SSL pinning is often the trickiest part of a penetration test against an Android application. You may have heard of Frida, Objection, and other tools that do a great job of bypassing Android SSL pinning. But what if none of them fit your target, because the pinning is done by a function the common hook scripts don't cover? Let's assume that.
So, what's next? Throw your phone away? Tell your manager the application is super duper hard to bypass? HAHAHAHA
Relax, there are still many roads to Mars. Have you ever reverse engineered or unpacked an Android application? That same technique can be used to bypass SSL pinning, and sometimes a manual modification is more reliable than relying on tools: you change the pinned value inside the APK itself, so nothing has to be hooked at runtime. But how?
Debugging Android APP
We need to look at the app's log output so we can see what is going on. Plug in your Android device and run:
$ [sudo] pip install logcat-color # install logcat-color
$ adb logcat | logcat-color
BOOOM! You will see Android debug logs scrolling past very fast HAHAHA
To see what's going on, open the application and make it send an HTTP request (with the device proxied through Burp). After that, Ctrl+C the logcat and scroll up to find the certificate error. Search for the Android certificate pinning error, like mine (okhttp3's "Certificate pinning failure!" exception).
As you can see, Android certificate pinning is failing because of a certificate hash mismatch. The "Peer certificate chain" part of the error lists the hashes of the certificates the app actually received, which belong to PortSwigger (Burp Suite's CA and the per-host certificate it generated), while the "Pinned certificates" part shows the hash the app expects for the (masked) domain. That pinned hash is a literal string stored in the APK's resources, which is exactly what we are going to change. Note that this is a pin mismatch, not a trust failure: Burp's CA already has to be trusted by the device (or by the app's network security config) for you to get this far.
Unpacking Android APK
This developer stored the certificate pin in a resource file inside the APK, so we need to unpack it first. I'm using apktool for this task.
java -jar apktool.jar d base.apk -o decompiled
I: Using Apktool 2.5.0-dirty on base.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/user/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
Look in the decoded folder and search for the file holding the pinned hash you saw in the log:
grep -r "sha256/dGxxxxxxxxxxxx" decompiled/* #adjust with your folder
For me it was under assets/www/pinning/ in the decoded folder, because I was pentesting a Cordova-based application; adjust this to your environment. If grep finds nothing in the resources, the pin is probably hard-coded in the smali classes instead, and you would patch it there.
Edit the file and replace the pinned hash with Burp's hash from the log output (mine was sha256/fKR2xxxxxxxxxxxx). Any of the hashes listed under "Peer certificate chain" will satisfy the check, but the hash of Burp's CA is the safer choice: that is the certificate you installed on the device, and it does not depend on which host is being intercepted. If the file lists several pins (a backup pin is common), replacing just one of them is enough, since OkHttp accepts the connection when any pin matches. OkHttp pins are base64-encoded SHA-256 digests of the certificate's SubjectPublicKeyInfo, so you can also compute the value directly from the exported Burp CA instead of copying it from the log.
That's it. Now we need to rebuild the APK so we can run it on the device.
Recompile APK
$ java -jar apktool.jar b decompiled -o app-certpin-bypass.apk
I: Using Apktool 2.5.0-dirty
I: Checking whether sources has changed...
I: Checking whether resources has changed...
I: Building apk file...
I: Copying unknown files/dir...
I: Built apk...
$ ls
app-certpin-bypass.apk base.apk decompiled
We can't install it straight after rebuilding: the APK needs to be re-signed. We can use uber-apk-signer:
java -jar uber-apk-signer.jar -a app-certpin-bypass.apk
Or, to sign every APK in a directory:
java -jar uber-apk-signer.jar --apks /path/to/apks
Output:
uber-apk-signer -a app-certpin-bypass.apk
source:
	/home/user/apk
zipalign location: PATH
	/bin/zipalign
keystore:
	[0] 161a0018 /tmp/temp_10038107399149177087_debug.keystore (DEBUG_EMBEDDED)

01. app-certpin-bypass.apk

	SIGN
	file: /home/user/apk/app-certpin-bypass.apk (24.53 MiB)
	checksum: 79489a567c31bcc1f82bf45b5d9d6ffa1de2ca71487a538505b31a8b8e01435c (sha256)
	- zipalign success
	- sign success

	VERIFY
	file: /home/user/apk/app-certpin-bypass-aligned-debugSigned.apk (24.65 MiB)
	checksum: 5ade3620151dd81029508faa40fa1a63240cf1e55150702aa79b3928f2bb9703 (sha256)
	- zipalign verified
	- signature verified [v1, v2, v3]
		Subject: CN=Android Debug, OU=Android, O=US, L=US, ST=US, C=US
		SHA256: 1e08a903aef9c3a721541b54ec764e01d3d094eb954161b62544ea8f187b5953 / SHA256withRSA
		Expires: Fri Mar 11 03:10:05 WIB 2044

[Wed Mar 17 16:36:55 WIB 2021][v1.2.1]
Successfully processed 1 APKs and 0 errors in 3.08 seconds.
It signs with the Android debug certificate, so the result installs on our phone. Because that key differs from the developer's, uninstall the original app first (installing over it fails with INSTALL_FAILED_UPDATE_INCOMPATIBLE), and be aware that any check the app performs on its own signing certificate (anti-tamper checks, Google services registered against the release key) will now see the debug key instead.
adb install app-certpin-bypass-aligned-debugSigned.apk
Run the application and check the Burp Suite proxy history. VOILAAAAAAAAAA
That's all. If you have any questions, tell me in the comment section; feedback is welcome ❤
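The whole procedure above (decode, swap the pin, rebuild, re-sign, install) as one script, plus a helper that computes the OkHttp-style pin straight from an exported Burp CA so you can confirm the hash you are about to inject. This is an added example, not code from the original post. It assumes apktool.jar and uber-apk-signer.jar are in the current directory, openssl and adb are on PATH, and Burp's CA has been exported as burp-ca.pem; the hashes and package name in the usage line are placeholders.

```shell
#!/usr/bin/env sh
# Added example, not from the original post. Assumptions: apktool.jar and
# uber-apk-signer.jar in the current directory, openssl and adb on PATH,
# Burp's CA exported as PEM (Proxy > Options > Import/export CA certificate).

# OkHttp-style pin of a PEM certificate:
#   "sha256/" + base64(SHA-256(DER-encoded SubjectPublicKeyInfo))
# Use it to confirm that a hash in the logcat error really is Burp's CA.
pin_of_cert() {
    pem="$1"
    spki_hash=$(openssl x509 -in "$pem" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A)
    printf 'sha256/%s\n' "$spki_hash"
}

# Replace every occurrence of the app's pin with ours in the decoded tree.
# Prints each modified file and returns 1 when the pin is found nowhere,
# which usually means it is hard-coded in smali rather than in resources.
replace_pin() {
    dir="$1"; old="$2"; new="$3"
    grep -rqF -- "$old" "$dir" || return 1
    grep -rlF -- "$old" "$dir" | while IFS= read -r f; do
        # base64 never contains '|', so it is a safe sed delimiter;
        # write to a temp file so this works with both GNU and BSD sed
        sed "s|$old|$new|g" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
        echo "$f"
    done
}

# Decode, patch, rebuild, re-sign and install: the apktool / uber-apk-signer /
# adb steps from the post. The original app is uninstalled first because the
# re-signed APK carries a different signing key and cannot update it in place.
bypass_pin() {
    apk="$1"; old="$2"; new="$3"; pkg="$4"
    java -jar apktool.jar d "$apk" -o decompiled -f
    replace_pin decompiled "$old" "$new" || { echo "pin not found in resources"; return 1; }
    java -jar apktool.jar b decompiled -o app-certpin-bypass.apk
    java -jar uber-apk-signer.jar -a app-certpin-bypass.apk
    adb uninstall "$pkg" >/dev/null 2>&1 || true
    adb install app-certpin-bypass-aligned-debugSigned.apk
}

# Usage (placeholder hash and package name; the real pin comes from the logcat error):
#   bypass_pin base.apk sha256/dGxxxxxxxxxxxx "$(pin_of_cert burp-ca.pem)" com.example.app
```

Running pin_of_cert against the Burp CA and comparing the result with the "Peer certificate chain" hashes in the log is a quick sanity check that the device is really talking to your Burp instance and not to some other interceptor; if the values differ, the pin you inject will not match either.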