Intercepting SSL Pinned Android App Traffic with Frida and Burp Suite

Andremoore
5 min read · Oct 30, 2024


How did I end up writing about this?

First of all, I’m too lazy 😴 to do repetitive tasks — that’s the main reason I explored ways to intercept Android app traffic. For this practice, I used two tools: Frida and Burp Suite.

Before Continuing

You’ll need a rooted Android device. If you don’t have one, you can use an Android Studio AVD and root it by following the steps in “Rooting the Android Studio Emulator: A Step-by-Step Guide”.

First, what is Frida 💉?

Frida is a dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.

Frida is an open-source toolkit for injecting scripts into a running process, hooking its functions, and tracing an application’s private code. In short, Frida is one of the tools commonly used in penetration testing.

Then, what is Burp Suite?

Burp Suite is a software tool used for security assessment and penetration testing of web applications.

In this case, Burp Suite is used to monitor the traffic of an Android application. Burp Suite provides a good UI and makes monitoring and intercepting network traffic easy.

Burp Suite Community UI

Let’s dive into the main topic

Before we start intercepting, there are several things to prepare:

  • A rooted Android device (in this case, I used the Android Studio emulator)
  • Burp Suite installed on your laptop
  • Frida installed in your Python environment

Intercepting Application Network Traffic

To begin intercepting, we need to:

  1. Set up Burp Suite.
  2. Configure the Android Emulator to use the Burp Suite proxy (or another intercepting tool’s proxy).
  3. Set up Frida.

Setting Up Burp Suite

  1. Click Continue and use the default settings (no custom settings are needed for the Community Edition).
  2. Open the Proxy tab, then go to Proxy Settings (located at the top, just below the Dashboard tab).
  3. In the Proxy Settings page, click Import/Export CA Certificate and select Certificate in DER Format.
  4. Choose a folder to save the certificate (this certificate will be used later with Frida).
Burp Suite Dashboard

Setting Up the Android Emulator

  1. Open the Android Wi-Fi Settings, and set the Proxy to Manual.
  2. Set the Proxy Hostname to 10.0.2.2 (for Android Studio Emulator; others can use 127.0.0.1).
  3. Set the Proxy Port to 8080.
  4. Save the settings. The internet connection may appear limited, but this is normal. You can force the emulator to use Wi-Fi by turning off cellular data.

Let’s Start Sniffing

Prepare the Script
Save the following script as fridascript.js.

/*
Android SSL Re-pinning frida script v0.2 030417-pier

$ adb push burpca-cert-der.crt /data/local/tmp/cert-der.crt
$ frida -U -f it.app.mobile -l frida-android-repinning.js --no-pause

https://techblog.mediaservice.net/2017/07/universal-android-ssl-pinning-bypass-with-frida/

UPDATE 20191605: Fixed undeclared var. Thanks to @oleavr and @ehsanpc9999 !
*/

setTimeout(function () {
    Java.perform(function () {
        console.log("");
        console.log("[.] Cert Pinning Bypass/Re-Pinning");

        // Java classes the script needs, resolved inside the app's VM
        var CertificateFactory = Java.use("java.security.cert.CertificateFactory");
        var FileInputStream = Java.use("java.io.FileInputStream");
        var BufferedInputStream = Java.use("java.io.BufferedInputStream");
        var X509Certificate = Java.use("java.security.cert.X509Certificate");
        var KeyStore = Java.use("java.security.KeyStore");
        var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");
        var SSLContext = Java.use("javax.net.ssl.SSLContext");

        // Load our CA (the Burp certificate pushed to the device with adb)
        console.log("[+] Loading our CA...");
        var cf = CertificateFactory.getInstance("X.509");

        var fileInputStream;
        try {
            fileInputStream = FileInputStream.$new("/data/local/tmp/cert-der.crt");
        } catch (err) {
            // Without the certificate file nothing below can work, so stop here
            // instead of failing later with a less informative error
            console.log("[o] " + err);
            return;
        }

        var bufferedInputStream = BufferedInputStream.$new(fileInputStream);
        var ca = cf.generateCertificate(bufferedInputStream);
        bufferedInputStream.close();

        var certInfo = Java.cast(ca, X509Certificate);
        console.log("[o] Our CA Info: " + certInfo.getSubjectDN());

        // Create a KeyStore containing only our CA
        console.log("[+] Creating a KeyStore for our CA...");
        var keyStoreType = KeyStore.getDefaultType();
        var keyStore = KeyStore.getInstance(keyStoreType);
        keyStore.load(null, null);
        keyStore.setCertificateEntry("ca", ca);

        // Create a TrustManager that trusts the CA in our KeyStore
        console.log("[+] Creating a TrustManager that trusts the CA in our KeyStore...");
        var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        var tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
        tmf.init(keyStore);
        console.log("[+] Our TrustManager is ready...");

        console.log("[+] Hijacking SSLContext methods now...");
        console.log("[-] Waiting for the app to invoke SSLContext.init()...");

        // Hook SSLContext.init(KeyManager[], TrustManager[], SecureRandom): the app's
        // KeyManagers (a) and SecureRandom (c) are passed through unchanged, while its
        // TrustManagers (b) are replaced by ours, so only our CA is trusted
        SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").implementation = function (a, b, c) {
            console.log("[o] App invoked javax.net.ssl.SSLContext.init...");
            SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").call(this, a, tmf.getTrustManagers(), c);
            console.log("[+] SSLContext initialized with our custom TrustManager!");
        };
    });
}, 0);

Convert the Generated Certificate

  1. Retrieve the generated certificate from Burp Suite and convert it to .crt format. You can use any online tool for this, or try an SSL converter.
  2. Rename the converted certificate to cert-der.crt.

Prepare the Frida Server

  1. Download the Frida Server from the Frida repository’s releases.
  2. Be sure to download the version that matches the Frida version installed in your Python environment.

Push the Required Files to the Android Device

Push cert-der.crt to the device by running the following command:

adb push [Your PATH]/cert-der.crt /data/local/tmp

Don’t forget to also push the Frida Server to the device:

adb push [Your Path]/frida-server-[Your Architecture] /data/local/tmp

Grant the Frida server read, write and execute permissions:

adb shell chmod 777 /data/local/tmp/frida-server-[Your Architecture]

Now, start the Frida Server by running these commands:

adb root
adb shell /data/local/tmp/frida-server-arm64 &

At this point, the Frida server is running and ready to inject and hook into the target application for sniffing.

Start The Intercepting

First, make sure you know the package name of your target application. (Do your own research on how to find the package name.)

Run Frida to intercept your application by executing the following command:

frida -U -f [Target Packages] -l [Your Path]/fridascript.js

Your terminal will look like this:

And you will see your target application’s traffic in Burp Suite.
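The device-side steps above (push the Burp CA, push and start frida-server, then run frida against the package) as one script, added here as an example and not part of the original post. It adds the two checks the manual steps rely on: the frida-server build must match the device ABI, and its version must match the frida Python package exactly. The certificate and frida-server paths are assumptions passed on the command line.

```shell
#!/bin/sh
# Added example, not from the original post: scripts the device-side steps (push the
# Burp CA, push and start frida-server) with the checks the manual steps rely on:
# frida-server's ABI and version must match the device and the frida Python package.
set -eu

# Map an Android ABI (getprop ro.product.cpu.abi) to the architecture suffix used
# in frida-server release names (frida-server-X.Y.Z-android-ARCH).
abi_to_frida_arch() {
    case "$1" in
        arm64-v8a)   echo arm64 ;;
        armeabi-v7a) echo arm ;;
        x86_64)      echo x86_64 ;;
        x86)         echo x86 ;;
        *) echo "unsupported ABI: $1" >&2; return 1 ;;
    esac
}

# Extract X.Y.Z from a release name such as frida-server-16.5.9-android-arm64.
server_version_from_name() {
    printf '%s\n' "$1" | sed -n 's/.*frida-server-\([0-9][0-9.]*\)-android-.*/\1/p'
}

# frida-server and the frida Python package must be the exact same version.
versions_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Usage: deploy /path/to/burp-ca.der /path/to/frida-server-X.Y.Z-android-ARCH
deploy() {
    cert="$1"; server="$2"; name=$(basename "$server")
    abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')   # adb shell output carries a CR
    arch=$(abi_to_frida_arch "$abi")
    case "$name" in
        *"-android-$arch") ;;
        *) echo "$name is not built for $abi (need -android-$arch)" >&2; return 1 ;;
    esac
    local_ver=$(frida --version); server_ver=$(server_version_from_name "$name")
    versions_match "$local_ver" "$server_ver" ||
        { echo "version mismatch: frida $local_ver, frida-server $server_ver" >&2; return 1; }
    adb root >/dev/null
    adb push "$cert" /data/local/tmp/cert-der.crt
    adb push "$server" /data/local/tmp/frida-server
    adb shell chmod 755 /data/local/tmp/frida-server   # the execute bit is what matters; 777 is wider than needed
    adb shell "/data/local/tmp/frida-server &"
    sleep 2
    frida-ps -U >/dev/null && echo "frida-server is up; now run: frida -U -f <package> -l fridascript.js"
}
if [ "${1:-}" = "--deploy" ]; then deploy "$2" "$3"; fi
```

Run it as `sh deploy.sh --deploy burp-ca.der frida-server-16.5.9-android-arm64` with the emulator started; a successful `frida-ps -U` at the end confirms the server is reachable before you attach to the target.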

Written by Andremoore

Junior Android Developer in Phincon. Love to explore about Jetpack Compose and Clean Architecture

No responses yet

Write a response