Wednesday, December 21, 2016
ANDROID PT / Bypassing SSL Pinning
BYPASSING SSL PINNING
- Layout for this exercise:
- Connecting Santoku to Nexus 5:
0 - INTRODUCTION
- SSL pinning is an extra layer of security used by applications to ensure that the certificate presented by the remote server is the one expected.
- By storing the certificate or its public key within the application, it can be compared against the certificate or public key presented by the remote server during the TLS handshake.
- This technique lets developers specify exactly which certificates the application considers valid, independently of the device's trust store.
- Without SSL pinning, it would be possible to install an attacker-controlled CA certificate in the device's trust store and then intercept all SSL/TLS traffic with a proxy.
- SSL pinning prevents this, because the certificate presented by the intercepting proxy does not match the certificate embedded, or "pinned", in the application, even though the device itself trusts the proxy's CA.
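- What the comparison described above amounts to in code, as an added worked example that is not code from the original post or from SSLPinningExample.apk: a Python implementation of public-key (SPKI) pinning in the "sha256/<base64>" form used by HPKP and OkHttp's CertificatePinner. The certificate bytes are constructed inside the block with a minimal DER encoder (structurally valid, unsigned, with opaque bytes standing in for the RSA key), and the pin format is an assumption; the page does not say how SSLPinningExample.apk itself implements its pin.

```python
import base64
import hashlib

# --- minimal DER helpers, enough to walk an X.509 certificate ----------------

def der_encode(tag, content):
    """Encode one DER TLV with definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _tlv(buf, pos):
    """Decode tag and length at buf[pos]; return (tag, value_start, element_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _elements(buf, start, end):
    """Yield (tag, element_start, value_start, element_end) for each TLV in a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, eend = _tlv(buf, pos)
        yield tag, pos, vstart, eend
        pos = eend

# --- pin extraction and verification -----------------------------------------

def extract_spki(cert_der):
    """Return the DER subjectPublicKeyInfo of a certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, vstart, vend = _tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs = next(_elements(cert_der, vstart, vend))        # tbsCertificate
    fields = list(_elements(cert_der, tbs[2], tbs[3]))
    if fields and fields[0][0] == 0xA0:                   # skip explicit [0] version if present
        fields = fields[1:]
    if len(fields) < 6:
        raise ValueError("tbsCertificate too short")
    _, estart, _, eend = fields[5]                        # serial, sig, issuer, validity, subject, SPKI
    return cert_der[estart:eend]


def spki_pin(cert_der):
    """Pin in the 'sha256/<base64>' form used by HPKP and OkHttp's CertificatePinner (assumed format)."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def verify_pins(cert_der, pinned_set):
    """The pinning check: the server's leaf must hash to one of the pins shipped in the app.
    It runs in addition to, and independently of, the normal chain validation."""
    return spki_pin(cert_der) in pinned_set

# --- constructed test data: NOT real certificates, no real keys, unsigned ----

RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"         # 1.2.840.113549.1.1.1 rsaEncryption
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # sha256WithRSAEncryption
CN_OID = b"\x55\x04\x03"                                   # 2.5.4.3 commonName


def build_test_spki(key_bytes):
    """SubjectPublicKeyInfo with rsaEncryption and an opaque BIT STRING standing in for the key."""
    alg = der_encode(0x30, der_encode(0x06, RSA_OID) + der_encode(0x05, b""))
    return der_encode(0x30, alg + der_encode(0x03, b"\x00" + key_bytes))


def _name(cn):
    return der_encode(0x30, der_encode(0x31, der_encode(0x30,
           der_encode(0x06, CN_OID) + der_encode(0x0C, cn))))


def build_test_cert(spki_der, subject_cn=b"github.com"):
    """Structurally valid dummy certificate wrapping spki_der (constructed; signature is zeros)."""
    sig_alg = der_encode(0x30, der_encode(0x06, SHA256_RSA_OID))
    tbs = der_encode(0x30,
        der_encode(0xA0, der_encode(0x02, b"\x02")) +                       # [0] version v3
        der_encode(0x02, b"\x01") +                                         # serialNumber
        sig_alg +                                                           # signature
        _name(b"Test CA") +                                                 # issuer
        der_encode(0x30, der_encode(0x17, b"161221000000Z") +
                         der_encode(0x17, b"171221000000Z")) +              # validity
        _name(subject_cn) +                                                 # subject
        spki_der)                                                           # subjectPublicKeyInfo
    return der_encode(0x30, tbs + sig_alg + der_encode(0x03, b"\x00" * 17))


if __name__ == "__main__":
    server_key = hashlib.sha256(b"constructed server key").digest() * 2
    proxy_key = hashlib.sha256(b"constructed burp key").digest() * 2
    server_cert = build_test_cert(build_test_spki(server_key))
    pins = {spki_pin(server_cert)}                 # what the app ships with
    # Burp's generated leaf has the same subject but Burp's own key: trusted by the
    # device store once Burp's CA is installed, but rejected by the pin.
    proxy_cert = build_test_cert(build_test_spki(proxy_key))
    print("genuine server:", verify_pins(server_cert, pins))      # True
    print("intercepting proxy:", verify_pins(proxy_cert, pins))   # False
```

- The certificate Burp generates for github.com carries Burp's own key, so even with Burp's CA installed in the device's trust store the pin comparison fails and the connection is dropped; that is the SSL error seen when the proxy is in place. A tool like AndroidSSLTrustKiller attacks the other side of this check: it hooks the app's certificate validation at runtime so that the equivalent of verify_pins always succeeds.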
1 - METHODS TO BYPASS SSL PINNING
- However, this client-side security measure can be bypassed by manipulating the application, since the check runs on a device the tester controls.
- The application can be disassembled and patched to remove or alter the pinning logic, or to swap the certificate embedded in the application for another one.
- Alternatively, some tools disable certificate pinning automatically at runtime, for instance AndroidSSLTrustKiller by iSEC Partners, which runs on a rooted device and hooks the certificate validation APIs so that the pinned check no longer rejects the proxy's certificate.
- Denis Andzakovic published a paper in 2014 about SSL pinning on Android devices. The document can be found here.
2 - SSLPinningExample.apk
- The paper provides the application SSLPinningExample.apk, which is very useful for testing the SSL pinning bypass process.
- SSLPinningExample.apk simply performs an HTTPS request to github.com and displays the result of the request.
- Under normal circumstances, the HTTPS response would be returned from GitHub.
- However, because SSL pinning is enabled, the presence of an intercepting proxy like Burp results in an SSL error.
- Once the test application is downloaded from the previous link, it is installed on the Android device:
3 - TESTING WITH BURP
- Burp proxy is enabled on the Android device:
- The proxy hostname corresponds to Santoku's IP (192.168.1.8), where Burp Suite is installed:
- Clicking the icon of the application:
- The user is prompted to test the application:
- Launching Burp with interception set to "on", nothing happens: the application tries to verify the server certificate, and because the one presented by Burp is not the pinned one, the connection is not established.
4 - ANDROID SSL TRUST KILLER
- To bypass the SSL pinning, let's download the application AndroidSSLTrustKiller, by iSEC Partners, to Santoku:
- Installing AndroidSSLTrustKiller on Nexus 5:
5 - FINAL TEST
- Testing the application SSLPinningExample.apk again:
- Now the HTTPS request to github.com is intercepted:
- Forwarding the request:
- Eventually, the mobile device receives the response to the HTTPS request:
- This final test succeeds because AndroidSSLTrustKiller disables the SSL pinning embedded in SSLPinningExample.apk, which did not happen in the previous test in section 3.