Post by Berk Dedekargınoğlu

Offensive Security Engineer | Vulnerability Researcher | 14+ CVEs | Building MentionCheck

I bypassed SSL pinning on Twitter Android. And still couldn't see the most important requests. Not encrypted. Not obfuscated. They simply weren't there. Twitter's device attestation never touches the network. It happens over Android Binder IPC. Between the app and Google Play Store on the same device. No socket. No proxy. Nothing to intercept. So I stopped looking at the network and started instrumenting the runtime instead. What I found: 1. The nonce is not random. Twitter takes a server-issued UUID and computes Base64(SHA-256(attestation_object)). Every field device, user, app version is cryptographically bound before the request even leaves the app. 2. Attestation runs twice. Pre-login to prove the device. Post-login to bind to the account. Google's token is identical across both cycles (device-bound). Twitter's JWT is fresh each time (session-bound). 3. The request body is hidden. OkHttp sees nothing useful. The payload lives inside an obfuscated internal wrapper had to extract it via runtime Java reflection. 4. Binder IPC captured live: Code=2 → warm-up (756 bytes) Code=3 → token request (912 bytes) The warm.up.sid session mechanism only becomes visible at this layer. 5. Tested on Huawei (no Google Play Services). Attestation endpoints never called. Login fails with AttestationDenied. Stock app, non-rooted device. Same result. The takeaway: SSL pinning bypass is necessary. But it is not sufficient. If your proxy can’t see it, you’re probably looking at the wrong layer. Full write-up and open source Frida script in the comments. #AndroidSecurity #ReverseEngineering #MobileSecurity #PlayIntegrity #Frida #AppSec

Post content