Android App SSL Pinning Bypass [NoxPlayer + nox_adb + Frida + Objection]

1. NoxPlayer Installation. (Download here)

2. Python Installation on Windows. (Tutorial)

What will be covered in this tutorial:

1. Frida and Objection Installation

2. Connect NoxPlayer Device using nox_adb.exe

3. Frida-Server Installation

4. Burp Proxy Settings on NoxPlayer

5. SSL Pinning Bypass (Study Case)

I. Frida and Objection Installation

Frida installation is done on Windows, using pip. Next, we need to install Frida-server on NoxPlayer (Android Emulator).

If you want to know more about frida, you can read it here https://frida.re/

1. Download + Install using pip Open Powershell, dan run this command:

pip install frida-tools
frida --version // to confirm frida successfully installedpip install objection

Zoom image will be displayed

Frida successfully installed

Objection successfully installed

II. Connect NoxPlayer Device using nox_adb.exe

Android Debug Bridge (adb) is a command line device that can connect us to the device. While nox_adb.exe is a special adb for devices that run on NoxPlayer emulator.

2.1 Turn on NoxPlayer (Make sure Root mode is on)

Zoom image will be displayed

2.2 After NoxPlayer running, let's try to connect using nox_adb.exe

Notes: nox_adb.exe is located in bin folder on Nox root folder . I installed Nox on D:/Program Files , so the nox_adb.exe is located on D:\Program Files\Nox\bin If you installed nox in C:/Program Files/ so the nox_adb.exe is located on C:/Program Files/Nox/bin/nox_adb.exe

2.3 Open PowerShell On Bin Folder, by :

“SHIFT+Right Click > Open PowerShell Window here”

2.4 To check connected device, run this command :

.\nox_adb.exe devices

Device attached

III. Frida-Server Installation

3.1 First, check the android device version that we used.

.\nox_adb.exe shell getprop ro.product.cpu.abi

Zoom image will be displayed

x86

3.2 I used x86, next download the frida-server package here Download :

frida-server-15.1.2-android-x86.xz

3.3 Rename frida-server-15.1.2-android-x86.xz to frida-server-andro.xz And then extract it.

3.4 After that, copy frida-server-andro file to ../Nox/bin/

Zoom image will be displayed

3.5 Upload frida-server-andro to Nox :

.\nox_adb.exe push .\frida-server-andro /data/local/tmp
.\nox_adb.exe shell "chmod 777 /data/local/tmp/frida-server-andro"

At this stage, we upload frida-server-andro to /data/local/tmp folder on the Nox android device. Then change the permissions to make it executable

Zoom image will be displayed

Succefully Upload frida-server-andro

3.6 Turn on frida-server

.\nox_adb.exe shell "/data/local/tmp/frida-server &"

Zoom image will be displayed

Frida-Server is Up

IV. Burp Proxy Settings On NoxPlayer

After Frida and Objection are ready, we need to set Burp Proxy on the NoxPlayer Andro Device, so Burp can intercept any request on it.

4.1 Check your Host IP (Windows) Open Command Prompt (CMD) and then ‘ipconfig’

My Host IP is 192.168.1.6

4.2 Turn On BurpSuite and then add Proxy Listener on IP 192.168.1.6:8080

Zoom image will be displayed

Add Burp Proxy Listener

4.3 Proxy Setting On Android Device

• Open “Settings>Wifi>WiredSSID” Hold on WiredSSID, and then “Modify Network”

Notes: This step will be different on yours, it depends on the Android Device.

Zoom image will be displayed

• Choose“Advanced Options”. And then choose “Manual”. Insert your Host IP on Proxy Hostname, and set port to 8080

4.4 Burp Certificate Installation

• Open http://burp on Browser. (Make sure burp intercept is On)

• Click CA Certificate to download Burp Certificate

Zoom image will be displayed

• It will download the certificate as cacert.der , after that rename the file to cacert.cer

Zoom image will be displayed

• Open Settings and then Search ‘Certificate’ . Choose “Install Certificates” and then “Install Certificates” choose the “cacert.cer”

Zoom image will be displayed

Search Install Certificates

Pilih Kembali Install Certificates

Choose cacert.cer

• Insert Certificate name as “Burp”.

• Burp Certificate Installation is Finish.

Notes: If it is necessary to set the Device PIN first, then set the Device PIN.

V. SSL Pinning Bypass (Study Case)

After stages I-IV have been done well, next we will try to bypass a SSL Pinning. In this section, we will try a case study on the Medium Application. Or you can directly try to use the application you want to bypass.

5.1 First, Install The App.

Notes: If you want to download the app via Playstore, you need to change the android Proxy to default first.

5.2 Check the list of installed applications

frida-ps -Uai

List installed Apps

Notes: If there is an error, make sure that the frida-server is turned on

From the results above we can find out the name of the application and its identifier. In this case, the Medium application has the identifier com.medium.reader

5.3 Make sure the Proxy setting is set to Burp again, then open the application to ensure that the application uses SSL Pinning.

Applications that use SSL Pinning will display the Error "Received fatal alert: certificate_unknown". This is a sign that Burp failed to intercept the request sent by the application because of SSL Pinning.

Zoom image will be displayed

Received Fatal Alert: Certificate_unknown

5.4 SSL Pinning Bypass Using Objection

Open new PowerShell tab, and then run this command: “objection -g <identifier name> explore”

objection -g com.medium.reader explore

To disable SSLPinning, on Objection run this command:

android sslpinning disable

Zoom image will be displayed

SSL Pinning Bypass using Objection

Next, try to sign in, and look at Burp Interceptor.

Zoom image will be displayed

Yups! we successfully Intercept the request, which means we success in Bypass the SSL Pinning!