Open luisfernandez93 opened 2 weeks ago
Interesting! Thanks for the detailed report.
What happens if you skip the native-tls-hook.js script? That seems to be throwing an error here (the "access violation accessing 0x0" message). It's not clear whether that's the real underlying cause, but there's definitely something unusual going on there.
The "CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found." message from com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive implies that the certificate isn't trusted by the basic Android certificate stores, which is unusual. That's supposed to be fixed by android-system-certificate-injection.js, which modifies the cache used by that store (and various other places) so that the certificate you add in config.js is pre-trusted. The fact that that's failing means either something is breaking that pretty basic & normally quite reliable patch (which could be the access violation error above, or something else) or the certificate in your config.js isn't actually correct.
In general it would be interesting to try skipping various scripts or commenting out certain patches, to see if you can work out which part of these scripts is causing this issue. It's also worth running using Frida but with no scripts at all - some apps actively detect Frida and fight against it, and some versions of Frida have bugs that crash under certain conditions, which means sometimes apps will crash with any use of Frida (regardless of these scripts).
Thank you for your response @pimterry, it must def be a me thing. So what I did is that I grabbed the certificate from Proxyman from here
I went to the address that it shows on my computer, opened it with Sublime and copied the content into the config.js file.
I commented out the native-tls-hook.js.
The app doesn't crash anymore, but it's blocking the HTTP connections because it says an error has occurred; I'm assuming it's trying to do some HTTP connectivity process.
Which is happening with these ones:
!!! --- Unexpected TLS failure --- !!!
CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
[ ] Unrecognized TLS error - this must be patched manually
!!! --- Unexpected TLS failure --- !!!
CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
Thrown by com.android.org.conscrypt.TrustManagerImpl->checkTrustedRecursive
[ ] Unrecognized TLS error - this must be patched manually
At least the app doesn't crash anymore, but I'm still not able to see traffic going through; I'm assuming it's because of this particular error.
Also, the error above appears when I add the ./android/android-certificate-unpinning-fallback.js script. If I don't add it then I don't get any errors, but I'm also not able to sniff any traffic; the app shows the following:
Hi @luisfernandez93 I've just pushed a fix (https://github.com/httptoolkit/frida-interception-and-unpinning/commit/8ca3cb5b946691117228d98bcf78f8ddde548441) for the native-tls-hook script, which might help resolve this (at the very least, it should avoid the "access violation accessing 0x0" error). Can you test that out when you have a sec?
To confirm your config is working correctly, it would also be helpful to try installing https://github.com/httptoolkit/android-ssl-pinning-demo on your device and check that you can intercept that correctly. If your config and scripts are set up properly, every button except the last one should work correctly and its corresponding request should appear in your proxy UI (don't worry about that last button - by design this is a custom check that isn't automatically covered). If some of those don't work then most likely your certificate config is wrong or Proxyman is doing something weird, it's hard to be more specific there though. If those do all work then your general setup is OK and something much more specific is going on.
@pimterry thank you, so I tried running the demo app with Frida and got the error as I pressed the first button, "Unpinned request":
When I pressed the unpinned request it became red; I do see something in the Proxyman app though.
This is what it looks like
When I don't use Frida, I press the buttons and they become green.
I will try now with Charles.
With Charles I sort of get the same pain point... and the same error. I think I'm doing something clearly wrong lol :D
Yes, that unpinned request failing definitely means your certificate isn't trusted at all. That should be trusted either by installing it in the system certificate store (HTTP Toolkit ADB setup does this for you automatically) or using the android/android-system-certificate-injection.js script. If the latter doesn't work, it means the CA certificate being used to intercept this traffic doesn't match your config. Hard to know exactly why that's happening in this setup unfortunately.
That said, I've just released an HTTP Toolkit update you might find interesting: it now does automated Frida setup and configures & runs these scripts automatically, in one click. It's also totally free & open-source - want to try that and see if it works for you? If you download the latest version from https://httptoolkit.com/ and run it then you should see the new "Android app via Frida" (and "iOS app via Frida") buttons light up if you have a suitable device attached to your computer.
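Two of the replies above point at the same failure mode: the certificate pasted into config.js is either malformed (so the injection script has nothing valid to pre-trust) or is simply not the CA the proxy is actually presenting. The check below is an added example, not code from this repository or from the HTTP Toolkit project: it pulls the PEM block out of a config.js, validates that it decodes to a complete DER structure, and compares its SHA-256 fingerprint with the proxy's own CA file (the `/Users/.../.proxyman/proxyman-ca.pem` path mentioned in the thread is used as the example input; the `CERT_PEM` variable name and the sample config text are assumptions constructed here). Only the Python standard library is used, so it runs anywhere.

```python
import base64
import binascii
import hashlib
import re

# Matches one PEM certificate block; tolerant of CRLF and indented lines,
# which is how the block usually looks once pasted into a JS template string.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def der_outer_length(der: bytes) -> int:
    """Return the total byte length the outer ASN.1 SEQUENCE header claims."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("data does not start with an ASN.1 SEQUENCE (not a DER certificate)")
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long-form: next n bytes hold the length
    if len(der) < 2 + n:
        raise ValueError("truncated ASN.1 length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_to_der(text: str) -> bytes:
    """Extract the first PEM certificate in `text` and return its DER bytes.

    Raises ValueError for the mistakes seen when hand-copying a cert into
    config.js: missing BEGIN/END markers, corrupted base64, or a body that
    was cut off part-way through (DER length header disagrees with the data).
    """
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no -----BEGIN CERTIFICATE----- block found")
    body = re.sub(r"\s+", "", m.group(1))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"PEM body is not valid base64: {exc}") from exc
    expected = der_outer_length(der)
    if expected != len(der):
        raise ValueError(
            f"DER header claims {expected} bytes but {len(der)} were decoded; "
            "the certificate text is truncated or has extra data"
        )
    return der


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form most proxy UIs display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def compare_config_to_ca(config_js: str, ca_pem: str) -> dict:
    """Check the cert embedded in config.js against the proxy's CA file.

    Returns a dict with a `status` of "match", "mismatch" or "invalid", plus
    fingerprints (or the error) so the user can eyeball them in the proxy UI.
    """
    try:
        config_der = pem_to_der(config_js)
    except ValueError as exc:
        return {"status": "invalid", "error": f"config.js: {exc}"}
    try:
        ca_der = pem_to_der(ca_pem)
    except ValueError as exc:
        return {"status": "invalid", "error": f"CA file: {exc}"}
    status = "match" if config_der == ca_der else "mismatch"
    return {
        "status": status,
        "config_fingerprint": fingerprint(config_der),
        "ca_fingerprint": fingerprint(ca_der),
    }


# Constructed sample input (assumption: config.js stores the cert in CERT_PEM).
# "MAMCAQE=" is a tiny hand-built DER SEQUENCE, not a real certificate.
SAMPLE_CONFIG_JS = """
const CERT_PEM = `-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----`;
"""
SAMPLE_CA_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # usage: python check_cert.py config.js ~/.proxyman/proxyman-ca.pem
        cfg = open(sys.argv[1], encoding="utf-8").read()
        ca = open(sys.argv[2], encoding="utf-8").read()
    else:
        cfg, ca = SAMPLE_CONFIG_JS, SAMPLE_CA_PEM
    print(compare_config_to_ca(cfg, ca))
```

A "mismatch" with two well-formed fingerprints is the case the maintainer describes: the injection script trusts one CA while the proxy terminates TLS with another, so Conscrypt still reports "Trust anchor for certification path not found". An "invalid" result means the paste itself is broken and should be redone before anything else is debugged.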
Oh wow, so yeah I used HTTP Toolkit and I'm def sniffing traffic; however the app keeps on not being able to do certain HTTP requests. I'm using an emulator, and I'm wondering if I should go ahead and use a real device, I just didn't want to root my phone lol. Also I'm not able to see which request is failing.
I'm pretty sure the app doesn't like that I'm on the emulator, I feel like if I had the actual device it probably would work.
The iOS app via Frida is grayed out for me.
> the iOS app via frida is grayed out for me.
The iOS option will activate when you have a connected iOS device (after accepting the trust prompts on device etc). For interception to work though, it needs to be jailbroken and running Frida server. This was only just released, and there'll be detailed docs for this (and walkthrough guides) available soon.
> oh wow so yeah I used httptoolkit and I'm def sniffing traffic, however the app keeps on not able to do certain http requests
That means the basic setup is working at least, but there's some other issue that this script doesn't cover. I've just given this a quick test, and on my machine (with an emulator and a US VPN) I can start the app and start intercepting, but I quickly get a 403 response from tv.clients.peacocktv.com, which seems to be an Akamai endpoint. It's hard to know for sure, but I'd bet this is TLS fingerprinting (some context: https://httptoolkit.com/blog/tls-fingerprinting-node-js/) which Akamai uses to block all sorts of slightly unusual clients. If you're seeing unexpected 403 errors causing issues, that could well be the cause, and will create issues with any kind of proxy intercepting tool unfortunately (the fingerprints for all of them are fairly easily distinguishable from direct traffic from a normal Android app).
I'm working on some improvements here (https://github.com/openssl/openssl/issues/19220) but it's going to be a long-term project and I can't offer many good solutions there in the short term.
@pimterry thank you so much for all your help and support, I appreciate it a lot. It seems like I cannot do much for this app in particular right at this moment.
So I have been trying to use this, btw thank you very much... so my current setup is:
Android emulator, Pixel 3a UpsideDownCake, Frida and Proxyman.
What I did:
Override config.js in this repo with my own cert_pem, which Proxyman I think puts in
/Users/blabla/.proxyman/proxyman-ca.pem
Then I ran the following:
What I see in logs:
The app starts and then shuts off.
This is what I see when I use
adb logcat -T1