This tool automatically injects the frida-gadget library into an Android application (.apk) so that SSL pinning can be bypassed and the communication between the mobile client and the server intercepted and decrypted.
The tool only tampers with the application; installing the tampered apk, configuring the device and running frida must be done manually afterwards.
- Reverse engineer application with apktool.
- Inject frida-gadget.
- Inject smali hook.
- Increase the application version (in apktool.yml).
- Re-build application with apktool.
- Align application with zipalign.
- Sign the application with apksigner.
- python 2.7
- apktool
- openssl
- frida (+ frida-gadget binary)
- zipalign
- keytool
- apksigner
To complete the task, you will also need:
- Android Debug Bridge (part of Android SDK)
- An Android emulator (e.g. Genymotion).
- An intercepting proxy (e.g. Burp Suite).
./gadget-injector.py -h
-a, --target-apk The target apk file.
-c, --proxy-cert The proxy's CA certificate file in DER format.
-g, --frida-gadget The frida-gadget Android library.
-r, --device-arch The device's architecture (e.g. x86).
./gadget-injector.py -a app.apk -c cacert.der -g frida-gadget-12.2.26-android-x86.so -r x86
[i] Converting DER to PEM...
[i] Decoding with apktool...
[i] Tampering yml file...
[+] Injecting frida-gadget...
[+] Injecting smali hook...
[i] Re-building application
[i] Zipaligning re-built app
[+] Creating keystore...
[+] Signing with apksigner...
[+] TAMPERED APK HERE -> path/to/apk-aligned-signed.apk
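The following Python 3 block is an added illustration of what the tampering steps listed above amount to; it is not the injector's own code. It shows the DER-to-PEM conversion, the versionCode bump in apktool.yml, where the gadget .so has to go under lib/, a smali hook that calls System.loadLibrary("frida-gadget") from a class's static initializer, and the argv for the rebuild, zipalign and signing commands. The architecture-to-ABI mapping, the choice of hooking `<clinit>`, the keystore parameters and the `-rebuilt`/`-aligned` file names are assumptions; only the `*-aligned-signed.apk` naming follows the run shown above.

```python
"""Added illustration of the tampering steps the injector performs (not the tool's
own code): DER->PEM conversion, apktool.yml versionCode bump, gadget placement
under lib/<abi>/, a smali System.loadLibrary("frida-gadget") hook, and the argv
for the rebuild/zipalign/sign commands. ABI names, the <clinit> hook strategy
and the keystore parameters are assumptions, not taken from the project."""
import base64
import re
import textwrap

# Assumed mapping from the -r/--device-arch value to the APK's lib/ ABI directory.
ABI_DIRS = {"x86": "x86", "x86_64": "x86_64", "arm": "armeabi-v7a", "arm64": "arm64-v8a"}

# Smali for System.loadLibrary("frida-gadget"); the file must be named
# libfrida-gadget.so under lib/<abi>/ for this name to resolve at runtime.
LOAD_LIBRARY_SMALI = (
    '    const-string v0, "frida-gadget"\n'
    "    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V\n"
)
CLINIT_HEADER = re.compile(r"^\.method (?:[a-z]+ )*static constructor <clinit>\(\)V[ \t]*$", re.M)
LOCALS_LINE = re.compile(r"^([ \t]*)\.(locals|registers) (\d+)[ \t]*$", re.M)


def der_to_pem(der: bytes) -> str:
    """PEM-armor a DER certificate (same output as `openssl x509 -inform DER -outform PEM`)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def bump_version_code(apktool_yml: str) -> str:
    """Increment the versionCode entry of apktool.yml (quoted or unquoted), emitting it quoted."""
    new, n = re.subn(r"(versionCode:[ \t]*)'?(\d+)'?",
                     lambda m: f"{m.group(1)}'{int(m.group(2)) + 1}'", apktool_yml)
    if n != 1:
        raise ValueError("expected exactly one versionCode entry")
    return new


def gadget_path(device_arch: str) -> str:
    """Destination of the frida-gadget .so inside the decoded APK tree."""
    if device_arch not in ABI_DIRS:
        raise ValueError(f"unsupported arch {device_arch!r}; known: {sorted(ABI_DIRS)}")
    return f"lib/{ABI_DIRS[device_arch]}/libfrida-gadget.so"


def inject_smali_hook(smali: str) -> str:
    """Load the gadget from the class's static initializer (e.g. the launcher Activity),
    so it is resident before any networking code runs. Adds a <clinit> if none exists."""
    header = CLINIT_HEADER.search(smali)
    if header is None:
        method = (".method static constructor <clinit>()V\n    .locals 1\n"
                  + LOAD_LIBRARY_SMALI + "    return-void\n.end method\n")
        return smali.rstrip("\n") + "\n\n" + method
    end = smali.find(".end method", header.end())
    loc = LOCALS_LINE.search(smali, header.end(), end) if end != -1 else None
    if loc is None:
        raise ValueError("<clinit> has no .locals/.registers directive")
    # const-string needs v0, so the method must declare at least one register.
    regs = max(int(loc.group(3)), 1)
    fixed = f"{loc.group(1)}.{loc.group(2)} {regs}\n" + LOAD_LIBRARY_SMALI.rstrip("\n")
    return smali[:loc.start()] + fixed + smali[loc.end():]


def rebuild_commands(decoded_dir: str, stem: str, keystore: str = "tamper.jks",
                     alias: str = "tamper", password: str = "changeit") -> list:
    """argv lists for the rebuild/zipalign/sign stage. Output follows the
    <stem>-aligned-signed.apk pattern of the run above; keystore values are assumed."""
    rebuilt, aligned = f"{stem}-rebuilt.apk", f"{stem}-aligned.apk"
    signed = f"{stem}-aligned-signed.apk"
    return [
        ["apktool", "b", decoded_dir, "-o", rebuilt],
        ["zipalign", "-p", "-f", "4", rebuilt, aligned],
        ["keytool", "-genkeypair", "-keystore", keystore, "-alias", alias, "-keyalg", "RSA",
         "-keysize", "2048", "-validity", "10000", "-storepass", password, "-keypass", password,
         "-dname", "CN=gadget-injector"],
        ["apksigner", "sign", "--ks", keystore, "--ks-key-alias", alias,
         "--ks-pass", f"pass:{password}", "--key-pass", f"pass:{password}",
         "--out", signed, aligned],
        ["apksigner", "verify", "--print-certs", signed],
    ]
```

To drive a real build, decode with `apktool d app.apk -o app_dir`, rewrite `app_dir/apktool.yml` through `bump_version_code`, copy the gadget .so to `app_dir/<gadget_path(arch)>`, run `inject_smali_hook` over the launcher Activity's .smali file, then execute each argv from `rebuild_commands("app_dir", "app")` with `subprocess.run(cmd, check=True)`. The zipalign step uses `-p` so the uncompressed .so stays page-aligned, which newer Android versions require for native libraries loaded straight from the APK.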
After that, you need to:
- Install tampered apk on device.
- Configure the device to use the proxy (e.g. Burp Suite).
- Run the tampered application.
- Run `frida -U gadget -l frida-sslpinning.js`
- Check proxy for intercepted traffic.
More on SSL pinning bypass with frida-gadget here.
The tool was created for and tested against a limited number of Android applications; tweaking the code may be necessary to make it work under specific environment conditions.
The tool does not attempt to bypass integrity checks. Since the apk is re-signed with a freshly generated key, applications that verify their own signing certificate or otherwise detect repackaging will notice the tampering, and such checks have to be defeated separately.