android, disassembly, instrumentation, certificate-pinning, frida

Avoid disabling certificate pinning Android


I am developing an Android application that uses Certificate Pinning (in a fashion similar to this).

However, I've come across dynamic instrumentation libraries such as Frida, or worse yet, Objection, that can bypass this safeguard.

I understand that security must be implemented on the server side, but I'd like to keep prying eyes outside my API. Moreover, I also understand that Java executables are easy to disassemble and analyze.

How can I make this process more difficult for an attacker, i.e. make basic commands such as objection's

android sslpinning disable

fail and harden my app? I've seen that, depending on the naming of the assets, this process also crashes.

Any ideas?


Solution

  • Several hardening frameworks can make it more difficult for Frida and similar tools to attach to and manipulate the app process. However, with enough time, motivation and/or money, you can even break those frameworks.

    However, usually the question is not "use a hardening framework or not?" but "how much money are you willing to pay for this little extra protection?"

    To my knowledge there are no free or even cheap hardening frameworks (please correct me if I am wrong and provide links to free/cheap solutions with good protection), so it is just a question of how much protection you want and how much you are willing to pay.

    Note: ProGuard and R8 are not hardening frameworks! They only obfuscate the code a bit, and especially when it comes to certificate pinning and disabling it via Frida they do not offer any protection!
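The kind of app-side check that the answer says hardening frameworks bundle (detecting that Frida is attached before the pinned client is even built) can be sketched in plain Java. The block below is an added example written for this page; it is not code from the question, the answer, or any hardening product. The host name and the two SPKI pins are placeholders, the Frida library names, thread names and the default frida-server port 27042 are the well-known defaults, and OkHttp's `CertificatePinner` is used for the pinning itself.

```java
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

/** Added example: pinned OkHttp client that refuses to start if Frida looks attached. */
public final class PinnedClient {

    // Assumed host and SPKI pins (placeholders, not real values). Ship a backup
    // pin so a key rotation does not lock every installed app out of the API.
    private static final String HOST = "api.example.com";
    private static final String[] PINS = {
        "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
        "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="
    };

    // Library names frida-server / frida-gadget map into the target process.
    private static final List<String> FRIDA_LIBS = Arrays.asList("frida", "gadget");
    // Thread names Frida's GLib/Gum agent creates inside the instrumented process.
    private static final List<String> FRIDA_THREADS = Arrays.asList("gmain", "gum-js-loop", "gdbus");
    // Default port frida-server listens on (127.0.0.1:27042).
    private static final int FRIDA_PORT = 27042;

    private PinnedClient() {}

    /** Builds the pinned client, or fails closed if instrumentation looks present. */
    public static OkHttpClient build() {
        if (instrumentationDetected()) {
            throw new IllegalStateException("instrumentation detected, refusing to talk to the API");
        }
        CertificatePinner pinner = new CertificatePinner.Builder()
            .add(HOST, PINS)
            .build();
        return new OkHttpClient.Builder().certificatePinner(pinner).build();
    }

    /** Any single positive signal is enough; call this off the main thread (it opens a socket). */
    static boolean instrumentationDetected() {
        return fridaLibraryMapped() || fridaThreadPresent() || fridaServerListening();
    }

    /** /proc/self/maps lists every mapped file; frida-agent.so / frida-gadget.so show up here. */
    static boolean fridaLibraryMapped() {
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = r.readLine()) != null) {
                String lower = line.toLowerCase(Locale.ROOT);
                for (String lib : FRIDA_LIBS) {
                    if (lower.contains(lib)) return true;
                }
            }
        } catch (IOException ignored) {
            // Unreadable maps is unusual, but treat it as "no signal" rather than crash.
        }
        return false;
    }

    /** Each thread's name sits in /proc/self/task/<tid>/comm; Frida's loop threads have fixed names. */
    static boolean fridaThreadPresent() {
        File[] tasks = new File("/proc/self/task").listFiles();
        if (tasks == null) return false;
        for (File task : tasks) {
            try (BufferedReader r = new BufferedReader(new FileReader(new File(task, "comm")))) {
                String name = r.readLine();
                if (name != null && FRIDA_THREADS.contains(name.trim())) return true;
            } catch (IOException ignored) {
                // The thread may have exited between listing and reading; skip it.
            }
        }
        return false;
    }

    /** A TCP connect to 127.0.0.1:27042 succeeds only if something (normally frida-server) listens there. */
    static boolean fridaServerListening() {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress("127.0.0.1", FRIDA_PORT), 200);
            return true;
        } catch (IOException e) {
            return false;
        }
    }
}
```

Two caveats follow directly from the answer. First, these checks are themselves Java methods, so the same `objection`/Frida session that hooks `CertificatePinner.check` can hook `instrumentationDetected()` to return `false`; they raise the attacker's cost (they must notice and patch the checks, or use a renamed gadget and a non-default port) but do not remove it, which is exactly the "how much are you willing to pay" trade-off described above. Second, the substring match on `/proc/self/maps` is deliberately narrow: a broad pattern would flag unrelated libraries and lock legitimate users out, so keep the marker lists tight and log a detection before deciding to hard-fail.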