diff --git a/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md b/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md index 1ca8d83dc9a..d3f8e6cbd36 100644 --- a/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md +++ b/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md 
@@ -114,6 +114,28 @@ Notes - Auto-Frida can auto-install `frida`/`frida-tools` if missing and supports multi-device selection. - Generated scripts can be executed immediately or merged with your custom hooks after analysis. +## Static-first targeted Frida generation (apktool + JADX + pattern maps) + +A useful workflow before attaching Frida is to **decompile first** (`apktool` for smali/resources and `jadx` for Java), then **scan both outputs for concrete protection artifacts** and generate hooks only for what is actually present. This reduces trial-and-error and avoids loading oversized universal bypass bundles. + +Typical detections worth mapping to hook groups: +- **Root / anti-instrumentation**: `su` and BusyBox path checks, Magisk/SuperSU packages, `Build.TAGS`, `ro.secure`, `ro.debuggable`, RootBeer/RootTools, Frida/Xposed self-detection, emulator heuristics, APK signature/tamper checks, SafetyNet / Play Integrity calls. +- **TLS pinning**: OkHttp `CertificatePinner`, custom `X509TrustManager`, custom `HostnameVerifier`, `network_security_config`, TrustKit, WebView SSL handlers, `HttpsURLConnection`, gRPC/Cronet/Conscrypt, Firebase/GMS TLS, public-key pinning, certificate-transparency checks. + +Practical use: +```bash +apktool d app.apk -o apktool_out +jadx app.apk -d jadx_out +frida -U -f com.target.app -l frida/master_bypass.js --no-pause +``` + +Why this is useful: +- **Targeted hooks** are usually more stable than universal scripts because each overload can be chosen from the matched implementation. +- The report from the static scan tells you **which bypass family failed** (file/package/build-prop/root-library/TrustManager/CertificatePinner/etc.) so you can extend only that part. +- If the scan flags **native JNI root checks** or **native TLS pinning**, expect Java hooks to be incomplete and pivot early to native tracing/patching (`JNI_OnLoad`, exported JNI methods, BoringSSL callbacks). 
+ +Example tooling following this model: **APKShield-PT** generates `master_bypass.js`, `root_bypass.js`, `ssl_bypass.js`, `safetynet_bypass.js`, and `frida_detection_bypass.js` from the protections found in the APK instead of guessing blindly. + ## Step 3 — Bypass init-time detectors by attaching late Many detections only run during process spawn/onCreate(). Spawn‑time injection (-f) or gadgets get caught; attaching after UI loads can slip past. @@ -477,6 +499,7 @@ Notes - [Magisk](https://github.com/topjohnwu/Magisk) - [Medusa (Android Frida framework)](https://github.com/Ch0pin/medusa) - [Auto-Frida (Android Frida automation toolkit)](https://github.com/ommirkute/Auto-Frida) +- [APKShield-PT](https://github.com/Whitehat987/apkshield-pt) - [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools) - [phantom-frida (stealth Frida server builder)](https://github.com/TheQmaks/phantom-frida) - [Frida OkHttp4 SSL pinning bypass script](https://github.com/Zero3141/Frida-OkHttp-Bypass)
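Review bot: In the first hunk, the "Practical use" block jumps from `jadx app.apk -d jadx_out` straight to `frida -U -f com.target.app -l frida/master_bypass.js --no-pause`, so `frida/master_bypass.js` appears before the reader is told what produces it; the tool that generates it (APKShield-PT) is only named two paragraphs later. Either move the "Example tooling following this model" sentence above the code block or add a comment line between the `jadx` and `frida` commands such as `# run the static scanner here to emit frida/master_bypass.js` so the three commands read as one sequence. The same block also uses spawn mode (`-f`) immediately before "Step 3 — Bypass init-time detectors by attaching late", which states that spawn-time injection "gets caught"; a short note that `-f` is the first attempt and that attaching to the already-running process (per Step 3) is the fallback would keep the two sections from contradicting each other. Minor: the new `##` heading sits inside the numbered "Step N —" sequence without a step number, and "each overload can be chosen from the matched implementation" is hard to parse; "hooks target the overload actually present in the decompiled code" says the same thing more plainly.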
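Review bot: In the second hunk the new reference entry `- [APKShield-PT](https://github.com/Whitehat987/apkshield-pt)` is the only line in that list without the descriptive parenthetical its neighbours use (`Auto-Frida (Android Frida automation toolkit)`, `phantom-frida (stealth Frida server builder)`); suggest `- [APKShield-PT (static-scan driven Frida bypass generator)](https://github.com/Whitehat987/apkshield-pt)` for consistency, and confirm the repository owner and name in the URL match the project described in the new section.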