In the case of the August app, the scripts above did not allow 100% of requests to get through, but regardless may have ended up getting me the information I was looking for.

Moving back to Proxyman, you can validate that the SSL unpinning scripts were either successful or unsuccessful.

SSLContext initialized with our custom TrustManager!
Waiting for the app to invoke SSLContext.init().
Creating a TrustManager that trusts the CA in our KeyStore.
Our CA Info: OU=, CN="Proxyman CA (, harper.local)", O=Proxyman Inc, L=Singapore, C=SG
object? -> Display information about 'object'
_ | Frida 15.0.13 - A world-class dynamic instrumentation toolkit

Here we’ll copy the SSL cert to a place where the Frida script will be able to read it.
crt file to your Android phone’s Downloads - we’ll need this certificate in the next step.
How to install and trust self-signed certificates on Android 11?

You’ll want to be able to see your Android app’s traffic in the Proxyman UI, even if you aren’t able to view the actual HTTP bodies.

For more info on MITM’ing your device, see Proxyman’s guide on:

Set up a local proxy, sending your Android phone’s connection through something like Proxyman with a trusted SSL cert.

XXXXXXXXXXXXXX device usb:XXXXXXX product:sunfish model:Pixel_4a device:sunfish transport_id:1

Plugging your device into your computer, you should be able to issue the following commands.

In Developer settings, turn on USB debugging.

Starting frida on your android device sets ADB & Frida

You may also start frida-server manually.

I did this by installing the frida-server package in Magisk itself (just open the app and search Frida in the packages panel).

You’ll want to start the frida-server on your Android phone.

Setup

Install Frida on your rooted device

Download the Android Debug Bridge (adb) binary, bundled as a part of Android platform tools.

I’m using a Mac with Proxyman installed for this tutorial.

Install some proxy/HTTP introspection application on your computer.

Note: for this article I’m using a rooted Pixel 4a.

A rooted Android phone (see my old guide on rooting Pixel 1).

If that’s what you’re interested in learning more about too, this is the guide to follow.
The goal of this article was to understand the August Lock private API. Please see the acknowledgments at the end for the various guides that helped me get there!
This article is a braindump of how I was successful in bypassing SSL pinning on Android 11 in 2021.