Frida-based runtime instrumentation for observing Android attestation pipelines from inside the application layer.
Modern mobile attestation does not happen over the network.
It happens inside the device:
- via Binder IPC
- inside privileged system processes
- using hardware-backed keys
- Hooks OkHttp at the execution layer (RealCall.execute)
- Extracts hidden request bodies from internal structures
- Decodes compressed responses (gzip)
- Reveals attestation traffic (nonce, tokens, integrity calls)
frida -U -f com.twitter.android -l interceptor.js
SSL pinning bypass is not enough.
If your proxy can't see it, you're looking at the wrong layer.
This approach instruments the application at runtime instead of intercepting network traffic:
App Runtime → OkHttp → (hook here) → TLS → Network
Instead of:
TLS → Network → Proxy
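An added illustration (not the project's interceptor.js) of what the execute-layer hook above does: replace RealCall.execute, dump the request body from the RequestBody object before TLS ever sees it, peek the response without consuming the app's stream, and inflate it when it arrives gzip-compressed. It assumes the OkHttp 4.x class name okhttp3.internal.connection.RealCall and the two endpoint paths named in the flow below; the Java-guarded parts only run under Frida, the rest also runs under plain Node so it can be checked offline.

```javascript
// Added example, not the project's interceptor.js. Assumes OkHttp 4.x class
// names; the hook section only runs inside Frida (`frida -U -f <pkg> -l`).
const ATTEST_PATHS = ['/GenerateAttestationNonce', '/GenerateAttestationTokenV2'];

function isAttestationUrl(url) {
  return ATTEST_PATHS.some((p) => url.indexOf(p) !== -1);
}

// OkHttp only inflates gzip transparently when it added Accept-Encoding itself;
// an app that sets the header gets raw gzip bytes, so the hook must inflate.
// The non-Frida branch lets this be exercised offline under Node.
function gunzipToText(bytes) {
  if (typeof Java === 'undefined') {
    return require('zlib').gunzipSync(Buffer.from(bytes)).toString('utf8');
  }
  const In = Java.use('java.io.ByteArrayInputStream');
  const Gz = Java.use('java.util.zip.GZIPInputStream');
  const Out = Java.use('java.io.ByteArrayOutputStream');
  const gz = Gz.$new(In.$new(bytes)), out = Out.$new();
  const chunk = Java.array('byte', new Array(4096).fill(0));
  let n;
  while ((n = gz.read(chunk, 0, 4096)) > 0) out.write(chunk, 0, n);
  return out.toString('UTF-8');
}

if (typeof Java !== 'undefined') {
  Java.perform(function () {
    const RealCall = Java.use('okhttp3.internal.connection.RealCall');
    const OkioBuffer = Java.use('okio.Buffer');
    RealCall.execute.implementation = function () {
      const req = this.request();
      const url = req.url().toString();
      const resp = this.execute();   // run the real call, then peek at both sides
      if (isAttestationUrl(url)) {
        let body = '';
        if (req.body() !== null) {   // body still sits in the RequestBody object
          const sink = OkioBuffer.$new();
          req.body().writeTo(sink);
          body = sink.readUtf8();
        }
        console.log(req.method() + ' ' + url + '\n' + body);
        const peek = resp.peekBody(1 << 20);   // peek: don't consume the app's stream
        const gz = resp.header('Content-Encoding') === 'gzip';
        console.log(gz ? gunzipToText(peek.bytes()) : peek.string());
        const token = resp.header('X-Attest-Token');
        if (token !== null) console.log('X-Attest-Token: ' + token);
      }
      return resp;
    };
  });
}
```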
POST /GenerateAttestationNonce
→ nonce: 698b1f52-...
Play Integrity Call
→ nonce = Base64(SHA256(attestation_object))
POST /GenerateAttestationTokenV2
→ signed_attestation_object
Response:
→ X-Attest-Token (JWT)
Usage:
→ Header injected into all subsequent requests
The nonce derivation can be independently verified:
python verify_nonce.py
Full write-up: https://berkdede.medium.com/breaking-the-black-box-reverse-engineering-twitters-play-integrity-attestation-pipeline-d3dbd2cf37ae
This project is for educational and research purposes only.
Do not use it against systems you do not own or have permission to test.
This is not just a script.
It is a research companion to the write-up.
Modern mobile security is not about hiding data in transit; it is about controlling where that data can be observed.
If your proxy sees nothing, you are probably looking at the wrong layer.