Encountering SSLPeerUnverifiedException #118

gWcyWoo opened this issue Oct 25, 2024 · 1 comment
gWcyWoo commented Oct 25, 2024

Hi everyone,

I'm encountering an SSLPeerUnverifiedException when executing the command. Additionally, Charles Proxy isn't capturing any data from the client.

I've tried configuring PROXY_HOST with both my actual proxy address and localhost (127.0.0.1) along with setting up port forwarding using 'adb reverse tcp:8000 tcp:8888'. However, both attempts failed - the SSL pinning bypass isn't working, and Charles isn't capturing any client data.

Could anyone help me identify what I'm doing wrong? Thanks in advance!

(im-frida) ➜ frida-interception-and-unpinning git:(main) ✗ frida -U -l ./config.js -l ./native-connect-hook.js -l ./native-tls-hook.js -l ./android/android-proxy-override.js -l ./android/android-system-certificate-injection.js -l ./android/android-certificate-unpinning.js -l ./android/android-certificate-unpinning-fallback.js -f com.wixo.android.music
Frida 16.5.6 - A world-class dynamic instrumentation toolkit
Commands:
help -> Displays the help system
object? -> Display information about 'object'
exit/quit -> Exit
More info at https://frida.re/docs/home/
Connected to Pixel 5 (id=11151FDD400352)
Spawning com.wixo.android.music...

*** Starting scripts ***
== Redirecting all TCP connections to 127.0.0.1:8000 ==
[+] Patched 2 libssl.so verification methods
== Hooked native TLS lib libssl.so ==
Spawned com.wixo.android.music. Resuming main thread!
[Pixel 5::com.wixo.android.music ]-> SOCK_TYPE: unix:dgram
Ignoring unix:dgram connection
== Proxy system configuration overridden to 127.0.0.1:8000 ==
Rewriting <class: sun.net.spi.DefaultProxySelector>
Rewriting <class: java.net.ProxySelector>
Rewriting <class: android.net.PacProxySelector>
== Proxy configuration overridden to 127.0.0.1:8000 ==
[+] Injected cert into com.android.org.conscrypt.TrustedCertificateIndex
[ ] Skipped cert injection for org.conscrypt.TrustedCertificateIndex (not present)
[ ] Skipped cert injection for org.apache.harmony.xnet.provider.jsse.TrustedCertificateIndex (not present)
== System certificate trust injected ==

=== Disabling all recognized unpinning libraries ===

[+] javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier
[+] javax.net.ssl.HttpsURLConnection setSSLSocketFactory
[+] javax.net.ssl.HttpsURLConnection setHostnameVerifier
[+] javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
[ ] com.android.org.conscrypt.CertPinManager isChainValid
[+] com.android.org.conscrypt.CertPinManager checkChainPinning
[+] android.security.net.config.NetworkSecurityConfig $init() (0)
[+] android.security.net.config.NetworkSecurityConfig $init() (1)
[+] com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
[+] com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] okhttp3.CertificatePinner *
[ ] com.squareup.okhttp.CertificatePinner *
[ ] com.datatheorem.android.trustkit.pinning.PinningTrustManager *
[ ] appcelerator.https.PinningTrustManager *
[ ] nl.xservices.plugins.sslCertificateChecker *
[ ] com.worklight.wlclient.api.WLClient *
[ ] com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning *
[ ] com.worklight.androidgap.plugin.WLCertificatePinningPlugin *
[ ] com.commonsware.cwac.netsecurity.conscrypt.CertPinManager *
[ ] io.netty.handler.ssl.util.FingerprintTrustManagerFactory *
[ ] com.silkimen.cordovahttp.CordovaServerTrust *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyHostnameVerifier *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyTrustManager *
== Certificate unpinning completed ==
== Unpinning fallback auto-patcher installed ==
*** Scripts completed ***

Ignoring attempt to override http.proxyHost system property
Ignoring attempt to override https.proxyHost system property
Ignoring attempt to override http.proxyPort system property
Ignoring attempt to override https.proxyPort system property
Ignoring attempt to override http.nonProxyHosts system property
Ignoring attempt to override https.nonProxyHosts system property
=> android.security.net.config.NetworkSecurityConfig $init() (0)
=> android.security.net.config.NetworkSecurityConfig $init() (0)
SOCK_TYPE: unix:stream
Ignoring unix:stream connection
SOCK_TYPE: unix:stream
Ignoring unix:stream connection
SOCK_TYPE: unix:stream
Ignoring unix:stream connection
=> com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
SOCK_TYPE: tcp6
Port: 8000
SOCK_TYPE: unix:stream
Ignoring unix:stream connection
SOCK_TYPE: unix:stream
Ignoring unix:stream connection
Connected tcp6 fd 90 to {"ip":"::ffff:127.0.0.1","port":8000} (-1)
SOCK_TYPE: unix:stream
Ignoring unix:stream connection
SOCK_TYPE: unix:stream
Ignoring unix:stream connection
=> javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
=> javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
=> javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
=> javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
=> javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
SOCK_TYPE: unix:stream
Ignoring unix:stream connection

!!! --- Unexpected TLS failure --- !!!
SSLPeerUnverifiedException: No peer certificates
Thrown by com.android.org.conscrypt.ActiveSession->checkPeerCertificatesPresent
[ ] Unrecognized TLS error - this must be patched manually
=> com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)

gWcyWoo changed the title from "why SSLPeerUnverifiedException asien" to "Encountering SSLPeerUnverifiedException" on Oct 25, 2024

pimterry (Member) commented

> Additionally, Charles Proxy isn't capturing any data from the client.

Does that mean it doesn't show anything, or it just doesn't show the intercepted data?

I'm not that familiar with Charles - does it normally show failed TLS connections? If not, you might want to test with HTTP Toolkit or Wireshark or anything else which lets you see incoming TLS connections that don't complete. The key is to differentiate between "connection doesn't reach the proxy" and "connection reaches the proxy, but then fails because it doesn't trust the certificate" (of course, if Charles is showing you that clearly then that's fine, I'm just not clear from your explanation which is happening).

In the former case, where no traffic reaches the proxy at all, that definitely means your proxy address or tunnelling isn't working. This is mainly just a question of confirming the address & port and potentially the tunnel params, nothing else is involved. Note that some enterprise and/or public wifi networks won't let you route traffic directly between peers, which would cause issues with this. You can check the proxy URL by just opening the address in a browser on the target device - you should see something appear at the proxy.

In the latter case, where connections arrive but aren't trusted, that's more complex. From the logs it looks like this is coming from Conscrypt, which is normally handled by the com.android.org.conscrypt.TrustedCertificateIndex hook - this index is used inside Conscrypt's certificate validation, and the hook effectively pre-installs your CA in the trusted cache for everything there. I haven't seen any cases like this where that fails... This might be due to something else about your system configuration but it's hard to know.

From the output it does look like some other hooks are active; are you seeing at least some traffic being intercepted successfully? If not, it might be that your CA config is actually just incorrect - even if one hook is failing, I'd expect something to work correctly and let you intercept some bits of traffic.

If that is your main issue, and you're sure the config is correct, as a next step I'd suggest testing this in a fresh standard emulator, to check if it's a device issue, and then doing some reverse engineering into the app itself to see if it's doing anything unusual related to these Conscrypt APIs that maybe isn't being handled correctly (https://httptoolkit.com/blog/android-reverse-engineering/ might be useful, if you're not familiar with doing this yourself).
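To separate "nothing reaches the proxy" from "the connection arrives but the client then rejects the certificate", as the reply above suggests, here is an added diagnostic (example code written for this thread, not part of the issue or the project): a plain TCP listener on the redirect port that parses the first bytes it receives as a TLS ClientHello and reports the SNI the app asked for. Port 8000 and the constructed sample ClientHello are assumptions.

```python
import socket
import struct
TLS_HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME = 0x16, 0x01, 0x0000

def parse_client_hello(data: bytes) -> "dict | None":
    """Return {'version', 'sni'} if data starts with a TLS ClientHello record, else None."""
    try:
        if data[0] != TLS_HANDSHAKE or data[5] != CLIENT_HELLO:
            return None
        version = (data[9], data[10])                # client_version, after 5+4 header bytes
        pos = 11 + 32                                # skip the 32-byte random
        pos += 1 + data[pos]                         # session_id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + data[pos]                         # compression_methods
        sni = None
        if pos + 2 <= len(data):                     # extensions block is optional
            pos, end = pos + 2, pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
            while pos + 4 <= min(end, len(data)):
                ext_type, length = struct.unpack("!HH", data[pos:pos + 4]); pos += 4
                if ext_type == EXT_SERVER_NAME:      # list_len(2) name_type(1) name_len(2) name
                    name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                    sni = data[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
                pos += length
        return {"version": version, "sni": sni}
    except (IndexError, struct.error):
        return None

def build_client_hello(host: str) -> bytes:
    """Constructed sample: minimal TLS 1.2 ClientHello with one cipher suite and an SNI extension."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00" + struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def watch_port(port: int = 8000, timeout: float = 30.0) -> str:
    """Listen where the hooks redirect traffic and report whether a ClientHello ever arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port)); srv.listen(5); srv.settimeout(timeout)
        try:
            conn, peer = srv.accept()
        except socket.timeout:
            return f"nothing reached port {port} in {timeout}s: check the proxy address/port or the adb tunnel"
        with conn:
            conn.settimeout(5); hello = parse_client_hello(conn.recv(4096))
    if hello is None:
        return f"{peer[0]} connected to port {port} but did not send a TLS ClientHello"
    return f"{peer[0]} sent a ClientHello for {hello['sni']}: traffic arrives, so a later failure is a trust problem"
```

Run `watch_port()` on the machine the `adb reverse` tunnel points at while the app starts; if a ClientHello with the expected SNI shows up, the proxy address and tunnel are fine and the remaining problem is certificate trust on the device.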
