上篇说了Android 应用 HTTPS 通信,那么本次给大家分享如何突破 HTTPS 通信。上篇地址:Android应用安全之 HTTPS通信小结
0x01 Frida绕过SSL单向校验
参考文章Universal Android SSL Pinning bypass with Frida。
更多的frida
官方hook 脚本库地址:https://codeshare.frida.re/
设置Burpuite代理, 手机浏览器访问设置的代理地址下载Burpuite的证书, 将证书直接重命名为burp.crt
。之后将证书push到/data/local/tmp
目录下, 在adb shell里输入./frida-server &
再在PC端进行操作。
新建一个frida-android-repinning.js文件, 详细代码如下:
/* Android SSL Re-pinning frida script v0.2 030417-pier $ adb push burpca-cert-der.crt /data/local/tmp/cert-der.crt $ frida -U -f it.app.mobile -l frida-android-repinning.js --no-pause https://techblog.mediaservice.net/2017/07/universal-android-ssl-pinning-bypass-with-frida/ UPDATE 20191605: Fixed undeclared var. Thanks to @oleavr and @ehsanpc9999 !*/setTimeout(function(){
Java.perform(function (){
console.log(""); console.log("[.] Cert Pinning Bypass/Re-Pinning"); var CertificateFactory = Java.use("java.security.cert.CertificateFactory"); var FileInputStream = Java.use("java.io.FileInputStream"); var BufferedInputStream = Java.use("java.io.BufferedInputStream"); var X509Certificate = Java.use("java.security.cert.X509Certificate"); var KeyStore = Java.use("java.security.KeyStore"); var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory"); var SSLContext = Java.use("javax.net.ssl.SSLContext"); // Load CAs from an InputStream console.log("[+] Loading our CA...") var cf = CertificateFactory.getInstance("X.509"); try {
var fileInputStream = FileInputStream.$new("/sdcard/Download/cacert.crt"); // /sdcard/Download/cacert.crt } catch(err) {
console.log("[o] " + err); } var bufferedInputStream = BufferedInputStream.$new(fileInputStream); var ca = cf.generateCertificate(bufferedInputStream); bufferedInputStream.close(); var certInfo = Java.cast(ca, X509Certificate); console.log("[o] Our CA Info: " + certInfo.getSubjectDN()); // Create a KeyStore containing our trusted CAs console.log("[+] Creating a KeyStore for our CA..."); var keyStoreType = KeyStore.getDefaultType(); var keyStore = KeyStore.getInstance(keyStoreType); keyStore.load(null, null); keyStore.setCertificateEntry("ca", ca); // Create a TrustManager that trusts the CAs in our KeyStore console.log("[+] Creating a TrustManager that trusts the CA in our KeyStore..."); var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm(); var tmf = TrustManagerFactory.getInstance(tmfAlgorithm); tmf.init(keyStore); console.log("[+] Our TrustManager is ready..."); console.log("[+] Hijacking SSLContext methods now...") console.log("[-] Waiting for the app to invoke SSLContext.init()...") SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").implementation = function(a,b,c) {
console.log("[o] App invoked javax.net.ssl.SSLContext.init..."); SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").call(this, a, tmf.getTrustManagers(), c); console.log("[+] SSLContext initialized with our custom TrustManager!"); } });},0);
在terminal, 输入如下命令:
$ frida -U -f it.app.mobile -l frida-android-repinning.js --no-pause
在关闭应用的情况下(避免Magisk Hide处于开启状态), 可得到回显并绕过SSL pinning。
懒人版的 hook 脚本,自动检测了多种情况:
/* Android ssl certificate pinning bypass script for various methods by Maurizio Siddu Run with: frida -U -f [APP_ID] -l frida_multiple_unpinning.js --no-pause*/setTimeout(function() {
Java.perform(function () {
console.log(''); console.log('======'); console.log('[#] Android Bypass for various Certificate Pinning methods [#]'); console.log('======'); var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager'); var SSLContext = Java.use('javax.net.ssl.SSLContext'); // TrustManager (Android < 7) var TrustManager = Java.registerCla