Caido
Get StartedHow-to GuidesTutorialsReferenceConceptsTroubleshooting

Modifying an Android Application: Virtual & Physical Devices

NOTE

This tutorial is a continuation of the previous tutorials. Ensure your environment and virtual/physical device is prepared before continuing.

To proceed with this tutorial, you will need to download/install the SSL Pinning Demo application.

SSL Pinning Demo

The SSL Pinning Demo is an Android application developed by HTTPToolkit for security education. It blocks HTTPS traffic from being proxied or intercepted via certificate pinning and a security configuration file.

The application provides an array of buttons that issue requests under various secure and insecure configurations. Unpacking and modifying the Android Package Kit (APK) file bundle that comprises the application demonstrates how these protective measures can be bypassed.

If an application's traffic is still not proxied through Caido or you encounter errors or limited functionality, similar protective measures likely exist in its code or configuration.

NOTE

This tutorial was written using:

We recommend using the same version to ensure the instructions align.

List of connected Android devices.

INFO

  • This process does NOT require a rooted device.
  • Be aware that the exact names and locations of setting options may vary between devices.
  • Ensure to pay attention to any prompts on the device itself while proceeding through these steps.
  • For physical devices, ensure the device is connected to the computer running Caido via USB and that both the device and the computer are on the same Wi-Fi network.

Once the SSL Pinning Demo v1.4.1 APK has been downloaded to your computer, to install it on your device:

  1. Execute the adb tool with devices to ensure the device is listed.
bash
adb devices

  1. Navigate to the file system location of the APK file.

  2. Execute the adb tool with the device ID as the value of the -s argument and the file system location of the pinning-demo.apk as the value of the install argument to install the application.

bash
adb -s <device-id> install pinning-demo.apk

Extracting an APK

Once the SSL Pinning Demo v1.4.1 application has been installed on your device, to simulate extracting the APK from the installation:

  1. Execute the adb tool against the device with shell to initialize a terminal.
bash
adb -s <device-id> shell
  1. Find the application's base.apk package on your device by listing all the file paths of installed packages and filtering the results by the application name.
bash
pm list packages -f | grep -i pinning
Finding the base package.

  1. Copy the absolute file path (starting from /data and ending with /base.apk) and exit the device command-line interface using CTRL + D or by typing and entering exit.

  2. Execute the adb tool against the device with the file path as the value of the pull argument to pull the APK to your computer.

bash
adb -s <device-id> pull </data/app/<path-segments>/base.apk>
Pulling the base package.

Unpacking APKs

Once you have an application's APK, to decompile the package into its individual resources:

  1. Download and install Apktool for your operating system.

  2. Open a terminal and navigate to the file system location of the APK file.

  3. Execute apktool with d and the output directory (e.g. unpacked) as the value of the -o argument against the APK file (e.g. base.apk) to unpack the contents to the specified directory.

bash
apktool d -o unpacked base.apk
Unpacking the APK.

Modifying the Network Security Configuration File

Application traffic may be blocked from interception/proxying due to the presence of a Network Security Configuration file. Introduced in Android 7.0 (API level 24), the network_security_config.xml file allows developers to customize network security settings for their applications.

In some cases, modifying this file and including the <certificates src="user" overridePins="true" /> directive to trust user-supplied certificates may be sufficient enough to configure the application to be Caido compatible.

To make the appropriate changes:

  1. Open the /res/xml/network_security_config.xml file from the unpacked directory in an editor (or, if it doesn't exist, create it).

  2. Replace/write the content of the file to:

xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <!-- Base configuration that applies to all connections if not overridden. -->
    <base-config>
        <!-- Define which certificates should be trusted as root CAs (trust anchors). -->
        <trust-anchors>
            <!-- Trust the pre-installed system certificates. -->
            <certificates src="system" />
            <!-- Trust user-installed certificates (like Caido's CA) and allow them to override certificate pinning. -->
            <certificates src="user" overridePins="true" />
        </trust-anchors>
    </base-config>
</network-security-config>

  1. Save the changes to /res/xml/network_security_config.xml.

  2. Ensure that the main configuration file, AndroidManifest.xml references the network_security_config.xml file via the android:networkSecurityConfig="@xml/network_security_config" attribute in the <application> tag (if you created a new network_security_config.xml file, you will have to explicitly add this).

  3. Save any changes to AndroidManifest.xml.

  4. From the root directory of the unpacked APK, execute apktool with b and the output filename (e.g. modified.apk) as the value of the -o argument to repack the contents into an APK.

bash
apktool b -o modified.apk ./
Repacking the APK.

  1. Download and install Java Development Kit (JDK) for your operating system and add the /bin directory to your system's PATH environment variable.

  2. Open a new terminal and navigate to the file system location of the repacked APK file.

  3. Execute keytool to generate a signing key with a keystore filename as the value of the -keystore argument (e.g. custom.keystore).

bash
keytool -genkey -v -keystore custom.keystore -alias aliasname -keyalg RSA -keysize 2048 -validity 10000
Generating a key.

  1. Follow the prompts to configure the key.

  2. Add the build-tools\<version> directory (a subdirectory of the file system location stated in the Android SDK Location field) to your system's PATH environment variable.

  3. Open a new terminal and navigate to the file system location of the repacked APK file.

  4. Execute zipalign with -p 4 against the repacked APK filename (e.g. modified.apk) and specify a new APK filename for the aligned file (e.g. aligned.apk).

bash
zipalign -p 4 modified.apk aligned.apk
  1. Sign the APK.
bash
apksigner sign --ks custom.keystore aligned.apk
  1. Execute the adb tool against the device with uninstall tech.httptoolkit.pinning_demo to uninstall the existing installation.
bash
adb -s <device-id> uninstall tech.httptoolkit.pinning_demo
  1. Install the modified application on the device.
bash
adb -s <device-id> install aligned.apk

Open the SSL Pinning Demo application on your device. Modifying the network_security_config.xml file allows for the following requests (highlighted in green):

Testing requests.

You will now see traffic generated by the application in Caido's HTTP History traffic table.

APK traffic.

As you can see, certain requests still result in an error message and are not proxied through Caido. This is due to certificate pinning within the application code.

Frida

Frida is a toolkit that allows you to hook custom scripts into running Android application processes, enabling real-time analysis and modification. This can be used to modify the processes that are checking the SSL/TLS certificates.

NOTE

This tutorial was written using:

  • Frida v16.6.6
  • Frida Tools v13.6.0

We recommend using the same versions to ensure the instructions align.

To bypass the additional certificate pinning protections:

  1. Download and install the Frida CLI tools (Frida and Frida Tools):
bash
pip install frida==16.6.6 frida-tools==13.6.0

  1. Add the /scripts directory of the package to your system's PATH environment variable.

  2. Open a new terminal and navigate to the file system location of the unpacked APK directory.

Frida Gadget

Since certain Frida operations may not work with unrooted devices, you will also need the Frida Gadget library. Once the library is injected into the APK, commands can be executed using the CLI tools.

NOTE

This tutorial was written using:

  • Frida Gadget v16.6.6

We recommend using the same versions to ensure the instructions align.

To check which download you will need for your device's architecture:

  1. Execute the adb tool against the device with shell getprop ro.product.cpu.abi to get the device's CPU ABI.
bash
adb -s <device-id> shell getprop ro.product.cpu.abi
  1. Download the latest appropriate frida-gadget-16.6.6-android-<architecture>.so.xz package:

Once downloaded, extract the library folder to your working directory and rename the .so file to:

text
libfrida-gadget.so

Bypassing Hardcoded Certificate Pinning

To bypass hardcoded certificate pinning protections, you will need to insert the Frida Gadget library into the main activity stated in the AndroidManifest.xml configuration file:

INFO

In Android development, an "activity" is the term used to refer to a specific page/screen of the application.

  1. Open the AndroidManifest.xml file of the unpacked APK in a text editor.
xml
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:compileSdkVersion="33" android:compileSdkVersionCodename="13" package="tech.httptoolkit.pinning_demo" platformBuildVersionCode="33" platformBuildVersionName="13">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:allowBackup="true" android:appComponentFactory="androidx.core.app.CoreComponentFactory" android:extractNativeLibs="false" android:icon="@mipmap/ic_launcher" android:label="@string/app_name" android:networkSecurityConfig="@xml/network_security_config" android:roundIcon="@mipmap/ic_launcher_round" android:supportsRtl="true" android:theme="@style/Theme.MyApplication">
        <activity android:exported="true" android:name="tech.httptoolkit.pinning_demo.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>

  1. Change the value of the android:extractNativeLibs attribute from "false" to "true".

  2. Save the changes to the AndroidManifest.xml file.

xml
android:extractNativeLibs="true"
  1. Next, search for the activity tag for the value of the android:name attribute which stores the full name of the package that serves the main activity of the application upon launch.
xml
<activity android:exported="true" android:name="tech.httptoolkit.pinning_demo.MainActivity">

INFO

The packages can be recognized by their ending syntax of <Keyword>Activity (e.g. MainActivity, SplashActivity, WindowActivity, LauncherActivity, etc.).

  1. Recursively search through the unpacked APK for the MainActivity's .smali file.

  2. Open the smali/tech/httptoolkit/pinning_demo/MainActivity.smali file and locate the .method public constructor <init>()V initialization function (lines 74-81).

smali
.method public constructor <init>()V
    .locals 0

    .line 51
    invoke-direct {p0}, Landroidx/appcompat/app/AppCompatActivity;-><init>()V

    return-void
.end method
  1. Modify this method to include the Frida Gadget script and increment the value of its .locals property to account for the change.
smali
.method public constructor <init>()V
    .locals 1

    const-string v0, "frida-gadget"
    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V

    .line 51
    invoke-direct {p0}, Landroidx/appcompat/app/AppCompatActivity;-><init>()V

    return-void
.end method

  1. Save the changes to smali/tech/httptoolkit/pinning_demo/MainActivity.smali.

  2. Next, create a lib directory in the root of the unpacked APK folder, an architecture specific subdirectory, and move the libfrida-gadget.so file into it (example: /unpacked/lib/x86/libfrida-gadget.so).

  3. Execute apktool with b and the output filename (e.g. frida-app.apk) as the value of the -o argument against the unpacked APK directory to repack the contents.

bash
apktool b -o frida-app.apk ./
Repacking the APK.
  1. Align the file (e.g. frida-aligned.apk).
bash
zipalign -p 4 frida-app.apk frida-aligned.apk
  1. Sign the APK.
bash
apksigner sign --ks custom.keystore frida-aligned.apk
  1. Uninstall the original application from the device.
bash
adb -s <device-id> uninstall tech.httptoolkit.pinning_demo
  1. Install the modified APK.
bash
adb -s <device-id> install frida-aligned.apk

Frida CodeShare

Frida Codeshare is Frida's official repository of scripts for bypassing the protective measures of various HTTP libraries utilized by Android applications.

To utilize a script from the repository:

  1. Open the SSL Pinning Demo application on your device. The screen will be blank as it is awaiting the script that will hook into the application's initialization.

  2. Execute frida against the device with -U gadget and the script <author>/<name> (e.g. fdciabdul/frida-multiple-bypass) as the value of the --codeshare argument.

bash
frida -U gadget --codeshare fdciabdul/frida-multiple-bypass

Depending on the script used, you will now be able to make additional requests that previously failed.

WARNING

When sourcing files online, ensure to evaluate the code for any malicious operations before executing it.

TIP

To specify a local script, use the filename as the value of the -l argument.

bash
./frida -U gadget -l <file>