Disable Android Certificate Pinning with Frida

Andrea Dainese
July 23, 2022

During security assessments of smart-home applications, I usually need to analyze encrypted HTTPS communications. Applications usually check for valid certificates, but may also check that the certificate is signed by a specific issuer. This is called "Certificate Pinning"; although it is not recommended, it is widely used:

Caution: Certificate Pinning is not recommended for Android applications due to the high risk of future server configuration changes, such as changing to another Certificate Authority, rendering the application unable to connect to the server without receiving a client software update.

To decipher HTTPS connections protected with Certificate Pinning, we need a different approach: Frida, a dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.

Installing Frida on Kali Linux

Let’s prepare our Kali Linux:

sudo apt install android-tools-adb android-tools-fastboot

We install an older Python version from source:

sudo apt install libssl-dev libsqlite3-dev liblzma-dev libffi-dev zlib1g-dev
wget https://www.python.org/ftp/python/3.7.12/Python-3.7.12.tgz
tar xzvf Python-3.7.12.tgz -o -C /opt
cd /opt/Python-3.7.12
./configure --enable-optimizations
make

Finally, we create a virtual environment with the interpreter we just built:

./python -m venv ~/.venv-frida

Using the above Python interpreter and virtual environment, we can install Frida:

source ~/.venv-frida/bin/activate
pip install frida-tools objection

Installing Frida server on Android device

On a rooted Android device, enable USB Debugging. Go to Settings > About Phone > Software Information and tap Build Number 7 times, then go to Settings > Developer Options and enable USB Debugging.

Connect the phone via USB cable to your computer and restart ADB:

adb kill-server
adb devices
- daemon not running; starting now at tcp:5037
- daemon started successfully
List of devices attached
520011a1a0123143        device

Download the Frida server release matching the device architecture, plus the unpinning script:

wget https://github.com/frida/frida/releases/download/15.2.2/frida-server-15.2.2-android-arm64.xz
wget https://raw.githubusercontent.com/httptoolkit/frida-android-unpinning/main/frida-script.js

Upload Frida server to the Android device:

unxz frida-server-15.2.2-android-arm64.xz
mv frida-server-15.2.2-android-arm64 frida-server
adb push frida-server /data/local/tmp/

Finally start the Frida server on the Android device:

adb shell
su
/data/local/tmp/frida-server

Open another shell on Kali Linux, activate the Python virtual environment built for Frida, and check the connection between the client (Kali Linux) and the server (Android):

frida-ps -U

The last command should return the list of processes running on the Android device.
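The push/start/check steps above, collected into a hypothetical helper script (an added example, not the post's own tooling). It reads the device ABI with getprop so the downloaded frida-server build, the extracted file and the pushed binary always agree; it assumes adb, wget, unxz and frida-tools are on the PATH and that the device has a working su:

```shell
#!/usr/bin/env bash
# Hypothetical helper (added example, not the post's own tooling): automates the
# download/push/start/check steps above and picks the frida-server build that
# matches the device ABI, so the extracted file always matches the download.
set -eu

FRIDA_VERSION="${FRIDA_VERSION:-15.2.2}"   # release used in the post

# Print the serial of the first device in "device" state from "adb devices"
# output read on stdin; devices still "unauthorized" are skipped.
first_device_serial() {
  awk 'NR > 1 && $2 == "device" { print $1; exit }'
}

# Map an Android ABI (ro.product.cpu.abi) to the suffix Frida uses in its
# release asset names; an unknown ABI is an error, not a guess.
frida_arch_for_abi() {
  case "$1" in
    arm64-v8a)            echo arm64 ;;
    armeabi-v7a|armeabi)  echo arm ;;
    x86_64)               echo x86_64 ;;
    x86)                  echo x86 ;;
    *) echo "unsupported ABI: $1" >&2; return 1 ;;
  esac
}

# Release asset name for a version and architecture, e.g.
# frida-server-15.2.2-android-arm64.xz
frida_server_asset() {
  printf 'frida-server-%s-android-%s.xz\n' "$1" "$2"
}

# Full procedure against the connected device (needs adb, wget, unxz and
# frida-tools on the PATH, and a rooted device with su).
deploy() {
  serial="$(adb devices | first_device_serial)"
  [ -n "$serial" ] || { echo "no authorized device attached" >&2; return 1; }
  abi="$(adb -s "$serial" shell getprop ro.product.cpu.abi | tr -d '\r')"
  arch="$(frida_arch_for_abi "$abi")"
  asset="$(frida_server_asset "$FRIDA_VERSION" "$arch")"
  wget -q "https://github.com/frida/frida/releases/download/${FRIDA_VERSION}/${asset}"
  unxz -f "$asset"
  adb -s "$serial" push "${asset%.xz}" /data/local/tmp/frida-server
  # -D daemonizes frida-server so the adb shell returns immediately.
  adb -s "$serial" shell "su -c 'chmod 755 /data/local/tmp/frida-server && /data/local/tmp/frida-server -D'"
  # The client can reach the server only if frida-ps lists device processes.
  frida-ps -U >/dev/null && echo "frida-server ${FRIDA_VERSION} is reachable on ${serial}"
}

if [ "${1:-}" = "deploy" ]; then deploy; fi
```

Run it as `./frida-deploy.sh deploy` from the shell where the Frida virtual environment is activated.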

Running an application without certificate pinning

We are now ready to run an application with certificate pinning disabled. All following commands are run on Kali Linux.

Identify the package name of the application we want to run:

adb shell pm list packages --user 0 -u | grep -i appname

Be sure the application is not running on the Android device:

frida-ps -U | grep -i AppName

Start the application:

frida --no-pause -U -l ./frida-script.js -f com.appname.start

The app starts on the smartphone and appears on its screen. All of its HTTPS connections have certificate pinning disabled and can be intercepted by an intercepting (MITM) proxy.
