
So I'm trying to debug this specific app:

https://sahibinden-com.tr.uptodown.com/android

To debug I'm using Frida, Genymotion and this script to unpin the certificate: https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/

Since I'm using Android 11, I've installed the Burp certificate as described in this blog post: https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/

The issue I'm facing is that when I change the proxy settings of the phone to the local address for Burp, I get this error:

[screenshot of the error]

I've tried removing the certificate manually and with various tools like apk-mitm, with no success. I also reset the emulator and tried other versions, with no success.

Here is the classes7.dex file which includes the CertPinenr class: https://codefile.io/f/QQccFcGxnN79IBav3TeM

EDIT:

I've just realized that if I run the same request in a Python script, no error appears; it only fails when the app makes the request.

curl -i -s -k -X $'GET' \
    -H $'X-Device-Descriptor-Id: Yjk0N2MyYzRkMDhlZDY2Mg' -H $'User-Agent: Sahibinden-Android/4.64.1 (1235; Android 11; Samsung Galaxy S7)' -H $'x-api-key: 51999c399f7cfe43b3bf8c42b2bd002a5b57573b070420923bf952cf98ae3847' -H $'X-Search-Type: LAST_SEARCH/LAST_SEARCH_HOME_PAGE/LIST' -H $'x-client-profile: Generic_v2.1' -H $'x-device-id: c9b0c08c9272406687a3eb586b789657' -H $'x-timestamp: 1680793480176' -H $'x-api-hash: 81B935CCD59E8E8E166FFB2E2DF19DA7ACBA123D' -H $'X-Activity-Session-Id: 0b9e3168-de1b-43e0-8759-ec95d857cb1b' -H $'x-language: tr' -H $'Content-Type: application/json; charset=utf-8' -H $'Host: k8tmllapi.sahibinden.com' -H $'Connection: Keep-Alive' -H $'Accept-Encoding: gzip, deflate' \
    $'https://k8tmllapi.sahibinden.com/sahibinden-ral/rest/classifieds/showcase/homepage?language=tr'

This request gives me a successful response when run through Python; in the app I'm getting this response:

{"success":false,"errorCode":"14002","error":{"code":"CFXBNDKA-0406","prefix":null,"name":null,"description":"Cihazınızdan ya da bağlı olduğunuz ağdan sitemize olağan dışı (otomatik) erişim yapılmaya çalışıldığını görüyoruz. Şu anda talebinizi gerçekleştiremiyoruz, kısa bir süre sonra tekrar deneyebilirsiniz.","message":"Olağan dışı erişim tespit ettik...","trace":null,"clientMessage":"Cihazınızdan ya da bağlı olduğunuz ağdan sitemize olağan dışı (otomatik) erişim yapılmaya çalışıldığını görüyoruz. Şu anda talebinizi gerçekleştiremiyoruz, kısa bir süre sonra tekrar deneyebilirsiniz."}}
GoekhanDev
  • Have you tested if the Burp certificate works correctly in other apps? Try simple non-Google apps. Apps like Chrome and Firefox are also bad for testing. – Robert Apr 06 '23 at 09:40
  • Note that the referenced Frida anti-pinning script can only work for known HTTP libraries. Some of those libraries are not included in the Android OS but in the app, and therefore can be obfuscated so that the script can no longer identify them (the app contains a lot of obfuscated classes; see `defpackage` in Jadx). Or the app authors have simply implemented their own pinning solution that is unknown to the unpinning script. – Robert Apr 06 '23 at 10:24
  • Works on different apps flawlessly. The app is obfuscated, yes; it seems to have a normal pinning solution, I saw nothing unique. I'm really confused, they might have a proxy detection kind of thing? It worked once, then it never worked again (same version). @Robert – GoekhanDev Apr 06 '23 at 11:19
  • Yes, a "proxy detection" is partially possible by performing TLS fingerprinting. Service providers like Cloudflare use such techniques, e.g. to detect and reject Python-based clients. Not sure how large the difference is between Java in Burp and the Android Dalvik runtime + Android API. – Robert Apr 06 '23 at 12:03
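As an added illustration of the TLS-fingerprinting point raised in the last comment (example code, not from the question or the thread): a JA3-style fingerprint computed from two constructed ClientHello records, one with an app-like cipher and extension order and one with a proxy-like order that includes GREASE values. All cipher, group and extension values below are made up for the example; a server doing this kind of detection would read the real ClientHello from the client's first TLS record.

```python
import hashlib
import struct

GREASE = {0x0a0a + 0x1010 * i for i in range(16)}  # 0x0a0a .. 0xfafa: random noise that JA3 drops


def build_client_hello(version, ciphers, exts):
    """Assemble a minimal ClientHello record; exts is a list of (type, payload)."""
    ext_blob = b"".join(struct.pack("!HH", t, len(p)) + p for t, p in exts)
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"        # version, random, no session id
            + struct.pack("!H", 2 * len(ciphers)) + struct.pack(f"!{len(ciphers)}H", *ciphers)
            + b"\x01\x00"                                            # one compression method: null
            + struct.pack("!H", len(ext_blob)) + ext_blob)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs         # record type 22 = handshake


def ja3(record):
    """Return the JA3 string and its MD5 digest for one ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    version = struct.unpack_from("!H", record, 9)[0]                 # after record (5) + handshake (4) headers
    pos = 9 + 2 + 32                                                 # skip version and client random
    pos += 1 + record[pos]                                           # session id
    n = struct.unpack_from("!H", record, pos)[0]
    ciphers = [c for c in struct.unpack_from(f"!{n // 2}H", record, pos + 2) if c not in GREASE]
    pos += 2 + n
    pos += 1 + record[pos]                                           # compression methods
    ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    exts, groups, formats = [], [], []
    while pos < ext_end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        data = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype in GREASE:
            continue
        exts.append(etype)
        if etype == 10:                                              # supported_groups (curves)
            glen = struct.unpack_from("!H", data)[0]
            groups = [g for g in struct.unpack_from(f"!{glen // 2}H", data, 2) if g not in GREASE]
        elif etype == 11:                                            # ec_point_formats
            formats = list(data[1:1 + data[0]])
    s = ",".join([str(version)] + ["-".join(map(str, v)) for v in (ciphers, exts, groups, formats)])
    return s, hashlib.md5(s.encode()).hexdigest()


# Constructed samples: same request, two TLS stacks with different cipher/extension order.
APP_HELLO = build_client_hello(0x0303, [0x1301, 0x1302, 0xc02b, 0xc02f], [
    (10, b"\x00\x04\x00\x1d\x00\x17"), (11, b"\x01\x00"), (23, b""), (43, b"\x02\x03\x04")])
PROXY_HELLO = build_client_hello(0x0303, [0x1a1a, 0xc02f, 0xc02b, 0x1301], [
    (0x1a1a, b"\x00"), (11, b"\x01\x00"), (10, b"\x00\x04\x00\x17\x00\x1d"), (23, b"")])
```

The two records carry the same request but produce different JA3 digests, which is all a server needs to treat the proxied handshake differently from the app's own TLS stack.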

0 Answers