SSL pinning hardens SSL/TLS in mobile apps by binding the app to a specific server certificate or public key (typically the base64 SHA-256 hash of the certificate's SubjectPublicKeyInfo, declared in OkHttp's CertificatePinner or in the Android Network Security Config pin-set). This mitigates man-in-the-middle attacks: the app communicates only with servers presenting the expected, pinned certificate.
- Even after importing a user or root CA certificate into the Android certificate store, an app with active SSL pinning rejects the proxy's certificate because it does not match the pin, so a proxy alone cannot intercept its traffic.
A pentester needs to bypass certificate pinning to see live application traffic. Common interception proxies:
- BurpSuite
- Proxyman (available only on macOS)
- mitmproxy
- Charles Proxy
Android Interception Process
- Start the Proxy software and configure it
- Set proxy on the emulator/physical device network settings
- Intercept HTTP traffic
- Import CA Certificates and trust them in the Certificate Store
- Intercept HTTPS traffic (fails while SSL Pinning is active)
- Use Objection/Frida tools to bypass SSL Pinning and intercept HTTPS Traffic
MobSF Dynamic Analyzer
- Supports x86 and x86_64 Android VMs, Android 4.1 - 11.0 (up to API 30)
🔗 Setting up MobSF dynamic analyzer for security testing of Android applications - Sarvesh Sharma
- Start the Genymotion Android VM (e.g. API 29 - it uses Frida and works out of the box) before starting MobSF
- Device identifier - 192.168.56.103:5555
- (If the MobSF Dynamic Analyzer doesn't detect the Android device) configure ANALYZER_IDENTIFIER with the VM's device identifier 192.168.56.103:5555 in ~/docker/mobsf/config.py
ANALYZER_IDENTIFIER = '192.168.56.103:5555'
- Run MobSF via Docker
docker run -it --rm --name mobsf -p 8000:8000 -v ~/docker/mobsf:/home/mobsf/.MobSF opensecurity/mobile-security-framework-mobsf:latest
- Navigate to http://0.0.0.0:8000/dynamic_analysis/ and click on MobSFy Android Runtime, then the MobSFy! button
- Start Dynamic Analysis on the desired application
- Try the various Dynamic Testers (Exported Activity, Activity, TLS/SSL) and check the outputs in the UI.
- Check the Logcat Stream and Live API Monitor
- Start Instrumentation with the selected Frida Scripts and check the Frida Logs
- Generate Report with the Dynamic Analysis information
Install BurpSuite and use it to intercept application traffic.
# Kali Linux Install
sudo apt update && sudo apt install -y burpsuite
- Set a new Proxy Listener bound to port 8082 on All interfaces
- Configure the device / emulator to use the proxy
- Settings > Network & internet > Wi-Fi > Network details
- Modify the Advanced options, setting the Proxy to the IP of the host running BurpSuite (vboxnet LAN or Bridged LAN IP) and the port 8082
- Open Chrome and navigate to google.com
- HTTPS traffic cannot be intercepted yet: the device rejects the unknown certificate (PortSwigger CA) that BurpSuite presents
- Install the BurpSuite certificate on the Android device
- Export the BurpSuite certificate in DER format, renaming it during save to Burp_TCM.CER (Android's certificate installer recognises the .cer/.crt extensions)
- Copy the certificate to the device
cd ~/tcm/mapt
adb push Burp_TCM.CER /sdcard/
- Install the certificate (Sony: Settings > Lock screen & security > Advanced > Encryption & credentials > Install from device memory/SD card)
- In BurpSuite turn Proxy Intercept ON and, on the device, re-open Chrome and navigate to google.com
- BurpSuite now accepts the HTTPS traffic and the Google website works in Chrome
- Caveat: the certificate was installed as a user CA. Chrome trusts user CAs, but apps targeting Android 7 (API 24) or later do not unless their network_security_config opts in, and an app with SSL pinning rejects it in any case; those apps need the Objection/Frida pinning bypass or a CA placed in the system store of a rooted device.
🔗 Frida - Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers
🔗 Objection - a runtime mobile exploration toolkit, powered by Frida
🔗 Apktool
- Install Frida first, then Objection. Check the Android Lab for instructions.
Patch the Android app with Objection, which automates the patching process (using aapt, adb, jarsigner, apktool).
- This command determines the target architecture of your device using adb, extracts the source APK, inserts the INTERNET permission if it does not already exist, patches in and embeds the frida-gadget.so, and repackages and signs a new APK for you.
unset _JAVA_OPTIONS # may be necessary
objection patchapk --source InjuredAndroid.apk
# if no device connected, specify the target architecture using the --architecture flag.
# Uninstall the original app and install the patched one
adb uninstall b3nac.injuredandroid
adb install InjuredAndroid.objection.apk
In case of "Can't Decode Resources" error with Kotlin apps, use the command
objection patchapk --source InjuredAndroid.apk --use-aapt2
Frida’s Gadget is a shared library meant to be loaded by programs to be instrumented when the Injected mode of operation isn’t suitable. Gadget gets kickstarted as soon as the dynamic linker executes its constructor function.
- With split APKs, use the patch-apk tool, an APK patcher for use with objection that supports Android app bundles/split APKs
- Decompile the APK
cd ~/apks
apktool d -r InjuredAndroid.apk
# -r does not decode resources
- Note: with -r the AndroidManifest.xml is left in its binary form as well; if you need to edit it (e.g. to add the INTERNET permission), decode it with apktool's --force-manifest option or drop -r.
- Download the Frida native library (frida-gadget) for the CPU architecture of the physical/emulator device from the Frida release page
# Get the CPU architecture
adb shell getprop ro.product.cpu.abi
# example output: arm64-v8a
adb shell cat /proc/cpuinfo
- Add the frida-gadget into the APK's lib folder for the correct architecture, e.g. InjuredAndroid/lib/arm64-v8a, saved as libfrida-gadget.so so that System.loadLibrary("frida-gadget") finds it. Match the gadget version to the Frida version installed on the host (frida --version).
cd ~/apks/InjuredAndroid/lib/arm64-v8a # depends on the CPU architecture
wget -qO - https://github.com/frida/frida/releases/download/16.1.10/frida-gadget-16.1.10-android-arm64.so.xz | xz -d -c > libfrida-gadget.so
- Inject frida-gadget into the bytecode (smali) of the app, in a known exported or otherwise accessible Activity (usually MainActivity.smali or OnboardingActivity.smali)
nano ~/apks/InjuredAndroid/smali/b3nac/injuredandroid/MainActivity.smali
# add the following lines in the ".method public constructor", typically right after its invoke-direct call to the superclass <init>;
# the method's .locals count must be at least 1, otherwise v0 is not a valid register
const-string v0, "frida-gadget"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
- Add the Internet permission to the manifest if not already there (necessary for Frida to open a socket).
- Repackage the application
apktool b -o InjuredAndroid_repackaged.apk InjuredAndroid/
- Sign the InjuredAndroid_repackaged.apk and zipalign the app
# Create a Keystore (keytool prompts for a keystore password; demopw is used below)
keytool -genkey -v -keystore demo.keystore -alias demokeys -keyalg RSA -keysize 2048 -validity 10000
# Sign the APK (JAR/v1 signature)
jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore demo.keystore -storepass demopw InjuredAndroid_repackaged.apk demokeys
# Check the signing status
jarsigner -verify -verbose InjuredAndroid_repackaged.apk
# zipalign the APK (after jarsigner, since the v1 signature survives alignment)
zipalign -v 4 InjuredAndroid_repackaged.apk InjuredAndroid_repackaged-final.apk
- Caveat: jarsigner only produces a v1 signature. Apps targeting API 30 (Android 11) or higher must carry a v2+ signature, which only apksigner from the Android build-tools produces; with apksigner, zipalign first and sign last, because aligning after signing invalidates a v2 signature.
- Install the signed and aligned app
adb uninstall b3nac.injuredandroid
adb install InjuredAndroid_repackaged-final.apk
- Open the app and test Objection
frida-ps -Uai
objection -g b3nac.injuredandroid explore
# Some objection commands
android sslpinning disable
android clipboard monitor
memory dump all /tmp/dumped
android keystore list
android keystore watch
android root disable
android root simulate
Find various Frida scripts in the Frida CodeShare projects.
# Run it with
frida -U --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f b3nac.injuredandroid
frida -U --codeshare dzonerzy/fridantiroot -f b3nac.injuredandroid
frida -U --codeshare dki/ios-app-info -f b3nac.injuredandroid # an iOS-only script, kept here only as another CodeShare example
# Or copy the code into a .js file and use it with frida/objection
frida -U -f b3nac.injuredandroid -l fridantiroot.js
# Objection
objection -g b3nac.injuredandroid explore --startup-script fridantiroot.js
objection -g b3nac.injuredandroid explore -s "android root disable"
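What the universal pinning-bypass CodeShare script and Objection's `android sslpinning disable` do under the hood, shown here as an added example written for these notes (it is not Frida's, Objection's or any CodeShare author's code). It assumes Frida's Java bridge is available in the target process, hooks the real OkHttp3 and Conscrypt class/method names, and is loaded with `frida -U -f <package> -l pinning-bypass.js`; the file name is an assumption.

```javascript
'use strict';
// Added example (not from the page, Frida, Objection or any CodeShare author):
// a table-driven Android SSL pinning bypass in the style of the CodeShare scripts.
// Assumes Frida's Java bridge (Java.perform / Java.use); class and method names are
// the real OkHttp3 and Conscrypt ones. Run: frida -U -f <package> -l pinning-bypass.js

// Each entry names the pinning check to neutralise and its replacement implementation.
// `args` selects an overload; null means the method has a single overload.
const HOOKS = [
  {
    cls: 'okhttp3.CertificatePinner', method: 'check',
    args: ['java.lang.String', 'java.util.List'],
    // Returning normally instead of throwing SSLPeerUnverifiedException passes every pin check.
    replacement: function (hostname, peerCertificates) {
      console.log('[+] okhttp3.CertificatePinner.check() bypassed for ' + hostname);
    },
  },
  {
    cls: 'okhttp3.CertificatePinner', method: 'check$okhttp',   // OkHttp 4.x (Kotlin) entry point
    args: ['java.lang.String', 'kotlin.jvm.functions.Function0'],
    replacement: function (hostname, cleanedPeerCertificatesFn) {
      console.log('[+] okhttp3.CertificatePinner.check$okhttp() bypassed for ' + hostname);
    },
  },
  {
    cls: 'com.android.org.conscrypt.TrustManagerImpl', method: 'verifyChain', args: null,
    // The platform trust manager: hand back the untrusted chain as if it had validated,
    // which also defeats pins enforced through network_security_config.
    replacement: function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
      console.log('[+] TrustManagerImpl.verifyChain() bypassed for ' + host);
      return untrustedChain;
    },
  },
];

// Install every hook whose class and method exist in the target process.
// Missing ones are reported, not fatal: an app without OkHttp simply lacks that class.
function installHooks(JavaApi, hooks) {
  const result = { installed: [], missing: [] };
  for (const h of hooks) {
    let cls;
    try {
      cls = JavaApi.use(h.cls);                   // throws ClassNotFoundException if absent
    } catch (e) {
      result.missing.push(h.cls + '.' + h.method);
      continue;
    }
    const method = cls[h.method];
    if (!method) {                                // class present, method not (e.g. OkHttp 3 vs 4)
      result.missing.push(h.cls + '.' + h.method);
      continue;
    }
    const target = h.args ? method.overload(...h.args) : method;
    target.implementation = h.replacement;
    result.installed.push(h.cls + '.' + h.method);
  }
  return result;
}

// Under Frida the Java bridge is a global; the guard keeps the file loadable elsewhere.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    const r = installHooks(Java, HOOKS);
    console.log('[*] hooks installed: ' + (r.installed.join(', ') || 'none'));
    if (r.missing.length) console.log('[*] not present in this app: ' + r.missing.join(', '));
  });
}
```

Keeping the hooks as data lets the script report which pinning paths were actually present in the app instead of aborting on the first ClassNotFoundException; that report is the first thing to check when traffic still does not show up in Burp, because a custom X509TrustManager in the app's own code needs its own hook.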
Always check the analyzed app's directory under /data/data/ (shared preferences, databases, caches). Look through the logcat logs.
- Check system and application logs with logcat or pidcat for unintended data leakage
# Logcat
adb logcat | grep "$(adb shell ps | grep <package-name> | awk '{print $2}')"
adb logcat -d -b all -v long -e b3nac.injuredandroid
# Pidcat
sudo apt install pidcat
pidcat b3nac.injuredandroid
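The leakage check above is a manual read through logcat; as an added example (not from the page or from pidcat), the following scans saved `logcat -v threadtime` output for secrets an app should never log and, like pidcat, restricts the hits to the app's PID. The log lines, the PID 4821 and the tags are constructed for the demo; the patterns are a starting point to extend for the app under test.

```javascript
'use strict';
// Added example (not from the page): scan logcat output for data an app should never log.
// LOGCAT_SAMPLE below is constructed for this demo in `logcat -v threadtime` layout;
// the PID 4821 and the tags are made up.

// What "unintended data leakage" looks like in a log line. Extend as needed.
const LEAK_PATTERNS = [
  { kind: 'bearer-token',   re: /Bearer\s+[A-Za-z0-9\-._~+\/]+=*/ },
  { kind: 'jwt',            re: /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}/ },
  { kind: 'password-field', re: /\b(?:password|passwd|pwd)\s*[=:]\s*\S+/i },
  { kind: 'api-key',        re: /\b(?:api[_-]?key|secret)\s*[=:]\s*\S+/i },
];

// One `logcat -v threadtime` line: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
const THREADTIME = /^(\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+(.*?):\s(.*)$/;

function parseLine(line) {
  const m = THREADTIME.exec(line);
  if (!m) return null;                      // not a threadtime line (e.g. "--------- beginning of main")
  return { ts: m[1], pid: Number(m[2]), tid: Number(m[3]), level: m[4], tag: m[5].trim(), msg: m[6] };
}

// One hit per (line, pattern) match; restricted to the app's PID when given,
// which is what `pidcat <package>` does for you on a live device.
function findLeaks(lines, appPid) {
  const hits = [];
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || (appPid !== undefined && e.pid !== appPid)) continue;
    for (const p of LEAK_PATTERNS) {
      const m = p.re.exec(e.msg);
      if (m) hits.push({ kind: p.kind, tag: e.tag, level: e.level, sample: m[0].slice(0, 20) + '...' });
    }
  }
  return hits;
}

// Constructed sample: one app (PID 4821) leaking a token, a password and a key,
// plus a line from another process that must be ignored when filtering by PID.
const LOGCAT_SAMPLE = [
  '--------- beginning of main',
  '03-12 10:14:02.113  4821  4821 D InjuredAndroid: onCreate()',
  '03-12 10:14:02.201  4821  4840 I OkHttp  : --> GET https://api.example.com/v1/me',
  '03-12 10:14:02.202  4821  4840 I OkHttp  : Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMSJ9.c2lnbmF0dXJlX2ZvcmRlbW8',
  '03-12 10:14:03.007  4821  4821 D LoginActivity: password=hunter2 user=alice',
  '03-12 10:14:03.010  1337  1337 D OtherApp: api_key=belongs-to-another-process',
  '03-12 10:14:03.011  4821  4821 V Prefs   : saved api_key=DEMO-NOT-A-REAL-KEY',
];

// Print the findings and return their count (4 for the sample with PID 4821).
function report(lines, appPid) {
  const hits = findLeaks(lines, appPid);
  for (const h of hits) console.log(`[${h.kind}] ${h.level}/${h.tag}: ${h.sample}`);
  return hits.length;
}

report(LOGCAT_SAMPLE, 4821);
```

Feed it a dump taken with `adb logcat -d -v threadtime` and the PID from `adb shell pidof <package>`; the same hits with `appPid` omitted show what other processes on the device are logging, which matters when a leak comes from a library or system service rather than the app itself.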