)
Frida/Objection 实战手动Hook 3类SSL Pinning实现在移动安全测试中SSL Pinning证书绑定是最常见的防抓包手段之一。与直接使用JustTrustMe等现成工具不同本文将深入OkHttp、X509TrustManager和CertificatePinner三种主流实现方式通过Frida/Objection编写精准Hook脚本提供更灵活的绕过方案。1. SSL Pinning技术原理与分类SSL Pinning的核心思想是将服务器证书或公钥预先内置在客户端建立连接时对比校验。根据实现方式可分为三类网络框架层校验以OkHttp为代表的框架内置校验逻辑证书管理器校验通过X509TrustManager自定义验证逻辑证书固定校验使用CertificatePinner进行公钥指纹匹配// 典型SSL Pinning实现示例 OkHttpClient client new OkHttpClient.Builder() .certificatePinner(new CertificatePinner.Builder() .add(example.com, sha256/AAAAAAAA...) .build()) .sslSocketFactory(sslSocketFactory, trustManager) .build();三种方式的对比如下类型实现位置校验粒度典型特征OkHttp校验网络框架层域名级别使用OkHttpClient.BuilderX509TrustManager证书验证层证书链实现checkServerTrusted方法CertificatePinner公钥指纹层公钥哈希配置sha256/前缀的指纹2. OkHttp校验的Hook方案OkHttp的校验通常通过SSLSocketFactory和TrustManager实现。通过Frida Hook关键类方法// Hook OkHttpClient.Builder的sslSocketFactory方法 Java.perform(function() { var OkHttpClient_Builder Java.use(okhttp3.OkHttpClient$Builder); OkHttpClient_Builder.sslSocketFactory.overload( javax.net.ssl.SSLSocketFactory, javax.net.ssl.X509TrustManager ).implementation function(factory, manager) { console.log([] Bypassing OkHttp SSL verification); // 替换为空的TrustManager var TrustManager Java.registerClass({ name: com.example.BypassTrustManager, implements: [Java.use(javax.net.ssl.X509TrustManager)], methods: { checkClientTrusted: function(chain, authType) {}, checkServerTrusted: function(chain, authType) {}, getAcceptedIssuers: function() { return []; } } }); return this.sslSocketFactory(factory, TrustManager.$new()); }; });关键Hook点okhttp3.OkHttpClient.Builder的sslSocketFactory方法替换原TrustManager为空实现保持原始SSLSocketFactory不变3. X509TrustManager的Hook方案自定义TrustManager是Android中最常见的校验方式核心方法是checkServerTrustedJava.perform(function() { var X509TrustManager Java.use(javax.net.ssl.X509TrustManager); // Hook系统TrustManager X509TrustManager.checkServerTrusted.implementation function(chain, authType) { console.log([] Bypassing X509TrustManager verification); return; // 直接跳过验证 }; // Hook自定义TrustManager Java.enumerateClassLoaders({ onMatch: function(loader) { try { var customManager loader.loadClass(com.example.CustomTrustManager); Java.use(customManager.getName()).checkServerTrusted.implementation function() { console.log([] Bypassing custom TrustManager); }; } catch(e) {} }, onComplete: function() {} }); });应对策略全局Hook系统X509TrustManager动态扫描自定义TrustManager实现使用Objection的android sslpinning disable命令4. CertificatePinner的Hook方案CertificatePinner通过比对公钥指纹实现校验需Hook其校验逻辑Java.perform(function() { var CertificatePinner Java.use(okhttp3.CertificatePinner); CertificatePinner.check.overload( java.lang.String, java.util.List ).implementation function(hostname, pins) { console.log([] Bypassing CertificatePinner for ${hostname}); return; // 跳过指纹校验 }; // 针对新版OkHttp的Hook CertificatePinner.check$okhttp.overload( java.lang.String, [Ljava.security.cert.Certificate; ).implementation function() { console.log([] Bypassing OkHttp3.14 CertificatePinner); }; });注意事项OkHttp 3.x与4.x的API差异多域名配置情况下的处理备用指纹(fallback pins)的绕过5. 综合防护的应对策略当应用同时采用多种防护手段时需要组合Hook方案层级化Hook顺序先处理CertificatePinner再处理自定义TrustManager最后处理网络框架层校验Objection自动化脚本objection -g com.example.app explore -s android sslpinning disable典型防护组合的Hook方案防护组合需Hook的类/方法工具推荐OkHttp CertificatePinOkHttpClient.Builder, CertificatePinnerFrida ObjectionApacheHttp TrustManagerSSLSocketFactoryImpl, X509TrustManagerFrida独立脚本双向认证KeyManagerFactory, ClientAuthType需导出客户端证书6. 实战案例与排错指南案例1某金融App的复合校验// Hook链式调用 Java.perform(function() { // 第一层CertificatePinner var CertPinner Java.use(okhttp3.CertificatePinner); CertPinner.check.overload(java.lang.String, java.util.List).implementation function() {}; // 第二层自定义TrustManager Java.enumerateLoadedClasses({ onMatch: function(className) { if (className.includes(SecurityManager)) { var clazz Java.use(className); if (clazz.checkServerTrusted) { clazz.checkServerTrusted.implementation function() {}; } } }, onComplete: function() {} }); // 第三层WebView校验 var WebViewClient Java.use(android.webkit.WebViewClient); WebViewClient.onReceivedSslError.implementation function(view, handler, error) { handler.proceed(); // 忽略SSL错误 }; });常见问题排查Hook不生效检查类名是否混淆使用jadx分析确认Hook时机尽早注入验证Frida版本兼容性应用崩溃避免修改方法返回值类型保持原始参数传递使用try-catch包裹关键操作检测Frida使用非常规端口-l 参数替换Frida-server文件名采用静态编译的注入工具建议的测试流程使用Burp/Charles确认基础代理拦截逐步启用各级Hook脚本通过日志观察校验绕过情况最后处理证书加密和签名校验对于最新Android版本的适配要点Android 10的证书存储位置变化非Root环境下使用frida-gadget注入应对证书透明化(CT)校验处理强化后的JNI保护机制通过理解各层校验原理并编写针对性Hook脚本可以构建比通用工具更精准的解决方案。实际测试中建议先静态分析确定防护方案再动态验证Hook效果最后形成自动化测试脚本。