Update Frida scripts: root detection, meta hooks & h3 blocking

Author: pimterry

overrides/frida/README.md

@@ -12,6 +12,8 @@ The scripts can automatically handle:
 * Injecting a given CA certificate into the system trust stores so they're trusted in connections by default.
 * Patching many (all?) known certificate pinning and certificate transparency tools, to allow interception by your CA certificate even when this is actively blocked.
 * On Android, as a fallback: auto-detection of remaining pinning failures, to attempt auto-patching of obfuscated certificate pinning (in fully obfuscated apps, the first request may fail, but this will trigger additional patching so that all subsequent requests work correctly).
+* Disabling many common root & jailbreak detections.
+* Blocking most HTTP/3 connections (all UDP to port 443), which may be inconvenient to intercept, ensuring apps fall back to HTTP/2 or HTTP/1.
 
 ## Android Getting Started Guide
 
@@ -38,6 +40,7 @@ The scripts can automatically handle:
         -l ./android/android-system-certificate-injection.js \
         -l ./android/android-certificate-unpinning.js \
         -l ./android/android-certificate-unpinning-fallback.js \
+        -l ./android/android-disable-root-detection.js \
         -f $PACKAGE_ID
     ```
 7. Explore, examine & modify all the traffic you're interested in! If you have any problems, please [open an issue](https://github.com/httptoolkit/frida-interception-and-unpinning/issues/new) and help make these scripts even better.
@@ -61,6 +64,7 @@ The scripts can automatically handle:
     frida -U \
         -l ./config.js \
         -l ./ios/ios-connect-hook.js \
+        -l ./ios/ios-disable-detection.js \
         -l ./native-tls-hook.js \
         -l ./native-connect-hook.js \
         -f $APP_ID
@@ -90,14 +94,15 @@ Each script includes detailed documentation on what it does and how it works in
     * `PROXY_HOST` - the IP address (IPv4) of the proxy server to use (not required if you're only unpinning)
     * `PROXY_PORT` - the port of the proxy server to use (not required if you're only unpinning)
     * `DEBUG_MODE` - defaults to `false`, but switching this to `true` will enable lots of extra output that can be useful for debugging and reverse engineering any issues.
+    * `BLOCK_HTTP3` - defaults to `true`, which blocks HTTP/3 by dropping all UDP connections to port 443.
 
     This should be listed on the command line before any other scripts.
 
 * `native-connect-hook.js`
 
     Captures all network traffic directly, routing all connections to the configured proxy host & port.
 
-    This is a low-level hook that applies to _all_ network connections. This ensures that all connections are forcibly redirected to the target proxy server, even those which ignore proxy settings or make other raw socket connections.
+    This is a low-level hook that applies to _all_ network connections. This ensures that all connections are forcibly redirected to the target proxy server, even those which ignore proxy settings or make other raw socket connections, and also blocks HTTP/3 connections if enabled.
 
     This hook applies to libc, and works for Android, Linux, iOS, and many other related environments.
 
@@ -127,6 +132,14 @@ Each script includes detailed documentation on what it does and how it works in
 
         Detects unhandled certificate validation failures, and attempts to handle unknown unrecognized cases with auto-generated fallback patches. This is more experimental and could be slightly unpredictable, but is very helpful for obfuscated cases, and in general will either fix pinning issues (after one initial failure) or will at least highlight code for further reverse engineering in the Frida log output. This script shares some logic with `android-certificate-unpinning.js`, and cannot be used standalone - if you want to use this script, you'll need to include the non-fallback unpinning script too.
 
+    * `android-disable-root-detection.js`
+
+        Disables common root detection checks across native and Java layers to prevent detection of rooted Android devices.
+
+        This script intercepts file system access, shell commands, and package lookups for known root indicators (like `su`, Magisk, and related apps), and fakes key system properties (`ro.secure`, `ro.debuggable`, etc.) to simulate a production environment.
+
+        It blocks suspicious behavior like file existence checks and shell command execution, helping evade detection in apps using both standard and advanced root checks.
+
 * `ios/`
 
     * `ios-connect-hook.js`
@@ -135,13 +148,16 @@ Each script includes detailed documentation on what it does and how it works in
 
         This is a low-level hook that applies to _all_ network connections. This ensures that all connections are forcibly redirected to the target proxy server, even those which ignore proxy settings or make other raw socket connections.
 
+    * `ios-disable-detection.js`
+
+        Disables JailMonkey jailbreak detection.
+
 * `utilities/test-ip-connectivity.js`
 
     You probably don't want to use this normally as part of interception itself, but it can be very useful as part of your configuration setup.
 
     This script allows you to configure a list of possible IP addresses and a target port, and have the process test each address, and send a message to the Frida client for the first reachable address provided. This can be useful for automated configuration processes, if you don't know which IP address is best to use to reach the proxy server (your computer) from the target device (your phone).
 
----
 
 These scripts are part of [a broader HTTP Toolkit project](https://httptoolkit.com/blog/frida-mobile-interception-funding/), funded through the [NGI Zero Entrust Fund](https://nlnet.nl/entrust), established by [NLnet](https://nlnet.nl) with financial support from the European Commission's [Next Generation Internet](https://ngi.eu) program. Learn more on the [NLnet project page](https://nlnet.nl/project/F3-AppInterception#ack).
 

overrides/frida/android/android-certificate-unpinning-fallback.js

@@ -38,6 +38,8 @@ Java.perform(function () {
     try {
         const X509TrustManager = Java.use("javax.net.ssl.X509TrustManager");
         const defaultTrustManager = getCustomX509TrustManager(); // Defined in the unpinning script
+        const certBytes = Java.use("java.lang.String").$new(CERT_PEM).getBytes();
+        const trustedCACert = buildX509CertificateFromBytes(certBytes); // Ditto
 
         const isX509TrustManager = (cls, methodName) =>
             methodName === 'checkServerTrusted' &&
@@ -78,6 +80,12 @@ Java.perform(function () {
             return !!matchedChain;
         };
 
+        const isMetaPinningMethod = (errorMessage, method) =>
+            method.argumentTypes.length === 1 &&
+            method.argumentTypes[0].className === 'java.util.List' &&
+            method.returnType.className === 'void' &&
+            errorMessage.includes('pinning error');
+
         const matchOkHttpChain = (cls, expectedReturnTypeName) => {
             // Find the chain.proceed() method:
             const methods = getMethods(cls);
@@ -202,6 +210,23 @@ Java.perform(function () {
                                     callingClass.class.getName()
                                 }`);
                             }
+                        } else if (isMetaPinningMethod(errorMessage, failingMethod)) {
+                            failingMethod.implementation = function (certs) {
+                                if (DEBUG_MODE) console.log(` => Fallback patch for meta proxygen pinning`);
+                                for (const cert of certs.toArray()) {
+                                    if (cert.equals(trustedCACert)) {
+                                        return; // Our own cert - all good
+                                    }
+                                }
+
+                                if (DEBUG_MODE) {
+                                    console.warn(' Meta unpinning fallback found only untrusted certificates');
+                                }
+                                // Fall back to normal logic, in case of passthrough or similar
+                                return failingMethod.call(this, certs);
+                            }
+
+                            console.log(`      [+] ${className}->${methodName} (Meta proxygen pinning fallback patch)`);
                         } else {
                             console.error('      [ ] Unrecognized TLS error - this must be patched manually');
                             return;