native-connect-hook issue.
└─$ frida -H 127.0.0.1:27042 -l ./config.js -l ./native-connect-hook.js -l ./native-tls-hook.js -l ./android/android-proxy-override.js -l ./android/android-system-certificate-injection.js -l ./android/android-certificate-unpinning.js -l ./android/android-certificate-unpinning-fallback.js -p 16082
     ____
    / _  |   Frida 17.1.2 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to 127.0.0.1:27042 ([email protected]:27042)
Attaching...
*** Starting scripts ***
== Proxy system configuration overridden to 127.0.0.1:9000 ==
Rewriting <class: java.net.ProxySelector>
Rewriting <class: sun.net.spi.DefaultProxySelector>
== Proxy configuration overridden to 127.0.0.1:9000 ==
[+] Injected cert into com.android.org.conscrypt.TrustedCertificateIndex
[ ] Skipped cert injection for org.conscrypt.TrustedCertificateIndex (not present)
[ ] Skipped cert injection for org.apache.harmony.xnet.provider.jsse.TrustedCertificateIndex (not present)
== System certificate trust injected ==
=== Disabling all recognized unpinning libraries ===
[+] javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier
[+] javax.net.ssl.HttpsURLConnection setSSLSocketFactory
[+] javax.net.ssl.HttpsURLConnection setHostnameVerifier
[+] javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
[ ] com.android.org.conscrypt.CertPinManager isChainValid
[+] com.android.org.conscrypt.CertPinManager checkChainPinning
[+] android.security.net.config.NetworkSecurityConfig $init() (0)
[+] android.security.net.config.NetworkSecurityConfig $init() (1)
=> android.security.net.config.NetworkSecurityConfig $init() (0)
[+] com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
[+] com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] okhttp3.CertificatePinner *
[ ] com.squareup.okhttp.CertificatePinner *
[ ] com.datatheorem.android.trustkit.pinning.PinningTrustManager *
[ ] appcelerator.https.PinningTrustManager *
[ ] nl.xservices.plugins.sslCertificateChecker *
[ ] com.worklight.wlclient.api.WLClient *
[ ] com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning *
[ ] com.worklight.androidgap.plugin.WLCertificatePinningPlugin *
[ ] com.commonsware.cwac.netsecurity.conscrypt.CertPinManager *
[ ] io.netty.handler.ssl.util.FingerprintTrustManagerFactory *
[ ] com.silkimen.cordovahttp.CordovaServerTrust *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyHostnameVerifier *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyTrustManager *
== Certificate unpinning completed ==
=> android.security.net.config.NetworkSecurityConfig $init() (0)
== Unpinning fallback auto-patcher installed ==
*** Scripts completed ***
TypeError: not a function
at
Hi @kaifcodec, thanks for reporting this! I think this is due to a breaking change in the recently released Frida v17: https://frida.re/news/2025/05/17/frida-17-0-0-released/#static-module-apis:
For the rest, you first need to look up the Module, and then access the desired property or method on it. For example, instead of:
Module.getExportByName('libc.so', 'open')
The new way is:
Process.getModuleByName('libc.so').getExportByName('open')
Would you like to open a PR to update this? We have a few places where we use Module.* methods and it sounds like those will each need updating. The changes should be fairly quick, it just needs testing.
From what I can see, the new approach here has been supported since v16 so we shouldn't need any backward compatibility logic (although if you have time to quickly double check this by testing with v16 that would be very helpful).
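As an added illustration of the migration described in the comment above (not code from this repository or from Frida), this Node.js script scans script source for static `Module.getExportByName` / `Module.findExportByName` calls and proposes the Frida 17 form. The sample input is constructed, and the `Module.getGlobalExportByName` / `Module.findGlobalExportByName` names used for the null-module case come from the Frida 17 release notes rather than from this thread.

```javascript
// Added example: flag static Module export lookups removed in Frida 17 and
// propose the instance-based replacement. Only simple argument lists are
// handled (no nested calls or commas inside an argument).
const STATIC_EXPORT_CALL =
  /\bModule\.(get|find)ExportByName\(\s*([^,()]+?)\s*,\s*([^,()]+?)\s*\)/g;

function rewriteCall(kind, moduleArg, exportArg) {
  if (moduleArg === 'null') {
    // A null module name meant "search all loaded modules".
    return `Module.${kind}GlobalExportByName(${exportArg})`;
  }
  if (kind === 'get') {
    // get* throws when the module or export is missing, as the old call did.
    return `Process.getModuleByName(${moduleArg}).getExportByName(${exportArg})`;
  }
  // find* returns null instead of throwing; keep that for a missing module too.
  return `(Process.findModuleByName(${moduleArg})?.findExportByName(${exportArg}) ?? null)`;
}

function findLegacyModuleCalls(source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    for (const m of text.matchAll(STATIC_EXPORT_CALL)) {
      findings.push({
        line: index + 1,
        found: m[0],
        suggestion: rewriteCall(m[1], m[2], m[3]),
      });
    }
  });
  return findings;
}

// Constructed sample script text (not taken from the repository).
const SAMPLE = [
  "const open = Module.getExportByName('libc.so', 'open');",
  "const conn = Module.findExportByName(null, 'connect');",
  "const rd = Module.findExportByName(libName, 'read');",
  "const ok = Process.getModuleByName('libc.so').getExportByName('close');",
].join('\n');

for (const f of findLegacyModuleCalls(SAMPLE)) {
  console.log(`line ${f.line}: ${f.found}\n    -> ${f.suggestion}`);
}
```

The fourth sample line already uses the instance API and is not reported.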
I tried with frida v16.x.x and it worked but.
I wanted to capture HTTPS traffic of the Instagram Lite app. I used the following command:
frida -H 127.0.0.1:27042 -l ./config.js -l ./android/android-certificate-unpinning.js -l ./android/android-certificate-unpinning-fallback.js -l ./android/android-system-certificate-injection.js -l native-tls-hook.js -p 18356
I am using the Reqable app on my Android phone, which captures traffic over VPN (my phone is rooted, and the Reqable CA cert is installed at system level).
I don't want it to forward the traffic to a proxy, which is why I tried the above command. Let me know whether it will work.
This results in this output,
. . . Connected to 127.0.0.1:27042 ([email protected]:27042)
Attaching...
*** Starting scripts ***
Disabling all recognized unpinning libraries
[+] javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier
[+] javax.net.ssl.HttpsURLConnection setSSLSocketFactory
[+] javax.net.ssl.HttpsURLConnection setHostnameVerifier
[+] javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
[ ] com.android.org.conscrypt.CertPinManager isChainValid
[+] com.android.org.conscrypt.CertPinManager checkChainPinning
[+] android.security.net.config.NetworkSecurityConfig $init(*) (0)
[+] android.security.net.config.NetworkSecurityConfig $init(*) (1)
=> android.security.net.config.NetworkSecurityConfig $init(*) (0)
[+] com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
[+] com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] okhttp3.CertificatePinner *
[ ] com.squareup.okhttp.CertificatePinner *
[ ] com.datatheorem.android.trustkit.pinning.PinningTrustManager *
[ ] appcelerator.https.PinningTrustManager *
[ ] nl.xservices.plugins.sslCertificateChecker *
[ ] com.worklight.wlclient.api.WLClient *
[ ] com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning *
[ ] com.worklight.androidgap.plugin.WLCertificatePinningPlugin *
[ ] com.commonsware.cwac.netsecurity.conscrypt.CertPinManager *
[ ] io.netty.handler.ssl.util.FingerprintTrustManagerFactory *
[ ] com.silkimen.cordovahttp.CordovaServerTrust *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyHostnameVerifier *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyTrustManager *
== Certificate unpinning completed ==
=> android.security.net.config.NetworkSecurityConfig $init(*) (0)
== Unpinning fallback auto-patcher installed ==
[+] Injected cert into com.android.org.conscrypt.TrustedCertificateIndex
[ ] Skipped cert injection for org.conscrypt.TrustedCertificateIndex (not present)
[ ] Skipped cert injection for org.apache.harmony.xnet.provider.jsse.TrustedCertificateIndex (not present)
== System certificate trust injected ==
[+] Patched 2 libssl.so verification methods
== Hooked native TLS lib libssl.so ==
*** Scripts completed ***
[Remote::Instagram Lite ]->
But in the Reqable app, traffic is coming in, but the requests of Instagram Lite are being shut down and the response shows:
Unable to connect to https://iglite-z.instagram.com
Let me know if this tool can help me on Instagram or not.
I can't help with specific apps, and I don't know anything about Instagram specifically. If you try the changes from this PR though, do those work for you? That hasn't been merged yet as it doesn't quite fit into some constraints of the other scripts here, but in theory that should cover Meta's certificate verification.
Yeah, that's ok, I will definitely give it a try.
Thank you!
Check out #140, it had been fixed.
Wow, you here too? @kaifcodec Did you make it work?
Yeah, the native-connect-hook.js had some mismatches with frida v17.x.x so I made it work, but maybe the owner is too busy to merge it.
You can use it from the forked repository of it on my profile.
(As I know you, maybe you want to test this on Instagram, but let me tell you that these hooks don't work with Instagram, because Instagram doesn't use Java-level SSL pinning; they are most likely doing it natively from one of the libX.so libraries, native C++/C code, and that's why Frida hooking may not be working.)
Do you have Telegram? I want to consult you on some questions.
Yeah, I wanted to intercept Instagram, but I was getting another error and I did not use the native-connect hook.
So we can't intercept Instagram? But I have done that in the past... I used the patched Instagram APK.
Even if you hook native-connect-hook.js you still can't bypass their SSL pinning, because Instagram doesn't trust system certificates too, which forces it to pass their connections using proxy. The only option is to use the patched APK and the Reqable app; if you have your phone rooted then you will get full power to intercept HTTPS requests seamlessly.
Yes, I have root. Please share the link to the working, most recent patched APK. Also, how can I intercept the HTTPS traffic of that Instagram app on Windows (using adb), not on the Android device itself?
Have you tried using the Frida script from https://github.com/Eltion/Instagram-SSL-Pinning-Bypass? This seems to be actively updated and should work well with the existing scripts here. Please let me know if that works for you and I can potentially integrate some of that logic here too.
Yes, I had used it and it worked well on Android. You can use that logic, and it's needed too.
What changes did you make? Is it now workable for Instagram?
I've just pushed some updates that might be able to handle insta etc automatically. The unpinning fallback script now detects some of these cases and resolves them automatically. Can somebody interested in this test it out and see if it works for you?
From some discussion I've seen elsewhere, it may only work the first time - after that, it detects HTTP/3 support, and thereby uses this to skip interception by most proxy tools. For now just clear storage & cache beforehand to test this, which should work every time. Blocking HTTP/3 (forcing downgrade to HTTP/2) is coming here imminently though and that should resolve this anyway.
I'm a bit tied up with another project and some personal work at the moment, so I won't be able to test the new changes right away. But it sounds like a great step forward — I’ll definitely try it out when I get the chance.
Appreciate the quick iterations you're making on this!