How to Bypass mTLS on Android with Frida#2499
Open
carlospolop wants to merge 1 commit into
Open
Conversation
Collaborator
Author
🔗 Additional ContextOriginal Blog Post: https://kiratliygt.medium.com/how-to-bypass-mtls-on-android-with-frida-45c5e71373e8 Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting -> Android Applications Pentesting -> Android Anti Instrumentation And Ssl Pinning Bypass, or a new subsection for Android mTLS Bypass / Client Certificate Extraction with Frida". Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
The post demonstrates a practical Android mTLS interception technique using Frida, Burp Suite, jadx, and OpenSSL. The attack does not break TLS, ECDSA, PBKDF2, or PKCS12 encryption. Instead, it abuses an architectural weakness: the client private key is generated as an exportable software JCE key and must eventually be decrypted and loaded into JVM memory for every mTLS request.
Security model and why mTLS is harder than normal TLS interception: in standard TLS, only th...
🔧 Technical Details
TrustManager-only pinning bypass for mTLS apps: when an Android app initializes TLS through
SSLContext.init(KeyManager[], TrustManager[], SecureRandom), server certificate validation and client certificate presentation are controlled separately. A Frida hook can replace only theTrustManager[]with a customX509TrustManagerwhosecheckServerTrusted()accepts all chains, while leaving the originalKeyManager[]intact. This allows the app to trust a proxy certificate without removing the client certificate required for the mTLS handshake.Runtime extraction defeats strong at-rest PKCS12 protection: a PKCS12 file protected by a device-derived PBKDF2 password can still be compromised if the application later decrypts it in process memory. Hook the method or constructor that receives the decrypted
KeyStore, alias, and password. From there, log the live password, extract t...🤖 Agent Actions
Updated:
src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.mdAdded concise new content for:
KeyManager[]TrustManager[]KeyStorereload pathgetEncoded()as quick exportability triagePFXKeyPairGenerator.generateKeyPair()KeyStore.setKeyEntry()Also updated the file’s References section with:
I chose not to create a new file because this fits best in the existing Android Frida / SSL pinning bypass page and was not already documented there.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.