diff --git a/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md b/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md index 14c96f751..978b6c946 100644 --- a/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md +++ b/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md 
@@ -279,12 +279,31 @@ objection --gadget com.example.app explore apk-mitm app.apk ``` -## Tips & caveats +## Universal proxy forcing + TLS unpinning (HTTP Toolkit Frida hooks) -- Prefer attaching late over spawning when apps crash at launch -- Some detections re‑run in critical flows (e.g., payment, auth) — keep hooks active during navigation -- Mix static and dynamic: string hunt in Jadx to shortlist classes; then hook methods to verify at runtime -- Hardened apps may use packers and native TLS pinning — expect to reverse native code +Modern apps often ignore system proxies and enforce multiple layers of pinning (Java + native), making traffic capture painful even with user/system CAs installed. A practical approach is to combine universal TLS unpinning with proxy forcing via ready-made Frida hooks, and route everything through mitmproxy/Burp. + +Workflow +- Run mitmproxy on your host (or Burp). Ensure the device can reach the host IP/port. +- Load HTTP Toolkit’s consolidated Frida hooks to both unpin TLS and force proxy usage across common stacks (OkHttp/OkHttp3, HttpsURLConnection, Conscrypt, WebView, etc.). This bypasses CertificatePinner/TrustManager checks and overrides proxy selectors, so traffic is always sent via your proxy even if the app explicitly disables proxies. +- Start the target app with Frida and the hook script, and capture requests in mitmproxy. + +Example +```bash +# Device connected via ADB or over network (-U) +# See the repo for the exact script names & options +frida -U -f com.vendor.app \ + -l ./android-unpinning-with-proxy.js \ + --no-pause + +# mitmproxy listening locally +mitmproxy -p 8080 +``` + +Notes +- Combine with a system-wide proxy via `adb shell settings put global http_proxy :` when possible. The Frida hooks will enforce proxy use even when apps bypass global settings. +- This technique is ideal when you need to MITM mobile-to-IoT onboarding flows where pinning/proxy avoidance is common. 
+- Hooks: https://github.com/httptoolkit/frida-interception-and-unpinning ## References
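Review bot: The adb command in the new Notes bullet is incomplete: `adb shell settings put global http_proxy :` has nothing on either side of the colon, so the host and port placeholders were evidently stripped (angle-bracketed text is a likely casualty of rendering); spell them out as plain placeholder names, e.g. `adb shell settings put global http_proxy PROXY_HOST:PROXY_PORT`, so the line is usable as written. Two smaller points in the same hunk: the script path `./android-unpinning-with-proxy.js` is presented as a real filename while the comment above it says "See the repo for the exact script names & options", so either use the actual name from the linked repo or label the path as a placeholder; and the hunk drops all four "Tips & caveats" bullets even though nothing in the new section covers them. The advice to attach late rather than spawn when an app crashes at launch is directly relevant because the new example spawns with `-f ... --no-pause`, and the notes about detections re-running in auth/payment flows, mixing Jadx string hunting with runtime hooks, and packers/native pinning are still valid caveats for this page. Suggest keeping those bullets (under the new section or a retained "Tips & caveats" heading) rather than deleting them.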