Universal SSL Pinning Bypass
4 views
81d05d2d...
Description
this is my attempt to create an universal bypass script for android
How to Use
Download the script and run it with Frida CLI:
Download ScriptThen run with Frida:
frida -U -f YOUR_PACKAGE_NAME -l universal-ssl-pinning-bypass.js
Replace YOUR_PACKAGE_NAME with the target app's package name.
Source Code
JavaScript
Java.perform(function() {
console.log("\n Universal SSL Pinning Bypass v2.0");
console.log(" by Jadkorr\n");
try {
// 1. TrustManager - Android Conscrypt
try {
var TrustManagerImpl = Java.use("com.android.org.conscrypt.TrustManagerImpl");
TrustManagerImpl.verifyChain.implementation = function(untrustedChain, host, session) {
console.log("[*] TrustManagerImpl.verifyChain() bypassed for: " + host);
return untrustedChain;
};
console.log("[✓] Android Conscrypt TrustManager hooked");
} catch (err) {
console.log("[!] Android Conscrypt TrustManager not found");
}
// 2. X509TrustManager
try {
var X509TrustManager = Java.use("javax.net.ssl.X509TrustManager");
X509TrustManager.checkClientTrusted.implementation = function(chain, authType) {
console.log("[*] X509TrustManager.checkClientTrusted() bypassed");
};
X509TrustManager.checkServerTrusted.implementation = function(chain, authType) {
console.log("[*] X509TrustManager.checkServerTrusted() bypassed");
};
X509TrustManager.getAcceptedIssuers.implementation = function() {
console.log("[*] X509TrustManager.getAcceptedIssuers() bypassed");
return [];
};
console.log("[✓] X509TrustManager hooked");
} catch (err) {
console.log("[!] X509TrustManager not found");
}
// 3. WebViewClient
try {
var WebViewClient = Java.use("android.webkit.WebViewClient");
WebViewClient.onReceivedSslError.implementation = function(view, handler, error) {
console.log("[*] WebViewClient.onReceivedSslError() bypassed");
handler.proceed();
};
console.log("[✓] WebViewClient SSL error handler hooked");
} catch (err) {
console.log("[!] WebViewClient not found");
}
// 4. OkHttp3 CertificatePinner
try {
var CertificatePinner3 = Java.use("okhttp3.CertificatePinner");
CertificatePinner3.check.overload("java.lang.String", "java.util.List").implementation = function(hostname, peerCertificates) {
console.log("[*] OkHttp3 CertificatePinner.check() bypassed for: " + hostname);
return;
};
console.log("[✓] OkHttp 3.x CertificatePinner hooked");
} catch (err) {
console.log("[!] OkHttp 3.x CertificatePinner not found");
}
// 5. HostnameVerifier
try {
var HostnameVerifier = Java.use("javax.net.ssl.HostnameVerifier");
HostnameVerifier.verify.implementation = function(hostname, session) {
console.log("[*] HostnameVerifier.verify() bypassed for: " + hostname);
return true;
};
console.log("[✓] HostnameVerifier hooked");
} catch (err) {
console.log("[!] HostnameVerifier not found");
}
// 6. OkHttp HostnameVerifier
try {
var OkHostnameVerifier = Java.use("okhttp3.internal.tls.OkHostnameVerifier");
OkHostnameVerifier.verify.overload("java.lang.String", "javax.net.ssl.SSLSession").implementation = function(hostname, session) {
console.log("[*] OkHostnameVerifier.verify() bypassed for: " + hostname);
return true;
};
console.log("[✓] OkHttp HostnameVerifier hooked");
} catch (err) {
console.log("[!] OkHttp HostnameVerifier not found");
}
// 7. SSLContext
try {
var SSLContext = Java.use("javax.net.ssl.SSLContext");
var X509TrustManager = Java.use("javax.net.ssl.X509TrustManager");
var TrustManagerFactory = Java.registerClass({
name: 'com.*******.TrustManagerFactory',
implements: [X509TrustManager],
methods: {
checkClientTrusted: function(chain, authType) {
console.log("[*] Custom TrustManager - checkClientTrusted bypassed");
},
checkServerTrusted: function(chain, authType) {
console.log("[*] Custom TrustManager - checkServerTrusted bypassed");
},
getAcceptedIssuers: function() {
return [];
}
}
});
SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").implementation = function(keyManager, trustManager, secureRandom) {
console.log("[*] SSLContext.init() called - injecting custom TrustManager");
var customTrustManager = TrustManagerFactory.$new();
this.init(keyManager, [customTrustManager], secureRandom);
};
console.log("[✓] SSLContext.init() hooked with custom TrustManager");
} catch (err) {
console.log("[!] SSLContext hooking failed");
}
// 8. Network Security Policy
try {
var NetworkSecurityPolicy = Java.use("android.security.NetworkSecurityPolicy");
NetworkSecurityPolicy.getInstance.implementation = function() {
console.log("[*] NetworkSecurityPolicy.getInstance() bypassed");
return Java.cast(this.getInstance(), NetworkSecurityPolicy);
};
var NetworkSecurityPolicyInstance = NetworkSecurityPolicy.getInstance();
NetworkSecurityPolicyInstance.isCertificateTransparencyVerificationRequired.implementation = function(hostname) {
console.log("[*] Certificate Transparency verification disabled for: " + hostname);
return false;
};
console.log("[✓] Network Security Policy hooked");
} catch (err) {
console.log("[!] Network Security Policy not found");
}
// 9. Hardcoded Certificate Bypass
try {
var X509Certificate = Java.use("java.security.cert.X509Certificate");
X509Certificate.checkValidity.overload().implementation = function() {
console.log("[*] X509Certificate.checkValidity() bypassed");
return;
};
X509Certificate.checkValidity.overload('java.util.Date').implementation = function(date) {
console.log("[*] X509Certificate.checkValidity(Date) bypassed");
return;
};
X509Certificate.verify.overload('java.security.PublicKey').implementation = function(publicKey) {
console.log("[*] X509Certificate.verify() bypassed");
return;
};
console.log("[✓] Hardcoded X509Certificate validation bypassed");
} catch (err) {
console.log("[!] X509Certificate bypass failed");
}
console.log("\n[*] SSL Pinning Bypass initialization completed");
console.log("[*] Monitoring SSL/TLS connections...");
} catch (err) {
console.log("[!] Critical error: " + err);
}
});
Comments