Android App SSL Pinning Bypass [NoxPlayer + nox_adb + Frida + Objection] — English Version
In the name of God, the Most Gracious, the Most Merciful
Summary
In this tutorial, I walk step by step through an SSL pinning bypass on Windows, using NoxPlayer as the emulator together with nox_adb, Frida, and Objection. In my experience the method explained below is easy and "completely works" on some applications, but it does not work on applications that have a unique SSL pinning implementation. Still, it's worth trying.
Initial State
Again, this tutorial uses Windows; other operating systems may need small adjustments. Some things need to be prepared in advance and are not covered in this tutorial:
- NoxPlayer Installation. (Download here)
- Python Installation on Windows. (Tutorial)
What will be covered in this tutorial:
- Frida and Objection Installation
- Connect NoxPlayer Device using nox_adb.exe
- Frida-Server Installation
- Burp Proxy Settings on NoxPlayer
- SSL Pinning Bypass (Study Case)
I. Frida and Objection Installation
Frida is installed on Windows using pip. After that, we need to install frida-server on NoxPlayer (the Android emulator).
If you want to know more about Frida, you can read about it at https://frida.re/
- Download + Install using pip
Open PowerShell and run these commands:
pip install frida-tools
frida --version   # to confirm frida was installed successfully
pip install objection
II. Connect NoxPlayer Device using nox_adb.exe
Android Debug Bridge (adb) is a command-line tool that connects us to an Android device.
nox_adb.exe is the adb build shipped for devices that run on the NoxPlayer emulator.
2.1 Turn on NoxPlayer (Make sure Root mode is on)
2.2 After NoxPlayer is running, let's try to connect using nox_adb.exe
Notes: nox_adb.exe is located in the bin folder under the Nox root folder. I installed Nox in D:\Program Files, so nox_adb.exe is located in D:\Program Files\Nox\bin
If you installed Nox in C:\Program Files, nox_adb.exe is located at C:\Program Files\Nox\bin\nox_adb.exe
2.3 Open PowerShell in the bin folder with:
“SHIFT+Right Click > Open PowerShell Window here”
2.4 To check the connected devices, run this command:
.\nox_adb.exe devices
III. Frida-Server Installation
3.1 First, check the CPU architecture (ABI) of the Android device that we are using.
.\nox_adb.exe shell getprop ro.product.cpu.abi
3.2 My device is x86. Next, download the frida-server package here
Download:
frida-server-15.1.2-android-x86.xz
3.3 Rename frida-server-15.1.2-android-x86.xz to frida-server-andro.xz and then extract it.
3.4 After that, copy the frida-server-andro file to ../Nox/bin/
3.5 Upload frida-server-andro to Nox :
.\nox_adb.exe push .\frida-server-andro /data/local/tmp
.\nox_adb.exe shell "chmod 777 /data/local/tmp/frida-server-andro"
At this stage, we upload frida-server-andro to the /data/local/tmp folder on the Nox Android device, then change its permissions to make it executable.
3.6 Turn on frida-server
.\nox_adb.exe shell "/data/local/tmp/frida-server-andro &"
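A check worth doing before step 3.2, added here as an example (it is not part of the original tutorial): frida-server is normally run at the same release as the frida client that pip installed in section I, and the archive name uses Frida's architecture names rather than the Android ABI string printed in step 3.1. The function names and the sample command outputs are constructed for illustration.

```python
import re

# Android ABI (getprop ro.product.cpu.abi) -> arch suffix in frida-server archive names.
ABI_TO_FRIDA_ARCH = {
    "x86": "x86",
    "x86_64": "x86_64",
    "armeabi-v7a": "arm",
    "arm64-v8a": "arm64",
}
ASSET_RE = re.compile(r"frida-server-(\d+\.\d+\.\d+)-android-([a-z0-9_]+)\.xz")


def wanted(frida_version_output, abi_output):
    """Parse `frida --version` and getprop output into (version, frida_arch)."""
    version = frida_version_output.strip()  # captured output may end in \r\n
    if not re.fullmatch(r"\d+\.\d+\.\d+", version):
        raise ValueError(f"unexpected frida version output: {version!r}")
    abi = abi_output.strip()
    if abi not in ABI_TO_FRIDA_ARCH:
        raise ValueError(f"unsupported ABI: {abi!r}")
    return version, ABI_TO_FRIDA_ARCH[abi]


def expected_asset(frida_version_output, abi_output):
    """Name of the frida-server archive that matches this host and device."""
    version, arch = wanted(frida_version_output, abi_output)
    return f"frida-server-{version}-android-{arch}.xz"


def check_download(filename, frida_version_output, abi_output):
    """Return a list of mismatches between a downloaded archive and the setup."""
    m = ASSET_RE.fullmatch(filename)
    if not m:
        return [f"not a frida-server Android archive name: {filename}"]
    version, arch = wanted(frida_version_output, abi_output)
    problems = []
    if m.group(1) != version:
        problems.append(f"server {m.group(1)} != client {version}")
    if m.group(2) != arch:
        problems.append(f"archive is for {m.group(2)}, device needs {arch}")
    return problems


if __name__ == "__main__":
    # Constructed outputs: a newer client than the 15.1.2 server used in step 3.2.
    print(expected_asset("16.1.4\r\n", "x86\r\n"))
    print(check_download("frida-server-15.1.2-android-x86.xz", "16.1.4\r\n", "x86\r\n"))
```

Feed it the real output of `frida --version` and of the step 3.1 command; an empty list from check_download means the archive matches both the client and the device.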
IV. Burp Proxy Settings On NoxPlayer
After Frida and Objection are ready, we need to set the Burp proxy on the NoxPlayer Android device, so Burp can intercept any request from it.
4.1 Check your Host IP (Windows)
Open Command Prompt (CMD) and then run ‘ipconfig’
4.2 Turn on Burp Suite and then add a Proxy Listener on your host IP and port 8080 (192.168.1.6:8080 in my case)
4.3 Proxy Setting On Android Device
- Open “Settings > Wifi > WiredSSID”, hold on WiredSSID, and then choose “Modify Network”
Notes: This step may be different on yours, depending on the Android device.
- Choose “Advanced Options”, and then choose “Manual”. Insert your Host IP as the Proxy Hostname, and set the port to 8080
4.4 Burp Certificate Installation
- Open http://burp on Browser. (Make sure burp intercept is On)
- Click CA Certificate to download Burp Certificate
- It will download the certificate as cacert.der; after that, rename the file to cacert.cer
- Open Settings and then search for ‘Certificate’. Choose “Install Certificates” and then “Install Certificates”, and choose “cacert.cer”
- Insert the certificate name as “Burp”.
- The Burp certificate installation is finished.
Notes: If it is necessary to set the Device PIN first, then set the Device PIN.
V. SSL Pinning Bypass (Study Case)
After stages I-IV have been completed, we will try to bypass SSL pinning.
In this section, we use the Medium application as a case study. You can also go straight to the application you want to test.
5.1 First, Install The App.
Notes: If you want to download the app via Playstore, you need to change the android Proxy to default first.
5.2 Check the list of installed applications
frida-ps -Uai
Notes: If there is an error, make sure that the frida-server is turned on
From the results above we can find out the name of the application and its identifier. In this case, the Medium application has the identifier com.medium.reader.
5.3 Make sure the proxy setting points to Burp again, then open the application to confirm that the application uses SSL pinning.
Applications that use SSL pinning will display the error "Received fatal alert: certificate_unknown". This is a sign that Burp failed to intercept the request sent by the application because of SSL pinning.
5.4 SSL Pinning Bypass Using Objection
Open a new PowerShell tab, and then run this command:
“objection -g <identifier name> explore”
objection -g com.medium.reader explore
To disable SSL pinning, run this command in Objection:
android sslpinning disable
Next, try to sign in, and look at the Burp interceptor.
Yups! We successfully intercepted the request, which means we succeeded in bypassing the SSL pinning!
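Why step 5.3 fails even though the Burp certificate was installed in step 4.4, as an added example that is not part of the original tutorial: a pinning app runs a second check on top of the platform's trust store, so a chain that the device trusts can still be rejected. This is a simplified model that assumes the app pins SHA-256 hashes of the server's public key in the `sha256/<base64>` notation used by OkHttp; the host, CA names and key bytes are constructed stand-ins.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """Pin string: 'sha256/' + base64(SHA-256(SubjectPublicKeyInfo bytes))."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def handshake_result(chain, trust_store, pins):
    """chain: leaf-first list of (subject, issuer, spki_bytes) tuples.
    trust_store: CA names the device trusts. pins: empty set means no pinning."""
    # Stage 1: platform validation, reduced here to "top of chain issued by a trusted CA".
    if chain[-1][1] not in trust_store:
        return "untrusted_chain"
    # Stage 2: the app's own check; at least one key in the chain must match a pin.
    if pins and not any(spki_pin(spki) in pins for _, _, spki in chain):
        return "pin_mismatch"
    return "ok"


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs.
SERVER_KEY = b"constructed-spki: api.example.test"
ISSUER_KEY = b"constructed-spki: Example Issuing CA"
PROXY_LEAF_KEY = b"constructed-spki: leaf generated by the proxy"

REAL_CHAIN = [("api.example.test", "Example Issuing CA", SERVER_KEY),
              ("Example Issuing CA", "Example Root CA", ISSUER_KEY)]
PROXY_CHAIN = [("api.example.test", "Burp CA", PROXY_LEAF_KEY)]

APP_PINS = {spki_pin(SERVER_KEY)}
SYSTEM_STORE = {"Example Root CA"}
STORE_WITH_BURP = SYSTEM_STORE | {"Burp CA"}  # after step 4.4


def scenarios():
    return {
        "direct": handshake_result(REAL_CHAIN, SYSTEM_STORE, APP_PINS),
        "proxy, CA not installed": handshake_result(PROXY_CHAIN, SYSTEM_STORE, APP_PINS),
        "proxy, CA installed, pinned app": handshake_result(PROXY_CHAIN, STORE_WITH_BURP, APP_PINS),
        "proxy, CA installed, unpinned app": handshake_result(PROXY_CHAIN, STORE_WITH_BURP, set()),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The third scenario is the state reached in step 5.3; the fourth is how an app with no pin check, or with that check switched off as in step 5.4, treats the same proxy chain.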
Closing
The method I have described above may or may not work. It depends on the application and on how complicated its SSL pinning is. However, I hope this article helps you in bypassing SSL pinning.
Thank you for reading! Please provide feedback if you have any suggestions regarding this article.
Regards, Harrmahar.