24 C
Jaipur
Saturday, October 24, 2020

Bypass SSL Pinning on Android to Perform Man-in-the-Middle Attack

Must read

2020 World Series live stream: how to watch Dodgers vs Rays game 4 from anywhere

Over the next few days,  the year's shortened MLB season will come to an end and baseball will crown a new champion - but...

Michigan vs Minnesota live stream: how to watch Big Ten college football tonight

Big Ten college football is back, and the Michigan Wolverines vs Minnesota Golden Gophers game - one of the oldest rivalries in American college...

How to watch Khabib vs Gaethje: live stream UFC 254 right now

It's Fight Island's final bout of the year, and what a clash to be ringing that final bell to. UFC 254 plays host to...

How to watch Khabib vs Gaethje: live stream UFC 254 right now

It's Fight Island's final bout of the year, and what a clash to be ringing that final bell to. UFC 254 plays host to...

Certificate Pinning is an extra layer of security to achieve protection against man-in-the-middle. It ensures only certified Certificate Authorities (CA) can sign certificates for your domain, and not any CA in your browser store.

Application developers implement Certificate pinning to avoid reverse engineering, it allows developers to specify which certificate the application allowed to trust. Instead of relying on the certificate store.

Analyzing Source Code for SSL Pinning

By searching for strings like “checkClientTrusted” or “checkServerTrusted“, it would show you a piece of code with pinning.

If the code isn’t obfuscated, then we will modify the code to get rid of the pinning, recompile and sign with the APKTOOL.

Also, you can do a static analysis with a Security framework like MOBSF, if you find “Certificate/Key Files Hard-coded inside the App” or “Hardcoded Keystore Found” then it has SSL pinning.

Bypass SSL Pinning

In order to disable the promise, we want to decompile the application file and find the method bound for pinning control and remove the check. The end goal is to have the client accept your own SSL certificate as valid.

We are taking an android application in our scenario, if you have the device rooted then you can use Xposed Framework modules available to disable SSL Pinning. It is a very simple and straightforward method.

But the best way is to conduct a manual review by disassembling the apk you will need to locate where within the small source code the certificate pinning checks are done.

$ apktool -d test.apk

Searching the small code for keywords such as “X509TrustManager”, “cert”, “pinning”, to find where the certificate pinning login is keywords such as “X509TrustManager”, “cert”, “pinning”, etc, to find where the certificate pinning login is performed.

Once you have finished modifying the code need to compile and resign the app with a developer certificate. The code signing certificate here provides the integrity and ensures the application does not tamper.

$ apktool b test/ -o example.modified.apk

After this, the app needs to just be reinstalled on the device and tested against. Once installed the app still, works, as supposed, however, is currently prone to a man in the middle attack as a result of the pinned certificate being bypassed.

Bypassing certificate pinning either of those ways permits you to effectively conduct a man in the middle attack on the apps that shielded with HTTPS and SSL having the ability to intercept session tokens and even seeing usernames and passwords in plain text in a tool like a burp suite or fiddler.

Mitigation – Bypass SSL

The certificate is tended to expire as per CAB forum CA certificates will not be issued with the maximum period of 3 years. So you should plan an app update with an updated certificate.

We should implement obfuscation methods to avoid our source code to be decompiled. You can submit an app for pentesting companies for source code analysis.

Source link

- Advertisement -

More articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest article

2020 World Series live stream: how to watch Dodgers vs Rays game 4 from anywhere

Over the next few days,  the year's shortened MLB season will come to an end and baseball will crown a new champion - but...

Michigan vs Minnesota live stream: how to watch Big Ten college football tonight

Big Ten college football is back, and the Michigan Wolverines vs Minnesota Golden Gophers game - one of the oldest rivalries in American college...

How to watch Khabib vs Gaethje: live stream UFC 254 right now

It's Fight Island's final bout of the year, and what a clash to be ringing that final bell to. UFC 254 plays host to...

How to watch Khabib vs Gaethje: live stream UFC 254 right now

It's Fight Island's final bout of the year, and what a clash to be ringing that final bell to. UFC 254 plays host to...

US sanctions Russian institute linked to dangerous malware – Latest News

Washington imposed sanctions on a Russian research institute tied to the development of a dangerous computer program capable of causing catastrophic industrial damage, a...