SSL Pinning Bypass — Android PenTesting

Sarang Khilare
Dec 13, 2019 · 3 min read

What is SSL Pinning?

Nowadays most applications use an SSL pinning technique to improve the security of an application that relies on SSL certificates. It is possible that an application uses SSL incorrectly, such that an attacker may be able to intercept the app’s data over the network.

HTTPS ensures safe, encrypted communication channels between client apps and the backend server. With pinning, the application compares the public key of the server’s CA certificate against a “pinned” public key that is configured within the app. If the two do not match, the app rejects the connection.
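As an added illustration of the check described above (not code from the original post): a pinning client hashes the SubjectPublicKeyInfo of the certificate the server presents and accepts the connection only if that hash is in its built-in pin set, which is why a proxy’s own CA certificate is rejected until the app is re-pinned. The minimal DER parser and the synthetic certificates below are constructed for this example; `fake_cert` is a hypothetical helper, not a library function.

```python
import base64
import hashlib

def der_elements(buf, start, end):
    """Yield (tag, elem_start, val_start, val_end) for each DER TLV in buf[start:end]."""
    pos = start
    while pos < end:
        elem_start, tag, length = pos, buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:                      # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        yield tag, elem_start, pos, pos + length
        pos += length

def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo DER (header included) from an X.509 certificate."""
    _, _, cert_vs, cert_ve = next(der_elements(cert_der, 0, len(cert_der)))  # Certificate SEQUENCE
    _, _, tbs_vs, tbs_ve = next(der_elements(cert_der, cert_vs, cert_ve))     # TBSCertificate
    fields = list(der_elements(cert_der, tbs_vs, tbs_ve))
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # remaining order: serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, spki_start, _, spki_end = fields[5]
    return cert_der[spki_start:spki_end]

def spki_pin(cert_der):
    """HPKP / OkHttp CertificatePinner style pin: 'sha256/' + base64(SHA-256(SPKI DER))."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()

def pin_matches(cert_der, pinned_set):
    """The check a pinning app performs: accept only if the presented key is in its pin set."""
    return spki_pin(cert_der) in pinned_set

# Constructed sample certificates: synthetic DER with the real X.509 field layout, not real certs.
def der(tag, payload):
    n = len(payload)
    lb = b"" if n < 128 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 128 else 0x80 | len(lb)]) + lb + payload

def fake_cert(pubkey, serial):
    alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")) + der(0x05, b""))  # rsaEncryption
    spki = der(0x30, alg + der(0x03, b"\x00" + pubkey))                  # BIT STRING, 0 unused bits
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial) + alg
              + der(0x30, b"") + der(0x30, b"") + der(0x30, b"") + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00sig"))

PINNED = {spki_pin(fake_cert(b"\x01" * 64, b"\x01"))}   # constructed server key; the pin the app ships with
```

Because the pin covers only the public key, a certificate re-issued for the same key (new serial, new validity) still matches, while a certificate carrying any other key, such as an interception proxy’s CA, does not.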

So today we are going to discuss how we can bypass this restriction and use any proxy to intercept the traffic between the application and the server.

To accomplish this we will use the tools below:

  • Frida framework.
  • Any SSL Pinned Android Application.
  • Burp Suite.
  • Rooted Android Device.

First of all, find the package name of the target application using the Frida command below:

frida-ps -U

where -U selects the USB device.

So we got the package name, i.e. com.funda.two

We will use the SSL unpinner JavaScript code from Piergiovanni Cipolloni. Below is the link for reference.

https://techblog.mediaservice.net/wp-content/uploads/2017/07/frida-android-repinning_sa-1.js

Now, decompile the application and find the SSL pinning class. Use jd-gui to decompile the Java classes and search for keywords like SSLContext, SSL, TrustManager, etc.

We will use the custom CA certificate of Burp Suite, and Frida will re-pin this custom certificate into the target application.

Copy the cacert.crt certificate to the /data/local/tmp/ directory on the Android device and reference the same path in the JavaScript script. Also install the same certificate on the Android device so we can intercept the traffic.

Now run the Frida command below to bypass the SSL pinning of the application.

[Image: Frida command to bypass SSL pinning]

As we can see, Frida hijacked the SSLContext and assigned the custom CA certificate from PortSwigger (Burp) to the application.

Now open Burp Suite; we are able to intercept the traffic from the application.

So this is how we can bypass SSL pinning on Android applications.

Thanks for reading, happy pentesting.
