search

tweaselORG / appstraction

An abstraction layer for common instrumentation functions (e.g. installing and starting apps, setting preferences, etc.) on Android and iOS.
MIT License
4 stars 1 forks source link

Replace objection with httptoolkit/frida-android-unpinning #110

Closed baltpeter closed 11 months ago

baltpeter commented 12 months ago

As per https://github.com/tweaselORG/meta/issues/16, we want to replace objection with https://github.com/httptoolkit/frida-android-unpinning:

I'd say we do switch to the HT script (it seems more actively maintained, is not worse and maybe even a little better than objection, and it saves us from all the trouble we had with keeping objection's process around (https://github.com/tweaselORG/appstraction/issues/101, https://github.com/tweaselORG/appstraction/issues/24)).

baltpeter commented 12 months ago

I've decided to include the script as a file in our repository (and thus the yarn packed version) instead of downloading it in the prepack script (as we're doing for the mitmproxy HAR script). The license allows that. And that way, we can always precisely say which version of the unpinning script a particular version of appstraction used.

baltpeter commented 12 months ago

We can spawn an app with Frida like this:

const device = await frida.getUsbDevice();
const pid = await device.spawn(appId);
await device.resume(pid);

The app won't actually start running until the resume() call. That allows us to do early instrumentation and load the unpinning script before the app can make any requests.

baltpeter commented 12 months ago

The interesting question is then how we actually solve #24. For the other Frida scripts we're loading, we've used this workflow (minus the spawning):

const device = await frida.getUsbDevice();
const pid = await device.spawn(appId);
const session = await device.attach(pid);
const script = await session.createScript(unpinningScript);
await script.load();
await device.resume(pid);
await session.detach();

However, detaching from the session (last line) will also unload the script and thus no requests will actually be unpinned.

To confirm this, I've started mitmproxy and run the example script with an app that I know from the experiment has cert pinning that the script can solve (de.dhl.paket). Indeed, there are always errors like this if I load the script like above:

[15:06:56.241][10.0.0.1:41110] Client TLS handshake failed. The client does not trust the proxy's certificate for www.dhl.de (OpenSSL Error([('SSL routines', '', 'sslv3 alert certificate unknown')]))

On the other hand, if we don't detach, we're not actually solving #24. The Frida session will stick around and the Node process will not exit unless the app is stopped.

baltpeter commented 12 months ago

However, I did find that there is a script.eternalize() method. I didn't really find anything in the way of documentation of what that does. frida --help helpfully documents it as "eternalize the script before exit". The only documentation I found was this comment in frida-go:

https://github.com/frida/frida-go/blob/f6834eec371c3cd8850d6e006e3b3b5c282a1cba/frida/script.go#L55

That however sounds like exactly what we're looking for.

And indeed, if I load the script like this:

const device = await frida.getUsbDevice();
const pid = await device.spawn(appId);
const session = await device.attach(pid);
const script = await session.createScript(unpinningScript);
await script.load();
await script.eternalize();
await device.resume(pid);
await session.detach();

I don't see any cert errors anymore in mitmproxy and the Node process still exits at the end. Happy days.