Intercepting Pinned TLS Connections on Android

Getting past certificate pinning when apps decide to be annoying (but more secure)

Requirements

  • OWASP ZAP
  • Frida
  • Rooted Android Phone

    ⚠️ Since the apps we are interested in are not debuggable, Frida cannot attach to them on an unrooted phone; we have to be root.

Installing Requirements

  1. Install OWASP ZAP. On macOS: brew install owasp-zap

    ✅ Installers for basically all other platforms are at https://www.zaproxy.org/download/

  2. Install the Frida CLI tools: pip3 install frida-tools. Note the version you get (frida --version); the frida-server you put on the phone later has to match it exactly.

Configure your phone to work with OWASP Zap

  1. Open “Options”

  2. In “Options” click “Local Proxies” and add a new proxy bound to an IP address that is reachable from the phone (your machine’s Wi-Fi address, not 127.0.0.1).

    NOTE: Be sure to enable “Behind NAT” if you are using a private IP (you should be)

  3. Export the certificate by going to “Dynamic SSL Certificate” and saving the certificate to a path on your machine.

  4. Add the cert to your Android phone. I used adb push and then installed it as a CA certificate in Settings (the exact menu path varies by Android version). Keep in mind that apps targeting Android 7 (API 24) or newer do not trust user-installed CAs by default; if the app still refuses the connection once the Frida script from the next section is loaded, that is the usual cause, and being root you can move the ZAP CA into the system trust store instead.

  5. Add the proxy to your network config. Go to “Wi-Fi” → click on the ⚙️ next to your network → click on the ✏️ → Proxy: change “None” to “Manual” and enter the IP address and port that you configured in Step 2.

Setup and Run Frida

  1. On a rooted Android phone install frida-server following the instructions here: https://frida.re/docs/android/ or use https://github.com/ViRb3/magisk-frida, which installs it as a Magisk module and starts it on boot. The frida-server version must match your frida-tools version.
  2. Get the app id of the app you are interested in by running: frida-ps -Ua. That lists running apps only; frida-ps -Uai also lists installed apps that are not running. The value you need is the “Identifier” column (the package name).
  3. Download the unpinning script for Frida here: https://raw.githubusercontent.com/httptoolkit/frida-android-unpinning/main/frida-script.js
  4. Run and instrument the app with frida --no-pause -U -l ./frida-script.js -f <YOUR_APP>. On Frida 16 and newer the --no-pause flag no longer exists (spawned apps resume automatically), so drop it there.
  5. You should see connections from the app start to appear in your OWASP ZAP history window.
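As an added example (not from the original post, and not part of ZAP, Frida or the httptoolkit script), here are the steps above collected into one bash script. It assumes adb, frida and frida-ps are on PATH, that frida-server is already running on the rooted phone at the path the Frida docs use (/data/local/tmp/frida-server), and that frida-script.js sits in the current directory; the script name unpin.sh and the sample frida-ps listing are made up for illustration. It goes slightly beyond the text in two places: it checks that the host and device Frida versions match before doing anything, and it sets the proxy with adb (settings put global http_proxy) instead of the Wi-Fi UI, which does the same thing and is easy to undo.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): the ZAP + Frida workflow as a
# script. Assumes adb, frida and frida-ps on PATH, frida-server already running
# on the rooted phone, and the httptoolkit frida-script.js in this directory.
set -eu

FRIDA_SERVER=/data/local/tmp/frida-server   # assumption: path from the Frida docs
UNPIN_SCRIPT=./frida-script.js

# frida-tools on the host and frida-server on the phone must be the same
# release, otherwise attaching fails. Plain string comparison, kept separate
# from the adb calls so it can be tested offline.
versions_match() {   # usage: versions_match 16.1.4 16.1.4
  [ "$1" = "$2" ]
}

check_frida_versions() {
  local host dev
  host="$(frida --version)"
  dev="$(adb shell "su -c '$FRIDA_SERVER --version'" | tr -d '\r')"
  if ! versions_match "$host" "$dev"; then
    echo "frida-tools is $host but frida-server is $dev: install matching versions" >&2
    return 1
  fi
}

# Build the host:port value ZAP listens on and refuse nonsense ports early.
proxy_spec() {   # usage: proxy_spec 192.168.1.10 8080
  case "$2" in
    ''|*[!0-9]*) echo "bad port: $2" >&2; return 1 ;;
  esac
  [ "$2" -ge 1 ] && [ "$2" -le 65535 ] || { echo "bad port: $2" >&2; return 1; }
  printf '%s:%s\n' "$1" "$2"
}

# adb equivalent of the manual Wi-Fi proxy step; ":0" clears it again.
set_device_proxy()   { adb shell settings put global http_proxy "$(proxy_spec "$1" "$2")"; }
clear_device_proxy() { adb shell settings put global http_proxy :0; }

# Copy ZAP's exported root CA to the phone; installing it is still a Settings step.
push_zap_cert() {   # usage: push_zap_cert ./owasp_zap_root_ca.cer
  adb push "$1" /sdcard/Download/
  echo "Install it as a CA certificate under Settings > Security (menu path varies by Android version)"
}

# Resolve an app's display name to its package identifier from `frida-ps -Uai`
# output read on stdin. Column 1 is the PID ('-' when not running), the last
# column is the identifier, and everything in between is the name, which may
# contain spaces.
pick_app_id() {   # usage: frida-ps -Uai | pick_app_id "Home Assistant"
  awk -v name="$1" '
    NR > 2 && NF >= 3 {
      n = $2
      for (i = 3; i < NF; i++) n = n " " $i
      if (n == name) { print $NF; found = 1 }
    }
    END { exit !found }'
}

# Spawn the app with the unpinning script loaded. Frida 16+ resumes the spawned
# process on its own; on older releases add --no-pause here.
run_unpinned() {   # usage: run_unpinned com.example.iot
  frida -U -f "$1" -l "$UNPIN_SCRIPT"
}

main() {   # usage: ./unpin.sh <zap-host-ip> <zap-port> "<App display name>"
  check_frida_versions
  set_device_proxy "$1" "$2"
  local app_id
  app_id="$(frida-ps -Uai | pick_app_id "$3")"
  run_unpinned "$app_id"
}

# Constructed sample of frida-ps -Uai output (not captured from a real device).
SAMPLE_PS='  PID  Name             Identifier
-----  ---------------  -------------------------
 1234  Chrome           com.android.chrome
    -  Home Assistant   io.homeassistant.companion.android
    -  Example IoT      com.example.iot'

# Only run the workflow when invoked with all three arguments, so the file can
# also be sourced for its functions.
if [ "$#" -eq 3 ]; then
  main "$@"
fi
```

Run it as ./unpin.sh 192.168.1.10 8080 "Example IoT" once ZAP is listening and the CA is installed; clear_device_proxy puts the phone back when you are done, otherwise it will keep sending traffic to a proxy that is no longer there.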

Congratulations you now have access to the traffic! Now please go out and make a new Home Assistant integration for your favorite IoT crap.
