
I have a simple app and am trying to bypass its SSL pinning with no luck. I already did android sslpinning disable but it didn't work.

Based on this article, https://blog.nviso.eu/2020/11/19/proxying-android-app-traffic-common-issues-checklist/, I then used apktool to decompile my app, then searched across all smali classes for anything that might be doing pinning using:

grep -ri "java/lang/String;\[Ljava/lang/String;)L" smali

There were 3 smali files and I found the okhttp3 stuff in the last smali file, smali_classes3.

This was the output:

smali_classes3/okhttp3/CertificatePinner$Builder.smali:        "(Ljava/lang/String;[Ljava/lang/String;)Lokhttp3/CertificatePinner$Builder;",
smali_classes3/okhttp3/CertificatePinner$Builder.smali:.method public final varargs add(Ljava/lang/String;[Ljava/lang/String;)Lokhttp3/CertificatePinner$Builder;

So I created this script, hook2.js:

Java.perform(function(){
    var Pinner = Java.use("okhttp3.CertificatePinner$Builder");
    Pinner.Builder.overload('java.lang.String', '[Ljava.lang.String;').implementation = function(Builder, b)
    {
        console.log("Disabling pin for " + Builder);
        return this;
    }
});

and tried to inject it using objection:

objection explore --startup-script hook2.js

I get an error

Importing and running startup script at: <_io.TextIOWrapper name='hook2.js' mode='r' encoding='cp1252'>
[{'type': 'error', 'description': "TypeError: cannot read property 'overload' of undefined", 'stack': "TypeError: cannot read property 'overload' of undefined\n    at <anonymous> (/script2.js:3)\n    at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:11)\n    at _performPendingVmOps (frida/node_modules/frida-java-bridge/index.js:238)\n    at <anonymous> (frida/node_modules/frida-java-bridge/index.js:213)\n    at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:11)\n    at _performPendingVmOpsWhenReady (frida/node_modules/frida-java-bridge/index.js:232)\n    at perform (frida/node_modules/frida-java-bridge/index.js:192)\n    at <eval> (/script2.js:8)", 'fileName': '/script2.js', 'lineNumber': 3, 'columnNumber': 1}]

How can I get this injected properly or is my script wrong?

West
  • For an unknown reason some apps no longer load all classes right at the beginning and thus Frida cannot hook them. I am not sure if this is caused by Android itself or a bug in Frida. Please see the very similar question: https://stackoverflow.com/q/70135333/150978 – Robert Jan 09 '22 at 11:41
  • @Robert Oh that's a bugger. Is my script correct though? Any way around this or injecting at some point after starting? I'm still new to this so struggling with a few things – West Jan 09 '22 at 11:49
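
Reading the grep output quoted in the question, as an added example that is not part of the original post or its comments: a small Node.js parser that turns a smali `.method` line into the Java class name, method name and argument types, written in the notation the question's script passes to `overload`. The function names are hypothetical and the sample line is copied from the question's output.

```javascript
// Added example: parse a smali ".method" line as grep prints it and recover
// the Java-side class, method name and argument types.

// Constructed input: the second grep hit quoted in the question.
const SAMPLE_HIT = 'smali_classes3/okhttp3/CertificatePinner$Builder.smali:' +
  '.method public final varargs add(Ljava/lang/String;[Ljava/lang/String;)' +
  'Lokhttp3/CertificatePinner$Builder;';

const PRIMITIVES = { Z: 'boolean', B: 'byte', C: 'char', S: 'short', I: 'int',
                     J: 'long', F: 'float', D: 'double', V: 'void' };

// Split a JVM type list ("Ljava/lang/String;[I") into single descriptors.
function splitTypes(list) {
  const out = [];
  let i = 0;
  while (i < list.length) {
    const start = i;
    while (list[i] === '[') i++;                 // array dimensions
    if (list[i] === 'L') {                       // object type ends at ';'
      const end = list.indexOf(';', i);
      if (end === -1) throw new Error('unterminated object type: ' + list);
      i = end + 1;
    } else if (PRIMITIVES[list[i]]) {
      i++;
    } else {
      throw new Error('bad descriptor at offset ' + i + ': ' + list);
    }
    out.push(list.slice(start, i));
  }
  return out;
}

// Objects become dotted names; arrays keep the JNI form with dots.
function toJavaName(desc) {
  if (desc[0] === '[') return desc.replace(/\//g, '.');
  if (desc[0] === 'L') return desc.slice(1, -1).replace(/\//g, '.');
  return PRIMITIVES[desc];
}

function parseGrepHit(line) {
  const m = /^(?:smali[^/]*\/)?(.+)\.smali:\s*\.method\s+(.*?)([^\s(]+)\(([^)]*)\)(\S+)$/.exec(line);
  if (!m) return null;                           // not a .method line
  return {
    className: m[1].replace(/\//g, '.'),
    modifiers: m[2].trim().split(/\s+/).filter(Boolean),
    method: m[3],
    args: splitTypes(m[4]).map(toJavaName),
    returns: toJavaName(m[5]),
  };
}
```

For the hit above it reports the method `add` on the class `okhttp3.CertificatePinner$Builder`; `Builder` appears only in the class name and the return type, not as a method name.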

0 Answers