Home

Awesome

Frida Mobile Interception Scripts Funded by NLnet - NGI Zero Entrust

Part of HTTP Toolkit: powerful tools for building, testing & debugging HTTP(S)

This repo contains Frida scripts designed to do everything required for fully automated HTTPS MitM interception on mobile devices.

This set of scripts can be used all together, to handle interception, manage certificate trust & disable certificate pinning & transparency checks, for MitM interception of HTTP(S) traffic on Android and iOS, or they can be used and tweaked independently to hook just specific features.

The scripts can automatically handle:

Android Getting Started Guide

  1. Start your MitM proxy (e.g. HTTP Toolkit), and set up your rooted Android device or emulator, connected to ADB.
  2. Find your MitM proxy's port (e.g. 8000) and its CA certificate in PEM format
    • The CA certificate should start with -----BEGIN CERTIFICATE-----. You can open it with a text editor to see and extract this content.
    • In HTTP Toolkit, both details can be found in the 'Anything' option on the Intercept page.
  3. Open config.js, and add those details:
    • CERT_PEM: your CA certificate in PEM format.
    • PROXY_PORT: the proxy's port
    • PROXY_HOST: the address of your proxy, from the perspective of your device (or use adb reverse tcp:$PORT tcp:$PORT to forward the port over ADB, and use 127.0.0.1 as the host)
  4. Install & start Frida on your device
    • The steps here may depend on your specific device & configuration.
    • For example: download the relevant frida-server from github.com/frida/frida, extract it, adb push it to your device, and then run it with the following 4 commands: adb shell, su, chmod +x /.../frida-server, /.../frida-server.
    • If you have issues, remember to check the device is on & connected (using adb devices) before running commands. Note that Frida will only run on the device as root, which is what su provides in the example above, when run on a rooted device. To check you are root after running su or similar, check that running whoami in the shell prints root.
  5. Find the package id for the app you're interested in (for a quick test, try using github.com/httptoolkit/android-ssl-pinning-demo - the package id is tech.httptoolkit.pinning_demo)
  6. Use Frida to launch the app you're interested in with the scripts injected (starting with config.js). Which scripts to use is up to you, but for Android a good command to start with is:
    frida -U \
        -l ./config.js \
        -l ./native-connect-hook.js \
        -l ./native-tls-hook.js \
        -l ./android/android-proxy-override.js \
        -l ./android/android-system-certificate-injection.js \
        -l ./android/android-certificate-unpinning.js \
        -l ./android/android-certificate-unpinning-fallback.js \
        -f $PACKAGE_ID
    
  7. Explore, examine & modify all the traffic you're interested in! If you have any problems, please open an issue and help make these scripts even better.

iOS Getting Started Guide

  1. Start your MitM proxy (e.g. HTTP Toolkit), and set up your jailbroken iOS device, connected to your computer.
  2. Find your MitM proxy's port (e.g. 8000) and its CA certificate in PEM format
    • The CA certificate should start with -----BEGIN CERTIFICATE-----. You can open it with a text editor to see and extract this content.
    • In HTTP Toolkit, both details can be found in the 'Anything' option on the Intercept page.
  3. Open config.js, and add those details:
    • CERT_PEM: your CA certificate in PEM format.
    • PROXY_PORT: the proxy's port
    • PROXY_HOST: the address of your proxy, from the perspective of your device
  4. Install & start Frida on your device
    • The steps here may depend on your specific device & configuration, but this is generally available via Cydia/Sileo etc using https://build.frida.re as a package source.
    • Ensure you can run frida-ps -Uai on your computer to confirm this is working correctly.
  5. Find the id for the app you're interested in via frida-ps -Uai (for a quick test, try using github.com/httptoolkit/ios-ssl-pinning-demo - the id is com.httptoolkit.ios-pinning-demo)
  6. Use Frida to launch the app you're interested in with the scripts injected (starting with config.js). Which scripts to use is up to you, but for iOS a good command to start with is:
    frida -U \
        -l ./config.js \
        -l ./ios/ios-connect-hook.js \
        -l ./native-tls-hook.js \
        -l ./native-connect-hook.js \
        -f $APP_ID
    
  7. Explore, examine & modify all the traffic you're interested in! If you have any problems, please open an issue and help make these scripts even better.

The Scripts

The commands above use all the relevant scripts, but you can generally use any subset you like, although in almost all cases you will want to include config.js as the first script (this defines some variables that are used by other scripts).

For example, to do unpinning alone on Android, when handling proxy & certificate configuration elsewhere and without obfuscation fallbacks, you could just run:

frida -U \
    -l ./config.js \
    -l ./android/android-certificate-unpinning.js
    -f $PACKAGE_ID

Each script includes detailed documentation on what it does and how it works in a large comment section at the top. The scripts are:


These scripts are part of a broader HTTP Toolkit project, funded through the NGI Zero Entrust Fund, established by NLnet with financial support from the European Commission's Next Generation Internet program. Learn more on the NLnet project page.

<img src="https://nlnet.nl/logo/banner.png" alt="NLnet foundation logo" width="20%" /> <img src="https://nlnet.nl/image/logos/NGI0Entrust_tag.svg" alt="NGI Zero Entrust Logo" width="20%" />