Mobile Application Pentesting-Part6

Piyush Patil
May 17, 2019

Bypassing Certificate Pinning

SSL pinning is a client-side technique used to defeat man-in-the-middle attacks by validating the server's certificate again, even after the TLS handshake has already succeeded against the device trust store. Developers embed (or "pin") a list of trusted certificates, or their public-key hashes, in the client application at development time and compare them against the certificates presented by the server at runtime. If the server's chain does not match the local copy, the connection is simply torn down and no further user data is sent to that server. This enforcement ensures that user devices communicate only with the intended, trusted servers, and it is exactly the check that the bypass methods below remove or neutralise.
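To make the "compare at runtime, then fail closed" behaviour concrete, here is an added example of the validation logic an app performs (this is illustrative code written for this page, not code from the article or from any specific Android library). It assumes the pins use the "sha256/<base64>" form that OkHttp's CertificatePinner and Android's Network Security Config use, computed over the DER-encoded SubjectPublicKeyInfo of a certificate; the SPKI byte strings below are constructed stand-ins, not real keys, and the `expires_at` field mirrors the optional pin-set expiry that lets a shipped app stop enforcing stale pins instead of locking users out.

```python
import base64
import hashlib
import time

# Constructed sample values: stand-ins for the DER-encoded SubjectPublicKeyInfo
# of each certificate in a presented chain. Real values come from the TLS handshake.
LEAF_SPKI = b"constructed-leaf-spki-der"
INTERMEDIATE_SPKI = b"constructed-intermediate-spki-der"
BACKUP_SPKI = b"constructed-backup-key-spki-der"   # key held offline for rotation
ROGUE_SPKI = b"constructed-intercepting-proxy-ca-spki-der"


def spki_pin(spki_der: bytes) -> str:
    """Pin string in the 'sha256/<base64>' form: SHA-256 over the DER SPKI.

    Pinning the public key rather than the whole certificate lets the server
    renew its certificate without breaking pinned clients, as long as the key
    pair is kept.
    """
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


class PinSet:
    """The list of trusted pins embedded in the app at build time."""

    def __init__(self, pins, expires_at=None):
        self.pins = set(pins)
        # Unix timestamp after which pinning is no longer enforced (None = never).
        self.expires_at = expires_at

    def enforced(self, now: float) -> bool:
        return self.expires_at is None or now < self.expires_at


def validate_chain(chain_spkis, pin_set: PinSet, now=None) -> bool:
    """Return True if the connection may proceed, False if it must be dropped.

    Assumes the chain already passed ordinary X.509 validation; pinning is an
    additional check layered on top. Any certificate in the chain matching any
    pin is accepted, so an app can pin an intermediate or a backup key and still
    survive a leaf rotation.
    """
    now = time.time() if now is None else now
    if not pin_set.enforced(now):
        # Expired pin set: fall back to normal trust-store validation only.
        return True
    presented = {spki_pin(spki) for spki in chain_spkis}
    # Fail closed: no overlap between presented keys and pinned keys -> reject.
    return not presented.isdisjoint(pin_set.pins)


if __name__ == "__main__":
    pins = PinSet([spki_pin(LEAF_SPKI), spki_pin(BACKUP_SPKI)],
                  expires_at=2_000_000_000)
    print("genuine chain accepted:",
          validate_chain([LEAF_SPKI, INTERMEDIATE_SPKI], pins, now=1_700_000_000))
    print("intercepting-proxy chain accepted:",
          validate_chain([ROGUE_SPKI, INTERMEDIATE_SPKI], pins, now=1_700_000_000))
```

Two points worth noticing from a defender's side: the single `isdisjoint` comparison is the whole enforcement, which is why the "remove the lines" approach in Method 1 or a runtime hook that forces this function to return `True` is enough to let an intercepting proxy through; and once `expires_at` has passed, the same rogue chain is accepted by design, so the expiry must be managed alongside app releases rather than left as a silent escape hatch.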


Method 1: Manually

Decompile the APK

Find the methods responsible for validating the trustworthiness of the certificate

Patch those methods by simply removing the validation code lines, then rebuild and re-sign the APK


Method 2: Using XPosed Framework

Xposed is a framework that allows users to easily apply add-ons (called Modules) to the ROM. Rather than flashing a new ROM to get a specific feature, you can use Xposed to add individual features to whatever ROM you’re using, or even just the stock ROM.

Installation:-

Download the installer from https://www.xda-developers.com/xposed-framework-hub/

Run it, search for the module named SSL pinning bypass (SSLUnpinning), and install it


Method 3: Using Objection

Objection is a runtime mobile exploration toolkit, powered by Frida. It was built with the aim of helping assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device.

You can install it by running

pip3 install objection

Once installed, find the package name of the target application using Frida or adb.

$ frida-ps -U

or

$ adb shell ps

then,

objection patchapk -s com.xyz.android.apk

This creates a new, patched APK with the Frida gadget embedded in it

Push the apk file or install the application by

$ adb push <local file path> <remote file path>

or

$ adb install (path to apk)

Now run,

objection -g (new apk file name) explore -q

Where,

-g stands for “Name of the Frida Gadget/Process to connect to”

explore stands for “objection exploration REPL”

If the gadget is injected successfully, you land in the objection REPL; there, run:

android sslpinning disable


Method 4: Frida

You will need a rooted Android device.

Install the following:-

pip3 install frida

pip3 install frida-tools

You will also need the frida-server binary, which runs on the device. Download the release matching the device's CPU architecture from:

https://github.com/frida/frida/releases

In our case (a Nexus device), we used frida-server-12.4.0-android-arm.xz.

Decompress it and rename the decompressed file to frida-server.

Open terminal and type following commands:-

adb push frida-server /data/local/tmp/

adb shell "chmod 755 /data/local/tmp/frida-server"

adb shell

su

cd /data/local/tmp/

./frida-server

Keep frida-server running in this terminal.

Go to Burp Suite and export the Burp CA certificate:

Click on Import/Export CA certificate

Select "Certificate in DER format"

Then rename the certificate generated by Burp to burpca-cert-der.crt:

mv cacert.der burpca-cert-der.crt

Open new terminal

wget https://techblog.mediaservice.net/wp-content/uploads/2017/07/frida-android-repinning_sa-1.js

Push the certificate to the device:

adb push burpca-cert-der.crt /data/local/tmp/cert-der.crt

Then spawn the application with the repinning script loaded:

frida -U -f com.tplink.kasa_android -l frida-android-repinning_sa-1.js --no-pause

Here com.tplink.kasa_android is the package name of the Android application. To find the package name, use the following:

# List running applications

$ frida-ps -Ua

# List installed applications

$ frida-ps -Uai
