@akabe1
Last active April 17, 2025 13:32
Revisions

  1. akabe1 revised this gist Nov 18, 2019. 1 changed file with 4 additions and 4 deletions.
    8 changes: 4 additions & 4 deletions frida_universal_pinning_bypasser.js
    @@ -7,10 +7,10 @@

    setTimeout(function() {
    Java.perform(function() {
    console.log('')
    console.log('======')
    console.log('[#] Android Universal Certificate Pinning Bypasser [#]')
    console.log('======')
    console.log('');
    console.log('======');
    console.log('[#] Android Universal Certificate Pinning Bypasser [#]');
    console.log('======');

    // TrustManagerImpl Certificate Pinning Bypass
    try {
  2. akabe1 revised this gist Nov 16, 2019. 1 changed file with 27 additions and 206 deletions.
    233 changes: 27 additions & 206 deletions frida_universal_pinning_bypasser.js
    @@ -1,224 +1,45 @@
    /* Android ssl certificate pinning bypass script for various methods
    /* Another universal ssl certificate pinning bypass script for Android
    by Maurizio Siddu
    Run with:
    frida -U -f [APP_ID] -l frida_multiple_unpinning.js --no-pause
    frida -U -f [APP_ID] -l frida_universal_pinning_bypasser.js --no-pause
    */

    setTimeout(function() {
    Java.perform(function () {
    Java.perform(function() {
    console.log('')
    console.log('======')
    console.log('[#] Android Bypass for various Certificate Pinning methods [#]')
    console.log('[#] Android Universal Certificate Pinning Bypasser [#]')
    console.log('======')

    var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
    var SSLContext = Java.use('javax.net.ssl.SSLContext');


    // TrustManager (Android < 7)
    var TrustManager = Java.registerClass({
    // Implement a custom TrustManager
    name: 'dev.asd.test.TrustManager',
    implements: [X509TrustManager],
    methods: {
    checkClientTrusted: function (chain, authType) {},
    checkServerTrusted: function (chain, authType) {},
    getAcceptedIssuers: function () {return []; }
    }
    });

    // Prepare the TrustManager array to pass to SSLContext.init()
    var TrustManagers = [TrustManager.$new()];
    // Get a handle on the init() on the SSLContext class
    var SSLContext_init = SSLContext.init.overload(
    '[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom');
    try {
    // Override the init method, specifying the custom TrustManager
    SSLContext_init.implementation = function(keyManager, trustManager, secureRandom) {
    console.log('[+] Intercepted Trustmanager (Android < 7) request');
    SSLContext_init.call(this, keyManager, TrustManagers, secureRandom);
    };

    console.log('[+] Bypassing TrustManager (Android < 7) pinning');
    } catch (err) {
    console.log('[-] TrustManager (Android < 7) pinner not found');
    }




    // okhttp3 (double bypass)
    try {
    var okhttp3_Activity = Java.use('okhttp3.CertificatePinner');
    okhttp3_Activity.check.overload('java.lang.String', 'java.util.List').implementation = function (str) {
    console.log('[+] Intercepted OkHTTP3 {1}: ' + str);
    return true;
    };
    // This method of CertificatePinner.check could be found in some old Android app
    okhttp3_Activity.check.overload('java.lang.String', 'java.security.cert.Certificate').implementation = function (str) {
    console.log('[+] Intercepted OkHTTP3 {2}: ' + str);
    return true;
    };

    console.log('[+] Bypassing OkHTTP3 pinning');
    } catch (err) {
    console.log('[-] OkHTTP3 pinner not found');
    }




    // Trustkit (triple bypass)
    try {
    var trustkit_Activity = Java.use('com.datatheorem.android.trustkit.pinning.OkHostnameVerifier');
    trustkit_Activity.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function (str) {
    console.log('[+] Intercepted Trustkit {1}: ' + str);
    return true;
    };
    trustkit_Activity.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function (str) {
    console.log('[+] Intercepted Trustkit {2}: ' + str);
    return true;
    };
    var trustkit_PinningTrustManager = Java.use('com.datatheorem.android.trustkit.pinning.PinningTrustManager');
    trustkit_PinningTrustManager.checkServerTrusted.implementation = function () {
    console.log('[+] Intercepted Trustkit {3}');
    // TrustManagerImpl Certificate Pinning Bypass
    try {
    var array_list = Java.use('java.util.ArrayList');
    var custom_TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');

    //custom_TrustManagerImpl.checkTrustedRecursive.implementation = function(untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
    custom_TrustManagerImpl.checkTrustedRecursive.implementation = function(a, b, c, d, e, f, g, h) {
    //if host:
    console.log('[+] Bypassing TrustManagerImpl pinner for: ' + b + '...');
    //else:
    // console.log('[+] Bypassing TrustManagerImpl pinner...');
    var fakeTrusted = array_list.$new();
    return fakeTrusted;
    }

    console.log('[+] Bypassing Trustkit pinning');
    } catch (err) {
    console.log('[-] Trustkit pinner not found');
    }




    // TrustManagerImpl (Android > 7)
    try {
    var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
    TrustManagerImpl.verifyChain.implementation = function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
    console.log('[+] Intercepted TrustManagerImpl (Android > 7): ' + host);
    return untrustedChain;
    };

    console.log('[+] Bypassing TrustManagerImpl (Android > 7) pinning');
    } catch (err) {
    console.log('[-] TrustManagerImpl (Android > 7) pinner not found');
    }




    // Appcelerator Titanium
    try {
    var appcelerator_PinningTrustManager = Java.use('appcelerator.https.PinningTrustManager');
    appcelerator_PinningTrustManager.checkServerTrusted.implementation = function () {
    console.log('[+] Intercepted Appcelerator');
    };

    console.log('[+] Bypassing Appcelerator pinning');
    } catch (err) {
    console.log('[-] Appcelerator pinner not found');
    console.log('[-] TrustManagerImpl pinner not found');
    }




    // OpenSSLSocketImpl
    // OpenSSLSocketImpl Certificate Pinning Bypass
    try {
    var OpenSSLSocketImpl = Java.use('com.android.org.conscrypt.OpenSSLSocketImpl');
    OpenSSLSocketImpl.verifyCertificateChain.implementation = function (certRefs, authMethod) {
    console.log('[+] Intercepted OpenSSLSocketImpl');
    };

    console.log('[+] Bypassing OpenSSLSocketImpl pinning');
    } catch (err) {
    console.log('[-] OpenSSLSocketImpl pinner not found');
    }




    // PhoneGap sslCertificateChecker (https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin)
    try {
    var phonegap_Activity = Java.use('nl.xservices.plugins.sslCertificateChecker');
    phonegap_Activity.execute.overload('java.lang.String', 'org.json.JSONArray', 'org.apache.cordova.CallbackContext').implementation = function (str) {
    console.log('[+] Intercepted PhoneGap sslCertificateChecker: ' + str);
    return true;
    };

    console.log('[+] Bypassing PhoneGap sslCertificateChecker pinning');
    } catch (err) {
    console.log('[-] PhoneGap sslCertificateChecker pinner not found');
    }




    // IBM MobileFirst pinTrustedCertificatePublicKey
    // TODO check it out better
    try {
    var WLClient = Java.use('com.worklight.wlclient.api.WLClient.getInstance()');
    // if above does not works try with this
    //var WLClient = Java.use('com.worklight.wlclient.api.WLClient');
    WLClient.pinTrustedCertificatePublicKey.implementation = function (cert) {
    console.log('[+] Intercepted IBM MobileFirst pinTrustedCertificatePublicKey');
    return;
    };

    console.log('[+] Bypassing IBM MobileFirst pinTrustedCertificatePublicKey pinning');
    } catch (err) {
    console.log('[-] IBM MobileFirst pinTrustedCertificatePublicKey pinner not found');
    }




    // IBM WorkLight (ancestor of MobileFirst) HostNameVerifierWithCertificatePinning (quadruple bypass)
    try {
    var worklight_Activity = Java.use('com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning');
    worklight_Activity.verify.overload('java.lang.String', 'javax.net.ssl.SSLSocket').implementation = function (str) {
    console.log('[+] Intercepted IBM WorkLight HostNameVerifierWithCertificatePinning {1}: ' + str);
    return;
    };
    worklight_Activity.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function (str) {
    console.log('[+] Intercepted IBM WorkLight HostNameVerifierWithCertificatePinning {2}: ' + str);
    return;
    };
    worklight_Activity.verify.overload('java.lang.String', 'java.util.List', 'java.util.List').implementation = function (str) {
    console.log('[+] Intercepted IBM WorkLight HostNameVerifierWithCertificatePinning {3}: ' + str);
    return;
    };
    worklight_Activity.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function (str) {
    console.log('[+] Intercepted IBM WorkLight HostNameVerifierWithCertificatePinning {4}: ' + str);
    return true;
    };

    console.log('[+] Bypassing IBM WorkLight HostNameVerifierWithCertificatePinning pinning');
    } catch (err) {
    console.log('[-] IBM WorkLight HostNameVerifierWithCertificatePinning pinner not found');
    }





    // CWAC-Netsecurity (unofficial back-port pinner for Android < 4.2) CertPinManager
    try {
    var CertPinManager_Activity = Java.use('com.commonsware.cwac.netsecurity.conscrypt.CertPinManager');
    CertPinManager_Activity.isChainValid.overload('java.lang.String', 'java.util.List').implementation = function (str) {
    console.log('[+] Intercepted CWAC-Netsecurity CertPinManager: ' + str);
    return true;
    };

    console.log('[+] Bypassing CWAC-Netsecurity CertPinManager pinning');
    var custom_OpenSSLSocketImpl = Java.use('com.android.org.conscrypt.OpenSSLSocketImpl');
    custom_OpenSSLSocketImpl.verifyCertificateChain.implementation = function (g, i) {
    console.log('[+] Bypassing OpenSSLSocketImpl pinner...');
    }
    } catch (err) {
    console.log('[-] CWAC-Netsecurity CertPinManager pinner not found');
    }


    console.log('[-] OpenSSLSocketImpl pinner not found');
    }


    });

    }, 0);
    },0);
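Review bot: The restored `checkTrustedRecursive` hook logs `b`, its second argument, as if it were the host, but the commented-out signature on the line above puts `host` third, so the message probably prints some other value. The page does not mark which side each line is on; going by the 27-addition count and the renamed header comment, the short two-hook script is taken to be the new side. Naming the eight parameters after what they hold would make the log line checkable, and the `catch (err)` blocks drop `err`, where `console.log('[-] TrustManagerImpl hook failed: ' + err);` would show why a hook was not installed. The same code appears in the revision that created the gist.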
  3. akabe1 revised this gist Nov 16, 2019. 1 changed file with 206 additions and 27 deletions.
    233 changes: 206 additions & 27 deletions frida_universal_pinning_bypasser.js
    @@ -1,45 +1,224 @@
    /* Another universal ssl certificate pinning bypass script for Android
    /* Android ssl certificate pinning bypass script for various methods
    by Maurizio Siddu
    Run with:
    frida -U -f [APP_ID] -l frida_universal_pinning_bypasser.js --no-pause
    frida -U -f [APP_ID] -l frida_multiple_unpinning.js --no-pause
    */

    setTimeout(function() {
    Java.perform(function() {
    Java.perform(function () {
    console.log('')
    console.log('======')
    console.log('[#] Android Universal Certificate Pinning Bypasser [#]')
    console.log('[#] Android Bypass for various Certificate Pinning methods [#]')
    console.log('======')

    // TrustManagerImpl Certificate Pinning Bypass
    try {
    var array_list = Java.use('java.util.ArrayList');
    var custom_TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');

    //custom_TrustManagerImpl.checkTrustedRecursive.implementation = function(untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
    custom_TrustManagerImpl.checkTrustedRecursive.implementation = function(a, b, c, d, e, f, g, h) {
    //if host:
    console.log('[+] Bypassing TrustManagerImpl pinner for: ' + b + '...');
    //else:
    // console.log('[+] Bypassing TrustManagerImpl pinner...');
    var fakeTrusted = array_list.$new();
    return fakeTrusted;
    var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
    var SSLContext = Java.use('javax.net.ssl.SSLContext');


    // TrustManager (Android < 7)
    var TrustManager = Java.registerClass({
    // Implement a custom TrustManager
    name: 'dev.asd.test.TrustManager',
    implements: [X509TrustManager],
    methods: {
    checkClientTrusted: function (chain, authType) {},
    checkServerTrusted: function (chain, authType) {},
    getAcceptedIssuers: function () {return []; }
    }
    });

    // Prepare the TrustManager array to pass to SSLContext.init()
    var TrustManagers = [TrustManager.$new()];
    // Get a handle on the init() on the SSLContext class
    var SSLContext_init = SSLContext.init.overload(
    '[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom');
    try {
    // Override the init method, specifying the custom TrustManager
    SSLContext_init.implementation = function(keyManager, trustManager, secureRandom) {
    console.log('[+] Intercepted Trustmanager (Android < 7) request');
    SSLContext_init.call(this, keyManager, TrustManagers, secureRandom);
    };

    console.log('[+] Bypassing TrustManager (Android < 7) pinning');
    } catch (err) {
    console.log('[-] TrustManager (Android < 7) pinner not found');
    }




    // okhttp3 (double bypass)
    try {
    var okhttp3_Activity = Java.use('okhttp3.CertificatePinner');
    okhttp3_Activity.check.overload('java.lang.String', 'java.util.List').implementation = function (str) {
    console.log('[+] Intercepted OkHTTP3 {1}: ' + str);
    return true;
    };
    // This method of CertificatePinner.check could be found in some old Android app
    okhttp3_Activity.check.overload('java.lang.String', 'java.security.cert.Certificate').implementation = function (str) {
    console.log('[+] Intercepted OkHTTP3 {2}: ' + str);
    return true;
    };

    console.log('[+] Bypassing OkHTTP3 pinning');
    } catch (err) {
    console.log('[-] TrustManagerImpl pinner not found');
    console.log('[-] OkHTTP3 pinner not found');
    }


    // OpenSSLSocketImpl Certificate Pinning Bypass


    // Trustkit (triple bypass)
    try {
    var custom_OpenSSLSocketImpl = Java.use('com.android.org.conscrypt.OpenSSLSocketImpl');
    custom_OpenSSLSocketImpl.verifyCertificateChain.implementation = function (g, i) {
    console.log('[+] Bypassing OpenSSLSocketImpl pinner...');
    var trustkit_Activity = Java.use('com.datatheorem.android.trustkit.pinning.OkHostnameVerifier');
    trustkit_Activity.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function (str) {
    console.log('[+] Intercepted Trustkit {1}: ' + str);
    return true;
    };
    trustkit_Activity.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function (str) {
    console.log('[+] Intercepted Trustkit {2}: ' + str);
    return true;
    };
    var trustkit_PinningTrustManager = Java.use('com.datatheorem.android.trustkit.pinning.PinningTrustManager');
    trustkit_PinningTrustManager.checkServerTrusted.implementation = function () {
    console.log('[+] Intercepted Trustkit {3}');
    }

    console.log('[+] Bypassing Trustkit pinning');
    } catch (err) {
    console.log('[-] OpenSSLSocketImpl pinner not found');
    }
    console.log('[-] Trustkit pinner not found');
    }




    // TrustManagerImpl (Android > 7)
    try {
    var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
    TrustManagerImpl.verifyChain.implementation = function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
    console.log('[+] Intercepted TrustManagerImpl (Android > 7): ' + host);
    return untrustedChain;
    };

    console.log('[+] Bypassing TrustManagerImpl (Android > 7) pinning');
    } catch (err) {
    console.log('[-] TrustManagerImpl (Android > 7) pinner not found');
    }




    // Appcelerator Titanium
    try {
    var appcelerator_PinningTrustManager = Java.use('appcelerator.https.PinningTrustManager');
    appcelerator_PinningTrustManager.checkServerTrusted.implementation = function () {
    console.log('[+] Intercepted Appcelerator');
    };

    console.log('[+] Bypassing Appcelerator pinning');
    } catch (err) {
    console.log('[-] Appcelerator pinner not found');
    }




    // OpenSSLSocketImpl
    try {
    var OpenSSLSocketImpl = Java.use('com.android.org.conscrypt.OpenSSLSocketImpl');
    OpenSSLSocketImpl.verifyCertificateChain.implementation = function (certRefs, authMethod) {
    console.log('[+] Intercepted OpenSSLSocketImpl');
    };

    console.log('[+] Bypassing OpenSSLSocketImpl pinning');
    } catch (err) {
    console.log('[-] OpenSSLSocketImpl pinner not found');
    }




    // PhoneGap sslCertificateChecker (https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin)
    try {
    var phonegap_Activity = Java.use('nl.xservices.plugins.sslCertificateChecker');
    phonegap_Activity.execute.overload('java.lang.String', 'org.json.JSONArray', 'org.apache.cordova.CallbackContext').implementation = function (str) {
    console.log('[+] Intercepted PhoneGap sslCertificateChecker: ' + str);
    return true;
    };

    console.log('[+] Bypassing PhoneGap sslCertificateChecker pinning');
    } catch (err) {
    console.log('[-] PhoneGap sslCertificateChecker pinner not found');
    }




    // IBM MobileFirst pinTrustedCertificatePublicKey
    // TODO check it out better
    try {
    var WLClient = Java.use('com.worklight.wlclient.api.WLClient.getInstance()');
    // if above does not works try with this
    //var WLClient = Java.use('com.worklight.wlclient.api.WLClient');
    WLClient.pinTrustedCertificatePublicKey.implementation = function (cert) {
    console.log('[+] Intercepted IBM MobileFirst pinTrustedCertificatePublicKey');
    return;
    };

    console.log('[+] Bypassing IBM MobileFirst pinTrustedCertificatePublicKey pinning');
    } catch (err) {
    console.log('[-] IBM MobileFirst pinTrustedCertificatePublicKey pinner not found');
    }




    // IBM WorkLight (ancestor of MobileFirst) HostNameVerifierWithCertificatePinning (quadruple bypass)
    try {
    var worklight_Activity = Java.use('com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning');
    worklight_Activity.verify.overload('java.lang.String', 'javax.net.ssl.SSLSocket').implementation = function (str) {
    console.log('[+] Intercepted IBM WorkLight HostNameVerifierWithCertificatePinning {1}: ' + str);
    return;
    };
    worklight_Activity.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function (str) {
    console.log('[+] Intercepted IBM WorkLight HostNameVerifierWithCertificatePinning {2}: ' + str);
    return;
    };
    worklight_Activity.verify.overload('java.lang.String', 'java.util.List', 'java.util.List').implementation = function (str) {
    console.log('[+] Intercepted IBM WorkLight HostNameVerifierWithCertificatePinning {3}: ' + str);
    return;
    };
    worklight_Activity.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function (str) {
    console.log('[+] Intercepted IBM WorkLight HostNameVerifierWithCertificatePinning {4}: ' + str);
    return true;
    };

    console.log('[+] Bypassing IBM WorkLight HostNameVerifierWithCertificatePinning pinning');
    } catch (err) {
    console.log('[-] IBM WorkLight HostNameVerifierWithCertificatePinning pinner not found');
    }





    // CWAC-Netsecurity (unofficial back-port pinner for Android < 4.2) CertPinManager
    try {
    var CertPinManager_Activity = Java.use('com.commonsware.cwac.netsecurity.conscrypt.CertPinManager');
    CertPinManager_Activity.isChainValid.overload('java.lang.String', 'java.util.List').implementation = function (str) {
    console.log('[+] Intercepted CWAC-Netsecurity CertPinManager: ' + str);
    return true;
    };

    console.log('[+] Bypassing CWAC-Netsecurity CertPinManager pinning');
    } catch (err) {
    console.log('[-] CWAC-Netsecurity CertPinManager pinner not found');
    }




    });
    },0);

    }, 0);
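Review bot: Every `catch (err)` in the expanded script discards `err` and prints "pinner not found", so a hook that failed for any other reason is reported as an absent library. The IBM MobileFirst block shows the effect: it passes `'com.worklight.wlclient.api.WLClient.getInstance()'` to `Java.use`, which is a call expression rather than a class name, so that block presumably always ends in its catch. Printing the error, for example `console.log('[-] IBM MobileFirst pinTrustedCertificatePublicKey hook failed: ' + err);`, would separate the two cases. The `Java.use`, `Java.registerClass` and `SSLContext.init.overload(...)` calls at the top sit outside any `try`, so an exception there would keep the later blocks from running. Which lines are new is inferred from the 206-addition count, since the page does not mark sides.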
  4. akabe1 created this gist Apr 11, 2019.
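--- a/frida_universal_pinning_bypasser.js
+++ b/frida_universal_pinning_bypasser.js
@@ -0,0 +1,45 @@
+/* Another universal ssl certificate pinning bypass script for Android
+by Maurizio Siddu
+Run with:
+frida -U -f [APP_ID] -l frida_universal_pinning_bypasser.js --no-pause
+*/
+
+setTimeout(function() {
+Java.perform(function() {
+console.log('')
+console.log('======')
+console.log('[#] Android Universal Certificate Pinning Bypasser [#]')
+console.log('======')
+
+// TrustManagerImpl Certificate Pinning Bypass
+try {
+var array_list = Java.use('java.util.ArrayList');
+var custom_TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
+
+//custom_TrustManagerImpl.checkTrustedRecursive.implementation = function(untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
+custom_TrustManagerImpl.checkTrustedRecursive.implementation = function(a, b, c, d, e, f, g, h) {
+//if host:
+console.log('[+] Bypassing TrustManagerImpl pinner for: ' + b + '...');
+//else:
+// console.log('[+] Bypassing TrustManagerImpl pinner...');
+var fakeTrusted = array_list.$new();
+return fakeTrusted;
+}
+} catch (err) {
+console.log('[-] TrustManagerImpl pinner not found');
+}
+
+
+// OpenSSLSocketImpl Certificate Pinning Bypass
+try {
+var custom_OpenSSLSocketImpl = Java.use('com.android.org.conscrypt.OpenSSLSocketImpl');
+custom_OpenSSLSocketImpl.verifyCertificateChain.implementation = function (g, i) {
+console.log('[+] Bypassing OpenSSLSocketImpl pinner...');
+}
+} catch (err) {
+console.log('[-] OpenSSLSocketImpl pinner not found');
+}
+
+});
+},0);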
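Review bot: The `checkTrustedRecursive` replacement carries no comment saying what returning an empty `ArrayList` means for the caller. As written it returns a new empty list on every call whatever the arguments, so it appears to switch off certificate chain validation for every connection in the instrumented process rather than only the pinning check; a comment such as `// Returns an empty list for every call: chain validation is skipped for all hosts in this process` would state that scope. The `setTimeout(..., 0)` wrapper is also unexplained and could take a one-line comment giving the reason for the deferral.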