SSL pinning is a client-side technique for defeating man-in-the-middle attacks by validating the server's certificate against a known-good copy. During development, the developers embed (pin) a list of trusted certificates in the client application; at runtime the app compares the certificate presented by the server against that list. If the server certificate does not match the local copy, the connection is simply dropped and no user data is sent to that server. This ensures that user devices communicate only with the intended, trusted servers.
SSL pinning prevents a man-in-the-middle attack, which means an attacker cannot intercept the traffic and modify the data. If the traffic cannot be intercepted, many server-side vulnerabilities become much harder to reach, because the attacker cannot run API-level test cases against the back end.
The basic approach to bypassing SSL pinning is to analyze the application binary to determine the language it was written in and how the pinning logic is implemented, and then use a language-specific bypass for that Android application. For example, if the application is built with Flutter or Xamarin we use the hotspot method; if it is built with Cordova we try to replace the hardcoded SHA-256 hashes, and so on.
Flutter and Xamarin applications do not respect the system proxy: if you set a proxy on your phone and try to capture the traffic, the application will either throw an error or the traffic will not be captured. This is why this method is used for API-level penetration testing of these types of applications.
Steps To Bypass SSL pinning via iptables Traffic Forwarding
1. Open Burp Suite => Proxy => Options => edit the listener => Request handling => turn on "Support invisible proxying"
2. Restart adbd with root permissions by running the command adb root
3. Flush the existing iptables NAT rules using the command below
adb shell "iptables -t nat -F"
4. Redirect HTTP & HTTPS traffic using the following commands (192.168.1.29 is the IP of the system running Burp; replace it with yours)
adb shell "iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 192.168.1.29:8080"
adb shell "iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination 192.168.1.29:8080"
5. Activate masquerading for HTTP & HTTPS using the following commands
adb shell "iptables -t nat -A POSTROUTING -p tcp --dport 443 -j MASQUERADE"
adb shell "iptables -t nat -A POSTROUTING -p tcp --dport 80 -j MASQUERADE"
6. Start browsing the application and observe that the traffic is captured in Burp Suite.
Some applications implement SSL pinning with a hardcoded hash of the certificate. Most applications built with Cordova use this technique.
So we can simply replace the hardcoded certificate hash in the application with the hash of our Burp Suite certificate and reinstall the application.
Let's see how to replace the hardcoded certificate's hash value
1. Decompile the application
apktool d test.apk
Look for the hardcoded hash; it may be in a different location in each app.
2. Generate the hash of your Burp Suite certificate with the following commands (cacert.cer is the CA certificate exported from Burp in DER format)
openssl x509 -inform DER -in cacert.cer -out cacert.crt
openssl x509 -in cacert.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
3. Replace the application's hash value with our hash using any editor.
4. Recompile the application, sign it, and install it
apktool b test -o test.apk
java -jar uber-apk-signer-1.2.1.jar --apks test.apk
Install the application
5. Start browsing the application and observe that the traffic is captured in Burp Suite.
Some applications define the pinning rules through the Android manifest, and by modifying the manifest we can bypass the SSL pinning.
I was testing an Android application that had SSL pinning. I tried n number of ways but nothing worked; then I started analyzing the Android manifest file, tried removing this part, android:networkSecurityConfig="@xml/network_security_config", reinstalled the application, and the SSL pinning got bypassed.
Steps To Bypass SSL pinning via Android manifest modification
1. Decompile the application
apktool d test.apk
2. Go to the Android manifest file and remove the android:networkSecurityConfig="@xml/network_security_config" attribute completely
3. Rebuild the application via the following command.
apktool b test -o test.apk
4. Sign the application with uber-apk-signer via the following command.
java -jar uber-apk-signer-1.2.1.jar --apks test.apk
5. Install the application
6. Start browsing the application and observe that the traffic is captured in Burp Suite.
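What the removed manifest attribute points at, as an added illustration rather than anything from the original post: a res/xml/network_security_config.xml that pins an API host. The pins are SPKI SHA-256 digests in the same base64 form the openssl pipeline in the hardcoded-hash section produces; the domain, pin values and expiration date are constructed placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from the manifest as
     android:networkSecurityConfig="@xml/network_security_config".
     The domain, pin values and expiration date are constructed placeholders. -->
<network-security-config>
    <!-- Default for every host the app talks to: system CAs only, no cleartext.
         From Android 7 (API 24) apps do not trust user-installed CAs by default,
         so a proxy CA such as the Burp or mitmproxy certificate is rejected here
         unless <certificates src="user" /> is added. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pinning for the API host: the TLS handshake fails unless at least one
         pin matches the SPKI SHA-256 of a certificate in the server's chain. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-12-31">
            <!-- pin of the current leaf (or intermediate) public key, placeholder value -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- backup pin for the next key, so a planned rotation does not lock
                 users out; placeholder value -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBA=</pin>
        </pin-set>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </domain-config>

    <!-- User CAs only in debuggable builds: this block is ignored when
         android:debuggable is false, so release builds keep pinning intact. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Because this file ships inside the APK, the repackaging steps above remove it entirely; a resource-based pin raises the bar against an on-path attacker on the network, not against someone who can modify the app on the device.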
Flutter and Xamarin applications do not respect the system proxy: if you set a proxy on your device and try to capture the traffic, the application will either throw an error or the traffic will not be captured. This is why this approach is used for API-level penetration testing of these types of applications.
Before starting, first identify whether the application is built with Flutter or Xamarin
1. Decompile the application
apktool d test.apk
2. Go to the assets directory (or use the grep command) and search for flutter
cd test/assets
Steps to capture traffic via reflutter
reflutter test.apk
3. Select the intercept option and enter the IP address of your system
4. Sign the patched APK with uber-apk-signer or any other signer.
java -jar uber-apk-signer-1.2.1.jar --apks release.RE.apk
5. Turn on the invisible proxy option in Burp Suite
Open Burp Suite => Proxy => Options => edit the listener => Request handling => turn on "Support invisible proxying"
6. Set the listener port to 8083 in Burp
7. Install the application. Do not set a proxy.
8. Start browsing the application and observe that the traffic is captured in Burp Suite.
Some applications' traffic cannot be captured directly with Burp Suite; in such cases mitmproxy comes into the picture. Instead of capturing the traffic in Burp Suite directly, we capture it with mitmproxy and forward it from mitmproxy to Burp Suite. mitmproxy can also be used together with objection, Frida scripts, and other tools. It works many times; in one of my projects I tried a lot to bypass SSL pinning but nothing worked, and then at the end, with one Frida script and mitmproxy, I was able to capture the traffic.
1. Install mitmproxy
brew install mitmproxy
2. Download the mitmproxy certificate onto the Android phone
3. Connect the device and the MacBook via USB, run the command below, and set the proxy on the Android device
mitmproxy
4. Open the address below in the Android device's browser
mitm.it (download the Android certificate)
5. Install the mitmproxy certificate on the Android phone
On the Android phone navigate to Settings => Install from device storage => CA certificate => install
6. Run the command below to start mitmproxy with its web interface.
mitmweb (the mitmproxy UI opens in the browser automatically)
7. Set up mitmproxy to forward traffic from mitmproxy to Burp Suite.
8. Run the command below
mitmweb
9. Go to Options, click "Edit Options", and click "set this configuration"
10. Search for mode and add the following value there
upstream:http://127.0.0.1:8888
11. Search for ssl_insecure and enable it
12. Set the proxy listener in Burp Suite.
Set the IP address and port number of the Burp Suite listener to the ones you used for the upstream value in the mode option.
13. Start browsing the application from the Android phone and observe that the traffic is captured in Burp Suite.
Some applications implement SSL pinning with a hardcoded certificate in the Android application. The application checks whether the server certificate matches it and only then sends the traffic to the server.
So we'll replace the hardcoded certificate in the Android application with our Burp Suite certificate and reinstall the app, and we'll be able to bypass the pinning.
Let's see how to replace the hardcoded certificate
1. Decompile the application
apktool d test.apk
2. Go to the decoded output
cd test
3. Search for hardcoded certificates via the following command
find . | grep '\.cer'
4. Replace all the hardcoded certificates with your Burp Suite certificate
cp ~/Path_of_Your_burp_certificate ./Full_Path_Of_Hardcoded_Certificate
5. Recompile the application, sign it, and install it
apktool b test -o test.apk
java -jar uber-apk-signer-1.2.1.jar --apks test.apk
Install the application
6. Start browsing the application and observe that the traffic is captured in Burp Suite.
Flutter and Xamarin applications do not respect the system proxy: if you set a proxy on your Android phone and try to capture the traffic, the application will either throw an error or the traffic will not be captured. This is why the hotspot approach is used for API-level penetration testing of these types of applications.
Before starting, first identify whether the application is built with Flutter or Xamarin
Requirements:
Steps to capture traffic via Hotspot Method
1. Turn on mobile data => turn on Bluetooth on the mobile => pair with the MacBook => turn on Bluetooth tethering from Settings on the mobile device
(Try to browse some data on the MacBook to confirm that Bluetooth tethering works properly)
2. Share the internet connection from the MacBook to the Android phone
On the MacBook navigate to System Preferences => Sharing => Internet Sharing => Share your connection from => Bluetooth PAN => To computers using => Wi-Fi
3. On Android navigate to Wi-Fi => connect to the MacBook's Wi-Fi
(Try to browse some data on the Android phone to confirm that this works properly)
4. Forward the traffic to Burp Suite
Create the pf.rules file with the following content
rdr pass on bridge100 inet proto tcp from any to any -> 127.0.0.1 port 8080
Run the two commands below
sudo pfctl -f pf.rules
sudo sysctl -w net.inet.ip.forwarding=1
5. Turn on the invisible proxy option in Burp Suite
Open Burp Suite => Proxy => Options => edit the listener => Request handling => turn on "Support invisible proxying"
6. Start browsing the application from the Android device and observe that the traffic is captured in Burp Suite.
1. Push the frida-server binary matching your Frida version and the device architecture to /data/local/tmp on the device, give it execute permission, and start it
2. Install objection on the MacBook
sudo pip3 install objection
3. Enter the command below to attach objection to the application and explore it.
objection -g package_name explore
4. Run the command below to bypass SSL pinning
android sslpinning disable
5. Start browsing the application from the Android phone and observe that the traffic is captured in Burp Suite.
1. Enter the command below to bypass SSL pinning
frida -U -f package_name -l ssl.js --no-pause
-U => use a connected USB device as the target
-f => the package name of the application to spawn
-l => the script to load
ssl.js => the pinning-bypass script
(Download the script from Frida CodeShare or build your own script for the application)
--no-pause => force Frida not to pause app execution after injecting the script.
2. Start browsing the application from the Android device and observe that the traffic is captured in Burp Suite.
The amount of private and sensitive information handled by mobile apps these days makes them a lucrative target for threat actors. In the case of Android applications, attackers generally begin by bypassing the SSL/TLS protection layer to learn more about the functionality and structure of the app. That is why in-depth penetration testing becomes a must, and knowing the techniques attackers use to bypass SSL pinning is a very proactive start in this direction. Based on the insights gained, you can add security measures to your app and stay ahead of the attackers.
Vaishali Nagori works as a Senior Security Researcher at FEV India. She has dedicated her expertise to assisting CISOs, security professionals, and developers in ensuring the end-to-end security of their organisation. Vaishali specializes in conducting comprehensive security assessments of web applications, APIs, Android, and iOS.