Mobile Pentesting Series - part 1: bypass SSL pinning in Android

Mobile Hacking
Mobile applications use SSL (TLS) certificate pinning to defeat man-in-the-middle attacks: instead of trusting any certificate that chains to a CA in the device's trust store, the app checks the server's certificate or public key against a value baked into the app itself. Developers and security testers, however, often need to bypass pinning in order to inspect or modify the app's network traffic. This article shows how to bypass SSL pinning on Android.

Some Android applications go to great lengths to prevent even the device's owner from ever seeing the content of the app's HTTPS requests.

This is a problem for privacy analysis, debugging, security research, and control over your own device. It is not a purely theoretical issue either: protections like this are aimed squarely at HTTPS inspection tools such as HTTP Toolkit, which can automatically inspect, test, and mock HTTPS traffic from Android devices.

Such tools depend on the target app trusting the interception proxy's CA certificate for HTTPS traffic. HTTP interception and mocking work well for understanding and testing the majority of apps, but they run into trouble with the minority of hyper-vigilant apps that add extra checks on top of HTTPS (certificate pinning) specifically to prevent this kind of inspection.

Ultimately, this is your Android device, and you should be able to view the messages that the apps you use transmit and receive on your own phone, regardless of whether you are a privacy advocate documenting what data an app is sharing, a security researcher checking for vulnerabilities, or a developer attempting to comprehend how an app uses its API.

In other words, security measures such as certificate pinning complicate the situation.

Lab setup

Emulator - An Android emulator (or a rooted physical Android device) is required before the SSL pinning bypass can begin.
We install the MEmu emulator to get a virtual Android environment; Genymotion is another option, and it is the one used later in this post.

Android Debug Bridge (ADB) Platform-Tools - The Android SDK Platform-Tools are a component of the Android SDK. They contain the command-line tools that talk to the Android platform, chiefly adb and fastboot. ADB is needed for Android app development, but developers usually use the copy that Android Studio installs rather than a separate download.

On a Kali Linux machine just run:

sudo apt install adb


Frida - To use the Frida framework, a few packages must be installed; this can be done directly from the terminal.


It is a dynamic code instrumentation toolkit, to speak in terms that are more technical. It gives you the ability to inject small pieces of JavaScript or your own library into native applications running on Windows, macOS, GNU/Linux, iOS, watchOS, tvOS, Android, FreeBSD, and QNX. You will also have access to some straightforward utilities that have been developed atop the Frida API. These can be utilized in their current form, modified to suit your requirements, or repurposed as examples of how to make use of the API.

The core of Frida is written in C, and it injects QuickJS into the processes that it targets. In these processes, your JS code is executed, and it has full access to memory, can hook functions, and can even invoke native functions within the target process. Your app and the JS that is executing inside the target process can talk to one another via a communication channel that can send and receive messages in both directions.

Python and JavaScript allow for quick development with a risk-free API: Frida catches errors in the injected JS and reports an exception instead of crashing the target process.

Download the latest frida-server for Android from the releases page, choosing the build that matches the device's CPU ABI (arm, arm64, x86 or x86_64) and the same version as the frida-tools you will install on the host, then uncompress it:

$ unxz frida-server.xz
$ adb root # might be required
$ adb push frida-server /data/local/tmp/
$ adb shell "chmod 755 /data/local/tmp/frida-server"
$ adb shell "/data/local/tmp/frida-server &"

If everything went as planned, a quick check is to run the following, which lists the processes currently running on the device:

frida-ps -U


Frida script - The last Frida component is the JavaScript hooking script; you can copy an existing one or write your own.

Android app - Finally, we need an Android application that implements SSL pinning to test against.

Note: Your device must be rooted, if it is not already. Technically it is also possible to use Frida without modifying the device, for instance by repackaging the application to include frida-gadget or by attaching a debugger, but this post sticks to the simplest scenario: a rooted device with frida-server running on it.


Bypass SSL Pinning with Frida

SSL pinning can now be bypassed with a Frida script.

Once SSL pinning has been bypassed with Frida, the target application's network traffic can be intercepted and examined. Burp Suite, a well-known web proxy and vulnerability scanner, is used for this: install Burp Suite, set it up as the device's HTTP proxy, and export its CA certificate, which the bypass script will need later.

First, launch the Genymotion emulator or, on a physical device, enable USB debugging: go to Settings > Developer options and turn on USB debugging so that adb can talk to the device.


Go to the platform-tools folder and open a terminal or command prompt to establish the ADB connection. ADB reports the state of the connected devices; verify with:

adb devices


As we can see, the emulator is listening on IP 192.168.58.101, port 5555.

adb has spotted the Genymotion device, so let's connect to it:

adb connect 192.168.58.101:5555


The following command shows the device's CPU ABI, which tells you which frida-server build to download:

adb shell getprop ro.product.cpu.abi


Next, copy the frida-server binary onto the device, make it executable and start it as root, like so:

adb root


adb push frida-server /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "/data/local/tmp/frida-server &"


You now have a debuggable device with a running Frida server. To drive it you need the Frida CLI tools on your computer; with Python installed, simply run (and make sure the version installed matches the frida-server you pushed, otherwise the client will refuse to talk to it):

pip install frida-tools

To verify, run

frida-ps -U

This connects to the server over USB (-U) and lists every process running on the target device. If a process list comes back, everything is in order.


Last but not least, we must tell Frida to remove certificate pinning from the target application so that we can inspect the traffic it sends.

Before proceeding, the package name of the target app is required. It looks like com.mytestapp.android, i.e. a reversed domain name.

You can find it in either of these places:

The output of frida-ps -U -a, which lists every app that is currently running.
The output of pm list packages -f inside an adb shell, which gives the full raw list of packages installed on the device.


adb shell
pm list packages -f


Now push the SSL bypass script and Burp's CA certificate (exported from Burp in DER format) into the same /data/local/tmp directory on the device. The script is fed to Frida from the host with -l, but it reads the certificate from a device path hard-coded inside it, so the pushed file name must match what the script expects. The script sslbypass.js was saved earlier in the local working directory:


Following the referenced universal bypass script, sslbypass.js does not intercept requests by itself: it loads Burp's certificate into an in-memory KeyStore, builds a TrustManager from it and hooks SSLContext.init so that every TLS context the app creates trusts Burp's CA instead of the app's pinned certificate. Burp, sitting in the path as the proxy, then sees the requests.
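The post never shows the script itself, so here is a complete sslbypass.js written as an added example (it is not the script used in the original post, nor the referenced project's code). It follows the same SSLContext.init approach described above and adds two further hooks that a practitioner usually wants: the platform's conscrypt TrustManagerImpl.verifyChain and OkHttp3's CertificatePinner.check. The certificate path, the hook list and the run command are assumptions; the script only attempts hooks whose classes are present in the target process.

```javascript
// sslbypass.js: Frida script that removes Android SSL pinning at three layers.
// Added example, not the script from the original post or the referenced project.
// Assumptions (not stated on the page): Burp's CA certificate has been exported
// in DER form and pushed to CERT_PATH, and the app uses the platform TLS stack
// (javax.net.ssl / conscrypt) and/or OkHttp3. Run with:
//   frida -U -f <package> -l sslbypass.js

var CERT_PATH = "/data/local/tmp/cert-der.crt";   // assumed location of Burp's CA (DER)

var cachedTrustManagers = null;

// Build a TrustManager[] that trusts only the proxy CA, from the DER file on the
// device. Only called from inside a hook, i.e. inside Java.perform on the device.
function proxyTrustManagers(Java) {
  if (cachedTrustManagers !== null) return cachedTrustManagers;
  var CertificateFactory  = Java.use("java.security.cert.CertificateFactory");
  var FileInputStream     = Java.use("java.io.FileInputStream");
  var BufferedInputStream = Java.use("java.io.BufferedInputStream");
  var KeyStore            = Java.use("java.security.KeyStore");
  var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");

  var stream = BufferedInputStream.$new(FileInputStream.$new(CERT_PATH));
  var ca = CertificateFactory.getInstance("X.509").generateCertificate(stream);
  stream.close();

  var keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
  keyStore.load(null, null);                      // empty in-memory key store
  keyStore.setCertificateEntry("proxy-ca", ca);   // ... holding just the proxy CA

  var tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
  tmf.init(keyStore);
  cachedTrustManagers = tmf.getTrustManagers();
  return cachedTrustManagers;
}

// Each entry names one Java method whose overloads get replaced. impl receives
// the Java bridge, the original overload, the receiver and the call arguments.
var HOOKS = [
  {
    name: "javax.net.ssl.SSLContext.init",
    cls: "javax.net.ssl.SSLContext",
    method: "init",
    // Swap the app's (possibly pinning) TrustManagers for ones trusting the proxy CA.
    impl: function (Java, orig, self, args) {
      return orig.call(self, args[0], proxyTrustManagers(Java), args[2]);
    }
  },
  {
    name: "com.android.org.conscrypt.TrustManagerImpl.verifyChain",
    cls: "com.android.org.conscrypt.TrustManagerImpl",
    method: "verifyChain",
    // Platform chain verification (Android 7+): returning the untrusted chain
    // unchanged is treated as "verified".
    impl: function (Java, orig, self, args) { return args[0]; }
  },
  {
    name: "okhttp3.CertificatePinner.check",
    cls: "okhttp3.CertificatePinner",
    method: "check",
    // OkHttp3 pin check: returning without throwing means the pins matched.
    impl: function (Java, orig, self, args) { return undefined; }
  }
];

// Install every hook whose class exists in the process. Returns the names that
// were installed, so the operator can see which layers were actually patched.
function installBypass(Java) {
  var installed = [];
  HOOKS.forEach(function (h) {
    var cls;
    try {
      cls = Java.use(h.cls);
    } catch (e) {
      console.log("[-] " + h.cls + " not loaded, skipping");
      return;
    }
    cls[h.method].overloads.forEach(function (ov) {
      ov.implementation = function () {
        return h.impl(Java, ov, this, Array.prototype.slice.call(arguments));
      };
    });
    console.log("[+] hooked " + h.name);
    installed.push(h.name);
  });
  return installed;
}

// Entry point when loaded by Frida; a no-op when the file is loaded elsewhere.
if (typeof Java !== "undefined" && Java.available) {
  Java.perform(function () {
    installBypass(Java);
  });
}
```

Because every class lookup is wrapped in try/catch, an app without OkHttp simply logs a skip for that entry, and the `[+] hooked` lines tell you which layer of the app's TLS stack was actually patched, which is the first thing to look at when traffic still does not appear in Burp.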

Now load the script into the installed application for testing:

frida -U -f com.duolingo.literacy -l "sslbypass.js"


That restarts the Duolingo app on the phone, and traffic shows up in the proxy immediately.

We have removed the pinning, so the Duolingo ABC app now trusts our MitM proxy and we can intercept and inspect its traffic.

Caveats

In theory Frida can bypass any certificate pinning: if code can be written to verify a certificate, Frida can hook that code out.

In practice, though, this depends entirely on whether the script knows about the particular pinning code or APIs in use. How well the method works is determined by the target application and by the Frida script.

Some applications go the extra mile and implement their own certificate pinning so that disabling it is as hard as possible. The Facebook apps are one example: they ship their own TLS implementation instead of using the standard platform APIs.

In theory the same Frida script could be extended to strip out such custom pinning code as well, but that is far more work than hooking a widely used common library. The script used here does not attempt it, so it will not work on Facebook, Facebook Messenger, Instagram or similar apps.

Fortunately this matters little, since Facebook's apps include a whitehat setting that lets security researchers disable certificate pinning directly; use that instead.
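The caveats above boil down to one question: which pinning code does this app actually use? A short triage script answers it before any bypass is attempted. The following is an added example, not part of the original post: it enumerates the Java classes loaded in the target process and matches them against a table of known TLS and pinning implementations, printing which hook each one needs. The table and its class-name patterns are assumptions, and the last rule is a name heuristic only; an app whose TLS stack is entirely native, like the Facebook apps described above, produces no match.

```javascript
// pinning-triage.js: Frida script that reports which TLS / pinning implementations
// are loaded in the target process, so you know which hooks a bypass needs.
// Added example, not part of the original post. Assumes a Java/Kotlin app whose TLS
// classes are visible to Java.enumerateLoadedClassesSync(); a fully native TLS stack
// only shows up as "no match". Run with:
//   frida -U -n <app name> -l pinning-triage.js

// Known implementations (assumed class names), the layer they sit at and the hook
// a bypass script would need. The last rule is a name heuristic, nothing more.
var KNOWN = [
  { pattern: /^okhttp3\.CertificatePinner$/,
    layer: "OkHttp3 pinner", hook: "okhttp3.CertificatePinner.check" },
  { pattern: /^com\.squareup\.okhttp\.CertificatePinner$/,
    layer: "OkHttp2 pinner", hook: "com.squareup.okhttp.CertificatePinner.check" },
  { pattern: /^com\.android\.org\.conscrypt\.TrustManagerImpl$/,
    layer: "platform TrustManager", hook: "TrustManagerImpl.verifyChain" },
  { pattern: /^org\.conscrypt\.TrustManagerImpl$/,
    layer: "bundled Conscrypt", hook: "org.conscrypt.TrustManagerImpl.verifyChain" },
  { pattern: /^com\.datatheorem\.android\.trustkit\./,
    layer: "TrustKit", hook: "TrustKit's TrustManager / OkHttp wrappers" },
  { pattern: /^javax\.net\.ssl\.SSLContext$/,
    layer: "JSSE SSLContext", hook: "SSLContext.init (swap in proxy TrustManager)" },
  { pattern: /TrustManager/,
    exclude: /^(javax\.net\.ssl\.|com\.android\.org\.conscrypt\.|org\.conscrypt\.|java\.|android\.)/,
    layer: "custom TrustManager (name heuristic)", hook: "checkServerTrusted on that class" }
];

// Match every loaded class name against the table. Returns one finding per
// (layer, class) pair so a class matching two rules is reported under both.
function triage(loadedClasses) {
  var findings = [];
  var seen = {};
  loadedClasses.forEach(function (name) {
    KNOWN.forEach(function (k) {
      if (!k.pattern.test(name)) return;
      if (k.exclude && k.exclude.test(name)) return;
      var key = k.layer + "|" + name;
      if (seen[key]) return;
      seen[key] = true;
      findings.push({ cls: name, layer: k.layer, hook: k.hook });
    });
  });
  return findings;
}

// Human-readable report; an empty result is itself a finding.
function summarize(findings) {
  if (findings.length === 0) {
    return "no known Java-level TLS or pinning classes loaded; expect a custom or native TLS stack";
  }
  return findings.map(function (f) {
    return f.layer + ": " + f.cls + " -> hook " + f.hook;
  }).join("\n");
}

// Entry point when loaded by Frida; a no-op when the file is loaded elsewhere.
if (typeof Java !== "undefined" && Java.available) {
  Java.perform(function () {
    console.log(summarize(triage(Java.enumerateLoadedClassesSync())));
  });
}
```

Run it with `-n` against the already running app rather than `-f`, since classes the app loads lazily (an OkHttp client built on first request, say) are only visible once that code path has executed; if the report is empty after exercising the app, the bypass has to move to the native layer.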

Conclusion

SSL Certificate Pinning Drawbacks:

References

Android Debug Bridge
MEmu
Genymotion
Frida
Frida: GitHub
Universal Android SSL Pinning Bypass with Frida