Commit 00f9893

committed
f
1 parent 156d9c5 commit 00f9893

1 file changed

Lines changed: 24 additions & 5 deletions

src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md

@@ -279,12 +279,31 @@ objection --gadget com.example.app explore
279279
apk-mitm app.apk
280280
```
281281

282-
## Tips & caveats
282+
## Universal proxy forcing + TLS unpinning (HTTP Toolkit Frida hooks)
283283

284-
- Prefer attaching late over spawning when apps crash at launch
285-
- Some detections re‑run in critical flows (e.g., payment, auth) — keep hooks active during navigation
286-
- Mix static and dynamic: string hunt in Jadx to shortlist classes; then hook methods to verify at runtime
287-
- Hardened apps may use packers and native TLS pinning — expect to reverse native code
284+
Modern apps often ignore system proxies and enforce multiple layers of pinning (Java + native), making traffic capture painful even with user/system CAs installed. A practical approach is to combine universal TLS unpinning with proxy forcing via ready-made Frida hooks, and route everything through mitmproxy/Burp.
285+
286+
Workflow
287+
- Run mitmproxy on your host (or Burp). Ensure the device can reach the host IP/port.
288+
- Load HTTP Toolkit’s consolidated Frida hooks to both unpin TLS and force proxy usage across common stacks (OkHttp/OkHttp3, HttpsURLConnection, Conscrypt, WebView, etc.). This bypasses CertificatePinner/TrustManager checks and overrides proxy selectors, so traffic is always sent via your proxy even if the app explicitly disables proxies.
289+
- Start the target app with Frida and the hook script, and capture requests in mitmproxy.
290+
291+
Example
292+
```bash
293+
# Device connected via ADB or over network (-U)
294+
# See the repo for the exact script names & options
295+
frida -U -f com.vendor.app \
296+
-l ./android-unpinning-with-proxy.js \
297+
--no-pause
298+
299+
# mitmproxy listening locally
300+
mitmproxy -p 8080
301+
```
302+
303+
Notes
304+
- Combine with a system-wide proxy via `adb shell settings put global http_proxy <host>:<port>` when possible. The Frida hooks will enforce proxy use even when apps bypass global settings.
305+
- This technique is ideal when you need to MITM mobile-to-IoT onboarding flows where pinning/proxy avoidance is common.
306+
- Hooks: https://github.com/httptoolkit/frida-interception-and-unpinning
288307

289308
## References
290309

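Review bot: The hunk deletes the whole `## Tips & caveats` list (lines 282-287: attach late vs. spawn, detections re-running in payment/auth flows, static-plus-dynamic triage in Jadx, packers and native pinning) without carrying any of it into the new section, so the `-` lines remove guidance that is unrelated to the proxy-forcing change; keep that list (after the new section, or under its own heading) unless the removal is deliberate and explained in the commit message. Two smaller points in the added text: the example invokes `-l ./android-unpinning-with-proxy.js` while its own comment says `# See the repo for the exact script names & options`, so either use the real filename from the linked repository or mark the path clearly as a placeholder; and the Workflow says the hooks "force proxy usage" but nowhere states where the hooks learn the proxy host/port (and the proxy CA) that "Ensure the device can reach the host IP/port" depends on, so add the configuration step before the `frida` command. Also the Example starts `frida` before `mitmproxy -p 8080`, while the Workflow lists the proxy first; reorder the snippet so the proxy is listening before the app is spawned.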