Unexpected TLS failure --- !!! SSLPeerUnverifiedException: Certificate pinning failure!

[Yusufkulcu]

I'm getting the following error. The application opens when I use the httptoolkit frida mod. I tried Mitmproxy, I tried Burpsuite, and I got the same error in all of them.

PS C:\Users\Yusuf\Desktop\frida\frida-interception-and-unpinning-main> frida -U -l ./config.js -l ./native-connect-hook.js -l ./native-tls-hook.js -l ./android/android-proxy-override.js -l ./android/android-system-certificate-injection.js -l ./android/android-certificate-unpinning.js -l ./android/android-certificate-unpinning-fallback.js -l ./android/android-disable-root-detection.js -f com.aktifbank.passo
____
/ _ | Frida 17.8.2 - A world-class dynamic instrumentation toolkit
| (| |
> _ | Commands:
// |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to Android Emulator 5554 (id=emulator-5554)
Spawning com.aktifbank.passo...

== Redirecting all TCP connections to 127.0.0.1:8080 ==
== Hooked native TLS lib libssl.so ==
== Disabled Android root detection ==
Spawned com.aktifbank.passo. Resuming main thread!
[Android Emulator 5554::com.aktifbank.passo ]-> == Proxy system configuration overridden to 127.0.0.1:8080 ==
== Proxy configuration overridden to 127.0.0.1:8080 ==
== System certificate trust injected ==
== Certificate unpinning completed ==
== Unpinning fallback auto-patcher installed ==
=> Blocked possible root detection checks. Enable DEBUG_MODE for more details.

!!! --- Unexpected TLS failure --- !!!
SSLPeerUnverifiedException: Certificate pinning failure!
Peer certificate chain:
sha256/lsIvjVPvy3XNCGLq6slMlH3713TXoETSi7KIoPIm/1A=: CN=api.passo.com.tr
sha256/lsIvjVPvy3XNCGLq6slMlH3713TXoETSi7KIoPIm/1A=: O=mitmproxy,CN=mitmproxy
Pinned certificates for api.passo.com.tr:
sha256/Ocrd0O3cfze/rtg3ItwkIm15Lg9KNOscpS/EhzDCZ6w=
sha256/2v7XLu/cerCOSU5nt/GmEukfX21KhEPin/wk6p82uSA=
Thrown by okhttp3.CertificatePinner->check$okhttp
Already patched - but still failing!

!!! --- Unexpected TLS failure --- !!!
SSLPeerUnverifiedException: Certificate pinning failure!
Peer certificate chain:
sha256/lsIvjVPvy3XNCGLq6slMlH3713TXoETSi7KIoPIm/1A=: CN=api.passo.com.tr
sha256/lsIvjVPvy3XNCGLq6slMlH3713TXoETSi7KIoPIm/1A=: O=mitmproxy,CN=mitmproxy
Pinned certificates for api.passo.com.tr:
sha256/Ocrd0O3cfze/rtg3ItwkIm15Lg9KNOscpS/EhzDCZ6w=
sha256/2v7XLu/cerCOSU5nt/GmEukfX21KhEPin/wk6p82uSA=
Thrown by okhttp3.CertificatePinner->check$okhttp
Already patched - but still failing!

!!! --- Unexpected TLS failure --- !!!
SSLPeerUnverifiedException: Certificate pinning failure!
Peer certificate chain:
sha256/lsIvjVPvy3XNCGLq6slMlH3713TXoETSi7KIoPIm/1A=: CN=api.passo.com.tr
sha256/lsIvjVPvy3XNCGLq6slMlH3713TXoETSi7KIoPIm/1A=: O=mitmproxy,CN=mitmproxy
Pinned certificates for api.passo.com.tr:
sha256/Ocrd0O3cfze/rtg3ItwkIm15Lg9KNOscpS/EhzDCZ6w=
sha256/2v7XLu/cerCOSU5nt/GmEukfX21KhEPin/wk6p82uSA=
Thrown by okhttp3.CertificatePinner->check$okhttp
Already patched - but still failing!

!!! --- Unexpected TLS failure --- !!!
SSLPeerUnverifiedException: Certificate pinning failure!
Peer certificate chain:
sha256/lsIvjVPvy3XNCGLq6slMlH3713TXoETSi7KIoPIm/1A=: CN=api.passo.com.tr
sha256/lsIvjVPvy3XNCGLq6slMlH3713TXoETSi7KIoPIm/1A=: O=mitmproxy,CN=mitmproxy
Pinned certificates for api.passo.com.tr:
sha256/Ocrd0O3cfze/rtg3ItwkIm15Lg9KNOscpS/EhzDCZ6w=
sha256/2v7XLu/cerCOSU5nt/GmEukfX21KhEPin/wk6p82uSA=
Thrown by okhttp3.CertificatePinner->check$okhttp
Already patched - but still failing!

[Yusufkulcu]

and demo app not working

PS C:\Users\Yusuf\Desktop\frida\frida-interception-and-unpinning-main> frida -U -l ./config.js -l ./native-connect-hook.js -l ./native-tls-hook.js -l ./android/android-proxy-override.js -l ./android/android-system-certificate-injection.js -l ./android/android-certificate-unpinning.js -l ./android/android-certificate-unpinning-fallback.js -l ./android/android-disable-root-detection.js -f tech.httptoolkit.pinning_demo
____
/ _ | Frida 17.8.2 - A world-class dynamic instrumentation toolkit
| (| |
> _ | Commands:
// |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to Android Emulator 5554 (id=emulator-5554)
Spawning tech.httptoolkit.pinning_demo...

== Redirecting all TCP connections to 127.0.0.1:8080 ==
== Hooked native TLS lib libssl.so ==
== Disabled Android root detection ==
Spawned tech.httptoolkit.pinning_demo. Resuming main thread!
[Android Emulator 5554::tech.httptoolkit.pinning_demo ]-> == Proxy system configuration overridden to 127.0.0.1:8080 ==
== Proxy configuration overridden to 127.0.0.1:8080 ==
== System certificate trust injected ==
== Certificate unpinning completed ==
== Unpinning fallback auto-patcher installed ==
=> Blocked possible root detection checks. Enable DEBUG_MODE for more details.
Process crashed: java.lang.UnsatisfiedLinkError: dlopen failed: "/data/data/tech.httptoolkit.pinning_demo/app_lib/libflutter.so" is for EM_ARM (40) instead of EM_386 (3)

---

FATAL EXCEPTION: main
Process: tech.httptoolkit.pinning_demo, PID: 15263
java.lang.RuntimeException: Unable to start activity ComponentInfo{tech.httptoolkit.pinning_demo/tech.httptoolkit.pinning_demo.MainActivity}: java.lang.RuntimeException: java.util.concurrent.ExecutionException: java.lang.UnsatisfiedLinkError: dlopen failed: "/data/data/tech.httptoolkit.pinning_demo/app_lib/libflutter.so" is for EM_ARM (40) instead of EM_386 (3)
at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:3449)
at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3601)
at android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:85)
at android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:135)
at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:95)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2066)
at android.os.Handler.dispatchMessage(Handler.java:106)
at android.os.Looper.loop(Looper.java:223)
at android.app.ActivityThread.main(ActivityThread.java:7656)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:592)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:947)
Caused by: java.lang.RuntimeException: java.util.concurrent.ExecutionException: java.lang.UnsatisfiedLinkError: dlopen failed: "/data/data/tech.httptoolkit.pinning_demo/app_lib/libflutter.so" is for EM_ARM (40) instead of EM_386 (3)
at io.flutter.embedding.engine.loader.FlutterLoader.ensureInitializationComplete(FlutterLoader.java:409)
at io.flutter.embedding.engine.FlutterEngine.(FlutterEngine.java:383)
at io.flutter.embedding.engine.FlutterEngine.(FlutterEngine.java:310)
at io.flutter.embedding.engine.FlutterEngine.(FlutterEngine.java:291)
at io.flutter.embedding.engine.FlutterEngine.(FlutterEngine.java:271)
at io.flutter.embedding.engine.FlutterEngine.(FlutterEngine.java:191)
at io.flutter.embedding.engine.FlutterEngine.(FlutterEngine.java:182)
at tech.httptoolkit.pinning_demo.MainActivity.onCreate(MainActivity.kt:74)
at android.app.Activity.performCreate(Activity.java:7994)
at android.app.Activity.performCreate(Activity.java:7978)
at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1309)
at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:3422)
... 11 more
Caused by: java.util.concurrent.ExecutionException: java.lang.UnsatisfiedLinkError: dlopen failed: "/data/data/tech.httptoolkit.pinning_demo/app_lib/libflutter.so" is for EM_ARM (40) instead of EM_386 (3)
at java.util.concurrent.FutureTask.report(FutureTask.java:123)
at java.util.concurrent.FutureTask.get(FutureTask.java:193)
at io.flutter.embedding.engine.loader.FlutterLoader.ensureInitializationComplete(FlutterLoader.java:271)
... 22 more
Caused by: java.lang.UnsatisfiedLinkError: dlopen failed: "/data/data/tech.httptoolkit.pinning_demo/app_lib/libflutter.so" is for EM_ARM (40) instead of EM_386 (3)
at java.lang.Runtime.load0(Runtime.java:939)
at java.lang.System.load(System.java:1628)
at com.getkeepsafe.relinker.SystemLibraryLoader.loadPath(SystemLibraryLoader.java:31)
at com.getkeepsafe.relinker.ReLinkerInstance.loadLibraryInternal(ReLinkerInstance.java:206)
at com.getkeepsafe.relinker.ReLinkerInstance.loadLibrary(ReLinkerInstance.java:136)
at com.getkeepsafe.relinker.ReLinker.loadLibrary(ReLinker.java:70)
at com.getkeepsafe.relinker.ReLinker.loadLibrary(ReLinker.java:51)
at io.flutter.embedding.engine.FlutterJNI.loadLibrary(FlutterJNI.java:150)
at io.flutter.embedding.engine.loader.FlutterLoader$1.call(FlutterLoader.java:191)
at io.flutter.embedding.engine.loader.FlutterLoader$1.call(FlutterLoader.java:184)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)

---

[Android Emulator 5554::tech.httptoolkit.pinning_demo ]->

Thank you for using Frida!
PS C:\Users\Yusuf\Desktop\frida\frida-interception-and-unpinning-main>

[Yusufkulcu]

And the target application is giving an internet connection error.

[Yusufkulcu]

detailed debug file

debug.txt

[pimterry]

For the demo app:

Process crashed: java.lang.UnsatisfiedLinkError: dlopen failed: "/data/data/tech.httptoolkit.pinning_demo/app_lib/libflutter.so" is for EM_ARM (40) instead of EM_386 (3)

This is an issue with the app on an x86 emulator. I think Flutter is only supported on ARM APIs or x64. I've just pushed a fix that might help (forcing it to fall back to emulation), can you trying using the app build from https://github.com/httptoolkit/android-ssl-pinning-demo/actions/runs/23440933255?

If that doesn't work you'll need an x64 emulator, or an actual device. Or you can try and older release before the Flutter integration, which won't hit this issue.

Thrown by okhttp3.CertificatePinner->check$okhttp

This is surprising because we patch this method specifically here. Maybe OkHttp is being loaded in a very strange way which means it's not hitting these hooks or something?

Can you enable DEBUG_MODE in config.js and share the output? That will confirm which patches were applied and may have some other clues as well. You might need to tweak the Frida scripts manually for your setup to debug this and see what exactly is happening.