Setup HTTP Toolkit, Frida, and LDPlayer to Monitor SSL Certificate Pinned Android Apps

Aaron Lin


February 19, 2023


Prerequisites

  • Python
  • 7zip

For more context, this tutorial follows steps similar to this post, originally from HttpToolkit blogspot, but on Windows.

The end goal of this tutorial is to be able to inspect the HTTPS requests of an Android app that uses SSL certificate pinning.

LDPlayer9 Installation


First, we're going to need an Android emulator.

Download and install LDPlayer9 OR use the direct download link

Open the emulator, and it should look like this when started, minus the apps I have already installed

Once you have it installed, go to the Settings page under the gear icon on the right side menu. It should open up to a screen like this

Under Other settings, set the following options:

Root permission: Enable
ADB debugging: Open local connection

Click Save settings and it'll ask you to restart the emulator

Finally, drag and drop your .apk file anywhere onto the emulator screen.
Once it appears on your home screen, open the application.

Frida


TL;DR: Frida allows us to bypass SSL certificate pinning

Clone this repository: https://github.com/httptoolkit/frida-android-unpinning

bash
git clone git@github.com:httptoolkit/frida-android-unpinning.git

Change directory into the cloned repository

bash
cd frida-android-unpinning

Create a virtual environment

bash
python -m venv frida

Activate the virtual environment

bash
frida\Scripts\activate.bat

Install frida-tools

bash
pip install frida-tools

Make sure frida-tools was installed by running frida-ps

bash
frida-ps

ADB Tools


Install SDK Platform-Tools for Windows from this link

Double check that it installed and is working properly

bash
adb

Frida Server


Download the Frida Android server from here, or check https://github.com/frida/frida/releases for the most up-to-date version.

The current version as of this tutorial is 16.0.10.
We're using the x86_64 version because we're going to be using LDPlayer9 on Windows.

Unzip the .xz file using 7zip.
Drop the unzipped file into the frida-android-unpinning folder.

It should look like the following after everything

Make sure your emulator is visible

bash
adb devices -l

Restart the ADB daemon on the emulator as root

bash
adb root

Push the Frida server binary to the emulator

bash
adb push frida-server-16.0.10-android-x86_64 /data/local/tmp/frida-server

Make it executable

bash
adb shell "chmod 755 /data/local/tmp/frida-server"

Start the Frida server. You shouldn't see any errors if it started correctly

bash
adb shell "/data/local/tmp/frida-server &"

Open up another terminal

Find the app identifier after opening the app

bash
frida-ps -U -a

In my case, it is com.p1.mobile.putong. Now run the following command:

bash
frida -U -l ./frida-script.js -f com.p1.mobile.putong
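
A preflight check for the steps above, as an added example that is not part of the original tutorial: it confirms the emulator is visible to ADB and that the frida-server file matches both the device ABI and the installed Frida client version. It assumes the client and server versions should match; the function names and the sample ADB output are constructed for illustration.

```python
import subprocess

# Constructed sample of `adb devices -l` output (not captured from a real run).
SAMPLE_DEVICES = """List of devices attached
emulator-5554          device product:sample model:sample transport_id:1
emulator-5556          unauthorized transport_id:2
"""

# Device ABI (ro.product.cpu.abi) -> arch suffix in frida-server file names.
ABI_TO_ARCH = {"x86_64": "x86_64", "x86": "x86",
               "arm64-v8a": "arm64", "armeabi-v7a": "arm"}

def parse_adb_devices(output):
    """Parse `adb devices -l` output into {serial: state}."""
    devices = {}
    for line in output.splitlines():
        parts = line.split()
        # Skip the header, blank lines and "* daemon ..." start-up messages.
        if len(parts) < 2 or line.startswith(("List of devices", "*")):
            continue
        devices[parts[0]] = parts[1]
    return devices

def expected_server_file(abi, frida_version):
    """File name of the unpacked frida-server matching device ABI and client."""
    arch = ABI_TO_ARCH.get(abi.strip())
    if arch is None:
        raise ValueError(f"unsupported ABI: {abi!r}")
    return f"frida-server-{frida_version.strip()}-android-{arch}"

def preflight(devices_output, abi, frida_version, local_file):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    states = parse_adb_devices(devices_output)
    if "device" not in states.values():
        problems.append(f"no emulator in 'device' state: {states}")
    want = expected_server_file(abi, frida_version)
    if local_file != want:
        problems.append(f"frida-server mismatch: have {local_file}, need {want}")
    return problems

def run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    print(preflight(run(["adb", "devices", "-l"]),
                    run(["adb", "shell", "getprop", "ro.product.cpu.abi"]),
                    run(["frida", "--version"]),
                    "frida-server-16.0.10-android-x86_64"))
```

Run it from the activated virtual environment with the emulator open; the last argument is the name of the unzipped file you dropped into the folder.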

HTTP Toolkit


Install the community edition of HTTP Toolkit: https://httptoolkit.com/download/win-exe/

It should automatically start downloading

Once installed it should look like this

Click Android device via ADB

Go to LDPlayer9, and allow the connection to be made

Open the app you want to monitor traffic for again

Finally, you should see the requests populate in HTTP Toolkit

Shortened Steps After Installation


Open LDPlayer9

Open HTTP Toolkit

Click Android device via ADB

Open up a terminal and change directory into the cloned repository

bash
cd frida-android-unpinning

Restart the ADB daemon on the emulator as root

bash
adb root

Start the Frida server

bash
adb shell "/data/local/tmp/frida-server &"

Open up another terminal

Activate the virtual environment

bash
frida\Scripts\activate.bat

Find the app identifier after opening the app

bash
frida-ps -U -a

Run the Frida script against the app

bash
frida -U -l ./frida-script.js -f com.p1.mobile.putong

Monitor traffic

Troubleshooting


If Frida stopped unexpectedly and the address is already in use when you try to start the server again, run the following command. It starts a shell inside the Android emulator, kills the process tied to frida-server, and then exits.

bash
adb shell "ps -e | grep frida-server | awk '{print $2}' | xargs kill -9 && exit"

If you're getting this error:

Failed to spawn: need Gadget to attach on jailed Android; its default location is: C:\Users\Aaron\AppData\Local\Microsoft\Windows\INetCache\frida\gadget-android-arm64.so

You haven't started the Frida server

bash
adb root

bash
adb shell "/data/local/tmp/frida-server &"