Frida: Root Detection & Certificate Pinning Bypass

From Embedded Lab Vienna for IoT & Security

Summary

This documentation provides detailed instructions for setting up and using Frida to bypass root detection and certificate pinning on an Android emulator. It includes steps for installing necessary tools, configuring the environment, and running specific commands to test and bypass security mechanisms in mobile applications.

Requirements

  • Operating system: Kali Linux
  • pip installed on your system
  • Installed Android Studio (Guide)
  • Android Studio emulator with a non-production Android image (Guide)
  • Installed apps on the emulator device (Twitter, PayPal, AndroGoat)
  • Installed Burp Suite

Setup

Install the following packages using pip:

pip install frida

pip install objection

pip install frida-tools

Add the following line to ~/.bashrc so that the tools installed by pip are found:

export PATH=$PATH:/home/kali/.local/bin

Save and exit the file.

Source the file so the change takes effect in the current shell:

source ~/.bashrc

To check that the directory has been added to PATH:

echo $PATH

Install the frida-server

The frida-server will run on the emulator.

Find out which architecture the virtual device has:

adb shell getprop ro.product.cpu.abi

If you followed the Android Studio setup guide the output should be x86.

Download the frida-server from the Frida releases page on GitHub. At the time of testing the latest version was 16.2.1, and the file matching the x86 emulator is:

frida-server-16.2.1-android-x86.xz

[Screenshot: the frida-server release file]

Go to the Downloads directory

cd Downloads/

Decompress the downloaded file (it is xz-compressed, not a zip archive)

xz -d frida-server-16.2.1-android-x86.xz

Rename the file

mv frida-server-16.2.1-android-x86 frida-server

Restart adbd with root privileges (only possible on an emulator image without Google Play)

adb root

Push the frida-server to the emulator

adb push frida-server /data/local/tmp/

Make it executable

adb shell "chmod +x /data/local/tmp/frida-server"

Run the frida-server in the background

adb shell "/data/local/tmp/frida-server" &

List the applications on the device through Frida; if this command succeeds, frida-server is running and reachable

frida-ps -Uia
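The steps above can be scripted. The following Python script is an added example, not part of the original page or of the Frida project: it asks the emulator for its ABI, derives the matching release asset name, checks that the locally installed frida package and the chosen frida-server agree on the major version (a mismatch is the usual reason frida cannot talk to the server), kills any stale frida-server (the situation described under "Errors?" below), pushes and starts the binary, and confirms that Frida can enumerate the installed applications. It assumes that adb is on PATH, that the emulator is the only connected device, and that the decompressed server binary is in the current directory as frida-server.

```python
"""Deploy frida-server to an Android emulator (added example, not from the page).

Assumptions (constructed for this example): adb is on PATH, the emulator
is the only connected device, and the decompressed release binary lies
in the current directory under the name `frida-server`.
"""
import subprocess
import sys

# ABI string from `getprop ro.product.cpu.abi` -> suffix used in Frida's
# release asset names (frida-server-<ver>-android-<suffix>.xz).
ABI_TO_FRIDA_ARCH = {
    "x86": "x86",
    "x86_64": "x86_64",
    "armeabi-v7a": "arm",
    "arm64-v8a": "arm64",
}


def abi_to_frida_arch(abi: str) -> str:
    abi = abi.strip()
    if abi not in ABI_TO_FRIDA_ARCH:
        raise ValueError(f"unsupported ABI: {abi!r}")
    return ABI_TO_FRIDA_ARCH[abi]


def server_asset_name(version: str, abi: str) -> str:
    """Release asset to download, e.g. frida-server-16.2.1-android-x86.xz."""
    return f"frida-server-{version}-android-{abi_to_frida_arch(abi)}.xz"


def versions_compatible(client_version: str, server_version: str) -> bool:
    """The frida client and frida-server must share the same major version,
    otherwise frida refuses to communicate with the server."""
    return client_version.split(".")[0] == server_version.split(".")[0]


def stale_server_pids(ps_output: str) -> list:
    """Parse `ps -e` output from the device; return PIDs of frida-server processes.
    Toybox ps prints `USER PID PPID VSZ RSS WCHAN ADDR S NAME`, so the PID is
    the second column and the process name the last one."""
    pids = []
    for line in ps_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[-1] == "frida-server" and fields[1].isdigit():
            pids.append(int(fields[1]))
    return pids


def adb(*args: str) -> str:
    """Run an adb command and return its stdout; raises on a non-zero exit."""
    return subprocess.run(["adb", *args], check=True, capture_output=True, text=True).stdout


def deploy(server_version: str, local_binary: str = "frida-server") -> None:
    import frida  # installed by `pip install frida`

    if not versions_compatible(frida.__version__, server_version):
        sys.exit(f"frida {frida.__version__} cannot talk to frida-server {server_version}")
    abi = adb("shell", "getprop", "ro.product.cpu.abi").strip()
    print("device ABI:", abi, "-> expected asset:", server_asset_name(server_version, abi))
    adb("root")                    # restart adbd as root (non-Google-Play image only)
    adb("wait-for-device")         # adbd restarts; wait until it is back
    for pid in stale_server_pids(adb("shell", "ps", "-e")):
        print("killing stale frida-server pid", pid)
        adb("shell", "kill", "-9", str(pid))
    adb("push", local_binary, "/data/local/tmp/frida-server")
    adb("shell", "chmod", "+x", "/data/local/tmp/frida-server")
    # Leave the server running in the background, as `adb shell ... &` does.
    subprocess.Popen(["adb", "shell", "/data/local/tmp/frida-server"])
    apps = frida.get_usb_device().enumerate_applications()
    print(f"frida-server reachable, {len(apps)} installed applications visible")


if __name__ == "__main__":
    deploy(sys.argv[1] if len(sys.argv) > 1 else "16.2.1")
```

Run it as `python deploy_frida_server.py 16.2.1` from the directory that holds the decompressed binary; the version argument must be the one you downloaded, since the script only verifies compatibility, it does not download anything.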

Root detection bypass using frida-server

For testing purposes we use the UnCrackable Level 1 APK from OWASP.

Download UnCrackable L1 Apk

Download the Android UnCrackable Level 1 APK

[Screenshot: the UnCrackable Level 1 APK download]

Run the emulator

emulator -avd Pixel_6_Pro_API_28 -writable-system -no-snapshot

Install the apk on the device

adb install UnCrackable-Level1.apk

This command lists the package names of the applications on the device; it only works while frida-server is still running

frida-ps -Uia

When the UnCrackable Level 1 app is opened, it shows the following root detection warning:

[Screenshot: UnCrackable Level 1 on the device showing the root detection warning]

To bypass this we spawn the app with Frida attached and a root detection bypass script from Frida CodeShare (dzonerzy/fridantiroot):

frida --codeshare dzonerzy/fridantiroot -f owasp.mstg.uncrackable1 -U

The terminal should look like this:

[Screenshot: frida CLI output of the root detection bypass]

Now UnCrackable Level 1 should start without the root detection warning:

[Screenshot: UnCrackable Level 1 on the device after the bypass]

Errors?

If an error involving the frida-server occurs, an old server instance may still be running. Look up running frida-server processes in the device shell (run adb root first):

adb shell
ps -e | grep frida-server

If any server is running, kill it.

kill -9 <process-id>

Now you can start a new server.

Certificate Pinning Bypass using frida-server

In order to intercept the device's internet traffic, you have to route it through the Burp Suite proxy.

frida-server should be running on the device.

If it is not running yet, start it with the following command (run adb root first):

adb shell "/data/local/tmp/frida-server" &

Run the codeshare command to bypass certificate pinning:

frida --codeshare masbog/frida-android-unpinning-ssl -U -f <APP-PACKAGE_NAME>

Twitter

Twitter performs certificate pinning checks, so we have to start it through the frida command to intercept its traffic. Otherwise, Twitter won't even allow you to open the login page while the proxy is in place.

frida --codeshare masbog/frida-android-unpinning-ssl -U -f com.twitter.android

Now we can tap login and capture the TLS-encrypted login messages in Burp Suite, which decrypts them as the proxy.

Twitter:

[Screenshot: Twitter login screen on the device]

Burp Suite:

[Screenshot: Twitter login request captured in Burp Suite]

PayPal

Another popular app that uses certificate pinning is PayPal. Unlike Twitter, however, PayPal does not add its own encryption to the login request beyond TLS. This means that once certificate pinning is bypassed, the credentials are readable in cleartext in the proxy.

Install the newest version of PayPal on the device and look up its package name with frida-ps:

frida-ps -Uia

When PayPal is started normally it displays an error about the internet connection. This is because the certificate pinning check rejects the certificate presented by your Burp Suite proxy.

[Screenshot: PayPal connection error on the device]

We start the app again through Frida with the unpinning script:

frida --codeshare masbog/frida-android-unpinning-ssl -U -f com.paypal.android.p2pmobile

Now no error message appears when logging in. In Burp Suite we can see a request to /v1/mfsauth/proxy-auth/token.

In the middle of the green request body the password is highlighted, and the last key/value pair contains the email address.

[Screenshot: PayPal login request captured in Burp Suite]

Root and SSL bypass as one

So far we have only bypassed either root detection or SSL pinning on its own. To bypass both at the same time, we can combine the two Frida CodeShare scripts.

To use both at once, copy the code of both bypass scripts and paste it into a single text file on the local machine.

The result is a file, for example rootandssl.txt, that contains both scripts.

Our file containing both bypasses is uploaded here: https://file.io/6fxSi8IMHqwZ

You can add as many scripts to the file as you like.

To execute our own file we use the following frida command, which loads the local script instead of one from CodeShare:

frida -l rootandssl.txt -f <APP_PACKAGE_NAME> -U

An app such as AndroGoat, which has both root detection and certificate pinning checks, lets us verify that both bypasses work.

[Screenshot: frida CLI output while executing the custom script against AndroGoat]
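The same thing can be done from Frida's Python bindings (installed above with pip install frida). The script below is an added example, not part of the original page or of any CodeShare project: it reads the script files you name on the command line, joins them into one agent, spawns the app suspended, loads the agent before any app code runs (what -f does), and logs the messages the scripts emit. It goes one step beyond the page's plain copy-and-paste file: each script is wrapped in its own function scope, so two scripts that both declare a top-level const or let with the same name load cleanly instead of failing with a SyntaxError. The package name is the one shown by frida-ps -Uia; the script file names are assumptions.

```python
"""Run a combined Frida script against an app, as `frida -l rootandssl.txt
-f <APP_PACKAGE_NAME> -U` does, via Frida's Python bindings.
Added example, not from the page or any CodeShare project.

Assumptions: the script files named on the command line are the ones you
copied from Frida CodeShare; the package name comes from `frida-ps -Uia`.
"""
import sys
from pathlib import Path


def combine_scripts(sources: dict) -> str:
    """Join several script sources into one agent. Each script is wrapped in
    its own function scope so that identically named top-level const/let
    declarations in two scripts do not collide (a bare concatenation would
    fail to load with a SyntaxError). Globals such as Java and rpc stay shared."""
    parts = []
    for name, body in sources.items():
        parts.append(f"// ---- {name} ----")
        parts.append("(function () {")
        parts.append(body.rstrip())
        parts.append("})();")
    return "\n".join(parts) + "\n"


def format_message(message: dict) -> str:
    """Render one message from the agent as a log line. The dict shapes are
    Frida's message protocol: `send(x)` arrives as type "send" with a payload;
    an uncaught exception arrives as type "error" with a description."""
    if message.get("type") == "send":
        return f"[script] {message.get('payload')}"
    if message.get("type") == "error":
        where = f"{message.get('fileName')}:{message.get('lineNumber')}"
        return f"[error] {message.get('description')} at {where}"
    return f"[{message.get('type')}] {message}"


def run(package: str, script_paths: list) -> None:
    import frida  # pip install frida

    sources = {p: Path(p).read_text() for p in script_paths}
    agent = combine_scripts(sources)
    device = frida.get_usb_device()
    pid = device.spawn([package])  # like -f: start the app in a suspended state
    session = device.attach(pid)
    script = session.create_script(agent)
    script.on("message", lambda message, data: print(format_message(message)))
    script.load()                  # hooks are in place before any app code runs
    device.resume(pid)
    print(f"{package} running with {len(sources)} script(s) loaded; Ctrl-C to detach")
    try:
        sys.stdin.read()           # keep the session alive while you use the app
    except KeyboardInterrupt:
        pass
    session.detach()


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: run_scripts.py <APP_PACKAGE_NAME> script1.js [script2.js ...]")
    run(sys.argv[1], sys.argv[2:])
```

Usage: `python run_scripts.py owasp.sat.agoat root.js ssl.js` (package name and file names are placeholders; use the package name reported by frida-ps -Uia and your own script files). Because each file stays a separate block in the combined agent, a syntax error reported through the "error" message still points at the offending script by the header comment above it.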
