Android SSL Pinning

Date: 17/03/2021

Introduction

Modern requirements to mobile data processing apps designed for work with personal and financial data include secure data transfer over the Internet. SSL pinning is a mechanism used to satisfy this requirement: it enables the user to identify a server based on an SSL certificate stamp embedded into the app. This makes Man-In-the-Middle attacks almost impossible and prevents the interception of the data traffic between a client and a server.

cyberlands.io


At the same time, this mechanism complicates the application analysis during penetration testing involving BlackBox or GreyBox methods because the pentester has to identify this mechanism and implement some workaround to intercept the traffic and analyze the client–server interaction. This article describes one of the ways to overcome SSL pinning in Android apps.

Research

When our team received an app for research, it was only known that it uses SSL Pinning and Root / Emulator Detection. In addition, the development team reported that during previous penetration tests, the attacking team turned off these checks, so that should have been complicated.

An .apk file was downloaded for research and launched in the emulator with root rights and write access to the system memory area. After installing the app and setting up the emulator, we attempted to configure the proxy settings with the purpose to intercept the communication with the server, but unsuccessfully. Therefore, it was decided to decompile the application and examine the source code in order to identify the security mechanism.

Decompiling

The Jadx-GUI Android decompiler was chosen for decompilation and examination of the application source code. After loading the app into the decompiler, we got something like shown on the picture below:

The screenshot indicates that the app contains various classes, including the okhttp3 class —a library that allows you to manage the HTTP interactions of the app and includes a module for interaction with SSL Pinning. Further examination of the library has shown that there is nothing related to SSL Pinning in it.

Still, there is a protection mechanism, so we attempted to locate it using a code search. In the official okhttp3 library documentation, we found the name of the class related to the protection mechanism. Then we switched to Jadx-Gui and launched the search.

The search results are shown on the screenshot below:

As can be seen, this class is used in a huge number of places in the code. After examining the code of the io.intercom.okhttp3.CertificatePinner class, we located the public Builder add (String str, String … strArr) method; according to the official documentation, this method is used to associate a host with the sha256 hash of the certificate, and if it does not match, an exception is generated.

A search by the method name brought more than 4000 results, which indicates that the current approach is ineffective and a new one is required. Therefore, we run a search by the known hostname.

As can be seen, there are 2 function calls whose first parameter is the sought host. The second parameter is some sha256 hash, which indicates that this may be the target function. After jumping to the place of the call, we found another call of this function for two more domains. Our next step is to make sure that the protection mechanism is based on the okhttp3 library.

Success! We can replace the signatures of the certificates with the signatures of the certificate of our proxy here. The following 2 commands are used to generate sha256 for our certificate:

openssl x509 -inform der -in Burp.cer -out BurpPem.pem
openssl x509 -in BurpPem.pem -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha1 -binary | openssl enc -base64

We unpack the application using apktool:

apktool d Application.apk
vim g/a/b/j.smali

Next, we find the string with the target hashes, replace them with the new ones that we have generated for our certificate, and rebuild the app

apktool b Application/ -o Application-without-SSLPinning.apk

Finally, the app is signed with a pre-generated signature

keytool -genkey -v -keystore my-release-key.keystore -alias Cyberlands -keyalg RSA -keysize 2048 -validity 10000
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore Application-without-SSLPinning.apk Cyberlands

Now we can install the app on the emulator phone, configure the proxy, and examine the app’s traffic.

Conclusions

SSL Pinning can be bypassed in many ways, including both automated (e.g. frida.re) and manual (like the one shown above) techniques. The selection of a specific method depends on the implementation you are dealing with. In future articles, we will examine other methods used to bypass SSL Pinning and Root Detection, both automated and manual ones.

Related posts:
2022.02.15 — First contact: How hackers steal money from bank cards

Network fraudsters and carders continuously invent new ways to steal money from cardholders and card accounts. This article discusses techniques used by criminals to bypass security…

Full article →
2023.04.20 — Sad Guard. Identifying and exploiting vulnerability in AdGuard driver for Windows

Last year, I discovered a binary bug in the AdGuard driver. Its ID in the National Vulnerability Database is CVE-2022-45770. I was disassembling the ad blocker and found…

Full article →
2022.01.13 — Bug in Laravel. Disassembling an exploit that allows RCE in a popular PHP framework

Bad news: the Ignition library shipped with the Laravel PHP web framework contains a vulnerability. The bug enables unauthorized users to execute arbitrary code. This article examines…

Full article →
2022.02.15 — Reverse shell of 237 bytes. How to reduce the executable file using Linux hacks

Once I was asked: is it possible to write a reverse shell some 200 bytes in size? This shell should perform the following functions: change its name…

Full article →
2022.06.03 — Challenge the Keemaker! How to bypass antiviruses and inject shellcode into KeePass memory

Recently, I was involved with a challenging pentesting project. Using the KeeThief utility from GhostPack, I tried to extract the master password for the open-source KeePass database…

Full article →
2022.01.12 — Post-quantum VPN. Understanding quantum computers and installing OpenVPN to protect them against future threats

Quantum computers have been widely discussed since the 1980s. Even though very few people have dealt with them by now, such devices steadily…

Full article →
2022.04.04 — Fastest shot. Optimizing Blind SQL injection

Being employed with BI.ZONE, I have to exploit Blind SQL injection vulnerabilities on a regular basis. In fact, I encounter Blind-based cases even more frequently…

Full article →
2022.06.03 — Playful Xamarin. Researching and hacking a C# mobile app

Java or Kotlin are not the only languages you can use to create apps for Android. C# programmers can develop mobile apps using the Xamarin open-source…

Full article →
2023.06.08 — Croc-in-the-middle. Using crocodile clips do dump traffic from twisted pair cable

Some people say that eavesdropping is bad. But for many security specialists, traffic sniffing is a profession, not a hobby. For some reason, it's believed…

Full article →
2023.03.26 — Attacks on the DHCP protocol: DHCP starvation, DHCP spoofing, and protection against these techniques

Chances are high that you had dealt with DHCP when configuring a router. But are you aware of risks arising if this protocol is misconfigured on a…

Full article →