[bug & solution] Suggest change to the bypassing SSL-Pinning of Okhttp3 since original code doesn't work #571

Open
@kiven7299

About the issue

There is an Android app which demos SSL pinning: https://github.com/httptoolkit/android-ssl-pinning-demo.
Trying to disable its SSL pinning with Objection (command android sslpinning disable) fails for the OkHttp3 library:

  • As can be seen below, the pinning still performs well:
    image

Spot the bug in Objection's Frida scripts

In file agent.js, in the function const okHttp3CertificatePinnerCheckOkHttp = (ident) => {...}, the issue is the red-underlined code below:
image

  • Since there is no check$okhttp with an argument of type u15, the code fails to hook into it.

Suggested fix

Just hook okhttp3.CertificatePinner.check$okhttp without overload(...)

  • Change the red-underlined code to const CertificatePinnerCheckOkHttp = certificatePinner.check$okhttp

image

Result

image
image
