From 03928c9058dd32b3a896aa7824d6d1e9cf7dc5b5 Mon Sep 17 00:00:00 2001
From: StingraySA <42263294+StingraySA@users.noreply.github.com>
Date: Fri, 10 May 2024 14:45:43 +0200
Subject: [PATCH 1/2] Added two new methods to hook all things okhttp

Added two new methods to overload for bypassing okhttp all current versions.
---
 agent/src/android/pinning.ts | 50 ++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/agent/src/android/pinning.ts b/agent/src/android/pinning.ts
index c1522910..1c52e103 100644
--- a/agent/src/android/pinning.ts
+++ b/agent/src/android/pinning.ts
@@ -167,6 +167,56 @@ const okHttp3CertificatePinnerCheckOkHttp = (ident: string): any | undefined =>
 });
 };

+const okHttp3CertificatePinnerExpanded = (ident: string): any | undefined => {
+ return wrapJavaPerform(() => {
+ try {
+ const certificatePinner: CertificatePinner = Java.use("okhttp3.CertificatePinner");
+ send(c.blackBright(`Found okhttp3.CertificatePinner, overriding CertificatePinner.check$okhttp()`));
+
+ try {
+ const CertificatePinnerCheckOkHttp = certificatePinner.check$okhttp.overload('java.lang.String', 'java.security.cert.Certificate');
+
+ // tslint:disable-next-line:only-arrow-functions
+ CertificatePinnerCheckOkHttp.implementation = function (str,cert) {
+ qsend(quiet,
+ c.blackBright(`[${ident}] `) + `Called check$okhttp ` +
+ c.green(`OkHTTP 3.x CertificatePinner.check$okhttp()`) +
+ str,
+ } catch(err) {
+ qsend(quiet,
+ c.blackBright(`[${ident}] `) +
+ c.red(`Skipping Expanded OkHTTP Hook`),
+ }
+
+ try {
+ const CertificatePinnerCheckOkHttp = certificatePinner.check$okhttp.overload('java.lang.String', '[Ljava.security.cert.Certificate;');
+
+ // tslint:disable-next-line:only-arrow-functions
+ CertificatePinnerCheckOkHttp.implementation = function (str,cert_array) {
+ qsend(quiet,
+ c.blackBright(`[${ident}] `) + `Called check$okhttp ` +
+ c.green(`OkHTTP 3.x CertificatePinner.check$okhttp()`) +
+ str,
+ } catch(err) {
+ qsend(quiet,
+ c.blackBright(`[${ident}] `) +
+ c.red(`Skipping Expanded OkHTTP Hook`),
+ }
+
+ );
+ };
+
+ return CertificatePinnerCheckOkHttp;
+
+ } catch (err) {
+ if ((err as Error).message.indexOf("ClassNotFoundException") === 0) {
+ throw err;
+ }
+ }
+ });
+};
+
+
 const appceleratorTitaniumPinningTrustManager = (ident: string): any | undefined => {
 return wrapJavaPerform(() => {
 try {

From b245d79c77634fae36090a3d63f2691d38270b38 Mon Sep 17 00:00:00 2001
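Review bot: The added `okHttp3CertificatePinnerExpanded` does not parse as written: in both inner `try` blocks the `qsend(quiet, ...` call and the `function (str,cert) {` / `function (str,cert_array) {` body are still open when `} catch(err) {` begins, and the `qsend(` calls inside the two `catch` bodies are never closed either. Each hook needs `);` and `};` after the `str,` argument, and each `catch` body needs `);` after the `c.red(...)` argument; the stray `);` and `};` that follow the second `catch` then go away. `return CertificatePinnerCheckOkHttp;` sits outside both inner `try` blocks, so neither block-scoped `const` is visible there, and with two overloads hooked a single return value would cover only one of them; if the caller uses the returned handle to restore the original method (not visible here), the other overload would stay replaced. The two later hunks in PATCH 2/2 (`@@ -180,7` and `@@ -195,7`) only edit the log string and leave these open calls in place.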
From: StingraySA <42263294+StingraySA@users.noreply.github.com>
Date: Fri, 10 May 2024 15:07:30 +0200
Subject: [PATCH 2/2] Forgot to actually call the new function

Forgot to actually call the new function
---
 agent/src/android/pinning.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/agent/src/android/pinning.ts b/agent/src/android/pinning.ts
index 1c52e103..d9c40c2f 100644
--- a/agent/src/android/pinning.ts
+++ b/agent/src/android/pinning.ts
@@ -180,7 +180,7 @@ const okHttp3CertificatePinnerExpanded = (ident: string): any | undefined => {
 CertificatePinnerCheckOkHttp.implementation = function (str,cert) {
 qsend(quiet,
 c.blackBright(`[${ident}] `) + `Called check$okhttp ` +
- c.green(`OkHTTP 3.x CertificatePinner.check$okhttp()`) +
+ c.green(`OkHTTP 3.x CertificatePinner.check$okhttp() - `) +
 str,
 } catch(err) {
 qsend(quiet,
@@ -195,7 +195,7 @@ const okHttp3CertificatePinnerExpanded = (ident: string): any | undefined => {
 CertificatePinnerCheckOkHttp.implementation = function (str,cert_array) {
 qsend(quiet,
 c.blackBright(`[${ident}] `) + `Called check$okhttp ` +
- c.green(`OkHTTP 3.x CertificatePinner.check$okhttp()`) +
+ c.green(`OkHTTP 3.x CertificatePinner.check$okhttp() - `) +
 str,
 } catch(err) {
 qsend(quiet,
@@ -374,6 +374,7 @@ export const disable = (q: boolean): void => {
 job.implementations.push(sslContextEmptyTrustManager(job.identifier));
 job.implementations.push(okHttp3CertificatePinnerCheck(job.identifier));
 job.implementations.push(okHttp3CertificatePinnerCheckOkHttp(job.identifier));
+ job.implementations.push(okHttp3CertificatePinnerExpanded(job.identifier));
 job.implementations.push(appceleratorTitaniumPinningTrustManager(job.identifier));
 job.implementations.push(trustManagerImplVerifyChainCheck(job.identifier));
 job.implementations.push(trustManagerImplCheckTrustedRecursiveCheck(job.identifier));
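Review bot: Nothing at the new `job.implementations.push(okHttp3CertificatePinnerExpanded(job.identifier));` line says how this entry differs from `okHttp3CertificatePinnerCheckOkHttp` on the line above, which, judging by its name, also targets `CertificatePinner.check$okhttp`. If the two functions ever resolve the same overload, the later `.implementation` assignment replaces the earlier one without any message, and both entries would refer to the same method. A comment above the call, such as `// check$okhttp(String, Certificate) and check$okhttp(String, Certificate[]) overloads`, would document the split. `disable` starts and ends outside the hunk.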