What is SSL Pinning?
Nowadays most applications use SSL pinning, a technique that improves the security of an application that relies on SSL certificates. An application that uses SSL incorrectly may allow an attacker to intercept the app's data over the network.
HTTPS provides an encrypted communication channel between a client app and its backend server. With pinning, the application compares the public key of the certificate presented by the server against a "pinned" public key that is configured within the app. If the two do not match, the app rejects the connection.
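The comparison described above, as an added example that is not part of the original post: a pin is the base64-encoded SHA-256 of the certificate's SubjectPublicKeyInfo (the format used by Android's network security config and OkHttp), and the client accepts the connection only if the server's pin is in its configured set. The DER walker, the helper names and the constructed test certificate are all assumptions of this example.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Parse one DER TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extract_spki(der_cert):
    """Return the raw SubjectPublicKeyInfo TLV from a DER-encoded X.509 certificate."""
    _, cert, _ = read_tlv(der_cert, 0)      # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = read_tlv(cert, 0)           # tbsCertificate ::= SEQUENCE
    pos = 0
    tag, _, nxt = read_tlv(tbs, 0)
    if tag == 0xA0:                         # [0] EXPLICIT version is optional (absent in v1 certs)
        pos = nxt
    for _ in range(5):                      # skip serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)
    return tbs[pos:end]

def spki_pin(der_cert):
    """Pin string in the 'sha256/<base64>' form used by Android and OkHttp."""
    digest = hashlib.sha256(extract_spki(der_cert)).digest()
    return "sha256/" + base64.b64encode(digest).decode()

def pin_matches(der_cert, pinned):
    """The check a pinning client performs: accept only if the server's key is in the pin set."""
    return spki_pin(der_cert) in set(pinned)

# --- constructed sample certificate: structurally valid DER, not issued or signed by any CA ---
def tlv(tag, value):
    n = len(value)                          # lengths below 256 bytes are enough for this sample
    hdr = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n])
    return hdr + value

RSA_ALG = bytes.fromhex("06092a864886f70d0101010500")                  # rsaEncryption OID + NULL params
SPKI = tlv(0x30, tlv(0x30, RSA_ALG) + tlv(0x03, b"\x00" + b"\x42" * 64))  # SEQUENCE { algId, BIT STRING }
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, RSA_ALG)
          + tlv(0x30, b"") + tlv(0x30, b"") + tlv(0x30, b"") + SPKI)
TEST_CERT = tlv(0x30, TBS + tlv(0x30, RSA_ALG) + tlv(0x03, b"\x00" * 9))

if __name__ == "__main__":
    print(spki_pin(TEST_CERT))              # this is the value a defender would pin in the app
    print(pin_matches(TEST_CERT, [spki_pin(TEST_CERT)]))
```

Because the hash covers the SubjectPublicKeyInfo rather than the whole certificate, the pin stays valid across certificate renewals that keep the same key pair, which is why a second (backup) key pin is normally configured alongside it.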
So today we are going to discuss how this restriction can be bypassed so that a proxy can intercept the traffic between the application and the server.
To accomplish this we will use the tools below:
- Frida framework.
- Any SSL Pinned Android Application.
- Burp Suite.
- Rooted Android Device.
First of all, find the package name of the targeted application using the Frida command below:
Here `-U` tells Frida to target the USB-connected device.
So we got the package name, i.e. com.funda.two
Now, decompile the application and find the SSL pinning class. Use jd-gui to decompile the Java classes and search for keywords such as SSLContext, SSL and TrustManager.
We will use the custom CA certificate of Burp Suite, and Frida will re-pin this custom certificate into the target application.
Now run the Frida command below to bypass the SSL pinning of the application.
As we can see, Frida hijacked the SSLContext and assigned the custom PortSwigger (Burp) CA certificate to the application.
Now, with Burp Suite open, we are able to intercept the traffic from the application.
This is how we can bypass SSL pinning on Android applications.
Thanks for reading..happy pentesting..