and the same error. I think I'm doing something clearly wrong lol :D

pimterry commented 1 week ago

Yes, that unpinned request failing definitely means your certificate isn't trusted at all. That should be trusted either by installing it in the system certificate store (HTTP Toolkit ADB setup does this for you automatically) or using the android/android-system-certificate-injection.js script. If the latter doesn't work, it means the CA certificate being used to intercept this traffic doesn't match your config. Hard to know exactly why that's happening in this setup unfortunately.

That said, I've just released an HTTP Toolkit update you might find interesting: it now does automated Frida setup and configures & runs these scripts automatically, in one click. It's also totally free & open-source - want to try that and see if it works for you? If you download the latest version from https://httptoolkit.com/ and run it then you should see the new "Android app via Frida" (and "iOS app via Frida") buttons light up if you have a suitable device attached to your computer.
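
As an added example (not code from this repository or from either participant), the Go program below reproduces the trust-anchor check described in this thread: it parses a CERT_PEM value the way config.js expects, rejects anything that is not a CA, computes the SHA-256 fingerprint to compare against the proxy's own CA file, and verifies a proxy-issued leaf against the configured anchor. The CAs, the hostname api.example.com and all function names are constructed for the example; a mismatched anchor fails with Go's x509.UnknownAuthorityError, the counterpart of Android's "Trust anchor for certification path not found".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// CA is a constructed stand-in for the proxy's own CA (the proxyman-ca.pem file in the thread).
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
	PEM  string // the text that would be pasted into CERT_PEM in config.js
}

// createCert generates a fresh P-256 key and signs tmpl with parent/parentKey (self-signed when parent is nil).
func createCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA builds a throwaway self-signed CA with the basic constraints a trust anchor needs (test data only).
func NewCA(name string) (*CA, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, key, err := createCert(tmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	pemText := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
	return &CA{Cert: cert, Key: key, PEM: string(pemText)}, nil
}

// IssueLeaf signs a server certificate for host, as an intercepting proxy does per hostname.
func (ca *CA) IssueLeaf(host string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, _, err := createCert(tmpl, ca.Cert, ca.Key)
	return cert, err
}

// ParseConfigCert parses the CERT_PEM text and rejects anything that cannot act as a trust anchor.
func ParseConfigCert(pemText string) (*x509.Certificate, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("CERT_PEM does not contain a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	if !cert.IsCA {
		return nil, errors.New("CERT_PEM is a leaf certificate, not a CA, so it cannot be a trust anchor")
	}
	return cert, nil
}

// Fingerprint is the SHA-256 of the DER bytes, the value `openssl x509 -noout -fingerprint -sha256` prints.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// AnchorMatchesProxy is the check the injected trust store performs: the proxy-issued leaf must chain to
// the configured anchor for host. A mismatch returns x509.UnknownAuthorityError (Android: trust anchor not found).
func AnchorMatchesProxy(anchor, leaf *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(anchor)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

Running Fingerprint over the parsed CERT_PEM and over the proxy's CA file is the quickest way to confirm the two are the same certificate before debugging the scripts themselves.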

luisfernandez93 commented 1 week ago

Oh wow, so yeah I used HTTP Toolkit and I'm def sniffing traffic; however, the app keeps being unable to do certain HTTP requests. I'm using an emulator, and I'm wondering if I should go ahead and use a real device; I just didn't want to root my phone lol. Also I'm not able to see which request is failing.

image

I'm pretty sure the app doesn't like that I'm on the emulator; I feel like if I had the actual device it probably would work.

image

The iOS app via Frida is grayed out for me.

pimterry commented 1 week ago

The iOS app via Frida is grayed out for me.

The iOS option will activate when you have a connected iOS device (after accepting the trust prompts on device etc). For interception to work though, it needs to be jailbroken and running Frida server. This was only just released, and there'll be detailed docs for this (and walkthrough guides) available soon.

Oh wow, so yeah I used HTTP Toolkit and I'm def sniffing traffic; however, the app keeps being unable to do certain HTTP requests

That means the basic setup is working at least, but there's some other issue that this script doesn't cover. I've just given this a quick test, and on my machine (with an emulator and a US VPN) I can start the app and start intercepting, but I quickly get a 403 response from tv.clients.peacocktv.com, which seems to be an Akamai endpoint. It's hard to know for sure, but I'd bet this is TLS fingerprinting (some context: https://httptoolkit.com/blog/tls-fingerprinting-node-js/) which Akamai uses to block all sorts of slightly unusual clients. If you're seeing unexpected 403 errors causing issues, that could well be the cause, and will create issues with any kind of proxy intercepting tool unfortunately (the fingerprints for all of them are fairly easily distinguishable from direct traffic from a normal Android app).

I'm working on some improvements here (https://github.com/openssl/openssl/issues/19220) but it's going to be a long-term project and I can't offer many good solutions there in the short term.

luisfernandez93 commented 3 days ago

@pimterry thank you so much for all your help and support, I appreciate it a lot. It seems like I cannot do much for this app in particular right at this moment.