by Ehtesam Tahir on September 03, 2025

One option I’ve found to work in the past is to alter the URL strings in the binary so they point at insecure, self-hosted endpoints that don’t implement TLS. Such an endpoint forwards requests and responses between the end client and the real server. This works best for smaller applications; Messenger is not one of them.

We could use a dynamic instrumentation library, such as Frida, to achieve the desired outcome. I’ve found that Messenger in particular is prone to crashes when hooking into it, and with all this overhead it can be difficult to pinpoint the pain point. There’s also the more complicated distribution process involved with Frida: anyone who wanted to run it would need to configure a very specific environment and set of tools.

Despite this, I did attempt to use a Frida script that I’ve been maintaining over the past few years, which bypasses common certificate pinning libraries and methods. It works on the vast majority of applications. Unfortunately, Meta’s subset of applications is not part of this “vast majority.”

In this case, we’ll be looking to turn off certificate pinning entirely, using binary patching, in a way that can be easily distributed to my fellow team members.
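For readers unfamiliar with what the patching described above actually disables, the following is an added illustration (not code from the post or from any Meta application) of a certificate pinning check as an app would implement it: the SubjectPublicKeyInfo is pulled out of the server's DER certificate, hashed with SHA-256, base64-encoded, and compared against a hard-coded pin set that includes a backup pin. It uses only the Python standard library; the certificates are constructed, minimal DER structures built inline (`make_cert`, `make_spki` are helpers written for this example, not real keys or real certificates).

```python
"""Added example: SPKI certificate pinning with a hand-rolled DER walker.
All certificates below are constructed for the example and are not real."""
import base64
import hashlib


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short- or long-form length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, position after this TLV) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def children(body: bytes):
    """Yield (tag, full TLV bytes) for each element directly inside body."""
    pos = 0
    while pos < len(body):
        tag, _, nxt = parse_tlv(body, pos)
        yield tag, body[pos:nxt]
        pos = nxt


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.
    tbsCertificate = SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
    issuer, validity, subject, subjectPublicKeyInfo, ... }, so SPKI is element
    6 when the explicit version tag (0xA0) is present, else element 5."""
    _, cert_body, _ = parse_tlv(cert_der)
    _, tbs_body, _ = parse_tlv(cert_body)
    fields = list(children(tbs_body))
    idx = 6 if fields[0][0] == 0xA0 else 5
    return fields[idx][1]


def spki_pin(cert_der: bytes) -> str:
    """Pin in the HPKP / OkHttp form: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def pin_matches(cert_der: bytes, pin_set: set) -> bool:
    """The check a pinning library performs before trusting a TLS connection."""
    return spki_pin(cert_der) in pin_set


# ---- constructed test certificates (hypothetical, not real keys) ----
def make_spki(key_material: bytes) -> bytes:
    rsa_oid = der(0x06, bytes.fromhex("2a864886f70d010101"))   # rsaEncryption
    return der(0x30, der(0x30, rsa_oid + der(0x05, b"")) + der(0x03, b"\x00" + key_material))


def make_cert(spki: bytes) -> bytes:
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"example"))))
    validity = der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"260101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes(8)))


GOOD_SPKI = make_spki(bytes(16))
GOOD_CERT = make_cert(GOOD_SPKI)            # the key the app expects
BACKUP_CERT = make_cert(make_spki(b"\x01" * 16))   # backup pin for key rotation
OTHER_CERT = make_cert(make_spki(b"\x02" * 16))    # any other key, e.g. an unpinned proxy
PIN_SET = {spki_pin(GOOD_CERT), spki_pin(BACKUP_CERT)}

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("backup", BACKUP_CERT), ("other", OTHER_CERT)):
        print(f"{label:6s} pin={spki_pin(cert)} accepted={pin_matches(cert, PIN_SET)}")
```

Two points matter for the discussion in the post. First, the pin is computed over the public key, not the whole certificate, which is why re-issuing a certificate for the same key keeps working while a substituted key does not. Second, the whole protection rests on `pin_matches` being reached and its result being honoured; an app whose pin check can be made to return true unconditionally, whether by hooking or by patching the binary, behaves exactly as if no pin set existed.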