Part of HTTP Toolkit: powerful tools for building, testing & debugging HTTP(S)
This repo contains Frida scripts designed to do everything required for fully automated HTTPS MitM interception on mobile devices.
This set of scripts can be used all together, to handle interception, manage certificate trust & disabling certificate pinning & transparency checks, for MitM interception of HTTP(S) traffic on Android (iOS coming soon!) or they can be used and tweaked independently to hook just specific features.
The scripts can automatically handle:
- Redirection of traffic to an HTTP(S) proxy - modifying both system settings & directly redirecting all socket connections.
- Injecting a given CA certificate into the system trust stores.
- Patching all known certificate pinning and certificate transparency tools to allow interception by the same CA certificate.
- As a fallback: auto-detection of remaining pinning failures, to attempt auto-patching of obfuscated certificate pinning (in fully obfuscated apps, the first request may fail, but this will trigger additional patching so that all subsequent requests work correctly).
To get started:
- Start your MitM proxy (e.g. HTTP Toolkit), and set up your rooted Android device or emulator, connected to ADB.
- Find your MitM proxy's port (e.g. 8000) and its CA certificate in PEM format (should start with
-----BEGIN CERTIFICATE-----
). - Open
config.js
, and add those details:CERT_PEM
: your CA certificate in PEM formatPROXY_PORT
: the proxy's portPROXY_HOST
: the address of your proxy, from the perspective of your device (or useadb reverse tcp:$PORT tcp:$PORT
to forward the port over ADB, and use127.0.0.1
as the host)
- Install & start Frida on your device (e.g. download the relevant server from github.com/frida/frida, extract it,
adb push
it to your device, and then run it withadb shell
,su
,chmod +x /.../frida-server
,/.../frida-server
). - Find the package id for the app you're interested in (for a quick test, try using github.com/httptoolkit/android-ssl-pinning-demo - the package id is
tech.httptoolkit.pinning_demo
) - Use Frida to launch the app you're interested in with the scripts injected (starting with
config.js
). Which scripts to use is up to you, but for Android a good command to start with is:frida -U \ -l ./config.js \ -l ./native-connect-hook.js \ -l ./android/android-proxy-override.js \ -l ./android/android-system-certificate-injection.js \ -l ./android/android-certificate-unpinning.js \ -l ./android/android-certificate-unpinning-fallback.js \ -f $PACKAGE_ID
- Explore, examine & modify all the traffic you're interested in! If you have any problems, please open an issue and help make these scripts even better.