Skip to content

How to Bypass mTLS on Android with Frida#2499

Open
carlospolop wants to merge 1 commit into
masterfrom
update_How_to_Bypass_mTLS_on_Android_with_Frida_4dc066fc51577140
Open

How to Bypass mTLS on Android with Frida#2499
carlospolop wants to merge 1 commit into
masterfrom
update_How_to_Bypass_mTLS_on_Android_with_Frida_4dc066fc51577140

Conversation

@carlospolop

Copy link
Copy Markdown
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

The post demonstrates a practical Android mTLS interception technique using Frida, Burp Suite, jadx, and OpenSSL. The attack does not break TLS, ECDSA, PBKDF2, or PKCS12 encryption. Instead, it abuses an architectural weakness: the client private key is generated as an exportable software JCE key and must eventually be decrypted and loaded into JVM memory for every mTLS request.

Security model and why mTLS is harder than normal TLS interception: in standard TLS, only th...

🔧 Technical Details

TrustManager-only pinning bypass for mTLS apps: when an Android app initializes TLS through SSLContext.init(KeyManager[], TrustManager[], SecureRandom), server certificate validation and client certificate presentation are controlled separately. A Frida hook can replace only the TrustManager[] with a custom X509TrustManager whose checkServerTrusted() accepts all chains, while leaving the original KeyManager[] intact. This allows the app to trust a proxy certificate without removing the client certificate required for the mTLS handshake.

Runtime extraction defeats strong at-rest PKCS12 protection: a PKCS12 file protected by a device-derived PBKDF2 password can still be compromised if the application later decrypts it in process memory. Hook the method or constructor that receives the decrypted KeyStore, alias, and password. From there, log the live password, extract t...

🤖 Agent Actions

Updated:

  • src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md

Added concise new content for:

  • mTLS-specific Frida interception
    • preserve KeyManager[]
    • replace only TrustManager[]
  • Runtime extraction of client cert/private key
    • hook decrypted KeyStore reload path
    • use getEncoded() as quick exportability triage
    • convert dumped material into Burp-compatible PFX
  • Early enrollment hook points
    • KeyPairGenerator.generateKeyPair()
    • KeyStore.setKeyEntry()

Also updated the file’s References section with:

  • the Medium blog
  • the demo repo

I chose not to create a new file because this fits best in the existing Android Frida / SSL pinning bypass page and was not already documented there.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop

Copy link
Copy Markdown
Collaborator Author

🔗 Additional Context

Original Blog Post: https://kiratliygt.medium.com/how-to-bypass-mtls-on-android-with-frida-45c5e71373e8

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting -> Android Applications Pentesting -> Android Anti Instrumentation And Ssl Pinning Bypass, or a new subsection for Android mTLS Bypass / Client Certificate Extraction with Frida".

Repository Maintenance:

  • MD Files Formatting: 981 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant