frida-interception-and-unpinning
frida-interception-and-unpinning copied to clipboard
httptoolkit
SSL error when trying to bypass Youtube pinning
Hey, first I just wanted to mention that I really appreciate your hard work, thank you.
I'm using Burp as my proxy and mostly able to sniff most of the application I tried so far.
When trying to sniff Youtube's app, the app starts but nothing loads, as if it has no internet connection.
When looking on the logs (I'm on debug mode), I can see no errors or even an attempt to bypass the pinning (log attached at the end)
I examined Logcat, and saw that the only indication I got is:
[0314/163027.859572:ERROR:ssl_client_socket_impl.cc(975)] handshake failed; returned -1, SSL error code 1, net_error -202
BTW, if I try to sniff using HTTP Toolkit there are no error and I can see the traffic. Thank you
Log from frida
____
/ _ | Frida 16.2.1 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to Android Emulator 5554 (id=emulator-5554)
Spawning `com.google.android.youtube`...
*** Starting scripts ***
Spawned `com.google.android.youtube`. Resuming main thread!
[Android Emulator 5554::com.google.android.youtube ]->
=== Disabling all recognized unpinning libraries ===
[+] javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier
[+] javax.net.ssl.HttpsURLConnection setSSLSocketFactory
[+] javax.net.ssl.HttpsURLConnection setHostnameVerifier
[+] javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
[ ] com.android.org.conscrypt.CertPinManager isChainValid
[+] com.android.org.conscrypt.CertPinManager checkChainPinning
[+] android.security.net.config.NetworkSecurityConfig $init(*) (0)
[+] android.security.net.config.NetworkSecurityConfig $init(*) (1)
[+] com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
[+] com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] okhttp3.CertificatePinner *
[ ] com.squareup.okhttp.CertificatePinner *
[ ] com.datatheorem.android.trustkit.pinning.PinningTrustManager *
[ ] appcelerator.https.PinningTrustManager *
[ ] nl.xservices.plugins.sslCertificateChecker *
[ ] com.worklight.wlclient.api.WLClient *
[ ] com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning *
[ ] com.worklight.androidgap.plugin.WLCertificatePinningPlugin *
[ ] com.commonsware.cwac.netsecurity.conscrypt.CertPinManager *
[ ] io.netty.handler.ssl.util.FingerprintTrustManagerFactory *
[ ] com.silkimen.cordovahttp.CordovaServerTrust *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyHostnameVerifier *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyTrustManager *
== Certificate unpinning completed ==
*** Scripts completed ***
=> android.security.net.config.NetworkSecurityConfig $init(*) (0)
=> android.security.net.config.NetworkSecurityConfig $init(*) (0)
=> android.security.net.config.NetworkSecurityConfig $init(*) (0)
=> android.security.net.config.NetworkSecurityConfig $init(*) (0)
=> javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
