Frida: Root Detection & Certificate Pinning Bypass
Summary
This documentation gives step-by-step instructions for setting up and using Frida to bypass root detection and certificate pinning on an Android emulator. It covers installing the necessary tools, configuring the environment, and running the specific commands used to test and bypass these security mechanisms in mobile applications.
Requirements
- Operating system: Kali Linux
- pip installed on your system
- Installed Android Studio (Guide)
- Android Studio emulator with a non-production Android image (Guide)
- Installed apps on the emulator device (Twitter, PayPal, AndroGoat)
- Installed Burp Suite
Setup
Install the following packages using pip:
pip install frida
pip install objection
pip install frida-tools
Add this line to ~/.bashrc:
export PATH=$PATH:/home/kali/.local/bin
Save and exit the file.
Source ~/.bashrc so the change takes effect:
source ~/.bashrc
To check that the directory has been added to PATH:
echo $PATH
Install the frida-server
The frida-server will run on the emulator.
Find out which architecture the virtual device uses:
adb shell getprop ro.product.cpu.abi
If you followed the Android Studio setup guide, this should return x86.
Download the frida-server release matching that architecture from GitHub.
At the time of testing the latest version is 16.2.1, so the file is:
frida-server-16.2.1-android-x86.xz
Go to the Downloads directory
cd Downloads/
Decompress the downloaded file (it is xz-compressed, not a zip archive):
xz -d frida-server-16.2.1-android-x86.xz
Rename the file
mv frida-server-16.2.1-android-x86 frida-server
Restart adb as root (only possible on an emulator image without Google Play):
adb root
Push the frida-server to the emulator
adb push frida-server /data/local/tmp/
Make it executable
adb shell "chmod +x /data/local/tmp/frida-server"
Run the frida-server in the background
adb shell "/data/local/tmp/frida-server" &
List the applications on the device to make sure frida-server is running (the command only succeeds if it can connect to the server):
frida-ps -Uia
Root detection bypass using frida-server
For testing purposes we use the UnCrackable L1 APK from OWASP.
Download the Android UnCrackable L1 APK.
Run the emulator
emulator -avd Pixel_6_Pro_API_28 -writable-system -no-snapshot
Install the apk on the device
adb install UnCrackable-Level1.apk
This command lists the installed applications with their package names; it only works while frida-server is still running:
frida-ps -Uia
When the UnCrackable-Level1 app is opened, it shows the following:
To bypass this we use a Frida CodeShare script:
frida --codeshare dzonerzy/fridantiroot -f owasp.mstg.uncrackable1 -U
The terminal should look like this:
Now the UnCrackable-Level1.apk should start without the root detection warning:
Errors?
If frida-server produces an error, an old server instance may already be running. Look up the running frida-server processes in the shell (don't forget to run adb root first):
adb shell
ps -e | grep frida-server
If any server is running, kill it.
kill -9 <process-id>
Now you can start a new server.
Certificate Pinning Bypass using frida-server
To intercept the device's internet traffic, you first have to route it through the Burp Suite proxy.
Frida should be running on the device.
If it is not already running, use this command to start the server. Don't forget to run adb root first.
adb shell "/data/local/tmp/frida-server" &
Run the CodeShare command to bypass certificate pinning:
frida --codeshare masbog/frida-android-unpinning-ssl -f <APP_PACKAGE_NAME> -U
Twitter has certificate pinning checks, which means we have to start it through Frida to intercept the traffic. Otherwise, Twitter won't allow you to open the login page.
frida --codeshare masbog/frida-android-unpinning-ssl -f com.twitter.android -U
Now we can click on login and capture the encrypted messages in Burp Suite.
Twitter:
Burp Suite:
PayPal
Another popular app with certificate pinning is PayPal. Unlike Twitter, however, PayPal doesn't encrypt its login requests, so once the certificate pinning has been bypassed we can read the credentials in cleartext.
Download the newest version of PayPal onto your device and find out its package name with Frida:
frida-ps -Uia
When PayPal is started normally, it displays an error about the internet connection. This is because the certificate pinning check detects your Burp Suite proxy.
We start the app again with Frida:
frida --codeshare masbog/frida-android-unpinning-ssl -f com.paypal.android.p2pmobile -U
Now we won't get an error message when logging in. In Burp Suite we can see a request to /v1/mfsauth/proxy-auth/token.
In the middle of the green text the password is highlighted, and the last pair shows the email address.
Root and SSL bypass as one
So far we have bypassed either root detection or SSL pinning, one at a time. To bypass both at once we can combine the Frida CodeShare scripts.
- For our test we use the root detection bypass by dzonerzy: https://codeshare.frida.re/@dzonerzy/fridantiroot/
- And the SSL pinning bypass by masbog: https://codeshare.frida.re/@masbog/frida-android-unpinning-ssl/
To use both at the same time, copy the code of both bypasses into a single text file on the local machine.
We now have a file, for example rootandssl.txt, that contains both scripts.
Here is our file containing both bypasses uploaded to: https://file.io/6fxSi8IMHqwZ
It is possible to add as many scripts as you like.
To run our own file, use the following Frida command:
frida -l rootandssl.txt -f <APP_PACKAGE_NAME> -U
With an app like AndroGoat.apk we can check whether both bypasses work.
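The two manual steps above, looking up the package name in the frida-ps -Uia listing and assembling the frida -l ... -f ... -U spawn command, as a small helper. This is an added example, not part of the original page or of Frida; the frida-ps output it parses is a constructed sample, and it assumes the frida CLI accepts -l more than once (one per script), which is an alternative to concatenating the scripts into one file.

```python
import re
import shlex

# Constructed sample of `frida-ps -Uia` output (not captured from a real device).
# Installed apps that are not running show "-" in the PID column.
SAMPLE_FRIDA_PS = """\
  PID  Name                  Identifier
-----  --------------------  -----------------------------
 1234  Twitter               com.twitter.android
 2048  Google Play Services  com.google.android.gms
    -  PayPal                com.paypal.android.p2pmobile
    -  Uncrackable1          owasp.mstg.uncrackable1
"""


def parse_frida_ps(output):
    """Parse frida-ps -Uia output into dicts with pid, name and identifier."""
    apps = []
    for line in output.splitlines():
        line = line.strip()
        # Skip blank lines, the header row and the dashed separator row.
        if not line or line.startswith("PID") or set(line) <= {"-", " "}:
            continue
        # Columns are separated by two or more spaces, so a name with a
        # single space ("Google Play Services") stays in one piece.
        parts = re.split(r"\s{2,}", line)
        if len(parts) != 3:
            continue  # not a well-formed row
        pid, name, identifier = parts
        apps.append({"pid": None if pid == "-" else int(pid),
                     "name": name, "identifier": identifier})
    return apps


def find_identifier(output, app_name):
    """Return the package identifier for a display name (case-insensitive)."""
    for app in parse_frida_ps(output):
        if app["name"].lower() == app_name.lower():
            return app["identifier"]
    raise LookupError(f"app {app_name!r} not found in frida-ps output")


def build_frida_spawn_command(identifier, script_paths):
    """Build argv for `frida -l <script> ... -f <package> -U` (one -l per script)."""
    if not re.fullmatch(r"[A-Za-z][\w.]*", identifier):
        raise ValueError(f"unexpected package identifier: {identifier!r}")
    argv = ["frida"]
    for path in script_paths:
        argv += ["-l", path]
    return argv + ["-f", identifier, "-U"]


if __name__ == "__main__":
    pkg = find_identifier(SAMPLE_FRIDA_PS, "PayPal")
    print(shlex.join(build_frida_spawn_command(pkg, ["rootandssl.txt"])))
```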