(click and switch site mode)
[Android] what is this "native library"?
native library hooking / TikTok SSL Unpinning
We can use libraries written in C/C++ languages with the help of JNI in our Android applications. Although not often used in simple market applications, many large applications require external JNI libraries.
With the help of the Android NDK, we can develop libraries for our applications written in C/C++ other than Java.
JNI libraries end with ".so" and are usually located in the "lib" folder in the "data" folder of our application (I will talk about exceptions in the article).
I targeted application TikTok (but i still hate this app) and targeted bypass SSL pinning. I will all details for native libraries explain on this app.
When I go to the data directory of my application and list the files, as you can see in the picture, our lib folder welcomes us.
Here, showing another directory with an arrow next to the lib folder indicates that a symlink has been made to that directory. So our actual directory is actually the directory specified there.
Let's list the "lib" folder.
As you see we have too many .so files (native libraries). So, we was targeted SSL pinning bypass. So first we need to find the right library (.so file).
For this have too many methods but i explain my finding methods.
We are searching SSL pinning libraries. I always starting search some string in lib folder. This strings contains SSL function names.
When some libraries are searched on google, we come across many results about what they do. But if libraries are special coding you're not find google or anyplace.
so i think most clearly method is string search method. let's search SSL library.
We came up with a few results. ffmpeg and crypto are not the libraries we're looking for. After removing the libraries that are not useful to us, we have 2-3 libraries left.
I searched library names on google and i saw some guys cracked "libsscronet.so" before me. but cracked library version is too old version. so I priority on "libsscronet.so".
We are analysed remaining libraries on ghidra.
After ghidra finished decompile process we are searched potential target functions.
I searched SSL prefix and i saw library have too many ssl functions. if we want to bypass ssl pinning, we change certificate verify flow.
We have 2 options to find the right block.
Firstly, we search certificate error message and find code block run when the certificate doesnt match my proxy certificate.
Secondly, we search ssl function names on ssl verify block. Because library needed this functions for validate my certificate.
I prefer second method for this application. Because i was search ssl prefix and i saw SSL_CTX_set_custom_verify function.
If we take a closer look at this function, you will understand why I chose this method.
This function is under certificate verification in the official documentation. I think we found true function!
We should examine a little more.
After a long search on the internet, I found a small script and edited it myself. This little script helps us to list the functions we want for our target library.
Let's run it and see.
You can access the script here; https://github.com/Ahmeth4n/android-frida-script-archive/blob/main/list_library_modules.js
Result:
Instead of using this script, we could also trace with the jnitrace (https://github.com/chame1eon/jnitrace) tool.
Let's trace and see the result;
I think we're pretty sure we're in the right place now. Let's go back to Ghidra and examine it in more detail.
This method have 3 parameters.
First parameter is client_ctx.get() client context variable.
Second parameter is SSL_VERIFY_PEER it is the parameter that provides the certificate control and does not perform the connection if it is invalid.
Last parameter is &UNK(bla bla bla), callback address.
Finally, I open the library in IDA to view it in detail. (no reason, I like it :X)
Find same function and press F5 show pseudo code.
If you want to review the original document, you can get detailed information by searching
verify cert function on the page at https://boringssl.googlesource.com/boringssl/+/master/ssl/ssl_test.cc.
this code block is "gamechanger". because all operations will proceed according to the value to be returned here.
If this method returns 1, we cannot block application traffic. We need to set the operation of this block to work in reverse.
The function must end with return 0;
When we view this part from the hex editor, we change the value of 01 20, which corresponds to the value of 1, to 00 20 (if it does not work, 00 00).
And the result:
now function return 0 and the game over..
it was a long post. Since I had to take breaks while writing, I hope there was not a part that I missed or explained wrong.
See you.