Android and Objection


Objection is a runtime mobile exploration toolkit built on top of Frida. It wraps the common little instrumentation tasks on Android (and iOS) in ready-made commands, so you do not have to write a Frida script for each of them.

Prerequisites

  • Install frida & Objection
    • `pip3 install objection` (pulls in the frida Python bindings and frida-tools, which provides frida-ps)
  • Root the target device
  • Download frida-server from the Frida GitHub releases and push it onto the device
    • Select the correct platform and architecture (arm64 for most phones, x86/x86_64 for emulators) and the same version as the host-side `frida --version`, otherwise the bindings refuse to talk to it! :)
    • e.g. /data/local/tmp , chmod +x
  • Connect to the phone via ADB and start frida-server as root
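The prerequisite steps above as one script, added here as an example (not part of the original page). It assumes adb, curl, xz and the frida package are on PATH, that su on the device grants root (Magisk, as in the page's process list), and that the release assets keep Frida's naming scheme frida-server-VERSION-android-ARCH.xz. The ABI-to-asset mapping is a plain function so it can be checked without a device.

```shell
#!/bin/sh
# Added example: deploy a matching frida-server to a rooted Android device.
set -e

# Map the ABI reported by Android (ro.product.cpu.abi) to the architecture
# suffix Frida uses for its release assets. Pushing the wrong architecture
# is the classic reason frida-server silently refuses to start.
frida_arch_for_abi() {
    case "$1" in
        arm64-v8a)   echo arm64 ;;
        armeabi-v7a) echo arm ;;
        x86_64)      echo x86_64 ;;
        x86)         echo x86 ;;
        *) echo "unsupported ABI: $1" >&2; return 1 ;;
    esac
}

# Build the release asset name for a given ABI and Frida version
# (assumed naming: frida-server-<version>-android-<arch>.xz).
frida_server_asset() {
    abi=$1; version=$2
    arch=$(frida_arch_for_abi "$abi") || return 1
    echo "frida-server-${version}-android-${arch}.xz"
}

# Download (if not cached), push and start frida-server as root.
# The server version must equal the host-side `frida --version`.
deploy_frida_server() {
    version=$(frida --version)
    abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')
    asset=$(frida_server_asset "$abi" "$version")
    bin=${asset%.xz}
    if [ ! -f "$bin" ]; then
        curl -fsSLO "https://github.com/frida/frida/releases/download/${version}/${asset}"
        xz -d "$asset"
    fi
    adb push "$bin" /data/local/tmp/frida-server
    adb shell "su -c 'chmod 755 /data/local/tmp/frida-server'"
    # -D is frida-server's daemonize flag, so the adb shell returns.
    adb shell "su -c '/data/local/tmp/frida-server -D'"
    # Sanity check from the host: frida-server must list itself.
    frida-ps -U | grep -q frida-server && echo "frida-server is up"
}

# Only touch a device when explicitly asked: ./deploy.sh deploy
if [ "${1:-}" = deploy ]; then
    deploy_frida_server
fi
```

Run it with `deploy` as the first argument; without arguments it only defines the functions, which is what the offline check relies on.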

Circumvent Cert Pinning

Identify target

Run frida-ps -U to list the processes on the USB-attached device (frida-ps -Uai lists installed apps with their package names instead). Don’t forget to start the target app first, otherwise it will not show up!

 PID  Name
----  -------------------------------------------------------
1591  .dataservices
1002  adbd
 921  adsprpcd
 780  android.hardware.audio@2.0-service
 975  android.hardware.biometrics.fingerprint@2.1-service.fpc
 782  android.hardware.bluetooth@1.0-service-qti
 599  android.hardware.boot@1.0-service
 784  android.hardware.camera.provider@2.4-service
 787  android.hardware.cas@1.0-service
 616  android.hardware.configstore@1.1-service
 789  android.hardware.contexthub@1.0-service
 790  android.hardware.drm@1.0-service
 791  android.hardware.drm@1.1-service.clearkey
 792  android.hardware.drm@1.1-service.widevine
 793  android.hardware.dumpstate@1.0-service.wahoo
 600  android.hardware.gatekeeper@1.0-service-qti
 794  android.hardware.gnss@1.0-service-qti
 617  android.hardware.graphics.allocator@2.0-service
 615  android.hardware.graphics.composer@2.1-service
 796  android.hardware.health@2.0-service.wahoo
 601  android.hardware.keymaster@3.0-service-qti
 798  android.hardware.light@2.0-service
 799  android.hardware.memtrack@1.0-service
 800  android.hardware.nfc@1.1-service
 801  android.hardware.oemlock@1.0-service
 805  android.hardware.power@1.2-service.wahoo-libperfmgr
 815  android.hardware.sensors@1.0-service
 817  android.hardware.usb@1.1-service.wahoo
 818  android.hardware.vibrator@1.2-service.wahoo
 819  android.hardware.vr@1.0-service.wahoo
 822  android.hardware.wifi@1.0-service
 777  android.hidl.allocator@1.0-service
6018  android.process.acore
5827  android.process.media
 857  audioserver
 858  bufferhubd
 934  cameraserver
 970  chre
 923  cnd
 964  cnss-daemon
1410  com.android.bluetooth
6140  com.android.chrome
6433  com.android.chrome:webview_service
2462  com.android.ims.rcsservice
2431  com.android.nfc
1614  com.android.phone
2445  com.android.se
1646  com.android.settings
1439  com.android.systemui
3530  com.android.vending
1514  com.breel.wallpapers
2475  com.google.SSRestartDetector
5429  com.google.android.apps.gcs
5639  com.google.android.apps.messaging
2559  com.google.android.apps.nexuslauncher
3937  com.google.android.apps.turbo:aab
5723  com.google.android.apps.wellbeing
2524  com.google.android.as
4168  com.google.android.connectivitymonitor
6055  com.google.android.contacts
1807  com.google.android.ext.services
2738  com.google.android.gms
1959  com.google.android.gms.persistent
4665  com.google.android.gms.unstable
2401  com.google.android.googlequicksearchbox:interactor
2567  com.google.android.googlequicksearchbox:search
3841  com.google.android.ims
1427  com.google.android.inputmethod.latin
5767  com.google.android.music:main
5699  com.google.android.setupwizard
4611  com.google.android.youtube
2512  com.google.intelligence.sense
1458  com.google.modemservice
2386  com.google.process.gservices
6358  com.pentlandfirth.whizcart
1662  com.qualcomm.qcrilmsgtunnel
1608  com.qualcomm.qti.telephonyservice
5883  com.topjohnwu.magisk
 935  drmserver
 825  esed
 912  folio_daemon
5945  frida-helper-32
5922  frida-server
 971  gatekeeperd
 778  healthd
 586  hwservicemanager
 984  imsdatadaemon
 922  imsqmidaemon
 936  incidentd
   1  init
 556  init
 557  init
 937  installd
 750  ip6tables-restore
 930  ipacm
 749  iptables-restore
 938  keystore
 859  lmkd
 966  loc_launcher
 708  logcat
5924  logcat
 595  logd
1584  lowi-server
 703  magiskd
 951  media.codec
 940  media.extractor
 941  media.metrics
 939  mediadrmserver
 942  mediaserver
 833  msm_irqbalance
 741  netd
 924  netmgrd
 802  oemlock-bridge
 855  pd-mapper
 864  performanced
 916  pm-proxy
 836  pm-service
 927  port-bridge
 582  qseecomd
 588  qseecomd
 931  qti
 953  rild
 849  rmt_storage
 840  sensors.qcom
 596  servicemanager
5860  sh
5869  sh
 944  statsd
 945  storaged
5865  su
 613  surfaceflinger
1184  system_server
 854  tftp_server
 776  thermal-engine
 865  thermalserviced
 645  time_daemon
 972  tombstoned
 917  traced
 918  traced_probes
 558  ueventd
 973  update_engine
 866  virtual_touchpad
 597  vndservicemanager
 646  vold
 779  vr_hwc
1488  webview_zygote
 946  wificond
2351  wpa_supplicant
1585  xtra-daemon
 748  zygote
 747  zygote64

com.pentlandfirth.whizcart is what we were looking for!

Connect with objection

objection --gadget com.pentlandfirth.whizcart explore

Using USB device `Pixel 2`
Agent injected and responds ok!

     _   _         _   _
 ___| |_|_|___ ___| |_|_|___ ___
| . | . | | -_|  _|  _| | . |   |
|___|___| |___|___|_| |_|___|_|_|
      |___|(object)inject(ion) v1.9.6

     Runtime Mobile Exploration
        by: @leonjza from @sensepost

[tab] for command suggestions
com.pentlandfirth.whizcart on (google: 9) [usb] # 

Use the autocompletion to find what you want to do

com.pentlandfirth.whizcart on (google: 9) [usb] # android sslpinning disable
(agent) Custom TrustManager ready, overriding SSLContext.init()
(agent) Found okhttp3.CertificatePinner, overriding CertificatePinner.check()
(agent) Found com.android.org.conscrypt.TrustManagerImpl, overriding TrustManagerImpl.verifyChain()
(agent) Found com.android.org.conscrypt.TrustManagerImpl, overriding TrustManagerImpl.checkTrustedRecursive()
(agent) Registering job 8528042094279. Type: android-sslpinning-disable
com.pentlandfirth.whizcart on (google: 9) [usb] # 

The rest

Point the device at your intercepting proxy (Wi-Fi proxy settings, or adb shell settings put global http_proxy <host>:<port>) and the app’s HTTPS traffic shows up in the proxy. Done :)

objection prints a log line each time one of its hooks lets a certificate check pass. If no such lines appear and the app still refuses to connect, it is not using the Java classes objection hooks (okhttp3 CertificatePinner, conscrypt TrustManagerImpl, SSLContext), for example a native or Flutter TLS stack, and you need a custom Frida script for it.

(agent) [8528042094279] Called OkHTTP 3.x CertificatePinner.check(), not throwing an exception.
(agent) [8528042094279] Called OkHTTP 3.x CertificatePinner.check(), not throwing an exception.
(agent) [8528042094279] Called OkHTTP 3.x CertificatePinner.check(), not throwing an exception.
(agent) [8528042094279] Called OkHTTP 3.x CertificatePinner.check(), not throwing an exception.
(agent) [8528042094279] Called (Android 7+) TrustManagerImpl.checkTrustedRecursive(), not throwing an exception.
(agent) [8528042094279] Called OkHTTP 3.x CertificatePinner.check(), not throwing an exception.
(agent) [8528042094279] Called OkHTTP 3.x CertificatePinner.check(), not throwing an exception.
(agent) [8528042094279] Called OkHTTP 3.x CertificatePinner.check(), not throwing an exception.
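The whole workflow above (find the target in frida-ps, set the device proxy, attach objection and disable pinning) as one non-interactive script, added here as an example and not part of the original page. It assumes frida-server is already running on the device, adb, frida-ps and objection are on PATH, the proxy listens at PROXY_HOST:PROXY_PORT reachable from the phone, and objection's explore --startup-command option for running a REPL command at attach time. The frida-ps sample embedded in the script is constructed (trimmed from what the page shows) so the PID lookup can be checked offline.

```shell
#!/bin/sh
# Added example: non-interactive pinning bypass with objection.
set -e

# Extract the PID of a package from `frida-ps -U` output. The Name column is
# matched exactly, so com.example.app does not also match com.example.app:remote.
pid_of_package() {
    printf '%s\n' "$1" | awk -v pkg="$2" '$2 == pkg { print $1; found = 1 } END { exit !found }'
}

# Global HTTP proxy for the device (same as Settings > Wi-Fi > proxy);
# ":0" clears it again so the phone is not left pointing at a dead proxy.
set_device_proxy()   { adb shell settings put global http_proxy "$1:$2"; }
clear_device_proxy() { adb shell settings put global http_proxy :0; }

# Attach objection to the running app and issue "android sslpinning disable"
# as its startup command instead of typing it into the REPL.
bypass_pinning() {
    pkg=$1
    ps_out=$(frida-ps -U)
    pid=$(pid_of_package "$ps_out" "$pkg") || {
        echo "$pkg is not running; start the app first" >&2
        return 1
    }
    echo "found $pkg as pid $pid"
    objection --gadget "$pkg" explore --startup-command "android sslpinning disable"
}

# Constructed sample of frida-ps -U output for the offline check.
SAMPLE_PS=' PID  Name
----  ----
6140  com.android.chrome
6433  com.android.chrome:webview_service
6358  com.pentlandfirth.whizcart
5922  frida-server'

# Only touch a device when explicitly asked: ./bypass.sh run [package]
if [ "${1:-}" = run ]; then
    PKG=${2:-com.pentlandfirth.whizcart}
    set_device_proxy "${PROXY_HOST:-192.168.1.10}" "${PROXY_PORT:-8080}"
    trap clear_device_proxy EXIT
    bypass_pinning "$PKG"
fi
```

PROXY_HOST and PROXY_PORT (defaults are placeholders) must be the address the phone can reach your proxy on; the trap resets the device proxy when objection exits.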