From 4e5e92f066907acb64d4580450e3d9585fc9926d Mon Sep 17 00:00:00 2001
From: Translator <github-actions@github.com>
Date: Mon, 29 Sep 2025 12:18:41 +0000
Subject: [PATCH] Translated ['',
 'src/mobile-pentesting/android-app-pentesting/android-an

---
 ...-instrumentation-and-ssl-pinning-bypass.md | 116 ++++++++++--------
 1 file changed, 67 insertions(+), 49 deletions(-)

diff --git a/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md b/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md
index 3445018d7..ecf909acf 100644
--- a/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md
+++ b/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md
@@ -2,7 +2,7 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-Ukurasa huu unaorodhesha mtiririko wa vitendo ili kurejesha dynamic analysis dhidi ya programu za Android zinazogundua/kuzuia instrumentation kwa root au kutekeleza TLS pinning. Unalenga triage ya haraka, ugunduzi wa kawaida, na hooks/tactics za nakili-na-wekewa (copy‑pasteable) ili kuzipita bila kujaribu repacking inapowezekana.
+Ukurasa huu unaelezea mtiririko wa vitendo ili kupata tena dynamic analysis dhidi ya Android apps zinazogundua/root‑block instrumentation au zinazotekeleza TLS pinning. Unalenga fast triage, detections za kawaida, na copy‑pasteable hooks/tactics za kuzipitisha bila repacking inapowezekana.
 
 ## Detection Surface (what apps check)
 
@@ -18,14 +18,14 @@ Ukurasa huu unaorodhesha mtiririko wa vitendo ili kurejesha dynamic analysis dhi
 - Enable DenyList, add the target package
 - Reboot and retest
 
-Programu nyingi huangalia tu viashiria vinavyoonekana (su/Magisk paths/getprop). DenyList mara nyingi huondoa ukaguzi wa aina hiyo.
+Many apps only look for obvious indicators (su/Magisk paths/getprop). DenyList often neutralizes naive checks.
 
 References:
 - Magisk (Zygisk & DenyList): https://github.com/topjohnwu/Magisk
 
 ## Step 2 — 30‑second Frida Codeshare tests
 
-Jaribu scripts za kawaida za drop‑in kabla ya kuchimba kwa undani:
+Try common drop‑in scripts before deep diving:
 
 - anti-root-bypass.js
 - anti-frida-detection.js
@@ -35,13 +35,13 @@ Example:
 ```bash
 frida -U -f com.example.app -l anti-frida-detection.js
 ```
-Hizi kwa kawaida stub Java root/debug checks, process/service scans, na native ptrace(). Zinasaidia kwenye apps zilizo na ulinzi mdogo; hardened targets zinaweza kuhitaji tailored hooks.
+Haya kwa kawaida hu-stub Java root/debug checks, process/service scans, na native ptrace(). Inafaa kwa apps zilizo na ulinzi mdogo; hardened targets may need tailored hooks.
 
 - Codeshare: https://codeshare.frida.re/
 
-## Otomatisha kwa Medusa (Frida framework)
+## Otomatisha na Medusa (Frida framework)
 
-Medusa inatoa 90+ modules zilizo tayari kwa ajili ya SSL unpinning, root/emulator detection bypass, HTTP comms logging, crypto key interception, na mengine mengi.
+Medusa hutoa moduli 90+ zilizotengenezwa tayari kwa SSL unpinning, root/emulator detection bypass, HTTP comms logging, crypto key interception, na mengine.
 ```bash
 git clone https://github.com/Ch0pin/medusa
 cd medusa
@@ -54,40 +54,40 @@ use http_communications/multiple_unpinner
 use root_detection/universal_root_detection_bypass
 run com.target.app
 ```
-Vidokezo: Medusa ni nzuri kwa kupata ushindi wa haraka kabla ya kuandika hooks maalum. Unaweza pia kuchagua modules kwa makini na kuzichanganya na scripts zako.
+Tip: Medusa ni nzuri kwa ushindi wa haraka kabla ya kuandika custom hooks. Unaweza pia kuchagua modules na kuzichanganya na scripts zako.
 
-## Hatua ya 3 — Pita kando detekta za wakati wa kuanzisha kwa kuambatisha baadaye
+## Hatua 3 — Pitia vichunguzi vya wakati wa init kwa kuambatisha kwa kuchelewa
 
-Deteksheni nyingi hufanya kazi tu wakati wa process spawn/onCreate(). Spawn‑time injection (-f) au gadgets hukamatwa; kuambatisha baada ya UI kupakia kunaweza kupita bila kugunduliwa.
+Uchunguzi mwingi hufanya kazi tu wakati wa process spawn/onCreate(). Spawn‑time injection (-f) au gadgets hushikwa; kuambatisha baada UI inapopakuliwa kunaweza kupita bila kugunduliwa.
 ```bash
 # Launch the app normally (launcher/adb), wait for UI, then attach
 frida -U -n com.example.app
 # Or with Objection to attach to running process
 aobjection --gadget com.example.app explore  # if using gadget
 ```
-Ikiwa hili litafanya kazi, hakikisha kikao kinabaki thabiti na endelea na kazi za kuunda ramani na ukaguzi wa stub.
+Ikiwa hii itafanya kazi, hakikisha kikao kimekaa thabiti kisha endelea na kuunda ramani na ukaguzi wa stub.
 
-## Hatua 4 — Ramani mantiki ya utambuzi kupitia Jadx na utafutaji wa strings
+## Step 4 — Ramani ya mantiki ya utambuzi kupitia Jadx na kutafuta strings
 
-Maneno muhimu ya static triage katika Jadx:
+Maneno muhimu kwa triage ya static katika Jadx:
 - "frida", "gum", "root", "magisk", "ptrace", "su", "getprop", "debugger"
 
-Mifano ya kawaida ya Java:
+Mifumo ya kawaida ya Java:
 ```java
 public boolean isFridaDetected() {
 return getRunningServices().contains("frida");
 }
 ```
-API za kawaida za kukagua/hook:
+APIs za kawaida za kukagua/hook:
 - android.os.Debug.isDebuggerConnected
 - android.app.ActivityManager.getRunningAppProcesses / getRunningServices
 - java.lang.System.loadLibrary / System.load (native bridge)
-- java.lang.Runtime.exec / ProcessBuilder (maamri ya kuchunguza)
-- android.os.SystemProperties.get (heuristics za root/emulator)
+- java.lang.Runtime.exec / ProcessBuilder (probing commands)
+- android.os.SystemProperties.get (root/emulator heuristics)
 
-## Hatua ya 5 — Runtime stubbing na Frida (Java)
+## Hatua 5 — Runtime stubbing na Frida (Java)
 
-Override custom guards ili zirudishe thamani salama bila repacking:
+Fanya override ya custom guards ili zirudishe thamani salama bila repacking:
 ```js
 Java.perform(() => {
 const Checks = Java.use('com.example.security.Checks');
@@ -102,7 +102,7 @@ const AM = Java.use('android.app.ActivityManager');
 AM.getRunningAppProcesses.implementation = function () { return java.util.Collections.emptyList(); };
 });
 ```
-Triaging early crashes? Dump classes tu kabla inavyokufa ili kutambua detection namespaces zinazowezekana:
+Unachambua crashes za mapema? Dump classes tu kabla inavyokufa ili kugundua detection namespaces zinazowezekana:
 ```js
 Java.perform(() => {
 Java.enumerateLoadedClasses({
@@ -119,7 +119,7 @@ RootChecker.isDeviceRooted.implementation = function () { return false; };
 } catch (e) {}
 });
 
-Rekodi na kuzima mbinu zinazoshukiwa ili kuthibitisha mtiririko wa utekelezaji:
+Log na kuwafanya methods zinazoshukiwa zisifanye kazi ili kuthibitisha mtiririko wa utekelezaji:
 ```js
 Java.perform(() => {
 const Det = Java.use('com.example.security.DetectionManager');
@@ -131,9 +131,9 @@ return false;
 ```
 ## Bypass emulator/VM detection (Java stubs)
 
-Vidokezo vya kawaida: Build.FINGERPRINT/MODEL/MANUFACTURER/HARDWARE zikiwa zinajumuisha generic/goldfish/ranchu/sdk; QEMU artifacts kama /dev/qemu_pipe, /dev/socket/qemud; default MAC 02:00:00:00:00:00; 10.0.2.x NAT; kukosekana kwa telephony/sensors.
+Vidokezo vya kawaida: Build.FINGERPRINT/MODEL/MANUFACTURER/HARDWARE zinazojumuisha generic/goldfish/ranchu/sdk; QEMU artifacts kama /dev/qemu_pipe, /dev/socket/qemud; MAC ya chaguo-msingi 02:00:00:00:00:00; NAT 10.0.2.x; ukosefu wa huduma za simu/sensa.
 
-Spoof ya haraka ya Build fields:
+Udanganyifu wa haraka wa sehemu za Build:
 ```js
 Java.perform(function(){
 var Build = Java.use('android.os.Build');
@@ -143,11 +143,11 @@ Build.BRAND.value = 'google';
 Build.FINGERPRINT.value = 'google/panther/panther:14/UP1A.231105.003/1234567:user/release-keys';
 });
 ```
-Ongeza stubs kwa ukaguzi wa kuwepo kwa faili na vitambulisho (TelephonyManager.getDeviceId/SubscriberId, WifiInfo.getMacAddress, SensorManager.getSensorList) ili zirudishe thamani za kweli.
+Ongeza stubs kwa ajili ya ukaguzi wa uwepo wa faili na vitambulisho (TelephonyManager.getDeviceId/SubscriberId, WifiInfo.getMacAddress, SensorManager.getSensorList) ili zirudishe thamani za kweli.
 
 ## SSL pinning bypass quick hook (Java)
 
-Batilisha TrustManagers maalum na kulazimisha SSL contexts zinazoruhusu:
+Fanya TrustManagers zilizobinafsishwa zisizofanya kazi na ulazimishe SSL contexts zenye kuruhusu:
 ```js
 Java.perform(function(){
 var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
@@ -165,17 +165,17 @@ return SSLContextInit.call(this, km, TrustManagers, sr);
 };
 });
 ```
-Vidokezo
-- Panua kwa OkHttp: hook okhttp3.CertificatePinner na HostnameVerifier kama inavyohitajika, au tumia universal unpinning script kutoka CodeShare.
+Notes
+- Panua kwa OkHttp: hook okhttp3.CertificatePinner na HostnameVerifier inapohitajika, au tumia universal unpinning script kutoka CodeShare.
 - Mfano wa kuendesha: `frida -U -f com.target.app -l ssl-bypass.js --no-pause`
 
-## Hatua 6 — Fuata njia ya JNI/native wakati Java hooks zinashindwa
+## Hatua 6 — Fuata njia ya JNI/native wakati Java hooks zinaposhindwa
 
-Fuatilia JNI entry points ili kupata native loaders na detection init:
+Chunguza entry points za JNI ili kutambua native loaders na detection init:
 ```bash
 frida-trace -n com.example.app -i "JNI_OnLoad"
 ```
-Tathmini ya haraka ya native ya mafaili .so yaliyoambatanishwa:
+Tathmini ya haraka ya native ya faili za .so zilizojumuishwa:
 ```bash
 # List exported symbols & JNI
 nm -D libfoo.so | head
@@ -186,7 +186,7 @@ Interactive/native reversing:
 - Ghidra: https://ghidra-sre.org/
 - r2frida: https://github.com/nowsecure/r2frida
 
-Mfano: kufanya ptrace isitumike ili kushinda anti‑debug rahisi katika libc:
+Mfano: kuzuia ptrace ili kushinda anti‑debug rahisi katika libc:
 ```js
 const ptrace = Module.findExportByName(null, 'ptrace');
 if (ptrace) {
@@ -195,35 +195,35 @@ return -1; // pretend failure
 }, 'int', ['int', 'int', 'pointer', 'pointer']));
 }
 ```
-Angalia pia:
+Tazama pia:
 {{#ref}}
 reversing-native-libraries.md
 {{#endref}}
 
-## Hatua 7 — Objection patching (embed gadget / strip basics)
+## Hatua ya 7 — Objection patching (embed gadget / strip basics)
 
 Ikiwa unapendelea repacking badala ya runtime hooks, jaribu:
 ```bash
 objection patchapk --source app.apk
 ```
-Vidokezo:
-- Requires apktool; ensure a current version from the official guide to avoid build issues: https://apktool.org/docs/install
-- Gadget injection enables instrumentation without root but can still be caught by stronger init‑time checks.
+Notes:
+- Inahitaji apktool; hakikisha toleo la hivi karibuni kutoka kwenye mwongozo rasmi ili kuepuka matatizo ya ujenzi: https://apktool.org/docs/install
+- Gadget injection inaruhusu instrumentation bila root lakini inaweza kugunduliwa na init‑time checks kali.
 
-Hiari, ongezea moduli za LSPosed na Shamiko kwa stronger root hiding katika Zygisk environments, na panga DenyList ili kufunika child processes.
+Hiari, ongeza LSPosed modules na Shamiko kwa kuficha root kwa nguvu zaidi katika mazingira ya Zygisk, na tengeneza DenyList ili kufunika child processes.
 
-Marejeo:
+References:
 - Objection: https://github.com/sensepost/objection
 
-## Hatua 8 — Mbadala: Rekebisha TLS pinning kwa uwazi wa mtandao
+## Step 8 — Njia mbadala: Rekebisha TLS pinning kwa uonekano wa mtandao
 
-Ikiwa instrumentation imezuiwa, bado unaweza kuchunguza trafiki kwa kuondoa TLS pinning kwa njia ya statiki:
+Iwapo instrumentation imezuiwa, unaweza bado kuchambua traffic kwa kuondoa pinning kistatikali:
 ```bash
 apk-mitm app.apk
 # Then install the patched APK and proxy via Burp/mitmproxy
 ```
 - Zana: https://github.com/shroudedcode/apk-mitm
-- Kwa mbinu za CA‑trust katika usanidi wa network (na user CA trust ya Android 7+), angalia:
+- Kwa mbinu za CA‑trust za usanidi wa mtandao (na Android 7+ user CA trust), angalia:
 
 {{#ref}}
 make-apk-accept-ca-certificate.md
@@ -251,25 +251,43 @@ objection --gadget com.example.app explore
 # Static TLS pinning removal
 apk-mitm app.apk
 ```
-## Vidokezo na tahadhari
+## Kulazimisha proxy universal + TLS unpinning (HTTP Toolkit Frida hooks)
 
-- Pendelea ku-attach mwishowe kuliko spawning wakati apps zinaporomoka wakati wa uzinduzi
-- Baadhi ya utambuzi zinafanywa tena katika mizunguko muhimu (mf., payment, auth) — weka hooks zikiwa active wakati wa navigation
-- Changanya static na dynamic: string hunt katika Jadx ili kupunguza orodha ya classes; kisha hook methods ili kuthibitisha wakati wa runtime
-- Apps zilizo hardened zinaweza kutumia packers na native TLS pinning — tarajia ku-reverse native code
+Programu za kisasa mara nyingi huupuza system proxies na kutekeleza tabaka nyingi za pinning (Java + native), na kufanya kukamata trafiki kuwa ngumu hata kama CAs za user/system zimesakinishwa. Njia ya vitendo ni kuchanganya universal TLS unpinning na kulazimisha proxy kupitia Frida hooks tayari, na kupitisha kila kitu kupitia mitmproxy/Burp.
 
-## References
+Workflow
+- Run mitmproxy on your host (or Burp). Ensure the device can reach the host IP/port.
+- Load HTTP Toolkit’s consolidated Frida hooks to both unpin TLS and force proxy usage across common stacks (OkHttp/OkHttp3, HttpsURLConnection, Conscrypt, WebView, etc.). This bypasses CertificatePinner/TrustManager checks and overrides proxy selectors, so traffic is always sent via your proxy even if the app explicitly disables proxies.
+- Start the target app with Frida and the hook script, and capture requests in mitmproxy.
 
-- [Reversing Android Apps: Bypassing Detection Like a Pro](https://www.kayssel.com/newsletter/issue-12/)
+Mfano
+```bash
+# Device connected via ADB or over network (-U)
+# See the repo for the exact script names & options
+frida -U -f com.vendor.app \
+-l ./android-unpinning-with-proxy.js \
+--no-pause
+
+# mitmproxy listening locally
+mitmproxy -p 8080
+```
+Vidokezo
+- Unganisha na proxy ya mfumo mzima kupitia `adb shell settings put global http_proxy <host>:<port>` inapowezekana. Frida hooks yatafanya proxy itumike hata wakati apps zinapiepuka mipangilio ya mfumo.
+- Mbinu hii inafaa unapohitaji kufanya MITM kwenye taratibu za onboarding kutoka mobile kwenda IoT ambapo kuepukana na pinning/proxy ni jambo la kawaida.
+- Hooks: https://github.com/httptoolkit/frida-interception-and-unpinning
+
+## Marejeo
+
+- [Reversing Android Apps: Kuepuka Ugunduzi Kama Mtaalamu](https://www.kayssel.com/newsletter/issue-12/)
 - [Frida Codeshare](https://codeshare.frida.re/)
 - [Objection](https://github.com/sensepost/objection)
 - [apk-mitm](https://github.com/shroudedcode/apk-mitm)
 - [Jadx](https://github.com/skylot/jadx)
 - [Ghidra](https://ghidra-sre.org/)
 - [r2frida](https://github.com/nowsecure/r2frida)
-- [Apktool install guide](https://apktool.org/docs/install)
+- [Mwongozo wa ufungaji wa Apktool](https://apktool.org/docs/install)
 - [Magisk](https://github.com/topjohnwu/Magisk)
 - [Medusa (Android Frida framework)](https://github.com/Ch0pin/medusa)
-- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
+- [Jenga Maabara ya Android ya Bug Bounty Inayoweza Kurudiwa: Emulator vs Magisk, Burp, Frida, na Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
 
 {{#include ../../banners/hacktricks-training.md}}