Merge pull request #1916 from HackTricks-wiki/research_update_src_mobile-pentesting_android-app-pentesting_android-anti-instrumentation-and-ssl-pinning-bypass_20260219_024214

Research Update Enhanced src/mobile-pentesting/android-app-p...

Author: carlospolop

src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md

@@ -23,6 +23,14 @@ Many apps only look for obvious indicators (su/Magisk paths/getprop). DenyList o
 References:
 - Magisk (Zygisk & DenyList): https://github.com/topjohnwu/Magisk
 
+### Play Integrity / Zygisk detections (post‑SafetyNet)
+
+Newer banking/ID apps tie runtime checks to Google Play Integrity (SafetyNet replacement) and can also crash if Zygisk itself is present. Quick triage tips:
+
+- Temporarily disable Zygisk (toggle off + reboot) and retry; some apps crash as soon as Zygote injection loads.
+- If attestation blocks login, patch Google Play Services with PlayIntegrityFix/Fork + TrickyStore or use ReZygisk/Zygisk‑Next only when testing. Keep the target in DenyList and avoid LSPosed modules that leak props.
+- For one‑off runs, use KernelSU/APatch (no Zygote injection) to stay under Zygisk heuristics, then attach Frida.
+
 ## Step 2 — 30‑second Frida Codeshare tests
 
 Try common drop‑in scripts before deep diving:
@@ -185,6 +193,41 @@ Notes
 - Extend for OkHttp: hook okhttp3.CertificatePinner and HostnameVerifier as needed, or use a universal unpinning script from CodeShare.
 - Run example: `frida -U -f com.target.app -l ssl-bypass.js --no-pause`
 
+### OkHttp4 / gRPC / Cronet pinning (2024+)
+
+Modern stacks pin inside newer APIs (OkHttp4+, gRPC over Cronet/BoringSSL). Add these hooks when the basic SSLContext hook hangs:
+
+```js
+Java.perform(() => {
+  try {
+    const Pinner = Java.use('okhttp3.CertificatePinner');
+    Pinner.check.overload('java.lang.String', 'java.util.List').implementation = function(){};
+    Pinner.check$okhttp.implementation = function(){};
+  } catch (e) {}
+
+  try {
+    const CronetB = Java.use('org.chromium.net.CronetEngine$Builder');
+    CronetB.enablePublicKeyPinningBypassForLocalTrustAnchors.overload('boolean').implementation = function(){ return this; };
+    CronetB.setPublicKeyPins.overload('java.lang.String', 'java.util.Set', 'boolean').implementation = function(){ return this; };
+  } catch (e) {}
+});
+```
+
+If TLS still fails, drop to native and patch BoringSSL verification entry points used by Cronet/gRPC:
+
+```js
+const customVerify = Module.findExportByName(null, 'SSL_CTX_set_custom_verify');
+if (customVerify) {
+  Interceptor.attach(customVerify, {
+    onEnter(args){
+      // arg0 = SSL_CTX*, arg1 = mode, arg2 = callback
+      args[1] = ptr(0); // SSL_VERIFY_NONE
+      args[2] = NULL;  // disable callback
+    }
+  });
+}
+```
+
 ## Step 6 — Follow the JNI/native trail when Java hooks fail
 
 Trace JNI entry points to locate native loaders and detection init:
@@ -322,5 +365,7 @@ Notes
 - [Magisk](https://github.com/topjohnwu/Magisk)
 - [Medusa (Android Frida framework)](https://github.com/Ch0pin/medusa)
 - [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
+- [Frida OkHttp4 SSL pinning bypass script](https://github.com/Zero3141/Frida-OkHttp-Bypass)
+- [XDA guide to strong Play Integrity bypass (2025)](https://xdaforums.com/t/updated-11-17-2025-guide-get-strong-integrity-fix-banking-apps-revolut-google-wallet-android-16-working.4753805/)
 
 {{#include ../../banners/hacktricks-training.md}}