This commit is contained in:
carlospolop 2025-09-29 14:10:03 +02:00
parent 156d9c5ee9
commit 00f989366d


@ -279,12 +279,31 @@ objection --gadget com.example.app explore
apk-mitm app.apk
```
## Tips & caveats
## Universal proxy forcing + TLS unpinning (HTTP Toolkit Frida hooks)
- Prefer attaching late over spawning when apps crash at launch
- Some detections rerun in critical flows (e.g., payment, auth) — keep hooks active during navigation
- Mix static and dynamic: string hunt in Jadx to shortlist classes; then hook methods to verify at runtime
- Hardened apps may use packers and native TLS pinning — expect to reverse native code
Modern apps often ignore system proxies and enforce multiple layers of pinning (Java + native), making traffic capture painful even with user/system CAs installed. A practical approach is to combine universal TLS unpinning with proxy forcing via ready-made Frida hooks, and route everything through mitmproxy/Burp.
Workflow
- Run mitmproxy on your host (or Burp). Ensure the device can reach the host IP/port.
- Load HTTP Toolkits consolidated Frida hooks to both unpin TLS and force proxy usage across common stacks (OkHttp/OkHttp3, HttpsURLConnection, Conscrypt, WebView, etc.). This bypasses CertificatePinner/TrustManager checks and overrides proxy selectors, so traffic is always sent via your proxy even if the app explicitly disables proxies.
- Start the target app with Frida and the hook script, and capture requests in mitmproxy.
Example
```bash
# Device connected via ADB or over network (-U)
# See the repo for the exact script names & options
frida -U -f com.vendor.app \
-l ./android-unpinning-with-proxy.js \
--no-pause
# mitmproxy listening locally
mitmproxy -p 8080
```
Notes
- Combine with a system-wide proxy via `adb shell settings put global http_proxy <host>:<port>` when possible. The Frida hooks will enforce proxy use even when apps bypass global settings.
- This technique is ideal when you need to MITM mobile-to-IoT onboarding flows where pinning/proxy avoidance is common.
- Hooks: https://github.com/httptoolkit/frida-interception-and-unpinning
## References
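Review bot: the new heading `## Universal proxy forcing + TLS unpinning (HTTP Toolkit Frida hooks)` lands directly under `## Tips & caveats` and above that section's four bullets, while the new body (from "Modern apps often ignore system proxies..." through the `Hooks:` link) follows those bullets with no heading of its own; move the heading to immediately precede the "Modern apps..." paragraph so the tips stay under their own heading and the new section reads as one unit before `## References`. In the Workflow bullet, "HTTP Toolkits consolidated Frida hooks" should read "HTTP Toolkit's". The example never tells the hooks where the proxy is: "Ensure the device can reach the host IP/port" and `mitmproxy -p 8080` set up the listener, but nothing configures the host/port (or the mitmproxy CA the hooks should trust) that the proxy-forcing script redirects traffic to, and the claim that "traffic is always sent via your proxy" only holds once that is set; add that configuration step to the Workflow. `./android-unpinning-with-proxy.js` is not a script name the page confirms, and the comment "See the repo for the exact script names & options" concedes as much; either use the real script name(s) from the linked repo or make the placeholder explicit (e.g. `-l <hook-script>.js`) so readers do not copy a file that may not exist. The comment "Device connected via ADB or over network (-U)" is misleading: `-U` selects the device exposed through ADB, while a frida-server reached directly over the network needs `-H <host:port>`. Also, on recent frida-tools releases spawning no longer pauses by default and `--no-pause` may not be accepted; either drop it or state the version the example targets.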