sensepost / objection

📱 objection - runtime mobile exploration
GNU General Public License v3.0

Android SSL Disable Pinning triggered error - Didn't find class "com.sensepost.test.TrustManager" #57

Closed yehgdotnet closed 6 years ago

yehgdotnet commented 6 years ago

Hello awesome Sensepost team,

I was running objection on a rooted Android 4.4.2 phone and experienced an error when doing SSL pinning on all apps.

Tested platform: Samsung Android 4.4.2. Tested both: USB, Network

$ objection -N -h 192.168.1.127 -g com.x.y explore

     _     _         _   _
 ___| |_  |_|___ ___| |_|_|___ ___
| . | . | | | -_|  _|  _| | . |   |
|___|___|_| |___|___|_| |_|___|_|_|
        |___|(object)inject(ion) v1.2.4

     Runtime Mobile Exploration
        by: @leonjza from @sensepost

[tab] for command suggestions
com.x.y on (samsung: 4.4.2) [net] # android sslpinning disable
Job: 0029b653-7642-4228-bb3c-ffa1638be7eb - Starting
[ffa1638be7eb] [java-perform-exception] java.lang.ClassNotFoundException: Didn't find class "com.sensepost.test.TrustManager" on path: DexPathList[[],nativeLibraryDirectories=[/vendor/lib, /system/lib]]
Unloading script due to startup errors.

$ objection -g com.x.y explore

     _     _         _   _
 ___| |_  |_|___ ___| |_|_|___ ___
| . | . | | | -_|  _|  _| | . |   |
|___|___|_| |___|___|_| |_|___|_|_|
        |___|(object)inject(ion) v1.2.4

     Runtime Mobile Exploration
        by: @leonjza from @sensepost

[tab] for command suggestions
com.x.y on (samsung: 4.4.2) [usb] # android sslpinning disable
Job: e2e7b406-9188-4f9b-9148-58fd92f9df7f - Starting
[58fd92f9df7f] [java-perform-exception] java.lang.ClassNotFoundException: Didn't find class "com.sensepost.test.TrustManager" on path: DexPathList[[],nativeLibraryDirectories=[/vendor/lib, /system/lib]]
Unloading script due to startup errors.

Directly running Pinning code with Frida triggered the same error.

frida -U -p 5153
     ____
    / _  |   Frida 10.6.54 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at http://www.frida.re/docs/home/
[Samsung GT-I9505::PID::5153]-> if (Java.available) {
                                    Java.perform(function() {

                                    var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
                                    var SSLContext = Java.use('javax.net.ssl.SSLContext');

                                    var TrustManager = Java.registerClass({
                                        name: 'com.sensepost.test.TrustManager',
                                        implements: [X509TrustManager],
                                        methods: {
                                            checkClientTrusted: function (chain, authType) {
                                            },
                                            checkServerTrusted: function (chain, authType) {
                                            },
                                            getAcceptedIssuers: function () {
                                                return [];
                                            }
                                        }
                                    });
                                    }
                                )};
undefined
Error: java.lang.ClassNotFoundException: Didn't find class "com.sensepost.test.TrustManager" on path: DexPathList[[],nativeLibraryDirectories=[/vendor/lib, /system/lib]]
    at frida/node_modules/frida-java/lib/env.js:220
    at ensureClass (frida/node_modules/frida-java/lib/class-factory.js:737)
    at frida/node_modules/frida-java/lib/class-factory.js:120
    at registerClass (frida/node_modules/frida-java/lib/class-factory.js:1939)
    at [anon] (input:19)
    at frida/node_modules/frida-java/lib/vm.js:39
    at frida/node_modules/frida-java/index.js:287
    at eval (input:21)
    at eval (native)
leonjza commented 6 years ago

Heya,

I recall running into a similar problem with an Android 4.x device. Using an Android 5.x device worked for me in that case. Admittedly I haven't dived too deep into why this doesn't work on 4.x installations, but my guess is some lack of support in the way the arbitrary class is initialized.

Is it possible for you to test on 5.x and let me know?

yehgdotnet commented 6 years ago

Yes, I verified it doesn't work on Android 4.x.

I tested it on Android 7.x. It didn't trigger an error.

$ objection run android sslpinning disable
objc[29050]: +[__NSPlaceholderDate initialize] may have been in progress in another thread when fork() was called.
objc[29050]: +[__NSPlaceholderDate initialize] may have been in progress in another thread when fork() was called. We cannot safely call it or ignore it in the fork() child process. Crashing instead. Set a breakpoint on objc_initializeAfterForkError to debug.
Determining environment...
Running command... `android sslpinning disable`
Job: 846c20af-8103-40f3-9492-6a161b4a8db0 - Starting
[6a161b4a8db0] [android-ssl-pinning-bypass] Custom, Empty TrustManager ready
[6a161b4a8db0] [android-ssl-pinning-bypass] OkHTTP 3.x Found
Job: 846c20af-8103-40f3-9492-6a161b4a8db0 - Started

But interception seems impossible because of a new security measure in Android 7.

leonjza commented 6 years ago

Yeah for Android 7.x I am just going to update the APK patcher to allow you to specify with a flag if a network_security_config.xml should be included (or add it by default depending on how testing goes).
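For context on the Android 7 behaviour discussed above, here is an added example of a network_security_config.xml (not the objection project's own file, and not what its APK patcher emits). The base config reproduces the Android 7.0+ default of trusting only the system CA store, adds certificate pins for the app's backend, and shows the debug-overrides block that the platform honours only when the manifest sets android:debuggable="true". The host name and pin digests are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the objection project's own config.
     Referenced from AndroidManifest.xml via
     android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>
    <!-- Default for every host: only the system CA store, which is the
         Android 7.0+ behaviour that stops interception with a user-added CA -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pin the backend's public keys; placeholder host and digests.
         Keep a backup pin so a key rotation does not lock the app out. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2025-01-01">
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_HASH_PRIMARY=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_HASH_BACKUP=</pin>
        </pin-set>
    </domain-config>

    <!-- Applied by the platform only to builds with android:debuggable="true";
         a release build ignores this block, so user CAs stay untrusted there -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Before shipping, confirm the release APK is not debuggable (aapt dump badging app.apk should not print application-debuggable), since that flag is what keeps the override inert.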

yehgdotnet commented 6 years ago

Awesome, Leon

Looking forward to this update.

leonjza commented 6 years ago

I have added some warnings about older Android and iOS versions and objection. As for tracking the network security configuration improvement with Android 7, let's use #48.