Patching Applications (for Breaking SSL Pinning)
Automatically With Objection
  1. Patch the apk with Frida:
    objection patchapk --source app_name.apk
  2. The Activity that loads frida-gadget.so can be specified with the -t flag. When Objection is not able to patch an apk with a particular Activity, try a different one, e.g.:
    objection patchapk --source app_name.apk -t com.package.MainActivity
  3. Uninstall the unpatched version.
  4. Install the patched version on the emulator or physical device.
  5. After it's installed, start Objection:
    objection explore
  6. Activate the SSL pinning disable module:
    android sslpinning disable
  7. Intercept the requests in clear text with Burp Suite.
App Split Into Several APK Files
There's a tool on GitHub called patch-apk that bundles split apks together.
  1. Pull all apks into the local directory with:
    adb pull
  2. Patch the base apk:
    objection patchapk -s base.apk --use-aapt2
  3. Sign all other apks in the same way:
    objection signapk split_config.en.apk
    objection signapk split_config.es.apk
    objection signapk split_config.x86.apk
    objection signapk split_config.xxhdpi.apk
  4. Uninstall the unpatched app from the phone.
  5. Install the app from the multiple patched apks with:
    adb install-multiple base.objection.apk split_config.en.objection.apk split_config.es.objection.apk split_config.x86.objection.apk split_config.xxhdpi.objection.apk
Common Issue: Can’t Decode Resources
When running objection patchapk against newer applications written in Kotlin, we sometimes face the following error: "invalid resource directory name". This can happen because newer Kotlin applications use aapt version 2 instead of the default aapt version 1.
Fix: Specify the aapt version in the Objection command:
objection patchapk -s blah.apk --use-aapt2
Sometimes Objection does not work. When it doesn't, we can go ahead and embed Frida manually.
Patching Applications Manually
Note: If you only want to change the code of the .smali files that implement certificate pinning, in order to bypass it without embedding Frida, skip steps 2-5 and make that code change in step 6 instead of loading the frida-gadget library.
  1. Decompile the source code:
    apktool d -r app_name.apk
  2. Download frida-gadget for the CPU architecture of your Android emulator from the Frida releases page, e.g. the x86_64 build for an x86_64 emulator.
  3. Unzip the file and rename it to frida-gadget.so.
  4. Copy frida-gadget.so into the Android app under lib/CPUArch_For_Your_Device/.
  5. If the names of the other .so files in the lib folder start with lib, rename our file to libfrida-gadget.so.
  6. Add a reference to frida-gadget in the SMALI code of a known exported or otherwise accessible Activity (usually MainActivity.smali or OnboardingActivity.smali, typically the launcher Activity). Note that invoke-static takes its registers in braces:
    const-string v0, "frida-gadget"
    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
  7. Recompile the application (folder_of_decompiled_code is the folder apktool produced in step 1):
    apktool b folder_of_decompiled_code -o recompiled_apk_name.apk
  8. Sign and zipalign the app with the latest version of uber-apk-signer:
    java -jar uber-apk-signer-1.3.0.jar --apks recompiled_apk_name.apk
  9. Install the new signed apk:
    adb -H IP_FROM_HOST_RUNNING_ADB_SERVER -P 5037 install app-release-aligned-debugSigned.apk
  10. After it's installed, launch the app and, when it blocks on startup, start Objection:
    objection explore
  11. Activate the SSL pinning disable module:
    android sslpinning disable
  12. Intercept the requests in clear text with Burp Suite.
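Both routes above (objection patchapk and the manual steps) leave the same two artifacts in the repackaged app: a (lib)frida-gadget.so under lib/<abi>/ and the const-string/loadLibrary pair from step 6 in an Activity's smali. The following script is an added example, not part of this page or of Objection, that checks an APK and a smali file for exactly those artifacts so that a build pipeline or app-integrity review can flag a repackaged build; the sample APK and smali it scans are constructed inline, and the regexes assume the naming the steps above describe.

```python
import io
import re
import zipfile

# Native library names the gadget ends up with after steps 4/5 (or objection patchapk).
GADGET_LIB_RE = re.compile(r"^lib/[^/]+/(?:lib)?frida-gadget\.so$")
# The two-instruction smali pattern from step 6: const-string vN, "frida-gadget"
# followed by invoke-static {vN}, Ljava/lang/System;->loadLibrary(...)V.
SMALI_LOAD_RE = re.compile(
    r'const-string\s+(v\d+),\s*"frida-gadget"\s+'
    r"invoke-static\s+\{?\1\}?,\s*Ljava/lang/System;->loadLibrary\(Ljava/lang/String;\)V"
)

# Constructed sample smali, shaped like a patched launcher Activity's <clinit>.
SAMPLE_SMALI = """\
.method static constructor <clinit>()V
    .locals 1
    const-string v0, "frida-gadget"
    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
    return-void
.end method
"""


def find_gadget_libs(apk_bytes: bytes) -> list[str]:
    """Return every lib/<abi>/ entry in the APK zip whose name matches the gadget."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return sorted(n for n in zf.namelist() if GADGET_LIB_RE.match(n))


def smali_loads_gadget(smali_source: str) -> bool:
    """True if the smali text wires in the gadget the way step 6 does."""
    return SMALI_LOAD_RE.search(smali_source) is not None


def build_sample_apk(with_gadget: bool) -> bytes:
    """Constructed stand-in APK: a zip with placeholder entries, no real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"placeholder")
        zf.writestr("lib/x86_64/libnative.so", b"placeholder")
        if with_gadget:
            zf.writestr("lib/x86_64/libfrida-gadget.so", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print("gadget libs:", find_gadget_libs(build_sample_apk(True)))
    print("smali loads gadget:", smali_loads_gadget(SAMPLE_SMALI))
```

To scan a real build, pass the bytes of the APK to find_gadget_libs and the contents of each file under the apktool output's smali*/ directories to smali_loads_gadget.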